The Host Unknown Podcast - Episode 33 - Went Wrong Right From The Beginning
Episode Date: November 20, 2020

Join us for possibly the most incompetently performed and produced infosec podcast available today. At least we have some of your favourites to share and enjoy:

This week in InfoSec (Liberated from the “today in infosec” twitter account):

14th November 1990: During an NBC News broadcast, two computer hackers from the hacker group MOD identified only by the aliases "Acid Phreak", "Phiber Optik" and “Scorpion” took responsibility for posting the "Happy Thanksgiving" message on the Learning Link's system after destroying data on it.
https://twitter.com/todayininfosec/status/1327615750564179970?s=20

16th November 2000: The FBI released a second batch of documents related to its Carnivore email surveillance program as a result of a FOIA request by EPIC.
https://www.cnet.com/news/new-documents-shed-more-light-on-fbis-carnivore/
https://twitter.com/todayininfosec/status/1328481891901726721?s=20

Tweet of the Week
https://twitter.com/lapcatsoftware/status/1326990296412991489?s=20
https://9to5mac.com/2020/11/15/apple-explains-addresses-mac-privacy-concerns/
https://appleinsider.com/articles/20/11/15/big-sur-telling-apple-what-app-youve-opened-isnt-a-security-or-privacy-issue

Billy Big Balls of the Week
Timothy John Watson of Ransom, West Virginia, was arrested by federal agents this week for selling full-auto AR-15 sears disguised as “portable wall hangers” from a website dubbed portablewallhanger.com (still up as of 11/5 @ 2:07PM). The product is ostensibly designed to hang keys, lanyards, and other small objects in a place where they can be easily accessed because, according to the site, “searching for your keys really sucks!” They even provide a helpful assembly video.
https://www.gunsamerica.com/digest/man-selling-full-auto-ar-15-sears-as-portable-wall-hangers/

Industry News
IT Leaders Reliant on Data for Threat Insight
#ISSE2020: Look to Decentralized (Rather than Legacy) Identity Approvals
Employees Have Access to an Average of 10 Million Files
#ISSE2020: ‘Real’ Digital Identity Can Exist with New Technology
Increase in Ransomware Sophistication and Leverage of Legacy Malware Predicted for 2021
#DxPsummit: Use Quarantine in Your Ransomware Recovery
#DxPsummit: How Zoom Met 2020’s Security Challenges
MoD Receives Funding Boost and Confirms Increase in Cyber-Spending

Javvad's Weekly Stories
Lazarus malware deployed in South Korea supply chain hack
Data belonging to 27.7M Texas drivers stolen in latest case of unsecured storage
Animal Jam Hacked, 46M Records Roam the Dark Web

Rant of the Week
A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military.
https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x

The Little People
Seriously? You honestly thought Jav could get a hot-trick of these together? Jog on! Come on! Like and bloody well subscribe!
Transcript
So you're gonna unmute Andy now. It's Friday, then it's Saturday, Sunday. Yes, I think I will,
actually, because he's just gonna keep doing that sort of... Oh, Jesus.
Yeah, yeah, definitely discovered the mute button here, right. It's Friday then. Oh God!
Right, I think we need to share the power of this mute button between us, Jav.
We do. I will use it wisely.
Indeed.
I am worthy.
You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are.
We are in the grand old UK at the moment. Only the second worst nation to be in in the world, I think, right now.
And how is everybody? Andy, can we hear you now?
I think you can.
No, boring. Jav, how are you?
I'm doing a lot better now. You know, this week has been one of those weeks where I've
realised, I've reignited my passion for hating people.
Oh, really?
One of the reasons that, so, so you know there's so many Zoom
meetings and WebExes, and you remember, you remember the days, Tom, when if you want to speak to, when you,
if you wanted to speak to someone, you would pick up the phone and you'd dial them, and if it was a
good time they'd talk to you, if not they'd say no, or they wouldn't pick up. But now it's like
someone sends an email.
Can I call you at this time?
Oh, no.
What about that time?
And then it's like a Zoom meeting.
Anyway, I got this meeting.
This happened three times to me this week.
So where someone said, are you free for a call between?
And someone said, so the most recent one the other day was,
are you free for a call between 1 and 5?
Tell me what time works for you.
And I said, okay, how about four o'clock? And then they came back saying, oh, you know,
I was really hoping we could speak a bit earlier. I said, well, why did you give me the option then
you Muppet? It's like when people are on WhatsApp and all that sort of stuff. Oh,
I've got so much on. All these people want to talk to me. Well, just don't respond.
Yeah. You don't have to respond to every message. You can just say nothing. That's a perfectly
acceptable response. The whole point of these things is that somebody can deliver a message.
You don't have to respond to that message, right? It's a bit like chatting to Andy.
You know, we can talk to him, but we can block him talking to us if we want to.
Yes.
Although I promise I won't do it anymore, Andy.
Andy, how the devil are you?
Probably a little bit more cheerful than Jav.
Oh, he's sulking now.
We could just hear his traffic going outside his window.
Yeah, we know he's there. You know what,
I thought that was a setup, because I was waiting for that mic, the mute button, to go on, so I thought,
I'm not going to give you that satisfaction. I am a man of my word. I said I wasn't going to press
the mute button anymore, even though I've just discovered it after 33 bloody episodes, just
discovered that I can mute people. This is going to be... Well, I actually
did a count. It's probably, it's actually about 35 episodes. You've really mislabeled them
in the early days. Is it really that bad? Yeah.
