The Host Unknown Podcast - Episode 85 - The Not So Christmas Special
Episode Date: December 10, 2021

Andy’s mattress

This Week in InfoSec (11:46)
With content liberated from the “today in infosec” Twitter account
7th December 1999: The Recording Industry Association of America sues the peer-to-peer file sharing service Napster alleging copyright infringement for allowing users to download copyrighted music for free. The RIAA would eventually win injunctions against Napster forcing the service to suspend operations and eventually file bankruptcy. In the end the RIAA and its members would settle with Napster’s financial backers for hundreds of millions of dollars.
How The Founder of Napster Trolled Metallica at the VMAs
Shawn Fanning at the MTV Video Music Awards in 2000
December 2009, when Yahoo! Doesn't Want You To Know Its Spying Price List; Issues DMCA Takedown
Compliance Guide for Law Enforcement

Rant of the Week (22:37)
The vice president should not be using Bluetooth headphones
This week, Politico opened its newsletter with an article on Vice President Kamala Harris’ aversion to using Bluetooth headphones. The VP was “Bluetooth-phobic,” the story claimed, “wary” of her AirPods and cautious with her technology use to an extent former aides described as “a bit paranoid.” Proof could be seen in her televised appearances: wires dangling from her ears in an interview with MSNBC’s Joy Reid or clutched in her hand during the famous “We did it, Joe” call.
But for a high-profile public official, this is a lot more reasonable than you might think. As security researchers were quick to point out, Bluetooth has a number of well-documented vulnerabilities that could be exploited if a bad actor wanted to hack, say, the second most powerful person in the US government.

Billy Big Balls of the Week
Feds charge two men with claiming ownership of others' songs to steal YouTube royalty payments
Alleged scheme said to have netted $20m since 2017
"Batista and Teran perpetrated their fraud by falsely representing to Y.T. [YouTube] and to A.R., an intermediate company responsible for enforcing their music library, that they were the owners of a wide swath of music and that they were entitled to collect any resulting royalty payments."
The government claims that around April, 2017, two men, through their company MediaMuv, LLC, entered into a contract with A.R., which administers and distributes YouTube royalty payments, claiming to control a 50,000 song catalog of music.
They subsequently sent the corresponding song files to A.R., which in turn uploaded the files to YouTube, the indictment claims. The court filing cites as an example the song "Viernes Sin Tu Amor," which A.R. is said to have uploaded to YouTube in 2017 and has earned around $24,000 in royalty payments since then.
This was allegedly done for numerous songs, with A.R. eventually, at the direction of MediaMuv, writing to YouTube "to bulk clear potential copyright conflicts from MediaMuv's entire music catalog."

Industry News (36:28)
Nine State Department Phones Hijacked by Spyware
Cyber-attack Closes UK Convenience Stores
French Transport Giant Exposes 57,000 Employees and Source Code
Hotel Guests Locked Out of Rooms After Ransomware Attack
Passports Now Most Attacked Form of ID
AWS Outage Hits Eastern US
IT Execs Half as Likely to Face the Axe After Breaches
Most Phishing Pages are Short-lived
Half of Websites Still Using Legacy Crypto Keys

Tweet of the Week (44:08)
https://twitter.com/TJ_Null/status/1469006847449440262
https://twitter.com/johnjhacking/status/1468860997272174594

Come on! Like and bloody well subscribe!
Transcript
You know, there was a company, I can't remember which company.
Oh, it was the car rental company.
I can't remember.
It was Avis or Hertz.
I think Avis was always like second to Hertz.
So their marketing campaign was we're number two, so we try harder.
Is that us then?
Because I'm not convinced we try harder.
No, we don't.
And I'm not even convinced we're number two, but okay.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome to episode 85. This is the penultimate episode of the year.
Espe-sode, episode, espedrilles, something, I don't know. I'm not re-recording that.
So yeah, penultimate episode of the year. So blimey, blimey. And yeah, hello gentlemen,
how are we? Jaf, how are you, sir?
Yeah, Tom, do you want to explain for our American views
what penultimate actually means?
It's the one before the last one.
Yeah, thanks.
Because you know what?
I use the term fortnight.
Yeah, yeah, and we'll be off for a fortnight, folks.
Yeah.
That doesn't mean we're playing a game.
We're not playing a game.
Yeah.
We're back for the bi-weekly and bi-annual survey.
I know.
Is that what?
I said fortnight.
They didn't understand what I said, so I said it's like every two weeks.
And then like, so you mean bi-monthly?
I said, no, I don't mean every two months.
Yeah, that's right.
I'm sure there must be an ISO standard on this. I'm sure it must be. There must be.
Have you seen the ISO standard on making a cup of tea?
What do you mean, seen it? I live by it.
You live by it? Excellent.
I wrote it. I still have the white gloves I wore when I wrote it.
Fantastic.
Yeah.
