The Host Unknown Podcast - Episode Joe 90 - Filmed in SuperMarionation
Episode Date: January 28, 2022

This Week in InfoSec (07:20)
With content liberated from the “today in infosec” Twitter account and further afield
26th January 2011: Facebook Enables HTTPS So You Can Share Without Being Hijacked. ... Facebook announced Wednesday it would begin supporting a feature to protect users from having their accounts hijacked over Wi-Fi connections or snooped on by schools and businesses.
19th January 2012: Feds Shutter Megaupload, Arrest Executives. Since the shutdown of Megaupload, stories have erupted about the life and exploits of the company’s founder, a self-styled “Dr. Evil” of file sharing. Kim Dotcom’s opulent digs, high-end cars, fondness for models and other Bond-villain-esque behaviours have been splashed across websites and have confused evening newscasts for the last week.
25th January 2003: A new worm took the Internet by storm, infecting thousands of servers running Microsoft’s SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. The Inside Story of SQL Slammer.

Rant of the Week (15:35)
Court papers indicate text messages from HMRC's 60886 number could snoop on Brit taxpayers' locations
Britain's tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed. Her Majesty's Revenue and Customs had the potential to use SS7 to silently request that tax debtors' mobile phones give up location data over the past six years, according to papers filed in an obscure court case about a contract dispute.

Billy Big Balls of the Week (25:31)
Unmasking Poopsenders, The Anonymous Website That Sends People Fake Poop
Since 2007, Poopsenders.com has let people send packages filled with disturbingly realistic feces. Now, 'United States of America v. Poopsenders.com' has named two men who may be responsible.

Industry News (34:25)
Merck Wins $1.4bn NotPetya Payout from Insurer
Cyber Essentials Overhauled for New Hybrid Working Era
Experts Call for More Open Security Culture After VW Sacking
EyeMed Fined $600k Over Data Breach
Government Trials Effort to Make Bug Scanning Easier
Best Cybersecurity Research Paper Revealed
North Korea Loses Internet in Suspected Cyber-Attack
Florida Considers Deepfake Ban
IT and DevOps Staff More Likely to Click on Phishing Links

Tweet of the Week (41:12)
https://twitter.com/ra6bit/status/1486695164332711939

Come on! Like and bloody well subscribe!
Transcript
so I've just been hit with a tax bill.
So they've taken like 1500 quid off my salary this month for tax that I
haven't even earned yet.
It's for this year on account.
I don't get it.
I don't get how they're taking money for a tax year that is still in
progress.
How does that work?
Who knows? The HMRC work in mysterious ways.
They just,
they just come up with a figure and they try to deduct it.
And they hope that,
you know, Mr. Earning like, you know, six, seven figures a year just doesn't notice it.
They've got a magic eight ball. They just shake it and a name comes up.
Do you know what? It really does feel like that sometimes.
You're listening to the Host Unknown Podcast.
The Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 90-ish of the Host Unknown Podcast.
Episode 90.
Episode 90-ish.
Oh, yeah, yeah.
Yeah, so if I am a little sullen today,
it's because I've got a downer on HMRC.
I can't believe them.
How do they take money for the same year that you're currently in when actually you have to do a tax return
and then they're supposed to take the money?
What's that all about?
This is just easing you into it gently
because that 1500 they're taking now is nothing compared to what's coming when you do your tax return.
They're taking it for the next two months as well, apparently.
Oh, it's, you know, man's got Apple products to buy.
I'm gonna have to go cold turkey for three months. It's not good. It's not good.
Anyway, Jav, how are you?
Good.
Well, I say good.
Recovering from the rona, I should say.
Yeah.
I got it last weekend, and it's not been so bad.
It's not been full-on man flu levels.
It's been a step below that. The whole family have got it, so the missus, for the first time in her life, she's experiencing what a man flu is like, so she's completely knocked out.
Yeah, yeah.
And the kids are just having a field day at home binge watching Disney. It's been good.
If I can make one suggestion, I suggest you cough every now and then, because I understand people from your workplace listen to this podcast, so you just need to, like, oh, sorry, I feel a bit weak now.
