The Host Unknown Podcast - Episode 68 - One More Show Until Dinner

Episode Date: August 13, 2021

This Week in Infosec (14:29)
With content liberated from the "today in infosec" Twitter account

10th August 2001: A Japanese woman, Kumiyo Kishi, was arrested for accessing her coworker's email account, then contacting the user's ISP to regain access after the coworker changed their password.
Japan arrests woman for email snooping
https://twitter.com/todayininfosec/status/1425123899474423811

7th August 2010: Terry Childs was sentenced to 4 years in prison for network tampering after refusing to hand over network passwords to his supervisor. He was later ordered to pay nearly $1.5 million in restitution.
S.F. computer whiz Childs gets 4-year sentence
Sorting out the facts in the Terry Childs case
https://twitter.com/todayininfosec/status/1291377901456232448

Billy Big Balls of the Week (28:34)
https://twitter.com/J4vv4D/status/1425381977482539008?s=20
"My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here's how it all went down:" - Dan Guido

Industry News (38:51)
Disney Employees Among Those Arrested in Child Abuse Sting
NCSC Sticks by 'Three Random Words' Strategy for Passwords
Martial Arts Instructor Accused of Spying on Students
Fraudsters Impersonate DPD in "Convincing" New Smishing Scam
House of Commons (HoC) Beefs up Cyber Training Following Matt Hancock CCTV Leak Scandal
Chinese Espionage Group UNC215 Targeted Israeli Government Networks
Salesforce Communities Could Expose Business-Sensitive Information
Over $600 Million Stolen in Biggest Ever Cryptocurrency Theft
Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack

Tweet of the Week (46:45)
https://twitter.com/runasand/status/1423810127451365382?s=20
"Looks like pornhub is always bending over backwards, doing far more than any other social media platform"
In a Huge Policy Shift, Pornhub Bans Unverified Uploads

The Box incidental music © Charlie Langford

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Andy, have you got Crisp on? I do, but I was eating cereal. Yeah, I know, and I could hear the clink of the bowl. Oh, really? Oh, maybe I don't have Crisp on then. Or maybe you're just a really loud eater. Right, let me do the old jelly bean test. Oh, Jesus Christ.
Starting point is 00:00:21 Yes, yes. Okay, so Crisp is not on, it would appear. I tell you what, that jelly bean can is definitely getting emptier and emptier. That's on its third refill. Yeah, that's right. You ever seen those Americans on the gun ranges and, like, the ones that are really good? They're, like, bam, bam, bam. It empties and, like, within half a second they've emptied the magazine and stuffed a new one in.
Starting point is 00:00:46 You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening, and welcome to the Host Unknown Podcast, episode 68. And yeah, I know, I know, who'd have thought it? So do you know what that means for episode 69? Although in reality it has already passed, because this is really episode 73. Yeah, for episode 69 I think we should bring back Smutty or Security. Oh, absolutely. In fact, why aren't you working on it right now? Because Crisp isn't working, so you'd hear me typing. Yes, indeed. Yes, indeed. Very true. Very true. Yes, we are episode 68, 70, whatever. It doesn't matter. We've lost count.
Starting point is 00:01:47 Andy, how are you? You've had a busy week. It's been a crazy week. I've been up in Nottingham, one of the offices we have up there, like up and down the country this week. Lots of driving. Got back late last night. And I haven't told you guys this yet. When I got back late last night, I had a notification that my 23andMe DNA results were in. Whoa. So I just took a DNA test. Turns out I'm 100% that bitch.
Starting point is 00:02:17 If you're a TikTok user, you'd get that. I have no idea what you're talking about. So, yeah, I mean, this is one of these things I have debated for years about, whether or not I'm prepared to submit my DNA to, you know, companies like this, because of misuse and obviously showing up in unsolved cases somewhere across the country. But no, it's actually really interesting, and I was reading it. So I did it on Prime Day, right? I bought it through Amazon at the time when it was nice and cheap, and it comes like, you get this, like, you've got to spit in a vial, and it's actually a lot harder to
Starting point is 00:02:58 generate the amount of saliva you need to top it up without, like, dropping a, you know, a pavement oyster in there. So it goes into a box, and it's second class, and I thought, you know, should I just get this done expedited? You know, should I pay for the extra? And I was like, I didn't bother at the time, stuck it in a second class box, posted it. And then you can track it, and I'm like, okay. You know, like a week later, you open the app and it says waiting, waiting for your receipt, and I'm like, Jesus, what's going on? And then it's like 10 days after that, and then all of a sudden it says, oh, you know, we're now going to post your kit. And it's like, what? The kit goes to the US and it takes forever to go through. So if you think of when Prime Day was,
Starting point is 00:03:41 like back in, when was it, end of June? Six weeks ago. Yeah. So they registered, oh, I registered the kit on the 4th of July, yeah, funnily enough, and I got the results yesterday. So it's been a while, and, you know, I posted it straight after I spat into it. So, so just to clarify, is your spit covered under GDPR? I believe it is. But it's an American company, so you never know. Okay. You never know.
Starting point is 00:04:13 Yeah, they're not big on privacy. Any privacy lawyers out there, is spit covered under GDPR? Yeah. So, yeah, I mean, it was quite interesting. Under the health analysis, they do things like, I'm predisposed to, like, some of the personal traits were a bit, you know, a bit too personal. You know, I'm predisposed to basically hoarding items I never use. Seriously, it gets to that level of detail. It says that, yeah, I'm predisposed to favouring sweet things over salty things. Well, no shit, Sherlock. They could
Starting point is 00:04:46 probably tell by the M&M-coloured spit that was in there. I did not fill in any of the data. Like, it says, while you're waiting, why don't you fill in some of this information to help us make your results more accurate? And I was like, no, I'm not telling you nothing. Like, you know, you tell me all about this. But one part I was very disappointed in. They said that I am 82% unlikely to have any bald spots. So I was like, guys, you're way off the mark with that one. It's certainly the other way around. But conversely, they're saying you're 18% likely to have bald spots.