But I'm in a good mood.
I actually went out yesterday.
Oh, did you?
Where?
I thought you weren't going anywhere.
I know.
Is this to install the bollards behind your house?
Yeah.
No, those are...
Snoop on a neighbour.
Track down a lead on who's been dumping rubbish.
No, no, okay, okay.
So that's going out.
All right, Columbo.
All right, Columbo.
That's going out.
I actually went out, out.
Oh, out, out.
Yeah, yeah, yeah.
I wore like an N95 mask.
I wore gloves.
I wore the whole hazmat suit.
Got on the underground.
I was going to say, that was just to get to the front door.
Yeah, got on the underground.
You didn't even take the bike.
It was really cold yesterday.
Money well spent there.
Yeah.
It's a bike.
Of course.
If you didn't realise that it was going to get a bit chilly every now and then.
Couldn't you put the windows up?
Yeah.
Anyway, so you went on the underground, yeah.
I went to the Apollo and saw Paul Chowdhury.
Is that the Hammersmith one?
Yes.
Is Starlight Express not on anymore?
Yeah. Paul Chowdhury, he's a comedian.
I know he might look like Aladdin to you guys,
and you might have thought it's a pantomime.
It's not.
He's a very good stand-up comedian.
It's the Punjab Express, isn't it?
It is, yes.
They've rebranded.
Yeah.
There's like 200 Indians all standing on the outside of the train,
hanging on.
So he's good, was he?
Oh, he was brilliant.
He was absolutely fantastic.
Pro tip.
It's never a good idea to sit in the front of any comedian show, but particularly his,
unless you want to be stripped of any dignity you have left.
I mean, there were people walking out of there.
They had less dignity than Graham Cluley by the end of it.
It was just amazing.
Dude, we had to go three weeks.
Three weeks.
Jav missed the start of last week, Tom.
You mean he didn't listen to it either?
What?
You guys listened to it?
We've got to start the clock again. Crap.
Oh, is this like how many weeks without incident?
Like, yeah. And then we might get invited back on the show and therefore see a slight increase in our listenership.
What's this? We only... you get invited on that show? I had to pay. I had to pay them to get on the show.
No, I got an invite, Jav, don't worry.
Oh, yeah, you're pretty big now in the security industry.
I'm big in Japan.
Yeah.
Yeah, it's called lockdown, wait.
So you'd recommend Paul Chowdhury because he's, I wouldn't say he's niche,
but he definitely focuses on first-generation Indians, right?
Yeah.
It really helps if you're bilingual to actually appreciate a lot
of the nuance to his jokes.
And I hesitated to say Indian there because, obviously,
you're Pakistani, but not wishing to collide those two cultures
because as if there's not enough trouble there already.
No, no, there were plenty of Bengalis there as well last night
and they got ripped hard.
No quarter was given.
No, no, no.
And the seven white people in the audience were picked out specifically.
It was just, it was so fun.
It was just like, I haven't been out for such a long time
and it was just such a good family-friendly comedy show.
It was brilliant.
What I like about that is it can, and humour generally like that
when it's done well, it can draw people together
through their differences.
Well, that's exactly what he said at the end.
He goes like, you know, it goes, you bring people together
because at the end of the day, we're, you know, everyone's the same.
Yeah.
You know, and like, you know, and comedy is such a great way of addressing
some of the serious topics in society.
And if you can make fun of them and if you can all laugh together,
then you've got that common ground.
Yes.
Yeah, exactly.
Exactly.
Was there anybody who was offended in the audience?
If they were, they were too scared to mention it.
And talking of offensive, Andy, how are you?
Not too bad, thanks.
No, I've got nothing
exciting to talk about this week. I've got a new bed
though, on Monday that came.
Not exciting and you've got
a new bed?
To be honest, it's been a long time since my last bed was... oh, God knows, a long time ago. And it was just time to upgrade it. Ordered it about four years ago, as it looks like when you buy these things, and it arrived on Monday. And all my days, my sleep patterns have changed.
You're getting an extra half an hour a night?
I am. I'm not even, like, getting up in the night. Well, other than, you know, occasionally. It's got a built-in, um...
Kimono?
Kimono. Not kimono.
Kimono?
No, kimono. So I can just get up and answer the door. I'm already covered.
Um, yeah, no, that is the most exciting thing that's happened to me this week.
But is this a bed in your bedroom or is this the one in your office?
No, this is in my bedroom.
So, did it... you know, we're asking the real questions here on this InfoSec podcast. Was it the whole frame or was it just the mattress?
It was everything.
The whole frame and mattress.
The last one chucked out.
New, what's it called?
Tempur?
Yeah, Tempur, is it?
Yeah, memory foam.
No, it's not the memory foam one.
Oh.
Does it have like springs in it at all? Like, does it have pocket springs with a layer of foam on top, or is it just completely foam?
