The Host Unknown Podcast - Episode 96 - We Don't Know What She Has But They Are Colossal
Episode Date: March 11, 2022

This Week in InfoSec (08:22)
With content liberated from the “today in infosec” Twitter account and further afield

6th March 1992: The Michelangelo virus, so-named because it activates on March 6,... the birthday of Michelangelo, begins infecting computers. The virus will also make news in 1993. It was one of the earliest viruses to receive widespread media attention and also one of the first to prompt widespread hysteria. The irony of the name of the virus was that nothing in the virus’ code referenced Michelangelo. It is possible the virus author, who was never identified, did not know March 6th was Michelangelo’s birthday!

9th March 1999: United States Vice President Al Gore gives an interview on CNN’s Late Edition in which he states, “During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country’s economic growth and environmental protection, improvements in our educational system.” This is the infamous statement which will be widely misquoted as “I invented the Internet.”

Rant of the Week (13:59)
Most Orgs Would Take Security Bugs Over Ethical Hacking Help
A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways.
Enterprises are putting greater stock in cybersecurity, but outdated “security by obscurity” is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.
That’s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they “want to be seen as infallible.” However, just as many – 64 percent – said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.
Carole's Colossal Cahones (24:49)
When Pigs Cry: Tool Decodes the Emotional Lives of Swine
https://www.nytimes.com/2022/03/09/science/pigs-oinks-grunts.html

Industry News (30:31)
Google to Acquire Mandiant
Dirty Pipe Exploit Rings Alarm Bells in the Linux Community
Chinese APT41 Group Compromises Six US Government Networks
Prison for Man Who Scammed US Government to Buy Pokémon Card
UK Announces New Rules to Tackle Surging Online Scam Adverts
Over 90% of Exposed Russian Cloud Databases Compromised
AI Accountability Framework Created to Guide Use of AI in Security
Conti Group Spent $6m on Salaries, Tools and Services in a Year
Qakbot Debuts New Technique

Tweet of the Week (39:33)
https://twitter.com/paygapapp
https://twitter.com/achornback/status/1501677184515256321?s=12

Come on! Like and bloody well subscribe!
Transcript
This is not Sticky Pickles.
Yeah, perfect.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 96-ish of the Host of the Podcast.
100!
Do you know, we're nearly there.
We're going to have to do something.
Yes.
Perhaps we should do something, you know, like Smashing Security styley where we have,
you know, Noel's house party and people ringing into our podcast or something like that.
I think that would work.
That would work.
You know, in fact, let's ask an expert.
Carole, what do you think?
You definitely have to do something.
Hi, everybody.
Thanks for having me on, guys.
That's all right.
I love giving you guys my Friday morning.
Love it.
It's my favorite.
We could tell by the noise you were making before we went live.
Yeah, you definitely have to do something.
I'm guessing you're going to invite some special guests on the show to say hi. In fact, it seems like we're preparing for that right now.
Very, very special guests.
We are very selective, though, with the guests.
We just allow anyone to come on.
In fact, we've only ever had two different guests, haven't we?
Well, three if we include Jeff.
Poor Jeff.
Hi, Jeff.
He has a regular guest spot on the show.
He does.
He does, yeah.
Although I'm going to be away for the next couple of weeks,
so unless we're recording on different days,
I'm going to become the guest. I shall become the butt of the jokes.
Are you guys recording even though you're away, Tom? Because you do all the editing and stuff, don't you?
All right, well, exactly. This... wow.
I think that the word editing is a bit of a... well, it means different things to different people, right?
It certainly did when I didn't edit with that one week.
Anyway, Carole, how are you?
Delightful, delightful, and delighted to be here.
So excellent.
Feeling good, baby. Have you had a good week?
Yeah, busy, busy.
Podcasting everywhere, doing work for the Cyber Wire and Sticky Pickles and Smashing Security.
Wow.
Cyber Wire, if you're interested in sponsoring
the Host Unknown podcast, just let us
know. Perhaps
taking us under your wing
maybe. I don't know.
You can give us a salary.
You really align with how they work.
Are they
really professional too?
They make us look like amateurs.
I mean, us at Smashing.
Holy moly. Andy, what about you? How have you been, sir?
Good. It's been a good week. I, yeah, just positivity this week, I think. Lots, lots going on. I think we're turning into... the sun is almost coming. I feel spring is almost upon us.
Yes, the daffs are almost in bloom.
Yeah, and that kind of makes everything seem good.
Yeah.
Yeah, it just makes me think that my windows are dirty.
So I have a window cleaner.
Well, of course you do.
Do you also have a second window cleaner just in case the other one doesn't do a good job,
like your internet connections?
