The Host Unknown Podcast - Host Unknown Podcast: The Definitive 6th Episode
Episode Date: May 15, 2020
Absolutely no technical difficulties were experienced, and we heard every word that our very special guest Rowenna Fielding was making, especially her third point. Stay tuned for Jav's legal woes and ...Andy's auditor supremacy. Come on! Like and bloody well subscribe!
Transcript
Uh, yeah, this is kind of weird. I'm feeling like stuff just got professional, like we got prepared or something.
Yeah, so we just need... time like the present.
I was gonna say, we just need a soundbite for the intro then, don't we? Yep, yep.
You're listening to the Host Unknown Podcast. Out.
Yeah, and I've got mine on mute, so yeah, I know it's not me.
Folks, as always, you know, we were just saying we're ready and professional, and then Jav goes and drops the, uh, drops the ball there. So, Jav, welcome. You know, I'd like to make an entrance, so an entrance with a, with, with a message, didding?
Yeah, just to attract attention.
He hates it when all eyes are on us and not on him.
So I bet he sent the message to himself.
He is the embodiment of a peacock, without a shadow of a doubt.
Maybe with less pee, anyway.
I'm not sure.
And Andy, how the devil are you sir
Not doing too bad, thank you. I, um, again my challenge... hold on, hold on, whose phone is buzzing? Let me ask that. Okay, I mean, that's just one long buzz. I have the gardeners in at the moment. It's not a euphemism.
Yeah, you're like, you know, half the infosec industry.
I know what my limitations are and I'm not prepared to tell professionals, other professionals, SMEs, how to do their jobs. So I have the experts come in and trim my bush, you know, once a month, and yeah, it makes the garden look better, I guess.
You must have a nice looking bush.
Indeed.
This is not that kind of podcast, gents.
Come on.
This is not Viz.
What do you think this is?
Smashing security?
Yeah, exactly.
I was going to tell you, my woes with HMRC
continue this week.
I've not told you guys this one.
So obviously, apart from the fact they obviously believe I have undeclared income
and so put me on the most ridiculous tax code whilst I'm under investigation,
the Post Office is now holding a shipment which I have from China because HMRC believe that import duty is required on it. And this is a shipment of protective personal equipment, personal protective equipment, so they are face masks which I have been buying in bulk. I've had no issues with the first shipment, which I received
because it came via Spain.
However, this second shipment came straight from China
once I realised the seller was actually selling decent stuff.
And so now I have a letter saying that I owe import duty on it,
which, as we know, you do not have to pay VAT on PPE.
So here we are.
They're just trying to take money from me.
But import duty isn't VAT though, is it?
Sorry, so there's no VAT
or import duty, customs duty
on PPE at the moment.
Ah, you are a
marked man at the moment. This is brilliant.
So now I'm going to go on eBay
or AliExpress even
and start ordering
some stuff to send you, Andy.
Well, the best thing is
if you didn't order it,
you can just leave it there.
It gets sent back
and there's no charge.
So, you know.
Exactly.
Yeah, it's not about
you getting charged.
It's about you getting
even deeper into that watch list.
It is.
And the annoying thing is that the Royal Mail also add an eight pound handling fee onto the whole, uh, process.
Oh yeah, I know. They have nothing to do with the whole... you know, they're saying, look, we're just acting on HMRC's instructions, so, you know, we handle the payments, and if you've got an issue you've got to take it up with them.
I know, I know. When I last ordered some dodgy grey goods for import, you know, during a national crisis, I remember exactly the same happened to me.
Have you, Andy? You've gone on mute again, mate.
No, he's just speechless.
I did go on mute there, obviously, but no, I'm biting my tongue. As you know, I am not one for profiteering whatsoever. In fact, I'm so generous I do not even claim my expenses. That's how generous I am.
So generous and stupid. So, Andy,
you know the sponsorship money
we got for Hosts Unknown it went into your
account did you declare that
it went to China
China
why don't you go ask China that question
yeah
oh dear
How are you, Mr Langford, this week?
I'm good I'm good. I'm good.
I'm a tad busy.
I've been doing some filming.
The Lost CISO is about to make a grand return, which is good.
There was a little teaser video went out the other day, yesterday, actually.
And the first episode is going out on Monday.
I saw that.
I saw the teaser.
It looks very, very good.
Yeah.
Yeah, I'm really pleased with it.
So my professional assistant, the person who knows more about film than anything,
i.e. my son, he did the intro sequence.
Although I jazzed it up, I actually made some contributions to it.
And then I pulled together all of the bits where I stuffed up during the first few days of filming. It came together all right, I think. Came together all right, so yeah, I'm looking forward to it. We've got five episodes in the can, three of them are edited and uploaded ready to go, so today I'll be editing the last two, and then I've got five more to film. So if you've got topics you want covered, then let me know.
Excellent.
Yeah, I'm very pleased it's come together quite well. It went from, I'm going to do this within the first week of the lockdown, to, I really can't be arsed, to, oh my God, this is actually a little bit easier than I thought it would be. So let's just say I've been on one of those BBC journeys as a result of this.
Anyway, so what have we got for you guys today?
I know we were so professional, we actually got a list.
So we've got rant of the week, a Billy Big Balls, a tweet of the week,
industry news as well, and the little people.
