The Host Unknown Podcast - Episode 63 - The JavAndy Show

Episode Date: July 9, 2021

This week's show is 33% off but the content is still as average as ever!

This Week in Infosec - 3 mins 11 secs
Billy Big Balls - 12 mins 49 secs
Rant of the Week - 20 mins 52 secs
Industry News - 30 mins 56 secs
Tweet of the Week - 38 mins 20 secs

THIS WEEK IN INFOSEC

With content liberated from the "today in infosec" twitter account

4th July 1994: John Markoff's article "Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit" was published by the New York Times. It was about Kevin Mitnick.
Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit
https://twitter.com/todayininfosec/status/1411891849132924932

8th July 2008: Dan Kaminsky gave a press conference announcing a DNS vulnerability he discovered 6 months prior. RIP, Dan.
Fix found for net security flaw
https://twitter.com/todayininfosec/status/1413206908882804739

BILLY BIG BALLS

Ransomware-hit law firm gets court order asking crooks not to publish the data they stole

Criminals break into your systems, they do the usual, exfiltrate data, deploy ransomware, and leave you nasty messages about how they pwned you while blackmailing you.

However, New Square Ltd may have found a way to stop the criminals from capitalising on the data they have stolen by making it illegal for the criminals to release any of the stolen information.

RANT OF THE WEEK

This TikTok Lawsuit Is Highlighting How AI Is Screwing Over Voice Actors

Voice actors are rallying behind Bev Standing, who is alleging that TikTok acquired and replicated her voice using AI without her knowledge.

At the center of this reckoning is voice actress Bev Standing, who is suing TikTok after alleging the company used her voice for its text-to-speech feature without compensation or consent. This is not the first case like this; voice actress Susan Bennett discovered that audio she recorded for another company was repurposed to be the voice of Siri after Apple launched the feature in 2011. She was paid for the initial recording session but not for being Siri.

Find a job with TikTok Resumes

INDUSTRY NEWS

REvil Group Demands $70 Million for 'Universal Decryptor'
Suspected Cyber-Criminal "Dr Hex" Tracked Down Via Phishing Kit
BA Settles with Data Breach Victims
Official Formula 1 App Hacked
Biden Administration Cancels $10bn JEDI Contract
Over 170 Scam Cryptomining Apps Charge for Non-Existent Services
Regulator Probes Former Health Secretary's Use of Private Email
Trump Sues Facebook, Google and Twitter
New PrintNightmare Patch Can Be Bypassed, Say Researchers

TWEET OF THE WEEK

https://twitter.com/sherrod_im/status/1412856171652861953
https://twitter.com/doctorow/status/1412923242273140736?s=20

Full story - Delivery Drivers Are Using Grey Market Apps to Make Their Jobs Suck Less

Drivers are there virtually, using GPS-spoofing apps to position themselves right in the center of the McDonald's lot while they physically wait under nearby shelters. Using these unofficial apps, known as tuyul, drivers can set their GPS pins at the optimal location they would like orders from, without having to physically drive there.

