The Host Unknown Podcast - Episode 65 - It's Too Hot

Episode Date: July 23, 2021

This Week in InfoSec (08:10)
With content liberated from the "today in infosec" twitter account

16th July 2001: Russian programmer Dmitry Sklyarov was arrested the day after DEF CON for writing software to decrypt Adobe's e-book format. Charges against him were later dropped and the trial against his employer resulted in not guilty verdicts. United States v. Elcom Ltd.
https://twitter.com/todayininfosec/status/1416188118655459329

15th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats".
Weak Passwords Banned from Hotmail
https://twitter.com/todayininfosec/status/1414330928537686021

Rant of the Week (24:29)
Majority of Britons convinced their phones and smart speakers are listening without being prompted.

Billy Big Balls of the Week (33:48)
Accuracy at any cost? Gamer leaks British military secrets to company founded in Russia to prove its tank model is wrong

Industry News (43:05)
- Amnesty International and French media protection org claim massive misuse of NSO spyware
- US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach
- Verified: UK.gov launching plans for yet another digital identity scheme
- Northern Train's ticketing system out to lunch as ransomware attack shuts down servers
- Journo who went to prison for 2 years for breaking US cyber-security law is jailed again
- Spanish cops cuff Brit bloke accused of playing role in 2020 celeb Twitter hijacking
- NSO Group 'will no longer be responding to inquiries' about misuse of its software
- China pushes back against Exchange attack sponsorship claims
- Thales launches payment card with onboard fingerprint scanner

Tweet of the Week (48:26)
Tennessee Man Died After He Was 'Swatted' by People Targeting His Twitter Handle
https://twitter.com/ThomLangford/status/1416690928354463744
Police forces in Brazil celebrating a thief's 18th birthday because they can't arrest anyone under 18

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 well I was going to say you know two weeks ago I did interview Jav to see whether he was a suitable co-host and this week it's your turn to be interviewed ah right well well you know like I said last week and you know and I'll say again this week it's you know that episode with just him was the lowest uh lowest listened to episode for a while statistics don't lie you're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us and welcome to what is it episode 65 this is uh um this is the too hot episode yeah i'm looking forward to four episodes time i'm sure we can have a lot of fun with that one but um yeah it's got it is just too hot isn't it it is ridiculous yes absolutely melting here been and well fortunately
Starting point is 00:01:03 i mean the weather's going to break, right? We're going to be taking a break from it for the next few days. Storms are coming. The summer is over. Exactly. It's going to break apparently tomorrow, which is when I'm going to be helping with someone photographing a wedding that has apparently been rescheduled three times already and they managed to pick the the day after two weeks of the best weather that it's likely to
Starting point is 00:01:30 rain so i i can't even begin to imagine how that must feel but yeah we're sweltering i think you know iphones are going into panic mode heat panic mode at the drop of a hat and you know you know it's bad when the iphones are falling over right absolutely well and this is the i speak to colleagues in arizona and you know they ask what the temperature is and i say so you know it's like 32 degrees and they just kind of laugh and chuckle yeah and it's yeah okay yeah but they laugh and chuckle from their air-conditioned rooms you know and their air-conditioned homes i was this close to buying an aircon unit this week yeah i looked at it and it was like can i get away with this in
Starting point is 00:02:11 the house for those three days a year i need it yeah that's what i was saying that to somebody the other day it's like you get to this point and you think right i am not going to get caught out next year i'm going to i'm going to buy an air conditioning unit i'm going to get one for this room and that room and blah blah blah and then the heat stops and then you say right let's get look at that air conditioning unit five grand i'm not paying five grand for an air conditioning unit it's not that hot now anyway um and rinse and repeat every uh every year after that really it yeah, it just simply isn't worth it. But, yeah, so what have you been doing this week, Andy, apart from sweating, I would imagine?
Starting point is 00:02:51 So I actually learned a lot about wasps this week. Oh, no. Yes. Did they, through your broadband connection, by any chance? No. So I, I mean, I've dealt with wasp nests in the past, right? They've been up in the loft before, like in the previous house as well. And I'm normally like, you know, I wrap myself up.
Starting point is 00:03:11 I will get the hoover and like a lot of bug spray. And I'll just take care of it like face to face. So the last couple of weeks at nighttime, while I've been like watching TV, I've heard this kind of almost like a purring noise. And I thought it was coming from outside. No, I kid you not. You can look it up on YouTube, like what a wasp's nest sounds like at night time.
Starting point is 00:03:35 And this purring noise was starting to become more frequent every night. And it was going on for longer. And yeah, it turns out that noise is the worker wasp like um regurgitating the wood that they gather from the day or whatever and building the nest and wow yeah and i thought because i thought it was coming from outside the window really it was actually coming from inside the wall um between the internal and external wall and uh yeah so i started like really banging on the wall like you know one o'clock in the morning really sort of like banging and kicking it every time i heard
Starting point is 00:04:09 this purring there's such inconsiderate wasps inconsiderate wasps i know you know but yeah i heard this uh this buzzing noise and um yeah it went outside so there's like this vent thing uh really old vent like really low down on the wall outside, and that's where they've been getting in and out. And then I actually started noticing the wasps coming in and out, and I was like, wow. So how long have they been? A good couple of weeks. But yeah, I called some guys out who came and took care of it. He just sort of said, look, I advise you to keep your windows shut
Starting point is 00:04:40 for the next two hours. It's going to get a bit crazy around here. And yeah, I looked at the old wing camera on the outside after they had sprayed and uh it really was crazy as the wasps uh were they flying around and then and then getting to the front of the camera and screaming at the camera oh the be manatee of it all and they were banging on the window as well funny enough like flying into the window to try and get there. Please, please, I have children. Oh my God. I also have images of these guys
Starting point is 00:05:14 coming up with a huge kettle that they pour the hot water down. Well, that's how I'd normally deal with it, right? If it was something low enough. Or, you know, in the old house, I don't like knock it off the, knock it off the side of the house into a bucket of hot water.
