The Host Unknown Podcast - Episode 107 - Rewarding The Bad Bad Man
Episode Date: June 10, 2022

This week in InfoSec (06:06)
With content liberated from the "today in infosec" twitter account and further afield

3rd June 1983: The science fiction film WarGames is released. Notable for bringing the hacking phenomena to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film's NORAD set is the most expensive ever built at the time at a cost of $1 million. Not widely known is that the movie studio provided the film's star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film's arcade scenes.

9th June 1993: The motion picture Jurassic Park premieres in Washington D.C. The highest grossing film in history at the time, the contributions of Jurassic Park to the field of special effects is perhaps as important as the original Star Wars movie 16 years prior.

Rant of the Week (15:55)
Why Netflix isn't the Only One Bummed About Password Sharing
Password sharing is commonplace. Even if you put aside the obvious problems that password sharing creates for Netflix, Netflix password sharing may only be a symptom of a more serious problem. The Netflix password sharing trend has conditioned people to accept the idea that it is OK to share passwords with one another if there is a good reason for doing so.

Billy Big Balls of the Week
Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups
"One thing that the Ukrainians have taught us so well – and they certainly have had eight years of practice and suffered from Russian cyber operations – is the importance of resiliency," Alperovitch said. "The reality is that a number of these Russian attacks are successful."
The Russians have seen success worldwide penetrating networks and dropping malware, he added. "However, the Ukrainians are able to rebuild the networks within hours," Alperovitch said.

Industry News (30:45)
Gloucester Council IT Systems Still Not Fully Operational Six Months After Cyber-Attack
New Linux Malware Symbiote is "Nearly Impossible to Detect"
Cyber-Attack Surface "Spiralling Out of Control"
Evil Corp Hacker Group Changes Ransomware Tactics to Evade US Sanctions
Twitter Set to Agree to Elon Musk Request For Data on Fake Accounts
Social Care Organizations Get Cybersecurity Boost
US and Euro Police Smash Cybercrime Marketplace
Ransomware Pressure Forces UK CISOs to Consider Quitting
CISA Reveal Chinese Hackers Tactics Targeting US Telecoms and Network Service Providers

Tweet of the Week (38:30)
https://twitter.com/kevinslaten/status/1534109273281597441?s=24&t=Ad3rQTRKuGYQNxSe3aplHg
https://twitter.com/quentynblog/status/1534125293526474753?s=20

Come on! Like and bloody well subscribe!
Transcript
Are we going to talk about Andy's bushes?
Yes.
Yeah.
Good.
Because from what I can make out of the photos he sent,
it really does need a trim.
Does it make the garden look bigger, though?
It does, obviously.
Make his house look bigger, maybe, but...
Oh, dear.
So now the house is overshadowing.
Is someone unwrapping a sweet?
Because I can hear...
Yeah, that's Andy.
That's me.
That's Andy.
For goodness sake.
I'm not...
We try and do a quality intro
and this is what we get.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
And welcome to this very special episode, episode 107 of the Host Unknown podcast.
Very special because we have a special guest on who's only going to be with us for the next 15 minutes, which is Andy.
GFY.
Andy is going to do a Piers Morgan and just storm out midway through the show.
GFY stands for Go Frick Yourself. And depending on... Go frick yourself.
Yeah, depending on how quickly his meeting goes, he might be back for the end part.
We don't know.
Yeah, I'm sure I will actually.
You know, the way that you guys go, I'm surprised that, yeah, there's a very good chance I'll
be back at the end for Tweet of the Week.
I've always been accused of going long.
Jav, how are we this week? Good, good. So I'll tell you, yesterday my technology failed me.
So I'm not an Apple person like you, Tom. I'm a Samsung person, so I've got a Samsung
phone and the watch that goes with it. I'm really sorry, sorry Joe. And what used, there's been an update to the
software, so what used to happen if I put my phone on mute or do not disturb, it would automatically
synchronize with the watch, and if I've done it on the watch it would synchronize with the phone.
This new update somehow now has broken that, so now if you mute your phone it doesn't mute
your watch, and I found
this out yesterday as I was presenting, virtually might I add, thankfully, at the sixth annual Cyber
Physical Convergence Forum, and apparently one of Andy's friends was there attending and he told
Andy, oh, Jav's presenting. So my phone was on mute, but my watch started beeping at me.
