The Host Unknown Podcast - Episode 93 - Its That Man Again
Episode Date: February 18, 2022

This Week in InfoSec (07:54)

With content liberated from the "today in infosec" Twitter account and further afield.

15th February 1999: Computer owners (dominated by Linux users) marched on Microsoft's offices demanding refunds for the copies of Windows that came pre-installed on their computers. This day came to be known as Windows Refund Day.

15th February 2007: TSA Removes Online Traveller Redress System. The Transportation Security Agency has removed from its website an online system designed for travellers who have been told they are on a watchlist and inserted a statement that the agency takes information security seriously, following reporting by 27B (and others) that the site could put travellers at risk of identity theft and looked like online fraud.

Rant of the Week (17:41)

3G network shutting down could disable millions of home security alarms and car safety systems
https://apple.news/AuLfeucEvTSOwz1aqMIUDow

Millions of burglar alarms, car safety systems, GPS trackers, medical monitors, and even prisoner ankle tags could stop working when American 3G mobile networks shut down later this year.

Billy Big Balls of the Week (29:26)

Gary Bowser was recently sentenced to over 3 years in prison and ordered to pay millions to Nintendo for what his lawyers say was a relatively minor role in a Nintendo Switch piracy ring.

He was the victim of domestic violence from a girlfriend, and another girlfriend of his was murdered. His older brother died in a plane crash, and Bowser's mother died when he was 15, the court record adds. In response, Bowser drank, the court records state. Bowser was charged in Canada in 2004 in a fraud case concerning less than $5,000, the court records say. In 2018, he contracted lymphedema, likely from a mosquito bite, which "caused morbid swelling of his left leg," the lawyers wrote.

When Bowser did join Xecutor, he was the only member who did so under his own identity; his colleagues were pseudonymous on the site. Xecutor as "one of the most prolific video game hacking groups," and said that Bowser also administered a website called rom-bank.com which contained illegal copies of over 10,000 video games. Bowser was paid $500 to $1,000 a month over the course of seven years to maintain the organization's websites.

Last week, Bowser was sentenced to more than three years in prison and has agreed to pay $4,500,000 in restitution to Nintendo. In a related civil lawsuit that concluded in December, a court ordered Bowser to also pay $10,000,000.
https://www.vice.com/en/article/epxm5n/gary-bowser-small-apartment-owes-nintendo-10-million

Unskilled hacker linked to years of attacks on aviation, transport sectors

For years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries. The threat actor has been active since at least 2017, targeting entities in the aviation, aerospace, transportation, manufacturing, and defence industries. Tracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria and its activity has been documented before in the analysis of separate campaigns.

Industry News (37:18)

Trustpilot Sues Immigration Biz for Alleged Fake Reviews
Internet Society Data Leaked
Healthcare Data Breaches Impact 147k Illinoisans
Finance Officer Jailed After Stealing £200,000 from Charity
Red Cross Attackers Exploited Zoho Bug Used by China
Grand Prix CFO Sentenced for Identity Theft
Researchers Block "Largest Ever" Bot Attack
Data Privacy Lawsuit Could Cost Meta $90m
Phishing Top Threat to US Healthcare

Tweet of the Week (44:32)

https://twitter.com/zebpalmer/status/1492742757185556483
https://twitter.com/JackRhysider/status/1494330800564625413