And with that we leave you to enjoy the weekend! Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 So, Jav, do you think it's feeling a bit younger around here at the moment? Only by about four decades, yes. So I guess we should explain what's happened. We actually hit the target, and so Tom is not here. Last week, we said on the podcast, if we raise £100, then Tom gets the day off. Less than four hours after the podcast was published, the Duchess of Ladywell, aka Mrs Langford Senior, went to church on Sunday, got up and asked for contributions so that she could see her son one day in the week. Yeah, and the community pulled together and they made it happen.
Starting point is 00:00:45 So thank you. Yeah, and had we known that's all it took to get some money, I guess we would have asked for that a long time ago. If you want to give us money, we'll make sure Tom does not come back to record. That's it. A younger podcast, a more ethnically diverse podcast. What more could you ask for? You're listening to the Host Unknown Podcast.
Starting point is 00:01:08 Good morning, good afternoon, good evening from wherever you are. Well, heaven knows that was a tough job to replace. Jeez, he's making out, you know, that he does all the heavy lifting on this show. I will play the role of Tom today. So, Jav, how are you, sir? I'm doing great, my man.
Starting point is 00:01:38 What could be better is just chatting to my best mate without Uncle Tom overlooking us and trying to censor us. Oh, dear, it's going to be a fun show today. I'm still nervous about how we actually get this published. You know, I'm sure we'll figure something out. But do you have the logins to the site that we need to load it to in order to publish it? It doesn't matter, because Tom has three passwords he uses for every single website he's ever logged onto in his life. So I'm sure we can get in. Right, okay, that's, uh, password1234, password4321 and just, uh,
Starting point is 00:02:11 password all lowercase isn't it yeah that's the one cool coming up today what do we have for you we have this week in infosec you've got quite a lot of resource pursuing a guy and they're not entirely sure why they're pursuing him barely big balls i have no idea it's genius isn't it it's absolute genius rant of the week like you just put me on the spot there and said like what would i say and i don't have an elevator pitch ready industry news and of course our favorite tweet of the week so you know using one technique over the other just to stick it to the man so we will kick off the show with this week in InfoSec. So it's that part of the show where we take a stroll down InfoSec memory lane by regurgitating content liberated from the Today in InfoSec Twitter account. And so this week, I am going to remind you of two InfoSec luminaries with very different paths. On the 4th of July 1994, a mere 27 years ago, and it's a day, 4th of July, that's
Starting point is 00:03:38 a date that, you know, Americans celebrate. Not entirely sure why. It's just a regular day for us. So, 4th of July 1994, John Markoff's article titled "Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit" was published by the New York Times, and it was, of course, a story about Kevin Mitnick, no less. So, cyberspace's most wanted. Obviously, what an accolade. And obviously, you know, these days it is a very different life for Kevin, as you well know, you work with him. But for those of us of a certain age who missed the stories of Kevin's past, he's probably these days most well known for his business cards, which double as a lockpick set, rather than, you know, people fully understanding what he went through. So regardless of anyone's views on
Starting point is 00:04:29 Mitnick, he has been a main player in the InfoSec story. So I'm going to quote directly from the New York Times article. It states that "combining technical wizardry with the ages-old guile of a grifter, Kevin Mitnick is a computer programmer run amok, and law enforcement officials cannot seem to catch up with him." At the time this article was written, you know, he had actually already served time in jail for, you know, previous computer crime, and he was now one of the nation's most wanted computer criminals. So he was being pursued under suspicion of stealing software and data from, like, half a dozen different phone companies, and he did it by coaxing employees into giving him passwords, what we refer to these days as social engineering. But this article in the New York Times, and there's a link in the show
Starting point is 00:05:19 notes, went on to basically liken him to the kid that foreshadowed the plot of the 1983 movie WarGames. Ultimately, on this occasion, he was accused of causing $4 million in damage to computer operations at the company and stealing a million dollars' worth of software. Now, obviously, we know how companies come up with this number. It's a bit tedious. But in 1993, so the year previous, while a fugitive, he managed to gain control of a phone system in California that allowed him to wiretap the FBI agents that were actually searching for him. So he pulled, like, a proper Uno reverse card on them to, you know, sort of stay ahead of the
Starting point is 00:06:00 game. But what the article goes on to say is it's not clear if he was using his computer skills, or it's not clear if his computer skills were unusual in the world of programming. But obviously, he was very good at social engineering. So, you know, even at the time, 1994, they were unsure, you know, what a hacker was, what a social engineer was. They didn't really understand, you know, what everyone was able to do. But I mean, there's no evidence that he actually used his skills illegally to make money, right? And the phone companies who say that he stole this software, they were worried that he would sell it to competing manufacturers in Asia or offload it to criminals who wanted to make free phone calls.
Starting point is 00:06:42 And even at the time, the FBI and Justice Department said they didn't have absolute proof that he was behind any of these attacks on the phone companies. And this is really what made him one of the main characters in this story, is that you've got quite a lot of resource pursuing a guy, and they're not entirely sure why they're pursuing him. But eventually, they caught up with him in the February of '95. This is, like, a year later. He was charged with wire fraud, possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to federal computers, and of course causing damage to a computer, which is, you know, kind of standard in the '90s if you wanted to arrest a hacker. Um, and obviously, you know what the justice process is like. It takes a while to get there, right? So it wasn't until four years later, in 1999, that he actually
