The Host Unknown Podcast - Episode 69 - Think of a Number Bill and Ted

Episode Date: August 20, 2021

This week in InfoSec

With content liberated from the "today in infosec" twitter account

14th August 2013: Affinity Health Plan was fined $1,215,780 for a HIPAA violation after a photocopier purchased by CBS for an investigatory report in 2010 revealed medical info.
At $1.2M, photocopy breach proves costly
https://twitter.com/todayininfosec/status/1294252352191565824

17th August 2005: Jason Smathers, a former employee of AOL, was sentenced to 15 months in prison for selling screen names and email addresses of 92 million users to spammers.
Ex-AOL worker who stole e-mail list sentenced
Jason Smathers: Internet Criminal
https://twitter.com/todayininfosec/status/1295500512830394371

The Box incidental music © Charlie Langford

Rant of the Week

You can post LinkedIn jobs as almost ANY employer — so can attackers

Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of just about any employer, no verification needed. And worse, the employer cannot easily take these down.

Now, that might be nothing new, but the feature and lax verification on career websites pave the way for attackers to post bogus listings for malicious purposes. The attackers can, for example, use this social engineering tactic to collect personal information and resumes from professionals who believe they are applying to a legitimate company, without realizing their data may be sold or used for phishing scams.
Billy Big Balls of the Week

Woman accessed ex-partner's Alexa to torment his new girlfriend

Philippa Copleston-Warren terrified love rival by using smart device to switch lights on and off and tell her to get out of the house.

Chelsea woman used Alexa to scold ex-lover's new girlfriend

A management consultant from west London accessed the Alexa device at her ex-boyfriend's home from more than 100 miles away to tell his new partner to get out of the house. Philippa Copleston-Warren, 46, logged into an app linked to smart devices in the victim's Lincolnshire home, and was able to see her ex's new girlfriend on the property's CCTV system. Prosecutors said Copleston-Warren was able to tell the woman "to get out" and used the app to turn the bedside lights on and off. At Isleworth crown court, Copleston-Warren admitted posting a naked photo of her ex-boyfriend on Facebook, accompanying it with the caption: "Do I look fat??? My daily question".

[That was this week's BILLY BIG BALLS]

[SEEN ON REDDIT]

Thom: Antivaxers Think Their 'Pure' Semen Will Skyrocket in Value
I'm going to retire as a "cum cow"

Industry News

"Jigsaw Puzzle" Phishing Attacks Use Morse Code to Hide
Cadbury Campaigns Against Cyber-bullying
Misconfigured Server Leaks US Terror Watchlist
Yik Yak Returns
Airline Employee Jailed for Spending Passengers' Money
T-Mobile: 49 Million Customers Hit by Data Breach
JPMorgan Chase Notifies Customers of Data Breach
Coin Ninja CEO Admits Operating Darknet Bitcoin Mixer
Women Charged Over Sexually Exploitative Child Modeling Sites

Tweet of the Week

https://twitter.com/Kaipo_Rozwolf/status/1428426623091724289
OnlyFans Will Ban Pornography Starting in October, Citing Need to Comply With Financial Partners