[That was this week's TWEET OF THE WEEK!] Come on! Like and bloody well subscribe!
Transcript
I think we've increased the ballast this week, haven't we?
We've increased the ballast!
We've jettisoned Javad, but we've put on...
EasyJet would not be happy with the number of extra suitcases we've brought with us.
Built for comfort, not speed.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 93-ish of the Host Unknown Podcast.
97!
Yeah, do you know, our centenary episode is going to be really, well, just like the Queen.
You're going to celebrate it twice.
Yeah, exactly, exactly.
Alternate endings.
We have.
This is never going to end, trust me.
That's what people think every week when they listen to us.
So, as you can hear, we have the dulcet tones of Mr. Graham Cluley with us.
Special guest star from the Smashing Security podcast.
Graham, welcome.
Hi. Hi. Great to be here.
Thank you for having me.
Our absolute pleasure.
I mean, the moment Jav said that he was going camping in the hills of Pakistan somewhere, that we realised we just had to get someone professional in for once.
Is it?
Camping? He's actually going camping?
That's a very...
Camping, training camp, it's got the word camping in it.
Exactly.
Is he erecting a tent in this wind?
Is that wise?
At his age, erecting anything isn't wise.
It's a mission.
It's hard work.
That's why it's going to take a couple of weeks.
Exactly.
It's like a spiritual retreat for him.
Hence the five wives as well.
It's a team effort.
It's a team sport.
You don't always win, but when you lose, you lose as a team, you know.
But that feeling of deflation at the end, it just doesn't leave you.
Anyway, Graham, how have you been this week, sir?
Oh, I'm gorgeous, I'm gorgeous. I've been very busy, of course, with the Smashing Security podcast.
I think, you know, one of the top three cybersecurity podcasts out there.
It's award-winning.
It's award-winning.
It was in the past, yes.
I mean, obviously, recently the judges have been nobbled.
Overtaken by sort of younger, more agile shows, right?
I'm trying to think who it is, but really, every other one I'm thinking of is neither younger nor agile.
And anyway, when you win an award, isn't it always technically now in the past?
Oh, I suppose so, yes. But ours are particularly in the past. I mean, like three or four years. It's a bit embarrassing even to mention it anymore, isn't it?
Well, that's why I bring it up.
Oh, thank you.
Are those awards happening again this year?
Are we going to be competing against each other?
We're not interested in awards like that.
If people want to give them to us, then yeah.
But we record this for the people.
All I can say is that the Direct Debit to the Judges has been coming out every month
for the last, well, since the last awards.
So, you know, what can I say?
It bought them a new tent anyway, didn't it?
That's good.
Yeah, that's right.
This isn't the Great British Bake Off.
Anyway, Andy, how are you?
Good.
Can't complain.
Never do.
So I'm not going to start today.
That's really good for a talking show, brilliant.
I know, so this week my excitement in my life is down to purchasing new sofas on interest-free credit.
I thought it was on expenses, or was that something else?
No, I did claim some expenses.
Oh, wow.
August of 2020.
I obviously misinterpreted that message you sent me.
No, I claimed some expenses and I gave my boss a heads up.
I said, look, these are out of policy.
I will take whatever flat comes with it.
I don't need a lecture, okay?
Well, I know you need a new sofa.
I said, as you know, I only do this once a year.
And he just replied.
He said, fine.
I used to be the same back when I had a real job.
They weren't very keen on me, I have to say.
Showed up and it's like, yeah, so this is from about three years ago.
And the receipt has faded.
I had the opposite. Because I used to put them in weekly.
I was like, can you approve my expenses?
I just did.
Oh, my new ones, the ones I just have put in.
You claim taxi receipts before you've taken the rides.
That was the issue people had with you.
It was forward thinking.
You got caught out because you tried to expense the taxi receipt book off Amazon when you ordered it.
There was that website, wasn't there, where you could generate your own expenses.
So you type in an amount.
I don't know.
Was there, Tom?
Was there?
Yeah, it was brilliant.
You typed in an amount, you know, it's 250 quid, and then it would generate a restaurant receipt that came to that amount.
Wow.
And with the names of people and stuff like that. I mean, it was obviously a fake one, and I, for the record, never ever did anything like that. But so it was funny.
So there's actually a company called Look Who's Charging. That's really uninteresting. They actually do that for companies. They look through the receipts and make sure that the receipt does match to, you know, what it says it's for. So, for example, Lilac Tree Restaurants is actually a strip club called Sophisticats. So what they do is if someone submits, you know, Lilac Tree Restaurants, then the receipt will actually say gentlemen's club rather than, you know, what it's going down.
Proper spoil sport.
But, you know, yeah, that's right. Probably set up, you know, that's a real sort of, you know, poacher turned gamekeeper scenario, right? He knows all the tricks.
Yeah.
He knows all the tricks.
But how was your week anyway, Tom?
Very good. I'm in London at the moment. I am podcasting directly from the Duchess of Ladywell's residence.
From Storm Eunice.
Yes. You've got a red warning, haven't you?
