The Host Unknown Podcast - Episode 84 - The New Tiger King

Episode Date: December 3, 2021

This Week in InfoSec (06:57)

With content liberated from the "today in infosec" twitter account

4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed.
https://twitter.com/todayininfosec/status/1335020238765744129

1st December 1996: America Online launches a new subscription plan offering their subscribers unlimited dial-up Internet access for $19.95/month. Previously, AOL charged $9.95/month for 5 hours of usage. The new plan brought in over one million new customers to AOL within weeks and daily usage doubled among subscribers (to a whole 32 minutes per day!).
AOL goes unlimited

Billy Big Balls of the Week (16:06)

https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/

Industry News (21:15)

Clearview AI to be Fined $22.6m for Breaching UK Data Protection Laws
Cyber Essentials Set for Major Update in 2022
Texas School District to Scan Children's Devices
MI6 Boss: Digital Attack Surface Growing "Exponentially"
Organizations Now Have 76 Security Tools to Manage
Twitter to Remove Private Media
Russian Bulletproof Hosting Kingpin Gets Five Years
Police Arrest 1800 in Major Money Laundering Crackdown
Phishing Scam Targets Military Families

Tweets of the Week (29:50)

https://twitter.com/j_opdenakker/status/1466380453036838913
https://twitter.com/bettersafetynet/status/1466460853105053699

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 So I was having dinner with Carole Theriault on Sunday. Okay. You know, the host of Smashing Security? Co-hosted with Graham Cluley? Doesn't ring a bell. Okay. Well, anyway, what she said was if we could go three weeks without mentioning Smashing Security, her or Graham,
Starting point is 00:00:28 then one of us would be able to go on their show. Just not ringing any bells with me. Sorry, mate. You're listening to the Host Unknown Podcast. Hello, hello, hello and welcome to episode 84-ish. 87, 88-ish. Ish covers a whole range of things. Of the Host Unknown podcast. Welcome, welcome one and all. And in our case right now, it's one because it's just Andy.
Starting point is 00:01:08 Andy, how are you? I'm all good. Thank you very much. We lost someone along the way. We did. We did. Oversleeping. Yeah. Something, something, something weight loss program. Yes. He'll be along soon, I'm sure. I think he's watching a school play at the moment, probably right at the front with his video camera, I'm sure. But, yes, yes, it's going to be an interesting episode. We are taking it nice and easy, taking it light. We've got a hard stop because Andy's going out for afternoon tea, don't you know?
Starting point is 00:01:45 Yeah. And yes, we're just going to kind of bluff it, if I'm perfectly honest with you. As opposed to every other week. As opposed to every other week, exactly. Exactly. So, Andy, how are you? What have you been up to? Not too bad. I went to Nottingham earlier this week. Woo! And yeah, I mean, it's strange. Obviously we've got this new, uh, Omicron variant going around, um, you know, the good one, the Decepticon one. And it's kind of strange, so I've been in the office up there and walking down the corridors
Starting point is 00:02:19 like not many people in, all socially distant, you know, keep left, keep smiling, all that kind of thing. Wear your masks in this. Yeah. And so you wear your mask in the office with people, you know, very small amount of people and that's all good. And then we went out for a nice team dinner. Uh, that was all good. Like big restaurant, quite well spaced, not too bad. And then we hit some pubs afterwards and it was literally, you know, just wall to wall, shoulder to shoulder, no masks whatsoever. I just think, yeah, I can see how these rules are kind of, you know, they just don't make sense, right? No, no, that's right. How can you go into a pub like that? It's, uh, that's bizarre.
Starting point is 00:02:56 do you know what was embarrassing and more so for uh colleagues of mine because they obviously weren't talking to me because it just wouldn't apply. We got to one bar to go in. It's just sort of after the meal. And they basically politely told my colleague that he was too old to come in. What?
Starting point is 00:03:16 What they said was, you know, gave him a good look up and down and said, sorry lads, it's students only tonight. Oh my God. Which, uh, yeah, obviously, you know, not referring to me at all. Um, is that like, you're not coming in here with that gray hair, mate? Pretty much, yeah. But yeah, not with those smart loafers, it's pub shoes only, mate. Yeah. And then obviously it's, uh, you know, followed by a couple of girls coming out with, uh, you know, giving each other piggybacks, you know, absolutely hammered, sort of falling out the door. It's like, yeah, we wouldn't have fit in here anyway. But, uh, yeah, no,
Starting point is 00:03:56 it was all good and it was all, uh, paid for by NCC, so thank you very much, NCC. Even better, even better. And, uh, they were definitely on a mission to get absolutely hammered to the point where I left early. That is how much drinking was going on. Andy, you have reached an age, I think. I know, 30. Unbelievable. But what have you been up to this week?
