The Host Unknown Podcast - Episode 52 - The Boys Are Back In Town
Episode Date: April 23, 2021

Thom's l33t crypto coin investments

This week in InfoSec
Liberated from the "today in infosec" twitter account:
18th April 1995: proff (Julian Assange) published "The Dan Farmer Rap", about SATAN... author, Dan Farmer. Yes, that Julian Assange. Yes, the same one. Yes.
https://seclists.org/bugtraq/1995/Apr/195
19th April 2010: The OWASP Top 10 for 2010 was officially released.
http://web.archive.org/web/20100628190859/http://www.owasp.org/index.php/OWASPTop10-2010-PressRelease
https://twitter.com/todayininfosec/status/1251895022598803457
19th April 2011: Microsoft published a policy requiring employees to follow specific procedures when reporting vulnerabilities in 3rd-party products.
https://twitter.com/todayininfosec/status/1252023386026340352

Rant of the Week
They Hacked McDonald's Ice Cream Machines—and Started a Cold War
https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war/

Billy Big Balls
Cellebrite makes software to automate physically extracting and indexing data from mobile devices.
https://signal.org/blog/cellebrite-vulnerabilities/
ELI5: https://twitter.com/ErrataRob/status/1385020198697291777?s=20

Industry News
Google to Delay Publishing Bug Details for 30 Days
ICO Issued Over £42 Million in Fines Last Year
FIN7 Sysadmin Gets 10 Years Behind Bars
Google Trumpets New Mobile App Security Standard
MI5: 10,000+ Brits Approached by Spies on Social Site
Dating Service Suffers Data Breach
TikTok Sued Over Use of Minors' Data
DoJ Launches Ransomware Taskforce as Apple Hit by Extortion Attempt
Stallone Classic a Password Favorite

Tweet of the Week
https://twitter.com/H3KTlC/status/1385232019387404296?s=20
Related: Add another cause of mental health concern from the past year's pandemic-induced, work-from-home requirements. New research from Microsoft shows the potential downside of the virtual workplace, confirming that stress increases over the course of back-to-back virtual meetings.
https://www.forbes.com/sites/brucerogers/2021/04/20/our-brains-need-breaks-from-virtual-meetings/?sh=6de6770a21e9

Sticky Pickle of the Week
Hat-tip to Martin @maxsec Hepworth for bringing this story to our attention (and the reason Smashing Security missed it is because they record on Tuesday and spend a day and a half editing their show before releasing it):
"Linux kernel developers do not like being experimented on"
https://twitter.com/gregkh/status/1384785747874656257?s=20
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/

Come on! Like and bloody well subscribe!
Transcript
Shot through the heart. I'm just googling "HSBC manager's candid LinkedIn post about
stress-related heart attack goes viral". I'll tell you what, their HR department is, like,
desperately meeting with the PR at the moment to discuss, to work out how they can let this
guy go for telling everybody that their job and their company caused him to have a heart
still come out of it looking good.
They're going to release his underperformance.
Hold on. We're talking about HSBC,
the bank that was caught
several times laundering money
for the cartels in Mexico.
They know how to spin a good story out of anything.
They'll be fine. You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us,
and welcome to episode 52 of the Host Unknown Podcast. And I believe we're at 56 already. 56 exactly. Gentlemen, how are you?
How are you, Jav? How are you, sir? How's not eating in daytime going? Yeah, it's good. It's
good. I'm feeling great. Still early. Yeah, it is early days. Yeah, yeah. Give it a couple
of weeks, folks. We'll have a different animal on the show with us by then. That's code for, like, you'll have a stand-in replacement. Yeah, yeah, yeah. Carole,
Carole Theriault, are you there? You know, we might need you to replace Jav.
Andy, how are you? Oh, good, can't complain. Another business as usual week. I had to
get a new boiler this week, funnily enough.
So business as usual for you is getting a new boiler.
Well, it's just one of those really random things.
Booked the guy in to come and just service the boiler.
And it was booked to come in on the Tuesday.
And then the Monday, it just stopped working.
And I was trying to get it working again, like, you know, as you do.
Trying my knowledge of boilers. Is the pilot light on? No. Okay, try and light it. Reset it,
off and on again. Exactly. Do that like a hundred times. And then, yeah, I was like, oh well, at least
he's coming out tomorrow. And he did. He turned up and he serviced it, and then he was like, there's
something not right with this. And I was like, yeah, yeah, that's probably why it stopped working yesterday.
And then it caught a light.
While he was sitting there, a big flame went up,
and the guy absolutely shat himself.
And he was like, where's the gas, mate?
Where's the gas, mate?
The thing is, when a gas professional shits himself
when something like that happens, and he's the one with the knowledge of how gas works,
you know, and how gas works around flammable, you know, well, around flames, so you should have been
going for the door. Yeah, do you know what? Funny, I was actually on a call at the time and I was
sort of, like, you know, muting myself, pointing to under the stairs. I was like... I'm disappointed you didn't pull out
your phone and start recording a TikTok video or something. Yeah, but me for part two, and then
you're outside a burnt house. But as good advice goes, you know, whenever there's a gas leak
or something and you're looking for the gas main, don't forget to switch the lights on so you're clear to... Yeah, absolutely, you can see everything. Well, luckily I had a lighter
in my pocket, so I was in here somewhere, just down here. Oh, it's so stressful watching him run around
like that, I had to have a cigarette. But how's your week anyway? Tell... Do you know, it was going very,
very well until he spoke to us, right? Yeah, until, funnily enough, about
10 minutes ago. But then I was looking through my Revolut app on my phone,
and I thought I'd take a little peek at my cryptocurrency, because I actually sold all my
stuff. I needed some cash for Christmas last year.
Was it Christmas?
I can't remember.
Oh, no, it was September.
That's right.
You know, the pandemic was digging deep.
I needed a little bit of cash.
I thought I'd just, you know, cash in what I had.