And I was frantically trying to present, control my slides,
and like, shut up, shut up.
And I had to glance at it, and it's like,
good old Andy's name was showing up.
And I was like, with friends like this, who needs enemies?
Andy texted me to say, Jav's presenting.
Let's get in.
And I literally was just walking
into the doctor's surgery. Otherwise,
there'd have been more phone calls.
Yeah. I was like,
he keeps rejecting my calls. What's going on?
Oh, man. Oh, dear.
Classics. They never die, those
gags. They never get old.
No, they don't, do they?
No.
So, Andy, what about you?
Did you manage to get through to any of your friends this week?
No, I don't have many friends, sadly.
That's surprising.
No, I was just trying to actually think logically which microphone was plugged in.
If you could hear that wrapper, it must be this microphone that I'm heading towards.
You mean the wrong one?
No, it is the right one, I hope.
But I guess we'll find out in post, right?
That's the beauty of this show.
Even we don't know what it's going to come out like at the end.
No, even I don't know, and I'm the one who edits it.
I have no clue.
How was your week?
Did you get your tummy tucked down all right after the surgery yesterday?
No, he said I'd had cowboys in and out.
He's going to have to do a full reconstruction.
How many cowboys have you had in and out of you, Tom?
Sorry, say again?
How many cowboys have you had in and out of you?
Yee-haw.
As many as is legally required.
Round them up, partner.
Oh, dear.
No, it's been a busy week.
It's been a busy week.
It's going to be a busy day today.
I'm not sure when this show will get out, so if you're listening, just be aware this episode may be released a little later.
Yeah, so whenever you're listening to it, we're sorry it's late.
Yeah, that's right. Well, we don't have to apologise as such, because they'll already know, because we've told them.
Yeah, this is true. Yeah, exactly. Anyway,
shall we
find out what we've got
coming up today? Well,
this week in InfoSec is a
trip to the movies.
Rant of the Week talks about password hygiene
and Billy Big Balls is a
story of backups.
Which doesn't sound very Big Balls-ish
to me.
No, I don't need no stinking backups.
Industry News
brings us the latest and greatest security news stories
from around the world and Tweets of the Week
shows us why it can pay
to snoop on your neighbour.
Would this be the
neighbour whose trees
you're trimming? I don't know.
Possibly.
So I'll be clear. They are my trees.
They're just in next door's garden.
What did you put them there for?
Alright. Let's move on
shall we to our
favourite part of the show.
The part of the show that we like to call
No we don't
the host unknown podcast
now I'm going to have to
leave that
this week
in InfoSec
is that part of the show where we take a stroll down InfoSec memory lane with
content liberated from the Today in InfoSec Twitter account and further afield.
And this week we have gone further afield because once again Steve has not updated the Today in
InfoSec Twitter account.
However, we are going back to the movies. Our first story takes us back to the 3rd of June 1983, which I actually thought was 29 years ago, but upon checking on the calculator it's actually
39 years ago, which doesn't quite sound right because I enjoyed this film when I was younger.
So 3rd June 1983, the science fiction film War Games was released,
notable for bringing the hacking phenomena to the attention of the American public.
It ignites a media sensation regarding the hacker subculture.
The film's NORAD set is the most expensive ever built at the time at a cost of
$1 million. So I don't know how much you remember this film, War Games, and I'm sure that the youth
of today will not necessarily appreciate it. But if you recall, he hacked into the school computers
to change his grades. I mean, this is before starting, you know, almost starting World War
III. But the hacking aspect was, in order to change his grades,
he logged into the school computer.
But do you remember how he got the password for that?
And bear in mind, this was 1983.
Wasn't it under somebody's keyboard?
It was.
It was on a Post-it note under the keyboard.
Or under the...
Yeah.
And he just picked it up, read the password.
And, I mean, this is
stuff that, you know, we talked about in the 90s and early noughties, about what you shouldn't do,
you know, writing your password down, sticking it to the monitor, sticking it under the keyboard, that
sort of stuff. And to say, you know, they were doing this 40-odd years ago. Yeah, human nature, which it takes a while to fix. Yeah, well.
You know, bear in mind, in 83,
we weren't recycling anything at all other than a bunch of, like, you know,
clean piece hippies.
And now you've got, like,
every household has two or three bins.
Every office has a row of five bins.
You know, behaviour does change.
