The Host Unknown Podcast - Episode 25 - The Duchess of Ladywell Special
Episode Date: September 25, 2020

Andy's microphone is miraculously fixed, Thom's story is broken and Jav joins The Lemon Party.

This Week in InfoSec

19th September 2011: Thai Duong and Juliano Rizzo demonstrated a proof of concept at the Ekoparty security conference to decrypt encrypted cookies, exploiting a vulnerability in TLS 1.0 and earlier. They named the attack BEAST (Browser Exploit Against SSL/TLS).
https://www.theregister.com/2011/09/19/beast_exploits_paypal_ssl/

21st Sept 1996: An email began spreading about a destructive virus named Irina. Friend of the show Graham Cluley discovered it was a hoax "marketing ploy" from Penguin Books.
http://web.archive.org/web/20170924094557/http://download.adamas.ai/dlbase/Stuff/VX%20Heavens%20Library/static/vdat/ephoaxes.htm

Billy Big Balls of the Week

How to Sell Protest Footage to FOX AND CNN
https://youtu.be/xiYZ__Ww02c
“This isn’t even satire anymore. You are just giving away industry secrets.”

Rant of the Week

https://www.epicgames.com/help/en-US/epic-accounts-c74/general-support-c79/how-do-i-delete-my-epic-games-account-a3636

Industry News

Activision Denies Hacking Claims Over Leaked Accounts
Uncomplicated Cyber Insurance Program Launched
Cisco: Ensure Collaboration to Better Survive Remote Working
Cisco: How Real is a Passwordless Future?
Shopify Insiders Attempted to Steal Customer Transactional Records
Does Cybersecurity Have a Public Image Problem?

Tweet of the Week

Switching off a faulty telly sees internet speeds increase
"The source of the ‘electrical noise’ was traced to a property in the village. It turned out that at 7:00 am every morning the occupant would switch on their old TV which would in-turn knock out broadband for the entire village."
https://twitter.com/BBCWalesNews/status/1308315605272080386

Fake News! TV Did Not Wipe Out a Village's Internet!

Come on! Like and bloody well subscribe!
Transcript
That's not sounding too good. I'll be, I'll be honest, this is the last episode, folks.
Actually, talking of not sounding too good, Andy, you're sounding a lot better this week.
So what the hell did you, did you wet the string between the two cans or something?
Oh no, you bought a new microphone.
Yes. So, you know, the funny thing about that, I was, uh, I was gonna tell Jav before the show.
Um, so, as you know, desperately in need of a new microphone after the issues last week and the bad
sound quality the week before. Um, so ran down this morning before, uh, because I had a meeting between,
you know, now and, and this, or this morning and this. Uh, ran down, try to find out which box the
microphone arrived in. So I've got like 30 Amazon boxes in the hallway, just so I was like, you know, yeah, just trying to...
Oh no, that stuff comes from, um, AliExpress.
Yeah. So, uh, yeah, anyway, found it, came up, and it's a new, uh, desk stand one with like this anti-shake
stuff on it. So, you know, you can wobble the desk, it's not going to move. Um, but I quite like my
current microphone, or, you know, my
old microphone with the arm. Uh, so I thought maybe I'll just take this mic out, plug it into the arm
and, uh, you know, keep my existing setup.
I think I know where this is going.
Lo and behold, I was like, right, now where do I plug this end into? And sure enough, yeah, the cable has come out on the old microphone,
which is why no one could hear me last week.
It was poor quality the week before.
I'd obviously loosened it.
So bottom line is you bought a new microphone
because your old one had become unplugged.
Well, I didn't say exactly like that.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening,
and welcome to the new high-definition sound quality Host Unknown.
Well, certainly improved sound quality from last week.
That was a foxy one. That was a boxy one last week, Andy. Blimey.
Yeah, I mean, short of, have you tried switching it on and off again?
I know, making sure it's... Gee, do you know the funny thing is that, obviously, you know, I need a
new microphone, so I was, was looking at this mic.
This one's got good reviews.
This is a bit pricey.
I might as well get it.
It's like, well, if I'm going to get a new microphone,
I might as well get all this acoustic foam as well, you know?
And it's like, well, if I'm getting that foam. Oh, you really went for it?
Yeah.
So then I was like, well, it's going to darken the room,
so I'm going to need some more LED lights for the office.
And I was like, yeah, I've just kind of gone on from there. So I've got a shit ton of stuff
downstairs.
That's... so you've got, you've got a contractor in, they're building you a new room.
And, uh, yeah, all because I, uh, left my mic unplugged.
So hang on, you've got all this acoustic foam, but it's downstairs?
Yeah, I've not, uh, I've not had time to...
Let me tell you how.
So I was gonna, uh, yeah, just, uh, wrap it around my missus.
Oh yeah, yeah, it's a joke, absolutely a joke. Yeah, oh dear me.
So, so how are you, apart from being mildly incompetent, Andy?
Uh, well, this week, I think it's just I've had much sleep this week, I'll be honest. It's been a very long week. Um, I'm glad
it's Friday, other than that, but, uh, yeah, I can't complain. How's, um...
I noticed you guys have been pretty busy this week on various conferences
and not accepting phone calls.
Yeah, well, I know I have been.
I don't know about Jav.
Yeah, I've had a few speaking.
Everything's virtual these days, so every day or every other day.
So you've virtually had some speaking gigs?
Yes, I've virtually had some speaking gigs.
So what was yours?
Well, I was on a debate panel for Info Security magazine there.
