The Host Unknown Podcast - Episode 64 - He's Baaaaaack!
Episode Date: July 16, 2021

This week in Infosec (10:28)
With content liberated from the "today in infosec" Twitter account

14th July 1998: Ethereal was first released publicly as version 0.2.0. Its creator, Gerald Combs, thought it was cool that Bob Metcalfe named Ethernet after luminiferous ether so he picked a name beginning with ether. Since 2006 the network protocol analyzer has been known as Wireshark.
https://twitter.com/todayininfosec/status/1415384753713340417

11th July 2013: In the wake of revelations about the NSA's PRISM program, Jeff Moss (aka The Dark Tangent) asked feds not to attend DEF CON - the first time government employees were asked to stay away.
https://twitter.com/todayininfosec/status/1414330928537686021

Billy Big Balls of the Week (17:39)
Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting
https://www.zdnet.com/article/thousands-of-ps4s-seized-in-ukraine-in-illegal-cryptocurrency-mining-sting/

Tweet of the Week (27:57)
FURY! at ICO doing their job for once.
The ICO is robustly investigating the data leak of hidden camera footage of former Health Secretary Matt Hancock breaking his own isolation and distancing rules.
https://www.theregister.com/2021/07/15/ico_matt_hancock_raids/
https://metro.co.uk/2021/07/15/houses-raided-by-cops-in-hunt-for-matt-hancock-kissing-leaker-14934920/
https://apple.news/AqkfgpuvFTd--l-z_bZRRmw

Industry News (42:35)
Too many workers are still falling victim to phishing attacks
Remote workers battle against a massive range of distractions
Ransomware groups are looking for new recruits with solid negotiation skills
SolarWinds rolls out another emergency patch as new attack vector emerges
Almost half of companies do not have a proper security policy in place
Employees in the dark over the importance of new digital technologies
UK businesses are spending big on security, but drowning in false positives
Traditional ransomware defenses are failing businesses
Almost half of businesses reported to ICO since GDPR came into effect

Rant of the Week (50:40)
Facebook adds 'expert' feature to groups
Facebook is rolling out a way to designate topic "experts" inside user-run Facebook groups. The social network says the new feature is designed to help real experts "stand out" in discussions about their field of expertise. Group admins will have the power to give the title to nearly any member they want.

Incidental Music: "The Box" © Charlie Langford

Come on! Like and bloody well subscribe!
Transcript
Speaking of the 80s and, well, 90s and, I don't know, 2000s, Britney Spears is, her case is ongoing. And other than the case, I saw an article that a man was stuck at 10,000 Free Britney shirts because he tried to make money off the case.
No, he's stuck with it. Yeah.
And I immediately thought of you, Andy. I thought, this is something Andy would do. Is that you, mate?
No, no, I would not attempt to profit from that type of thing, but I will... Funny enough, like, when I was younger I did have a thing for Britney, as I'm sure many, many people did. And one time, like, this was back in the early days of, there's a site called QXL, like "quick sell" it's supposed to be pronounced, but everyone just said QXL. It's like the original eBay, or, you know, the first competitor to eBay. It's like a competitive type site, and there's this auctioneer house that went on there and used to auction off a lot of their stuff, but they were like a genuine house, you know. This was their online version of doing things. They didn't have a website.
And there was this signed Britney poster and like, you know, some other stuff that went with it.
And so I wanted to buy it.
And I thought I was like the only one that was trying to buy it.
Obviously, because back then, not many people were online doing this sort of stuff.
And then it turns out a friend of mine was actually trying to buy it for my birthday.
And we ended up competing against each other, unbeknownst to each other.
And I ended up paying well over the odds for this poster,
which I still have to this day.
All because someone was trying to do a nice thing for me.
You're listening to the Host Unknown Podcast.
He's back.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us.
And welcome back to The Real, The Original,
and the only one you really want to listen to,
the Host Unknown podcast, episode 64.
Gentlemen, how are we?
How was it without me for that week?
Bliss.
I mean, yeah, it was, sorry, let me think about it.
Yeah, do you want to take this one?
You know, it's just like, you know, if you've been backpacking for a week or a month and then you finally get home, or to a nice hotel you can afford, and you just... it's like linen bedsheets, like silk. It's just smooth, it feels like you're floating. That's how I like to describe myself.
Yeah.
Yes, yes.
It's not like that at all then?
No, that's what it was like last week. Now we're out backpacking again.
Yeah, now we're wearing the hair shirts again.
So how was your week off, Tom? What did you get up to?
That's very good. I went for a walk with a friend and we went to, in Bristol, like a pop-up donut place. So I went and ate myself into a sugar coma.
Awesome.
Yeah, I didn't get anything in the post.
You don't want a donut in the post, mate.
Not a euphemism.
It goes hard.
Not a euphemism.
That's what?
Yeah, yeah.
But, well, next time you're down,
maybe we could do a sort of roving podcasting in the streets or something.
We can go and get these donuts between the three of us
and go and find a cafe and do the podcast from there.
Yeah, or live from Cheddar Gorge.
Why not do that?
Oh, yes.
So why would you go to Cheddar Gorge instead of a donut place?
Well, we take the donuts with us, obviously.
It's more about atmospheric, isn't it?
Yeah, well, I mean, so's a Nero's, but, you know.
Anyway, Jav, how are you?
