The Host Unknown Podcast - Episode 51 - Punking the Punkbuster

Episode Date: April 16, 2021

We think we sound much better this week, all thanks to Krisp! Tighten up your audio, remove background noise, and annoying work colleagues, all with Krisp. Download it here: https://ref.krisp.ai/u/ue2a...67ba76

One advantage of being short is that you get to be in the front of all pictures taken of a group, and that is all we have to say about Little People this week.

This week in Infosec

Liberated from the “today in infosec” twitter account:

15th April 2000: The RCMP arrested a Canadian juvenile known as MafiaBoy for a DDoS attack against cnn.com.
https://twitter.com/todayininfosec/status/1250622615204454400
https://en.wikipedia.org/wiki/Michael_Calce

14th April 2005: It was announced that the National Infrastructure Advisory Council (NIAC) had chosen FIRST to be the custodian of the Common Vulnerability Scoring System (CVSS), the then-emerging standard in vulnerability scoring.
https://twitter.com/todayininfosec/status/1250251203390275584

16th April 2014: Host Unknown released their debut music video to great acclaim within the Infosec echo-chamber.
https://twitter.com/HostUnknownTV/status/456395301159305216

Jav’s proposal for Pulp Security from 2011 (cue Misirlou, clarinet version, to avoid copyright infringement notices):

Cynic: So tell me more about America.
Jester: Well it's the same shit we got here, it's just a little different.
Cynic: Example?
Jester: Well I mean, you can get encryption products out there. It's legal for you to own it, it's legal for you to install it… but get this. If you try to export it out of the country it's illegal for you to do it.
Cynic: Damn man, that's harsh.
Jester: You know what they call a router (pronounced rooter) out in the US?
Cynic: They don't call it a Rooter?
Jester: Nah man, they got their own system, they call it a Router (pronounced rowter).
Cynic: haha

Rant of the Week

Industry News

Hackers Hacked as Underground Carding Site is Breached
Facebook Removes 16k Groups for Trading Fake Reviews
Brits Still Confused by Multi-Factor Authentication
Food Shortages at Dutch Supermarkets After Ransomware Outage
Cyber-Attack Shutters Half of Tasmania’s Casinos
Microsoft Patches Four More Critical Exchange Server Bugs
Lawsuit Filed After Facial Recognition Tech Leads to Wrongful Arrest
Man Gets 10 Years for Multimillion-Dollar Medicare Fraud Scheme
Europe's Data Protection Guardians Green Light EU-UK Data Flows

Javvad’s Weekly Stories

How I pwned an ex-CISO and Smashing Security
https://youtu.be/lb5htJmjcFM

Tweet of the Week

Robert McArdle - @bobmcardle
Director FTR - CyberCrime Research for @TrendMicro. Lecturer in Malware Analysis.
https://twitter.com/bobmcardle/status/1382602129005772801

Sticky Pickle of the Week

Your company is looking to promote an upcoming Women in Security webinar and you’re looking to maximise engagement on your social media channels, so you come up with a single question which you believe will solicit engagement, and you believe the structure of the question is such that it keeps responses on topic:

“What according to you are the most common challenges faced by women in the cybersecurity domain?”

Sound good so far? Can you make it simpler by providing multiple choice answers to choose from? It’s not a bad strategy, so what are the optional responses to the most common challenges faced by women in the industry?

A: “Only men can do this job”
B: “Women can’t handle this job”
C: “Women aren’t encouraged enough.”

Now the responses you’re receiving to this insightful quiz are not going in the direction you thought they would. What are your next steps?
https://www.infosecurity-magazine.com/blogs/the-story-of-the-eccouncil-gender/

