The Host Unknown Podcast - Episode 118 - We should have taken a summer holiday
Episode Date: August 26, 2022

This week in InfoSec (The one and only):

23rd August 2006: SpoofCard confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard said it had implemented controls to prevent recurrences.
Paris Hilton: Master Hacker?
https://twitter.com/todayininfosec/status/1297213638059728896

26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the W32.Gammima.AG worm.
Space. Where you don't want to be dealing with malware.
Malware detected at the International Space Station
https://twitter.com/todayininfosec/status/1298690676448735232

Rant of the Week:

Block sued after ex-staffer siphons customer data
Block – the digital payments giant formerly known as Square – faces allegations it failed to take adequate measures to protect customers' personal information.
A lawsuit, filed Tuesday in a federal district in Oakland, California, on behalf of two users of Cash App, operated by Block subsidiary Cash App Investing, claims the company failed to implement reasonable security. As a result, a former employee was able to download internal reports containing personal information after leaving the firm.
Coincidentally, Twitter – another venture co-founded by Block Head Jack Dorsey – was accused of subpar security by its former security chief in a recent whistleblower complaint.
Block disclosed the December 10, 2021 data theft on April 4, 2022, and stated it was contacting 8.2 million current and former customers about the privacy snafu. The biz said, "a former employee downloaded certain reports of its subsidiary Cash App Investing LLC … that contained some US customer information."
The employee had access to those reports while employed but in this instance downloaded the files after leaving the company.
The data obtained included customers' full name and brokerage account numbers, and in some cases, brokerage portfolio values, brokerage portfolio holdings and/or stock trading activity for one trading day.
As far as the litigants are concerned, Block didn't meet its security obligations, failed to notify customers in a timely manner, provided too little information about the incident, and failed to offer credit or identity monitoring services.

Billy Big Balls:

Lloyd's to exclude certain nation-state attacks from cyber insurance policies
Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.
In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added [PDF], noting that nation-state-sponsored attacks are particularly costly to cover.
Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyberattack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.
At a minimum – key word: minimum – these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Industry News:

Counterfeit Android Devices Revealed to Contain Backdoor Designed to Hack WhatsApp
Ex-Security Chief Accuses Twitter of Cybersecurity Negligence
Facebook Bug Causes Users' Feeds to Be Spammed
Plex Suffers Data Breach, Warns Users to Reset Passwords
Scammers Create 'AI Hologram' of C-Suite Crypto Exec
Workplace Stress Worse than Cyber-Attack Fears for Security Pros
US Firm Pays $16m to Settle Healthcare Fraud Claims
Talos Renews Cybersecurity Support For Ukraine on Independence Day
Microsoft Attributes New Post-Compromise Capability to Nobelium

Tweet of the Week:
https://twitter.com/J4vv4D/status/1562775110544949248?s=20

Come on! Like and bloody well subscribe!
Transcript
Well, no, but it's like a really, like, difficult one, okay, because the question was: you have to commit one crime, but by doing so you will ensure that nobody ever commits that crime again. So what crime would you do, knowing that you would literally be the last... it would be the last time this crime ever occurred when you commit it? Wow. So you can wipe out a particular type of crime, but you will forever be the last person who does it. That's so tough. It's like, I'd like there to be no more murder, but I don't want to commit a murder. Oh man, I don't know, it's a tricky one. Well, okay, I'll hire Alex Stamos as my final crime.
You're listening to the Host Unknown Podcast.
Hello, good morning, good afternoon, good evening, and welcome to episode 122 of the Host Unknown Podcast.
You are here this week with your award-winning hosts.
Jeff, how are you doing?
I'm very good, thanks. I thought I'd start off by putting my life and reputation on danger with that joke.
It was a joke, Alex.
Alex or Mudge, right?
You know, there's two guys out there.
I know.
You got one that airs dirty laundry in public and the other who...
Who is dirty laundry.
It's all done in jest. It's all done in jest.
It's all done in jest.
I know you've been kind of glued to the car wreck, the train wreck, the car crash,
the ongoing discussions about whether or not Twitter has covered up poor security practices?
This is actually one of my favourite topics these days.
You are right.
Because there's been no mediocre takes on this.
They've either been really good or really bad, and it's been excellent.
Because people have hired us.
