The Host Unknown Podcast - Episode 29 - Probably
Episode Date: October 23, 2020

Perhaps a total IQ of 197 is a little ambitious, as this podcast clearly shows:

This Week in InfoSec

20th October 1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one, who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper.
https://insecure.org/stf/mudge_buffer_overflow_tutorial.html
https://twitter.com/todayininfosec/status/1318551462000185353?s=20

20th October 2006: IBM announced it had completed its acquisition of Internet Security Systems, Inc. (ISS).
https://twitter.com/todayininfosec/status/1318652004894412808?s=20

Billy Big Balls

Javvad wouldn't say who he chose this week...
https://news.sky.com/story/goldman-snubs-2bn-darktrace-float-amid-lynch-extradition-battle-12075941
Sky News has learnt that Goldman has declined to seek a role on the initial public offering (IPO) of Darktrace, a leading player in the provision of artificial intelligence (AI) cybersecurity services.

Tweet of the Week
https://twitter.com/wimremes/status/1318981442114867201?s=20

Industry News
Election Security and Confidence Can Be Enabled Through Public-Private Partnerships
BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19
DDoS Attacks Triple in Size as Ransom Demands Re-Emerge
Modern Attacks Include Supply Chain "Hopping" and Reversing Agile Environments
#InfosecurityOnline: Beware of Malicious URLs and Rogue Redirects
#InfosecurityOnline: Consider Flexible Training for Different Skill Sets
Trust in Remote Working Tools Declines as Need for Security Increases
#InfosecurityOnline: Are the Cloud and Automation Driving or Hindering Your Business?
#InfosecurityOnline: Tactics for Defending Against Credential Stuffing

Rant of the Week
Contributions from: @notameadow @astr0sec @Sinwindie @ginger_hax @Jaysonstreet @Mattjay @chrisculling @zwned @krypt3ia @0xBanana @gossithedog @secops_and_hops @dfirsamurai @stuarthare @lee_holmes
https://en.wikipedia.org/wiki/List_of_burn_centers_in_the_United_States

The Little People

Come on! Like and bloody well subscribe!
Transcript
Ease into it.
That's what she said.
Whee!
Oh!
Did you...
Oh, yeah, that was quick.
That's what she said.
I didn't hear that come in, actually.
Oh, you don't even...
Why is that coming out on there?
What the hell?
Okay, I know.
That's what she said.
I can't hear it. Can you hear it every time?
Yes.
Oh, I know why. I got it, I got it. I thought you were actually deliberately being funny there. There we go, I can hear it now.
The time he was not being funny, he was hilarious. Do you want to do a sound check?
Oh, yes.
Thank you very much.
Let me go through my pre-checks
and making sure that all the sound is set as it needs to.
That one sounds good.
And...
Tweet of the week.
That sounds good, yeah?
Yeah.
You know, you need a checklist like a pilot's,
like go through everything.
If only I had some show notes or something like that.
Yeah, yeah.
I might put something together.
Yeah, yeah, exactly.
You know, if we could pop something into some show notes,
you know, something also encourages me to press record as well.
You know, if between us we had an IQ of 197, we might be dangerous.
We might be.
And if we each knew 5% of the entire show,
we could probably get away with it.
I think that's true.
I heard it from very reliable sources.
Very, very reliable.
The genius sources.
You're listening to the Host Unknown Podcast.
Well, that intro went well. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 29 of probably the best podcast in the world, Host Unknown.
Hello gentlemen, hello Andy.
Good morning, how are you doing?
I'm very well thank you, how was your breakfast?
Well I didn't know we were going into the intro there so I've just finished my breakfast.
You can hear the spoon and the bowl. I've been interviewing people this morning.
Over breakfast, of course.
Well, no, so I've got my timing all wrong, so I actually had to come literally out of the shower and then
straight into the interview. And obviously I didn't, you know, play the alpha move and put my
camera on, so I left my camera off.
I thought you were having a business breakfast, because it's the
only way you could eat out at the moment.
Well, you can't eat out with, uh, more than six people, but, uh, I eat for six people. There's a slight difference
there. And that's not impacted by current... I think it's just a multiplier, isn't it? So therefore it's,
you know... Anyway, Jav, how are you?
I'm very good, thanks, very good. Um, I'm glad it's Friday for a
change. Normally I'm not really happy it's Friday, but this has been a particularly long week, but it's good.
It's Friday,
yeah, or whatever that song is.
Oh, I was going to cue that up.
Oh, where are you going then?
I was going to cue it up, like now if I do it,
it's going to be like three minutes.
You were going to cue that up after Jav said
that, and then in three minutes you were going to play.
No, before I came on today, I've had that song in my head all day,
like all morning.
Did you see it on TikTok somewhere?
Oh, man, you see it on TikTok every week. It's, uh, fantastic. This is, uh, this is the TikTok
equivalent of... remember the old Follow Fridays on Twitter before they became shit?
When they stopped mentioning us,
right?
Oh,
they used to be creative.
That's the thing.
But then people started doing,
you know,
like you'd literally just mentioned the people you thought were good to
follow,
but then people just started posting everyone they actually follow.
And then,
you know, and it's like, man, what's going on?
Like, why am I seeing like a thousand tweets from this person?
Honoured to be in such a prestigious company.
There's only so many times you can reply with that, right?
Before people get suspicious.
But actually you think they're a bunch of knobs and, you know,
who the hell are these people?
Well, they used to be a lot more creative.