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Are we still being sponsored by Krisp? It depends on whether or not you can hear this. Okay, ready? After three. One, two, three. Did you hear that? No. No? What was it? 0.4 kilos of jelly beans, my friends. You didn't hear them? Me shaking them like maracas? No. Go. Okay, let me switch off Krisp. Oh, that... Holy moly. Oh, blimey. Right, now with Krisp back on, let's see if you can hear this. Anything? That is just amazing. Either Krisp is brilliant or you're just not shaking them. No, you know, I think Krisp really is that good. It's a virtual microphone that you download that removes all the background noise. And this reminds me,
Starting point is 00:00:50 do you remember those double glazing ads when they first came out? And there's a helicopter in the garden and it's really loud. Then the guy closes the double glazer and it's quiet. And then he drops a feather down the side and it just... Get the best Everest.
Starting point is 00:01:05 And folks, if you'd like Krisp, then link in the show notes. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. Welcome to episode 51 of the Host Unknown podcast. Blimey, folks. 51 episodes, or 53 or 54. We've got to 55. Yeah. I tell you what, your numbering is streaking ahead of my numbering.
Starting point is 00:01:45 I'm sure you add extra episodes every time. Yeah, blimey, episode 51. Andy's like the Jim Ross of commentating or podcasting. He's like, oh, my God, that must be at least 200 foot off the air. Is that Jim Ross, the Channel 4 interviewer guy? Yeah, that's exactly who it is. With the list. Okay.
Starting point is 00:02:09 Just checking. Just checking. So, Jav, how are you? Yeah, good, thanks. Good. Ramadan started this week. So you're grumpy, basically. No, no, no.
Starting point is 00:02:20 It's week one, so I'm still very happy. It's still like I've got plenty of reserves, as we know from our biggest loser challenge. Yeah. So you haven't accidentally slipped and fallen onto a shawarma or something? No, not yet. Not yet. It asked me in like 15 days. I slipped, fell and the shawarma entered me via my mouth. Yes. And do you do that thing where you brush your teeth and accidentally swallow water during the day? For someone that's not fasting,
Starting point is 00:02:52 you surprisingly know all the tricks. This is from my time when I was living in the Middle East and I had to blend in. It's by eating toothpaste. It was tough during Ramadan, I tell you. Durka, durka. Durka. You, Andy, how are you? Good, thank you. I'm excited for the weekend. It's been a long week, so I'm just glad that the weekend's in sight. Excellent, excellent. Believe it or not, this is the fourth podcast I've been on this week. I do believe it, because I know for
Starting point is 00:03:26 a fact that you've been whoring yourself around. It's almost like we're a side note these days. So on Monday I started a brand new podcast with somebody I work with, and that's called Two Great Nations. It streams live every Monday. I'm leaving all the production to him, so I've got no idea what the links are. So, you know, maybe you'll find it. Maybe you won't. I don't know. And then, what was it, Wednesday I recorded – no, yesterday, sorry, I recorded the new SentinelOne podcast with Rowena Fielding.
Starting point is 00:04:03 That was good fun. Sentinel One podcaster with Rowena Fielding. That was good fun. And then I recorded the Sticky Pickles podcast with Carole and Maria. That's actually released now as we are recording. It's just been released. I'll tell you what, Jeff, if you've got Maria's number, I'm thinking we need to replace her presenter.
Starting point is 00:04:24 I know we had a talk about Tom's performance review, and his end of year is not looking good. It was going to be a PIP, it was going to be an improvement plan, but I just don't think it's even worth it. I think, you know, we need to manage him out. That's fine. That's right, Maria and I can swap out, not a problem at all. So this Pickles podcast, I've not heard of it. Is that a spin-off from the Sticky Pickles of the Week segment that we did? It is, it is. Do you know what, I think they stole the idea from our Sticky Pickles of the Week. This is like Better Call Saul. It's like a prequel to Breaking Bad. Yeah, it's got some of the fun elements, but it's not quite Breaking Bad. I mean, let's be clear, we've pretty much launched Graham Cluley and Carole Theriault's careers in the
Starting point is 00:05:05 podcast industry, really. Yeah. You know, we've got it in black and white about how our first episode inspired the Smashing Security podcast and our Sticky Pickles. And yet both of them have got more followers and listeners than we have. It's debatable.
Starting point is 00:05:25 It's outrageous. We go for quality, not quantity. Absolutely. We do try to maintain the quality. We don't get people to pay money just to listen to the podcast a day early. All of that stuff. So it's all good. It's all good.
Starting point is 00:05:39 Anyway, I think we should probably move on, unless anybody's got some amazing news this week. No, no. Okay. Well, actually, we've got some amazing stories this week. That's for sure. We've got coming up. We've got today in InfoSec, a very musical themed one as well.
Starting point is 00:06:02 We have got a story about awful banking when it comes to rant of the week. We've got industry news, obviously. We've even got some Jav's weekly stories as well. Funnily enough, all Ramadan related. And a tweet of the week, again, musically themed. And we do like to go back to our roots, and we've got a sticky pickle of the week, original. The original and still the best sticky pickle of the week coming up. So, Andy, shall we go straight into... This week in infosec
Starting point is 00:06:47 So, the part of the show where we take a stroll down memory lane, liberating content from the Today in Infosec Twitter account and embellishing it by... I kind of mixed up my taglines there. I didn't know where I was going with that one. You completely messed that up. But hey, you know, that's why this is quality and not quantity. This is live, people. So the first story I have is from the 15th of April 2000,
Starting point is 00:07:21 a mere 21 years ago. And as we do more and more of these stories, it actually horrifies me at how recent these things were. So this week 21 years ago, the Royal Canadian Mounted Police arrested a Canadian juvenile hacker known as MafiaBoy, and it was originally for a DDoS attack against cnn.com, and it turned out it was actually against more sites than that. So MafiaBoy, his real name was Michael Calce, I think. And what's funny about this, you know, he's now a security expert, and he described himself as a computer expert, former computer hacker from Canada. And he launched a series of highly publicised denial of service attacks in February of 2000.
Starting point is 00:08:09 But what was amazing about these is they were all against really large commercial websites. So they included Yahoo, FIFA, Amazon, eBay, E-Trade, CNN. Wow. Yes, it's a quite big one. So as a 15-year-old, he targeted all of these sites with a project he called Revolta, which meant rebellion in Italian. And at the time, Yahoo was the multi-billion dollar web company and the top search engine in 2000, believe it or not. Google had only launched like 18 months or so before that.
