The Host Unknown Podcast - Episode 20 - Dr Foster Went to Gloucester
Episode Date: August 21, 2020

The one without Jav. Mostly.

Tweet of the Week
KnowBe4 release their Organisational Cyber Security Culture Research Report, and no registration wall to download it!
https://www.knowbe4.com/organizational...-cyber-security-culture-research-report

Billy Big Balls
Athena Health guy holds his hands up after Host Unknown attention

Industry News
https://www.infosecurity-magazine.com/news/reported-data-breaches-down-2020/
https://www.infosecurity-magazine.com/news/huawei-phones-updates-ban/
https://www.infosecurity-magazine.com/news/outsource-cyber-services/

Rant of the Week
https://www.theregister.com/2020/08/20/uber_sullivan_charges
As Uber's chief security officer, Joe Sullivan broke the law by hushing up the theft of millions of people's details from the app maker's databases by hackers, prosecutors say. Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five and three-year prison sentences, respectively, and a fine of up to $250,000 apiece.

Come on! Like and bloody well subscribe!
Transcript
Don't say his name, he'll appear. Yeah.
Yeah, some say that if you look in your bathroom mirror
at night and say Jav's name five times, he'll appear behind you
shouting "CISSP, CISSP". Unfortunately it didn't work for now, because he's not here right now.
No, it's okay. 29 minutes late, we're good. 29 minutes late, I think we're good to go.
you're listening to the host unknown podcast
hello hello good morning good afternoon good evening wherever you are and welcome to episode 20 of the Host Unknown podcast. We have, well,
just Andy with us, as you might have gathered. Jav has failed to turn up yet again. Andy,
how are you? Not too bad. Not too bad. I was out in Nottingham this week. This is really the first
sort of in-person meeting I've had with anyone since March. Was everybody like
really socially awkward because they'd forgotten how to interact with real people?
Sort of, but also because they're auditors. Well, so they've forgotten how to interact with real people.
Exactly.
But it was interesting, to say the least.
So I drove up to Nottingham.
I didn't sort of go out the night before.
You know, I'm very familiar with the journey.
So I gave myself, you know, four hours to get there, left at half four in the morning.
And what, obviously, I've not done
since March, I've been just wearing shorts and t-shirts, like, rain, shine, you know, it's been very
good weather. Yeah. Not really leaving the house anyway, so no, just shorts and t-shirts all the
time. So I packed all my stuff and I drove up in my comfy clothes, obviously, and then I usually
get changed in the car park.
And proper schoolboy error. That must be a sight to behold.
I'll have to ask security about that one.
I have no shame.
I've tried getting changed in the car.
It's difficult.
Yeah, I don't actually sit in the car when I do it.
I happily sit in the car.
Oh, right.
Okay.
I'll just drop trou. No issue. Yeah, anyway, so schoolboy, yes. Believe it or not, but my diet and
sedentary lifestyle often has side effects, and the side effect of this since March appears to be that my shirts have shrunk.
And I was like, oh, this was a bit snug.
And I kid you not, none of my clothes fit properly.
Obviously, I didn't try anything because I've just been hanging in the cupboard since March.
Yeah.
Slowly shrinking.
Exactly.
Slowly shrinking on their own.
So after that day, I actually just wore polo shirts for the rest of the week.
It was... I was like, sorry, guys, we're all friends here,
but here's my jeans and polo shirts because that suit's been shrinking.
So I presume when the audit report comes through,
you'll be marked down for that.
Well, they're going to need to find something to mark us down with, right?
Oh, very good. Very good.
How's your week?
Good. Good. Busy. Busy.
I've been struggling to get a bit of client work out, but managed to spend some, well,
basically about 10 or 12 hours on Tuesday getting it out. It's just some test scripts, effectively. Right, you didn't find
anything in the NCC files you could use? Do you know what, I looked. That is the story that keeps on
giving at the moment, isn't it? Oh my god, I'm impressed by the amount of memes that are coming from you around this.
This is, I just, I just, the more I look into it and, you know, I'm not even going to begin to say I completely understand exactly what I've done,
because I think everything's, you know, it's still, the story is still to be told in its entirety, but what I can make out,
so they were a test center as well. Right.
And they cloned the test center machines to then train, in inverted commas, their people by basically getting them to
take tests until they passed them regularly, and then gave them the real tests. Right, this is
very much like those, remember in the old days, the sort of boot camps in India, yeah, for your
CISSP. Not even just India, I mean everywhere,
let's face it. Yeah, but no, so there was a big company in India that sort of did three in one.
It was like your CISSP, CEH and something else all in one go. It's like, wow, you spent a month in
India, you know, all accommodation paid for and stuff, and then just guaranteed pass. I think that's the,
yeah, that's the issue, isn't it? The guaranteed pass. Exactly. But I think, you know, surely, if I'm correct, I'm very happy to be proven wrong, but if NCC are, you know, running as a CREST test
center and they're cloning the test machines, that's got to be against that, you know, even if it's not in the letter of
the contract they signed with CREST, surely that's very much against the spirit, right? Some
sort of ethical, morally dubious. Exactly, exactly. Like I say, you know, if I've got this wrong and,
you know, they weren't a test center and they didn't clone the actual test machines,
then fair play. But, you know, let's face
it, I'm getting most of my information from memes on this particular thing, but this is how we've
done it for, you know, millennia. If you go back to the cave drawings, this is how we
understand stories, right? Yeah, yeah, very true, images and storytelling. That's right. That's why little kids have picture books at the end of the day.
