The Host Unknown Podcast - Episode 143 - The Flat Roof Special Episode
Episode Date: March 10, 2023

This Week in InfoSec (11:47)

With content liberated from the “today in infosec” twitter account and further afield

4th March 1989: The article "COMPUTER DETECTIVE FOLLOWED TRAIL TO HACKER SPY SUSPECT" was published. It covers how Clifford Stoll's discovery of a 75¢ accounting discrepancy led to the arrest of Marcus Hess. It was also the topic of Stoll's book, The Cuckoo's Egg.
COMPUTER DETECTIVE FOLLOWED TRAIL TO HACKER SPY SUSPECT
https://twitter.com/todayininfosec/status/1632213421268533250

8th March 1993: AusCERT (@AusCERT) began as the Security Emergency Response Team (SERT), when it commenced incident response operations in Australia.
Forming an Incident Response Team
https://twitter.com/todayininfosec/status/1633511448000299014

Rant of the Week (16:45)

https://sports.yahoo.com/ransomware-group-posts-nude-photos-003700829.html

Twitter just let its privacy- and security-protecting Tor service expire

Twitter has allowed the certificate for its Tor onion site to expire, effectively killing off a privacy- and speech-protecting service that it introduced last year. Visiting the Tor-specific onion site address will now deliver a warning that the certificate verifying the site’s authenticity has lapsed; proceeding past that point (which is highly not recommended) currently delivers a Twitter error page. The certification expired on March 6th, just shy of two days before the site’s one-year launch anniversary.

Twitter no longer has a communications department to ask about the change, but the Tor Project confirmed the service’s lapse to The Verge. “The onion site is no longer available seemingly with no plans to renew. The Tor Project has reached out to Twitter to look into bringing the onion version of the social media platform back online,” said communications director Pavel Zoneff in a statement. “People who rely on onion services for an extra layer of protection and guarantee that they are accessing the content they are looking for now have one fewer way of doing so safely.”

Billy Big Balls of the Week (25:23)

Where are the women in cyber security? On the dark side, study suggests

If you can't join them, then you may as well try to beat them – at least if you're a talented security engineer looking for a job and you happen to be a woman. As we've noted before, the infosec world moves at a glacial pace toward gender equity. It appears that's not the case in the cyber criminal underground, according to Trend Micro, which recently published a study in which it claims at least 30 percent – if not more – of cyber criminal forum users are women.

For its study, Trend Micro looked at five English-language cyber crime forums: Sinister, Cracked, Breached, Hackforums and (now defunct) Raidforum. And it inspected five Russian-language sites: XSS, Exploit, Vavilon, BHF and WWH-Club. To be fair, Trend Micro's methodology is a bit iffy – and the report itself admits as much. Users on these forums are largely anonymous, necessitating use of tools like Semrush and uClassify's Gender Analyzer V5 to make what amounts to guesses – at best. Nonetheless, Trend Micro said it analyzed posts and traffic on the ten forums and found that, for English language sites, some 40 percent of users appear to be women, and 42.6 percent of Russian cyber crime forum users were women, or at least write like them.

"When compared to Stack Overflow, a developer and programming forum, only 12 percent of visitors were female," Trend Micro said of its use of Semrush. Gender Analyzer V5 is trained on 5,500 blog posts written by women, and the same number by men, in order to analyze language for signs of gendered usage, which Trend Micro used to analyze a subset of profiles on English site Hackforums and Russian XSS. According to the report, 36 percent of users at Hackforums were likely women based on their use of language, and 30 percent of XSS forum users were reportedly women based on the same analysis.

So, what does that all mean? According to Trend Micro, it indicates that the cyber criminal underground is more meritocratic than the white hat world. "Developers are valued for their skills and experience, and not necessarily for their gender when it comes to conducting business in the underground," Trend Micro said. As such, they say that investigators should avoid defaulting to "he" when discussing cyber criminals. But there's a more obvious lesson to be learned here. If you overlook qualified security professionals on the basis of gender, don't be surprised if they end up on your radar again. Though perhaps in the form of a researcher bearing a friendly breach notice, and not someone out for criminal profit.