I didn't have much, just a few hundred pounds.
And I'd forgotten about it, actually.
And so I went back and had a look.
And you know how you do the graphs and it shows you when you've bought
and all that sort of thing, and the graphs go up and down
and shows you your value.
Well, I worked out when I last sold, and I sold –
because I've been selling a few bits and bobs up to that point,
but I sold 105 pounds, 106 pounds worth of Bitcoin on the 27th of September when it was worth 8,000.
And it's now at 40,000. Yay. I sold everything. And actually, as I recall, in fact, no, it's all
coming back to me. I sold it to put into Apple stock because Apple was about to do a big announcement.
And I thought, you know what?
The sensible money, you know, it's going to Apple.
I think I made about £1.50.
You're never going to make big money on big established stocks like that.
No, I know.
I know.
You know what?
It's also, I would feel sorry for you,
but after hearing you this morning, I'd say good.
Oh, charming.
Why is that?
This started before you joined, Andy,
and this was me and Tom were just chatting before the prequel,
waiting for Andy to join and wait to hit record.
When he was just finishing.
And Tom's phone rings and he goes, oh, hold on a second.
It's my mum. And he picks up the
phone. Hello? Hello, Mum. Yeah, what? The Wi-Fi is not working? What part of it's not working? Is it on the
iPad or everything? I'll tell you what, Mum, go to the router, you know, the main box and everything,
crawl underneath, turn it off for five minutes and turn it back on again. Then go to all the satellite
dishes, that you know, the repeaters, and turn them off. Then turn everything off and on, and
go... Okay, bye, Mum, love you, I'm going to record the podcast. And he hung up and he goes, that'll keep
her busy for two hours. Never let the truth get in the way of a good story. Hey, Jav, what part of that
is not true? Talk about, talk about
stitching me up
anyway
it was you who said
that'll keep her busy
for two hours
but there you go
mum you can
stop listening now
damn
so nobody
nobody turn up
to talk
nobody turn to Tom
for any advice
because
yeah
that's how he treats
his mum. And so I'm happy that
he sold bitcoins when they were worth
like a mere eight grand.
Yeah, I think I bought them when they were
worth a mere eight
and a little bit less grand.
So what have we
got coming up for you today? Well, this week
in InfoSec takes us back to an InfoSec rap artist
who predates even us, even host unknown,
and reminds us of just how recently responsible disclosure became a thing.
Rant of the Week talks about a McDonald's cold war.
Industry news, as usual, brings us the latest and greatest InfoSec news
from around the globe.
Tweets of the week is a simple reminder to just take care of yourself
because we're caring and sharing like that.
Billy Big Balls: Signal to Cellebrite, bye Felicia.
The sticky pickle of this week is about students pushing the boundaries of ethics.
And, well, isn't that the point of being a student?
I don't know.
And finally, if the sky falls, tall people will be killed first.
And that is something positive we've got to say about little people this week,
even if they don't always understand what social engineering is.
Anyway, Andy, what have we got coming up now?
I think it's time for...
This Week in InfoSec.
So it's that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and embellished by us.
I'm still not quite sure about that tagline.
I just feel like someone might steal it.
You know?
Yeah.
I don't know.
We'll see.
Well, I'm on a podcast next week who I think they're probably the ones
who are most likely to steal it.
So I'll keep an ear out.
Cheers.
Yeah, that would be appreciated. So anyway, first of all, I'm going to take you back a mere 21 years, to the 18th
of April 1995. And I did not see this one at the time. 21 years? 21 years. 26 years ago. A mere 26. Do you know what, there's six years where I was just drinking a lot.
It makes a lot more sense. Well, hey, if we throw mine in as well, then it was probably only
18 years ago. Andy, you're the man with the calculator on your desktop. That's a bunch of white.
When are you talking about these stories?
I should have worked this one out.
But I thought, no, no, that's simple.
It's 1995.
That's only like six years ago, isn't it?
26 years ago, a guy called Proff published something called
The Dan Farmer Rap. Now, Proff, with two Fs, is better known as
Julian Assange. And yes, it is that Julian Assange. Really? Yeah. So on to the Bugtraq mailing list
archive. It is absolutely fantastic. He posted this, and to me, it's a diss track, right? Obviously,
this is back in the day where there was no YouTube, there was no recording media,
this was all in text. And it's titled The Dan Farmer Rap. I'm Dan Farmer, you can't fool me,
the only security consultant to be on MTV. I've got long red hair, hey, hands off, man,
don't touch the locks of the mighty Dan. And that's just a sample. This goes on for like another
20-odd paragraphs. It is... was it saundian, like year eight at school or something? I really think it
was. Obviously we spoke about Dan Farmer, you know, author of SATAN, you know, and the amount that he has done for the industry, like, you know,
revolutionary, you know, basically brought these tools to the masses. And the final line in this
rap literally says, I'm Dan Farmer, now take that. It's not every day you get to interview the world's biggest security clown.
So, I mean, there is a link in the show notes.
Just read the whole rap and just remember who we're dealing with.
This is Julian Assange dissing Dan Farmer.
And, you know, I'm not even going to talk about how these lyrics don't flow.
But, I mean, it's just so funny.
And the thing is, these mailing lists back then,
the thing this was actually sent, he sent it,
oh, actually, the 17th of April, you know, 95, he sent it.
And the next reply came on the 20th of April, you know,
like three days later because, you know,
people weren't online in real time in these days.
There's very much a lot of...
As opposed to three seconds later now.
Yeah, I mean, properly cancelled.
And this actually only received, well, one, two, three, four, five,
five responses to it.
You know, one person, you know, straight away, this isn't funny.
Next person, actually, it's very funny.
And then, yeah, the final one came from, like, Twitter
then. Yeah, and then the final one came from Aleph One himself. It just says, can we keep this
kind of crap off the list. And then there was no further follow-up to that. But all I can
picture is Julian Assange, after getting those, thinking, I'll get you, internet. And then history was made.