So what you're saying is there's a gap in the market for us there, is to give a mediocre take? The mediocre take would be: meh, stuff happens, former employees get thrown under the bus, disgruntled employees, dirty laundry, what's that? Nothing new. Which is pretty much where I think, um, yeah, I think I kind of landed on that, you know, when you first started sharing the sort of articles in the tweets. I was like, yeah, it's always hard to know, but there's always two sides to a story, right?
Well, three, isn't it? There's their side, the other person's side, and then there's the tree. Yeah.
Yeah, I don't know.
It's a tricky one.
How's your week been?
I would say quite.
It's actually been quite busy.
It's always busy, right?
Everyone I work with is on holiday at the moment,
and so I'm doing work because there's no one else around to do it. So it's not like we're sharing the load, we're just kind of getting through it.
But how thrilling is that?
Wow.
That is... that is incredible.
And so this reminds me, and we were talking about this as a potential Tweet of the Week, but we ditched it for something far, far more riveting.
But Mermaid, Morgan, a friend of the show,
she posted a tweet the other day.
The words were something along the lines,
the challenge is work in security without it defining your identity
and overtaking every part of your life.
And I think you just failed that challenge.
Did you feel seen?
You felt seen when you saw that?
Oh, yeah.
Oh, yeah.
Actually, that was the first time in my life, I think,
you know, like these last few years,
that you can actually go to someone and say,
what do you work in?
They say, I work in the cybers.
And they actually have some sort of clue as to what you do.
Not like, I work in IT security, and like, what the hell is that? Can you help me hack someone's Facebook? Do you think that's a follow-up question? Yeah, yeah.
And then it's like, no, no, no, and then you have to spend time explaining how you set NTFS permissions on Windows NT4 and all that kind of stuff.
But what do we have coming up today this week?
Yes, I shall tell you what we have coming up today this week.
This week in InfoSec takes us back to a chapter in the life of Paris Hilton, master hacker.
Rant of the week is finding a pattern with company's Jack Dorsey co-founders.
Billy Big Balls is another bold move from the cyber insurers.
Industry News brings us the latest and greatest security news from around the world.
And Tweet of the Week is a list of things everyone should know by the time they're 30,
which leads us on to Tom's favourite part of the show, the part of the show that he likes to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory... Paris Hilton was among the customers they terminated for breaking into people's voicemails.
And Lindsay Lohan was among those whose voicemail accounts were accessed in an unauthorised manner. And then SpoofCard had gone on to say they've now implemented controls to prevent reoccurrences. So SpoofCard was a popular caller ID spoofing service, which was actually regularly used to hack into people's voicemails.
I mean, back then, was there ever any other reason to spoof your number? So if you recall, particularly around in, well, it's probably all the way from, like, late 90s onwards, right?
Your voicemail provider, you know, your phone provider, to access your voicemail, you just had to call the number.
And it would recognise your caller ID and let you access it without a PIN.
So PIN numbers were not required by default to access your voicemail.
And then you could just, um, log in and retrieve people's, uh, you know, just retrieve the voicemails that were on there. And that has been sort of... it wasn't just a uniquely American thing. This is, um, I think if you recall some of the more grubby red-top papers in the UK, um, yeah, they sort of had a history of listening to other people's voicemails, because, um, you know, what voicemail providers did in the UK was, to avoid just having no PIN number, they all had default PIN numbers.
Yeah.
Uh, so, you know, Vodafone would be three three three three, and, um, you know, O2 would be like zero zero zero zero. Uh, really common things like that. But, um, yeah, very easy thing to fake back then. And SpoofCard actually went public. They said it was, uh, they publicly announced it in actions, uh, discourage this type of activity and alert mobile phone networks and their customers of the need to protect voicemail access with passwords and other security measures. But, you know, yeah, let's get this on to the user.
Well, exactly. I mean, obviously providing a spoofing service is... it's not the question.
No, no, this isn't in question here.
Yeah, that's not the problem. Everyone has a right. It's probably one of the, you know, 94th amendments or something.
Yeah, the right to spoof your number. This reminds me, so I... I never realised that it was so easy to... well, I, you know, we... I never indulged in hacking into other people's voice... but when I was at university I had a One2One phone. They were, I think, then... they're now T-Mobile.
T-Mobile, yeah.
T-Mobile, yeah. Anyway, so the package was that back then you had... text messages weren't a thing. So it's only voice data, voice calls, that you paid for.