No, but you know what? The funny thing is that he could have actually just scammed us, for all I know. One day we're sitting here and I'm in the office working, and then the windows start getting cleaned, and then I go outside and I'm like, hey, what's up? And he's like, oh, who are you? And we're like, this is our house. He's like, oh, I'm the window cleaner. I come every month and do the windows.
Maybe he does.
Maybe he doesn't.
Maybe he's just looking for houses that were recently sold.
It's just rocked up.
But we've always kept him since then.
He's been pretty good.
And haven't paid him at all.
Cash in hand.
It's all good.
But, yeah, maybe that's a way of getting new business.
You have cash?
Who has
cash these days? Especially
post-rona, yeah. I have
do you know what? I have
a lot of cash which I have not spent
since the pandemic.
So I used to
you know, just always carry cash. Oh, I know what you use cash
for, I remember, yeah.
No, but I always just used to carry cash. I'd pay a local taxi. So when I used to travel, you get two options: either you pay your local taxi firm, claiming it back in expenses, or, you know, you get a company car that's just ridiculously overpriced and a bit too formal. So I'd always just pay for a taxi to go to the airport. So I always just had cash in case, you know, because I never got to the bank often. And so I've still probably got about 200 quid in cash, which is, you know, at least another 12 washes of the windows.
I know someone who's in an industry where cash is often, you know, quite commonly used, and so he secretes it around the house, normally in DVD boxes,
and he counted it up not so long ago.
He said he had about 27 grand.
What?
Jesus.
That is a lot of DVD boxes.
That must weigh a lot.
If you put that on a scale.
It's 50s and stuff, but it is literally just all over the place, everywhere. Can you imagine if he gets burgled? How do you explain that to the insurance guy? Just taking the DVDs.
Yeah, well, I think there's no value in DVDs whatsoever.
Well, there is in his.
Yeah, in his. But I can't give DVDs away, or, like, even charity shops don't take them around here.
Yeah, I've probably got about 400 DVDs that I'm trying to offload.
What, because you've ripped them
and so therefore...
No, I don't have a DVD player anymore.
Well, I would be getting one of those, right?
And then just keep it for your old age.
Yeah?
I will never see old age.
That's what your wife keeps telling you.
Yeah.
But how are you doing, Tom?
I'm all right.
I am all right.
Things are ticking along nicely.
Yay.
I'm trying to think what any important news this week,
at least news that I can share.
No, it's going well.
Oh, I did go up to London on Wednesday.
Extremely expensive trip because I had to replace a tire on the car on the way there.
Awful.
Which was, you know, it was a scary looking tire, I have to tell you.
It was shredded.
But I went up to London to watch Glamonatrix with Dieter Von Teese.
It was excellent.
Of course you did.
It was very glam.
It was, well, it was me all over.
What can I say?
And did you wear your feather boa
and sort of glitter the face up before you got there?
Just the feather boa, yeah.
Just the feather boa, okay.
That's why changing the car,
changing the tyre on the motorway on the way down,
I got a few honks.
Yeah.
Oh, dear.
But your nails were still okay by the time you got there? You didn't break anything?
They were fine. They were fine.
I know you spent a lot of money on those.
This lovely chap pulled over, you know.
I mean, I was flashing a bit of leg and everything else, but yeah, it was fine. It was fine.
Anyway, enough of that. Enough of that.
What have we got coming up for you in today's show?
Well, this week in InfoSec reminds us of how smart researchers name viruses.
Rant of the week is a story about security through obscurity. That old chestnut.
Billy Big Balls is a story that starts with oink oink and ends with I'm not entirely sure, maybe a bacon sandwich.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweets of the Week calls out corporate social media accounts on their platitudes.
A little known fact, platitudes are the only mammal that lay eggs.
In fact, platitudes are the only mammal that lay eggs.
So moving swiftly on, we'll move on to the part of the show that we like to call...
This Week in InfoSec.
That's like stealing. Love that royalty-free music. It's a royalty-free start to the show. It's a brilliant one.
So it is that part of the show where we take a stroll down InfoSec memory lane with content liberated from sources across the internet, and where we are able to, we will embellish.
I like how we change the words there.
So our first story takes us back 30 years to the 6th of March 1992, when the Michelangelo virus begins infecting computers. It was so named because it activates on the 6th of March, which is the birthday of Michelangelo, who is the Teenage Mutant Ninja Turtle who wears the orange eye mask and wields nunchucks as his weapon of choice.
I thought they were all born on the same day, you know, being turtles and stuff.
But, you know.
Well, mate, yeah, he was born first.
I think it was, yeah, 1159 he was born and the others were born in midnight.
The rest of the day after, yeah.