Dan Raywood, our good friend, friend of the show, Dan Raywood,
he moderated it.
And so, yeah, that was a...
That's right.
And joking aside, I did actually listen to that one.
It was very good.
Well, half of it was very good.
Thank you.
I won't ask this half.
I'm glad to say it was your half.
I thought the arguments against were quite poor,
if I'm perfectly honest.
But nothing against the individual.
I mean, hey, we've all been put into situations
where you have to defend the indefensible.
So what was the topic?
The topic was, does security awareness training work?
And so I was the case for,
and the gentleman opposite was for the case against.
Yeah, yeah, absolutely.
So, I mean, in fact, around about the time we first met, Jav,
we did a very similar debate at RSA conference, didn't we, about just that?
And I had to argue against, even though it was the polar opposite of what I believed, which made it quite interesting and also meant for the next two or three years, everybody thought I was against awareness training, which is a bit painful.
So until you've done the, uh, the surprise Kaiser Soze move at RSA later, like a few years later.
2015?
Yeah, that's right. Yeah, where I said educational awareness is wonderful, especially when you make it funny.
But, uh, but yeah, it's, um, I certainly don't blame the gentleman involved. I'm sorry. I can't remember your name, Mr. Gentleman.
Aaron.
But, yeah, a tough line to argue against, I have to say.
So, yeah.
Oh, and me, I was hosting a bunch of webinars for TICE, TICE R3.
So I did a bunch.
In fact, I think I said this last week.
I did a bunch last week and the last for this week.
And it all went very well, actually, I have to say.
See, I tried calling you to wish you good luck
and you didn't pick up.
I know.
I know.
You get really unsociable, Tom, when you're presenting.
I tried calling Jav, but it went straight to voicemail.
He'd actually switched his phone off, which I think is just outrageous.
So for, for my session, I actually had to phone in. So the, the computer was only there for the slides, where they were none.
You phoned in? Did your, did your webinar...
Oh right, like, like Jav's never phoned it in before.
Well, this is true. Yeah, I mean, let's reference our last video, right? But, um,
but yeah, I thought web conferences where you phone in were a thing from like the 90s, weren't they?
Well, like I said, this was an Info Security Magazine one,
brought on by a friend of the show, Dan Raywood. So hey, Dan. So, you know what, we haven't, you know,
we have to keep it to 30 minutes.
And I said to Dan, look, this is a debate that we can go on for longer.
And Dan said, no, I've only got enough change to put in the payphone to last.
This is Dan who's complained about our levels on this podcast.
So, Dan, the gloves are off, mate.
You are going to be the recurring
comment throughout this, uh, today's podcast about sound quality.
We'll always find a slot in the show for Dan.
Yeah, we will. Somewhere, somewhere, you know, nowhere, but we'll always find him in somewhere.
Yeah, exactly. Oh dear. So, uh, what else have you been up to apart from that?
Any actual proper job, proper work, Jav?
This is my proper job.
It's me going out debating fools, knocking them out.
Is that in the job description?
No, but it should be.
I take a pay cut for that kind of job title.
Oh, man.
You just need to caveat,
you were actually joking about taking the pay cut.
Yeah.
Yeah, that's right.
It's a vigorous speech.
It's not a real thing.
Yeah, that's right.
I mean, I might take a few less share options,
but yeah, pay cut.
He's definitely not handing over the key to the executive bathroom.
No. So what have we got up for you this week? Uh, we have our regular items: Tweets of the Week,
Billy Big Balls, Rant of the Week. Um, I'm pretty sure we won't have a Little People,
but we will be kicking off with our new slot, which we still don't have a jingle for. You've
let us down, Host Unknown listeners, uh, with the lack of free jingle that you were going to supply
us. Um, but our, our, um, our new slot entitled Today... oh no, that's who we've ripped it off from, Today
in InfoSec. Uh, This Week in InfoSec.
I wouldn't say ripped off. I'd sort of say liberated.
Redistributed.
Yeah, taxed.
Taxed.
That's right, yeah.
But this week in InfoSec.
And Andy, I think we can leave this one to you, sir.
Is it because of the pronunciation of the names in the first article?
So this week in InfoSec, back on the 19th of September in 2011,
Thai Duong and Juliano Rizzo demonstrated a proof of concept
at the Ekoparty Security Conference to decrypt encrypted cookies,
where they exploited a vulnerability in TLS 1.0 and earlier.
And this became known as the BEAST attack, which stood for Browser Exploit Against SSL
slash TLS.
And this actually, you still see it a lot in pen test reports or vulnerability scans,
like SSL Labs or Qualys scans, that type of stuff.
But when I saw this, I was thinking,
these were actually good days that we took the piss out of it at the time.
But you don't see so many sort of beast, poodle, heartbleed, drown type.
You mean ones with a logo?
Yeah, exactly.
I hated it at the time, but I do kind of miss it, you know. It's a very simplistic time, uh, you know. I mean, this stuff's long ago, you know,
2011, but if someone says BEAST, it's like straight away I remember what it's about.
Yeah, I, I wonder who gets the commission to do the logos, because the logo standardises really quickly.
It does.
so where does it come from?
I guess whoever registers the domain first, really, isn't it?
Yeah, yeah, yeah, that's right.
That's very true, very true.
Mind you, this is the internet.
Like, anybody takes any notice of that.
Well, yeah, exactly.
Just add a, yeah, instead of a.com, it's now a.cc or a...
Yeah, that's right.
That's right.