So we're underselling ourselves.
Does that include the dubious... That does include, there's nothing dubious about the second episode,
but it does include the second episode.
Do you know what?
One of these days I will edit that together
and release it as like a special edition.
I think we're waiting for a certain event to occur.
That's right.
The way 2020's gone, it's not out of the question.
No, but that's going to be like that famed Star Wars Christmas episode.
Yeah.
They're bringing that back.
They're bringing back the Star Wars Christmas show.
Are they?
Yeah, but it's Lego based.
It's all Lego.
Excellent.
Yeah, it's going to be superb, unlike the original Christmas show.
You know, yesterday I saw on Twitter
Disney pay up was trending
because some writers
have not been compensated for writing
for Star Wars.
Some Star Wars
episodes or shows or something, I don't know.
Oh really? Which show? I hadn't worked
out, I hadn't got to the bottom of which show.
I don't know, do you think I read through
the stories? Do you think we research what we talk about on this show?
In fact, Andy, you were saying the other information security podcast
that's worth listening to, they always know what they're talking about.
They've actually read the stories, right?
Absolutely, yeah.
They don't just chuck stuff together like in the five minutes
before they dive into the same number.
They're not actually making edits as we're talking right now to the show notes, are they?
But yeah, folks, if you're listening to us for in-depth analysis, you are on the wrong show.
That is not what we are about.
But give us a headline and we will give you an opinion.
We will.
We will tell you exactly what we think.
Exactly what we think.
So talking of headlines, I got a Google Alert the other day because I've set up Google Alerts for Host Unknown.
Hold on, Tom.
Are you not going to run the intro first?
What intro?
The intro for the show.
We've done it.
We've done it.
When did we do that?
Oh, my God, Jav.
At the start of the show.
Yeah.
Really?
Yes, really.
Hold on, I want to go back.
I've got this without Tom.
No, forget that.
Oh, my God.
I honestly can't remember hearing the jingle.
You see, folk, this is what we have to deal with.
Anyway, so I have a Google Alert set up for Host Unknown,
and I'm obviously not very good at doing host alerts because we don't get many,
but we got one the other day.
Do you know what it was for?
Do tell.
It was about Host Unknown.
It said, and in fact, it just proves we have more than just an international audience.
So it says, is there life on Venus?
Here's what the discovery of phosphine means.
Now, you're wondering where your favourite podcast infosec show
hosted by three people is in this particular story.
Well, it goes on.
The gas detected in the atmosphere suggests the planet could host
unknown photochemical or geochemical processes.
We'll take it.
News, you know, a headline is a headline, and that's one of ours. I don't see anyone else
been mentioned in podcasts on Venus, so, yes, no, exactly. Once again we're there first, and expect
them to follow in the next couple of years. Absolutely, absolutely. There's going to be something about, I don't know, Pluto, smashing something to do
with security, I don't know. You know, they'll clutch at whatever straws they can to try and compete.
God, will we ever get through an episode without talking about them? I don't know. I'd much rather
when we talk about your mum, actually. Shut up. She said to me, oh, she got my Christmas present. Have you?
Yes, we didn't tell her it was the AD3000. Shut up, I'm gonna have to, I'll have to, you know, use the,
the mute on you, Jav. Anyway, anyway, shall we move on?
Yes, please.
Swiftly on.
I'm so sorry, Mum.
Swiftly on.
Let's, should we,
should we get on to This Week in InfoSec?
Let's do it.
Let's do it.
This Week in InfoSec.
InfoSec.
So this week in InfoSec sees us go back 30 years, back to 14th November 1990, when during an NBC news broadcast, two computer hackers from the hacking group Masters of Deception,
identified only by the aliases Acid Freak and Fiber Optic,
took responsibility for posting the happy Thanksgiving message on the Learning Link system after destroying the data on it.
Why can't they just call each other Dave and Trevor?
Well, you've got to think back then it was cool to have cool names,
you know, and I miss those days.
Really?
Yeah.
I mean, who else did they have in there?
Scorpion.
Crazy Eddie, Scorpion, the Plague Seeker.
The Plague.
I mean, you'd hear the handle.
You knew that they were computer hackers.
There's no doubt in that.
But, yeah, so this was referring to an event that occurred back in just November 89
when they destroyed most of the information on the Learning Link computer.
And they just left a message saying,
Happy Thanksgiving, you turkeys,
which is timely at this time of year as well.
The FBI, on 16th November 2000,
the FBI released a second batch of documents
related to their carnivore email surveillance program
under the Freedom of Information Act, which was requested.
Now, if you don't recall this, Carnivore was the system used by the FBI
that was designed to monitor email and all electronic communications.
So it was a customisable packet sniffer
that could monitor all of a target user's internet traffic,
thousands of users at a time, and put it all into massive databases,
which could then subsequently be queried for names, email addresses, and keywords.
And obviously, its name didn't do any favors in the, in the PR department, and it was subsequently renamed in
2005. What's a fluffy puppy? Uh, DCS 1000, I think. I would need to go back and, uh, check, but yeah,
its name was changed to something a lot more... DCS 1000, that sounds like a sex toy. Uh, yes, along the
theme of the AD 3000, I'm guessing. Yeah, apparently, but just not as good.
Just not as good, no. But, um, yeah, so I mean a lot of pressure came out, and the EFF were pretty big
on this at the time, um, and you know, with all the pressure a review was conducted, and I think, you know,
what they, but one of the conclusions out of that review was that Carnivore didn't snatch more data from networks than it should.