Memes are just individual pictures for a much larger sociological picture book.
Yeah, yeah. And talking of pictures and potential addiction to pictures.
This is not good.
This is sad to say.
You know, I don't know if you know,
there's a footballer called Georgie Best.
Yes.
Georgie or George.
Oh, sorry, George Best.
Oh, right.
Yeah, I was going to say.
Affectionately referred to as Georgie Best.
I love some of his quotes, but I'll talk about those in a minute.
Yes.
But he also was well known for having a drinking problem.
Yes.
And even during his sort of punditry days, he was a consummate professional on air.
But, you know, there were stories about how people were worried about him when he sort of came in, you know, in the morning.
It was obvious he'd been on the sauce the night before.
And I mean, it breaks my heart to say that part of me wonders whether Jav is late today because of a slippery slope that he
fell into quite rapidly really i guess and i can only imagine it's like what happens when you try
meth for the first time. Yeah. And he's found a particularly addictive
substance, I have to say. He has, and he fell hard. I mean, I feel partly responsible for it.
For, I mean, you did hang around outside the school gates giving out free crack, let's face it. Exactly.
Sorry, that's an analogy, folks, by the way. Yes, legal would just like me to clarify. But yeah, I feel that maybe I glamorized,
you know, sort of the benefits of it. Yeah. And sort of only showed him the positives,
not really knowing whether or not he could handle it. I mean, let's face it, on our sort of Host Unknown WhatsApp chat yesterday, he tried it initially
in the morning, then literally jumped in with both feet, and then that's all we heard from him was all
about, you know, the experience he was having. Yeah, it was a little scary, I have to say, because, you
know, it wasn't like real Jav. No. And you're right,
it was actually yesterday. I'm just thinking, like, you know, for everything that's occurred,
it has all been, you know, barely 24 hours. Yeah. And so to clarify this, it's sort of a message
came through, you know, sort of, well, I guess the first one was that he was drinking
non-alcoholic Jose Cuervo. That's right, yeah. That was very strange at 2:40 in the morning. I know,
I know. I mean, that's a bad sign in of itself. As an ex-drinker, I can tell you, you know, drinking
any Jose Cuervo, alcoholic or otherwise, at 2:40 in the morning. Yes.
And then, you know, I think the reality of what happened,
you know, I think it's sort of partially whether he's asking for help or not
or just sort of letting us know at 2.47 a.m., you know,
sort of seven minutes later, he sent the screenshot and he's done it.
He has finally done it.
Actually, we should have heard that cry for help, I have to say, I feel, you know, you say you feel responsible.
And I understand why, given it was, you know, your particular, you know, addiction of choice.
Just try it.
I was telling him to try it.
I was going to him.
Yeah, exactly.
But, you know, and here I am, you know, the elder statesman here, you know, been there, done that.
I know all about this addiction thing.
It's kind of like, and I was just watching it happen.
I did not step in.
I feel very concerned.
Yeah.
And so there it was.
Was that 240?
No, no, it was actually 252.
And there it was.
We got the screenshot.
He has installed TikTok on his phone.
Yesterday was just a day of TikTok from Jav.
I think you were offline and you came back to about 72 messages,
which, to be blunt, is what happens to me with you and Jav.
So that must have come as a bit of a shock, actually.
It was a real shock and even more of a shocker
just to see TikTok
video after TikTok video, which is, yeah, you know, which you'd already seen, and in fact he repeated,
even repeated some stuff that I'd, I know, that's it, he's just lost all sense of reality. And then,
you know, as I scrolled through, it was, you know, so much goodness on there. I mean, at this point
no one was even replying to him, you know, in the middle of the night. Yeah, you know, three in the morning, neither of us. Yeah, but sort of, you know,
half ten, half nine, everyone else is working. Yeah. And, you know, he's just kind of sending
so much goodness in here, like, you know. Yeah, yeah, that's right. You know, "I'm only on a free account
now, so, you know, I can't like anything," and, you know, less than two minutes later, "OK, I've set up my own account now." Yeah. Yeah.
And then it's video, video, video, video, video. This is awesome.
Video, video, video. Love this video, video, video.
And then it was I've got to stop and do some work. And then 10 minutes later, video, video, video.
Yeah. And unfortunately, we've not heard from him since.
No, which is why we think he's late now.
I mean, even if he thought, we normally start this at half past the hour
or start our session at half past the hour.
We did it a little bit early today because I got a commitment I need
from later on.
He would anyway be 10 minutes late already.
So, you know, I think he is in bed TikToking. Yeah, not a euphemism.
I think he, so it was sort of half 11 last night, as I check, "I'm just itching,
itching blood with TikTok on phone." Yeah, I did not get that. "Just one more video before I sleep." What's this itching blood? I did not get
that. I know, I mean, you know, maybe he's, so he's passing blood. Yeah, yeah, God, so deep.
His eyes are bleeding, maybe. Haven't seen some of those videos. Anyway, I think that's enough about
Jav's addiction. You know, we, yeah, we don't want to air, you know,
wash his dirty linen in public, as such.