So we've got five things to get through.
Now, last week, our episode ran at something like over 50, 50-odd minutes. Never know, might be shorter this time, we'll see. But should we jump straight into something?
Let's do it. Go for it. Run the jingle.
Yeah, okay, I will run the jingle as soon as I've found it on this stupid bloody... Ah, here we go. Rant of the Week.
Rant of the Week.
That's me, isn't it?
Okay.
So, rant of the week for me this week
is this whole "CISSP is equivalent to a Master's" debacle.
Oh, I've seen some of this.
I've seen some of this.
It's got nasty. It's got nasty out there. Some really nasty stuff. In fact, there's only one person who I think has presented a calm and considered opinion, and that was Rob Graham, I think, and he did one of his classic sort of multi-part tweets about it, very considered, et cetera. I think on the whole he felt that it shouldn't be considered equivalent to a master's, but he gave some very good reasons, whereas most people are just, hell no, I've done a master's, my blood, sweat and tears, blah blah blah, and it's definitely not the same. So I'm on the side... I'm actually on the side of the CISSP being seen as an equivalent to the Master's.
And just to clarify, that is considered the less popular view, is it?
Yes, yes, somewhat.
So one, and perhaps my initial reaction is, for goodness sake, people, we've got bigger and better things to be worrying about than this. And two, I think it's been called an equivalent. It's not being called the same as. It's not like you get to stand up in some cathedral somewhere and receive a piece of paper or whatever. It's an equivalent, and that's all. Now, the reason I'm in support of this is I think they are two very different beasts, without a shadow of a doubt. I know people who've done Master's and I know people who've done CISSPs. In fact, all three of us are CISSPs, I believe.
Indeed.
Is that right?
Yeah.
And I also have a PhD as well, so I'm able to comment on this topic.
No, it just says Doctor on one of your credit cards, doesn't it? More than one, come on.
So, yeah, and I think I know people who have breezed through Master's and I know people who have breezed through CISSPs, and I also know people who have put blood, sweat and tears into both. And many people who have failed the CISSP, you know, on multiple occasions. Now, it's not to say that the amount of effort into each one is the same, et cetera. But I think what we need to remember is that they're two very different types of qualification, delivered in two very different ways and for very different reasons and very different aims as well. So with a master's, I could have got a master's 10 years ago in a subject and still have the letters, you know, whatever a master's is, after your name. If I did that with the CISSP, unless I carried on submitting CPEs and actually doing continual education, I could no longer have those letters after my name after three years. So they're very different beasts. A master's is a static shot in time, whereas the CISSP, in theory, and I know there's going to be plenty of naysayers who say that this is not the case or it's easily abused, et cetera, but the CISSP, in a sense, is a far more living qualification in the way that you have to continue to prove your knowledge, et cetera, or prove that you are continuing your education towards it. And then there's the cost element. So people are saying, you know, I spent 10,000 pounds on my Master's, and again, blood, sweat and tears, that seems to be a common theme amongst people. But then you only pay that once, and again, to that ongoing theme of continual education and continual certification, you do have to pay ISC Squared money on a, I think it's a three-yearly basis. I did get confused when they made those changes. I feel like I'm paying twice every year and I'm not quite sure why.
No, you're not. You're not at all. But anyway, well, I don't think so.
I don't know. I just pay what I'm told.
But the thing is, it's a significantly lower amount of money as well.
So, again, we're not comparing apples to apples. We're not comparing, you know, apples to oranges here, or we are comparing apples to oranges here a little bit.
So can I just clarify, is it any Master's, or are they sort of making it all about, you know, Master's in cyber security or similar?
That's a very good question, but I think what they're saying is it's an equivalent to any Master's. I mean, it doesn't mean to say that you get the CISSP and you can be a Master's, you know, in Art.
No, of course.
Whatever. What it's not saying is that your, you know, your level of education is at that level. And this isn't just ISC Squared declaring that, you know, the CISSP is the same as the Master's. There is a third-party organisation
who's...
I've done so much research,
I could name this organisation,
but I decided I won't.
NARIC.
Yeah, that's them, NARIC.
Yeah, I'm saying that like I know that it's them.
But they're the people
who have actually done the analysis on this
and done the research and
ascertained that it reaches, what was it, level seven of NARIC, of the assessment, which is the equivalent of Master's. So, you know, this isn't just ISC Squared going off on one and, you know, having visions of grandeur. This is a third party, you know, actually looking at it and trying to create some equivalency across the board. There are discrepancies across, you know, across everything, but I think people are reacting very much to the headline on this rather than the underlying...
Are you saying that people read the headline and then gave their opinion without actually reading through the content? You know what? Yeah, I think possibly you're right.
Shut the pitchforks!
Yeah.
There were a lot of cries of pitchforks, I'm sure.
It was, you know, it's like, please.
So anyway.
Well, I was going to say, all of a sudden,
this is the, I'm guessing the same people who, you know,
straightaway decry, you know, a valid security-related certificate.
You know, you're never going to get one thing that solves everything, you know.
So, you know, what do you want to do about it?
Okay, do we create more standards and just, you know,
end up with 100 different certificates and everyone aligns to which one they want?
Or do, you know, we try and fix the one that we've got?
