The Host Unknown Podcast - Episode 62 - Bikini Bottom
Episode Date: July 2, 2021

This Week in InfoSec (08:03)
With content liberated from the "today in infosec" twitter account
30th June 1998: AOL confirmed a leaked spreadsheet containing info of 1,300 AOL community leaders had been stolen from an employee's account.
Not around then? AOL was kind of a big deal - it bought Time Warner in 2000 and was worth $200 billion before imploding.
https://www.cnet.com/news/aol-volunteer-list-hacked/
https://twitter.com/todayininfosec/status/1410396545896177668

Rant of the Week (22:15)
via @rootsploit
Cybersecurity Workers Flood Twitter With Bikini Pics to Protest Harassment
Infosec Community Posts Solidarity Bikini Pics After Twitter Troll Outburst
Cybersecurity professionals have come together on Twitter to show their support for an infosec worker who was trolled after posting a bikini pic.
Coleen Shane, founder and chief engineer for InfoSec Bad Girls and Hacker Spring Camp, was astonished when an anonymous follower reacted angrily to the shot.
The user, who follows over 200 infosec-related accounts, argued that there was "no warning" for the image, intimating that "otherwise respectable people" should not be doing such.
Coleen's response was widely praised.
"It's a bikini, and I'm a human being who is a lot more complicated than just Infosec - also I do whatever the hell I want, whenever the hell I want, however the hell I want. Adios," she tweeted.
Communications company got their support for the movement (horribly) wrong by creating a calendar of the bikini photos (without consent) for people to download
Their apology has gone as well as expected

Billy Big Balls of the Week (34:00)
Doctor arrested for trying to hire a hitman to kidnap and inject ex-wife with heroin in bizarre bid to win her back
Ronald Ilg, 55, was arrested in April and is being charged in federal court for hiring a hitman over the internet to abduct his wife and imprison her in a "secure location" for a week, all the while dosing her with heroin.
Dr Ilg apparently agreed to pay the would-be kidnapper in Bitcoin. The FBI traced the Bitcoin transaction, which led them to Dr Ilg's Coinbase account.

Industry News (41:41)
World's Largest E-tailers to be Investigated Over Fake Reviews
US the Only Top Tier Cyber-power
Sensitive Defense Documents Found at Bus Stop
Pentagon CISO Suspected of Sharing Secrets
Salvation Army Hit by Ransomware Attack
Analyst Steals Millions by Spoofing Director
PrintNightmare: Windows Zero-Day Accidentally Disclosed by Chinese Researchers
New Charges Filed Against Alleged Capital One Hacker
Putin Orders Twitter to Open Russian Office

Tweet of the Week (48:25)
Teenagers are figuring out how to fake positive Covid tests using lemon juice and hacks from TikTok
https://twitter.com/imbadatlife/status/1410526468577411072

Come on! Like and bloody well subscribe!
Transcript
He did say to start without him, didn't he? Yeah, I was gonna say, it's been a while since we've done it, we might as well. Yeah, yeah. Although he's gonna come back and swear, so you might have to bleep stuff out later.
You're listening to the Host Unknown Podcast.
hello hello hello good morning good afternoon good evening from wherever you are joining us
and welcome to episode 62 of the Host Unknown podcast.
Yes, we've started without Jav because we just think it's hilarious, absolutely hilarious.
Andy, how are you?
Not too bad, I've got a new washing machine this week.
Have you?
Yes.
This was like a real...
Do you know what?
The last week, I've done more tasks around the house than I normally like to do.
Can I just interject as well and say, you know you've reached a certain age when the
purchase of a new washing machine is the highlight of your week?
Well, do you know what was probably even greater than that?
I bought a hedge trimmer in the Prime Day sales like the other week.
I think they call that a body shaving kit.
No, this is not for my man garden.
This is for my actual garden.
Your actual garden.
Your lady garden.
Oh, he's back. He's back. I hate you guys.
And so, yeah, so last Saturday, the washing machine is due to be delivered, and I took out the old hedge trimmer, went out back and realised why I pay gardeners to do that kind of stuff, because I spent about four hours trimming all the hedges and then I spent about four hours picking up all the leaves afterwards. And the hedges are all wonky, right? They're absolutely really badly wonky as well, so when they come in I need them to straighten them out.
But yeah, so that day my washing machine was due to be delivered, never actually turned up, and it kept saying like it'd be between three and five, then four and six, and then it just kept going up and up and said, don't worry, it's still on the way. Anyway, it didn't turn up. This gone 10 o'clock, no one answered the phone. Called them first thing next morning, they said, oh yeah, it wasn't even loaded onto the truck. So, you know, that whole tracking thing which they gave us, just completely useless. But it gets worse, right? So the earliest they can re-deliver is Wednesday morning.
So they rock up Wednesday morning, 7 a.m.,
and I pay for the whole connection, disconnection,
all that kind of stuff.
And the guy's like, you know,
how can I switch off the mains water?
I said, oh, you can't switch off the mains water
because the stopcock's behind the dishwasher.
It's integrated.
You're not getting to it.
But don't worry about it.
Just a bit of water.
Just unplug that one.
Plug in that one.