Starting point is 00:05:24 You always were an outlier. Well, exactly, yeah. But no, other than that, it's quite interesting, and it sort of populates a family tree of people, DNA relatives. Yeah. And I do have, it looks like, relatives in the US who share my mother's maiden name, but a different spelling of it, which we are aware of. So it's accurate that at some point... Which trailer park are they in? Well, funny you say that. A couple of them are in North Carolina.
Starting point is 00:05:56 So that is proper you know. We are in Trump territory up there. But yeah, no, the other we've got some in California as well, by the looks of it. So hippies on that side. That's the side of the family you don't talk about. Yeah, exactly.
Starting point is 00:06:13 But yeah, no, interesting. Wow, that's fantastic. So what was the most mind-blowing thing from the whole test? Do you know who your dad is? Yeah, so I do. It's quite interesting. So I am 55.9 percent European of either British or Irish heritage, which I think I knew. My mother's Irish. Makes sense. Yep. And then the next highest one is the sub-Saharan African at 25.7 percent, obviously,
Starting point is 00:06:42 my father's Mauritian. But then they break it down a bit further, and it's not just sub-Saharan African, I'm also 14.1 percent Central and South Asian. Right. What? Yeah. So on my father's side there's some Sri Lankan, Central Asian, Northern Indian and Pakistani, which is obviously why, you know, I think me and Jav have a good bond, you know, probably better than me and you, Tom. Yeah, against the imperialist invader. Yeah, absolutely. So yeah, it's nice, but I'm 55 percent Irish and 45 percent African. Wow. Yeah. Which, to be honest with you,
Starting point is 00:07:26 never have guessed from looking at you. Let's face it. Um, yeah, fair comment. Yeah. I'm a man of the world, you know,
Starting point is 00:07:35 I blend in anywhere. That's why I don't know. You blend in anywhere where there are other pale-skinned people. Yeah. In Africa. In Africa, yeah. That is quite fascinating. Yeah.
Starting point is 00:07:50 Jav, what about you? How did your DNA test work out? No, like Andy said, you know, there's just too much risk for being implicated in something. The child support agency might get hold of it. Yeah, yeah, you never know. You never know. So I'm keeping shtum on that.
Starting point is 00:08:11 But no, speaking of child support agencies, like yourself, well, both your kids, Tom, I believe they had major educational milestones this week. Yes. And my daughter also, she gave her GCSEs. It was all teacher assessed, but she got her results. And I was very happy, pleasantly surprised. And, yeah, so she's now on to do A-levels.
Starting point is 00:08:43 Nice. Very good. Yeah, same with my daughter. She said she was a bit disappointed with the results, but it was enough to get on to the next step, right? You know, you just do a reset and to be blunt, you start to forget about your O-levels, or sorry, GCSEs after a while, don't you?
Starting point is 00:09:00 Yeah. I'll tell you honestly, were they still called O-levels when you did them? Yes. Damn, man, you're old. I was the last year of O-levels. In fairness, in my defence, I thought they got rid of O-levels a lot later than that, but okay. 1987 was the last year of O-levels. There you go. And yeah, my son got his results. He did very well. He got, was it, well, his highest grade, which was an A star, was in drama, which, given, you know, for a young man who stammers, I find incredible.
Starting point is 00:09:39 I just, he gets on stage and it's gone. It's like there's, it's as if it's never happened to him at all. It's quite incredible. And obviously we talk about it with him, and he doesn't really get it either. He just knows he likes getting up on stage and having a laugh. Wasn't there that, this is going back years and years, but there was one of those Pop Idol ones or something like that? Gareth Gates?
Starting point is 00:10:03 Yeah. Yes. He wouldn't stutter when he sang, but when he spoke, he could have controlled it. I was saying Ed Sheeran was a stammerer as well. So it's interesting. It's one of those things, funnily enough, and obviously we've done a bit of research on it and all that sort of stuff,
Starting point is 00:10:21 but we still don't know what causes it. Still have no idea what triggers, you know, what actually triggers a stammerer to continue to stammer. Because we all stammer to one extent or another, right? You know, if we're stressed and we can't get our words out, it's effectively the same thing. Recording a podcast. Recording a podcast, yeah, under stress and duress in most cases. But, you know, so everybody has it, but it's just that it sticks with some people more than others, and nobody knows why yet. So it's fascinating. But yeah, so he's off, he's taking a year off. We're going to be doing some film work, videographer work, and, you know, anybody need a good, talented sort of director,
Starting point is 00:11:07 editor, etc., films, just let me know. And then he's off to the London Film School next year. Well, let me, well, hope so, that that one year off doesn't turn into four years. Four years, yeah, exactly. A trip round Thailand. Yeah. Well, at the moment, right. Yeah, well, we're going to... I say we, he doesn't live with me, but that's going to be discouraged by ensuring he pays rent. Yeah. If you're working, you're paying rent, end of.
Starting point is 00:11:43 It's only fair. Yeah, absolutely. And to be blunt, it just all goes into the big pot that pays for his university education anyway, right? Yeah, well, or your Apple gadgets. Yeah, yeah, yeah, like I'm gonna see any of this money. Come on. Is it better to call it rent or... Call it parent tax. Board and lodging. Good one. So, you know, I was reading this interesting thing about how calling different things something different actually makes a profound impact on how people perceive it. Yes. And the one example they said was student loan. They said, we call it a student loan.
