The Host Unknown Podcast - Episode 43 - The Avengers Snitched and Assembled
Episode Date: February 19, 2021

This week in Infosec
Not liberated from the "today in infosec" twitter account:
12th February 2009: Microsoft announced a $250,000 reward for info resulting in the arrest and conviction of those responsible for the Conficker worm. As of 2018, Microsoft's offer was still open.
https://web.archive.org/web/20120418094401/http://www.microsoft.com/en-us/news/press/2009/feb09/02-12confickerpr.aspx
https://www.dailymail.co.uk/sciencetech/article-6058565/Microsoft-offering-hackers-250-000-bounty-remove-Conficker-malware.html
https://twitter.com/todayininfosec/status/1227775375565918208

Billy Big Balls
After the failure of the Facebook Phone, get ready for a Facebook Watch
https://arstechnica.com/gadgets/2021/02/after-the-failure-of-the-facebook-phone-get-ready-for-a-facebook-watch/

Rant of the Week
Password manager LastPass is making its free accounts effectively useless by limiting account holders to one type of device, leaving millions of users stranded.
https://www.forbes.com/sites/barrycollins/2021/02/17/lastpass-breaks-free-accounts-where-to-store-your-passwords-now/?ss=cybersecurity
John Deere being dicks:
https://www.bloomberg.com/news/features/2020-03-05/farmers-fight-john-deere-over-who-gets-to-fix-an-800-000-tractor

Industry News
Nearly Two-Thirds of CVEs Are Low Complexity
Police Reportedly Arrest Egregor Ransomware Members
Yandex Insider Breach Hits Nearly 5000 Inboxes
Duo Charged with Multimillion-Dollar Dark Web Drugs Scheme
Microsoft: 1000+ Hackers Worked on SolarWinds Campaign
Centreon: Sandworm Attacks Targeted Legacy Open Source Product
NHS Phishing Scam Promises #COVID19 Vaccine
Singtel Breach Hits 129,000 Customers
Two More Lazarus Group Members Indicted for North Korean Attacks

Javvad's Weekly Stories

Tweet of the Week
https://twitter.com/torriangray/status/1361778280521605122

Come on! Like and bloody well subscribe!
Transcript
Who's going?
Your mum.
Like, she doesn't like to be called old.
Well, she doesn't like you to be called old, Tom,
because that makes her really old.
So apologies to the lady, the Duchess.
Duchess of Ladywell.
Ladywell.
Your son is young.
He's the youngest of the lot.
He's a spring chicken, and so are you.
Yeah, absolutely.
Oh, and by the way, I'm going to be getting my jab soon,
according to the NHS.
Which we thought you would have had about six months ago.
Look, just because that Captain Tom got it
didn't mean that was actually me, you know.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are. And welcome to the Host Unknown Podcast, run by the very, very young and energetic me and our two colleagues,
Jav and Andy. Gents, how are you two? Good morning.
Can't, uh, can't complain. Okay, so I am actually hiding in my office today. I've closed the curtains,
because, um, my boys have been, since lockdown and what have you, and this week's been half term, so
there's been no online learning either. They've just been on their phones, the tablets,
and the PlayStation all the time.
So last night after they went to sleep, I picked up all the items,
and I've brought them to the back and hid them,
and they've only woken up a little while ago,
so they haven't clocked on yet.
So I'm just hiding in the back, and I'm expecting them to come charging
into the office any time soon, demanding their devices back.
So any disruption during, you know exactly why that is.
So you're not a fan of the digital babysitter?
Well, no.
Well, you know what?
I am.
It's very convenient.
It's very good.
I wish I had one when I was younger.
I wish I had an iPad when I was growing up.
I got told off just watching too much TV.
Yeah.
And that was only like two hours a day or something.
Remember that? Get outside.
Yeah.
Don't come back before it's dark.
Yeah.
What?
I always used to tell my kids that, uh, back in the old days before electricity
we had to watch television in the dark. It took them a couple of moments to work that
one out. Oh dear. So, Andy, what have you been up to this week? Uh, enjoying the heat, uh, I believe.
So, the previous week, you're not in Texas then? I'm not in Texas.
No, but I can relate to my colleagues in Texas.
Did you go to Cancun with Senator Cruz?
It's a logical step, right?
Dubai's shut.
So, you know, there's a lot of blowback from there.
Is Dubai shut?
Well, unless you're an influencer.
No, you're not allowed to travel at the moment.
No non-essential travel.
But I did, you know, we had this sort of big freeze over here in the UK.
I did have problems with my boiler.
For our guests and our listeners in Texas,
a big freeze in the UK means somebody in the neighbourhood
left their freezer door open.
Well, you're joking.
I mean, we hit minus four, and some areas in Texas actually only hit minus seven.
So there wasn't too much in it.
Obviously, with the windchill factor, it took it down to about minus 17 for those guys in Texas.
But, you know, looking at the actual data, what was the actual temperature?
Yeah, we weren't far off.
But your boiler broke down, whereas for them, everything broke down.
Yeah, well, I guess that's the problem when you don't run
your own national power grid, isn't it?
Well, yes, this is true.
When you secede from the nation's power grids and think,
yeah, we can do this and we don't need to put warmers on our, you
know, in our wind turbines and stuff like that.
Yeah.
But I mean, it's pretty harsh.
Like one of my colleagues, you know, she sent me the message she gets when she calls the
power company.
And it pretty much says you're on your own.
Like find some blankets.
Wait it out.
And it said, take warm drinks.
I know.
But how do you warm them up?
And Americans don't have kettles either.
What's that all about in the house?
No, exactly.
Exactly.
Maybe on the East Coast, maybe in Boston, they might have a kettle.
No, Boston and tea aren't.
We don't talk about them, no.
They've got no respect for tea in Boston.