I know.
It is just crazy what he did.
But he obviously took a lot of time to go through this,
and his lyrics are not that solid, if I'm honest.
No, it sounds like something ripped off of a fresh Prince of Bel-Air sort of thing.
But what it also does show is that, you know, people who moan about kids these days and their etiquette online and what have you,
they're no different from what the people were like 20, 25 years ago.
Exactly the same.
Yeah.
Just higher volume.
That's right.
Oh, geez.
Julian, I hope you're even more ashamed of yourself. I know. Yeah, he's still got that school kid mentality. But, you know, I know we often
say, you know, everything old is new and everything new is old, which brings us on to the second one. 19th of April 2010, a mere 11 years ago, without a calculator. The OWASP Top 10 for 2010 was
released. So, I'm sure everyone's aware, you know, OWASP is a non-profit org, I think
originally founded in 2003, with the mission to make security vulnerabilities more well-known and more visible to people and companies, so that they could develop applications better, to look out for the most common vulnerabilities that were found.
The last update prior to that was 2007.
And ironically, only two things have changed on that list, you know, within those two years.
And I think, you know, subsequently since then, you know,
that top ten list hasn't changed too much in terms of the things
that will always get your website hacked or, you know,
the most common things exploited on the website.
So SQL injection and cross-site scripting have been in there forever, right?
They have, yeah.
I think they're still at that list.
Now, here's the thing.
I'm not a developer.
And I know that might come as a shock to many people
and I don't code or anything like that.
But surely if you're being told that here's two things,
SQL injection and cross-site scripting,
that you absolutely really have to be careful about
when you're developing websites, and you've been told that for the last 15 years, you try not
to develop websites with SQL injection and cross-site scripting vulnerabilities, right?
You would think. But you know what happens, especially in big companies, you know, people
come and go, and then someone else comes in and they're just editing old code, you know.
But have they not heard of OWASP?
I mean, I struggle here.
No, you're right in struggling because I think there's a few things.
One is that we think it's far more commonly known
because we work in security and there's that echo chamber effect.
Not every developer has the same exposure. Secondly, developers are under a lot of time pressures, and
want to just get something working, and as long as it looks like... We call that lean. Yeah, yeah.
So there's that. And the third thing, someone told me that there's, I can't remember what,
there's a developer's book, one of the main books which developers buy and they learn how to code and build web apps.
And security is literally like one of the last chapters and one of the last topics covered.
And it's one of the smallest topics.
So I think there's a lot to be said about getting in early with the
developer community. I know that's what OWASP has tried to do, the intention was, but I think it's
ended up being more of a security community thing, because it's been widely adopted by pen testers
and assurance and code analysis vendors, because that's good for them.
But I think a lot of it is I blame the security community
for not doing a good enough job for engaging early
and often with developer communities and really getting that message out there
because I don't think the message is out there as half as well
as what it could be.
But still, the message is still not out there. I mean, we can't have done that bad a job, can we? Well, yeah, I think, like, you know, most companies, if you need something developed, you go on Fiverr,
find a 21-year-old kid from India or Bangladesh, and he'll just cobble something together and
give it to you, and three years later
that's the heart of your commercial product. Well, it's that thing, you can either do it fast,
you can do it cheap, or you can do it at high quality, and you can only pick two out of three
of those. So, yeah, nothing new on that one. But it's just interesting, you know, this has
been around for a long time, and fortunately we will still stay employed while people don't change.
In which case, everybody, ignore OWASP.
Yeah, take that, not, you know, official advice, but, you know, take it with a pinch, because
we're known for our consumer advice here, aren't we?
So the next one, 19th of April, 2011.
Now, let me just get my calculator.
2021 minus 2011.
So a mere 10 years ago. Nine years ago.
Yeah, a mere 10 years ago this week.
And this is crazy, because I really think this was a time where, you know,
the industry was, you know, just booming, especially with people getting together
on Twitter and, you know, other sorts of groups. There were lots of meet-ups, industries, you
know, besides London, big events going on. So, you know, it's a real sort of fledgling community
going on. And it's only 10 years ago that Microsoft published a policy requiring employees to follow specific procedures
when reporting vulnerabilities in third-party products. And I've got a quote here from friend
of the show: we're definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in.
We're basically following the golden rule for disclosure.
And it's all about protecting customers because there's no reason to unnecessarily amplify risk by imposing some sort of one size fits all deadline on things.
And that was a quote from Katie Moussouris, who was the Microsoft Senior Security Strategist at the time.
Katie.
Shout out to Katie.
Yes.
Oh, Katie, you said.
I wonder what you said there.
Couldn't make it out.
Yeah.
In your excitement, Jav, you mispronounced it slightly.
Yeah.
That was only 10 years ago, can you believe it?
Blimey, that does not feel...
It feels like it should be a lot longer ago.
Yeah, yeah.
But I think all these vendors like Bug Crowd and HackerOne,
they came after that, isn't it?
Yeah, yeah, yeah.
Again, a seminal moment in InfoSec history
where, you know, things just boomed after that.
That's right.
And we can say we knew the person vaguely who was involved.
I follow them on Twitter.
Yes, and therefore I know them.
Excellent stuff, Andy.
Thank you.
This week in InfoSword.
Oh, dear.
Good.
So this next story, which is a rant,
Jav refused to tell me about it before the show
because he wanted the full effect.
So any laughter or lack thereof from me is entirely unscripted.
So, Jav, no pressure.
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
You make out like as if any part of the show is actually scripted.
Anyway.
Like we prepare.