Very good, thanks. A bit sore because, not a euphemism, but over the weekend my mum and one of my daughters, we decided to go up to the Scottish Highlands for a bit of a break. It was really nice. Got on the Hogwarts Express and everything, and went for some scenic walks. And we were in the town of Fort William, under the shade of Ben Nevis, the highest peak, the highest mountain in the UK. And we saw people coming and going there, and we thought, how hard can it be? It's just a little walk, isn't it? It's only like 1,400 metres above sea level, when you start pretty much at sea level. The average person, they say, takes about four hours to go up there. Really fit people, like the people that win the Ben Race every year, they do it in 90 minutes, up and back again.
Jesus.
So we said, yeah, sure, why not? Put on our hiking boots,
grab some hiking sticks and start walking up it.
You took your mother up there
My mother beat me and my daughter
To the peak by 45 minutes
No lie
She's in her mid 60s
And she's still an OG. She's a gangster.
She made it up there
Honestly, if it wasn't for her, I'm pretty sure me and my daughter would have, like, after two hours we would have turned back. But we knew that if we turned back now we'll never hear the end of it, so we ploughed on.
Did somebody tell her there was like a masala chai shop at the top?
No, she was like fully prepared.
She gave it, you know, all of us like enough like water bottles
and oranges and everything in our backpacks and what have you.
And we were off.
And she got to the top 45 minutes before us.
We got up there in six hours.
She was just over five hours.
And presumably she was dressed properly rather than in the jeans and trainers that you were probably sporting?
I was in jeans and trainers, and very quickly I realised that was a big mistake. It wasn't trainers, I did have like high, you know, ankle support shoes on, like hiking shoes, but ankle support shoes.
That sounds like a medical...
I know, I know, but, you know, the jeans were terrible. They've got no stretch in them. No, it's like, and you're sweating in them, so they stick to your legs. It was not a pretty time, let's put it that way. But I'm glad we done it. It's something we're all immensely glad we done, and none of us want to do again.
Yeah, you very well put some big effort into it, you know. How long did it take you to get down?
Six hours again.
Seriously?
Because there's not like a lift at the top that you can just say, right...
I know, right? A zip line. Put a zip line on there.
45-minute zip line.
Yeah.
A 45-minute zip line.
I have been falling for 45 minutes.
But actually, on the drive back, I just off the whip, I said,
why don't the three generations of Maliks do the three peaks challenge?
Obviously not in 24 hours, but let's try to go to Snowdon next.
And then the third one ending.
Did you get thrown out of the car at that point?
Yeah, my daughter was like, you've got to take another one of the kids with you.
You can't take me.
Serve my time.
So, Andy, how about you?
Nothing anywhere near as exciting as that. Just, you know, the usual, holding down the fort, working my backside off. Someone's got to pay for this show.
Someone's got to pay for this show? I don't know, I don't know who you're thinking that might be.
I don't know, I found this card, Mr T. Langford or something.
Good, I'm just feeling that, but I assume, I assume my bill's gonna come sometime. Hasn't yet, but I'm sure it will.
Yeah, oh dear. Well, I mean, talking to that, we have to actually, well, I have to actually thank a couple of members of my family, most namely my mother and my aunt, because they're the ones that you can thank for my absence last week.
And we thank them too.
Yeah, yeah, absolutely, absolutely. Did they feel a bit short-changed that they paid for your day off and you spent it in a donut shop in Bristol with some other friends?
Friends? Oh no, it's, you know, there's, there's...
Oh, shut up, you.
Well, last night, changing the subject completely, last night I made my first ever batch of banana bread.
Well, what did you do in the original lockdown if you didn't make banana bread?
Well, I certainly didn't make any kind of bread in the original lockdown.
I think I took it as some kind of a holiday.
But, yeah, so I tried two different recipes because I had four bananas
and the recipe only calls for two.
So I decided to make two different types.
And I thought, it's not about the recipe.
So I made two identical mixtures, except one I did normally by hand.
The other one I shoved in the NutriBullet and whizzed it.
And yeah, now I know why you don't make banana bread with a NutriBullet.
Amateur.
But it does taste lovely, even though it will stick to your ribs if it gets that far.
It's very thick and very solid.
What have we got coming up for you today?
This week in InfoSec is all about
the old pre-Wireshark days
and how not to get invited to DEF CON.
Billy Big Balls tells us where
all those old Sony PS4s actually disappeared to.
The badly labelled Tweet of the Week sees
Fury at the ICO actually doing its job for once. Industry News brings us the latest and
greatest news stories from around the world, only this time from our temp news agency,
would you believe? And finally, Rant of the Week just goes to show that there really is
an expert hiding inside all of us, at least
according to Facebook. Let's move straight on, shall we, now to one of our favourite
segments of the show. This week in InfoSec.
It's that part of the show. We're going to do a drive-by InfoSec memory lane today. So imagine you were technical, just for a minute. Like, you've got to think outside the box here. You need to analyse network traffic and you bust out your network diagnostic toolkit, you know, your favourite hacking utility belt. What is your go-to network protocol analyser?
Why, a shock sniffer.
Indeed. So it was a mere 28 years ago, on the 14th of July 1998, Ethereal was first released publicly as version 0.2.0. And its creator, Gerald Combs, thought it was a cool name that Bob Metcalfe had come up with, you know, when he named Ethernet. So he picked a name beginning with Ether as well. And so Ethereum was born. And it wasn't until 2006 that the network protocol analyser was renamed, and it's now known as Wireshark.
