The Host Unknown Podcast - Episode 224: Where we argue about Cyber Essentials

Episode Date: June 30, 2025

17th June 1995: Spyglass goes public. World Wide Web software producer Spyglass Inc. went public, the year after it had begun distributing its Spyglass Mosaic software, an early browser for navigating the Web. With previous year's earnings at $7 million, Spyglass was founded by students at the Illinois Supercomputing Center, which also inspired Netscape Communications Corp.
https://www.computerhistory.org/tdih/june/27/#spyglass-goes-public

26th June 1989: Robert Tappan Morris (who released the Morris worm in 1988) became the first person to be indicted under the US's Computer Fraud and Abuse Act (CFAA), enacted by Congress 3 years earlier. He was later sentenced to three years of probation and fined $10,050.
https://x.com/todayininfosec/status/1938292354965770278

Visiting students can't hide social media accounts from Uncle Sam anymore

Meta's AI training on copyrighted content is 'fair use', US judge says
https://x.com/filip_dragovic/status/1937932750415086010

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 that is not a good in let's let's well you want to start again do you yeah okay let's start like this god damn it that would have worked perfectly Hello, hello, hello. Good morning, good afternoon, good evening and welcome everyone. Welcome one and all dear listener and everyone else to episode 220. 224. Of the Host Unknown podcast. In fact we were talking the other day about we definitely need to get that episode number two posted. We really do. Yeah but we're I've got to dig it out somewhere. I mean it's under some old iCloud account
Starting point is 00:01:00 from a long time ago but yeah one of these days though one of these days anyway talking of dusty and old and needs to be dug up occasionally Jav how are you I'm very good I'm very happy bunny I finally finally this week I received a birthday present and Christmas presents from last year and it's absolutely amazing one of the best things I got was this little hackety keyboard fidgety thing and for those of you who can't see us like that it's like the most annoying thing in the world and it's for your personal use not to be used in front of
Starting point is 00:01:42 us it is the most annoying thing in the world Andy and you're absolutely right on that but who actually ordered it and gave it to him? He can annoy whoever he wants, just not us. This is a classic mistake, it's like when you have kids, you know, you never buy them those noisy toys. Drum kits. You get that for your nieces or nephews or whatever. It's like you never would for your own kids. But this is what you've done. You just got me the noisy clackety thing. And the thing about this, which I was just telling you guys before we started, is that now even though I've got a nice clackety keyboard,
Starting point is 00:02:20 these clackety clacks just make my one seem a bit dull by comparison, so now I'm really tempted that I need to get... so if any of the listeners have got any recommendations on what a good clackety keyboard that sounds like this, yeah, like that's the sound I'm going for, because my existing keyboard, it sounds more like this. Sounds like an old Cherry keyboard, like an old IBM Cherry style keyboard. Yeah, it's kind of like that. I mean I can see Andy here trying to claw his ears off. You know, we need to go back to what was that software that takes out all sort of noise, background noise, filters it just purely to voice only. We need that again. You know the problem with that, and sometimes in the edit I've noticed this, so the software I use, Descript, to edit the podcast,
Starting point is 00:03:14 you can apply what they call Studio Sound which removes a lot of the background sound. The problem is it also ends up chopping off a lot of the jingles because like there's that build up and everything, and also Tom's laugh gets chopped off so much because it's like, this is just someone dragging a chair across the floor, this is just a spider, a seal. And the other thing I got was this other key, it's just a one solitary keyboard key with a duck on top and you press it and it gives you a little quack. So yes, I'm happy. A happy bunny. And talking about feeling a bit quackers about things... Talking about happy bunnies,
Starting point is 00:04:10 Yeah, you weren't happy while he was clicking on that thing. No, that does... I can feel my blood pressure rise every time I hear it. Not too bad, I've had a couple of colleagues comment, they say, good, you know, a lot of people, a lot of respectable people in the industry. I say, I actually do. I say, I'm not friends with any of them, but I know a lot. You're right, I'm connected to them. But yeah, Jav, you're having praise heaped on you this week for keynoting the ISACA London conference.
Starting point is 00:04:42 I know, there's bot accounts where it finally paid off. Right, exactly, all your shit accounts, I've now identified them all. I came so close to commenting on those LinkedIn posts that came up, basically saying, are we talking about the same person here, the same Jav? Exactly. And then I thought, no, no, be the bigger man. Be factual. Yes. Did we watch the same talk?