Starting point is 00:12:27 And in our minds, it's always that, oh, we've borrowed the money and we have to give it back. And one of the ideas was, well, think about it, you only have to pay it back if you're earning over whatever, 35,000 a year or something. So they said, rather than calling it a student loan, call it a future wealth tax. So you only get to pay it if you are wealthy. Wealthy, yeah. And if you don't, then you won't have to pay it. And that actually, you know, for a lot of people, then that actually removes a lot of the negative connotations. And the stigma as well. Yeah, exactly.
Starting point is 00:13:10 Yeah, I like that idea. I like that idea. Yeah, the problem is because he's going to a private institution, the London Film School, rather than a sort of regular university, so he can't even take advantage of full student loans, I hope. Harsh. That's what Dad's for. Sorry, that's what, what?
Starting point is 00:13:26 That's what his dad's for. Oh, my God. Yeah, but, you know, that's not going to pay for the next iPhone, is it? Perhaps you should call it the Future iPhone Renewal Fund. So when he's big and famous and he's getting sponsorship and all that sort of stuff, I get all the benefits of that, right? So what have we got coming up for you today? Well, This Week in InfoSec warns of when sysadmins go rogue. Rant of the Week is actually MIA this
Starting point is 00:14:02 week. Billy Big Balls gives us a blow-by-blow account of scooter theft and recovery. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week shows Apple possibly tripping up on their own shoelaces.
Starting point is 00:14:20 Alright. Andy, I think it's time for our favourite segment of the week in its... This week in InfoSec. Yeah, it's that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account. So the first story is going to take us back a mere 20 years ago, on or around the 10th of August 2001.
Starting point is 00:14:56 Good times back then. So a Japanese woman. I was actually in the US, I think, around about that time. 2001? Yeah. Good times. A Japanese woman, Kumiyo Kishi, was arrested for accessing her co-worker's email account, then contacting the user's ISP to regain access after the co-worker changed their password.
Starting point is 00:15:21 So the source is El Reg. So I believe they do have some integrity, but I struggled to corroborate this story. But the story basically goes that this Japanese lady was just reading her colleague's email, just like out of interest. Okay. Just, can't... why not, right? And she was given this dubious honour of being the first person in the country to be arrested for breaking what's called the electronic communications law, according to the Mainichi Daily News reports. But I can't find any more information about that law either. At least not in English, anyway. At least not in English, no.
Starting point is 00:15:57 Yeah, and that's right. It could just be something, you know, not... I mean, most laws are translated for international purposes. Anyway, this 30-year-old lady from Tokyo, once she was caught reading her co-worker's emails, her co-worker changed her password. And then Kishi just contacted her ISP. And she was like, hi, I'm so-and-so.
Starting point is 00:16:20 I forgot my password. And the ISP help desk was like, oh, no, I hope we can help you. Can you confirm that you are this person? And she says, yes, I am. And the help desk person says, excellent, okay. Your new password is 123456. You know, please change it when you log in. Have a nice day.
Starting point is 00:16:38 Oh, my God. And then she continued to read the emails for another couple of weeks. Yeah, but how, if the password was changed, how was the other person really... That was the giveaway. Oh, I see, right, okay. Yeah, yeah, I mean, obviously that makes sense. But did she not think that part through? Well, do you know, 2001, different times, right? It was, you know, I don't think people were as attached to email as they are now. This is true. I definitely had a lot more memes back then. Yeah, and it will also span, you know, when you used to get those executable files via email,
Starting point is 00:17:18 and it's like, oh, you know, check this, and it's like gnome bowling. Yeah. You know, you double-click the EXE, and it turns your screen into, like, a puzzle, and you have to solve the puzzle in order to get back to your work. Yeah. All those kind of, like, you know, a virtual Rubik's Cube type thing. The one I remember was, and I stood in the Charing Cross offices of PwC on the fifth floor, I think it was,
Starting point is 00:17:45 which is like a hot desk in floor. And I think I had a locker there and I was just opening the locker and suddenly I heard from one of the desks, hey, everybody, I'm watching porno. I knew you were going to say that one. That was a classic. Which was a classic. But do you know what?
Starting point is 00:18:03 Not a single reaction. Nothing. Nothing. Not even somebody kind of like slapping their keyboard or looking around. Because I was like, where was that from? That is awesome. Oh, dear. Yeah, good times.
Starting point is 00:18:21 But then, you know, one person ruined it for everyone. You could no longer send EXEs or, you know, things like that to people. Yeah. And then you had to embed them in Word documents and shit like that. Yeah, exactly. It's just been a game of cat and mouse ever since. It was. It was.
Starting point is 00:18:38 So, you know, the interesting thing about reading emails is that nowadays what you see a lot, well, I say a lot, but there's been a few cases where I've seen they gain access to an email and they know they're going to get caught or the password's going to change at some point. So they end up just setting up an inbox rule to forward all the emails to them. Brilliant. So that way, even if the person changes their password, unless they actively go in to check their rules, yeah, make sure that it's not being copied and forwarded on,
Starting point is 00:19:11 they'll just never know, and you can just read their emails forever. Forward to Jav Malik at aol.com. Yeah, yeah, exactly. We had, yeah, what's it like, YTS, what's the equivalent of YTS that you call these days? But anyway, these kids were in the office and they used to just keep leaving their laptops unattended, right? And so in the old days I would go to, like, hotmail.com, but as in, like, H-O-T-M-A-L-E. Yes. You know, and so set that as a default browser, so it kind of loads up, it's almost like Lemon Party when it loads. But obviously in the corporate environment you've got, like, filters and, you know, that sort of stuff doesn't fly. So what I typically do is set myself as, like, administrator of the mailbox and, you know, control the calendar as well if people leave their machines. And then, you know, I go to
Starting point is 00:20:02 friendlies that I know. So, you know, I knew these girls in the other office and I sort of gave my heads up. I said, hey, look, you know, I'm gonna send you some stuff. It's obviously from me, but can you act outraged and stuff like that? I remember this one guy, Nathan, and I basically sent a calendar invite to this girl. I said, hey, look, you know, I saw you walking around the office. Do you fancy meeting behind the bike shed? You know, I'll block out 30 minutes in the calendar. So she got this invite, she replies and she's like, this is wholly inappropriate, I'm gonna contact HR. And oh my days, like, just the panic, you know, when someone goes bright red, and it took him, like, a while to figure out what was going on. Oh, unsurprisingly. And then the other one is when you just, I call it like a chat roulette, you know, where you just open up someone's Skype or Teams and then just message a random person in the address book
Starting point is 00:20:56 and ask if they sell drugs or anything, or like where you can score some drugs. Hey, I'm coming to the office on such and such, and I was told that you might know where I can score two grams of Coke or something. I mean, these are the only ways you can do it these days with all the filters and stuff. But anyway, I digress. Moving on to the second story. Ten years ago, on the 7th of August 2010, Terry Childs was sentenced to four years in prison for network tampering after refusing to hand over network passwords to his supervisor.