But the second story, so that was obviously 2011. The
second story which caught my eye this week was, um, from 21st of September 1996. Um, yeah, friend of the
show and, um, co-host of the second best infosec podcast in the UK.
Assistant co-host.
Assistant host, not even assistant co-host.
Oh, assistant to the host.
Yeah, that's it.
That's the one, yeah.
But this was about an email began to spread
about a destructive virus named Irina.
And a friend of the show, Graham Cluley,
discovered it was a hoax marketing ploy from Penguin Books.
Who'd have thought Penguin Books would have been so lit
that they would have done like a hoax virus?
But this is nearly 25 years ago this occurred.
This is a long time ago.
It's exactly 24 years, almost.
Well, yeah.
Funnily enough, we're almost at 24 years this week.
Funnily enough, yeah.
What are the chances? Coincidental.
I tell you what, this is such professionalism on display here.
But it's just the message from it.
And do you remember back in the day,
the amount of email warnings that you would get from other people,
you know, like forward, forward, forward, forward, forward, forward, forward,
forward, forward, like in the subject line
and it would always have the: there is a computer virus that's been sent across the internet.
If you receive an email message with the subject line IRINA, great big capitals, do not read the
message, delete it immediately. It's, uh, basically, if you open this it's gonna, you know, rewrite your
hard drive, obliterate anything on it, you know, forward this to anyone you care about. And, um, I kind of miss those emails as well.
Imagine '96, when it rewrote your hard drive, it was all of five meg.
In fairness, well, yeah, couldn't actually delete the hard drive
while you were using it as well. That was always a problem with Windows 95.
But, uh, yeah, it reminded me of, uh, I don't know if it would call the Irish Good Times
virus that went around, where it, um, it basically just sort of said, hello, hello, sorry, you know, I'm
a virus, but, you know, not a very sophisticated one. Please delete all your own files and,
and forward me on to your friends.
I was talking of a friend of the show,
Graham Cluley.
I was talking with our other sponsor just last night,
the Duchess of Ladywell,
my mother.
And she said,
you mentioned Graham Cluley and Carol Terrio an awful lot on your podcast.
And I said,
well,
they are sponsors.
And do you know what she said?
So am I.
Fair comment.
So I thought I'd best make mention of the Duchess of Ladywell
just to balance the scales somewhat.
So hello, Mum.
Excellent.
Thank you very much, Andy.
Much appreciated.
That must have taken some real digging to get those gems out.
It did. I had to literally go to twitter.com forward slash today and infosec.
Pick out my favourite ones.
Oh, dear me.
Right. I'm going to go off script here.
What's being script?
Oh, what's script?
Sorry.
Actually, we're not going to go in the order.
It says here we should do Tweets of the Week,
but since we've just heard so much of you, Andy,
talking about Graham Cluley, as always,
and your broken microphone,
we're going to go straight away to this week's...
Billy Big Balls of the Week. And I think that's you, Jav.
Yes, it is. Yes, it is. So, it... this whole segment today is about the Duchess
of Ladywell.
No, it's not. Thanks, mate.
Thanks, mate.
I think I'm backing credit now.
We're all right.
Yeah, okay, cool.
So this was a video that was forwarded to me.
There's a YouTuber by the name of Ryan Long,
and he goes, I'm a videographer who has figured out the technique
to sell my footage to both of these news outlets,
both Fox News and CNN. And his whole video has the tips of how he uses the same footage,
but literally all he does is change the headlines and sends it to both,
and both will run with the exact same footage with his headlines.
So say like there's a white cop beating up a black person.
He'll send it to CNN with the caption police brutality,
and he'll send the same footage to Fox News saying, um, uh, you know, brave hero police
on the front line is saving neighborhood from, from thugs. And, uh, and some people say this is
a satirical video. In this day and age, I really cannot tell the difference between the two.
Yeah, exactly.
I mean, there are some classics.
I saw this video when you sent it around.
It is just absolutely fantastic.
And as you say, I think the top comment on that video is,
you know, this isn't even satire anymore.
It's like now you're just giving away the industry secrets.
It really is just fantastic.
And it's a really short video. It's
well worth, uh, well, like two, three minutes or whatever to see it.
It is, it is. And, and this is
the problem, that people won't even research anything. Um, and we, we spoke about this last
week when, uh, Andy, you sent that video of the, the guy breaking... the knocking the guy out, breaking his two arms.
And, uh, I'd forgotten about that.
Oh, sorry. Uh, anyway, the original caption, like, like, like that one, was, oh, this guy was a
pedophile and, you know, the girl's uncle found out. So, so you're like, okay, he's justified in it. Then
you find out, no, it's just some, some gangsters and drug dealers and casino owners. Just, you know, whatever.
And it's so easy to put a spin on anything.
And this is what, you know, a lot of people have been talking about
the documentary on Netflix called The Social Dilemma,
where it talks a lot about this, about how polarisation is the business model
because the more polarised you are, the more you're going to get drawn to those.
Outrage is also the business model.
Yeah, outrage, polarization,
and getting people to react and share
and build their own narratives
of what the world actually looks like.
So I thought this video was a really good way
to give the same message in a not so serious way.
And I'm going to try the same things as well.
So I'm going to start making videos and put them on YouTube channel as here are some security tips.
And then I'm going to put them on some other place saying here are some hacking tips you need to really know.
And then I'm going to put it on a conspiracy theory site. The secrets the government does not want you to know.
Hacking tips security professionals don't want you to know.
Number three will amaze you.
That's it.