Starting point is 00:05:06 Yeah, exactly. The one at 9.30 in front of everyone. Yeah. Although, interestingly, we did get the inside track on Jav's talk, didn't we, from Jav? We did. Told us that basically he made the whole thing up. Yeah.
Starting point is 00:05:23 Well, the funny thing was he kind of presented it as a made-up story. Like, you know, he had a story, then confessed it was made up. But then... No, confessed that the details... The details in the story. But then what he didn't tell everyone was that... He actually made the entire thing up. The entire thing. Yeah, it's like inception. It is. It is.
Starting point is 00:05:43 That's it. it was inception and this is the whole thing because the whole basis of the talk was about trust yeah and I wanted to build something up and then destroy every feeling of trust that people had and in the end like you two you just don't know what to trust so let's not trust you anyway We are absolutely zero trust over here. There's no doubt about that. Zero Jav Trust, it's a new framework. But talking of, I don't know, old frameworks. Old frameworks.
Starting point is 00:06:14 Oh. Yes, I'm very good. I was, well as you said, I was at that conference on Wednesday, it was excellent. Thoroughly enjoyed it. I think we saw about two talks each and then we just did the hallway track. It was good. Lots of people wandering around and saying hello and all that sort of thing. Thoroughly enjoyed it. I've been up in London for a couple of nights so staying with the Duchess which is always a pleasure and back home this afternoon or late late this afternoon finally so yeah long week long hot week right
Starting point is 00:06:56 Duchess is very well she is very well yeah yeah has you got a go fund me to get aircon installed in a place because you're complaining about the heat? Yeah, not yet. Not yet. But funny story though. So she said to me on Wednesday night, she said, oh, I got an email from Aldi saying that they've got projectors on sale for 40 quid.
Starting point is 00:07:22 Aldi. I thought you meant oldie and I thought she meant you. Oldie. They've got projectors on sale for 40 quid. I'll go and get one. Do you want one too? Yep, fantastic. So she got up in the morning, got a projector and we set up hers. And you know, I've got to buy a few bits to make it fully work in the office, in her study. It's a trouble, works perfectly. So I transferred her some money, you know, to pay for the 40 quid, and I put it from your second favourite son. What? Why are you second favourite? You're at least third or fourth. Exactly, yeah. You actually give yourself a promotion. If you count the quack and the quack, then like...
Starting point is 00:08:12 Moving swiftly on, and I'm not even going to know how to transition from that one, shall we see what we've got coming up this week? You're going to be glad you're editing this week, aren't you, Jav? This week in InfoSec gives us all the pieces of the mosaic. Rant of the week is another nail in the coffin of American privacy. Billy Big Balls is proof that stealing copyrighted information is absolutely fine if you are a billionaire. Industry News is the latest and greatest security news story from around the world and Tweets of the Week demonstrates that not all CVEs are
Starting point is 00:08:45 created equal. So without further ado let's move swiftly on to our favorite part of the show, it's the part of the show that we like to call... This Week in InfoSec. It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And our first story shall take us back... a mere... I see Tom doesn't even have his finger on the button. A mere! Where is it? What's it got... oh there we go, 30 years to the 17th of June 1995 when Spyglass went public and so this is World Wide Web software producer
Starting point is 00:09:40 Spyglass Inc went public the year after it had begun distributing its Spyglass Mosaic software, which was an early browser for navigating the web. And with previous year's earnings at $7 million back in 95, Spyglass was founded by students at the Illinois Supercomputing Center, which also inspired Netscape Communications Corp. So, Spyglass wasn't exactly a household name back then, but it did play a key role in the browser wars. Before browser wars were even a thing. So they licensed tech from the original Mosaic browser, which came out at the University of Illinois Supercomputing Center. The same place that inspired some folks to start a
Starting point is 00:10:20 little company called Netscape that we all know about. So by 1994, Spyglass was selling its version Spyglass Mosaic, not bad earning 7 million a year, you know, for a company spun out of a uni lab, but their pitch, they weren't building a free for all browser for the masses. They actually wanted to be the browser engine for hire and actually licensing their tech to others. And it worked. So Microsoft actually eventually licensed Spyglass to build what became Internet Explorer. Yes, that Internet Explorer.