Can't you add it in post?
Yeah, I was gonna say, isn't it an American company you work for, Jav?
I do.
Because they take sick days like holiday days, right? They get a certain allowance that they're expected to take.
Yeah.
So our company actually has, in America, not in Europe because the contracts are different,
but in America they get unlimited PTO.
Wow.
Okay, so this is PTO.
There we go.
Okay.
Okay.
Well, so in between bouts of you dying, Jav, and coughing occasionally, Andy, how are you?
Good.
I have made a discovery this week, which I am surprised about, and I am feeling, and
I'm hoping you're not hearing it, my fan in the office.
Is this Today I Learned or something?
Yeah, sort of, and it actually did come from a Reddit thread.
Yeah.
So ceiling fans have a switch on them which allows you to change the direction of the airflow.
Yes.
And so in winter you're supposed to set it in one direction, so it sucks the heat up and circulates it around the room.
And in summer, you switch it to the other direction,
so it blows the cold air down.
No, the other way around.
Hot air rises.
Well, whichever direction.
I'm actually feeling cold air, an actual nice draft on my head, for the first time since I installed this in November 2020.
And you're wondering what the hell you put a fan in for when you're constantly hot when it's running.
Yeah, exactly. Well, I just thought it was good. Like, it just didn't seem to be doing as much as I hoped it would.
Yes.
But yeah, new world opened. It's like, wow.
Is this... did you come across the manual or something?
No.
So I heard it on this Reddit thread.
And I say heard it because I listened to Today I Learned,
like a collection of them.
You listened to Reddit?
Yeah, rather than read it.
Is it in the Smashing Security robot voice?
It is.
It actually is.
It is.
Yeah.
It's all automated. And then, yeah, it was a complete eye opener.
And then I thought, hang on a second, let me have a look. So I had no switches on the side, and I took the light cover off and, lo and behold, underneath the light cover there's a switch.
I was like, oh, let me try that. Summer... sadly it's not labelled, but yeah, I'm like, wow, stuff is actually blowing around on my desk now.
All that talcum powder being sprayed.
Yeah.
I laugh, but this exact same thing happened to me.
We had a bedroom fan and for two years, my wife was like, this does not work.
It's not cool. It's a really nice one. It's like one of those really fancy two blade ones.
It's like it looks like an old propeller from an airplane.
So I thought it looked really nice, but this doesn't work. This went on for two years.
She's like, that's it, you're getting rid of it. And I was like, hold on a second, I've read something about this, an exact same thing happened, we're not doing it.
Oh. And then she was like, she could have killed me, right.
I just stick with the Dyson ones. They just sense what the temperature is, they do what they're supposed to do, you know.
Oh dear. Wow.
Air Blade, or the bladeless Air Blade, whatever.
Yeah, yeah, that's right, Air Blade. Yeah, yeah, exactly. So much better.
Anyway, welcome to the Host Unknown Podcast for all of your fan and cooling needs during the winter and summer months.
Yeah, so for me, all I've been doing is working on a spreadsheet
and using a calculator to work out what the hell I'm supposed to be doing with HMRC.
So, yeah, it's been a bit of a pain in the bum this week.
So, what have we got coming up for you today?
Well, this week in InfoSec sounds like it was pulled together
two minutes before we started recording.
I reckon 20,
because I know how much we chat beforehand.
Rant of the Week is a story
about a tax authority
watching every step you take
like bloody sting from the police.
Billy Big Balls is an OSINT story
which looks like it's going to land
two people in deep poop.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week has an analogy for you.
Let's move on to this week's...
This week in infosec
I'm glad that worked, because I realised we didn't even test whether the jingles were working before.
You're right, today.
But it is... oh, you did test? Yeah, yeah. But the problem is
you can always hear it
we're the ones that can't
well true
true
whatever
So it is that part of the show where we take a stroll down InfoSec memory lane with content scoured from many sources across the internet.
So it's not so catchy as liberated from Today in InfoSec.
It's not, but do you know what?
Stephen needs to pull his finger out is all I'm saying.
The well has run dry.
It has.
It's like he's lost the motivation to save me from doing some work.
It's just not good enough.