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 So just a biggest loser update. Oh, yeah. Yeah, we haven't spoken about that for a long time, have we? We haven't, no. But collectively, I think this is probably the biggest update we've had, right? Actually, we've lost a huge amount of weight. A huge amount. A 14 stone of ugly fat is gone.
Starting point is 00:00:21 Yeah, absolutely. Maybe just for this week because you know how much, you know, weight comes, you lose weight and it comes back really, you know, in a really unwelcome manner and very quickly and just makes you feel very sad and upset and lonely when it comes back. But for this week, let's just celebrate the fact that we are, you know, 14 stone lighter. Well, 14 stone minimum, I think. Yeah, at least 14 stone.
Starting point is 00:00:51 At least. I mean, you know, certainly in bare feet. But yeah, we've lost 14 stone this week and we've never felt better. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us and welcome to episode 69. 69, dude. Yeah, of the Host Unknown podcast. Wow. Episode 69.
Starting point is 00:01:28 I call this the Bill and Ted's episode because that's the number they always think of in the films. Think of a number. 69. So, yes. Yes, very good. Very good. Andy, how are you, sir? I am good.
Starting point is 00:01:41 I'm feeling good about this weight loss. Yeah. Which has been going on. But I think we should probably just clarify. Actually, why don't we ask Jav about this weight loss? Jav? Jav? Jav? Well, there you go, evidence of our weight loss. Oh, indeed. How are you doing anyway this week? I'm all right, I'm all right. I'm on holiday this week, like Jav, but I'm, you know, I'm committed to the cause. You know, I don't just not turn up for the hell of it. There has to be pure financial reasons for me not turning up. But Jav, no, he just didn't feel like it. And also, I think Jav's in that American mindset, isn't he, where
Starting point is 00:02:20 you just take time off without notice. You know, in the UK it's polite to give notice when you're going to be off. So, yeah, exactly. He just said last night, oh, I'll send you something, you can play it as if I was there. And it's like, yeah, we're still waiting, Jav. You know, I mean, we do try and do everything live in this show. We don't pre-record everything. It's just phoning it in from another level, though, isn't it? Oh, this is completely... Well, if only he would phone it in, because at least he would be committed and hit being here on time, right? You know, he's not even recording it in... So, but no, Jav, if you're listening, because we know you are, I hope you had a lovely time. I hope the court case went well and that we won't be seeing you in three to five. You know that he'll plead guilty
Starting point is 00:03:13 at the first opportunity. Oh my God. Yeah, absolutely, absolutely. Yeah, and he's only the witness. Yeah, yeah. I'll take a plea agreement. I want to go supergrass. It was all Andy and Tom, Mr Malik. We'll hear about your wife's parking ticket. But yeah, it's been a nice couple of days up in London with my mother, which was fun. The Duchess?
Starting point is 00:03:47 Yeah, the Duchess. Yeah, she says hello. She always likes being mentioned. She said she especially likes it when Jav apologises to her. Sorry, Mrs Lengford. And then what did we do? Oh, yeah, came back to Chippenham, and son's got some work going on. He's got six days' worth of work, so he's busy doing that at the moment.
Starting point is 00:04:15 Daughter and I went to Oxford yesterday, and we basically went coffee shop, book shop, coffee shop, restaurant, bookshop, coffee shop, home. That's like your perfect day out, isn't it? It was wonderful. And did you take your iPad for each place? I did, and I didn't open it. Well, I only opened it once. I'd send one email.
Starting point is 00:04:37 In the meantime, we were just reading books and chatting. Yeah. Yeah, it was really nice. It was really nice. So, yeah, the absolute perfect evening. Perfect day, sorry. And, yeah, now I have to come back and do this. And now you've got this rubbish to contend with.
Starting point is 00:04:55 Exactly. I've got to get this shit out of the way. What about you? What about you? You've been busy as ever. It's always been. It's just crazy at the moment. I don't know why.
Starting point is 00:05:03 There's just so much work on. But much like yourself and Jav, I will actually be taking a week off next week. Oh, really? Yeah, I won't be skipping the show, obviously. No, obviously. I mean, what kind of shit heel skips the show just because they're on holiday? Yeah, just lying in bed. In fact, to be fair, he does that when he's due on the show anyway.
Starting point is 00:05:23 Well, yes. It's hard to tell the difference. But in Jav's honour, I will disagree with you on most things you mentioned today, just for the sake of it. Oh, thanks, mate. Because it would feel odd. It would be the same. It would feel odd, you know, me going off on something and Jav saying,
Starting point is 00:05:40 well, no, once again, you're half an hour late and, you know, £2.50 short or whatever it is. And that, of course, is after setting me up to say the thing I said anyway. Here's a story you should cover, Tom. Yeah, yeah. Oh, and by the way, that story's ridiculous. What are you covering that for? It's last week's version of it anyway.
Starting point is 00:06:01 Yeah, that's right. I'm not bitter at all. Oh, dear. So what have we got coming up today then? Oh, let's see. What have we got coming up today? So this week in InfoSec reminds us of the dangers of leasing equipment. Mostly financial, I would have thought.
Starting point is 00:06:21 Rant of the week is offering you a job. Billy Big Balls gives a scary insight into the houses of the rich and famous. A new feature seen on Reddit brings us commentary from peak Reddit. I think we could probably leave that description in there every week. Industry News brings us the latest
Starting point is 00:06:42 and greatest security news from around the world. And finally, Tweet of the Week this week shows us that we don't learn from history. Again, I think we could probably leave that description in there every week as well. But, yeah, we've got a new feature. In fact, we've got a whole bunch of new features coming up over the next few weeks. So you've been having fun with the jingles, Andy? I have, yeah. I got a bit carried away. Well, I didn't get so carried away. You know, I came up with some requests and our man Mr Fiverr got very carried away with the jingles. He's totally bought into Host Unknown. Yeah, yeah, because I think you only asked for three and we got seven or
Starting point is 00:07:25 something, didn't we? Yeah, he knows it. I got you, man. Yeah, yeah. I said, yeah, he understood the assignment and then some. Yeah, and gave us everything we asked for and more. Yeah, well, I mean, you know, we have to evolve the show, right? I mean, it's not like we can just run with the same three topics, or two topics even, every single week. That's just terrible. There's no future in a show like that. No, that's right. I mean, the only reason you do that is if you're extremely successful and need to keep your sponsors happy. Yeah, we of course are not constrained by such issues. No, you can't constrain the
