The Host Unknown Podcast - Episode 67 - A Total Car Crash
Episode Date: August 6, 2021

This Week in InfoSec (07:40)
With content liberated from the "today in infosec" Twitter account
30th July 2013: Chelsea Manning (their name was Bradley Manning at the time) was found guilty of espionage, theft, and computer fraud, as well as military infractions.
United States v Manning
https://twitter.com/todayininfosec/status/1421171398656024587
3rd August 2007: Reporter Michelle Madigan (Associate Producer of Dateline NBC) went undercover at DEF CON with a hidden camera to try to get attendees to confess to crimes, was outed by @thedarktangent, and bolted from the venue chased by a pack of 150 people.
Dateline Mole Allegedly at DefCon with Hidden Camera
An undercover Dateline NBC reporter flees the Defcon (Video)
https://twitter.com/todayininfosec/status/1422682529220472833

Rant of the Week (18:42)
UK Politicians are apparently very unlucky with their IT equipment, especially when they need to be investigated.

Billy Big Balls of the Week (29:45)
Apple snooping on your pics
https://twitter.com/matthew_d_green/status/1423109002280513540?s=20

Industry News (41:04)
US Seeks Espionage Retrial for Chinese Researcher
Zoom Pays $85m to Settle Privacy Suit
US Senate: Seven out of Eight Agencies Are Failing on Cyber
Son Charged in Murder of Cybersecurity 'Genius'
MoD Boosts Cyber-Resilience with Ethical Hacker Project
Over 60 Million Americans Exposed Through Misconfigured Database
Web Shells and Digital Extortion Drive Triple-Digit Growth in Cyber-Intrusions
Decade-Old Router Bug Could Affect Millions of Devices
Cybercrime Ransomware 'Ban' is No Match for Threat Actors

Tweet of the Week (54:52)
https://twitter.com/iamdevloper/status/1423219304435228676?s=21

"The Box" Incidental Music ©Charlie Langford
Come on! Like and bloody well subscribe!
Transcript
That video, right? Yeah, that's, um, that's pretty messed up. Whoa, Jav, and that's your, that's your front yard, is it?
It is, yes, my front yard, because I live in America. But, well, hey, I'm just catering for our international listeners here.
Okay, so that's you. He thought you were a Yardie.
Yeah, that's your, that's your front patch of concrete.
It is, yes. It's my front patch of concrete, which a car has just hit the wall at.
Literally, in the last few minutes, it's just ploughed into yours and your neighbour's wall.
Yeah.
But I don't understand how she is going so slow.
And at that speed, I generally reckon she would have been better off just driving into the car in front of her, because at least then the bumpers would have...
Because the funny thing is she's already hit the, um, hit the, uh, car in front, and that's why that came to a stop.
Ah, I see. That explains the flashing lights and the, uh...
Yeah, right. So she must have hit that car at some speed, because there's a bit of a lag before she comes into shot, you know.
Yeah, yeah, I think so, I think so. She hit that car, that car hit a car ahead of it, they both came and pulled over, and then she came rolling down claiming that her brakes had failed, and then she came and ploughed through my wall.
I like how the passenger gets out the car quick. That passenger's not sitting around to see if everyone's all right.
What I can say, Jav, is it's really lucky that you're fully covered with your house insurance.
Yes.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And yes, that was Jav's nervous laugh, uh, as you just heard. Um, good morning, folks. How are we both?
Uh, very good, good, good.
Jav, are you feeling nervous at all about, uh, all the damage done to your house?
Not really. I mean, stuff happens, isn't it? I mean, you know, you know a few fellas who can, who can knock a few bricks about, right?
Yeah, yeah, yeah. I mean, the main thing is, like, no one appears seriously hurt.
No.
And everything else can be rebuilt.
But apparently all the food on the back seat
is all over the inside of the car now.
Yeah.
That's the biggest tragedy here, let's face it.
It is, it is.
So I went round and, honestly, the back seat,
it's like the scene out of Pulp Fiction.
But with curry.
Yeah, but with curry.
Oh man, did you, uh, go out in your dressing gown and say, like, did you see a sign in the front that said spilled curry storage?
Oh man.
How you doing, Tom?
I'm alright
I'm alright
it's all good here
it's
yeah
end of another busy week
got a busy weekend ahead
so yeah
pretty good
pretty good
preparing for another wedding
next week actually
oh
second shooter again
yeah
second shooter
gonna be doing a bit of
video footage as well
on the gimbal.
So, yeah, yeah, all good, all good.
Excellent.
What about you, Andy?
Oh, sorry, go on.
Are you missing out not being in Vegas this week?
Yes.
Because I know you were really looking forward to going there.
I was really looking forward to it, actually, and yes, I am.
And the worst part is I got a ticket for DEF CON, because obviously that started yesterday.
That was last day of Black Hat yesterday and DEF CON today.
And so I can I can use my ticket to access everything through Discord.
I can't work out Discord. Come on.
Talk about overcomplicating a social platform, or at least some kind of, you know, collaborative and communications platform. Dear God, how does it work? It's called... it's just horrible.
I'm, do you know, I'm glad it's not just me, because I was feeling distinctly old and out of touch, and, uh, but, uh, yeah, it isn't just me, is it?
Uh, no, it's a pretty poor, it's a pretty poor, uh... I'm just about to open it again now just to remind myself of how bad it really is.
Yeah, I did stop using it for, uh, for a reason.
I got it. Oh, memes, memes, memes, new messages, memes. Yeah, it's pretty poor.
You heard it here first, folks.