I have, yes. Well, that's why I actually was supposed to come up this afternoon, but I came up last night because I'm going to the theatre tonight. My mother is taking me out to the theatre. We're going to watch Only Fools and Horses. That's assuming the Robin Reliant hasn't been blown off the set.
Indeed. Indeed. It should be good fun.
It should be good fun.
And then back home tomorrow.
So, yeah.
Yeah, all good.
All good.
So, talking about dodgy trading and expense claims,
let's look at what we've got coming up today.
This Week in InfoSec takes us back to the debate of OEM software.
Always confused about OEM software. Always confused about... OEM to me just meant like a plain brown box.
Rant of the Week is a story about the impact of phasing out 3G too quickly.
We've renamed Billy Big Balls this week as Bowser's Big Balls. All will be revealed.
Scary.
Industry News brings us the latest and greatest security news stories from around the world, and Tweet of the Week is the levity we'll be leaving with you today.
So, time to move on to our favourite part of the show,
the part of the show that we like to call...
Pick of the Week.
This week in InfoSec.
Hang on.
Sounds familiar.
I love that music.
Really, it's just, it's the royalty freeness of it,
which I really enjoy.
Yeah, exactly.
I think that's the...
It's the can't sue us or anything of it that I like.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from other people's hard work.
So you can catch part one of this feature on this week's Smashing Security podcast
when Graham took us back through the history of macros
before Tom took us back to the 70s discussing comics.
But alas, I shall only take us back a mere 23 years
to the 15th of February, 1999,
when computer owners, and I should say dominated by Linux users,
marched on Microsoft's offices demanding refunds
for the copies of Windows that came
pre-installed on their computers and then this day came to be known as Windows Refund Day.
Now I remember something about this back in the time because I was first starting to use Linux and
there used to be a website called ThinkGeek, and you could get cool stuff off there. And I remember getting all these badges which said,
the instructions said, install on Windows 98 or greater.
So I installed it on Linux.
You know, really sort of things you thought were cool back then.
But then you realize, actually, it's just so difficult to use stuff.
Like writing your own drivers in the late 90s was just not... It was never going to hit. It was still quite challenging.
It's still quite challenging, in fairness.
Yeah. So the OEM, you mentioned OEM. Obviously it stands for original equipment manufacturers. And so Microsoft had this deal where anyone that sold PCs or, you know, equipment, if it came pre-supplied with Windows or pre-installed, it was just cheaper for people to purchase it that way. And so there was this whole movement dedicated to, we don't want this, it's antitrust, you're not giving us a choice. And the more I looked into this, they said it was like this sort of people came from all over the world. It's said to be about 100 people marched on the offices at Redmond, and after it kind of fizzled out, they all ended up in the local Denny's with their placards and banners that they were protesting.
So comparing beards, probably, if they were Linux.
Sandals, yeah.
Swapping tips on open-toe sandals.
Like, to generalise it, I would say people like this need to get a hobby, because they're really wasting their time.
The problem is they do have a hobby. What they're doing is they're making their own software on Linux.
Exactly. It's like, sure, how they got time for this. And quite apart from the fact, you know, so a hundred people are upset that the computer they bought had an operating system. What about the rest of the world?
And I think this was the problem.
So it turns out that there were a handful of people
that managed to get $50 refunds through this.
But many people were very unsuccessful.
And it's really down to choice, right?
You can buy any machine you want, whether you buy it pre-installed or un-pre-installed. But this was one of those times when I think antitrust was a big thing about Microsoft, certainly in the late 90s, you know. And now if we look at the people we've got today, like the Zuckerbergs and, you know, the Apple ecosystems, I think Bill Gates was the least of our worries as we look back. He generally was someone that I think was trying to do the right thing and trying to bring desktops to everyone.
But, you know, it's interesting.
And also trying to run a business as well, right?
Yeah, and
there is that to it. But also, I don't
think it was particularly...
If you consider the software was there, right?
They are trying to introduce you
into their world,
into their ecosystem, but it's not like they were stealing data.
You know, it's not like other people.
That came later, right?
Yes.
But has Microsoft ever been the bad guy in that respect?
Not really.
I don't believe they have.
I think their cloud was one of the first to have, you know,
sort of regionalised things, so it wasn't.
Exactly.
And they publicly stated that they would not hand over data to the U.S.
government.
To the U.S. authorities on servers located outside of the U.S.
and things like that.
So, I mean, every company gathers data, right?
Every single company.
Even us.
I think –
Just by listening to this podcast, we are tracking.
We see you, Mrs. Trellis.
Mrs. Trellis.
Cut your lawn.
I'm sorry.
This is not that kind of show, Graham.
Oh, sorry.
Bringing your smut and filth on here.
So, yeah, so Microsoft were never really that bad, I don't think.
I think they're up there with the more trustworthy people.
Well, you say that, Tom, but I remember back in 1995,
Microsoft shipped a CD-ROM with the concept virus,