Starting point is 00:05:29 Yeah, yeah. Knock it off the side of the house. Jesus. I mean, you see that on YouTube, you know, people are like trying to catch, you know, very big spiders or trying to knock a wasp nest out
Starting point is 00:05:41 and, you know, just clipping it or something and then ending up with the wasp nest on their head or whatever. It's like, Jesus, you know, I know we take the mickey out of you for getting people to cut, you know, trim your hedges and stuff, but blimey, I, I, I wouldn't mess around. I did, I did go on a walkabout once with a gamekeeper. Cause my grandfather used to run a pheasant shoot up in Shropshire.
Starting point is 00:06:02 Of course, I expect nothing less for your time. Of course, of course. Although I was expecting you to say, like, wild game there for a minute, like, you know, some rare lions or something. That's the one we don't talk about. Oh, right, OK, that's the taboo one. That was the eccentric granddad.
Starting point is 00:06:22 But, yeah, walking around with this gamekeeper, and, you know know gamekeepers are hard bastards anyway right and uh i think his name and mac that's right mac was his name he's walking around in you know in shorts and a t-shirt and whatever and um he had to get rid of this wasp's nest so he he just got a bunch of this goop you know anti-wasp goop or whatever it was scooped some up into his hands walked into the you know into the undergrowth found the wasp goop or whatever it was scooped some up into his hand walked into the you know into the undergrowth found the wasp nest shoved his hand you know into the middle of the wasp nest to daub it around the inside of this thing you know and then walked out i'm like and you know me is
Starting point is 00:06:56 like sort of 16 or whatever going ah wasps wasps you know it's like oh my god you know and this guy was just like brushing stings off him you know it's like jeez yeah God. And this guy was just brushing stings off him. Jeez. I don't know how people do that. I'm impressed. I'm impressed by that sort of thing. So what have we got coming up for you today? Well, this week in InfoSec brings us another DEF CON related story.
Starting point is 00:07:23 It's almost like DEF CON is coming up. Billy Big Balls shows how an attention to detail can end up with you being put behind bars. Industry News brings us the latest and greatest news stories from around the world, only this time, again, from our temp news agency. Rant of the Week asks the real question we should all be asking ourselves.
Starting point is 00:07:47 Do the walls have ears? And finally, Tweet of the Week brings us a new angle on freedom all the way from the land of Murica. So shall we, let's move straight on, shall we, in the great spirit of things and onto our favourite part of the show, the part we like to call... This Week in InfoSec. See, I'm not sure if I love it because of the content or because of the wholly original sound
Starting point is 00:08:27 that you put together for that one yeah i know i know it's great right but it's hard to tell it's it's it's the fact that we can use royalty-free music like this and know that we're not kind of imitating or copying anyone exactly royalty-free baby it's out there uh so this is that part of the show where we take a stroll down infosec memory lane with content liberated from the today and infosec twitter account so our first memory takes us back a mere 20 years to the 16th of July 2001 when Russian programmer Dmitry Skylarov was arrested the day after DEF CON and he was arrested for writing software to decrypt Adobe's ebook format and although charges against him were later dropped it was actually actually quite an interesting case. So it became known as the United States versus Elcom Limited,
Starting point is 00:09:30 and Elcom, a.k.a. Elcom Soft, who are well known for producing sort of password recovery kits and forensic analysis tools, you know, really easily usable for non-technical people as well. And so, I mean, this was a case that blew up right in 20 years ago uh so skylar of uh i might just call him dimitri because you know i'm struggling with that name uh he was arrested um the day after giving his a talk at defcon which was titled ebook security theory and practice um and his whole presentation sort of delivered this
Starting point is 00:10:07 message saying how adobe was careless violated the rights of authors by using a security system that was unapproved by professional cryptologists and basically applying these restrictions to what was then you know 20 years ago a fast-growing electronic books market um and so his that seems a little bit that seems a little bit odd he's one he's saying that um by using poor standards he they're not representing the authors but on the flip side they're saying but they're also restricting the authors is that what they're saying uh well not so much yeah so adobe were anything that they were putting through their market you know they were adding these drm restrictions uh yeah i got a few of those books from back then back on the the days remember the compact ipac and yes uh the the
Starting point is 00:10:59 burgeoning windows pc market and all that sort of stuff yeah so i bought a bunch of those books and i've still got them somewhere. And you couldn't open them on other devices? No, exactly. I could only ever read them on a tiny low resolution screen. Well, at least by today's standard. Anyways, it was amazing at the time. But yeah, I remember only getting halfway through the books
Starting point is 00:11:19 and then getting rid of the iPack and then realizing I couldn't read them. You couldn't finish it. And that was, I guess, ultimately the crux of what went on here. So although it was 16th of July, all of this stuff, actually, the wheels were set in motion a few weeks prior to this. So on the 22nd of June, 2001, Alchemsoft hosted a press release announcing this new software program called Advanced Ebook Processor.
Starting point is 00:11:43 announcing this new software program called Advanced Ebook Processor. And it basically removed the encryption coding from Adobe Acrobat PDF files and Adobe Ebook Reader software. So it let users make backup copies of ebooks that were protected with passwords, any sort of needed security plugins, various DRM that was in there, which made you able to read these protected, formerly protected PDFs with any PDF viewer without plug-ins. So you weren't just limited to using Adobe. So it made it, to your point,
Starting point is 00:12:17 it made it easier to decrypt these e-books because people wanted, at the time, to load them onto their Palm Pilots and other, like your iPhone said, like the other... The Palm Pilots. Well, exactly., like your iPhone. The Palm Pilots. Well, exactly. I mean, these were like godsends, right? For those who travel.