And also, shouldn't the inlet pipes have little valves on them anyway?
It does, yeah.
That wasn't working.
I don't know why.
But, yeah, anyway, they were like, no, we can't do that.
And I'm like, why?
You literally just swap it over.
Do you know what I mean?
It is that easy, and yet I'd still be prepared to pay someone to do it.
And, yeah, they're like, no, we can't do that. It's going to flood your house.
Oh, it's not going to flood the house, it's a bit of water, like, you know, it's a tap.
And yeah, so they're like, well, we can't do that, so, you know, we can leave this washing machine and, you know, you can do it yourself and we're gone. And I said, well, I want this one taken away. And they're like, well, if we're still in the area, we'll come back later and do it.
And I said, well, I'll tell you what.
I said, do you do that?
I said, make sure you're still around.
And so they brought in the new one, and while they were standing there,
I unplugged the old one, plugged it straight into the new one.
Didn't flood the kitchen too bad.
And I said, right, you can take it away now.
And they just kind of looked at me like I was some kind of nutter.
And you're recording this from a hotel
after your insurance claim for water damage.
Yes, so the house flooded,
and the pipes didn't fit,
called a plumber out,
couldn't get here till tomorrow.
Your wife came back after a week at her parents,
and now she hates the garden,
she hates the kitchen,
she's kicked you out.
She was polite about the garden. She was like, well, you know, at least the hedge is lower.
Well, it's trimmed, yeah. Oh dear. It's like a teenage boy after his first attempt at shaving.
Shaving a goatee? Not yes, well, you're trying to leave something behind. Oh, I just balance it out. Oh, damn it, I just balance it on the other side.
Oh dear. How's your week?
Yeah, very good, very good. I've had, well, the last three and a half days off, which hasn't been nice. I had them booked off because I was helping somebody do it at a wedding as a second shooter, but it was postponed to September, but I thought I'd keep the days off anyway.
Ah, okay, so you're gonna kill the groom before he got down the aisle.
Yeah, something like that. You back up for the primary? Yeah. I just realised what that sounds like.
Yeah, yeah, that's right. I was the insurance, you know, in case the first shooter missed.
Exactly, you were going down that way.
I was going down a completely different path there, Andy, but we won't go down there.
Oh, okay, it's one of those, is it? The depth of your mind.
Yeah, so, yes, it's been a nice week, nice and relaxed, built a bit of Lego.
Made a bonsai tree, as a Lego, of course. And, yeah, been very nice, very nice. Jav, what about you, mate?
You know, to give you an indication of what my week's been like, this morning I was walking back to the office to set up and everything and I looked into the garage, which is just next to this, and my motorbike's not there.
And, yeah, my motorbike's not in the garage. No, I was like, holy shit, where's my bike?
And it took me a good like 10 seconds to remember I gave it in for an MOT and service yesterday.
So that's how my week's been.
It's been one of those weeks.
So I was just commenting when you were late for the start of the podcast,
Jav, that it's indicative of men of certain ages when, in Andy's case,
the highlight of his week was the arrival of a dishwasher.
And in your case, you forgot what you did yesterday with your motorbike.
Yeah, pretty much.
Although what I did also find out yesterday, for the first time in my life,
I actually paid in a cheque at the post office because my local branch of the bank had shut down and the branch that is there is now further away.
And because it was a cheque above the £500 limit
that you can do with the app, I had to give it.
And then I went to the post office and I felt like a proper pensioner.
I walked in and I was like, excuse me, young man, do you cash cheques here?
Can I pay you my cheque?
Well, yes, we can, sir.
And it will take two to three days to clear.
That's fine as long as I might be...
Two to three days?
Is that working days?
Does that include the weekend?
I know.
Brilliant.
It's great when you get like a young counter assistant
and they're like, wait a minute.
And they're like, they call the manager.
It's like, can we take a cheque?
This old guy here wants to know if we can take a cheque.
Brilliant. Yeah, funnily enough, I'd
stick one in the post the other day as well.
So, what have we got coming up for you
today? This week in
InfoSec takes us back to a story
about the internet's
original mods.
Rant of the week talks about an
itty-bitty-teenweeny yellow trolling infosec
meanie. Billy Big Balls this week can be filed under how not to win back your ex. Industry News
brings you the latest and greatest infosec news from around the globe. And Tweet of the Week
is just a reminder that teenagers gonna teenage, even in a pandemic. So moving swiftly on, let's get on to the first piece of this week's podcast, namely...
This week in InfoSec.
So it's that part of the show where we take a stroll down infosec memory lane with content liberated from the Today in InfoSec Twitter account. So we are going to go back 23 years, to the 30th of June 1998, where, yeah... Did you hear the cogs whirring there?
It was the calculator I heard.
Okay.
So on that day, AOL confirmed that a leaked spreadsheet
containing info of 1,300 AOL community leaders
had been stolen from an employee's account.
Blimey.
Yeah, so who cares? And what is AOL anyway? So half the people may be thinking. So AOL was actually a company worth a considerable amount of money back then, to the tune of hundreds of billions of dollars in the late 90s, so it was kind of a big deal, and they were so big they actually acquired Time Warner in 2000.
Oh, that's right, AOL Time Warner, yeah.