Industry News (30:57)

DoppelPaymer Ransomware Gang Members Busted in Germany, Ukraine
Two-Thirds of European Firms Have Started Zero Trust
Russian Disinformation Campaign Records High-Profile Individuals on Camera
Shein App Accessed Clipboard Data on Android Devices
Government Claims New UK GDPR Will Save Firms Billions
US RESTRICT Act Gains Support, Empowers Biden to Ban Foreign Tech
House Members at Risk After Insurer Data Breach
Tehran Targets Female Activists in Espionage Campaign
TikTok Initiates Project Clover Amid European Data Security Concerns

Tweet of the Week (38:04)

https://twitter.com/pookleblinky/status/1633359031875039234

Come on! Like and bloody well subscribe!
Transcript
This feels like it's going to be a particularly high energy episode.
I know, I'm trying to think. Um, sorry, I'm just multitasking, you know. It's like two days at a
conference and you come back and like there's emails and messages and everything.
Don't be clapping loud on your keyboards.
No, I actually got out my Apple keyboard for this,
so it's a bit quieter than my mechanical one.
So you're basically multitasking your way through this episode.
Well, don't you all?
I mean, our listeners multitask their way through listening to us.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome, welcome one and all to episode, he says, looking quite quickly, episode 143.
147.
Of the Host Unknown podcast. Yes, indeed.
How the hell have we made it this far?
Is it just, it's more work to stop doing it?
Yeah, I think persistence is key.
Persistence.
No one preparing to accept defeat.
I think it's just pure stubbornness.
I think we're persistent like a rash,
not persistent like as in good habits.
The athlete's foot of podcast
Speaking, speaking of athlete's foot, I told you I've got an MRI done a few weeks ago,
and the report came back, it's got loads of weird terms and what have you, and one of the terms I
googled and it said runner's knee. So I am literally turning into a full-blown Olympic
athlete as we speak.
Athletes for runner's knee? I don't know, like, power lifter's appendix soon.
I don't know, I'm getting wanker's wrist.
Yeah, let's call it a wanker for sure.
Oh dear. Anyway, Jav, how are you, apart from your, uh, athletic, uh, abilities and prowess?
You know, if you do a DNA test, I'll score 99 athletic. That's me.
But the problem is, if you do an IQ test, you'd come back as negative.
That's only from doing this podcast for so long.
I was at the Cloud Cyber Security, one of these events at ExCeL Centre, for the last two days. I
can't remember the name. The ones that blend into each other, they all sound the same, because there's
something to do with cyber and they're co-hosted with, like, some data centre and some dev. It's just
a different sponsor on the door, isn't it, every time you go?
Honestly, because they're all in ExCeL, they all blend into one. You could, you could take a picture there, or video, then you could say this is Infosec, and you say yes, it is, or you could say it's Cloud World, yes, it's blackout, yes, they're all the same.
It's, uh, but it was, it was good. It was, it was quite a busy thing. I had a speaking slot, which went immensely well.
Um, what were you talking on, um, about?
I was talking about security. Yeah, security awareness, I think that was what I was talking about. Okay.
Um, okay, that, that was a terrible recovery. But yes, yes, yes. But the, the bit of sad news I've had this week is that you might remember going into DIY mode, housing mode, middle-aged men speaking about their housing problems.
Ah, yes, I'm sure we'll hear about Andy's bushes next.
Or his boiler.
And today we're talking about my flat roof, which started to leak a couple of nights ago
when the, the rain was...
A risk with flat roofs, terrible. Honestly, cannot get...
So, we, this was from the extension downstairs, and the builders, they didn't do a good job on that roof. They put
on that, that new fibre thing, so instead of the felt it's like this, this fibre that's
all meant to go on in one piece once it hardens and whatever.
There wasn't enough of a slope in it they put, and, you know, it was just –
and you can never get hold of them again.
And now it's slowly like the damp has been coming through.
First it was like near the skylight a bit, and now it's like the other night
it was just like literally like a crack appeared
and water started dripping through.
So I've chucked the kids a summer splash pool on the roof over the crack.
That's the temporary fix.
You're going to do a Shawshank Redemption and have them up there with buckets of tar and mops.
I think that's the way to go.
Honestly, I've been Googling this stuff, YouTube.
It seems pretty easy.
And so next week we'll be hearing about
how you're having a brand new extension built
after you caved in the roof of your last one.
And he'll be calling from his hospital bed
after putting his back out,
falling through a flat roof.
Well, not me.
One of my kids, maybe, but not me.
One of his kids landed on him after falling through a flat roof
whilst he was directing from the ground.
Entangled him in his deck chair.