Starting point is 00:12:30 Love the Palm Pilot. The handwriting on the Palm Pilot was actually really good. Yeah. Total segue, sorry. But, you know, total segue. But this is always a trip down memory lane. Do you know what? It makes me want to go and see if I can pick up another Palm Pilot from eBay.
Starting point is 00:12:50 I have to say. I think it would be one of those. I do wonder whether it's one of those things that's best confined to nostalgia. Like, you know, you don't really want to see it because if I recall, it took about 40 minutes to boot up anyway, right?
Starting point is 00:13:04 You wanted to check your diary so okay yeah hold on a minute right let's go and get another drink while my diary loads up yeah connectivity was not wonderful on them no well you had to sync it didn't you it wasn't uh yeah the early versions weren't even over the over the air it was actually connected to your laptop well yeah that's right that's right. And then I remember... Yes. Oh, my God, the cradle. With the synchronization button. Yeah.
Starting point is 00:13:29 And it was a serial port, wasn't it? It was a serial port connector. Only the fancy ones that came along later had a USB port. So you could spot the execs as to who had a cradle on their desk. Yeah. It wasn't just about an office. And as I recall, Thinkpad did them as well ibm before they sold the brand they the ibm ones because that's i i had some of the 3com ones
Starting point is 00:13:53 and then the thinkpad ones came when i was at pwc and then uh i got involved in a pilot which allowed you to connect your little mini thinkpad to uh a nokia 6310 um okay you know it's a choice back then absolutely and you know to get your mail but oh oh my god i now i now i want to get not only i mean palm pilot i want to get a 6310 and just to see what oh god play with those this is going to cost me a fortune this episode um so i mean yeah so obviously this whole the removal of this protection it allowed you to like annotate pdfs as well so they're really useful features right um so anyway all this these wheels were set in motion at the time so adobe then updated like a week later adobe updated its software to prevent the um you know outcome Elcomsoft software from working, that whole sort of cat and mouse
Starting point is 00:14:49 thing that we see. So Elcomsoft then released a new version, which again, you know, circumvented Adobe's protections. And in parallel, Adobe met with the FBI. And a week after that meeting, the FBI filed an affidavit with the Northern District Court of California. It wasn't a copyright violation. This is the great thing. I'll come back to you and tell you exactly what it was about. About the ability to circumvent protection. It was the DMCA. DMCA? Yeah, the Digital Millennium Copyright Act.
Starting point is 00:15:24 It was the Copyright Act, yeah, but they weren't going... They were going for... It wasn't actually about the copyright violation. They were going about providing tools that can circumvent copyright. Yeah, so it was a very... Yeah. You know, like, it was very legal, you know, sort of... Well, these were early days of this sort of thing as well.
Starting point is 00:15:44 It was. Even 2001. And this was one of the first cases tested. Yeah, this was one days of this sort of thing as well. It was. Even 2001. This was one of the first cases tested. Yeah, this was one of the first cases tested. Yeah, that's right. So, yeah, so Dimitri, you know, when he was getting ready to check out of his hotel after giving his talk in Vegas,
Starting point is 00:15:56 he was arrested by the FBI, held without bail. And what's really important about this one is that one of the selling points at the time, according to Alchemsoft's website, was the ability to make backup copies of this electronic software or documents, which was actually required by Russian law, where the software was developed and sold initially. initially so you know it was really sort of interesting adobe like to their surprise did not realize how much of a national outcry this would cause um there are actual protest marches as well over um dimitri's arrest my god really yeah yeah and then the eff electronic frontier foundation got involved um at which point Adobe requested Dimitri be released and they wouldn't be pressing charges themselves. But despite Adobe's willingness to back down, the DOJ actually continued to press on with
Starting point is 00:16:54 its own prosecution. And this is where it all sort of comes down to it, because it's not illegal in Russia for programmers to develop circumvention software. But U.S. prosecutors argued that because he was on american soil the federal government had authority to establish jurisdiction um i mean the whole thing turned into a complete cluster right and yeah ultimately the u.s government agreed to drop all charges against skylar of provided he testified at a trial against his company so he was permitted to return to Russia um on you know later that year um but then on the 17th December the following
Starting point is 00:17:35 year there was a two-week trial in uh California um and the federal jury found Elkhornsov not guilty on all charges under the DMCA that the US side has been against them. I mean, you have to have these cases in order to sort of help... To establish a... Flex and establish law and all that sort of thing. But it does feel like such a waste of time and effort for something that feels, you know,
Starting point is 00:18:01 like it's stretching the credibility of the law to its very limits it did feel like an yeah but sometimes you need to do it yeah and this was uh like as you say the early days of the dmca but it actually raised all the concerns that you know the individual being prosecuted for active activities are actually fully legal in the country where they occurred yeah that's right so it's you know breaking a doing an activity in the country um that is not against the law and then traveling to a country where it is and then getting arrested for it wow i mean at that basic level surely they could have seen that it was not in their interest to do that, but obviously it's not quite so good.
Starting point is 00:18:49 Trying to establish a new, you know, the DMCA trying to establish a base on it so they could use for future cases. Right. You've got to get that one ruling to go in your favor. Yeah. Yeah, that's right. And then that will establish the future, but blimey. It's a bad case to choose. Yeah, I'd not heard of this case particularly, but I had heard of the overarching furore, if you know what I mean.
Starting point is 00:19:15 Yeah. So I remember this one because he got arrested. Yeah, he got arrested. Yeah, I was actually late coming back from DEFCON, and it was like a joke at the time whether I got arrested because there's a story about someone... As well, yeah. ...at a hotel.