You know, what is missing from it fundamentally? Can everyone agree on that? Which, again, I don't think we can. You know, I think the pen... no, I don't think so. You know, the technical people have another view, the management have another view. But, you know, to argue about whether or not it, you know, meets that same criteria as the level seven on that scale for a master's...
You know, this is the same industry that decried the Equifax CSO
for not being qualified because, you know,
she had a master's in a different topic.
You know, we're not taking into account the, you know,
the experience that people bring with that.
But, you know, you need some kind of indicator to... Just because somebody has a master's doesn't mean that they're actually any good at it. I mean, I've got a bachelor's degree. On paper, great, you know, I've got an honours bachelor's, a bachelor's honours degree, but it's a third class degree, actually, when you dig a bit deeper. It didn't do me any good. You know, I faffed around at university. It was only when I, you know, got a real job that I started to realise what hard work was actually about. And it's the same thing with the master's. You got a master's from 10 years ago? Congratulations, you showed people 10 years ago that you knew stuff from 10 years ago. How is that applicable now? You know, it's about how you apply that knowledge.
Yeah, if nothing else, what the CISSP offers is a way of proving that you have certified your educational efforts towards it on an annual basis.
So I think where ISC Squared went wrong a bit was just in how they marketed that news, that they were... yeah, so the headline or the tweet that went out made it appear, and that's the problem, people won't read the article, but the headline that went out and the press release that went out made it appear that, oh, this is equal to an MSc. And I did a little bit of digging into NARIC and what it was and everything. And I think fundamentally what it's designed to do is really to bring some consistency to international students. So say you grew up in Mauritius and you've done an A level equivalent there. It might be called something else, so when you come over here you need something to say that what you did over there was the equivalent of an A level to allow you to get into university.
Yeah, like a baccalaureate or something.
Yeah, exactly. And that's what this is trying to do. It's mainly for educators or for employers to say, well, you know, these things are kind of like different types of apples that you can put in the same thing. And actually, after they've done that and seen the backlash, ISC Squared actually put out a blog with an FAQ, what you need to know about the CISSP comparable to UK Master's degree, and they've actually explained it really well. And so, you know, the FAQs are like, you know, does this mean that the CISSP is the same as a Master's degree? And their answer is, no, RQF level 7 means that earning the CISSP is considered an educational achievement that is the same level to achieve, you know, within the CISSP.
Yeah, but you can't get worked up with facts. You have to go by a headline.
It destroys your entire argument when you start presenting facts.
Yeah, I saw one tweet where somebody was offended.
You know, it's like, really?
Oh, my God, you've got to have better things to be offended about.
Just to add some bit more colour to Jav's comparison
about getting an education in Mauritius and coming to the UK,
you'll be pleased to know that the Mauritian education system,
there's actually two types, one that aligns with the French system and one that aligns with the UK system. So they still call their GCSEs O-levels, but they also have A-levels, you know, in school.
And it's aligned with the University of Cambridge.
Just for your education, a little bit of fact about the Mauritian education system.
There you go. The French one uses the baccalaureate scheme, doesn't it?
I'll be honest, my French isn't very good, so I...
I'd say the English one is, you know, the desired system in Mauritius.
Ladies and gentlemen, our resident Mauritian expert in-house,
setting the record straight.
Exactly.
We are a multicultural podcast.
Anyway, I guess in summary, what we're saying is that ISC Squared,
we love you, we think you're awesome, and by the way, this could be you.
Host Unknown.
Sponsored by ISC Squared.
We're here.
Host Unknown, sponsored by ISC Squared.
So, for a small sum of money, ISC Squared, this could be you. You could be helping us spread your message and love... your message of love, I should say, love and equivalency.
So yeah, folks, that was my rant of the week.
Very good, I enjoyed that one.
Yeah, yeah, I did as well, I did as well. I think we brought the facts to this consumer-focused show. That's scary, and also quite intense to start things up with, so hopefully the next segment is going to be a bit more light-hearted.
Well, I'm looking at the next segment and, uh, no, it won't. So unless we can really make light of certain things... but yeah, maybe not. But yeah, we'll try and throw in a few more gags in there. You never know.
You're listening to the Host Unknown Podcast, more fun than a security vendor's briefing.
So shall we move on to the next one?
Let's do it.
Let's do it.
So Jav,
I think this is you,
isn't it?
Um,
yeah,
this is you. So what I think what we're going to go on to now is the Billy Big Balls, which just whenever I say that, I always think of you anyway, Jav.
Billy Big Balls of the Week.
So this week's Billy Big Balls, someone or something related to the industry or maybe not related to the industry, who we think has really gone above
and beyond the expectations of regular balls.
Let's put it that way.
So this week, I want to talk about Wim Reams or Wim Remes.
See, I'm not too sure.
Maybe I should ask him how he pronounces his surname.
I once heard somebody called him Vim.
And then they couldn't escape that conversation.
Yeah, exactly.
Sorry.
Hang on.
Hey.
I'll tell you what, you know what the secret of good comedy is?
Timing.
Timing.
Oh dear.
It's already light-hearted, see. And that was the segment.
Well done, Vim.
No, we want to keep it below 55 minutes this week.
So let's crack on.
2011. November 2011 was the date when Wim said,
I've had enough of ISC Squared, but I...
2011?
2011, yeah.