Starting point is 00:07:32 got the opportunity to plead guilty to a number of counts of these charges as part of a plea agreement. So he was sentenced to 46 months in prison, plus 22 months for violating the terms of a previous 1989 supervised release, and he admitted to violating the terms of that release by hacking into Pac Bell's voicemail and other systems. So he served five years in prison, four and a half years pre-trial and then eight months in solitary confinement, and that was because law enforcement officials convinced a judge that he had the ability to start a nuclear war by whistling into a payphone. So just to make this absolutely clear, the police managed to convince the judge that Kevin Mitnick would somehow be able to dial into the
Starting point is 00:08:26 NORAD system via a payphone from prison and communicate with the modem by whistling, like, nuclear launch codes. Right. Yeah, the judge believed it. He was eventually released in 2000 on, you know, again, supervised release. And although he was convicted of copying software unlawfully, you know, at the time, supporters argued that his punishment was excessive, and a lot of the charges against him were, like, fraudulent, not actually based on actual losses. And even Kevin himself, in his book The Art of Deception, he actually says that everything he compromised was using passwords and codes that he'd gained by social engineering. He didn't actually use any tools or crack passwords or otherwise exploit vulnerabilities.
Starting point is 00:09:11 He absolutely just targeted the people. This is one of those cases that tested the new laws that had been created to deal with computer crime as it was evolving. And it really sort of raised that public awareness involving network security. But the controversy remains today. The Mitnick story is still often cited as an example of the influence that newspapers and media outlets have on law enforcement personnel. So it was an interesting time back in the '90s, but to me, definitely a main character in what has become this industry. The book you mentioned, The Art of Deception, I remember Stephen Bonner recommended that to me back in the early 2000s. I think it,
Starting point is 00:09:51 even today, it's so relevant, because the same techniques he used then are applicable today. Yeah, and this is, I guess, this is one of the things that we try and highlight, is that it's exactly that. There's not much that has changed in terms of techniques that people are using to exploit, you know, social engineering. It's still the same, like password guessing, convincing people to release information they wouldn't otherwise. And, you know, we're just doing different delivery methods, I guess, these days. It's easy to laugh at the judge who got convinced by the police that he could whistle codes down. But then I thought, how's this different from any CEO who approves a CISO's request to have, we need a three-year identity and access management project to go on, and we need to
Starting point is 00:10:36 hire big consultants here, and we need to spend two million on this product over here. It's about selling a story, isn't it? It is. Briefly, I will, uh, mention just the other person, you know, I'll mention is someone who is on the polar opposite end of the scale to Kevin, and I guess his origin story really started, you know, 13 years ago, on, around, I think it's the 8th of July 2008. Um, and it's a guy called Dan Kaminsky, who gave a press conference announcing a DNS vulnerability that he had discovered six months previously. Obviously, rest in peace, Dan. I know, with a heavy heart, we obviously lost him earlier this year, aged only 42. So, you know, went really
Starting point is 00:11:21 early. But, you know, Dan was known for his many contributions, you know, in the industry, including the discovery of the DNS cache poisoning vulnerability, you know, in 2008, early work in developing a framework to address SQL injection and cross-site scripting. But I guess what differentiated Dan from other figures who might be considered amongst, you know, the elders of the internet was his kindness and the help and encouragement that he offered to other hackers, you know, particularly those making their start in the industry. So I'm not going to be able to do him justice, you know, without preparing way more notes on this one. But, you know, his influence does reach areas that you might not even realize. So I've included a link in the show notes,
Starting point is 00:12:03 it's got a video which talks about some of the influences that he's had on people. But there's one quote which I did like, and I think summed it up, is, you know, "we owe him so much, and people who will never know his name". Oh, Dan. And so there you have it. Yeah, I mean, there's two different types of people in this assorted box of InfoSec main characters, and whether you believe it or not, your life is probably better because of them. Absolutely. Can't underestimate the impact that some of the early pioneers had on the direction of the industry. Yeah, and that was...
Starting point is 00:12:36 This Week in InfoSec. This is the podcast the Queen listens to. Although she won't admit it. So I guess we should head straight into this week's... I was going to say the ball's in my court this week, because I've been watching a bit of Wimbledon. But did you actually see, before I get into the story, there was, uh, I saw a clip of it. Federer played a little
Starting point is 00:13:11 kid on court. Some kid came onto court and he had a little rally with him, and the kid lobbed him and got it through. I didn't see that. No, I saw it on LinkedIn. What was great is someone posted it, and one of the first comments, or one of the top comments, was "nice video, but LinkedIn isn't the place for it". Yeah, and so many people... he got flamed so hard, everything ranging from, you know, "who are you, are you the LinkedIn police?" Yeah, but lots of people actually made the comment, this is actually good leadership and making other people feel good about themselves, and what would he have achieved had he just, like, beaten the kid, or what have you? A lot of it's just about how to win friends and influence people and that kind