But they did highlight it had no auditing functions and significant deficiencies in the protection for the integrity of the information it collects.
Oh, so anyone could check the data and then anyone could tamper with the data and frame anyone and there'd be no way to prove or disprove that.
Pretty much. And in terms of its usage, you know, I think they only counted requests for wiretaps that were done electronically. They didn't do any illegal wiretaps or, you know,
they didn't count those or wiretaps that were requested via pen and paper.
So, yeah, lots of that.
You know, today this software or variants of it are still running,
but without the scary name, I don't think they're being picked up too much.
So it's very secretive in terms of what the FBI can monitor
and how they monitor it these days.
Why don't we ask Edward Snowden?
Maybe he should be a little person on the show.
Do you know what a better idea?
You just remind me, Ed the Fed.
Tom's mate.
Ed the Fed, yeah.
Friend of the show and Tom's very good friend.
Yes.
Yeah, that's right.
Who hasn't returned my emails recently.
But what I find quite interesting about this is that they released this because of a Freedom of Information Act, right?
Yes.
And it becomes apparent that actually this stuff is spying
and that anybody can have access to it, anybody within the FBI
or wherever can have access to it.
You're surprised by this?
I mean, the governments have been doing this for decades and hundreds of years.
Well, was it called Echelon before that, wasn't it?
Or a similar sort of way?
Or the stuff that Snowden exposed.
Yeah.
Shocking as it was, and headline value.
Actually, really?
Are you surprised?
Of course, of course, governments do that. We're lucky that they're just benign governments at the
moment, maybe less so in America right now. But even so, I'm amazed. It's almost a level of
naivety that I find surprising that people are surprised that this happens.
He's just talking about this week in InfoSec.
Yeah.
He's talking about something that happened 20 years ago. This isn't new news.
Excellent. Excellent. So that was a fascinating...
This week in InfoServe.
I tell you what, it's like we practice this all, you know, all day, every day in readiness for Friday.
But for those that know us, obviously.
You know, one thing I've found, like, doing online presentations is really hard
because there's nothing to motivate you to get into the, oh, there's an audience there
or something or walking.
There's none of that walking onto stage.
There's none of that.
Yeah.
None of that.
And actually, this week it was IC Squared Congress, and they had it virtual.
And I didn't see it, but I saw some of the – they put up some YouTube compilations of it,
and one of the keynote speakers – well, Graham Cluley was one of the keynote speakers.
What, friend of the show, Graham Cluley of Smashing Security?
Yes, yes, yes.
But other than him, because he was sitting there
in his professional podcast setup,
I don't know if he's a friend of the show,
but InfoSec legend, closest thing that InfoSec has to a rock star,
Bruce Schneier was keynoting at Congress.
And he was actually standing up during his presentation.
He was doing it from home on a webcam, but he was stood up.
And there was someone else, I can't remember the lady's name,
but she was also standing up and doing the presentation.
I thought, hey, that's pretty good. You could actually, when you're
standing up and you're presenting and you could probably get a bit more energy, maybe I should
do that for the podcast. But I got my coffee and I sat down and thought, you know what? I'm too lazy.
I'm not going to do that. Funny enough, I do that when I'm presenting on webinars now,
because I got one of those upydowny, razy desks.
So I put the desk up and stand in front of it,
and it does make a difference, I think.
It does change the energy somewhat.
So you should try it.
Okay, this money-saving tip was brought to you by...
Yeah, money-saving tip.
Go and buy an upy-downy desk from Ikea.
Yeah. I mean, where else
would you get one, right?
Wayfair? I was about to say
Wayfair. I've been looking at desks recently.
Who's Wayfair? Wayfair.
Wayfair.
I've never heard of them. I literally sent
you a link about desks the other day
when I'm choosing which desk I'm going for.
Oh, Christ, that looked like Viking Direct.
No, it wasn't.
Wayfair, they're the ones that traffic kids and they sell you kids with the furniture you get.
So if you get a desk with the brand name Andy, it's just, you know, £200.
But if it's like brand name, I don't know, whatever, Little Tommy,
then it's like, you know, £10,000.
Where are you going with this?
No, that was the conspiracy.
I remember this story.
I do, I do.
Yeah, that's right.
But wasn't that the result of a hack or something?
No.
It was some weird, well, allegedly,
it was some weird configuration on their back end
that if you bought, say, cushions with certain names on it,
they would be like 10 times the price of the ones without.
Well, even more than that.
It was like ridiculously high.
It was a ridiculous amount.
And people were matching those names up with missing kids from wherever.
And they were like, oh, they're trafficking kids in plain sight.
And it became one of those things.
Well, no, not in plain sight, in furniture.
Yeah.
God, there's a – can we get back to being incompetent and unprofessional?
Because that's just too depressing.
If we have a mind map of this show,
we can actually explain the segues
and how we get to the topics we talk about.
I think our behind-the-scenes show would be about five times longer.
The director's commentary would never end.
Yeah, I mean, it makes sense to us.
Yeah, exactly.
And regular listeners.
So the clue or the key here is to listen every week.
Exactly.
You've got to stay with us on this one.
Yeah.
We deliberately leave Easter eggs and you need to go back
and listen to it again and again to pick them out.
Post Unknown, the Easter Bunny of InfoSec.
We can't promise it gets better, but it does make sense.