And I think whatever the monthly fee was, and I only got 15 minutes free.
But One2One said that you have free access to voicemail,
which some other providers, they used to take even listening to voicemail out of your allocated minutes.
Yeah, like 35p a minute. Yeah, yeah.
So it was free to listen to your voicemail, and then what students find out is that if you're both on One2One, you can phone the other person's voicemail directly and leave a message. There was, like, just a weird number you had to put in the beginning or something, I can't remember exactly what it was. But so I could phone directly into your voicemail and leave a message for you, Andy, and because it was phoning into the voicemail service, I wouldn't get charged, and you'd be sitting there and you'd get a notification on your phone saying you have a new voicemail, and you would listen to my message without charge. It was brilliant. All the students were doing it. It was fantastic. It's like the predecessor to WhatsApp audio messages.
Yes, yes.
Oh, man.
God, just to think these days.
And you're right, because back then people would actually leave voicemail messages.
Now, if it rings out after like three rings, I'll hang up.
Do you know what I mean?
So I'm not going to leave a message.
No.
You've now seen that I've called, so I'll wait for you to call back, if you can be bothered, or else, like, you know, I'll just wait for that WhatsApp message: what do you want, dude? I called you four days ago.
But anyway, our second story takes us back just a mere 14 years to the 26th of August 2008,
when it was reported that a laptop on the International Space Station
was infected by removable media containing the Gammima worm.
And so there we are in space dealing with malware.
You know, the one place you don't want to be.
So NASA did downplay what actually happened here.
But it appears that the laptops on the ISS
were not actually receiving antivirus signature updates, amazingly.
And, you know, you had a lot of people arriving with removable drives,
which they were just, you know, walking up to laptops and then just plugging back into, you know, plugging into their, uh, devices up there. Um, so old, old, uh, you know, risks still active, I guess, and it doesn't matter whether you are on Earth or in space.
Isn't this how they won in Independence Day, though? The first one.
They did, he did actually jack in.
Did, and it was amazing. What was it, a USB cable? He managed to do it all through it. It was, um, quite a stroke of luck.
Yeah, and again, you know, we don't learn from lessons, right? Even the aliens don't learn from lessons, like, you cannot allow untrusted media, removable devices, to be plugged into any device.
So, yeah, it's...
In the aliens' defence, it was through a stolen spaceship of their own.
So it was kind of like an insider threat.
It was a trusted asset.
Although it had been off the network for a very, very long time.
So that should have made it as suspicious.
And at least, right, you know, if you're going to be able to make some sort of privilege,
you need some sort of MFA, right?
Even just a push.
MFA push.
Say, right, you know, is this really you?
Yeah.
Yeah.
Or maybe they'd done a Cisco and they just, like, sent them so many pushes.
Like, the alien just got fed up.
Just said yes at the end of it.
MFA fatigue.
Yeah.
MFA fatigue.
Just disable it.
There's too many of them.
Oh, dear.
Oh, man.
We've got so much fun at the movies, aren't we?
I know.
And that was...
This Week in InfoSec.
You're listening to the Host Unknown Podcast, bubblegum for the brain.
So Jeff, how are you feeling? You, uh, how's your blood pressure?
Oh, it's not high enough. I need it raised.
Okay. I've got an idea.
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Oh, yeah, brother.
We are here to rant and rave.
So, Block, the company formerly known as Square, faces...
What an imaginative name change they went with.
It's just so...
This sounds like something you'd do at the playground. What's this? This is my square.
Looks like a block. Actually, that's a better name.
But yeah, they face allegations it failed to take adequate measures to protect customers' personal information. So Square, or Block, is one of those companies that was co-founded by Jack Dorsey of Twitter fame. It's got a bit of a pattern going on here.
Yeah, there is a pattern, like Jack Dorsey and bad security. So Block disclosed that December 10th, 2021 data theft on April 4th, 2022.
So that was like four months after they actually got breached.
And this was a former employee of Block who still had access to the system, so he was able to access reports and downloaded the files when he's not even employed by them anymore. So the data included customers' full name and brokerage account numbers, and in some cases brokerage portfolio values, brokerage portfolio holdings, and/or stock trading activity.
So the whole JML process isn't working.
Yeah, the JML process isn't working.
The, what do you call it?
The recertification access control.