So thank you to the late Duchess of Ladywell
for bringing that one to my attention.
Indeed.
Billy Big Balls of the Week.
Very good.
Very good.
Oh, dear.
So, well, now we've gone off script.
I have absolutely no idea where we are at all in this.
Chaos.
Let's just call it quits now.
Do you want to do your rant of the week, Tom?
Shall I do my rant of the week?
I'll tell you what we can do is we can do one of these.
You're listening to the Host Unknown Podcast, more fun than a security offender's briefing.
I thought something had gone wrong with the, with the jingle then.
Oh yeah, what am I gonna say, what am I gonna say? All right, you know what, let's go
completely off script. I am gonna do my Rant of the Week, uh, as soon as I can find the jingle.
So, yes, this is me with, uh, this week's Rant of the Week. Really, so I had a late night last night. I'm
not really, not feeling with it. I've got a bit of a cough, which is not great.
Someone hit the small violin sound effect.
And yeah, just not really with it at all.
But nonetheless, I've got a doozy for you today.
There's an image in the show notes.
But what it is, I found this on Reddit.
And it was, you know, when you go to delete your account,
you normally get put through all sorts of hoops you have to jump through to,
you know, do you want to cancel this account?
Yes.
Are you sure you want to cancel this account?
And they swap the buttons over and you go, yes.
You know, press cancel if you don't want to, you know,
delete the account and they make the cancel green and the, you know,
and the delete red, you know, do you know what I mean?
They swap all these things around.
I think we found the very worst way to delete an account.
And this is from Epic Games Player Support.
And I'm going to read out the first part and then I'm just gonna
summarise, uh, what's required. So: thanks for contacting Epic Games Player Support, my name is...
and it will be a pleasure to assist you today. I don't know why I said that, because we're going
to post this anyway. Charlie Romeo, recently... fake name... recently you requested to delete your Epic
Games account. For security reasons we need to verify some details before deleting your account. Please provide the following information within the
next five days. Okay, that's fair enough, right? You don't want to make sure that it's not being
deleted maliciously and all that sort of thing. And as they often say, when you delete this,
there is no coming back. We remove it entirely, you know, legal reasons, etc. However, here's what's required.
I'd try and do this all in one breath, but I don't think I could.
So a screenshot of your oldest available receipt made on this Epic Games account,
your public IP address, the date you created your Epic Games account,
location, city, state, province, where you made purchases on the account,
the original display name of the account,
the last four digits of the first payment card used on the account,
the date you last logged in,
the names of any PlayStation, Switch, Twitch, or Xbox accounts
connected to your Epic Games account, and the dates when they were connected,
the invoice ID or transaction number from your Epic Games purchase,
the invoice ID is located at the top of your Epic Games receipt
and begins with an A, blah, blah, blah. The transaction number can be found in your emailed Xsolla receipt. If you don't
provide us with the requested information in the next five days and we can't verify you own this
Epic Games account, you will not be able to delete it.
That is nine pieces of information, some of which
you may no longer have access to, like the last four digits of the first payment card.
Why would you have that information on a card that you may have replaced three or four times since?
So I think this is a really, really interesting topic. And I'm glad you brought it up under
rant of the week, because we were just talking about outrage. And we were just talking about how
these things and these are the particular things that scammers and phishers love to do.
So I just done a quick Google search,
and I've just put the link into the thing about how do I delete my Epic Games account?
And it brings up a help page on epicgames.com.
And if you follow the link, it says to delete your account,
log on to your Epic account, go to General Info, scroll,
select Delete Account,
and request account be deleted.
You'll be emailed a security code for verification,
put in the code, select a reason, click log out,
and within 15 seconds you'll be logged out and your account will be disabled.
Your account will be permanently deleted in 14 days.
Have I just been set up?
You've just been played, son.
Son of a bitch.
Oh, man. Scammed. Absolutely scammed. That's brilliant. Brilliant.
So when did they change from this old process to that new process?
I don't even know if that was a process at all.
Have you and Andy been planning this for the last week since I sent that out?
No.
Literally, as you were reading it out, my spidey senses started tickling.
And I was like, you know, this has got too many red flags in it.
Why would an account actually ask you to do this?
But, you know, it is actually believable.
That, I think, that's because it's 2020, right?
So, well, it should be, but, uh, that, I mean, do you remember the old Dilbert, uh, comic sketches, um, Doug Adams?
You know, there's one where, you know, the pointy-haired boss, you know, he's received this
request and he's like, oh, this, this crosses all departments. You know, you need a signature from
every department head, plus griffin, um, you know, before I can do anything with it. And, like, Dilbert
was like, you know, is that Ted Griffin in finance, or the mystical beast that you're talking about? It's like, whichever's hardest.
And, you know, it generally could... I mean, this is a reason why, you know, I've got gym memberships
at like, you know, 40 gyms across the country. I just can't cancel them, you know.
Yeah, and you wonder why you're in debt.
Exactly. Yeah, but, you know, I mean, I would genuinely have believed that. Um, yeah.
As I did. Yeah, 2020 or not, I could easily have fallen for that one.
Yeah, yeah. But, but, you know, Jav decided to play it for laughs.
but no this is good no no no this is good this is a good education moment for you and if you
you and if the listeners want um to know how to spot phishing emails
or, you know, be better trained, you know,
you want some good security awareness training,
then check out the world's largest,
most popular provider of security awareness training.
KnowBe4.
Oh, yes, because this was the company that provided the template.