It's like in 50 years' time when we're all dead,
everyone's like, these guys were geniuses.
Have you seen this?
They spoke about this in episode three.
And then in 33, they linked it together.
Wow.
That's right.
Comic geniuses.
Incompetent geniuses.
Anyway, shall we move on to this week's...
Tweet of the Week.
So this one is me.
And you may have recalled, in fact,
I do believe we spoke about this briefly, didn't we?
There was a tweet from a chappy called Jeff Johnson,
a security researcher, that said, hey, Apple users, if you're now experiencing hangs launching
apps on the Mac, I figured out the problem using Little Snitch. It's trustd connecting to
ocsp.apple.com. Denying that connection fixes it because OCSP is a soft failure.
And then went on to basically say that this is a massive security vulnerability.
Apple needs to repair it.
They're snooping on everybody, et cetera, et cetera.
Apple didn't address this for quite a number of days,
which is pretty normal for Apple.
But then, and in fact, it was a painful period. It was around about the time of the Big Sur update. And it affected me as well. So I couldn't run apps.
So you say painful period, and like, you know, in concept, we're in the middle of a pandemic here.
And, you know, I think in years to come, people will talk about the year 2020 and say, you know,
it was a painful period. Um, yeah, you're
talking about the problems you had updating your Mac, right? Yeah, it was a painful period for us fan
boys. Just getting the context there, right? That's it. Yeah, the context was that, you know, lockdowns
are fine, but if you can't open your apps, you're screwed. Fair point. You know, if you want context. You need that Netflix. Yeah, exactly.
Exactly.
And then the chill.
But basically, the end result is that that analysis was picked apart
and it's not the security flaw that everybody thinks.
No.
Exactly.
The data that Apple are gathering as a result of this is exactly,
in fact, less data than what the average ISP will collect from you anyway.
And frankly, this is all a little bit over-egged.
What it did do as much as anything is actually highlight the fact
that when you're online and you open an app,
Apple know about it, because this thing phones home. Uh, and of course that whole phrase "phones home" is never good, right, because it's, you know, they're often related with Chinese malware or
hardware or firmware that sits in your, you know, unknown, unbeknownst to you, on your network and
then occasionally phones home with a bunch of data. The Chinese government has ruined ET for me.
Yeah, exactly.
Yeah, precisely.
But as funny enough, it also turns out this is exactly what Windows does
with Microsoft.
This is a perfectly standard thing because it's around confirming
that the application that is launching has got the correct certificate
and is actually the application that it says it is.
So there's also an element of security on there and making sure that you're not vulnerable to malware that has been installed in place of certain applications.
So, oh, and the other thing as well, it, it fails gracefully and promptly when you're
offline, so it doesn't stop you from opening the apps when you're offline, obviously, because we've
all been offline occasionally. Uh, dreadful, dreadful period of my life. But, um, and the applications still
work, but the moment you connect it will, it will, uh, check, it will phone home and check for you. So yeah, this became quite a
massive, uh, non-event. Yeah, yeah, well, a non-event, absolutely, but like many things, people are still
latching on to that first report, this is awful, blah blah blah, and then forgetting the actual
follow-up, which kind of mirrors us somewhat, our political environments on both
sides of the ponds and probably elsewhere in the world as well at the moment, which is,
you know, this whole thing of fake news, really it comes about that someone says something,
it gets promoted around the world. And then when it's proven to be untrue or at the very least,
not as bad as it was originally, that bit seems to get forgotten.
But ultimately this story died a death after about a week or two.
Were we talking about last week or the week before?
We talked about the hanging last week.
Yeah, yeah, yeah.
So, yeah, quite an interesting one here that, uh, what was a really hot topic on,
on the, on the bulletin boards, show my age there, that, um, that has literally just sort of disappeared
into nothingness. So quite an interesting one, I thought.
Thank you for that. Very good time. You're the one with the outro, so, uh,
I was assuming there might be, might be a little bit of commentary, but, you know.
Well, you know, other than,
other than what, other than the fact that you just, like, you know, let's, oh, there's an update, quick,
let's roll it out quickly into all my production machines immediately before the Chinese hack into me.
And then it's like, oh, this has balked some process then, yeah.
Yeah, but it balked it at 10 o'clock at night
and then I was able to work again the following morning,
so it's fine.
Yeah, whatever, trust in Apple, my son.
Anyway, that was this week's...
Tweet of the Week.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
All right, let's move swiftly on, shall we?
We've got this up next.
Ah, and this is you, Jav.
I'd like to rephrase that.
That's not you specifically.
No, no, it's all right.
It's fine. I'm happy with that. So this week's Billy Big Balls,
uh, is a person by the name of Timothy, Timothy John Watson. Sounds American. Sounds American, and you
are right, you won the washing machine, Andy. So, um, I bet he goes by Timothy J. Watson though, doesn't he? I bet he really says John.
Yeah, yeah. Or TJ
to his friends. TJ Watson, that's
it.
Yeah, TJ.
Do you think he watched TJ Hooker growing
up? Yeah.
He's got the Dodge Charger
with the Confederate flag on the roof.
You know, I would not
be surprised.
And a sister called Daisy.
A sister cousin.
A sister cousin.
Okay, so we already let... I think we're letting on how we feel about TJ.
He's secretly homosexual as well.
Listen...