Little party they threw. So I'd say, a quick one, I was actually in, uh, Boston, um, a couple of years
ago and, uh, I thought I'd do some touristy stuff while I was there, so I joined this reenactment
tour, um, down by the harbour, and, uh, yeah, you're given these cards of a character that you play,
and it's amazing. Like, I thought it's really hysterical, but, you know, I got in there, I hadn't
spoken to anyone yet, I was on my own, and, uh, I was the name of, like, some patriot, as, uh, you know,
they're all patriots there, and the venom towards the English that they drummed up, uh, whilst in that
room giving everyone the brief of what's happening.
I actually kept my mouth shut throughout the whole thing.
Yes, I'm this character.
My name's John.
I'm a patriot.
I'm Billy Bob.
And I drive a red pickup.
But yeah, I mean, those things still go on.
And I was quite surprised that, uh, like, I even joined
in, like, on the reenactment. They've got these, um, these boxes of tea that you throw into the harbour,
and they're attached by rope so they pull them back out again, you know, when you're gone.
But, uh, yeah, I was joining in. I was like, yeah, screw the British, like, chucking this stuff over the side. Self-preservation.
It reminds me of a friend of mine,
and he was like the only Bengali kid in his school growing up,
because he grew up in this area that hadn't been, whatever.
Colonised garlic mine?
It wasn't multicultural.
Anyway, the school was having some work done,
and there were some Sikh builders working on the roof across.
And he's sitting in a class, and one of the kids pointed out the window and said, oh, there's the P word on the roof.
And everyone started laughing and started calling him the P word.
And I said, what did you do?
He goes, I started laughing and joined in as well.
Oops.
And that's Andy through and through.
Although in that kid's defence, he wasn't from Pakistan, right?
No, neither was the builder.
He was from India.
That's not the point.
That's not the point, though.
You know, the kid joined in, you know, but, I mean,
Andy completely betrayed his home, his own country.
The drop of a hat.
There's about 75 angry Americans who, obviously,
changing the course of history, just had hatred for the British.
So, yeah, I just, I was inside as an observer.
I'll put it that way.
Yeah, but even a couple of years ago, you could probably have outrun them.
Yeah, true.
You're a big lad, Andy,
but you're not American big.
I kept referring to him as a skinny lad.
What's my favourite
saying? Americans eat like they've
got free healthcare.
Oh, man.
For all of our listeners in America,
if you listen to us more
than once, then I think
you know that we love you specifically.
I'm just looking at our
following list. We're not getting so many.
We're in
Lewis Centre. Hello from there.
Atlanta. One in Atlanta. Kansas City.
San Tan Valley. You know how Netflix has, uh, regional shows? So certain shows you get in the UK
you won't get in the US, and that kind of stuff. I think maybe we need to do that with our podcast.
We need to, like, edit out certain parts, re-dub them just for a US audience
so we don't alienate them.
Be quite a short show.
We also, as I noticed here, we got one listener this week.
It's last week in Wellington, New Zealand.
So hello there.
Give us a shout if you're listening again.
One in Kampala.
Hey, Uganda.
Yeah.
Yeah.
So Kampala, three from Harare.
And 20 from Lagos this last week.
Boys are back in town.
Yeah.
Yeah, 20 from Lagos.
So if you're part of the
listenership from Lagos, give us a shout.
Tell us about yourselves and why
on earth you'd be listening to us.
And first one to messaging gets a
$20 Amazon voucher.
Yeah.
Yeah, absolutely.
You just need to Western Union us some money first
to cover the handling fee, right?
We don't deal with stereotypes here.
No, seriously, the first one of any of those places I just mentioned
that writes in, because I won't remember who they are,
so actually you could write in from Cheswick as far as I'm concerned,
but the first one to write in will get a 20-something Amazon voucher.
Dollars, pounds, rupees, whatever.
Go for dollars.
Stick with dollars.
Right.
Let's see.
What have we got for you this week?
Let's see.
Well, so we do have this week in InfoSec.
Always up for that one.
Tweets of the week.
Billy Big Balls. Rants of the Week, Industry News,
and a sticky pickle, Trademark of the Week.
So I think we should get straight onto it, shall we?
Let's have a look at...
This week in InfoSec.
So just the one this week, this part of the show,
where we take a stroll down memory lane with content liberated from the Today in InfoSec Twitter account.
As we know, Steve has not been updating it recently,
so we're having to go
much further back to find something relevant. And this is a story which I found interesting.
Now, if you recall Conficker, which was a fast-spreading worm that targeted a specific
vulnerability in Windows operating systems, it exploited the vulnerability that was patched with MS08-067.
So this is from November 2000.
I'm amazed you still remember all that detail.
I know, but I did actually open an article just to double-check it.
So this is one that we received ourselves from a development office we had in Belgrade.
Popped up on Instant Messenger, spread around the office as it does.
So this was one of those sort of blended threat viruses where, you know, sort of did several approaches of spreading.
Once it infected the computer, it would disable things like, you know, the automatic backup settings.
There were restore points that were part of Windows XP at the time.
And it could just spread everywhere.
And the whole thing was it was due to receive an update on 1st of April.
And no one knew what this update was going to be on the 1st of April, all these instructions.
But anyway, this virus, it was a menace.
It wasn't actually, I guess, not as destructive as you see ransomware and today's viruses,
but it was just a complete menace.
It just spread everywhere.
It's like the virus equivalent of a glitter bomb.
Once it hits the network, it's a pain in the cleanup.
However, so taking us back to get to the point, 12 years.
On the 12th of February 2009, Microsoft announced a $250,000 reward for information that resulted in the arrest
and conviction of those people responsible for the Conficker worm. Now, I don't ever recall a reward
being offered for a virus, for the capture of a virus author or group that spread this stuff.
So you've got a quarter of a million dollars up for grabs.
And as of 2018, that money was still available.
And I say 2018 because that is the furthest back I can find evidence
that it is definitely still open.
So there's a big possibility that's still open today.
But, you know, that's obviously one that Microsoft were annoyed about.
Well, I mean, it's something that disrupts your flagship operating system
quite so dramatically.
That's going to piss you off, isn't it?
I bet Bill was rather unhappy.
Yeah, probably reached into his back pocket and said,
right, whoever brings me the head of that writer...
Can have the contents of my wallet.
Yeah, exactly.