Starting point is 00:04:20 I saw your Lego Christmas wreath on the front door. Yes. Is it still there? It is still there, amazingly. No, it hasn't been scallied off by someone. Yeah, it wouldn't last in my area. I'll pop a picture up in either the show notes or the tweet, but, uh, yeah, yeah, it's a look. I think it looked quite cool, actually. From a distance you wouldn't even guess it's Lego at all. So, no, it took Jav a minute, didn't it? It did, yeah. Well, 24 hours, basically. Yeah. But, um, uh, but yeah, it's, uh, it's, it's up. Christmas has officially started. Um, and actually I was in, um, Copenhagen, uh, in Denmark, home of Lego itself, I believe, and I found a Lego
Starting point is 00:05:00 shop and it was, it was being refurbished. I was like, oh, no. I wanted to buy something from the Danish Lego shop itself. And did you ask any of the natives where you could buy Legos with an S at the end? No, because I'm not an American. But, yeah, it was good. I did an event for ISACA. Uh, I did the opening keynote for them for their, uh, Danish chapter. Right, so it was actually security related. Because, as we know, you will attend any event, uh, the opening of an envelope. And opening of an envelope, exactly.
Starting point is 00:05:40 Uh, but, um, yeah, so did that and then I did an event for ISAN, which is a West African security group, followed by a chat with friends of the show, Quentyn Taylor, for SC Media. So it was a busy, busy day that day. You know I'm not your boss, don't you? You don't have to justify your time to me. That's right. No, I'm practicing for when I do have to chat with my boss.
Starting point is 00:06:09 I mean, I'm just going to say that you hardly work anyway, regardless of what you're saying, what metrics you produce. That's right. Working hard or hardly working, am I right? Oh, dear. What have we got coming up for you today? Well, this week in InfoSec finds us repeating ourselves, although just a little bit.
Starting point is 00:06:32 Rant of the Week is inexplicably missing. Billy Big Balls is the triple crown of Billy Big Ball moves. Industry News brings us the latest and greatest security news stories from around the world. And finally, Tweet of the Week explores the real reason behind why we have security controls. So let's move swiftly on to this week's... This week in InfoSec. This week in InfoSec.
Starting point is 00:07:18 And this is This Week in InfoSec with content liberated from the Today in InfoSec Twitter account and from further afield this week. So our first story takes us back not just eight years ago, but also only one year since we last spoke about it. And that was the story that on the 4th of December 2013, Mr. Troy Hunt launched the site Have I Been Pwned, and at launch it included passwords from the Adobe, Stratfor, Gawker, Yahoo Voices, and Sony Pictures breaches within their index. And obviously, it's just gone from strength to strength in the eight years since. It's quite an amazing resource. I mean, the fact that it now hooks into people's passwords, creation, and account management systems, such that it will search it
Starting point is 00:08:07 to see if that password has been used before, whether it's been vulnerable, you know, all that sort of stuff. It's really quite a massive success story, it has to be said. It is. For somebody who just fired something up on AWS and bunged a bunch of records in, right? Yeah, although was it not Azure? I think Mr. Hunt's a Microsoft man. Oh, of course, he's a Microsoft chappy, wasn't he?
Starting point is 00:08:30 Yes. Yeah, you're right, it is Azure. But despite the handicap of Azure, it's still a massive success. Oh, that's a whole different topic. Yeah, exactly. But I'm going to move on. So our second story is from a whole 25 years ago, which just doesn't seem real to me anymore. We're going back to the 1st of December 1996
Starting point is 00:08:55 when America Online launched a new subscription plan offering their subscribers unlimited dial-up internet access for $19.95 a month. So previously, AOL charged $9.95 a month for five hours of internet usage. And this new plan, unlimited for less than $20 a month, brought in over 1 million new subscribers to AOL within weeks. And their daily usage doubled amongst subscribers to a whole 32 minutes per day. Can you believe that?