Starting point is 00:19:32 Yeah, as well. But, yeah, no, I was having a great time in Vegas. So was Dimitri until the day he tried to leave. Yes, poor old... What's his name? Marcus Wanakwai, I forget his surname. He was also arrested at Vegas, wasn't he?
Starting point is 00:19:52 It's actually a bad idea to go to Vegas, people. It is. Even if you don't believe it's illegal, there's a chance you can get arrested. Which I am no longer going to Vegas. I heard an echo there. What? What?
Starting point is 00:20:06 Oh, my God. Seriously, dude? Are you turning up now? How long have you been recording for? You are an hour and a quarter late. Wow. You know, I thought the clocks changed last night. In which case, you're 15 minutes late.
Starting point is 00:20:26 I'm 15 minutes late? Oh, OK. I apologise for being too late. Oh, sorry. No, the clocks did change. You're two and a quarter hours late. So I assume I've just missed the good morning, good afternoon, good evening. How are you all doing?
Starting point is 00:20:40 Yeah, we're halfway through this week in InfoSec. We're about to do the second story, which was only 10 years ago. And the account actually, I'll correct the website, the account actually stated this was 18th of July. But fact-checking this story, because that's what I'm doing, it actually came out on the 15th of July, 2011. So that's mere 10 years ago, plus a week.
Starting point is 00:21:04 Microsoft Hotmail announced that it would be banning very common passwords, such as 123456 and ilovecats to be used to secure their accounts. You'd think more companies would be doing
Starting point is 00:21:20 stuff like this now, wouldn't you? They'd be loading up you know, effectively a basic rainbow table, right? You know? Yeah. But yeah, yeah. And this is why I thought it was a good one, like I say, 10 years ago.
Starting point is 00:21:39 You know, Microsoft was doing... That's actually quite a forward-looking move in hindsight, isn't it? You know, that's it and we're still not seeing companies do this now so that's quite impressive excellent well thank you Andy for
Starting point is 00:21:56 this week in InfoCirc so Jav how was it last night in InfoServe. So, Jav, how was it last night? What's the ditch like that you've just woken up in? So, no, so, I was up in Birmingham for a...
Starting point is 00:22:16 You drank the wrong drink, didn't you? Yeah, I thought it was a monster energy drink. It was something else. You sound dreadful i literally rolled out of bed like thinking it was like that scene from back to the future where he waits something he's like oh shit duck i'm late for school and he's jumping over hedges and like skateboarding on the back of hanging on to the back of I just literally
Starting point is 00:22:49 rolled out of bed, looked at the clock and I was like oh crap and I ran downstairs and did you run really or did you jog? jog? I think you probably fell have you seen those penguins on the Discovery Channel? Not too dissimilar to that.
Starting point is 00:23:11 Was that the drunk penguin episode? Yes. Oh, my goodness. Well, you know, well, we've got stories already dished out, so you might have to just, you know, I'll tell you what, you can do Tweeter the week later. How's that? Yeah, sure. i'm here to add value to our listeners it's only for our beloved listeners that i showed up i don't care about you two as you know but you know i know the listeners would be severely bitterly disappointed and i'm sorry
Starting point is 00:23:42 i wasn't here with you from the beginning you love them so much that you just can't be asked to turn up for an hour and a quarter. Oh, dear me. Oh, man. I'm so glad I woke up whilst having the worst nightmare. What? Was the nightmare that you were late for your own podcast? No. No, I woke up and I thought, well, I had a dream that I came to the back of my office,
Starting point is 00:24:07 like my whole garage had been broken into overnight and everything had been taken. So I came to the back and it looked exactly like it was in my dream, except it wasn't robbed. It was just me being a messy slob. Yeah, exactly. Exactly. Oh dear. Right. Oh, dear. Right, let's move swiftly on here. I think it's time now for... Listen up!
Starting point is 00:24:32 Rant of the Week. It's time for Mother F***ing Rage. So this one is on me. This is actually a story that ran just late last week. It was about the journalist was basically asking the question, are our online devices, are our phones, smart speakers, et cetera, listening without us being prompted? And it turns out that something like 70-odd plus percent of Britons actually are convinced their phones and smart speakers are listening into us without us being prompted. Now, that's all well and good.
Starting point is 00:25:15 The thing that gets me here, though, is I'm kind of amazed that, well, one, that this is a story in in a sense but also the fact that some of the people seem quite so upset by it um we are buying these devices and um buying them quite cheaply i mean let's face it an alexa you can get for like 30 quid now um and in wondering why it's so cheap and how it's so good at knowing it knowing what we want and when we want it without realizing actually they're they're they're there because they're they're listening into us and uh selling our data on because that's what the uh what the product is it's a bit like smart tvs when you buy a large sort of, you know, 40 inch TV for 200 quid, basically most of that money goes into the cardboard that the thing is packed into because the cost of the TV is being subsidized by the data that it's gathering on you. So we didn't we know that this was occurring
Starting point is 00:26:21 before, like the various ways that you can actually, not just iPhones, but all phones can listen to you. I think we did as a sort of industry and a set of security professionals. I think what's interesting here though is that that's now shifting and the general population is now a lot more aware that this sort of thing can happen, which I think is a good thing in a sense.