Oh, I'm thinking DLP.
That's the word I'm looking for.
The obvious one.
You know what, because I'm looking at my screen and this picture of Jack Dorsey is on there, and he looks like this hobo, he's like massive beard and he just looks like a homeless person. But yeah, so, so the JML process, the DLP isn't working, the incident response clearly isn't working.
I think you can still forgive companies for getting breached or for there being some hole in their process,
even as fundamental as letting a next employee access stuff and download it.
But I think the one thing people do really want is some form of timely notification.
Say, hey, this happened, or we've noticed something.
Not just sit on it for four months, and they're like,
you know, oh, by the way, you know four months ago this happened?
And then people are like, ah, so that's why I've been getting
all these weird things on my credit file recently.
It just beggars belief that in 2022 we can still have companies that think it's okay to not disclose a breach for four months. It's absolutely unbelievable. And I'm trying to wind myself up. I'm just too empathetic.
So I'm sure... I am actually surprised that you were quite forgiving about how, you know, well, people leave, people still have access, and, you know, this and DLP fails, and, like, you know, maybe there's no recertification, the account should have been disabled. But I mean, come on, that's pretty... They handle payments, right? Is this not a regulated... I don't know if they're regulated in the US, um, but this type of thing is like just horrendous. Like, to imagine this... well, I mean, I'm sure it does happen, but to allow it to get to this level, like, who's even monitoring the logs of who's doing what and copying this data, and whether or not this is normal behaviour? To your point, it's 2022, how does a payment company not keep track of trades? Or they must be regulated, surely, or is this the problem we've got here?
I don't know. I mean, thing is, like, if the only reason you're going to do anything is because you're regulated,
and these are just such basic, fundamental things.
That's a fair point, yeah.
We're not even asking them to implement something like the blockchain.
It's just like, hey, make sure when you fire someone or someone leaves, just you revoke their access.
Yeah, you know, that thing that people have been doing for, you know, since the 60s maybe, like take the punch card off them as they walk out the door. Yeah, this stuff was in the Orange Book, for heaven's sake. It was like... it's not... we're not even talking about BS7799.
Yeah, no, I, um, yeah, I think I'm in agreement with you, Jeff. It is horrendous and they should have told people. And for someone like Dorsey, like, you can say... so I'm more forgiving of Twitter with its, um, inadequacies, because I think that was one of those platforms where, like, you started it off and it was very difficult to predict how successful it would be or how much it would take off.
I mean, it started off with the text messaging.
It wasn't even, you know, a web client.
So, you know, you can forgive them for poorly architecting things
or, like, having it run on stuff and then it's growing over time
and it's a Frankenstein that's like, oh, my God, it's alive.
I don't know.
You know, you couldn't have predicted
the global impact the platform would have had and what have you. So you can say, okay, maybe they haven't adequately built in stuff from the beginning to protect it. But when you're building a platform from scratch which is meant to be a payment platform and take all these transactions and what have you, then you should kind of build these things in from the beginning. It's not like, oh my God, I had no idea that we would be holding such sensitive data. Really? Okay.
Very good. That was this week's Rant of the Week.
This is the podcast the Queen listens to, although she won't admit it.
True story, and we shall milk that one until we have a king, I believe. Not that I'm wishing, uh, you know, anything on that, but, uh, but let's just be real.
So what have we got coming up next?
It is...
Over to you, Jeff.
Oh, wow, me again.
Oh, my God, I'm pulling double duty today.
Sir Lloyd of London, the overarching big insurance godfather, um, has asked its members to start excluding certain nation-state attacks from cyber insurance policies. Um, so they have, uh, asked them to... they sent a member memo to, um, it's nearly 76-plus insurance syndicates, um, and they remain strongly supportive of cyber attack coverage. However, as these threats continue to grow, they may expose the market to systemic risks that syndicates could struggle to manage, noting that nation-state-sponsored attacks are particularly costly to cover.
Because of all this, standalone cyber attack policies must include a suitable clause excluding liability for losses arising from any state-backed cyber attack.
And these will take effect from March 2023.
Wow.
I read this and I thought,
oh, that is a big balls move.
That is really, you know, quite ballsy.