Um, well, the mattress was like 1,200 quid, so it was... it's a decent one. It's...
Wow.
It's, uh, yeah.
He didn't ask how expensive it was. He asked if it had springs.
Yeah, yeah. To be honest, I couldn't tell you. It doesn't feel like it, unlike the last one.
What you can do is, if you undo the stitching at the bottom...
Hold on, I've got a knife here.
Barely two sets.
It's...
And ladies and gentlemen,
welcome to this week's Beds R Us podcast.
So Andy, did they advise you to flip the mattress every six hours just so it wouldn't settle on one side?
I'll tell you, the weight of this mattress, it's going to be a struggle to flip it.
Well, depending on the style, rather than flip it, you sometimes just rotate it.
Yes. Yeah, this mattress isn't moving. It's...
and of course since you bought it online,
now your internet browser is full of adverts for mattresses
because you've obviously shown an interest.
I went into the store for this one.
Yeah, no, end of October, during the half term, actually.
Yeah, there you go.
Yeah, it's a TheraPure ActiGel Response 2000K mattress.
Just to, you know, for all you mattress fans that are looking us up,
I know the one.
Yes.
Alas, how's your week been?
Well, yeah, very good.
I think I had my last presentation of the year this week, which is good.
What else happened?
Not a lot.
Slow news week.
It is a slow news week, as the rest of our stories will show.
But, yeah, I'm looking forward to the weekend, I'll tell you.
Even though it's been slow, but it's been quite intense work-wise.
But, yeah, just getting ready for Christmas.
I even started a spreadsheet of Christmas presents.
That's how ready I am now.
I haven't bought any, but, you know,
just like I haven't bought, you know, a certain birthday present yet.
Oh, and Andy, they said they didn't want to sell me that thing
for Joe's birthday, so we've got to start again.
I know. Chuck in an extra fiver.
I'm worried.
I know, I know. An extra fiver? Double the price. Triple.
Oh dear. Anyway, let's see what we've got coming up for you today. This Week in InfoSec takes us back to a time when sharing was caring.
Rant of the Week is a complaint about people criticising good security practice.
Just bear that in mind.
Billy Big Balls pays homage to people who take credit on group projects without contributing anything.
We know how that feels, don't we, Andy?
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweets of the Week is a new CVE about an old issue.
After 18.
Do you know what? It will be. It will be.
Anyway, let's go to our favourite part of the show,
the part of the show that we like to call this week in infosec
It is that part of the show where we take a stroll down InfoSec memory lane with content I had to find myself this week.
What?
If anyone is in contact with Steve Worby, who runs the Today in InfoSec Twitter account,
could they please ask him to step up his game?
Because it's adding a lot of unbudgeted time in the preparation of these show notes.
Yeah, this stuff's just not ready for me in the mornings when I arrive.
So our first story takes us back
a mere 22 years to the 7th of December 1999
when the Recording Industry Association of America,
or the RIAA for short,
sued the peer-to-peer file sharing service Napster,
alleging copyright infringement for allowing users to download copyrighted music for free.
And this was a case that spanned nearly eight years after it started.
And ultimately, the RIAA would eventually win injunctions against Napster,
forced them to eventually file for bankruptcy.
And then they settled with members of Napster's financial backers, which included media giant
Bertelsmann for sums of hundreds of millions of dollars.
And why I like this story is while it was focused absolutely on copyright violations,
the bigger picture for the RIAA was about controlling the recording industry.
Because in 1999, they were actually caught with their pants down when it came to digital music in the Internet.
They just were not prepared for the sudden popularity of digital music downloads.
And they basically didn't have a model to monetize it.
So it's really about, you know, squashing the practice of downloading music as it was about recovering, you know, compensation. But the genie was out of the bottle already at that point. You know, stopping Napster, it had already spun off, you know, other services: Kazaa, LimeWire, BearShare.
Yeah, yeah, yeah, variants of it.
Didn't Napster go to a subscription model for a period of time?
Uh, I don't recall that part of it, because obviously in the late 90s, early 2000s, the thought of paying for music after tasting Napster, you know, it was just never going to happen. All right? You know, I have now had all of this music for free.
You know, now all of a sudden you want me to pay for it?
But what was interesting was that it was Napster, you know,
this whole case, it did go on, you know, the recording industry basically got on board with commercialized music
in the end.
Yeah.
With commercialized music downloading services and
iTunes were one of the first, which was launched sort of three years after this time, in April 2003.
That was the first music I ever downloaded, was... Yes, of course it would be, because it...
Do you know, but the only thing I had was the third generation iPod. Everything else is Windows.
Yeah, yeah.
Steve Jobs was really visionary in that regard.
He saw where the music industry was going,
and he saw that albums weren't the future.
It was individual songs.
And if you just make it easy for people to just click and download it,
it's just the convenience of getting music quickly
and getting the songs that you want.
It wasn't necessarily the money that was putting people...