Starting point is 00:09:35 Like, unbelievable numbers there. And the huge increase was so big, it actually overloaded AOL's infrastructure. And it meant so many people couldn't access the service, and this is, I think, where they got a lot of their bad name from. And as we're talking about in America, this was the class action lawsuits were obviously filed by people who could no longer access the service they were paying for. But regardless of, you know, the trouble and poor reputation they had, which kind of stuck with them over the years,
Starting point is 00:10:06 offering unlimited internet access for a reasonable fee, it was AOL that really sort of helped facilitate that increased adoption of internet usage amongst people back then. That statistic is fascinating because I think I was only up for 15 minutes this morning when I'd used 32 minutes of internet usage. Yeah, and obviously Apple do this thing every week where, I'm sure other devices do it as well, but if you've got an iPhone, it tells you how much time you spend online.
Starting point is 00:10:35 And I regularly sort of hit nine, ten hours a day. Yeah. Which app, though? Well, all of them. But TikTok is one of the – it's certainly my biggest usage. Although I prefer it when they classify it as social media. Yeah, that's right. You know, that's right.
Starting point is 00:10:53 For legal purposes. Yeah, but it's pretty much TikTok, Reddit, and then that's it. News actually, I read a lot. It is interesting, you know, using it to doubled it to 32 minutes a day. It was very much used almost like as a phone call almost. I will dial up and find this out and then I will disconnect because it was a phone call quite literally. It would hog up your phone line.
Starting point is 00:11:18 So it was – and it's changed. So much. I remember – I mean, 96 was – I think I was really sort of getting online by this time, uh, you know, sort of 96, 97. You know, phone bills astronomical because, you know, the UK didn't have this unlimited dial-up. Yeah. Until Freeserve came along, uh, you know, much later. But, um, yeah, you know, it's, uh, chat rooms at the time that really got me going. And this is the reason I used to go to colleges and universities, computer rooms, and just use them for the chat rooms, because it was easy to use, you know, someone else that had. And those are the days when you could just walk in. Yeah, it was.
Starting point is 00:11:59 Yeah, just borrowed a friend's card. Canterbury University, your old haunt. Yeah. I go down quite frequently. And I don't know if you remember on the walls they had things like, you know, be aware of becoming addicted to the internet and look for these signs. And, you know, if you're spending more than two hours a day online, you may have a problem.
Starting point is 00:12:19 If you are using your friend's student ID to gain access to the internet, you may have a problem. But it's just this whole world, you know, we're regularly conversing with Americans or Australians and, you know, just in real time as well. That was the crazy thing. I mean, if you think just some of the things used to happen back then, you know, films would be released in the US and it would be months before they came to the UK. Yeah. And I don't even remember the TV program Neighbours, the old soaps. In Australia, it was like they're nine months ahead of us.
Starting point is 00:12:55 You know what I mean? It was like, wow, what does that mean? You'd have someone that went to Australia, recorded an episode and came back. Wasn't it six months? Because then that meant that winter in Neighbours in Australia hit winter in the UK. Oh, was it?
Starting point is 00:13:12 Oh, yeah. I don't know this. I just know it was so far ahead. It was. I mean, yeah, it was. And that's not uncommon. It's certainly less common now, but certainly at the time it was about right. Well, that's the thing now is, you know, because of the internet, you know, things like, what, Game of Thrones, it was pretty much released
Starting point is 00:13:26 at the same time over here as it was the US. Well, it has to be, doesn't it? Yeah. Because otherwise – People pirate stuff. Well, precisely. If you are going to put people at a disadvantage purely based on where they live and then you're going to push adverts
Starting point is 00:13:44 for said thing globally, then of course you're going to encourage people to download it, to get hold of it in any way they can. Yeah. This Week in InfoSec. Yeah. Here we go. Father Christmas has arrived. Yeah.
Starting point is 00:14:07 That was a school play? Did you video it all? Oh, my God. Do not get me started on the school play. This is going to turn into a rant of the week, and I don't want to rain your grave, but parents, put your damn phones down. You are not Spielberg.
Starting point is 00:14:27 You are not, you know, shooting. It's just horrible. I was sat like two rows back. Spot the Android user. I could not see a thing because everyone was crowded, standing up, their arms extended. Be there for your children. Be present in the moment.
Starting point is 00:14:48 Build the memories. If all you're going to do is experience the lives of your children through a flippant four-inch screen, don't be surprised if that's all they – you know, if they look up and say, draw a picture of mummy and they draw the back of an iPhone, you know why. So what you should have done, Jav, was get your phone out and then zoom in onto one of the screens in front of you and then you could have watched the play. Yes, I could have. I could have, yeah. Why? Why? And I get it, you want to make a little, you know, if you take a few photos, make a little, but then sit down and enjoy the production. The kids have put so much effort into it.