Yeah.
Thing is, like, back in 2009,
250 grand might have bought you a one-bedroom flat in London.
Today, it won't, so...
It's a down payment.
Yeah, it's a down payment.
It's your deposit.
Well, once you take the exchange rate and tax, that's 125 plus tax, you probably take
home maybe 70 grand.
Yeah, that's a lot.
It's not a lot, is it?
No, no.
What, to rat out one of your enemies?
Yeah, well, it depends.
I mean, it's free money, right?
But who knows?
Unless it's some kid in a basement,
you've got to be looking over your shoulder for a little while,
haven't you?
Yeah.
Although, do you know, there's a place I used to work.
We had a product where we would sell PII,
all totally legal, basically selling PII on DVD or CD at the time.
As it was, you know, the big edition was DVD.
And it was called the UK InfoDisc.
So it was basically a copy of the electoral roll, BT or OSIS data,
as it's called, phone directory data, and Dun & Bradstreet data as well, sort of business information.
But with all this, you know, you could look people up.
It was used by, you know, genealogy people, you know, ancestry type stuff way before ancestry.com was a big thing.
And we had this problem.
Every time we released one, there was this hacker that would release it,
you know, almost like a day later.
A guy could – in fact, I won't even say.
But he, you know, he always released it.
It was a complete pain.
So people were buying these pirate copies off eBay.
And, you know, we'd have to go through eBay's Vero program
to verify rights ownership or something,
to have all these other listings removed.
It's just a hassle.
You know what I mean?
It took like an hour every morning just to go through that stuff.
And the way we actually caught him was one of his mates dobbed him in.
Yeah, so our CTO met this guy in Manchester train station, handed over an envelope full of cash and received the details of who we needed.
I'd love to see the expense claim for that envelope.
Well, that's one of the great things about working in smaller companies is that, you know, the paperwork's a bit more lax.
I did, one day after a company event,
I did try claiming back all the racing stubs of all the horses I'd lost bets on.
Very good.
I did once, as part of a build, as in an office build,
I did once hand 15 grand of cash over to the office owner for ceiling tiles.
Is this like where the builders can get it cheaper if you don't pay tax sort of thing?
Yeah, basically.
Well, the guy said, look, you can take them off this other floor if you want.
But, you know, so rather than paying 35 grand or 50 grand
or whatever it was to get some new ones, you can have these for 15.
Right.
And did the tenants of the other floor know that you were taking them?
Yeah.
It was empty, thankfully.
It was empty.
But, yeah, so I had a chat with our, you know, CFO and said,
look, what if I told you I could knock 20 grand off the cost of this
build? Yeah, fantastic. What if I told you I'd need to expense 15 grand in cash? Okay, petty cash. Yeah,
yeah, exactly. So I took the cash out on my Amex. Oh geez. Oh dear. So let's be honest. How much was your commission in there in the cash?
Do you know what?
I was a good corporate citizen.
I was a very good corporate citizen.
I got a lot of kudos for that particular build.
But, yeah, the things you do to make it work, right?
Yeah.
Funny.
So, yeah, just that one story.
Conficker still around. If you do know if that, uh, reward is
available, um, yeah, do let me know and I may have some information, which... Yeah, exactly. It's funny,
like, the guy who wrote it, even if it was a kid in his 20s, probably, like, what, 32 now or
something? He's married with kids. He's listening to this podcast going,
oh shit.
This story
should have died.
Send us, if you
know who it is, send us an email
at anonymous tips at
host.
And we'll
give you 10%.
And you're not the rat.
You know, we'll take that for you.
Yeah, exactly.
We take the risk.
We take the risk.
And you can, you know, we'll submit it in the name of javadmalik at gmail.com.
Excellent.
Thank you very much, Andy.
This week in InfoSec.
Oh man, well, let's hope nothing comes of that particular conversation.
I think we all opened the kimono a little bit on there.
Ah, shall we move on? Go on. Yeah, let's do it.
Alright, so this is a
Excuse me, this is a slightly
Tongue-in-cheek
Billy Big Balls
That's what you said
That's not funny
anyway
so as we know
Facebook is upset with Apple
because
Apple is protecting the privacy
of its users
Apple is a snitch. That's why. But carry on.
Yeah, that's right. Snitches get stitches.
Blah blah blah.
But so, and they are
actively trying to diss Apple in the process to get them to back down,
which of course they're not going to do.
And this is the same Facebook that's been accused of school bully tactics
for their removal of the ability to share news on Facebook in Australia.
That's right.
They cut all news feeds into Australia, didn't they?
Amazing.
On Facebook, which also included companies that weren't news companies.
I heard, yeah.
So Sky News, wasn't it, in the UK, who licensed out to Facebook in Australia.
Yeah, their stuff was cut for a bit.
Yeah.
Because obviously Facebook wants to be able to control the news that it shares.
Yeah.
What's funny is it reminds me of this episode of The Simpsons
where they have a power cut because Homer messes something up
at the plant.
And the camera pans around all of Springfield and there are kids
flying kites.
There are people having
barbecues in their gardens. They're like, everything, it's just such a blissful, wonderful life. And then
the power switches back on. So the power's back and everyone's right in front of the TV again.
Yeah. So I think actually this might be a great thing for the, um, for our Australian friends, that
if they're not getting news through Facebook, I mean,
I don't really see the downside to it. No, no. But anyway, that's not the Big Balls move.
Interestingly enough, the Big Balls move is, uh, well, actually, no, let me give it another little
bit of history. Do you remember the Facebook phone? I remember they tried to make a phone.
Yeah, didn't work very well, did it? No. So making a smartphone is quite difficult, right? There's Android. Apple have done spectacularly well with the iPhone, obviously, huge amounts there.
Facebook trying a phone didn't work. Have they learned from that lesson? Probably not, because
in their war against Apple, it seems that Facebook are now going to be releasing a watch,
a Facebook watch. The best part about this, of course, is if you
can't make a phone, how do you think you're going to make a watch? So I think this is going to be a
massive own goal for Facebook, even though they think it's probably a Billy Big Ball's move,
to say the least. So this watch, according to reports, uh, the link's in the show notes, is a
standalone device. It's able to hook up to cellular networks without tethering. Um, it's going to build
its own ecosystem that's going to let wearers send messages using Facebook services, offer health and
fitness features, uh, all the stuff that you'd expect in there, right?