Starting point is 00:08:12 creative genius. No, that's right, that's right. And once we find the sweet spot and the sponsors come flooding in, then we stay the same. Yeah. Oh dear. All right, should we move on? Straight away on to This Week in InfoSec. It's that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account. And our first story was only eight years ago, on or around the 14th of August 2013. Affinity Health Plan was fined $1.2 million for a HIPAA violation after a photocopier purchased by CBS for an investigatory report in 2010 revealed medical information. Just saying this,
Starting point is 00:09:13 this title is definitely from America because investigatory, surely that should be investigative. Yes. Also it was an "a" as well instead of "an". Yeah. Yes. I did have to correct that as I was reading. But this is a story which did, like, it sounded familiar when I heard it, and I can't remember if this is because this is the original story or just one of many that occurred around that time. So in this particular instance, the US Department of Health and Human Services settled with Affinity Health Plan for HIPAA violations to the tune of $1,215,780
Starting point is 00:09:54 after a photocopier containing patient information was compromised. So Affinity had to file a breach report as required under the Health Information Technology for Economic and Clinical Health Act, or HITECH. Their breach notification rule requires any HIPAA covered entities notify HHS of a breach of unsecured protected health information. So what had happened is that as part of this investigative report, CBS purchased a photocopier that was previously leased by Affinity. And obviously that photocopier had a hard drive on it full of confidential medical information. And Affinity stated it was about 344,000 individuals were affected by that. So small by modern day standards, but still a big issue at the time. And obviously at the time, yeah, yeah, HIPAA was, you know, flexing its muscles
Starting point is 00:10:52 as well, to sort of let people know that it wasn't a, you know, they're not just a nobody organization. Not just an African mammal. Yes, exactly. And, yeah, so basically they were charged with failing to incorporate the electronic protected health information stored on the hard drives in its analysis of risks and vulnerabilities, which was required. And they also failed to implement policies and procedures when returning photocopiers to its leasing agents. So now, I was going to say... Go on. Well, no, I was going to say, I know you
Starting point is 00:11:26 probably recall, I think there was another one at the time where, I don't know whether it was Canon or, I want to say it was Canon, but there's like a whole warehouse full of these photocopiers, you know, that people had leased and then sent back. But essentially what's happening is that when people have these office devices, or, you know, they were network printers back then, they did everything, sort of fax, photocopy, you know, print, all of that. But whenever you sent something to the printer, it automatically stored a copy on the local hard drive. And, you know, depending on the settings,
Starting point is 00:12:00 it would either keep it perpetually or until it ran out of space and overwrote it. So, yeah, it's a long old process to clear those devices down, and not everyone did it. And I don't really think people added it to that. I think not everybody knew about it, because printers and photocopiers for the longest time were separate and just fairly straightforward. I remember you used to buy RAM for your HP printers so that it could store stuff. But, of course, the moment you switched it off, then... Store a PowerPoint presentation with a clip-up.
Starting point is 00:12:34 Yeah, yeah, exactly. Exactly. You know, but they didn't have massive storage devices. And then, of course, the multifunction stuff came along and they needed the storage device. Nobody really knew about it. It was kind of, it then suddenly became, because originally I always saw photocopiers as being, like, you know, part of facilities, not IT. Yes. Suddenly it was an IT problem, but nobody told the IT folks. Actually, what you've now got is a computer with a printer
Starting point is 00:13:03 attached they just saw it as a printer and a photocopier combined. And I think there was this sort of mismatch of expectation and responsibility for the devices. And I wouldn't say it was a, you know, back in 2013, it was a massive, oh my God, there's a, you know, there's a computer inside here with a hard disk. We must make sure that it gets wiped before it leaves. But it certainly was a little bit of a shock, I think, to some people
Starting point is 00:13:33 that that was the case, that it had this big sort of computer inside with storage. Yeah, it's funny you mention that facilities thing because my previous company, it was the office manager that sorted. We just plugged it in. The IT team just plugged it in. And then when I moved to Big Corp, it did actually fall under facilities in the early days. The contracts were with facilities to have those serviced and maintained.
Starting point is 00:14:04 But you're right. It's not quite shadow IT. It's sort of like someone else has dumped something on your doorstep that you just didn't know was there. Well, that you think is a photocopier but is actually a Decepticon. Yeah. I mean, I remember and I certainly don't think I'm unique in this by any stretch, but I think I realised these were potential problems because back in 2002 when I moved to a company there,
Starting point is 00:14:35 they were doing massive print jobs. They had a system called a Fiery, and it actually required a Mac stuck on the side of the printer to print to it, you know, because the print, a native printer couldn't handle it. So you had this, basically it was a processing unit, the Mac, that actually converted these huge plots into things that could be printed by regular plotters. And so you kind of realize, well, that's a computer. Therefore, if it leaves, I have to, you know, blank it. I have to do something with it.
Starting point is 00:15:06 Decommission process. Yeah, exactly. And then, of course, these things started to, you know, you plug them directly into the network and all that sort of stuff. And, yeah, it just took off from there. But it was a big deal. But the thing is, so you've got on the one side, you've got the IT folks on here going, well, it's just a fancy photocopy.
Starting point is 00:15:25 What the hell do I need to worry about it? But you've also got the manufacturers who are really, I wouldn't say negligent, but quite sort of profligate with their policies in that, oh, we'll just leave it so it fills up. We'll just wait for the disk to fill up with all of these documents because they're confidential, but they're on a hard disk. It'll be fine. Nobody will think to look for a hard disk on there.
Starting point is 00:15:52 Encryption? No, we don't need that. Just slow it down. So you've got this kind of perfect storm just waiting to happen. Yeah, it's just been one of those things. The thing I say, it just came in, it just sounded so familiar, because I think this wasn't just a one-off. You know, this occurred a lot, you know, in that era. Yeah, yeah, yeah. I haven't heard anything since, but I guess it kind of ties in with that buying ex-equipment off eBay and stuff like that as well. Yeah, yeah, I think so, I think so. But, yeah, fascinating, fascinating. You got