and I could talk to you about it for at least 20 minutes.
But was that intentional or just a little bit of a fuck-up?
Oh, dear.
Nice.
What else have you got for us?
Well, I was going to take us on to our second story,
which is a mere 15 years ago, on the 15th of February 2007, when the TSA removed the online traveller redress system from public view.
And this was a story that the Transport Security Agency, the people that touch you up if you travel through the US,
removed from its website an online system designed for travelers who had been told they were on a watch list.
And so what happened in this situation was they just published it online.
If you're on a watch list, you just go online and check whether you were there or not.
It was actually quite easy access.
You know, you just search by your name and, yeah, come up.
So, I mean, I've had the dreaded four S's on my boarding card before.
Yeah.
Not because I was on a watch list.
It'd be pretty bad news if your name was Terry Bin Laden or something like that, wouldn't it? Javad Malik.
The one time Jav didn't get the four S's on his boarding pass was when he travelled with me.
But there's nothing worse than that. It's honestly, it's shocking, because you can't pre-book your seats, so you get left with whatever's available at check-in.
And the food's the worst food available because everyone else has pre-ordered.
I'm talking about the real problems with all this stuff.
The hand up your bum is just considered a bit of fun.
Yeah, exactly.
No issues with that.
But to sell it, you've only got meatballs left. I mean, come on.
Exactly, exactly. Although the agent could at least have called you in the morning.
In fairness, the funniest thing about that is when I went, they searched through my bags. I had a suitcase full of chocolate and sweets. And I mean like a giant suitcase, because I was travelling to see my team in the US.
I always take English sweets with me because the American candy sucks.
So it was quite funny.
They thought I was some type of smuggler.
And you said, it's okay.
Just like when you take water through the checkpoint. It's okay, I'll eat it now.
Yeah, I'll prove there's no drugs.
I can go all day.
So go on, go on, close the story out.
So that really was it because I don't have a subscription to Wired,
so I couldn't get into the full details of the story.
So if anyone else wants to tell us how bad this was about having details published online.
But I mean, yeah, the TLDR, the TSA removed it. You know, they made this available prior to that. I don't know how many people downloaded that watch list. I'm sure many people did. And obviously 27B, 27 slash B, the website which originally ran the story, no longer hosts it. I tried to find it. All I'm saying is I tried to do the homework, ran out of time.
Yeah, that's fair.
Yeah, you know, Storm Eunice is here, like my whole morning's been thrown out.
Disrupted.
Exactly.
And I thought, you know, maybe Graham, with his knowledge,
would have known about this one.
No.
Clearly, just sitting back.
He's here to try and make sure we don't win any awards this year.
He's here to watch us.
Keep your enemies closer.
Has your wheelie been turned up a couple of streets away?
Well, I've actually tied mine up just to...
I've brought mine into the house.
It's in the hallway.
God.
Yeah, I found mine three streets away
and apparently it's booked into a speed awareness course next week.
Excellent.
Thank you very much, Andy,
for this week's...
This week in InfoSec.
This is the podcast
the Queen listens to.
Although she won't admit it.
So, let's move on to this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
And Rant of the Week is with me this week, funnily enough.
The notes say Tom or Graham, but it's a rant, so it's mine.
Graham's far too nice to be ranty about stuff. The headline here is: 3G network shutting down could disable millions of home security alarms and car safety systems. Now, if that headline alone doesn't wind you up, well, I mean, what hope is there for you? But digging slightly deeper, only our American cousins over the pond need to be worried about this right now. But the story is quite literally as it says. AT&T are just one of the many providers in the US who are preparing to mothball their 3G networks. Now, 3G, if you're under the age of 30, you'll remember was the really, really blisteringly fast internet that came around in the early 2000s that really just blew the speed cap off the top of 2G.
GPRS. GPRS, 2.5G.
And I remember when it hit London, it was like, oh, my God, this is amazing.
I can stream this GIF in real time.
As long as you won't be standing in front of a tall building.
Yeah, that's right.
I mean, it suffered like all new technologies like that.
Initially, it was quite difficult to get a 3G signal.
Only certain cities had it, etc.
But it became the absolute backbone.
And really, I think, was the start of what we now know of as Internet of Things,
because you could plug these SIM cards into devices and they would have a reasonable level of connectivity.
You know, you couldn't necessarily stream live video, but actually just having the telemetry and stuff like that that you're able to download allows a lot of devices to start to hit the market. Now, the problem is, of course, is that a lot of this technology, like much IoT, just is put in place and left, because it's just doing the job that it was designed to do. Now, AT&T are looking to shut down their 3G network on the 22nd of February. That's like just a few days ago.
Oh, crikey.
A few days to come.
