The Host Unknown Podcast - Podcast The Fifth Or Something V2
Episode Date: May 1, 2020
The fourth or fifth podcast from the incorrigible trio of Host Unknown. Dubious audio quality, dire subject matter told in a dreary way, amateur production techniques. The show Thom was trying to rem...ember? Benson. Come on! Like and bloody well subscribe!
Transcript
Can you tell him to stop banging on the door, Andy?
That's the person Jav has in his cupboard.
OK.
You're listening to the Host Unknown Podcast.
Hello and welcome to another week of the Host Unknown Podcast.
Probably about a day late as we had some scheduling problems and also doing another slightly different method to getting our jingles and stuffing
because of more technical difficulties.
So we started this about 35 minutes ago and we've literally only just started to hit record.
So hello folks. Hello Andy.
Hello Tom, how are you?
Yeah, very good. Nice, bright and sunny.
Listening to the birds singing in the background. It's very nice.
Life is good.
And hello. Yes, it is. It is. It's very good. Well, it's okay. All right. It could be better.
Jav, how are you?
I'm very good, thank you. Very good on this fine Friday.
Indeed. Indeed. I understand you're fasting today. Well, not just today, but for a while.
I am, yes. I am.
Yeah. So are you going to be in a good mood for us, though?
I'm always in a good mood, mate.
So here's what, why do they call it fasting when it goes so slow?
Yeah, what is the etymology of fasting?
That would be an interesting one to follow up.
We need someone educated like Graham Cluley to tell us. Friends of the show, folks.
Yeah, very odd one. Very odd one. So there's...
How's the week's been... rather, how's the week been for you folks? Gone fast, gone slow, or is it just a series of yesterdays, todays and tomorrows?
I mean, to me it's not been too much different. I know a lot of people are obviously without the travel and not changing time zones, but otherwise it's been busy, which I don't think everyone's been experiencing, judging by the activity on WhatsApp and other social media.
Yeah, we do tend to get your WhatsApp messages in a little bit of a flurry.
Yes, in between meetings, I shall add.
Yeah, yeah. And we also know when you're on a really long boring meeting, because then you won't shut up and the memes flow. They flow like water. So basically this is end user behavioural analytics.
That's exactly what it is.
Yeah, yeah. What we need is a little agent that will monitor Andy's WhatsApp, and I bet we could establish his schedule to a tee.
Did you say little agent or a little agent?
Whichever's cheaper.
The agent's always going to be cheaper.
Oh, man. Folks,
we don't go in for that sort of thing, Jav. Consider yourself reprimanded.
Consider myself reprimanded.
What?
Whatever.
So, have we got some stuff for you this week? That's a genuine question for you gents.
I think we're going to try and make it a little bit shorter. Well, definitely shorter, but maybe chuck in a bit of infosec relevance into some of these conversations.
Indeed, indeed. I think last week we said we wanted to make the podcast shorter and it turned out to be 90 seconds shorter.
Well, we did not lie.
No, we delivered.
So the dashboard on Mr. CISO showed green.
Exactly.
Although the problem was I missed out a two minute segment that should have been included. Our astute listeners may have noticed that when we cut to something and then cut straight back out and then started talking about it, it didn't work very well. So technically we would have been over, but yeah, dashboard is green, because nobody reported anything.
I don't think anybody actually listened to it.
No. This reminds me of this time I was working for a large multinational organization and they rolled out this identity access management system. It's meant to do automatic provisioning and deprovisioning and all that kind of stuff. And because it was a global organization, like a lot of global organizations, they grew over a series of acquisitions over the years, so the naming convention across different domains for users was not consistent. So what happened is that if, say, a Tom Langford was working in the UK and left, if there was a Tom Langford with the same naming convention anywhere globally, they would deprovision all of them as well. And so after a while they turned off the system, just for troubleshooting, but the contractor that was the expert with that product, his contract then came to an end, so he left. And it was about nine months later that someone said, oh, what's up, you know, someone queried it, and no one had noticed that the actual system had been turned off. No one cared, no one was aware. And it cost, like, you know, several million over two years to implement it.
Oh, man.