Starting point is 00:16:28 a good copy of story, especially as I know Quentin will probably chime in on this as well. QA by Q. QA by Q. He'll say, no, it wasn't Canon. It wasn't. I was thinking as I was saying, I was thinking, oh, maybe it's not. Yeah, and one of our listeners may well correct me. So come on, QA by Q, let us know. Let us know if this was all your fault. Excellent. That was a short one this week, but since we're missing Jav, we have to make up with the other short things. Thank you very much, This Week in InfoSec. So let's see how many Jav gags we can get in this week.
Starting point is 00:17:19 We've had basically fat and short so far. Oh, and ugly, for that matter. Right, I'll come up with something lazy. Yeah. Oh, what, you mean Jav's lazy? Yeah. Easy. Right, let's move straight on, shall we?
Starting point is 00:17:37 Let's get on to this week's... Listen up! Rant of the Week. It's time for Mother F***ing Rage. So this was one Andy and I were discussing this morning. It took me a little while to unpick it, mainly because I just read the headline. I hadn't actually read the story. But this is a jab at LinkedIn.
Starting point is 00:17:58 So we all know when we're looking for jobs that LinkedIn is actually one of the places we go to. You can set up rules and reminders. And employers also use LinkedIn quite extensively as well. It's a good way. You have your company profile on there. People can find out all about you. They can find out who works for you.
Starting point is 00:18:20 And then you can also apply for jobs there. It's wonderful. It also has the added benefit, I mean, I use it for motivational pep talks. Like, if I ever feel down, I like to go into LinkedIn and see, you know, other people that get up at 4 a.m. and achieve all of this great stuff before, you know, before the working day starts. So, I mean, yeah, I use it for motivation rather than anything else. Right, just to see who else is up at four o'clock. Exactly, like an insomniac who's so overly stressed they can't cope, they can't, you know, get more than two hours' sleep a night. 24 usable hours in every day.
Starting point is 00:18:55 So, but the, and employers would go on to LinkedIn, obviously, and they would create a job and you'd apply through LinkedIn, and, you know, brilliant, all very transparent, all very lovely. Although a researcher, a Mr. Singh, I think it was, links in the show notes, folks, has found that anyone can create a job listing on the leading recruitment platform, LinkedIn, on behalf of just about any employer. And you don't even... I'm going to say all that again, because that really did sound
Starting point is 00:19:32 like I was reading it. So it turns out that anyone can create a job listing on LinkedIn, even on behalf of virtually any employer as well, without any additional verification. And to make it worse, it's not actually that easy to change the settings. So what happens is you set up your profile on LinkedIn. It can be false entirely, obviously, in a false company, etc. You then can create a job listing for that company, sorry, for any company you want, and then tell it to forward all of the CVs and resumes and inquiries on it to an entirely different email address. So using your own credentials, you can create a job, say it's from, for instance, Canon. And that's just an example. I don't know if Canon have fixed this or not. But say it's from Canon, put in your email address of the very fine chaps at hostunknown.tv.
Starting point is 00:20:41 And everybody who applies for that job at Canon will be sent to you. So you will start harvesting huge amounts of data, some of it, you know, fairly personal given the contents of a CV, etc. We're talking here, like, typically, I know a lot of people put their name, address, phone number, which, yeah, depending which country you're in as well, they include a photo. Yes, your country. Also, you know, a lot of personal details as well, maybe links to personal websites, hobbies, things like that, sometimes pets, you know, all fairly valuable data, let's face it. I'm going to play devil's advocate. Is it a... you know, you're putting this information out there anyway for the purposes of job search.
Starting point is 00:21:30 Yeah, there's two sides to this. One is, is it a problem in the grand scheme of things for you as an individual? Possibly not, but you are sharing data with someone who you don't realise you're sharing data with. And you could actually maintain some kind of dialogue with that person, thinking they're from a company. They could be prompting you to log into various websites under the guise of, you know, can you send us a photo? Can you prove you're a real person?
Starting point is 00:22:03 We need to get your passport details. So we're talking about the next level, like how you escalate this attack. Yeah, this is a great sort of foot in the door way of getting data, you know, social manipulation way of getting data. That's just on the side of the individual. The actual companies themselves could actually suffer a fair amount of sort of credibility damage because if you want to, you know, screw up a company, probably one of the smaller ones,
Starting point is 00:22:37 if you're disgruntled, you could, you know, gather all this data for a supposed job and then just wind these people up, lose their data, telling the job no longer exists and that they're dickheads and all that sort of stuff. And nobody would really know that it wasn't the company. They would just think, you know, and then they get onto Glassdoor and start slamming the company for, you know, poor employment practices, you know, all that sort of stuff as well. So it can be quite damaging for the employer, too. The worst... So I can think of two things where this is... So firstly, if you are applying for a job at a company, then you obviously
Starting point is 00:23:20 create that exact same job but for a a different company with a very high salary. Get people to apply for it and then pick out the best CVs and use that in your own application. Which is probably the most benign of uses for something like this. It is, but the other way is if you want to create one for your competitor and see how many of your own staff are applying for jobs with your competitor. Yeah, yeah. Yeah, that would be an interesting way to see who's disgruntled.
Starting point is 00:23:50 Or even if you're guessing at salaries, right, you put up particular salary ranges and see whether those ranges are attractive to your own staff for the jobs that they're currently doing. It's a free way of getting that kind of data. Yeah. And not a particularly good way. I mean, well, it's not a transparent way, anyway, or a formal way. But the worst part about this is that LinkedIn are completely aware that this happens and that this can be done and that there are ways of addressing it. And the prime, you know, and it's all in the detail.
Starting point is 00:24:27 It's all in the settings and click this, tick that. But the primary way is an email address that you contact to say, we need to have X, Y, Z switched off, blah, blah, blah. All very well, except that email address is not available on the website. It's not available on LinkedIn. So not only do you have to know that this is a problem, you then have to work out what email address to send this to, to send your concerns to, to have it sort of disabled.