T-Mobile's will be in the summer, Verizon by December 2022. And some companies are offering their remaining 3G customers free 4G phones to match. That's less of an issue, I think, in the customers, right? And also in the US they have, is it UMTS, where you have phones that don't have SIM cards? Because I believe there were some, isn't it the Verizon iPhones? Don't have SIM cards.
What?
Yeah, did you not know this?
I didn't know this, no.
Yeah, some, I'm
pretty sure Verizon is the main one,
but many of their phones don't have SIM cards.
It's literally just built into the device.
So like eSIM cards or whatever?
I guess.
I guess it's probably the precursor to what we would now consider to be an eSIM card. So you actually had to, you would have to change your phone to change your number and stuff like that. Anyway, but the biggest problem is this Internet of Things devices, this mesh of services. And if you think, oh well, what could that be like? Well, little things like, you know, traffic sensors, burglar alarms.
I'm trying to think of some other examples here.
Let's see.
Prisoner ankle tags was the one that caught my eye.
Ah, yeah, yeah, absolutely, absolutely.
Yeah, so my car, I'm sure it's got separate 3G. Not my car, I think my last car did, for, like, the maps and sat nav and...
Well, your new car's other updates, obviously. So is 4G widespread enough that it's all right to turn off 3G? I mean, in America, is there that good 4G coverage?
No. Yeah, certainly not, I wouldn't have thought so. God, I, you know, I was on the train coming down here and I was getting 3G on the train. You know, it's like, yeah, because you're going through large, not densely populated areas and you're going to find yourself at a bit of a distance from a mast. And the 3G is the back off. Now, obviously, there does need to be, excuse me, there does need to be some kind of, you know, sort of phasing out of this, because it's not like we're running original 1G and 2G and GPRS masts everywhere at the moment, you know, and they've slowly come out of service because, you know, or they've been upgraded to 3G, etc.
But it seems to be a little bit quick to my mind.
You know, we're only just getting 5G.
In the US, 5G is slow anyway because of the challenges they've had with the FAA and the fact that they reckon it makes planes difficult to land and stuff like that.
Well, it gives you COVID as well, doesn't it?
Oh, well, yes.
Yeah, that's right.
Something like that.
Yeah.
And in fact, I think when I got my vaccine,
I marched to Microsoft to demand my free copy of Windows 98.
It came pre-installed with the vaccine.
Yeah, it's what I want.
I need the serial number for my vaccine. But so I can see how this would be a problem if things like burglar alarms stopped working, or if a car, yeah, something built into a car so it automatically informed the emergency services you'd been in a crash. I mean, that would be quite important. The one which surprised me is the prisoner ankle tags, because I would have thought in America it's probably a bit more fun if you're not tracking the prisoners, isn't it? Because then you can go on a manhunt. I mean, wouldn't that be... Doesn't everyone need a bit of cheering up? Dog the Bounty Hunter, right?
Oh, Dog the Bounty Hunter.
Actually, we should see, have these telecoms companies,
have they invested in bounty hunter companies in the background just before they switch this off?
And they're going to see a huge surge in profits of bounty hunters.
I wouldn't be surprised if there's some evil kind of consortium
of the uber-rich who get their kicks out of some illegal...
It's a game, yeah.
Yeah, exactly, some sort of illegal manhunt kind of game.
I was going to say, like a hunt, yeah.
Yes.
And so you disable the ankle tag on a prisoner and let them loose
and say you have 24 hours.
If you make it to San Francisco, you leave.
I thought they were American, not Swiss.
I'm saying you've got 24 hours, boy.
Now I'm coming for you.
I said, I said, boy.
I said, I said.
So we know they're oil tycoons.
And you've Boss Hog.
Roscoe.
Roscoe.
Beep.
Gold train.
Oh, dear.
Sad everyone listening to this is too young to know what we're talking about.
Yeah, that's right.
Now them juke boys had a mission on their hands.
I just remember my awakening to Daisy Dukes.
Yeah.
Oh, dear.
Hang on.
This is now no longer a rant.
Hang on.
This is now three old men just half-closing their eyes.
Two old men.
Two old men.
Back. Yeah, two old men. Listeners, write in if you could identify which two of these three men. All right, anyway, but it's ridiculous, because you can end up with devices not being updated by what... So, you know, surely this is just another sign of the gradual decay of America.
Absolutely. And more than that, I read that some Tesla cars, for instance, you'll have to pay a couple of hundred dollars to have a new modem fitted on your Model S. It's like if your Model S Tesla was built before June 2015, it's not going to do all the things it's supposed to do.
Is that acceptable? Should we be bearing that charge?
I don't know. It could be considered, I mean, in this day and age of connected cars and, you know, electric cars and all that sort of stuff, could that be considered the same as, you know, upgrading the oil filter or upgrading the air intake or something like that, you know, to make it less pollutable?
Yeah, I don't know. It's, I think about this change that shifted, bear in mind I'm going to use some words here, but shifting paradigm in how we view things, in that what we would consider to be acceptable for, say, an old-style car, and then suddenly, say, on a new car, I've got to pay 200 pounds for a new modem. That's ridiculous. But the one you've got has reached the end of its useful life, in the same way that your air filter, your oil filter, whatever, will have reached the end of its useful life. Therefore it needs replacing, you know. So our attitudes to these sorts of things will need to shift. That said, if you're having to do it because of some very poor decision-making in the underlying infrastructure that is out of the hands of, in this case, the automotive manufacturer, you're going to be pissed off. But make sure you're pissed off at the right people.