Yeah, but the virus went on to make news again the same time the following year
and it was one of the earliest viruses to receive
widespread media attention and also one of the first to prompt widespread hysteria and the irony
of the name of the virus was that nothing in the virus's code referenced Michelangelo and it's
possible that the virus author who was never identified did not even know that 6th of March was Michelangelo's birthday.
Really?
Yeah.
It seemed a little bit coincidental.
I mean, it's a 1 in 365 chance, right?
Maybe it's the author's birthday, right?
I'm going to throw a spanner in the works here.
Oh.
I just went to Michelangelo on Wikipedia, and it opens with the fact that it's been discovered on the 4th of February 1991 in Australia.
Indeed, it was discovered there, but it began infecting computers on the 6th.
Oh.
So they discovered it, but it didn't actually, you know, activate.
Coming on here, our show and throwing around facts, Carole.
I'm just trying to be part of the team here, guys.
No, but if you actually go back to the show
notes of episode 46,
you will find a link to the Newsround
episode, which interviews the
virus researcher who discovered
and named the virus.
It's some guy in his 60s called
Graham Cluley.
I've heard of him.
Yeah.
I've not fact-checked that part.
Yeah.
Yeah.
I believe it was him that named it.
Yeah.
Sounds like a, yeah.
It's got an old sound to his name, isn't it?
Yeah.
It's probably one of those old fuddy-duddy.
Is it like Godfrey or something?
You don't know him?
I've never heard of him.
So our second story takes us back only a mere 23 years ago
to the 9th of March, 1999,
when US Vice President Al Gore gave an interview on CNN's Late Edition
in which he stated,
during my service in the United States Congress,
I took the initiative in creating the internet.
He then went on to explain that I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection.
And this is the infamous statement, which continues to be widely misquoted as al gore saying that he invented the internet
Well, wasn't he kind of intimating that?
Yeah, of course. And this is like, you know, his end of year performance reviews must have been next level, right? I mean, Americans are pretty good at self-promotion anyway.
Yes.
You know, sort of the way he's kind of like, well, I'm not saying I invented the internet, but all these words, if you listen to what I'm saying, I invented the internet.
Yeah. So, yeah.
It was one of those things that would have happened anyway.
He probably helped things move along with certain,
as he says, initiatives, right?
Yeah, very legally perfect.
The way he said it made it sound like he was saying,
I am God.
Yes.
But that's the thing, though. When you're talking to your boss, you kind of embellish a bit more, then you don't realize it's going to get out and everyone's going to analyze it and say, oh, you should see my CV.
I have seen your CV. It looks very familiar to my CV, but I think you wrote a little bit of mine.
Oh dear.
Yeah.
No,
it's a good CV though, Tom,
I have to say.
Yeah.
Well,
you know,
it's,
it's worked so far,
you know,
more news to come on that front,
hopefully.
Anyway.
Excellent.
Andy,
thank you very much for that.
Always good to look back in time and remember our,
our childhood of watching
cartoons and
Ninja Turtles.
Thank you.
This Week in InfoSec.
Voted the most entertaining content coming out of Europe. We read all complaints sent to our Reddit channel on r/SmashingSecurity.
You guys are so lame.
I say, yeah, copyright jingle that one, by the way.
It's like it's a Friday morning, I volunteer my time,
and I just get hammered.
You don't get hammered.
I should get hammered, because then I can cope with this better.
All we've done is say nice things about you, Carole.
So far.
What do you mean, so far?
Oh, well, I don't know.
Let's move on, shall we?
Let's get on to this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage!
So in grand tradition, I haven't really read ahead here,
so I've got a choice of two.
But I think I'm going to take this one.
Most organisations, the headline reads,
would take security bugs over ethical hacking help.
Seriously?
As the link loads.
As the link loads.
So a new survey.
So professional, guys.
So obviously we need to ask questions like who was asked?
What were they asked?
How many times were they asked?
What was the exact question?
Suggests that security has become more important for enterprises,
but they're still falling back on old security by obscurity ways,
which basically means let's not stick our head above the parapet.
Let's not announce anything.
Let's not say that we've got the most secure environments in the world
for people to come and test us.
Let's just try and avoid any kind of attacks whatsoever.
I'm not against that approach, I'll be honest.
No, as long as that's not your only defence.
Yes.
I remember years ago having to visit data centers and things like that.
And the number of times I've walked around business parks on the outskirts of London trying to find the actual right location of the data center, because they do not put their company name up anywhere on any of the boards or on the outside of the building, because they didn't want to advertise that they were massive data centers, right? And so, yeah, you know, that was a sensible precaution, but they also had, you know, razor wire and security guards and all the other stuff. But that's security by obscurity done right.
The security by obscurity that is prevailing now is that they're shying away from things
like bug bounty programs, the ethical hacking help.
And the thing here, I, you know, a friend of the show, Katie Moussouris, is one of the sort of key proponents of...