Starting point is 00:08:47 So, you know, all the big players... It would still be run by two servers under their desks, probably. In a garage somewhere, yes. I mean, you know, back then the big players were still AltaVista, MSN Search, Excite had recently acquired WebCrawler, and Ask Jeeves was on the up as well. But he managed to shut down Yahoo for an hour with his DDoS attack. And while all of this stuff was going on, it's funny, buy.com, you know, the big US retailer, actually switched off their website in response. You know, they were like, actually, do
Starting point is 00:09:19 you know what, this stuff's looking bad, let's just switch it off. And this is what happened back then, you know, 21 years ago. If you couldn't protect your website, you just shut it down. So yeah, because actually it was a side thought, right? It was an afterthought. Yeah. 21, I know it doesn't seem that long ago, but it really is. So he then turned up the heat. He also brought down eBay, CNN, Amazon, believe it or not. Although Dell is often reported in the same series of attacks, he didn't successfully bring them down. And he later claimed in an interview that the attacks were launched unwittingly after he'd plugged known addresses into a security tool that he had downloaded, and then he left for school and he didn't realise
Starting point is 00:10:06 what happened. Yeah, he'd done an Andy. What he said, he came home from school later that day, his computer had crashed, and then, you know, he overheard the news and recognised the companies being mentioned on the news. But yeah, I mean, his story sort of breaks down. So he also launched a series of failed attacks against, you know, nine of the 13 root servers on the Internet. So there's a lot of figures that are always bandied about with this one, because some senior analysts at the Yankee Group said that he told reporters that the attacks caused 12 billion dollars' worth of economic
Starting point is 00:10:47 damages, and then, you know, other media outlets would then do the conversion to Canadian dollars and make that 1.7 billion Canadian dollars. But in court, the actual trial prosecutor said the figure was about seven and a half million dollars. But what was also interesting was, whilst testifying at a hearing before members of the Congress, Jav, a colleague of yours and known computer expert Winn Schwartau said that the government and commercial computer systems are so poorly protected today that they can essentially be considered defenseless. He coined the phrase that they were an electronic Pearl Harbor waiting to happen. Oh, dear God. I know.
Starting point is 00:11:29 And the fact that the largest website in the world could be rendered inaccessible by a 15-year-old schoolboy created widespread concern. What about a cleaner? I'm plugging something to plug the vacuum cleaner in. Well, yeah, it's on par with that, isn't it? Yeah, so former CIA agent Craig Dewant actually credits Mafia Boy for the significant increase in online security that took place in the following decade. So whether he set out to do that or not, he has had a massive impact on the information security
Starting point is 00:12:05 industry. So, MafiaBoy, my family thanks you for the roof over our heads and the joints of meat that we get to eat every day. Yeah, yeah. And the best thing about this was the following year is when he was actually sentenced. And can you guess how severe his sentence was? 15 years. Six months. 70 years. A month. It was eight months of open custody, one year of probation, and restricted internet use. So basically they put him onto AOL.
Starting point is 00:12:40 Pretty much, yeah. Pretty much, yeah. But that's actually very light compared to some of the sentences that are being handed down today and even just over the last decade. I mean, members of Anonymous and some, well, in fact, the members of the public who used, you know, the low orbit ion cannon-like tool, they were threatened with 100 years in jail. Well, that's how it starts, isn't it?
Starting point is 00:13:11 That's just like the normal legal process. It starts really high and then it ends up being like, OK, you paid a £60 fine. Well, I don't think it went quite like that. But the fact is, legally, they could have gone down for that amount of time because of how the offences were interpreted, rather than actually, legally, the most we can impose is, I don't know, five years or whatever.
Starting point is 00:13:38 That's the difference. That's the distinction. Anyway, sorry, you were saying? But thank God for Dudley Do-Right being there on time. What? Do you not remember the cartoon? It was like a Canadian Mountie police cartoon. Yeah.
Starting point is 00:13:54 Do you know what, that vaguely rings a bell. That vaguely rings a bell. Was it in colour? It must have been. I never had a black and white TV. You never had a black and white TV? You never had a black and white TV? Well, not personally. Oh my goodness. I had one in my room, black and white TV. Do you remember back in the day... Sorry, I'm going on complete... Tom, your back in the day is very different to our
Starting point is 00:14:16 back in the day. Yeah, Channel 4 had just come online, right, when the centurion messenger arrived. But Channel 4, and international folks, Channel 4, funnily enough, was the fourth channel that came online in the UK, because unlike most other countries, you know, when I grew up originally we only had three channels. But Channel 4 was the brand new channel, and to sort of mark them out as slightly edgy, a little bit like the very imaginatively named Channel 5 did a few years later. But to mark them out as slightly edgy, they started to show sort of soft porn and erotica in the evening. And I say evening, like after 11 o'clock. And in order to warn viewers that it was time to get sexy, they'd put a little red triangle in the corner
Starting point is 00:15:05 of the screen, which is a bit of a problem on a black and white telly. Is this where you learned French? Yes, I learned a lot of things, I can tell you. Anyway, sorry to go on, Andy, I know we've got a couple more stories. Yeah, so secondly, I'll whistle through this one. It's only a mere 16 years ago. Again, 15th of April 2005, it was announced that the National Infrastructure Advisory Council, that's the NIAC, had chosen FIRST to be custodian of the Common Vulnerability Scoring System, which is better known as CVSS, which was a then-emerging standard in vulnerability scoring. So what you're saying is that NIAC chooses FIRST for CVSS?
Starting point is 00:15:56 Yes, pretty much so. Obviously, this is a free and open industry standard for assessing the severity of vulnerabilities. And CVSS tries to standardize or assign severity scores to vulnerabilities so people can prioritize responses. It's something I depend on a lot when working with potential targets. In the world of M&A, there's lots of posturing and people think we're looking to knock the price down by highlighting deficiencies and things like that, which is furthest from the truth you could possibly believe. It's, you know, we really don't care. We just need to know what the risks are. But, yeah, I mean, this is an internationally recognized standard. So it's not just, you know, one party saying this is a serious problem.