Andy, what about you?
Any home disasters or bush trimming required?
No bush trimming of the variety you're thinking of.
Home disasters of...
Do you know what?
I'm not even going to.
For some reason, the top half of my house will get warm,
but the bottom half won't.
The radiators downstairs are not coming on when the upstairs is.
And I'm like, I do want to call the plumber, but it's like, I just can't be arsed. So this is going to be what's going at the
moment. No one thermostat, like, it used to work, it just, it's just a random system. Um, but it's like
we're only, like, one week, one more week of snow and then we're back here into summer, basically.
Right, so you can ignore it until, until the snow comes in December, when you go, bloody, where did I get this?
Yeah, no, I will get him out, um, yeah, in the summer. Other than that, no, busy week coming up to the end of the financial year,
so, yeah, just a bit chaotic. And I went out with the, uh, a couple of the girls from the team,
a couple of lawyers.
A couple? I think you went out with all of the girls in all of London last night.
I saw the bill
for Christ's sake
there's only five of them
but no
they are
yeah
incredibly
intelligent people
so
what
women generally
well no
these ones in particular
they're all lawyers
right
they're all licensed
to practice law
in like different
countries.
And, you know, there's me, barely able to speak English.
What's the point in Brexit if you're going to learn law for other countries?
Everyone should be doing English stuff anyway, right?
Yes.
We're going to colonise half the world to have to follow some damn...
I know.
Tell me about it.
Some bloody fuzzy wuzzy legalese.
Dear me.
Yeah, nice little de-stress.
The first time I drank alcohol
since Friday the 6th of May 2002.
Wow.
2022, sorry.
Oh, that's good.
2002? 2022. So you went nearly a year?
Nearly, yeah. It was, uh, yeah, I didn't set any sort of expectations or anything, but, uh, yeah, last night they actually
only serve wine in this bar. Um, didn't even have sparkling water.
What, seriously?
Yeah.
I guess you could have had a jug of Thames or something like that.
Uh, well, they serve that anyway.
Yeah, yeah, which, uh, isn't for me. But yeah, no, how was your week?
Very good. Do you know, I, I thought I was going to go for a Microsoft Office, um, uh, what you, what
you call it, hat trick this week. It was, it was, it was quite funny because on, let's see, Monday night, I went into, well, Monday, I went into London and a friend of mine is applying for a new job.
So she sent me her CV and the, you know, applying statements or that sort of thing.
So I spent two and a half hours on Word all night Monday, um, basically going through everything and, you know,
upgrading and, you know, all that sort of stuff. And then Tuesday, another friend...
Upgrading Word or her CV?
What? Her CV. Upgrading.
So you basically just took the template. You took the template and, uh,
just changed, to put her details into it.
Yeah, did a big grammar check and all, or anyway. So a couple
of hours on that.
And then the next night, another friend of mine,
she had problems with Excel.
So I spent two and a half hours working through these really complex
formulas on Excel.
And then when I heard…
So, auto-sum, right?
Yeah.
Well, yeah.
Select the column auto-sum.
Complex for me, obviously.
And then Wednesday, when I heard that Jav was at a conference,
I thought, God, what are the chances if he asked me to look over
his presentation in PowerPoint?
That would be hilarious.
And he didn't.
So unfortunately, I didn't get the hat trick.
Well, so you know why?
The problem was, had he had told you he had a presentation,
it would have alerted us to the fact that he was speaking.
Yes.
Well,
yes.
And so no,
he,
you know,
he didn't tell us who was there until after he had been on stage or
whatever.
So yeah,
it's like,
he said,
you know,
there's no point in trying to call my phone or blowing up my phone
because yeah,
I'm finished.
And let's face it,
Jav is the sort of person who'd leave his phone on.
Yeah.
Absolutely.
And then last night I went out to a concert in Bristol with all the young people. Uh, I was stood at the side while they were all in the mosh pit, and there was me thinking, if it
wasn't for my knees, I'd be in there too.
And you wonder why your persistent cough isn't going anywhere. You're burning the candle at both ends. You can't do that.
I know, I know.
I know
but yeah it was very very good
very good
I tried to sneak into
a VIP area
and got told off
by a security guard
so that was fun
very unlike
your experiences
at security conferences
and stuff isn't it
exactly
you walked up to me
and said
you know what
I'm going to say to you
don't you
innit
So, but yeah, very, very good fun.
Very good fun.
So talking of having security whispered into your ear, shall we see what we've got coming up for you today?
Very smooth.
That was good, wasn't it?
I thought I was going to say talking of having fun.
No, no, certainly not for this podcast.
This week in InfoSec takes us back to a time
when a group of security professionals decided
that they wanted something done right.