These three old people don't like Discord,
so if all of you young folks could move on to a normal platform,
that would be great.
But do you know what annoys me is that they're posting TikToks on Discord.
What?
Yeah, it's like, gosh, why?
Let's just get it from source.
Use TikTok.
Although, you know, I do feel for that kind of thing
because that's how I imbibe my sort of quota of TikTok
is through WhatsApp and YouTube.
Yeah, I mean, I've seen,
I did take the mic out of a friend of mine the other day
who sent a screen recording of an Instagram video that was a TikTok.
And sent through WhatsApp.
Yeah, and sent through WhatsApp.
But the funny thing is that all these social networks have share buttons,
so you can share the original source, but people just aren't using them.
It's probably too complicated, something like that.
Yeah, must be.
So your week, Andy, how's it been?
Chaos. It's just work. It's constant work at the moment.
It's time to...
Well, given the quality of the show notes you sent through last night,
we honestly didn't think you were going to make it, Javanai.
I almost did not, didn't I?
I did actually say, look, guys, this could be the one that I'm not here.
But then I realised this show would absolutely tank without me,
and I thought, well, I'm not ready to just let it die just yet.
I think previous viewing figures have proven otherwise.
Correlation does not equal causation.
True, true. I have to agree with Andy on that one.
What have we got coming up for you today?
So, uh, This Week in InfoSec takes us back to a time when the hunter became the hunted on the streets of Las Vegas.
Billy Big Balls tells us of a company that's trying to snoop into our photos on a regular basis.
Industry News is back home at last and continues to bring us the latest and greatest security news stories from around the world.
Rant of the Week tells us just how unlucky some UK politicians are.
And Tweet of the Week shows us how the best intentions of a hobby can lead to a professional career.
Do you like how that was literally being typed as you were getting to it?
You know what? I'm glad because otherwise I would have made up something completely
bizarre. I have no idea. But hey, it's fresh content. We're live, people. We're live. You have no idea how live. Anything can happen in the next half hour, to quote Troy Tempest.
So, uh, yes, yes. Shall we, uh, let's move straight on, shall we, to This Week in InfoSec?
It's that part of the show where we take a stroll down InfoSec memory lane, revisiting content liberated from the Today in InfoSec Twitter account.
So our first story takes us back eight years
to the 30th of July, 2013,
when Chelsea Manning,
who was known as Bradley Manning at the time,
was found guilty of espionage, theft, and computer fraud,
as well as various other military infractions.
And so unless you've lived under a rock
for the past nine years or so, you will know that
U.S. prosecutors presented over 300,000 pages of documents in evidence against Manning,
including chat logs, classified material.
And it would appear that Manning took very few security precautions.
So you may remember around this time that, um, Mark Snowden was sort of recommending, you know, he contacted his lawyers, told them to, you know, store, switch off their phones, take out the batteries, store them in the fridge, um, you know, and all these kind of precautions, whereas Manning, not so much.
Um, so after Manning's, uh, basement was searched, they found an SD card.
It contained Afghan and Iraq war logs,
along with a message to WikiLeaks.
And then investigators,
they also found like computer trails
of Google and interlink searches
and a whole load of WGET commands
used to download documents.
But yeah, so a very key part of the WikiLeaks era, I think this was. And it wasn't until the 21st of August, so like a couple of weeks later, Manning was actually sentenced to 35 years' imprisonment. Um, and, you know, as if that wasn't kicker enough, also got a reduction in pay grade to E-1 in the military and forfeiture of all pay and allowances, in addition to a dishonourable discharge.
And so it wasn't until four years later, when President Barack Obama commuted Manning's sentence to a total of seven years' confinement instead of that original 35 years. And Manning was eventually released on the 17th of May 2017.
But, you know, a very key part of the WikiLeaks story.
It's an interesting one, isn't it?
Because, you know, Manning at the time had, you know, joined the US Army,
had taken the president's dollar or whatever the equivalent of the Queen's shilling is,
And, you know, had signed up to whatever the equivalent of the Official Secrets Act and all that sort of stuff
and had deliberately and with effectively malice aforethought
shared a whole bunch of data that could put people, you know,
operational activities in danger,
could have put certain people's lives in danger and all that sort of stuff.
Yeah, we've covered this as that sort of whistleblower versus patriot type argument.
Absolutely, but you're absolutely right.
I think the point I'm making is that, you know, on the one side,
it's a very clear-cut case.
You know, you do the crime, you do the time.
You know, you kind of know what you're doing up front. But the flip side is,
it actually opened the floodgates on an awful lot of investigations. And, you know, there was
certain, you know, human rights abuses that needed to be investigated as a result and all that sort
of thing. So it's a very difficult one, and I can see why Barack Obama commuted it
down to seven because there is still a crime to be accounted for.
To answer for, yeah.
To answer for, yeah, exactly.
But 35 years is, well, that's…
It's one of those grey areas, isn't it?
Yeah, it's a really difficult one. Really difficult one.
I don't know.
I don't know where I stand on this, but all I can say is I probably wouldn't have done it
if I was in Manning's position at the time, I must admit.
Yeah.
I probably would.
No, I wouldn't.
I don't know.
It's hard to say.
You don't know how bad things were.
No.
You don't know the stuff that Manning saw at the time,
which maybe increased their feelings towards whether or not
they're willing to go through with it or not.
Yeah, yeah.
But it's a bit strange, isn't it?
Man joins international exporter of terrorism and killing machine, gets shocked when, uh, sees acts of terrorism and killing.
Right, yeah. So moving swiftly on to the second story we've got, which is from the 3rd of August 2007, which is a mere 14 years ago.