I remember in the old days, I'm pretty sure I paid some guy
to strip down to his boxer shorts and he had Jav's name
on the front of his boxer shorts.
Oh, yes, that's right.
And the fact that you paid somebody to strip down to his boxer shorts
when, frankly, with your pure animal magnetism,
you could have probably just asked him.
Well, there is that, but I'd also, I'd already used up favours for other Follow Fridays that I'd done.
Used up favours?
Yeah.
And that's the real reason you're not on Twitter anymore.
It's because you're bankrupt.
You've got the debt collectors after you.
And you had to pay him to put the boxes back on.
After one of your favours.
Oh, dear me.
That is...
Right.
Let's raise the bar a little, shall we?
Not going to be difficult, let's be honest.
No, it's not.
Not after a start like that.
Exactly.
All I can say is, sorry, Mum.
So, what do we have on this week's show?
We have our new segment or not so new segment now this week in InfoSec.
We have Tweets of the Week, Billy Big Balls, Rant of the Week,
and Will We Have a Little People Today?
We had one last week.
Jav promised us he would make sure there was something for this week.
My word is strong as oak.
Strong as oak.
So, yeah, those recent winds that we've had
have actually brought down a few of the oak trees
in the aerodrome where I live.
In the aerodrome?
They have oak trees on your aerodrome?
Yeah.
Don't the planes find it difficult to land?
So it's limited now. It used to be the aerodrome where planes were landing during the war, but now it's mostly
a gliding club. Um, but it's obviously still called the aerodrome, so yeah, it's sort of
limited what you can do. Um, but it's fantastic for the dog to run up and down and chase them all.
That's brilliant. It kind of
reminds me, I was listening to this Russell Peters comedy and he's talking about this time he went to
Lebanon and they said, do you want to go to a club? He goes, yeah. What's it called?
It's called the Bomb Shelter. And he goes, that's a cool name. And he goes there and
it's literally a bomb shelter.
They were just like, well, we haven't been bombed for a while.
Let's go to waste.
Let's put some speakers in there and call people down for a rave.
Oh, my God.
Fair point.
Yeah.
So I think we could be doing more of that kind of stuff around the world.
We could be learning from that.
Anything that's not being used or not being used to full capacity,
just keep it for what it is, but then use it for a rave.
Boris Johnson's brain.
Oh, well, yeah.
There's a lot of noise going on in there already.
The Tory government's promises.
Yeah, we're not going to get political, though.
No, we're not.
No, no, no.
Matched only by the Labour government's spine.
Anyway, for the sake of balance.
Yeah.
So why don't we get straight on to... This week in InfoSec.
Love that jingle.
I love that intro.
That's just fantastic.
It's got a certain familiarity to it
that just sticks with you
and, you know, absolutely fantastic.
Anyway, I will open up with this one
unless any of you guys want to jump in.
So this week in infosec we shall be transporting
back 25 years, where, um, a guy called Mudge, uh, or Peiter Zatko, um, is his real name, um, no relation
to the Karate Kid, um, a network security expert, uh, programmer, hacker,
former member of L0pht Heavy Industries,
as well as Cult of the Dead Cow.
So back then he was not only a very clever person,
he was also quite a prominent figure
who knew how to conduct himself in company as well,
which not many of the old guys could do back then.
But he published a paper called How to Write Buffer Overflows, which is one of the first
papers about buffer overflow exploitation. And he then sent a copy to Aleph One, who wrote
the infamous Smashing the Stack for Fun and Profit back in 1996.
So this was a defining moment in InfoSec.
You know, buffer overflow is still very much something
we should be concerned about today.
And little did we know, it's just a mere 25 years ago
that someone actually sat down, documented it, and published it.
And, you know, Aleph One has a lot to answer for
for calling it, whatever, Smashing the Stack for Fun and Profit.
Yeah, I know, because "for fun and profit" is now, it's so overused in every single security talk.
It's in the vernacular.
It completely is. And this is what I miss about all these guys.
You know, they had cool, catchy names.
Their hacking groups were fun.
You know, L0pht, Cult of the Dead Cow.
You just don't seem to get, you know, real sort of catchy names like that anymore.
Like Anonymous.
I mean, really.
You couldn't think of something more nameless than that, really.
It doesn't describe anything about who they are.
Weird.
Yeah, weird.
It's funny you should talk about Loft and Cult of the Dead Cow
because I did a telephone interview just a few days ago
and they asked about interesting stories.
I won't ruin the punchline, but I talked about how I use some tools.
Literally back in round about, I think it must have been about 95, 96 or so.
Back Orifice.
Yeah, Back Orifice, L0phtCrack, stuff from Cult of the Dead Cow.
And it was because, bottom line, I was trying to get money for a firewall.
And I really enjoyed it, as in using those tools.
And it could have been for me a turning point
to be blunt, of going into the more sort of, um, you know, technical side of security as
it were. Um, you know, looking back, anyway, not at the time, I didn't recognise it at all, but looking
back I was thinking that could have been the point where I just suddenly thought, this is what I want
to do. Absolutely.
So it really does bring back memories, you know, hearing those names.
And I'm certainly going to click on those links,
links in the show notes, folks, to take a look at those papers.
So, yeah, I mean, it's definitely nostalgic.
As you mentioned, those tools back then were just widely circulated,
just so easy to use as well. But I remember installing, um, Back Orifice, um, in an office purely just so I could eject co-workers'
CD trays. Um, that was literally the only thing. You know, I'd say, hey, yeah, I'll say, schoolboys,
to shut down computers. Come on. But I'd always be like,
do you need a coaster to put your copy on?