The story starts with McDonald's ice cream machines, and they are
notoriously finicky, so much so that people have made bots to determine whether your McDonald's
machines are busted or not. There's a link called mcbroken.com, and it actually shows you
a map of, I think it's only in the US, it might be global,
but it shows you which machines are broken. And between five to sixteen percent of these machines
are broken at any given time. That's probably because they're online and can be accessed
by people, maybe. No, I think this might be just reported, where people go and report. Oh, I see,
crowdsourced. Right, right, right. So the way these machines are designed, you say it's
just an ice cream machine, but what they're designed to do is do overnight repasteurizations
on leftover ice cream mix. So unlike older machines, older machines had to be drained and cleaned
every night, so there's, like, high labor and wastage costs. So this one takes your leftover mix and
repasteurizes overnight, so it's for use the next day. Now, there's a trade-off, and that is that
these machines are far more complex and, you know, they're prone to breaking down.
So they have very, very narrow sort of margins of error to operate within.
Yeah.
And then when you take into the fact that McDonald's employees are low pay, high turnover, young and new to the job, you can see why these machines break so often.
And wasn't there a thing about pooping into them or something like that? I don't know about that.
On the internet, about that. Yeah, I don't know if this comes from, you know, the Reddit AMAs
where you've got, like, fast food workers. Yeah, and, you know, one person will say
something, but, you know, talking about that high labor to clean it, I do know a common
statement that a lot of workers said was they couldn't be asked to clean the machines,
which is why they just left them off a lot of the time. Oh, right. Anyway, that's not the entire story.
Oh well, good, because it wasn't that funny so far. I didn't say it was going to be funny, I just said it's interesting.
So it turns out that this is made far worse, the problem is made far worse, because the machines
are like boilers, Andy, you'd know. When they go down, they'll throw up some sort of cryptic code.
It's like the Microsoft blue screen.
It's like E7333220XXX.
Oh, that means the heating coil's gone.
Yeah, yeah.
No one knows what it means.
So they have to call an engineer out from the company Taylor that makes the machines.
These are 18 grand machines that the franchisees pay for, because they have to buy approved McDonald's products to use in their thing.
So they pay 18 grand to get these machines. And then the franchisee has to pay the call-out charge every time it breaks down. So you see where there's a problem here, now that franchisees are getting stung by machines that are breaking down very frequently. They
can't change to anything else, because McDonald's has the final say in what you can
and cannot use. But then McDonald's Corporation doesn't bear the brunt of any of the costs of
calling out the engineers. And there's this theory that maybe
someone in McDonald's HQ is getting a backhander by Taylor to keep things like that, because
Taylor's making lots. Yeah, Taylor's making a lot more money from call-out charges than they
are from the machines and all that kind. So there's a company then that comes in called Kytch, K-Y-T-C-H.
It's a startup, and what they did was they built automatic enclosures for the Taylor
ice cream machine. And what they can do is they give the franchisees the ability
to monitor and diagnose those 18 grand machines without having to call a technician out. So what
the Kytch machine would do is, it's got a Raspberry Pi and whatever, it's just
really simple, but it will say, oh, this is wrong, press the cone icon, then tap the snowflake button, and then five
and then two, and then hit reset, and it starts working again. So this was a runaway success.
Franchisees bought the gadgets and paid activation and recurring fees, and they were glad for it,
because it was far cheaper than paying Taylor's service tax time and time again. You know, the gadget is really well done.
It's proper modern day and what have you.
But McDonald's was not happy about this.
Well, I suppose Taylor was not happy about this.
And so they teamed up with McDonald's saying,
hey, we're losing money, you're losing money,
everyone's losing money here.
So this is where it takes a dark turn.
So McDonald's began to send increasingly unhinged scare memos,
warning that Kytch might steal confidential data.
And then it creates a, quote, potentially very serious safety risk for the
crew or technician attempting to clean or repair the machine. Bear in mind, this is just a diagnostic
machine. Yeah, it just helps you repair the... All that PII that you put through your ice cream machine,
right? Exactly. The memo concludes that this machine could cause serious human injury.
And McDonald's strongly recommends that you remove the Kytch device from all machines and discontinue use.
Strongly recommends, not demands.
Yeah. So it's quite the tale.
You know, you have this device that breaks down.
It's turned into a big money spinner for a giant corporation that values the service charge more than it cares
about disappointed customers.
And then on the other side, you've got the tale
of scrappy inventors and hackers who transport the gadget
half a century forward in one fell swoop and who get
destroyed by the big corporations through a mix of scare stories and eviction threats. So I
think this all comes down to that story of all the ongoing issues that we see more
and more about the right to repair. Do you own the device? Do you just own the hardware and you just lease the software?
It's similar to the ongoing issues that John Deere has been having
with farmers in the US where people not want to do that.
It reared its ugly head when Sonos last year said they're going
to start bricking devices, older devices,
as part of their, quote
unquote, recycling program, and then they've done a U-turn once people complained. So I just spent
500 quid on a Sonos device that you're now going to break? Yeah, yeah. So I think it's one
of those ones that, I think, you know, it's really hard to know, because certain things, you really are just buying a dumb device and everything is built into the server.
So if you buy one of those smart speakers like Apple Home or whatever, there's nothing really in there on Alexa.
There's nothing in there. It's just a mechanism for you to communicate with the back end servers.
And it's just literally a speaker
So in that case you can kind of understand, okay, you're only paying minimal cost for
the hardware, but the actual value has come from the software. But when it comes to things like
tractors or your ice cream machine, you know, you don't expect, I don't think the market is there
where you expect to be paying only for
hardware.
And,
you know,
the software is still controlled by someone else and you have to make,
you know,
stupid payments for all that charges or ongoing maintenance fees or upgrades
and all that kind of stuff.
For a simple glitch in a system that can reset very easily.
And I think as long as Kytch are being honest in what you can do, in the sense
that, you know, this is a perfectly normal error code and can be reset
and you're fine versus, you know, here's a serious safety issue
that the content has not been pasteurized overnight.
Press this, reset it, you'll be fine.
That's a slightly different matter.
Yeah, exactly. Because, you know, it's a health and safety issue and all that sort of thing. But as long as Kytch are playing by, you know, morally and ethically there, then what the hell,
why wouldn't you? I mean, yeah, the thing is, they just don't want the competition. You know, they
signed a deal with McDonald's, is it Taylor? They're like, look, we're going to supply these machines, but we don't want competition, we want guaranteed income.