I think the messaging
just hasn't been quite right. Yeah, well, and also the enforcement, right? You know, because it's
government and local councils that have decided to change on recycling. But, you know, it's only
recently that we're seeing government advice on, you know, password and security, and even then it's
coming through the NCSC in the UK, which, you know, I
guarantee about 75% of the country's population has never heard of. Yeah, but it's fair to say
people do understand password security these days, I guess, with more scams being prevalent. Yeah, yeah.
yeah and they actually know what two-factor authentication is
because, you know, it's that thing your bank does.
Well, I was going to say because Instagram offers it
or Facebook offers it as well.
Yeah.
Yeah, well, Facebook asked for your mobile number
to use for two-factor authentication and then sold it.
Yes.
That was Twitter, wasn't it?
No, that was Facebook. Oh, it was one of them. No, it's Twitter, a few days ago we covered the story. Yeah, it was Twitter. Facebook
just haven't been found out yet. Yeah, Facebook doesn't run about it. It was definitely Facebook
who did it. Um, but yeah, Twitter as well. Just everyone's doing it, right? Your data's gone, right?
Everyone's doing it.
Yeah, absolutely right.
But actually, just to come back to the story,
and you say that War Games in 83
brought hacking to the public eye,
and actually, I didn't see it when it first came out.
I think I wasn't that interested.
What really brought hacking to my attention
was a year later when Auto Man
hit the TV screens,
and I think it was only one season, but that left
a lasting impact on me. Was he the guy who could sort of blend into walls and his car
drove it? So Auto Man was, I can't believe I'm having to tell you guys this, so it was one of
those Glen A. Larson shows. It was like a police officer who worked in the computer forensics
of the IT department.
And he made a program on his computer,
and the cursor flies out of the screen,
and it creates Auto Man, where he's the face of a human,
and the whole body is like CGI, sort of blue, glowy thing.
I remember watching this at school.
Rings a bell.
His car used to drive
and turn at right angles.
It did, it did, because he was like a computer
so it could only do right angles.
And so, of course, all the criminals chasing
him would crash into the wall.
Yes.
And the police officer would be
forever being slammed
against the windows whenever they would turn.
His face would be pressed up against the window.
Was it some blonde dude?
Some like, you know, I can't remember now.
I'm going to have to get some pictures in the show notes.
So it says it aired for 12 episodes, although 13 were made.
So it kind of rings a bell, but I don't remember.
I couldn't remember any of this.
I remember watching it thinking, this is really good.
I'm hoping it's going to deliver on its promise
of what it's really going to do,
and then just obviously being disappointed.
Yeah, yeah.
Apparently, though, Street Hawk also only aired for one season,
and I was sure that scared the mothers.
Well, it's because it was a terrible idea.
It was like...
That was fantastic.
A motorbike that could do 300 miles an hour.
It was basically Airwolf, but for motorbikes.
Which is a bit of a downgrade, isn't it?
No, but Airwolf was like Knight Rider, but for helicopters.
No, no, no.
Airwolf was like the modernized, uh, Blue Thunder.
It was, yeah, very good, although the TV series was shit. Yeah, it was. The TV series, Whirlybird,
now if you look that up, that was an actual show and it was terrible.
Don't get me on to Terrahawks now.
Um, shall we move on? Anyway, moving swiftly on, um, our second story takes us back to the 9th of June, 1993,
which was, well, I want to say 19 years ago,
but it was 29 years ago.
It was still 19 years ago.
Why is there an extra 10 in this equation?
Yeah.
So sticking on the theme of movies,
on the 9th of June, 1993,
the motion picture Jurassic Park premieres in Washington, D.C., the highest grossing film in history at the time,
and the contributions of Jurassic Park to the field of special effects is perhaps as important
as the original Star Wars movie, which was only 16 years prior. Now, the reason I have included this
one is one of my favourite scenes in the film where, you know, the velociraptors
are closing in and the only chance to basically save all the humans in Jurassic Park is, um, Lex,
uh, you know, a young adolescent hacker, um, who has to find a way to reactivate the security system,
and, you know, they're in luck because, uh, it's a Unix system. I know this. And she says, I know this,
which is classic because any kind of, like, you know, 11-year-old that knows Unix, um, you know,
I know Unix, but it's even got a complete subreddit.
Yeah, and the best thing is that the computer actually was a Unix system. It was a genuine Silicon Graphics IRIX system.