and 3g being turned off is in pursuit of progress, isn't it?
It is because they're able to use those frequencies,
I imagine, for expanding 4G and maybe 5G.
Precisely, precisely.
But it's about getting that balance right of making sure that actually you don't switch it off and then go, oh. Or even sort of, say, you know, old school it, you know, and Andy knows what I'm talking about here. Who does this belong to? Don't know. Switch it off, we'll see who screams.
You know, nothing wrong with that.
Yeah, exactly, exactly. The trouble is if half the country is screaming, you know, you've switched it off a little bit too early without doing any homework.
Blame the asset register.
Yes, right.
AT&T said, well, they're not our devices.
Anyway, that was this week's...
Rant of the Week.
This is the Host Unknown Podcast.
So we shall move swiftly on to our brand new Grand Cojones member, Mr Cluley, with his very...
His age, though. Don't tell me. You should get it checked out. It's not a flex, it's... could be something more serious.
Oh. Way to break it to me, Cor, aren't they?
Well, hello, hello.
And the story which has arrived on my desk literally 90 seconds ago
when I was told I would be covering this on behalf of the two professional hosts of the Host Unknown podcast.
Hello.
Hello.
So, poor old Javad, I realise the way he takes time off now.
So, I've got a story which is right here.
I'm literally reading it as I speak.
It's the story of this chap who has been sentenced to over three years in prison and ordered to pay millions of dollars, quite astonishing, $4.5 million, for what his lawyers say was just a little bit of piracy. A little bit of piracy.
So this chap, his name is Gary Bowser.
Now, when you think of Bowser,
you probably think of this sort of dinosaur-like cartoon character
who appears in Mario video games, right?
Exactly.
I think of a large container of water used by fire services.
What?
Fire services.
You remember fire services when they were pulled by a horse,
however, don't you, in the cart?
It's a water bowser, right?
Maybe.
Okay, so Gary Bowser, of course, is also the name of this chap.
Gary Bowser.
Also the name of Mario's arch nemesis.
And who has he been targeted with his piracy?
But none other than Nintendo itself.
So it's almost destined.
Oh, the irony.
Destined for this.
It's absolutely.
You know, sometimes I wonder if people are, you know,
predestined by their actual names to pursue a particular career.
Well, if you call your daughter Sapphire or Mercedes or Diamond
or any other precious stone, she's going to be a stripper.
Like, it's just.
You might find she's just working at the Lilac Tea Rooms
or whatever it was you said earlier.
As a waitress. As a waitress.
So this isn't about Billy's big balls.
It's about Bowser's big balls
because he took on the might of Nintendo
and he was a member of a gang called X-E-Cuter
with a capital X at the beginning rather than an E before it.
It must be a sign.
Anyway, and he was a member of this group.
And just to
demonstrate how big his balls were,
he was the only person
who joined the Executor group and did
so under his own identity.
So he didn't put a pseudonym.
But to be fair,
if you called
Bowser and you're playing Nintendo you're going to assume it's a...
It's amazing.
Because everyone would have assumed that was...
Oh, it's like, oh, Gary, yeah, sure, right.
Bowser, yeah.
Fool the other one, you know.
And there he was, chatting to Princess Peach and Toad.
Exactly.
All the rest of them.
But it turned out that was his real name.
So he was the only person who wasn't using a pseudonym
because he couldn't think of anything better than his real name.
And Executor were one of the most prolific video game hacking groups
which existed.
And what they were doing was they were running a website called RomBank which contained illegal copies of over 10,000 video games, and you could download an image of the ROM and, with some hardware gadgetry and some hacking, you could then basically run pirated games on your Nintendo Switch console.
Nice.
And he was making something in the range of about $1,000 a month just from running this website.
Not a huge amount of money.
Not a huge amount.
Well, I assume he wasn't selling advertising space or anything like that.
He wasn't maximizing the potential.
He was probably relying solely on subscriptions.
As he expanded, he could have reached out to a marketing firm
or hired a marketing manager.
I mean, there's opportunity there, let's just say.
I guess if you are in the market for pirated games,
if you go to a site like RomBank and you hack your Nintendo Switch,
you're not going to pay 40 or 50 quid for the ROM image,
because you don't want to pay anything, right? You want to get it for free.
So it's not a great industry, maybe, to be in, if you're doing it that way.
Anyway, so it's
reckoned it cost Nintendo
four and a half million dollars.
But it's not the only time he's been in trouble.
There have been other occasions, because
back in 2004, he was charged in
Canada. He was involved in a...
He wasn't throwing barrels at people, was he?
He was spitting fire.
Let's not.
Poor old Bowser.
Do some illegal plumbing on the side.
He's got a thing for plumbers.
He just can't help but attack them.
According to his legal team, in his defence, they were saying,
