The Host Unknown Podcast - Episode 56 - The Post Birthday Blues
Episode Date: May 21, 2021

This Week in InfoSec
Liberated from the "today in infosec" Twitter account:
15th May 1998: The first issue of Bruce Schneier's (@schneierblog) monthly Crypto-Gram internet newsletter was published. ...And The Secret Story of Non-Secret Encryption is a pretty pretty pretty pretty...good read.
https://www.schneier.com/crypto-gram/archives/1998/0515.html
https://www.schneierfacts.com/
https://twitter.com/sirjester/status/867809572173602817
https://twitter.com/todayininfosec/status/1393708868304359426
22nd May 2010: A Floridian man named Laszlo Hanyecz received what he thought was a "free lunch".
https://bitcointalk.org/index.php?topic=137.0
Bitcoin Pizza Day: Why Bitcoiners Are Celebrating Today By Eating Pizza
Bitcoin's surge beyond $60,000 means the famed programmer Laszlo Hanyecz effectively paid $613 million for 2 pizzas

Rant of the Week
We'd love to report on the outcome of the CREST exam cheatsheet probe, but the UK infosec body won't publish it
https://www.theregister.com/2021/05/17/crest_not_publishing_cert_exam_cheat_report/

Billy Big Balls of the Week
The Military Is Creating a 'Gig Eagle' App to Uber-ize Its Workforce
"We are creating a gig economy for the Department of Defense," said one official.
https://www.vice.com/en/article/n7bzvw/the-military-is-creating-a-gig-eagle-app-to-uber-ize-its-workforce

Industry News
Rapid7 Source Code Accessed in Cyber-attack
Quarter of CISOs Self-Medicate as Pandemic Stress Spikes
US Sentences Cyber-Stalker Who Sent Sex Workers to Family's Home
Toshiba Business Reportedly Hit by DarkSide Ransomware
Cybercrime Forum Bans Ransomware Activity
AXA Faces DDoS After Ransomware Attack
Families of Missing Persons Receive Fake Ransom Demands
DarkSide Gang Retires on $90m
USPS Reportedly Uses Clearview AI to Spy on Americans

Tweet of the Week
https://twitter.com/WeldPond/status/1395151316809306114
https://twitter.com/GossiTheDog/status/1395502236101451777

Come on! Like and bloody well subscribe!
Transcript
But you know, I did actually have a theory on, you know, how Elon Musk is like driving the prices of cryptocurrency up and down.
So I actually have this theory that he purchased a shitloads of Bitcoin and then drove the price up deliberately.
Yeah.
Just in case, you know, he's got lots of other investments.
And I think one of his other investments got hit by ransomware.
And so he had to pay the ransom.
Well, he was hit by ransomware.
Yeah, but, you know, another one that we don't know about.
And it was quite significant in Bitcoin.
So what he did, he drove the price down.
And then, you know, he's paid the ransom.
Wow.
That is an interesting theory.
I like that theory.
That's much better than I'm just doing it for greed.
I'm doing it to piss off these ransom, you know, criminal gangs.
I like that.
I like that almost as much as this music we're listening to.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you're joining us.
Welcome to episode 56 of the Host Unknown Podcast.
Gentlemen, welcome. How are we?
Can't complain. How are you doing?
Yeah, all right. All right. How are you, Jav?
Yeah, not bad at all. Not bad at all. Thanks.
I'm glad that you finally got everything working.
Hey, it's seamless. Utterly bloody seamless. You know,
much, much like your transition to being a, you know, a genius leadership.
No, no, cut that out.
We can't talk about that yet.
Oh, f***.
It's under Friendier.
Friendier?
Yeah.
I like that one.
Oh, dear.
What's Friendier?
Like an NDA, but between friends.
Oh, it's gone. Oh, my God. I can't believe we have to explain this.
No wonder he keeps blabbing his mouth, that stuff I tell. Hey, Tom, this is under Friendier, don't tell anyone.
You didn't say anything like that. You didn't say anything about a Friendier or NDA, nothing at all.
I thought it was implied.
Not at all. Not at all. Well, I mean, what can I say?
We've just beat it out, but, you know,
who knows what you all might see on Monday is all I can say.
Who knows?
It's going to be pretty amazing, to say the least.
Under embargo.
Under embargo.
Now, that I understand.
Friendier. None of this mismatched names.
But you know what?
You don't get that.
Yeah, you're just not down with the kids, Tom.
I think this is part of the problem.
Look, and how long have we known this?
Oh, yeah.
At least for the last 40 years.
Yeah, I know.
Yeah.
Yeah.
Look, just pick up a 1950s dictionary and use words that you find there.
Simple.
Simple.
You know, I need to know words that are in my bailiwick anyway.
It's not in the dictionary, or not on your Encarta CDs.
Or it's not in your Encarta CDs. What are you talking about?
I haven't reached them yet.
I love the Encarta CDs. They were so good. I still... Interactive, and Encarta Interactive Encyclopedia.
Yeah, yeah.
Half the time it would hang, though, as you were loading it.
Yeah, yeah, of course, of course.
You know, but, you know, that's not unlike me at the moment, you know.
So anyway, Jav, what have you been up to this week?
Oh, you know, just stretching my creative muscles and what have you,
but I can't say much more about that.
You'll have to wait until Monday.
Indeed.
In fact, we may be peppering the entire episode
telling people to wait till Monday,
which would be bizarre when they listen to it on Tuesday.
So if you're listening to this on Tuesday, Wednesday, or Thursday, um, we're terribly sorry about the very disappointing, uh, thing that happened on Monday. Uh, but if you're listening to it, uh, today or Saturday or Sunday, this amazing thing is going to happen on Monday. I think that, I think that covers the bases.
Um, Andy, what about you? So what have you been up to?