Where is she now?
She just moved somewhere.
No, I think she's still in the US.
No, no.
I mean, sorry, I interrupted you.
I don't, I honestly, I don't know, but yes, I have heard that she moved somewhere. But the bug bounty thing, which is, I think we can now say, is now a mature industry, for want of a better term.
And there are very sort of clearly defined ways of doing it right as well as, you know,
how not to do it.
And, um, not knowing how to work with bug bounty programs, not having a bug bounty program, or even worse, not knowing how to deal with an ethical hacker stroke security researcher who tells you that you've got a problem.
Well, it's asinine nowadays.
It's the sort of thing that would happen sort of 10, 15 years ago. It's a bit like that case in the US of the journalist who hit,
what is it, F12?
I can't remember.
Yeah, to view source code.
Yeah, to view source code, basically, and then was prosecuted,
although subsequently the case was thrown out
and actually the department that brought the prosecution
was brought under fire.
But they didn't know how to deal with that, so they attacked the source. And in fact, I've had experience of this, where a place I used to work, a project had a security researcher come and say, hey, you've got vulnerabilities here, let me show you. And they were freaking out about this person doing it, and in the end all it took was me to meet them at a conference and give them a bit of swag, literally some company-branded mugs and mouse mats and t-shirts and stuff. And he was absolutely thrilled that he was playing a part, whereas they got the lawyers lined up.
Yeah. But there's also different types of bug bounty programs. I think, you know, like you have, as you say, what I'm calling bug bounty brokers, right? Like the HackerOnes, the Bugcrowd, the Synack. And then you've got, like, in-house
bounty programs. So like Apple has a security bounty and Microsoft bug bounty programs and all
this. So it's interesting for me to see whether, what your views are on whether someone should go
direct, like someone should offer this as a technology firm
or do you want them to shuffle them all through bug bounty programs?
I think for me, I think both are absolutely fine.
I think as long as the company itself, the target,
and I use that in the loosest term,
is actually clear about which way to go or what happens.
I think, you know, if there's a clear thing that sort of says,
hey, if you find any issues, then contact us directly
at bugbounty@apple.com or contact us at apple@hackerone.com
or whatever, you know.
It should be clear, you know, because that's the first step
in establishing trust in the sense that I am following the instructions. I have done my
research and I am genuinely concerned that there is a vulnerability here. And Hey, let me make some
coin out of it since, you know, I'm doing your work for you. Um, but I think, yeah, go on.
I'm just going to say often,
or I've read of situations where bug bounty programs
will negotiate the deal, right?
With the company that has the vulnerability.
But along with the wanga that will be offered
to the researcher might be a non-disclosure agreement as well.
And some of the policies in there may include,
we don't have to
address this right now. So that's an interesting thing for a researcher. If you find a huge bug
in something, you want it fixed. Like you always expect, you know, as soon as you tell them,
they're going to go, hallelujah, thank you so much, right? That's what they should do.
And then it's not addressed.
Right. And then they don't address it. And that must be the most frustrating thing for a researcher,
like bury the lead, right?
And I guess that's why God invented end-to-end encryption messaging programs
because six months later you could say, mate, take a look at this,
have a go, see if you can raise it as well.
I don't know.
I mean, that's poor as well.
I mean, if people are highlighting vulnerabilities to you to the point where they're critical
enough that you're willing to offer money, but not address it, there's got to be a challenge.
And by their silence.
Yeah.
And by their silence.
Although the risk-based approach says if addressing it costs more than the potential loss or the money that you're handing
over anyway, is it worth addressing? Well, I know of security researchers who have
vulnerabilities in big software and they turned down the money because they didn't want to sign
the NDA. So they gave them 90 days to make the fixes,
and they didn't do it.
So then they went live with it.
And guess what?
Millions of people complained, and they fixed it.
This was Zoom, actually, back in 2019.
Ah, right, yeah, yeah.
And Zoom is a company who's actually really cleaned up their act on this. Oh, and that is where Katie Moussouris, I think, is now.
I may be wrong on that, but I think Zoom's hired her because I think they've got their own bug bounty program now.
I may be wrong, but somehow I'm making that tie.
Don't quote me.
Don't quote me.
Katie, in your new employment, if you're looking to sponsor a little startup podcast,
look no further than the annoying little brother that snaps at the heels of smashing security.
No, it was host unknown.
So, yeah, well, I think we've kind of said it here.
And there's a great stat here that says that the survey that came from HackerOne,
so there we go, a little bit of insider.
Rose-tinted glasses.
Ulterior-motive-tinted glasses for the reporting.
A little bit of an ulterior motive here.
Hey, you're crack, come work with us.