Starting point is 00:26:48 But, you know, goodness me, it's taken long enough for people to work that out. You know, oh, I was just talking about, I don't know, rucksacks just the other day in my kitchen and then, you know, in front of my Alexa and then I go onto Amazon and it's, it's suggesting, you know, brand new rucksacks to me. It's like, God, you know, you've got to put, it's, it's, it's, you know, it's amazing that you're not realizing this when, you know, all you have to do is shout out Alexa and she's already listening to you and recording. And these devices are known for, you know, taking these recordings and sending them off to, you know, phoning the recordings back to base
Starting point is 00:27:33 without any kind of permission to do so as such. It's only, you know, even now, only, for instance, Apple devices are starting to process that speech on device and not send anything out until you tell it to. So, yeah, it's a fascinating subject in a sense. But I do find it frustrating that, one, the fact that we're still talking about this one, this should have been known for such a long time. Such a long time such a long time indeed and i think um you know the only way that we're going to um uh force this and make this actually far more apparent is for you know governmental regulation to force that kind of
Starting point is 00:28:20 transparency and to make sure that these manufacturers are very open and honest about this tradeoff that's going on between the cost of a device and the data that it's selling as a result. And being much more transparent about it rather than just bearing it deep in the small print of a, you know, a hundred page end user license agreement. So yeah, I think it's, it's, it's, I'm ranty about this because this conversation is still happening when it should have gone on, when we should be knowing this already and it should be managed. It should have been dealt with by now yeah so i'm trying to think so what was the big scare so yeah this does happen i'll say we know so i'm looking at an article from 2017 in the new york times where you know the people people of a sports app um didn't realize
Starting point is 00:29:21 that they were being monitored um and what was occurring at the time was that, you know, if you want to play sports games in a pub or have it on big screens, you need a separate licence, right? So what this company was doing was checking where people were at the time of game. That's right. To see whether they were watching the game obviously yeah that's right yeah and from that they could then check cross-reference whether that place was licensed
Starting point is 00:29:51 to show the game or not, you know, with a large group of people. So yeah, I mean, as you say, this isn't anything new. This was, like, nearly four years ago that that was occurring. And I guess you're right, the new sort of privacy, the way the phones tell us how these apps are using their data, you know, so this requires access to the microphone, etc. But what people have been doing, or the theories that came out, I think it was last year, was that they were no longer actually directly using the microphone. They could do it from the vibrations that the phone was picking up. So they could tell what you were watching. From the accelerometer.
Starting point is 00:30:34 That's the word, yeah, from the accelerometer. So, you know, what adverts you're listening to, what words you're saying and stuff like that. And none of that goes through the app permissions, you know, the permissions for using your microphone or that stuff. So that was, you know, it's not that whole cat and mouse. I'm absolutely... this both amazes and astounds me, in both a good way and a bad way. One, the fact that people, these companies, will do anything to ensure that they can still listen in to you, and two, the fact that a piece of technology like an accelerometer
Starting point is 00:31:11 can use vibrations, pure vibrations, to listen in to a conversation or to ascertain what's being said, which I find, technologically speaking, absolutely amazing. Yeah, yeah. There's also this other patent, I think Facebook's one, that came out earlier this year maybe, or sometime last year, that they're looking at the dirt on the lens or scratches on the lens to uniquely identify the cameras. That's right, you talked about that in an earlier episode, actually. Yeah, that's right, that's right. But also, yeah, no, I think what it is, it's not just the microphone and the audio, it's a lot of other data they can collect. So I was reading this piece ages ago as a thread on Twitter, that someone said that they went to their mother's house and there was... it's actually a lot of it's GPS location as well. So if, say, I come to your house, Tom, and I say,
Starting point is 00:32:14 oh, that's a nice Lego set you've got, and you're like, yeah, yeah, I like to build Legos in my spare time, for example. When I come home and I suddenly start seeing adverts for Legos, yeah, it's not necessarily through the voice that they've detected it. It's because, geolocation-wise, they know from your interests that you buy a lot of Legos. And now we're both in the same geolocation, connected to the same Wi-Fi. And I've come back.
Starting point is 00:32:38 And that's why it's now advertising me with that. And that happens a lot. I've got one problem with what you just said there. It's not Legos. I know you keep... it's Lego, right? Yeah, yeah. And it's Lego, not Legos. See, now you know how we've... I've done that on purpose just to let you know how it feels when you talk about putting things on the line. On the line? You mean on the washing line? Yeah, send it to the internet. No, it's the internet. Internet. Anyway, so that was... I think it's a really good article. It's well worth a read.
Starting point is 00:33:22 So yeah, that was this week's... Rant of the Week. Right. Okay. So, going freaking back to the notes. Let's see. So, I think, Andy, I think we could probably move on to you, shall we, for this week. Billy Big Balls of the Week.
Starting point is 00:33:51 As I'm standing in for people that didn't want to turn up anyway, so I have come together. This Billy Big Balls this week is actually a continuation of something you mentioned last week, Don, where you said perfection is the enemy of good enough. Stand by it. Stand by it. And you still stand by it. So this article is titled Accuracy at Any Cost. So let me say this. Have you ever played Flight Simulator?
Starting point is 00:34:21 Yep. I used to play a lot of those. Comanche was my favorite one, that old helicopter that never made it into production. But yeah, playing those sorts of things, loved it. So yeah, I mean, it's got a real big fan base, right? And they love the detail of it, you know, of all the planes and everything like that. So imagine an equivalent of that. There's something called War Thunder, okay? Now, it's not something I was familiar with, but War Thunder is... or, sorry, a challenger to... sorry, War Thunder is what I'm going to refer to as the equivalent of Flight Simulator, but for tanks, right?
Starting point is 00:35:05 Right. Yeah. And so imagine, you know, you've got the same sort of people that are really absolutely fanatic about the detail and all of this kind of stuff. ...has apparently decided that preserving British state secrets is less important than proving to a game company that its digital model of the UK's main battle tank is inaccurate. And so rather... And this is genuine. So ultimately, you know, this guy saw this new tank which they produced in this game, War Thunder, and he was not happy at the level of detail.