Everything that Napster did.
Yes.
Yeah.
Yeah.
Minus the money or plus the money, whichever way you want to put it.
Yeah.
Yeah.
I've just thrown a tweet into the show notes,
and it's someone called Angry Man.
He's saying, on this day 15 years ago,
my mum's picked up the phone and interrupted a file at 96%.
I'd been downloading from Napster for 17 hours.
Oh, jeez, the response to this.
The comment, yeah.
Can someone explain? Yeah, yeah, can someone go for it. Can someone explain this tweet to me? Why it takes so long? The fuck is Napster?
Oh, man. And this is the problem, right? So the RIAA did take down Napster, but what Napster
basically started back then has completely changed,
you know,
how the music and technology industries run.
Yeah.
Which people don't know,
but I,
I will give a respectful nod to Napster co-founder,
Shawn Fanning.
And I posted a link in the show.
I was too,
but you know,
still a teenager and whilst facing multimillion pound lawsuits,
including a famous one by Metallica,
he was invited to present at MTV's Music Awards in 2000.
And not only did he walk out on stage wearing a Metallica T-shirt,
but he then joked about not even paying for the T-shirt
and acquiring it from a friend.
When you are facing that much, you know... or, you know, it's just, as a guy, you just had nothing left to lose, right?
Yeah, yeah. It's hysterical. These were good times back then.
Um, yeah. So, yeah, massive change in the industry back then, copyright, music, all of that. But it's like the movie industry. So it's just like the movie industry about, you know, keeping up with digital downloads there. And the first thing they try and do is to restrict it, a bit like the original DVDs. And yeah, and even in Blu-ray. Oh, if you're not in this country, you can't play this particular thing.
Oh, God, you remember region...
Yeah, exactly. DVD players. And all that does is encourage people to illegally obtain stuff.
Circumvent it, yeah.
Yeah, exactly.
If you make it easy, people will actually go above and beyond
to get this stuff, I think.
Yeah.
I have Apple Music for all my digital devices and all that sort of thing.
I also have a fairly substantial vinyl collection.
Many cases, it's complete duplicates, but I like listening to the vinyl as well.
And I like the artwork and the ceremony of it and all that sort of thing.
And I think if you make it difficult, people just steal it.
It's ridiculous.
Anyway, sorry. You were saying. Move on.
Yeah, yeah. Our second story takes us back only 12 years ago, to the 4th of December 2009, when Yahoo didn't want you to know its spying price list, so issued a DCMA, uh, sorry, DMCA takedown notice to the site hosting the information.
And this is obscure but true.
Phone companies and internet service providers charge US law enforcement and spy agencies a fee
to turn over subscribers' communications and records.
Oh, an admin fee, presumably.
Well, exactly.
And they have different terms for it.
So although the article refers to it as a spying price list,
this is based off research a guy called Chris Soghoian did just a week earlier at this point.
He revealed data on how often Sprint was sharing GPS data with the government.
And in his write-up, he actually had a price of the various service providers
and what they provided to the data and how much they charged for it.
And it almost showed how selling this data to the government
could actually be a bit of a profit center for a lot of these firms.
So he uncovered some of these price lists,
but then Yahoo and Verizon refused to reveal their price lists, claiming that to do so would shock or confuse customers.
Shock or confuse. The fact that it says shock tells you everything you need to know.
It didn't take long for someone to, uh, leak that price list, um, or more accurately, as Yahoo refer to it, the compliance guide for law enforcement, which includes pricing information. Um, so it ended up on Cryptome, and, uh, other documents were sort of posted there as well from other service providers, but it was only Yahoo who freaked out about it. They sent a DC, uh, DMCA takedown request, um, which Cryptome also then posted, along with the ongoing email discussions with Yahoo's lawyers, um, whilst leaving the original document in place. And of course the Barbra Streisand effect, yeah, you know, kicked in and, um, all but guaranteed that document is living in all sorts of places, uh, which now makes you wonder why they bothered
to try and hide it in the first place.
But link in the show notes for that one as well.
But it's quite interesting in the sense that
you'd be very naive if you didn't think
this information was being passed to governments
and if money wasn't being made, etc.
But I think having the price list shown in front of you
puts such a definitive value
on your data and what you are worth to that organization.
I think that's where it gets shocking because obviously governments
have got a hand in a lot of this stuff and they write the laws
that require companies to hand this stuff over.
But as you say, making a profit from this, from information that you have, you know, provided to these organisations in good faith, that's where it starts to hurt, I think.
Yeah, but don't forget this was 12 years ago as well. This is before... I mean, I don't know when the first sort of canaries were used, um, you know, to signal that law enforcement was, you know, had made requests
for your data.
Yeah.
We'll have to look into that a bit more.
But yeah, I mean, 12 years ago, it was, I think, still good times, right?
We didn't really have the protections of all the, we had data protections.