So he said that on August, he said,
I received a yearly email from ISC Squared where they informed me of their board elections that begin.
While I respect everyone currently slated,
I always cringe a little when I look back at yet another year
of separation
between the InfoSec community of which I'm a vocal participant and the institution ISC Squared.
I could spend another year on the sideline, or I can try and be the change that many of my online
and real-life friends are waiting for. This is my official petition to have my name added to the election ballot on November 16th.
That was back in 2011.
And I really got behind him.
I think a lot of people really got behind him.
This was like the Obama era of changes coming.
And I think he went on with great intentions, and he served like several seasons or whatever, terms, on the board, and he tried to do what he could. Because of him, many other people joined the board. So Dave Lewis joined the board, Jennifer Minella, I think Dave Kennedy possibly was there for a term or something.
So, you know, I think as a result of what he did, he inspired a lot of people to try and get up there and try to make the change.
And, you know, try to bring the organization, you know, there's this perceived separation between the community and the organization.
So let's try to bridge that gap. Let's bring a bit of transparency.
Let's bring a bit of respect, all those kinds of things.
Fast forward to today and Wim is, well, he served all of his terms.
There's term limits now, so he's no longer on there.
So nine years later, right?
Yeah, a week or so ago, he tweeted out something along the lines of,
I just resigned from the ethics board of ISC Squared.
It wasn't a personal decision, but I'm out.
I'm sorry, it had to come to this.
And then when this news broke about the, when the tweet went out about CISSP equivalent of an MSc, he said, this is FNBS, something along those lines. And, you know, in a way, I think if you invest that much time... he's probably invested more into ISC Squared than many people do into a relationship.
Yeah, so he's put more into ISC Squared than virtually every other commentator, you know, on the internet.
Right, exactly, exactly. So I think that there must be... and again, he mentioned in one of his tweets that he can't say any more because of NDAs and what have you, which is unfortunate, but I understand American organizations are very fond of their NDAs and litigation society.
Yeah, yeah, anti-disparagement and all those kinds of things.
So it's unfortunate, because I think one of the things that we all hoped when he joined was that it would bring more transparency to the organization.
But I think that the legal eagles have kind of like throttled that and, you know, the frustration comes through.
Having said that, whether you agree with him or disagree with him, I think that he has contributed a lot.
He's tried a lot. I don't think it's turned out the way he wanted it to. It's certainly not everything's turned out the way I wanted it to. But I think, Wim, this one's for you. You are this week's Billy Big Balls.
Yeah, yeah, very much so. I think, yeah, I know Wim and I respect him and like him a lot, but he is very vocal about a lot of stuff, and, you know, sometimes being that vocal is good because you're open and transparent about where you stand and stuff like that, but it can also, you know, make you a bit of a target as well. And I think he was part of some of the change we saw in ISC Squared, without a shadow of a doubt, and he's probably frustrated that more change hasn't been made. But we're talking about large global organizations here, and anybody who's worked for, you know, any company that's larger than 20, 30,000 people knows change does not come that quickly or dramatically, or very rarely comes in that way. And also, you know, small changes in direction don't always go in the way that you want, but you have to think of the long term and the bigger picture. So yeah, from my rant, I think obviously he's wrong about his opinion on the CISSP Master's equivalency argument, but that doesn't mean that I don't listen to what he says a lot of the other times.
Glad you agree.
I said, I've got nowhere to go from there.
That's sort of parallels on a smaller scale. You know, I used to work for a small company, you know, very fast-paced, you know, work hard, play hard kind of attitude that a lot of the new generation kind of decry, and I say... I've used the word decry a lot today. But, you know, so it's not healthy, you know, for companies, but yeah, you know, it's a lot of fun, as someone sort of really getting involved in a lot of things, got to wear many hats, do lots of things that you wouldn't necessarily get to do at larger organizations. And then we got acquired by this very large organization. And I remember moaning
and complaining throughout the entire process of that integration about, you know, how, you know,
we could do it so much better as a small company and, you know, X, Y, Yada, Yada, Yada.
And, you know, I complained so much. They said, well, if you think you can do a better job, then here, it's yours. And it's tough. It is really tough. You know, there's so many moving parts that you just don't consider, you know, when you're dealing with tens of thousands of people.
You know, different laws in different countries means, you know, as much as you want to take a global approach, there are always going to be nuances.
And it is slow.
You know, there's so many things I want to get done and, you know, sort of say, right,
this is the target, you know, we're going to make this difference.
Very difficult to actually implement.
You can move the dial slowly.
But I've swallowed my pride from the beginning.
I hear the same arguments from new companies that get acquired.
And it's okay.
Anything you can do to make it better, we always want to improve.
No one goes into a job thinking, right, I just want to maintain the status quo and make sure that, you know,
the same gripes keep coming in year after year.
You'd be surprised.
Well, yeah, we're not talking about council jobs, though.
You know, actual proper, you know, private companies.
But, yeah, it's difficult.
I mean, if it was that simple, then why isn't it being done?
Yeah, that's right. And it's not because of, you know, intransigence or ignorance or just, you know, people just not giving a toss.
It's because actually there is normally a bigger picture at play that you're not either privy to or not willing to see.