Starting point is 00:10:52 But here's the kicker for them, Microsoft paid them a flat fee. So while IE went on to dominate desktops for a decade, Spyglass didn't get rich off any royalties. Played that game with IBM as well, didn't they? Yeah. What did they pay them though? What was that flat fee? Don't know, undisclosed, but if they had earned seven million in the previous year, I'm pretty sure that it's not gonna be, you know, seven million, certainly for IE to dominate browsers for a decade. Yeah, at $7 million, that would be chump change.
Starting point is 00:11:25 Yeah, it would be chump change, but then I'm just trying to say, when you're a bunch of students, you just spun something out, and someone says, we'll give you some money, and you all walk away with two million each. Yeah, walk away with two million each. I mean, you kind of would, wouldn't you?
Starting point is 00:11:41 I mean, if Microsoft came to me today and said, Jav, we want to buy your podcast For five million. I'd say fine. I wouldn't really care if it went on to become bigger than the Joe Rogan podcast I mean, I probably would but I might say oh, I wish I'd royalties But I'd still have five you actually don't have a podcast. This is my podcast. Well, you have a third share of a podcast You don't have that. He's like this is I'm just going to edit this this part out. It's I'm just going to add in some laughter some yep yep yep. So anyway going back to the point is mosaic are they still around are they still producing things as a as a company? I genuinely don't know but I would be surprised if they were. Yeah you know what this is one I'm going to look into this
Starting point is 00:12:23 This is fascinating. Because like Mosaic and Mozilla and all of those underlying companies that we don't hear about who are actually doing all of this, you know, supporting all of these products that we use daily, almost. Indeed. But while you do that you can hit the calculator button. No, no, no. Don't hit the calculator, sounds like we can do it in practical. Oh okay. Oh! Jav, you're taking on another job from me. Going analogue. Right, I'm off the calculator noises from now on, you've heard it here first. Our second story takes us back a mere... That is so much better! That is so much better! 36 years to the 26th of June 1989 and this is my favourite ever story.
Starting point is 00:13:13 When Robert Tappan Morris, who released the Morris worm in 1988, became the first person to be indicted under the US's Computer Fraud and Abuse Act, enacted by Congress three years earlier, and he was later sentenced to three years of probation and fined $10,050. So here's a throwback from cyber history which you should all know. 26th of June 1989, a 24 year old grad student named Robert Tappan Morris became the first person ever indicted under the CFAA and his crime was accidentally breaking the internet. So back in 1988, Morris wrote what was supposed to be a harmless academic experiment which was a self-replicating worm that would measure the size of the internet. And so yes, back then it was still possible. The problem was he made a coding error. So the worm didn't just spread,
Starting point is 00:14:09 it infested like digital locust plague type. It crashed thousands of computers, slowed networks to a crawl, caused chaos at universities, military labs, businesses. He didn't intend to cause any harm. In fact, he actually tried to make it subtle, but subtle he was not. And they said that, you know, the cleanup costs were estimated in the millions. So in 89, he actually got slapped with a guilty verdict and his
Starting point is 00:14:36 sentence: three years probation, 400 hours of community service and that $10,000 fine. But not bad considering he accidentally rewrote cyber history. But on top of that, a little fun twist here, Morris actually went on to co-found Y Combinator, which is the startup incubator that helped launch Reddit, Airbnb and Dropbox. So the first person convicted for hacking also helped fund half the internet. It's amazing, isn't it? I had no idea that it was entirely accidental as well. Oh yeah, he wasn't a malicious person.
Starting point is 00:15:12 That's his story and that's what he's... He's stuck with it. Yeah, that's fair. That's fair. Excellent, thank you. That was this week's... This Week in InfoSec.
Starting point is 00:15:35 30% nostalgic, 30% ranty, 30% ballsy and 30% terrible at maths. You're listening to the award-winning Host Unknown Podcast. Indeed, which means it's also now time for... It sounds a motherf***ing rage! Here's another story from the good old US of A, where you can't even make it up anymore, can you? Comedy writers around the world are just scratching their heads because every time they come up with something that just sounds entirely outrageous and impossible, something entirely outrageous and impossible definitely starts to happen. So the headline is: visiting students can't hide social media accounts from Uncle Sam anymore. This headline's got these students and their social media feeds nervous because last week the US State Department said that foreign nationals applying for student or exchange
Starting point is 00:16:45 visas and in technical terms that's F, M and J visas, don't ask I have no idea what that means, will now have to make all their social media profiles public as part of the vetting process. It's not a typo, if you want to study in the US, the government wants full access to your entire social media history. All the way back to when it even started. You can't make any part of your social media presence private.