Uh, so, do you know what? Like, in the before times, in fact it's actually been a while, I think maybe this is why I've been stressed the last few years. I used to have a sauna every day before I went into the office.
And, um, where did you have that? In Clapham?
Uh, it has a, uh, the Virgin, the Virgin gyms in Clapham. It was quite nice. It's paid, okay, you know, a fair amount on a monthly basis.
I thought you had one built in under your stairs or something.
No. So, yeah, I'd, like, walk up to the office and, uh, you know, be totally sweating and, you know, just totally red-faced and everything.
And then decide to go for a sauna.
Yeah, exactly. But then, you know, I switched jobs. I moved to, uh, the Victoria area. And, um, you know, you want to play through the sun around there, then it's like, you know, it's, uh, it might come with a certain kind of ending.
Uh, I wish. That would actually probably be cheap, but, you know what, I didn't look into that. Maybe that's the cheaper option. Um, yeah, the only problem is you're in with crowds of people that are on their way back from a night out rather than on the way to work.
Oh, interesting.
So I've heard.
But last week I was very happy to receive from a couple of acquaintances
a portable sauna or a personal sauna, which I can use at home.
From two people you will soon, at some point in your life, call people I once knew.
Yes, exactly. Yeah, so this guy called, um, Tim Langley and, uh, uh, Jerry, Jerry Maloak or something, I didn't get the names properly. But, yeah, they got me this, uh, personal sauna. And it's like, I don't know how to explain it. It's like a tent that you get in, and it's got, like, a machine in there, and there's a hole at the top that you stick your head through. And it's totally sealed inside. And, uh, it looks absolutely epic. So that is what my Friday night is going to consist of today, is getting in that sauna.
Which room is it going to live in?
Do you know what?
It might even live in my office.
If I can figure out a way to control my,
I'm going to set up my text to speech and stuff.
And obviously all my conference calls are done with ear pods anyway.
So I may actually have it in my office.
You know what you need?
You need to have it in green so you can green screen it.
There you go.
Put your body underneath it and then it will look like a floating head. Or just print out on a piece of A3 a little body.
Or lay one of those t-shirts, it's got a shirt and tie printed on it, on over the front.
We have to have you doing a podcast while having a sauna. We've got to do an episode next week. That's your challenge, Andy.
I'd absolutely love to. I'm a big fan of the saunas. That sounds absolutely epic.
Give us a review so that I know whether I should buy one for myself.
So, so how was your 26th birthday?
Good. It was, uh, exactly as I like it. Very low-key.
Um, you know, not, not much else going on. Uh, yeah, just quite a time. I seem to get quite a lot of treats, as you quite know. I sort of hit a bit of a sugar rush, or sugar crash.
I think the phrase you used was, I'm pissing syrup.
Yeah, so these were, I know it wasn't actually, uh, part of, uh, part of my birthday. It came after, uh, Jav supplied his e-treats to everyone.
Oh, yeah, yeah.
And, uh, yeah, these were exceptionally sugary. I think, Jav, you described them as the, uh, Pakistani Haribo.
Yeah, it was pretty epic. I think by that, by that notion it means if, if you lived in Pakistan, Andy, you'd have been dead 10 years ago.
Definitely. Yeah, I mean, this type of stuff, I might, next time I want to mess about with my doctor, if I have a blood test, I might eat one of these before I go in just so it spikes. And he says that you need to see an improvement. So next time I go, I just don't eat one of those, and he's like, oh, amazing, you've been working so hard. I'm like, yeah, that's right, Doctor. Your sugar levels are only twice as high as they should be, not three times.
Oh, man.
You don't have to game the system.
You should become an auditor or liaise with auditors at some point in your career.
That's right.
Then you know all the tricks they would play, like the audit box.
Anyway, so what have we got coming up today? So this week in InfoSec actually takes us back to the humble beginnings
of InfoSec's Chuck Norris.
I think we all know who that is.
A rant of the week addresses the outcome of the Crest cheat sheet probe.
I think, did I do that story last time and didn't really understand it? But nonetheless, it was, uh, um, maybe at the end of this story I might, I might understand what the hell's going on.
Billy Big Balls this week sees the US military Uberize its workforce. Uh, so that means that there'll be more little disposable bottles of water and sweeties in the US military.
Industry News brings us the latest and greatest InfoSec news
from around the globe.
Tweet of the Week tries to sneak in another This Week in InfoSec,
as if we don't have enough of that already.
And finally, the literal definition of down to earth
is all we've got to say on the topic of the little people this week.
So, yes, I think we should crack straight on, don't you?
This week in InfoSec.
So this is the part of the show where we take a stroll down InfoSec memory lane to bring you content liberated from the Today in InfoSec Twitter account. And today I also added something myself, so it's not entirely stolen, uh, borrowed research stuff. Um, you know, I did do some of this work myself.
Um, the first one, we are taking you back 23 years to the humble beginnings of InfoSec royalty. And this is on the 15th of May 1998, the first issue of Bruce Schneier's monthly Crypto-Gram internet newsletter was published. Um, and so, I am aware that there are students probably currently studying ethical hacking at universities who were not even born when this newsletter was first started. So, you know, they may not appreciate the dedication Bruce has committed to deliver a newsletter on the 15th of every month for 23 years. I mean, Jav, you probably publish your monthly newsletter about eight or nine times a year, right?
My weekly newsletter, eight or nine times a year.
Yeah, so for those who don't know Bruce Schneier,
firstly, where have you been?
But secondly, understandable if you're not old.
Bruce is this 57-year-old American cryptographer, computer security professional, privacy specialist and a writer.
He's currently a lecturer at Harvard Kennedy School, a board member for the EFF and the Tor Project.