So I think to me, so that's the one that concerns me is the data it captures. And
I know it's been discussed before with, you know, these wearables and, you know,
what information they have. But Facebook has a history of selling your data. But, you know,
they are not there to build good products for your
benefit. And, you know, health companies, uh, their insurance products, everything they do, you know,
insurance companies, they will pay serious amounts for that data, because, you know,
what they do is a complete science, uh, you know, to make sure your premiums cover any sort of potential
payouts and things like that.
And that's the scary part because I don't think Facebook would even hesitate
to sell data if they had it on you and they said, this is this person.
In a shop.
In a heartbeat, they would sell it.
But here's the thing as well.
I reckon this watch, because they're going to try and saturate the market,
is going to come in at under $100.
That's my prediction.
Really?
And if it comes in at under $100,
where do you think they're going to be making their money on that device?
So, yeah.
I mean, the thing is, like, actually, when you look at the market already,
there are a whole bunch of very cheap, like, £30 kind of fitness tracker
with a bit of watch functionality built
into it, so it is very, very possible. Absolutely. And they could do this. Yeah, I think the other
thing that might have prompted something like this is, uh, Google's acquisition of...
Yeah, that's right. So, you know, they feel, because Apple's got something in the wearable
market, Google's got huge stuff, um, so they're
being a bit left out of everyone else's walled garden. I think the third factor that comes into
play is that, um, in a lot of developing countries, Facebook is the internet for a lot of people.
Yeah, yeah. So I think that is also a key market for them, if they can make a cheap and nasty wearable,
that captures a lot of information.
People in those countries, maybe not as privacy conscious,
or they can't afford an Apple Watch, so it's the next best thing.
But then I guess, you know, is the data as valuable in developing countries?
Not in a derogatory way, but I mean, you're not selling medical care.
They're not selling insurance.
Yeah, to some people. Yeah, yeah, I think this is a long game. I think when you look at it today, yeah, when you look at it today, and if you look at Facebook's ad revenue breakout, the US
is by far, like, I think per person or per household is something like 12, and then it goes down to
other nations have got, like, you know, a few cents per
person. But, um, I think the two things to bear in mind is, one is the sheer volume of people you
can tap into, uh, so it adds up. And secondly, these countries are skipping
a whole, uh, piece of infrastructure. They haven't gone through wired connections or internet, they've just gone straight to mobile. Yeah. And they were doing mobile banking before. Exactly, exactly. And the rate of
adoption has been higher. Yeah. So I think that in 10 years' time that will be a very, very... that
I wouldn't be surprised if that makes up the majority of their ad revenue. Yeah, I wouldn't be
surprised if it falls on its ass as well,
but I also, you know, given the luck they had with the phone
and also some of the press they're getting, I think, you know,
I think although it's still not bad or universally bad,
I think there is a lot more noise picking up about Facebook.
And also there are other platforms that people are getting more engaged with as well.
Like what?
Parler.
Parler, yeah.
Only fans.
And TikTok for you two gentlemen, as I recall.
So I've always been a fan of TikTok.
Really?
And I noticed Jav has dabbled in the past and then
disappeared. I think there was one day he turned up, like, an hour late to the show.
It's been all night on TikTok. But, uh, well, he's back on it again. He's actually posting content
now. Yeah, uh, we have some of his YouTube channels, but think... You must be spending a fortune on lingerie, Jav. No.
What's really interesting is, from a creative point of view,
it's really, really good because it forces you to take one idea and compress it into 60 seconds or less.
And so, I mean, I've posted, I think,
one or two original TikTok content pieces on there.
And it took a lot longer to plan them out, but it was a lot quicker to film and edit and post them.
So from a creative perspective, it's actually more fun.
You cut out all the fat.
The interesting thing is that from TikTok, then you can download the video.
So then you can upload them to YouTube
because YouTube has this hashtag shorts,
which is their kind of TikTok.
Yeah, it's their equipment.
Yeah, so I've been doing that.
And one of the videos I posted on LinkedIn as well.
So downloaded, uploaded it to LinkedIn as a native video.
And most people are like, oh, this is good.
This is really interesting,
you know, share, because it was just something about using passphrases instead of passwords.
And there was two people on there who commented like, what the fuck is this? This TikTok video
is on LinkedIn. This is getting ridiculous. This is a professional network.
People get so mad about content, like everything, like any news articles you read will always come from somewhere else.
Like the amount of news articles I've seen saying, oh,
this TikTok user showed these life hacks or these things.
All of the BuzzFeed stories come from Reddit.
You know, it's like one of the top ten.
It's just no one does original content.
Like no one sources their own content
it's all taken from other platforms it's all you know subreddits that have got you know links to
youtube videos or embedded youtube videos or tiktok videos or instagram videos it's um that's
not the thing to get annoyed about no no i mean i i'd understand it if it was like me doing one of those trend dances
or something, then it's like, yeah, exactly.
Maybe LinkedIn's not the place to post it,
but it was a security tip for non-security.
I dare you, Jeff.
I double dare you.
Oh, this reminds me.
Oh, do you remember what was the company a few years ago?
There was a young lady at the company who did a competition
for guess the amount of USBs in a bowl.
Oh, that's right.
Do you remember?
And she happened to be.
Had a very low-cut top on.
Yeah, and a sort of attractive woman in inverted commas, et cetera.
And she took a huge amount of trolling, didn't she?
LinkedIn went crazy about that.
Yeah.
Like, just the abuse that she got was unbelievable.
And yet it was perfectly acceptable business attire.
And it was actually, like, a legitimate competition as well.
Yeah, exactly.
It was.