No, that's fair.
And we will offer him as much help and support as we can.
Absolutely.
We'll bring him down.
We'll perhaps, you know, give him like a, you know,
a safer alternative like Instagram first.
And then we'll pull him down onto maybe Snapchat and then,
and then maybe,
you know,
Facebook messenger or something,
you know,
we'll just take him down gradually when,
you know,
cause it's dangerous just to come up.
It is.
Well,
I mean,
the danger is you can't go from,
you know,
meth to marijuana,
which is essentially what,
uh,
you know,
TikTok is that,
yeah,
you know,
any of the others.
So it's,
it's going to be a long journey, but we are here for you, Jav.
Yeah, absolutely.
We'll help you.
Emphasis on we're here and you're not, Jav.
Yes.
But talking of other addictions, so, you know,
I have a little addiction for tech and toys and stuff like that.
So I got a new coffee machine this week.
Oh, good.
I didn't know Apple made coffee machines.
No, no, no.
I get my coffee machines from the Apple of the coffee machine world, Nespresso.
Oh, very nice.
And so I joined Nespresso last year.
They have this, you know, buy a machine for a pound.
You pay us a sum of money every month for 12 months.
But that sum of money goes into your account and you can use to buy coffee.
Okay.
It's a really good scheme.
So if you're at all interested in, you know, exploring coffees and stuff,
it's a great way to do it because you literally,
the money you pay every month for your machine, in inverted commas,
you can use for coffee from Nespresso.
Obviously Nespresso coffee is slightly more expensive than the stuff in the shops.
You know,
the Nespresso compatible stuff,
but it is very,
very good quality.
I think anyway,
I'm not a real,
I'm sure there are people out there who do their cold press,
blah,
blah,
blah,
who are sort of,
you know,
screaming in their heads,
but nonetheless,
you know,
you and I know each other. I think we're on a sort of similar, you know, par, and that sort of thing.
Anyway, so I bought the very basic machine, the cheapest one, the lowest spec
one, last year, on the premise that, you know, if I'm really enjoying this, then I'll upgrade.
And so I upgraded, and it arrived yesterday. It's great. It connects to the app,
obviously, and you can even alter the water volume and all that sort of stuff,
and then set it so that, make this coffee with this volume of coffee and this volume of water
and this temperature at this time, and then just put your capsule in, close the lid, and, you
know, put the cup underneath.
And then you're waking up to freshly brewed coffee.
Nice.
It's lovely.
It's a smell wafted through the house as well.
Yeah, absolutely.
Absolutely.
Like making bread, you know.
So, yeah, that's been the highlight of my week, I have to say.
But, you know, I can appreciate, because you probably know, until this year
I never actually used to drink coffee. And I didn't know you did drink coffee at all, anyway.
No, so I've never been a coffee drinker until January this year. And I was in, I'm not
flexing, but I was in South America, so, and, well, yeah, in meetings, and the only options they
had was tap water or coffee. Yeah. And you're in a foreign country with, you know, unknown quality
levels of standards of water filtration. Exactly. And so I had this coffee, and it actually wasn't bad.
So, you know, I've tried coffee on occasion, I've always found it quite bitter, but this was
actually really good coffee. I always put in, like, you know, a spoonful of sugar as well. And then
I was drinking eight cups a day. And then when I got back home, yeah, I was buying capsules. So we also have a, oh no, we've got a Dolce,
whatever the other one is, not Dolce Gusto, yeah. So my wife's a big coffee drinker, so I was
buying all of these different coffee ones, trying to replicate the taste, yeah, of this coffee,
which I hadn't proven. I can't, I just generally,
I've tried everything, but it was just black coffee. That's how I drank it, no milk. Yeah, just
black coffee. Yeah, well, same now. That's what I do, either espresso or a short Americano.
Yes, so I like long Americanos. Yeah, it's, no, but yeah, but, you know, I'm still craving for that, you know,
that actual taste.
I still drink, you know, coffee now on occasion,
but I just haven't quite found that one taste.
And it has been queried whether or not my craving is for the actual coffee
or that white stuff I assumed was sugar.
Yeah.
What you should do is put something really unpleasant into your cold water tank, so that you can't drink the tap water, and then that coffee will taste as sweet as...
Anyway, that's some advice for you on this, Host Unknown's InfoSec Consumer Advice Show.
We've spoken about addiction, coffee and addiction again.
Anyway, I think we should swiftly move on.
What have we got for you this week?
It will come as no surprise to you that we have a
Tweet of the Week, Billy Big Balls, a Rant of the Week. Which one is Jav supposed to
be doing? So Jav does little people. He's on the hook for that one. No, I think he's, oh, he's
doing Rant of the Week, so we best leave that one till last. Good plan.
Because it might be us covering it.
Not sure what's going on there.
And yeah, so we'll see how we go with that.
And yeah, as you rightly say, Andy, he's on the hook for a little people. We're not sure if it's if we're not even sure if he's going to turn up,
let alone the little people.
So, oh, well, anyway.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
I think we should move on.
Shall we move on to the Tweet of the Week?
Let's jump into it.
Okay, Andy, let's go for...
Tweet of the Week.
And it will come as a surprise this week.
It is InfoSec related.
Yay!
A topic.