Yeah, and that was, I mean, that was an ill-fated acquisition slash murder for another story, you know, a story for another time.
But, you know, we covered that on a previous episode,
like their amazing CD mailing promotion to, you know, sign people up
and just their pure market domination they used to have.
So AOL used to have these community leaders who basically volunteered their time as guides and chat room monitors in exchange for free membership.
So, you know, the type of people that, you know, wanted to do this back then are probably the type of people who aspire to be special constables these days, you know, with no plans of actually becoming a real police officer.
Or Reddit moderators.
Well, this is it, yeah. This is a little bit more fascistic than most policemen, police people, police officers. And this is probably the early version of a Reddit moderator, right? So Reddit wasn't around till what, 2003, 2005? I can't... You know, this is what it was back then.
So they basically got free access in exchange for their work as community leaders.
And AOL was probably one of the most targeted platforms back then, right?
And there's even a tool called AOHell, which, you know, is like GUI-based. You know, you could download it and it would do things like fake account generator, because AOL would need a credit card to allow you to create an account. But what you could do is use the fake account generator, click the button, it creates a number based on the Luhn algorithm, just like the credit card number, and AOL wouldn't realise it was fake until they tried to bill it 30 days later.
So you always got free access for a month and you could create fake names and stuff like that. They had a built-in phishing tool as well that had like automated instant messages that would try and, you know, get people to hand over their details. It'd be like, hi, this is AOL customer service. We're running a security check and need to verify your details. You know, please enter your username, password to continue, that kind of stuff.
You know, flooding scripts, mail bombs, like all this kind of stuff that was great. And you could also impersonate the AOL founder, Steve Case, in chat rooms using this tool.
I mean, like, do you know what I mean?
It was a thankless task being this much, you know, to try and moderate these kind of rooms. You know, there's no fun in it. You really got to be dedicated to the cause or you must really desperately want free access, and considering it's AOL access, I'm not sure you really appreciated the internet.
So anyway, yeah, back then there was an Excel file that was actually taken and it had the true names, true account names, account numbers of more than 1,300 of these community leaders, and unfortunately led to them being harassed quite seriously, you know, some threatening phone calls. And actually, why am I surprised? Why am I surprised?
Yeah, I mean, this doesn't change.
You know, and this is one of those things where I think why I like this story was it was,
it's not that it has anything really changed in those 23 years.
Nothing's changed.
Nothing's changed.
You know, the fact that they were using those phishing IMs back then, you could probably use them today and still get people's details. The fact that they were using Excel to store all of the details, yeah, it's still used to save so much thing. And I suppose the third one is
there's a cult-like following in tech
where people blindly give up hours of their life a week
to support some big corporation for free.
It is free labour as well.
And I think they actually brought a case.
I'm sure there was a case actually later in the,
maybe like 2009 or something,
where a lot of these volunteers tried to claim back pay.
The volunteers tried to claim back pay?
Yeah, or rather reasonable compensation for their time
that they dedicated supporting this.
Did they forget a fundamental part of when they volunteered?
But, you know what, I think this is more culturally about, you know, American corporations, and, you know, like the whole restaurant industry thing where, you know, they pay the absolute minimum wage and that's it, you live off your tips.
But you can also un-volunteer.
Yeah, true.
Do you know what I mean? It's difficult to, you know, to quit your job, because, you know, you gotta eat joined-up meat occasionally and have a roof above your head. But, you know, so, yeah, the whole restaurant thing, totally behind, utterly outrageous, all that sort of stuff. But to complain about compensation for a job that you volunteered for, knowing that it was a volunteer position and that volunteers mean you do it freely...
Do you know what? So I've just found the story. AOL actually settled to the tune of 15 million dollars with unpaid volunteers.
So they each got, well, if it's 13...
No, they didn't each get, yeah, no, they...
I'm just trying to see what they all got.
It's probably 14.5 million in legal fees and the rest was...
Yes, exactly, yeah.
I find that, you know, I'm all for, you know,
keeping large corporations in check and all that sort of thing
and making sure, to be blunt, you know, let's just not be dicks, right?
You know, even as individuals or corporations.
But to join what is, I guess, a class action suit to say, hey, my volunteer role should be back paid.
That seems a bit of a dick moving of itself.
Well, you know, I agree with you because it seems to be the American way.
Like you sue anyone, you join a class action lawsuit for whatever you want.
But I think on the other side, it's a bit like coming out of a toxic environment or an abusive relationship.
You don't always realise how bad it is when you're there. You think that you're working towards something else.
Yeah.
And you only see the light when you're out of it. And so... and sorry, go. Yeah, go.
Well, so I was going to say that, so I'm just reading now the distinction in this one. So obviously AOL, as you've rightly said, Tom,
just reading now the distinction in this one um so obviously AOLs, as you've rightly said, Tom,
that they felt that they're not workers, they're volunteers
because they voluntarily did this.
However, the argument was that it was the regimented nature
of their activities.
So although they were offering their time willingly,
they had to complete a training program, they had to work for a certain number of hours per week, and they had to regularly report to their superiors on what they had done. Okay, if they didn't do that, they would have been kicked out.