Starting point is 00:24:58 So Bleeping Computer did a little investigation. So the researcher did everything except post a job. So he didn't want to sort of go that far. Bleeping Computer, this is one of those "our reporter made their excuses and left". Yes, yeah, yeah, exactly. But they actually posted a job. They tried to do it for Google and it didn't work because they'd actually put all these other, you know, other things in place. As you'd imagine, Google, they probably got the resources for it. They tried it with another company and it worked. And they were able to get applications for a job with a different
Starting point is 00:25:38 company sent to them. And I think the rant side of this is LinkedIn knew about this years ago and they've still not openly, transparently and easily addressed this. They've just made it like some kind of arcane amulet that you need to know about and to have, and to circle around a dead chicken anti-clockwise whilst chanting something, in order to switch it off. And that's just appalling. I mean, this is lazy system admin at the end of the day. Yeah. So this is something companies have to control themselves? Yes, exactly. So you need to set up your own: only these people are allowed to post jobs on behalf of companies. But there are no guidelines or even an email address published
Starting point is 00:26:28 that you can use, even though that email address is the way that you do it. That's crazy. Link in the show notes, folks. Credit to Mr Singh, who found this, and also to Bleeping Computer, who actually tested it fully as well. And a big boo to LinkedIn for not fixing this.
Starting point is 00:26:49 Although I'm sure, having listened to this episode, Mr. Lionel inked in will no doubt be, you know, on top of this, you know,
Starting point is 00:26:58 straight away. So it is in someone's backlog somewhere. It's somewhere. Yeah, exactly. Exactly. It's actually probably in the inbox of that email address. Yeah, it's just been promoted.
Starting point is 00:27:11 Yeah, it's right. That's right. So, yeah, yeah. Terrible. Terrible practice. Don't like it. Brr, ranty. Yeah.
Starting point is 00:27:22 Rant of the Week. Wow, it's a good one. We're burning through stories today, aren't we? I mean, we have a big list. You see what happens when we're not carrying dead weight? We're actually moving at speed. Yeah, that's right, that's right. I mean, you know, carrying something that's lumpy, heavy, awkward, you know, physically and emotionally. Yeah, it's just baggage, isn't it? Just makes life so much easier. We're going to have to fill up some time, so listen to this. You're listening to the award-winning Host Unknown Podcast, the show which Smashing Security sets their out-of-office to. They did as well. Yeah, particularly during this holiday season.
Starting point is 00:28:11 And we're welcome all the new listeners as well. I know, I know. Both of them, really good to have you. Yeah, kind of a different vibe though, isn't it? Just a little, just a little. All right, let's move straight on then to our very next segment. It's the ladies, Billy Big Balls. Look at the size of that thing. Carol's Coffee's Cajones.
Starting point is 00:28:40 We're playing that one because Carol was going to join us this morning and she just blew us out last minute. Yeah, although we will caveat, we didn't tell her that she was going to join us. Until about 1am, wasn't it? Yeah, it's understandable. Yeah, may not have been able to drop everything to join us. And even Graham, who'd go to the opening of an envelope, wasn't able to make it either.
Starting point is 00:29:04 Well, the older you get, the harder it is to wake up in the morning. It is. This is true. This is true, yeah. Either that or he's been up since 5 o'clock. Turning to his tomato plants or something in the greenhouse. Sitting on his rocking chair. Right, anyway, so this is a story about a woman who accessed her ex-partner's Alexa to torment his new girlfriend.
Starting point is 00:29:30 So this is the story of Philippa Copleston Warren. Yes, that is a double-barrelled name. And you will not be surprised to know that she is from Chelsea. So she is a management consultant from the same area. She accessed her ex-boyfriend's Alexa device from more than a hundred miles away to tell his new partner to get out the house. So she still had, after she split up with, you know, her previous boyfriend, she still had access via the app on her phone, which was linked to not only the Alexa device but also the property CCTV in the house. So she could tell, you know, when his new girlfriend was in the house. She could switch on the bedside lights and then switch them off again, you know, while she was there, you know, just generally harass her in the house, switch the lights on and off, you know, spoke to her through Alexa.
Starting point is 00:30:32 But the crazy thing was none of this was actually a crime. I know. So the reason she actually got in trouble and she went, I'm trying to figure out where her punishment was. Oh, she's going to be sentenced on the 6th of October. So the punishment's not going to happen. Up to two years, I think, is the threat, yeah. But what she actually got in trouble for was posting a photo of her ex on Facebook where he was naked.
Starting point is 00:31:07 And she added the caption, uh, "Do I look fat?" And this actually fell under the revenge porn category of crime, and that's what she was actually prosecuted for. So despite the invasion of privacy that, you know, she went through, like, you know, violating his, uh, his privacy in his home, harassing his new girlfriend in the house while she didn't realise that she was being watched, it was this photo that was her downfall. And ultimately, even her lawyer put out a statement saying that she had joint access to all of these accounts.
Starting point is 00:31:42 She was legitimately allowed to access the CCTV and all that kind of stuff. How is this not illegal? It's ridiculous. Because she had the login details and the passwords, there was no hacking involved. And they were provided to her in good faith when she was with her old partner. Yeah, and I guess you don't have this sort of joiners, movers, leavers process, right?
Starting point is 00:32:04 Yeah, that's right. When you tell your girlfriend, it's a case of, right. You mean you don't? I know I do. This is the acceptable use policy for being my girlfriend. You'll be provisioned access to these accounts for the purposes of, you know, whilst you are in a relationship with me. But when you leave, you're no longer able to access. And obviously, unless you've got that banner that pops up every time, yeah, in the front door, we, we reserve
Starting point is 00:32:32 the right to, uh, review your device, etc. Yeah, exactly. So, I mean, this is just a crazy one. I mean, you know, there is a saying, hell hath no fury like a woman scorned. And I do kind of admire the level of pettiness she went to, like switching the lights on and off. What I think is really interesting here is literally two-thirds or three-quarters of the story is about what she did with the Alexa and not the illegal thing. It's then, oh, and she might be sentenced for up to two years for revenge porn and posting a nude photo.