And I do not actually have the supporting tweet which
goes with this, so I know various people have tweeted it, but it would be most likely friend
of the show Kai Roer, yeah, who will have tweeted this originally. I'm sure of it, even though
my evil twin. Yes, your evil twin. Very similar hairstyles, the two of you.
Absolutely.
Certainly from behind, you can't tell the difference.
It's astounding.
That's what I've heard you say before.
Excuse me, I'm just choking.
Got to set a muscle memory.
No.
Oh, God.
Stop.
Stop.
I'm joking, joking. Right, so this Tweet of the Week is about
a company that Jav is familiar with. It's a company now called KnowBe4,
but this used to be Kai's company before it was acquired. Not KnowBe4, not KnowBe4, no,
so Kai had a company.
Yeah, and his company was called Culture, wasn't it?
Get Culture.
Get Culture, yeah.
Get C-L-T-R-E.
Yeah, but it was kind of pronounced Culture, wasn't it?
And this is a really difficult thing.
I think it's one of the things we really struggle with in InfoSec.
I think, you know, yourself, myself, Jav, we're all big fans
of that, how you can influence a culture change in people. You know, it's very easy to stick tools
and technologies in, but, you know, ultimately people need to, you know, step up and sort of really
take that responsibility, you know, be aware of what they do. But how do you measure that in an organization? And this report,
I don't know, is this the third year or fourth year it's been running? I think it's more than
three, but I, yeah, I remember, I think this is his, oh, I don't know, something like that, anyway.
Yeah, but it gets better every year, I see. Oh, yeah, absolutely.
More in depth.
Yeah, fantastic.
So it's really sort of come on to the next level.
But it's essentially a report,
how are you measuring your security culture?
And, you know, they've managed to sort of baseline it
across various sectors, you know, education,
financial services, government, healthcare, insurance.
And, of course, they're able to get more and more data
because as their product is rolling out
to more and more companies,
and that's generating more and more data as a result.
Yeah, and it's just, it's a fantastic read
because there really is, you know,
I think with the Verizon data breach report
is obviously a big one that
the industry knows about. And you'll find that every other vendor has its own sort of version,
you know, the trend in cybersecurity or, you know, and it's very similar, very small sample sets,
or, you know, very custom to their product offering. Whereas this, to me, genuinely is,
you know, a massive cross-section of all the
industries, and I've never seen anyone else do this, you know, to such detail, and, you know, fully.
You know, it's not just opinion based, it's very, well, he was very careful from
the get-go to make it as, well, I want to say academic, but that makes it sound
quite dry, but certainly it's a grounding in proper academic levels of research, which are then
translated into, you know, into real world approaches and outcomes. Yeah.
So this is, if you haven't seen it,
I highly recommend you search online. It's actually on the KnowBe4 website.
It's a direct link.
There's no paywall, which I'm also a big fan of.
It's a direct link.
You can download the report.
It's knowbe4, K-N-O-W-B-E, the number four, dot com, slash organizational hyphen cyber hyphen security hyphen culture hyphen research hyphen report. Just rolls off the tongue,
that one. But it can also go in the show notes. Yeah, but yeah, absolutely. But if you just search
for "cyber security culture research" you'll find it. Yeah, it's just fantastic.
So that is my tweet of the week.
And it's just very educational.
It's one of those things I highly recommend everyone read, even if it's not really something you do.
It just helps you understand.
It brings a different perspective or even brings more color to the picture of security, if you see what I mean.
It's not the be all and end all.
I think it's like saying that the Verizon data breach report is the absolute one and only InfoSec report that you should read.
That's not the case at all. It's the same with this.
But what it does is it brings a completely different angle to our view of the InfoSec industry and challenges
and, you know, what we need to do on a regular basis,
you know, to us and allows you to modify your approach accordingly.
You know, so yeah, completely agree. Completely agree.
That's a really good Tweet of the Week.
That was a smooth, smooth cut into that one.
I'm getting there.
Do you know what? It's almost like, like you just before.
It's almost muscle memory now, you know. It's getting there for me.
It is getting there.
Oh, dear.
No, it was a good one.
And I know Kai very, very well.
In fact, last time I saw him was in February.
I was in Norway.
He had a little birthday celebration.
Okay.
Was there barbecue involved, by any chance? Because it was February in Norway. But I don't think that's ever stopped
him, though, does it? No, I don't guess it, don't guess he did. He did show me his barbecue. It's
not a euphemism, okay. He did show me his barbecue, but it was a big affair.
You know, he had family and friends and it was at a restaurant.
It was called Monty Python's Flying Kitchen.
Interesting.
But it was like an eight course meal or something.
Do you know what I mean?
It was because he's a bit of a foodie anyway.
It was it was absolutely fabulous.
So I was there with I was at the same table as one of his twin brothers.
He's got brothers that are twins and an older sister, I think is if I get that right.
If I got that wrong, Kai, my apologies.
So I was at the table with one of his twin brothers, not his twin, but you know what I mean?
one of his brothers who is a twin, and Quentin and his wife, so friends of the show
Quentin Taylor. So yeah, it was a really nice evening, and yeah, so that was the last
time I saw him. And of course, you know, not being able to catch up at all, the world's gone to shit since then. Exactly.
not necessarily related to Kai's birthday
maybe it was
maybe there was patient zero there
so yes very good
very good
right
I'm going to move straight on I think
let's move straight on
to the
Billy Big Balls of the
Week.