But won't admit it. Well, it wasn't really, it
was his uncle who made moonshine in the shed and he'd go help him, and then, anyway, yeah. It's not a
slur, by the way, it's just, it's a slur against TJ because he won't admit it, by the way, I'm just, just
being clear here. Stop digging, Tom. I know. Anyway, before we know, I'm going to be taking over the African continent again.
Yes. Anyway, for all his flaws, TJ was a hardworking entrepreneur.
I'm assuming he made his way out of poverty and lack of opportunity, but he saved up enough money.
He learned about coding and he bought himself a 3D printer.
And he thought he'd set up his own shop and 3D print items and sell them online.
And he found out he was very good at printing little hooks.
Following the American dream then?
Yeah, American dream.
Portable wall hangers, as he'd call them.
You know, it's used to hang keys, lanyards and other
small objects in a place where they can be easily accessed because, according to the site, searching
for your keys really sucks. I get it. Yeah.
But, you know, America being America, they can't bear to see an honest, hardworking entrepreneur get ahead.
So federal agents busted him into his house and arrested him last week.
And what for? The FBI accuses TJ of using the product as a thinly veiled cover for manufacturing and selling 3D printed plastic sears
that allow semi-automatic AR-15s to be converted
into fully automatic machine guns.
Oh, Jesus Christ.
His website's down now, but there are photos on the other link there.
Yes.
And they do look like a very odd hook, in fairness.
You wouldn't design a hook to look like that.
No, no, it's absolutely not a hook at all.
It's just a very weird design.
But yeah, one of them has got a black base with a red tip,
and they call them the Red Coat Hanger Pack.
So, you know, but it's just quite...
If you go on Twitter, the tweets are still up, you know,
and it's like, you know, what if you don't have any red coats?
You know, and all that kind of stuff. But, yeah, I think it's, it's a really interesting story because, uh, we're probably going
to see more and more of this kind of stuff, and it's been spoken about for a while just related to 3D
printing, that with the right designs you could 3D print pretty much anything. Uh, I think if they
redid the A-Team,
instead of locking them in a shed full of tools,
they'd just lock them in a shed with a 3D printer
and they'd make themselves a tank and bust out of there.
Although you'd hear the occasional scream of,
fuck it, the spool's broken again.
Yes.
Oh, we're going to have to start again.
It's just buggered up.
I know, I know.
It's really weird.
It's just like, well, obviously there's this.
I don't want to go into Americans and guns and, like,
why they actually have AR-15s and, you know.
Self-defense.
We've got them in semi-automatic or semi-automatic mode.
And, you know, because that will save a lot more lives, and then people
are going and converting them into fully automatics, and apparently there was one person who was
arrested, who was a customer of his, uh, who was arrested, uh, during a bank robbery or something.
So, but no word on whether he actually had installed that sear on his gun, but, you know, there's a close correlation
between people that buy stuff from his website, or his ex-website, and actually go out and commit
some crimes. But, um, I, I think this, this certainly increased... I mean, I'm a, I've just been getting into,
uh, just understanding a bit more about 3D printing, and there are some fantastic use cases to it. Like I found this online forum, which I joined a couple of weeks ago.
It's called e-nable.com and it's a volunteer organization
and they share designs for prosthetics.
Yes.
And this is especially for children.
So anywhere in the world, and they have like a few standard designs.
They've shared all the designs for it.
And there's a volunteer network.
So if you're, say, anywhere in the world and you're a child that's lost a limb or a hand or something in an accident or by birth or what have you, you can find a local volunteer.
They'll take your measurements.
They'll print one and send it to you, and, and you've got a prosthetic hand. It just literally
costs, like, what, 20, 30 dollars in, in raw material. So I think there's some fantastic uses to it.
Fantastic, absolutely. But, um, but then, you know, it goes both ways. The thing this story really reminds
me of is, is what somebody was telling me the other day about how you can make people believe the most outrageous things by adding just two words on the end of a sentence.
arrested, uh, because he was selling coat hooks that people were using to convert guns from semi-automatic to full automatic. Unbelievable story. Yeah, in America.
Now it makes sense. Now it makes sense. So you literally just add those two words on the end
and everything becomes believable. So did you hear about this woman who, um, her husband died like 20 years ago and then she fell in love with a goat that she was convinced
was the reincarnation of her, of her husband and decided to marry it? Like, what, seriously? In America. I like it. I like it. Uh-huh. Uh-huh. So that's exactly what I think of with this story is, you know,
by adding that simple two words in America,
actually so much more makes sense.
And to our American fans, because we know you're out there,
tell us this isn't true, right?
I absolutely challenge you to tell us it's not true, because
you couldn't say "in England", it wouldn't work, or "in Spain", or, or even "in Mexico". It just, it does not
work at all. There's no other country. Maybe in Russia, maybe. Oh, but that's usually if it's involving
dash cam footage or wrestling bears.
And vodka.
And vodka, yeah.
Yeah, yeah, yeah, yeah. That's right.
Yeah, exactly.
Anyway, go on, sorry.
Did you hear that Smashing Security won another award?
What?
Seriously?
In America.
Oh, Jav, I see what you did there.
I see what you did there.
Anyway, thank you, Jav, for this week's...
Billy Big Balls of the Week.
Okay, so...
Did I just crash the jingle?
That is a really long one.
So, anyway...
And here's you telling us you're a professional.
So, our reliable sources over at the InfoSec PA Newswire have been...
I'm going to cut in just there.
Very busy.
I'm going to cut in just there and talk about how professional Andy is
and competent Andy is here.