And that's the beauty, is that sometimes in large companies you just have to continue to take that... you are so far committed on a project with so much money spent that you just need to keep going.
Sounds like government.
Yes. Yeah, cancelling a project is more expensive than actually carrying on with it, possibly.
Not good. I just hope that someone's bringing that innovation to the company to figure out a way forward.
I remember a similar kind of situation when I was an IT administrator many moons ago on NT4 and Exchange. I think at that point it was 5. And we had a leaver, I think his name was something like Richard Erkhart or something like that, and we also had a Richard Erskine. And so I highlighted what I thought was Richard Erkhart to remove his account and disable his mail and all that sort of stuff, because I backed it up on tape and it was all sorted. I'd actually deleted the wrong user, who was sat about 20 feet away from me, was a senior director in the company. And as soon as I hit delete I realised what I'd done and thought, right, damage control. So I ran over to him just as he started looking at his laptop like, what the hell's going on, my mail's gone. And I said, Richard, Richard, there's been a problem and your account has been removed somehow, but it's okay, I've got it, I'm restoring it from tape right now and you should be back up and running in about an hour. You'll only have missed, you know, this morning's emails and they'll probably be still, you know, stored somewhere.
Oh, Tom, thank you so much, thank you. Oh, that's a lifesaver.
So Richard Erskine, if you're listening, Dr Richard Erskine, if you're listening, sorry, that was me.
It's all about how you manage it.
I mean, it is, yeah. I've done similar. I don't want to use the word f up, but you know, I've... So back in the day, do you remember the software called ISS, like Internet Security Scanner?
Oh yeah.
And I was working for a large multinational company which begins with an E, I won't mention it, but it is a credit reference agency. So this was late 90s, you know, early 2000s, and I got a copy of this ISS because I was a security guy and I knew exactly what I was doing. It's basically a point-and-click tool, so I installed it on my machine, obviously domain admin, full access to every network. I just put, like, auto... you know, I can't remember what it's called, but the equivalent of, like, the autopwn option, and just set it across the entire network. And I'm sitting there, like, watching this thing running, and, like, all the phones are ringing in the background, like all my colleagues, and they're like, what? What do you mean? Huh? Locked out? Okay. You know, just constant ringing, everyone saying can't do anything. Oh, and it took a good sort of, like, you know, three minutes before I realised it was me that was locking out everyone's accounts, trying to brute force them. And there was some SCO Unix box that we had that was ancient and it was never touched because everyone was worried it would break if anyone touched it. And I killed it, literally killed it, with the auto exploits that it had. Yeah, good times. And I still didn't get fired after that. That was a good lesson.
but did you fess up? Absolutely not. No.
I just slowly picked up the phone and joined in with everyone else.
I was like, what, locked out?
And later that day, there was a small fire of a computer in the car park.
Exactly.
No, I told my boss. I was like, uh-oh, I may have been part of a series of events that occurred that day.
A series of unfortunate events.
Good side, but you live and learn. I mean, you don't get away with that stuff these days. You've got to understand, back then, late 90s, we were all still learning the trade, sort of, you know, hands-on security, as opposed to now, a discipline.
We're all experts now. We're experts at covering our ass.
Yeah, I wouldn't go that far, but it's definitely more a defined discipline these days, whereas back then obviously security was traditionally, you know, firewalls were part of the IT team, you know, and it was just the job of the IT guy, you know, and the vulnerability scanning was a whole new concept for us.
Yeah, well, speaking of, like, money that is sunk into projects that don't work but it's too expensive to cancel, maybe one you're going to talk about... our videos here?
This bloody podcast. Yeah, you know how much I spent on this podcast?
That's exactly what I was going to bring up, Tom.
Sure, we could do with a sponsor.
Sponsor? You're absolutely right. I've got something here for that. Hang on.
Host Unknown, sponsored by... insert name here.
That could be you, folks.
All of you people who have money in your pocket at this moment.
All you people who don't have cash flow problems because of the Rona right now.
That could be you on the end of that jingle.
You're not trying to get down with the kids, are you?
No.
That just sounded so bad.
Yeah, that did not flow.
What?
I'm just asking for sponsors.