Anyway, there was far too much to try and get into this week.
So instead of serving you a main meal,
I'm going to bring out sort of various horse d'oeuvres just so you can get a little taster.
Or d'oeuvres.
Horse.
Or d'oeuvres.
I'm going to bring you some horse, Tom.
As long as they're d'oeuvres, I don't mind.
Or d'oeuvres.
Just so you can get a little taster.
Now, there's various stories I could have talked about, but I did settle.
So I could have said, you know, 38 years ago on the 24th of January, Apple Computer Inc. launched the Macintosh computer with a live demo.
Or I could have gone 24 years ago to the 27th of January 1994, when Jim Clark left Silicon Graphics to start Mosaic Communications, and Mosaic obviously later became Netscape Communications, and their first product was subsequently named Netscape Navigator, which was the biggest browser you would have found online in the late 90s.
But I could have even gone 26 years earlier to the first version of the Java programming language, when that was released, you know, with the ability of Java to write once, run anywhere, to make it ideal for internet-based applications. And as we know, over the years there have been many Java vulnerabilities we could have talked about.
But instead I am going to take you back just a mere 11 years ago, to the 26th of January 2011, when Facebook enabled HTTPS so you could share content, you could share photos, without your session being hijacked.
And this was actually big news, you know, 11 years ago.
Oh, my God.
11 years ago.
But I think that was around the time it was when, what is it,
Firesheep, the extension, got popular?
Yes, exactly.
Yeah, coffee shops and stuff like that was a big one.
Yeah, going to coffee shops, use the Wi-Fi
and just basically watch people on Facebook.
See what they're talking about.
And the Pineapple.
Yeah, that's the...
The Wi-Fi Pineapple.
Yeah, that was if you're too lazy to download Firesheep. And it's like a, what's the browser, it's just an extension to your browser.
Yeah, not particularly difficult. It's either Chrome or something browser.
Firefox. Firefox, that's the one. Yeah, yeah. Firesheep. Yes, yes, yes.
Yeah, so just 11 years ago, and that was actually headline news that a site was going to run HTTPS.
Can you believe? And nowadays it's a wait, what? This site doesn't support HTTPS.
I'm not using that. This is a dodgy site.
For the second story, I'm going to take us back just a decade, when the... and I can't believe this even happened.
This was such a crazy time. It was around the 19th of January 2012 when it originally happened.
But then it did kind of go on for the following weeks, when the Feds shuttered Megaupload and arrested executives.
And if you recall Megaupload, it was like the biggest... it was basically like a web-based Pirate Bay, in that you didn't need any special software. This is where you got all your warez and your pirated software.
And it was run by a guy called Kim Dotcom.
Yes.
Who, like, his lifestyle, like the stories that have come out around that, and he's been referenced as like the Dr. Evil of the file sharing world.
Helicopters and just crazy high-end cars, models,
and basically the most cliche Bond villain that you could possibly ever come across.
You know he's a baddie when you see photos of him wearing a beret unironically.
Yeah, but I mean, that was only 10 years ago that Kim Dotcom sort of dominated headlines, and that was in New Zealand he was caught, wasn't it, or something like that?
Yeah, he was there. He dragged it out for a long time. He made a real spectacle out of it.
Yeah, and you would, I mean, you want to avoid getting arrested, right?
Yeah. I think one of the things that Megaupload... and I might be getting this wrong, but I believe what they've done is, if you uploaded a file onto it, it checked to see if that file already existed, in which case it only gave you a link to that one file. It didn't let you duplicate that file, so if you got a takedown notice they only removed that one link.
Yeah, they did some clever stuff. There was some sort of... this is the loophole type. I mean, ultimately, right, what they were doing was wrong, I think we can all agree that.
Yeah, you know, but it's just taking advantage of loopholes, right, which is, yeah, good, good guy. But again, this is like, to me, this is recent times, right?
Good and well, you know, I mean, so he's a bit of a character. It's not like he's out there murdering, right? His mother loves him.
Yes, looks after his mum, that lad.