And reporter Michelle Madigan, who is the associate producer of Dateline NBC, went undercover at DEF CON with a hidden camera to try to get attendees to confess to crimes.
But she was outed by the dark tangent and she ended up like running from the venue,
being chased by a pack of 150 people.
Now, if there's ever a metaphor for someone bringing a knife to a gunfight,
I think Michelle Madigan is the embodiment of it.
So obviously Dateline NBC was best known for its To Catch a Predator series.
Take a seat, please.
Yeah, well, I think, Jav, you've been on that show,
I think seasons three, four, and nine, I think.
But no, so if you don't know, the Catch a Predator series is,
they use hidden cameras to, you know, I don't know, entrap people.
I don't know, it's controversial because it's almost entrapment, isn't it?
It is an entrapment, yeah.
They set up a sting operation, don't they?
Yeah, to sort of goad people into meeting minors that they meet online.
So according to DEF CON staff, Madigan had, you know, she had told,
well, in fact, her purpose for being there was to capture a,
basically hackers confessing to crimes.
You know, she had a hidden camera and stuff.
Or being willing to take on criminal work.
Or being willing to take on criminal work, yeah. And, um, she also wanted to, uh, you know, she told the, um, sort of the goons at DEF CON she actually wanted to, you know, spot a fed, uh, or whatever.
But the reason, I think, you know, it sounds harsh that she was outed, you know, that doesn't sound very DEF CON friendly, but DEF CON, I think they said four times, you know, they actually went to her and said, do you want a press pass, you know, do you want press credentials?
And so the way people are identified at DEF CON, you know, by the sort of lanyards or badges they've got, and it's very clear when you're talking to press, um, you know, so you can, you know, tone your, uh, you know, adapt your conversations appropriately, right?
You don't know what you're representing or, you know, how it could be misconstrued without context.
And so she was asked four times if she wanted press credentials at various stages, you know, throughout the day. And she said no, she denied being press.
And then obviously, yeah, so the DEF CON staff sort of made out there's going to be this fake event, uh, or so, it made out the Spot the Fed contest was going in session, uh, you know, in, in this hall down the, down the way. So loads of people went in there, and as she sat down, um, you know, Jeff Moss, uh, or Dark Tangent, he sort of announced they were changing the game, and instead of playing Spot the Fed, they're going to play Spot the Undercover Reporter. And he announced that, you know, there's one in this room right now.
And, and there's a, but I've put a link to the YouTube video. That's in the show notes. You can see it for yourself. I mean, I don't agree with the mob mentality of these things, but, you know, 2007, different times. And like I say, she, she really played that one wrong.
Well, yeah.
You say mob mentality, and, yeah, that's, that's a bad thing, but the way it's worded, bolted from the venue chased by a pack of 150 people. I watched the video. It's, it's more just like some nerds and geeks just following a lady saying, shame, shame.
Hey, that is like a mob for the geeks, right?
But they were also, I mean, it was also half of them were reporters themselves, right?
Yeah, were press themselves, saying, you know, can you tell us what happened, can you tell, you know, can you tell us why you're doing that?
Yeah, please take the heat away from us.
No, but obviously if you, um, if it just said, you know, she was asked to leave, that's not a very good ending to a, to a tweet, right? You've got to say she was chased by a mob. And, you know, you think, God, I've got to see this.
A mob of socially awkward people who like to avoid eye contact.
And I think from then on, you know, I think all the press have played by the rules. You know, they've all got press badges. And it's quite funny that if you even search for, um, Michelle's name now, Michelle Madigan, um, you know, she's got her, her LinkedIn profile, then, you know, her, one of her social medias, and then it's, um, you know, the third story is still about this story from 14 years ago. You know, she will forever be known as that, that person that messed with the, uh, with the crowd at DEF CON.
Yeah, yeah. I, I think that's, um, not quite, well, it goes way beyond not being able to read the room, and not being able to read the conference. Do you know what? It's, it's like, you know, they have a Spot the Fed competition. How hard is it going to be to spot the journalist? I mean, you're in the wrong part of town.
Oh, excellent. Thank you, Andy.
This Week in InfoSec.
You're listening to the award-winning Host Unknown Podcast, officially more entertaining than Smashing Security. In your face.
Indeed, uh, we do wish our learned colleagues over at Smashing Security a lovely holiday. They obviously work very hard to produce the second most entertaining infosec podcast and deserve all the time off they can get. We, however, we like to continue to bring you the very best in infosec entertainment throughout the year.
And if their, their sponsors, like LastPass, right? Yeah. And those guys. Hey, guys, that, you know, if you're missing, if you didn't want to take a holiday, we're here for you.
We are here for you, absolutely. And at only half the price.
The listenership is also, uh, roughly that.
Honest. Um, so, uh, I think we should move on to this week's...
Listen up! Rant of the Week.
It's time for Mother F***ing Rage.
And, why, after that jingle, it makes me realise, I think for about the last 10 weeks, I've always done the rant, Jav has always done the tweet, and Andy, you seem to have always done the easy part at the end.
I know, you do the tweet, and Jav does the Billy Big Balls.
That's right.
So we're definitely falling into something here.
I'm the ranty old man.
You're the dead donkey story at the end, Andy.
And Jav likes to aspire to be a Billy Big Balls at some point in his life.
So I don't know what's going on here.
But anyway, anyway, rant of the week.
So I read this from Reddit, link in the show notes,
and the title is three senior Tories, and for our international listeners,
a Tory is a conservative politician, right wing, and currently the ones in power, have now either replaced a phone, have suffered an IT glitch, or replaced a device, coinciding with being asked to hand over phone records related to cases.