Oh, I was joking.
I didn't realize Ethereum became Wireshark.
Yeah, yeah.
And so, I mean, we used to have the debate whether it was "ethereal" or "ethereal", you know, how it's pronounced. So that's clearly the reason they renamed it to Wireshark. But now, yeah, so now Wireshark is, it's probably known as, what's 26, uh, 2006, you know, my maths isn't great.
Yeah.
So it's been known as Wireshark for longer than it was known as Ethereal.
15 years.
15 years it's been known as Wireshark, and only eight years it was known as Ethereal. But yes, the very same tool was released this week 28 years ago.
I remember on two occasions downloading Wireshark and thinking, I need to know more about this, you know, networking stuff.
And then going googly-eyed as all the numbers went past your eyes.
Yeah, I think I'll just pay someone to do this.
But it is good, especially in the earlier days when communications weren't encrypted
and you're getting like clear text going through the logs.
Yeah, yeah.
So, yeah, arguably the most common network if you're around. And the next story is practically yesterday, as we talk about this week in InfoSec. It was a mere eight years ago, on the 11th of July 2013, in the wake of revelations about the NSA's PRISM program, Jeff Moss, aka The Dark Tangent, asked feds not to attend DEF CON, the first time government employees were asked to stay away. And so just a recap that, you know, PRISM, the stories about PRISM came out after, you know, June of that same year, 2013. A private contractor that was working for Booz Allen leaked classified presentation slides that sort of gave the detailed existence of PRISM, which is, you know, the mechanism that allowed the government to collect data from companies like Microsoft, Google, Apple, Yahoo, and a whole host of others, by the NSA.
And just for a bonus point, do you recall who that private contractor was at Booz Allen?
It was not Snowden, was it?
It was Edward Snowden, a then 29-year-old intelligence contractor,
formerly employed by the NSA,
CIA and Booz Allen.
He actually confessed responsibility for leaking those documents, revealing himself on the 9th of June of that same year, saying that he didn't want to live in a society that does those types of things.
Yeah.
So now he lives in Russia.
A huge irony.
Yeah, hopefully he'll be allowed back one day, you know.
God, yeah. But that whole thing in, you know, DEF CON about, you know, Spot the Fed and all that sort of thing, it's quite, you know, and it's a game at the end of the day. It's a good-natured game and all that sort of stuff. But to actually suggest that they don't turn up at all...
Yeah, well, all I can imagine is that they turned up in, you know, even higher numbers, because, you know, "don't turn up"? Why don't you want us to turn up? What are you going to talk about, you know?
Well, themselves even more.
Yeah, because what is that, there was this whole period, the early days of Spot the Fed, because they were just curious as to what these crazy punks are doing. And then DEF CON became more mainstream and mature. And then, you know, Spot the Fed was less of a game
and it was just accepted that they're there.
And then this happened.
And then it wasn't even stay away.
It was just like, let's take a break.
The way it was worded, if I remember correctly,
it sounded almost like a teenager trying to break up from his girlfriend.
It was really weirdly, it was weasel word.
It was just to appease the masses,
but without alienating the feds too much.
And then he had like, that was it,
General Keith Alexander was a keynote at DEFCON as well
around that time.
That's right, yeah, yeah.
And yeah, it's just words, isn't it?
It's nothing's ever going to happen. Like, you know that the feds are never going to face any consequences for the illegal wiretapping or erosion of human rights or anything like that. And Jeff Moss, you know, making a token statement, it never really changed anything.
Feeling cynical today, Jav?
Yeah, well, no, but, you know, to be honest though, I mean, you know, the feds at DEF CON, least of my worries. It's the dicks at DEF CON that really...
Yes, the real big problems.
Yeah, you know, feds and me, we go back a long way. From the time I reached the airport, I know they're looking after me. They've got their eye on me. Nothing's going to happen to me.
Oh, dear.
Excellent.
So short one this week, Andy.
Short one.
It was a drive by InfoSec memory lane, not a stroll down.
Do you know what?
Maybe if I'd listened to what you said, I'd have worked that bit out.
This week in InfoServe.
Very, very good.
So, Jav, since you're feeling very, very cynical, it would seem,
why don't we move straight on now to your segment?
InfoServe.
So, it's not entirely a security-related story, but I thought this was a very, very interesting one. So cryptocurrency is the big thing. It's the shiny hotness in the criminal underworld, the seedy underbelly of the cyber realm.
Sorry, do you just refer to it as the new thing?
It's the current trend, isn't it?
It's the shiny hotness.
It's cryptocurrency.
AI is the shiny hotness.
Crypto and Bitcoin.
God, that's like so last five years ago, dude.
I'm trying to think when Silk Road shut down.
Yeah.
Dude, when I'm involved in something, it's definitely not new and shiny,
and I've got cryptocurrency.
Exactly.
I've got Dogecoin.
Yeah, it's mainstream.
It's not bright and shiny.
It's mainstream.
So anyway, apart from us just undermining entirely your story there.
Well, I don't think that's the full story.
Cryptocurrency mining is basically like having your own mint
where you can print your own money.
But it is difficult to do.
It's expensive and costs a lot of money.
So people actually invest a lot in setting up their own mining rigs
with powerful computers, processors, graphics cards, the whole works.
Sometimes they spend more money in building these rigs
and it consumes more electricity than the actual
currency they end up mining. So it's not a very good business model to get into.
It reminds me of many of Andy's business ventures, actually.