But I will, you know, for the purists who are actually looking for, like, a proper in-depth, you know, sort of internet security story, it was 19 years ago, on the 25th of January 2003, when a new worm took the internet by storm, infecting servers running Microsoft SQL.
And the worm became known as the SQL Slammer Worm,
which eventually became the fastest spreading worm ever
and helped change the way Microsoft approached the security.
They completely, they almost overnight,
I say overnight, but they built a security team and security program
with proper goals and everything.
Everything changed, didn't it?
It was a huge, and Jav actually shared this story
on the group chat earlier this week.
It was a really excellent write-up from David Litchfield.
It was written in 2010, how he and his team saw this coming.
It's called The Inside Story of SQL Slammer, and it's linked in the show notes. It's just a
really interesting thing. It's like, it takes, you know, maybe seven minutes to read it,
but just from on the ground you know this person saw it coming they'd previously done an engagement
where they theoretically tried to make this happen on a network.
And now, you know, he's one of the responders to it.
It's just a really good write-up, which I highly recommend reading.
Excellent. Nice one.
Thank you very much, Andy, for this week's.
This week in InfoSec.
It doesn't matter if the judges were drinking.
Host Unknown was still awarded Europe's most entertaining content status.
And now it's time for...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage. It falls to me, this one will come as no surprise,
especially given my current situation.
Court papers indicate that text messages from HMRC's 60886 number
could snoop on British taxpayers' locations. So just bear this in mind. So the
HMRC, sorry, I meant to say the HMRC, the Tax Collection Agency, they are an agency that is
actually allowed to retrospectively change the law as regards tax. So what was, you know, just to put this into
perspective, the type of agency we deal with, what was legal for you to do with your taxes last year
and the year before that, they could change and say, that's no longer legal. You now owe us tax
for last year and all the years before that. Just saying, you know, that tells you quite how this this organization works.
So this HMRC, the tax collection agency, they asked a contractor to use the SS7 mobile phone signaling protocol.
And what the SS7 mobile phone signaling protocol does, it's called signaling system number seven, is it detects where messages were received.
And the technique is therefore known as the home location register. These are all TLAs that basically say, we can find out where you actually are. Now, the reason why this has sort of popped
out is that apparently the third party that HMRC was using to send text messages to tax defaulters,
which in of itself, you can understand if someone's not paying the correct amount of tax, the HMRC would send reminders.
You know, you owe us this amount of money, etc.
What they didn't say was that they were also tracing where you were when you received that.
A bollock call.
It is.
Without telling you that that's what they were doing or without actually stating somewhere that that's what they were doing,
or even without claiming a legal basis or court orders to state that they can do this.
The reason this came out was because they fell out with their
SMS provider. The HMRC awarded the contract to a rival mobile phone organization.
And the original organization are suing HMRC. And it turns out that the contract with HMRC very clearly said
that the agency had asked for the capability of doing more than merely verifying that tax
demands sent by text had been delivered. So it's one thing to say,
we know that this message has been delivered, therefore it's the equivalent of getting a
signature on a letter or whatever, which may be useful in court later on. They had this statement
or these requirements in their contract, which is location and service provider information
associated with the recipient. This could be as little as the network provider of the recipient,
which would save us a stage in our investigative process,
thanks to numbers being ported between networks.
It could go as far as the location details of the recipient handset
when the SMS delivery route is queried via the C7 or SS7 signaling protocol.
The provision of SMS services
will not be over the PSN. So this is saying that HMRC were setting themselves up to get this data
without any kind of legal basis. The other side of this as well is when they decided to go to a different company, the actual 60886 number
that HMRC had said to a lot of people, if you get a text from this number, you know it's from HMRC
and therefore it's safe. Well, that number was actually the property of their third party. So
when they changed their provider, they could no longer use the 60886 number, meaning that people were then receiving HMRC texts from numbers that in the past HMRC had said ignore them unless it's from this number.
So overall this is just an utter, utter shod... You were going to say shit show, weren't you?
Oh, shit show.
This is an utter, utter shit show.
Sorry, thank you.
Awful, awful.
An organisation paid for by the taxpayers
that is, one, messing us around and illegally tracking us.
And goodness knows what this data...