A full 65% of organisations surveyed claimed that they want to be seen as infallible,
although just as many, 64%, said they practise a culture of security through obscurity. What it doesn't say, however, is what percentage of that 64 and 65 are common between the two, which I think would be a far more interesting piece of information. But I think the key takeaway here is, you know, security through obscurity is absolutely fine, but you cannot let go of everything else. You still need to have a, you know, a multi-initiative program in place that actually addresses your security. And just hiding and waiting in the wings and crossing your fingers is really not a valid security posture.
Totally.
And the whole infallibility, right, you know,
feels a little 80s, 90s, like Arnie Schwarzenegger or, you know,
Stallone.
You know, you cannot pass, you know, and it's just...
I still meet you.
I let him go.
I let him go.
Well, yeah, absolutely.
And the fact is that we know that, you know, it's not a case of if,
but when you get hacked.
And if you think you've never been hacked, then chances are you've already been hacked.
You just don't know about it and all that sort of thing.
I think, you know, the world has matured on this front,
but many organizations probably haven't.
No, I know.
But then they always put that in their T's and C's anyway,
just saying, well, do everything we can to protect your stuff.
But, you know, bad stuff happens.
So, you know, fingers crossed.
You missed the most important part of that.
We take security seriously.
Yes, that's right.
That's right.
Very seriously.
Rant of the Week.
This is the Host Unknown Podcast, home of Billy Big Ball energy.
all right now we move on to a special part of the show just for Carole and it is the part
of the show that we for today
only are going to call
Look at the size of that thing!
Carol's
Cajones
Carol's
Who's she?
Hey, you know, the jingles
are from Fiverr, they can't distinguish
between names.
Come on.
All right.
So my story has to do with piggies because there's been an algorithm built by EU researchers, it's all designed to help farmers speak pig or understand pig language in order to improve
animal welfare.
Is this some sort of gag from like, you know, when you're in your late teens, early 20s
and you drink a lot of alcohol and then sort of hit the dance floor?
Because I also had that ability to speak to...
So apparently it's designed to assess the pig's emosh state based on the sounds they make. So how do you crack the pig code, right?
How do you do that?
They got five different researchers.
You mean how do you crackling the pig code?
They got five researchers in five different EU countries
and using handheld microphones, see?
Shout out to all the podcasters listening.
Gathered more than
7,000 distinct
snorts and grunts
from over 400 pigs.
And apparently
the algorithm they based on,
they created based on
all these sounds, is 92%
accurate of the time.
What? So my question to you is, how the fuck do they know?
And also, have they got, like, the Star Trek universal translator going?
Exactly. Pigs in different countries would speak different languages, right?
But that's so funny, right? Because they had to do it in different countries. That's probably why they did that, to just see it.
And what about American pigs versus British pigs?
You know, oh, pip pip, tally ho.
Oink oink, freedom!
Oink oink.
Imagine the translations,
right? They'd be like, fuck me, it's
hot out here today. Exactly.
Or, oh, fucking dumb farmers coming, hide!
Morning, Dave.
Just wonderful.
Morning, John. All right, how'd you do? Not bad.
And it turns out, they say in this article, this is the New York Times, link in the show notes, but they say that the short, small, sweet, high-pitched sounds are happier sounds and the long horrible squeals are the ones where they're unhappy.
Like when a sow crushes her baby or something.
And you're like,
Hmm,
good thing we have some research on this.
Yeah.
Cause contextual clues are always difficult.
Anyway,
it's just interesting where,
you know,
technology is making its forays.
And then you think,
what if that gets hacked?
That's what's happening to my life now.
That's the question I ask every time I hear about new technology around the corner.
What's going to happen when that goes wrong?
You're going to hear a pig sound and you're going to say,
that pig's just told me to kill you.
Maybe I might try.
It got hacked.
Maybe you'd play French pigs to English pigs to see if they get on or not, right? See if there's any friction there.
No, I think the English pigs would just, you know, just start swearing in whatever-aganese or whatever it is. Damn immigrants coming here.
Anyway, there's my story.
If the French people call the English a la rost beef,
because of their ability to go bright red in the sun,
what do the French pigs call the English pigs?
La rost pork?
I don't know.
It just doesn't translate really, does it?
I don't know.
Yeah. Good question. I have no idea what that would be.
Oh, excellent. Well, I mean, as a Billy Big Balls or a Carole's Colossal Cojones, I mean, all I've got in my mind now are pig sweetmeats.
So it's, someone actually funded that. You know that.
Someone actually funded that research.
Sorry.
Well, the idea is to give...
Yeah, the idea, they say, is all to improve animal welfare,
which, you know, that goes a long way.
If somehow you can kind of go,
I have 90% happy squeaks on my farm.
Oh, I only got 30.