And then if they said yes, I'd just eject the CD tray.
And then queue.
Wait 30 seconds, let me ask the next person.
But obviously installing Back Orifice across a corporate environment,
it's frowned upon these days.
Yeah.
Was that connecting to the C dollar share?
I remember years, well, actually not even years ago, it was about 20,
when it must have been 2010, I was in the hotel in India with my brand new boss, the new CISO that had come in, you know,
and been sort of dropped in over the top of me.
And we were both on the hotel network
and I found his computer name
and then basically dropped a file on his desktop
by connecting to the C dollar share.
And said, we should be aware of this.
He was like, what the fuck?
How did you do that?
Yeah.
Oh, dear.
So, you know, still got some of those chops.
Yeah, you don't lose it.
It's like riding a bike, right?
Absolutely.
I mean, I had 15% of the password and, you know,
an IQ of 197.
That's all I needed.
Brilliant. Dear. Brilliant.
Right, so moving on.
So that was story number one,
just about such a massive part of the InfoSec history.
I was struggling to land on story number two,
because also this week in InfoSec, back in 2009,
Metasploit was acquired by Rapid7.
Oh yeah, 2009, yeah, 11 years ago. Wow. Um, my God.
And then it's only a mere four years ago since the Mirai botnet was used in multiple large-scale DDoS attacks,
which took out high-profile sites such as Netflix, PayPal, Reddit, Slack, Twitter.
And the world was calm for a day.
It was for at least two hours, apart from, I think, all of a sudden,
Facebook accounts which hadn't been logged into for four years suddenly started having people pop up and complain about not being able to get onto their preferred social networks.
Yeah.
But that is not the story I'm landing on.
So story number two.
And this was a personal one to me, and it made me smile when I saw it.
It made me smile when I saw it.
But October 2006, so 14 years ago, IBM announced it completed the acquisition of Internet Security Systems, Inc., known as ISS.
And they had a product called the Internet Security Scanner. So it was ISS, ISS, ISS.
But this was my first intro into, so I was working for a Fortune 500 company at the time in the late 90s.
And then 2000, I thought I was the Billy Big Balls.
I thought I knew it all about security because I had a checkpoint firewall one book, you know, and I could install it.
It had a GUI, which made it really easy. So I'd turn my nose up at the PIX engineers and laugh at how –
You had a book.
You had a book.
I had a checkpoint firewall support contract.
So, I mean, I remember thinking I was the Billy Big Boys,
and this guy came and just dropped off this Solaris box on my desk.
And I'm like, what's that?
He's like, it's your firewall.
I'm like, okay. I was like, how do I connect to it? He's like, we'll build it.
I need a Solaris book next.
Yeah, come on, you're the Billy Big Balls, build the damn thing.
So this was a, uh, Fortune 500 company, you know, uh, an American-based credit reference company.
I was gonna say, it's all right, mate, all we do is get onto LinkedIn.
Yeah. So anyway, so I was, uh, and bear in mind, security
was still part of IT back then. You know, it wasn't a defined discipline. It was like, right,
uh, it's IT, it's networks, give it to Andy. Um, but, you know, also, you know, I was like the security
Billy Big Balls. Yeah, antivirus, I deploy antivirus across the European part of the business.
I'm a security professional.
I know how to install it.
I've got ePO, ePolicy Orchestrator.
I deploy patches once a week or whenever they come out.
You pressed a button once a week.
Yeah, exactly.
And then we got, um, Internet Security Scanner, you know,
it's given to me with a licence, and, you know, the funny thing was, like, the licence key was
actually the company name. And I was like, this is it, this is what I need. And this is like, um, you know,
the old version of Metasploit, it's Autopwn, like, you know, you could go onto it. And I remember
sitting there, I installed it, I was so excited. I was like, you know, domain admin credentials, I'm like, here we go, get it to run,
tick all the boxes, what I want to scan, everything, every subnet, every account. Do I want reports on?
Yes. Like, light up everything. And I'm sitting checking all the boxes.
That's how you do it properly.
Yeah. And I was like, right, I'm hacking now.
And so I set it off to scan.
It was brilliant.
So I was sitting there, and I'm sitting in my chair,
and it's like waiting, it's thinking, and then a couple of the phones ring.
And all my colleagues' phones start ringing, and it's like,
what, where is it?
Locked out?
What's it?
Locked out?
And everyone's sort of saying, what, locked out?
Then my phone starts ringing, like the overflow.
It's like, hmm.
And then you hear all the overflow phones going through the various teams.
And literally, I just locked out the whole company trying to brute force their accounts.
And not only that, it actually exploited.
Because there's an option like exploit if you can.
We had this really old SCO Unix box in the comm room that was never to be touched because it was too unstable.
Yeah.
Killed it, absolutely killed it.
I remember sort of slowly terminating that application.
Sort of like, hmm, really, locked out.
Okay, let's see what we can do.
I was like, are you guys seeing this?
Everyone's locked out on the network.
Thankfully, Solaris boxes are thin,
so you could slide it back and put a folder over the top of it, right?
Sort of hide it on your desk.
Put a couple of bags of Haribo on the top.
Oh, dear.
But this was...
Yeah, that ISS was a fantastic tool.
Certainly in the early days.
Before you go on there, Andy, I think you deserve this.
Billy Big Balls of the Week.
Yes.
Never felt more powerful.
And then more vulnerable in such a short space of time.
And like you sort of mentioned,
my life could have gone in a different direction
had I relied on tools a lot more than I did.