I'm thinking of that Steve Buscemi meme, you know, where he's got the skateboard and the cap on.
I'm sorry, Andy, the who?
Who was that?
Go on.
The Steve who?
Go on.
Criticise my pronunciation of his name.
Whose name?
Sorry.
You do know.
Hold on.
Hold on.
Tom, this is really insensitive.
So many of you don't know that Andy's had a speech impediment since the age of six.
And he took him years off therapy to overcome it.
To overcome his inability to say Steve Buscemi.
Buscemi. Steve Buscemi. Come on, you can't try and own me and then say that. Are you picking on that because you don't know which meme I'm talking about?
I do. How's it hanging, kids? Or whatever it is, Mr Trump. How, how, how are we doing, my fellow kids?
I can pronounce names. I can pronounce names better than anyone. My pronunciation of names, everybody says so.
All right, I'm going to change the subject right now, before we have to go on and say more about Mr Buscemi.
Jav, we've got one. Let's jump in on the one that we missed last week.
The Little People.
Yes, so The Little People.
It's a segment where we bring to light people who are underrepresented, who no one knows about, the unsung heroes, if you will, of the industry, or the unsung foot soldiers in many cases.
This week, well, actually last week, we got this person on, but there was a few legal concerns, so we had to restructure Host Unknown. And now, yeah, good luck trying to sue the Canary. But yeah.
And Jav, because he's not a director anymore.
Yes, never was. I'm just a perpetual guest on this show.
Yeah, so talking to the technical duty last week... Last week did, um, legal issues... did Carol ever call you back?
No, she just messaged me saying, stop harassing me.
We thought she was a friend of the show, you know, her and Graham.
They should be, you know, we are the spiritual parents of their podcast after all.
This is true.
This is true.
So anyway, who's your little person this week?
My little person this time is a little person who works in a very little company. So the company is called Canon. They make cameras and printers and things like that.
You might not have heard of them. And he's their European CISO.
So his name is Quentin Taylor.
Never heard of him.
Never heard of him. A good thing I pronounce it.
I mean, like if Andy was reading, he would say, who's this Hugh N. Tyne?
I would have said Quentin.
Yeah.
Yeah.
Quentin Toyilla.
Yeah.
And he was very...
Buscemi.
Yeah.
He was very kind.
Sure, it's not Taylor.
Quentin Taylor.
So Mr. Taylor kindly joined us to share some of his thoughts on security, actual security and remote working during the times of the Rona.
Hi, Jav. Yeah, just to answer your question about the biggest challenge facing my business at the moment in time, I suppose it's how to keep people being productive at home, how to keep them safe, and how to keep them able to be able to work. Because every little extra control that you put in place adds a burden, and that burden takes away time that they've got to be able to spend on being productive and making money for the company. And it's about making sure that people understand that they're not working from home, they're working at home at the moment. So normally when you're working from home, it's just you there. You don't have the added pressures of having your children around, of having to go out shopping and taking a long time to go out shopping because of the lockdown restrictions. You don't have all the demands on your time that you may have when you've got office space and office time to clear your head. So it's about making sure you keep your spirits up as well as make sure that they can actually work safely. That means really making sure you drill into them: lock their laptop so their children don't start using their computer; if they print anything really super confidential, making sure they don't just throw it out in the household rubbish and they do actually shred it, or if they can't shred it, burn it, and if they can't burn it, store it until they can bring it back into the office to get it disposed of. And one of the things that really worries me at the moment is making sure you keep a posture so that you can deal with incidents. And we've seen incidents at the moment online. You've seen the whole thing with the Portuguese energy company with the outsourcer, and obviously with Travelex, I think even you blogged about the other day. And it's about making sure that whilst your entire workforce is distributed, for many companies this is a brand new time with their entire workforce distributed, how is it that we react and respond to incidents? How do we do forensics? How do we do machine rebuilds? How do we do these things where our users may not, due to legal restriction, be able to bring their machine to the office or bring their machine to somewhere, and we're having to rely upon the postal services? So that's obviously a bit of a worry. And the last thing is that confidential project that we were chatting about the other day... hang on a second, are you recording this?
