The Host Unknown Podcast - Episode 45 - The Antibody Episode
Episode Date: March 5, 2021

This week in Infosec
Liberated from the "today in infosec" twitter account:

2nd March 2002: Zone-H was launched in Estonia and began saving and publishing copies of defaced websites 7 days later.
http://www.zone-h.org/news/id/4742?hz=2
https://twitter.com/todayininfosec/status/1234492350833008640

2nd March 2010: Gregory D. Evans' book "How To Become The World's No. 1 Hacker" was published. The book was heavily plagiarized and not held in high regard. Evans was quite controversial... to say the least. And got a lot of attention for a couple of years. Google him if you wish.
https://twitter.com/todayininfosec/status/1234320212117221376
https://attrition.org/errata/charlatan/gregory_evans/
https://blog.c22.cc/2010/06/17/threats/comment-page-2/

Rant of the Week (not covered)
A warning went up on the perl.org infrastructure weblog late in January notifying users that perl.com now directed to a parking site and advised against visiting "as there are some signals that it may be related to sites that have distributed malware in the past." The site later returned an ERR_CONNECTION_CLOSED error message. The hijack appears to have followed the age-old path of an attacker pouncing on a compromised account and swiping the domain rather than a simple expiration.

A good read-out of what happened from Perl's point of view, as well as their incident response processes (link at the bottom):

We had learned very quickly that when you use the registered domain for your email contact, no one can contact you when that domain no longer handles your mail.

What we think happened
This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.

John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder.

RANT: Domain was hijacked, old methods, there are no new hacks!
https://www.perl.com/article/the-hijacking-of-perl-com/

Billy Big Balls
AOL phishing email states your account will be closed
https://www.bleepingcomputer.com/news/security/beware-aol-phishing-email-states-your-account-will-be-closed/
https://mashable.com/2014/08/21/aol-disc-marketing-jan-brandt/?europe=true

Industry News
Our source on probation over at the Infosec PA newswire has been very busy bringing us the latest and greatest security news from around the globe!
TikTok Set for Massive $92m Payout Over Privacy Suit
Facebook Photo-tagging Lawsuit Settled for $650m
Go Malware Detections Increase 2000%
Quarter of Healthcare Apps Contain High Severity Bugs
Microsoft Patches Four Zero-Day Exchange Server Bugs
Password Reuse at 60% as 1.5 Billion Combos Discovered Online
Ransomware Attacks Soared 150% in 2020
Canadian Cyber-Agency Workers Threaten Strike
Missing Teens Used School Laptops to Chat with Alleged Abductors

Javvad's Weekly Stories
Jav has the COVID Jab

Tweet of the Week
MalwareAndPickles @malwrandpickles: It's probably nothing.
Marc J @DrGeekthumb: The server room had no lock.
Andy Cooke แอนดี้ คุกส์ @cooke_andy: OK, 3389 open to the internet.
MrR3b00t | it's safe just don't go outside @UK_Daniel_Card: I wiped the right drive right?
Christopher J. Marcinko @christoperj: I'm compliant so I'm definitely secure
David Downs @drdowns: We have a strong password policy
Simon @cigh033: "sorry, your password is too long"
Josh Centers @jcenters: Rudy Giuliani, professional cyber security expert
wim letzer @wimletzer: That does not happen to me.
David Robert Newman @davidnewman: "I wrote my own crypto libraries"
Jeroen Jetten @TheTallestJJ: We're too small to be attacked
James Kelley @kelleyllc: Client required SolarWinds for security reasons.
dao ming si @dms1899: Our security policy protects against abuse.
Moreno Daltin @morenji: We have always done this way
Paul Stephenson @tupelofortitude: Wife found my credit card statement
https://twitter.com/Sophos/status/1367082335997427720

The Little People
There will no longer be a Little People segment for the foreseeable future.

Sticky Pickle of the Week
Imagine you are the CEO of an American-based, billion-dollar global company. You hit a SNAFU and are called to testify before Congress about what happened. Obviously the members of Congress will want to know, in layman's terms, how your IT infrastructure was left so unprotected that it was used to deliver malware to several branches of the federal government as well as a series of high-profile private sector targets. What might be your go-to responses?

Correct answer: Blame the intern.

According to Thompson and current SolarWinds CEO Sudhakar Ramakrishna, an intern who worked at the company posted the "solarwinds123" password on GitHub back in 2017. Security researcher Vinoth Kumar later discovered that the password had been posted publicly since at least June 2018 and informed the company of the leak in 2019, at which point, according to Ramakrishna, it was removed from GitHub.

Needless to say, that explanation still leaves a lot of questions unanswered. For instance, was the intern actually responsible for setting the "solarwinds123" password? And, if so, why on earth had the company delegated responsibility for setting such an important password to an intern? Was the password actually changed when the leak was discovered in 2019 or was it just removed from GitHub? And why was there no multifactor authentication protecting that server if it could be used to transfer files onto company servers?

It's a tempting narrative—as the stories about how a massive, complicated breach is the fault of a single actor often are—in which some clueless college student shows up for a summer and sets a dumb password and then carelessly leaves it up in some publicly accessible code on GitHub. Above all, it's a story that's easy to understand, especially for members of Congress. For instance, California Rep. Katie Porter pointed out at the hearing, "I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad."
https://slate.com/technology/2021/03/solarwinds-hack-cyber-espionage-intern-password.html

Come on! Like and bloody well subscribe!
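The registrar hop in the perl.com rant above (compromise in September, a December transfer that left the nameservers alone, a second transfer in January) shows up in registration data if someone is actually watching it. As an added example, not from the podcast or the perl.com article, here is a Python monitor that summarizes RDAP-style domain records and diffs two snapshots, flagging a registrar change that leaves the nameservers untouched, new transfer events, and a registrant contact address hosted on the monitored domain itself (the trap the Perl team described). Field names follow the RDAP JSON format; the snapshots, registrar names and example.org domain are constructed.

```python
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse an RDAP eventDate (RFC 3339, 'Z' suffix allowed) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _vcard_field(entity, name):
    """Return the value of the first jCard property called `name`, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def summarize(rdap):
    """Reduce an RDAP domain object to the few fields worth watching."""
    registrar, registrant_email = None, None
    for ent in rdap.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            registrar = _vcard_field(ent, "fn")
        if "registrant" in roles:
            registrant_email = _vcard_field(ent, "email")
    return {
        "domain": rdap["ldhName"].lower(),
        "registrar": registrar,
        "registrant_email": registrant_email,
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "events": {ev["eventAction"]: _ts(ev["eventDate"]) for ev in rdap.get("events", [])},
    }


def check_contact(summary):
    """Flag a registrant address on the monitored domain: it goes dark in a hijack."""
    email = summary["registrant_email"] or ""
    if "@" in email and email.rsplit("@", 1)[1].lower() == summary["domain"]:
        return [f"registrant contact {email} is hosted on {summary['domain']} itself"]
    return []


def diff_snapshots(previous, current):
    """Compare two snapshots of one domain; return alert strings."""
    old, new = summarize(previous), summarize(current)
    alerts = []
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']!r} -> {new['registrar']!r}")
    if old["nameservers"] != new["nameservers"]:
        alerts.append(f"nameservers changed: {old['nameservers']} -> {new['nameservers']}")
    elif old["registrar"] != new["registrar"]:
        # The perl.com pattern: the site keeps resolving, so nobody notices.
        alerts.append("nameservers unchanged across the registrar change: site still resolves")
    if new["events"].get("transfer", EPOCH) > old["events"].get("transfer", EPOCH):
        alerts.append(f"transfer event recorded {new['events']['transfer'].date()}")
    if new["events"].get("last changed", EPOCH) > old["events"].get("last changed", EPOCH):
        alerts.append(f"record modified {new['events']['last changed'].date()}")
    return alerts


def _snapshot(registrar, last_changed, transfer=None):
    """Build a constructed RDAP-shaped record (not a real registry response)."""
    events = [
        {"eventAction": "registration", "eventDate": "1996-05-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-05-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": last_changed},
    ]
    if transfer:
        events.append({"eventAction": "transfer", "eventDate": transfer})
    return {
        "objectClassName": "domain",
        "ldhName": "example.org",
        "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "ns2.example.net"}],
        "events": events,
        "entities": [
            {"roles": ["registrar"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", registrar]]]},
            {"roles": ["registrant"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["email", {}, "text", "hostmaster@example.org"]]]},
        ],
    }


# Constructed timeline mirroring the rant: one snapshot before the compromise,
# one after a December transfer to a new registrar that left nameservers alone.
BEFORE = _snapshot("Registrar A (constructed)", "2020-06-12T09:30:00Z")
AFTER = _snapshot("Registrar B (constructed)", "2020-12-03T17:05:00Z",
                  transfer="2020-12-03T17:05:00Z")

if __name__ == "__main__":
    for line in check_contact(summarize(BEFORE)) + diff_snapshots(BEFORE, AFTER):
        print("ALERT:", line)
```

Run against periodic RDAP pulls for your own domains, the "registrar changed, nameservers unchanged" alert is the one that would have fired months before the parking page appeared.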
Transcript
so who are we thinking of insulting this week
I don't know if we've got a little person
we can just insult their mum
or something
some close family member or something like that
listen I've got to make a public apology to Yusuf
because he was a bit upset with me
from last week. You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
Welcome to the Host Unknown Podcast, episode 45.
This is the anti... I was going to say the anti-vax special. No, it's the antibody special. Um, and, uh, yes, welcome to the show. Javvad, how are you, sir?
Uh, barely alive.
You nearly didn't make it this morning.
I nearly didn't, especially as I was glowing bright green last night.
You did go for the COVID vaccination, right?
Not the Chernobyl one.
I think that's what I went for.
No one seemed to know what they were doing.
It was the tent out in the parking area after GP surgery.
You just handed over 50 quid, right?
And the guy said he could do it for you.
Yeah, exactly.
You could jump the queue.
Yeah.
I wanted my travel passport.
And then he'd get the injection afterwards.
Yeah, yeah.
So, yeah, you feel a little bit unwell, Jav?
Yeah, yeah.
Last night I was just feeling a bit cold, a bit of the shivers,
and that's passed.
Now I just feel like, you know when you're on the other end of a flu
after like five days, or a man flu, should I clarify,
and you're just feeling a bit run down and achy.
It's just at that phase.
I think I'll survive.
But, you know, just for our listeners,
if I've ever in any way accidentally offended you, upset you, I'm sorry.
Let's move on.
Blimey, it was supposed to be a jab for COVID, not a conscience.
And also, none of our listeners can see this, but Jav is actually sat in his office. He's got a woolen beanie hat on and a massive zip-up hoodie with the hood over, and then his headphones over the top of that. So he can't really hear much anyway, but he looks like the Michelin Man.
A homeless version of the Michelin Man.
The homeless version, yeah, I'm talking about the homeless version.
Andy, how are you?
Not doing too bad. Still, uh, still kicking it. I've, um, I am still awaiting my jab. Obviously I'm not as old as you two, so I am much further down the list, so hopefully I will get mine in the next couple of months.
Much younger and healthier, right?
Much younger and healthier, and then... although not according to the photos you sent us earlier.
Well, I have had a – do you know what? I was concerned.
I had to see the doctor on Monday, but obviously with the current
COVID protocols, it's not an in-person visit.
No.
Yeah, so it's weird.
I had to download this app, and then we sort of talked about
what my symptoms were, and obviously I was a bit concerned.
So essentially all my glands have come up, like all swollen.
And, you know, they were getting redder.
And now the skin's all cracked.
And, you know, I was Googling some symptoms myself.
And I was like, oh, this is either diabetes or cancer.
Like, you know, it's not looking good.
But fortunately, no, the doctor says it's just a, uh, infection brought on by stress. So I'm like, unsurprising.
Unsurprising given your workload. But also, Jav, do you think, do you think we made the right decision to not make this the, uh, the first video episode of the podcast, you know, given what it was like looking at Andy when he first came on this morning?
Well, to be fair, it's all gone down from my face.
So, you know, I've got like high neck, high neck T-shirt on.
You're doing a Steve Jobs today, I must admit.
Yeah.
But yeah, the funniest thing about that was doing the whole diagnosis via app. And, you know, she asked for the photos and I'm like, well, you know what it's like, it's like I'll send pictures of myself naked, I just want to confirm these are solicited pictures, right? And I'm like, you know, I don't know how safe that... you know, I don't know where these things are going. So I'm like, make sure my face isn't in any of these pictures, right?
And you send them to us?
No issues with you guys, that's fine, like, you know, you've seen worse. But, uh, you know, the doctor, you know, what's she gonna do with it? But, uh, obviously the funniest thing was the, uh, she prescribed loads of medication, uh, which I had to pick up direct at the pharmacy. Like, you know, the prescription goes straight to the pharmacy. I got there, the pharmacy calls me out, says, uh, you know, to give the instructions of everything. And, um, my favorite part was this, uh, steroid shampoo, which, uh, and, uh, you know, the pharmacist is like, this is for you, right? I'm like, yeah. You need to leave this in your hair for three to five minutes. And so looks at my bald head and it's like, for you, right? Yep. So, uh, yeah, there's a few, a few hiccups in that, that way of, uh, diagnosing someone, but, you know, it mostly works.
And if you've just joined us, welcome to the Host Unknown healthcare edition. Call in, let us know your symptoms and, uh, we'll do our best to completely misdiagnose it and give you shampoo for your bald head. How are you doing, Tom? You're fully, uh, recovered from your COVID jab, right?
Yes, I had, I had, I had mine, um, before Jav. I'd like to say I, I obviously pulled my white privilege card to get that.
And yeah, I had it last Saturday at Bath Racecourse, of all places.
It was really efficient.
I mean, you have your details checked three times on the way in,
but that's fair.
It's a pretty sort of – it's a big sort of logistical exercise.
Sat in a chair, had a chat with a nurse who was the sort of third check-in
and I had to sign the forms and all that sort of stuff.
She told me what I was getting, all that sort of thing.
And then I was told to go and wait at a chair.
Two minutes later, got called into a booth, had the jab,
20 minutes sat in a chair because I was driving
and they don't want you to drive straight away.
Oh, really?
Yeah. And then, and then went and got a takeaway cup of tea from the cafe on site and, uh, drove home. It was really easy. Uh, and then that night slept for 12 hours and then for just over 10 hours the following night. So I didn't feel any effects apart from the fact that I just died,
was dead to the world overnight.
So, so folks, all of you naysayers out there, all you anti-vaxxers out there, uh, I'm sure there's not that many of you who, you know, you've obviously, uh, shown a modicum of intelligence by just listening to the podcast in the first place. But, but yeah, really, just chill, chill the hell out. Get your, get your, uh, get your jab sorted as soon as you can.
And then if we can debate the niceties of the jab and the whole process in the pub later this year.
And that's my public service announcement.
That's your unofficial rant of the week, right?
Yes, my unofficial rant of the week.
I know somebody who said, oh, I don't want to get the vaccine.
I said, why not?
I don't want to put that in my body.
What?
This is a person who travels to Africa every year
and gets all the vaccination.
Well, I have to have those in order to travel.
Well, you might need this one in order to carry on living.
Yeah, you know, it's really funny. I was talking to one of my American colleagues yesterday and the same topic came up about the vaccine and what have you, and I was like, if you're brave enough to put some of that American takeaway food in your mouth, then I'm sure the vaccine is nothing by comparison.
Brave enough to eat, brave enough to eat Hershey's.
Yeah, or McDonald's or whatever it is.
That melted cheese thing that they call cheese, whatever it is.
Oh, cheese flavour.
Cheese flavour, mac and cheese.
Pasta and orange powder of unknown origin.
That's it.
Oh, dear. Anyway, what we have got for you this week. Oh, we've got a massive Tweet of the Week, we've got a Billy Big Balls, Rant of the Week, Industry News. Certainly after last week, we're not going to have a Little People today. I think it's time to retire that segment.
I think the offers of doing Little People have dried up since last week.
Yeah, before that they were knocking down,
banging down the door, weren't they?
Yeah, exactly, exactly.
If you're listening, Yusuf, you know,
the joke was on Jav, not you.
But
we do have a sticky pickle
of the Week trademark.
It's a doozy this week.
I'm looking forward to that one.
So, yeah, without further ado, shall we move on?
Let's do it.
Let's do it.
This week in InfoSec.
I said let's do it and then realized it's me that's going to be doing the talking here.
This is the part of the show where we liberate content from the Today in InfoSec Twitter account.
And although it has not been updated for very long, we have gone years back and managed to find some stuff that occurred this week in InfoSec. So, taking us back 19 years, on the 2nd of March 2002 the Zone-H website was first launched in Estonia, and this website then began saving and publishing copies of defaced websites seven days later.
Now, why this was monumental in InfoSec history was, I think, roundabout back in that time,
the only other site that mirrored stuff was attrition.
And maybe a German site called Alldas, I think it was.
But this is where, you know, when hackers did something amazing, you know, such as deface a site or get their political message out that these were the people that mirrored that.
So you could go back and view what happened because you can go around and see it in real time, you know, if you missed it. I guess I had my first cyber crush on someone called Evil Angelica, who may not even be a woman, but she just had fantastic humor
when it came to defacing websites.
Always something funny, always something witty, always something clever.
And these were the sites where you could see them.
And I believe I read that a couple of months after these guys started,
Attrition actually gave them a copy of their mirror,
which went back to 1995.
So, you know, it's not often that that sort of…
I didn't know Attrition did mirrors of defaced websites.
A long time ago they did.
And so, yeah, that's the problem with, you know, like Zone-H, you know, Audacity, Attrition. You know, back then it was like really sort of newsworthy, um, you know, sort of, there weren't as many websites, and, you know, quite often it was a, well, actually it's always a default password. You'd go into Tomcat or whatever and, uh, just, uh, admin/admin and, um, you know, you get in, you could change it there. But this is when, you know, hackers would deface, like back up the index page but then, you know, write a funny message on it or, like, yeah, image and stuff like that. But nowadays it's graffiti on the, on, on the shop window, basically. It was, yeah, it wasn't actually that harmful, like, you know, I mean, yeah, it was, it was bad reputation-wise, but it's not like they've stolen data or anything like these, though. They're not encrypting stuff, um, you know, it's just a little defacement. But yeah, they've all stopped, uh, doing these mirrors, uh, now. I guess there's just too much to keep up with, um.
Oh, so they're not doing it anymore?
I don't believe so. So Zone-H hasn't been updated for a number of years. I think 2015 is the last time they updated.
Obviously, attrition stopped long before that and pointed to other sites.
But I guess it's just difficult with every site that's out there, the slightest.
The people that ran it either got proper jobs or had kids, one or the other.
Guaranteed.
Seems to be the way.
Absolutely guaranteed, or probably both.
Yeah.
And as all three of us know, having proper jobs and kids
stops you from doing an awful lot of stuff.
Yeah.
Well, I think it's two-way.
On one hand, it stops you from doing stuff.
That's part of it.
But the other part of the pie chart is it just sucks out all the motivation for doing any other sort of stuff as well.
Well, uh, I'm trying to put a positive spin on that statement.
Oh, oh, sorry, yes, yes, yes.
All the motivation, not because you feel like you, you haven't slept for seven years and, uh, uh, wondering, you know, what you did to be fate's cruel mistress in this particular relationship, or because actually you're thinking about bigger and more important things like the future for your children.
Wow.
Or how to build a time machine, go back in time and tell yourself it's not worth it.
Oh, my dear, so welcome to Host Unknown, a parent's podcast.
The dad bod edition.
The dad bod edition. Yeah, we've got three significant dad bods today.
I like that. I'm going to have to look into it. And do you know what, every now and then I always like to drop into attrition.org and see, um, you know, see, see who the latest, uh, plagiarists are, or the latest, um, uh, what do they call them, the charlatan, charlatans.
Yeah, well, charlatans are, but I doubt it's been updated.
You are, you're gonna like this second one, uh, yeah, I have for you. So 2nd of March 2010, just a mere 11 years ago, and I've been worried about this one coming up because I just don't even think I can do it justice. Um, and it's one of those things that, and I think people will look back on, you know, when future generations explain to their kids what it was like living through the Trump era, you know, when he recommended people inject bleach during a pandemic, stuff like that. You know, unless you're actually there to witness it, you're just not going to believe it. You think it's been embellished and stuff like that. So 2nd of March 2010, Gregory D. Evans' book "How To Become The World's No. 1 Hacker" was published. This book was heavily plagiarized and not held in high regard, um, but Greg Evans was quite controversial, to say the least. And he got a lot of attention for a number of years.
Yeah. And yeah, again, from our friends over at Attrition, they have an entire section dedicated
to him. Now, Greg, I mean, I don't even know how to, you know, explain if you don't know who he is,
I don't even know where to start, you know, to start. So he called himself the world's number one hacker.
He said he was a high-tech hustler, convicted felon.
He gave his prison number or whatever.
Said that he shared a cell with Kevin Mitnick and all kinds of crazy things like this,
which are just easily disproved.
But he built this massive company.
Are you joking with me as to if he actually did?
He didn't.
No, yeah, he didn't share a cell.
Oh, he absolutely didn't.
No.
I don't even think they were in prison at the same time either.
I was going to say, given that we have access to somebody who knows Kevin.
Yeah.
Works with Kevin.
Has, you know, has got a similar ID badge to Kevin to get into the office.
You know.
I'm sure Jav could.
No, no. Even Kevin's refuted, uh, all of his claims, or a number of whatever he said. I, you know, the thing with Greg Evans is that he doesn't even try to tell the truth. That, that's the thing. It's a different thing where you have something that's based around the truth and then you, you exaggerate it. This is just like straight-out fabrications come out of his mouth.
Well, I mean, it worked for Trump for four years. I mean, really, Greg Evans was a man ahead of his time. He did it first.
So he, he basically plagiarized everything. Um, like, his high-tech hustler book was 100 percent, uh, copyright infringement. It was every single part that was ripped off. Um, you know what, the other books, uh, "125 Ways to Protect Your Personal Computer", 68 percent plagiarized. Um, his "Spyware Reference and Study Guide" came out as 99.3 percent plagiarized.
I'm surprised he was even able to do 0.7 percent.
And the copyright notice.
Yeah. Ironically, I mean, his website then became one of the most hacked websites. I think, like, this, this security firm, uh, website became one of the most hacked websites for, um, you know, for another, a number of months or a couple of years, uh, you know, after this stuff. Um, but yeah, he lied about having this CISSP, lied about having his CEH, lied about being a certified fraud examiner, lied about a CISM. Um, you know, all these things are not that difficult to get either, and they're not difficult to, I mean, yeah, you're going to get found out quite easily. But yeah, then, you know, over the next sort of, uh, you know, 18 months or so, he was removed from, you know, various speaking engagements and stuff. He's 11 million dollars in debt, um, or his company went 11 million dollars in debt, due to, um, you know, his, his various outlandish claims and, and lawsuits and software that, uh, didn't work. Um, but like I said, I can't do this justice, right? You, you stuck a link in the show notes, um, you know, what actually happened. I mean, where is he? Is he still around?
So I actually... his Twitter account's active. I'm guessing sort of RSS feeds.
And so, you know, I don't know if he's actually speaking or engaging with people.
But it's just, yeah, you're right.
This is the guy ahead of his time.
He did, you know, when you look at Trump and just say everything you're saying is a lie.
This guy did it first.
Yeah.
Yeah.
Yeah.
I love his Twitter bio. He's like, Gregory D. Evans is a cyber security, hashtag cyber security, hashtag mogul and founder of hashtag National Cyber Security. First hacker to make 100 million dollars.
Yes.
What?
Yeah.
Yeah, I have no idea where that number comes from, how he made that, whether he's implying that he had that much money or whether, whatever, I don't know.
Yeah, but, um, but I would, I really wonder where you, where do you go from here? It's a bit like, in 10 years' time, are we going to be talking about President Trump, for instance, and it's like, where did Trump go?
Because I know Trump's a slightly bigger, larger character, et cetera,
but where is Gregory Evans today?
Gregory, we know you're a listener.
Friend of the show, Gregory D. Evans.
Give us a shout.
Tell us.
Sponsor the show, my friend.
Ligat Security.
Is Ligat still around?
It's Ligat, yeah.
But I wonder, you know, what is he, you know,
is he working as like a SOC analyst somewhere under a pseudonym or,
do you know what I mean?
It's like what?
The man had no security bone in his body.
He was not a security person.
I think this is the biggest issue, is that he was just not a security person at all.
Yeah, yeah. But I just, I really want to know where he is today and what he's doing.
So, um, there was a podcast at that time, when he came out with the book, there was a podcast called SHITcast. It was the Students Hacker Right In It podcast. It was run by Matthew Hughes and...
Yeah, they came up with the name, I'm sorry, they came up with the name of that before they actually decided...
Yeah, it was gonna be called, yeah, exactly, exactly.
I'm sorry I interrupted you there.
No worries, no worries. So it's, and there were students at the time, uh, Matt Hughes and Tom, uh, Thomas Mackenzie.
Yeah, uh, they, they were both young.
T-Mac, exactly.
Yeah, he, although he doesn't go by T-Mac anymore, he's grown up, he's like...
Oh, he's had kids.
Yeah, he's grown up, he's married, he's had kids, he's got a full-time job. Well, actually, uh, he, he was like a head of red team services at IBM up until a couple of months ago.
And now he's CEO of a startup.
So good on TMAC.
And Matthew Hughes has been a fantastic freelance writer for many years.
And last year he joined the register.
So he's a reporter at the register.
So these guys went on to very big things.
Anyway, they were students in university at the time doing an ethical hacking degree of some sort, and they started up this podcast from their bedroom and it was, uh, what have you, and they, for somehow they managed to get Greg Evans on the podcast.
Oh, wow.
And it was a train wreck, as you'd imagine. Uh, I think they also got Chris John Riley on.
Oh, didn't this?
On the same show?
Yes.
Yeah.
Didn't this result in a lawsuit being issued?
Yes.
What?
Yes.
What?
I remember this now.
No way.
Oh, this was amazing.
So because they showed up Greg Evans for, you know, being a charlatan, he then went and launched a lawsuit. He was sending all sorts of vile threats and, and racist stuff to Chris John Riley, accusing him of being a white supremacist or something like that, I can't remember what.
You know, I'd actually forgotten all about that until you said Chris John Riley.
Then I remember, like, this is that thing.
I just can't do it justice to explain how crazy this was.
It was about, it was a good sort of like 12 to 18 months worth
of just craziness where it's like, what is happening?
Like, what is reality here?
Yeah, I know you referenced him in a talk you did once, Jav.
I think that was around about 2012, 2013.
Yes, I did when I have the chart.
The chart is the stages of your profession.
Yes, exactly.
Something like that, yeah.
Yeah, I think Gregory Evans, he had to, like, kind of get a, you know,
a sharpie and it fitted so far in the top right or whatever of the card.
He was beyond.
So along the X axis, there was, like, how well people know you.
And on the X axis was how much security knowledge you have.
Yes.
And on the Y axis was how well people know you
or how seriously they take you or what have you.
And he was high up because he was being invited on Fox News or what have you to give his expert opinions, but his knowledge was actually negative on the, on the security knowledge side.
Yeah, that's right. You definitely want to avoid that zone. But it's a bit of a self-fulfilling prophecy, isn't it? Because you only got to get on Fox News a couple of times and then you are their go-to expert.
And then you get quoted as being on Fox News
and then you get invited onto other shows as a result.
And the basis is you still know nothing.
And in fact, it's not just knowing nothing,
you're doing more damage than good.
And that's the great irony.
So he was much like Trump. He was, you know, he, he played the media exactly how he wanted to and he got what he wanted from it.
Yeah, yeah. I mean, there's that, um, you know, shortcut to, to getting, you know, famous, get on TV, etc. But, you know, become an expert is, uh, you know, you've got the traditional path, you know, go into something, you know, as a student analyst, work your way up, become, you know, maybe through management, technical expert, SME, then become, you know, consultant and then become an expert. Or it takes 15 years, right?
Yeah.
Or else, you know, you do something stupid, get caught, uh, you know, get arrested for it, become, become famous, and 18 months later you can just bypass that entire career trajectory and end up in the same interviews.
That's it
It reminds me kind of like
and Andy will appreciate the analogy
if you wanted a shot at the champ in
WWE
you could work your way up trying to win the Royal Rumble
or something or you could land
a cheap shot on the champ after a match,
come out from under the ring, hit him with a chair,
and then, you know, you've got the next main event,
you're fighting for the title.
I'm laughing like I know what you're talking about.
But nonetheless, it's very true.
Very true.
Right. Okay. Well, blimey, look at us. We're 26 minutes in.
27 minutes in already.
Greg D. Evans. Go and follow the links in the show notes. You just won't believe it happened. It's, oh my God, that really is a blast from the past. It's making me smile and laugh and cry all at the same time.
Anyway, thanks, Andy. That was this week's...
This Week in InfoSec.
Wow.
Right.
Do you know what?
I'm going to skip the next story and see if we have time for it later on in the show,
mainly because you gave me the most technical story ever.
And I'm reading through it thinking all I'm going to do is just read this out.
I have no idea what's going on.
And also we are very literally nudging up onto halfway through the show
and we've just done the first section.
Yeah, the Greg D. Evans show.
The Greg D. Evans show.
The host unknown podcast known as Gregory D. Evans.
Just don't tag him when you tweet this one out
because it's not worth the fallout.
Well, we're going to get sued.
Yeah.
Exactly.
Exactly.
So, yes, in all seriousness, I think we're going to move on
to the Billy Big Balls of the week.
Billy Big Balls of the week.
So this isn't a story that is necessarily a Billy Big Balls in the traditional sense. It's more of a, a story in a case of optimism, or what, they're still around, like Gregory Evans.
So I am, I'm intrigued.
Yes. So, you know, you get a lot of phishing emails where it claims to be a brand that you, you know and love and use, and say, like, we're going to close your account due to reasons. Click here to ensure that your access is not revoked. So, you know, it's particularly worrying when it comes through and it's like Netflix, it's like, oh, crap, it's not just me. It's like the seven family members that use this account. They're going to all lose access to it. So you click on the link, you put in your card details, you think you've renewed it, but in actual fact, you've given your details to a criminal. So we're quite used to seeing these things. But the one that really caught my eye this week was there's a phishing scam going around stating your AOL account will be closed. I think that's pretty Billy Big Balls because that's kind of like, you know, we know this is a diminishing market, but if you're still on AOL or have an AOL email address, you're pretty likely to click on this link.
Yeah, yeah. And you're probably old and we can take over your pension fund or something.
Actually, actually, on that topic, FBI did release an advisory this week, uh, warning about elder fraud, where scammers are targeting older people. So I think this probably falls into that category, because I don't think there's anyone under the age of, uh, I don't know, 78 that is using AOL.
Well, I'm to, I'm going to have to stand up, you know, uh,
stand up for somebody else.
So my aunt uses,
it still has an AOL email address.
No way.
Yeah.
Yeah.
She does.
I don't know.
I mean,
obviously AOL was bought out by somebody,
right?
It was,
you know,
acquisition.
Yeah.
So I don't know,
you know,
where she's still connects to,
but she still has the AOL account.
And in fairness to her, she's pretty savvy as well.
So, and she's not 78, Sally.
So, you know, please, I apologise on behalf of Javad again.
But what is it with insulting family members, Geoff?
Is it Scott Adams still has a, you know, the guy who writes Dilbert?
Does he still have an AOL account?
Yeah, scottadams@aol.com.
The Trump fan, you mean?
Yes.
Yeah.
Well, I just Googled him.
Yeah, I didn't realise that.
Oops.
But then again, that's part of him having an AOL account and doing Dilbert. That kind of
sets the era and also sets the kind of the feel of the universe he creates, if you see what I mean, even if it is Trumpian dystopia. But, yeah, so I think you're right, though.
In fairness, I think this is targeting a certain generation of person,
people who got onto the internet when it first arrived with AOL,
and let's face it, AOL was easy.
You plug in the CD and you're done.
Well, so that was a marketing campaign led by someone called, uh, Jan Brandt, I think it was. Ironically, Brandt. But, you know, so they called it like the AOL carpet bombing campaign.
Uh, and yeah, yeah, she was hired and basically her job was just to get AOL in front of as many people as possible, certainly because at the time they were competing against Prodigy, you know, internet, who sort of had the largest part of the market.
MSN Network, as I recall.
Was it MSN Network?
Okay.
The Microsoft one, the Microsoft.
Oh, yeah, yeah.
And who else do we have over here?
CompuServe over here.
CompuServe.
Yeah, and so, you know, and she just said,
all right, let's just get it out there, direct marketing.
And they emailed these AOL CDs with like 60 hours free,
90 hours free, all this kind of stuff.
Yeah.
Pizza boxes, it was in the cinemas on the back of popcorn boxes.
And for the kids listening today, when Andy says 60 hours free, 90 hours free,
that's because you used to have to pay to dial up to an internet provider
through your phone bill.
So if you were able to phone a number that wouldn't charge you for the call,
then, of course, you're saving huge amounts of money.
Yeah.
It would take you all night just to download one song
Yeah, so hers was quite an interesting story, because she had to, um, I'm saying she had troubles within the company keeping the sort of the startup software that AOL used. It had to fit on a CD, and sort of obviously the tech guys were like, oh, you know, this is like a five-disc installation. But she was like, no, that will not work with a marketing campaign.
It has to be a single disc.
And that's actually a really interesting story as well.
I'll try and find a link for that.
Well, it's actually where, you know, technology meets marketing
and who's right, you know.
And whilst technology probably could have produced a far better experience
by having, you know, multi-disc install, etc. They would have had nothing like, uh, the level of success they would have had, um, if, if, unless she had insisted on the single disc, you know, single click install, basically.
You're right, you're right. And, and I was watching a talk the other day and it was by a marketer, and he, he touched on this in a different example, but I think it applies so much to this story, this particular example, and how we count things in security in general. And the story is that I think Eurostar spent six million, or it could have been 60 million, I don't know, um, upgrading the rail system to cut journey time down by 40 minutes.
Yeah. Because someone counted and said customer satisfaction is all about reducing the time, and we need to do this, it'll be a better journey, you know, people get into Paris like 40 minutes quicker. Um, but he goes, no one stopped to think that, well, for a tenth of the price you could actually install high-speed internet all the way through the duration of the journey.
So people could have access to stream like Netflix or whatever through the entire journey.
Because that maybe would have made people happier and they wouldn't have minded the 40 minutes extra journey time.
In fact, for half of that price for a whole year, you could hire some of the world's top
models to serve free champagne up and down the carriages. Not only would have that made people
happier, but they would have been begging you to slow the trains down. So, you know, it's like
from a tech perspective, people always think about one from a particular lens and they're like,
we need this feature, this feature, this feature, this feature will make people happier and
happier and happier. But no, I think the Miss Brandt was right on point that, you know, you
need to make it something simple and easy that appeals to the masses. They can put one
CD in, it connects, it works. And that's sometimes the, the angle you need to go for.
It's that old, you know, when all you've got is a hammer, everything looks like a nail.
Yeah, I love, I love stories like that, because I love the, um, you know, the, the way that the whole thing gets flipped on its head, if you see what I mean. As you said, you know, for, for a, you know, a tenth of the price, you could have actually, actually made very few changes
and people would have been significantly happier.
I love the way that logic, when it's looked at,
or sorry, when a situation is looked at with a different kind of logic
and through a different lens, you end up with a much better solution.
And I think that's where, without wishing to turn this into a rant of the week by any
stretch, but I think this is where in security, all we do is focus on security, funnily enough,
you might say.
But actually, it's not a security thing in itself.
It's a people thing.
It's a finance thing.
It's a legal thing.
It's a business thing.
It's a marketing and perception thing.
It's all rolled into one.
That's right.
That's right.
Because if you think that you work in security and your job is to provide security, then you're in the wrong business.
I think you don't understand the business you're in.
To your point, you're absolutely right. What we're in the business of is giving the comfort of security. We're in an emotions business. We're not necessarily in a technical business. That's how I see it.
We're in the business of whatever it is the company does that employs us.
Well, we are that, but we're in the business of making them feel secure
and comfortable in the decisions they're making to sell more beer,
as your analogy would go.
To sell more beer, exactly.
I was slowly nudging towards that.
Sorry, sorry.
I've seen your slide deck so many times.
I jumped like three slides ahead in my mind.
Well, I was going to say, you know, I know I'm stealing from Andy's, uh, presentations here. You know, before I'm going to be, I'm going to be talking about toilets and toothbrushes next. So, uh, but, uh, you wait until you see my latest malware presentation, I'll tell you.
Oh, seriously?
Yeah, you boys are in for a treat.
Uh, right. It's funny, because I just finished one yesterday on ransomware.
Really?
Yeah.
Okay.
Well, I might tweak it because I think ransomware sounds a bit more relevant.
You send somebody a copy of your presentation,
they can't even get the subject right.
Jesus.
Thanks, man.
Yeah, man. Oh, dear.
Yeah, folks, watch his space.
There's a new presentation in town.
Andy will be announcing his tour date soon.
Awesome.
Thank you very much, Jav, for this week's...
Billy Big Balls of the Week
Tom I just thought you could start
billing Andy as your cover
band
a cover band
or even
I'm sorry, I'm sick, I can't
make it to this talk.
Just do it.
He'll put some Vaseline over the lens of his webcam.
You'll never tell the difference.
It's like the understudy in a big West End show, right?
Yeah, one of these days I'll be your understudy, Gav.
Gav? Andy, I mean.
No, no, it's fine.
The tree slips out.
That's okay.
Yeah, gentlemen,
I will be both of your understudies.
Oh, dear.
Andy, what time is it?
So it's that time of the week where we head over to...
I actually forgot the words
I was going to say there.
I've done it so many times I actually forgot what I was going to say. It's the time of the week where we head over to our sources on probation over at the Infosec PA newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News. TikTok set for massive 92 million payout over privacy suits. Industry News. Facebook photo
tagging lawsuit settled for 650 million dollars. Industry News. Go malware detections increase
2000 percent. Industry News. Quarter of healthcare apps contain high severity bugs.
Industry news.
Microsoft patches four zero-day Exchange Server bugs.
Industry news.
Password reuse at 60% as 1.5 billion combos discovered online.
Industry news.
Ransomware attacks
soared 150%
in 2020.
Who knew? Industry news.
Canadian cyber agency
workers threatened strike.
Industry news.
Missing teens use school laptop
to chat with alleged abductors.
Industry news.
And that was this week's...
Industry News.
Well, there's not a lot going on this week, was there?
No, I did like the way the headline,
Microsoft patches four zero-day Exchange Server bugs.
They actually wrote the word zero, um, to avoid people saying oh-day.
Did they really?
Yeah, it's, uh, they've actually spelt out the word rather than use the, uh...
Yeah. What? Why would somebody say oh-day? I mean, please.
Well, I guess it's like, you know, because when it happens you're like, oh, oh, oh. Yeah.
So I use the top, I use the top person in the next. When Bond comes to stream, you're like, double-oh seven, licence to kill.
Actually, you know what, you're absolutely... I said, why would people call it an oh-day? But, yeah, double-oh. So that's exactly the sort of thing, like 1902, 2002, and it should be 2002, you know, or seven, which is not quite the same, you know.
You're asking the most relevant questions. What I found myself, and this is actually,
I was just thinking about it the other day, when I read out a phone number,
the first zero, I always call it an O, and then any subsequent ones are always a zero. I don't know why I do it like this.
Yes. Well, well, when I'm, you know, lived in London with, you know, growing up, the number was O1, not zero one. It was O1. Yeah.
They changed that when I was younger to, uh, 071 or 081, depending on whether you're in or out of London.
Well, and now it's, um, 0181, isn't it? You're 0207.
020, that's right. I'm getting very confused. Those are the other numbers at the time growing up.
More history facts here for you on this show, people.
I know. Yeah, it's like when I, you know, that's why it's always good to have a number without an O in the middle.
It just comes off easily.
Jav, we need to talk.
Call me.
That's the number for sponsorship inquiries, ladies and gentlemen.
Yes, it is. Yes, sponsorship inquiries.
Um, so, TikTok set for massive 92 million payout over privacy suit. I haven't clicked on it, because I'm just reading the headline. I want to give my opinion here.
Yeah.
But, um, is this what people pay for? That is, is this, is this TikTok set to get 92 million because they've been slandered, or because they've got to pay 92 million?
No, yeah, TikTok's agreed to pay out to settle multiple lawsuits,
which was about sharing user data without consent.
So all the stuff that you told us not to worry about, Andy?
Well, and then subsequently in later shows talked about how, you know, they've been on a journey. So this stuff was older, they've, they've changed.
They've changed.
Well, no, this was...
They found God.
Yeah, exactly. They saw the error in their ways. Now, this was, uh, from the early days, which they're just now settling. Whereas, obviously, I mean, next to Facebook, $650 million for repeated breaches of stuff.
You know, it's kind of chump change.
TikTok is the lesser evil of the two, without a shadow of a doubt.
Yeah.
I trust the Chinese over Zuckerberg any day.
Yeah.
Oh, my God, yeah.
Yeah.
Isn't that a really interesting thing, you know, uh,
what is someone who's essentially a paragon of the American dream, you know, come up from,
I wouldn't say nowhere, but it's come from, you know, it's come up, gone through college,
didn't he, um, crash out of college to, to build Facebook in the end? But, but nonetheless, you
know, he built this, albeit to, you know,
creep on girls in college, but nonetheless he built it
and made it what it is today.
And it's definitely got his fingerprints all over it.
And yet in many circles he's more reviled than communist China
and all of the things that go on there.
Yeah.
It's, well, I don't know what it is confusing at best.
For real.
Yeah.
Anyway.
The other interesting thing about these stories you see,
what it is is that we just started March,
so people have had a couple of months to research all the trends from 2020.
So now this month, March is normally the month
where all the 2020 reports come out.
So that's why you've got things like ransomware attacks
soared 150% in 2020 or malware detections increased 2,000%,
all that kind of password reuse.
So we're going to see more of these in the coming weeks.
You heard it here first.
Yeah, absolutely.
So that's a favourite one.
Just talking about, this reminds me, a long time ago,
well, I say a long time ago, probably about 2010, 2011,
when I needed to get into an account for research purposes.
So this is about them tagging people, storing people's biometric data
so they could identify who it is, you know, from their facial recognition.
And Facebook did this thing.
So where I had a password and it let me in, but it said, okay, this password,
this is your old password.
You know, prove to reset it, answer these questions.
And it basically gave you a choice.
And what it does is flash up pictures of different people.
And it would be multiple choice.
Who is this person in the picture?
Ah, yes.
And you had to select who it was.
And there was just most of these people had online profiles.
So you could actually then do the search in another tab
and answer all the questions.
And you're allowed to get two out of seven wrong, I think it was,
just where some people had been funny and sort of tagged their friends
in food or something like that.
It wasn't smart enough to recognize that the food wasn't a real person,
so you had no chance of knowing who was tagged in that picture.
But, yeah, it actually worked back then. Interesting.
Anyway, let's move on to this week's... Oh, no.
Javad's Weekly Stories.
In this week's Javad's Weekly Stories,
I had the jab.
Industry news.
I'm recording a podcast with two blithering idiots.
Industry news.
Was that the Jericho podcast that you did yesterday?
Oh, that's true.
That's true.
Well, there is that one too, honestly.
I don't know why I suffer. That was a very sexy episode, as I understand.
It was.
Lots of talk about semen.
It's out later today.
Yeah, you did talk a lot
about semen yesterday,
didn't you?
It was for informative purposes only.
Anyway,
and that was this week's
Javad's Weekly Stories.
Javad's Weekly Stories.
I'm surprised you call it the jab
and not rebrand it to the jav.
Hey, have you had the Jav in you this week?
Do you want a Jav injection? It's a little prick, it won't hurt.
Sorry, Mum.
Has your mum had the job?
Okay, right.
Hit a sweeper, Tom.
Tom, hit a sweeper.
Sweeper, sweeper.
Hang on, hang on.
This is the Host Unknown Podcast.
Home of Billy Big Ball Energy. So last week it was Yusuf's dad.
This week it's my aunt and my mother again, Jav.
I mean, really, come on.
You're blessed to have so many people in your family who are worth talking about.
They're wonderful people.
So, oh, I see we've retweaked the deck this week. So, um, uh, yes, let's, let's move on to, onto this week's
Tweet of the Week. And because that's so cute, we do it again. Tweet of the Week.
I have to say that is now my singular favourite, uh, jingle that we've ever had.
So, yeah, Tweet of the Week.
Now, this is going to be a little bit of a joint effort,
but this week's tweet of the week came from the company that I think
fired Graham Cluley, didn't they?
Yeah.
Was that right?
Was that how it worked?
Yeah, the slacker.
They refer to him as that slacker Cluley.
That slacker Cluley. That's Graham "Give Him His P45" Cluley. And take Carole with you as well when you go.
Just kidding, Carole, we're just doing our legally obligated mention of the Smashing Security podcast for this week.
I could imagine this going a bit like Jerry Maguire, like Graham's like leaving with the fish in his hand.
Who's coming with me other than blah, blah, blah.
And Carole just like, OK, felt sorry for him.
Yeah.
Felt sorry for him.
Yeah.
Anyway.
So Graham and Carole's previous employer, Sophos.
So their tweet was, tell us a cyber security horror story in six words.
I think someone at Sophos is a TikTok fan as well, don't you Andy?
I think that next week's tweet for them is,
tell me you're in cybersecurity without telling me you're in cybersecurity.
Yeah.
And the week after that, it's things you can say in cybersecurity and during sex.
Why did you say it while I had just had a mouthful of drink there?
So I thought about this, and mine, a very simple one,
is we've always done it this way.
Ah.
Have you guys got any off the top of your head?
Accepted the risk.
We have accepted the risk today.
So why don't we, since we're all one big happy family in a team here,
why don't we go through the list that we've selected here one at a time.
Andy, go for it.
Malware and Pickles at Malware and Pickles.
It's probably nothing.
Mark J., who is Dr. Geek Thumb.
Well, I love the sound of that.
The server room had no lock.
Andy Cook, at Cook underscore Andy.
OK, 3389, open to the internet.
Remote desktop.
What a fool.
Mr Robot says,
I wiped the right drive, right?
Christopher J
Marchenko,
at Christopher.
He must have been like number 2 on Twitter,
at Christopher J,
so not too bad. But even so.
Anyway: I'm compliant,
so I'm definitely secure.
At Dr.
Downs,
we have a strong
password policy.
Simon
at Sing033
says, sorry, your password
is too long.
Josh Centers, J Centers.
Rudy Giuliani, professional cyber security expert.
Oh, that's quality.
Josh wins so far.
Yeah.
Wim Letzer says, that does not happen to me.
David Robert Newman says,
I wrote my own crypto libraries.
Jeroen Jetton at TheTallestJJ.
We're too small to be attacked.
Common one, common one.
James Kelly says,
Client required solar winds for security reasons.
Topical. Daoming C says, our security policy protects against abuse.
Uh, Moreno Dalton, Moren, uh, Moren G, uh, obviously listened to what I said right at the beginning: we have always done this way, even though mine works much better than that.
It's grammatically more correct.
But nonetheless, we've always done this way.
And sticking to the dad bod theme,
Paul Stevenson says,
wife found my credit card statement.
Is that got to do with dad bod?
Because you bought some of those
sort of like electro-stim things
to stick on your belly so you can exercise well.
You know what?
I left eBay logged on to my iPad the other day.
That's more than six words.
No.
Oh, this is great.
My wife was looking for something, and she went into purchase history,
and she realised I'd underquoted her the price on nearly everything I've ever bought on eBay.
She was like, you told me that was only 100 pounds and it's actually 732.
you really need to tighten up your security, Jav.
You really do.
I mean, you were sweating enough when you left your phone downstairs last night.
What it is, this is like the audit box trick.
You know, when you're trying to pass a clean bill.
If you're clean, you give them something, yeah?
And they feel like they've got to win.
And you swear and you're like, okay, you caught me.
And they're happy that they've caught you out on something,
whereas the real dead bodies are still buried deep, deep behind.
Yeah.
Yeah, indeed.
Anyway, thank you, folks, for this week's...
Tweet of the Week.
So we don't have a little people ever again.
So why don't we move on to Sticky Pickle of the Week.
Sticky Pickle of the Week. Sticky Pickle of the Week. Sticky Pickle of the Week.
Okay, so imagine you were the CEO of an American-based,
billion-dollar global company.
Well, I think Andy could.
Jav and I would be too lazy to imagine that.
You hit a snafu, and you're called to testify before Congress about what happened.
Obviously, the members of Congress who want to know in layman's terms
how your IT infrastructure was left so unprotected
that it was used to deliver malware to several branches
of the federal government, as well as a series of high-profile
private sector targets.
What might be your go-to response?
It's got to be nation state sponsored, highly sophisticated attacks that, you know, this is just so above anything we've ever seen before. Uh, you know, you can't blame us, we're doing our best. We're, you know, it was just completely unavoidable.
Yeah. And sometimes, you know what, that, that is the case, because if you are a high profile company delivering to federal agencies, you are going to become a target of, you know, nation state stuff, right? And some of this stuff is particularly, you know, is particularly invasive and damning. I mean, even if you look back at Stuxnet, for instance, that was an environment that wasn't even on the internet and it got attacked.
Yeah.
You know, and it was a deliberate, deliberate nation-state multi-million dollar, um, engagement. So it's, it is going to happen, right?
It is. Yeah. So zero days do get burnt on these sorts of things. Um, yeah, I mean,
I mean, failing that, you can always blame your, your third party, like your HVAC sister,
that they got breached through the supply chain.
I think that's always a good one to blame.
There was that Las Vegas casino that was attacked through its fish tank.
Allegedly.
Again, another sophisticated attack in the supply chain,
out of your control.
Yeah, or rather one step outside of your control.
Yeah, you could have done a bit more.
Obviously there's remediation, but there's only
so much you can,
you can't wrestle people to the ground until
they, you know, physically show
you the code that they're using, as it were.
You have to take people
on their word to a certain extent and
you know, any kind of assessment is going to be, uh, you know, a snapshot in time.
So any other answers?
I think we've given you the best answers. Yeah, I think it's the only way, you know, when you talk, the only answer, you know, they don't want to hear excuses. You've just got to be honest about this stuff.
So the SolarWinds CEO, Sudhakar Ramakrishna,
he's obviously extraordinarily well paid at SolarWinds.
He's obviously very senior as the CEO, very, very accomplished.
He blamed the intern for the breach.
So he found
the most junior,
least
compensated,
and least experienced
person in the entire
company and blamed the intern.
How about that one?
Makes sense. So this
intern was
obviously stupid enough to create a weak password,
which turns out to be SolarWinds123, right?
Yeah.
But is trusted enough to be responsible for this monumentous task
that could have a massive impact on the company.
So this intern posted the password onto GitHub back in 2017.
A security researcher, Vinoth Kumar, later discovered that the password
had been posted publicly since at least June 2018
and informed the company of the leak in 2019,
at which point, according to Ramakrishna, it was removed from GitHub.
So there's plenty more questions I'm sure you're wanting to ask.
You know, maybe why was the intern actually responsible for setting the password?
If so, why on earth had the company delegated that responsibility to that intern?
Why was the password actually changed when the leak was discovered in 2019? Or was it just removed from GitHub? Why was there no multi-factor authentication, um, if it could be used to transfer files onto company servers?
It's, it's a series of... it's an astounding accusation to make when, frankly, frankly, this is a fundamental failure of security, procedure and culture. Let's be clear about that. You know, the fact that nobody who knew about this GitHub exposure, because these things happen, you know, people do stupid things for all the right reasons.
And posting stuff on GitHub is a very clear example
of all the right reasons because GitHub is an extremely useful tool
and developers use it all the time to share code and manage code
and all that that entails.
But nobody within that entire chain of events felt the need to say, shouldn't we change this password? Nobody. And that's a security culture failing which is squarely at Mr. Ramakrishna's door.
Absolutely. Absolutely.
Like, you know what, it's in hindsight and everything,
like, you know, security is hard, yeah?
And mistakes happen.
Like, you know, we've all been part of organisations
that have made, like, trivial mistakes that have led to big things.
And I don't think that's...
I don't necessarily blame them for that. In hindsight, we can always point out that this was right. But to not take it on the chin, to not accept responsibility, and to blame an intern for all those reasons that you said is just so... it shows such poor leadership. It is absolutely terrible.
Absolutely. I mean, the, the analogy I like to use when John explains these things is like, if my son kicked a football and it broke someone's window, sure, he done it, but the person, the homeowner, is going to come talk to me. They're not going to come and talk to my 10-year-old, or like four-year-old son or something, and like say, hey, you, you owe me a new window. He's going to come to me and say, you owe me a new window. And, and for me to then turn around and say, oh, where was the boy? Talk to him. Now I'm going to kick him out the house for that. You know, that's very unparent-like, as much, as much, as much as I'd love to do that.
But, you know, the only acceptable response from Mr. Ramakrishna should have been, the buck stops with me.
You know, there was a series of mistakes that were made that shouldn't have been made. And frankly,
we need to tighten up our procedures internally and improve our entire company's attitude
to security. And that is something that I take seriously
and I will be taking a personal interest in.
That's proper ownership from a CEO, isn't it?
I know.
Exactly.
You know, appalling.
Frank, he should be ashamed of himself
for even mentioning the fact that it was an intern, did it?
I'm beside myself. Oh, oh no, it's a mirror. Um, but it's, um, yeah, I, it, oh, it sticks in my craw, it really does.
But the California representative, uh, Katie Porter, uh, she actually said at the, the hearing, I've got stronger password than SolarWinds123 to stop my kids from watching YouTube on their iPad.
Yeah, yeah, exactly. Yeah, yeah, hers is PresidentTrump2020.
It's California, four more years.
Oh, yeah. Oh, that's true. Well, well, you never know. Some of those places.
Anyway, anyway, that was this week's...
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Found it.
Gentlemen, we are well over the hour at the moment.
So thank you so much, thank you so much. That, that show just flew by. You were in a very ranty mood today, Tom. I, I like it.
Do you know, I woke up a bit grumpy this morning, I have to say. I slept through my alarm. My alarm was still going 45 minutes after I woke up.
Wow.
Before I woke, before I woke up, I should say.
Was it your neighbours knocking on your door that
once you opened the door?
Yeah, exactly.
Because they turned that damn thing off.
Yeah, complaining about the smell.
But so, yeah, I was a bit grumpy seeing it.
But that's SolarWinds story.
That really does piss me off, though.
That really does piss me off.
I think I may have seen a few too many other
executives like that.
But there you go.
But anyway, thank you so much for your conversation, time,
and company today, gentlemen.
Javad, thank you so much.
Yeah, thank you.
I'm now going to go cry in the fetal position while I wait for the rest
of the flu symptoms to wear off.
But, yeah, thank you.
It's been a pleasure. It has indeed. And, Andy, thank you, mate. Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown podcast. If you enjoyed what you heard,
comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever. R slash Smashing Security.
Yeah, you know, speaking of responses from vendors,
Bit9, they're now called Carbon Black because they acquired them
and they adopted the brand.
They had a breach way back when, like about 10 years ago or something,
five, 10 years ago, and some of the servers got, got popped, and their response was
genius. They said, oh, um, due to an oversight internally, we didn't install our own software
on those servers. So it was like, had we had our world-class security software there, we would not
have been...
That is some classic redirection there. That is smoke and mirrors.
Seize that opportunity.