You know, we want to make sure this continues to bring us a minimum amount of money,
and therefore they chuck in all those conditions about how, you know, you're not allowed to get a
third party to service it, or, you know, we're the only people that can do it. I mean, it sucks, don't
get me wrong, but that is just big corps all over, right? But what's the difference between
the Kytch machine and, let's say, an ex-Taylor engineer who decides, you know what, I've had
enough of ripping people off, I'm going to go and take it easy and work in a McDonald's
part-time, you know, for the rest of my life. And then the manager hears about that and says,
hey, you're an ex-Taylor engineer.
What does this mean?
Oh, well, just press that, that, that, and that, and you'll reset it.
What's the difference between that?
Well, at that point, they're no longer authorized representatives
of Taylor, though, are they?
Yeah.
But neither is Kytch.
No, I think that's the whole point, though, isn't it?
That's what Taylor is saying.
Yeah, yeah, yeah.
Yeah, exactly.
But you're buying that skill set from somewhere else
where you've not been legally bound to do so. Yeah, yeah. I mean, there
should be some sort of... So if Taylor really wanted to address it, they should offer some sort of
warranty with the product, or a certain number of free call-outs.
You know, the first six call-outs a year are free after that,
you know, or just increase the quality.
What kind of device?
Your first six call-outs a year are free?
I mean, I know you just made that figure up.
I'm just throwing that out.
I know, but you can certainly imagine it because if there's a market
for something like Kitsch, those call-outs have got to be
pretty frequent and expensive. Yeah. Yeah. So Kitsch, that one's – no something like Kitsch, those call-outs have got to be pretty frequent and expensive.
Yeah.
Yeah.
So Kitsch, that one's – no, not Kitsch.
Taylor, that one's free, but in exchange you'll have to sponsor us.
Yes.
And I will accept an ice cream machine in my house.
Yeah.
But would you pay you the call-out charges?
No.
I'd get Kytch to do it.
There's a tweet by McDonald's.
It says, we have a joke about our soft serve machine,
but we're worried it won't work.
Oh, nice.
I like that.
I like that.
And in the show notes, there's another meme as well,
which I think Andy put in, so very good.
Jev, thank you.
I was disappointed that it wasn't hilarious,
but I was not disappointed because it was a fascinating story.
I liked that one.
Very good.
Thank you.
Rant of the Week.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
Like and subscribe now. All right, so now it's time for this week's
Now, somehow I've managed to get a story that combines both my significant strength
and my significant weakness.
So it's a story that does involve Apple.
I was going to say it's going to be like Apple and alcohol, right?
Apple and deep tech.
So that Apple, although Apple is a part player in this rather than the main player in this.
But so, yeah, bear with me as Is and indexes data from mobile devices.
Although you have to have the device physically in your hands.
So, you know, the kit apparently comes with, like, a nice little bag, and it's got more connectors than you know what to do
with, because it connects to every single device. But it's been most famously used by various
governments and juntas and dictatorships around the world for the sort of hacking and removing of data from people,
the undesirable people of those countries,
Apple devices, allowing them to read it.
And it's a very expensive device.
It's certainly beyond the reach of most of the average person.
And I believe that Cellebrite also have a policy
of only selling to governmental agencies
anyway, although of course, I'm sure you can get hold of them somewhere. Perhaps one fell off the
back of a truck in front of you as it drove past. Anyway, so Cellebrite is not a company that is loved by privacy advocates for obvious reasons, because,
you know, when you use your device and when you encrypt it and lock it,
privacy advocates and, in fact, most normal people say that that's your device and you should not be
obliged to share what's on it. Obviously, law enforcement may have different views,
governments may have different views,
and certainly oppressive regimes will have very different views.
So there's always a little bit of a conflict between these two groups.
Now, Signal is one of those groups.
Signal is a company much like Telegram, WhatsApp, and all of the others, messaging platforms that does end-to-end encryption, et cetera. Privacy is high on its agenda.
In fact, I do believe, again, and please correct me if I'm wrong, folks, but I do believe that the founders of WhatsApp, when they sold to Facebook,
they left and took a bunch of their money and gave it to Signal and said, go and do what we wanted to do with WhatsApp originally.
So Signal, folks, is one of those great platforms.
Now, what Signal has done is done like a little uno reverso, turny-tabely thingy
on Cellebrite. So normally, Cellebrite would download packages and data, including Signal
data and Telegram and WhatsApp and everything else, and be able to decrypt it and show the
contents of it. What Signal have done, and there is a link in the show notes including,
an explain-like-I'm-five-years-old explainer, what Signal have done is actually
turn the tables, and if Signal detects that, or if Signal's contents are downloaded, you also download a little package that executes on the Cellebrite device and basically owns it,
basically hacks the Cellebrite device and stops it from working and stops it from looking at the contents of the device in question,
which is frankly quite brilliant, if I'm honest. I really like this. How the turns of tables, right?
Indeed, how the turns of tables. That's, and I think one of the other important things there is,
especially with law enforcement that use these devices to, you know, capture data, is that that
then calls into
question the whole integrity of that device and whether or not they can rely on it, because it's,
it's, you know, it's no longer of sound or, you know, forensically sealed or untampered at that
point. Yeah, it's round and round. But what I do like about it is, in the show notes, the link to the Signal article that covers this is fascinating.
It's actually written in English language for once.
So mere mortals like myself can understand it, although there's a few hard words in there, I have to say.
And so it goes through and absolutely shows what it does and, you know, it pops up on the screen.
I think it's a Hack the Planet reference from, oh, what's that film?
Hackers.
Hackers.
Yes.
So it has a little quote from the Hackers movie
with Hack the Planet in there.
And it talks about, you know, the changes they've made to Signal that do it.