That would help people, I guess,
understand whether that means
more... I don't know. You could end up with, you know, like a traffic light system on your pork chop now, couldn't you? Happy...
Yeah, guaranteed 25 more happy squeaks.
Yeah, happy pigs, brackets, until the very last one.
Yeah, these bacon rashers were from very unhappy pigs. They would have wanted this.
Carole's Colossal Cojones.
God, it's very dramatic, isn't it? It is.
Very dramatic.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
But they still won an award
Like and subscribe now.
So, Andy, you're a fan of science fiction?
Yeah, I am.
Did you like a bit of Doctor Who?
I do like the Time Lord, absolutely, absolutely.
What, you know, what's your opinion of the time right now?
I'm just going to step into the TARDIS.
And as I look at the clock on the wall, it is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Google to acquire Mandiant.
Industry News.
Dirty Pipe exploit rings alarm bells in the Linux community.
Industry News.
Chinese APT41 group compromises six US government networks.
Industry News.
Prison for man who scammed US government to buy Pokémon card.
Industry News.
AI accountability framework created to guide use of AI in security.
Industry News.
Conti Group spent six million on salaries, tools and services in a year.
Industry News.
Qakbot debuts new technique.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge news.
Especially the dirty pipe.
I mean, come on.
What kind of naming scheme was that?
I didn't even think that. It's ruining everything.
I went straight for the man who scammed the US government to buy a Pokémon card.
Yeah, how much was this Pokémon card?
Eighty-five thousand dollars.
Okay, yeah, that's worth scamming the US government for.
Yeah, fair enough.
So again, oh, do you know what? Clickbait headline. Clickbait? No, there we go. Sarah, Sarah, not good.
So he obtained $85,000 in COVID relief funds and did use it to buy a...
Not that clickbaity.
Well, no, he kind of said that he employed 10 people in the entertainment service business in Dublin and generated a huge loss in the 12 months during the pandemic. And so, yeah, in his forged application, they said, okay, here's eighty-five thousand dollars to help you get back on your feet. And he used fifty-eight thousand dollars of that to buy a very rare trading card.
And I don't want to... I'm going to sound like a dick if I pronounce this wrong. Charizard.
Oh, Charizard.
Charizard, a fire-flying dragon-type Pokémon.
Yeah.
Well, it could be a company investment, right?
I mean, it could be towards the company.
I don't think he went that far.
That's only going to go up in price, absolutely.
It's just, yeah.
At least it's better than an NFT.
At least you have something physical.
Yes.
In fact, he could make copies of it and make an NFT.
That's right.
And say, this is the one that the US government paid for.
Could be famous.
Interesting seeing QuackBot, because when I first saw that,
I thought that was QuakeBot.
And I got very excited for all of the bots from Quake.
Yeah, coming back online.
Did you used to install that in the office?
Yeah.
I think that was the most installed game on an office machine.
I think, wasn't it originally, it was Doom.
I'm not sure Quake took quite so much, but nonetheless, it was certainly up there.
But I did see this article, and they actually got some footage of it.
Somebody back in, when was it released, 90s, late 90s?
So somebody around about that time set up a server in a data center somewhere for people to connect and play to.
It was fairly normal.
And they had, I think, six or seven bots in there, which at the time took a lot of processing power.
And they let the bots just run around. They never stopped the game, so the bots would go around and try and kill each other.
Yeah, yeah.
And then they found, they literally found this server like 15 years later. So you can imagine, it's like, you know, they left it a war zone.
And they came back 15 years later and there was utter silence, and they found the bots had evolved and they were actually all in a circle facing each other, not doing anything. They'd made peace.
They'd made peace.
And then somebody said, well, what happens if we shoot one of them? So they shot one of them and it all kicked off again. They all just went off at each other.
But, you know, after 15 years of peace, somebody went in and disrupted it. But the fact that these bots had come to, like, some kind of mutual agreement, you know, to me, that's brilliant.
Not that it's got anything to do with QuackBot.
No, but I was looking at the one,
Coral mentioned the Conti group spending $6 million on salaries.
Wow.
Yeah.
And like 485 individuals
have gone through the Conti system, it says.
Although this figure also includes potential candidates
who have declined roles.
But you can imagine how many people may have worked there
not knowing they were necessarily helping
a nefariously charged organization.
So are these people in multiple geographies?
Are they all over the place?
It says they had an HR recruitment lead.
Yeah, very well organized.
Yeah.
They probably had a LinkedIn jobs group and stuff.
And do you think you can get references if you previously worked there?
So when you go to your new place and you fill in.
I wonder if people would even know, though.
In most companies, they may not even know.
They may not do their due diligence and find out even what it is.
Yeah, during the interview phase. So, what do you know about the company?