So they did it themselves.
Rant of the Week continues to gaze at the Twitter fecal performance
from a safe distance.
Billy Big Balls pays homage to the underappreciated women
in cybersecurity.
Industry News brings us to the latest and greatest
security news stories from around the world and
Tweets of the Week is someone making
the best of the previously referenced
Twitter fecal performance.
So
let's move on to our
favourite part of the show, the part
of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content
liberated from the Today in infosec
Twitter account, and our first story shall take us back to the year I was born, a mere 34 years ago,
to the 8th of March, no, even the 4th of March, um, 1989. There's going to be a lot of use of the calculator sounds in this.
So, 4th March 1989, the article Computer Detective Followed Trail to Hacker Spy Suspect was published.
And this basically covers how Clifford Stoll's discovery of a 75 cent accounting discrepancy led to the arrest of Marcus Hess.
It was also the topic of Stoll's book, which was called The Cuckoo's Egg.
And if you don't know about it, you absolutely should.
So it's a nonfiction book, obviously written by the aforementioned Clifford Stoll.
And he essentially became a computer security expert, you know, as he went on this journey.
So, you know, he wasn't prior to that, but he basically tracked down a hacker that had infiltrated the US government, you know, computer network.
All because he discovered a 75 cent accounting error, you know, on the network of Lawrence Berkeley National Laboratory.
And he couldn't let it go. Everyone was saying, hey, look, it's just a
rounding error, it happens, this stuff. But no, these guys were actually siphoning off, um, you know, like...
Yeah, and it was just using the university's, like, a jumping off point, weren't they, or something?
Yeah, but this book is, I mean, it's probably one of the first books I read getting into security.
it was definitely my first book.
And you'll never guess who introduced me to it.
Was it Clifford Stoll himself?
Oh, no, I wish.
Now that would be a story, wouldn't it?
It was my grandmother.
She read it.
Ah.
She read it.
There's a recipe for Clifford Stoll's mother's cookies in there.
And she thought she'd also try and make the cookies
as well. So, yeah, she said, I've read this book, I think it's brilliant, I think you'll enjoy it. And
this was back in, well, the late 80s. So, yeah. But, yeah, absolutely, it's a book that you absolutely
shouldn't... I think we did talk about this maybe this time two years ago on This Week in... But, um,
yeah, definitely, uh, if you haven't read it, get out there.
You can even download it for free now.
There's various copies.
But alas, our second story takes us back a mere 30 years
to the 8th of March, 1993, when AusCERT,
the Australian Computer Emergency Response Team,
began as the Security Emergency Response Team,
also pronounced CERT, but with an S,
when they commenced incident response operations in Australia.
And the funniest thing about this is it started off
as three Brisbane-based universities,
Queensland Uni, Griffith University and University of Queensland. They
all applied to the federal government for funds to establish this response team,
um, saying, like, how important it was, you know, like, the internet's expanding, we need to protect
against, you know, various nefarious activities and, you know, sort of set standards. Um, and so they
applied to the federal government for funds and the government rejected them. They're like, no interest in funding this. Uh, and the universities just decided to do it anyway and, uh, self-funded it.
Um, now, mate, you're going to have to do that yourself.
Yeah, but if you think, like, you know, back then
everyone's saying that this is really important, that we have some type of coordinated, you know, response
team for this thing called the internet, which is coming, and the government's like, nah, not on my watch.
It's a bloody flash in the pan, that
internet thing.
Exactly. And now look at, like,
every country, or almost every country, has
a recognised CERT
that plays a critical
role in defending national infrastructure,
and many
of them volunteer-driven and
funded, right?
Yeah.
Which is still shocking.
So you've got to set the standard.
Yeah, that's right.
Set the standard for saying, now, mate.
Brilliant. Excellent.
Thank you very much, Andy, for this week's...
This week in InfoSoul.
This is the podcast
the king listens to.
Although he won't admit it.
No, he
won't. Let's get
cracking, shall we? Because we've all got
meetings to get to.
To the angry part of the show
that we call... Listen up! Rant of the Week. It's time to
Mother Rage.
So, uh, there we've got the story about Twitter, but there is one that I would like to, uh,
reference first of all, just very briefly, and I don't want to talk about it too much because I
think I might actually explode when I, when I, uh, talk about it too much. Uh, but there was a, there
is a Russian ransomware gang, uh, sorry, a ransomware gang with Russian ties, let's be clear, uh, has been