I don't even think privacy was in the dictionary at the time.
Well, yeah, exactly.
So, yeah, it was probably, you know, especially the likes of Yahoo.
How can we save money?
You know, we burn through money.
We make crappy acquisitions that always kill us.
We lose money hand over fist.
You know, how can we make some of it back?
Excellent.
Excellent.
Thank you very much, Andy, for this week's.
This Week in InfoSec.
This is the podcast the Queen listens to.
Although she won't admit it.
Let's move on to the next section of the show,
which, as eons of tradition have dictated, I will be taking. Listen up! Rant of the Week. It's time to mother rage.
So actually, before I talk about it, Jav, what do you think of this story?
What do I think of this story? I think it was a slow news day, much ado about nothing. Journalists should get a life.
Which is probably fairly true, but the headline is, um, that, you know, the vice president should not be using Bluetooth headphones. And this is Kamala Harris, the US vice president. She's been seen on multiple occasions wearing, heaven forbid, wired headphones or clutching them in her hand or whatever.
And the story is that the VP is Bluetooth-phobic, wary of her AirPods and cautious with her technology use, according to certain former aides.
And she was described as a bit paranoid.
And the evidence, obviously, as I just said, is in the imagery
where she's constantly clutching wired headphones.
So as you say, Jav, yeah, it seems like a bit of a non-story here. But I think there is a nugget, a nugget of InfoSec advice and education in here.
And I think, as the story goes on to say, for a high-profile public official, this is actually not an unreasonable thing.
I think it was Dick Cheney who had a heart pacemaker, which had IoT capabilities. I think it was Bluetooth. And when he went into office, he actually had
the Bluetooth or the remote access capabilities of his pacemaker switched off on advice
because it was felt that it wasn't secure and could be hacked easily.
So this isn't beyond the realms of reason here.
Maybe they've got some good sort of security analysts highlighting the risks that they may face and giving them information to make a decision on how to tackle it.
And let's face it, there's probably more people want to kill Dick Cheney than you or I, right?
So, you know, his risk profile is very different to our risk profile.
Many security researchers have pointed out that Bluetooth has got a number of well-documented vulnerabilities
that can be exploited.
And given that this person, you know, second most powerful person
in the US government, probably has access to a huge amount
of top secret and, you know, very, very sensitive conversations. It's plausible. It's plausible. It might not necessarily be likely, but it's certainly plausible. So, you know, I think, um, like I say, there's a nugget in here that I think we need to be aware of, if nothing else. I think, as I said, you know, their risk profile is not our risk profile. Uh, whether or not it warrants, you know, quite the coverage it had, uh, Jav, I think you're onto something there.
But, um, yeah, I mean, I agree. I think it's, uh, it's definitely a security measure that needs to be taken because of risks, and Secret Service normally advises any new president as to what they can and can't do. I remember they had to go through a whole bunch of hoops when Obama took power because he had a BlackBerry.
That's right, he was on Twitter a lot.
So they wanted to lock it down and make sure it wasn't an attack avenue. Actually, uh, Biden, he had his, uh, Peloton bicycle as well, um, that he wanted to bring into the White House
and...
They took out the camera, did they?
No, didn't they not
let him bring it in because it was likely to kill
pets and small children?
Maybe, that's how they went for it.
Yeah, maybe.
But being a security analyst in the White House since the previous administration, where you raise all these risks, like, you know, your daughter's not, um, you know, approved to receive all this classified information, you know, her husband's not, uh, cleared to receive all this classified information. Yes, you really shouldn't be tweeting a, you know, covfefe at two in the morning.
Her husband is obviously a lizard in a skin suit related to Mark Zuckerberg.
Yeah.
So, I mean, can you imagine actually having your stuff
now taken seriously after all this time of like,
oh, there's no risk here.
There's no risk here.
Even the nation states that have been, you know,
surveilling the previous administration must be like,
damn, man, where are we going to get our information from?
We're actually going to have to go down there.
Putin's budget for, you know, uh, counter-espionage is, is probably, you know... he's been saving a bunch of money recently because he only had to have a Gmail account and it was all emailed to him, right? Now it's... now he's got to get serious again. The Russian economy is going to tank.
Yeah.
Oh, dear.
Yeah, so it's kind of a mild rant this week,
but I think an important one nonetheless.
Rant of the week.
This is the Host Unknown podcast, home of Billy Big Ball Energy. And talking of a pair of big balls, Jav, it's over to you.
Billy Big Balls.
You guys know about this video sharing platform called YouTube, right?
It's the one with the adverts.
This is the Google Video, um, competitor, right?
Yes, yes.
So apparently, unlike what we've done, people actually make money from their videos when they upload on YouTube. They can monetise them.
Yeah, you monetise them and you're the one receiving all the checks.
Uh, well, okay, so this is very closely related to this.
Okay.
I know where our money is.
It's resting.
It's resting.
