The Host Unknown Podcast - Episode 75 - The Old Men of InfoSec
Episode Date: October 1, 2021

Jav's Record Breakers, 14th October
https://www.eventbrite.ie/e/biggest-virtual-cybersecurity-lesson-tickets-166314899341
https://www.prnewswire.com/news-releases/organizers-of-security-serious-week-...aim-to-set-new-guinness-world-records-title-for-viewership-of-an-online-security-lesson-301376191.html

This Week in InfoSec
With content liberated from the "today in infosec" Twitter account
27th September 2001: Jan de Wit was sentenced to 150 hours of community service in the Netherlands for creating and spreading the Anna Kournikova virus. It was one of the first of the major viruses created from a virus toolkit - the dawn of cybercrime toolkits.
Kournikova virus kiddie gets 150 hours community service
https://twitter.com/todayininfosec/status/1177772557077843968
27th September 1998: On this day in 1998, Google launches
Google Milestones
8 Search Engines That Rocked Before Google Even Existed
https://twitter.com/JonErlichman/status/1442432706877399049?s=20

Rant of the Week
Secure those Macs: Apple must step up and support older machines
For the good of the planet and the safety of its users, it's time for Apple to step up and support its older machines.

Billy Big Balls of the Week
Mr Gox
A hamster has been trading cryptocurrencies in a cage rigged to automatically buy and sell tokens since June - and it's currently outperforming the S&P 500

Industry News
EU Slams Russia Over Disinformation Hacking Campaign
Huawei CFO Released After Admitting She Misled Bank
Computer Scientist Jailed Over Dark Web Conspiracy
Crypto Developer Pleads Guilty to North Korean Plot
Canadian Vaccine Passport App Exposes Data
SolarWinds Attackers Develop New FoggyWeb Backdoor
Vulnerability Exposes iPhone Users to Payment Fraud
Scammers Capitalize on Release of New Bond Movie
Cyber Second Only to Climate Change as Biggest Global Risk

Tweet of the Week
https://twitter.com/csoandy/status/1442501996750118915?s=20
https://twitter.com/dcuthbert/status/1442821545047601163?s=20

"The Boc" © Charlie Langford

Come on! Like and bloody well subscribe!
Transcript
That's the problem with making too many jokes: no one knows when you're really being serious.
It's a bit like Dumb and Dumber, when they put salt in the guy's food and, um, his blood pressure shoots up and he's all, like, coughing and spluttering, and they're just laughing at him saying, ah, you're really playing it off.
Well,
Oh dear.
That's going to happen.
I'm literally going to have a heart attack and die in front of you guys, and you're going to be like, ah, just give him some sugar, he'll be fine.
No, no, I'm a good friend, Andy. I'll be like, quickly, before his pulse completely disappears, uses biometrics to unlock his phone and delete all of his WhatsApp messages.
If only it was just his internet history.
Christ, it's going to take like a full forensic team.
No, that's half speed for some reason.
Hang on, there's something really weird. You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to, and this really is, episode 75.
I think I called last week's episode 75, but hey.
So it's 79. Exactly. Numbering has never been our strong point. But yes, episode 75. Welcome, welcome, welcome. Andy, how are you, sir?
Not too bad. Are you able to just explain what happened there with the jingles on the intro, where you played it a couple of times saying it wasn't right?
I just want to check.
Is it your hearing that's going or was there something wrong?
Well, obviously, I would have edited that out.
But, yeah, I don't know.
It was just played at half speed, but it was very odd or a different level.
Did you hear it?
Was it different to you?
No, it sounded normal to me. But, do I know? Did it really? Yeah, maybe the drugs are kicking in.
I was speaking to a colleague yesterday. He's based in the Netherlands, and he was talking funny. I said, what's up? He goes, I went to the dentist, had root canal.
I said, oh, that's not good. He goes, yeah, I had two for the price of one. I was like, how's that? He goes, well, he went in and the dentist was like, oh, it's the second from the back. He goes, yeah. So he numbed it up and started drilling, and he goes, hold on, no, it's the second from the back at the top, I drilled into the bottom.
No!
Yeah. I thought you were lining up for a joke here.
Yeah, so did I.
No, it's completely true.
So he had like double the amount of thing.
And dentists were like, oh, that needed it anyway.
So good thing we've done that early.
Yeah, that needed it anyway. Yeah, it's sort of like giving the signal to the dental assistant to modify the notes.
Yes.
Insert false x-rays.
Yeah.
X-ray on the x-ray.
Oh, man.
That's terrible.
Yeah.
Which country was this?
The Netherlands.
The Netherlands.
Oh, well, they've got far too many canals there anyway.
I know.
Oh, my day.