accused of posting nude photos of cancer patients online after a Pennsylvania health care group declined to meet its demands.
Yeah.
All I can say is look at yourselves in the mirror
and go and call your mothers.
Please.
Just.
It's just a special place in hell for these people.
It's disgusting.
And I think one of the reasons why we're not covering this as well, apart from me exploding, is that even Jav couldn't disagree with me on this one.
No, no. Just, please, oh my God, scum of the earth.
Anyway, let's go on to the one that Jav probably could find a place to disagree with me, because that's where the fun lies. So Twitter just let its privacy and security protecting Tor service expire.
So Tor, as you know, the onion router ring?
I can't remember.
It's just Tor now, which is one of the ways you can access what's often known as the dark web, but also a protected version of the web used,
and in fact created, I believe, by the US Navy, to allow, uh, people to communicate during the
Arab Spring. Wasn't that the, the origination of it? Was that the start of it? I don't know.
Generally, yeah, any sort of repressed, uh, people that have got censorship.
Yeah, exactly.
Exactly.
You know, because it basically creates its own encrypted tunnel
within the internet and host sites there and allows communications,
et cetera.
So it's seen as, you know, having communications services on Tor
is seen as actually a very, very good thing.
Well, Twitter, well, in order to, to access this site, you obviously have to have a
security certificate, to obviously have to be maintained, and, you know, otherwise just anybody
can get on there, blah blah. Twitter has allowed its certificates to expire, uh, which basically,
essentially, kills off the, the, uh, the, the service, uh, for Tor, and it only introduced it last year, pre-
Elon Musk, of course. So when you visit the Tor-specific onion site address that
go for Twitter, it now delivers a warning that the certificate verifying the site's
authenticity has elapsed, and proceeding past that point currently delivers
a Twitter error page. And you shouldn't even, you know, go past the point of anywhere that's got an
expired...
But we all click, I understand the risks. We all do.
Yeah, exactly, yes. But I want what's on the other side of this.
Um, so the certificate expired March 6th, just a few days ago. Uh, so, and this comes down
to, I believe, effectively, I don't even think Elon was even interested in this. He doesn't even know
it existed, and he just fired all the people in the company that did. And so therefore there's nobody to do it. But what's happened is a service that actually many people rely on
for their, quite literally, their personal safety has just disappeared.
So it's, you know, to not only, and Twitter have now got a habit of this, right,
to not only just, you not only just stop the service,
but unceremoniously so with no warning,
no impact assessment,
no kind of, you know,
what is this going to do to people?
It's just stopped.
And I think it winds me up
because the incompetence of the man knows no bounds.
He's really been exposed, isn't he? People used to think he was an absolute genius.
But sorry, sorry, the incompetence of the man who, who, uh, put electric cars on the map, who put reasonable rockets into space?
No, so he acquired a company that put electric cars on the map.
So anyway, regardless, I'm not here to make personal attacks
against people who aren't here to defend themselves.
That is very beneath me.
What I will say, though, is you say this is a bad thing.
I say this is a great thing because...
For oppressed people or everyone.
So the Chinese government can finally find out
who's been leaking information about the Uyghur Muslims
being tortured and stuff like that, right?
Because I truly think at this point in time,
Twitter is an untrustworthy site.
You shouldn't be having any expectations
that you can have private DMs or private messages on it,
generally at all without,
you know, them folding over like Graham Cluley at the first sign of a legal request.
Oh, the irony. The irony of you saying...
People in glass houses, Jay.
With a leaky flat roof, might I add.
Yeah, that's right.
But what's to say if the government doesn't go to Twitter right now
and say, give me all the list of people who, you know,
live here or do this or do that, what have you,
they're going to do it anyway.
Well, they can do, but, yeah, one, they don't have to, you know,
you don't have to register with the real details.
And two, the whole point of Tor is that it's protecting that information. It does. So Twitter wouldn't even, even regardless of what
Twitter handed over, they would not have your location or your details.
They won't, they won't.
But I, I just think it's good, because I think people who, they are literally in dangerous positions, I
think even with Tor I wouldn't recommend they use Twitter.
That, that's just my personal... And so I think in this way it's a good thing, that by turning...
Yeah, if they're posting stuff publicly, it's different. Like what you're talking about, DMs
and stuff, like, there isn't, everyone knows, no expectation of privacy there. But if you're