Starting point is 00:13:56 of thing. People do love getting the pitchforks out in a public forum, though, don't they? They do. It's why I've been getting more and more scared to post anything these days. It's just a minefield out there. You just don't know what you're going to get. You're going to get cancelled if you do it wrong. What is perfectly acceptable today, in two weeks' time it's going to be the thing that will get you fired from your job. So I think we should start auto-deleting old podcasts as well, especially the ones with Tom in them. And hopefully by the end of the year, people actually forget that Tom was an original part of this.
Starting point is 00:14:30 Yeah, exactly. Yeah, an original team member. Anyway, the Billy Big Balls of the week. It's a usual story. Criminals break into an organisation. They do the usual. They'll do some lateral movement. They'll exfiltrate some data, deploy some ransomware, and then leave you nasty messages about how they pwned you.
Starting point is 00:14:52 They will blackmail you, and they will want some money. Standard MO for one of these groups. Exactly, standard MO. It's an unfortunate pattern that is repeated a bit too often around the world on an almost daily basis. And up until now, it's been very difficult. You either pay the criminals the ransom they want. And nowadays, it's actually double extortion. So you pay them once to decrypt the data on your servers, and then you pay them again as hush money to not leak or publish the data that they've stolen. Yeah, and they're going to release that, you know, you've been hacked as well, aren't they? Yeah, they are. But one company may have found the solution. New Square Chambers, which counts IT dispute experts amongst its ranks, obtained a privacy
Starting point is 00:15:47 injunction from the High Court at the end of June against person or persons unknown who were blackmailing the firm. So basically what they're saying is, criminals who have stolen our data and ransomwared us, we are now making it illegal for you to capitalise on the data you've stolen. No one thought of this before. I have no idea. It's genius, isn't it? It's absolute genius. It's just like, well, you know, the laws didn't stop them from breaking in or ransomwaring or stealing the data, but now you've got a specific injunction against them, who more likely are going to be outside of your jurisdiction anyway. And it reminds me, when you log on to a system and there's that little banner that pops up, and it's just like, hey, this is a restricted network, please leave if you are not authorized, and
Starting point is 00:16:40 I'm sure hackers look at it and go, oh my God, I shouldn't be here. You got me. No, wrong system. My bad. Sorry to disturb you. Maybe you could just threaten to tell the hacker's mum, like, your child's been very naughty. Oh, this is like what the girls that receive unsolicited pictures in their DMs have done, isn't it?
Starting point is 00:17:01 They just traced the person back and then contacted their mum. This is what your son's sending me. Yeah, no, that could work. Obviously, you know, that assumes that you have a bit of knowledge about the hackers. Although I did post this question online, and someone actually responded saying that you should put a 14-day waiting period on new computer purchases and limit purchases to one computer per month. It's worked to eliminate criminal use of firearms. Interesting. That sounds like someone who has very strong feelings about Second Amendment rights. That's right. I mean, I think there is some merit to this. Actually, I was digging into this story a bit more after I said I'm going to talk about this one, and apparently this happens a bit more often than some people think, and part of it is insurance claims and what have you. It's just to cover your ass for all eventualities and say you've done everything
Starting point is 00:17:56 you can in your power to stop it and prevent it, and you took all these steps and what have you. So some of it comes down to that. It's like the banners. It's like everything else. Yeah, I mean, I know we joke about the banners, but that is a genuine legal... If you're going to prosecute someone for unauthorised access to your system, you need to show that you have made it very clear
Starting point is 00:18:16 that they shouldn't be doing that. It's a unique way to go about it, but I think it also just shows how badly the security industry is scraping the bottom of the barrel, where that's the best they can do in reaction to data being stolen. Well, yeah, I mean, with this whole ransomware thing, it's massively getting out of control, right? Every day we could talk about another company that got hit with ransomware or someone that's paying it. And it seems to still be headline news. And what makes me laugh is that, you know, as an industry, I think
Starting point is 00:18:49 over the last few years, in this sort of real explosion of, um, InfoSec experts and professionals, is that we've all got opinions on how other departments should run, what other teams should be doing, and, like, how they should be tackling problems, and, like, why is it this simple? It's that simple. And yet we have a problem that is in our court. This is our domain, and no one's able to solve it. All the advice that we give marketing people about how they should market stuff, all the advice we give tech people about how they secure, no one's got a solution to how we should prevent ransomware, other than keep your systems patched. But then even then, with, for example, Kaseya, it's not even, you know, you pay professionals to patch your systems
Starting point is 00:19:32 and even they get hit with ransomware and then distribute it out to you. It's a massive problem. You're absolutely right. And hypocrisy really does show, because it's not even a broad problem. It's a technical security problem. It's not like it's a policy problem, procedural problem, or other people can't do it. And then on the other hand, when you walk the floors of a trade show, everyone's touting how they've got some really new fancy technology, yeah, AI, ML, whatever. They make it sound like they've got Jarvis that can protect you. And this is a problem that's been going for years now. Yeah, we're not getting any closer to solving it. No, no. But we're experts at shitting on other people. Yeah. Oh, nice one.
Starting point is 00:20:27 No, I enjoyed that one. No, thanks, Jav, for this week's... Billy Big Balls of the Week. Sketchy presenters, weak analysis of content and consistently average delivery, but they still won an award. Like and subscribe now. So let's head straight into this week's... Listen up! Rant of the Week. It's time for Mother F***ing Rage.