Was it a news organization
recently? They, they'd laid off a whole bunch of staff. Um, but they, uh, but they, but the, um, that
news organization with the, uh, the skeleton crew they had left, they wanted to make sure they weren't
going to suffer from phishing. So, so they used some of the templates that you guys provided,
and one of the templates was, we're going to give everybody a bonus.
No, it's true. Which is a little bit tone deaf, you know. Read the room, guys.
Notice that there's nobody in the room because you've sacked them all.
Let's just clarify one thing. They use the, the KnowBe4 platform, but what they did, they actually modified, they heavily edited an existing template
to make it relevant and timely to their current thing.
And they sent it out that way.
And secondly, it's up to the customer how they send,
what they send.
You know, because especially when you're a global company,
certain things are very acceptable in certain geographies and completely unacceptable in others.
And that's why you leave it to the customer to make that choice.
And I always maintain that if you send a phishing email and people get vexed at you and they get annoyed at
the security team, then it's not the phishing email that was the problem. It's just brought to,
to light a lot of underlying issues, uh, between your relationship with the, the general population
within the company.
I don't know about you, Andy, but I think he's protesting a bit too much.
i mean unless there's a sponsor jingle coming at the moment,
I'm happy to move on.
Host Unknown. Sponsored by
KnowBe4.
Stu, if you're listening,
we're available.
Really good rates. Company your
size, you wouldn't even notice
the money funneled our way. It's a rounding error.
It is.
It wouldn't even appear on the spreadsheets put in front of you
because the decimal point is so far to the left on the percentages.
Shush.
How do you think I got hired there?
You can't play the same trick twice.
You've got to come up with something.
I used to work somewhere.
It was about 10 years ago when I was working the budget
and I sat down with my finance contact and we were looking at my budget
and I said, context-wise, where are we in the bigger picture?
And he said, your entire budget is at the third decimal point
on the spreadsheets.
We only report to two decimal points.
So I said, so basically I could spend, and I think at the time,
I worked out about 150 grand.
I could go 150 grand over budget and it wouldn't even be reported.
He said, yep.
So that was quite handy to know.
And that's how Tom bought his first iPhone.
His first 150,000 iPhones.
Oh, dear me.
Blimey, we hit a whole bunch of topics all in one there.
Oh, and actually, that was my contribution to this week's Rant of the Week.
But, you know, it... the reason it's believable is because they're not actually asking you for,
I guess, that personal information.
Yeah, I mean, the stuff that you've got there, you know, you're
looking, you think, well, what do they gain by this, you know? And it is actually ridiculously complex enough that, you know, I would believe them. But, uh, you know, from a security
angle you're thinking, well, there's nothing here that's actually gonna, you know, give me away.
Nothing here that flag... you know, flags up. You know, if it asks for my entire credit card number, yeah,
I'd be concerned. But it's not, it's the last four, which is, you know, well known to be not much use.
Yeah, yeah.
Well, I consider myself schooled, Jav,
and you should be ashamed of yourself.
So with that, do you know what?
So one thing you said, this is 2020.
So I guess it's not the security angle,
but there is that story of, you know,
the monkeys that go up the ladder.
I'm sure you'll tell it better
than I could. But, you know, you, uh...
Yeah, it wasn't one of my talks, but you do tell it better than I do.
Yeah, so anyway, do go on, Andy.
I think, I don't know, I think listeners might not know about this story,
so let's hear your interpretation of it. I was always a fan of it.
Okay, so the story is, in fact,
I thought this was just like one of those apocryphal tales,
but I did read somewhere, and it had some primary source information that scientists did a version of this.
Oh, yeah.
They may not have actually used a ladder, I don't know,
or a banana on a string. Well, a creative license.
Yeah, exactly.
It was conceptually the same, though.
And the principle is you put five monkeys into a room,
sorry, five, or chimpanzees, whichever way,
whatever primate you might have to hand,
although you need ten in total.
And you put these five primates into a room with a ladder, with a banana at the top of the ladder.
One primate goes up to grab the banana, cause obviously bananas, primates, you know, these things go together.
Um, and you flood the room with freezing cold water, which of course freaks them out. Uh, and they don't like it.
And then, you know, another primate, or even the same one, tries to go up the ladder, flood it with cold, freezing cold water.
They get to... they get the point very quickly that, uh, you don't go up the
ladder to get the banana because you get soaked and wet and, you know, cold, etc. You then take
one of the primates out and you put a fresh, dry primate in who's not seen or heard any of this,
and of course looks at the, um, at the banana, uh, tries to get it. The
four wet chimpanzees beat up, you know, the, the one that's going up the ladder because they don't want
to get wet. And eventually the, the, um, that, you know, that the dry primate agree... you know, understands it:
goes up the ladder, gets beaten up, banana bad. You take out one by one, you take out
one of the wet ones and put a dry one in, and the same thing completes until you've got five dry
chimpanzees in the room, never been soaked, you know, with the cold freezing water. You put another
one in and he goes up the ladder and they all beat him up because actually they don't know why,
but that's just how they've always done it.
That's how they've always learned that you don't go up the ladder for the banana, because you get beaten up.
And so therefore they beat the, the, the, you know, the chimpanzee up.
So, and the moral of the story is, saying that we've always done it this way is the most dangerous words in security.
Thanks for coming to Tom's TED Talk.
Exactly, exactly. If only it was an original.
Yeah, no, but I think you're right. I think that's
how a lot of security processes and procedures and standards and guidelines have, have come to be
over so, so long. It's, uh, it's like, I mean, how long did it take them to change guidance
on 90-day password rotation?