But those t-shirts are not going to sell themselves, you know.
No, those chocolate teapots were a great idea. Sold five to some American tourists.
In Ukraine, our good friends in Ukraine, the Ukraine Secret Service, said that in the city of Vinnytsia they exposed and documented, and this is interesting, a large-scale electricity theft. So what happened is there was an old warehouse that belonged to an electricity company. And what the criminals done, they broke into the warehouse, and it was just abandoned, derelict, and they saw they still had electricity there. So they rigged up their PlayStation 4s. When I say PlayStation 4s, there was about 3,800 of these PlayStation 4s.
Wow, that's a hell of a deathmatch, I guess.
Yeah, over 500 graphics cards, 50 processors, notebooks, phones, flash drives, and they had it all rigged up in this warehouse to mine cryptocurrency.
Wow.
The monthly, early estimates say that they estimate about 250,000 a month in electricity was being stolen.
Well, how much were they mining, though? I mean, how much are they actually getting for it?
I don't know how much they were making, but, well, I mean, obviously that part fluctuates, but I think the key thing is that, you know, it's free. Yeah, you're mining, you know, at less cost than everyone else.
So the PlayStation 4s have pretty powerful processors in them, yeah, you know, which is why they're, right, you know, they're great for...
Yeah.
Sony should pick up on this story and say they could have done this with just
one PS five.
Yeah.
But yeah,
if they didn't mind waiting six months to get one.
Exactly.
Exactly.
So it's not the first time actually this happened.
So a couple of years ago in China, there was an oil field, and they had some oil mines, oil wells, sorry. And there was some machinery there used to maintain them, and they were just left there. And what a local person done, he actually hot-wired some electricity from there. And it was difficult to run, obviously, a big cable through the field, so he dug it underground. And then there were some lakes and ponds nearby, so he actually hid the cables in the fish ponds and lakes, and ran the cable to the other side of the field where there's a little shed, and he had his old setup over there. And even that time, they found it quite quickly, but even at that time, they thought that he stole at least $7,000 in electricity.
It was a much smaller setup.
And I think this is, and I tried to find the story for this,
and I can't find it anywhere, but I heard this many years ago,
before the days of the internet.
There was something a bit like Ceefax, but it was a bit of an interactive service. I can't remember what it's called, but it predates me. Tom probably remembers it. Maybe it was Ceefax. But the Royal Family had it, and you could go on there and you could, you know, put in stuff like reminders or a schedule or something. And some people were able to hack into it, and they saw some messages on it, what have you. And this is before the Computer Crime Act or Computer Misuse Act. So they found the people, they arrested them, and they didn't know what to charge them for. And they ended up charging them for theft of electricity, because when they connected in, the device spun up and consumed more electricity than it would have otherwise.
Yeah.
And that's what they actually nailed them on, because it was the Royal Family. And I thought it was really interesting: from those humble beginnings, now we have wholesale theft of electricity going on to mine cryptocurrency.
Yeah, it wasn't Minitel, was it, or something like that?
It might have been Minitel, yes, yes.
Really big in France. They loved that thing. Everybody had, like, well, instead of a home computer, because it was before that, they had like these little terminals that you could type in and out. And I'm sure it was like a Ceefax type thing.
Yes, that's probably what it is.
We'll look it up.
Otherwise, I'm sure one of our avid listeners will message you
to tell me how I'm wrong again, Tom.
Yeah, maybe we'll get a Q-tip.
You never know.
You never know.
You never know.
Q, if you're listening.
If you're listening, of course you're listening,
send us your Q tip on whether it was Minitel or something like that
because you'd know.
You'd know.
Even though you're only 27, you'd definitely know.
Yeah.
Excellent.
Thank you.
Thank you, Jav.
That was a fascinating.
Billy Big Balls of the Week.
Billy Big Balls of the Week.
Are you not entertained?
What?
The judges were.
You're listening to Europe's most entertaining content.
Bro, what are you talking about, man?
The Host Unknown Podcast.
Europe's most entertaining content, don't forget that.
Oh, and by the way, I've just been looking at the stats, gents,
for last week's show.
Didn't do very well.
Didn't do very well.
I think that tells you something, right?
It was, I think it's come out in the last five episodes.
It's fourth of the last five episodes.
Do you know why?
It's because we didn't release it until late on Friday.
It's a special one for the hardcore.
Do you know why?
You've got this generic stuff where you're here,
the generic listeners can get it.
We'll release it early on a Friday.
If you want the real cult following, the people that are here for the cause, you know.
So when you say cult, you mean hardly anybody likes it or watches it or listens to it, but they will, you know, fight you to the death about it?
Yeah, they'll complain about it.
So look, the only reason our figures are low is because your mum didn't listen to it last week.
I must admit, you did have me worried at some point.
Where was it?
Day two, you had me worried.
It was like, oh, my God, they're going to surpass it.
But no.
You're listening to the Host Unknown Podcast.
Bubblegum for the brain.
So, yeah, you did have me worried at some point during the week, but now, you know, it's tailed off a little bit.
And frankly, the episodes 62 and 63,
the ones that were masterfully edited and managed by myself,
just raced ahead.
So, yeah, folks, you get what you pay for, you know.
Pay money, get something that might be perfect,
but it just isn't quite as good, you know.
It may be perfect, but it just quite isn't as good.
You're right.
Yeah, that's how it works.
You know, perfect is the enemy of good enough.