See, your and my experiences of ISS are very different.
So back in like 2000, 2001, we were using their IDS.
So it would just, like, throw up a bunch of alerts. And I was working in
the IT security team, and we had this rotating thing where one week you'd be working on monitoring,
so you'd monitor all the changes the admin team was doing, then you'd work in operations,
and then you'd work in projects, so that when you went on to monitoring you weren't checking your
own change. Anyway, one of the tasks was to look through the IDS logs, which were ISS.
Yeah.
And me and my colleague and friend, Krish, we were trained up on this.
And the guy training us had no idea what he was doing either.
So he would just say, look at these logs that come through, yeah?
Okay.
Now you see where there's like four or six in a row?
Yes, that's someone trying to brute force our network.
Okay, what do we do?
Well, copy it, copy the IP address, do a lookup, find out their ISP,
send an email to abuse at ISP.net.
Yeah, do you remember that?
We do that all the time, yes.
Copy and paste the logs and say, to... and here's a, here's the template email saying this person
is brute forcing my network, please, you know, get rid of them.
Christ. Yeah, uh, we, we had no idea.
And, and the thing is, the ISPs, they never ever reply or anything, so you don't know whether it's going into, uh, a black hole, whether that's being used to sell PPI or whatever it is.
Um, but, but yeah, um, and, and actually it was at that time Steven Bonner, uh, he was at
Barclays at the time, I don't think he was... yeah, friend of the show, and he set up the ISS user group.
Oh, that's right, yeah, yeah.
And, uh, so, so any, so a lot of the banks that were using ISS for their IDS, they would
all get together and they would talk about what they're using it for and how it's doing it. I think,
I think basically it was a product that no one really knew how to use, or it was just really buggy to get to work effectively.
So the user group was an idea to, A, get people together
to try and use it better, but also put a bit of pressure
on the vendor to sort it out a bit, which was genius.
But, yeah, met a lot of good people there and learned a lot of good things.
Like don't buy ISS.
Yeah, well, or buy it and then set up a user group
and get free tea and biscuits every month.
Very good.
Oh, man, that was excellent.
That was...
This week in InfoSec.
That was a trip down memory lane.
I was about to say, that was a nostalgic walk, wasn't it, that one?
I think we all had a moment there.
The good old days when no one knew what they were doing.
Oh, dear, my eyes are misting over, you know,
I'm welling up a little bit.
How's that different from today when no one still knows what they're doing?
Well, I know.
Because all the people that didn't know what they're doing are now creating these jobs where they're saying you must know what
you're doing, 10 years' experience in this particular thing, because they know how
fucking dangerous it was not knowing what you were doing.
Yeah, trust me, you don't give someone like me with, uh, absolutely zero knowledge the responsibility to build the firewalls for us.
Because the thing is, 20 years ago, you could get away with taking a company down
for a few hours with setting up a dodgy firewall or a dodgy scanning system
or whatever.
Nowadays, you can't.
That would virtually put a business out of business.
It would put you out of a job at least.
Yeah, that's right.
Exactly.
Whereas back then, you could completely bluff it.
I remember deleting one of our leadership team's email account
because his name was very close to that of somebody who was leaving.
And I realised the moment I pressed delete, or the moment I said yes after it said, are you sure, this
will be irrecoverable, um, you know, except for backups or whatever. And the moment I pressed it,
I went, fuck, it was the wrong guy. I looked up, we had an open plan office, and this guy happened to be,
you know, working in the far corner of the office. I looked at him and he suddenly sort of, you know, his head pulled back from his laptop,
like, what's going on?
So first thing you do, go to the logs, delete the activity.
Yes.
Second thing you do is walk over to Mr. Richard Erskine,
sorry, Dr. Richard Erskine, and say,
Richard, something's really gone wrong,
and I think your mail account might have been affected.
So what I'm going to do is restore from last night's backup.
I had good backups, I have to say, quite proud of them.
And at the end of it, he was like, oh, thank you so much.
I've only lost a couple of hours' worth of work.
I could have been so bad.
Thank you so much for dealing with that.
You're such a hero, Tom.
It's all about the spin.
It is. You know what, you say that, and, like, this is, like, in the mid
2000s, like 2005-6, I think. At that time there's a company I'm working at, and there was this
guy in the security team, and he was in charge of this two-year Oracle identity access management project
for the global company.
And he went through everything, and the way the system ended up working,
because it's a global system and you join these domains together
and what have you, and so it's looking everywhere,
it would provision anyone from when they join.
So the whole JML process was tied into it.
The problem is that when someone left the company
and you said, oh, Tom Langford has left the company,
let's delete him.
It would go and find every Tom Langford in the company
all over the world and delete all of them.
So after two weeks of it being live,
they quietly turned off the product and no one noticed.
And this was like a two and a half million pound project
he was in charge of or something.
Christ.
And then after a few weeks, he quietly left the company, uh, to pursue other
interests. But I saw him, he was a consultant charging, like, back
in the day, 750 pounds a day, being an identity and access management consultant.
Jeez. He must, he must have had a bad reputation if he was only charging 750 a day.
Yeah, I don't know.
He wasn't in London, that's the thing.
Ah, right, there you go.
Yeah, chased out of there.
Right, let's move on, shall we?
Now we don't know what this one is,
interestingly enough,
but we do know that it's going to be
Javvad who's doing it.
Billy Big Balls of the week.