Which, well, my rant here is both political and technical,
I have to say.
So politically speaking, outrageous, utterly outrageous.
I mean, you know, once is unfortunate, but three?
And I bet these are not the only cases.
You know, it's…
Enron Protocol.
Oh, my God, yeah.
You can almost hear the electronic shredders in the background whilst you talk about it.
So politically speaking, this is appalling.
If you go into the highest office of power in the country, you need to be prepared to be transparent about personal dealings.
You need to, even if you're asked by people who have the authority and the credence to do so, to hand over your, uh, electronic records, and you do so because that's part of the democratic process, right? And to say that, oh, I've lost my phone, oh, I've lost this, you know, I don't, you know, these people who are investigating don't care that you've got, uh, I don't know, balloon porn or clown porn on your, on your phone. They, they're, that, you know, they probably know that already, but you need to hand over your devices and your communications, because you need to be held accountable for this.
So politically, that's one side, but technically, technologically,
seriously, I mean, given that these are official government devices,
these should have mirrors somewhere at all times.
There should always be backup copies of everything that's on these devices.
I mean, companies are required to do this by, ironically, government regulation in some cases,
as well as international standards.
You need to have the ability to take control of a device in the sense that you can either wipe or recover data from them.
And I just think the sheer incompetence of this, you know, for a government that should have no, at least for this kind of thing, no sort of financial restrictions on what, what, uh, uh, what they can do, because much of this stuff is just off-the-shelf product, right?
Yeah, I just find this, like, Find My iPhone, right?
Yeah, exactly, you know, and your iCloud backup or whatever, or, you know, use, use Microsoft, it doesn't matter. I mean, these are off-the-shelf products. So I do like, I'm reading that one of the comments in there, and it's one of the guys says, uh, did we not spend the last decade building a massive intrusive surveillance network that can intercept everyone's texts and emails for pretty much this exact purpose?
Yeah, can we not just use that?
Yeah, yeah, exactly. And then it turns out the MPs voted for themselves to be exempt, uh, from monitoring.
Well, it's not quite exempt. It's, it has to be done at the direct, or it has to be signed off by the Prime Minister, and the Prime Minister alone.
Right. So it can be done.
And interestingly, someone tries to say, oh, the bloody Tories voting for them not to be covered.
Interestingly, it was a Labour government that put that forward and voted it in, that particular element of it.
And yet no one is going to revoke that now it's in, right?
No.
Well, it's much harder to revoke something than it is to invoke it, right?
So, Tom, do you think now, in light of all of this,
it's maybe a good idea for some vigilante to put CCTV in government buildings so that we can catch these politicians?
Are you a little bit butthurt about that particular story, Jav?
No, no, not in the slightest.
No, unconvinced, but that, well, no, I think, I think that's, I, I think that's the upshot of exactly this happening, and that's just a really slippery slope, you know, if we...
Be right back. You two continue amongst yourselves.
Oh, it's gonna be like another car's gone through his front lawn, is it?
Exactly, yeah. I know, that's the only thing I can think of now.
So someone's saying, would this excuse run for suspected drug dealers?
Uh, I don't know. Well, they'd have the, um, massive intrusive surveillance network focused on them, wouldn't they, for a start?
Yeah, true.
You know, but yeah, but to Jav's point, you know, having someone put sneaky CCTV in because, you know, ministers are doing this, well, this is exactly the upshot of ministers doing this, and that we lose trust and faith in our, in our government officials. Do you know what I mean? It's like, well, you've got a government that's using burner phones.
Yeah, yes, exactly. And so, people feel that, you know, people who are working in those locations and seeing these kind of, you know, abusive powers, that's exactly what they do.
Just normalise it.
Yeah, exactly.
And it means that we end up with an even more insecure
and, you know, Swiss cheese environment
rather than it's okay, I trust our politicians
because frankly they can be held accountable.
Their communications are, whilst not actively monitored,
but are stored and can be…
It's like the old audit log things, right?
They're not preventative controls,
but you've got detective controls in there
in case you need to go back.
Exactly.
And you know what?
You really don't want to go on there on record as saying,
let's give this job to Boris's mate's wife, allegedly Dame Heido Dardin,
just as a made-up name.
Let's give this job to, to that person, you know, because frankly they threw a lovely dinner party the other weekend, you know. Anyway.
You know, there's the, you might have seen the TikTok videos where there's, uh, someone at a phone repair shop and they get a phone in and it's like,
oh, it's not charging, it's not working.
And they open it up and there's a note inside there saying,
here's a hundred pounds or a hundred dollars in here.
They just fold it up inside the phone saying,
tell my wife it doesn't work.
And I think there's a business there.
I think there's a business opportunity there
to provide services to government officials
for, you know, phone repairs, in quotes.
No, you supply them.
You have a government contract to supply phones with cases
that have a secret compartment that you can fit, you know,
money in a note in.
Yeah.
Oh, dear.
So, anyway.
I was going to say, one of the other, um, the things like that is that, you know, when a, when a normal person, when one of us working people is, um, you know, accused of a crime, you can get everything seized, like computers, phones, any other devices in your house, totally seized, like gone for months, uh, while searched for evidence. But, um, obviously if you're an MP, uh, you just say you don't have that device.
Well, the distinction is they're not being accused of a crime, are they? At least I don't believe so in this case.
By default they're always accused of a crime, right? I'm pretty sure that, um, you know, that's the MO. It is just to, you know, operate without, operate with impunity, operate as if we get, as if this is illegal, just in case, yeah.