Starting point is 00:15:26 And, you know, you're just like, who is it for? Who is it for? You're going to post it on WhatsApp and no one's going to care, or Facebook or whatever. No one cares about your kids' production. Except you. Yes, yes. But even then, not even you.
Starting point is 00:15:45 Yeah, exactly. I'm sorry. Have we just, have we just gone full circle here? I don't know. You're listening to
Starting point is 00:15:56 the Host Unknown Podcast. Bubblegum for the brain. Okay, in a break from our usual programming, let's move on to this week's...
Starting point is 00:16:07 So this week's story is about a former Ubiquiti employee. Ubiquiti Networks make a whole bunch of networking equipment, as the name would imply. UniFi is their flagship Wi-Fi product. If you head over to Troy Hunt's page, he's got an extensive write-up on how he uses UniFi everywhere, and he's a big Ubiquiti fan. A bit too expensive for me, so I'll just take his word for it. Anyway, just sticking with the, the cans and the wet piece of string in between. Honestly, it just works. Those power line adapters are just good enough for me. But so a few months ago, well, actually back in March,
Starting point is 00:16:55 Brian Krebs broke the story that Ubiquiti had had a breach, some sort of ransomware. And, you know, it was data was getting exfiltrated, all sorts of stuff. I think we covered the story, actually. We did, yes. Now, are you ready for the plot twist? So today, or recent, this week, a Ubiquiti employee was arrested and charged with stealing the files from the company's AWS and GitHub infrastructure. That employee attempted to extort his employer. At the same time, he posed as an anonymous hacker and whistleblower and leaked the story to Krebs. Whoa.
Starting point is 00:17:49 So Krebs got played by this employee who was trying to extort the company from which he had himself stolen the files. It's a bit confusing. I get it. Is Christopher Nolan going to make a really confusing film about this? Yeah, yeah. This is kind of like the, uh, the Keyser Söze of insider threats, I think. The Inception. Yeah. So here's the good guy, the bad guy, and the guy telling everyone there's a problem and he was trying to fix it. Yes, exactly. So I think it's like, it takes balls to be an insider in a
Starting point is 00:18:29 company and steal files. Uh, it takes, for, it takes balls to steal files and extort your employer. But I think it takes Billy, Billy Big Balls to steal files, extort your employer, and then pose as a whistleblower and leak the story to Krebs. That apparently caused the company to lose millions in losses as, you know, reputation and I assume the share price dropped. Yeah. So I'd love to know how he was found out. Well, wouldn't we all? I'll post some links to the story.
Starting point is 00:19:08 Look, you know me, I don't go past the headline and that headline just had me like, wow. What was the headline? Three sets of balls on this guy. Yeah. Billy Biquity. Yeah. Almost.
Starting point is 00:19:24 It was almost there. Billy Biquity balls. Yeah, almost. Yeah. Bill Biquity balls? Catalin Cimpanu, who has got a fantastic Twitter thread with lots of nuggets of information, but he says the best part of this whole indictment is that Sharp,
Starting point is 00:19:43 the name of the person, was called into work on the incident response and immediately proceeded to attempt to ransom the company for 50 bitcoins, promising to reveal how he got in and return the stolen files. Ubiquiti didn't pay and called law enforcement, who found the VPN IP leak and raided Sharp in March. He was apparently told they identified the VPN leak, but Sharp denied paying for the Surfshark account, claiming that someone else used his PayPal to do so. I mean, you've got to be some kind of...
Starting point is 00:20:23 Yeah, so you're not the smartest tool in the shed when you pay for a VPN. You just leave this huge audit trail, right? And it's the type of thing where he would have probably got the ransom and then just deposited straight into his bank account. Yes. $2 million straight into the bank account
Starting point is 00:20:40 the day after the company pays it. And he's like, no, no, it's not me, bro. Oh, dear. Excellent. Thank you for that one, Jav. Billy Big Balls of the Week. This is the Host Unknown Podcast. Andy, have you got time?