Okay, today's Billy Big Balls. Let's start with, let's start from the beginning. I'm going to read
out a blurb from a company's website. I'm going to redact their name and then I want you to have
a guess at whether you know which company this is. I'm figuring Andy might know because he deals, he's probably bought like three of their products over the time.
So let's go for it.
Self-learning cyber AI for your dynamic workforce.
Like an immune system, our world leading cyber AI protects against unpredictable threats.
Cloud native.
We cover the entire enterprise from workforce devices and IoT to SaaS and email.
More than 4,000 organizations worldwide rely on us to understand their digital DNA
and autonomously respond to emerging attacks in seconds.
So I do know what this is.
I'm trying to think of it.
They're based in Cambridge.
They've got, like, a lot of scientists.
They're predominantly, like, data scientists that built this product.
Cambridge Analytica.
No, no.
They do, like... Darktrace.
Yes, yes.
Damn, I was right. I was thinking, I couldn't believe I got that right.
Yeah, so the thing, yeah, so I've seen this, right, and I've
seen this in many companies. Um, haven't actually purchased it ourselves, but, you know, I have, uh,
you know, been through the
trials. I don't know anyone who takes it on as a full-time product after the trial.
And I don't know why, I don't know whether it's the pricing or whatever, but I just don't know
anyone that actually uses this in anger in production. I've been to a couple of their
sort of exclusive events and lunches and stuff like that. And it just seems to be a very pretty pew-pew map type interface
to a bunch of stuff.
There's a lot you can get away with by saying,
oh, it's still learning.
Yeah.
It didn't detect this, so it's still learning.
And it relies so heavily on the AI marketing term
that you're immediately suspicious anyway.
You are.
You are.
I think they got half of it right.
I think the A part is right.
They're just missing the I.
Yeah.
I mean, this is, you know, Darktrace, if you're listening.
Host Unknown.
Sponsored by Darktrace.
But, you know, come on the show and tell us we're wrong.
Yeah, but they're not the Billy Big Balls, actually.
Oh.
They're not.
Okay.
Oh, I like what you did there.
You did a little switcheroo.
Uh-huh, uh-huh.
So they've been growing rapidly.
They reckon they've closed, they've made 200 million in sales last year, nearly. They, because they charge 500,000 a year
for, yeah, something like that. They, they say that they've, they've got bookings of, uh, about
a billion for this year. Um, now, now one of their biggest investors,
who's basically pulling the strings behind the scenes,
is a billionaire, Mike Lynch.
He's the guy who sold something to HP, is that right?
He's the guy that sold autonomy to Hewlett-Packard in 2011.
Yeah, oh, Jesus.
And he faces an extradition hearing early next year
following because the US authorities want to charge him
with 17 counts of securities and wire fraud.
He needs to find a handy embassy to go camp out in.
Yeah, yeah.
Well, he's actually submitted himself for arrest, I think, back in early in the year, January, February,
but he was granted bail for 10 million.
Jesus Christ.
But also, like, the autonomy actual CFO
actually was sentenced to prison for five years in 2019.
For what?
For wire fraud and stuff.
It's all related to the autonomy.
Stuff to do with the acquisition.
Yeah, the acquisition.
Oh, right.
Okay.
And they're still not the Billy Big Balls.
Oh, my God.
You're really teasing us on this one.
This is why you didn't want to include any details.
Yeah, exactly.
We're getting into Graham Cluley smashing security.
Let me tell you a story, chums, chums, territory here.
No.
I'm glad that Carole is there to keep him in check.
We've got no chance with Jav, though.
No.
Now, they're growing super fast.
They're alleging all these values.
So the valuation is through the roof.
And they've been teasing an IPO for ages.
And they wanted to go ahead.
So before you go ahead, you meet with all the investment bankers on Wall Street and everything.
And Goldman Sachs said no.
Basically, they snubbed them.
So they went there with a $2 billion flotation.
And they said, nah, you know, we're not interested.
We're all right, thanks.
We're all right.
We just want your lunches.
Which is basically the – it's like an incredible amount of shade
you can throw on a company that is growing so much.
And it's unheard of in Wall Street when, you know, people are trying to –
normally they're just interested in the money.
But the fact that they just said no, piss off,
is quite the Billy Big Balls move, I must say.
That could be like a headline from The Onion.
Goldman Sachs says no to investment opportunity.
That's right.
So unlikely, you know.
Wow.
So, I mean, I think it's actually really, really positive news
because, A, there's so much shadiness in some of the investors and the background of the company.
But also that, you know, cybersecurity isn't this magical thing that's always going to grow and grow.
And I think a lot of investors are getting wise to that when you look at how much some of these companies have gone for once they've IPO'd, and, you know, then some of them have been taken private again, or some PE firm's come in and
got them. Um, you know, I think it's right for investors to be wary, because it's not the cash
cow that, you know... the bubble can't last forever. So I say kudos to Goldman Sachs, and hopefully investors and bankers will take note.
Indeed.
Indeed.
So, Jav, thank you for this week's...
Billy Big Balls of the Week.
Blimey.
Huge if true.
Huge if true.
Oh, sorry, I'm on the wrong page
of the show
oh dear
lucky I played
the right jingle there
I don't know
you see the thing is
I don't want to
I know we've sort of
you know
taken the piss
out of Darktrace there a little bit,
and I don't particularly want to disparage a product based on, you know,
what actually was a very nice couple of lunches I had with them
and, you know, fairly impressive demos, et cetera.