Yeah, exactly.
I mean, it is a cartel, right?
Basically everything a cartel does is a crime.
It's got a lot worse over recent years.
It really has.
You know, the cronyism is, well, the cronyism is in the open.
You'd always expect a certain amount of cronyism and nepotism because, you know, in certain positions you want people you know and trust and, uh, things like that in, in certain positions, and, you know, and they go on and they do a good job. But the problem is at the moment, you, this, this cronyism is resulting in people doing terrible jobs, um, you know, and that,
well with the many many examples over the last year,
they come in, they do a terrible job, they get lambasted by the press,
and then they get told, oh, you can go and head up
another massive government division instead.
So really failing upwards or failing sideways here,
rather than actually being held accountable for the actual terrible shitty job
that you've done in the first place.
Sorry, are you talking about politicians or CSOs now?
Oh, definitely politicians. CSOs are entirely blameless, especially, especially ex, recovering CSOs.
Okay, anyway, anyway. I can, I can feel my voice going up an octave and I'm starting to sweat a little after all of that.
But yes, you should be ashamed of yourselves.
If only you had the feelings of a normal human being
rather than a race of lizard people in human skin suits.
But yes, these people should feel ashamed of themselves.
Rant of the Week.
Oh, gosh.
I'm feeling a little bit flush after that one.
And just in case anybody disagrees with what I've just said.
Are you outraged that Host Unknown was voted
the most entertaining content coming out of Europe?
We read all complaints sent to our Reddit channel on r slash Smashing Security.
Indeed, go to Reddit, send your complaints there.
Honestly, someone will read them.
Jav, why don't we move right on then to your story this week?
And I think, honestly, this should have been my story, but you crack on.
Fair enough.
So this is a bit of a big balls move because it's addressing the elephant in the room.
And everyone wants to do
something about it. No one's too sure how to go about it. So everyone prefers a hands-off
approach. So we are talking about Apple. Apple is reportedly set to announce a new photo identification feature that will use, if I understand correctly, a hashing algorithm to match the content of photos in a user's photo library with known child abuse materials.
This apparently will happen on your user device in the name of privacy.
So the iPhone would download a set of fingerprints representing illegal content
and then check each photo to the user's camera roll against that list.
So it's not doing any automatic analysis of your photos,
but rather it's downloading a set of known hashes
and then running those against your camera roll and seeing if there's any matches. And the assumption is that
any matches will be sent to humans for review. And this is a Billy Big Balls move because
no one really does want to touch this kind of technology or this kind of approach because, A, it's horrible material.
People would rather not think about it.
B, it's one of those things that if you do end up doing an investigation and finding any such questionable material on your corporate environment or what have you,
it opens up a whole process that you need to go through.
You need to invoke legal, law enforcement,
forensics investigations, the full nine yards.
On the other hand, it is a bit worrying
that now you have this technology
and it's one of those things
and it's like, won't you think of the children?
Absolutely.
It's a horrendous thing.
And the more we can do as a society, as a world to stamp out this kind of reprehensible
behavior, the better.
The worry is that when you wave that around and we've heard politicians or other people
use this kind of argument before: we need to end end-to-end encryption because pedophiles or terrorists.
I mean, those are your two go to arguments.
Why are you doing something?
It's because of pedophiles or terrorists.
And then, you know, if you're a terrorist pedophiles, yeah, all the terrorist pedophiles.
And if you, if you go against it, then you're clearly with the terrorists or the terrorist pedophiles.
The, the problem here is, though, that, you know, this technology can then be used for anything, because once, you know, you can download certain hashes or fingerprints to, to a user device and, and ping responses, what's to stop any government or anyone starting to put in their own hashes? So say you're a law enforcement
or you're the government in the Middle East
and all of a sudden there's an Arab Spring type of uprising
and you're like, okay, let's now look for fingerprints
or download these fingerprints,
look for hashes of anyone that was in Tahrir Square
throwing Molotov cocktails,
and then we can round up all those people.
So you can see how this type of technology can be bypassed
or can be used for malicious purposes as well.
So I'd be really, really cautious in how to proceed with this.
I do think it's a massive Billy Big Ball's gamble
by Apple to go about this, especially since they've been talking so much about privacy
as of late. And this is kind of like counter to that argument. But I don't know. I think
it's one of those things. Unfortunately, unfortunately, recent history has shown that any such development has led to government saying, yay, we can clamp down on, uh, suppressing unapproved opinions, and it's all very 1984-ish.
Yeah, yeah. I'm, I'm torn on this, I have to say, because, yeah, on the one side,
I think if, if there's any technology company out there that I would trust to do this right, it would be Apple, unsurprisingly, right?
Obviously.
You don't even ask questions.
You're straight away, hello, Mr. Apple.
Hang on a minute.
Bend over, grab your ankles.
I opened up with, I'm torn here.
So on the one side, I think, you know, obviously.
That's Apple tearing your wallet through your ass.
That's what that tearing noise is.
Anyway.
Trust me, if they scanned, you know, my photo stream for images of that,
they'd find plenty of Apple trying to tear my wallet through my ass.
No question about that.
I sat here in front of my virtually entirely Apple desk.
But, yeah, so if there is one company I trust, I trust Apple, mainly because of their stance on privacy. You know, to your point,
Jav, about it's an interesting move given that they're, um, you know, they've taken a
strong stance on the privacy side, you know, and the fact that they wanted to do it in a way
and they're open and transparent about how they want to do this.
I think it's it's a good thing, you know, and anything that supports that.