Starting point is 00:33:03 Yeah. But that does go to show, I think, that this gross invasion of privacy and breach of trust is actually a bigger concern than just posting a naked picture of someone on Facebook to the average person, if you see what I mean. Yeah. It's almost like, you know, what kind of world do we live in where revenge porn takes a second seat to something, you know,
Starting point is 00:33:33 like an invasion of privacy? And it's quite interesting. And I have some personal experience with this, and I won't get to any sort of significant details, but a friend of mine, her ex, she shared a couple of Alexa speakers, Bose Alexa speakers with her ex. He took one, she took one, all connected to his account. He borrowed it for a couple of days, handed it back.
Starting point is 00:33:58 And unbeknownst to her, he'd switched on like active listening or something like that, you know, like baby monitor mode. And so for a good few weeks, he was listening in to everything that was going on in her house without her knowledge. And the only reason she found out was she was on the phone to him and she could hear herself echoed in the background. And he fessed up, et cetera, you know, and all was good. And, you know, she, she, I guess, forgave him, uh, but I
Starting point is 00:34:27 was utterly incensed by this. I found it awful. She was really quite cool about it: oh, it's just a difficult time, blah blah blah, you know, all that sort of stuff. You know, he's... but it could be, like, a, you know, abusive relationship type, you know, be violent or, you know, intruded by certain things. It's going to be different. But that fundamental breach of trust and that fundamental breach of privacy just enraged me, enraged me. And yet she was not hugely concerned. Obviously she knew him better than I did, obviously. And, you know, I totally get that.
Starting point is 00:35:02 But bloody hell, it was, you know, really, really quite shocking to hear, you know, when she told me. But, yeah, I don't think people are as upset by things like this as they should be. Yes. Yeah, I think that's fair to say. Carol's Colossus Cojones. Well, that wasn't very funny.
Starting point is 00:35:32 Well, I say wipe down your devices and have a decommission process when you break up. Absolutely, absolutely. Blimey. Yeah, not very funny at all. No. Sketchy presenters, weak analysis of content and consistently average delivery, but they still won an award. Like and subscribe now.
Starting point is 00:35:52 so we have a new feature tom uh yes we do and this feature is called this is the sound of the host unknown podcast crew putting on their armour, getting ready to do battle with the hordes of strong opinions. This is As Seen on Reddit. As Seen on Reddit. I like it. Blimey. I tell you what, your Fiverr guy really went for it. He did. That was good. I like that.
Starting point is 00:36:26 Although, yeah, taking a look at Reddit does sometimes feel like you need a suit of armour or at least something you can wipe down easily afterwards. Fire has no suit, yeah. Which in this particular one, we won't dwell on this, but in this particular one is very, very true. So, again, link in the show notes. And actually, there's an archive link there because the subject has been suspended. The actual subreddit has actually been suspended. And when I read out the title, you'll understand why. So it's about anti-vaxxers.
Starting point is 00:37:05 So absolutely no security in this whatsoever. It's about anti-vaxxers. And here's the title. Anti-vaxxers think their pure, in inverted commas, semen will skyrocket in value. And the reason for this is, when you click on the link, and, you know, even the, even the short link you see there, is that they're, they're honestly thinking that the fact that vaccinated people's semen is infected and bad and will spread faster than COVID.
Starting point is 00:37:47 I mean, jeez, I'm doing my best, but really, give me, I need a couple of days in between times, lads. But will spread and will basically result in two types of humans, genetically modified humans, i.e. ones that have been vaccinated, and, and non-GMO, um, uh, humans. Oh my God. And then, of course, in pure Reddit style, somebody, uh, comes on to... oh dear, no, I'm going to rephrase that phrasing. Somebody jumps into this and, on the realisation that actually semen is going to be the next Bitcoin, says basically that they're going to retire as a cum cow moving forward.
Starting point is 00:38:40 Oh, life goals. Life goals. So this is, I mean, these are the same people that think that, um, you know, unvaccinated blood is in high demand, and because they started all these rumors that the Red Cross were turning away vaccinated donors and all this. Yeah, which again, misinformation, is not true at all. Well, not even misinformation, it's utter lies. Which is just, um, yeah,
Starting point is 00:39:07 I don't know. Or cum cow to the moon. It's, uh, I just, I just can't help thinking, you know, they say all the QAnon stuff,
Starting point is 00:39:18 80% of it comes down to what? Six people, 12 people, something like that. I just can't help but think that at the end of the day those people just sit back and just laugh their asses off at how they've managed to manipulate vast swathes of the world into thinking the dumbest shit possible. I love the, the, uh, the, mark my words, the unvaccinated sperm and blood will be in high commodity in a few months to a year.
Starting point is 00:39:51 So we're not even going long term here. We're talking about gains before the end of the year, potentially. Yeah, that's right. Damn, if only I didn't get those vaccines. It's always the same. I jumped out of Bitcoin just before it went big. I pulled out of this sewing, I pulled out my shares before they went big, and now I went and got vaccinated before I, you know, before I could start all that. Money slipping through your hands.
Starting point is 00:40:18 Have you, have you hacked my Alexa? Got it in listen mode? It's just, yeah. Oh dear, that must make some really interesting listening. Oh my God. So, yes, I'm, I just so can't even with these people. I just think... We should sum up that medical advice is still, those who are eligible for the vaccine should still get it. Oh my God, yes.
Starting point is 00:41:00 Please get it. Please go and get it. And homeopathy is not an alternative. I'm sorry, I'm going to have to stop there. I just so can't even with these people. Just remember to be nice in the comments section, as seen on Reddit. You're listening to the award-winning
Starting point is 00:41:23 Host Unknown Podcast, officially more entertaining than Smashing Security. So, Andy, it's, uh, it's that time of the week, isn't it? It is. It's that time of the show where we head over to our news sources over at the Infotech PA Newswire, who has been very busy bringing us the latest and greatest security news from around the globe. Industry news. "Jigsaw puzzle" phishing attacks use Morse code to hide. Industry news. Cadbury campaigns against cyber-bullying. Industry news. Misconfigured server leaks US terror watchlist. Industry news. Yik Yak returns.
Starting point is 00:42:08 Industry news. Airline employee jailed for spending passengers' money. Industry news. T-Mobile: 49 million customers hit by data breach. Industry news. JP Morgan Chase notifies customers of data breach. Industry news.
Starting point is 00:42:27 Coin Ninja CEO admits operating darknet Bitcoin mixer. Industry news. Women charged over sexually exploitative child modelling sites. Industry news. And that was this week's... Industry news. Huge and true.