Because what you will not know, dear listener,
from listening to this podcast,
because it will have been so expertly cut together,
is that we've had a few
technical difficulties and I've had to tell the in America story,
I think three times now,
but the first time I told it,
Andy said,
but that's three words.
Anyway,
carry on Andy.
So yeah,
I'm going to explain that the technical difficulties were caused by you
knocking a giant dildo off your desk and pulling out your mic.
We want to, you know, start throwing the mud. That's going, if we start airing the dirty laundry, like,
I'm happy to go. Don't blame, blame Harry for this. True story.
Don't blame Harry.
I learned a long, long time ago, never mess with Andy.
There are two stories here that are not related
but have suddenly become one story in Andy's mind.
That's what I like.
No, no, no.
You know that saying, like, never wrestle with a pig,
it will drag you down into the mud and then beat you
with experience.
Yeah, never wrestle with an idiot.
Never
trust me a campaign against Andy.
The amount of data
he has and the desire,
inner desire, to prove
himself right.
Do you remember a few years ago,
we were at B-Sides London and we were sat there with some of the people from
Twist and Shout.
I think it was Jess and someone else.
And Andy said something and I completely refuted it.
He goes, no, I've got it in writing.
I said, go on then.
And he sat there for 45 minutes.
He went quiet for 45 minutes. That's right.
That's right, yeah.
Oh dear.
Do you know what? When Andy
and his missus have an argument and she
says, you didn't say that. And he says, yes, I
did. And then he goes off to a massive
set of cupboards
and open and catalogue
goes through and then pulls out a tape
cassette and plugs it into something and goes,
He goes,
and then it plays exactly what he said,
you know,
guarantee tape cassettes were a very long time ago.
So now it's just all the memory cards.
Yeah.
All right.
Well,
okay.
So they're all,
all in a little drawer.
They know whatever.
So as a visual,
it's not very,
um,
you know,
not,
not as exciting anyway.
Well, well. Anyway, where were we?
Oh, yes.
Do go on.
So this is the part you can just hit the jingle.
Should I just hit the jingle?
Okay, but that means I have to know where it is.
Okay.
Industry news.
IT leaders reliant on data for threat insights.
Industry news.
Hashtag ISSE 2020.
Look to decentralise rather than legacy identity approvals.
Industry news.
Employees have access to an average of 10 million files.
Industry news.
Hashtag ISSE 2020.
Real digital identity can exist with new technology.
Industry news.
Increase in ransomware sophistication and leverage of legacy malware predicted for 2021.
Industry news.
Hashtag DXP Summit.
Use quarantine in your ransomware recovery.
Industry news.
Hashtag DXPSummit. How Zoom met 2020's security challenges.
Industry news.
MOD receives funding boost and confirms increase in cyber spending.
Industry news.
And that was this week's...
Industry News.
What?
WTF, guys?
I may have made a mistake in the show notes.
It was fine.
It was absolutely fine.
No, it's not fine.
What's the problem? You know what?
You guys do this to me.
You started off by cutting off my last story,
and now you've just completely omitted me altogether.
It's all right.
The audience will fill in the gaps.
Don't worry.
You know what?
I think I should bring in my own news section.
Look, you can only bring in your own news section
if you've got your own news jingle.
I do.
I do.
Hold on.
Okay.
Play it then.
Go on. Give me a sec.
Play it.
Sounds familiar.
Javad's Weekly Stories.
Are we getting our
value for money from that free jingle?
Okay.
Javad's Weekly Stories.
Lazarus malware deployed in South Korea supply chain hack.
Javad's Weekly Stories.
Data belonging to 2.7...
27.7 million Texas drivers...
Javad's Weekly Stories.
...stolen in latest case of unsecured storage.
And finally, Animal Jam
hacked 46 million records
roam the dark web.
And that was this week's Javad's
industry stories.
Okay, play the outro jingle.
Go on.
Give me a sec, it's not working.
Now, Host Unknown is all about cheap and nasty,
but God damn, that was cheap and nasty.
The guy freelanced.
I see you've added the stories into the show notes now.
Is this an official thing now?
You're doing Jav's industry news? Well, I'm just looking.
I can't help but notice that as I check through, that's the first one.
Oh, no.
Second one.
I think I know what you're checking.
So, Jav, you happen to be quoted in all of these stories.
Oh, seriously?
"Javvad Malik, security awareness advocate
at Security Awareness Training Club, pointed out," yeah,
so this is your...
Do you know what?
I'm going to go on record and
say security advocates
they just sort of
prostitute
themselves out for this sort of thing
and only
to get some cheap
bloody coverage
in
mainstream podcasts like this.
Don't be haters, guys.
Look, these are top quality news stories.
It's dragging down the already poor reputation of security advocates.
And it's just the standard.
I love this one.
It raises the question as to how deeply embedded technology has become
in all aspects of our lives.
I think he said that in one of the stories
last week. But it says, Malik said by
email.
Oh dear.
This has been doing a public service.
I'm sharing the wisdom, the knowledge to
people who don't listen to this podcast.
And I know there are a few of them out there.
So it's important that we,
we close the loop and bring the stories into the podcast as well.
Very good.
Would you ever become a security advocate,
Andy?
Definitely not.
No,
I'm not a whore.
I'm not a media whore.
No,
no,
I don't think so.
I don't think,
I don't think I could bring myself to.
It's ridiculous.
Right.
So who are we going to get to sponsor us this?