look, you know, he hasn't had the best life, right?
He's been the victim of domestic violence from his girlfriend,
Princess Peach.
Maybe she's called Princess Punch.
Another girlfriend of his was murdered.
Oh, Jesus.
Yeah, the video game took a dark turn there, didn't it?
His older brother died in a plane crash.
I don't know why I'm laughing.
Older brother died in a plane crash. Was that a Microsoft Flight Simulator crash?
And also in 2018, he caught lymphedema,
likely from a mosquito bite,
which caused a morbid swelling of his left leg,
according to his lawyers. Jeez.
So, I mean, imagine having a great big swelling down there.
Exactly.
And it not be your balls.
Right.
It would be horrific.
So this chap, I think he wins the prize for Big Balls of the Week
because he took on the might of Nintendo.
He, despite all of the challenges which he had during his life,
he set out on this criminal spree,
hacking people left, right and centre,
made a bit of money out of it, not a huge amount,
but he obviously had some challenges in life.
And he's now been sentenced to more than three years in prison.
But the thing which really struck me as the big balls
was joining a piracy gang online
and not using a pseudonym
because his name was Bowser.
So he took on the might of Nintendo, but he still went to prison.
And lost.
So this is a literal, I fought the law and the law won.
Exactly, yes.
For fair play, right?
He made a stand.
You see, this is a faintly depressing Billy Big Balls,
I have to say.
It really is.
Oh, I am sorry.
No.
Maybe I should tell you the story.
This is an upbeat show.
Well, it's just, I mean, Andy suggested another story 30 seconds
before we began recording,
so I didn't have quite enough time to look at that one as well.
Yeah, that one was quite dull, wasn't it?
It was really dull.
Yeah.
No, this was actually just a guy
that's just been trying to hack
the aerospace
Don't tell them the dull story
now.
Okay, right.
Let's get back to the cancer and the guy with the swollen
leg that he got from an infected
mosquito bite, with a dead brother.
No, I don't want to take this on a downer.
Yeah, you're right. I've got to be bubble gum for the brain.
Andy, I know you were running late this morning,
but I don't suppose you know what the actual time is doing?
I do, and it is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry News.
Trustpilot sues immigration biz for alleged fake reviews.
Industry News.
Internet Society data leaked.
Industry News.
Healthcare data breaches impact 147,000 Illinoisans.
What planet is that?
Finance officer jailed after stealing £200,000 from charity.
Red Cross attackers exploited Zoho bug used by China.
Industry news.
Grand Prix CFO sentenced for identity theft.
Industry news.
Researchers block largest ever bot attack.
Industry News.
Data privacy lawsuit could cost Meta (Facebook) $90 million.
Industry News.
Phishing top threat to U.S. healthcare.
Industry News.
And that was this week's
Industry News.
Huge if true.
Huge if true.
So, Illinoisians, people from Illinois, right?
Would it be pronounced Illinoisians?
No, it wouldn't because it's Illinois.
Illinois Sands, maybe, for a security angle.
147,000 people from Illinois.
Yes, much easier.
So I'm just looking at this Trustpilot story because I'm sure you've probably looked at Trustpilot yourself
and all of these review sites and thought,
hang on a sec, these are just totally fake reviews
because you've also purchased this product
and you know it's a load of shite.
So, yeah, it's...
Okay, so the company's done nothing to stop its practice
of soliciting fake reviews.
So it's not just hosting the fake reviews,
it's soliciting them.
So they're saying there's a company...
Oh, it was actually...
So it's previously forced to remove
over 2.2 million fake reviews in 2020.
And there's a company...
Too many reviews.
I mean, what's...
I think this is all over, yeah.
Maybe it's Gary Bowser because he's got plenty of time at the moment.
So a UK-based immigration company has failed to respond
to repeated enforcement action.
So a company called Global Migrate has been allegedly soliciting
fake reviews from multiple people.
They say more than 700 of them are fabricated.
But, I mean, all the company has to do, right,
is just send out an email to people and say, hey, give us a review.
Yeah.
I mean, these systems, they're not great.
I mean, just look at Amazon, right?
Right, exactly, yeah.
Just give out all those free products.
Or not, and you still get them anyway.
Let's see.
So the Grand Prix CFO, I guess I'm going to have to click on this.
The Grand Prix.
Is that the F1 Grand Prix?
No.
The former CFO of the Boston Grand Prix.
So it's an old bait and switch headline, this one.
It is, isn't it?
What the hell?
Sarah Coble of InfoSecurity, you should be ashamed of yourself.
Grand Prix what?
Is Grand Prix a company or?
The Boston Grand Prix.
What?
The Grand Prix, that sounds like a Billy Big Balls event to me.
Yeah.
No, no, you're thinking of the Grand Prix.
That's, okay, so he's been,
he's admitted to fraudulently obtaining
pandemic relief funding grants.
Yeah, but what is the Grand Prix?
Well, it will be a race,
which will fool people into thinking it's Formula One.
I'm reading this story right now.
What he did, apparently, is he took COVID relief funds,
and then he used most of those funds for his personal expenses,
including a three-carat diamond ring, a six-month membership to Match.com,
you can see where this is going, private school tuition.
It sounds like the sort of person who'd diddle his expenses.
Yeah.
So he just put it under, you know...
Miscellaneous.
Miscellaneous, yeah.
Restaurant bill.
Bob's Bar and Grill.
Employee welfare.
Wow.