publicly posting stuff, you know, photos of, like, you know,
riots you're in and, like, you know, where people are getting, you know,
human rights abuses and stuff like that, they are posting it publicly.
Use another platform.
Use Telegram and send those pictures to your favourite journalist
at the Beeb or something.
I don't know.
Use Telegram.
So the Russians can control it.
Yeah, and have Putin get access to it.
And also, I love the way you call Twitter untrustworthy.
So untrustworthy that you give them money every month.
You know what?
Keep your friends close.
Keep your enemies closer.
That's why I give Elon Musk money and I chat to you two every Friday.
I'm trying to work out which one we are.
I'm trying to work out which one we are.
But anyway, I do think that we're going to see a lot more of this sort of thing coming through on Twitter with things failing.
And in fact, we've even got a little bit on it later on as well.
Things failing, things falling over, things not being renewed.
Like I've been saying, in two weeks, Twitter will fold. And I've
been saying that for months now.
So it wasn't going to make it past the weekend, wasn't it?
No, that's right. If it's not down yet, listen to this podcast again next week.
Yeah, that's right, or next year, one or the other.
Yeah, yeah. So if you keep saying every episode, Tom, then at least when
it does go down you'll say, see, I called it, listen to this week's episode.
Broken clock is right once a day.
Twice a day.
Twice a day.
Well, it depends if you've got a 24 hour clock on.
Who the hell has a 24 hour clock on that?
Anyway, 24 hour clock, that's how you tell the time, the best way.
Anyway, uh, that was this week's slightly less head-exploding Rant of the Week.
Rant of the week.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell the difference between us
and a premium security podcast anyway.
Right, let's move on.
We're going to move on to the, well, slightly incorrectly termed this week, I think,
Billy Big Balls.
Yes, yes, yes.
So, like you said, alluded to, the topic is,
where are the women in cyber security? The answer may surprise
you. So if you can't join them, then you may as well try to beat them, at least if you are a talented,
hungry, you know, security engineer looking for a job and happen to be a woman or identify as a woman.
Most, most people who need a job are probably hungry.
Actually, given the state of the economy, people with jobs are even hungry as well.
So, yeah, this is true. There's only, there's only so many tomatoes you can buy for a thousand.
Yeah, yeah, but, you know, we've been talking about equality, gender equality, for a long time, and it, it moves very slowly.
It, it's, um, you're doing your best to slow it down though, aren't you, Jav? Like, every time momentum gathered, you
managed to, you know, find a way to raise that glass ceiling.
Wow, okay.
Is that the glass ceiling underneath the flat roof? Yeah.
Guys.
So, glass ceiling aside,
apparently where there isn't a glass ceiling is the cyber criminal underground,
according to a report by Trend Micro,
which it claims at least 30%,
if not more, of cyber criminal forum users are women.
Interesting.
So I was going to say, do you know what?
I'm fed up with criminals doing cybersecurity better than us in everything.
First of all, you know, they're, they're, they're organized and they're creating,
you know, as a service products.
And then they've created marketplaces where you can rate each other
and score each other's products.
Sales structure, commission schemes.
Sales structures, incentives.
They've even got HR managers that actually listen and are just as stressed.
And now they've beat us at the gender equality thing.
I know, I know.
What the hell?
No word on what they're... No word.
I wouldn't be surprised if they get, like, you know,
two years paid maternity leave and all that.
Flexible working hours.
Flexible working hours.
A crash in the office.
So, for its study, and this is a bit of the methodology
that I think people were like, well, how did Trent come
to that conclusion?
They looked at five English-language cybercrime forums
and it inspected five Russian-language sites.
And, you know, the methodology is a bit like, okay.
But it's consistently applied, though, isn't it?
Yeah, it's consistent.
And because the users are largely anonymous,
so it looked at some tools,
there's called SEMrush or Uclassify's gender analyzer
to guess whether this was written by a male or a female
because there's slight changes in the way the language are.
Yeah.
And based on that they
said that it was, uh, you know, some 30, 40 percent of the forum users were women, or at least write
like them. Which is, which, I don't know what that means. But, um, you know, what, what I'm interested in is, are
they, are these actual hardened criminals on these forums, or are they, like, just women on the forum
saying, I think my boyfriend's cheating on me, can I track him, can I hack into his phone, can I, like,
you know, put a tracker on his car, kind of thing? I, I don't know.