And he is the author of many, many books. Um, also a very quotable person. So if you, you know, look up any, anything from, you can search, like, Bruce Schneier quotes. And one from his older TED talks, which I absolutely love, is, um, the question to ask when you look at security is not whether this makes us safer, but whether it's worth the trade-off, which I always think is a great quote. And the other one, which you'll often see other people use, as pen testers and red teamers use this one a lot, it's amateurs hack systems, professionals hack people.
I didn't know that was him, actually.
Yeah.
The other term he coined was security theatre, wasn't it?
Oh, okay.
I didn't see that one.
Yeah, but, I mean, I say, you know, he's just been around for so long,
and it makes sense that he's, you know, he is a pillar of this industry.
But, obviously, at some point during, you know, sort of Bruce's popularity,
it resonated with the, I guess, the wider internet as it was going through its Chuck Norris peak.
I don't know if you recall that Chuck Norris was a big thing years back.
So his beard was especially.
Yeah, especially his beard.
And this website was created called Schneier Facts, which is sort of a crowdsource site publishing.
And I say this in air quotes that you can't see, facts about Bruce Schneier.
So examples include,
Bruce Schneier's code doesn't have parameters.
It has arguments.
And it always wins them.
Bruce Schneier is the reason that 57 isn't prime.
What?
And that most people salt their hash; Bruce salts and peppers his.
And one of my favourites: when God needs a new secure certificate, he uses Bruce Schneier as the signing authority.
I obviously had to look up this site. I was thinking how that site has aged over the years, and I had to look around. Um, and I was amazed to find, as I was taking this trip down memory lane, I actually went down memory lane in my own personal life, because the site's author is a guy called John Leach, who I met back at DEF CON in 2001. And I'm normally terrible with names and faces, but I actually posted in the show notes a link to a tweet
where I recognized him on Twitter sort of in 2017.
And he shared some amazing footage from DEF CON back then,
you know, when we actually met in Vegas.
But anyway, this isn't about me.
This is about the true internet guru, Bruce Schneier,
starting his CryptoGram newsletter 23 years ago,
still publishing.
If you don't get it, you should subscribe.
It takes a look back on the month.
He also does a Friday squid blog.
Yes.
It's not every Friday, but it's always got a squid in it.
It's bizarre.
And it's all infosec related.
Or not always, actually.
Sometimes it is just an interesting thing about a squid. But it's always on a Friday, and there's always a mention of a squid in there, which I think is entirely random. Quite, quite good fun, I have to say.
Well, yeah, also, I mean, his Wikipedia page actually says, uh, you know, he is a squid enthusiast.
Most people like football.
Yeah. Is that like normal squid or is that like anime squid or something like that?
Oh, tentacle porn. That's the one.
Yeah.
Yeah, no, this is really interesting. And I remember back in early 2000, 2000-2001, someone gave me a book at work and it was a Schneier. I think it was Secrets and Lies.
Yeah.
And they were like, this is a really good book. And I didn't realize, you know, what a big deal
he was. But I tried and I struggled with the book because I was so new in the industry. And I,
you know, a lot of the concepts was like, who's going to that... But, uh, one thing I, I think is quite consistent in most of his books is the one Schneier fact that he, he publishes on all of them, which is the quote that apparently appeared on The Register: the closest thing the security industry has to a rock star.
Yes, that's only because he's got a ponytail. I mean, he's more like the Status Quo rock star with the bald head and the ponytail.
Is it a Francis Rossi?
That's more your era, Tom.
Both chords.
Yeah, if you want to talk about Ariana Grande or, you know, Dua Lipa.
That's a font, isn't it?
Oh, dear.
So anyway, moving on. This second story is about a Florida, how do you say, Floridian?
A man from Florida. Floridian.
Man named Laszlo Hanyecz, who 11 years ago this week decided that he wanted a free lunch. Uh, so you're probably going to see stories of this surface over the weekend, um, you know, as it does every year, but obviously it gets, gets funnier each year. So, uh, 22nd of May 2010, a Floridian man named Laszlo Hanyecz received what he thought was a free lunch. Uh, now, Laszlo was, at the time, a young programmer, and he was an early contributor to the Bitcoin software. And as an active member of what was obviously a very niche community back then, Laszlo actually advanced Bitcoin mining in a really significant way. He did this by coding the program that makes it possible for miners to mine Bitcoin using their computer graphics card, or GPUs, which was obviously a more powerful method than using the, the onboard processor, which was the original way that they mined Bitcoin. But most people will not know Laszlo for his contribution to Bitcoin mining. What they will remember him for is what his mining activity allowed him to do. And that was purchase pizza with Bitcoin.
Yeah, that was the first purchase, wasn't it?
Yeah.
Well, so, yeah, he is actually.
So on 18th of May 2010, he actually posted to this Bitcoin talk forum.
I will pay 10,000 bitcoins for a couple of pizzas, maybe two large ones, so I have some left over for the next day. If you're interested, please let me know and we can work out a deal. Uh, and then he went on to say, like, you know, you can either make the pizza yourself and bring it to my house or order it for me from a delivery place. Uh, what I'm aiming for is getting food delivered in exchange for bitcoins where I don't have to order or prepare it myself.
And transaction. Yeah.
And he went on, said things, uh, you know, I like things like onions, peppers, sausage, mushrooms, tomatoes, pepperoni, etc. Just standard stuff, no weird fish topping or anything like that, you know.
So this man does not like anchovies.
No pineapple.
No pineapple. Um, and he said, like, you know, I also like regular cheese pizzas, which may be cheaper to prepare or otherwise acquire. And what I love, like, looking back at this forum, it's still online today. You can go to the post, links in the show notes. Someone responded, 10,000 bitcoins, that's quite a bit. You could sell those on Bitcoin Market for $41 right now. Good luck getting your free pizza.