You see, that's where I thought it was going. That's why I thought it was a joke, you know, there's going to be some play on root canal, two for one, and then some weird Dutch humour being thrown in.
No, no, no, no. It's funny because we were on our team call later in the day and our US colleagues were like, yeah. See, within five minutes, we would have had four attorneys on him suing the shit out of them.
That's right.
Yeah.
Whereas this one, it's okay.
It's fine.
Just relax.
I'll give you more drugs, okay?
Exactly.
That's my entirely accurate impersonation of the Dutch people.
Oh, wait.
Oh, I thought you actually got a Dutch person just to come in and say that. It's incredible, it's like they're in the room.
Oh dear. What about you, Jav? You okay?
Well, I am good, I am good. I'm putting on my tap dancing shoes and preparing to join the likes of Roy Castle in the Guinness Book of World Records.
It's Norris McWhirter. What about him? Is he going to be there? In fact, what the hell are you doing? What's the record-breaking attempt? Number of days? I don't know.
Growing a beard? Putting up with you two? Well, I think we're all in the same running for that.
So we are, so we...
When you say we, am I involved in this?
No, we as in KnowBe4.
Did I miss an email?
KnowBe4, where I work, and OneLogin have partnered up,
where myself and Niamh from OneLogin
will be delivering the attempt of the most views
of a cybersecurity lesson video in YouTube in 24 hours.
Anything for views, right?
It's quite specific, isn't it, as well?
Well, you know.
Oh, and in brackets, delivered by a person under 5'6".
With a beard.
Yes, with a beard.
Or as I say, a person exactly one Tom Cruise of height and with facial hair.
But yeah, no, it's happening on the 14th. It's completely free to register.
If you're among the first 5,000 people to register, you will actually get an official Guinness World Records participation certificate too.
So what is the number to beat, or has this just never been done before?
It's never been done. No one's been brave enough to try this before.
So you're pretty much guaranteed to get a world record even if three people turn up. Unless, Tom, how about myself and yourself create our own video for, like, the following day, and we try and beat their numbers?
You can do that, but I'll always be first. And I have to say, I do have a vested interest in this because, despite my mock surprise at the beginning of that conversation, I'm actually, was it, an adjudicator for this.
Are you serious?
I am serious. I'm serious. They obviously went right the way down to the bottom of the list. But yeah, I have absolutely no idea what I've got to do, but if it means staying awake and looking at YouTube stats, then I'll be sorely disappointed.
No, it's a one-hour session that's broken into two concurrent sessions. I'll be doing one and OneLogin will be doing the other.
Pre-recorded?
No, no. So the first one will be live and then it'll be on replay on demand for 24 hours.
So basically you're putting in an hour's worth of effort for this?
No, it's, you know, this is like the story of the old plane that wasn't working and the engineers...
The way that Jav just goes off topic onto a story when the simple answer is yes.
No, no, no, no.
I'm putting things into context.
And this is very important, you see.
This is very important.
We're not in a court of law where you're trying to cross-examine me and say,
yes or no, yes or no, Mr. Manning.
We're in a court of podcasts.
We've got public opinion on our side.
This is kangaroo court, Jav.
You have no choice in this anyway. Tell us about your... tell us your little story about the plane.
The plane. It's an old plane. None of the engineers could fix it. So then someone said, oh, there's this old retired engineer, he's in his 80s, he worked on these planes, let's give him a call. So he turned up and he looked and he says, oh, I know what's wrong. A couple of bangs with a hammer, tightened it up, fixed it, and the bill came for like $15,000.
This is a plumber story.
Yeah.
Is it a plumber story?
It's an experience, right?
Yeah.
Yeah, exactly.
Why are we paying him 15 grand to hit it with a hammer?
We're not paying him 15 grand to hit it with a hammer.
We're paying him 15 grand to know where to hit it with a hammer, how hard, and with what hammer.
Exactly. And I thought you were going down the route of, like, you know, the adjudicator: there was no young one, so they had to go and find an old one, and that's where Tom came into it.
I didn't realise this was a...
No, no, no. So where you're saying, oh, you're only putting in an hour's worth of work, based on 20 years of experience in the industry.
So you're going to be telling all of your old war stories
that are no longer relevant.
Hang on.
This is the wrong way around.
This should be you telling me this, not me telling you this.
Anyway. You have reached a critical age, Jav, where actually all the old jokes now apply to you too.
No, they don't apply to me. Shut up. I don't like... You see, this is why me and Andy should have gotten Graham Cluley to be our third participant on this podcast when we started it off. He's such a nice man. He's a true gentleman and a scholar. And, you know, I always get really offended when you keep on...
Well, like I said, I've always preferred Carole.
Well, she's all right as well, but, you know, Graham's a good man. Graham, if you're listening, and I don't know if you ever do listen to this podcast because I know you're a busy man with lots of priorities in your life, but, you know, I think you're okay.