Starting point is 00:42:53 Huge and true, but that was mostly depressing or I'm really not sure what to say. Yeah, so the Yik Yak one. Yeah, I was looking at that. So I uninstalled Yik Yak earlier this year. What is Yik Yak? So it used to be like this, I want to say social network. It's like a platform where you can post things, but anonymously. But you can only post and you can only view it if you're within a five mile radius of the person that posted it.
Starting point is 00:43:19 So it's very common on sort of campuses, universities and things like that. Oh, right. And there were some classic sort of, like, one-liners, little quips, because it's not like you could post stories. It was, you know, it's almost like a tweet, um, it's like a local-area Twitter, in effect. Um, probably a bad description, but it kind of, it did suffer massively from cyberbullying and racism. Kind of unsurprising. Anything that allows you to go anonymous, that's going to be the next step. Yes.
Starting point is 00:43:55 I mean, particularly in colleges where students were just called sluts constantly, it did have a pretty toxic reputation. I mean, I did use Yik Yak, uh, you know, to abuse people, uh, just to practise my... So it was... You... No, but it was, um, I mean, yeah, it was different everywhere you went. So, like, I was in, I went to Center Parcs one time, and, like, you know, I logged into Yik Yak just to see, like, what's going on, there's a couple of other people around. Not aimed at the middle classes then. No.
Starting point is 00:44:35 But there were, I mean, when I did post in my local area, I got downvoted, like, genuinely for no reason. It's like really sort of, you know, people just, if they don't like it, that's it, you downvote. And what happens is that once you receive a certain amount of downvotes, your message disappears. Uh, but then obviously, because when you get a pool of toxic people together, they just keep upvoting, um, and, you know, that message doesn't appear. So if you want to sort of, you know, call someone a slut or, you know, some racist comments, if you've got all your racist mates with you, um, you know, it gets upvoted and stays there. Um, but there were actually, you know, there's a previous court case, um, I think, where
Starting point is 00:45:10 students of the Washington University somewhere, yeah, or Mary Washington University in Virginia, um, they sued the university over harassment and threats of physical and sexual violence which were made over the app. Jesus Christ. So, yeah, so I don't know. I mean, it did just disappear, uh, without a, without a trace, but it's come back sort of four years later and I'm not entirely sure why. Uh, they're saying it's got, you know, guardrails, um, you know, they're going to be putting in place. But, yeah, I don't know. Yeah. Well, it'll be interesting to see what happens with this, I have to say, because I think, you know, any platform like that, like Parler as well, you know, anything that's promoting that kind of thing,
Starting point is 00:45:55 of course it finds, you know, a small core group of people who love that sort of thing. But they eventually, you know, they eventually cross the line. You know, either the company or the users will cross the line, and, and, and things get taken down, right? Um, yeah. So they eventually cross the line. They cross that line very quickly. Yeah, they eventually cross the line to the point where law enforcement or the law steps in, right? Yeah. It always takes far longer than it really should. But, yeah. Oh, God.
Starting point is 00:46:29 Well, I mean, Yik Yak can stay Yik Yak'd as far as I'm concerned. Yeah, don't want them back at all. Even though I didn't know who they were in the first place. Okay, let's go up to our last section of the week, shall we? And let's go to. Tweet of the week. Oh,
Starting point is 00:46:49 we always play that one twice. Tweet of the week. So this is a tweet. And this is one of those, do we not learn from our mistakes? So similar to the Yik Yak, you know, giving people a platform to post things anonymously hasn't worked out well in the past.
Starting point is 00:47:06 I know. Let's try it again four years later. Similarly, this is the strange news that a UK-based company called OnlyFans has decided to kick the core base it built to the curb. And so Kaipo from Twitter says, I would like to remind them that Tumblr was purchased by Yahoo for $1.1 billion in 2013 and, following its ban of adult content, was sold in 2019 for $3 million. So there's a huge difference between, uh, you know, $3 million and $1.1 billion outlay. We can do a Sesame Street episode on that. Yes, get the old, uh, the, the Count to, uh, count them. Yeah. So this is, um, for those who do not know, the, the news: OnlyFans are going to ban pornography, uh, starting in October, um, and they cite the need to comply with financial partners. Um, so we saw this with YouTubers, not YouTube, um, Pornhub. Pornhub, yeah, yeah, a while back, where, you know, they had to ban a whole load of, uh,
Starting point is 00:48:13 so, I guess, amateur content? Wasn't it homemade? Well, it was unverified content. Unverified, yeah, because, because there was copyrighted material being uploaded, and yeah. But it was to satisfy their payment processors, wasn't it, the likes of Visa and that, Mastercard and those guys. Um, and it's similar with OnlyFans, right? So OnlyFans have over 130 million users, um, and, being blunt, it is, it is adult-orientated, uh, subscription pages, like, you know, they... So they've made this announcement that as of October the first they're going to ban all sexually explicit content. So their statement says OnlyFans will prohibit the posting of any content containing sexually explicit conduct in order to ensure the
Starting point is 00:48:56 long-term sustainability of the platform and continue to host an inclusive community of creators and fans um so they are saying that, you know, according to them, they're saying that creators will continue to be allowed to post content containing nudity as long as it is consistent with our acceptable use policy. Now, their acceptable use policy is artistic nude. And, you know, people are kind of saying,
Starting point is 00:49:20 what's the clarification? What falls under artistic nude? What is, um, you know, sexually explicit? Um, and it's, it's kind of, you know, they'll know it when they see it, I think, is one of that. Um, but yeah. So in the last five years since it's, uh, since it was created, they've paid out more than $5 billion to creators on the platform, um, and the company keeps 20% of all revenue generated, uh, from its creators. Um, but it has been home to X-rated content for a long time, and I guess this is the default platform for it. Yeah. Um, and this has been likened to sort of Tinder saying they're no longer going to allow people to look for dates, you know, because, uh, or hookups. Yeah, exactly. So, yeah, it's an interesting one. I
Starting point is 00:50:07 said, we've seen, we saw what happened with Tumblr in the past, um, you know, when they prohibit content that they are just widely known for. So it's going to be interesting to see what happens with OnlyFans after October. I find it frustrating that, you know, you know, "for our payment partners", basically the payment companies are saying to OnlyFans, we don't want to be associated with pornography, therefore kick them off or you can't make, you know, process payments for us or something like that. Or even, you know, you'll have to pay a higher percentage or something.