But some other guy was interested, and, you know, it's like, you know, okay, where do you live, right? If you give me 10,000 bitcoins, I will order this pizza for you. So he ordered him two large supreme pizzas, um, in exchange for 10,000 bitcoins. And as of today's Bitcoin price, at time of recording, this will, you know, just have to work out those two pizzas. Uh, 10,000 bitcoins would be worth 283 million pounds.
Um, wow.
So, yeah, on today's prices.
On today's prices.
Yeah. Back then, $41.
Today, 283 million.
And at its highest.
Yeah.
So I mean this, every year, this story is going to come up, and every year, you know, the price of Bitcoin is going to be worked up and people will say, oh God, this man paid, you know, however many million pounds for pizzas.
But yeah, if you want to join a modern-day Ponzi,
digital Ponzi scheme, forget Bitcoin.
Invest in Bitcoin.
Jump on the cum rocket.
That's where it is.
Cummies to the moon.
Yeah, but you can't get cummies through Revolut.
No, you can't.
Yeah, it's quite convoluted.
You need to go by the button.
Yeah, exactly.
Yeah.
But, yeah.
Excellent.
Thank you very much, Andy, for this week's – no, not industry news.
It's InfoSec.
This week in InfoSec.
This week in InfoSec.
This week in InfoSec.
You're not firing on all cylinders today, are you, Tom?
No, I'm not.
That said, my alarms didn't go off and I did wake up at quarter past nine,
15 minutes before I was supposed to actually get online to start recording.
Wow.
Although, yeah, it was not a good start to the day, I can tell you.
Tom, there's a book called The Checklist Manifesto.
Have you read that?
No, what is it?
It's a book about the value of checklists.
It talks about how hospitals, for example,
there used to be lots of line infections,
where you have lines going into people, basically.
Yeah, yeah, yeah.
And people dying after post-surgery
or getting complications after post-surgery.
So one of the things they introduced was a checklist.
So nurses had the authority to overrule doctors to make sure they followed a checklist,
which was simple, make sure this happens first and then this happens and this happens.
And in samples they conducted, there's a massive reduction in infections and complications after surgery.
It's the same principle that pilots use.
You could have flown like a million flights, but you go through a certain checklist every single time.
Even though some of it seems really obvious.
Yeah, even though some of it seems really obvious.
And I think that's what you need to do in order to set up and prep the podcast. So you can, like, have a checklist that says ensure wires are plugged in, ensure the right jingles are loaded on the, on the tube.
Which is all fine, absolutely. But the problem is that the two wild cards is, is you two.
I mean, you guys, we were early. We were stable connections.
No issues.
No, nothing.
Have I ever missed the deadline of submitting a podcast?
No, no.
Where's episode two, Tom?
Episode two.
All right.
Have I ever, apart from episode two, and that wasn't because of a checklist.
That was just because it was really difficult.
Anyway, anyway, do you know what?
This is the podcast the Queen listens to.
Although she won't admit it.
I like that one.
And we have to use it more before Her Majesty leaves us.
I was going to say something different, you know.
Yeah, absolutely, absolutely. Okay, so I think, uh, now we definitely have to move on to this week's...
So, yes, Billy Big Balls of the Week.
So we're completely going off the show notes.
But Billy Big Balls of the Week.
The US military has announced that it's in the early stages of development
of an app called Gig Eagle,
which sounds like something from Family Guy, GigEagle.
But it's an app that Uberizes its workforce.
And you kind of think, surely your workforce is full time anyway and all that sort of thing.
But there is more to this.
And the Department of Defense official said, we are creating a gig economy for the Department of Defense.
And what this really does is it's an it's an app that all of the part time military employees, they can they can download.
And if they have other skills that they can bring to the Department of Defence,
they pop it on there, and the Department of Defence can then sort of hand out work.
So it's a way of trying to ensure that outsourced work goes to their own effectively.
So if, for instance, you might be a part-time soldier, a weekend warrior,
or you might be a part-time analyst or something like that, and you program in your spare time as well or whatever, you can actually get additional work from the Department of Defense through this app.
They look you up.
They find your services.
It's a bit like Fiverr, I guess.
In fact, I don't know why they're calling this the Fiverr of, we're Fiverr in the Department of Defence.
I think Uber's a known verb though, isn't it?
Well, I know, exactly. We want to Uberise everything.
But, and so they look you up and they'll make, you know, they'll book you for a period of time and pay you the set amount or whatever it is.
And it's quite interesting in a sense that when you read the report to this,
there's a lot of talk from Silicon Valley executives about the strength of the nation
and the defense of the nation.
And we don't want China to be taking over our technological advantages and making everything that we use in the US China-ified and all that sort of thing.
And how they need stronger connections with the Department of Defense and other agencies.
And this is effectively the Department of Defense's response to this saying, look, we're going to embrace your technology, embrace your zero hours economy.
And we're going to use this so that we can ensure that not only do we get, you know, the best programmers out there, the best whatever's out there, but also we're giving back to our own people.
But it does raise a number of issues. One, the sheer paranoia of many of the folks in, which it's known for, you know,
wasting and being hugely profligate with its money and contracts running behind and all that sort of
thing. And maybe this is an approach to it. But I think as we've seen with Uber, the downside is,
is that it's a very quick race to the bottom when it comes to working conditions and pay
and the fact that it's zero hours and all that sort of thing.
And as if the US military wasn't already built on the basis of the cheapest contractor,
you know, military grade means it was made by the people who bid the lowest amount of money for something
at the end of the day.
This has the potential to make that even worse,
to really sort of drive down costs,
but subsequently also drive down quality as the people on the app,
and obviously as you get more and more people on the app,
they're all fighting for the same amount of work.
And price is obviously going to be one of them.
So it's going to be really interesting to see how this pans out
and whether this is a great way of managing costs and maintaining quality
or a great way of actually producing something that's just really poorly made.