Starting point is 00:21:03 Let me just double check. Oh, interesting. It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire who have been very busy bringing us the latest and greatest security news from around the globe Industry News Clearview AI to be fined
Starting point is 00:21:22 $22.6 million for breaching UK data protection laws. Industry news. Cyber Essentials set for major update in 2022. Industry news. Texas school district to scan children's devices. Industry news. MI6 boss: digital attack surface growing exponentially.
Starting point is 00:21:45 Industry news. Organisations now have 76 security tools to manage. Industry news. Twitter to remove private media. Industry news. Russian bulletproof hosting kingpin gets five years. Industry news. And police arrest 1800 in major money laundering crackdown. Industry news. Phishing scam targets military families. And that was this week's
Starting point is 00:22:16 industry news. Huge, interesting. Huge if true. Huge if true. 76 security tools, really? Yeah, well, so I'm looking at this. This is from, uh, research from Panaseer, uh, as I, uh, so obviously, you know, the vendor that pulls together a lot of, uh, ingests a lot of data and presents it in nice dashboards. Uh, I think you'll find them up in Gartner's Tragic Quadrant somewhere. You know, as a tool of choice. Yeah, and I guess, you know, this is one of, because it's an in-house survey, I'm guessing, you've got to take the stats with a pinch of salt. You've got to take the stats with a pinch of salt, right?
Starting point is 00:23:01 Yeah, so they're saying that sometimes, yeah, from Excel spreadsheets through to every other tool that they get to try and simplify the management of Excel spreadsheets. So what, they're including Excel in this? Because Excel, for me, would substitute at least 25 of those tools. I think they were sort of referring to Excel as the reason people acquire tools, because they try and move away from spreadsheets and other in-house solutions. No, they don't need another tool. They just need to open another tab, another workbook.
Starting point is 00:23:33 They do. Excel is still the most popular security tool used by professionals around the world today. But not for gathering statistics on COVID infections. Remember the limitations of 76,000 rows or whatever? Yeah, exactly. Yeah, when you confuse your rows with your columns, you know, that's what happens.
Starting point is 00:23:55 So, simple mistake. And also, you know, let's not lose sight of this, what was it, 10 billion, whatever it was, that for test and trace. I mean, these, these Microsoft Office, um, licenses aren't going to buy themselves. Well, a very reasonable cost as well. Yeah, that is, that is. Yeah, so the story that caught my eye was this one, the Texas school district to scan children's devices. Um, oh, and they're basically saying they're going to do it to check if anyone's, they're going to look for keywords, um, to detect if anyone's bullying other children, and they're saying
Starting point is 00:24:31 it's to dissuade cyber bullies, um, and identify students with mental health issues. But, like, to go through someone's device to say you're checking, you know, if they're harassing someone else. You know it's going to backfire. Yeah. What's this doing on here? You can't have this on there. You should be ashamed of yourself. Yeah, yeah.
Starting point is 00:24:55 No, it's, again, the case of, like, using technology as, like, the fix-all of everything wrong when it's, it's a teaching issue, it's a societal issue, it's a parental issue. Yeah, you know, that, that big jock that, that likes to give kids wedgies, I don't know, it could be him, it might not, but I don't know. It's, it's like the whole thing of, you know, let's, let's address, uh, school shootings by changing the shapes of corridors and teaching kids how to lock their classroom door and take cover behind desks. Yes, yes.
Starting point is 00:25:34 But wearing a mask to school would be traumatic. Well, that impedes on liberties. No, it's trauma. Trauma, I tell you. So, yeah, it's completely – I'm lost for words. I'm going to shut up. Wow, that's a first. Great.
Starting point is 00:25:56 It just – I'm broken. I'm broken when it comes to stuff like this now. Cyber Essentials, major update in 2022. I'd be really interested to see how this comes out because I'm a fan of Cyber Essentials. I'm fully behind what it tries to do. It is flawed, but it was a great start and it was easy to access and easy to engage with. So I think it was a good way of
Starting point is 00:26:27 getting companies to, to get on board with it. So I'll be really interested to see what the major updates are. Andy, have you got any insight into this? I do. It's around, uh, homeworking and usage of cloud. It's been added as a significant vector of risk to people. That would be good because the last time I've had to use it, it was all for companies that worked from home. Yeah, well, I guess that's the thing. It's aimed for companies with, what, less than 500 people? Yeah. And I think this is lost on a lot of security professionals.