The report doesn't go into where this data resides
how it was used, if it was used, under what, you know, how it's attached to our tax records, etc., etc.
Because this... and I'm looking for this in the document. I believe it can also track
where your phone has been for the previous five years, is it?
Something like that.
Six years.
Six years.
This data that this text message can provide will show where you've been for up to six years,
which is an appalling invasion of privacy.
Absolutely appalling.
So, yes.
So I'm on a double downer with HMRC. Now I know, HMRC, if you're listening and you are looking to redress the balance, you can do so by sponsoring this show.
But nonetheless, I mean, as if my view of the HMRC this week isn't bad enough, this just takes the biscuit.
Utterly appalling.
It's just appalling.
And you know what?
It's wrong on so many levels.
Obviously, the privacy and everything.
But then this is the point that people say, like,
sometimes they get hounded for, like, 50 pence or 20 pence.
Yeah.
And they get sent a letter, and they're like,
the stamp cost more than that.
And this is just a prime example. Switching providers, not having the number, having to probably send out all these communications again about how it's different.
Utter waste. It reminds me of the Michael McIntyre joke.
He goes like any time someone's mugged, the CCTV footage is proper grainy. It's like you can't make out anything.
Yet if you go in the bus lane when you're driving,
it's 4K, full HD, like, you know.
So he goes, if you're ever being chased by a mugger,
run into the bus lane.
And so I think if you ever get a threatening text,
anonymous and the police can't help,
just leave an anonymous tip with HMRC saying this phone number has underpaid taxes.
They will know where they've been for the last six years and they will hunt them down and get them.
Yeah, it's like they told me over the phone.
They can actually, they have up to seven years to claim back tax that they feel they may have missed. Seven years.
When you get a tax demand, you get anywhere from immediate to up to 12 months to pay it.
Jesus. Look at that balance of power there.
Yeah, up to seven years ago you could have made a mistake on a tax, or the law, they could have changed the law retrospectively and say, oh well, well, no, now you owe us this amount.
I'll tell you a quick tip, though,
and this worked for me many years ago.
I'm taking this with a pinch of salt.
You've got experience with HMRC, Jav.
Yeah, I've got a bit of experience.
And like, you know, in a couple of occasions,
it's not worked out.
But there's one time that I was 100% in the right
and they were not, you were not responding to my messages.
They were going on about how I owed them money and I was like,
well, you owe me a rebate first, which is more than what that is,
so why don't you just deduct it from that and give it to me?
They were like, no, no, no.
So HMRC stands for Her Majesty's Revenue and Customs.
So I went straight to the top and I wrote a letter to Buckingham Palace.
Are you sure?
God's honest truth.
I wrote a letter to the Queen saying that I've got many issues with this,
that the other, I'm a loyal subject of yours.
How could you ever let someone, an organisation that uses your name,
Her Majesty, treat subjects like that?
Within three days, I got a phone call from someone at HMRC
who sounded quite senior saying...
Just called Liz.
Some lady called Liz.
Is that Javad Malik?
Yeah.
No, no, no.
Someone at HMRC, and I explained the situation to him,
and he goes, okay, and he amended the file,
and it got sorted out.
Oh, my God.
Seriously?
Yeah, yeah.
I got a letter back from Buckingham Palace as well,
and it was like, oh, we've forwarded it on,
and sorry to hear about the troubles.
Did you get a signed photo and a sticker as well?
I didn't.
No, no.
Say it like.
Oh, man.
Well, that's taken the anger out of this rant,
which is probably a good thing.
Probably a good thing.
Anyway, that was this week's Rant of the Week.
This is the Host Unknown Podcast.
The couch potato of InfoSec Broadcasting.
And talking of potatoes, here's Javad and this week's...
Oh yes, it's me.
You know what?
A ronald up, Jav, just sitting there waiting for us for the inevitable. Honestly,
I've felt as slow as Herb Dean trying to, like, wonder whether I should stop a fight or not.
So it's, no, it's not. Anyway, Billy Big Balls. I'm distracted because I'm actually reading the story, trying to summarise it into a succinct point.
But OK, there's a website called Poop Senders that have been around for a number of years.