Exactly, exactly. And this is a problem that I see a lot in the vendor space, say, for example. So, you know, vendors, they'll put up booths at RSA and people say, oh, look at them spending all the money over there, or they'll have certain marketing campaigns, or they'll do certain things, or, you know, what have you. There's all these things, and people will complain, and they'll complain about, say, the product and how it's developed and how it's marketed and how it's done. And it's only until you actually start working for a vendor that you actually realize, well, you know, these are things that are great in an ideal world, but if you're a company that's taken, say, investment, or you have made certain commitments to shareholders, or you have got a certain, you know, number of employees you need to ensure get paid every month, then those things dictate your path a lot more than simple whims and desires of, like, oh, I wish you made this a free community edition, or what have you. So definitely there's that disconnect between understanding how the real world works or what the real challenges are to a lot of organisations.
So I think what we're saying is that, Wim, you're definitely a Billy Big Balls,
but you're wrong.
I didn't say that.
Everyone's entitled to their opinion, Mr Langford.
Wim, we love you. Come on the show, please.
We could do with some fresh blood.
Yeah, bring a translator as well
because I've struggled with your accent.
Anyway, thank you, Jav.
That was...
Billy Big Balls of the Week.
God, we're getting all serious this week.
What is going on?
Why are we...
We're pivoting from our usual utter rot. We're channeling the pitchforks.
We are, we are, we are, we are maturing before our audience's ears.
Indeed, yes, we are, yes, we are. I think it's a very odd feeling to become, you know, the source of solid, thought-out and considered opinion for our industry. But I think it's a mantle that we welcome, I think would be safe to say, right?
Yeah. So to those sponsors that said that we were a bit too immature, ha-ha, get in touch.
Yes. Yes, please.
Do you know what I think it's time for?
What?
Industry News.
I didn't mean to play that one. I meant to play this one.
Industry News.
Excellent. Let's hit the Industry News. Yeah, twice.
So, Industry News. Remote workers often not provided secure tools.
Industry News.
City index reports intrusion and potential data breach.
Industry news.
Brexit-related firm wins government contracts related to AI and data mining.
Isn't that again?
That's again.
Industry news.
As if there was only two stories in the last week.
I mean, whoever writes this stuff needs to really pull their thumb out.
Jeez, I mean, come on.
You know, we can't continue to produce this kind of high-quality content without somebody, you know, doing the background work for us.
It's like handcuffs. It's handcuffs.
I know. It is. It is.
You know, you might as well just, you know, chop my arm off.
I'm just as useful. Anyway, folks, I hope you enjoyed this week's Industry News. That is quality infotainment.
So, what else have you guys been up to this week? Let's have a little chat before we segue into our last section.
Maybe I'll tell you next week
once the lawyers say I can speak about it.
Oh, controversial.
Nice.
We know this story.
Oh, I'm so tempted to talk.
Oh.
Well, in which case, perhaps we could get an auditor update.
Ah, yeah. So this is the story of the auditor. So, you know, I wear many hats in a company that I currently work at. One of those is...
That makes me a little concerned about how many hats you actually have.
Lots. More hats.
Is your hat cupboard big enough?
Well, so I get a lot of disposable hats, which I import from China.
HMRC have cottoned onto it.
Hang on. This man seems to be wearing far too many hats.
This is... That reminds me of that story of that guy that, you know,
crossed the border from Mexico into Texas every year, every day.
You know that one, right?
Every day he'd come through, like, the pedestrian entrance with his bike
and he always had two sandbags with him.
And every time he went through the border patrol, like, you know, they'd say, right, this guy's smuggling stuff.
And they would, you know, sort of inspect what was in the bags and the sandbags, sort of sniff through.
Couldn't find anything.
You know, then, you know, they used the x-ray machines.
They had the sniffer dogs.
Every day, this guy would come on, you know, wheel across with his bike, go into the U.S. with these two sandbags.
And the border patrol agent was like, this guy is smuggling something.
I need to know what it is.
And this went on every single day for 20 years.
And then this border patrol agent was retiring.
And on the day of his retirement, he said, look, Juan,
I know you're smuggling something into the U.S. Every day you come here you've got these two sandbags. I've never been able to figure out what it is. Just tell me, it's for my own peace of mind. What is it you are smuggling into this country? And the guy says, bikes.
Yeah, the English equivalent of that is a wheelbarrow with straw in it.
Yeah, exactly.
And they go smuggling wheelbarrows.
Yeah.
Oh, dear.
But that also reminds me of this story.
This is completely true, apparently.
You know, not just some allegorical story.
Forward, forward, forward, forward, forward, forward, forward.
But completely true. So, Bristol Zoo. I don't know if anybody's been to Bristol Zoo. I live sort of fairly close to it, but there's...
Town centre on a Friday night, isn't it? Yeah, that's right, next to the nightclub. Big shout out.
That's Cardiff. That's Cardiff Zoo. But having been in Cardiff at three o'clock in the morning on the high street, my God.
But so Bristol Zoo parking is a bit of a problem and they've got, you know, strips of land for
parking, et cetera. And most of them are done with, you know, a machine and all that sort of
thing. But there's this one strip, which is really close to the zoo. And there was a guy walking
around who would, you know, give you a ticket, take your five pounds, it was good value, et cetera,
and he was doing that for some 15, 20 years.