So I invested them in cryptocurrency.
And NFTs.
Yes.
Anyway, so the thing is that the copyright and monetization rules on YouTube are rather complex.
So we don't even know why some of our music videos are still up there.
One of them, maybe earlier in the year, got a copyright strike.
And then it came back.
Maybe it was deemed a parody.
We don't know.
And that's the thing.
Nobody actually knows how it works
and what you can do or not do with it. So if you upload a video and you use commercial music,
one of, I think, a few things can happen. Number one, the algorithm doesn't detect the music and you get away with it. Or the music is detected in your video and so your video is muted or rendered unavailable in countries or you get a copyright strike against it.
Or number three, the owner of the music, so the music label, can claim that the music is theirs, allow you to keep the video and it plays, but they get all the royalties generated from the video, or, and/or, they can get the statistics from the viewing of the video. But now the Content ID is incredibly complicated, um,
and the EFF, uh, has this blurb, or in a blog post they wrote about it, they said that in its simplest form, it's a labyrinth where every dead end leads to the DMCA. This complexity... yeah, this complexity is not a bug, it's a feature. It prevents YouTubers from challenging matches and lets rights holders and YouTube expend as little time and resource dealing with Content ID as possible.
So this is where it gets interesting. There's, uh, two enterprising, uh, individuals, Batista and Teran, from Arizona. And they set up some shell companies and a company called MediaMuv. And there's third parties that YouTube work with to manage their content library. So one of them is, uh, AdRev, and they claimed with AdRev that they owned a music library of 50,000 songs. And so AdRev went on their behalf to YouTube and started lodging copyright claims against all these videos that contained any of those songs. So these people then started collecting royalty money from every video that had one of these 50,000 songs in it. And they've been going on since 2017, and it's estimated they made just over 20 million dollars in royalty payments.
Jeez.
So, you know, there's no hacking technically going on here. They're not breaking into people's YouTube accounts. They're just looking at this system that is so complex no one really understands how it works. They're just saying, hey, those are my music videos, pay me royalties. Creators are too scared to challenge anything because they don't want their accounts to get taken down, and YouTube's like, okay, if you say it's yours, that's fine, here you go. And they've had all this money.
So, but now they are seeing their day in court. There's an indictment against them in Arizona. And, uh, hopefully that money can be recovered and distributed to us as legal owners of our music.
So I think it's still a really interesting,
it's a Billy Big Balls move.
I mean, they used a lot of shell companies.
They used stolen identities to set up some of these companies.
They falsely represented who they were
and the music and everything but
it's all that very conman-type, um, uh, tactics they used, and they got away with it for a number of years.
But do you know what I'm looking at is, I'm trying to work out the maths on this one, right? So they're going to get fined up to 250,000 dollars per... how's this work? Per offence. And there's 30 counts of them doing this, and they've made 20 million dollars. So 250,000 times 30, that's 7.5 million. They're still walking away with a 12.5 million profit.
Right?
It's a long game,
but it's still profitable.
Yeah. As long as they
haven't pissed it up against the wall somewhere.
I mean, you would
do, wouldn't you, if you're getting all this money for nothing?
Well, yeah.
The indictment did say they spent a lot of their
money on jewellery, lavish consumer items and property.
So maybe there is some investment that went into there as well.
You're not exactly going to spend it on cleaning products, are you?
I mean, what else are they going to spend that sort of money on?
I don't know.
I'm going to buy the world's biggest bottle of bleach. Of course it's gonna be jewelry and property.
And I don't know why they say that all the time, you know, in stuff like this, on a lavish lifestyle.
Yes, because they've got lots of money, of course it's lavish.
Not, not, they lived like a monk and earned, you know, 2.4 percent on compound interest on their savings.
It's like, what? No, of course they're not going to.
And this is why they get caught, right?
It's because they're not smart about what they do with that money.
Because they don't live like monks.
They attract too much attention.
Yeah.
Attract too much attention.
Oh, man.
And Billy Big Balls as well on YouTube for just running with it.
They're enablers in this.
Oh, they are because they're getting money as well, aren't they?
Exactly.
Yeah, I mean, they've made something that should be really quite straightforward,
so complex that schemes like this can exist.
You know, they have to be taken into account for this.
But then again, you know, we should trust them because Google says do no evil, right?
They used to say that.
It's still in their contract, apparently.
No, they sacked some staff who, this is a couple of weeks ago,
they sacked some staff who tried to stick by that motto
and didn't do as they were told.
Yeah, because it's still in their contracts of do no evil.
Brilliant.
Anyway, thank you, Jav.
That was excellent.
Billy Big Balls of the Week.
You're listening to the host unknown podcast,
Bubblegum for the brain.
Andy, have you got the time, mate?
Let me just double check.
Oh, yes.
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry news.