You heard it here first, everybody.
Jav thinks Graham is okay.
So what have we got coming up for you today?
Well, this week in InfoSec, we are searching for stories on the internet,
but we really didn't know how to find them.
Billy Big Balls is about a hamster.
I thought they were quite small on a hamster, but who knew?
Rant of the Week sees Apple once again in the crosshairs.
It's just so unfair.
Industry News brings us the latest and greatest security news stories from around the world.
And finally, Tweet of the week is just full of vendor hate
I mean, come on guys, throw us a bone here
So let's move swiftly on to
This week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account.
And also via a group chat, which Jav scoured a story for. So the first story is going to take us back 20 years
to the 27th of September, 2001,
when Jan de Wit was sentenced
to 150 hours of community service in the Netherlands
for creating and spreading the Anna Kournikova virus.
Oh, I thought it was for doing
unnecessary root canal surgery.
Different jam, different jam.
Different jam, okay.
Yeah, it was one of the first major virus cases
created from a virus toolkit.
And the author refers to it as the dawn of cybercrime toolkits.
So this whole, do you remember the Anna Kournikova virus, right?
Yes.
It was basically click here for nudes, wasn't it?
Well, pretty much, yeah.
It was a hidden VBS script in Outlook emails that came in.
So this guy was 20 years old at the time, went by the handle OnTheFly, and actually created it in February of the same year, 2001.
And so, you know, you'd receive this email.
It would look like a picture of Anna Kournikova, obviously a very popular tennis player at the
time.
But instead, when you opened it, it's called AnnaKournikova.jpg.vbs.
And obviously, when you open that in Outlook, it didn't display the picture of Anna Kournikova you were looking for. It actually launched a VB script that then forwarded itself to all the contacts in your address book. So it was really more like a load on systems, you know, that was the main problem. It didn't do anything destructive in any other way.
But the great thing about this was the guy created it using, like, a VB worm generator, you know, which he downloaded one afternoon and then just created that same day and just set it loose in the newsgroup.
And then, you know, that's it.
It just went all the way around the world.
Very, you know, very unlike the I Love You virus, you know, that did actually cause problems, was more destructive, you know.
Yeah, but the funny thing about all that overtime was the result of him just dicking around for an afternoon.
Yeah, yeah, pretty much. But the funny thing about this is that the guy that helped track him down with the FBI was a guy called David Smith, who you may recall was the author of the 1999 Melissa virus, who was in FBI custody at the time. So it was one of those sort of, you know, use a virus creator to find a virus creator. Except I don't think Jan was as, you know, sort of hardcore as everyone thought he was, just using a point and click toolkit.
But yeah, no, great times. And I think that Anna Kournikova virus is still embedded in virus folklore, in terms of, I swear I still get emails from people who've been hit by it, because I just get forwarded some nonsensical email from them.
Oh no, I'm generally sending you emails about Anna Kournikova.
Oh right, okay, well, I'll click on them next time.
Yeah, yeah, okay. But our second story will take us back a mere 23 years to the 27th of September 1998, when on that day Google launched.
No way.
You may have heard of this company called Google, but prior to this date most people would typically use Lycos, Yahoo or AltaVista. And then obviously Google came along with this fancy search engine.
But I was actually looking for what else people were using back then. So those three were the most popular. But there were actually eight search engines that were said to have defined the world of search prior to Google coming along.
So you had WebCrawler, which was one, Lycos, obviously AltaVista, which, you know, if you didn't use that you were just wrong, Excite, Yahoo, which everyone knows about, Dogpile. Do you remember that one?
Yeah. I don't, actually.
You don't? Okay. It was, um, no, it was great. Terrible branding, but otherwise a good one. Ask Jeeves.
Yeah, yeah, remember that, we had the butler.
So yeah, exactly. And I remember at Victoria station, when I was going into London, they did a big promo there where there were people dressed as butlers handing out sweets.
Yeah, great sweets. That's... I'm sure that wasn't around about the BBC studios, around about the 80s.
Oh yeah, that's that as well. And then one called JumpStation as well, which I don't...
No, I don't know that one. I don't recall it.
I remember somebody showing me Google for the first time, just saying it was the best search engine ever. I'm thinking, oh yeah, it's very good, you know, and there's this, you know, I'm Feeling Lucky button and all that sort of stuff, which would take you to, you know, just one of the responses or whatever. Never in a million years would I have thought it would become what it has, if you see what I mean.
Yeah.
It was just another company, just another search thing.
Yeah, and just think, like, back then, would you actually just dedicate,
you know, would you only ever use one search?
Like, why would you want anything better than AltaVista, right?
Exactly.
But so they launched in, you know, the late 90s.