Starting point is 00:20:59 So this is one which I have got, and it is my beloved TikTok, and I guess with this Rant of the Week I went off on a tangent, believe it or not. I know, it happens often on TikTok, you going off on a tangent. I've never heard of it. It's one of those things, right? Obviously we are men of culture. Obviously Tom's not a TikTok aficionado, so he doesn't quite get the trends and where we go. And I heard a disturbing rumour that, you know, those people that we respected over at the Smashing Security podcast, they are not TikTok users either. And they're out there giving people advice and stuff.
Starting point is 00:21:35 Dinosaurs, they're just not used to keeping up with the times. I mean, that's why Tom and Graham get on so well, because Graham and Tom, they just talk about everything like, oh, if they just installed Dr. Solomon's, they wouldn't have ransomware. They've got no idea what's going on in the real world. It's just cheugy. So anyway, this is a story of a TikTok lawsuit,
Starting point is 00:21:59 which is highlighting how AI is screwing over voice actors. And this is the... So if you're not a TikTok user, there's a thing that people are doing at the moment. Well, I mean, it's been going on for a while, and it's to enable accessibility, right? And this is the thing, it is quite an inclusive platform. A lot of deaf people look at TikTok, or blind people look at TikTok as well, believe it or not. And so they're saying with this text-to-speech, they have this text-to-speech feature. Sorry, so you can, when you're
Starting point is 00:22:25 talking, it will automatically put the text on the screen, and vice versa. If you just want to type it, it will automatically play a voice. And it's quite a popular thing when you're narrating videos or trying to draw attention to something. And so this lawsuit is about a voice actress called Bev Standing, who's suing TikTok after she's alleging that TikTok were actually using her voice for its text-to-speech feature without compensation or consent. And parallels have been drawn to another case. So this isn't the first case something like this has happened. A voice actress called Susan Bennett discovered that the audio she recorded for another company was repurposed to be the voice of Siri after Apple launched the feature in 2011. She was paid for the initial recording session, but not for being Siri.
Starting point is 00:23:15 And similarly with Bev Standing, she's saying that she recorded this demo for a Chinese company, and she's not been compensated for that whole text-to-speech voice. Now, I get it, okay? I am annoyed that someone's been taken advantage of, right? A professional has done some work, they were misled into what they were doing, or their work was stolen or misappropriated. But on something like text-to-speech on TikTok, and there's a very clear distinction between the text-to-speech and Siri on Apple, whereas I think Siri actually sounds like a real person, but the text-to-speech feature on TikTok is very clearly a computer-generated voice. Yes. What sort of sample set did they get of her voice in order to create this whole library of words that it can create just by you typing?
Starting point is 00:24:08 At what point does it stop becoming her voice? And, you know, what's the scale for the type of, I guess, compensation she's looking for? You know, what would she think was fair for her voice? This is what I'm really struggling to get, you know, wound up about. I want to get annoyed about it, but I just can't find that, you know, that sort of crux of the issue. Yeah, that's the exact point. So, I mean, the lawsuit is basically saying that, you know, they didn't pay or notify her to use her likeness for its text-to-speech.
Starting point is 00:24:46 Some videos using her voice for foul and offensive language, which she claims causes irreparable harm to her reputation. And also brands advertising on TikTok had that text-to-speech function at their disposal, meaning that her voice could be used for commercial purposes. But again, like, maybe my ear's just not tuned to it. I would not be able to pick out her voice, you know, as a computer-generated voice. It's such a fine line, and what if they change the pitch by a few decibels or something? Does that make it not that person's
Starting point is 00:25:13 voice anymore as well? You have voice actors anyway who imitate other people's voices, and Morgan Freeman's a hugely popular one on Fiverr. Yeah. And so where do you stand on that? I completely agree. I think it's interesting, because this is more about where the future's all heading. Today it's just one person. Tomorrow you're going to get pictures of people or videos of them when they're younger. It's a bit like they had Tupac as a hologram, didn't they, once, performing on stage? That's a few years back. Yeah, yeah. But that kind of thing, if that technology becomes more accessible, which it will, then what's to stop people creating their own deepfake type of content online which features, you know, young people or whatever? It's challenging. Yeah, you know those chatbots that pop up on a screen
Starting point is 00:26:09 when you go to a website. They'll have one of those talking heads, you know, the likeness of someone. I mean, they can already do it with, you know, Snapchat and TikTok have that feature where you can point the camera at a normal photo and it'll animate it, right? So, like, the whole Hogwarts thing, like in the Harry Potter films, where the photo... So you can actually generate that artificially as it stands. Yeah, no, interesting. But the other thing, as I was, obviously, and this always happens when I go on
Starting point is 00:26:37 TikTok, right, I just go off on a tangent. I discovered something called TikTok Resumes. And I'll stick a link in the show notes. And this is, I think, slightly worrying me, in terms of, like, I always kind of think, right, I'm staying up to date with stuff. But this has really sort of caught me off guard. It's now, people are now publishing their resumes or CVs on TikTok, creating virtual videos. And obviously, you've got up to three minutes to get your message across. And I mean, it's tricky. There's some good examples of what people are doing so far, you know, the stuff they've done. A lot of media-savvy kids out there using this medium to sort of demonstrate why they would be a good hire for your company. And I feel that this one has completely passed me by. And so I am slightly worried that this is that point where I'm kind of no longer looking over my shoulder, but starting to look at this new generation overtake me.
