The Host Unknown Podcast - Episode 47 - What's Happening With ISSA UK?
Episode Date: March 19, 2021Our regular know our regular features, so here is our regular update for our regular features for our regular listeners.This week in InfosecTweet of the WeekBilly Big BallsRant of the weekIndustry New...sThere is no Little People, there has never been a Little PeopleWill we have a Sticky Pickle of the Week? This Week in InfoSec(Liberated from the “today in infosec” twitter account):6th March 1995: The SATAN (Security Administrator Tool for Analyzing Networks) security tool was released by Dan Farmer and Wietse Venema. The release stirred huge debate about security auditing tools being given to the public.Fun fact: @neilhimself drew the tool's documentation artwork. https://www.latimes.com/archives/la-xpm-1995-03-01-fi-37458-story.htmlhttps://twitter.com/todayininfosec/status/1240452423778308097 Rant of the WeekCatalin Cimpanu:Check Point says it is seeing a doubling in ProxyLogon exploitation attempts every few hours.Please, red teamers, explain it to us like we're 5 how releasing PoCs for highly-dangerous bugs too early doesn't help threat actorsWe're listening!Dave Kennedy:Blaming red teamers is already an inaccurate statement as it's typically security researchers who publish these.It was already actively exploited with hundreds of thousands of already compromised systems with little to no direction from Microsoft.Yet offsec is to blame?https://twitter.com/HackingDave/status/1370424240801996809?s=20 Billy Big BallsTIKTOK INTRODUCES NEW ‘KINDNESS’ FEATURES AS IT URGES PEOPLE TO BE NICER TO EACH OTHERTikTok has introduced new features in an attempt to make its users be “kinder” to each other.They include a new prompt that will attempt to spot cruel comments and advise people to reconsider their posts before they are sent.Video creators will also be able to filter comments – removing any comments at all, unless the owner of the video approves them.That feature is called “filter all comments” and TikTok said it was an extension of existing tools that look out for “spam and offensive comments” so they can be filtered out, as well as a feature that allows for the hiding of specific keywords.https://www.independent.co.uk/life-style/gadgets-and-tech/tiktok-update-new-feature-kind-comment-b1815148.html[That was this week's BILLY BIG BALLS]Our source on probation over at the Infosec PA newswire has been very busy bringing us the latest and greatest security news from around the globe! Industry NewsEncrypted Comms Firm Denies Police Cracked User MessagesEncrypted Comms CEO Indicted in Drug Trafficking ConspiracyExchange Exploit Attempts Surge Sixfold as Ransomware LandsOVH Data Center Fire Impacts Cyber-criminalsUK Nurseries Get First Official Cyber-Attack WarningTwitter Updates 2FA to Enable Use of Multiple Security KeysDropbox to Make Password Manager Feature Free for All UsersSecurity Consultant Indicted on Cyberstalking ChargesMom Charged in Deepfake Cheerleading Plot Javvad’s Weekly Storieshttps://mashable.com/article/joe-biden-green-screen-conspiracy-debunked/?europe=truehttps://futurism.com/the-byte/deepfake-elon-musk-zoom-meetings Tweet of the Weekhttps://www.nytimes.com/2021/03/18/business/hacking-cars-cybersecurity.htmlhttps://twitter.com/WeldPond/status/1372530409536380931 Sticky Pickle of the WeekTheree is no Sticky Pickle of the Week Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
I cannot believe it. It's shocking.
That has just messed up totally.
Yeah, and that's why they have to work through the lawyers now.
Unbelievable.
Harsh, harsh.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening
from wherever you are joining us.
This is the Host Unknown podcast. Week, or no, sorry, not week, episode 47, I think it is.
51.
My goodness. Sorry?
51, but yeah, whatever.
51, 47, 51. Yeah, it doesn't matter. It doesn't matter.
Just because you didn't hear them, it doesn't, it doesn't matter. It doesn't matter. Just because you didn't hear them doesn't mean they weren't recorded.
That's all I'm saying.
Exactly.
Does a podcast that isn't listened to not make a sound when it falls down in the forest?
No.
Hang on.
If there's a podcast that no one's listened to, is it still a podcast?
Yeah, exactly.
Please tell us the answer to that, Graham.
Yeah.
You should know. So, Andy the answer to that, Graham. Yeah, you should know.
So, Andy, how are you, sir?
Not too bad, thanks.
All good, can't complain.
The sun is shining today, so it's going to be a good weekend.
Did you rage mail anybody this week?
I always rage mail people, as you know. I am very short-tempered.
I'm a keyboard warrior in the professional arena.
I mean, thank goodness you haven't got a keyboard like Jav's
because otherwise, you know, we get news reports of sonic booms.
Jav, I don't know if we've ever heard it on the show.
Jav, just give us a quick toot on your keyboard.