Starting point is 00:17:19 The official line is that every visa adjudication, this is a quote, is a national security decision. Eh, okay, fair enough. I mean, it goes back to San Bernardino in 2015, when one of the attackers had posted about extremist views on private social media. And so the government has been inclined towards using social media to try and root out people who may wish to do harm. And it was initially introduced under Obama. So this isn't just a Trump-bashing thing. But it was introduced under Obama.
Starting point is 00:17:58 And it was voluntary. Please volunteer your social media profiles here. We can take a look and see what happens, which in itself is kind of an indicator because if you don't put your social media profiles there, that can raise a flag that would require further investigation anyway. Under Trump it became mandatory to hand over your social media handles, but of course you could just set everything to private and nobody could see anything and they would have to subpoena the individual companies.
Starting point is 00:18:30 But the latest move is the first time that applicants are being told, you have to set it to public. You have to set every single social media platform you have to public. No more privacy settings, no more friends only posts. You want a visa, you've got to open everything up. And well one, that's the end of privacy right, because you're opening up everything. You can't hide anything and
Starting point is 00:18:57 in theory, and we've said this about privacy in the past, you know, if you've got nothing to hide, you've got nothing to worry about, blah blah blah blah blah. The problem being of course is that even under a somewhat benign government, even if you open up your privacy doors etc, and they get access to everything, you might not have anything to worry about today. If that government policies change, then you may find yourself at well either Her Majesty's pleasure or someone else's pleasure as a result of things that you have you have said in the past. We still have free speech in this country so it won't be Her Majesty's pleasure. His Majesty's. His Majesty's pleasure. You'll be a
Starting point is 00:19:40 you'll be a prisoner in El Salvador. Yeah, well that's just it. Namely a country that has undergone a more radical political change in the last six months than America at the moment. I mean it was bad enough even under Biden with the number of, the amount of partisanship that was going on, but so much significant change happening in the US that you have no idea how this data is going to be used and even who it's going to be sold to, as we've seen with Elon Musk and DOGE, although Musk is out of favour, so obviously it's gonna be... still got the data, it's still got the data, but it's either Zuckerberg or Bezos who's going to get access to this stuff and they're going to monetise it all anyway.
Starting point is 00:20:28 So students are responding to this. So South Korean applicants are turning to digital undertaker services. Don't get excited you two, this is not a game featuring the Undertaker from your favourite wrestling pastime, I'm just saying. But it's a digital undertaking service to clean up their profiles. Indian students are mass deleting posts. Basically spring cleaning season for anyone applying to a US university, which in itself tells you, you know, a huge amount about what's going on in there.
Starting point is 00:21:04 State Department hasn't said exactly how the content will be judged. Well, of course not. But Politico, the news site, has got its hands on the guidance. It says officials should be looking for signs of hostility towards US citizens, culture or institutions and for any support of terrorism or anti-semitic violence, which is very specific. So one, you know, support of terrorism. I mean what's your definition of terrorism for a start, right? You know, two, hostility towards US citizens, culture, institutions. It's hard for anyone not in the US to be sort of hostile towards the US in
Starting point is 00:21:46 many cases. In fact, many governments have issued travel warnings to people traveling to the US, to its citizens, saying that the US is a more hostile place to tourists and visitors. And we've seen a number of people. So even liking tweets that you know maybe Obama put out back in 2016 you know that goes against the current administration's view. Yeah exactly. This is exactly the goalposts move according to each administration. I think one of the couple of people you know people from the Electronic Frontier Foundation have called it a fundamental breach of privacy.