And then in the last paragraph, which I think is completely brilliant,
and the completely unrelated, in completely unrelated news,
upcoming versions of Signal will be periodically fetching files
to place in app storage.
These files are never used for anything inside Signal
and never interact with Signal software or data.
But they look nice and aesthetics are important in software.
Files will only be returned for accounts that have been active installs for some time already
and only probabilistically in low percentages based on phone number sharding.
We have a few different versions of files that we think are aesthetically pleasing
and we'll iterate through those slowly over time.
There is no significance to these files, which basically is a wonderful way of Signal saying,
we've got your back now and for the future as well.
I love it.
I think what the key there is that because if Signal had put all of the vulnerabilities out there,
then it would just provide free quality assurance for Cellebrite,
because they would just plug in Cellebrite and say, oh, here are new vulnerabilities, and then they'd patch them.
But what this means is that what they're doing is Signal have a bunch of vulnerabilities,
and every couple of months they'll push out just one.
Yes.
And what that means is that over time, to Andy's point, it will just prove that at any given point
in time Cellebrite can never be trusted as a, as a, as a, in a court case or anything like that.
Exactly.
Which is absolute genius. Then, however, there's the flip side to this: this is exactly how criminals operate.
They hold on to zero-day vulnerabilities and every now and then release one
when they want to do something.
Which is, you know, is there – should Signal be under some kind
of responsible disclosure obligations here?
And obviously, the victors are the ones that write history, right?
And I know that Signal are trying to do the right thing here,
but are Signal deliberately disrupting somebody's business model
by deliberately inserting rogue code into a product
that will stop it from working?
So I'd be interested to see some of the long-term fallout of this.
Well, to be clear, that's only going to come into effect
if that product tries to, you know,
interfere with it. You know, it's not like an offensive tool, is it? It only gets
triggered in response.
Yeah. So, I mean, I have no issue with that. This is a stand-your-ground
kind of argument, isn't it? It's like someone comes and breaks into your house, then you have every right to defend. That's great in America, less so here.
Yeah, yeah. Actually, actually, Signal on their blog,
I think Moxie, he did say, we are of course willing to responsibly disclose the specific
vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use
in their physical extraction and other services to their respective vendors now and in the future.
So, you know, it's I think it's perfectly fair.
Yeah, fair, but it's fair legal.
That's the other side of it.
But we'll soon see.
But, you know, for now, I certainly applaud.
I certainly applaud Signal for doing this.
You know, whilst there's a certain part of me that agrees
that what Cellebrite is doing in certain circumstances
is very valid and useful, the fact that it's been sold
to oppressive regimes around the world and actively used
to, you know,
oppress certain types of people and minorities, et cetera,
in those countries, that kind of, you know,
significantly sways the argument away from them and towards Signal.
But so, you know, I absolutely do applaud Signal for what they've done here.
And maybe we'll see Telegram and other vendors doing the same.
I hope so.
Billy Big Balls of the Week.
So, Andy, what time is it?
It's that time of the show where we head over to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe
industry news
Google to delay publishing bug details for 30 days. Industry news. ICO issued over £42 million in fines last year.
Industry news.
FIN7 sysadmin gets 10 years behind bars.
Industry news.
Google trumpets new mobile app security standard.
Industry news.
MI5.
10,000 plus Brits approached by spies on social site.
Industry News. Dating service suffers data breach. Industry News. TikTok sued over use of
minors' data. I told you. I told you guys. Industry News. DoJ launches ransomware task force as Apple hit by
extortion attempt. Industry News. Stallone classic a password favourite. Industry News.
and that was this week's industry news
I don't know why there's so many miners using TikTok.
I mean, it's pretty dark in those caves.
Well, maybe they use it to light up the walls or something.
And, you know, when they're on their breaks,
I mean, you know, they've got something to do down there.
Quite how they get the signal down there, I don't know.
True.
Do you know what, this MI5 10,000 Brits approached by spies on social sites, that probably
explains why so many women on these dating sites don't reply to me. They're all spies.
Or they think you're a spy. There was, didn't they post on Instagram or something?
I read this story earlier in the week. What, who? No, MI5 have got an account on Instagram.
Yes, I saw something like that.
You're right.
They do hashtag selfies and stuff like that.
No, no, they had a picture of a martini or something like that.
I love the fact that they really play up on that,
that they really, you know, that whole James Bond thing.
That is brilliant.
A lot of people know it's probably just really,
really boring desk jobs.
Yeah, it is.
Going through reports and reading stuff,
creating PowerPoints for your boss.
Yeah.
You have two career paths, boring desk job
or ending up floating in the Thames.
Which one would you like?
You mean I could be a
boat?
Yes.
Boaty McTomface.
Floaty
McTomface.
So what password is the Stallone
classic? What is that?
You know, I was thinking...
Have a guess.
Well, I don't know.
Rambo?
Adrian!
It is actually related to that.
Oh, is it?
Yeah.
Is it Rocky?
It is Rocky, yeah.
Is Rocky with a password?
Apparently top in the list, yeah.
Rocky is the most common password.
No way.
So has that beaten password and password 123 now?
I don't know.
I don't know whether they disqualified that
or whether they were just looking at...
So this is true.
So a company called SpecOps
trawled through 800 million breached passwords
to determine which big screen hits were favoured by users.
And then they created...
Okay, so this is purely focused on films and stuff.
So they created a sub-list,
a subset list of two billion passwords.
What?
The selection was a subset of a list of two billion passwords.
Jesus.
What?
Yeah, and topping that list was Rocky.
Yeah.
Followed by Hook,
which is, they say
it's part of the
Captain Hook movie or something
I don't know
That's Hook, that's really bizarre
Number three is
everyone's favourite hacker
Neo
The Matrix
What, N-E-O?