I suspect it's probably more management. I reckon it's the, uh, the women that actually organise everything.
Probably, probably, yeah. They're probably, like, the, the intermediary, like, yes.
Um, maybe. You, you never know. But, um, yeah, so, um, if, if you overlook qualified
security professionals on the basis of gender, don't be surprised if they end up on your
radar again, perhaps on the side of a researcher bearing a friendly breach notice and not someone
out for criminal profit.
Well, yeah, I didn't know where he was going with that, but...
I'm just reading the notes that was in the document.
brilliant
because never let it be said
we research our stories
in depth before we go online
and say them
Brilliant. Thank you, Jav.
Billy Big Balls
of the week.
You're listening to the award-winning Host Unknown podcast.
Like a real security podcast, but lighter.
Ding!
Right, it is that time of the week where we are going to hand over to Andy to say the words that are written in the show notes.
It is our time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
I bet you wish you made that shorter now.
I do.
Industry news.
DoppelPaymer ransomware gang members busted in Germany, Ukraine. Industry news.
Two-thirds of European firms have started Zero Trust. Industry news. Russian disinformation
campaign records high-profile individuals on camera. Industry news. Shein app accessed
clipboard data on Android devices. Industry news. Government claims new UK GDPR will save firms
billions. Industry news. US RESTRICT Act gains support, empowers Biden to ban foreign tech.
Industry news.
House members at risk after insurer data breach.
Industry news.
Tehran targets female activists in espionage campaign.
Industry news.
TikTok initiates Project Clover amid European data security concerns.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Do you know how we know that we're going to save billions
through this new UK GDPR rule?
No.
Because it's written on the side of a bus.
And if it's on the side of a bus, it must be true.
Must be true.
I'm just trying to see what they're going to do.
Oh, I don't know.
They're going to do what Trump did, which basically just cut legislation and allow companies
to shaft people.
So I'm pretty sure these things are...
So, recognising the need to protect and grow a digital economy, yada, yada, yada.
Government claims new legislation would provide business with greater flexibility about how they comply with data laws.
Flexibility with how they comply with data laws. There you go, right there. Yeah. So, ensure only
organisations whose processing activities are likely to pose high risks to personal rights
and freedoms need to keep processing records. Uh, so this is in GDPR already. I'm not quite sure what...
Yeah, I think they're trying to make it more flexible. If you're a Tory donor, then we won't really fine you.
That's right.
Strengthen the ICO by creating a new statutory board for the regulator.
Oh, here we go.
Introduce a new framework for optional digital identity verification.
Optional.
Interesting.
Yeah, that's how it starts. Yeah, exactly, exactly. And I love this: two-thirds of
European firms have started Zero Trust. They probably started it about 10 years ago, when...
I know, that's because everyone's gonna say, yeah, this used to be, um, whenever, like, you know, you
do, uh, assessments on companies, you go and look at them and you say, you know, have you got any...
They'd always say, oh, we're working towards ISO 27001.
That was the phrase that you used.
We're still using it today, come on, always.
Yeah, exactly.
So, yeah, you've been working towards it for the last nine years.
Yeah, yeah.
Has anyone got any plans to actually obtain it?
Yeah.
But also, you know, they've started Zero Trust,
which basically means they've got a bring-your-own-device policy
and MFA.
Yeah.
They've got a policy that says,
please apply principle of least privilege.
Yeah, yeah, exactly.
Exactly.
I mean, technically, that kind of falls into it, doesn't it?
I mean, tell me otherwise.
Technically correct.
Technically correct.
Exactly.
The very best kind of correct.
So what I love among these stories, moving on, is that on one hand,
you've got places like Twitter falling apart, no Tor services,
certificates expiring, no HR department, no nothing.
And it's like, oh, that's just Elon being
Elon. And on the other hand, you've got TikTok, who are, like, bending over backwards, and now they
initiate their Project Clover just to try and appease these people out on a witch hunt. And, uh,
you know, they've actually said that this Project Clover, um, will move away from meeting
industry standards to setting a new
standard altogether when it comes to data security. Yeah, they're spending 1.2 billion
to migrate all European data to Norway or Ireland. Yeah. Where is it at the moment?
Uh, various places across Europe, I think, because it connects... It can be supported by engineers in China.
Right, right, right, right.
Which, as a global company, is entirely reasonable.
Well, yeah.
Yeah, exactly.
Exactly.
Yeah.
Yeah.
So this is just, like, you know, a ridiculous level of, like,