I mean, this is, like, you go to any conference, I
mean, we're not even talking about booth babe level, this is just, like, very, just like wearing
a corporate t-shirt kind of, would you like to enter our competition, can I scan your badge type
thing. And, you know what, it's just people get so, so, um, I don't know, wound up for no reason. Yeah, wound up. They just get on their high horses on LinkedIn.
it's just full of pompous asses
yeah
I love LinkedIn
anyway
and that's why you'll only find me on TikTok
because it's full of asses
yeah
not the pompous kinds
no
anyway so my prediction a sub $100 Facebook watch from Facebook.
That would be dangerous.
That will be dangerous and will fail on its ass and they'll quietly disappear.
So just one other point.
So I've looked at the counterpoint market research from 2020 on this market.
Apple dominates the wearable industry with over 50
percent of the, um... Yeah, I know. And Fitbit actually only has 2.4 percent of the... Seriously? Yeah,
yeah. So Apple is 51.4 percent. Wrenched that from Fitbit, because they were, yeah, Fitbit were the
masters well this is the interesting thing.
So you've got 51.4% Apple, then Garmin coming at 9.4%,
then Huawei 8.3%, Samsung 7.2%.
I think that's iMu at 5.1%, Amazfit 2.4%,
which is on par with Fitbit.
But the interesting thing is the market has massively increased
since the Apple Watch came out.
Yeah.
You know, before Fitbits were for people who wanted to exercise
or whatever.
That's it.
The mere fact of buying a wearable, I should say,
was just for people who wanted to exercise.
The mere fact of buying an Apple Watch,
you're increasing that market massively. So people who would never have bought one but then subsequently
would go on and do alternatives. Yeah, and they look for alternatives. And, uh, what's the other one
that you said? Uh, was it Nike had the Jawbone? Oh yeah, no, Jawbone was its own brand. Oh, but Nike
had, uh, like, a sport band, because I had one back in 2013.
Right.
That was pretty good.
Although it was,
it was a solid band.
Um,
so it wasn't that comfortable.
It's like wearing a bangle.
Joe,
I think I recall one night we were at some event with an overnight stay and,
uh,
we both went to the gym.
Yes.
Um,
what?
I know. I know. I know you wouldn't believe it. That was 2013. Was that 2013? Geez. Yeah, last time I exercised. You were on the cross trainer, I was on the rowing
machine. Yeah. And I think, yeah, that's when you
had one of those wearables on, I think that was. Yeah. Yeah.
You know,
if you wanted to use a sauna,
you could have like skipped the gym part altogether.
Well,
funny story.
The,
the smoke alarm went off in my room when I used the shower after that, because I had it on pretty hot and the steam actually caused the smoke to go
off.
Like reception called me.
They said,
are you smoking in your room?
I was like,
I don't smoke.
And they couldn't figure it out.
And yeah, it turned out the shower was too hot.
The steam coming out.
They said, can you open the windows?
I was like, yeah, cool.
Yeah.
So, you know, Andy was like,
do you know the difference between a shower and a hot shower?
Hot shower is the one I'm in.
Well, this is taking a turn. Yes, but, uh, yeah, no, interesting story. Facebook, I would be, I think if they do make it sub 100 pounds, that is a problem, because that
would attract people to get it. Yeah, yeah, exactly. And they'll think they're getting a bargain. Yeah, especially if you can
use Instagram and
WhatsApp on it as well
yeah
Be dangerous. Wow.
Anyway, believe it or not,
that was this week's
Billy Big Balls of the Week.
Amazing.
Yeah, that was a story
that gave and gave,
and we stuck that one
in last minute.
so Jav
let's
let's move straight on
shall we
in the interest of time
and the
and our
and our listeners
capacity
to hold on any longer for this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So, my rant of the week is about LastPass,
the popular password manager,
and they announced some sweeping changes to its free accounts,
apparently making them less useful than they were before.
So LastPass, like many online service providers,
they have different tiers, pricing.
So there's a free tier, there's a personal,
and then a professional or whatever.
But from March 16th, free account holders will no longer be able to access their passwords on
computers and mobile devices, they'll have to choose one or the other. So after March 16th,
the first device you log on to, it will determine your active device type. And, um, when you fire it up, say, like, on
your second device, it'll say no, you know, you've got to use it from that one. So, you know, it'll give
you three tries to do it. Yeah. Um, you know, so, sorry, just the idea is
that you then have to upgrade to a higher subscription to be able to use multiple devices? Yeah, exactly, exactly. So, you know, the free version now is kind of, like, throttled, that you can only
use it primarily on one device, but, you know, if you start paying $2.25 a month, um, you know, you can
then have it across multi-device. How much? $225 a month? Two, two dollars, $2.25 a month. $2.25 a month? Yeah. Okay, okay, just checking. It's like 25 bucks a year, right?
Something like that, I believe so, yeah. That's what it says in this article.
Anyway, so much to my surprise, I logged onto Twitter the other day, and I saw LastPass was
trending. So I was like, why is LastPass trending? I hadn't
heard of the story then. And there was so much outrage. People were calling them all sorts of
names. They were saying they don't like their customers. These are classic drug dealer tactics
where you give someone a free hit and then you start charging them. There were people calling them bait and switchers.
What?
So I, yes, I genuinely asked the question.
I was like, there's a service that is, in my opinion, very useful, fully fledged.
And they're offering it for free.
But now they want, they're thinking, well, it's a business decision they're taking.
So this is something that, again, it's very easy to think that everyone's out there doing stuff out of the goodness of their heart.
It's an act of philanthropy.
But we have to remember that everyone's out there, these organizations, they're a business.
And they're not in the... their business is to make money.
That's what we have to remember. No matter what it is, they're out there to make money. It just so happens that they're
providing security as a service there. You know, and maybe down, you know, second or third or whatever,
somewhere on the list is like, yeah, we want to make the world a better place by having people have
better credentials. But ultimately they want to make business, and if they're giving away something for free, they might look at it and say, hey, this is just becoming
too costly to sustain as a business. Maybe, I don't know, I can't see the insides of LastPass's
financials. I don't know how much it costs them to stand up a free service for users,
or how much, or what percentage. Maybe they've only 30% of their total user base as paying customers and 70% are free.