So you're saying you're just good enough and me and Andy were perfect. Yeah, absolutely.
But it's my rough edges that bring them rolling in.
Anyway, anyway, I think we should move swiftly on to,
and I'm just playing around here.
Tweet of the week.
Yeah, and we always play it twice.
A tradition I noticed you did do last week.
Thank you.
Tweet of the week.
So this one is me.
Tweet of the week.
I'm not quite sure why this is a tweet.
So I think maybe we should just call it a...
Listen up!
Rant of the week.
It's time for mother f***ing rage.
But with a tweet on top.
Tweet of the week. So this was, Fury was the headline that I read, saw it on Twitter. I did see it on Twitter, but saw it from, I think it was the Sun, of all places, but it didn't take much research to find it elsewhere, including the Register.
But Fury, in capital letters with an exclamation mark, possibly more than one as well, at the ICO for their heavy-handed techniques or tactics in the investigation of the Matt Hancock kissing leaker affair.
And this I just find amazing.
You know, fury at the ICO doing their job for once,
because as we all know, the ICO has not been the most effective of our sort of national regulators here.
But they seem to have, probably under political pressure, no doubt,
but they seem to have upped the ante here.
As you may recall, some weeks back, our then Health Secretary, Matt Hancock, was caught in a passionate embrace with someone other than his wife, caught on camera, and that said footage was leaked to the newspapers.
And Mr. Hancock has subsequently separated from his wife
and from the government by standing down from his job.
Now, obviously, the fury was around the fact that the footage was taken
at a time when there was supposed to be bubbles in place
and no contact and all that sort of stuff.
And it was seen as extremely hypocritical that he would then, in his own offices,
where they're supposed to be maintaining distance from co-workers, etc.,
be caught snogging someone who is on his team.
And the footage was released and he subsequently lost his job.
All very good.
It's one of the very few things that I agree with Dominic Cummings on about Mr.
Hancock's ability to do his job with the NHS.
But the fury, it seems, is that whilst it's OK
for his extramarital affairs to be exposed on camera and shared,
the fury is that actually the ICO have been seen to come in
with their Stasi-like bully boy tactics,
I think was the quote that was used, in the investigation of the data leak.
And I find this really quite amazing because this is not just a one-dimensional issue.
This isn't just about the health secretary being hypocritical, etc.
There was a leak of camera footage and potential audio from inside Parliament from, as it turns out, a camera installed in a smoke alarm, to a British newspaper, which is, of course, of national concern. Now, many ministers have subsequently had their offices swept for cameras and bugs, etc., because it's caused a little bit of consternation within Parliament as to what else is going on. And so I find it amazing that people think that this is a perfectly normal
and acceptable thing to happen and that there should be no investigation
as a result when somebody has quite clearly stolen confidential data
that should have been deleted after 30 days, apparently.
It was removed.
But should it have been deleted after 30 days?
Or is it a case they keep recording for a minimum of 30 days?
What I read was the sort of facilities company in question
had a contract to maintain this data for 30 days
and then it should be deleted.
As I understand it, you know, so who knows
because we're all on the outside looking in here
just trying to get what we can.
So yes, there's probably questions to be asked there as well.
But nonetheless, this should have been deleted data, but it was removed from Parliament and handed to the newspapers. So the interesting part here is the handing of it to the newspapers was done, in inverted commas, "in the national interest", but the fact that it was capable of being removed in the first place is of huge concern. In fact, the ICO have involved the police.
They've raided houses and taken computer equipment
and all that sort of thing.
And this is seen as, as I said, Stasi-like behaviour,
you know, heavy-handed bully boy tactics.
Yeah, absolutely.
No, what, seriously?
Yes.
Why?
You keep calling it a leak.
This is actually a perfectly legitimate whistleblowing activity taking place.
And the people who are blowing the whistle should be afforded whistleblower protection.
Well, maybe they have been.
Maybe they have.
The outrage isn't so much at, well, some of it is at the heavy-handed approach, but it's the disproportionate approach.
And there are people who have lost loved ones and they couldn't even go and give them a final hug before they died because of people like Matt Cockhan, who said, no, we need social distancing and this, that, the other.
And people will never get those final few moments
with their loved ones back again. And they had to, at, you know, so many people working in hospitals, they said, like, you know, they begged, and maybe a nurse put them on a video call, and that was the last time they saw them.
I think you're diluting the issue.
No, this absolute tosspot of a waste of blood and organs that basically makes up most of the Tory party.
They think that there's one rule for them and one rule for everyone else.
And then they use the police to their own benefit to put into these investigations when
there are so many bigger issues at play out there.
There are bigger issues, yes, because what's to stop this happening when there is a sensitive Cobra meeting?
What's to stop this from happening when there are other activities being discussed that really need to be done behind closed doors in the interest of national security?
And this is the government that wants to put an end to end-to-end encryption for the masses.
But this is not the issue that we're talking about.
You're diverting.
You're whatabouting at the moment.
I'm not whatabouting.
You are.
You're just saying, what about end-to-end encryption?
This is what the government's trying to do.
That's not the questioning.
You're overly simplifying what the outrage is about.
And that's not what the outrage is about.
The outrage is about this entire government and their hypocrisy.
That's what the outrage is about.
It's not just about one thing.
It's about the entirety of it all.
And I know your Tory colours are showing now,
but, you know, it's not like that at all.
And this is a very, very dangerous path we're heading down.