Starting point is 00:35:48 So he decided to send them a copy of the actual schematic for this tank so they could improve the accuracy. And it turns out that by doing this, he has violated the Official Secrets Act. Really? Yeah, believe it or not, because the material is a classified manual for the Challenger 2 battle tank.
Starting point is 00:36:10 And he didn't just send it direct to the game developers. He actually posted it on a forum just so he could prove his point to everyone. Just so he could show what a Billy Big Balls he was. Exactly. Just so he could say, look, i'm not making this up but i do know what i'm talking about um and so yeah this this story was actually reported by the uk defense journal um and yeah this guy is in active duty stationed at the royal tank regiment well not
Starting point is 00:36:39 anymore well not anymore i imagine he's under this week he's under court martial at the moment i would imagine a lot of pt uh while he considers what happened do you know what my my funny you should say that doing a lot of pt my uh cousin is now the commander of uh what used to be called the glass house the military prison right where you go after a war, a court-martial. And it apparently is not all about PT and beasting and all that sort of thing. It really is about re-education and all that. Absolutely fascinating. There was a thing on the TV about it, and he was interviewed on there.
Starting point is 00:37:19 And, yeah, so this view we have of being sent to military prison, which basically means getting shouted at permanently and flashbacks to Full Metal Jacket and all that sort of stuff is just not true anymore. Well, I don't know that. I mean, I hear different stories. Oh, really? Yeah, well, so they do. Obviously, on paper paper they've got this whole um you know about
Starting point is 00:37:48 re-education all that stuff but then you know you get guys when they're out in uh combat um you know away in afghanistan obviously they've got a lot of time sitting around so they get bored right and they do some of the most ridiculous challenges right and it's like if you state something that you can't back it up you know like we'd typically say okay you know how much you want to bet right you know we'll make a bet okay what are you going to lose right so these guys aren't you know betting money they're not betting like you know i'll do your chores and stuff like that they bet um so a friend of mine like he's tried to introduce it into a separate friend group it's just not working because we're not military right uh so
Starting point is 00:38:23 they bet on like eyebrows so it'd be like okay you know if you get this wrong it's like okay you know what you want to bet and it's like eyebrows and so if you're wrong you have to shave off your eyebrows right and then because they were you know on active duty for so long like no one had eyebrows okay and so it's on to the next thing it's right okay what next i bet you're a fire tuck and that's where you have to shave a fire tuck bald patch in your head and then the terry nutkins as well right so you got these these 21 year old kids basically with terry nutkins hair like bald on the top long on the side um and the reverse mo molen was the other one um but then other things i hear about like and i know we're going way off on a segue here uh but something that just still cracks me up to this day is where the um
Starting point is 00:39:13 and it's because you mentioned full metal jacket you know the very famous thing with the drill sergeant at the beginning where it's like yeah where you from private holy dog shit yeah um and so basically they had uh this like an every morning like when the drill sergeant came in like everyone stood up for the line and um if he smelled a fart he would say hoovers and literally everyone had to stand there sucking through their mouth going until the smell went. Yeah, but that's not the military prison, though, is it? That's just active duty.
Starting point is 00:39:53 But, I mean, just the whole point, to think that actually going into prison is better than actually giving those things out. That's why I think, you know, there's a part that's reported and then the reality of what, you know, serving personnel is saying is happening on the ground. Not dissimilar to companies, right? No, that's right. Exactly. I mean, if this chap, this, let's just call him Billy, shall we?
Starting point is 00:40:18 Major Billy. Or no, he'd be a captain, wouldn't he, if he's a tank commander because he's in charge of a squadron of tanks or something like that. Anyway, Captain Billy, let's call him. Maybe he can draw some comfort from the fact that if he has a word with us, I might be able to have a word with my cousin to get him to look after him. Yeah. And if you send us a copy of that manual as well, that would be...
Starting point is 00:40:40 Yeah, absolutely. We don't believe you. We don't believe you, Billy. You don't know what you're talking about. Prove it. Prove it. Eyebrows. We'll put our eyebrows up at stake. If you send us a copy, we'll remove both of Jav's eyebrows, and trust me, that's a lot of hair. Get the lawnmowers ready, boys. But isn't it, again... I'm amazed and astounded again. It's just an episode of being amazed and astounded that somebody who is in the British Army, in a position of responsibility, you know, supposed to be educated, certainly knows about the Official Secrets Act, and is quite happy to flout it, not just as a, oh my God, you know,
Starting point is 00:41:29 I'm blurting something out, but going through the process of berating them, posting it onto a public platform, et cetera, purely, but not realising that, or just not seeing the bloody... The errors in their ways. The consequences of his action. I find it astounding, but...
Starting point is 00:41:53 This is that meme, isn't it, where the wife's standing by the door saying, aren't you coming to bed? And he's like, no, there's somebody wrong on the internet. Yeah, that's right. That's exactly it. Exactly it. Oh, amazing. So three things that would have helped there,
Starting point is 00:42:07 obviously, is proper awareness training. Yes. Proper, I'm sure the documents were classified, so, you know, that may not be a thing. But DLP as well. You know, you should be letting confidential data outside of your control. Absolutely.
Starting point is 00:42:23 Absolutely. Oh, excellent. Thank you very much, Andy. That was an awesome one. Billy Big Balls of the Week. This is the podcast the Queen listens to. Although she won't admit it. So, Andy,
Starting point is 00:42:48 what time is it? So it's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who are still AWOL. So for the second week running, we've called in a temp agency and they have been very busy bringing us the latest and greatest security news from around the globe.