Maybe Jav
with his industry news
yes
yeah
okay
host unknown
sponsored by
Jav's industry news
when are you going to
give us the money Jav
this feels remarkably
like a shakedown
this is like
It's like two mobsters walking into my shop.
And like, you know,
it would be a shame if something were to happen to the shop,
wouldn't it?
Like it caught fire or something, yeah?
Why don't you give us some money
to make sure nothing happens to the shop?
What can I say?
The three of us are desperate for money,
so why don't you give us some?
Oh, man.
Let's move on and let's give Andy the last word.
Well, not the last word because you never know.
We might have another story at the end of this.
Let's go on to this week's...
Rant of the Week.
So this is a story about an app, a Muslim prayer app called Muslim Pro, which is an app that reminds users when to pray and what direction Mecca is in relation to the user's current location. And this is a very popular app. So according to the Google Play Store, the app's been downloaded over 50 million times on Android devices, and over 98 million times from the Apple store according to the Muslim Pro website. So what we can ascertain is that among the Muslim community,
Android is more popular than Apple.
50 million times on Android, yeah, if you do the math that way.
You mean correctly?
Yeah, but, I mean, I'm not going to say, you know,
they like a bargain is all I'm saying.
Wow.
Okay.
Friends of the show that I know like a bargain.
Any of them are just among us.
Just on the side note, brothers, I know where he lives.
Just out of interest, what OS are you running on your phone?
So I have Android.
I love the fact that he doesn't just answer.
I have Android.
My wife and my daughter have iPhones.
My mum has an Android.
So we're like a 50-50 split smartphone house.
Well, maybe, you know, 50-48.
Actually, no, my son's got an iPhone now as well, so that's...
We've got three iPhones.
Okay, but is it a hand-me-down or did he actually get a separate iPhone?
Hand-me-down. Even my dog's got a hand-me-down. Up until two weeks ago, even my wife had a hand-me-down. So, like...
Gee, I don't know. Yeah.
So I'm just saying, you're getting your money's worth, right?
So anyway, right, so this app, and this is the important part, so 98 million downloads, connected to, you know, a wide-ranging supply chain. That's essentially what happens with this app: it sends ordinary people's personal data to brokers, contractors and the military.
What?
So a technical analysis done by Motherboard basically uncovered these parallel data streams that are sent to the military as well as the usual data collectors.
And obviously, one of the key things about military
and knowing the location of a particular demographic
is that the military have used location data
to target drone strikes in the past.
So purchasing access to this sort of sensitive data, you know, especially when, I guess, the entire, or, you know, a high percentage of that user base are of a particular religion which is often persecuted by Americans with extreme prejudice.
But it wasn't just that app as well.
So there's another dating app called Muslim Mingle
that's been downloaded, you know, only a few hundred thousand times.
But that also, you know, sends data.
To the military.
Well, so they actually send it to something called Xmode
who then sell it on to the military.
Xmode sounds completely like a military company. It does, yeah.
Like one of these fronts. It's a little bit
derivative, but yeah. Yeah, but I mean
I will update that since
publication of this story earlier this week
they have
stopped doing business and
stopped selling data to Xmode
because of its
what they since found out happened.
This is the second company, not the first company.
This is the first company, yeah.
So this is the Muslim Pro app that 90 million people have.
I would be fascinated to understand who wrote the app.
Was it a Muslim company?
Oh, I don't know.
I guess what I'm saying is, did somebody write this with the explicit intention of sharing the data with the military?
With my tinfoil hat, I don't think so. So, what I understand, it might not have originally been developed by a Muslim. I think it was in Singapore or some country like that
where someone saw his friends were always like,
oh, what's the time for prayer?
And they're looking at printed timetables or what have you.
So he came up with the idea, well, why don't I make it into an app?
And then it's grown from there.
So I think, you know, I don't know.
So it came from a good place rather than a very cynical place.
Well, yeah. Well, I think, like most of these things, they often start from a good place, and then, hey, there's 98 million of these Muslims' data here, how do we get our hands on a general, and that we throw money at them?
Yes.
Oh my God. It is quite worrying. And, you know, because it really worries me: it is an app that I've got on my phone. I know most members of my family and friends have it as well.
As do I, brother. And I've got Tinder.
It's just, you know...
Yeah, yeah. But the fact is that, you know, if you're not a Muslim, you're not going to have the app on your phone. Or, like, maybe 10 people are, because they're developers or testers, or they're toying with the religion or something like that. I don't know exactly, but it gives you such a specific... I mean, maybe that's why I get stopped at the airports all the time.
I don't know.
It's just really quite frightening.
It is.
It's shockingly frightening.
I should, I guess, you know, just tell about it.
It's not just these apps.
There were some other apps, like a step tracking app,
which I can't pronounce, Acupedo.
Acupedo? Are you sure that was a step tracking app?
Global Storms app, which follows hurricanes, typhoons, tropical storms, and one of the Craigslist apps as well.
But what about stuff like Grindr, right? You know, that being
shared with government agencies, and certainly in countries that,
you know, being gay is illegal and punishable severely,
potentially by death as well.
You know, that's... Yeah, that's exactly it.
That's exactly it.
That's why privacy is so important.
I know Andy doesn't agree with it, but there are so many people throughout history who have been severely persecuted.
Yeah.
Because of... So even if you look at Ireland, it's not that far and it's not that long ago. Even today, like, you see, like, you know, if your data is exposed as to whether you're Protestant or Catholic and the area that you live in. And, you know, that could result in actual harm to you.