Volunteering at Oxfam, so when you say you're going to turn up at the shop so they can open it, you've got to turn up, and, you know, you've got to be kind of nice to the customers there because it's a shop, but it's still all volunteering.
I'm not getting it myself.
Well, no.
I think what it is is that there's certain expectations that are built up.
And I think with Oxfam or charities, yeah, it's easier to make that. But then you have people like, I was speaking to someone not too long ago who ran one of these ISC squared chapters, the local chapters that they do.
Yeah.
And they're all volunteers, but he was like, you know what, I put in all this time and effort and organisation and everything, and he goes... It's not that he was after... or he or she, I'm not saying who it is. But it's not that they were feeling that they wanted compensation for it, even though ISC squared makes a lot of money despite being a non-profit. But they felt like there was no... it was just a one-way relationship. And so they've subsequently, after many years, stopped being involved in it. And I think that's what it is. You invest in something
and you end up feeling like um you know you you want something in return for it,
some recognition or some satisfaction or some say in the future direction.
And if you don't get any of those things, then you're just being exploited.
And so I agree with that perspective.
This is the problem that people have with technology, in that you don't actually mind so much people or apps, say, like taking some of your data if it builds a bit of a relationship. So if you're on the British Airways frequent flyer program, you don't mind giving them your information because you think, hey, if there's only one seat left on the plane and there's four of us, they're going to give me preference if I've flown the most miles, because they know how many miles I travelled and what have you. But if you don't get that, then you're going to think, what's the point in me investing in this relationship? So I think there's that psychological aspect.
Yeah, but you say, you know, that it's exploitation. It's exploitation when you pay them very little money and work them to death and, you know, expect them to do... I think that's the point, is that there's this expectation that you would have of other employees that are getting paid.
Yeah, but also in the case of that individual, what they got back was the fact that it went on their CV or resume, right? That they were the president or whatever of an organisation.
And that helped their stand.
They were getting something from it, just not what they expected to get from it
or what they wanted to get from it.
And that's more on them, I think.
Spoken like a true newbie to the running of a chapter for ISC Squared.
Yeah.
Yes.
Yeah.
Trust me.
I've already got my own challenges there.
But that's fine.
You know what?
I said I was going to do it and I'll do it.
And when I'm done or at the end of the year and I don't wish to do it anymore,
then I won't.
I'll stop doing it.
I will stand down.
You know, if it's not worth my time and effort, et cetera. But that's on me. What I
can't do at the end of five years is say, oh, well, I got nothing out of it. I feel exploited.
That's ridiculous in an entirely voluntary, you know, situation. Now, if I had to do this role or it was the only job I could get
and I couldn't move anywhere else and I was being underpaid and I was expected to work seven days a
week, blah, blah, blah, then yes, that's exploitation. You know, I mean, my only other experience of this is early in my online dating period, you know, so a year plus ago, I signed up to a bunch of all of the online dating things. And one of them was OkCupid. And they contacted me and
asked me if I wanted to be a moderator of content and basically any escalations that were put to
them, they would send to people like me and ask my opinion on whether, you know, a complaint should be upheld
or not. And I got, I got through about five of these and all of them were like, oh, it's too
much nudity. It's like, oh, for fuck's sake, it's a dating site and it's her shoulders. Do you know
what I mean? It's that kind of thing. And in the end, after, after literally about two weeks of
this, I thought, I'm not doing this anymore. This is ridiculous. It's a waste of my time.
You know, I'm not providing any value here whatsoever. And so I un-volunteered. Now that's what volunteering is about, right?
We've gone down a real rabbit hole here.
Yeah, as usual, you're wrong. I was gonna say, you've gone down a rabbit hole.
This week in InfoSword.
Well,
we were talking about having
that a little bit shorter this week
because we'd only got the one story, but
yeah, thanks to that little
segue halfway through there,
I think we managed to pad that out quite nicely.
We are officially the most
entertaining content amongst our peers.
Alright, and
now it's time for
this week's...
Listen up! Rant of the week.
It's time for Motherf***ing
Rage!
Oh god, this is a doozy.
I don't even know where to begin, really.
Well, right at the beginning, perhaps.
So there is a hashtag trending at the moment.
Hashtag InfoSecBikini. So a Twitterer called Colleen posted a picture
of themselves in a bikini, basically saying, and I'm paraphrasing here, felt cute, might delete
later. And it was met with lots of love and claps and all that sort of thing, except by somebody called InfoSec underscore follower,
who said, what is it about Twitter that causes otherwise respectable people
to post fucking underwear shots?
Three question marks, total sign of insanity.
Your bio says InfoSec, no warning for this crap, hashtag unfollow. Which, of course, kicked off a bit of a storm. Colleen got back very, very clearly saying, it's a bikini and I'm a human being who's a lot more complicated than just infosec. Also, I do whatever the hell I want, whenever the hell I want, and however the hell I want. Adios. And also, my bio says InfoSec Bad Girls.
And this created a huge amount of support from Twitter, with many, many other women posting photographs of themselves in bikinis, swimwear, underwear in some cases, some revealing more skin than others, dependent upon comfort, but all and sundry.
And then some of the fellas joined in.
It was one where it was a chap.
I think his name was, I can't remember.
No, definitely can't remember his name.