And then one day he just wasn't there, just disappeared,
and people went to the zoo and said,
where's your parking attendant? We want to pay.
And he said, what parking attendant? He's nothing to do with us.
And so they went to the council and said, where's the parking attendant?
And they said, what parking attendant? He's nothing to do with us. Apparently it was just
some guy who, 15 years ago, set up with some tickets and some money for people to pay, and just
carried on, and then retired. Fantastic. So anyway, there's an analogy to the CISSP there somewhere,
isn't there? There is, yeah. And the equivalency.
He may not have been an official parking inspector,
but he was equivalent to a parking inspector.
Yeah.
It's like one day, it's like, where do I pay my AMFs to?
And they're going to say, what AMFs?
Yeah, yeah.
Who's (ISC)²?
So, your auditor, Andy.
Yeah. So this is the story of the guy who came in, audited, you know, one of the services that he consumed from us and was unhappy that, as per contract, we did not follow the principle of least privilege.
Um, yes. And the particular area he had concerns with was the fact that, uh, people had read access to
the System32 folder on a machine. Um, and so this has kind of been bubbling and escalating, you know,
to where it sort of threatens, um, you know, legal action for breach of contract.
And by the way, listeners, for those of you who don't have a CISSP, you do need read access to the System32 folder.
Absolutely. Yeah. If you're using Windows, yeah, it's absolutely required for the normal operation of your Windows machine.
As stated by Microsoft.
Yeah. So we got a statement from
Microsoft, uh, you know, so we have enterprise support with them. Uh, Microsoft, uh, you know,
very tactfully sort of said, look, you know, this is a required function. There is no way to disable
this natively. You know, so they're sort of saying, right, maybe there's a way of doing it, we just
don't support it. Um, yeah. So anyway, as you can imagine, escalations both sides
of the company. You know, certainly when you start threatening legal action, uh, you know, people take
it seriously. And it got onto a call where, you know, we had, uh, some pretty serious SMEs on our side,
some of the heavy hitters, you know, from the insider threat team, like, you know, pen testers,
red teamers, um, you know, contract specialists.
On their side, uh, you know, they brought in some people, um, one of whom, you know, identified himself, in his, uh, sort of intro, as someone that has worked for a lot of three-letter
agencies and is a subject matter expert on, um, you know, these environments. Which is MFI, World of Leather. Exactly, yeah.
Um, and then, uh, yes, uh, they had, you know, quite a senior executive on their side. And, um, I have to say, one of
the people in my team made a very passionate, um, sort of statement, uh, that it sort of, honestly, put
the hairs on the back of my neck up
when she kind of reeled off
the controls that were in place
across the environment, which we'd been
through many times before and
tried to pinpoint
what is the exact risk
you are concerned about.
Because that was part of the issue, wasn't it?
It was, yeah. They wouldn't really
articulate the risk, which leaves us, uh, you know, a very difficult play. And this is, you know,
besides this, one of the issues I have with a lot of, um, I guess, some pen testers. You know, they
are really good at finding problems. You know, they can pop shells, they can, you know, own boxes like no one else can. Very Trump
statement. Believe me, the best pen testers. And I know a lot of very fine people. Yeah, very fine
people. Yeah, no one knows more about pen testing than me. Um, yet sometimes they're not very good at
articulating what the actual risk of that is. You know, and that's great. So, you know, so you're sitting
here, you've got physical access to the machine, you can launch calc. Okay, great. Then what? You know,
why is this a problem, okay, other than an inconvenience that you can launch calc when
someone, you know, no one's expecting? But, um, or the fact that you have to be sat at the machine itself.
Yeah, exactly. Yeah, yeah. And all these things, when you put it in context.
I can launch calc when I'm sat at the machine itself.
And this is why you need that.
Look at me, I'm a Leap pen tester.
And this is why you need that.
There's various aspects to information security.
And I think that we all need to work together
to come up with this final end product,
whatever we're working on.
I mean, in the past, I've seen people, you know,
CISSP is absolute rubbish.
You should get the OSCP, which is great.
But what are you trying to, you know, what's your end game?
What's your goal here?
You know, there are different things for different people.
So anyway, I'm digressing. So fortunately, there was a very sensible executive on their side
who de-escalated the whole situation.
Because obviously, we're in a situation where we just could not back down from this
because this would have an operational impact on how we run our business.
And for whatever reason, you know, the assessor, the auditor, was doubling down,
quadrupling down, would not back out from this finding. Um, and fortunately, uh, you know, the
exec on their side sort of rephrased, um, you know, the narrative for the whole finding and said,
look, you know, using his years of experience across multiple environments,
you know, the auditor has found this problem.
And what this is, is more of a recommendation or, you know, a process improvement opportunity.
However, you guys know your environment better than we do.
So if you believe that all of these other controls, you know, mitigate the risks, then, you know, we will not be pursuing this as a breach of contract.
And that's not unusual.
And, you know, in this line of work, sometimes you have different voices who come in, you know, make a statement and allow everyone to walk away.