Starting point is 00:21:34 What? And he was later ordered to pay nearly $1.5 million in restitution. And I know you say, well, you remember this when you hear where it was. And when I read this, I remember the story because it freaked out the MD of the company I was at at the time, because he was trying to figure out how an entire city government could apparently lose control of its network. Oh, that's right. Yeah, San Francisco. Exactly. Yeah, San Francisco. Terry Childs. I looked at a few stories on this one.
Starting point is 00:22:09 One of them even gives his CCIE number. So he's a certified Cisco internetworking engineer. So he was a member of the San Fran DTIS, the city's IT department, for five years. And he was part of the group that built and managed the whole city's networks. He was one of the most experienced and advanced network administrators, and he basically single-handedly designed and built this fibre WAN that they had across the city that sort of connected the fibre to the MPLS. And it's a really complex network, and it's core to all of the city services. And when Terry Childs created this, following its completion,
Starting point is 00:22:52 he actually looked at it as a creation of art. And so much so that he actually applied and was granted a copyright for the network design as technical artistry. What? But only as technical artistry, though. As technical artistry, yeah. So if you, yeah, but what kind of ego have you got to apply, you know, and get that, right? I mean, he basically did not trust his colleagues at all.
Starting point is 00:23:17 You know, so he essentially became the sole administrator of this fibre WAN, and as a result the only person with the passwords to the routers and switches, you know, that controlled the whole network. So it was known throughout DTIS, you know, he was the only point of contact for changes, troubleshooting and just basically overall management. And so there was a new security manager that was brought into the DTIS, you know, a couple of weeks prior. And there was what they call an altercation between Childs and the security manager, Jeana Pieralde. And essentially, like, the court ruling was that, you know,
Starting point is 00:24:01 he started harassing her and then confronted her, took photos of her with his mobile phone. And, you know, she feared for her safety. So she locked herself in a room, called the CIO for help. The CIO came and then, you know, had words with Childs, and Childs later left. But, you know, what caused this altercation? I guess you may ask. So basically, no one told him that she was coming in as a security manager to audit his network. And so he perceived that as, like, an insult and a threat to, you know, whatever he did. So, I mean, the exact details of what happened over the next couple of weeks is still a bit of a mystery.
Starting point is 00:24:38 But essentially his boss basically asked him for the usernames and passwords and he refused to give them. So he was suspended for insubordination, and then it led on to other things. Like, then he was put under surveillance because, you know, now he was... he didn't actually make any demands, but, you know, they were worried that he was now holding the city to... yeah, yeah. And they found, like, guns and ammunition, all kinds of stuff at his house when they put him under surveillance. It's America. Of course, yeah. I mean, you know what they're... They'll find something on you if they want to, right? But even after he was arrested, he refused
Starting point is 00:25:12 to give up the passwords to the network, and he said that he would only give them to the mayor. So, you know, get me the mayor down here if you want these passwords. And then it was about three weeks later, the mayor actually visited him in prison, met with him for 15 minutes, got the passwords, and then, yeah, but like, following just
Starting point is 00:25:32 one bit of clarification after that, you know, with his boss, that they did actually have access to the network again after that. But yeah, utterly crazy that he could just take control, or, you know, he did have control of this entire network and there's nothing anyone else could do. You see, this is less about sysadmins holding organisations to ransom and more about the average American's access to mental health care, potentially. Yeah, I mean, but a good, you know, password management system, you know, something like LastPass. Hey, I understand they're on a break for a couple of weeks. So, hey, LastPass. Did that exist in 2010, though? Yeah. No, maybe. So we've just discovered the origin story
Starting point is 00:26:18 of LastPass, right? So, all right, yeah, I'm sorry, I thought you had... I thought that was a different story. And from that, the mayor of San Francisco established a task force called LastPass. That guy's name? Albert Einstein. But yeah, no, but LastPass, yeah. No, interesting story, yeah, a warning as to, you know, what can occur if you don't treat your sysadmins with the, you know, if you insult their technical artistry. You understand that these guys are not just, you know, tech monkeys. They are proper artists. Well, or if you just don't provide them access
Starting point is 00:27:02 to regular mental health care. Yeah, well, you know, potato. Well, it's more about, I think, like, if you put all your eggs in one nut basket, then... Nut basket? That just sounds wrong, Jack. I know. I said it and it sounded wrong, but I tried to ignore it and keep rolling with it and you had to point it out. Thank you. Try to ignore it and keep rolling with it.