Starting point is 00:16:45 just you know one party saying this is a serious problem uh you know this is people around the world all agreeing that you know on the same scale um you know this problem is serious in any country and it gets a bit more complicated than that you know you can there's a calculator where you can add in sort of you know mitigating controls but essentially it's based on you know the attack vector complexity privileges required whether interactions required um you know and the effort required to achieve that so it's a great standard if you do any kind of technical risk management i have no doubt you will be familiar with the cvss score and i don't even know how people survived in a world without it absolutely and little known fact actually for our american um you know brethren chums over over the pond you can also go to cvss to get your um uh pharmaceutical and chocolate to get your vaccination yeah to get your covid19 vaccination
Starting point is 00:17:38 That was really laboured. I stumbled on my words a little bit. Come on, give me a break. So, right, I'm sticking in a third story this week, and it's last and definitely not least. It was a mere seven years ago today that the infamous Host Unknown released their first music video to the public, to great acclaim within the infosec echo chamber. I'm a CI double SP reached 100,000 views on YouTube just in time for its seven year anniversary. That's the one. So just this week we've just cleared 100,000 views on that video. 100,000 views? Wow, that's amazing. That is pretty amazing. I mean, you should be so proud of that, Jav. I mean, that video,
Starting point is 00:18:31 I get people tagging me all the time saying I love your music videos. Well, so obviously at the time, Host Unknown, the group that I put together, were mostly found at industry events, taking the mick. And do you remember we used to have a regular column in the Infosec Buzz magazine? When you say regular column... Well, every month that guy would email us and say, right, you know, and every month we'd go, oh God, we've got time for that? I know. We'd also done a... So I went like way back, you know, looking through all my archives, and, you know, at the time we'd done a few rant events, we'd done a couple of videos with Jim Shields of Twist and Shout fame, you know, we'd done videos causing mischief at Infosec Europe, 44 Facts About 44CON, which I enjoyed.
Starting point is 00:19:25 That's one of my favourites, actually. Yeah, we'd done The Three Wise Men, Greatest Story Ever Told, which was pretty fun. And that was in the December prior. It's just, unfortunately, Jim refused to use YouTube in those days. So that video was on Vimeo, and it didn't get much organic traffic until we'd sort of published it on YouTube ourselves about six months later. But yeah, by April of 2014,
Starting point is 00:19:53 you know, we're so happy to take the mickey out of ourselves, we went all in on a topic that just seemed to be coming up all the time, you know, within the industry. And you'll probably recall, obviously, Jav was already well known for his YouTube security videos, and, you know, by this point he'd already become the poster child for (ISC)², you know, for his CISSP certification, with this whole CISSP, CISSP mother, you know, video. And Tom, as you rightly highlight, Tom, you do remember ambitious Jav in 2014 is very different to the animal of the, you know, the calmer, you know, more team-playing Jav that we know and love today. And this is, yeah, well, I think it's funny, because he obviously took all the credit for that video when it was published. Yeah, he didn't necessarily say he created it, but he certainly never corrected anyone who sort of
Starting point is 00:20:50 only did praise at him for it a hundred thousand views you know why would you correct anything with what exactly so you know people just assumed it Jav because obviously he'd already had his own InfoSec Cynic brand, which had been running. But, you know, it reminds me of the tagline from the Zuckerberg movie. It's like you don't get to a billion friends without making a few enemies. And never has that quote been more applicable to me. Tom, you remember, obviously, the funniest thing about this is that jav almost didn't even get involved in the video he didn't turn up it did turn up you turned up late but you couldn't even be asked beforehand you were like uh i don't know whether you guys go ahead you guys do it
Starting point is 00:21:39 Yeah, oh, I'm gonna be late, I gotta buy a... No idea what you're talking about. What's really funny is that a few months prior, Tom had been to Abertay to speak at Securi-Tay. And had become really good friends with a bunch of all the students there and what have you. And they saw the video and they loved it, and they were watching it, and they all saw it at home. Then they went to uni and they were playing it on the projector at uni, and then someone piped up and said, like, Tom was in that video too. And it was like, what? No. It's like the invisible gorilla all over again. Oh yeah, that is Tom. Yeah, well, you know, the camera adds a few pounds, right? So I'd say we're all a little bit slimmer in those days. Yeah, definitely. I do need to give
Starting point is 00:22:34 credit to, obviously, Chris Rice, Ricey, someone I used to work with in another life. So happy birthday for this week as well, right? So we actually released this on your birthday seven years ago. But he was responsible for changing some of the key lines within that song. So the original chorus as it was written was "I'm a mother CISSP", you know, and he just scrapped the whole thing, said it was a whole load of crap, and he changed it to, you know, "I'm a CI double SP", which flowed a lot better. Yeah, we're not talking about flow, Andy. I'm not even gonna go there. I'll tell you what, we'll bring that up in September. Okay. But the other thing I'll say is, obviously, I did a Milli Vanilli on that whole video. You know, they are Rice's dulcet
Starting point is 00:23:25 tones that you can hear in that song, and I obviously mimed over the top. But yeah, I mean, that whole day, I mean, I don't know if you guys remember, we obviously hired a nightclub, bought some props, paid some extras, had a cameraman, the man they call Moo, that was his house featured at the beginning of that video, where, you know, you two come to the front door. But the thing that I really recall about that whole day, you know, it's always the emotional part you remember. And it's how you two took the piss out of my singing all day long. Like, you made me sing the whole thing and obviously overlaid the track on top. But then when we recorded the Accepted the Risk video, Jav was too embarrassed to sing in front of others, and on the Money video, Tom, you couldn't even remember more than three
Starting point is 00:24:13 words at a time. Even now, I tell you, man, that your lips were hardly moving when you were trying to lip sync over CISSP. Even now, if I look at it, I tell you that some of those fake app videos, you know, those deepfake video apps, they do a better job of imposing lip movement than you did over your own face. It was just the worst. And I think 100,000 of my fans will agree. I just remember thinking, oh my God, I have to look in a certain direction,
Starting point is 00:24:55 move my body, move my legs, walk somewhere and sing at the same time and remember the words. It was, oh, my God. Do you remember we got Lee Munson came into the Accepted the Risk video, right? Yes. All he had to do was pretend to type on a keyboard in with them yes you couldn't do that if you look at the concentration on his face in that video oh that was brilliant but yeah I mean that was one of the I think once everyone realized how hard the whole thing is everyone sort of cut some slack right yeah well actually it's a long boring day right