I know exactly how this is going to pan out.
Okay, go on.
There's got to be a conflict somewhere.
There's got to be soldiers, and they're going to be like,
we're pinned on.
Send reinforcements.
They're like, oh, sorry, you have no reinforcements available.
Try Gig Eagle.
And so they're going to log on, and they're going to be like,
we're in this sector.
We need reinforcements.
And then like a black van, a GMC van with a red stripe,
five guys will come out, one of them's got a cigar.
So, okay, we're the backup guys.
And they go, you can either have the premium service.
SEAL Team 6 is available at this price.
Yeah, that's right.
Or Redneck from the Redneck with the Mullet,
who believes in his Second Amendment rights, can be there in 15 minutes.
He's bringing both his shotguns. Yeah, and he just needs like a pack of tobacco or something.
Yeah.
Chewing tobacco.
And what will happen is you'll get defectors on the other side signing up for the app and saying, I'm available, available for espionage services. I'm behind enemy lines. What do you need me to do?
What are the entry requirements for being on this app in the first place? Because surely you could just download it and that's it.
Well, that'd be great, because, because then you'd have, you know, we, we talk about things being a win-win, but then you'd end up with win-win being on the actual app and coding stuff with backdoors for China, right? Uh, you know, so there's, there's plenty to dissect here and plenty to find out, you know, because, uh, I don't know, it just doesn't seem right, you know. There's something not quite right there. So do you know what? Just...
Yeah, go ahead.
I was just saying I could just imagine the UK looking at it and say, okay, we already got the, uh, plastic police officer, the PCSOs.
Yes.
Let's put them on an app like this. So if you have a, a low-severity crime, you just look up, like, the cop app. And, you know, one of these guys from your neighbours, they'll quickly change out of their pyjamas and come around.
And, like, I've got it. The app can be called Cop Out.
Yes, yes. Well, that's better than Pigs on Demand is what I was thinking. Or when it's cold, Pigs in Blankets.
But this is the way, I think obviously companies look at this
and think it's a massive cost saving.
Like I've no doubt there's this huge drive of cost saving.
Oh my God.
And this is the worrying part because as a company,
this is actually quite a good idea.
And it's possible you don't need your top, say, for example, pen testers, right? You don't need your pen testers to be full-time employees.
No.
You know, if you can just get them on demand. But rather than paying, you know, having a dedicated company that you go to every time, you know, preferred supplier list, you've got your preferred, well, you know, Gig Eagles that you, you go to.
Yeah, and they don't have the overheads of a company.
So that's not... but, but quality is always the thing.
So you just rate people. You know, I used this guy before. Six, my guy. I called him out. We're in the middle of a firefight, you know. Four of my people still died. So, you know, two stars.
But, but, you know, with Uber, what happens is if the, if the driver's ratings get too low, they just re-register as a different driver and different details and all that sort of thing, you know. But also, if you, you know, if you order an Uber and it's two o'clock in the morning and it's raining and, you know, and you've got Dave, who's a 3.9, in brackets, in inverted commas, a bit rapey but okay, then you think, oh, fuck it, it'll do, it'll be fine.
Do you know what I mean? It's a little bit, to a certain extent,
the rating system is good and will allow you to be more selective
until you just really need that cab home.
Yeah.
So, like, what you're saying is right at the moment, you know,
you really need an enemy stronghold bombed.
You know, you've got a guy who's a bit hit and miss, right?
He's a bit hit and miss.
He's a 3.7, you know, on the app.
But, yeah, he's missed a couple of targets and hit neighbouring villages.
We just need some big noise and some big explosions.
Yes, exactly.
It's really more about just sending a message.
We're not too bothered about, you know.
Yeah, about the accuracy of said messages.
Exactly.
You're going to get, like, a Nick Nolte-type character
from the Tropic Thunder.
Yeah.
Four leaf.
But isn't that just the US Air Force generally?
You know?
Yes.
Ah, shit, we missed.
Ah, be fine.
But, yeah, I don't know.
I don't know.
The upside of Uberization is, or the Uberification or whatever,
is real flexibility and cost savings and self-policing
of, you know, of content and quality and all that sort of thing, and really shaking, shaking the industry up, you know. A bit like black cabs. Black cabs have to really up their game to compete with Uber, and rightly so, you know, because none of this, I'm not going south of the river, mate.
Yeah, um, you know, I'm not going there, mate.
It's ridiculous, whereas Uber will just take you.
And so black cabs had to up their game.
But the downside is quality generally can go down.
So I noticed that in the earlier days of Uber, the cars were nice.
Drivers were always nice.
There was water and sweets and all that sort of thing.
Now it smells like somebody died in the back of them half the time.
Um, it's... and you get the, uh, the passengers that are, like, really abusive to drivers as well, because they threaten them with low ratings. And so they end up having cameras in the cabs.
That's nice.
Yeah, yeah. So now you're going to have people recording their black ops just in case someone says they did something.
That's right. Yeah, that's right. A whole new YouTube channel of secret raids.
Three out of five missed both targets.
Well, actually, I think you'll find I hit one of the targets
and only just missed the second one.
Oh, I did.
But it wouldn't surprise me if there was a whole Netflix series
that spawned off the back of this as well, you know,
comedy series like Space Force.
A documentary like Tiger King, I think that's what's good.
Well, did you see that Netflix series Space Force?
Yes.
It was very good.
It's well worth watching.
It really highlights some of the absurdity of the military
taking control of space operations.
Very good.
Well worth watching, like I say.
But, yes, interesting.
A very interesting one there from, you know,
a bit of a Billy Big Balls move on behalf of the Department of Defence,
and we will see what happens.
Billy Big Balls of the Week.
Right, I think we should
move straight on, because Jav's
itching, itching I tell you,
to get on to
this week's...
Rant of the Week.