Yahoo tried to buy them for three billion dollars in 2002, which obviously Google turned down because they actually felt the deal was worth five billion.
And then obviously, you know, they didn't do anything. But yeah, since then, Google's just gone on from strength to strength, right?
Obviously, they launched Gmail.
You know, they went public.
Google Maps, they launched that.
They acquired YouTube.
They acquired DoubleClick, you know, the ad empire at the time.
Launched their own browser, Chrome browser.
Android Market, Nexus One, you know,
working on self-driving cars at the moment.
Like, the whole company's just gone.
It's like the honky-tonk man.
I can sing, I can dance, I can do it all.
Yeah.
They've done some great stuff and things like, you know,
Google Maps and all that sort of thing and, you know,
all of the other products that they've brought out has definitely been at the forefront of technology.
But I just don't like using most of their products, I have to say. I've even stopped using them as a search engine. I can't bear the G Suite. I try to...
Do you use... Go...
Oh, okay. Oh, so I do retain some credibility then.
Yeah. If I'd said Bing, I mean, come on.
Even my mum doesn't use Bing.
You can't find anything.
Yeah, that's right.
But, yeah, I don't like their Chrome browser.
I just, you know, I don't like their stance on privacy,
although that's a whole hot potato at the moment for everybody.
It's just interesting how much they've contributed to, you know, the environment and the products that we use, but actually, for me personally, how much I dislike using their products.
You know, this is just the fanboy, the Apple fanboy, speaking from within, and his inherent dislike of Google.
That's why I use DuckDuckGo.
Yeah, yeah.
Okay, I see what you're saying. I do feel also that a lot of their products end up just being half baked in many cases. It just feels like everything's in beta.
Which product?
Google Plus. Yeah, things like Google Plus and the chat and, you know, all these things.
They kind of launch a bunch of things that, like, they have all this hype behind it.
Google Glasses, the ones they launch.
There's so many things that they seem to have some promise
and then they never seem to see it through.
They don't improve them.
You always feel like they're going to, you know... There's a whole bunch of core products which are fantastic, and I'm a complete, um, sort of, like, Google set-up in my... my boy.
Yeah, not a fanboy, but I do have an Android phone. I've had one for years and it's solid. I've, you know, got the G Suite and, you know, the Chrome and everything. It's perfect.
Even Chromebooks, I think, are absolutely brilliant.
I got one for one of the kids, and it's solid.
It's just so good.
And it's cheap as well, right?
It is.
They built a whole ecosystem.
It's very affordable.
Yeah.
Yeah, yeah, I get that.
I get that.
But at what price?
You know, it's cheap because you're paying in other ways.
What ways?
Well, by handing all your data over for a start.
What data?
You know all those photos that you thought were safe on Google Drive?
Well, like the same ones that iCloud are scanning.
Yeah.
Well, not yet.
Not yet.
They might do, at which point I might change my opinion, but
at the moment, they're not.
Okay. Do you want to feel really old?
I was just looking this up, and this is moving
back one story. Anna Kournikova
is 40 years old now.
Wow.
Damn, she's older
than me.
I was going to say, she's officially too old for you now, Andy.
I always see... it's weird because I only remember her as, like, that, what, 16, 17 year old.
17 year old, yeah. Yeah, that's kind of like in my mind, that's how it's always been, because, you know, obviously, she's not really had much of a career or anything outside of tennis.
Tennis has been her life.
I think modelling was probably more successful as a model.
Yeah, but it's like saying, Jav, you've not had much of a career outside security, have you?
No, I mean outside of tennis.
So she stopped quite young as well.
She didn't go on to have a full career. She, you know, got into modelling and then she started dating, I think.
Physically, yeah, she had back problems.
Yeah, yeah. So I don't know why you're getting so shocked by my statement. It was a very...
Do you know what? It's, you know what happens when you mention, like, Google versus Apple, yeah? And then it kind of festers inside him and he just lashes out. He needs to, like, hit it in anger. My four-year-old has more self-restraint than you do, Tom.
Yeah, well, this is what I can say to that.
This Week in InfoSec.
a Rant of the Week from me, which I'm kind of... and guess what, it does concern Apple, so I'm kind of worried about where we're going to go on this.
So you're warmed up? That's good.
Yeah, let's see. Precisely. I think I'm warmed up.
Listen up. Rant of the Week. It sounds a mother rage.
So this Rant of the Week is about Apple, and the story goes there was an article on ZDNet, of all places, by David Gewirtz, and the headline was "Secure those Macs: Apple must step up and support older machines
for the good of the planet and the safety of its users."
And then the sort of headline image is a pile of old computers,
trashed, et cetera, links in the show notes,
of which upon inspection there are no Macs.
So, you know, strike one for David on this one initially.