Starting point is 00:25:25 It is, really, you know, or there are long periods of boredom. Yeah, early starts for most of us. Jav just rocks up with... yeah, just rocks up whenever. But yeah, my biggest worry at the time was obviously being sued by (ISC)². So I think it was slightly lucky in the early days, and sort of Jav did take a lot of credit for it, because obviously they had no incentive to go after their poster boy with cash. Yeah, exactly. And although we say it's only a hundred thousand views on YouTube, it was copied to some Facebook group and then, you know, elsewhere after that, and that had a lot of views that we weren't getting credit for. Yes, indeed. But we're not bitter about that. We're not. No, I did speak to some people at (ISC)² afterwards, and there was a few people that worked there, they said, we absolutely
Starting point is 00:26:17 loved it. They said they actually played it in one of their team meetings internally, but the direction from the top was, this is funny, hilarious, we love it, but not a single one of us is allowed to even click like on that thing. So you forget about sharing it or talking about it. It doesn't exist. Oh dear. But I mean, talking about, you know, I know this is the whole point of going down memory lane, but, you know, going through my archives, I did find some hysterical content that we had. So we obviously bounced a lot of stuff back and forth back then. There's a lot of bitterness, particularly for me, for not winning the Pwnie Award for Best Song. Oh my God, I remember that. Yeah, I was annoyed in that one. But, you know, anyway, I could talk another
Starting point is 00:27:03 hour on that one. But I did find some hilarious stuff which never made it to air. You know, I think, you know, Jav had his ideas, I had a lot of ideas, and we bounced some stuff between each other. And there was one which Jav came up with in 2011. And bearing in mind that this is probably, you know, I would refer to the original Host Unknown, you know, for any like really old school people. And you wouldn't actually believe who was involved in this conversation thread, Jav. It was you, me, and... remember who the third person was? No. It was Steve Lord. No way. What? Yeah. This was in the run-up to a 44CON, and so Jav put together this skit that
Starting point is 00:27:50 never made it to air, and I have no idea why it never made it to air, but I'm going to paste it in the show notes now, and I want to read through it quickly, okay? Let me help set the scene, shall I? Yes. So, Andy, tell me more about America. Well, it's the same shit we got here. It's just a little different. Example? Well, I mean, you can get encryption products out there. It's legal for you to own it.
Starting point is 00:28:22 It's illegal for you to install it. But get this. If you try to export it out of the country, it's illegal for you to do it. Damn, man, that's harsh. You know what they call a router out in the US? They don't call it a router? No, man, they got their own system. They call it a router. Router. Get out of here. It's like I was in the room. We absolutely have to move on. We do. But so you've got three
Starting point is 00:28:55 for the prize: MafiaBoy, CVSS and CISSP. This week in Infosec. Anyway, I think now we can move on to this week's... Listen up! Rant of the Week. It's time to mother rage. So this one's from me, and this is a personal story, because a good friend of mine, he's in the building trade. He owns and runs his own company.
Starting point is 00:29:28 Very, very successful, very large company. And he texted me over breakfast the other day. Obviously, I put a screen grab of this and a screen grab of this into the show notes. But let me read out his text and then we can discuss. So his text reads, being an IT security man, I thought this would make you laugh as it did me. Got to give out works bank details to give internet access for another user. Enter security details and then card reader, fill in personal information, print, and all account holders need to sign. All going well. Then with all this information on paper, I need to send by post
Starting point is 00:30:13 to Lloyds Bank, internet banking team, and over. May as well have put "please steal my personal details" written on the envelope. Can't believe it. Which really goes to show you... I'm appalled by this, because, one, you've got to authenticate yourself multiple times on the internet. So you go to change your bank details, and I'm doing this with the Thames Valley chapter of (ISC)², and it's a real pain in the bum hole to do. But in this case, you go online, you authenticate that it's you. You then have to enter security details, use your card reader, fill in that personal information. And the fact that you then have
Starting point is 00:31:00 to print everything out and post it, surely in this day and age, things can be done a little differently, right? Surely we can do things differently. It's like all you're doing is helping to automate a paper process rather than actually changing the process to be more secure. And then with details like that on the envelope itself, internet banking, of course, there's going to be sensitive data in there. But the irony of even having to put "internet banking team" onto the front of a paper envelope that you put a stamp on and put into the postbox seems to be lost on Lloyds. And I know Lloyds is not the only one that does this. But really, can we not do better than this now? I mean, for instance, I've had business accounts with Revolut and Starling and various other companies and banks,
Starting point is 00:32:06 all handled through an app and online. Absolutely everything. No need to print anything off. No need to put anything in the post. And yet when last year working through some of the government processes and government loans and stuff and using a traditional bricks and mortar bank, had to print everything off again. Ridiculous.
Starting point is 00:32:30 I just find it absolutely stunning that there are businesses that are able to operate entirely digitally, who are operating in exactly the same space as traditional banks, and, um, you know, basically building in this kind of just slack-minded thinking. I can only assume it's cost, because, you know, there are plenty of services, uh, like you say, that support the Revoluts, the Monzos, the N26s, um, that, you know, can do all of this verification online. So I can only assume that for, you know, some of these banks, it's just cheaper for them to have people do it manually than it is to automate it.
Starting point is 00:33:13 Talk about being customer-focused. Jeez, ridiculous. It reminds me of that meme or that joke. It's like someone's trying to do something and, you know, the other party says, can you fax me over the details? And he goes, I don't have a fax where I am. He goes, where are you? Because it's the year 2021. So that's what this reminds me of. It's like, can you post stuff? It's like, yeah. I, I think it... Yeah, I agree with Andy. I think it's cost, and then there's probably some process reengineering that needs to be done in the back end to support all of that.