Well, do you know what?
You're absolutely right.
And on one of these talks I was hosting this week,
one of the vendors there, and in fact,
I think I complained to you guys privately that the vendor
was actually selling rather than educating.
But anyway, one of the vendors there said, well,
we change our passwords on a regular basis, blah, blah, blah.
And then carried on as if, you know, and I very nearly picked him up,
but I thought I should really ask questions rather than criticize his
corporate environment.
But it's still there.
It's still very common.
You know, the place I left, you know, nearly two years ago,
it was still very common there.
And, you know, trying to get IT to change their minds on that
would have been virtually impossible.
Yeah, and I see it as well.
You know, it's difficult with certain clients,
particularly in the financial sector.
They will insist, you know, contractually,
you are required to change your passwords at least once
every you know whether it's 60 days um you know but it is you know despite you know the wealth of
you know information that's out there saying it's actually uh you know better to you know
change passwords maybe once a year or something and have additional factors of authentication
You know, you'll never get past it because, you know,
the bank auditors will have these are the requirements.
It's a tick box.
If you do not do these, you fail as a vendor.
You know, you have to fix it.
But NIST, and I'm not a fan of NIST,
mainly because there's too many pages in their standards,
but even they have clearly stated,
don't change passwords unless you believe they have been compromised.
Yeah, and even close at home, the NCSE.
Oh, yes, they did.
Yeah, you're absolutely right.
Yeah.
I don't think ISO has caught up yet, have they?
No, I don't think so.
Although, do they even specify it? I'm not sure that they do.
I think they just say secure password protection.
As long as you've got a process, yeah.
So the ISO standard is very, you know, very sort of take a step back
and, you know, we're not going to tell you what we mean,
but you know what we mean.
Very liberal.
Well, I'm a fan of ISO, I have to say.
So, you know, my view is they're a bit more business-focused
than pure security focused.
It's kind of like, but if your business isn't aware of the risk and hasn't made a decision on it, then you fail.
Yeah.
Then you don't pass the certification.
So that's the clear, that's their distinction, which I think is quite an important one.
But yeah, yeah, absolutely.
Absolutely.
I can't even remember how we got onto this now.
Doing things the same all the time.
Oh, yeah, there we go.
Not changing, standing still, not adapting.
Absolutely.
And talking of which, doing things the same every time,
I think it's time to go to our industry news, isn't it?
Yeah, I know that our reliable sources over at the InfoSec PA Newswire
have been very busy bringing us the
latest and greatest security news from around the globe.
Industry News. Activision denies hacking claims over leaked accounts.
Industry News. Uncomplicated cyber insurance program launched.
Industry News. Cisco: ensure collaboration to better survive remote working.
Industry News. Cisco: how real is a passwordless future?
Industry News. Shopify insiders attempted to steal customer transactional records.
Industry News. Does cybersecurity have a public image problem?
Industry News.
Damn it, I pressed it and it didn't happen.
And that was this week's industry news.
Do you think our PA Newswire InfoSec Stig was, um, at Cisco?
That's right.
Sat in on a Cisco webinar this week.
I'll tell you what, we could use this podcast as almost like source material for OSINT courses.
Do you know what I mean?
So listen to this source material and work out
who they're talking about based upon the information they give you.
If you haven't worked it out yet, please, really.
It's the Duchess of Ladywell.
Everyone knows.
She's on my payroll.
Mind you, given the fact that she sponsored us, we're on her payroll.
Yeah.
Conflict of interest there, I'm sure.
Yeah, that's right.
That's right.
Do you know what?
Next week I'm gonna, I'm gonna, um, retype something in between "our reliable sources over at" and "from around the
globe and see if you just read it andy i gotta say you know you know you you talk about conflict
of interest and i just saw this thing on twitter earlier today and it just reminded me so there's
this paper um published uh called improved
metabolic function and cognitive performance in middle-aged adults following a single dose
of wild blueberry that's the heading i haven't read the article but that's the heading so you
have a single dose of wild blueberry and you get basically um the it's the same effect as the um limitless pill
i suppose that's what it's saying limitless so it's uh the blueberry is slang because you know
i'll have blueberries on my cereal in the morning and no no no it's it's wild blueberries and i was
gonna say blueberries on your cereal have obviously not helped, Andy, because you forgot to plug your mic in last week. What?
It's there.
Limitless, Tom.
Limitless.
Check this out.
Check this out.
Acknowledgements.
The study was funded by... The Blueberry Association.
The Blueberry Association of North America.
The funder made no contribution to study design,
its implementation, or any subsequent data analysis uh the freeze-dried wild blueberry powder was supplied by by them and then ethics
declaration conflict of interest the authors declare no conflict of interest
and i was like this is just like infosec practices elsewhere
tobacco industry style uh yeah i'm reading a book by ben goldacre called um i think you'll
find it's a bit more complicated than that and it's about some of the papers it's it's like a
consolidation of some of all of the articles he's written and stuff and one of the things he says is how the media reports um you know health um information so classic daily mail scare
such and such causes cancer and then a week later the same thing causes long life you know all that
sort of stuff and his his big thing is about citing primary sources of of um you know of the
medical papers themselves because the number of times throughout
this book and throughout all of his articles, you have something like the Daily Mail or the Daily
Express saying, you know, eggs cause cancer. And in citing, quoting a doctor as saying,
eggs cause cancer. And then when you look at the piece of research
and in conversation with the doctor,
the doctor says, I never said that.
And the finding was that eggs don't cause cancer.