The largest bot attack here, it said large-scale botnet
generated 400 million requests from the IP address over four days.
That's 10 requests per IP per hour on average.
That doesn't sound as much, but it's still probably quite a lot.
Wow.
The victim was a job listing site.
Of all the people you could have attacked.
It wasn't people trying to leave reviews for an immigration business, was it?
And they just stepped on the wrong link.
We're attacking a bloody recruitment site.
You could do some real sort of activism here,
attack some global chemical company that Boris has let pour its effluent
into our British rivers and stuff like that.
But no, let's go after a recruitment company.
Tom, don't be rash.
You're always after sponsors.
You don't want to slag off any big multinational chemical companies
who are polluting the rivers if they're prepared to sponsor the pod.
If they'd like to divert some of their monetary effluent our way,
of course.
They can come on here and redress the balance.
We'll club seals for them.
Talking of evil companies,
I hear that Nestle are putting up the prices of Kit Kats
and Durex condoms, which...
Is there a link?
I was about to say, what's the punchline?
There's a really filthy one, but I can't possibly...
Yeah, you can. We'll beep it out.
You're listening to the award-winning
Host Unknown podcast.
Officially more entertaining than Smashing Security.
In your face!
And Graham has quit in protest at hearing that one.
So it would seem.
So it would seem.
Right, we have Graham back just in time.
Hello.
Just in time.
Glad you didn't hear that last jingle we paid.
You might have left us permanently.
So let's move on to the closing part of the show,
the part of the show that we like to call...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
And this week we have two tweets for you,
and I shall give you the first one.
You will have seen this everywhere.
LinkedIn, Twitter, WhatsApp, whatever groups you're in.
And it's a very intelligent one from Zeb Palmer, and it simply says:
Cisco is offering Splunk $20 billion. Unclear if they're trying to buy the company
or just renew their subscription for another year.
For everyone who is aware of a Splunk subscription model on a database,
it is a very expensive tool to run. Especially if you want to keep logs for more than a day or two.
Yeah, exactly. I mean, they did it well, right? They used to give out the free ones, right?
You get, what, 500 meg a day? And then when logs became really important,
yeah, they decided to start charging for it.
It was a great model.
But the second tweet is from Jack Rhysider, and it says:
being the only security person on your team doesn't make you the CISO. Not even accidentally.
Yeah, not even accidentally. And this was quite a controversial statement, I think.
So really, well, a lot of people, there's a lot of responses to this one.
Various people say, well, it kind of depends on the type of company.
Right. And if there's no one else around, why wouldn't it make you the CISO?
And others saying, yeah, it's true.
It does mean you're part of the C-suite.
But now there's some people in CISO, you know,
with the CISO title who are not part of the C-suite.
And others who think that the C stands for cyber instead of chief.
Interesting.
I've never heard that.
No.
Well, I'm just reading these in the comments.
But it's a new generation, right?
People redefine things.
It is.
Yes, that's very true.
I think you could be the only security person and be a CISO
if you are quite literally in the C-suite.
If you are at that level, you could be the CISO.
But one, that's particularly unlikely.
And two, what a very frustrating place to be in.
All right, we should do this.
Oh, I've got nobody to do it.
Yeah, but I did see someone use the acronym DISO,
which is Default Information Security Officer.
I like that.
Oh, that's brilliant.
Excellent.
Thank you, Andy, for this week's Tweet of the Week.
And so we come smashing into the end of this week's
Host Unknown Security podcast.
Wonderful.
Thank you so much, one and all, for your time today.
Graeme, thank you so much for jumping on
uninvited to our podcast. It was lovely to have you.
Wonderful. So good.
I think, you know, you could make a living out of this, you know. You're pretty slick.
I wouldn't call it a living.
You managed to blag it quite well. You did, without preparation, you just, you know.
I think another couple of years, polishing up, et cetera,
you should launch your own podcast.
I mean, you guys are, we do very much look up to you guys.
And we're full of admiration for what you've achieved.
It's not easy to make it look this shambolic.
As you can see.
I've got an ethical hacker CEH CBT I can share with you, Graham.
You know, if you want to brush up on some security.
CBT, isn't that cannabis oil?
I have that as well, but that's a bit more.
I charge for that.
The other stuff I'll give out for free.
Right, so you're standing outside the school yards handing out freebies.
Just... I know it's all done by Snapchat these days, Tom.
Oh dear.
No, great. Thank you so much. It's been an absolute pleasure.
So good to have a professional on the show after months and months
of having Jav roll out of bed and then claim that he's too tired to have looked at the show notes.
So thank you so much. I do hope you have a lovely week.
Cheers, same to you guys.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever, r slash smashing security.
Oh, hang on, have you ever had any comments left on your Reddit channel about hosting?
Only from the Duchess of Lady...
Yeah, just your mum. Just your mum.
that sounds like you're trying to insult me but actually
that's a that's an insult with a velvet glove that one