And the 3D file system was also real.
It's called FSN.
And you can still download it today.
So, yeah, it's a tenuous link to security.
But as it were, the movie's this week.
I think having dinosaurs crashing out
of a theme park because of
a distinct lack of
security and an under
investment in IT
staffing as well I might add
because it was just that one
dude who ate donuts
all the time as I recall
so
there is a message there
Excellent. Thank you, Andy, for, uh, this week's, well, little
email jingle, but, um, for this week's
This Week in InfoSec. And this is the point that we lose Andy for a little while. So, uh, Andy, um,
it is, that wasn't just an email jingle,
that is actually a notification. So you go and have your meeting with HR. Talk amongst yourselves,
and I'll be back. You know, let us know how it goes. Okay, it's just a misunderstanding, right?
Don't forget to put your Batman suit on. Yes. All right, talk amongst yourselves.
You're listening to the Host Unknown Podcast,
Bubblegum for the brain.
Which brings us sweetly on to this week's...
Listen up!
Rant of the week.
It's time for Motherf***ing Rage.
Now, this week's rant of the week is one that I haven't read yet.
But it's about...
Nothing new there, really, I know.
No, no, nothing new there at all.
But there's an article there about a story that we covered a few weeks back about Netflix password sharing, uh, and, you know, Netflix is now starting to get concerned given that their revenues are down
and all that sort of thing, um, and somebody has actually, uh, on Bleeping Computer, they have started to, um, an article on why password sharing is actually a really bad
idea. You know, even if you put aside the obvious, uh, problems that, uh, password sharing creates
just for Netflix, um, it's kind of a, um, a symptom of a more serious problem. It's actually conditioned people to accept the idea that
sharing your passwords is okay, as long as there's a good reason to do so. And I think
there's an element of truth here, although there's two sides to this rant, really. I mean,
I think the first one is someone has made a really tenuous link between, you know, a high-profile Netflix
story and security here, not just us, um, and but, uh, but also it's so very, very true, um,
password sharing or giving somebody your access badge so they can walk around the office or go and find the toilets and
the tea and all that sort of thing, it's a bad principle. You know, 99 times out of 100
nothing's going to happen, but when that one thing happens you're going to be on the hook for it,
because it's you that's doing it. Um, and there's, you know, it's back to your point, uh,
Jav, about, you know, communication here. We just still haven't got this right. Uh, there's lots of
better ways of doing this, you know, like using shared vaults, right? You know, LastPass, 1Password,
you can, um, you know, use vaults to sort of share passwords in a secure
way that actually ensure that you don't even see the password in some cases.
Yeah, yeah. I think, yeah, this is a really interesting story. So you're right about it being a tenuous
link, because, yeah, you know, maybe they're losing revenue because their originals aren't as good
as Disney's originals, for example.
speaking of which I've been watching
Obi-Wan Kenobi absolutely loving
that show
very good
and Miss Marvel actually
I haven't seen that yet
have you not
Miss Marvel is very very good
because the main protagonist of course is a
16-year-old Pakistani Muslim girl living in New York. Yeah, that's how I know it's fake. So
say that to my daughters. See what she's doing at 16. What are you doing? You're not even a doctor yet.
So, no, it's very good, well worth watching. Okay, cool. But back to the problem
on the passwords is that we've created, or like the way systems have been architected, I think, are just
wrong, because everything with a password and a login account was designed with a one user, one
device kind of policy, and there's nothing built in there that makes it easy and intuitive for people to share certain things.
Yeah. And people treat apart.
And the analogies don't quite extend into the digital world as they do in the in the in the physical world.
So a password is a bit like the house keys or your car keys.
You hang your car keys in a common place, and whoever in the house is going out, they can grab it and take the car,
because the car is a shared resource and the keys get you in it. It's not like everyone has their own.
So I think it's one of those things where, as an architecture, in terms of the way we offer the solutions,
it's just not the right way, which leads to, as your point, and I can't believe I'm agreeing with you,
semi, but, you know, it leads to this thing where people, they have a legitimate need to share this,
and there's no easier, convenient way. I mean, I've got my mom
using a password manager, but to extend that and say now we're going to have a shared vault or
something, I think that's going to be a step too far for most people to wrap their heads around
and to understand. Uh, I haven't managed to get the Duchess of Ladywell onto a password vault yet, but, um, but,
you know, my family is on one now, and it does make life so much easier. It's a, you know, Dad,
what's the password for this? What's in there? You know, the downside is when they're saying,
send me the six-digit code.