Starting point is 00:26:59 Oh, it's so basic. Of course it's basic. Yeah, exactly. And then what we end up doing is creating another standard because the first one's not good enough. You know, there's, there's the right standards for the right size company, right? You know, if you're a bigger company, go for ISO, you know, 27001 or something. Get SOC 2, you know, reviewed, certified, ISAE 3402. You know, there's, just find out what's right for you. But, you know, I'm a big fan of Cyber Essentials. And it does the basics very well.
Starting point is 00:27:26 Firewall, secure configuration, access controls, malware protection. You know, you get those things right. And account management. You know, do you know when people join your company and leave your company? And user awareness. Do your users know what their responsibilities are? Yeah, yeah, exactly. I found it very good.
Starting point is 00:27:43 I mean, I got Cyber Essentials certified when I was running my company. And for me, it wasn't a challenge. It was quite straightforward. But when I helped other companies through it, and I know you were an auditor, Andy. I was. I was on the other side of that.
Starting point is 00:27:59 And in fact, you signed off on one of my clients, as I recall. Oh, yes. Um, hold on, hold on, hold on. You, and he signed off on one of your, no conflict of interest there? No. Like, hey, hang on a second, right? Let's explain this. This wasn't, uh, this was through my company. It was, uh, I didn't even know it was Tom's client at the time. I think, was it, uh, uh, you know, you had the previous certificate. This is what you want. Almost sounds like Matt Hancock. I didn't know he was my friend who had that company that awarded
Starting point is 00:28:29 that million pound contract. Right, so I will let you know, everything goes, uh, centrally via, um, you know, the people that run it. I, as me, and they just issue out the assessments to, uh, people. Order, order, order, order. Exactly, yeah. No, all above board. We found out afterwards, anyway. Yeah, we found out afterwards. But, but I liked the way it was laid out, and actually I could spend time educating people as to why they're doing something. That was the most important part, I think, you know. And, and, you know, and I obviously shuttered the business, but, you know, the ones that I know have gone on and recertified again the second time and third time. So, you know.
Starting point is 00:29:16 I've had a good order to that first time. Well, exactly. You know, steer them right. Right. Thank you very much. That was this week's... Industry News. Are you not entertained?
Starting point is 00:29:35 What? The judges were. You're listening to Europe's most entertaining content. Bro, what are you talking about, man? The Host Unknown Podcast. And we're going to go on now to yet another... Tweet of the Week. And we always play that one twice. Tweet of the Week.
Starting point is 00:29:54 This week's Tweet of the Week comes from John Opdenakker, and he says, why are people from Norway so good at editing files in Linux? And do you know, when I first read this, I thought, you know what, I'm wondering, there's probably a very good reason. It's because their ancestors are Vikings. Whee! Oh, that is just...
Starting point is 00:30:21 Don't, don't, don't, hey, hate the game, not the player. Uh, so, and our next one is from Mick Douglas. One thing InfoSec techies don't talk or think about enough is that well over half of the purpose of an org's infosec program is to defend it against insurance adjusters, regulators, and auditors. Many big name tools are deployed only to satisfy those groups listed above. Hmm. Interesting. That is so true.
Starting point is 00:31:00 That is so true. So true. I don't know if it's that black and white. I don't like the language of it. No, I get the intent. And, you know, this reminds me of a clip, but I saw it. It's an old one by Steve Jobs. So you like this, Tom. He already liked it.
Starting point is 00:31:17 He hasn't heard it yet. I agree. Like, are you sure you want to read the article before resharing? No, I just want to read it. Double heart, smiley, so blessed. Yeah. So he goes that when you look at, he said, when you look at the difference in marketing literature
Starting point is 00:31:35 between Japanese companies and American companies, Japanese companies hardly ever use the word quality. They never describe their products as having good quality, whereas American companies do. And he goes, but when you ask the average consumer of electronic goods, uh, which products do you find have quality, they will inevitably always talk about Japanese. Yeah. And they say, like, quality isn't something you tell people about. It's something your consumers experience and they see for themselves. It doesn't matter how many awards you've won. It doesn't matter how many, you know, whatever.
Starting point is 00:32:13 I'm the top 30 under 30 sort of. Wait, is this a speech that someone gave you, Jav, when you were talking about an award that you had won? I think you missed the message. Now that you put it like that, well, it's the truth, right? That's so, I mean, there's a, what's the old saying, a lion doesn't have to tell people it's a lion. Yes. You know, it's just obvious when it walks in the, uh, in the jungle. Yeah. Is that why when you go to weight lift... Weight lifters.