And I feel genuinely concerned for the future of this nation and the privacy and the security of its citizens, and the privacy and the security of the country as a whole.
You are, you're changing the conversation from the actual illegal exfiltration of this data from a parliamentary building.
Whistleblowing.
Whistleblowing, well, whistleblowing, whatever. That's absolutely fine. And there is a fine line between the two.
Absolutely. And there are different ways.
Where do you stand? Like, just to interrupt this, stop your children from squabbling. Where do you stand on what Snowden did?
Whistleblowing or theft?
Whistleblowing.
Tom?
I think it was, it's a very close call,
but I think it was ultimately theft.
It's a close call.
Let's refer to the third umpire to review on the video footage. No, I think it is very close. It's a difficult distinction to make.
It was in the public interest to get someone like Matt Hancock out of the government because he is, as you say, a waste of blood and organs, etc.
But the fact is, it was done in a way that actually puts in question the security of the government as a whole, and not just Tory government but all parties.
It's a bit embarrassing for the government, to be honest. It's embarrassing for Parliament as a whole.
People have been bugging their offices.
Yeah, exactly, exactly. That's what it looks like. And that's the question here, is the fact that has this surveillance been done illegally? Has it actually been done? You know, I think it's justified. Zero sympathy. I'm actually, I'm kind of siding with Jav on this.
Yeah, but I do see this more as whistleblowing.
You say zero sympathy, but sympathy for who? For the government?
Well, okay, okay, let's put it this way. But this is not, this is not a party issue.
This is not a party issue. No, no, no.
What do you think about Dominic Cummings leaking or sharing screenshots of WhatsApp chats with him and Boris Johnson?
Well, what the fuck are they doing it on WhatsApp anyway?
It doesn't matter. It doesn't matter. The fact is that he leaked those for an agenda. Now, should he be investigated to the same degree? Because that could be seen as covert surveillance.
That was not, those were not official government channels.
And this CCTV footage wasn't an official government channel either.
It was done in an official government building.
Well, they could have been sat in official government buildings while chatting on WhatsApp.
They could have been, but they also could not have been.
This is not about the government.
This is not about the Tories or whatever.
This is about the broader issue of national security.
That's what this is at.
I'm not trying to make this into an emotional issue of the NHS or whatever.
I think Hancock got exactly what he deserved here.
But does it not concern you that parties unknown can either install and/or extract sensitive information from the parliament with impunity?
I think the bigger question, the bigger concern is parties unknown can install and withdraw political leaders in Western countries.
What? No, you're whatabouting again.
You are whatabouting again and you didn't answer the question.
Are you not concerned with the fact that footage like this, and, you know, in this case it was about an extramarital affair and hypocritical behaviour of the highest order, but it may well be about other stuff, such as, who knows, troop locations or security codes, and, you know, access to nuclear or critical national infrastructure, or discussions around issues and around pandemic responses at a much higher level than just bloody Hancock? Are you not concerned that that data can be exfiltrated?
And that is where I was starting.
No, no, no.
What you started with is that people are in uproar.
And why are they being in uproar for?
They're stupid for being angry at the disproportionate response by the ICO.
I didn't say they were stupid.
I said they were angry and I didn't understand it
because actually there is a bigger picture here
of data being exfiltrated from parliamentary buildings
in an illegal manner.
And frankly, how long has this been going on for?
What else has been removed?
So do you know what this is?
This is basically the government version of a data breach,
you know, a big security incident.
So now hopefully their security team will get the investment
they've been asking for over the last five years.
I think that's right.
Because now it's impacted them and they can see what the fallout is.
And they're doing a root cause analysis to work out exactly what's going on
and where it went wrong.
They take security very seriously.
Absolutely. Completely agree.
Well, maybe they should put Dido Harding in charge of security for the police.
Exactly, yeah.
They really want someone who's competent to run this investigation.
Send in Inspector Harding.
At least we'll know that the government will be protected from sequential attacks.
So anyway, Jav, with your faux outrage, that's appalling.
But you should be ashamed of yourself.
And that was this week's...
Andy.
Yes.
What time is it?
Is it time for Jav to go and take his Valium?
Well, do you know what?
It was that time of the show where we head over to our InfoSec PA newswire,
but they've gone AWOL.
What?
Yeah.
So instead, we've had to call in a temp agency
who has been busy bringing us the latest and greatest security news from around the globe.
I don't know how good they are.
Do you know what?
It all went downhill when our Stig left.
Yeah, it did.
Come back, Stig.
All is forgiven.
Industry news.
Too many workers are still falling victim to phishing attacks.
In the Stream News.
Remote workers battle against a massive range of distractions.
In the Stream News.
Ransomware groups are looking for new recruits with solid negotiation skills.
In the Stream News.
SolarWinds rolls out another emergency patch as new attack vector emerges
Almost half of companies do not have proper security policy in place
Employees in the dark over the importance of new digital technologies
UK businesses are spending big on security, but drowning in false positives.
Traditional ransomware defences are failing businesses.
Almost half of businesses reported to ICOs since GDPR came into effect.
And that was this week's...
Huge. Huge if true. Huge if true. There we had, we had, you know, businesses reported to ICO, yeah, since GDPR came out. Almost half of businesses reported. That literally half of every business in the UK has been reported to the ICO. Half of every business.
So that half over there, not this department, but that half over there.
Well, it's funny you say that.