Starting point is 00:43:13 Industry News. Amnesty International and French media protection org claim massive misuse of NSO spyware. Industry News. US legal eagles representing Apple, IBM and more take five months to inform clients of ransomware data breach. Industry News. Verified: UK.gov launching plans for yet another digital identity scheme. Industry News. Northern Trains' ticketing system out to lunch as ransomware attack shuts down servers. Industry News. Journo who went to prison for two years for breaking US cyber security law is jailed again. Industry News. Spanish cops cuff Brit bloke accused of playing role in 2020 celeb Twitter
Starting point is 00:44:07 hijacking. Industry News. NSO Group will no longer be responding to inquiries about misuse of its software. Industry News. China pushes back against
Starting point is 00:44:23 Exchange attack sponsorship claims. Industry News. Thales launches payment card with onboard fingerprint scanner. Industry News. And that was this week's... Industry News. Huge if true. You know what?
Starting point is 00:44:47 If an SO group don't want to put the effort into responding to inquiries, perhaps they shouldn't have done some dodgy shit in the first place. Well, they're saying it's not them, right? It's not us that are using this stuff dodgily. It's our clients. It's our clients, the people who we sell it to yeah but but we vet our clients so it's not actually them they must like not secure it properly yeah they must have they must have it must have been stolen from them or it's our clients
Starting point is 00:45:14 who who sold it on or oh my god the the the sheer audacity you gotta or it could just be the PR people like, sorry, guys, I just can't go out there with a straight face again today. That's right. Yeah. It's like, have you seen The Dictator, the movie with Sacha Baron Cohen? Yeah. And in the beginning, he's giving a speech and he's like, and we will not use nuclear weapons.
Starting point is 00:45:45 And we will only use them for peace. Yeah, he can't keep a straight face, that's right. Absolutely hilarious. Oh, man. Yeah, that was the one that just got to me the most. I mean, you know, company accused of dodgy shit refuses to talk about dodgy shit it's oh yeah but it was it was a massive investigation by all these uh many journalists across different agencies and and uh and newspapers and what have you and they found
Starting point is 00:46:21 what a list of about 50 000 phone numbers i think that's i don't know whether that's the entirety or not but there's like politicians on there there's like you know journalists on there there's human rights activists on there there's people under protection on there there's all sorts on there yeah and it's just really scary and uh it's not good it's not good at all no well you know when amnesty international is publishing a report about stuff your company does it's never going to be in positive it's right that's right it's you know publish and be damned is probably not the approach that they should be taking on this one no no or or even a sort of you know um you know any publicity is good publicity except when amnesty international are giving you the publicity well you know i think nsor are just part of the
Starting point is 00:47:15 problem the other part is how many governments out there and or agencies are willing to pay for this software to track people in in these ways and you know it's it that's that's the real scary thing because if there's a proper court order and whatever you can go through official channels and you can find out pretty much the same information yeah yeah well you know that all these government agencies right all the vendor managers and procurement people at these places are contacting nso group and they're like just to remind you we have a confidentiality clause and it's secure yeah exactly yeah we we don't want to stop answering inquiries either so yeah do you think nso group has one of those pages on their website with a bunch of logos check
Starting point is 00:48:00 out some of our happy customers yeah that, that's right. CIA, FBI, US government. Yeah, Chile, Venezuela. Yeah. What is it? Saudi Arabia. Yeah, exactly. Right, Jav, I think it's time for your Tweet of the Week this week. Are you ready for this?
Starting point is 00:48:23 I suppose so. Tweet of the Week. we always play that one twice tweet of the week so i i was talking to you about this other story during the week but that's quite depressing it's not a tweet of the week and it's really depressing as well so it's not a note that i want to end on but okay but but I will touch on it a bit before I go into the tweet of the week that you've kindly provided for me yes which is there was uh Andy you've got a highly desirable um Instagram account name haven't you that constantly gets hammered constantly and I don't know why Instagram don't do something about it. So that's the problem.
Starting point is 00:49:09 If you've got a desirable handle, before it used to be all about the domain names, but nowadays the handles on the particular platforms are worth a lot. So on Twitter or Instagram, if you're one of those early people that went in and you got one of those three-letter user IDs or something or something specific, it's quite desirable. And many times people will either get lots of account lockout notifications or failed login notifications. Or sometimes they'll get approached by organizations, say it's a corporate name that someone likes or something,
Starting point is 00:49:45 and they say, hey, we'll pay you a wheelbarrow full of money if you give us whatever the domain name or the handle is. Yeah, and I will actually sell my Instagram account. It's just no one's offered me money for it. They just keep trying to break into it. into it yeah so uh this goes to twitter where um a 60 year old man uh mark herring had the had the twitter id tennessee um and uh throughout many years people have asked him oh can you give us uh the the domain the the sort of twitter id Tennessee because we really like it and he's always refused he's like no this is mine I like it and what have you then uh during March and April of 2020 um some people asked him for it he said no and they got a
Starting point is 00:50:41 bit miffed so they started harassing him a bit by you know sending him and his family members things like pizza to their house with um with a payment on receipt kind of thing and uh this escalated and unfortunately ended up being a case of swatting where they phoned up police said that he shot his girlfriend or something like that. Armed police showed up, surrounded his house. He turned, he came out with his hands up, but unfortunately he had a heart attack from the stress and died. What?
Starting point is 00:51:18 Rest in peace, Mr Herring. Really, really sad, sad, sad state of fear. Anyway, they tracked down who was involved and there was a 18 year old in Tennessee and a minor based in the UK who were involved in this, apparently. An 18 year old? 18, 18 okay okay yeah yeah he just turned 18 or something I think they waited a few a few months for for him to actually turn 18 before they arrested him well you know normally I'd call that a dirty trick, but not in this case. Yeah, yeah. So, you know, it's... It's just a... I don't know what to say about it. It's just really sad and, you know...