Yeah, exactly. And that's a failing of the way MFA is implemented.
It's either a text message or you only have one device where your authenticator app is on and what have you.
So it's really tied down to one person, one thing,
and having this shared process.
I think that is where the problem is.
I don't think any amount of education can sort it out
because the tools that we're
giving people is done badly in the first place yeah exactly but but you're right because in the
sense that we've with passwords generally we've seen a bit of a step change recently with you
know the nist advice that you know passwords shouldn't be changed regularly they should be
only changed when um you know when there's suspicion that they might have been breached, etc.
And in fact, you know, where I work, they've just announced that now the minimum password length is 14 digits, 14 characters.
Only needs to include numbers, although they recommend special characters as well.
And, you know, showing how they should use a passphrase,
a series of words, etc. And you won't have to reset your password every three months if it
meets those criteria. And I think we're seeing a step change again in the way sort of
how humans operate with passwords and accounts is we do need to share things.
And so therefore, we need to build the system around that, not force how people share around, you know, an assumption that it's one password and account per person.
Exactly, exactly. And so a couple of my colleagues are at RSA and Roger Grimes, one of my colleagues,
he was livid that about three of the keynote speakers
or three talks he was in,
they touted the fact, the stat,
that MFA will prevent 99% of all your breaches.
And he's like, well, that's misquoted because I think it's taken
from an original Microsoft article or bit of research which actually the the correct phrasing
was something along the lines of 99% of account takeovers will be prevented by MFA not all breaches
but also I think it comes to that point like MFA is not well when you look at
in the in the personal context it's not something everyone's going to have set up not every service
offers it and then it again it ruins it breaks in many cases the whole shared family setup because
then it's going to be like, you know, so many times, like, you know, I've asked my wife or she's asked me to log on to something.
And then the same thing, yelling at each other, like, what's the code?
Or like, you know, you're texting them.
Well, I'm abroad or like on a work trip and I'm getting a message on WhatsApp saying,
you're going to get a text message. It's me. I'm trying to log on.
Can you send me the code?
It just, you know, it just defeats the whole purpose of it all.
What? Do you know what I reckon would fix this?
What's that?
Blockchain.
Blockchain.
Rant of the week.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than smashing security.
In your face!
Only for maybe another week or so,
because I think the awards are the week after next, aren't they?
They are, yes.
InfoSec that week, I think.
Are we going to do a live show from InfoSec?
I think maybe we should try and schedule that in.
No, because it ends by Friday, doesn't it?
Well, we can record it a day early.
Well, that ruins the whole flow.
Our stories will be a day old.
You know people coming to us for cutting-edge news and breaking stories.
This is true.
This is true.
Talking of cutting-edge stories.
So, unlike you,
I was skim-reading the article
while that intro was playing,
so I am far more well-versed in what I'm...
You're about five seconds ahead of where I was. I am, yes. That five
second delay is all you need for live TV, so if it's good enough for them, it's good enough for us.
So, Ukraine's secret cyber defense that blunts Russian attacks. What do you think that could be?
Oh, um, it's a piece of technology. It's something that a vendor sells. It's, oh, I don't know.
It's extra special security awareness training and phishing training.
I'll give you a hint.
It's not blockchain.
Oh, what?
Yeah, yeah, yeah.
Is it AI?
It's not AI.
It's something far more fundamental than that. Apparently it is excellent
backups. So there was a talk at RSA where some people, they looked at it and what have you and
you know, before the attack on Ukraine, there was like cyber attacks. They tried to take down
satellites and power systems and everything. But one thing that the Ukrainians have taught us so well, they certainly have had
eight years of practice and suffered Russian cyber operations, is the importance of resiliency.
The reality is that a number of Russian attacks are successful. However, Ukrainians are able to rebuild the network within hours.
Um, so it's kind of like the not-expected Billy. This is a bit like
when someone's lost a bunch. I remember once, uh, this is at RSA Europe or something, Tom, you and I,
yeah, we had dinner with, uh, Cindy and Duane from, they were both
at Tripwire at the time. Yeah. And at that time Duane had lost a ton of weight and he was looking
really good, and I said to him, Duane, what's your secret? And he just looked at me, goes, eat less and
move about a bit more. And I smiled, and he goes, like, everyone seems to ask that question
thinking there's some secret I'm gonna divulge or something. He goes, it's really not that hard.