They actually say, they state that majority of those are self-reported cases,
which I think is one of the positives that came out of GDPR is, you know,
companies.
Companies are fearful.
Yeah. Yeah.
Yeah, well, pretty much, yeah.
They just want to make sure that they're covering their backsides.
Yeah.
Yeah, that's true.
Well, they did say that, what was it, May 25th or something like that
was when it came into play.
Or no, 27th, that's right.
And I think they said that everybody should just proactively report to the ICO on May 24th just to make sure that they were covered when it came into place.
Oh dear. I, I really like the story about the headline. It says traditional ransomware defences are failing businesses. What traditional defences are we talking about, and when have they ever worked? And do we have non-traditional defences? I don't know.
Well, I think this is, to be fair, this is that thing, you know, all the controls that we have. You know, people go and say, right, primitive defences, your anti-malware, you know, you do all of this stuff and it's a mitigation, right,
but people think they're secure.
They say, well, we've got a firewall.
We're behind 10 proxies.
Why are all of our files encrypted?
Yeah, that's right.
I don't think the industry's evolved in terms of this new threat. And I don't think we've come out with anything specific.
You say this new threat.
It's not a new threat, though.
That's the thing.
1989 was the first one.
Yeah, okay.
So it's not a threat.
Why is it still such a massive problem?
I know.
Yeah, I know.
I know.
Well, I think it's a couple of things, isn't it?
The one is Bitcoin.
Oh, that new thing.
Yeah.
Well, over time, what was it, 2013 was when the first Bitcoin payment was accepted. You can tell I've done a talk on this, right?
Okay, all right, keep going. I'm gonna check that.
Yeah, I'm just making this, I'm pretty sure it's, it's close to that time.
Just say you're making it up as you go along, so we know.
Yeah, that's how you roll. Yeah.
So Bitcoin Pizza Day is 2010.
Yes, that was, yeah.
But the first time it was used for ransomware.
Oh, okay.
Right.
Gotcha.
Yeah.
So, and then you've got, you know, asymmetric encryption,
which makes it harder to crack.
And then you've got the whole, you know, encryption, sorry,
ransomware as a service happening.
So the actual concept is, has been there for years.
It's just the sheer volume, I think, which has changed.
And the fact that, you know, people are using it, you know,
or I don't want to say nation states, but nation state, how can I put it?
Protected organizations are using this
and a lot of people are being caught
in the splash damage, as it were.
There's a lot of collateral damage
from what are ostensibly targeted attacks.
But of course, by its very nature,
it spreads really quickly.
So yeah, what concerns me more
is actually what's coming next.
What's next year's thing going to be?
Why does it need to be like this is still profitable?
Why do we need something new?
Yeah, well, because there will be something, you know,
they'll find that insurance companies will stop paying
or won't be paying quite so much.
They'll find that, you know, Bitcoin is becoming more easily traceable.
And, you know, therefore they're at greater risk of being found.
So there's going to be a move on to something else.
Yeah, I think, yeah, maybe we've still got another couple of years left in this.
I thought this would have been dead and buried years ago.
Well, it's those other things, you know, like Bitcoin, for instance, that have, that have made it, you know, profitable again, basically.
Yeah, well, what's happened is, like, nowadays what you're seeing is there's almost half, or if not more, of the revenues isn't coming from the actual ransomware of the organization. It's the payment they take for extorting them right after they've stolen data. So, like, pay us money so we don't reveal it. And I was reading this analysis, and I think they looked at some groups, but they say in the next couple of years the majority of their income will come from that and not from the actual ransomware itself, because organizations are getting better at backups or restoring, and being more resilient. So I think that that's, that remains the problem. Like the UK government, like exfiltration of data by unknown parties over unknown periods of time. I think that's the real, the real challenge. And the more we share information, and data generation is really on the rise, and cloud databases make it really easy to just save everything for a long period of time. I think records management is going to be a major, well, it has been a majorly overlooked sort of discipline for a long time, but I think that's, that's an area where organizations really need to focus on.
But you make a good point about the money being in the blackmail of the, you know, of the data, and the fact that we'll release your data, etc. Back in the, you know, back in the days of DAT and DLT, right, you couldn't encrypt an offline backup, whereas now it's all in the cloud.
That's why you had to secure your offline backup.
Exactly, exactly.
Whereas now because it's on the cloud, it's all on disk somewhere,
it's all available, those backups can be encrypted.
So any company that does its backups onto a DAT or a DLT
is going to be unaffected by that particular tactic.
Mind you, I don't know if you can buy DAT or DLT drives anymore.
It's like if you run Windows NT4,
you're safe from any USB attacks because it didn't support it.
Yeah, you're safe from USB attacks.
I don't know about all the others, though.
Baby steps, man.
Baby steps. Oh, man.
Right. Oh, I know.
Sketchy presenters, weak analysis of content and consistently average delivery. Like and subscribe now.
Listen up. Rant of the Week. It's time to mother rage.
So this started, yeah, again, I know we're having a double Rant of the Week. Well, this is a ranty episode, right? Remember, what's that, Ghostbusters 2, where everyone's arguing and it's about the slime that's under the city?
Right? Yes. That's what this week's episode is like. There's some sort of slime going around,
so everyone's just ranting about stuff.
So this, I'm sure, is supposed to be a Billy Big Balls,
but it's going to be a rant instead.