Do you know what I mean?
It's like absolutely the bare-faced opposite
and they're putting it on their front pages.
And it's exactly like that.
But 5G causes corona corona let's just be very
clear on that well this is true this is true and the masts burn a pretty color in the night sky
so do you remember um i mean this is really old now this is so back in the day when you like see
stuff on the notice boards like that's where jokes used to go on the notice boards where they went
around on emails um you know and uh just as you were talking about that you know the the way things
get translated um there was one called the plan and how shit happens do you ever remember this one
um and it's like i just uh googled it so it says like in the beginning was the plan
and then came the assumptions.
And the assumptions were without form, and the darkness was upon the face of the workers.
And they spoke among themselves, saying, it is a crock of shit, and it stinketh.
The workers went on to their supervisors and said, it is a pail of dung, and none may abide by the odor thereof. And so then the supervisors
went to their managers saying, it's a container of excrement and it is very strong such that none
may abide by it. And so then the managers went to the directors saying, it is a vessel of fertilizer
and none may abide by its strength. And then the directors spoke amongst themselves saying to one
another, it contains that which aids plant growth and it is very strong. And so the directors went to the vice president saying to
them it promotes growth and is very powerful you know the vice presidents went to the president
saying this new plan will actively promote the growth and vigor of the company with powerful
effects and then uh you know the president looked at the plan and
thought that it was good you know the way that uh you know stuff gets translated yeah you know
throughout those ages but uh you know to your point on that you know citing the primary sources
with doctors i'm still confused as to that rule on uh you know a glass of wine with a meal
you know is it one week it causes cancer the next week it's good for the heart.
Yeah.
You know, it's safer.
I'd go for the one that works for you, if I were you.
Yeah.
It improves my driving, so I have a couple.
Yeah, exactly.
It takes the edge off.
I get nervous when I'm carrying that many people.
When I'm driving the school bus, you know, those kids.
Right, I think we need to move on to your thing now, Andy,
and this week's Tweet of the Week.
So this was actually a very light-hearted tweet, you know,
just because, you know, funny story.
And ironically, as i read it i now see how it uh could relate to my own personal situation with the microphone
on some level but uh this was uh this village um where i'm not sure i can't even pronounce it
because it's, uh, I believe, you know, it's a Welsh...
Yeah, far too many consonants in those words.
Aberholson, I think, in Powys.
So every day broadband speeds in this entire village would be horrendous.
And Openreach, BT engineers, they recabled everything.
They couldn't figure out what this issue was.
It was an 18 month investigation
they sent people there and uh you know it's really difficult because it's a small village
um you know didn't exactly have hotels for like a big corporate like open reach to rock up in so
the these engineers had to stay sort of 50 miles away and drive in every morning and um every day
7 a.m like clockwork broadband speeds would just drop you know and
then come on again overnight and it'd be okay and um so they started going around the village with
uh you know like the spectrum and analyzer um so just to find any kind of electrical noise just to
help them try and pinpoint uh the source of this interference that was causing broadband to just drop throughout the day
and um they discovered it was the this occupant of a house would uh who had a second-hand tv
um every every morning at 7 a.m this occupant would switch on their tv. And whatever radiation that telly was emitting was literally knocking out
broadband for the whole village until he went to bed and switched it off.
And it's just like 18 months it took him to, you know, to figure this out.
And it was a very diplomatic statement from uh open reach um you know sort
of saying that uh anything with electrical components uh you know from outdoor lights
to microwaves could potentially impact broadband connections we just advise the public to make
sure their electric appliances are properly certified and meet current british standards
and uh yeah so this homeowner they didn't identify who it was um it was apparently
very um very embarrassed about the situation and promised not to switch it on again um but you know
even as as you know we progress technologically it's uh you can still get uh blown out by a um
you know an old tv that everyone used to have in their house
i have so many questions
but when bt engineers met the i assume elderly occupant were they shocked to find out that this
80 year old was actually only 17 because of the radiation coming from the TV.
Suddenly aged him or he had two heads growing.
I don't know what era this TV came from.
Yeah.
I reckon,
I reckon that guy could probably have counted seven mistakes on the fingers.
Yeah.
And the second thing is,
is,
you know,
broadband so weak. I mean, China's probably looking at it saying, hey, if we want to take these guys offline, we just need to sell them some cheap TVs
with some embedded capabilities that we can turn on when we want to yeah and i think that that's
part of the problem is that you know this is it, you know, this is, it's not like a weapon. You know, it's not like something that was unobtainable.
You know, this person brought a secondhand TV and it was so powerful.
It wiped out connectivity for a whole village.
You know, you just strategically rent some houses across the country and, you know, load them up with secondhand TVs.
You can basically bring down critical infrastructure, you know know the way it's set up at the moment you're right there are
questions about this but uh i would like to assume that there was at least a flaw with that tv
and it wasn't just a you know operating as expected so so so just to clarify did it actually wipe out the whole internet or
do you not remember the great outage of the 21st of september
how concerned were they or did it just cause a bit of lag when you're like
so they i think it reduced audio quality on podcasts
yeah they uh they say it just uh caused instability uh so content like it caused
an outage first thing in the morning uh and then just caused uh stability issues throughout the day
well apparently it's fake news true story this one's uh bbc this was the uh tweet of the week uh from bbc where's no i put a link
into why it was fake news oh did you oh okay fake news tv did not wipe out oh right oh so we're
doing this now right okay so we set people up to tell a story and in the background we're actually
just gonna yeah wipe them out okay i like this game all right oh you son of a bitch that's a rickroll yeah
i did it i did it i did it
i was hoping you had your speakers on but i can't believe i clicked on that oh dear ah excellent thank you very much andy that was a brilliant uh
tweet of the week
i was like well maybe you did see me typing it and wondering what the hell i was doing but i'm
amazed i got away with that i didn't i'd actually actually flicked off. I don't actually keep the show notes open a lot on the thing.