But it's a fair point to make.
So David apparently has just finished upgrading a small fleet of older Macs
and he's had to pull five machines out of service.
And the reason for which is because he couldn't get the latest operating system onto them.
And then he makes some good points on this.
He does say that obviously there's huge amounts of recycling issues here,
saving the planet.
We're just basically, even if the machines are recycled,
we're just reusing a lot of energy to do that.
We should be keeping these old machines in service for as long as possible,
especially ones that, using or paraphrasing his own words,
are as well built as Apple machines, which will last a long, long time.
He also says that one of the reasons people get rid of them is because
software support ends on it.
And frankly, it wouldn't cost much for Apple to maintain.
He reckons 20 million for salaries and 20 million a year for facilities and gear, et cetera, for roughly a hundred engineers who could be dedicated to maintaining support on those older machines, which is
a drop in the ocean on the 89.6 billion of revenue that Apple posted last year.
So, you know, very good points, very good points.
The thing here is that, and where I disagree is, is that in many cases, the Apple machines do continue to be supported.
For instance, yesterday, to test this, I upgraded an old iPhone SE, first released in 2016, I think,
so five and a half years ago, onto the latest iOS 15.
So that's possible.
He also then said that of those five machines, he actually installed not the latest software, but I think it was Big Sur or something like that. Oh no, it was Catalina, I'm sorry, which had a full suite of security patches on it.
So it may not have run the latest software, but it still did run a perfectly workable operating system that was currently being maintained by Apple.
And again, I've just upgraded some friends machines and I've been sort of reselling their old ones.
And I've got a 2011 machine running Catalina and fully patched, and one 2013 machine running, I think it's Big Sur, fully patched.
So there is support for a lot of these machines, and going back quite some time as well. So not sure about this. And the other point as well was,
he even says, goes on to say that smaller developers can't be expected to maintain patches
for older operating systems. But if you don't maintain that software, then even a fully patched operating system could still be vulnerable as a result of the application it's running.
So you can't kind of have one without the other.
So whilst it was an interesting article, I think it does raise some good points.
I think it's quite confused in some areas and it does actually contradict itself in a way. And I know, Jav, you and I had a little WhatsApp chat on this and then we said, you know, save it for the podcast. But I think you were largely agreeing, weren't you?
Yeah, I think, like most podcasts, these conversations between us feel like a battle of wits to which you turned up unarmed.
But no, for a change, no, I think you're right. I think there are many things that are convoluted in it, you know, especially the issues about developers and apps and everything. So you're jumping from OS support to application support and that kind of thing. I think if we strip it down to the real bare basics, I think as a principle, just as a principle, should more vendors be providing support for a longer time?
And so as a principle, I think, yes, I think, you know, I don't think it's fair that, you know, you spend a grand on a phone or you take out a 48 month contract on a phone and you're a bit unsure whether this phone and it's not just Apple. It's like Android, whatever. You're not sure whether by the end of the 48 months with the latest, you know, installs, it's even going to be running very well or not.
Well, no, I don't know. I don't. I definitely think you're going to get two years out of it.
Sometimes. Yeah, you do. You know, but, you know, it's a big investment. And I think it's also one of those things we need to think about, sort of, like, people that can't afford to upgrade very frequently. For them it's a big investment. There are lots of other countries where, like, there are laptop schemes where people send their unused laptops or older laptops, and, you know, we don't want to build up this whole ecosystem that can just be turned into a massive bot network for someone because they're not secure and what have you. I'm not suggesting that companies like Apple and Microsoft and Google maintain everything forever, but I think maybe, I mean, in my mind, I think maybe there should be another option. Maybe they should develop a legacy OS for their machines that you can install, or like maybe their old things...
They don't need to, though. Like, honestly, you can get Huawei phones that are, you know, very affordable and can run, you know, versions of Android, you know, like, for years and years and years. But, you know, as a vendor, as a producer of software, you cannot continuously support legacy software.
Like, people have to upgrade. That is just the nature of these applications. You cannot have legacy teams supporting, you know... What are you going to do? Have completely different teams for every version of the OS that you release? It's just, you know, then all of a sudden 89 billion profit drops down to 88 billion.
I just think that, I agree with you, I don't think that's an unfair point. I just think that hardware has gotten so much better now and devices last longer, so I just think that the window of support, maybe if vendors extend it, you know, maybe it's like three years or five years at the moment, if they just extend it by a year or two, I think that will cover most of the things. Because I've been in that position as well, where you've got something that works perfectly fine, the hardware is absolutely good, you've got it all set up, but then it's not compatible to install the latest update, and so you're kind of left with that tough choice where you run something vulnerable. So I think just, if you just support it for as long as the hardware survives, at least.
No, because hardware can go on forever. But that's why there's so many classic cars available on the road, right? As long as you maintain it.