So, last
week, I
told a story about a chap
called Taylor Lehmann,
who is the CISO of Athena Health.
And this caught my eye last week
because a good friend of mine works at Athena Health. But Taylor Lehmann basically
effectively ripped a new one for any kind of salesperson trying to contact him. And it did produce quite a reaction. Mostly, you know,
on the whole, it was, you know, these guys have got to, or these guys and girls have got a difficult
job, you know, but, you know, cut them some slack, Taylor. Some people backed him up, obviously.
He was in the process of implementing a tool called Taylor's list, I think, or something like that.
And obviously we took the piss.
We also,
you know, talked about the fact that actually without,
without vendors and without salespeople,
very often you don't have any kind of events or anything like that.
But the big kicker was that his company was also advertising for cold
callers at the exact same time he's slating them.
At the exact same time.
Yeah.
So we took the mickey.
We felt that Taylor was, to be blunt,
being a bit of a dick about this.
Yeah.
Now, not less than, well, no, a week later,
he actually sends out another message on LinkedIn, basically apologizing.
So I think after we raised this issue, Host Unknown has actually helped deliver some change in the industry.
We're claiming it.
We're claiming it.
No one else has claimed it. Yeah, exactly. Tell us, tell us
we're wrong. I mean, you've got to listen to the podcast first, mate. And tell your friends too. Yeah,
absolutely. We'll take you down loads. And it's quite a long tweet, so I'm not going to read it out, but basically he
he effectively says I was wrong. I can't say I particularly know about how the sales industry
works and, you know, and how we generate stuff. Um, and actually I'm, you know, I'm all about
helping people grow and do better and all that sort of thing. And I should do, I should have
done better. And, you know,
he even said in the last few days,
I got some perspective of how hard sales is and works.
I got some one-to-one time with an expert in this business that helped me
build perspective now, et cetera, et cetera. And again, we'll, I'll put the,
I'll put the screenshot in the, in the show notes. But big props to Taylor for this.
Yeah.
Sometimes, you know, and not many people do this, actually.
Many people, when they're proven wrong or actually face a huge wall of,
I don't want to say outrage.
It's not, you know, it's not that big of a deal.
But, you know, when they face such a backlash
like this, they'll just, you know, mumble something under their breath and wander off. But Taylor owned
this and actually learned from it, I think. Yeah. And I think, particularly in our
industry, it's very funny when people talk about how security should have a seat at the
table.
But we, as an industry, a lot of people will tell other departments how to do their job.
And you imagine if the people from marketing told security how to do their job.
You'd be back on that high horse saying, don't you talk to me.
You don't know what you're talking about.
And we have to respect that all of these fields are expertise. You know, we do joke that, you know, sales monkeys, anyone can do their job. It is a difficult job. Yeah, I couldn't do it. I could not, no, not at all. Well, do you know, you're
sort of dabbling. You did get your mother to sponsor the show. You sold a sponsorship. Are you
saying I cold called my mother? "Hello, is that my mother I'm speaking to?" I'm
not saying it was a cold call. It was more of, you know, also upselling an existing relationship
is the way they do it. You know how you're my favorite mother? Would you like to become my
number one favorite mother? Yeah, our, my strategic mother. Puts you on a preferred
list. You get my direct mobile number. I will react, you know, much better support. But no, it is
fair, you know, like sales, marketing, you know, product guys, developers, they're all part, you know, all on the
same boat going in the same direction. Yeah. And, you know, it doesn't help to think that your part's
bigger than someone else's, because, you know, unless you actually know what that is, you know,
you're not talking from a position of knowledge. Yes, which is why, yeah, this was
a, I know when you sent this out, it was quite a. It's a breath of fresh air, to be honest with you.
And I have to say, you know, the automatic, I don't know Taylor from Adam,
but, you know, the automatic drop of respect that he had from me last week
has been more than made up with this.
Because I think this shows real maturity
and, like I say, ability to learn and grow and stuff like that,
as you rightly say.
So, yeah, very impressed by this.
So, Taylor, if you'd like to be on the show, or perhaps you could get…
If Athena Health would like to sponsor us.
Indeed. Indeed.
So, Taylor, if you're listening...
This could be your company.
Of course you're listening because you changed
your approach after
listening to our podcast last week.
But, Taylor, if you're listening,
this could be you.
Host Unknown. Sponsored by
Insert Name Here.
Athena Healthcare.
That's Athena Healthcare in case you're wondering.
But I know I used to know one of their senior execs as well.
He moved on to a different company,
but I used to work with him a number of years ago.
So I think the place where I used to work,
of course, one person goes there, one senior person goes there,
and then they start siphoning out all the old stuff.
Standard stuff.
Yes.
Standard stuff.
Yeah.
So there we go.
So, yes, actually, that was this week's
Billy Big Balls of the Week.
I like that one.
I think it's been very positive.
Yeah.
Yeah, it's good to...
Positive to drive today.
Exactly.
It's good to not moan about everything all the time.
It's easy and it's funny.
But it doesn't always do anybody any good.
So, yes, there we go.
So we are half an hour in, still no Jav, a little bit concerned,
but we will cross that bridge when we get to it.
We'll burn that bridge when we get to it.
We'll burn that bastard when we get to it.