Starting point is 00:22:27 Gregory Nojeim from the Center for Democracy and Technology has put it very bluntly and I think very, very well. And this could filter out people who criticize the US, not people who threaten it. People who threaten it will not have a social media presence, or at least one that their passport might be attached to. He reminds us that criticizing your government, it's a national pastime, at least in an open democracy. You are allowed to criticize your government, you are allowed to show that, you're allowed to
Starting point is 00:23:11 to say you don't agree with them. And if this is all a bit sort of Machiavellian, just imagine if another country demanded American students go on public with their social profiles before studying abroad. I think the Americans would lose it if it was turned around the other way. And there's an economic angle according to NAFSA, I don't know who that is, international students contribute 43.8 billion dollars to the US economy last year. I think it's gonna be fascinating to see
Starting point is 00:23:47 how much they contributed this year since the new administration came in. And the irony, just one day after announcing this public profile rule, the US said it would deny visas to foreign officials who censor American citizens online. Just don't get it. So yeah, if you're looking to study abroad, either don't go on the socials ever. So you know, maybe this is a good thing, maybe this will stop people from doom scrolling every day. But just make sure that your accounts are fully deleted before you go over there.
Starting point is 00:24:32 Or don't apply to study in the US. Or don't apply to study in the US. Or don't apply to study in many of the other countries that offer that. It's not the land of the free. Yeah, it's not anymore. It is not. I mean, I'm probably going to have to go to the US in the next few months. And I'm, you know, I'm not entirely sure. Oh, and I'll clip this round and put it as your tag you on LinkedIn as your... If I go there and they turn me around, at least I have something to talk about in the following week's podcast. Oh, no, it'd be great if they don't turn you around.
Starting point is 00:25:00 They put you in the connecting flight. Yeah, I wish you'd be back in a week. Jesus. I look awesome in orange. You'd come back with a Spanish accent. And boyfriend. But if you want our respect you'll have like three teardrop tattoos. Very good. Right, okay, anything else to add? I think we all agree this is just outrageous, right? Outrageous. That was a long rant.
Starting point is 00:25:31 It was a long rant. I blame Andy for his OPA ChatGPT notes he gave me. Right, excellent. That was this week's... Rant of the week. If good security content were bottled like ketchup, this podcast would be the watery juice which comes out when you don't shake properly. In a niche of our own, you're listening to the award-winning Host Unknown Podcast. How do you like them apples? Oh no, wrong one. Right, Jav, your turn. Okay, you know how we often say that there's a very thin line separating a rant from a Billy Big Balls. Absolutely. This is one of those times. Yes, this is the Invisalign of the border between the two, you just can't tell it exists. So I've got
Starting point is 00:26:33 some great news from the world of AI. There are a bunch of authors and content creators and publishers, probably wearing tweed, sipping Earl Grey, I'm just imagining you Tom, but you know, they're having a right old moan about AI nicking their precious words. There's a whole thing about copyright infringement and how AI sucks up all their work so far and uses it for whatever. But Judge Vince Chhabria, he has declared that Meta's use of their books is fair use. That's pretty harsh. It is. And then, that's not enough, Judge William Alsup, not wanting to miss out on the fun, chimes
Starting point is 00:27:30 in to say Anthropic's AI can gorge itself on copyrighted works. It's tremendous. So basically what they're saying is that the AI companies can profit from copyrighted works? From other people's hard work? Other people's hard work without paying them. No, no. Look folks, this AI, it's tremendous. It's like turning War and Peace, a great book, very long, many people say too long, into a chatbot faster than Crooked Hillary deletes emails. It's true, because nothing says transformative quite like turning War and Peace into a chatbot that can also write your Tinder bio.
Starting point is 00:28:16 It does remind me that orange and brown are quite similar colours in some lights, aren't they? Now I know what you're going to say, what about the poor starving artists? Well you know, if they can't compete with a glorified calculator that's been force-fed the entire works of humanity then maybe they should consider a career change. Maybe they should become AI programmers. Did you get Grok to write this for you? I was going to say, I don't know what prompt you used in this, but you've gone too far the other way, Jav. Exactly. Ordinarily I can agree with you on some things, but this is just...