But it's... you're right in saying that the industry is awash with products
that claim to do an awful lot of stuff for you,
you know, and claim to fix an awful lot of problems for you,
when actually, you know, for the unwary,
they're going to be buying this stuff at huge expense and actually it not doing much for them
because they frankly got bigger problems elsewhere.
So, yeah, it'd be interesting to see how this particular one plays out. We'll keep, we'll keep an eye on it and keep
our listeners informed.
Indeed, indeed. And also, if you are a Darktrace user, not a trial user but
someone that's had it installed for, uh, you know, sort of two years plus,
um, please do let us know, because if it looks good, like I say, I just, I don't know anyone that
stuck with it, and I don't know why. If either of you could come forward, that'd be great.
Yeah.
Right, uh, let's move on to this week's Tweet of the Week. And this is me.
And gosh,
reading this Tweet of the Week,
I think I saw my future.
Too close to home, right?
Oh my God.
I had to go round
and, you know,
re-secure and make sure
that everything in my home network
was exactly where it needed to be.
You had to get a UPS.
Yeah, exactly.
I had to put a UPS onto my coffee machine.
So this is a tweet from a friend of the show, Wim Remes.
In fact, he was a little people at some point,
quite early on actually, wasn't he?
So his tweet is,
Living IoT hell right now: ventilation box disconnected from its dedicated network, no way to reconnect it, reset its Wi-Fi, app keeps crashing when trying to connect to box, help page = 404, so use website contact form, and this is the autoresponder getting back to me. Fuck.
And the autoresponder has basically got some error codes to it. So basically, if you're still alive, can you send, you know, proof of life for a start? And also, I'm with you on this, brother.
I know what you mean. I know what you mean.
Because as these two here will often tell you,
and with glee, my house is awash with useful and useless IoT.
Because you can, right?
Why not?
But yeah, this is really interesting.
It does smack a little bit of... was it the opening episode of season two of Mr. Robot, where a woman's house, you know, turns against her, because the heating goes on and off, the lights go on and off, the music plays really loudly, she can't unlock the door, and all that sort of stuff. And it's like, this is so true. And there's got to be, you know... the level of resilience in some of this stuff is negligible, especially, you know, given the amount of cheap, unbranded stuff that you can connect to your network. And, to be frank, that I have connected to my network, because I can't afford the good stuff. Because at the moment it works, but not always. So, yeah, I think it's worth ensuring you've got a big red switch somewhere that allows you to power off and power on everything manually.
Yeah, you know, first when I read the tweet, I was quite concerned. I thought it's like a ventilator box. I thought maybe someone's on some medical equipment, and I'm like, oh my God, how could medical companies be so negligent? And then he said ventilation box, which I assume is some sort of, like, aircon type.
Yeah, it's his extractor fan, isn't it? It's basically his Xpelair.
Yeah, it's not coming on automatically when he's cooked. You know, first world problems. When... what the hell?
So, do you know, I mean, depending on what type of extraction fan, those things can actually be quite serious. I was in a Hawksmoor restaurant, you know, back in the days when you could go out freely, and was sitting there, and this was... I'll tell you a lot. I mean, you know me, I do like my food. And we were drinking, we're savouring the craft beers, we're absolutely famished, but, you know, the big boss was in town, he was paying for the night, so group first one out. And we're sitting down drinking our craft beers, like, taking our time. We ordered some starters and he's like, okay, right, you know, we'll just get starters for now, you go and bring those and then we'll order our mains in a bit, we'll get a couple more beers. And I'm sitting there, my stomach is rumbling, and it was all going good. And then the starters came up, they disappeared, like locusts went across them, because, you know, we're all so hungry. And more beers. You know, it gets to the point where you just can't drink until you've had some food. And I knew this steak was coming. And just as the steak came out, and I mean literally as it's put on the table, like, the waiters are looking around and sort of looking at this smoke going across the restaurant.
And it wasn't from your steak.
And it wasn't from mine. As much as I do enjoy a well-done steak, it was not coming from my steak. And you could see, I mean, there was a general sense of panic in the room. Yeah, that, you know, you can feel, you can pick up on it. And, yeah, the big boss literally climbed over me to get out. He was gone.
Like there was just this big noise.
And obviously being in London, we just thought it was probably a tube
or something like that, you know, like slammed in.
You know, it just didn't sound right.
But this sort of black smoke went across the restaurant.
Essentially the kitchen caught fire and they had to evac the place.
And I was literally people sort of pushing past, you know,
grabbed me, get out, everyone get out.
And I couldn't quite reach the steak to grab it, you know.
I could just see you.
I could just see you sort of going off.
My baby, my baby.
I was sort of being pulled like, you know,
I was in a current being pulled out of the restaurant.
Oh, man.
Oh, man.
And, yeah, unfortunately, by that point in the night,
the only place we could go was a bar.
I could only eat chips with sort of cheese on them,
which was not – it's just not the same.
You couldn't find a Maccy D's or something.
I mean, at least that would have, you know, filled a hole.
Yeah, well, I actually did get Burger King on the way home.
Because not quite the same, obviously.
Like, you know, the flame-grilled patty burger is not the same as a Hawksmoor steak.
No.
Yeah, tough times.
But, yeah, sorry, extraction fans can be quite serious.
Oh, yes, yes.
I am feeling the pain there.
But, Tom, this is your future.
You need to be wary of this.
Absolutely.
I'm going to... you know, I know what my future holds for me, being six foot four and Dutch, by the sounds of it. So, yes. So, a fascinating one. You know, folks, with your IoT devices, let's just be careful out there.
Tweet of the Week.
What have we got next, Andy?