And then I've had a bit of a think about it since then. And, uh, I've spoken to a couple of people who actually work in insurance. And, uh, there were two things that calmed me down about my initial outrage, like thinking, ah, typical insurance companies wanting your money and not wanting to pay out. And, uh, one thing was, like, you know, acts of war have always been excluded, from, oh, you know, it's like force mule, force mature, whatever, have you pronounce it, and war is always excluded, so it's no real difference. Uh, but also these... the wording actually of this one is, like, for catastrophic losses, so it's not, um, your average attack. Because my whole argument with them was like, well, you know, it's the attribution game, no one really knows who's who. Anyone could say, oh, we've been attacked, and say, oh, this is either Russia, or North Korea, a gang based in Russia, or someone based in, I don't know, Croydon pretending to be operating out of Russia. So it's all that thing. But apparently the burden of proof is on the insurer to prove that it is a nation-state attack.
It's just really messy.
And I think that the only thing I learnt from all of this
is that really read the contract carefully, go over every single clause, and get clarification as to what is and isn't covered. Because I think, like, we spoke about this story last week, where the...
We did, yeah. Social engineering was, yeah, excluded.
Yeah, yes, it was like, no, this policy only covers that. If you want social engineering,
then that's covered under a different clause or something
and you didn't take out that option,
so you need to take that out as well.
So I think that's kind of where my head's at.
I think these things are going to, you know,
as most insurance from the history of time did,
they will try to slip out of paying anything
and up your premiums as much as possible. So you need to be really careful as to what you're agreeing to, how much you're actually being covered, in which instances are you being covered, and then accept the risk. Cheap plug there.
I don't know, I am... I don't know, is insurance, I mean, we were saying last week, is insurance worth it if they exclude social engineering? Because you can attribute a lot of things to social engineering.
But even now, if you can attribute it to a nation state attack,
you know, this ransomware commonly associated with Russian nation states,
then, sorry, you're no longer covered.
It's a good move for Lloyd.
I think they'll continue to take your premiums
and all their members will continue to take your premiums.
Yeah.
I don't know, Jeff.
I'm not a fan of this one.
No, no.
And one of the challenges is that
when you do a lot of third-party assurance reviews,
a lot of companies will be like, oh, make sure that you have, you know,
insurance as part of your coverage plan or something like that.
And so it's kind of one of those things that people feel like they have to have it,
but without realising how little it might actually protect them for.
Protect them, yeah.
They're actually worried about...
I mean, little Tommy DDoSing them from his basement
is not really something you're going to go to the insurance for
because, you know, you've probably, like,
got some kind of protection in place
or you'll have just absorbed the hit.
But it's really when, you know...
The nation state hits. Yeah, Northa gets in and deploys ransomware and whatever, that you really socially engineering one of your admins.
Oh man, someone at Lloyd's has, uh, just guaranteed their bonus for FY24.
I know, I know, they've already picked out the yacht.
Yeah, what colour is your brigade?
Brilliant. Thanks, Jeff. Billy Big Balls of the Week.
You're listening to the Host Unknown Podcast with your award-winning hosts Javvad and Andy and insert name here.
Can't help but think there's something different about this week's show. Not sure what it is, but the rhythm's getting there. I don't know. I can't really put my finger on it,
but it feels like I'm more streamlined and I'm enjoying it today.
Yeah.
Yeah, a lot more fun.
Just that it feels younger and vibrant.
It does.
By at least like three decades.
It's quite amazing.
Quite amazing.
So anyway, you know what?
The weather's been really weird.
Look out the window and the shadows are being cast.
And I thought if I had one of their sundials, I could actually tell what the time is.
Do you happen to have the time on you, Andy?
I do.
And I do know that it is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Counterfeit Android devices revealed to contain backdoor designed to hack WhatsApp.
Industry News.
Ex-security chief accuses Twitter of cyber security negligence
Industry News
Facebook bug causes users' feeds to be spammed
Industry News
Plex suffers data breach, warns users to reset passwords
Industry News
Scammers create AI hologram of C-suite crypto exec.
Industry News.
Workplace stress worse than cyber attack fears for security professionals.
Industry News.
US firm pays $16 million to settle healthcare fraud claims.
Industry News.
Talos renews cyber security support for Ukraine on Independence Day.
Industry News.
Microsoft attributes new post-compromise capability to Nobelium.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
I'm interested in that scammers create AI hologram of C-suite crypto exec.
I know.
This is something that was the next in the deep fakes for a couple of years now, wasn't it? Like the theory of what could actually happen.