Interesting. So Jav, did he not know that you were recording him? Are you surreptitiously recording people at the moment?
I thought it was just known. I thought it was a given.
You mean you're recording this?
Well, to be fair, someone needs to, because you're struggling.
I am.
It would be handy if somebody could.
Yeah.
I need some backup on this.
Very good.
But yeah, this whole working from home thing is really, it's a bit of a challenge. Lots of people, in fact, I think we mentioned it a few weeks back, but lots of people really having to go through a bit of a cultural shift to actually be able to engage properly with the business. I've noticed myself on, you know, all the video conferences how people started with, if not wearing ties, then certainly collared shirts, and now it's just t-shirts and, you know, hair down to their ankles and all that sort of thing. It's quite interesting. And I even had a call yesterday with somebody while his kids were fighting in the background.
But I should suggest, Tom, if you have hair down to your ankles, you need to manscape.
Yeah, I always forget.
Oh dear.
Cut that out. Yeah, maybe, maybe not. But I am one of those people that has been... well, I wouldn't say I was wearing shirts in the first place, but I've gone from polo shirts to just regular t-shirts, yeah, depending on the day, to just clothes on the top half.
I mean, I've always done that anyway, and that's the one in the office, yeah. The tube journey's horrendous, but once you're at the desk it's fine.
Yeah, so no one got the memo, right? No pants Monday. You guys didn't get the memo? No pants Wednesday.
What an American thing to say, pants.
No, he's talking about his underpants.
Okay, that's all right then.
Right, what the?
Why would I switch to American all of a sudden?
That's just.
I know, I know.
That's the sort of thing that meme would happen,
you know, with Steve Buscemi,
he would kind of switch like that.
And it's like Microsoft Word at the moment.
You don't know how many times you change it to English, British English.
He falls back to American English and starts underlining words every now and then.
And weird pronunciations and everything.
Yeah, exactly.
Do you know what?
I reckon let's really continue this Infosec theme. Let's do some industry
news shall we? Because I think we've got some great stories to talk about. In fact we've
got one each. So yeah, let's do some industry news.
Industry news.
So GCHQ has been granted access to NHS data as privacy concerns continue.
Industry News
Blockchain startups move from coin offerings to investment for funding.
Industry News
Cyber security pros see roles and duties change due to hashtag COVID.
Industry news.
Industry news.
So, folks, there you go. You can't get much more content than that, and that was our industry news.
Smashing it this week, boys. I think that's a good segment.
Yeah, so one, I'll tell you what, you know that last headline that you touched on there about cyber security professionals seeing their job roles change? Certainly seen a lot of that, you know, within the company.
We're actually discussing the industry news, are we?
Well, we don't have... it actually just made me think about how, yeah, it has actually changed. Yeah, sorry. A lot more remote work, you know, we've obviously got teams that go out, do a lot of assessing, you know, third-party supply chain assurance, that kind of stuff. You know, this stuff can't stop just because, you know, we can't travel, so there's a lot more remote assessments. Certainly, you know, I'm seeing the end of that. But, you know, I actually just got bored talking about it.
Industry news.
There we go.
That's the quality news that you pay for, especially if you... Host Unknown, sponsored by insert name here. There you go. You could be paying for that kind of content.
So let's move on to the second half of the show, shall we?
Sounds good. Yeah.
So one of the things we often talk about is the Billy Big Balls. And this can be anything, like a person or a company or a thing. And the key thing about it is something, someone, somebody who has really overtly heavy influence over our industry.
Now, normally we only do three segments, but Jav felt he'd like to make a little mini shout out for a...
Billy Big Balls of the Week. So, Jav, who have you got?
I've got the town of Wuhan.
Oh, here we go.
Now, I know what you're thinking.
I don't think you do.
I really don't think you do.
So, this does have a security tie-in as well, and it's quite relevant to supply chain, but not in the way you think. So Wuhan made the news because it's the epicenter of the global outbreak, allegedly.
Okay, nice sound effects there. You got your Christmas song?
I'm on mute.
No you're not.
All I can hear is a crick, crick, crick, crick, crick.
Are you tucking into some snackage there, Tom?