It sounds a mother f***ing
rage.
Well, I wouldn't say I'm itching. I just thought that, because I was due to go first,
that I was going to go first, but you took it anyway.
The Rant of the Week. Now, you might remember a few months ago, as Tom often does,
where he reads a story but doesn't understand it, but there was the British
InfoSec accreditation body CREST. So if you've ever arranged a pen test for your organisation,
you will probably look for a firm that has pen testers that are either CHECK or CREST certified.
That's normally the benchmark for a lot of organisations.
And CREST apparently had basically cheat sheets found, where there was a whole bunch of questions
and answers and how to sit the exam and how to pass it. So it's basically a walkthrough
that anyone with a little experience can just cram in those cheat sheets and pass the exam.
So obviously many people were up in arms about it. And the logo on a lot of these cheat sheets,
or the attribution of a lot of these cheat sheets, was to a large InfoSec provider, NCC Group.
Allegedly.
Allegedly.
Yeah, allegedly.
They got a big legal team.
Yes, yes.
So there was a big bit of an uproar.
People were like, what is this all about?
You know, this is unfair advantage.
NCC can then allegedly put through all of their junior testers and they can have a far larger body of people who are CREST certified.
And based on that, they can bid for more work, win more work, get more work.
That's food that we could be putting on our family's plates.
But now we have to live in poverty.
So CREST took this very seriously and they launched an investigation into it.
And this investigation went on for a while.
This reminds me a bit of the scene from Team America World Police,
where Hans Blix from the United Nations is like,
let us inspect your weapons program.
And he's like, what if I don't let you?
He goes, we will write a very strongly worded letter to you.
So this is what the investigation felt like.
You will be happy to know that. Can't wait to read it.
Can't wait to read that report.
They're very good at reporting in CREST.
There's one thing they're really good at is really well-structured,
really good readable reports.
So I'm really excited to see the output.
Yes, yes, yes, yes.
So they have concluded the investigation.
A CREST spokeswoman told us, told The Register,
which is the story I'm reading this from,
we commissioned a comprehensive investigation
that involved a significant amount of work.
Is significant higher than important?
Anyway, this has included allowing time for the publicity of independent whistleblowing channels,
detailed interviews by the appointed independent investigator,
the follow-up and validation of all information obtained,
and taking legal advice on the validity of the process.
So a lot of words to say that we've done a very thorough job that Inspector Clouseau would be proud of.
We've done a report.
Yes.
But unfortunately, in the interest of, I don't know, in self-interest, I suppose is the word.
In interest of self, yeah.
Yes. The report is not going to be published.
It's not going to be made available for the public to see.
Okay. Yeah. And I think we knew this was coming.
But here's the thing, right?
So any kind of audit, just bear with me here, but any kind
of audit and audit review, etc. If you don't have the evidence that something has been done, then it
hasn't been done. It doesn't matter how much you say, oh, but we've put this control in place. Show
me evidence that you've got this control in place. I don't have said evidence. Then that control is not in place, right?
It's like expensive, right?
Yeah, it's standard logic, standard logic. So we've done a report. Show us evidence of this
report by allowing us to read it. We're not going to allow you to read it. Well, then you haven't
done the report. You haven't done an investigation. An investigation is something that by its very nature is open.
Even criminal investigations are open in courts of law, except under very, very extreme circumstances,
right? They are all under public scrutiny. That's the point of an investigation.
So the fact that they're saying it's not, they're saying we're not going to release it means it's not been done in the eyes of the public, right?
That's right.
You know, it's like the Catholic Church saying, oh, we've investigated Father O, what's his name, for kiddie fiddling.
And we've told him he's a very bad man and he's definitely not going to do it again.
You know, prove it.
You know, nothing's happened.
You're not showing us anything.
We're not seeing any kind of action or even any kind of report or whatever.
And they're just hiding and covering up.
And it makes my blood boil, if I'm perfectly honest,
because one thing this industry does is it keeps secrets very well,
but what it also does is keep things secret that really should not be kept secret.
It should be open and transparent and honest.
And it really annoys me.
That's right.
One of the things they said that was part of their review: they can confirm that no
senior staffers from NCC Group hold key positions at CREST. And it's like, that's not even the question.
It doesn't matter. You don't need to hold a senior position at CREST to create a cheat sheet, or to be friends
with people who are at senior positions, or whatever. It's like, the thing, so, you know, do
people in NCC have relationships with staff at CREST? And the answer is, no senior people at NCC Group have positions at CREST.
I have relations with CREST.
Yeah, exactly. Key positions, not just positions.
And senior NCC official.
It's like the classic audit obfuscation, right?
And we know this because we've been on both sides of the table.
Yeah.
Yeah. But it's... I hope The Register are ripping them apart for this.
Yeah.
They are in the way that the register does.
But, you know, this is the problem with a lot of these certification bodies.
They're so opaque with how they operate, and even if it's not the whole...
the feeling that the average person gets is it's just an old boys' network.
Yeah, it's an old boys' club.
They're just there to make money, and let's keep things quiet. And then it's like, well,
why is the membership so disenfranchised? Why do people, you know, call us, you know,
just a stealth tax or whatever?
I mean, if this was EC Council, I would expect it from them.
But from Crest.
Why?
What is the difference?
And a genuine question here,
what is the difference between EC Council and Crest here?
They're different organisations.
I think EC Council are perceived to still be going on a journey of maturity.
Yeah, yeah, that's the thing, yeah.
Oh, I see. Okay. Yeah, as opposed to Jav's audit answer:
"They're two different organisations."
Yeah, that's... I know, I know that's technically an answer to
my question, but you know full well that's not what I meant.
Well, EC Council, I mean, to Andy's very political answer,
which I love, they're undergoing a journey of maturity.
They make lots of cock-ups along the way.
Their materials are not well respected by many,
and then you can see how they put together.