Starting point is 00:28:55 Like I said, the line was non-existent. I had to make something up. Yeah, the job description says Billy Big Balls, you're going to defend the Billy Big Balls all the way. All the way. Otherwise, what's the point? Yeah, we'll just have two rants. I commit to the character I'm playing. That's what makes John Cena's current heel turn so unbelievable because he's meant to
Starting point is 00:29:23 be the heel but he hasn't truly embraced it he's still being like a baby face in the interviews and the way he conducts himself and everything. Does John Cena need a digital undertaker? Maybe if we can get a digital hell in the cell I think we would be in a good place. So the thing about this is it was only 20 odd years ago that all the courts took Napster to court because they were copying or taking in... It was like December 2001 wasn't it? Yeah something like that but they were ingesting all of this copyright material and making it... well
Starting point is 00:30:04 basically it was a point service, it was a point service, it was a pointer service, a finder service, wasn't it? Yeah, here's where you can find people that have got copies of this that you can download, and they were fined millions and it basically put them out of business, didn't it? Because they went legit and it just didn't work. No, but even individuals, like there's some grandma whose grandson might have downloaded two songs or something, and you know, they got raided and fined, but this is okay because billionaires... I was gonna say now the billionaires are funding the... and that's where the
Starting point is 00:30:36 Billionaire Big Balls, that's why there's a... there you go! Billionaire-y Big Balls. Mmm. Mmm. Yeah. Obviously the double standards are blatant to anyone. But it's quite a sad day, isn't it?
Starting point is 00:30:58 In reality. I think you've given up on this one, haven't you? I have, yes. Thank you, Jav. We're just energy efficient. Like and subscribe to the Host Unknown podcast for more ESG adjacent tips. So Andy, it's still very early o'clock on Friday morning here, so without wishing to give the game away, what time is it? It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire who have been very busy bringing us the latest and greatest security news from
Starting point is 00:31:49 around the globe. Industry news. Cyber Essentials breaks quarterly record for certifications. Industry news. Half of customer sign-ups are now fraudulent. Industry news. Common Good Cyber Fund launched to support non-profit security efforts. Industry news.
Starting point is 00:32:17 UK ransom payments double as victims fall behind global peers. Industry news. Hackers use open source offensive cyber tools to attack financial businesses in Africa. Industry news. Interpol warns of rapid rise in cybercrime on African continent. Industry news.
Starting point is 00:32:41 French authorities arrest four with suspected ties to notorious BreachForums. Industry news. Patient death linked to NHS cyber attack. Industry news. MOVEit Transfer systems face fresh attack risk following scanning activity surge. Industry news. And those random words put together into a vague sentence is this week's industry news. Industry news.
Starting point is 00:33:19 Sorry, I got a bit lost there. Huge if true, got a bit lost, sorry. Miles away. I'm not doing this from a normal desk, I'm on the... I'm on the... I'm travelling today. So you're on the move. I'm on the move. Yeah, the move. Everything's in the wrong place. I'm sure we covered a story not too long ago talking about how Cyber Essentials was like low or something. There wasn't enough people
Starting point is 00:33:44 doing Cyber Essentials. Did we? No, I don't remember. I think Cyber Essentials is being abused, especially in the public sector. In what way? So for instance, I know my last place, very very large technical consulting consultancy, all of, you know, 140,000 people around the globe etc, all of our sort of government-based contracts stated that the company had to be Cyber Essentials certified. Yeah, so
Starting point is 00:34:16 that's mandatory if you want to deal with the public sector, it's a mandatory requirement, but we had every, every, you know, nest... Yeah, but so from a procurement point of view for the public sector, they know what Cyber Essentials is. Like, so when you start getting people saying, oh, we've got an ISAE 3400, that's better than us. You know, you're dealing with procurement people being paid a government salary. Which is why it's being misused, because you can't apply Cyber Essentials,
Starting point is 00:34:48 which is aimed at the small to medium enterprise, to a large, a massive enterprise. You can't apply. I get it. The only thing you struggle with is the patches. So basically, Cyber Essentials doesn't allow for risk mitigation. Either you have the control or you don't. There's no mitigating controls. You're right, that is one of the downfalls for a bigger organization. But considering the amount of public sector bodies that engage third parties,
Starting point is 00:35:20 it is the easiest way for them to just have a baseline standard. It's just about having that baseline standard. Like public services don't always deal with large companies. I have different baseline standards for different sizes. This is the issue right? We always say we need more, more standardization. We've got 14 standards that's consolidated into one standard. Oh no, we've got 15 standards, let's consolidate it into one standard. Oh no, you've got 15 standards. Exactly. I know, I know, but it's not fit for purpose for any kind of large organisation.