But he was lying on a sun lounger and it was difficult to tell where his beard ended and his chest hair began.
But, you know, it was all good.
I mean, it was quite a magnificent beard stroke chest hair. So, yes, this kicked off a huge amount of chatter and support, and effectively what I think is, you know, fair enough. If you want to tweet something, then tweet it, as long as it's not breaking the terms of service and not abjectly offensive, in which case it would be breaking the terms of service, then go for it. ... and put up with their personal stuff, or you decide that their personal stuff is just too much for you despite their InfoSec tweets and decide to unfollow them, or even just see when it is a personal photograph and decide not to click on it.
So, yes, that all kicked off. It then took an even more sinister turn when Lisa Forte, friend of the show, Lisa Forte, hello, who had posted a bikini shot, then tweeted that bikini shot and a picture of a calendar that had been created, an InfoSec bikini calendar that had been created, saying, without asking me, they used my bikini image, who put it into a calendar that people could download. Like I'm a piece of meat. I posted to show support. I didn't consent to being turned into the InfoSec bikini calendar. I'm horrified by this. Utterly unacceptable.
And obviously there was a huge amount of support for that because, frankly, just pulling pictures off the internet,
putting them into a calendar and using them without consent is,
well, frankly, that's Daily Mail territory, really.
So it's not surprising there was a huge amount of support for Lisa and everybody else involved in there. So it didn't take long, and this has all been going on in what, the last 48 hours, is that right?
Yeah, this has been... so it's been very quick. Yeah, I mean, this is a minefield of a topic because, you know, as a male, there's nothing I can say on this topic which will go down well anywhere.
Well, unless you post yourself a bikini top photo.
Yeah, exactly.
But, I mean, the person, you know, I will say the person who did create that calendar, very clear English is not their first language. So I think culturally, you know, they do things... you know, I don't think they got the social cues on this one about, you know, what's acceptable and what's not. But, you know, I'm not arguing with that, you know, what they did was wrong.
Very clear, absolutely.
And the guy went out of his way to make an apology. He made an apology personally, made an apology from his company account as well. But what isn't cool is the hatred and vitriol that has gone on to that guy. And it's like, you know, he's apologised multiple times and people are still harassing him. I saw someone take the mickey out of the fact that he's got a ch, which is basically just bullying. And, you know how, like, in infosec everyone always says, oh, the worst thing to do if someone does something wrong is to vilify them or, like, you know, absolutely humiliate them, because they're never going to come back to you and report things. And that's exactly what the industry is doing to this guy, right? He got it wrong, he apologised, he tried to undo. But no, pitchforks are still out for him.
And the mob is still baying for him.
Well, you say social and cultural clues and all that sort of thing.
So this, I believe, it's a company based in India.
Yes.
Is it the...
EC Council.
EC Council.
That's the one.ini eye communications alp
But, I mean, yeah, we got like... the point is, you guys try to apologise. I get where you're coming from, but I think, you know, social and cultural clues, well, in India, you know, that sort of thing is just as unacceptable there, you know, to share photos of people without their consent.
Yeah, okay. So, you know what, it's not like he went... he's apologised, he's trying to, he's explained the reason. Should we still keep going after him?
Yeah, and it's not like he went onto people's private accounts or Instagram.
It's posted publicly on Twitter.
Yeah.
You know, he didn't do anything untoward in how he obtained it.
And like Andy said, I think he apologised and that's good.
Well, he apologised via a lawyer.
No, he didn't.
He apologised from his personal account. Well, saying, "if there had been any such mala fide or monetary intention." That's not the standard.
Right, so now we're attacking the guy's apology, right?
No, I'm just saying it's obviously not written by him. And the fact that English isn't his first language.
Yeah. No.
These are very specific legal terms.
Well, I'm sure the guy's paranoid now because of the mob that's after him.
Yeah, yeah.
See, I don't think that's the issue.
I think people are missing the real issue here.
Which is?
Is that one account with barely 100 followers trolled so many infosec professionals.
To show their bikini pictures.
Yeah, to get them to show them their bikini pictures. And people are, you know, it's one of those things: for an industry that prides itself in being all about OPSEC and social engineering, they just got social engineered themselves into, like, posting their bikini pictures and then being offended when it didn't go completely their own way. And I'm not defending what anyone does, and, you know, people should be free to post whatever they want and it's absolutely acceptable and fine. They should do whatever they want, they should be able to do it without any fear of people being creepy or weird or bad. But, you know, that's not the world we live in. You could post anything these days and you could offend someone somewhere, and I think the more oxygen you give it, the worse it gets.
Now, the point is, when you stand in solidarity with someone, it's a bit like going to a demonstration, a march, like BLM or anti-war, whatever cause you believe in, and then complaining that police were there and you ended up inhaling a bit of pepper spray. I think that's part of what it means to go out in solidarity or support with someone, because it is quite a brave act, because you are putting yourself out there. Not saying that it's right at all, but it's just part of the nature.
It just reminds me of this piece of advice, which is great. So to prepare your kids for life in the real world, when they come home from nursery or school with their little paintings, stick it on the fridge like you normally do, but then leave really mean comments beneath it, and that way they'll prepare for adulthood.