I've got a bit of a cough.
Seriously, I've got a bit of a cough so I'm having some snackage.
I thought I'd muted.
He's just bored.
As soon as I started talking, like, you know, crunch crunch.
Okay, it's nap time.
You hear the drilling in the background as he's doing his DIY.
Sorry, Jav. I'm intrigued. Do go on.
But what I only found out this week is Wuhan is also one of the major global suppliers of methamphetamine and fentanyl.
Sorry, what's it? How's it pronounced, Jav?
It's pronounced fentanyl.
Fentanyl.
Yeah, so I only heard...
Fentanyl. See, Walter White never said that word. He always said methamphetamines. I know how to say that.
So they actually produce the raw drugs synthetically to make these narcotics, and they're one of the major suppliers to, like, the Mexican cartels.
So how do you measure this? I mean, it's not like they publish annual statements, financial reports, you know, our biggest client is the Mexican cartel, you know, this year we shifted...
Well, there has been a lot of chatter on their forums and stuff. And also, surely the Mafia don't get that big without being organised, so there's going to be invoices and paperwork, right?
Yeah, yeah.
So what has happened is that on the forums...
But who's auditing them?
It's not like the big four are going in there.
It's not like, hey, we're the auditors from PWC. We're here to check. Maybe they are,
but they can't
under professional disclosure
clauses. I don't know. No, no. They're far
too incompetent. They'd be bankrupt if it was any
of the big four.
Hey, Mafia guys,
if you need anybody to help with your security
risk assessments,
TL2 Security is available for work
right now. Are you changing your name
to Saul Goodman soon?
Yeah, the company with no morals.
And so the prices have risen in Mexico between 25 to 400 percent. So I think for a pound of meth it used to be something like a hundred dollars and that's gone up to about six hundred dollars. And what's driving this price increase?
I mean, that's... and also, well, it's four hundred percent of one hundred dollars, four hundred dollars. It's between that. I mean, that was like so different. So I'm doing this podcast with people who can't pronounce stuff and can't do sums.
Make America great again, boys.
So you're going to tell me that they... you know, they... you're going to be able to do five million tests in a day soon. Why not? Why not aim for the stars?
Yeah, I never did like that Steve Buscemi and George Clooney.
So actually, what you said is the Rona has affected all stratas of society,
not just the rich and famous in their 12-bedroom mansions.
No, they're rich and famous in their 12-bedroom mansions.
It's all their workers that are getting furloughed.
And if you're in the Mexican cartel...
And can't afford their meth.
Yeah, yeah.
If you're in the Mexican cartel and you're getting furloughed, that means a whole other problem.
Yeah, that's right, you get to retain 80% of your body parts.
That's fascinating. How does Wuhan produce that much methamphetamine under the, well, obviously not under the radar if you know about it. But do you know what I mean, how can it produce that much?
Well, it produces the synthetic raw ingredients for it, which are legal to transport.
Oh, what, on long trains that can be intercepted?
Yeah, on planes and stuff. Yeah, because they're used for other... those chemicals are used, and there's a whole... so yeah, for the whole synthetic, um, oh, what do they, you know, what to take addicts off it, to help them get off it?
Yeah, substitutes. Yeah, methadone.
Methadone, yeah, yeah, yeah. So because the Chinese make it so cheaply and quickly...
Of course.
So the Mexican cartels just say, okay, just ship it over to us, and then they just have to, whatever, cut it, dilute it, I don't know what they do. Honestly, honestly, I don't. And they're ready to go. So on the forums, actually, it was posted a few months ago that we're in lockdown, we're not producing anything at the moment because we're all at home. And then it slowly started to trickle back because a lot of the Wuhanese entrepreneurs have started making it in their houses.
So are folks like, you know, El Chapo and, you know, all the drug kingpins, are they sending out sort of uplifting messages from their gold-plated mansions about, you know, stay strong, my friends, the shortages and the price rises will stop soon, keep strong, we're here for you, that sort of thing? You know, I'm guessing it's like a subculture of our lives, right? And they're basically holding town halls with their frontline methodices.
Yeah, absolutely. Except when everybody applauds, they just shoot guns into the air.