Even just yesterday on Twitter, I saw someone say that they were offered a thousand dollars by EC Council to
create them four hours of online labs of network forensics or something.
Right.
And he was like,
well,
for a thousand dollars,
you're not going to get much.
Right.
You're going to get maybe half an hour.
Yeah.
EC council.
I don't know whether we spoke about this, but a few weeks ago...
Oh, we did, yeah.
They're the ones that ran that survey about why don't women get more
involved in security, and the options were something like, because they're too busy cooking
and cleaning and making babies, something like that.
Yeah, there's women in security. Yeah.
Whatever.
Who let them out of the kitchen?
Yeah.
And then they were like, we're not sexist.
We have women who created the survey.
And then you look at LinkedIn and everyone in their marketing department is a man.
Oh, my God.
Oh, dear.
Well, that was a proper rant.
It was.
That's how rants should be.
Yes.
So, anyway, thank you, Jav.
That was really good.
I enjoyed a bit of a ranty rant at that.
Thank you.
Rant of the Week.
What time is it, man?
We must be getting on.
We are.
As I look at my watch, it's that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy this week bringing us the latest and greatest security news from around the globe.
Industry News.
Rapid 7 source code accessed in cyber attacks.
Industry News.
Quarter of CISOs self-medicate as pandemic stress spikes.
Industry News.
US sentences cyber stalker who sent sex workers to family's home.
Industry News.
Toshiba business reportedly hit by DarkSide ransomware.
Industry News.
Cybercrime forum bans ransomware activity.
Industry news.
AXA faces DDoS after ransomware attack.
Industry news.
Families of missing persons receive fake ransom demands.
Industry news.
DarkSide gang retires on $90 million.
Industry News.
USPS reportedly uses Clearview AI to spy on Americans.
And that was this week's Industry News.
Are you sure it's "Axa"? Because last week it was "AXA".
I know.
So, Stuart, there's one story in there
that obviously caught my eye by the headline.
It's the US sentences a cyberstalker
who sent sex workers to a family's home.
Exactly what I'm looking at.
You know what, I tell you,
the husband of that family,
he worked that one out.
No, love, it's not me.
It's a cyber stalker, definitely.
Yeah, but I mean, they obviously use sex workers as the catchy headline.
But this guy that got prosecuted, he actually sent 500,
like over 500 unwanted service people.
And I like that, you know, they put the sex workers in the service category.
But he also sent like plumbers, tow truck employees, locksmiths, food delivery workers, electricians.
And they were all offering a happy ending.
No, not all of them.
But they were all offering services that they believed that he ordered.
And it got so bad.
He actually had to put a sign outside on his front lawn that said, if you've been sent here, please contact the police,
you know, because it wasn't...
Yeah, it's not me.
But I mean, you know, sent sex workers, you just think, you know, a couple of call girls going to the family home,
but 500, over 500. Not entirely sure why, but he, you know, he obviously still doesn't even know who or why.
Well, it doesn't say why. He says that, you know, he went through depression after a bereavement,
but it doesn't say, you know, why he targeted this particular guy.
Oh, I see, I see. Right, right. Yeah, yeah. Oh, my God.
But, yeah, lots of stories about ransomware. You know, unbelievably, it's just around everywhere.
We just cannot get away with it.
You know what?
The other story that's not ransomware related is a quarter of CISOs
self-medicate as pandemic stress spikes.
I would be interested to see how that compares to everyone else,
because if it's a quarter of CISOs but actually half of everybody else,
well, then we're doing okay.
Yeah. Or it doesn't surprise me that quarter is all based in London, and yeah...
It's right, yeah. Yeah, yeah. And what are they self-medicating with? Is it...
So a quarter admitted to having taken alcohol, narcotics or prescription medication in the past to alleviate stress.
Nothing about Eid sweets then?
No. So this is based on a poll of 250 leaders across the globe.
So that's not many people if it's across the globe. If it was 250 in London,
that might make more sense.
No.
Which industry do you think had the highest rate?
Dentists.
Construction, 54%.
Oh, that's because they're all coked off their tits anyway.
I've heard lots of stories about anecdotal.
I can't prove any of them.
Yeah, about people that operate those big cranes and stuff.
They do a lot of self-medication.
Well, you've got to be off your tits to climb up that ladder.
Oh, yeah.
But, yeah, it's, you know, whilst I can sort of see and, you know,
haven't been through it as well, the self-medication of CISOs
and all that sort of thing, I always think the story also has to be put
into the wider context.
Yeah.
You know, because what about NHS workers?
You know, they've probably had a slightly more stressful time
this last, you know, year and a half.
Yeah, but they've got to stay on their feet for like 18 hours a day,
so they don't have time to self-medicate while they're working.
No, but they have access to it.
Jesus, yeah.
You know, and also, staying on your feet, isn't that what coke does for you?
Well, this is true, I believe, but on an NHS salary you'd probably be looking at speed or something like that instead.
Well, true. Yeah, allegedly.
Yeah, and whatever's left over in the sharps bin. But, yeah, it's, you know, as we all know, you know,
and I can attest to this, it is stressful, but I just,
what I don't like is the, you know, look at us,
aren't we really, really suffering as a result?
It's when actually I think a lot of people are suffering,
everybody's suffering.
That's not to underplay what the actual message is here per se,
but it's just, you know, context I think is really important.
You're absolutely right.
I think there's a lot of, you know, we are the most stressed people
in the world and we do the most important thing in the world
and therefore we deserve special treatment.
Yeah.
Yeah, exactly.
And it doesn't always work like that.
Anyway, I think, looking at the time, it's time to move on to this week's
Tweet of the Week. And because that's so cute, we do it twice: Tweet of the Week.
I will jump in on this one, so I'm going to sneak in an extra one here just briefly.