Starting point is 00:33:50 And I don't think anyone's put forward a good enough business case internally for a lot of these banks. But you're right. It's just... this is actually going back to the year 2000 or the early 2000s. This is how a lot of companies approached, um, the e-commerce or the whatever, everything was e-something before that, um. They would just take a manual process and say, how can we add a computer into one of these processes at some point? So it would be exactly the same thing: print it off and then email, or like, email it here and then we'll print it off and post it back. You know, it was never... it just gave me the feeling or the impression, the thin veneer of, like, this technology involved, it must be better, but it was still a manual process. It made it worse and less secure and more clunky as a result. Because I must admit, you know, signing up to things like Monzo, Revolut, Starling, etc.
Starting point is 00:34:44 is so easy, so easy, um, that... I can't believe, part of me can't believe that people are still using traditional banks and going to traditional banks. I mean, why would you want to? I don't understand what need there is for a traditional, uh, bank for the vast majority of people. So if anyone from HMRC is listening to this podcast, I'm sure you're just as interested as me in how many accounts Tom actually has. He's got some traditional bank accounts and he's signed up for every new challenger bank there is. Why does he need to do that? But my ears did prick up when he said he's getting access to the ISC Squared bank account. I was like, hmm.
Starting point is 00:35:30 Nice little earner there, isn't it? If you think I might be signing my name, but if you think I'm touching that bank account at all, that's what the other committee members are for. That's what I'm for, Tom. I'm your fall guy. Don't worry about it. Yeah, exactly. Yeah. Anyway, I'm El Presidente of the ISC Squared Thames Valley chapter.
Starting point is 00:35:49 I've got the committee members to do it. Precarious liability, Tom. Yeah, I know. Do you get to fly on the private jet called Air AMF? Air AMF. Oh, dear. Well, they're true, very true. So, yes, come on, banks.
Starting point is 00:36:10 Pull yourselves together. Sort it out. Make it easier. And, you know, perhaps you might start to recover some of that reputation that you've been losing steadily. Do either of you have any traditional bricks and mortar bank accounts? I do. And funnily enough, Lloyds is one that causes me a problem. Yeah, I couldn't. It's all paper-based. I've got no online access to that. I can view my balances
Starting point is 00:36:37 as you can do with the open banking regulations, but I can't transfer money out of that account. Oh God, I can't think of anything worse. It's like yesterday morning, I literally woke up, first thing you do of course is reach across and get your iPhone and see who's emailed you overnight and all that sort of thing. I don't check emails. Check your dating profile, that sort of thing. And, um, I'd found that I'd been paid, uh, some expenses, and so literally in the first couple of minutes of my waking day, I'd transferred those expenses onto my credit card and Amex that I'd used. Boom, done, everything.
Starting point is 00:37:16 I can't imagine doing that with some of these bank accounts, some of these bricks and mortar banks. I know they're getting a lot better with their apps. I used to be with Royal Bank of Scotland and theirs was one of the better ones. But, yeah, I dropped them in 2017, 18, something like that, and I'm now wholly, you know, challenger bank at the moment. I couldn't imagine going back to another one.
Starting point is 00:37:43 Yeah, yeah. I mean, I've got a few, um, few traditional accounts, and yeah, Lloyds is actually one of them as well, and it is, oh my God, it is the worst, um. But the others are good. Actually, speaking of old banks, I remember, like, do you remember Griffin Bank, or Midland Bank was it, and they had a Griffin account? Oh yeah. And, uh, I remember being like, I was young, I was about 12 or something, and they had a child saver account, but if you opened up an account with at least 20 pound they gave you, like, a whole bunch of swag. It was just like, you know, a duffel
Starting point is 00:38:15 bag and a money box with a globe on it and a whole bunch of things. So I set up that account just to get the swag. Yeah, NatWest did the same. They used to come into our schools. Yeah, so they had pig money boxes. Yeah, the pig events, yeah. Yeah, I signed up to NatWest when I was 11. They literally came into schools and signed you up, which is crazy if you think about it these days. Yeah.
Starting point is 00:38:39 I know my mother's goddaughter, she set up a NatWest bank account and put money into it, and she got her the full set of the pigs, which are worth a fortune now. Because obviously the more money you put in, you then get the next pig and the next pig, and they gradually got bigger. They're quite iconic now and quite sought after. Yeah.
Starting point is 00:39:00 Excellent. Thank you very much. That was this week's... Rant of the Week. And I think we can also do one of these. Sketchy presenters, weak analysis of content, and consistently average delivery. Like and subscribe now.
Starting point is 00:39:24 So I've had a message come through asking if we're going to be doing a Little People this week, but all I can say is that one advantage of being short is you get to be in the front of all the pictures taken of a group, and that's all we've got to say about the Little People this week. Industry News. Hackers hacked as underground carding site is breached. Industry News. Facebook removes 16,000 groups for trading fake reviews. Industry News. Brits still confused by multi-factor authentication.
Starting point is 00:39:58 Industry News. Food shortages at Dutch supermarkets after ransomware outage. Industry News. Cyber attack shutters half of Tasmania's casinos. Industry News. Microsoft patches four more critical Exchange Server bugs.
Starting point is 00:40:24 Industry News. Lawsuit filed after facial recognition tech leads to wrongful arrest. Industry News. Man gets 10 years for multi-million dollar Medicare fraud scheme. Industry News. Europe's data protection guardians green light EU-UK data flows. And that was this week's... Industry News. So what have we got from you this week, Jav?
Starting point is 00:40:53 Javvad's Weekly Stories. I'll start off by, yes, not even water. That is an ancient Ramadan proverb. You mean proverb? Yeah, whatever. It's not like a professional verb. It's, you know, proverb. It's not, okay.
Starting point is 00:41:13 Or it's not even, you know, an advocate for verbs. We're very supportive of verbs here. I am proverb. And I'm pronouns. Just not professional. I'm just not really pro-objective. Also, if you missed it, there's a link in the show notes, a little video I made about how I pwned an ex-CISO and Smashing Security, the number two podcast in the UK, uh, in one... Don't click on it. Don't click on it. In one sweep, uh, along with, and
Starting point is 00:41:46 I, and I credit where credit's due, because some people do accuse me sometimes of not giving credit, um, and he did help me out with this one. He was my Robin to my Batman. Yeah, it was a fun story of how, uh, Tom, uh, his opsec failed him yet again. His predictability failed him yet again. And it's been a while since Andy and I took a look into, you know, just poking a bit of fun at Tom. And he failed miserably. Been a while?
Starting point is 00:42:20 Been a while? It's like daily. Well, I mean, like at this level, something that makes good hallway chat. It was very funny, I have to say. But I knew exactly what was going on. That was the best part. I knew exactly what you're trying to do. And you still couldn't stop us.