Starting point is 00:35:51 Oh, I don't know about that. I would disagree with that. It is not fit for purpose. I don't, you can, it is very, it is easy enough for larger companies to take on the responsibility of becoming Cyber Essentials certified. Enterprise organizations can't go into people's homes and audit their local environment and their father. They don't have to. You don't have to, controls on the laptop. They do that side. You don't... Cyber Essentials says you have to look at every... I used to be an auditor for the Cyber... I used to award Cyber Essentials. I know. You do not have to go into people's homes and do this at all. You can demonstrate
Starting point is 00:36:32 that the laptop has the controls. I think you're interpreting it all wrong in order to... No. No. I know nothing, but so I'm just, like, eating popcorn here. You've completely misunderstood what actually needs to happen. You don't need to go to anyone's home. Unless they are a single-person sole trader operating from that single laptop, there is absolutely no requirement whatsoever. If it's a company that has no office facilities... You don't have to go to their home. You demonstrate the controls are on the endpoint.
Starting point is 00:37:10 But then why is there the requirement that the router, the firewall, has to be in place and has to have the password changed on it? That's stated in the standard. Only if that is your border gateway. If you're an enterprise, you're going to have a VPN. No totally, but... So you can centrally produce that information. This is what I'm saying, it's not unachievable for big companies to do this. Like either you have controls, you just have to, like literally cyber essentials cost 300 pounds. Do you know what I mean?
Starting point is 00:37:46 To then go back to the government, it's like it's impossible, it's not fit for purpose. You're a big company, like 300 pounds is petty cash, right? It is entirely possible to go for it. But it's not 300 pounds. It is. It costs 300 pounds to become certified. How much effort internally to do that is not free.
Starting point is 00:38:05 It's a piece of piss. It's like 60 questions. It's a questionnaire that you have to answer. This is brilliant. I mean, this is the first time I think anyone's ever had a serious conversation on this one. Sorry, let's move on. This is out of my wheelhouse, but I'm just loving how uncomfortable you two are getting. Especially Tom, because he's like, slowly you can see like the cogs are turning. He's like, he might have a point, but I'm so far up this hill, I'm gonna die on it. Might as well.
Starting point is 00:38:42 Oh man. Apparently I'm being deaf anyway. Five things. You secure you. You've got firewalls and routers that secure. You apply security updates. You've got access to the firewalls. Running interference. Malware protection and secure configuration. It is five basic things that you need to replace.
Starting point is 00:38:58 Okay. How about this? I'll deviate from the stories for a second, because I've done some research while you two were bickering. Spyglass Inc. Oh, yes, the company. Yeah, so they made Mozilla and the Mosaic, and March 26, 2000 they were acquired by Open TV. Open TV? Yeah. They do desktop set-top box operating systems.
Starting point is 00:39:31 Which they probably wanted to run in a browser. Yeah, probably. But then 10 years later, in 2010, Open TV was acquired by the Kudelski Group. And it still runs as a subsidiary of Kudelski Group. Kudelski is a Swiss company and they have several subsidiaries, and they have an IoT sort of subsidiary and they also have cyber security. Kudelski Security is a cyber security company.
Starting point is 00:40:04 Yeah. So, and then Smart TV is, Open TV is still there for interactive and digital TVs, but it's still primary sale of set-top boxes, operating systems and software. I wonder if there is at least one person from the Illinois supercomputer whatever. They can talk about, they can still... employed by Kudelski, who's just been there forever in the basement. Yeah, yeah, still maintaining a bit of code that is fundamental to... Yes, yes, answering Log4j questions and completing Cyber Essentials certifications to the UK government. So I just saw the headline of, sorry, Interpol warns of rapid rise in
Starting point is 00:41:01 cybercrime on the African continent. When, I mean, does no one remember the Nigerian 419 scams or anything? I mean, I thought that was outwards. I thought that was the motherland of cybercrime. Oh, this is in... This is the Kyrgyz now attacking Africa, not the other way around. I see. Yeah, very different. Interesting.