It's, yeah, it's like... or is that a Greek wedding? I can't remember, one or the other.
You better hope the corona kills you before I get there.
That's not a very uplifting message. No, and it's also very Indian sounding.
I think they've got an Indian middleman there.
Frankly, I thought he was Welsh.
Tom Jones.
Good. Okay. Fascinating.
That was surprisingly very
interesting.
Billy Big Balls of the Week.
Thank you, Wuhan.
So we're drawing to a close.
We've got another couple of things to talk about.
I know Andy is absolutely champing at the bit to talk about his rant of the week.
I mean, we've seen the raw, unedited version of this and it's not pretty, so I'm going to be intrigued to see how he sanitises this for public consumption. But before we go on to that, I think we're going to move on...
Tweet of the week!
Now, if we had a sponsor, I might have re-edited that to be Tweets of the Week,
because this is about the number of tweets that are going around at the moment,
which is basically, you know, tag your five favourite artists or directors or albums or whatever,
and then also tag five other people to add theirs.
And, you know, it's just kind of, you know, kind of endearing at first.
I think I tagged my five favourite films and then tagged five people, but then very quickly found out that all five responded and said,
oh, I've already done mine in another chain.
So that was a bit annoying. And there's another one now which is your five favourite 90s albums. I don't remember much of the 90s. And six tags, so great. So, you know, I try and look at that one, I've got to try and remember, you know, 90s albums, and let's face it, the 90s wasn't great for music, and six friends.
And again, I'm going to have to call you out on that one. That's a factually inaccurate statement.
That, you know, the 70s was way better than the 90s.
No, I'm going to have to disagree with you on that one, I'm afraid.
Look, just because you weren't there...
Well, there's that. But I'll refer to Mr Dr. Dre dropped The Chronic in 1992.
Oh, God.
You and Jav always with the rap stuff.
How could you forget about Dre?
Exactly.
Nowadays, everybody want to talk like they got something to say.
But nothing comes out with it.
It's so much Langford.
Do you see what I have to work with here?
I didn't want to do a rap song last year.
For a start, I knew the lyrics wouldn't flow.
And secondly, as you can probably gather when you look at that video, I can't rap at all. Now give me a big band, give me a Bowie song, Life on Mars, let's try and do something like Life on Mars. Yeah, I can croon that one out like the best of them. Anyway, we're moving off topic here.
No, no, no, hold on, hold on. There was Snoop Dogg's Doggystyle came out that year in the 90s, as did Tupac and Biggie. I mean, just between those four, like, you've got probably one of the... Biggie Smalls, yeah, you've got the biggest era of music ever. I mean, and that's... no, I'm sorry, was that Biggie Smalls? It is, yeah, yeah, the most confusingly named music star ever. The Notorious... choose one or the other, you can't be both, my friend.
Why not both? That's a meme as well.
But then Nirvana, Pulp, Oasis.
Oh yeah.
Yeah, they're good, but as a decade it wasn't the greatest.
I have to strongly disagree with you on that one Mr Langford.
Tom, you're wrong.
R.E.M.? No.
Oh, yeah, well, I rest my bloody case.
Bloody miserable.
Unbelievable.
There's some good stuff there.
Don't get me wrong.
There's some good stuff.
But really, 90s of all the decades we could have picked? So, I'll tell you, why don't we put a league table together? You pick your albums from the 70s, I'll pick albums from the 90s, and we put up one album against each other and then put it to a poll, and the winner goes through to each round and we'll see who's left at the end.
Yeah, I'll let you update the website for that.
Anyway, so these are just chain mails at the end of the day. These are all chain tweets, and they're lovely and they're interesting, they do make you think about a few things. But yeah, really, I think, and we all need a distraction, but all it does is reinforce the fact that everybody's already responded to one of these before me, and I seem to get tagged last. So I think that's probably why it's my tweet of the week and why I'm not actually very in favour of it.
Sounds more like a rant of the week to me.
Yeah, exactly. Hey, look, you know how much we research these topics and how much time we have to invest in actually talking about it. So you'll understand why this one could easily have been confused as a rant of the week.