Starting point is 00:52:18 It's an all-round awful story, Geoff, thanks. Yeah, it is. Thank you. Yeah, thanks for that, Geoff. Yeah. So, Andy, andy give up your link give up your instagram id it's better than getting shot or suffering a heart attack are you saying someone's actually going to be sending pizza to my house because i'm down for that right payment on delivery i i think you underestimate underestimate Andy's willingness to pay for pizza.
Starting point is 00:52:48 As long as there's no anchovies, right? Or pineapple. Do you like pineapple? I don't mind pineapple on pizza. Yeah, you know, I'm a fan of pineapple as well. I mean, as long as it's like, if it's constant, I'm guessing I'm going to be getting different types of pizza. If people just keep sending me margaritas or ham and mushroom, that's going to say, you know, as long as it's like, if it's constant, I'm guessing I'm going to be getting different types of pizza. If people just keep sending me margaritas or ham and mushroom, that's going to annoy me.
Starting point is 00:53:08 No, it's going to be margarita with added anchovy. You know that because you've said as long as it's not anchovy and, you know, as long as it's not margarita, in which case you're screwed, mate. Yeah, I mean, what I really hate is a meat feast with no mushrooms. A couple of deep pans, extra large. That would be my worst nightmare right so so you gave out your phone number on the smashing security podcast give out your address
Starting point is 00:53:33 now to andy and then people will have all the details they need to get everything we need absolutely absolutely so anyway the tweet of the week is a bit more light-hearted it's from our good friend tom langford, who says... Oh, you're doing a story about me? Oh, thanks. It goes, this is from The Onion, right? And that was this week's tweet. And if you want to know what I was talking about,
Starting point is 00:54:01 listen to this week's episode of the Smashing Security podcast. No, no, no. If you want to find out what's that, follow Tom at Tom Langford on Twitter. There you go. So Tom retweeted Eric Finman, who I've never heard of, but apparently according to his bio,
Starting point is 00:54:18 he is the world's youngest Bitcoin millionaire. Yeah. Okay. He looks like a Chad. He does. He does. So he's announcing he's announced on July
Starting point is 00:54:35 14th the Freedom Phone complete with bald headed eagles. This is the first major pushback on tech big tech companies that attacked us just for thinking different complete with its own uncensorable app store and privacy features we're finally taking back control freedom phone.com so this looks like a classic case of um some misguided bravado and um snake oil if if the likes of philip zimmerman who came up with their black phone a couple of years ago couldn't make it a raging success
Starting point is 00:55:15 then uh this thing that is a thinly veiled sort of um what do you call it rip off veiled sort of um what do you call it rip off no not rip off what's that term it's a white list it's like a white labeled phone yeah it's a white label yeah it's it's a white label product that they've probably changed a few things on engraved something else onto it and and launched it as their own you know put some crappy software on yeah um the startup sound is uh star spangled banner and yeah the default ringtone is an american eagle coring oh wow please are you joking or is that true well i don't know but it seems about right yeah it does actually and and in all seriousness if you do check out the tweet there's a there's some responses there including a thread from a bunch of people about actually why this is such a bad idea and why it is in all likelihood just a white labelled piece of kit. And if this person is not completely lying through their teeth, he's certainly stretching the truth to extreme levels yeah about the quality
Starting point is 00:56:27 and security of this phone yeah and people will lap it up as well people will lap it well you know it targets us yeah targets a certain market yeah especially when they're talking about uh make apps great again oh for God's sake. And when one of the apps that they're advertising has come in pre-installed is Parler. Just, oh dear God, that tells you. Just call this the racist phone and be done with it. The special white model, right?
Starting point is 00:57:02 Yeah, it only comes with a hood. It only comes in white. Protective hood. It only comes in white. Protective hood. It only comes in white, exactly. And a guy whose first statement about himself was, it's a bit like Troy McClure of The Simpsons. Hi, my name's Eric Finman. You may remember me as the world's youngest Bitcoin millionaire.
Starting point is 00:57:29 That's all he's got going for him. And he's going to be saying that when he's 60, I guarantee it. Because that, don't get me wrong, being a Bitcoin millionaire is actually quite impressive. But you're only as good as your last job not the job you did you know five years ago so yeah i i just oh and also he tweeted this from an iphone as well he didn't even tweet it from a you know an advanced model of his own phone which you would have imagined that he would have done right you know because or at least you know from a prototype or or if he's selling an android phone that would be from an android but you know
Starting point is 00:58:11 no so yeah dreadful yeah dreadful anyway that was uh this week's snake oil tweet of the week. Tweet of the week. Sketchy presenters, weak analysis of content and consistently average delivery. Like and subscribe now. Excellent. Thank you very much, Jav, for that.
Starting point is 00:58:38 And that brings us to the close. Now, Jav, I know you feel like you've only just got warmed up, but I'm afraid that we've come to the end of the podcast. the close now jav i know you feel like you've only just got warmed up but i'm afraid that um we've come to the end of the podcast um i hope you enjoy yourself jav it's like a really short
Starting point is 00:58:51 one i'm i'm just getting ready to go exactly yeah can't think why i mean geez so thank you jav thank you jav for that uh scrabbling to recover from being late and very sad in your storytelling today. You're welcome. That's what I'm here to do, keep the emotional highs and lows going, keep people interested. And, Andy, thank you very much, sir. Stay secure, my friend.
Starting point is 00:59:26 Stay secure. and Andy thank you very much sir stay secure my friends stay secure you've been listening to the host unknown podcast if you enjoyed what you heard comment and subscribe if you hated it please leave your best insults on our reddit channel you know when you do the
Starting point is 00:59:44 rollercoaster of emotions, you're supposed to end on a high, not on a low. That's where I've been getting wrong.