Starting point is 00:27:36 So I guess this is what, you know, Tom felt like maybe sort of 40, 50 years ago. Yeah. You shared this story with me, and I thought, the first thought I had was, what an absolutely terrible idea. And then when I started to look at it, I saw a couple of examples and I thought, wow, this is so amazing. But I think you're right. I think there's two types of companies. There's types of companies that will accept these resumes, and they want that kind... And for those, these kinds of people who create these resumes are a good fit. I think that there's people who don't, who would never be a good fit in creating these or accepting these, and I think that's good as well. And I think just from that perspective, you
Starting point is 00:28:18 get quite a good cultural, um, mix in a way, as long as it's not used as a tool to discriminate against, which I think as humans is always a big challenge. But I actually think it's, in some ways, I can get a feeling of who someone is. They can quickly tell me what they're about, and in some ways it feels less laborious than looking over a CV. Yeah, it's that "tell me in your own words", you know, that sort of question, right? Tell me in your own words how you got to where you are, or, you know, what excites you. They can do this now, and they can add backing music, they can add green screen, they can do all kinds of, like, quick examples of other stuff they've worked on. Scary. I think, you know, this one is, it's different. I don't think any of our platforms, if I'm honest, at my company is ready to receive, you know, video
Starting point is 00:29:04 resumes just yet, or TikTok resumes just yet. But I mean, the day is coming. You heard it here first. If you were to apply for a security job with a video resume, what would you put in there? Let's see, three minutes. I'll definitely drop in a chorus from CISSP videos. I don't know. That's just it.
Starting point is 00:29:23 But it helps. I mean, you can look at it saying, oh, it's just lazy. Like, you know, these kids are just looking to get around, you know, creating a well-structured CV. But it's actually difficult. Like, you just put me on the spot there and said, like, what would I say? And I don't have an elevator pitch ready. You know, I mean, that's, you know, this really is essentially what that is, isn't it? It's that elevator pitch. And it answers the question when people say, yes, fluent in English or fluent in whatever language. How fluent? Like, you know, you're actually going to hear them speak it.
Starting point is 00:29:52 Yeah, I don't know. Worried about this one. I'm not worried. I think it's on the fringes for now, but it's probably going to be one of those things that we will see expand going forward to a degree, but I don't think it will completely overtake traditional forms. But I could be wrong. Yeah, we'll see. We'll reassess in 12 months' time. I could just imagine someone applying for a job at an Amazon warehouse and say, here's me packing 20 boxes in three minutes. Go! Yeah, gee, that's not... that'd be
Starting point is 00:30:26 just 20 boxes in three minutes? Get out of here. I think we need, uh, yeah, we're looking for someone who can do, like, 200 boxes in three minutes. Yeah. All right, that was this week's Rant of the Week. This is the Host Unknown Podcast, the couch potato of infosec broadcasting. So Andy, do you know what time it is? I do. As I look at my clock, I realise it is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry News. REvil Group demands $70 million for universal decryptor. Industry News.
Starting point is 00:31:18 Suspected cybercriminal Dr. Hex tracked down via phishing kit. Industry News. BA settles with data breach victims. Industry News. Official Formula One app hacked. Industry News. Biden administration cancels $10 billion JEDI contract. Industry News.
Starting point is 00:31:41 Over 170 scam cryptomining apps charge for non-existent services. Industry News. Regulator probes former health secretary's use of private email. Industry News. Trump sues Facebook, Google and Twitter. Industry News. New PrintNightmare patch can be bypassed. And that was this week's Industry News. Huge if true. Amazing. Yeah, I just love Trump trying to sue Facebook, Google and Twitter for allegedly violating his First Amendment right. Oh, is that what the case is? Okay. So I, um, the one that really caught me was the Biden administration cancelling that $10 billion JEDI contract. So this, uh, $10 billion JEDI cloud computing project was, the DoD gave the contract to Microsoft, like, a while ago, and I think it was, what, back in late 2019. And so it was, I mean, can you imagine
Starting point is 00:32:46 like, you're at Microsoft and you win a $10 billion contract, right? So everyone, like, you're going to start planning for stuff, right? You're thinking, right, we've got $10 billion, what do we need to get, how are we going to, you know, spend this money, we need to onboard, recruit, you know, whatever, manage this project. And then Amazon obviously launched a legal challenge against this because, you know, Jeff Bezos saw some money that he wasn't receiving. I thought, this money needs to come this direction. And I think, you know, Amazon basically claiming that that decision to award the contract to Microsoft was full of errors and basically the result of improper pressure from Trump. You know, they're actually stating or referencing a book
Starting point is 00:33:25 that reported that Trump had directed the Defense Department to screw Amazon out of that JEDI contract. So, you know, even as recently as, like, September, I know that the DoD did re-look at it and they said that, you know, Microsoft's admission was the best. But yeah, Amazon have managed to get their lawyers in there. And, you know, the whole thing's been axed until they can figure out how they're going to move forward. I think this can become a multi-cloud procurement, is the proposal.
Starting point is 00:33:55 But I mean, that's a massive amount of money to be chucking around. I'm surprised how once it's been agreed and handed out that, you know, Amazon and... And you can imagine that the lawyers on both sides of Amazon, Microsoft are just the real winners in this whole story. Yeah, they're gonna be the only people that, you know, earning money equivalent to those guys. And then the other story which caught my eye was, and it's so much, uh, not so much for its impact on what it is, but it's really, you know, this thing like everything old is new again, and like we're not inventing anything new. So you remember whole Trump's campaign about Hillary using her private email, you know, and all the scandal that went with that. And then, you know, half