So, anyway, that was...
Tweet of the Week.
So, folks, what Tom's saying is tag him early, tag him often,
so when he tags people, he doesn't feel left out.
Thank you, Jav.
Was that much to ask?
No, it wasn't.
So he feels like Steve with Jemmy.
He feels like one of the cool kids.
Hello, fellow teenagers.
Oh, dear.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
I think we can agree on that.
Absolutely.
Yeah.
Very good.
So Andy, we've reached that point now.
It is time.
The letdown point.
The anticlimax.
We've reached the anticlimax.
It's your turn to take centre stage and to bring everybody down
because we're now going to go to, well, we're now going to go to...
Rant of the Week.
Okay, so this week's Rant of the week, as you may or may not know,
I spend a lot of, well, I mean, I take the credit for it.
I have a fantastic team of people who are front auditors and assessors
who want to come in and basically get assurance that our security controls are in a position
that they would feel comfortable either taking our services or sharing data with us.
And I think we're pretty good.
We allow a lot of access.
We allow people to come on site, do a lot of testing.
And just prior to the lockdown, one of the last on-site audits that we had obviously now we switched to a lot more virtual audits we had an assessor come in who um you know i shall not name
the company or the assessor um and so there's different types of assessors that you come across
you know some just understand everything you know assessors or auditors depending on you know their
experience background what they're looking for um some just get it, you know, they're pragmatic, they understand risk management, they understand
compensating controls, mitigating controls, etc. And some are just tick box auditors, you know,
and a little knowledge can be a dangerous thing. And, you know, we're currently at an impasse with
a particular auditor who believes that, you know, we have what they consider a serious security issue that they are looking for us to remediate.
And however, we are of the opinion that it's not the serious issue that they believe it to be. And I'm not talking about one of these situations where the auditors came on site in order for us to prove that our diesel generators
would kick in, switch off the power to the data center to prove it because that's the only way
to evidence it. This auditor has listed a finding that users have access to the system32 folder on a Windows
machine.
Read access mind, not, you know, right.
They have read access to the system32 folder, but they can't qualify the risk of having that, you know, which is something, you know, we're always keen to understand, you know, if we receive a finding: what's the actual risk here? Because maybe we can satisfy you or give you assurances in another way.
But no, the risk is that, you know, there are security settings that can be identified through the executables and logs which are found within the system32 folder, and as such, the company considers these a risk.
And a very Trump-esque sort of follow up with,
there are literally tens of thousands of files
within system 32, so it's impossible to remove the risk
on an individual basis.
And that's pretty much where we're at.
So he acknowledges that you can't remove access to tens of thousands of files, so therefore you have to remove access to the system32 folder.
Yes.
The system32 folder that allows your computer and the user to operate. If you know Windows, you need it to operate. And we have a statement from Microsoft saying, look guys, this is not something we can do natively. Basically, if you want to remove access to the system32 folder, you're on your own.
Has he... have you, have you actually demonstrated, perhaps, you know, with a virtual machine, say, in a screen share, like, okay, I'm removing read access to system32.
Let's reboot and see what happens.
Not interested.
Absolutely not interested at all.
The only remediation they have and what they consider is that they need just to prevent access to the system 32 folder.
Or, at the very minimum, evidence that people only have access to the files that they need
that is their compromise.
Has he, has he shown how that could be achieved?
No, that's not his problem.
So he doesn't know how it can be achieved.
And so the whole, the whole, you know, thing they're pointing to is that contractually we are obliged to provide a service where any user supporting that service follows a principle of least privilege, and in his opinion having read access to the whole system32 folder is not the principle of least privilege.
No, if, if you had read and write access to that folder, I would tend, you know, it's a, you know, I would agree.
Therefore, you create least privilege and it's just read access so that you can execute stuff and do things in Windows.
It's a very technical term, I know, but that's, you know, as an assessor and an auditor, you know, risk,
I like to think of myself as knowing a little bit about risk.
Risk management professional? Yeah, real
world scenarios and all that sort of thing.
The guy's a fucking idiot.
Well, I mean, you said that, I didn't.