Who knows?
LastPass knows.
They have all the information.
We don't.
So they've, based on that, made a decision to say, okay,
let's restrict the number of devices.
So it's not like they're taking away free altogether,
but they're restricting it.
So you're saying you can have a free service?
You can have a free service just on one
device only, and it won't synchronize. So, you know, okay, I get it, it's a pain. Yeah, I mean, if
anyone uses any of these types of services, the beauty is that you can be on your phone, your
laptop, your desktop, your tablet. It just works, normally, very, very... uh. So, so I asked Twitter. I said, but
why are you upset? And, um, you know, so some person said, the problem is they raised the prices,
doubling them not too long ago, and now crippling the free tier. I used to pay them, but I'm
done over these last two changes. Um, someone else said, this person used to pay, but because they're
now reducing the level of free service that they don't take advantage of, not going to use them
anymore. Yeah, yeah, I know, I know. Um, you know, and to be honest, like, the Twitter responses were very
divided. They were like yeas and naysayers on both sides. Someone said that,
you know, in a tweet that made me smile. They go, InfoSec at work. The business does not like
to take security seriously. They will never approve our budget. InfoSec at home. I'm not
paying a penny for security. I need it for free. So, you know,
and there are plenty of others
and, you know, you can look
on Twitter or we'll put some tweets
in the show notes.
I think, like,
one thing we need to understand is
SaaS,
software service, has changed
the way software is
built, is built,
is distributed and consumed.
We no longer can you get the Microsoft Windows, you know,
CD or floppy disk and install it and give it to your friend
and they can install it and what have you,
and you never have to pay it again.
Everything's about recurring payments and it's about, you know,
annual retention rates and that's how businesses are built
and valued these days.
And the part of that is, I mean, you sort of mentioned the Microsoft stuff.
Remember Adobe Photoshop?
Back in the day, everyone had Photoshop because it was free.
It came on bootlegged CDs that you shared with your mates in the key gen.
And that's why everyone, you know, I think in
our generation knows how to use Photoshop, whereas now it's, uh, SaaS, you know, you've got to pay for it,
subscription, uh, platform. If you don't pay for it, you don't get access to it. Um, but alongside that
is the fact that maintenance needs to be done with this software. If you think back then,
you know, Adobe, you wouldn't update it for a year until you got the next version, you know, whereas now, you know, this software is a couple
of weeks. Yeah, exactly. Things like last... Office, right? Yeah. Someone like LastPass, they can't
afford to have a breach, you know, because their whole business is about, uh, you know, obviously
securing, um, you know, your security. Uh, exactly. That's going to cost money.
In fact, before
LogMeIn bought them, they did have a breach and they
handled it really well.
Yeah, but there's only so many of those you can
handle really well.
Like Sony, before it becomes
BAU. Of course.
Yeah, I mean, I'm
on the side of it's their product.
I can see Soldier of Fortran has said that, you know,
it's their product.
How are you a customer when you're not paying for something?
Surely the definition of being a customer means you're handing over
something in return for something else.
That's right.
That's right.
And you're not handing over anything.
It's not like they're giving you targeted ads in return.
No.
They know you have accounts with these service providers,
so let's now sell you ads for their competitors or something.
It's not like that.
And this isn't unique.
I mean, let's put LastPass to the side for a second.
But, you know, Google Photos, they recently announced that, you
know, they're putting an end to their unlimited free photo storage. Indeed, I believe we covered
this, uh, Jav, a few weeks ago with, uh, our co-host Graham Cluley. Uh, I believe, did the story, the other
old white man. But, uh, I don't know, older white man. Last year. Gramps Cluley.
Gramps Cluley.
Do you remember Sonos when they started bricking their devices?
They did a U-turn, though, didn't they?
They did a U-turn.
But, you know, it's something that every business these days considers.
John Deere, they make tractors,
and there's a big hoo-ha about them in the US because...
Yeah, that's a dick move from John Deere.
That is a dick move.
The point being is that our relationship with software and how we consume it is not what it was 20 years ago.
It's changed.
It's changed very much.
So, you know, my point is like, how much should we be paying for security?
To Andy's point, they're offering a great service.
It's a very vital service.
Is it reasonable for us to expect these kind of security things to be for free?
Especially if it's a standard.
I would understand.
If it was built in, if, like Microsoft bought LastPass and then they said, but to unlock it, you need to pay us another $2.25 a month.
I would say that's, you know, I'm paying you a subscription for O365.
I want it to be included.
Yeah, that's right.
That's right.
This is a standalone product.
Yeah.
I think even Microsoft wouldn't do that.
No, no.
So, you know, how much should we expect people to pay for security?
And one of the challenges we do have is that everything nowadays
is kind of like a standalone product,
and everything is built to us for less than the price
of a cup of coffee a month.
But there's only so many coffees you can have in a month.
That's like a measurement of, uh...
And the funniest thing about that is the success of coffee shops when you can make great coffee at
home. Yes. Yeah, or in the office. We got one of the fanciest machines I've ever seen
in our office, and, uh, we still go out and buy coffee.
but that's now you're talking about the social aspect of going out.
Yeah,
exactly.
Yeah.
God,
I miss that.
Yeah.
Exactly.
I go to the coffee shop in town,
you know,
my,
you know,
my,
my regular place.
All right.
All right.
Busy?
No.
See you tomorrow.
I was trying to go in there once a day to get a coffee.
Anyway, I think I was going to say, yeah, the thing here is this is not a closed market.
There are plenty, plenty of other products out there.
In fact, I believe that the second best podcast, um, in the world is sponsored
by another one of their competitors. Yeah. Um, and just to clarify, the reason that LastPass
needs to start charging is because they used to sponsor the second best infosec podcast.
That's true. They've probably funnelled all their cash into Smashing Security,
friends of the show, and now can't afford to offer a free version.
So, yeah, thanks, Gramps.
Yeah.
So for any startups out there wanting to get massive exposure but not bleed the coffers dry, come to the Best Security Podcast.
We're a lot cheaper.