Yeah, preparing for a life of desperation and mental anguish.
we don't all want to be like you, Jav.
No, my parents never left any mean comments on me.
They just never put my pictures up.
That's right.
What is this?
This is crap.
This is not going on the fridge.
Will this painting help you in medical school?
No.
Then it goes in the bin.
Does it say Dr. Javad Malik under there?
No, it doesn't.
Well, I think the final words, and I still think, you know,
the Wheaton's Law here still applies.
Don't be a dick.
Come on.
That's just, you know, why can't we all just get along, man? So the final word here goes to a photo, which I'll put up in the show notes as well.
Those of you who are properly educated, et cetera, will know of a show called Archer on TV.
And there's a phrase he uses, you know, do you want something?
Because that's how you get something.
And the picture, the statement is, company takes InfoSec bikini photos
and makes them into a calendar without consent.
Do you want a free pen test?
Because that's how you get a free pen test.
Oh, so you're threatening, so you think it's okay to threaten people now?
Yeah.
Rant of the week.
Are you not entertained?
What?
The judges were.
You're listening to Europe's most entertaining content.
What are you talking about, man?
The Host Unknown podcast.
And move very swiftly on to my learned colleague, Jav, and...
You know, I'm just trying to remember,
what was the name of that guy in Sweden who built a basement
where he kept his family?
Oh, Joseph Fritzl.
Fritzl, yeah.
That's the one. Soundproofing expert, right?
Yes, yes. I remember watching a comedian and he was saying, because I can't even build, like, a little toolbox in the garden without my whole neighbourhood knowing, how he built a massive basement and dungeon underground without anyone knowing is beyond me.
But this story kind of reminds me a bit of that.
So if you're a bit triggered by that kind of thing, just skip this section.
And Tom will kindly put the timestamps in the show notes.
No, I won't.
There's a doctor, a neonatal doctor in Washington, Ronald Ilg, 55, was arrested in April and is being charged in federal court for hiring a hitman over the internet to abduct his wife and imprison her in a quote-unquote secure location for a week, all while dosing her with heroin.
Bloody hell, there's a lot to unpack.
There is a lot to unpack. So the story is something. It reads... if you saw this in a film, you'd probably say this is just way too over the top. It's beyond Silence of the Lambs, kind of.
It's like Hostel 3, isn't it?
It sounds like the plot for one of those films.
Or Saw 17, or whatever it is now.
Yeah.
That's right.
So this man, he was married to someone.
They have a child together.
But she said that he was very aggressive, very controlling.
She broke up for a while.
He left her alone, but then he tried to win her back.
He had someone else in the time who he locked in the basement.
He's a bit of a twisted individual.
Anyway, he couldn't handle the fact
that his ex-wife didn't want anything to do with him.
And so first he was sending her lots of letters.
And then he was also hiring,
he was cruising the web looking for goons
to dish out beatings on those he believed had wronged him.
And later on, it transpired his user ID online was SCAR215, and that user, SCAR215, attempted to hire muscle to use against a co-worker he believed had been spreading rumours about how he was fired. He was actually fired because he took a weapon into the office.
But he told his hired help to injure both hands significantly
or break the hands of the woman he was targeting.
He allegedly was ready to pay $2,000 in Bitcoin to whoever took the job.
But the request was never fulfilled.
You know you're a bit crazy when even like these weird people on the underground say,
you know, that job's a bit too crazy for me.
I'm just going to turn it down.
When scammers aren't even prepared to take your money.
Yeah, exactly.
A month later, the same user posted another assignment on the dark web, rent a killer site, this time asking for someone to kidnap, drug and blackmail his estranged wife.
And so, you know, there was other... So that site he used, rentahitman.com, is actually a honeypot run by law enforcement.
Excellent.
So they got all his details from there and what have you.
So investigators raided Dr. Ilg's home, finding his concrete bunkers and reference to his online handle, SCAR215, on a sticky note in his house.
Nice.
People, people, this is security awareness 101: don't put usernames and passwords on a sticky note on your monitor. Oh my God.
Well, bad guys, you ignore the advice, but good guys, don't do that.
According to a broadcaster, Dr. Ilg reportedly confessed that he tried to hire someone on the dark web, but claimed he was actually trying to hire someone to kill him to ensure that his girlfriend got all his belongings rather than his estranged wife.
What a noble man.
Honestly, he just misunderstood.
Yeah, Uno reverse card.
Yeah, anyway, it's just one of those really, really weird stories. I think it's absolutely stupid. Well, if it's true, he's a terrible human being and doesn't deserve to live as a free man. But I think what's really interesting is that nearly every aspect of our life has some element of the cybers to it.
And, you know, use of Bitcoin and the dark web and finding online rent hitman services.
It just goes to show that, you know, it's just something that's embedded itself into the very fabric of society.
And there's no way out of it now. So we really need to up our game in how we secure these things and how we monitor them and how we manage them. And, you know, this is why sometimes, the government... I can sometimes understand why certain people say, like, end-to-end encryption needs to go, because then evil people like this are there. But then that just leaves everything exposed. So, yeah.
Also, evil people like this are obviously still dumb enough to make such mistakes that they're going to get found anyway.