No, absolutely. Obviously we respect our
clients and we are working hard
to give them the assurances
that we are managing their data in a manner that is appropriate.
This is just ridiculous. I mean, I thought auditors like this died in the early 2000s. I remember, it reminds me of this...
It's all right, though, this level of stupidity means he'll be dead of the rona soon.
Yeah, you know, there was something on a forum many years ago and it became a big thing.
It was like this guy, he said that the auditor wants his password hashes so he can run a cracking tool against it to see...
Oh, that's right.
Oh, that was a QSA, wasn't it?
Yes.
Yeah, I remember that.
Yeah, so is it the same guy? Do you know what? That would be fascinating to find out, wouldn't it?
Well, I don't think the guy ever named the assessor, did he? I think it was quite professional in that manner.
Yeah, yeah, much like I will not name the company nor the auditor either.
No, but, you know, so Dave, your secret's safe.
Yeah. Obviously, in this industry, I know we focus a lot on the cool stuff,
the hacks, the pen tests, the exploits,
the really elite ways of privilege escalation, lateral movement.
But security is a diverse field,
and unfortunately there are people that have to sit the other side of the table
and demonstrate that all of these things, you know, don't happen.
But this guy is really... or lady, you know, not necessarily stating it's a guy. Sorry, Davina, I meant Davina, not Dave.
Yeah. But this, yeah, it's a very frustrating time this week for me to deal with auditors that just do not know how to apply logic to risks.
So speaking of principle of least privilege,
you know there are some keys on the keyboard
that are hardly ever used or never really used.
Is he asking to pop them out
so that people don't accidentally like
hit those keys, you know, like the weird one with the two S's interlocked on it and the plus-minus on it and weird stuff.
So that two S's is actually one of the characters in my password, so I need that.
Yeah, it's called a syrenthesis, did you not know that?
Oh, see, had you said a siren assist... Yeah, exactly. I wouldn't know exactly what you were talking about.
Are you French or something, Tom?
No, actually I just made it up and said it with conviction
Much like this auditor
So both of you have the SS in your passwords
Yeah, it's the SS on your passwords. Okay, yeah, yeah, it's the SS in pass... Oh, sorry, hang on, not ready. Hold on, just... Do you want to go for it again?
Yeah, so in, that is my rant of the week.
One job, Tom, one job.
I tell you, you couldn't pay for this level of production.
Well, you could if you were the sponsor.
Yeah.
Yes.
Oh, God, no.
Tom has died, unfortunately, ladies and gentlemen. Tom's got the rona. He got him just for calling it that.
Well, go on without me, the rona's got me.
Well, moving on without Tom now. That was unfortunate. We now be interesting... We now have a vacancy for an old white person to seamlessly take over.
Jack Daniel.
No, like, I was going to say, what was the aunt's name in Fresh Prince who they changed midway through?
Aunt Viv.
Aunt Viv, that's the one.
Aunt Viv.
Sorry, Tom, probably a bit late in the day for you.
You know, to appreciate that.
Tom, I mean, there's Aunt Viv. Yeah. What was the name of that show? Cagney and Lacey? Different Strokes, with the butler. The butler... Mr Belvedere? No, that's Fresh Prince, isn't it?
Geoffrey was about doing the Fresh Prince. Oh, Geoffrey,
that's right. Oh,
God, I'll think of it in time for next
week's show, if nothing else, but I remember watching
that show with the...
Anyway, it doesn't
matter. God, the coughing
fit has got to me. Folks, I think we've reached
the end.
So, and we're still well, not well under, we're about sort of 42 minutes, plus Quentin's thing. So, sorry, Quentin's thing, that's about 44.
So yeah, we're still under, we're still under. So folks, anything, anything else you'd like to say in closing?
No, have a good week, guys. Have fun.
Indeed, hope you enjoyed it
and see you next time
Stay secure. And produced by Andrew Agnes, Javad Malik and Tom Langford. Copyright 2015.
Or something like that.
Insert legal agreement here as applicable and binding in your country of residence.
We thank you.
And we're out.
Marvellous.
Excellent. Good one.
It flows better when we've got...
It does.
Yeah.
It does.
I'll continue to work it out.