And if you can't tell by the name, it's a website that lets you anonymously send fake poop to people who you don't like.
It's terrible.
Apparently the site's been around since 2007.
And they pride themselves on anonymity and nothing getting back to you.
So say like, Andy, if you wanted to send some poop to Tom, you just pay them the money. You can pay in cash or whatever. I think it's only in the US.
But yeah, but you know, when I send poop to Tom, I do it like, you know, like Game of Thrones, like, tell Cersei it was me.
To the courier, tell Langford it was me.
I can tell it's you because it smells sweet like Haribo.
Oh, dear.
Yeah, we didn't think we were going to have to edit this week.
Oh, dear. Right. Many victims over the years have been targeted by anonymous poop packages since 2007, even though the website says don't use it as a form of intimidation or harassment or anything, it's just for practical jokes.
Which is like the GitHub equivalent of when people say this phishing software is for educational purposes only, we are not responsible for anything you do with it.
So, you know, it smells bad, it looks quite realistic. Some people feel like it might be the...
Anyway, after many, many years, many, many years,
there's a new legal proceedings,
the United States of America versus PoopSenders.com.
I mean, have they not got anything better to do?
Well, like HMRC, they like going after the big fish.
What, the big brown no-eyed fish?
Yeah, exactly. So they've now named two men who they believe may be linked to it.
And did they identify them through DNA testing?
No. So for years the two... there's two men, John Santonastoso, there's John and John, and his son John, John Jr.
John Jr., exactly, John Senior and John Jr. Yeah, exactly, Santonastoso.
So yes, and his son, John Edward Santonastoso.
Anyway, the two men were... John Edward what?
Anyway, for years, the two men were linked to an LLC
called JD Infinity, incorporated under Senior's home address
in a cul-de-sac in Pittsburgh.
The company has no website and no online footprint,
but now public records show, and this is a great thing, it received two Payment Protection Program payments for a total of 43,000 from the first COVID-19 relief bill. That money, plus the interest accrued, was completely forgiven.
Two jobs were listed in JD Infinity's PPP application, which may or may not have involved sending fake shit through the mail.
So until they attempted to claim money during COVID for loss of business, they were completely off the radar.
Yes. Yes.
I don't know if you've seen the film American Gangster.
It's with a long time ago. That was Russell Crowe and Denzel Washington.
And yeah. And Denzel's like this big time drug dealer. But he's really under the radar.
No one knows who he is. And he gets invited to a boxing match.
And his wife gets him this massive, fancy, like, fur coat and hat to go, and he's always played it low-key, low-key, but she's like, oh no, no.
And just by going there wearing that, sitting in the front row, he catches the eyes of the Feds, and then they start launching a massive investigation into him.
So it's just, it's always these small things. People slip up for a second and all of a sudden it just pings out,
and it might feel like nothing, but that's the thread that you pull on
and the whole Christmas jumper starts unravelling.
Yeah, so this is actually, because I'm trying to think, it's not like they are, I guess, a business which had customers that walked through the door that really was affected by the pandemic, right? This is a mail order business.
So, yeah, but people have got, you know, other things on their mind, right, rather than sending poop.
So if that, they... I'm looking at their website now, so they do have a website, and in fact you can... I think the registered entity didn't have a website.
Oh yeah, I understand. OK. But nonetheless, you know, if business went down, this is a, you might say, you know, crass and really unpleasant business.
But it's a legal business and it builds, you know, creates a living for its owners.
If business goes down because of COVID, then they're in their right to surely ask for COVID relief in the same way that any other business is, just because you don't like the product.
Yeah, no, I get it.
I'm just wondering whether or not they did suffer from...
Well, I guess that's down to the COVID relief programme
requiring evidence of such.
But they've got quite the broad range of products, I have to say.
I mean, you can send cow dung, elephant crap, gorilla poop, a combo pack.
You can send a mega pack with tiny candy hearts, which is on special offer right now, limited time offer.
I wonder if that's because they're anticipating being shut down.
And you know what, I guess what is interesting here is that there's nothing to actually say... I think, Jav, you've been saying that it's fake poop, but I'm not seeing that anywhere.