Yeah, yeah, they are. But a truly horrible person, truly fascinating story. We will put the link in the show notes. Have a read, there's far more details there. And, you know, it's cheaper than a movie.
It really is. Yeah, it feels like an odd Billy Big Balls, but I know what you mean. I mean, the guy had aspirations and plans, but, oh my God, I just love the fact that the FBI have a website called Rent a Hitman that is so far up the SEO rankings that people actually click on it to, well, basically rent a hitman. That's incredible.
I'm going to leave a Trustpilot review about this site. I say one out of five. Got arrested for 10 years, doing 10 to 30, conspiracy to commit murder.
Oh, man.
Billy Big Balls of the Week. Sketchy presenters, weak analysis of content and consistently average delivery, but they still won an award. Like and subscribe now.
Blimey, Andy, would you look at the time. I can't believe it. It's already that time of the show where we head over to our InfoSec news sources
at the PA Newswire who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News
World's largest e-tailers to be investigated over fake reviews.
Industry news.
US the only top-tier cyber power.
Industry news.
Sensitive defence documents found at bus stop.
Industry news.
Pentagon CISO suspected of sharing secrets.
Industry news.
Salvation Army hit by ransomware attack.
Industry news.
Analyst steals millions by spoofing director.
Industry news.
Print nightmare.
Windows Zero Day accidentally disclosed by Chinese researchers.
Industry news.
New charges filed against alleged Capital One hacker.
Industry News.
Putin orders Twitter
to open Russian office. Industry News.
And that was this week's
Industry News.
Huge if true.
Yeah, they're
finding documents at a bus stop
Brilliant
I was
Watching the telly about this
Although they were classified
Although not top secret
But nonetheless
Who takes that sort of thing
Who takes the bus
This day and age
I thought buses were those black vehicles with the orange lights on the top.
Exactly.
Bus wankers.
But seriously, not only were those documents taken from the office,
but someone sat at a bus stop, took them out of their briefcase or whatever,
started reading them, put them down to presumably on a KitKat or something,
you know, talk to the old girl next to him or her,
and then go on a bus.
I mean, for goodness sake, you'd think if you've got that access
to those kinds of documents that you'd, well,
just not read them in public.
You know what? I'm going to be a bit ageist here, but I'm going to say it's someone over the age of 55 that left it, probably, because I would say so. It contains printed emails and printed PowerPoint presentations. Yes.
Although, although in fairness, government does move at the speed of paper.
It does. It does. And maybe their DLP is so good, all they could do was print it off and take it to work on it.
Their executive assistants used to provide printed copies of everything,
which is a problem when, you know,
your presentation is electronic in format, you know,
might sometimes even have animations or steps.
If nothing else, you're trying to explain a process and you're trying to explain the steps.
And of course they get the whole thing all at once.
But if the EA is really good, she would actually print it frame by frame
and put it in a way that you can flick through it like one of those books that sort of does the animation.
Take it down into a little tiny sort of A6 or A7 booklet.
Yeah.
I mean, it's the difference between your average EA and your top EA.
Well, it's when I sent in that 45-minute film of me explaining the concept and she converted it into a,
you know,
25 pages per second,
a flick book,
as you say,
it's quite a large flick book.
Yeah.
Amazing.
I find it absolutely incredible.
I did like,
you know,
that story that,
uh,
Jav mentioned about the analyst,
uh,
who steals millions of dollars by spoofing director
So this is literally about a trading analyst who just impersonated the company director to authorize transactions, and that was literally it. It's like there's 106 wire transfers, and he just used that guy's name and signed off using his name and email address.
And people just accepted it.
Oh, my God.
So it wasn't even some kind of complex scam?
No, it was just that simple.
Jesus.
That's terrible.
Yeah.
That's terrible.
Yeah, well, they say he's charged with stealing $2.7 million worth of money by diverting funds into accounts under his control.
By just saying, by the way, this is Jack, not John.
Exactly that, yeah.
Wow.
What sort of company was this?
Some trading company.
Trading firm, I think it was, yeah.
But he's basically facing 57 years in prison.
Well, unless he signs his name as something else
and they'll put someone else in prison.
Yeah, that poor director's going down.
Yeah, yeah, that poor...
Exactly.
It wasn't me, it was him.
Yeah.
Wow.
Wow.
Okay.
You know, there's... so in Pakistan, I was there at one time and there was a heightened security risk at airports or something for free, so if you drove into the airport they'd have, like, those little mirrors on the end of a stick and they check underneath the car.
Oh, yeah, yeah, yeah.
Yeah, and they'd check in your, they'd look in the car,
they'd look in the glove box and everything.
And there was a little cartoon in the paper the next day,
like where there's a car that's being checked underneath and the boot's being looked at.
And right on the roof, there's a massive rocket strapped there.
And it's oblivious to it because there was a security lapse, and it was just something similar to this. It's just, like, the simple thing. Someone can just walk in with a bag with, like, guns in it and stuff, and that'll be fine. But if you go in in a car, no, they have to check the undercarriage and everything.
I don't know what car you drive, Jav, but if it's got undercarriage, I think that's quite impressive.
I don't know, I'd ride a motorbike that's not even here at the moment.
Are you sure? Have you checked in the garage?