So everyone's favourite social media platform, obviously Facebook,
is rolling out a feature which is going to allow group admins to designate topic experts inside their own sort of like user-run Facebook groups. So Facebook says this new feature is designed to help real experts stand out in discussions about their field of expertise, right? So, you know, if you see these comments, you know, something shows up in your feed or someone else is joining, and you can actually, actually, this person's an expert in the field. You know, they're obviously authoritative on this. So, you know, what they say must be, must be great. So it sounds like a good idea, right? You now know who the authorities are.
Well, how do they determine who the experts are and who gets that designation?
All right. Group admins determine who the experts are.
And so they have the power to dispose this title of, you know, expert on any group member they want.
So if you think, you know, you go into your, like, conspiracy theory groups or, you know, your anti-vax groups and that kind of thing, it's up to the group admin to determine who the experts are and then just give them that title. And I'm pretty sure that most of these groups can be run by people who, you know, maybe, let's say, probably not necessarily sharing the same views as I guess we would share on this podcast, right? So, you know, if we went into an anti-vax group and you start spouting, you know, if an actual doctor decides to give some evidence and say, well, actually, statistically, these are the lab trials that we did with the, you know, $2 billion worth of research funding that we had over this seven-year period.
And then you've got some guy sitting in his trailer in the Outback somewhere saying,
well, that's bollocks because my cousin got this jab and all his hair fell out.
So it's bad.
And if it's his group, he designates himself as the expert, right?
And so everyone else that sees can say, well, this doctor doesn't know what he's talking about, but, oh, Billy Bob Joe, he knows exactly what's in this jab. And, yes, I mean, to me this is just like, Facebook, what are you doing? Like, all you're doing is now legitimizing or, you know, giving that sort of signal. You know, normally you'd see moderators will hold this tag
or, you know, some sort of self-regulated groups,
you know, like Reddit and things like that,
where it's sort of regulated by the community.
You'd see the moderators generally step in,
in line with what people, you know,
with the majority of people want.
But, you know, when you get these sort of closed groups where, you know, QAnon, like I say, anti-vax is a big thing at the moment, like, you know, this whole COVID, it's a hoax, etc., and that sort of stuff, you know, this stuff can appear in your feed and it's going to have this type of tag as if experts are speaking on the matter. But, you know, to the general layperson that comes across this information and then believes it, you know, they're going to feel like, you know, well, there's an expert that said that this is true. You know, don't believe everything you read in the media. You know, they're just trying to control you for their own good. So, to me, this is a terrible idea, because all Facebook are doing is just giving this sort of visual signal that the craziest person in the room potentially should be listened to.
Well, we put up with Jav in here, in fairness.
Yeah, yeah. To be fair, this is like the blue checkmark that Twitter gives. It's kind of like that, but, you know,
so you had like Trump on there with a blue checkmark
for the longest period of time.
All that said was that Trump was Trump, though, right?
Yeah, yeah.
And I think that the worst thing about this
is the use of the word expert.
If they'd called it anything else, like high contributor or valued member or, you know, moderator's pet, anything like that, I think it would have been better. But the word expert is deliberately misleading. It's, and, and to Andy's point, Facebook, I haven't been on Facebook for many years now, but it's just a cesspool of some of the, you know, the shallow end of the gene pool in some of these groups.
So, yeah, I can't see how anything good will come from this.
It's a hive of scum and villainy.
That's been complimentary towards them.
I know.
But, you know, we say this and we rant about this. What do we expect from Facebook and Zuckerberg? It is just a hive of scum and villainy at the end of the day. They have absolutely no idea what they're doing. It's purely about trying to get advertising revenue out of people, and you get, you get more advertising revenue out of sadly deluded people than you do out of people that actually feel a bit more in control of their lives.
Yeah, then it's, it's a, yeah. And for them it's good business, right? The more they can encourage people to debate. You know, if you get sucked into this, you know, what's the old saying? Don't feed the trolls. Yeah, it's, you know, unfortunately there's people on Facebook that can't resist. You know, they will argue until they're blue in the face. And I'm grateful, you know, sometimes there are those, you know, with genuine expertise that try and dispel all these myths and rumors, not that it gets them very far, but, but they are trying to keep up that fight.
Yeah, very, very disappointing, but totally not unexpected from Facebook, unfortunately.
Yeah.
Well, that's a cheery note to end this week's Rant of the Week.
So, wow, we swing round to the end of the show already.
Gentlemen, thank you very much for your time, effort, diligence,
and even your contributions.
You're welcome, as always.
You know you like a good whipping every now and then, Tom.
Welcome you back to the episode in style.
I don't know.
I don't know why I put up with it.
Jav, thank you very much indeed for this week's show.
I do hope you have a lovely weekend.
Oh, my God.
You're being overly nice to me.
That means you're really seething.
I'm going to wake up next to a horse's head, aren't I?
Now, that's no way to talk about Mrs Malick.
Oh, you son of a bitch.
No, sorry. Apologies, the Dutch's lady.
I didn't mean it like that.
You know what I meant.
Thank you very much, sir.
Stay secure, my friend.
Stay secure. You've been
listening to the Host Unknown Podcast.
If you enjoyed what you
heard, comment and subscribe.
If you hated it, please leave your
best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
Can I take next week off as well?
Goddamn.
Please do.
Do you guys need to hug it out?
No, I'm not hugging him.
He might have a camera installed somewhere.
And then claim it's in the national interest or something.
And claim whistleblower rights.
Of course it is.
You know,
throw something, whatever it hits,
call it the target.