investment by a social media company that just does dances, primarily.
And it's, you know, it's... I do think this is such a big witch hunt, and what's
going to happen, I think the problem, people are shooting themselves in the foot, is that TikTok
will set a far higher standard. Yeah. And you're going to look at it and say, like, well, Facebook
doesn't meet that standard, Twitter doesn't meet that standard, Instagram doesn't meet, you know, whatever it is. But China.
But, but China. Exactly, exactly, exactly. Yeah. So, and, and finally, before we move on, I think the Shein
app accessed clipboard data on Android devices. Well, colour me surprised, it's an Android device, what
do you expect? There was a... I'm trying to think. There was, a couple of years ago, there was something about other apps
doing the same thing, and that was across... Fake news when it came to iPhones, definitely.
It was on iPhones as well. It was, uh, I'm pretty sure it could have actually been, um, Twitter or
TikTok that did it, one of the T ones. Yes. Oh, hang on, yes, an app that I used. I do
remember that, yeah. Um, oh, crap, I think it was TikTok. I think it was one of the original kind
of scare stories about, you know, China. Um, yeah, yeah, I do remember that now.
Interesting. Right, I think... Shall we move on? I think so. I think we've rinsed this for all we can. Uh, that was this week's Industry News.
When listeners leave the Host Unknown podcast in favour of the Smashing Security podcast,
they raise the average IQ of both audiences. You're in good company with the award-winning
Host Unknown podcast.
Once again, Andy, it forced you to take us home with this week's... Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week is from Pookle Blinky,
who says,
"It may surprise people to learn that I am a Twitter employee.
I make $156,000 a year and have literally done nothing.
Check deposits in my bank account. No one seems
to know what my job is or who my boss is." Tom's looking at that saying, rookie numbers,
rookie numbers. This whole thread actually goes on to say that this person got hired during the chaos of the Twitter transition.
Uh, the person who hired them and their boss and the three departments above them vanished, like,
days after they were hired. Um, you know, but they had time to do the paperwork, because, you know,
they get all the checks, but not enough time for their existence to show up anywhere. And it's like, you know, every single person that knows that this person is an employee got
fired or left, and it's only an automated payroll processing system that's paying them.
If this is like a movie, like, you know, it's like one of those undercover, in Superman... Yeah, undercover
agent goes out for a few years, and, like, their handler and, like, whoever the FBI contact is, they're,
like, dead or something, and he comes back and no one knows who they are, or who can vouch for them,
or what have you. But they're like, wow. It's, uh, because there was another one on
Twitter about, um, years ago when Circuit City went out of business.
Yes.
People everywhere were –
The Circuit City shuffle.
Yeah, that's right.
Everybody was sort of burnishing their CVs to sort of say,
yes, I was the senior procurement manager of Circuit City.
Basically, this is exactly what's going to happen with Twitter
because nobody in HR, if they even exist anymore,
is going to return a call or even confirm anything.
So you could say you were whatever you wanted to be at Twitter.
I was deputy CISO for Twitter.
TikTok, that would be your dream.
Oh, man.
Yeah, madness, utter madness.
Utter madness.
Elon, please, come on.
Sponsor the show.
We'll give you a special deal.
Come on and chat to us.
He's not good for the money.
He's so...
He's hilted to the eyeballs with debt.
He's not good for it.
I'm sure he could reach into his pocket
and bung us a couple of grand,
and then we'll happily sponsor him.
Just put it on a recurring payment,
and he'll forget about it,
like his employees.
Yeah, through PayPal.
Yeah.
Exactly.
But, yes, if he doesn't want to come on,
then we'll just continue on this same vein, I think,
because it's so easy, so easy.
So easy.
Thank you, Andy, for this week's Tweet of the Week.
Right, we have now come crashing into the end of the show.
Gentlemen, thank you so much for your time this week.
Jav, thank you.
Oh, you're welcome.
And Andy, thank you, sir.
Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your
best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
So I just looked up Shein, and they're also owned by China, by a Chinese billionaire.
Yeah, which is why they got so popular on TikTok, so people do, like, Shein try-on hauls and stuff.
What is it? It's like, imagine if, um, uh, what's that Primani store that we have in the UK? Primark. Imagine if Primark was mass produced
in China even more
and globalised
imagine if Primark was
So that's what
Shein is.
It's like just lots of cheap outfits,
but apparently
the sort of disposable things that people wear
once and then just being...
Talking of cheap outfits, have you listened to this week's
Smashing Security show?
I did, yeah.
No, what's up with that?