Starting point is 00:50:41 I'm not entirely sure, but, uh, but it just, it, it seems to, um, it seems to sort of unfairly treat sex workers. Uh, it seems to unfairly treat that, you know, there's a market for this and people are to put themselves through college and, you know, supplementing their incomes and all that sort of thing with this. And because it's a self-driven environment, it's sort of – I don't want to use the word empowered because I don't think I'm kind of justified to, but it allows people to choose how and when they – and what they do in order to make money.
Starting point is 00:51:23 And I find this – it's almost exploitative in of itself, the fact that they're saying you can no longer do it. And I, you know, and I think as you said with the Tumblr and Yahoo example, I think OnlyFans are going to regret this because OnlyFans is synonymous with explicit content, and even more than Tumblr was, I think. Yeah. Um, and a lot of people have, um, you know, made a lot of money via, um, particularly throughout the pandemic. Yes. Um, you know, a lot of people have survived, yeah, and, you know, done very well as well. Yeah, I'm sure. Absolutely.
Starting point is 00:52:01 But, you know, there's, there's obviously a market for... And I think, you know, if they had said something, if they'd done something like, we're going to put in more safeguards, we're going to, you know, make sure that there is, you know, health warnings before and after anything like this, you know, any sexually explicit material, something like, I would get that. I would, you know, I would see that as a positive step to protection. But just to ban it, I think, is just driving it elsewhere and to less well-run and reputable platforms. So I must admit, I find this sort of faintly depressing, to be honest with you, as someone who does not have an OnlyFans account or has even paid any,
Starting point is 00:52:48 so I've never seen this, never used it, but I just think it's not going to end well. No. Not learning lessons. Not learning lessons. No. And I think the lesson we've learned is, you know, you've dropped us on a bum note again, Andy, at the end of the show. Tweet of the week.
Starting point is 00:53:08 There we have it. Well, we blasted through that this week. Absolutely blasted through it. Yeah, so, Andy, thank you very much indeed. Stay secure, my friend. You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Right, well, I guess what we could do is, since Jav said he was going to send us something today
Starting point is 00:53:41 and he hasn't arrived, he did send us something a couple of months ago when he was last, you know, couldn't be bothered to join us. So should we just put, should we just play that? Yeah. And for everyone else that's listening, this is the part where you can drop off. Yeah, yeah, much like, uh, any other show, really. Uh, but, uh, but yes, uh, so I hope you enjoy it. Hello gents, I'm totally right here and this is definitely not pre-recorded the day before. So yeah, I'm up for a rant of the week or tweet of the week or whatever the jingle was that just played before me. So Peloton, the fitness company, can't seem to get a break. Not too long ago, the treadmills had some serious design flaws in it, which meant that the screen could come off, it could hit people, and pets and small children could get trapped underneath it. So, you know,
Starting point is 00:54:47 you thought, you would think that that would be the end of its woes, but no, now the Peloton bike has had some issues. Researchers at McAfee said they have found a flaw that let hackers bypass Peloton's boot verification process. Now, what you've got to understand and appreciate is underneath this whole fancy bike is basically an Android device controlling it all. And what they can do is they can manipulate it, they can install apps on it that, say, look like Netflix. So when you go to click on Netflix to start it up when you're on the bike and it asks you to log in, the bad guys can steal your credentials. Even worse, even worse. These bad guys can remotely access the webcam and microphone that are built into these devices. So if you're there, sweaty, getting your workout on, not very attractive,
Starting point is 00:55:50 bad guys can get access to that footage remotely. All sounds pretty bad until you actually look at the report, and say, in order for this to be successful, criminals need physical access to the bike and to plug in the USB. And that's kind of like buried in, in the story when you, when you look at this headline. And I'm looking at an article on, uh, Gizmodo. It says, the headline reads, "Peloton Bike Plus was vulnerable to remote hacking, researchers find", and there's no mention here. It's if you have to go down like three paragraphs in before it's mentioned, or four paragraphs in, actually, before it mentions, uh, the vulnerability may not sound
Starting point is 00:56:40 all that serious for home users as it requires physical access to the Bike Plus to pull off. Well, of course it's not serious. If someone's got physical access to your device, it's not your device anymore. That is one of the immutable rules of security. If someone has physical access... I mean, who would think that a criminal breaks into someone's house and they have got a plethora of technological devices there and thinks, I'm going to hack that bike. That bike looks really juicy. If I can catch someone full sweat on and take a picture, I could blackmail them with that. It is just ridiculous. And this angers me. This angers me a bit because it's an overblown finding in the sense that it's an important finding. We definitely shouldn't underplay that fact that someone can do this, but it's overblown because you need physical access.
Starting point is 00:57:37 If someone can have physical access to your home to install this, then you've got bigger problems to worry about. And by raising this as a massive issue, you give this perception that, oh my God, these bikes, these devices are terribly insecure, which they're not. Worst off, there's no real solution to this. If you're a home user and you see this, well, well, what can I do? Maybe there's an update process, maybe there's not, I don't know. Is there a patch? There's no evidence of it being exploited in the wild. So you're left with this situation where you, you, you will contribute to that breach fatigue, or that security fatigue, where everything is broken, the, the sky is falling, all your devices are owned and they belong to us, and people will typically just start to ignore you. So I think it's a bad piece of reporting for a non-issue. This feels like one of those issues that your pen tester would put in the report and say, well, it's informational or it's theoretical.
Starting point is 00:58:48 In theory, if someone broke into your office by rappelling down the side of the building, then if they had access to the machine and if they could cut this wire perfectly, splice it together, then they could intercept all your traffic. Well done. Well done. Well, that was really out of date. It was. But stay secure, my friends. Stay secure.