So we have our reliable news sources over at the InfoSec PA Newswire, who have been very busy this week, I will point out, bringing us the latest and greatest security news from around the globe.
Industry News
Election security and confidence can be enabled through public-private partnerships
BA GDPR data breach fine lowered to £20 million due to COVID-19.
DDoS attacks triple in size as ransom demands re-emerge.
Industry news.
Modern attacks include supply chain hopping and reversing agile environments.
Industry news.
Hashtag InfoSecurityOnline.
Beware of malicious URLs and rogue redirects.
Industry news.
Hashtag InfoSecurityOnline.
Consider flexible training for different skill sets.
Industry news.
Trust in remote working tools declines as need for security increases.
Industry news.
Hashtag InfoSecurityOnline.
Are the cloud and automation driving or hindering your business?
Industry news.
Hashtag InfoSecurityOnline.
Tactics for defending against credential stuffing.
Industry news.
And that was this week's...
Industry news.
Christ, my finger was getting cramped there
from pressing industry news so often.
Someone's been busy this week.
The InfoSec Stig has been busy.
Holy moly. Do you think they went to
InfoSecurity Online this week?
Quite possible.
I think they might have. We don't know much
about the InfoSec Stig, but
I know they support
Spurs, and they had a
very disappointing result at the weekend. I know you
guys aren't football fans.
They had a good result last night,
but at the weekend, they were 3-0 up
in the first 15 minutes.
And with 10 minutes to go,
they were still 3-0 up,
and they ended up drawing the game 3-0.
No way.
Which was...
Is that bad?
It's the most Spurs-iest thing that you could...
It is classic Spurs, though.
It is classic Spurs.
The other thing I know about the InfoSec Stig
is that they have a particular soft spot for Jav,
for some reason.
They're always quoting him.
Really?
So you say you know who this person is?
No, you mean the InfoSec...
Well, in these stories, if I'm quoted,
it's not because they have a soft spot for me,
it's because they recognise talent. They take the best quotes available.
Huge if true.
And the fact that you're the only one who made a comment.
So which one of yours is on here then, Jeff?
Well, the InfoSecurity Online... I'd done the malicious URLs and rogue redirects talk there, so there was a write-up done of that, which was...
Oh, really? Okay. In the show notes, folks. Hashtag.
Yeah, well, I mean, it's just kind of good advice, really, isn't it? Beware of malicious URLs and rogue redirects.
I know, really short presentation by Jav.
No, no, no, because the slides then said Malicious URLs for Fun and Profit, and then it was Rogue Redirects for Fun and Profit.
Oh, dear.
Thanks for coming to my TED Talk.
Yeah.
Oh, my.
I thought you were going to speak German.
I thought you were saying, oh, my.
Actually, I was reaching for this.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
I think we should move straight on, shall we?
Yes.
So what have we got now?
Oh, we've got a rant of the week, haven't we?
Oh, we do.
Rant of the week.
This week's one is a crowdsourced rant of the week
because this seems to have got a few people's backs up.
You've got some people in support, some people not so in support.
I don't know the full split.
Would you say more people are against this or with this?
I guess we can go through and find out.
So @TaoSecurity on Twitter, and I find it easier to say his handle than his name, Richard...
Bejtlich.
Bejtlich.
Richard APT1 Bejtlich has posted: Today's cyber and geopolitical headlines have been dominated by the questions and answers of attribution. If you still think attribution is always too difficult or doesn't matter, you're just not relevant beyond middling technical work that's likely to be automated fairly soon.
He can jump off. Is that your initial reaction?
Keeping much... I mean, Jesus, there's more important stuff than attribution. When you're in the middle of either being, you know, attacked or having some kind of breach, and you just need to get back to business as usual in order to, you know, do that thing that businesses do, which is make money and provide product and value and all that sort of thing, then carrying on for the next six months trying to work out which particular eejit from which particular bloody city or country the attack came from...
Hint, it's always China.
It is with this chap.
Oh, dear.
So we've got some various responses from people. Yeah, on this one, let's read them out in turn.
Yeah, this is like industry news style.
I think it is, isn't it? It is, it is. But this is a crowdsourced rant of the week, so it's not just us. You can't say it's just three men's opinions. Crowdsourced.
So, yeah, the first one I got here, which is from @notameadow, I'm guessing that's how it's pronounced: Salespeople like the one quoted below, need some milk for that burn, who was so kind to disable replies on this tweet, are most likely to be replaced first by the same bullshit AI algos they're always trying to sell. They speak a lot, but nothing really comes out.
Wow.
Emphasis mine.
Harsh but true.
Yeah.
So the next tweet is from astr0sec, with a zero instead of an O.
Oh, God, come on.
Who puts numbers in their names?
Tasteful people.
I have no idea who you are and I don't care that you're verified. You're an idiot. Don't shit down an entire industry because your ego is beyond reach. The fact that you don't even allow replies shows enough.
Fair point. Fair point.
So this one is from Sinwindie, @Sinwindie: Imagine being so full of yourself that you think correctly identifying state-sponsored actors that have money, training, ability, need to constantly evade and evolve is easy, while simultaneously insulting the folks doing the middling technical work that make your job possible.
Yeah, it's so true. They're often so much better funded than you and your response team, right, who are just being told to fix this mess.
Yeah.
Yeah, I got one here from ginger_hax.
Oh, boy.
I've made it from Texas.
Not sure.
What a great way to project your inadequacies.
Of all the takes you chose to hit.
Oh, sorry.
Of all the takes you chose to hit send on, you chose this one.