Wow, to be honest, I was more interested in the job. I didn't really look to see, you know, what the company did.
Yeah, yeah. What do I need to know about the company? Do you pay your salaries on time? Yes.
You know, somebody who's going through this at the moment, it's got, why do you want this job? Because I want a roof over my head.
But, you know, what if a company like this that wants to, you know, get up to no good treats its employees really well? Yeah, that is a very worrying trend when many legit companies are trying to squeeze as much work and as much as they can, you know, out of their typical employees.
So this could cause a whole havoc of stuff if this starts happening.
I was talking about recruitment.
I was chatting, I was having an interview earlier this week
and I was chatting to somebody and he said that the person
who's interviewing me, he said the most bizarre experience he had
was when they were recruiting for
a, you know, pen tester, you know, security researcher, blah blah, internal role. And he said, oh, so what do you do in your spare time? Basically this guy said he's a black hat hacker in his spare time.
Brilliant. That's like, yeah, okay, don't call us, we'll call you. It's not quite what we need.
But I think that's a really important point. I think companies need to look into the people
they think they're impressed by in terms of a job just to see what the background is.
But then you're going into, should people be allowed to investigate the people they're hiring going through deep searches of social media and any kind of online presence and going back to a comment they made about somebody back in 2010 on Twitter or whatever?
Is that a valid use of resources?
And is that kind of punishing them for things that they did years ago?
I think if you're a company that wants to remain squeaky clean
and have a really good track record,
you have to make sure the people representing the firm are supporting that.
It doesn't mean go and, you know, you can do the private eye stuff,
but you can also just do a little bit of due diligence.
Like, you know, it's a lot of gray area there.
Yeah, yeah, there is.
It isn't a black and white thing,
but very difficult.
Very difficult.
I'm just glad
I've never been caught
at anything.
Anyway, excellent.
Thank you very much, folks.
That was this week's
Industry News.
We are officially
the most entertaining content amongst our peers
Gonna get full use of these jingles before the awards come up.
Yeah, although I will say, and I said this before, I've got the jingles lined up in front of me labeled 1 to 12. I don't actually know which one's which.
I know, it's always hit and miss. It's like Battleships with it.
It is, yeah, exactly. In fact, one of them doesn't play at all and I can't remember which one it is. Not that the listeners would know that, because there's this thing called editing that I occasionally do.
Excellent. So we now are fast approaching the end of the show and we're going to move on to, and, and this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
That's just because you love that jingle, don't you?
I love that jingle.
It's got that copyright taste to it.
That's what I really like.
Yeah, exactly.
It's like intellectual property.
Woe betide anybody who tries to copy that one.
So I do have a Tweet of the week, but I have to draw attention first
to something I saw called the PayGap app, which is a gender pay gap bot.
Oh, yes, I saw this.
I didn't see this during, you know, on International Women's Day.
There's lots of companies sort of promoting, you know,
sort of how great they are and this bot literally
just goes in and publishes the gender pay gap between men and women. It's really damning. And I saw that some people, some companies actually deleted tweets, you know, once this had retweeted it. And they sort of said, hey, you know, the women's median hourly pay is 41.7 percent lower than men's in this company.
Yeah, so this is all lead, this is only available in the UK, this?
It is, yeah, because, yeah, we require that information to be publicly known.
That's right, yeah.
How brilliant, though. It's superb.
It is. Is it still now? It's still going now, yes. They've even published this morning.
Yeah, it's just I love that this service is there.
It's really good at calling people out.
I know, but it also – so say you worked at a particular company
and you wanted to know what your company's was.
Yeah.
So you have to just put out International Women's Day or something, right?
Well, no, I think there are publicly available stats because it's, yeah, it has to be published now.
Yeah, in the UK company, yeah, they have to publish it. But it's good to draw attention to it, because other people may see all this virtue signaling on social media about how great the company is. And it's just, actually, you know, you're good, but you're still not paying fairly.
And let's face it, those stats are probably nestled next to the privacy policy on the website, right?
Yes.
Largely inaccessible.
Buried.
Yeah, no, really excellent.
I thought it was very clever, and it's using publicly available data
and just doing a little big bold and a splash.
And, in fact, it does it without drama as well.
It doesn't, you know...
It's a bot.
Yeah, exactly.
It takes the emotion out of it.
It's just a fact.
It doesn't try and sort of say,
oh, you're awful people because they think that.
Oh, you are awful.
But, you know, it doesn't try and sort of pass judgment.
It merely states the facts that have been reported
by that company itself, and which makes it far more powerful.
Yeah, I agree, I agree.
So the other tweet which I have, so that's a great account which, you know, link in the show notes, definitely go and follow that one.
Yeah, I was just thinking what app it was. Yeah, go and follow.