So what have we got next then, Andy?
I was going to say our reliable sources over at the InfoSec PA Newswire
have been very busy this week bringing us the latest and greatest
in security news from around the globe.
Wow, that just rolled off the tongue.
It does.
It just flows naturally, I think it does. Our InfoSec
Stig. Yes, some say that this week he's been a bit lazy, though. Yeah, not some, I say that as well.
Sorry, he or she. And or she, yeah.
So I'm guessing he's, or she is, on holiday this week.
Yeah.
I would hope so because with this level of productivity,
not impressed.
Yeah, and they may be forced on a holiday if this is their normal for them.
You might be forced onto a permanent holiday,
if you know what I mean.
What accent was that?
I think it was a
little bit of Welsh, a little bit of Italian, maybe some Pakistani in there. Right. Yeah, so
my good fellas, you know that... Oh God, I was just thinking, this week there was a guy
yesterday, I didn't read the story, but it's one of Putin's sort of outspoken
critics, discovered he had an allergic reaction to polonium. Yeah, I thought it was to tea. Yes,
well, it's the best part, it's the head of the opposition party.
Right, that's... And you just think, why would you drink tea? Like in this day and age, it's just phenomenal that you would actually drink tea.
I saw this great picture. It was three people around a table, obviously, you know, political meeting or something.
Putin's on one side and there's two folks on the other.
And Putin's got a teapot in his hand and the two guys have basically got their hand up going, no thank you, we're allergic to polonium, thanks. But let's find... How batshit
crazy is that? How obvious is it becoming that if you're on Putin's shit list you're either
going to fall out of a window or have an allergic reaction to tea?
I mean shit
this is not a political podcast
but bloody hell
he is up there in some Billy Big Bull's territory
though isn't he
I think this is where
Trump's trying to go as well isn't it
change the rules of the country to stay in power
well Trump wants to be
Mussolini to Putin's Hitler, let's face it.
Oh dear, we mentioned the word Hitler, we should probably move on to...
So I thought you were going to say we mentioned the word Trump. I mean, that's going to be...
That is going to be the new Hitler. Yeah. Well, yeah, both of them. However, we were just about to jump into the InfoSec news.
What's been happening?
What's the big stuff that's been happening this week?
Indeed.
I'm conscious that Jav is hot.
So I'll tell you what.
Why don't you do the first one, I'll do the second,
and you do the third.
Okay, let's do that.
Okay, so in that case, folks,
with that really smooth segue in preparation,
it's time for this week's...
Industry News.
Reported data breaches down by 52% in 2020.
Industry News.
Huawei phones unlikely to receive security updates as trade ban begins.
Industry News.
Businesses opt to outsource cybersecurity services.
Industry News.
And that was this week's...
Industry News.
That last story, huge if true, Tom.
That could be a big one for you if more and more people
are outsourcing their cyber security services.
Fingers crossed, eh?
So actually, if NCC, if you could send me like a DVD with an ISO of a Crest testing machine,
then I could broaden my services.
So NCC, if you're listening, that would
be great. I'm just looking up here, there's... I actually clicked into the story. More than 50
percent of UK businesses are opting to use outsourced partners for cyber security, surveys...
This is research by a company called Scurio, if I'm pronouncing that right. Are they an outsourced
cyber security service? Quite
possibly a managed service provider. Yeah, yeah, of course. And this is, you know, just sort of
touching back on that culture report, you know, there's a company here that's got benefit
in, you know, making these headlines. Sounds... Yeah, you know, put those things out there, but
no, no, interesting. But you know what, that,
the second one, Huawei phones unlikely to receive security updates as the trade ban begins,
talk about unforced, well, I was going to say unforeseen outcomes. I mean, I think
the backlash to Huawei is heavy-handed to say the least, and well, in fact, let's face it, if it's
come from the Trump administration,
of course it's heavy handed and, well, heavy but small handed approach to this. But it's true.
What's going to happen is, you know, people who buy Huawei phones, as you know, and I've said
this time and again, people who buy Android are people who either can't afford an iPhone or don't care about security.
Right. Yeah. Fact. Yeah. And so a lot of people who have Huawei phones because they're a good product, but they are obviously significantly cheaper than iPhones, maybe not going to be in a position to be able to buy a
replacement phone. And so they're going to be hanging on to these Huawei phones for a long time and they're going to become more and more vulnerable, especially as Huawei are not going to be
issuing security updates if they're unable to issue them in certain countries. So the US,
for instance, could have a whole bunch of, you know, very insecure phones being used
by people across the board. And that's going to, you know, increase in massive
or potentially massive amounts of lost productivity
and lost money and all that sort of thing.
So, you know, it's a bit like, it reminds me of sort of like the,
you know, Mother Nature ecosystem thing.
You take one part of the food chain out and it screws up everything
around it
a similar thing to this, you take
one small player out
and actually the ramifications
are bigger than you think
so
very interesting
and quite scary
if I say so, even from my Apple white ivory
tower. Sorry, my Apple space gray ivory tower. You didn't go for the bro's gold? No, the bro's gold,
is that... I'd never heard of that. I like that one. Oh, yeah, that's... Bro's gold.
Bro's gold if you go for that one.
Oh, dear.
I think we're going to have to move on.
Yeah, we've been skirting around it.