I don't get it.
Why is this even a discussion? You can't just
buy something and expect it to
be supported at the software level
for the life
as long as you live.
Who said anything about as long as you live?
Perhaps even some regulation that says computers must be supported for 10 years, phones must be supported for...
Three to five years is perfectly adequate in the world of technology.
Yeah, says the person who can afford to replace something every three to five years.
Yeah, exactly. My Mac's a 2013 Mac.
Okay, that's one of them. What about all the other stuff you've got?
Yeah, and I also have a Windows machine which I purchased last year when you guys were getting your new shiny Macs. I said, no, I cannot justify spending that money on a brand new Mac. I'm going to get me a 500 pound Windows 10 machine.
Yeah. I think you're regretting that already.
I think where the author, where this article really misses the point, I don't think desktops and mobiles are the biggest issue. What we really need is to put more pressure on IoT manufacturers to ask them how long they're going to support their devices for, and whether...
Companies go bust by the time the product's shipped.
Exactly. Exactly. That's the thing.
The dash cam manufacturer of my bloody dash cam.
Really?
Yeah.
Yeah.
The app that comes with it is crappy and buggy,
and, of course, they're not around to deal with it.
So it's a pain to get the images off.
It probably sat in the warehouse for, like, a year before it was shipped to you,
you know, before it went on sale.
I mean, there's so many logistics in, like, the supply chain involved in distributing these devices, with, uh, you know, not everyone's got an infrastructure like Apple.
Yeah.
Don't talk about supply chain right now.
Everyone in the country is a supply chain expert at the moment.
This is,
this,
this is not Facebook.
Yeah.
Keep, keep your supply chain discussions elsewhere.
I watched this YouTube video, right, and this is why I know what's going on.
No, not buying it, sorry. But three to five years is perfectly adequate for technology, and it's nothing to do with affordability. Yet that's the... If you want a Mac, yes, it's going to be expensive, but there are more reasonably priced devices that are more affordable. And, um, you know, what about the impact on the environment, for a start, the amount of raw materials?
So why are we not making this discussion about recycling?
Because that's not the main thrust of the topic. We're doing recycling next weekend, you know this.
Recycling?
Isn't that the part we call This Week in InfoSec?
Yeah.
Yeah, there's our green credentials right there.
Yeah.
We've got a carbon neutral show.
Yeah.
Anyway, anyway, since we need to move very swiftly on, I think Apple, you could try a little bit harder,
but this article doesn't pitch a very good story in support of it.
And Andy likes to get a new machine every three to five years, just so we know.
And we all know it's less than that.
Yes.
Rant of the week.
Oh, dear me. Well, that was fun.
That was very fun.
Sketchy presenters.
Weak analysis of content.
And consistently average delivery.
But they still won an award.
Like and subscribe now.
Over to you, Andy.
So what do you guys know about investing in the markets?
I know that whatever I take my money out of suddenly goes up amazingly in value the week later.
So there's a, um, a book written by an author called Burton Malkiel. It's called A Random Walk Down Wall Street, and in it he has this belief that a blindfolded monkey throwing darts at a stock ticker listed in the newspaper could actually perform as well as a human investment manager.
Was it definitely darts?
It was definitely darts, yeah. Um, so this is the story of a hamster that has been live streamed, and the hamster is named Mr Gox. And they have built a cage, or they call it the trading office. It's got, like, a camera in it, like the intention wheel, and it's got a decision buy tunnel and a decision sell tunnel. And based on the hamster doing his exercises and then walking through the tubes, as to whether or not they should buy or sell, you know, as it's spinning around the cryptocurrency that it's looking at, this hamster has managed to outperform the S&P 500, the sort of futures market. So he started trading on the 12th of June, and as of last Friday he's returned 24% on the initial investment.
Wow.
Um, which is absolutely fantastic. So, yeah, cycles through 30 cryptocurrencies, hamster just based on his random patterns, his exercise and which way he decides to walk around his cage. He's either making money or losing money, and thus far he's made a lot of money. So I wonder what the long-term outcome of this will be.
So, yeah, 24% up now, but could be down vast amounts in six months
and then could be up again.
So it's almost like random inputs into a somewhat random or chaotic system
are going to result in generally neutral outputs
over long periods of time, right?
And I think that's the crux of investing in crypto, right?
Yeah.
Yeah, that is pretty much.
You might as well be random, and then random purchasing, and then at least you won't be losing money in the long run, but you also might not be making money.
Yeah, can we replicate this by creating our, um, sort of like, risk decision monkey? So, you know, you ask him, like, should we accept the risk, transfer the risk, you know, whatever, apply a control, and then do risk management that way.
And then a year later, we say, look, as a result of this, this organization has not suffered any data breaches.