Yeah, yeah. This is like Shaggy is looking at this saying, if only I had this technology back then, my whole song would have been: it was a deep fake.
Okay, so forces use deep fake technology to impersonate the identity of a senior Binance official in online meetings with clients. Okay, right, so okay. Despite having previously had one of the world's largest cyber security teams, I was not prepared for the onslaught of cyber attacks, phishing attacks and scams that regularly target the crypto community.
I mean, it's a... the whole industry is a scam. Built on a Ponzi scheme.
Oh, no.
Scammers getting scammed.
I don't know.
If someone comes on screen and tells you where to start transferring money,
are you really going to be paying attention?
Without reading the story, I'm looking at the Facebook bug causes users' feeds to be spammed.
And I left Facebook a long time ago, but isn't that just the general working and design?
It's a feature, not a bug.
Yeah, exactly.
Operating as per usual.
Yeah.
The counterfeit Android devices was an interesting one,
because this is like no longer going through the App Store, right?
So rather than, you know, sort of released fake products on the app store, get people to download them and install them, because, you know, now app stores are getting better at making sure stuff's clean, they're actually just releasing dodgy hardware. So the phone... there's four different types of smartphone, um, well, at least four that have been discovered in July 2022, which are basically hacked, and they're designed to read your WhatsApp messages.
So now, are these actual phone models themselves, or are these components used in phones, or actual phone models themselves?
Yeah, so there's, well, I mean, three phone models I'm not familiar with, but the Mate 40 I've heard.
These are things, right, not everyone will have a, you know,
a Samsung or an iPhone.
It's just quite popular in other parts of the world
to not spend two months' salary on a phone.
You know, particularly, you know, these sort of cheaper devices
that come with your airtime packages, and they're functioning, they run Android, um, operating systems, they do the same things that everything else does. But, um, yeah, I mean, this is, you know, for what we know, this is just reading your WhatsApp messages, but it could be used to do other stuff, right? It could be used to do your online banking or, you know, anything else.
But yeah, is it now cheaper to, because I guess there's less checks on hardware, is it now cheaper to attack people by giving out fake hardware than it is to actually try and get through the filters on an app store that people have? We start to see phones being left lying around like we used to with USB sticks in car parks?
Yeah, congratulations, you've got a phone. It's like, you know, click here to claim your phone, and you really do get a phone.
Oh man. And then I guess the other big one this year, it was Plex. I saw this story going around the socials. Um, so they're like a streaming media platform, and also, without giving too much detail, they just kind of said, hey, you know what, everyone should change their passwords as soon as possible.
Yeah. And, uh, yeah, it turns out that a, uh, a third party was able to access a limited subset of data that includes emails, usernames and encrypted passwords. What else is there on Plex? You're viewing my screen. But no, they did come out with the classic line, uh, rest assured that credit card and payment data are not stored on our servers and we're not vulnerable in this incident.
Yes, we say, with all of that data is handled by a trusted third party, Block. So you are...
yeah
Oh, fantastic. But, um, yeah, no, otherwise I think, uh, yeah, I can see why the biggest content, I guess the biggest discussions of the week have been around, uh, obviously Twitter's ex-security chief, because it's been a slow news week elsewhere.
Well, also because, you know, this is just generally how the security Twitterati respond, because even before the details were known or people had even read the story, there was a whole...
Sides had been taken.
Sides had been taken, exactly.
It was like, I do not care.
I'm jumping on that grenade to save Mudge.
And that's fine.
You know, there's a lot of that camaraderie there,
which is good and warranted.
But, you know, there's also like a lot...
There was a lot of that going on way too soon.
And, you know, and some people were like,
no, Twitter's OK, or this is how every organisation is,
and it's just...
Like I said, there was a lot of bad, bad takes,
which is just entertaining for me,
and I just sort of, like, collect bad takes for a living
i mean so much did it so he actually used the words that he fears twitter could suffer an
equifax level hack right did he take that he did actually say yeah that's an actual quote
um and i just want to be clear that twitter does not hold anything near the sort
of data that equifax holds you know two very very different industries so whilst you know they may
get exploited by a vulnerability that should have been patched at six months previously
i think the fallout is very different right because you're not using twitter to secure your you know mortgages
you're paying me to get credit to you know all that kind of or are you i don't know how people
are using twitter these days but i think it's that okay it might be bad but ultimately at the end of
the day you're still gonna lose history to, you know, your 140-character ramblings, right?