We've been avoiding the... We've been...
Giving Jav a chance to come in and do something.
We've adjusted.
We've moved things around.
But actually, no, it is time for Rant of the Week.
Should we try and take this one together?
Absolutely.
We'll try and take this to the close together.
Okay, so now in lieu of Jav not being here,
this is going to be Tom and Andy's approach to –
sorry, I'm going to say that again.
This is going to be Tom and Andy's...
Rant of the Week.
Might have to edit that bit out.
Yeah.
So do you want to...
Go on, you start.
Okay, I was going to say, I skimmed the story.
I actually read some of this this morning.
In fact, I read El Reg this morning.
I read the whole thing.
So let me start and then we can chime in in that case.
So you may recall from, what was it, a year or two ago,
something like that, Uber had a breach.
In fact, it was their second big breach.
Yeah.
Lost a whole bunch of data.
And their CISO and CEO effectively hushed it up,
paid $100,000 in Bitcoin to the hackers,
two hackers in particular,
got them to sign NDAs and commitments that they would delete the data and then called
it a bug bounty
exercise. So it's
2016. 2016? Oh my
God. Yeah, time's moved.
Yeah, have indeed.
Yeah, got to
and called it a bug bounty.
Sullivan, who
actually used to work at eBay, Facebook,
PayPal, all the big names, and is now at Cloudflare, I believe.
Yeah.
Has basically, he's been arrested
Is that right?
He's been charged
No he's been charged
That's right
He's been charged with concealing knowledge of a crime from law enforcement
Yes
Which they're very
hot on in California, I believe. Well, California is very good on the whole privacy
thing anyway. Yeah, they are the trailblazers in the US on that front. So it's potentially a
three to five year prison sentence and a fine of up to $250,000 per charge.
There's more than one charge there.
That's quite a big deal.
I mean, can you imagine as a CISO being hit with that
and being told that, you know,
I mean, that's, you know,
fine me my brown trousers time.
But especially from the past as well.
You know, so this has obviously been an ongoing investigation
that has finally come through.
But I guess it's harsh for Sullivan
because I think his current CEO at Cloudflare
came out in support of him, sort of saying that, you know,
he doesn't recognise
the way he's sort of been portrayed in the past as, you know,
this person that sort of tries to cover things up.
You know, they've spoken out in support of him saying,
you know, he's made a massive change to culture.
Yeah.
And I think it's probably worth pointing out as well that, you know,
Uber weren't exactly in a good position when he joined.
They were quite a toxic company.
Yeah, there's rumors of the internal employees
sort of stalking ex-girlfriends or celebrities,
like how they could just, was it called God Mode, wasn't it,
they had where they could just plug in and do that.
And then there was stuff where, oh, was where reporters were blackballed
from being able to get Ubers or something.
They knew people that had written negative reviews about them.
Oh, wow.
Yeah, there's all kinds of...
I didn't realise that.
So, yeah, it was quite an unpleasant environment.
Yeah.
And they were embarrassed, possibly, by those reporters
about a breach that they had suffered.
Yes, another previous breach in the year before, wasn't it?
And they did the tracking as well, didn't they?
That's right.
Your phone would track you after you'd finished your ride.
Yeah, that's right.
But the culture was such that between the CISO and the CEO, they were adamant.
No, no, I take that back actually,
it was Sullivan who was absolutely clear
that Uber could not be seen to have another breach.
Yeah.
And it had to be dealt with quietly and discreetly.
Even though he knew he was under complete obligation,
according to the Californian regulation, to inform not only
the FBI about the crime but also the regulator, and I don't know the name of the Californian
regulator, who it might be, of the actual loss of data. That's no, John. John, that's it. Lives in Sacramento.
Suppressing this and getting people who were clearly criminals to sign NDAs and paying them
money. Apparently, there's also a third person involved who the two criminals got somebody else
to actually get access to the data and to supply it to them. And that third person they know nothing about,
so they don't even know if the data has actually been
completely deleted either.
Wow.
So, yeah, it's a little more to it than on the face of it.
So at the risk of having to state a retraction next week,
much like last week, I would say that I think although
the Cloudflare CEO said that Sullivan has done a huge amount of good work, which is no doubt true.
And he did, you know, to give him his credit.
And again, you know, from outsiders with absolutely no knowledge of what's inside and just reading what's being reported.
Absolutely.
He did make some massive improvements at Uber in his time there.
Absolutely.
So, you know, we are not seeing the entire story here.
But nonetheless, you know, you're only as good as your last crime, as it were.
Your reputation is as good as the crime you've committed.
You know, it was clearly a crime.
He clearly did something wrong and he knowingly did something wrong.
And yet, like many CEO or many C-level execs who go and fuck up a company,
he's managed to jump straight into another high-paying, high-profile role
whilst having the full support of the CEO.
Although the CEO of Cloudflare did say,
we hope this matter is resolved quickly or something
like that.
In the meantime, he's contacting HR
to post a job.
What are our options?
I mean, oh my god!
Oh, here we go.
Oh my god!
I've been here for ages listening to you guys.
Yeah, yeah.
I can see exactly when you joined, mate.
Didn't the clocks change today?
Only in your house.
Mate, you are an hour and 20 minutes late.
Hour and 18.
Let's not exaggerate.
Even for you, this is some...