That's right. Or has suffered an increase of 24% in data breaches.
Yeah, well, still better than the big four.
But in the long run our data breach, um, win/lose ratio will be neutral.
Exactly. Which reminds me, two monkeys in a bath, and one goes
and the other says, we'll put some more cold in it then.
Damn. Watch. See, I thought you had a good angle there with a carbon neutral sort of tie-in, and then you went and ruined it.
Had to be done.
No, he didn't. He just ruined it.
Anyway, Andy, thank you for this week's Mr Gox Billy Big Balls of the Week.
Are you not entertained?
What? The judges were.
You're listening to Europe's most entertaining content.
What are you talking about, man? The Host Unknown
Podcast.
Andy, what time is it? It's that time of the show where we head over to our news sources
over at the InfoSec PA Newswire who have been very busy bringing us the latest and greatest
security news from around the globe. Industry News. EU slams Russia over disinformation hacking campaign.
Industry news.
Huawei CFO released after admitting she misled bank.
Industry news.
Computer scientist jailed over dark web conspiracy.
Industry news.
Crypto developer pleads guilty to North Korean plot.
Industry news.
Canadian vaccine passport app exposes data.
Industry news.
SolarWinds attackers develop new FoggyWeb backdoor.
Industry news.
Euphemism.
Vulnerability exposes iPhone users to payment fraud.
Industry news.
Scammers capitalise on release of new Bond movie.
Cyber second only to climate change as biggest global risk.
And that was this week's...
Industry News.
Huge, if true.
Oh, we knew somebody was going to say it.
There's some big ones in there.
There were.
Yeah.
Yeah, I want to know more about this foggy web backdoor.
That sounds fun.
That's what she said.
Actually, no need to click on it. I don't want to.
I just wanted to say foggy web back door
So, you know, there's the, um, story, and I saw this the other day, um, where Apple, Visa, um, vulnerability.
Yeah, yeah, yeah.
And, you know, this is the story. So you can use, um, in your Apple Pay, you can set up a transit card so you don't need to unlock it when you get to your bus or train or whatever poor people use, tram. You just tap your phone on it and it will make the transport payment without you having to unlock the phone.
Like the Oyster card type thing.
Like the Oyster card, yeah, exactly. Now, researchers at a couple of universities, they found it, and they've said there's a vulnerability where, if you use a Visa card within Apple Pay and that's set as your transit card, then they can, like, force it to make a payment to a device of their choosing, and it removes the limits on the payment as well. And there's been a big hoo-ha about it, because they're like, oh, Apple haven't fixed the issue, Visa haven't fixed the issue, despite reporting it to them. And this is where I find, like, research and reality just don't mix very well. Because, think about it, to pull off this attack successfully, you need to, uh, be physically close to your victim. The victim has to have an iPhone. They have to have a Visa card on Apple Pay. And that Visa card on Apple Pay has to be enabled for transport mode as a transport card. If all those stars align, then you can go up to them, bump up against their phone and take a payment off them, um, which is pretty unrealistic in a crowded tube train, as you walk down accidentally bumping into people through a corridor of 300 people.
See, I think it's a lot easier if you just went for the contactless 30 pound limit and bumped into people. You know, set yourself up as a coffee merchant and charge people, like, 2 pound 50 a bump. That would be far easier. I just think it's one of those cases where it's not a massive... it's a big story, but it's not likely to happen in the wild.
Exactly. It's a big story that it needs to be fixed, because it could be utilized as part of another attack, or the vulnerability could become more critical for other reasons. But, yeah, the actual threat in the wild is tiny. You know, banks are, if there's one thing banks are good at, it's knowing how to protect their money within reasonable things. And if the fraud on this is not high or is not occurring at all, there's no reason really to fix it.
It's great in a lab environment. Like you said, if it leads on to other things, then sure. But for now, it's just much ado about nothing.
Ooh, getting the classics out.
Or as you would say, the moderns.
I was out only just last week.
I remember seeing the chaps playing that big circular theatre we've just had built.
Policy imp.
So, hang on, what's this one about a Bond movie?
Before we move on.
I was actually reading the one about cyber second only to climate change
as biggest global risk.
So, yeah, a major new survey of 23,000 experts.
Oh.
AXA Future Risks Report. So insurance companies, they know what they're doing. And everyone names climate change as the biggest risk on the global stage, but, yeah, cyber... Climate change is the one that's going to kill us tomorrow; cyber is the thing that's going to kill us today.
Yeah, yeah. Well, I don't think cyber's not... I think we're beyond that stage generally where cyber is its own separate entity. Everything is cyber now. It's just the way of the world.
Yeah, yeah, that's very true. So should we get Insulate Britain to, sort of, along with their banners that say Insulate Britain, at the bottom they can say patch your systems?