Folks, be better.
Okay, next one is by Jason E Street.
Jason Street says, the guy who never met an APT he couldn't attribute to China.
Face with rolling eyes.
This guy would eat up all my cookies if I actually followed his timeline.
So next, Chris Culling has said: I used to respect you. Even if you think this, you don't have to say it. Too many in this field already fight with their relevance for someone as experienced as you to kidney punch them with bullshit.
Hot take like this.
Disappointing.
I think you mean disappointing.
Here's one from @Mattjay.
What a punch down bullshit take.
I couldn't imagine a leader in my org saying,
your whole department's job isn't hard and you'll be a shell script soon.
Zoned.
That's like pwned with a Z or owned with a Z.
It's like Z-W-N-E-D.
Says, don't be this douchey.
Just don't.
That's true.
And then @krypt3ia has said, super douche.
A man of few words.
You've got to love krypt3ia.
Here we go.
Oh, my God.
0xBanana.
The leaders of the industry reminding you if you're not paying attention
to what they are, you're just a cog.
Well said, cog.
So GossiTheDog says, good news, guys.
I'm going to get replaced by automation soon.
Yay!
Good old Gossi.
@secops_and_hops has said: Richard makes sweeping comments about an entire industry of professionals. Don't be like Richard.
We've now got @dfirsamurai: I'm working on enterprise automation projects just now and can say middling technical work will be around for a long time. Unless there is intrinsic value in making that effort, attribution is nothing more than man gossip.
Man gossip. That's a new one.
Okay. Stuart, @stuarthare, says: An interesting and insulting take here. To think that attribution is important in general cyber and that the security is all about technical meddling are very far from the mark. TaoSecurity, can you give one valid reason why attribution should be considered by most businesses? Question mark.
And then the final one that I think we've got is from @lee_holmes, or the final one that we can actually say. The final one we can say. There's: Yikes. If you care about security and protecting people, you are not doing irrelevant middling technical work. You matter, and thank you for your contributions.
Well, I think what's interesting across all of these tweets is that they present a fairly balanced view on both sides of the argument.
Yes, they do.
They do.
It's very balanced.
And, you know, this last one is especially... like, I think it really hits home that, for anyone new in the industry or working their way up the industry or considering working in the industry, don't be disheartened by what dick moves, for lack of a better term. I think, yeah, it's such a broad industry and there's so many facets to it, and so many people do stuff that actually makes a real difference to organizations and people's lives on a day-to-day basis. So don't let dicks get you down.
I think also, I think someone like Richard should also consider his medium, because this is something that could have been presented in a far more balanced and intelligent way in, say, a blog post. Obviously, the challenge with Twitter is you've got to put a lot of information across, or you may wish to put a lot of information across, in just a few characters. And he did so, frankly, in a particularly crappy, nasty way. He may have been able to make a better point, insulting a whole lot fewer people, if he'd actually explained in more detail where his thinking was. But, unfortunately, you know, his decision to put it onto this medium means that, frankly, people are taking exactly what he says at entirely face value.
Yeah. And he kind of knew that, which is why he disabled replying.
Yes. Yeah, absolutely.
Totally.
Totally.
But there's nothing wrong with, you know, engaging and conversating.
Oh, my God.
I just inherited some American.
Having conversations about some of these issues.
And if you feel that attribution is really important,
that's absolutely fine. But there's no need to insult people
and to basically tell people they're worthless
if they don't align with your worldview.
Exactly.
So in the show notes,
could you add a list of burn centers in the US?
So you can just find the closest one.
Oh dear. Yes, indeed. And that was this week's...
Rant of the Week.
We are quickly approaching the wrapping up point, and I have to ask, Jav, do you have a little people for us? Andy, over to you.
Oh, Andy, have you got something?
I do, and this is highly topical,
considering the person we were just speaking to.
So this week's little person.
Now, I know you're not practising this one, Andy,
so I've got to play the jingle first.
Oh, okay.
But, yeah, so, okay, we are going to move on.
Blimey, this is me panicking because I'm trying to work out what I need to do to get it all done in time
and not kick off Siri somehow, I don't know.
Anyway, right.
The Little People.
So this week's little person is none other than
at TAL Security himself.
What?
We have just spent all this time slating him.
And here we have him contributing to this week's show.
Don't trust China.
China is asshole.
The Little People.
The Little People.
I thought you were serious.
I thought you had a real clip of him.
Wow.
Wow.
Blimey.
Oh, man.
Gee.
Woo!
Well, Richard, I mean... Somebody shit Richard some aloe vera, please.
Wow.
Actually, can we have that one again?
Because that would work.
Have that one again,
and then I can play him out with the jingle properly at the end.
Okay, here he comes.
Right.
Don't trust China.
China is an asshole.
The Little People.
Good point.
Well, mate.
Wow.
I don't think we could finish on a better note than that.
Oh, my God.
Folks, so, Jeff, thank you so much.
Lovely to chat to you.
You're welcome.
Do have a great weekend.
Thank you again, sir.
You're welcome.
Thank you for having me, as always.
As always.
And Andy, thank you, sir.
Always a pleasure and stay secure, my friends.
Stay secure.
Stay secure.
Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javvad Malik and Thom Langford.
Copyright 2015 or something like that. Insert legal agreements here as applicable and binding
in your country of residence. We thank you.
Wow. Big dick energy there, Andy. Do you think we're going to get sued or are we still sufficiently low-numbered enough to avoid it?
I can touch my toes.
Is that what you mean when you say you're folding?
Yes.