No, it's Matrix
So, I mean, do you know what, I do. But so, we're, like many
moons ago, we did a, yeah, let's call it a password audit. You know, there's this guy and
he was actually ex-services, he's ex-KGB, and he used a dictionary word. It was just a Russian
dictionary word, and his password was the
easiest one to crack. And, you know, when we told him, it's like, I didn't think you, anyone, could
speak Russian. And it's like, dude, seriously, it's a dictionary word. Like, no one can speak it, but,
you know, we can upload a list. Oh man, that's quality. But a lot of these sound like, I mean,
other than Rocky, which I don't think any of the kids, I
mean, there's, there's Psycho on the list as well, but most of these sound like accounts that kids,
kids have created for their, their online gaming accounts. So, yeah, Batman, Spider-Man, Superman, Star
Wars, Frozen, X-Men. Frozen? How did they get my password on there?
And you can tell the age groups,
because Shrek doesn't come in until, like, number 10,
and then Terminator's
way down at number 19.
Yeah, I thought it would have been "I'll be back".
Oh, dear. Excellent.
You're listening to the Host Unknown Podcast.
Bubblegum for the brain.
So let's move on, shall we, to the penultimate story,
this week's Tweet of the Week.
I just love playing that one.
Tweet of the Week.
So this is going to be a short one as I try and keep it quick, as is my nature.
So this is a tweet from @Hectic.
I just got that.
That's H3KT1C, I believe.
And she has posted just a very simple one-liner.
There needs to be a discussion on premature ageing
as a result of a career in information security.
Something I absolutely agree with.
When I first started in this industry, I had a full head of hair.
And, yeah, I won't try and say that I looked a lot younger,
but I did look a lot younger.
I think I'm ageing probably three times faster than many of my
friends who are not in the information security industry. Yeah, it's, it's all down to information
security. Poor diet choices and lifestyle has nothing to do with it.
There's some sort of, you know, correlation-causation comment here.
But, yeah, no, fantastic thing. I think it's absolutely right. You know, there are,
there's stressful jobs all over the place, you know, don't get me wrong, but certainly in, in
infosec, it seems, there seems to be a lot on the line, you know, when you mess up. For general,
sort of, office-based jobs, for want of a better term,
I think it's one of the more stressful ones. Yeah, I mean, we're certainly not pulling dead bodies out
of burning buildings and stuff like that. Or, wait, what is that? Only because you're working for a
vendor. Didn't you used to do that in corporate? No, it's because I'm working from home now. Okay, gotcha.
but uh also with this and this was quite interesting,
this story that came up on Forbes just related to this.
I stuck a link in the show notes,
and it's about how Microsoft has done this research, and they've actually found that doing back-to-back virtual meetings
increases stress, which I think we all sort of knew without any evidence.
It's so dull, half of them.
Yeah, well, they actually hooked people up to, you know,
monitoring machines and, you know, monitored brain waves
and heart rates and stuff like that.
And they saw that, you know, the longer people were sitting down
in meetings virtually, you know, the more stressed they became,
you know, regardless of the content of that meeting.
So it is important to take a break.
I wonder what the psychological reason for that is,
because in theory you're in your own environment,
you can switch your camera off under most circumstances,
you can, you know, you can pick your nose with impunity
and all that sort of stuff, all of which you can't do in a real meeting
because, you know, if you yawn at the wrong time,
if you, you know, if you glance down
at your phone or whatever, everybody's going to see it, whereas on a Zoom call you don't get that.
There's that, that kind of, that distance allows you to separate a little bit. So I wonder what,
what they might find, and I know, I appreciate, I haven't got the answers yet, but what they might
find that is, is causing that increase in stress in that particular circumstance.
I think just taking a break and doing that, you know,
whole water cooler moment, you know, at the end of the call,
just walking back and forth.
Yeah, it's just at least, you know,
even just walking up and down the stairs, you know, to the office.
Probably having to pee in a bottle as well when you've got three or four
in a row probably doesn't help.
Yeah, exactly.
I mean, yeah, the last time I did that in a meeting room I was asked to leave. So, yes.
Especially after the boss mixed that up with his apple juice. Yeah, apple juice.
Oh dear, oh dear. Excellent. Thank you, Andy.
Tweets of the Week.
Now, we do have a Sticky Pickle this week, would you believe?
Would you believe?
I know.
So shall we just move straight into it then?
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
I love that one.
So this is me. This is, so hat-tip to Martin Hepworth, @maxsec on Twitter, for bringing this story to our attention and not to Smashing Security.
Who missed it.
Because they take ages to not only record, but, you know, edit and send it out and all that sort of thing.
So, folks, if you want up-to-the-minute news and views,
obviously stick with the number one InfoSec security podcast.
The Agile security podcast.
The Lean security podcast.
Well, there's many things that I would use,
many words I would use to describe all three of us.
Lean would not be one of them.
Anyway, so the headline of this is Linux kernel developers do not like being experimented on.
Were they abducted by aliens?
Yeah, exactly.
So as we know, and I'm going to be paraphrasing massively here,
but the Linux kernel, which is open source,
is open for contributions around the world.
Anybody can apply to become a contributor to the Linux kernel.
And by that, I mean the core function of Linux and how it operates, et cetera.
You can write snippets of code.
You can upload that.
They get taken into it.
They're reviewed by a panel of volunteers
to see if they're valid and if they should be included.
And this is all behind why Linux is so successful.
It's effectively, you know, there's effectively millions of people developing Linux, you know, whereas, you know, for many other operating systems, it's just a couple of companies and, you know, a few thousand people.
But this is what keeps Linux, one, very, very freshened on the sort of leading and potentially bleeding edge of computing,
but also so fucking complicated as well. And why most people don't, or the majority
of the world don't use it as a day-to-day platform. But, you know, horses for courses,
it's an incredibly important operating system. And, you know, just to reemphasize, built by volunteers constantly.
But there's a very strict set of criteria, et cetera.
So it's very well managed.
Now, the story goes that a certain number of people were making contributions to the Linux kernel with packages that made no sense,
that just were simply wrong, did not do what they said they were going to do, etc., etc.