You know, sort of saving face. And then the hard part is to bite
your tongue and not sort of, you know, retaliate, and sort of just, you know, we've now got the victory,
you know, we've got the situation that, um, yeah. It's not... obviously it still came as a finding, you
know, a recommendation, but not going to be pursued. You know, ideally we
want it scrubbed, but, you know, sometimes you need to bite your tongue and say, look, let's not
open this wound again. Uh, you know, here everyone can walk away. Um, so hopefully that's brought
closure to the, uh, the issue, and I guess until next year's audit. The problem I have with
this, and I totally agree with you, it's de-escalated, it's dealt with, it's off the table now, etc., etc.
But the response itself, and I understand why their senior executive
worded it like they did, etc., but what it's still saying is,
it's a finding, we don't like it, you know your environment better than we do,
which in itself is not a great statement. Yes.
Um, therefore it's just a recommendation, which, I mean, if that's not trying to sort of, um,
give a, uh, how can I put it, allow the, uh, the original auditor to save face, I don't know what
is. You know, rather than actually saying, you're
right, this is not something that, uh, should be on here, we're going to completely
drop it entirely. Yeah. Or even, we're going to leave it as a recommendation because we have
seen it in certain environments, um, you know, but we feel your controls are sufficient, um, to mitigate
against this. Because either your controls are
sufficient or they're not. It's not a case of, you know, you know your environment more than we do. It's that it
sounds like, um... But there's lots to pick up. Yeah, lots to pick out. But it is, and this is, I think,
the hardest part of the job, um, which is why it's not for everyone. Uh, because, you know, I had a couple
of the, uh, the people sort of IM-ing me during the conversation, like, you know, why are we wasting
our time with this conversation? You know, everyone's got their opinion, but sometimes, you know, you just
have to learn to, uh, bite your tongue, um, you know, know when to walk away. I think also, like, you know,
it's it's more than saving face for the auditor,
it's saving face for the organisation as well. Yeah. It's like, if you admit that, you know,
you were completely wrong and what have you, then that could, again, especially in large
organisations where sometimes they're litigation happy, they could say, well, you know, you said
you were going to send an experienced auditor.
You've just admitted that they're not experienced
or they got it wrong and, you know,
invalidates this at the other,
or we want you to pay us back for time spent.
All those kinds of things that I'm sure run through people's minds
who actually have to foot the bills.
Yeah.
And I mean, you know, when you talk about experienced auditor,
this guy has his CIWSP.
So he's a master.
Shut up.
I'm going to cut this particular section because it undermines everything we've just been talking about.
Thanks for that, Andy.
Right.
Let's move on to another topic, shall we?
Yes, indeed.
I think we've got...
Oh, I'll tell you what we've got now.
We have...
Jav, who did you get for us this week?
This week, we mentioned her a couple of episodes ago,
Rowena Fielding, because it is...
Yay, Rowena!
Rowena, yes, everyone's favourite person on this podcast.
A friend of the podcast.
Friend of the show.
Friend of the podcast.
Friend of the show.
Friend of the show.
And so I got in touch with her and I was like, well, you know what?
It's the two-year anniversary of GDPR.
I know nothing about the impact it's had. So let me ask someone that
knows all about GDPR, someone that lives and breathes GDPR. So I went over and I said, Rowena,
two year anniversary. What difference has GDPR made? The little people.
Well, hello there. I must congratulate you on your impeccable taste in podcast guests.
So what difference has GDPR made?
I had a big long list, but I managed to cut it down to three positive differences and three negatives.
So the positives.
Businesses being directed towards actually giving a damn about the social and individual consequences of their data use.
Because apparently people will throw each other under buses quite happily unless there's a threat
of punishment for doing so. Who knew? More people know and are standing up for their data protection
rights. This is good for all of us because it's revealing how toxic the surveillance economy has
become to society and prompting calls for change. Hooray! Data protection is now starting to be
considered as a core business requirement,
like health or safety or fiscal responsibility, instead of an optional add-on. So those are the
good things. The bad things? Well, the infosec industry has done more to undermine data protection
than to assist it, by framing the GDPR as an infosec thing to cash in on it, and largely
ignoring the fairness, lawfulness and transparency principle at the foundation of the law.
Organisations are still treating data protection as a compliance matter because there's a law about it,
which leads to grudging and reactive approaches.
It's actually a quality assurance matter and a bridge between business strategy and organisational values, assuming the
organisational values include some form of don't be a git. Everyone is still obsessed with fines.
You have to screw up pretty goddamn badly to get a fine, but because the human cost of being crap
at data protection, that's the negative impacts on individuals' rights, freedoms and welfare, can't easily be
quantified, the amount and likelihood of being fined is still the risk metric that organisations
are focusing on, to the detriment of quality and values. Now, I don't want to end on a negative, so
here's another positive to wrap up with: the career opportunities in data protection have
never been better. It's much less tedious than InfoSec.
You did tell her that this was like a two-minute segment, right?
I did, yes.
And this is the point, folks, where we act like we've just listened to the audio,
but Jav neglected to send it to me.
I sent it to you on WhatsApp.
No, you didn't? Yeah, you did.
Oh, cock.
I haven't got it lined up to do.
Fix it in post.
I'll do some
magic jiggery here.
Oh, man.
What a fantastic segment there, Rowena.
Good point, well made.
Absolutely.
I particularly liked her third point.
There you go.
I've sent it to you again, Tom.
Yeah, it's too late now.
Oh, yeah, you did send it to me, didn't you?
Oh, well.