Yeah, change your password.
Exactly, get a password manager.
Yeah, Bond run. I think typical, any time something big comes out, uh, people jumping on the back of it, cyber criminals, uh, sending around, I don't know, I'm trying to add where, Trojans capable of stealing login passwords, but calling it, uh, links to sites about No Time To Die.
Oh, you know, I don't know if you've seen the latest Fast and Furious movie, Fast Nine?
Not seen it yet.
No. So I generally like the movies.
They're brilliant.
They're just good fun.
Not seen a single one.
This is by far the absolute worst.
Oh, really?
It is complete dog shit.
I couldn't watch it in one viewing.
I had to pause it and just watch it in little bits and pieces
just for the sake of getting through it.
Oh, that's sad to hear.
It is sad.
So what you're saying is I shouldn't take advantage of the iTunes offer
of all nine films for £49.99?
The first few were really good.
The first two, yeah.
Don't need to pay for it.
Yeah.
All right, that was this week's.
Industry News.
It's over to you now, Jav, for.
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
So I saw this, I laughed, and then I cried, and then I laughed, and then I cried.
It's by Andy Ellis, CSO Andy, who up until last year, this year,
was the head of security at Akamai.
Where is he now?
Well, he's joined, is it Momentum?
No, not Momentum.
No, that's the Labour Party.
No, no, no, no.
It's a VC, basically, that's Israeli-based.
Right.
I can't remember.
No, no, no worries.
I just thought you might have it over the top of your head.
Yeah.
No, I can picture the guy, the founders, in my head,
but I can't think.
But he's joined them, and he's like an advisor now on startups,
and he's one of their residency says and what have you.
So his tweet is, if you put your dumpster fire onto a sinking ship,
at least you're on a path to put out the fire.
There's logic in there.
There is logic in there.
It's deep.
It's very deep.
Yes, yes.
And actually, I think this is an accurate representation of a lot of things that we do in security as an industry
Oh dear.
So I thought that was good. And then there's a second tweet by a good friend of the show, Dan Cuthbert. Um, absolutely love your hair, Dan, by the way.
Dan's, yeah, yeah, he's one of those guys. He's got a full head of hair, which makes him instantly hateable, but then he's so clever at what he does as well, which makes it even worse, and then he's such a talented photographer on top of it. I don't know if you've ever seen some of his photos. He's done one series, a few years ago, he published it online, where he went to Chernobyl.
Yeah.
And he posted all those pictures.
Really, really good.
I'll look them up and I'll put them in the show notes later.
But he's posted a picture, which is a screenshot from The Godfather, where he's doing favors. And he goes: yes, infosec, where a vendor tries to sell you your own breach data and offer it as a monitoring protection service. We now go live to one of their sales meetings. This industry sometimes, wow. And there's that picture of The Godfather there.
But I thought this was interesting, and, uh, I wanted to get your guys' takes on it as well. Like, do you think it's really that bad? Do you think it's, um, a bit of, uh, you know, trying to sell, sell?
There are companies that ostensibly do that, but I think the vast majority of them, and the ones that we, you know, the household names, or at least the cyber household name ones, I'll get that out eventually, there is a value add that they bring, in the fact that they're doing the heavy lifting in the analysis and the consolidation and the intelligence behind it.
But, yeah, it does sometimes feel like it.
Andy, you deal with... you're more neutral than Tom and I, because we both work for vendors.
Yes.
So you deal with vendors?
Yeah, no, I deal with vendors. But, yeah, they do. But do you know what this is? I don't think there's a way around it. Like, I mean,
although I hate vendors that do it,
I would be bored if they didn't try selling me something.
So you see this more as a sport than actual business?
Yeah,
but it's good to hear how they try and sell you something,
you know,
what they perceive the value to be.
Because,
you know,
ultimately if there is a value to it,
then,
you know,
we'll buy it
It will be of use. But, yeah, I don't know. Um, yeah, I am actually kind of neutral on this one.
What? Well, that doesn't help the podcast in any way.
It doesn't at all.
Yeah, and on that bombshell, Tweet of the Week.
Andy Switzerland Agnes, ah, dear me.
Andy Keir Starmer Agnes.
Right, well, that brings us to the end of this show. Jav, thank you very much indeed for your time today.
You're welcome.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
Smashing Security.
So, Tom.
Yeah.
Would you classify a TED Talk as only 18 minutes of effort?
Oh, it depends on the TED Talk.
I mean, yeah.
I mean, most of them just get up there and talk, right?
So, yeah.
I know what you're trying to get me to say.
I'm not trying to get you to say anything. I'm just trying to show you the truth.
You just... just go off and keep hitting those pipes with your hammer, Jav, and eventually you'll get it right.
Aye.