So, for instance, I know you can download apps. So frequent travelers who go to various hotel rooms,
you take photos of your hotel room from a variety of angles and upload it so that law enforcement agencies can use that information in the fight for,
you know, to ascertain where images were taken and all that sort of stuff, you know.
So there's, you know, anything we can do to sort of move the needle on this has got to
be a good thing.
The flip side, however, is, you know, and again, you alluded to this, Jabba, I think
is, you know, once you've opened Pandora's box, this is actually going to be very difficult to scale back once it's in place to limit its use to the valid and moral cases.
It's going to be a huge, um, it's going to have a huge impact, even financially for Apple, um, you know, as to how they're going to police this. And if they get it wrong, what is the liability of getting
it wrong? You know, what if somebody is pulled in front of the police and, you know, dragged from
their workplace as a teacher or whatever, uh, because Apple have wrongly flagged some photos
or because, um, they've wrongly identified photos as belonging to one person
versus another or whatever.
I think that's going to be very, very difficult,
and you end up with the mob pitchfork mentality.
So I kind of want to say time will tell.
Let's see what happens.
But by that point, it may well be too late.
So, yeah, I'm really not sure how to
you know, how to, uh, process that, I have to say. So I'm looking at the, um, a lot of the, I guess,
the fors and againsts, and I think, yeah, it's definitely a divisive, um, topic. So I think
the majority of people have problems with the fact it runs client side rather than on a server,
um, that seems to be, yeah, the top argument there. Um, but then there's examples of how
the hashes could be, uh, you know, using machine learning it can get confused, and
there's a picture of, I don't know, some morphed-up picture and some abstract art picture, and it
shares the same hashes with
a photo of Wayne Rooney. Um, you know, so you've got three pictures with the same hash, yeah, um, but
very different pictures. And, yeah, I don't know, I guess it is, and you're right, and this does come
back, you know, we need to do something. And I guess, you know, you're only going to get... if you wait for
a perfect solution it's never going to happen.
So I guess it's got to be the, um, yeah, how do we move it forward?
Yeah, yeah, difficult. I mean, I've got an old saying, right, it's, uh, you know, perfection's the enemy of
getting it done right. Good enough, I think you mean. Oh, good enough, yeah, yeah, yeah, yeah.
that's right yeah yeah that's a good saying,
Andy.
Yeah,
well,
I know,
I came up with it.
Yeah,
yeah,
absolutely.
Apparently,
that's how you propose
to your wife,
isn't it?
It's like she was just
waiting for Mr. Right
and you were like,
hey,
perfection's in me,
I'm good enough.
Yeah,
and she went,
yeah,
you're right,
you're good enough.
Oh, good, it certainly wasn't for my money. That's the funniest thing.
Oh dear. No, good story, Jav, good story. I'll be real, this is one I think we will be hearing a lot
more of in the coming weeks and months, hopefully, uh, for reasons not related to content found on
any of your devices.
I've got an Android.
That...
Yeah, so...
Oh, yeah, you've definitely got something to hide there,
Andy. Jabber me.
It's a go.
Yeah, do me.
I see this,
Not that North Korea issue iPhones, and Putin as well.
You know, you're not allowed to create memes of those leaders.
I think, you know, if they get one of those memes and then, you know, get the hash from that and then start searching their citizens.
Slippery slope.
Yeah, absolutely.
Absolutely.
You know, Andy, I remember like a year ago you sent a screenshot that you had a missed call and it was from North Korea.
It was from North Korea. You remember that?
So I think you should find some some memes of the illustrious leader and send it to them on WhatsApp or text or something.
And then, you know, that'll get rid of that problem for you.
Yeah. Get rid of that problem about how I fit into this show.
Did you ever find out who it
was? Nope, never found. It's got to be a spoofed number. It's got to be, yeah, it has to be spoofed,
because, you know, look, it's literally one of only, I think, five numbers that can dial out from North
Korea. Yeah, and also, you know, only five people can afford to dial internationally from North
Korea, right? Maybe they wanted to sponsor the podcast.
Oh, come on.
Yeah, and you didn't answer, dude.
Mr. Jong-il or Mr. Kim or whatever.
Illustrious Leader, we would love to have your sponsorship money
and we'll play your adverts.
Not a problem because I don't think anybody who listens
particularly understands North Korean.
Anyway, Jeff, thank you very much.
This is definitely a story to follow.
Billy Big Balls of the Week.
Andy, have you got the time?
I do.
As I'm looking,
it's that time of the show where we need to head over to our news sources over at the InfoSec PA Newswire, who are back.
They did take a little unscheduled break, a little absent without leave.
But they are back and they've been very busy bringing us the latest and greatest security news from around the globe.
Industry News
US seeks espionage retrial
for Chinese researcher.
Industry News
Zoom pays $85
million to settle privacy
suit. Industry News
US Senate
7 out of
8 agencies are failing on cyber.
Son charged in murder of cyber security genius.
MOD boosts cyber resilience with ethical hacker project.
Over 60 million Americans exposed through misconfigured database.
Industry News.
Web shells and digital extortion drive triple digit growth in cyber intrusions.
Industry News.
Decade old router bug could affect millions of devices.
Industry News.
Cybercrime ransomware ban is no match for threat actors.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
Amazingly huge.
Huge.
So anything of interest in there?
Let's see.
Oh, everything's interesting today.
Well, yeah, well, it's come
from a proper news source for a start, it has. You know, the 60 million Americans exposed through
misconfigured database, that's a really interesting one, because, um, when you read the story, it could
actually be 120 million plus, but there might be some duplicates in it, so they've gone for conservative and said 60
million. But that does make a refreshing change, right, is that they've gone for the, you know, the
conservative number rather than... But also this is by a company that is a year, less than a year old.