So, Jav, what are your thoughts on that particular, on what she said?
She's comprehensive.
There's nothing I can add to it.
I always agree with Rowena because I know what's good for me.
Rowena, friends of the show, thank you very much indeed.
The Little People.
I have to do a lot of work
to fix that.
Right, folks, so
we've just hit
not far
off from 50 minutes, so if we end
now, we're still going to be in credit slightly.
So, folks, I
think we're good to go. Any last points?
Well, it won't be 50
minutes once you include
Rowena's part.
Oh, damn it, yeah.
Quick, finish!
That's what she said.
So, yes.
Oh, Tweet of the Week, Andy, yes!
Tweet of the Week.
I'd completely forgotten about that.
So, Tweet
of the Week.
I mean, you know, you sent me a message before this recording saying, right, can you come up with a Tweet of the Week? Um, you know,
as you may know, I've not been prolific on social media for some time, um, predominantly because it's
a toxic wasteland of people spouting vile views and unsubstantiated
opinions which they present as facts. Um, does TikTok count as social? Absolutely not. TikTok is
the best, the best app. In case you wonder where I've been for the last, uh, 18 months, it's TikTok.
Um, so, you know, a friend of mine likened, you know, sort of scrolling through social media to walking into your living room and finding a couple of Jehovah's Witnesses sitting there, you know, you didn't invite them.
But, however, you know, I was told to find a Tweet of the Week.
And so I had to, you know, subject my eyes to some very painful crap this morning. You know, some real mind-blowing
stuff, uh, you know, from people who think the world is round, or, uh, you know, can't see the link between
5G and the rona. Um, but that being said, uh, you know, when I did find this, uh, Tweet of the Week...
5G and the what? Uh, exactly. I'm trying to save time by shortening it, right?
So it was going to be the teaser video for this new Lost CISO series, Unplugged.
No one knows more about the Lost CISO than I do.
It's a very good show.
Very fine person. Very fine person.
Very fine person.
But there was something
which was just slightly better for me
on the day.
What?
So there's a reason for it.
Obviously, the Lost CISO trailer
is looking very good,
but it's more of a,
as you say, it's a teaser, right?
This anticipates what's coming,
what's coming.
Whereas this other tweet has actually delivered something.
I like to learn at least one thing every day.
And this tweet, you know, from my cousin and friend of the show,
Quentin Taylor, has introduced a new word into my vocabulary,
which I was unaware of.
Is it decry? It's decry, yes. No,
that was my word of the day. Toilet paper. No, so it's, uh, it's actually the phrase beg bounties.
So, yeah, you know, I've not heard this term before and I absolutely love it. And so his tweet,
uh, so it starts off saying, uh, beg bounties are a scourge
that should be driven from infosec. Could you imagine the beg bounty conversation in real life?
And then he goes on to clarify that a beg bounty is someone deliberately security testing
infrastructure that isn't in scope of any bug bounty program and then asking for money for the results.
Um, and so this sort of virtual panhandling, uh, type of... I absolutely love it. So, uh, my Tweet of
the Week is, uh, Mr Taylor. That is... Congratulations, Mr Taylor. That is a good one. I do like that.
A prize of masks will be on its way to you once Andy clears it with her husband.
Once they are released by Her Majesty's Border Patrol.
I wonder if Quentin actually made that up himself or if it was something he saw. I saw it from him first.
Oh, yeah. He will forever be on mine, Theo.
Exactly. It's almost like how Jav is associated with a CI SSP video.
And, you know.
Because it's my video.
Because I'm in it.
The origins of that video and how Jav almost didn't even make it into it
because he was too busy.
It's a story for another show, I think. Are we talking about that video, that music video, or the original CISSP video? Oh, definitely the, uh, the C-I-double-S-P video. The popular one,
you mean? Yeah, exactly. Yeah, yeah. They're both popular and I love you both. Not the one where he had lots more hair.
Because actually, just as a little parting comment, folks,
Host Unknown has actually agreed on a haircut, would you believe?
We are all now shaven of head since Jav sent us a photo of himself.
I'm not shaven. It's more of a number one all over. Did you use clippers? Yes. You used clippers. There you go. Number one. Number one. Come on, you're not
that far off. Yeah, but it's not a shaven head. Let's... Yeah, you'll be a balding middle-aged man
soon, don't worry. Soon, soon. Once I get out... Actually, no, you are a balding middle-aged man. You will soon become a bald middle-aged man.
Thanks.
No worries.
And on that note, just again,
a note to our potential sponsors out there.
This could be you.
Host Unknown.
Sponsored by Insert Name Here.
Right, gentlemen, thank you very much.
Thank you for all of your contributions.
Always a pleasure.
And we shall meet up next week.
Got a few technical difficulties to deal with.
Our current podcast storage provider has run out of space, so I've got to work out what to do there. So it might be a day or so late going to the presses, but we will be there,
and we'll be back again next week. So, beautiful. Jav, thank you very much. You're welcome. And Andy,
thank you very much. Stay secure, my friends.
Indeed. Stay secure. Thank you. Javad Malik and Tom Langford. Copyright 2015, or something like that.
Insert legal agreement here
as applicable and binding
in your country of residence
We thank you
That's a really catchy
phrase you used there Andy you should use that more often