Nine State Department phones hijacked by spyware
Industry News
Cyber attack closes UK convenience stores
Industry News
French transport giant exposes 57,000 employees and source code
Industry News
Hotel guests locked out of rooms after ransomware attack, some of them in the nude.
Industry news.
Passports now most attacked form of ID.
Industry news.
AWS outage hits eastern US.
Industry news.
IT execs half as likely to face the axe after breaches.
Industry news.
Most phishing pages are short-lived.
Industry news.
Half of websites still using legacy crypto keys.
Industry news.
And that was this week's...
Industry news.
Huge, if true. Huge. I'm just looking at this. IT execs half as likely to face the axe after breaches. Does that include security execs? Or are they
lumping them all in as one and the same? I think they're lumping it all in together because it was research done by Kaspersky,
a friend of the show, your buddy.
So this is versus data from three years ago.
Just 7% of organizations laid off senior IT staff following a security breach in 2021
versus 12% in 2018.
And I think they're sort of saying that the C-levels execs are also half as likely to be sacked.
And they are implying it's due to skills shortages across the globe.
Oh, for fuck's sake.
You know, you're struggling to replace well-trained people
with equally well-trained people.
I'm more inclined to believe,
and maybe I'm a hopeless optimist in this regard,
I think that companies are realizing that breaches happen.
And there's no value in blaming someone
and making someone a scapegoat
if it's just the way business is.
Of course there is.
They need a face to take the fall.
The company doesn't want to say, hey, we're a company that loses data
and gets breached.
They want to say, this happened because of this intern.
Yes, yes.
And now we've removed that problem.
It will not happen again.
And then it does.
But I think isn't part of it as well is being attacked or being breached is almost as hard to control as the market conditions.
Sure, you can put yourself in as strong a position as you possibly can. But if those market conditions are going to change for
a variety of reasons beyond your control, be it your willingness or your financial capability,
or just purely out of your control, those market conditions will change and your business will be
impacted as a result. And the same to a certain extent with being attacked and breached is
you can do a lot to make sure that you aren't, but
you can't do everything. And so it is an inevitability to a certain extent. God, that was deep.
I kind of find myself agreeing with you, Tom. You're right.
Desperately thinking of a way to argue.
Coming up short every time.
Oh, dear.
Due where due is due. I have to say.
Don't you mean credit where credit is due?
He won't go that far.
He won't go that far.
No, although I do like
do where do is do.
Because you say do do.
Yes.
Yes, yes, yes.
Back to our normal intellectual level.
Yeah, absolutely.
Saying poo in different languages.
I do like the word about hotel
guests being locked out of their rooms.
Although if I was one of those hotel guests,
I'd be fucking livid.
I hate it when I can't get into my hotel room when I want to,
you know,
hate having to go and get the key reprogrammed.
Oh God.
Doing,
doing that naked walk of shame is just,
I'm,
you know,
the first time was bad enough.
But, you know.
Now you know there's the guy that likes to walk around naked.
Yes.
Why do people go to the ice machine with nothing on?
You know what I mean?
Look down the corridor, see if anyone's coming,
and just leg it down there with a bucket.
Yeah. Because there's a certain thrill to it
Anything else on here before we move on? I was just thinking that Spar one with the
UK convenience store. I didn't realize Spar was still around, if I'm honest.
Apparently they still got 2600 stores. I think it's mostly up north. Yeah, yeah. Well, that's it.
Yeah, they've still got 2600 stores located across the UK, brackets, mostly up north. Yeah, yeah.
They're saying that 330 of the shops in the north of England were unable to process payments,
card payments basically, due to a cyber attack. It's a cash economy up there anyway, isn't it? Yeah, well,
you think so. Oh yeah, that way the government can't see where your money really is. Yeah, exactly,
exactly. I just, you know, attacking Spar. I mean, yeah, they're, um, you know, fairly ubiquitous
kind of brand out there, but surely you're not gonna get a vast amount of money out of them.
No, I can't believe their margins are that high.
No.
What with the shoplifting and the low costs anyway.
Well, I think it's a low-level crime.
You know, you go in there, you rob from Spar,
you take your earnings and you go spend it in Lidl.
And, you know, it's...
I love Lidl because it keeps the scum out of Waitrose.
Oh, dear.
I'm just doing the numbers.
Yep, that's both listeners from up north that we've just lost.
We just had a Lidl open up near us, and I tell you what, that middle of Lidl's brilliant.
Martin Hepworth, if you're up north, maybe you can help us understand how the economy works up
there. Please @ us on Twitter. Yes, yes. Excellent. Thank you very much, gents.
That was this week's...
Industry News.
The Host Unknown Podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
And talking of peeing yourself, Andy, it's time for...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
It's only happened like three times.
I don't know why you keep bringing it up.
That's right.
Three times in front of us.
Yeah.