We're wrapping up, mate. We're at the end of this. What bothered you about this Uber story?
Actually, never mind, those are good points you made and I concur.
Jesus Christ, mate. Do you know, I was sick, I was honestly starting to get a little bit worried
because even you aren't normally this late for a podcast.
To our listeners, I can only apologise
that you had to listen to these two ramble for over an hour.
Hey, you haven't heard the first part we covered.
Might have had something to do with TikTok.
Is that why you're late? Did you not go to sleep until like six o'clock in the morning
after just watching too much... No, no. Who do you think I am, Andy? I've got self-control and
self-restraint, you know. You can open a pack of Haribos, I can have one and stop. Same thing with social media.
I can go on it for five minutes, turn it off.
I can cut it off any time I want.
I think the evidence would suggest otherwise.
No, I have been sleeping really, really badly for about a week now.
Oh, until today.
Yeah, because if you're looking at TikTok at three in the morning, as
someone who knows what that is like, of course your sleep... Regardless, regardless, you know, like,
let's not blame any social media here. It's like, you know, it's like causation is...
It's not... Correlation is not causation or anything like that. Yeah, Jav, you have to remember that
Andy built up his tolerance to TikTok
over a long period of time. You can't suddenly jump in with both feet and mainline TikTok
in the first 24 hours of exposure, because what happens is that you wake up late or you go
to bed really late, you don't sleep and you let down your friends. Exactly. You don't watch your
friend rolling marijuana joints for, you know, two years
and then suddenly inject heroin.
Good thing you're not my friend.
Anyway, industry news.
Let's do industry news, yeah?
We've done it.
We're genuinely done.
We're done.
Seriously.
It's good because I saw that our Stig
had only got three stories today.
And I was like, that's just not good enough.
Three stories, which would have been perfect.
But no, you had to go and screw that one up as well.
Did you do Taylor's apology?
I thought that was really big of him.
Dude, we've done everything.
Mate, we can only say this so many times.
We're done.
This was the last subject.
This was the last story.
I'm just recapping for the benefit of the audience.
Yeah.
Oh, man.
We didn't even close out the rant of the week jingle.
No, no, exactly.
So, folks, that was this week's Rant of the Week.
So before we go, everybody,
I know you've listened to these two ramble on for a while.
So just to let you know, this week Andy has been in Nottingham
and hats off to him for travelling the world and everything.
And Tom, uncharacteristically of him,
he's been knee-deep in the memes and NCC and Crest memes have been absolutely amazing.
We've done this. We've done this.
Oh my God. So this week you heard Tweet of the Week.
Tweet of the Week.
And you know what? I did have a little people for you today, but clearly these two are not in the
mood to give me any air time today, which is a real shame. A real shame. You've obviously just loaded up
the show notes and you're trying to see where maybe these two wouldn't have mentioned it, but
just... I want to mention it. KnowBe4 release the culture report today. Oh, my God.
It's well worth going there.
Mate, don't reflect your level of professionalism onto us.
We covered everything that was in the show notes.
Just because you wouldn't.
Anyway, industry news. Reported data.
52% in 2020.
Industry news.
Huawei phones unlikely to receive security updates
at trade bans again. Industry News.
Industry News.
This is all about who outsources
cybersecurity services.
Industry News.
Industry News.
And then, you know,
it's...
You're like, just desperate to try and be part of this now, aren't you?
No, no, he's like a little brother trying to sort of play with his teenage older brother and
his friends, you know. Oh dear. Come on, come on, can I join in? Can I have a go? Can I have a go? And
you know what, I, okay, so one thing I
just did want to add on to the Rant of the Week about the Uber Sullivan guy is that, like you
said, Tom, I think it's crazy how people can do ridiculous things, they can be absolutely
incompetent and even illegal and still land themselves cushy job after cushy job.
Yeah, the Stamos effect.
Yeah, the Stamos effect.
So how shit a CISO were you, Tom?
But you went from global
CISO to now like,
you want a blogger? And I'll do that for you.
Tom, don't take it personally. He's obviously on a come down at the moment. Yeah, he is.
He's suffering withdrawal. No, you're meant to say good points, well made. That's on the show notes.
so what you're saying is that shit CISOs get given high paying jobs,
but good CISOs,
they just sort of go off.
Fizzle out.
Is that what you're saying?
Fizzle out into irrelevance.
Is that?
Okay.
So,
so,
so I'm a good CISO.
That's good.
I'm happy with that.
By that standard,
you're the best CISO,
Tom.
You're the absolute best.
Good CISO.
Good CISO.
Back in your box.
Good CISO.
Right.
Well, folks,
thank you very much.
We apologise.
We seem to have had
some sort of
sound distortion
and interference
in the last
five or six minutes.
Yeah,
I could probably
remove most of it
in post.
Folks, this is all I could put up with for this week.
So on that note, Jav, thank you.
Oh, sorry.
Hello, Jav.
Welcome and goodbye, Jav.
Thank you for your contribution this week.
And, you know, have a good week.
Thank you. Good. And Andy, thank you very much, sir. Stay secure, my friends. Stay secure.
Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javvad Malik and Tom Langford.
Copyright 2015 or something like that.
Insert legal agreements here as applicable and binding in your country of residence.
We thank you.
What the hell happened, Jav?
I just woke up.