Let me go check. Yes.
the host unknown podcast orally delivering the last segment and it's all for you.
The tweet of the week.
And we'll do that one again.
The tweet of the week.
So this is a slight break from the norm.
This is just about teenagers doing what teenagers do.
Now, I don't know if you recall back in your school days, Jav, maybe a bit longer for you, Tom, but if you can think back, I was always doing whatever I could to get out of class. You know, I frequently played hooky, you know, and then you have to edit the register to show that you're in, because the register is just sitting outside the headmaster's office.
So you just have to go down, pick one out and just put the old little X in there so that you did actually turn up.
And, you know, there's the pranks, you know, I think the real sort of hardcore people would actually pull the fire alarm, you know, to get people out.
But this pandemic has presented teenagers with a different opportunity to get out of things. And so this is a tweet from a guy called Luke Bailey, and he just sort of pulled together a whole load of videos that have been circulating on TikTok by teenagers. And so now teenagers are at school,
and if they test positive for COVID,
obviously they've got to isolate for 10 days, and, you know,
half the class has to isolate with them.
And it's causing utter chaos to the education of kids at the moment, right?
But those teenagers that don't want to be at school anyway,
they have basically found ways to trick the test that you have to take,
you know, twice a week to see whether you have COVID.
And they basically, using lemon juice,
will turn it into a positive test.
So you rock up, you take your test,
put a drop of lemon juice in there instead of your nasal swab,
and it returns a positive test,
and therefore everyone has to isolate.
The whole class is then off. It's causing disruption. So the tweet is actually from Luke Bailey:
It's essentially impossible to know how widespread this is in practice, but even a small amount could have huge impacts on our data. Which I think is, you know, what the kids probably don't realise is that, you know, these numbers that are being reported every day, how many of them are actually real. But it's, yeah, kids. It's genius. It's been kids and I think it is genius. It's almost a really Big Balls move.
So as it is, as you two often talk about, it's not Big Balls, it's Tweet.
Yes, it's a... no, that's what I'm saying, it's almost.
Oh, almost, okay. Oh, that's right, it didn't quite make the grade. But I think, you know, as you two regularly state that, you know, TikTok is a responsible platform, what are TikTok doing about these videos on there?
They are actually removing, yeah, anything that's sort of tagged like this that, you know, especially if it's reported, they are removing it, you know, as soon as it comes up. But it's one of those things. It's a viral trend, you know, and people are sort of tweaking hashtags and stuff to, you know, bypass the censors, as they do. It's the typical game of cat and mouse. But I do think TikTok are responding quicker than others, you know.
It's, well, they have, they have historically. I mean, obviously, for the sake of the show, I was hoping that they weren't doing anything,
and I could say, see, see, I told you.
This is a show where you've been wrong in every single section, Tom.
It would seem to be that way, wouldn't it?
Maybe I won't turn up next week, and then I'll definitely be right.
Is that a promise?
No, not yet.
What if I put some lemon juice in your COVID test?
Is that a euphemism for putting money in my bank account?
No, that is absolutely not.
Then I'm definitely turning up next week. But just out of curiosity, if you have a Patreon and, like, you know, how much would it take for you to not turn up?
100 quid. So folks, if you would like this show to be run by these two jokers next week, all you have to do is go to hostunknown.tv. There is a donate button there. If we make a hundred quid in the next week, the first I will know of this show is when I listen to it when it's published, probably four days after it was recorded.
Yeah, if you want to go halves?
Yeah, yeah. Well, I was just thinking, we will, like, double match any donations made. So I think, even if we get, like, for this, I'm happy to be paid to not turn up.
Not a problem in the slightest.
Okay.
Okay.
Let's make this happen.
People.
Okay.
And,
uh,
that was this week's tweet of the week.
And I love playing that one twice as well.
Tweet of the week.
Awesome. So gents thank you
very much for this week's show
I think
but yes very good
Bringing it in well under the hour as well.
Well, well under the hour.
Depends how long we natter now. But Jav, thank you very much.
Yeah, no, thanks. I've got to go pick up my motorbike now.
So, yeah, but do you remember from where?
That's... we'll be told next week on this. Just exciting.
Just do a search for all the MOT garages in your area and then just go round in a circle through all of those.
Yeah, I stuck an Apple AirTag on it.
Don't worry, Jav.
I can tell you where it is.
Oh, brilliant.
Thank you.
Excellent.
Thank you, Jav.
Thank you.
And Andy, thank you very much.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
So I'm just logging on to the hostunknown.tv site now.
So that's £6,000. Holy crap. Yeah.
£6,000, so that's the next 60 shows.
Excellent.
So I got just over a year off.
What's this?
Mrs Langford.
What?
Top contributor.
Yeah, well, I'll go and see my mum instead.
How's that?
So, what have we got coming up for you today?
This week in InfoSec takes us back to a story about the Internet's original mods.
Rant of the Week talks about an itty-bitty teeny-weeny yellow trolling InfoSec meanie.
Billy Big Balls this week can be filed under how not to win back your ex.
Industry News brings you the latest and greatest infosec news from around the globe.
And tweet of the week is just a reminder that teenagers gonna teenage, even in a pandemic.