So the second one is a tweet from Andrew Hornback, and he says,
now I've got a recruiter demanding that I change my resume.
You have no experience in cybersecurity, only IT and information security.
Where do they find these people and can they send them back?
Oh, my God. That's awful.
I don't know, though. Remember when spyware as a term came out and I was working then at Sophos, right? And we had this whole thing going, well, of course that's covered under Trojans and viruses. But, you know, people would constantly go, you guys don't manage spyware. So we had to do this whole getting that term everywhere across the website.
Say, yes, we do.
So, yeah, cybersecurity has become, and it's, yeah.
You have to dumb things down.
The term cybersecurity has entered the vernacular in the public's eyes,
not necessarily in our eyes.
But, you know, so what?
I use it.
I use the term.
Well, I use it now.
Yeah, absolutely.
I never used to.
I used to be along the, you know, oh, let's cyber all the things, blah, blah, blah.
You know, but if it's what people understand.
But the fact is, if you've got a recruiter in this industry saying you've got no experience in cyber, just in IT and information security, that is just pure ignorance.
That's terrible.
That's not just a term that's used in the vernacular, as it were.
It's terrible.
This is a completely misunderstood individual, probably.
Yeah.
But, yeah, I'm trying to imagine how much training they actually get as well.
You know, if you join that, they might be a new recruit thrown in the hot seat.
Junior resource.
Yeah.
Easier targets.
Exactly. In fact, probably all these, sort of senior, all their senior mates in the company are probably giving us, like, the equivalent of asking somebody to go and get a left-handed screwdriver, bucket of steam. This recruit, dude, this recruit, he's got no cybersecurity. Yes, totally, tell him, tell him.
That's much more likely. Yeah.
That sounds a little bit more, well, less depressing.
Let me put it that way.
Tartan paint.
That was the other one.
Back at the steam.
Tartan paint.
A long wait.
A long wait.
We had a thing called Kiwi Shining Circles at school.
Because it was a military school and we had to gloss our shoes,
you know, basically bullying the shoes,
which is spending hours to bring them to a high gloss finish.
And anything that could speed that up was great.
And so you used to send people to the tuck shop where you buy things like your polish and stuff and ask for Kiwi Shining Circles,
as in Kiwi Polish.
The brand Kiwi.
Yeah.
Yeah. Funny. Anyway, excellent. Thank you, Andy, for this week's Tweet of the Week.
Well, didn't that just fly past? Blimey.
Blimey, yeah. Quick is not the word. We are not missing Jav in the slightest.
Who? Yeah, exactly.
Oh, Jav.
Oh, dear.
Come back next week, Jav, because I might not be here.
Oh, did Jav send something that he wanted inserted into the... Oh, shoot, he did, didn't he?
Oh, well, I tell you what, we'll put it in.
We could do a midweek episode, maybe.
Or we can do that thing like they do over at Smashing
where you kind of have the interview at the end
that everyone just forwards through.
Yeah, just do what we do.
And it goes back to the end.
Why not?
Tried and tested.
Yeah.
Absolutely.
Actually, yeah, let's do it,
do how the professionals do it,
not how we would have done it.
So coming up now, we have a message from Jav.
Or coming up after we've done the jingle.
I'm, yeah, whatever.
Make it easy.
Oh, that was great.
Thanks very much for that, Jeff.
That was great.
And you just edit in
those two pieces there, right?
Right.
And let's all now...
Great points.
Well made.
Great points.
Well made.
Particularly the third point.
There you go. Brilliant.
We can add all of those in later. God, I'd totally
forgotten about that.
That's alright, Carole. We'll take your
bits out and we'll just edit Jared's.
Okay, no problem.
Again, I've told you how much I love giving you
Friday mornings. Great time to do this.
Super.
Tell me about it.
Tell me about it.
Anyway, Carole, thank you so much for giving up your Friday morning.
Do appreciate it.
If you ever want a full-time job here at Host Unknown,
we'll give Jav the push and you can come straight over.
What's the pay?
Sorry?
Women, I just want to know what the pay gap's going to be.
Oh, no, no.
It's exactly the same as what Jav and Andy and I get.
Fantastic.
We're equal opportunity.
Excellent.
Absolutely.
There is zero difference in our zero pay.
We all lose a Friday morning.
Yeah. Some of us lose a Friday morning.
Some of us lose a Friday afternoon.
So, Kroll, thank you very much indeed.
My pleasure.
Much appreciated.
Lovely to have you on the show.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
I guess we could put him in here, couldn't we?
Yeah, we could save it.
We'll insert it next week.
He's going to be late anyway, right?
So we'll just go straight over to Jav.
Sorry, as Jav would say in that particular instance,
that's what she said. Yeah.
Oh, dear.
Got to love him.
Yeah.