It's got no website, it's got no thing. It's like, where did they get those details from?
Facebook.
Yeah.
It's one of those marketing companies, I think, that email you say,
hey, we have all the customers off your competitors.
The company's called One More Lead, right?
Yes, that's the one. But is it me, or have you two been getting more and more emails
from people trying to sell you the RSA attendee list recently?
Don't read email.
Not recently.
Well, no, you don't.
Oh, virtually every week just following up on this RSA list.
And RSA themselves have said they don't even sell that list.
So I don't know how they're getting this information, but they keep on.
It's that person at the front that's scanning your badge, right, isn't actually associated with RSA. Yeah, they've been doing it for years.
God, that would be genius, wouldn't it? Stand at the front of the doors with a badge
reader, yeah, collect every attendee. You might not get every single attendee, but you'll get a lot of
them. Yeah, you ever hear about the, um, we might have spoken about this on
the podcast a while back, but there's a car park that people would go to, and, you know, a ticket
collector was there, and then they reached out to the council because they didn't know how
to pay, and the council were like, we don't own or manage this, someone's just been taking the money.
That was Bristol Zoo, yeah. Yeah, I remember telling you guys, like, 20 years... Yeah, yeah, that's
right, he was, you know, taking money, walking around, you know. Yeah, absolutely, absolutely.
I think that's a lovely story, because he was providing a quality service at the end
of the day, you know. Nobody else... it wasn't, um, you know, doing it to the detriment
of people. In fact, if nothing else, it was helping Bristol Zoo get more people in.
It's not like as a football fan when you travel to Liverpool
and you park your car and some scallies come up and they're like,
hey, I want your car for a favour, mister.
And it's like, oh, man, you know those windows are going in
if you don't pay these kids.
Yeah, that's right.
That's right.
You know, the other story that's really interesting
is Zoom pays $85 million to settle privacy suit.
And they didn't do enough to protect their users from Zoom bombing.
And, you know, apparently some of the data was
shared with Facebook and Twitter and what have you. Multiple complaints, I think. Multiple complaints,
multiple complaints. And I was like, you know, and this, um, lawsuit was filed in March 2020,
and I was like, you know what, I'm sure Zoom were trying to, like, bolster their security
back then. So I've done a quick search, and, um, in April 2020, um, Alex Stamos joined Zoom as an advisor.
So this is, uh, another one of those, not wanting to, you know, causation equals correlation type things. But this is ex-CISO for Facebook during the Cambridge Analytica years, right?
And then like CISO of Yahoo after the greatest data breach of all time.
I mean, I'm not saying anything like, you know, it's a tough job.
Don't get me wrong
it's just damn that guy's always
you know like Forrest Gump where there's
like major events there
he's always there
Alex we know you're an avid
listener so please come on we'll do a special
we'll do a special just
for you we'll spend an hour
with the three of us
ripping the piss out of you and giving you every
opportunity to respond.
But in all seriousness, if you'd like to come on the show, or if you know Alex,
if you're a listener who knows Alex, please do come on because, yeah, we joke and we take the
piss out about this. But at our hearts, we are serious security professionals. Well, two out of three of us are, anyway. But, um,
serious security professionals, we'd love to hear kind of your side and your take on this, because
obviously we're going to take the side that, uh, sounds funniest and does a better story. So please
come on, we'll do a full hour special, um, and, uh, we might even let you listen to it as it goes out live. Yeah, it'll
be like one of those, uh, this would be our equivalent of, uh, you know, like on Smashing
Security where they get the sponsor to talk and everyone fast-forwards at the end. Yeah, it'll be
like that, we'll just stick it at the end. Yeah, there was that one the other week from a chap
from a, I can't remember the company. It was orange-branded, based in Florida.
God, that guy was dull.
I had to fast-forward through that.
Yeah, I always fast-forward through him.
Yeah, exactly.
Mallock, something like that?
Jack Mallock.
Yeah.
Timmy Mallet.
Timmy Mallet, that's him.
I mean, you know, he's got the same sort of, you know,
inane grin most of the time.
Excellent. Thanks. Thank you very much, gents, for this week's industry news. Always a good one, I should say, always a good one. In the category of
most entertaining content, the winners are Host Unknown. It's also strange for us because we voted for Lazarus Heist 2.
So we are going to keep playing those jingles,
telling everybody about how we won Most Entertaining Podcast
all the way through to next year when we're going to win another award for something.
How did we get on in the ponies this year?
Do you know what? I've not seen the results.
They've not posted the results.
In fact, let's do a very quick search now.
Because I think had you been there, you could have collected it for us.
Well, that was kind of my plan, you know.
So do a quick search.
Pony Awards 2021.
Apollos apparently won two 2021 awards.
Let's have a look.
Pony Awards today.
And they've still only got the nominees up.
Oh, announcing the 2021 winners.
Okay.
This is live.
This is live.
Ah, fixed.
Mother...
Okay.
Sorry.
So it wasn't us then.
It was us.
No, it wasn't.
No, it wasn't.
It was the ransomware song.
Hmm.
I mean, they have shunned us four times now, haven't they?
It's a guy who's shot the video in vertical format
and posted it on YouTube.
That is just unacceptable.
What?
Oh, my God.
He's holding it in his hand, like, and he's playing the piano? No, he's just placed it up and
then he plays the piano. I'm sure it's a good song. High quality this year. Hmph, hmph. Well, you heard
it here first, folks, uh, the Pony Awards, don't bother, overrated. Absolutely, it's a complete fix, definitely. I mean,
four times, come on. Oh, I don't know. So I don't know if you guys, um, receive my newsletter.