Starting point is 00:34:41 the Trump family used their own personal email during his administration. Yes, yes. Um, but now the ICO has opened an official inquiry into the health secretary, or the former health secretary, Matt Hancock, who also used private email. And it's a case of, like, guys, if there's one thing that's happening out there that you should not be doing, right, just use your corporate email, right? This is where all the controls are. These are the official documents. We need to have transparency and accountability. Um, and I can only assume that people are deliberately doing it to get away with stuff that they don't want on the record. Yep, yep. No other reason. No other reason for it whatsoever. This day and age, it's so irresponsible when you've seen the impact it's had on other politicians like
Starting point is 00:35:34 Hillary, and, or like how WhatsApp messages being leaked when, when ministers are, like, colluding with each other. And was it Cummings released some screenshots about him and Boris Johnson the other week? That makes me, it's like, if any of us ever have a falling out, right, it's like everyone's going down. No one comes out of it looking good. No, no. The screenshots to ruin lives. Mutually assured destruction. Yeah. God, if Tom ever figures out how to screenshot, we're in trouble. Oh, man, that is massive trouble. Well, we're in enough trouble, the fact that any photos we send him
Starting point is 00:36:17 get uploaded to his iCloud and synchronized across his 30 Apple devices. How long ago was it when, when, you know, obviously it's a group chat that, you know, we'll send controversial content to as well, and so didn't he come, he sort of walked downstairs or something, he received something on WhatsApp, it automatically saved the photo, uploaded to his iCloud, and he kind of walked downstairs, went into the living room, and that picture was on his TV, his Apple TV, in the living room or something, wasn't it? That's right, his Apple TV was using his iCloud photo reel as the screensaver for the TV. That was a bad, bad, bad setup. Anyway, I think a few weeks later you were at the museum with your wife and your sister and your daughter, and so you weren't checking the messages, but they were getting downloaded into your photo reel, so
Starting point is 00:37:10 after you came out from the museum you're on the train showing your wife or your sister the photos, and you're scrolling through innocently, so you get, like, pictures... Oh, do you know what, my wife has since learned not to just go scrolling for photos, because some of the stuff that comes in, because I'll get, I'm in, like, various group chats, you know, when you open WhatsApp it downloads all the photos from the different chats. So I've actually started using Apple tags, you know how it identifies people based on their face and stuff, so if my kid ever wants to, like, old photos, I will specifically search by her name and then use that as a tag and not search anything else. But yeah, no, that's a risky, risky behaviour. I'm gonna tag every photo with your daughter's name when I send it to you.
Starting point is 00:37:57 Yeah, cheers for that, Jav. Really helpful. You're welcome. You're listening to the award-winning Host Unknown Podcast. Officially more entertaining than Smashing Security. In your face! So it's that time of the show. We'll head over to... Tweet of the Week. And because Tom likes to do it twice and it's now stuck in my head that I have to hear it twice. Tweet of the Week.
Starting point is 00:38:29 Excellent. Excellent. Yes, we do like to do it twice. Phrasing. We don't do it right. We do it twice. So there's actually two tweets here. The first one's just a short one, which is a funny one. It's by someone called Sherrod DeGrippo, who said: overheard in yesterday's team meeting, it's not supply chain unless it comes from the supply region of Ukraine, IMO. Yes, yes. Some good risk management going on there, with a bit of racism, but we won't go there. Anyway, the real tweet is by the legend who is Cory Doctorow, and he speaks about Gojek.
Starting point is 00:39:12 Gojek is a $10 billion Indonesian super app that combines Postmates, Apple Pay, Venmo, and Uber, serviced by an army of agile drivers who are subjected to all the high-handed algorithmic horrors that gig workers everywhere suffer through. And there's a link to a Vice story, there's a long Twitter thread that we'll post into the notes. Basically, uh, gig economy is everywhere, and ever since the lockdown everyone's gotten really used to delivering, having their food delivered to them. Yeah.
Starting point is 00:39:50 You can't drive past any McDonald's without seeing, like, a budget Hell's Angel on a moped hanging outside or waiting on their phones, waiting for a delivery to come through so they can go in, get your Fish Fillet meal and come deliver it to you while it's still warm. But in Indonesia, that has obviously taken off as well, but there's little parking space available, and the weather's really bad in Jakarta a lot of the time. It could be warm one minute, pouring down with rain the next, and there's nowhere really for the bike riders to hang out. And all of them, actually, they figured out that the algorithm favours them if they're right in the centre, or as close to the coordinates of that McDonald's or whatever place it is, and then they get preference on the order. So they started using a GPS spoofing app, so instead of waiting next to the McDonald's or in the car park or positioning themselves right in the centre,
Starting point is 00:40:51 they'll go wait under a bridge across the road in the dry, and they will use a spoofing app to make it look like their GPS, that they are sat right in McDonald's, so they get preference for whenever an order comes in. And this isn't the only thing. There are a whole host of other features that have cropped up in this grey economy to make it easier. There were some issues with the text being too small, so they'd magnify certain parts. So it says, this is the order, here's it coming from, here's it going to, this is the value of it. There's even some automation in there. So you can automatically accept certain orders or decline certain orders if it's too far from you or what have you. So there's a massive, massive grey area that's cropped up. And some of these apps have more than