Yeah. And this is what this story reminds me of. It's like, oftentimes we're looking at these
fancy solutions or backups, or not backups, but, you know, cutting-edge technology to help us defend
and this, and we need resiliency, whereas, like, sometimes it's just as simple as, look, just take
a backup, take regular snapshots, when your system gets compromised, nuke it, rebuild it. You know, it's,
and sometimes it is as simple as that. It's not sexy. It's not fun, but it just works.
And I think if...
But sometimes you can only do this
if you've been hit hard at some point
and you learn the hard way.
And then you learn the hard way
that actually it's not as bad as you think it might be
to do or as difficult as it might be
to do this in the first place.
Whereas I think with a lot of people, it's like, oh, the thought of rebuilding a system from a backup is, you know,
just anathema to them. Yeah, yeah, no, you're right. And, you know, anyone that's ever got a new phone,
now the phones are a lot better with the cloud restore and everything, but,
you know, even like five, six years ago it used to be terrible. Certain things would synchronize, certain things didn't. I mean, even
now, like, your authenticator app doesn't carry across, so you have to re-remember, like, every
app that you, but whatever, you get a new phone, it's a blank slate, you just restore from
your backup in the cloud and you get 80, 90% of your stuff back straight away.
So you're up and running.
So all of us are pretty much familiar
with the concept and the process
and how it can be designed quite well.
So I think it's the message of the week
is that sometimes it's doing the hard grind.
The fundamental stuff is the Billy Big Balls move to make.
Indeed.
Billy Big Balls of the week.
You don't think anyone noticed I winged that story, do you, Tom?
In the category of most entertaining content,
the winners are...
Post Unknown.
It's also strange for us because we voted for Lazarus Heist 2.
Yeah, just saying we didn't vote for them this year.
No, we didn't. No.
So it's that time of the show where I say to Andy, Andy, let me
try and come up with some, you know, overly complex analogy, or, uh, yeah, um, you know, some way of
saying, you know, finding out at what point in the sky is the sun relative to where I sit on the earth and all that sort of thing.
I will tell you, it's that time of the show where Andy is putting all his possessions
into a brown box and being marched out of the office.
It is, of course, that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy bringing us
the latest
and greatest security news from around the globe.
I must say, he does do it better.
Industry News.
Gloucester Council IT system still not fully operational
six months after cyber attack.
Industry News
New Linux malware symbiote is nearly impossible to detect.
Industry News
Cyber attack surface spiralling out of control.
Industry News
Evil Corp hacker group changes ransomware tactics to evade US sanctions
Industry News
Twitter set to agree to Elon Musk request for data on fake accounts
Industry News
Social care organisations get cyber security boost
Industry News
US and Euro police smash cybercrime marketplace.
Industry News.
Ransomware pressure forces UK
CISOs to consider quitting.
Industry
News.
CISA reveals Chinese hackers'
tactics targeting US
telecoms and network service
providers.
Industry News.
And that was this week's Industry News.
Huge. Huge.
Huge. That first one
ties right back into the
Ukraine thing. Gloucester Council
IT system still not fully operational
six months after cyber attack
I mean, they must have some really slow backups. Yeah, they got the old tapes out. Yeah, they got
the reel-to-reel tapes out. Yeah, yeah. Although, you know, and, you know, in all seriousness, you don't
know, because many, you know, mainframes are still in use in a lot of places, right, because they're not broken, they continue to work.
And some of that stuff is not easy to manage nowadays.
It's quite literally not the parts for it and all that sort of thing.
So I'm not saying that this is a mainframe problem.
I think it's obviously more generally backups.
But I think we kind of assume that it's, you know,
even the most sort of, um, mundane of environments, you might just sort of pop a tape in and you're away, but it's a big,
it's a big challenge. It's a big, big job. Is it six months' worth of work? I don't know.
Yeah, yeah. So this is interesting, and I thought I'd get your perspective on this story.
Ransomware pressure forces UK CISOs to consider quitting.
Are you considering quitting, Tom?
No, no, I'll wait until I get fired.
Yeah. So according to this, it's that some 49% of UK cybersecurity decision makers have considered leaving the industry due to mounting stress levels.