And each submission is reviewed fully by these panels of people.
And they take up time, and not only that, personal time, et cetera.
It turns out that actually when you sort of peel the layers away, it was a university-sponsored experiment on how the Linux community actually operates and responds to managing these kinds of requests.
When obviously the community found out about this, they were livid.
The individuals themselves, I believe, denied all knowledge of this
and said that this is not true.
You'll see that I, you know, I've submitted
many things. But, you know, at the end of it all, there was a statement from which university,
the Minnesota Department of Computer Science and Engineering, about the details of research
being conducted by one of its faculty members and graduate students
into the security of the Linux kernel. The research method used raised serious concerns
in the Linux kernel community. And as of today, this has resulted in the university being banned
from contributing to the Linux kernel. So if you can imagine, you know, if you go to University of Minnesota,
you join a department of computer science and engineering,
and you learn stuff and you're learning things.
And part of that process is your ability to contribute to this massive pool
of computing, you know, by being able to contribute to the Linux kernel
and the development of the third biggest operating system out there in the world today.
And now the university has lost this ability to contribute to it.
They've been banned.
Obviously, the University of Minnesota, quote, take this situation extremely seriously.
We have immediately suspended this line of research.
We'll investigate the research method and process by which this research method
was approved, determine appropriate remedial action,
and safeguard against future issues.
If needed, we will report our findings back to the community as soon as practical.
This is, well, I'm not surprised they've been banned.
I think this is outrageous.
This is not how you carry out proper scientific experiments.
This is, you know, you're messing with the real world.
It's a bit like, you know, let's change the timings,
let's randomly change the timings of the traffic lights in this town
and see what happens as an experiment, but without telling anybody either
or even having anybody looking at the controls of what we're using.
You know, if you're in that town and having to deal with the mess that arises from it
and the council that doesn't know that it's being done to their traffic lights,
you're going to be annoyed.
Well, more than annoyed, you're going to be utterly livid.
So, yes, brilliant find by Martin.
Thank you.
And, you know, folks at universities, don't mess with the Linux.
I think what this reminds me of, I was reading this as you were reading the story.
It reminded me of the back door in the RSA encryption a few years back.
And that was like, I don't know.
Andy probably knows. It's about three years ago or seven years ago, I don't know what year it was. But again, it's, it's in, in these
sorts of things that if you slip in a vulnerability, who knows where it's going to rear its ugly
head? Yeah. So, you know, they might be saying it's like this, but, you know, how many things are you
weakening in the process, and how can you undo it all afterwards? It's very difficult. So, yeah, and
I think, you know, if, if you are a
university faculty member and you're presented, you know, okay, let's come up with a way we can
experiment with the open source community. I know, we'll just, we'll just fuck with them. We'll just
basically mess them around and waste their time and, as, as you say, potentially attempt to influence vulnerabilities as a result,
what could go wrong?
Yeah.
Yeah.
Let's check the effectiveness of the airbags and seatbelts in these cars
by cutting all the brake lines.
Yeah.
Yeah, exactly.
Exactly.
Exactly. You know, that's, that's thankfully, and I think this, this just goes to show how effective the actual business and technology model, I said business model, small, small business model of, of, of Linux and its community-based development is, because they spotted a pattern and they reacted to it, and very quickly as well. I only think it took them a few days to work this out
from what I can make out, about four or five days,
which, you know, and we've all worked for volunteer communities.
You know, I'm part of a chapter, an (ISC)2 chapter,
and trust me, we measure, you know, things turning around
in days and weeks and months sometimes.
So for a community like this to spot something quite so carefully hidden,
it's not like they were flagging these as bad requests or bad updates.
They were very clearly hiding them, and yet they found it and responded very promptly,
which I think, you know, hats off to them.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Or like a rant, to be honest.
Yeah, well, I've just realised I'm going to have to up my Sticky Pickle game
because I didn't pose it as a Sticky Pickle, did I?
No, you just went into it.
Oh, I just went into it.
I just, well, I was so incensed.
This is a problem because I'm actually co-hosting Sticky Pickles next week.
So I'm going to have to up my Sticky Pickles and rent.
Yeah.
So this reminds me of the time where there was Shawn Michaels and Bret Hart were having a feud.
And Bret Hart came out and he started cutting a promo on Monday Night Raw.
And because he hated Shawn Michaels so much.
And at the end, I mean, Bret was in a leg brace, a knee brace, and he came out in a wheelchair.
And at the end, Shawn Michaels went to superkick him,
and he was meant to fall into the wheelchair and topple over, but Bret didn't, didn't, well, he was,
like, vexed with Shawn and he didn't want that to happen. So he, he cut his promo a bit too long
and it went off air just before Shawn Michaels superkicked him.
It's almost like it was scripted. No, no, no, that's the thing. This part was not scripted.
The script was he should have kicked him, but obviously they got the live recording, or was it?
And that's what Thom done with our Sticky Pickle of the Week. Me and Andy are waiting, if, where's
our cue? Where's our cue? Where's our cue? Yeah, I know.
It just runs out and the jingle plays and that's it.
We're out of time, folks.
Yeah, well.
Yeah, well.
And that was this week's...
Rant of the Week.
There you go.
Better?
Excellent.
I think we're up against it now.
Gentlemen, thank you so much for your time today, as always.
Jav, thank you, sir.
You're welcome.
You're welcome.
Thank you.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard,
comment and
subscribe.
If you hated it,
please leave your
best insults on
our Reddit channel.
Worst episode
ever.
R slash
smashing security.
I was halfway
through that and
realised,
damn it,
this is a sticky
pickle.
I should be doing
something differently
here.
Thought,
no,
go with it.
They'll never notice.
Do you think we got away with it?
Yeah.
I think so, yeah.
I don't think anyone noticed.
Maybe Quinton did, but other than that.
Well, he's getting his own segment soon anyway.
Yeah.
Q-tips.
Q-tips.