You know, you saw what happened in the Holocaust
and how, you know, religious data was used there.
I mean, all of these things are...
I think just having a mobile phone in a concentration camp
was punishable back then.
The point being that data is, a lot of this data is sensitive data and, you know, the privacy of it is really important.
Yeah. I mean, I think, you know, going back to that earlier story,
I think we understand that there is monitoring of communications.
We understand that, you know that we're carrying around a device
that is easily trackable.
We understand that there are many things that can be done
with that data, et cetera.
But to have something that is so blatantly targeting
a certain group of people and delivering it to a section of government
that is known for the prejudice and potential persecution
of that group of people in a global manner as well.
I, you know, yeah, if this doesn't sway people's opinions towards things like why GDPR is important and why privacy is important along with security, you know, I don't know what does.
That's right.
Oh, thanks for bringing us down at the end of, well, a really enjoyable show, Andy.
Well, I had no idea that we'd be running so far out of time.
So I thought we could obviously put in some positive stories before we go.
But no, no time.
The world sucks.
Your data's been misused against you.
Absolutely.
Time to change religion.
And preference of genitals.
To avoid being sued,
the Muslim Pro company did not know that this was happening.
Oh, what?
That's all right then, brothers.
They sold it on,
and they didn't know that those data brokers
were then selling it on to the military.
Holy moly, that's even worse.
But anyway, read about it,
because you're not going to get the facts from me, are you?
No, no, no.
You only read the headline, let's face it.
Exactly, yeah.
Excellent.
So thanks, Andy, for this week's Rant of the Week.
So I think I'm going to go out and try and find, like, Kosher Pro or something like that
and download that.
Confuse, really, the algorithm.
Yeah.
It reminds me of that movie, The Infidel, with Omid Djalili
on it, where he's
Oh, yeah, yeah.
Where he's a Muslim
guy, but then he finds out that he was
actually given up for adoption by a Jewish
family when he was born.
It's
actually quite a funny film.
Oh dear.
No, we don't have time for
anything to cheer us up. We've only got
time for the little people.
Do we?
No, I don't think we've got time.
Let's crack on with
the little people.
Jav?
Yes, I have someone really interesting this week.
And so why don't you roll the jingle and we'll hear them.
Very good.
We don't have a little person this week.
Oh, well.
Oh, well.
So have you got anything, anything that a little bit more light of heart
that we could talk about and close out with instead?
So I was thinking,
when we're talking about the in America gag
and someone said in Russia.
It's not a gag, it's a life tip.
Well, no, a life tip.
There was, I remember a friend of mine saying
when someone said,
you're talking about Russia and bear wrestling.
Yeah, yeah.
And they said, have you ever wrestled a bear and he said no
but I've choked a few cougars in my time
oh dear god
sorry mum
no your mum's like oh can I
have that young man's number
sorry mum
On a more, uh, good, positive security note, despite COVID going on and, you know, the whole world economy in a downturn, some companies are doing really, really well. And actually I saw a news story just like last week that one company actually tripled its valuation in nine months.
Really?
Yeah.
Who's that?
Sentinel One.
Did they really?
They have raised $267 million in Series F.
Series F? Blimey.
Exactly. Someone wants to get in on that game.
Yeah, yeah.
So their valuation is now over three billion, so that's like three unicorns. I see an IPO in the future.
So are they really a unicorn then? Is that... what's the rules for being a unicorn again?
Well, when your valuation's at one billion.
So at their last Series E funding, they were just at a billion.
So they were unicorn then.
Oh, wow.
So they have like a stable of unicorns now. They have a stable of unicorns, yes.
What is the terminology for a herd of unicorns?
A sentinel one.
Ah, very good.
I'm guessing. I don't know, or a horn, a horn of unicorns.
Well, I thought it was quite good.
No, I'm just reading the press release and...
You know what?
Reading the press release in your head is perfect for an audio podcast, Jav.
Yeah.
Fascinating.
So we should keep an eye on Sentinel One.
I reckon they might be potential sponsors.
In fact.
Oh, post unknown.
Sponsored by Sentinel One.
They should be able to throw a few unicorns our way.
They should.
Yeah.
Anyway, anyway, thank you for that.
Fascinating stuff.
I'm sure we'll be hearing more about Sentinel One in the coming weeks.
Gentlemen, thank you very much for your time.
Javad, thank you, sir.
Stay secure, my friends.
Are you off, Andy?
He literally just started.
That is, ouch.
That's cold.
That is.
God damn.
I think we were right to strong arm him earlier, you know, Andy.
Anyway, Andy, and thank you, sir.
I'll be surprised if half of this show makes it to air.
Yeah.
But, you know, it's always a pleasure.
It's in three halves at the moment.
Anyway, yes, thank you, Andy.
Stay secure, my friend.
Stay secure.
Host Unknown, the podcast, was written, performed and produced
by Andrew Agnes, Javvad Malik and Tom Langford.
Copyright 2015.
Or something like that.
Insert legal agreement here as applicable
and binding in your country of residence.
We thank you.
Jeez, that was a painful one.
That was a pulling case.
That was horrible.
I thought my podcast yesterday was terrible with Eric because we were like 20 minutes in
and then realised I hadn't hit the record button.
Oh, what kind of idiot would do that?
I know, I know.
Complete amateur hour.
And we had our first proper guest on yesterday as well.
Oh, dear.