Starting point is 00:41:23 And apparently us Brits are more likely to fall victim to ransomware. More likely to pay ransomware. More likely to pay? Yeah. And who said the economy is failing in the UK, eh? We've got money to pay these things. Well, we're saving 250 million a week. Oh, from Brexit. From Brexit. Yeah. 350 million, yeah, 300 million a week from Brexit. Yeah, 350 million,
Starting point is 00:41:47 yeah, from Brexit. Yeah, yeah, there you go. I tell you what, all those extra beds and doctors and nurses that are paid for. I think we got far too many British born and bred doctors and nurses, might have no foreigners. Yeah, I'm not going to be treated by Johnny Foreigner. No. Anything else here? Oh, a patient death linked to NHS cyber attack. Is that a direct? So a patient's death has been officially linked to the '24 ransomware attack on Synnovis, the pathology service. So if you remember, they do all the blood tests and everything. So, oh, your neighbour was impacted by... Yeah, yeah, well, he couldn't get his heart valve operation done because he couldn't get the blood work done that was needed, but
Starting point is 00:42:36 I just, to let you guys know, he did later have his operation. He's very well and he's currently in East Africa, I think. Okay, so he actually went on to commit... commit... he is now a victim of crime in East Africa. Yeah, either that or he's actually executing the crime in East Africa. Yeah, yeah, you don't know. But, but no, he lives a wonderful life. He's traveled to I think 148 countries. Him and his wife just travel all the time. What? The joke is that the house over here is his holiday home, because literally they're here for like a few weeks and like, okay, we're going for another few weeks. So this house is empty a lot, you're saying? No, no, it's not empty, he's got a son and... Who works like normal office hours, would you say?
Starting point is 00:43:28 Not from home? I've got a key, if you're really that interested, you can come and have an audit. You're making it far too easy now. Taking all the change out of it. Right, let's move on shall we? That was this week's... In 2022, you crowned us the best cyber security podcast in Europe. You are listening to the double award winning Host Unknown podcast. How'd you like them apples? Right Andy, take us home. We've just got a few minutes left with this week's...
Starting point is 00:44:19 Tweet of the Week. And we always play that one twice. Tweet of the Week. This week's Tweet of the Week. And we always play that one twice. Tweet of the Week. This week's Tweet of the Week comes from Philip Dragovic and he's posted commentary on CVE 2025-49144 which is an elevation of privilege vulnerability. However, it has a requirement that you need to execute the installer as admin. Wow. So it seems like anyone can publish vulnerabilities these days.
Starting point is 00:44:56 This is like the McDonald's caution coffee might be, contents might be hot kind of CV. Yeah, that's right. Here we are. It's, you know, I guess when people have to write risks and, uh, you know, they just want to make sure they've got everything documented. Well, whoever submitted the CVE really wanted to submit a CVE. And say that they have submitted. They've got a CVE.
Starting point is 00:45:23 Yeah. Yeah. It's a privilege escalation, uh, CVE. say that they have submitted they've got a CVE yeah yeah it's a privilege escalation CVE yeah but a pretty serious where are you going to go from that though you you you install it as admin and now what are you super admin admin admin or do you get to root is that is that what the escalation goes to yeah admin password root, no route and password tool Yeah, I should look this up. Actually. He doesn't know No, he doesn't. That's what as a man that's never used Kali Linux in his life
Starting point is 00:45:55 Backtrack, sorry backtrack. Sorry I've got people to do that Come on You know this as well. Damn me. Anyway, that was this week's... Tweet of the Week. Gentlemen, thank you so much.
Starting point is 00:46:15 We've come to the end of the show. We've run a little bit long this week, but hopefully the audience will forgive us. Either that or Jav will do an amazing editing job and remove, well, about 43 minutes of this 47, 48 minute podcast. So Jav, thank you so much as always, with wisdom, charm, charisma and everything else. Yeah, and my amazing keynote earlier this week. You're welcome. No, no, I'm not thanking you for that. I thank you for that. Are you not entertained? Not today.
Starting point is 00:46:45 You're only as good as your last job and this has been pretty poor in fairness. And Andy, thank you. Get cyber essential certified people and stay secure my friends. Stay secure. You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. R slash smashing security.
Starting point is 00:47:16 You know what's really funny is, independently, I've both... sent you a message with the same message saying, can't believe how poorly he understands Cyber Essentials, and now the gossip is just rolling in from both of you. It's just unbelievable. I might even release this. I might release the screenshots later. Oh, do it, do it. I might just take all the wind out of your sails and say what I replied to you. You can't do that, I'll post screenshots. That's what the real GC gossip is. Because there's no way ChatGPT could ever emulate fake screenshots or anything. No,
Starting point is 00:47:52 no.