Starting point is 00:27:23 But yeah, I mean, it's, um, I mean, say he didn't, you know,
Starting point is 00:27:29 take this order as an insult or something, you know, say he was actually hit by a bus or a tram in San Fran. There is that. Yes. You know, this is a, yeah,
Starting point is 00:27:37 this is bad, but he shouldn't have been allowed to get to that point in the first place. Right? No, no, but this is great. This reminds me of, you remember the opening scene of, well, in RoboCop, when the guy, he takes town hall,
Starting point is 00:27:50 and he's like, I want the mayor and I want a chopper and I want a car that does really shitty gas mileage. Oh, man, that's a miracle. America. Excellent, thank you very much, Andy. This Week in InfoSec. We are officially the most entertaining content amongst our peers.
Starting point is 00:28:21 Yes, we are the most entertaining content. Anyway, Jav, I believe it's time for you now for this week's... Okay, so, you know what, I'm still daydreaming. I'm still thinking, like, how can I apply for a copyright in technical artistry? That's something for the bucket list now. You have to do two things, Jav, first. You have to do something technical and something artistic. And just in case you're wondering, I already own the copyright for this podcast. Neither of which are technical nor artistic. I am the Banksy of the infosec world. Anyway, Billy Big Balls of the work week, work week, has to go to Dan Guido, who is a friend of the show, a famous guy on Twitter, at Dan,
Starting point is 00:29:28 at D Guido, D-G-U-I-D-O. Anyway, he's the CEO of Trail of Bits. So he owns one of those electric scooters. But please do not judge. I was about to judge and then I read the thread and, you know, he's not one of those guys. Anyway, so his electric scooter was stolen. Unknown to the thief, he had hidden two AirTags inside it. Apple AirTags? Apple AirTags, yeah. He's a man of taste and honour. I just imagine the thieves, like, they take it to their chop shop and someone's like, hey, do you know
Starting point is 00:30:07 whose scooter you stole? This is Dan Guido's, you crazy son of a bitch. Look, he has not just one head, I've got another two. And you killed his dog. Get it out of here. Anyway, so he went out for dinner and he locked it to a grate with motorcycle handcuffs, because he finds them easier to use than a cable lock. But apparently he's, sorry, so can we
Starting point is 00:30:37 just go back there what are motorcycle handcuffs is that when motorbikes want to get kinky or something? Is it a type of bike lock? It is a type of bike lock. I've never heard it called a motorcycle handcuff. I mean, I've seen those kinds of things. They're just, yeah. Don't we call them like bike locks? Yeah. Well, yeah, exactly.
Starting point is 00:30:59 That's what I'm thinking. Instead of a chain, it's a rigid hinged set. Mechanism. Mechanism that you lock around your. Yeah, but bikes don't have hands. A D lock. Ah, right. Now we're making sense.
Starting point is 00:31:16 No, but they don't have Ds either. No, Prince Albert. Oh, man. No, Prince Albert. Oh, man. Anyway, so the reason he had hit two air tags in there is that one was a decoy in the wheel and the second, more subtle, one inside of the stem covered in black duct tape. So if someone was actively looking for these, they would find the decoy one hopefully and think, job done. Yeah.
Starting point is 00:31:48 So the next day, he had to fly to Black Hat. So he wanted to try and find it. He had NYPD meet him. But they were reluctant to help because they weren't familiar with airtight thought i might be enlisting them to steal something and refused to walk me with me if i knocked on a door or or on a store he only had an hour to hunt couldn't find its precise location uh thought it was within an apartment but um you know but then he had to go um he couldn't get the the precise location why because of apple's anti-stalking features um yeah yeah yeah you know three days or something like that yeah yeah so they if you're an iphone user you receive a push notification if an unknown ear
Starting point is 00:32:39 tag has been like quote-unquote following you without its owner for a random time so between 8 and 24 hours and then the air tag will start making sound with a built-in built-in speaker yeah um luckily for him the air tags didn't move for the whole week so he caught up with a new plan so he got back from black hat um called the police trying to convince the cops to help him. And this is really interesting because he encountered resistance. So he, you know, some were saying, go back to where it was stolen, call 911. Someone else said, that's not our precinct. Others saying, we can't help you if he's inside a residence. Others are like, we're not familiar with your voodoo magic air tags. But, you know, he said he was patient.
Starting point is 00:33:32 He tried to educate them, showed them what the AirTags were, you know, made a joke about it only costing $800, so it's not a felony. So eventually he got a two-man patrol to drive him to the current location. Yeah. Pointed at apartments, and then it is what I could imagine it being, one of the films, like someone turned around and the camera pans around and everyone just stands there, because there's an e-bike shop right there underneath the apartments. So they walked into the shop and he immediately got a ping that he's, like, about 13 feet away.
Starting point is 00:34:12 Yeah. Gestured to the cops. Seconds later, he walked right into his scooter. The employees were in disbelief. How did I know it was mine? I played sounds from an AirTag. Not good enough. I paired it to the Ninebot iOS app. That convinced the last holdouts. What, the Ninebot? I presume that's the make of his bike or something. Yeah, yeah. The iOS, yeah.
Starting point is 00:34:40 So, you know, that shows you, like, all your riding history, percentage battery, range. Anyway, so at this point the one mechanic started making excuses for the current state of it. The woman who brought it in had complained about brakes, so he cut the power line to the handlebars and then removed this. Because this isn't really how you repair brakes. Yeah, cutting them. Yeah. So as I further inspect the scooter, the cops start asking questions. Do you sell used e-bikes? Do you collect them from the seller? Do you ask that they prove ownership? What is the contact info for the person who dropped this scooter off? No, no, no, and we don't know. Right, someone dropped this off. Yeah. At this point I noticed there were cameras. I gestured to the cops to get the video before they delete it. An employee realized that they were investigating further, so he started to become agitated, saying that, oh, you
Starting point is 00:35:43 should be happy that you get a warrant, but, you know, it's your fault for getting it stolen. This isn't how we do things in Brooklyn. Oh my God. So he goes, he stepped outside then, while he let the cops do their job. One employee, the aggressive employee, followed him. He goes, all you're doing is making enemies. Gets closer to me and pantomimes shooting at me. He implies I'd get murdered if he sees me again. As opposed to friendly Brooklyn. Well, exactly, yeah. Can't read too much into that. And the best part is, if he ever needs his bike serviced, he knows where to go now. Exactly, exactly. So, you know, other employees were more cooperative.