We're a lot cheaper.
But going back, you know, it's not like it's a closed market.
There are plenty of other options.
And in fact, you could, on all platforms,
I can't talk about Linux because I don't have anything of that here,
but on all platforms.
Most of the people that use Linux have already sort of got the tinfoil
notebooks.
This is true.
They build their own password managers.
Yeah.
They don't trust cloud-based.
We compiled the kernel.
But so, for instance, Safari on Mac has got its own keychain,
which works across the iPhone.
Yeah.
You could, if you don't use a Mac.
It tells me frequently the amount of passwords that are compromised that I use.
Yeah, that's right.
On Windows machines, you could download Chrome or Firefox and do that on Android.
And if you create accounts, they share password credentials as well.
Maybe not as good as LastPass.
And generally, I don't think they are. I'm a LastPass customer, and a very happy one. A family... I think I have a family account with them. Um, but
it is that you get what you pay for, right? You get what you pay for, absolutely. Yeah, yeah. And you
can't, you can't ask for your money back on a free service when that free service changes.
Yeah.
This free service you are in no way obligated to use
now wants to cover its costs.
Yeah.
Yeah.
I mean, like, exactly.
I don't think there's anything more to say on top of that.
I think everyone loves a free product, yeah,
but also, you know, why begrudge someone or a business trying to monetize their offering
Yeah. Mic drop. Mic drop. Oh, oh, sorry, sorry, no, hang on. Rant of the Week. Blimey, we got into that, didn't we? Oh, I like the "John Deere being dicks"
added into the show notes. You'll see that. Well, I thought I'd add that in, as, uh, you brought up,
it's like, what John Deere did, and then no one explained what they did. Yeah. So, you know, yeah,
should you want to know: if you buy a John Deere tractor, only John Deere can service it
and do anything with it.
If somebody else basically opens it up and starts servicing it,
it shuts down the tractor and you can't use it.
And if you put non-John Deere parts in it, it shuts down the tractor.
It's not good.
People are jealous of tractors.
Yeah, yeah. And it's increased the sales of second-hand,
uh, or older John Deere models as well. Yeah, that's right. And the brand's, you know, the, um, it's
damaged the brand as well, massively. I mean, geez, John Deere is a, you know, massive brand in the US,
and here I am living in a, you know, living in a town in the UK, knowing that John Deere are dicks.
Do you know what I mean? It's like news travels. So when I'm next in the market for a tractor,
I tell you, I'm not buying John Deere. You're not buying a John Deere one. You make sure your
gardener doesn't ride John Deere. Damn straight. Damn straight. And on that note.
You're listening to the Host Unknown Podcast, Bubblegum for the brain.
Fantastic. So our source on probation over at the InfoSec PA Newswire has been very busy bringing us the latest and greatest security news from around the globe.
Industry news. Yandex insider breach hits nearly 5,000 inboxes. Industry news. Duo charged with multi-million dollar dark web drug scheme.
Industry news.
Microsoft.
1,000 plus hackers worked on SolarWinds campaign.
Industry news.
Centreon.
Sandworm attacks targeted legacy open source product.
Industry News.
NHS phishing scam promises hashtag COVID-19 vaccine.
Industry News.
Singtel breach hits 129,000 customers.
Industry News.
Two more Lazarus Group members indicted for North Korea attacks.
Industry News.
And that was this week's...
Industry News.
Industry News.
Oh, dear.
Huge, if true.
Do you know what?
The one that really surprises me here,
Duo charged with multimillion-dollar dark web drug scheme.
I know.
Are revenues down for Duo
security or something? Because
I thought they were a good, valid business.
But now they're... What's Wendy
Nather doing? I have no idea.
She's involved in a dark web drug scheme.
She's gone full Heisenberg, hasn't she?
She has.
It's really weird. I wonder
if Cisco are going to distance themselves from it.
Well, precisely... Hold on a second.
I've just got an incoming call.
Yeah, it's the
lawyers. They want to clarify
it's not Duo the company.
Not Duo the multi-billion
dollar company with a large team
of corporate lawyers, but rather
Duo as in
indicating two people. So, so who's working with Wendy then?
Wendy, if you're listening, or in fact anybody from Duo, would you like to comment?
Oh dear. Oh man. I... the one... the story beneath it, the one that Andy read: Microsoft, a thousand plus
hackers worked on SolarWinds campaign. Did they find the timesheets or something? Where did they
find a thousand hackers from? There's a... in case no one knows, we've got, like, a 50 billion shortage
of security professionals according to (ISC)². So where have they
found a thousand? Um, they're all the ones that don't have five years of experience.
The associates, right? Yeah, that's right. So, I mean, Microsoft assigned 500 engineers to look into this themselves,
internally.
Wow.
Wow.
How many years' experience do they have?
Combined, they have 500 years' experience.
That's incredible.
I mean, Sunburst has been, well, probably the biggest since NotPetya, right?
Yeah.
Yeah, it's quite a big one.
It's probably bigger than NotPetya and WannaCry in terms of impact, potentially.
It's just that it's not quite so – it hasn't taken people out of business,
you know, like shutting the NHS or closing down
Maersk or Sony or whatever. What it's done is just opened up back doors, so it's not quite so dramatic.
Yeah, but I think there's a lot more people, um, sort of, misery loves company on this one. You know, so
many people have been impacted, it's a real sort of, how do we work together to fix it? Yeah, that's right. That's right.
Well, this is the thing.
It's like, again, this is capitalism at its finest, isn't it? When the rich get attacked or things don't go their way,
then suddenly you can find 500 engineers.
But someone gets scammed by these call centers abroad,
and they're like, hello, I'm calling from Microsoft and I'm here to help you.
And then they,
they scam some poor pensioner out of their money.
Then it's like,
oh,
sorry,
file a police report and get a crime reference number.
There's nothing we can do about it.
Yeah.
Yeah.
Well,
it's about getting the right people to,
um,
to be attacked,
isn't it?
At the end of the day.
Yeah.
Hmm. Hmm.
Okay, well, let's move on to... Javad's Weekly Stories.