But now I can see, what's Jav typing?
Some new government organisation called Lemon Party.
Who are they?
Lemonparty.org.
What's that?
When did I type that?
What is the Lemon Party?
Well, why don't you type it in?
You're not familiar with the Lemon Party?
No.
Come on, click it.
It's a big government organisation who...
Sounds like it, doesn't it?
Screw it.
I'll click on it.
I have no idea.
Lemon Party.
Lemon Party.
Duchess of Ladywell, please do not go to
www.lemonparty.org
your son is a
filthy old man
hang on
Andy's not her son
mum
Tom
me and your mum
would like a word with you
Whatever.
I don't know.
And this is the point where quality just,
like clockwork at 50 minutes into the podcast,
it just falls off a cliff.
I'll get so serious we don't know who the hell we are. It almost like my uh attention span just expires after uh oh dear so so yeah we have a few minutes left and you you normally have some
great backup stories so what what have you got uh what have you got for us this so we had uh
a couple. Well, actually, there's two which I liked. One was the, um, you remember the Disney show
Hannah Montana starring, uh, Miley Cyrus?
Yeah.
And this is absolutely right.
This was actually something I was just going to talk.
This has nothing to do with,
um,
InfoSec.
Uh,
you know,
I'll put that out there,
but yeah.
So originally that show was going to be,
uh,
called Alexis,
Texas.
Um,
and then obviously Disney looked into it and found out there's actually a
porn star already
who goes by the name alexis texas not entirely on brand for that type of shows you know what
what kids may be googling but um this reminded me back in a previous company i worked at we had this
American CTO, and he was obsessed with this name, uh, for a company. And I'll just tell you, the name was BizBuzz.
And yeah, we didn't own the domain.
So we, you know, we had to go and acquire it, negotiate, you know, with this person.
Paid a significant amount of money for it, because obviously the power is in the hands of the seller at that point.
And then we needed, you know, the associated domains as well.
And this was, you know know a long time ago and uh the funniest thing was you
know as a company we then did all this uh development um you know for this new product
that's gonna be launched on bizbuzz.com and bear in mind how do you even spell it you know is it
two zeds on the biz or is it one zed or is it bis or is it we had so many questions about this, but, you know, overruled, you know, go with it.
And the hysterical thing was literally a week before we were due to launch,
the porn industry launched a social network for porn stars called Jizz Buzz,
which was like the nickname we'd actually given this product internally.
And you just think, man, that is, you know, such a... There's always a link to porn somewhere when you're doing stuff.
Well, porn has driven the internet, let's face it.
Yeah, we always go back to the old Betamax example, don't we, in terms of...
But I guess the InfoSec story that we had as a backup was um
you know get your tinfoil hats out um this was uh where someone's saying that hacker one is a
complete and total scam wait wait before you get into that sorry i just missed the my opportunity
to get in but a friend of mine forwarded this to me yesterday because you just
mentioned it you mentioned jizz buzz and uh a friend of mine his sons go to martial arts so
all the parents have a martial arts group and uh what what they they for their martial arts
if anyone's familiar they wear a gi which is like the the traditional outfit i thought it was clarified butter uh a different type of gi that's one for our indian listeners yes i thought that was a
general infantryman oh oh my god so i've been on reddit too much recently they wear gi uh to to
practice and uh one of them is she's got mum, she's got two kids that goes there.
So she typed into it,
I need gis,
which is spelt G-I-S.
So I need gis.
And everyone started laughing on the group.
How did you respond,
Jav?
Yeah,
I responded,
I'm a married man.
I've got plenty.
Oh, dear.
I didn't expect you to say that, Jav, actually.
Anyway, do go on, Andy.
After that rude interruption.
Oh, speaking of Mr Interruptions himself.
What?
He didn't even let me get to the punchline
without interrupting me seven times.
I thought the Duchess of Ladywell raised you better.
Yeah, look, we've met the quota
on mentions of my mother, thank you.
Oh, the Duchess will tell us
when we've hit the quota.
Oh, dear.
Well, we've actually run out of time now.
Yeah, I'm thinking, yeah, this is a good one.
We can save this one for next week.
We'll leave the Hacker One story for next week.
Yeah, absolutely.
Absolutely.
Anyway, folks, thank you so much for listening, all three of you.
It's been an absolute pleasure.
Jav, thank you very – what the hell was that?
That was my phone.
Oh, right.
God damn, you can't even wait for the finish.
Jav, thank you very much for today.
You're welcome, you're welcome.
I grace you with my presence and wisdom and wit every week.
Something like that.
And Andy, thank you very much, sir.
Stay secure, my friends.
Stay secure, my friends.
Stay secure.
Host unknown.
The podcast was written,
performed and produced by Andrew Agnes,
Javad Malik and Tom Langford.
Copyright 2015 or something like that.
Insert legal agreements here as applicable and binding in your country of residence.
We thank you.
So I worked for some bank once and the group we were in was called Information Security Management, or ISM. And we had a new director come in and she goes, let's call it Group Information Security Management.
No!
Yeah, I don't know who tactfully explained to her that it would not make a good acronym.
No.