Starting point is 00:36:33 They provided video. It's a woman. They claimed that she didn't leave a phone, filled out a police report. And, you know, he got his scooter back. So, you know, some takeaways from this. I mean, this could have been a Black Hat talk. I don't know why he tweeted it out. But some good takeaways were like,
Starting point is 00:36:55 use an AirTag with adhesive that blends in and muffles noise. It's clear that the thief was looking for them. Do not turn on Lost Mode. It immediately alerts the thief that they're being tracked. And number three, act quickly before the anti-stalking feature kicks in. Damage done to the handlebars was likely in response to the regular noise from the AirTag. And four, limit your in-person interactions. Always involve the police. Don't try and retrieve your stolen goods until you have backup. I imagine someone in America sitting
Starting point is 00:37:25 there, they tap the gun on their hip and they say, I already have the backup I need right here. Wow. Do you know what? I think it was quite fascinating. It's more about the sequence of, you know, don't invoke Lost Mode, don't do this, do that. I think all the things that you'd automatically do, oh, my bike's gone. Let me switch on Lost Mode and I can find it. You know, all that stuff, it's slightly counterintuitive. Yeah. It is. It is.
Starting point is 00:37:55 And I think it's really just useful just to hear the process and how difficult it is to convince police, but you need to persevere and get it back. But I think it's kudos to him. He did a fantastic job in keeping his cool, sticking to it and getting it back. So it's a happy, happy story all around. Dan Guido, we at Host Unknown salute you, sir.
Starting point is 00:38:45 Yes, please, like and subscribe. And, oh, Andy, what time is it? It's that time already. It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry News.
Starting point is 00:39:04 Industry News. Disney employees among those arrested in child abuse sting. Industry News. NCSC sticks by three random words strategy for passwords. Industry News. Martial arts instructor accused of spying on students.
Starting point is 00:39:24 Industry News. Fraudsters impersonate DPD in convincing new smishing scam. Industry News. House of Commons beefs up cyber training following Matt Hancock's CCTV leak scandal. Industry News. Salesforce communities could expose business-sensitive information. Industry News. Salesforce communities could expose business-sensitive information.
Starting point is 00:39:53 Who wrote this? Industry News. Salesforce community... No, no. Over $600 million stolen in biggest ever cryptocurrency theft. Industry News.
Starting point is 00:40:10 Accenture tied up in $50 million ransom LockBit 2.0 attack. Industry News. And that was this week's... Industry News. Were there only eight stories this week? No, I clearly made a mistake when I was adding things in, and I clearly got distracted at the time and thought, hey, this one's good.
Starting point is 00:40:34 It'll go in twice. You got distracted by your 23andMe. I was going to say, I'm from Africa. I can see the clickers on there. Who was that that clicked on the House of Commons one first? That would be Jav. Oh, yeah, because it wasn't me. You don't care, and Jav likes to score points. So, you know, that Accenture one. So there's obviously global consulting firm Accenture. They've been targeted by ransomware group LockBit, right? And apparently the group have taken data. And I think I saw their share price hadn't dropped at all,
Starting point is 00:41:18 like completely unaffected by this detail. And obviously you've got the likes of Accenture. It's not just going to be their data, right? They have a lot of people's data. Yeah, to lots and lots of people. You know, similar to, who was it, which of the big four got done before? Was it Deloitte, where they lost a whole load of their client data? I can't remember, actually, but it may well be. I want to get one of them. Yeah, it may,
Starting point is 00:41:45 maybe. I don't know. We're not saying it is Deloitte, but, you know, it could potentially have been one of the big four. But, yeah, I think it just goes to show
Starting point is 00:41:53 you know, we now have this fatigue against, you know, ransomware. It happens everywhere, right? Oh, you got hit.
Starting point is 00:42:00 Oh, well, it's commoditized. At the end of the day, everybody's going to be hit by it. Speaking of a shocking amount of money, you know this story about the $600 million stolen in biggest ever cryptocurrency theft? Yes. And the company that was hit was kind of like a broker. They sort of, like, joined different exchanges together. Of course. And they found a flaw in the way they assigned the contracts to, you know, assign the tokens to, or the Bitcoins or whatever the currency, to. I don't understand the technicalities, clearly, but there was some vulnerability and that's how they made off with 600 million. And what was really interesting about this, as part of their incident response, recovery plan, incident response plan,
Starting point is 00:42:50 they put out a tweet and they said, please, bad hackers, you've stolen 600 million. Can you give some of it? Can you give it back, please? And as a result, I think as of yesterday, 260 million has been returned. What? Yeah, yeah. It's really bizarre. So it's been returned. And then the person claiming to be behind it said,
Starting point is 00:43:16 oh, it was just a prank, bro. We were only doing it to demonstrate the vulnerability. We didn't really. So here we're going to give you like a third of the, or like nearly half of your money back, but not all of it. It's just a prank, bro. Yeah, exactly. But my time costs money.
Starting point is 00:43:34 Yeah. This is the type of consultancy money can't buy. So it was just really, really weird how that all played out. And I assume it might still be playing out. I mean, we're probably going to find out, oh, it was the founders behind it that were behind it, yeah, to begin with. But you hear about these things happening all the time, and I read it and I thought, you know what, this is maybe why, you know, normal finance has so much regulation and what have you. It's kind of like to stop this stuff from happening.