So if you are aware of the penguin meme where it's a penguin sort of sitting on a chair,
it basically says, well, now I'm not doing it, is the meme.
So you caption that, right?
So it's usually if someone tells you to do something you're going to do anyway,
you're now not going to do it.
And so someone posted, you know, the caption to it when all you want to do is hack.
But now someone is trying to make you do it.
And it's got this Pingu meme and it says, well, now I'm not doing it.
And what I liked about this was Chris Wysopal, WeldPond, from old-school L0pht Heavy Industries.
He actually then captioned that with "@stake acquires L0pht Heavy Industries."
It's a fantastic little dig there, which is practically a throwback to the good old days.
However, that wasn't the main content. This main one was from Kevin Beaumont,
also, or better known as, GossiTheDog on Twitter.
And he has posted a link to the article that leading cyber security insurance
provider CNA restored their systems in May, as per their website, following a cyber, a ransomware
attack. However, Bloomberg are now reporting they paid their attackers
$40 million in order to get their files back.
And so who insures CNA?
Well, I don't know, but, you know, I mean, Kevin Beaumont actually, you know, puts a good tagline on this. He says it's a
stunning failure in management and a benchmark for how low the cybersecurity industry is.
I would agree with the first part of that statement.
I think it's a bit unfair on the second part.
Well, I mean, you know, $40 million is a lot to pay for a ransom.
I completely agree.
It's a stunning failure in management to actually, you know, invest in the right systems
and the right security and all that sort of thing that may have avoided it in the first place.
Yeah.
And a benchmark for how low the cybersecurity industry is?
I don't know.
Maybe it's a benchmark for how little business listens
to the cybersecurity industry.
It's a benchmark for maybe how ineffective some of the cyber security leadership is.
That's fair enough. But I don't know. Like I said, I agree with the first part entirely. The second
part feels a little bit harsh, a bit too broad a generalisation.
Yes, yes. Although I'm sure there are people in "management", inverted commas, saying exactly the reverse.
Yeah, it's interesting, because a week or two ago a couple of these insurance providers were like,
they're pulling out of cyber insurance or they're reducing cyber insurance. AXA was one of them, and then they got hit by ransomware themselves.
And AXA...
Oxo. Oxo.
Yeah, they're moving into the cyber security.
Yeah, yeah. Chicken cubes are just not enough.
Oh, I did. But, yeah, that's it. It just goes to show, you know, the cyber insurance companies
who are holding a lot of companies accountable.
And, you know, I think, like I said, you know,
I had to do almost like interviews with insurance companies
to show what we were doing to reduce our payments
and all that sort of thing.
And yet they're not doing it themselves.
Yeah.
It's quite fascinating.
Big event.
I mean, as you say, we go through it every year as well
with multiple insurers because, you know, we need multiple insurers.
Yeah.
But, yeah, I guess, you know, the other side of this is, you know,
not only are these people insuring people, you know,
against ransomware attacks, but paying $40 million just funds the criminals
to be able to expand their operations, you know,
because I don't think there's many of those people that are doing it saying, you know what, this is the big payday, boys, let's
check out. You know, they're probably going to say, wow, that was easy. If we just get another, you
know, 30, 40 companies, then we can check out.
Yeah.
So, yeah, not helping.
No, not at all. And it doesn't seem like there was even any negotiation.
Well, I think Bloomberg actually said the original demand was for 50 million.
Did I read that in Bloomberg?
Okay, I may have read that elsewhere, so can't quote.
But I think that they did knock 20% off the original asking price.
So I'm sure one of the negotiators in the insurance firm was happy
Yeah, at least one of my targets.
Yeah, yeah. One person in CNA is going to get their bonus this year.
Yeah. But yeah, no, I mean, a lot of money to allow these people to continue, and I just,
I'm just stunned that we're still talking about ransomware. 2021, people. Major stories almost every week.
Well, it's got worse, and I think, you know, certainly got worse over the last 18 months. So it'll be interesting to see
if that's causation or correlation with COVID and all that sort of thing. But, yeah,
it's definitely gone through the roof, especially if the FBI has reported that 145 million pounds, sorry, dollars, in ransom demands were paid in 2019.
And yet here's one in 2021 for 40 million. I think it's gone through a massive step change,
by the sounds of it.
Excellent. Thank you. That's a tough one to end on, but yeah,
thank you very much
Andy for this week's
Tweet of the Week
I think we draw
to an end
gentlemen
we do have something
really special
coming up on Monday
which we do
we do
we do
which we may have
hinted at
and you may
if you're careful
and you hang on
to the bitter end
you may even hear
a little bit of it post-credits as well.
Ooh.
I know.
I know.
Exactly.
Well, you know, nothing but, right?
Anyway, so, Jav, thank you very much indeed for joining us this weekend.
Thank you.
Thank you.
It's been a pleasure as always.
As always,
apart from when it isn't
and you clearly tell us it isn't.
Apart from when it isn't,
but it's all right.
I try to stay in my best behaviour now
to keep Mrs Langford,
the lady of...
The Duchess.
The Duchess of Ladywell.
The Lady of Duchywell.
The Lady of Duchywell.
Well, that's very kind of you to say so,
and I know she'll be thrilled to hear her self-mention.
So, yes, thank you, Jav and Andy.
Thank you very much, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
r slash Smashing Security.
Some chill tunes playing there.
I like it.
Very good.
Quite catchy, really.
It is.
It's got that old school hip hop vibe to it.
I know.
I know.
It's almost like original content instead of...
Being ripped off.
Yeah.
Yeah.
Sample, John.
We say sample, not...
Sorry.
Sorry.
Yeah.
Yeah.
It's, again, it's out of my bailiwick.
Yeah.
You know what?
I think this
could be a hit for
someone
unless you're listening on
Tuesday in which case sorry