And this data comes from security vendor Deep Instinct's latest Voice of SecOps report,
compiled from interviews with a thousand C-suite and senior cyber security professionals
in North America, the UK, France and Germany.
Wow. So how many actually said they considered quitting?
49% of UK cyber security decision makers.
Okay.
So worryingly, 46% of UK respondents said the stress of dealing with mounting threats
had risen measurably over the past year.
Even more, 51% believe this pressure is impacting their decision making.
Certainly not the alcohol or the drugs.
No.
No.
Ransomware was highlighted as the number one cause, followed by supply chain attacks and the impact of digital transformation on security posture. Wow, so the day jobs get into
them. Their day job is getting to them. You know what they say, if you can't stand the heat, you
better get out the kitchen. So, you know, seems like a lot of them are leaving the kitchen. Well,
49% to be precise. Yeah, well, so not a lot of them, a minority. So this, um, you know, cyber attack surface
spiralling out of control. Well, I don't know about spiralling out of control, but obviously the more
complex our systems are, the greater we, um, you know, the more we do with them, um, the more we rely on them, of course that
attack surface is going to grow. So, uh, obviously I'm basing that purely on the, uh, on the
headline there, but, uh, yeah, it seems to be a little bit of a, you know, in today's, uh, stating the obvious.
Yeah, yeah. What, isn't that what all of it is in a nutshell? Stating the bleeding obvious.
Yeah.
And spiralling out of control, apparently,
according to 49% of CISOs.
Yeah.
What else have we got here?
Oh, Twitter and bloody Elon Musk.
Please, either get a room or split up, one or the other.
We're now bored.
This is like the Johnny Depp, Amber Heard trial, but not as interesting. No, no. And even the Depp Heard trial was dull after, you know, once they'd cobbled together the weird facial expressions and weird questions and all that sort of thing for the internet. Yeah, yeah. The best were the TikTok compilations on that stuff, or YouTube compilations. Like, those are the best. Like, you know, the mega mesh objection hearsay. But, yeah, um, yeah, but then the whole thing bored me very quickly, I have to say. Yeah. Did it hit a bit too close to home?
Well, you know, it does mean that my Pirates of the Caribbean costume has to, you know, sort of be put aside now.
I can't be dressing in that every weekend.
Yeah, I think that's it really, isn't it?
You know, just Twitter and Elon, please just sort it out.
Lots of stuff going wrong.
CISOs wanting to quit.
I'd be interested to know how many CEOs or CFOs or CROs wish to quit at the moment as well. You know, it wouldn't surprise me if it's a similar number. Yeah, yeah. I mean, I would quit, but I just like getting paid too much. So, well, is this a sub-headline there? Yeah, I just enjoy having a roof over my head and eating occasionally.
Occasionally.
Yeah.
Well, okay, more than occasionally, looking down at my belly.
Excellent.
Well, that was this week's...
Industry News.
This is the Host Unknown Podcast.
Home of Billy Big Ball Energy.
All right.
We are coming to the end of the show.
It's obviously a little bit shorter without Andy.
He obviously talks far too much.
Louis, coming to the end of the show and this week's... Tweet of the week.
And we always play that one twice.
Tweet of the week.
Do you want to do this? Shall I do this?
Go on, you do it.
I'll let you do it.
Okay, so this week's Tweet of the Week has come from Kevin Slaten.
Hours ago, China's Ministry of State Security published
rules to reward citizens reporting behaviour that threatens national security. Those previous
words were all in capital letters. Effective immediately. Awards range from less than US$1,500 to US$15,000 plus,
depending on the information's significance. Wow. I mean, do you know what's interesting about this one? I think is that actually this is kind of old news because didn't the US quite a few weeks ago say that they would reward whistleblowers up to a thousand, was it a thousand dollars or ten thousand dollars?
If they basically reported women who were preparing to
or were going to have an abortion.
That's right.
That's right.
Now, you mentioned it.
Yes.
So it's quite interesting how, you know,
we sort of said, oh, those nasty Chinese people.
And yet it's already been done.
You know, they've already beaten you to it, China. You know, you have to up your game. Yeah, yeah. No, I think you're right, it's the way the narrative is framed, as if this only happens in the evil countries, like the communist bloc. China would do this and Russia would do this. And, you know, people often turn a blind eye to what the Western governments are doing, and, you know, the constant calls for, like, let's put back doors in encryption, think of the children and all that kind of stuff. So it's no different at all. It's just reframed around children and ownership of women's bodies.