Oh, you know what?
I haven't filled anything out in...
Okay, in which case, that was this week's.
Javad's Weekly Stories.
Another solid week's.
Jav's employers must try harder.
Okay, so... Ooh so what should we do
I think we're going to have to go
straight on to tweet of the week
time is pushing
quite
is nudging us
insistently in the back
well if you stop
if you stop gassing
and carry on with it
we would
yeah alright
I'm trying to find
the blooming
You know, Jav,
whenever Tom's talking in between, it's because he's searching on his iPad, scrolling through the
different ports for which there are so many bloody jingles. I can't find the damn... He's picking it up
and pulling it closer to his face and squinting like a mole looking over his glasses. Is my camera on?
Tweet of the week.
And we're doing that one again, as always.
Tweet of the week.
So I have this story and I absolutely love it.
I think Jav, you sent it around the group chat.
Oh, sorry, Tom.
See, normally when funny stuff comes through,
if it's not come from me, I just instantly assume it's Jav.
But this is just what my brain does.
It just fills in the blanks, obviously.
Tom spent a long time, and I mean years,
being very passive on the group chat.
And so, you know, when you do send stuff it does make me
double take sometimes. But, uh, so this is, uh, just... or how do I say, just not poking fun at, uh, what's
going on in Texas, but, you know, there's a light-hearted version of, you know, what's come out
of, uh, you know, the weather troubles they're having over in Texas. And this is a guy who's
talking about his brother, who's essentially like a prepper, uh, you know, for all, uh, for all
intents and purposes. And this guy has done this tweet, and his name is @torriangray on Twitter,
Jean-Michel Conard. And so he says: so my eldest brother, who is a moron, has been playing soldier with his moron
friends in the deserts of Texas for the last year, preparing for the collapse of civilization
if Biden won. This is LOL. They were burying food and ammo stashes out in the desert, running drills,
crazy stuff. Uh, so this included getting a CB license so he could be
their lifeline to other groups of white idiots when the cell towers all went offline, because
he wouldn't want to violate federal law while communicating with your resistance groups after
the fall of the federal government. So he says, anyways, you would assume, given that they've
been prepping for the end of the world for at least a year,
they were well situated to ride out the rolling blackouts. Right.
Well, and he goes into great detail of examples of how they are just failing terribly.
So he says, their plan for cooking and eating during an extended power outage was natural gas. But, like
a lot of homes, their gas service is out. The food in their freezer and fridge is already toast due
to the power outages, so they're down to canned stuff. But there's a catch: they can get into the pull-top
cans just fine, but the ones that require an opener... their only can opener is electric. So a good three
quarters of his canned food store is inaccessible to him unless he goes after it with a knife, which
I sincerely hope he does. Um, and it's just a great thread. It's like, so Captain Survival was eating
unheated ravioli out of a can yesterday because I guess he doesn't know how to start a fire.
They've got a fire pit, but that too is gas fired. Oh my God. And so that, I mean, the great thing is,
it's just a great thread to read. It's like, you know, the saving grace in all of this is that he's having to
ration his phone usage, uh, so he can't sit on the phone with his mum for hours crying about it.
And, yeah, he's presumably sitting there shivering,
ranting about libs while he sucks down cold beefaroni.
What a life.
But on the plus side, they've got plenty of guns and ammo so they can shoot the shit out of snow.
I think we've all seen the images of the Capitol, um, you know, riots and what's gone
on in the US, yeah, that ran up to the election. Uh, and I can honestly believe everything here.
You know, even though you wonder if some of these, uh, stories were embellished a bit for, uh, you know,
entertainment value, uh, I genuinely believe that all of this happens and probably is just scratching the surface of what's going on there.
But I mean, you know, to not take the piss too much and to try and tie it up.
I think this is a classic example of testing your continuity plans.
Yes.
You know, how many people, you know, got hit by the pandemic and then realized their network couldn't take, uh, you know, everyone working from home, for example. Um, you know, with the bandwidth issues, you know, offices are
inaccessible for long periods of time. Um, and where you've got this guy here, clearly, you know,
prepping for so long, just didn't think that, uh, electricity would go out. Um, and, uh, yeah, all the
gear, no idea, I guess.
Or not realising that his electric can opener runs on electricity.
Yes.
Those damn government funded electricity.
Government.
But yeah,
no,
great thread.
It's linked in the show notes.
Probably even funnier when you read through it yourselves.
It was a very, very good story.
In fact, he tells a lot more stories about his brother as well.
He does, yeah.
And, you know, you can spot the Republicans in the responses.
Yeah.
You're not really careful.
Yeah.
If you keep your wits about you and understand the type of hints
that they may drop, yeah.
Excellent.
Thank you, Andy, for this week's.
Tweet of the Week.
Right.
I think we're going to have to skip the Sticky Pickle given –
sorry, Sticky Pickle trademark of the week –
given we've already hit an hour.
Blimey.
Yeah.
Blimey.
Couldn't shut us up this week.
We're not getting through half the stories we've got.
No.
No, I don't know why we make so much effort.
We're doing the Jerry Maguire method of fewer stories,
but better research, better content.
Better research?
No.
No.
Just talk about the fewer stuff for a bit longer.
Yeah, that's right.
Just pad it out.
You know, you've got a 10-minute presentation,
but you've got half an hour to fill.
No problem.
Three slides.
You're right.
Exactly.
Three slides and a lot of fun.
Don't rely on the audience to ask questions at the end.
No, that's right.
That's right.
Excellent.
So, gentlemen, thank you so much for this week.
Really appreciate it.
Thank you.
Thank you, Javad.
Thank you.
It's been a pleasure.
As always.
Thank you, Andy.
Stay secure, my friends.
Stay secure and thank you very much.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
r slash Smashing Security.
We should actually check out that Reddit channel to see if anybody has
complained.
I'm sure Gramps will let us know if someone has.
That's true.
That's true.
Outsource it.
Yeah.
Or Carole anyway.
I mean,
you know,
Gramps is probably a bit too tired these days,
but you know,
I'm sure Carole would let us know.