Starting point is 00:32:48 Weight lifters. I've got to say, weight loss anonymous, you don't stand up and say, I'm Andy and I'm overweight. Also, lions don't live in the jungle. They live in London too. No, they live in Florida. Ain't that the truth?
Starting point is 00:33:12 But yeah, I think this tweet, I get the under, because I have absolutely no idea what point you were trying to make with that quote there, Jav. But I think the, and please write in if anybody did actually get it. But I get what he's trying to say, but the language is, you know, is to defend it against insurance adjusters. It just sounds like there's no sort of collaboration here or anything like that and that, you know, regulators, auditors,
Starting point is 00:33:41 insurance companies, et cetera, are the enemy here. And that just feels very, very wrong. You're right that it's wrong, but unfortunately it represents the truth in a lot of ways. But you're wrong because it's right. A huge Venn diagram with this conversation. No, it is a reality. You're right that it's wrong, but you're wrong that it's right.
Starting point is 00:34:02 Yes, yes. It is a reality. It's wrong that it shouldn't be that way in an ideal world. There should be more collaboration. However, many organizations still view it as an adversarial relationship, and I think that does need to change. And it will continue for as long as we consider it to be an adversarial relationship. So I'm thinking of examples, so like uh anti-malware tools on
Starting point is 00:34:26 yeah you know linux devices right yeah where it's you don't a lot of the tech guys would say actually there's no benefit to it on this you know the threats that that this particular asset would experience are just not there but no one's prepared to tell the insurance company that we don't have anti-malware exactly so it gets rolled out and deployed regardless that's exactly the point that's exactly it i mean this goes back to the the the shelfware uh research i learned many years ago when i was at 451 and say like uh wafts came up a lot and a lot of people were like we just deploy it because um of pci dss it's um you know either you get a full code review or you put a waft in place or something and he goes it's just
Starting point is 00:35:11 easy and you just put it in um in in just like pass-through mode so it's not really doing anything but you say but you can say you got a waft you say you got a WAF and it's installed and there it is. And the QSA says, happy days and walks off. So, you know, there is a lot of that stuff that goes on for the sake of regulators. And I think, you know, and Andy, you probably know better than most of us here. I'm the only one that does any work. How it's difficult to sometimes get an auditor to see reason that here's a perfectly adequate compensating control or or the reason why the risk doesn't exist but they're like nah here's a checklist i need i need to see something there yeah completely agree
Starting point is 00:35:58 completely agree i knew you'd come around, Tom. Yeah, but I'm right in that I'm wrong. Or am I wrong in that I'm right? I can't remember. Yeah, wreck it, Ralph. Gonna wreck it. Okay, that was this week's... Tweet of the Week. Gentlemen, thank you very much.
Starting point is 00:36:23 We draw to a close. Just in time for Andy to leap onto his speeding train to get his lovely cup of hot Earl Grey, some nicely cut cucumber sandwiches and a few cakes and scones. There's going to be more than a few cakes, my friend. I can tell you that. Duffel A is not playing on a Friday.
Starting point is 00:36:44 Are you going on the Orient Express or something? What train are you on? He's going for an afternoon tea. You'd have known if you arrived on time. I'll be in St. Pancras if anyone wants to. The Renaissance Hotel. That's beautiful.
Starting point is 00:36:58 That's the restored part of St. Pancras, isn't it? It is. Yeah. It's absolutely beautiful though. Absolutely beautiful. Anyway, Jav, have a wonderful weekend. Send us all the videos you took of the school play. Love to see
Starting point is 00:37:15 the backs of people's heads and the fronts of their phones. I'm looking forward to that. With crappy audio. I will do. Thank you for having me. With crappy audio? I will do. Thank you for having me. It's our pleasure. Thank you for eventually turning up. And Andy, thank you very much, sir.
Starting point is 00:37:32 Stay secure, my friend. Stay secure. You've been listening to The Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. R slash Smashing Security. We didn't even discuss the new Tiger King, which I noticed you titled the episode.
Starting point is 00:37:54 We didn't. I did talk about lines being in Florida. Yes, you did. I didn't mention it because I didn't want to get dissed by you to saying that, oh, we've already spoken about that. I didn't mention it because I didn't want to get dissed by you to saying that, oh, we've already spoken about that. Look at you prioritising your son over this podcast that we do for free. Exactly.
Starting point is 00:38:14 It's for the people, Geoff. It's not free, it's for the people. Yeah, we've got our priorities straight here, mate.