Exactly. Exactly. That's all it is. I mean, this should be a Rant of the Week.
There's nothing funny about this. Actually, you're right. You know, I think Andy screwed up the show notes this week, but he was doing them literally as he was talking.
He has one job, one job on this podcast. I know, right?
I know.
To just organise the stories in a coherent manner.
This is far too depressing a note.
Yeah, we moved to Riverside as well, away from, I can't remember,
oh, Zencaster, that's right, and it's his account.
And what did he say?
Oh, you can log in and sort everything out.
Hey, you don't want to add to your one job, mate.
That's fine.
I know, I know.
Anyway, that was this week's...
Tweet of the Week.
Well, that was a slightly depressing one to end on, wasn't it?
I know.
I'm actually frantically scrolling Twitter,
trying to find something a bit more lighthearted.
Yeah.
Exactly.
Yeah.
Exactly.
Just do a search on Elon Musk.
He's probably said something really, really bizarre or incorrect.
Who knows?
Who knows?
So, Jav, thank you very much for this week.
It was a slightly confusing one, but I think we got there.
We pushed our way through and we were able to birth this podcast into the world.
This is like, you know, you say it's a confusing one. This will give some PhD students a lot of good data in years to come. They'll see the transition of the podcast from something where, you know, these people were relatively coherent, and now that, you know, the Alzheimer's is kicking in, they're all a bit confused. You know how you see those little videos of Biden doing his talks, and then he sort of, like, mumbles or what have you? Yeah. You can't make out what he's actually talking about. That's what this podcast is devolving into. Like, you know, oh, so-and-so can't make it this week because they have another opera appointment at the doctor's for their new meds or something. Exactly. This show will go down in history as the show where it became obvious the level of hard drugs that we were doing.
It's not really even the, well, the medically prescribed hard drugs, I don't...
Yeah, that's right. I mean, maybe if we had some sponsors, we could actually afford some drugs and we would make this into a fun show. But no, vendors don't like sponsoring people to do drugs, for some reason. So I'll tell you what we'll do next week: we'll all bring our little pill boxes and we'll all describe what pills we take and when and what they do.
Andy will bring his massive tub of Haribos and say, do these contribute as pills? Because these are for medicinal purposes.
Oh, dear.
Excellent.
Well, thank you, Jav, for this week.
Appreciate your time as always.
Oh, you're welcome.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, Worst Episode Ever, r/SmashingSecurity.
Andy must be getting a real telling off. I mean, he's been away half an hour. I know, I know. It's like he left himself logged on, so, yeah. Well, hopefully, because it won't screw up the recording. But, yeah, my God, I thought it was like a little, you know, quick briefing with the boss, but no, she's obviously on, like, 0.7 of, you know, why his tea is so bad. Yeah. So actually, Andy missed a really big trick on Today in InfoSec,
and I feel it's important to add it in,
but on June 7th, so just, you know, this week in 1954,
Alan Turing took his life by his own hand.
Oh, my God.
This week.
You know, he invented the modern computer.
Well, well, you know what I mean.
According to the film, The Imitation Game.
Yeah. Which is, you know, apart from some of the names in there, was virtually entirely made up.
But he was extremely influential.
But there were plenty of other people. Tommy Flowers was one of the key engineers on it, who actually built the thing, and he actually went on to build a whole bunch of, you know, Post Office systems and things like that. But very, very influential, without a shadow of a doubt, but I do think there's a little bit too much sort of idolisation of him. Yes, yes, possibly. I have found a light-hearted tweet to end on.
Okay, okay. I say light-hearted because, like, we just talked about spying at the national level, and then we talked about someone committing suicide.
So anything,
I think if I just tell you I have diabetes, that will be a lighter
note to end on, but it's not.
So this is a tweet by Quentyn Taylor, friend of the show.
It's funny how, outside of the InfoSec Twitter echo chamber, many people don't realise that Cobalt Strike is a legit piece of software sold by a legitimate company. And I laugh because, what do you expect with a name like Cobalt Strike? This is a problem when you have, like, little boys naming stuff all the time. No one's going to take you seriously.
Yeah.
Yeah.
I thought Cobalt Strike was part of the Command & Conquer series.
Yeah, that's what I thought.
I was like, you know, we need an ore refinery set up first.
Yeah, that's right.