So I've got two tweets on the same topic, and the first one
you're gonna have to look in the show notes, because I did that excellent thing where I get a visual
to accompany the podcast. And this is a tweet from Tony which says, how I feel about
Raspberry Pi default credentials being added as a CVE. And there's a picture, a little meme,
and it's a box of kittens, and it says,
every time you don't change default credentials,
God kills a kitten.
Because obviously we like to tug on the heartstrings
in InfoSec.
Yeah, so John Jackson provided a more balanced view
on this topic.
It says, yes, the Raspberry Pi default cred CVE is stupid,
but let's not do the InfoSec thing
where we downplay default creds in general.
For instance, hard-coded creds for an administrative panel
on an IoT device that's public-facing?
Huge issue.
So, yeah, this is the story that Raspberry Pis
apparently come with default credentials
hard-coded into them, so you can, well, yeah, admin access. Yeah, they do, they do.
And it says you should change this the moment, the first time you log in, you should change this,
it says, every time. Yeah, but it's interesting because it's, it's an ISO,
effectively, that you download and install onto your SD card, etc.
So would it not take, and I come from a position of ignorance,
would it not take a considerable amount of effort and coordination
to ensure that every image that you download comes with unique credentials?
Or it doesn't come with any credentials, you
have to create them on first use. Yeah, or it forces you to change the credentials on first login.
Yeah, yeah, yeah, that's true, that's very true. There are many ways around it that are well established.
So yeah, you know what, sometimes a weak default credential isn't a big issue in the technical realm of things.
The issue I have is that what happens is that when you allow it, even where there's a low technical risk, is that it normalizes that behavior.
Yes. And I think that's that's the key point for me is like we want to make people aware that, look, you know, changing default credentials should be the norm and you should do it regardless of whether there's a because that then permutates throughout your organization and in other things you do.
So I think for me that that's what it boils down to is like having that secure behavior and and allowing it.
I mean, this is why, like, sometimes you see public Wi-Fi things, and they
have a weak password. And technically, there's no issue with it. Because, you know, that if it's
public Wi-Fi, and it's secured, and you know, whatever, and this, that, the other. But again,
you know, we have this big issue of educating people to adopt secure practices and behaviors.
So just making those passwords, like, a bit stronger, like making them into passphrases, for example, just having more characters, doesn't need to be
excessively complex. It just, psychologically, it plays into that thing. Well, oh, everyone is choosing
a strong password, maybe I should choose a strong password too. Yeah. And that little thing would just
be enough to tip you over from being a victim to
avoiding getting breached. And actually, talk about Raspberry Pi, so I recently got hold of a,
it's effectively a kid's educational kit about Raspberry Pi, but it includes, um, you know, a
keyboard, a little, you know, a little nine-inch screen and a frame and all that sort of stuff. It's really very, very cool.
It's very nicely put together.
And in there, it doesn't talk about,
it may say you should change your password,
but it doesn't talk about why and why it's important or anything like that.
It's got this lovely set of very simple, you know,
kid-like instructions.
But as you say, it normalises the fact that you can change this,
or you don't have to, it's not a problem. But it's an internet-connected device, you know, being
connected to your home network, etc, etc, virtually broadcasting the fact that it exists and
is vulnerable. We agree again, Mr Langford. Bloody hell, what's going on? Who are you and what have you done with my friend, Mr Malik?
Ah, see, that's what you slipped up.
You referred to me as your friend.
Sorry, my distinctly average friend.
Acquaintance.
Acquaintance.
Someone I will refer to as I once knew.
Okay, excellent.
Thank you very much for that, Andy.
Tweet of the Week.
And so we
draw to a close.
Gentlemen, thank you
very much. Next week will be our
sort of last show before
our little Christmas break of, what,
two weeks, three weeks? We haven't decided
yet, have we? Yeah. Well, me and Jav might come in and do something,
you know, and not tell you about it.
We haven't decided yet.
Do you know what?
If you do, well done is all I can say.
I'm going to put money on the fact you won't.
We might get the Tom Langford AI dusted off again.
Yeah.
Or just set him off by himself, see what happens.
Can have a conversation with himself.
Yes, yes.
See if he ends up agreeing with himself or disagreeing with himself.
Oh, excellent.
Anyway, Jav, thank you very much, sir.
You're welcome.
You're welcome.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
You know, every time you say stay secure, my friends,
you're stealing my content. And I've actually claimed a copyright, copyright, copyright, uh,
strike against you on YouTube, so now I'm getting paid every time you say it. So I don't care. You
know what? Let's, as, let's record since the beginning, let's go back to the start of the
podcast. Who says it the most? Therefore, it's my saying.
If we go back to YouTube...
You stole it from me. I wasn't on
YouTube at the time.
How could I steal it if you weren't even there?
Yeah, I used to say it when I was
a CISO. I used to say it at the end of all my
global emails. You were never
a CISO. You were a Director of Security.
How very dare
you? LinkedIn says I was a
CISO. I'm a CISO.