Starting point is 00:44:12 But in researching it, I actually found out, I was like, well, maybe they, I thought maybe they gave back the money because, you know, they were feeling some heat and, you know, they were finding it difficult to move the money out of the wallets or something. And someone told me, no, there's loads of services out there. They call them crypto mixers. And they're basically money laundering for cryptocurrencies. Oh, my God. And so you just, like, dump them, like, 100 million. And in the coming days, weeks, they'll take a percentage and it comes out clean.
Starting point is 00:44:46 So those crypto mixers are the equivalent of all those mobile phone shops that appear on the high street. Yes. And all those laundrettes are open 24-7. That's it. In fact, that's what those laundry machines are doing. They're actually spinning around and generating Bitcoins. Yeah.
Starting point is 00:45:05 It's not just metaphorical, it is genuinely. The other one I like was the NCSC sticks by the three random words strategy. So I think that they're really kicking out some sensible, down-to-earth advice at the moment. Yes. And I think it's true, these three random words. The only problem is, of course, is that just about everyone's password is horse battery staple. Yeah. Correct. Horse battery stapler. Yeah, absolutely. There is still to be a singular, sensible, down-to-earth approach to passwords across all areas of InfoSec. So you've got the NCSC at the top end saying one thing, and then you've got providers of services saying another, where it's maximum 12 characters and you can't cut and paste
Starting point is 00:45:57 and it has to be a mix of everything except these individual characters because we can't be bothered to code those in. Yeah. You know, you're going to achieve peace in the Middle East before you can agree a resolution to what makes a good password strategy. So, well, maybe the solution to peace in the Middle East is the assertion of a good password strategy. Who knows, who knows. Excellent, that was fascinating stuff this week, as usual. That was this week's industry news.
Starting point is 00:46:30 Industry news. This is the Host Unknown Podcast. Indeed. And now we move on to this week's... Tweet of the week. And we always say it twice. Tweet of the week. Okay, so this is a tweet from Runa Sandvik,
Starting point is 00:46:51 who says, I've lost count of all the odd choices Apple has made over the years, and then goes on to count them. But, one, gave us all U2. Two, remove VPNs from the App Store in China. Three, this new approach to scanning. And four, suing companies which enable security research. Interesting one.
Starting point is 00:47:13 I mean, to address those in order, one, gave us all U2. Really? Are we really that fussed about it? Just delete it. It's not a big deal. Really. You know what? I wasn't happy at the time because if you consider back then,
Starting point is 00:47:26 I mean, not only are iPhones expensive, they always have been. They do have very, very poor capacity. Then delete it. Well, it's more the fact they just did it without fucking. No, they told you. They told you they were going to do it. When? I had absolutely no recollection of them telling me.
Starting point is 00:47:46 In their announcements. What announcements? They made an... I was watching it. Clearly you're not a fanboy enough, Andy, if you don't sit through all the keynotes. Anyway, just delete it. Number two, remove...
Starting point is 00:47:57 That's what I ended up doing, but they did take up a lot of space by dropping that on there. A lot of space. They took up, like, 70 meg, dude. The iPhones were about, like, 128 meg in total capacity. But don't act like they weren't, like... Apple have always been pretty poor with... The lowest one they've ever done was eight gig, and that was the very first one. Yeah. I love these Apple stories. You can hear the blood pressure of Tom raising. We're trying to, Andy and me, have a little bet going,
Starting point is 00:48:32 seeing who can give Tom a heart attack. This next one, remove VPNs from the App Store in China. I think Apple need to show more balls when it comes to China. They really do need to, because doing shit like this is absurd, and, you know, they need to hold their ground here. I know it's a big market, but they can afford to lose, you know, a few hundred million by not being in China, to be honest with you. So I think that sucks. This new approach to scanning. That's a tough one. I think we've spoken about that already. But let's actually get onto the tweet show. The suing companies which enable security research. So they are suing a company called
Starting point is 00:49:18 Corellium, which is an iOS virtualization vendor. And they're being sued under the Digital Millennium Copyright Act, that world-famous DMCA Act. They initially sued the company for infringement in August, alleging that the virtualization of iOS, which is basically they're creating an iPhone in software on a computer so that you can then load the iOS operating system onto it and then test various environments, et cetera, on there. But it was violating Apple's ownership of the code. So by creating this virtual machine and then taking a copy of iOS,
Starting point is 00:50:09 that's against the end user license agreement, that you can't do that. Their quote was, Corellium's business is based entirely on commercializing the illegal replication of the copyrighted operating system and applications that run on Apple's iPhone, iPad, and other Apple devices. And Corellium simply copies everything, the code, the graphical user interface, the icons, all of it in exacting detail and providing its users with the tools to do the same. So it doesn't have any connectivity, so it can't be used as a phone, but it does allow researchers to look at how certain software performs on iOS in minute detail because obviously they have control over the virtual hardware
Starting point is 00:50:56 and they can see what's going on underneath the hood. And it has been used as well to uncover surveillance related protocols in the United Arab Emirates ToTok app. So it's a good way of actually seeing when an app is installed, what it does, does it phone home, all that sort of stuff. Corellium have said that the motion is part of a broader crackdown against jailbreaking. And jailbreaking being that thing that we all did when we first had an iPhone, where before there was an App Store and before the phone was actually useful for anything other than just making phone calls, you could actually break the code and install software on it that was not Apple authorized. So Apple didn't like it. It was a real