It's under the FAQs, apparently. Like, is it real? When they're like, real poop? Yeah.
Only the mad scientist that packs this stuff in the back room knows for sure, and he wouldn't tell us, but we do know this: it really smells bad back there. He is mixing up shit, and he does visit the local dairy farm and zoo about twice a week.
We also don't want the delivery company to actually know what kind of shit they're delivering. We can assure you that it looks nasty and really stinks.
It will get the point across to your intended victim.
See, to me, is it real poop?
That's a yes or no question.
That's a lot of words.
Yeah, that's right.
Well, I guess they can't legally say that.
Yeah, yeah.
That's the whole thing.
You know, but if they're breaking laws, they should be shut down.
If they're not breaking laws...
More power to them.
Well, I mean, there's obviously some kind of weird demand for this.
Well, it's...
What, being able to anonymously send shit to people you don't like?
Yeah, I know.
What's the weird demand in that?
How are we gonna sell this?
Oh man, that's, wow, wow. So Tom at the moment is looking up, like, you know, can you send
to HMRC, Wales, PO 9043? Do you send internationally?
Yeah.
Thank you very much, Jav, for this week's...
Billy Big Balls of the Week.
We are officially the most entertaining content amongst our peers.
So, Andy, what time is love?
It's that time.
What time is love?
Yeah, it's that time of the show where we head over to our InfoSec PA Newswire,
who have been very busy bringing us latest and greatest security news from around the globe.
Industry News
Merck wins £1.4 billion NotPetya payout from insurer.
Industry News
Cyber Essentials overhauled for new hybrid working era.
Industry News
Experts call for more open security culture after VW sacking.
Industry News.
EyeMed fined $600,000 over data breach.
Industry News.
Government trials effort to make bug scanning easier.
Industry News.
Best cybersecurity research paper revealed.
Industry News.
North Korea loses internet in suspected cyber attack. Careless.
Industry News.
Florida considers deepfake ban.
Industry News.
IT and DevOps staff more likely to click on phishing links.
Industry News.
And that was this week's...
Industry News.
Huge.
I see, Jav, your cursor went straight onto the best cybersecurity research paper revealed.
Yeah, that's right.
Oh, was it?
Was it? Was it?
Was it?
No.
No.
Bullshit.
It's a research paper actually written by HMRC on vulnerabilities in text messaging.
Tracking people for fun and profit.
Yeah, that's right.
So who wrote it? Was it NASA?
No, it was by Yanyi Liu from Cornell University and Rafael Pass, Professor of Computer Science at Cornell Tech.
It expounded a theorem that relates the existence of one-way functions, OWFs,
to a measurement of the complexity of a string of text.
OK, that doesn't sound like the best cybersecurity research paper, but the most complex cybersecurity.
Surely the best one is the one that everybody reads,
understands and puts into action straight away.
I think what will give this a more credit than some of the other awards
that are out in the industry is that it's the NSA,
the National Security Agency, who are the judges of this competition.
These are the ones that the NSA, the agency that's been hacked
and had all of the tools that they use released into the public domain.
Yes.
It's those guys, right, the incorruptible NSA, who kill people based on metadata.
Yeah, so just obviously, I mean, this is clearly a very easy way for them to receive inbound
theories, right, based on... I'm reading this is the ninth time they've held this award as well.
This is the ninth annual Best Cybersecurity Research Paper competition.
Is that because they've had nine pieces of bad news
that they've wanted to kind of distract people from?
Oh, my God, this has just blown up.
Quick, let's hold an awards ceremony.
Do you think if you go back five, six years,
you're going to find some papers that they're called something else,
but they describe eternal blue in almost like...
Yeah.
Everlasting red.
Yeah.
So I'm looking at the Florida seeking to outlaw
the malicious distribution of sexually explicit images
without the subject's consent.
This is the deepfakes thing.
But surely that falls under anti-pornography or revenge pornography.
You'd think there were laws already.
Yeah, that's the thing.
Well, it's Florida.
It's Florida.
Yeah, so they're saying they have to establish new regulations
because current revenge porn doesn't cover it.
What?