Starting point is 00:42:40 You had all the IOCs and you still didn't stop it. Because my third party risks were not adequately dealt with. Wow. See, that's what you get. That's what you get. And Graham's a blabbermouth. Graham's a blabbermouth. Yeah.
Starting point is 00:42:56 And so is your son, actually. I asked your son something in confidence and he went and told you about it. Which is exactly right, exactly right. I applaud him for that, absolutely. Anyway, I am more... that's the problem. Yeah, yeah, that's right, that's right. You know what got me was that there's this news story, Microsoft patches, um, four more critical Exchange Server bugs, and, uh, it reminded me of this story from this week. Well, it could have made a bit of big balls, actually. We didn't put it in there. The FBI was out patching Microsoft Exchange servers this week.
Starting point is 00:43:35 Really? In the US, yes. So there were so many servers that weren't patched. And criminals, they'd broken in and they'd left web shells there so they could get back in. And the Feds, they went in, the FBI, they got a, uh, a warrant from a judge. It's, uh, it's what's... it was an entry warrant, what do you call it? Anyway, yeah, um, and they were going in without telling the companies and patching their Exchange servers for them and removing the web shells so that criminals couldn't get in. Well, what am I paying my security team for then?
Starting point is 00:44:12 Well, exactly. Exactly. Exactly. And, you know, it's just, I think it opens up a whole can of worms as to, like, where that could go. And yeah, you know, who knows the Feds didn't put in their own back doors, or what recourse does the company have if they ended up screwing up one of their production systems? I think it's just so much. I mean, what happened to just going to the organization, saying, hello, I'm the FBI, um, please, please sort your stuff out? And that would have involved a whole lot less work
Starting point is 00:44:45 right, and liability, because you're right, if something screws up then, well, this is America, so of course, what is it, they wouldn't be held liable, but something immunity, I can't remember what it's called
Starting point is 00:45:00 for law enforcement officers. But yeah, I thought... you rock up to work the next morning, your mail server's falling over and you can't work out why, because nothing's changed. Bizarre. It is. But that's a miracle for you. Well, indeed. Yeah, yeah. I do have to wonder what Microsoft, what they, you know, they could have got involved, because that's a legit way where you can push down updates and notifications to your customer base. The Feds could have liaised with them, got it through to the customers. It's really weird. It's really bizarre. I don't know what prompted it.
Starting point is 00:45:42 There's either a big part of the story that we don't know about, in the sense that the Feds knew something was coming and it was in their interest to deal with this in a way that they knew they could get it all done in a few days, a few weeks or whatever, rather than, yeah, we'll deal with that at some point, you know, or it's just really poor. It's just really poor. It could be because the timing seemed, um, it seemed to coincide with the Biden administration, uh, blacklisting a whole bunch of
Starting point is 00:46:15 um, Russian-based, uh, tech companies. A whole new... oh, that's right, including one that, uh, a, um, a mutual colleague works at, right? Yes, that's right. So it could have been a preemptive measure for that. Who knows? Yeah, because they were expecting a backlash as a result. Yeah. Yeah. Yeah.
Starting point is 00:46:37 So that's good research. Like I put out in a tweet the other day, I'm hoping the London Met will one day break into my house, fix the dodgy window I've got in the bathroom, change the locks for me and fix the squeaky door. And I think that's a good model to have. And post the new keys through the letterbox for you while you're out. Anyway, thank you very much, folks.
Starting point is 00:47:06 That was this week's Industry News. The Host Unknown Podcast, orally delivering the warm and fuzzy feeling you get when you pee yourself. And we're going to move straight on to this week's... Tweet of the Week. And once more, for fun... Tweet of the Week. Uh, the tweet is from Bob McArdle, uh: How am I only seeing Host Unknown TV now, question mark. Do yourselves a favour and watch, and there's a link to Accepted The Risk and a link to, uh, Lost
Starting point is 00:47:46 All The Money, for a good educational laugh. Impressive, Javvad. Most impressive. Impressive. At Tom Langford, I think you'll find. Then at suggester. And then, I think he's even spelt Javvad wrong, he's put fours instead of A's. Only an idiot would substitute numbers for letters. Or an 11-year-old leet hacker. Yeah, exactly. J4, VV. Is it a VV or is it a W? I don't know.
Starting point is 00:48:18 It's hard to tell. Javvad. Anyway. But, yeah, and I'm glad to say that the link is obviously Lost All The Money, because that's the video that needs all the hits, because he's only got 10,000 hits. God. Oh, 12. Oh, right. Oh, well done, well done, Bob. Thanks for that. How many has, um, Lost All The Money got? 12,000? No, it's got a lot more. Lost All The Money?
Starting point is 00:48:48 Oh, Lost All The Money. Oh, not Lost All The Money. Yeah, Accepted The Risk. How many has Accepted The Risk got? Let's have a quick look. You mean you don't know? 69,000. Whoa.
Starting point is 00:49:02 I hope it stays at that number. Anyway, yes, so thank you, Mr McArdle. And shame on you, is all I can say. I know you're a friend of the show and you're an avid listener, so shame on you for missing out on Host Unknown
Starting point is 00:49:21 for the last, what, seven years? No, eight, nine years. Oh, my goodness. It's quite a long time, isn't it? So, anyway, thank you. It's Tweet of the Week. He probably stopped following us when Steve Lord left the group,
Starting point is 00:49:36 Mina, so. I remember pitching, filming at 44Con for the entire two days. We were going to be a part of the CTF, weren't we? Do you remember that? Oh, yeah, but then it got a bit too technical for everyone, right? It just got very, very... It seemed like too much hard work. I know.
Starting point is 00:50:02 So we ended up with 44 facts about 44 kind of which. No, no. This is the year after. Oh, yeah. Oh. Oh. Yeah. Yeah.
Starting point is 00:50:10 That's right. Yes, indeed. Right. So, uh, chums, chums, chums. We come to the part of the show that we like to call... Sticky Pickle of the Week. Sticky Pickle of the Week. Sticky Pickle of the Week.
Starting point is 00:50:36 So the Sticky Pickle of the Week falls on my shoulders to do justice to, because I'm the only one that can. Your company is looking to promote an upcoming Women in Security webinar and you're looking to maximize engagement on your social media channels. So you come up with a survey question, ask a question, give it some multiple choice answers, and, you know, you believe it will solicit engagement and, uh, you know, keep responses on topic. So the question this company chose: What according to you are the most common challenges faced by women in the cybersecurity domain? Yeah, I think I know the answer to this, because I think it's definitely bad, bad questions and surveys. Well, let's read the question first. Yeah. Yes.