It's not...
Is it the end of the world?
So I think there's a couple of things there.
One is, like, whenever Musk tweets,
he can influence prices of stuff really easily.
True.
And I think you saw that,
how a former president
used to use Twitter as well
was quite damaging in some ways
but I think that
the underlying thing again
is being lost in the security discussions
is that the disclosure
was really to Congress or whoever
because there were violations of...
It basically felt that the board had been lying to the regulators.
That was the real thing.
And obviously, as part of his remit and what have you,
they were lying about how seriously they take security
and that's where all the things are.
So I don't think it's the actual technical things, in my opinion,
that is the story here.
The story here is that a company deliberately misleading the board
or the regulators or whoever they're responsible to.
And I think that's where the real issue is.
Everything else is kind of like secondary in the story.
um and in that regard i think he took the right approach of you know reporting it in the correct manner but um
but yeah interesting take thank you very much for this week's... Industry News.
The Host Unknown Podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
Ah.
Indeed.
And so we are rapidly running towards the end of time,
which just leaves us with one more section.
Tweet of the week.
And because Tom always likes to play that twice,
oh, it actually went off on its own.
I think he's actually fixed it so it plays twice
rather than having to press it twice.
Nothing to do with you, premature, like, you know, tweeting.
hey me and premature stop using those words together i'm getting fed up with it
um that's how a rumor starts so i uh you know we talk about um you know tom always talks about how
he has to edit the podcast and stuff i'm literally thinking there's nothing here that needs editing right what the only things you will hear if i can uh is insert those sort of calculator sounds that
tom always puts in when we say hey you know when i'm saying oh you know 15 years ago tom always
adds in the old calculator sounds taking the piss out of the historical times when you know i
literally used to read things on the fly and then work out the
the dates on that and um i think yeah they're coming up this is the other one coming up today
he always inserts a little bit of background music which he did share so i may actually insert uh
something a bit more upbeat i don't know you're not going to be bothered just hit publish as soon
as we're done i know this will be this this podcast will be out by friday afternoon
because uh it's coming straight out war um but alas where was i oh yeah tweet of the week
perfect so this week's tweet of the week is from eva who's either side on twitter and she says by age 30 you should know a grifter a hacker a thief
and a mastermind in order to assemble your heist team at a moment's notice
which i think is absolutely fantastic and um by age 30 i think i did know all those people
jav how about you i didn't by age 30 but right now I can say that I know a burnt out
CISO, someone with OCD, a confidence person who has no clue, and a millennial that only communicates
in memes. So as long as the heist is to create a fake cyber security company to get VCs to invest in,
then I think I've got the perfect heist planned.
This could actually work.
I see money in our future.
Yes.
Well, that went quick this week.
It did.
It was just painless.
It was very fluid.
Enjoyed the conversation.
Didn't have to repeat ourselves, speak louder because of the harder hearing.
No, or explain.
Didn't have to explain things.
Cop culture references.
So I should actually pre-warn you.
I'm not going to be here next week.
So you'll be doing the show solo.
What?
So everyone else has taken time off, right? So I'm going to take time off next week, uh, last week of the
school holidays so uh yeah uh well i don't know i might be or else i might be going to hever castle
it's uh it depends on the weather so if it's terrible weather i'll be here if it's not you know i'll just keep keep people in uh
keep people on tenterhooks i don't know should we should we pray for rain or not i don't know
that's the question let us know anyway thank you jav for your time this week it has been
a pleasure as always you're welcome, always a pleasure, never a chore
and for the rest of you, stay secure
my friends
you've been listening to
the Host Unknown Podcast
if you enjoyed what you heard
comment and subscribe
if you hated it, please leave your best insults
on our Reddit channel
worst episode ever r slash smashing security and we're out
that was um relative see he's got a whole you know like stream deck and
stuff where he presses the uh the jingles and you know i've done it all with soft buttons it's all
here on the panel. It's seamless. It's over-complicated stuff.
He sent a picture of his new desk set up the other day,
isn't it?
Like three monitors, a laptop, a MacBook Pro, an iPad.
There's all these things.
What did you do that for?
For PowerPoints and Excels.
It's just over-complicated.
It is.
Keep it simple