I think I unsubscribed, but do go on. So I, um, you know, that unsubscribe link doesn't go anywhere, takes you to a page that says your request has been actioned. It's a static page.
Yes, I know, I see you hit on it three times a week, Andy. So I put in a story this week about, um, legacy, and this ties into,
um, the Pony Awards, eventually it will. So, um, there was, in 1846 there was a guy called Emil Nobel, and he was killed while working in a nitroglycerine factory.
And nitroglycerine was really unstable.
Hazard of the job, right?
Yes. Yeah. But his brother was a scientist and he was a pacifist and he wanted to make nitroglycerine safe.
And he figured out a way to make it really really safe and so you know
a really massive breakthrough. However Alfred's older brother then died from an illness and a
newspaper confused the two brothers. The newspaper thought that the brother that made nitroglycerin
safer died and the headline said Nobel the merchant of death is dead. Because nitroglycerin,
once it was made safe, was used on dynamites explosions and the war and everything. And
Alfred was shocked because he just wanted to make something safe. He was a pacifist.
He was humanitarian. But he was, you know, portrayed as a monster for discovering dynamite,
and that's not how he wanted to be remembered. So he ended up founding the Nobel awards, and, um, you know, in that there
was also the special Nobel Peace Prize, and that's how he redefined his own legacy. Is that a prize for the most amount of pieces you can get blown up by some dynamite?
I assume so.
They're the Darwin Awards.
It's like a 10,000-piece jigsaw puzzle.
Standard operating procedure in case of a bomb is to disperse yourself across a very wide area.
Yes, yes, yes, exactly,
exactly. Um, so, um, I think that's what people do, they create these awards things just to create a
better legacy of their own. But unless you do them right, uh, you end up making some very powerful
enemies along the way. So... Oh, I did wonder where this was going. So therefore, uh, we are now announcing, uh, nominations for the 2021 Host
Unknown Awards are now open. You know what, I think that's got legs. I do, I think Host Unknown Awards
or the Host Unpwned Pony Awards. Yes. Pony Awards, we're coming for you.
And we will announce the winners on the same day as the Pony Awards.
And we'll see who gets more people going to them.
We know it's going to be the Pony Awards, not us.
But I think that's got legs.
I think we should start doing that.
Yes.
Yes. Yeah. Yes.
Yeah.
I'll get some cheap crap from a pound store and spray it gold as an award.
We might be able to get a sponsor or two.
Yeah.
Alex, do you want to sponsor the Host Unpwned Awards?
Yes.
So between Alex Stamos and Kim Jong-il, we can make this really
attractive, right? Oh, that would be brilliant, that would be brilliant. The Host Unpwned Award.
Oh, man. Right, well, in case you're wondering who the hell we are, this is the Host Unknown Podcast. So, uh, Andy, let's get straight on, we're running out of time very rapidly, and let's go on to this
week's Tweet of the Week. We always play it twice. Tweet of the Week. So this is a light-hearted one
from I Am Developer, and I guess this is the modern era. Like, if I was a lot younger,
this would be the cartoon on the back of a paper,
I think.
But obviously in the era of Twitter,
it's kind of described visually.
And so I am developer says,
you know,
20,
2004,
maybe I can just edit this HTML myself.
Fast forward 17 years.
Why am I sat in a sprint planning meeting? I just wanted to
edit my MySpace profile. And so there's that visual. It's funny how things work out. You know,
you think you do something, you just want to make one slight improvement. And then you end up,
you know, saddled with a job and a career and God knows what else, fighting the man every day for being a wage slave just to, you know,
pay for stuff that you don't really need.
Yeah, I know we were talking about your job before the episode started, Andy,
but blimey.
Did it leak out there, Jeeves?
It took a turn.
It took a turn, slightly darker, but. Slightly darker. But, yeah.
Yeah, that was me channeling my inner Jav.
We're approaching the end of the show.
It's been too much fun.
Approaching the end of the show.
I'm sure you're going to say,
we're approaching the end of our useful lives or something like that
if you're channeling your inner Jav there.
These meat puppet vessels are no longer for this ursula.
I know I'm the old one, but Jav is actually, I mean, mentally,
I think he's centuries old and just fed up with life.
You too, that's the thing.
He was happy before he starts interacting with us.
Yeah, exactly.
I mean, the car hitting my wall in the front was more entertaining than speaking to you two.
That's been the highlight of your day so far.
It has.
That's right.
You're just punching the air saying, I'm glad I paid those house insurance premiums. Yeah, but by the end of next week it's going to be like 20 cars piled up outside. You know, it was like, oh, you wouldn't believe it, I had to pull an old pensioner out of the way just to save them.
I've had the best week ever. You're going to be wheeling out your old, um, Toyota, aren't you,
sticking it in the rubble for a replacement? Oh, man.
before we incriminate Jav any further
that was this week's
tweet of the week
oh dear
gentlemen thank you so much
for your time this week
Jav I hope your day does get
a little bit better
and you do get a nice, lovely new wall
from this morning's activities.
Thank you.
And Andy, thank you so much, sir.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Another one down.
Indeed.
Do you think it's too late for me to go and lie down
and put one of those fallen bricks on my leg?
The old classic.
I was going to say, put a pillow on your face.
Just in the driveway, just sit there and position myself underneath some of the rubble.
Yeah, holding your back going, oh.
Well, if you appear on next week's episode in a neck brace,
not forgetting this is not a visual medium,
we'll know what's happened.