Starting point is 00:51:48 cat and mouse game. They would fix it in one software version, then the coders would break it in the next version, et cetera. I used to jailbreak when I first got my iPhone, because I got my first one from the US, and it was the only way you could get it... Tied to carriers, yeah. It was the only way you could get it to work in the UK. And then literally the moment the App Store came out, it was like, well, why am I bothering with this? And then you could buy – I think my original iPhone was jailbroken. I think I jailbroke my 3, just because... because Apple number their iPhones the same way we number our episodes. But so I jailbroke my 3 because I just did, and that was the way it was. And then by the time the 3GS came out, or the 3G, sorry, the
Starting point is 00:52:42 3GS came out, they had a proper App Store and apps on there that I liked, and I just didn't bother after that, because, you know, it was just no need. So, yeah. And this is... Apple's obviously declined to comment, because that's exactly what they do. I think being a spokesperson for Apple must be the easiest job in the world, if you think about it. It must be. And it's people like you that are doing it for free. Yeah, yeah, there is that. Well, there are comments here, and they're very, very split. And I must admit, I do appreciate where they're going
Starting point is 00:53:16 because obviously software like Corellium does break the end-user license. It does go against the license in terms of the software and all that sort of stuff, you know, very clearly against the terms and conditions of use of the software. And they've obviously managed to basically backward engineer some of the code to ensure that it runs on their virtualization software. So that, you know, which are, you know, again, against the licensing terms. But as we've seen, some valuable research has been found out. So it's like any tool, right? You know, if you get a knife, you can chop food to make dinner or you can stab somebody with it. And that, I think, is the problem here. You can do good stuff with this, but you can also do
Starting point is 00:54:00 bad stuff. So you can look to subvert, you know, security within iOS, you know, for malicious means and all that sort of thing. So we've got one half of the commenters saying that this is utter, you know, this is utter bull crap, you know, this is Apple just being, you know, big brotherish, and we should just let security researchers do their thing. And the other one basically saying, you know, well, if you can run Apple software on non-Apple devices, i.e. virtualized software, what's to stop Samsung from making phones running iOS or HP to sell Mac clones? That was already tested in court. I think it was Psystar, I think, did it. And there is no excuse that this is merely an emulator to
Starting point is 00:54:55 override the transparently obvious fact that they're breaking the software's license terms. So it's interesting. So there's a legal side that says quite clearly you can't do this, but there's certainly a moral and ethical side that says actually there is benefit to this. And I think probably the, you know, not that I'm any judge of this or anything, but I'd say let's try. But you vote for Apple. Well, no.
Starting point is 00:55:20 Do you know what? I'm not sure, but if I was Corellium, I'd say come work with us. Let's get into something that allows us to provide these services to valid, you know, security researchers, so that you can derive the benefit from the work that they do. But who knows, it's probably more complex than that, and we know that lawyers are not always the most... well, they tend to think a little bit more black and white than that, don't they? But, yeah, this is a difficult one. I think legally Apple is perfectly entitled to do this, and, you know, Corellium are profiteering from
Starting point is 00:55:58 somebody else's intellectual property. But conversely, I think Corellium are filling a space in the market that desperately needs filling. And Apple are not doing that. And so therefore, you know, Apple should be looking to see how they can actually make this work for all parties rather than just suing the crap out of them. Very good points, Tom. But as usual, you're a day late and a dollar short. Marvellous. Because a few days ago, actually, the negotiations were held and both parties have settled out of court.
Starting point is 00:56:35 So we know nothing about what happened. No, confidential term sheets have been signed by both, so there's no comments available by either. But I'll tell you, I picked up this one detail from it, and this explains why I think Apple backed down in the end. So earlier in this week, both Apple and Corellium filed papers showing who they would be calling as witnesses
Starting point is 00:57:04 for the upcoming trial. So Apple included people like Craig Federighi, who's the SVP of software engineering, and security engineering chief Ivan Krstić. Corellium were going to call an executive from Azimuth, the Australian company that was credited with the hack of the San Bernardino terrorist's iPhone. Yeah. Right. And also they were going to call friend of the show, former Facebook chief security officer, Alex Stamos.
Starting point is 00:57:44 Really? Yes. And I think Apple thought, fuck it. Can't go. We can't compete with that. And they,
Starting point is 00:57:53 they agreed to settle out of court. Interesting. Anyway, that was this week's... Tweet of the week. And that brings us to the end of the show, folks. We may have missed one of the segments, but
Starting point is 00:58:10 we're still running at close to an hour. Just goes to show how much Jav likes to talk. Well, I wouldn't need to talk so much if you had your stories up to date, right? Well, this is what you mean, the story that in WhatsApp a couple of days ago you said, Tom, you can do this story. Yeah, a couple of days ago before it was settled out of court. Yeah, well, you know, if you want to set me up like that. It wasn't a set-up, far from it. Revenge is a dish best served cold. In my case, probably slightly mouldy as well.
Starting point is 00:58:42 Oh, Jav, thank you very much, sir. Thank you for this week, and I hope you have a lovely weekend. Thank you. Thank you. Thank you. And Andy,
Starting point is 00:58:51 Thank you, sir. Stay secure, my friend. Stay secure. You've been listening to The Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe.
Starting point is 00:59:08 If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. R slash Smashing Security. So there's you stitching me up again, Jav, it would seem. What do you mean stitching you up again? Honestly, I just... Well, not just stitching you up, right? So as I was reading that story, because it's the first time I read it, as I was going through it.
Starting point is 00:59:24 It was actually from January 2020. No. The link is from January 2020. So it's obviously been an ongoing case, which is why we've now got the conclusion of it. Yeah, that's probably what happened. But I don't know. I just saw it. The WhatsApp is a brainstorming platform.
Starting point is 00:59:42 It's not like a definitive truth. The tweet was August 7th. So in fairness, the tweet of the week was up to date. Yes. So let's just blame the... Blame Runa. Runa, this is your fault.