Starting point is 00:51:33 Interesting. OK, so what is the most common challenges faced by women in industry today? Is it option A, only men can do this job? Is it option B, women can't handle the job? Or is it C, women aren't encouraged enough? It's a man's job. You've got to be honest. It's a man's job, right? Is it option A? Is that where we should be going? Do you know what? It's very true. It's very true because I use my penis almost exclusively when it comes to handling cybersecurity incidents. I'm a bit disappointed you're assuming my gender with the work I do. I think women could handle the job if they were out of the kitchen more. Yeah, and had a penis.
Starting point is 00:52:21 Yeah, exactly, exactly. So there you have it. But no, this is actually... This is dreadful. This is by the EC Council. What? Providers of such fine certifications, such as ethical hacker and... And how to ask a good survey question in three steps.
Starting point is 00:52:46 Exactly. Yeah. You know, it's not only was this asked in such a horrible way. Some some people started complaining on Twitter to them and they started blocking them, especially the women. So they started blocking all the voices that were, because that makes the problem go away, doesn't it? Yeah, not the, oh, the EC Council started blocking them. Yeah, the EC Council started. Oh, for God's sake, that's ridiculous. Yeah, yeah.
Starting point is 00:53:20 And then, you know, then there was, like, I think there's a link in the show notes to a cybersecurity story by Eleanor Dallaway, in which she spent the weekend. And you can almost feel the passion coming through the keyboard onto the words on the page, where she was desperately trying to get them to say, what's this all about? What's happened? You know, what have you. And, uh, you know, the EC Council gave a weasel-worded, uh, statement: we apologize for the wording and, you know, the offence, uh, we've been working, it was, you know. And then they said it was, like, an over-eager member of the team that posted it. And it's sorry, not sorry.
Starting point is 00:54:07 Yeah. The intern. Exactly. Exactly. And then it went on for a bit and then someone else came out and they said, well, we cannot be sexist because all of our marketing team are females. And this survey was come up by a bunch of females. So therefore, it's impossible for
Starting point is 00:54:26 it to be sexist. Uh, and then, funnily enough, someone on Twitter actually, uh, they posted a picture from LinkedIn of all the profiles of people in their marketing team, and they're all men. So, seriously, sometimes you just got to stop digging, haven't you? It's like, you just got to hold your hand up and be like, okay. I mean, I mean, there's, you know, if you feel that you're trying to do something for the right reasons, in the right way and all that sort of thing, that's absolutely fine, and you can justify your intentions and where you're trying to go. But to blankly say, sorry, not sorry, it's you, not us. I think, well, it's as bad as saying that you weren't breached when you were breached and then saying, well,
Starting point is 00:55:15 you might have copied your own data up there, you know, as a certain Indian fintech did, which we covered a few weeks back. You know, ridiculous. I can't be sexist. Some of my best friends are women. Yeah, exactly. I can't be sexist. My wife's a woman.
Starting point is 00:55:33 Forget that. Awful. My mother's a woman. Yeah. Top that. Exactly. And her mother was also a woman too. Got a long history of women in my family.
Starting point is 00:55:48 I mean, come on, EC Council, really, really. Well, it's also a thing of, or an element of, crisis management as well, isn't it? And how important crisis communications are. Yeah, yeah. I mean, I think when you go through the story, and as Eleanor rightfully teases out, it just shows that there's an underlying culture of fear and misogyny and what have you, so that if someone did do that, say for example someone in the marketing team did put that out, then instead of, you know, backing it out, they started blocking people that were complaining about it so that maybe their boss
Starting point is 00:56:31 doesn't see it, or whoever. It just shows a really horrible culture. It does. And the thing is, those are pretty terrible questions, that, you know, or options I should say, they're pretty awful. But you can understand, okay, they're trying to, you know, maybe move the dial in the right direction, all that sort of thing. And then when somebody says, actually, those are really bad questions? No, they're not. Blocked. No, they're not. Blocked. It's ridiculous. That's not how you engage in, um, in moving the dial on these important social issues that people face. No, no.
Starting point is 00:57:08 What I am interested in is that with the screenshot, over 500 people had voted by the time the screenshot was taken. So I'd be interested in knowing what the responses were. Yeah. Yeah, shame there wasn't an option D. Yeah. Yeah. Yeah. See, I personally just fundamentally don't like these panels which are set up in this way, where it's a bunch of women and they talk about how they can encourage women to get into security. I fundamentally think that's... the female that's really good, that really knows her stuff, and give her the keynote.
Starting point is 00:57:53 Why don't you do that? Because then she'll be a female up there who's talking about security, demonstrating she knows her stuff, and that acts as a far stronger role model for other females looking to break into security than, I think, having a bunch of, uh, women just on a panel saying, well, why aren't there more of us in the industry? You know, it's not productive. And not only will she be a female up on stage, she'll be a woman up on stage as well. Yes. It always reminds me of, uh, if you ever watch Star Trek, the way the Ferengi speak about females. But whenever Jav uses the phrase female, that's what it always reminds me of. I'll never look at a Ferengi again in the same way. Oh, you assholes. Oh dear. Excellent. That was... Sorry to the female Langford listening to this podcast.
Starting point is 00:58:52 The female. Oh dear me. Mum, I'm sorry. I'm sorry about my, uh, appalling colleagues, um. Don't complain to Jav, because he'll just block you and tell you you're wrong. Well, tell you you're wrong, then block you. Oh, my God. Anyway, thank you, Jav, for this week's... Sticky Pickle of the Week. Sticky Pickle of the Week. Sticky Pickle of the Week. So thank you all for listening this week.
Starting point is 00:59:25 We've run our course. We have built a, or sorry, dug a hole for Jav to fall into. And yes, thank you very much. Thank you, Jav, for a lovely week. Jav's not. Andy, thank you very much. Stay secure, my friends. Stay secure.
Starting point is 00:59:48 You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever.
Starting point is 01:00:02 R slash Smashing Security. Jav's gone very quiet. I was going to say, I always love taking the piss out of people that, you know, where English isn't their first language. It makes me feel superior. I wonder if EC Council are hiring. Yeah, we should get Jav to apply, innit?
Starting point is 01:00:31 You're so glad that Krisp is filtering out all the sounds I'm making on this. Foreign language swear words, right? Yeah. I'm fasting. I shall not resort to swearing. Wait a few weeks, then he'll come back to us.