So you slap somebody's face onto that of a porn star, release that, and say, oh, look what Andy's doing. I'm just...
Oh, you've seen those, for example? Yeah, exactly.
And you can't be arrested for it, because it's deepfake and it doesn't fall under revenge.
I mean, come on.
I'm sure you can get arrested for it.
I think the problem is it will fall down in the court system, right?
Man, that sucks.
That sucks.
The one that doesn't surprise me at all is IT and DevOps staff
more likely to click on phishing links.
That's because, you know, ah, we wouldn't fall for that. Click. Yeah, we know what we're doing, we're
protected, we're sandboxed. Yeah, we've got all the tools, sitting here logged in as domain admins. Yeah,
yeah, not on a sandbox. Yeah, on the production network. Yeah.
What was really interesting, though, is that VW, there was someone at VW who said that he raised some concerns
about fraud in the payment system and everything.
Oh, it was a whistleblower.
It was a whistleblower, yeah, and he got fired for it.
And so now people are, like, outraged.
But VW is saying, no, there was lots of issues with him.
There was lots of like, you know, red flags on his.
All whistleblowers are really poor employees.
Yeah, yeah, yeah.
So it's really one of those interesting things, though.
Like, you know, I mean, VW, for those who remember,
in 2015, they were caught fiddling their emissions.
And that's the thing.
So the whole industry was clearly doing it
because VW couldn't have been the only car manufacturer
that couldn't get their emissions down.
It's just that they were caught.
Yeah.
A bit like Lance Armstrong of the car world.
Yeah.
Anyway, thank you very much.
A great set of stories here for this week's...
Industry News.
The Host Unknown Podcast.
Orally delivering the warm and fuzzy feeling
you get when you pee yourself.
And talking of peeing yourself, Andy, time for you and Tweet of the Week. And we always play that one twice. Tweet of the Week.
And this is a tweet from someone who goes by Rabbit, and they say: antivirus software is pro-vaccine propaganda restricting your freedom to run
alternative code. It's all part of the New World Order agenda to weaken your computer's natural
immune system and make you dependent on security vendors. And, like, on foot... whenever you sort of liken something to anti-vax movements or stuff like that, it's
brought a whole lot of comments, right? I think, you know, Rabbit did something quite clever
there. It made me chuckle. But then, you know, you got a whole load of responses. Many browser
developers and security folks myself included on both counts,
have reservations about antivirus products
for good reason.
What?
I know.
I mean, there are good ones
and there are less good ones,
but really?
And that's, you know,
someone else has said,
yeah, comparing antivirus software to vaccines
isn't a good argument if you want vaccines.
The caffeine antivirus ain't exactly a good option, and Norton's crypto mining.
Vaccines and antivirus are tools, and you can choose good antivirus software,
but so many are just bad. Come on, it's like, you know, comparing the Sputnik one to Kaspersky
and, I don't know, the SentinelOne product to Pfizer, for instance.
Just saying.
Oh, man, I like what you did there.
There's got to be someone in marketing, you know,
updating the employee of the week.
Yeah, they better be.
They better be.
Nina, if you're listening.
Somebody else said,
I just let my computer catch all the viruses
for the natural immunity,
so I don't need it.
Oh, that's good.
Man.
Oh, dear.
Excellent.
Thank you very much for that one.
Tweet of the week.
And so we come hurtling into the brick wall and lamppost of the end of the show.
Gentlemen,
thank you so much
for your time today.
Jav, thank you, sir.
Oh, you're welcome.
Hope it wasn't too taxing for you.
Ah, well, you know, all that coughing and spluttering all the way through, you know,
I'm sure you're exhausted and you'll have to go and have a nice lie down.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
r/smashingsecurity. We haven't got time for a post-credit sequence because Andy's got to run to another
call, and he's got to make some notes and make a cup of tea, probably Earl Grey, actually, a bit...
it will be a bit of milk in there. So whatever we do, we cannot waste any more time at all.
And I can't emphasize this enough.
We cannot waste any further time on this post credit sequence.
Andy.
Andy.
Andy.
Andy.
Really need to ask you an important question.
Andy.
I need some tax advice that I can pass on to Tom.