Starting point is 00:41:41 half a million downloads on the Google Play store. And a lot of this just started off because apps, they have some glitches or what have you, and a lot of the drivers, they needed help with some of the glitches or malfunctions. And there was a few that were a bit more tech savvy, and they started helping each other out with technical support. And they became known as IT Jalanan, or IT off the road, and they created a form of localised tech support that was easier to access than the official app support. Brilliant. IT champions. Exactly. So this by now, and this is a whole grey market there,
Starting point is 00:42:21 but it's actually helped a lot of these gig workers. It's made their lives easier or more bearable. And it makes me think, is this what the algorithm wars that we keep on talking about, AI attacking AI? Is this what it looks like? It's like people gaming the system. So, you know, using one technique over the other just to stick it to the man, saying, well, oh, Uber, you want me to
Starting point is 00:42:45 abide by these rules, but haha, screw you, my algorithm is going to make you think that I'm playing by the rules, but I'm slightly bending them. Not to make it illegal or break stuff, but just to make things a bit easier for everyone. Yeah, so I guess this is one that I'm trying to think of the negativities, because you're right. I mean, you know, the weather is changeable in some regions. It's just absolute downpour. And when they're on these bikes, you know, it's not great to be sitting there and just get absolutely drenched. And I'm guessing that, like, all these delivery companies have a light. Says he's outside, but then Uber, you know, that driver then takes 15 minutes to pick up that
Starting point is 00:43:26 delivery and then, you know, takes an hour to deliver it. He's clearly, like, not in the region, or, you know, do you mean, it's like, I feel like these platforms have the data to know whether someone's taking liberties or if they are, you know, stuck in genuine traffic or something like that, and I think that they will then punish that person accordingly. Because, you know, just because you're outside it doesn't mean that you'll automatically get it, right? It's going to be a pool of people, you know, and the one with the highest rating, for example, may get it if it's not a round robin. So, like, to me this is, like, one of those harmless enhancements, maybe. Like, I don't know. Yeah, I'm trying to think
Starting point is 00:44:06 where, you know, where it's a real, like, is it a material problem? No, I think you're right. I think as long as it's just used to enhance the experience. So this is, like, because this is some developer sitting in Silicon Valley, probably, or India, or someone who's never been to that region, who's not familiar with the local customs and traditions. They've designed something based on their own reality, and what these people are doing, from what I understand, is they've just tailored it so that it provides features that are more in line with their own reality, so that it's just more convenient. So, and I'm all for that. I think that's perfectly fine. Obviously, I think if you start using it for scams or, you know, what have you, then that becomes a
Starting point is 00:44:54 problem. Or like an Uber, if, you know, one of the safety features is that the driver has to follow the set path that's on their app, and if they deviate from it, you as the passenger will get a message saying the driver's taking the wrong route, do you approve or disapprove of it, or what have you. Yeah, I guess the other thing is, obviously, if you and me were competitors to these, uh, you know, to these delivery, you know, we could, like, spoof stuff sitting here in the UK and say, yeah, yeah, we'll be right outside, and then obviously never show up or deliver anything. That's right. So I think there are sort of limits, but I... that they can go wrong, but generally speaking, this warms my heart. I know in the terms
Starting point is 00:45:42 and conditions and things that you sign up to, it'll probably be illegal to do so. Yes. But, you know, it's people, you know, gaming... they're not even gaming this. I mean, gaming the system sounds a bit underhandish. It's not that. I think it's just tweaking it to work, tweaking it, enhancing it, getting it better and being more efficient. And I'm all for that. And I think this is where we need to be more open in how things are designed and used and why. Because these apps are everywhere and everyone relies on them so much. And there should be some flexibility there, or at least some QA done to make sure that they fit everyone's reality. I mean, who's ever heard of a project pushing ahead without speaking to the users, right?
Starting point is 00:46:27 I know. Unheard of. Unheard of. Brilliant. Thank you for that, Jav. That was this week's Tweet of the Week. And so we draw to a close, dear listeners. How did it go without Tom?
Starting point is 00:46:39 Do you think it's organised? Is this show published on a Friday? I don't know. That's, uh, who knows, right? The time now is, uh, 2 p.m. on Friday afternoon, uh, so we'll figure out how long it took to edit and publish. I'll catch when it goes out. Brilliant. No, I've really enjoyed this, Andy. This has been super cool. We should do this more often. Feels more agile and relaxed and youthful. You don't have to tone stuff down. You can talk about TikTok because everyone understands it.
Starting point is 00:47:13 Exactly. You can make wrestling references. Exactly. In fact, Tom should just spin off, do his own spin-off. Call it Tom Chat or something like that. I don't think his own company wanted that one. Awkward. Okay, so I would say thank you, sir, for your time this week. No, no, no, thank you. You were far better than Tom, and you can be my wingman anytime. Stay secure, my friend. Oh, you had to go there. You've been listening to The Host Unknown Podcast.
Starting point is 00:47:47 If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. R slash smashing security. How did that go? Yeah, it was fantastic. We should have another whip round, right? And we would just pay for Tom to stay off next week as well
Starting point is 00:48:06 Yeah, definitely We can just keep a percentage off the top Yeah, I think we've got enough money We've received enough money for what He can take the month off Yeah, yeah I see he's sent us a picture of him Enjoying breakfast with his mum
Starting point is 00:48:22 Stop!