Not the euphemism.
It's like Sammy Davis Jr. tap dancing on my desk.
It is beautiful.
It's a work of art.
It's more like a training exercise at military barracks or something.
Yeah, that's right.
Well, you know, can never be too prepared.
Oh, dear.
Jav, how are you?
Me?
I only offended or made my colleagues uncomfortable two times this week,
so I'd say it's been a win.
So the recovery programme is working.
It is, it is.
You're on, what, step five now, is it?
The fact that Eric was awful this week sort of helped
because he normally receives the brunt of my, I was going to say abuse,
but no, my good-natured humour at work.
Yeah, bant, I think they call it in the UK,
and locker room pork in the US.
Yes.
So who did you upset and why?
I can't go into details.
And that's why we have to go through the lawyers.
That's right.
What do we have up for you this week?
We've got This Week in InfoSec, Tweets of the Week,
Billy Big Balls, Rants of the Week, Industry News.
We don't have a little people because there's never been a little people.
That's a fun fact.
People think that our host unknown podcast had a little people segment,
but according to our lawyers, never been.
No.
Why would we be so derogatory towards people?
Exactly.
Exactly.
It's just not what we do.
But do we have a sticky pickle of the week?
We'll find out. I suspect not.
But who knows?
Who knows? It depends what Andy
can do to the show notes between now
and 50 minutes time.
Let's go straight on now to
This Week in
InfoSec.
So this is part of the show where we take a stroll down InfoSec memory lane with content inspired by the Today in InfoSec Twitter accounts and embellished by us.
So I'm still deciding if that tagline works for us.
You know, I like it.
It's unique, but you know, it does lend itself to being Belford. Although I did
have a very angry voicemail
from somebody earlier this week.
Really?
Yeah. Unrelated,
I'm assuming. Unrelated.
Wait, let me guess. Was it from
Royal Mail? No.
It was...
Was it from Royal Mail? No, it was. Was it?
Carol Baskin?
Carol Baskin.
John Terrier?
I can't remember.
But anyway, she was upset about our jingles.
Weird.
I can't say.
Anyway, so.
Anyway, this week in InfoSec, a mere 26 years ago, on or around the 18th of March 1995, the Satan security tool was released by Dan Farmer and Weetzie Venema.
And the release of this stirred a huge debate about security auditing tools being given to the public.
leads to this stirred a huge debate about security auditing tools being given to the public.
You know, can you believe it? So for those who don't know or didn't know Satan at the time,
it stood for Security Administrator Tool for Analyzing Networks. And it arrived on the scene to like great fanfare, thanks to some amazing press which came its way, you know, ahead of its
release. And I think we'll stick a link to the article in the show notes.
But just to give you a little taste of this one, L.A. Times writer Amy Harmon,
you know, created this hype prior to the release with, you know,
an article that really sort of helps set the scene for the era,
if you want to sort of put yourself in that mindset.
So at the beginning of March 1995, she wrote,
Mountain View, California.
Now that hacker legend Kevin Mitnick is safely in federal custody
after an elaborate electronic chase ended last month,
the biggest threat to the security of the world's computer network
may well be Dan Farmer.
And it says, yeah, he would disagree,
but if all goes according to the 32-year-old security expert's plan,
his controversial brainchild, a soon-to-be-released program called Satan,
may in fact render the internet safer for private information
than it ever has before.
And this all came off the heels of Dan and Weetzie
after they wrote and published an article titled
Improving the Security of Your Site by Breaking Into It,
which at the time just caused heads to explode
because that type of thinking was just too far out there.
So Pharma had previously written software called COPS. He's a big fan of the
acronyms. And that stood for Computer Oracle and Password System, just to date how old this is.
That was, I think, 89 he wrote that. And Wixi was famous for writing the Postfix Mail program,
which I'm sure we've all experienced in our time uh i used to place heavy
reliance on that in a high transaction environment um so anyway these guys were the pioneers they
developed satan one of the earliest automated vulnerability scanners and they gave it away for
free via anonymous ftp which as was the way you receive software back then um so the article went
on to say you know pharma Pharma and Venom have planned to
release Satan over the internet where anyone who wants a copy can get it for free. And therein lies
the rub. The analogy we use is that Satan is like a gun. And this is like handing a gun to a 12 year
old. And this was a quote from Mike Higgins, who's on the steering committee chairman for the Forum of Incident Response and Security Teams,
which was a group of 43 cyber cop squads responsible for security on the Internet.
And he said, you know, an awful lot of people are going to use this in a bad way.
And it's like they're holding the network hostage.
And this guy, Higgins, was also the chief of the Defense Department's computer security team.
And he had actually asked Farmer to limit the release of the program, you know, just to a small
number of people who he said could be assured to use it responsibly. But obviously, Dan refused on
that. And Dan's whole position on this was that you know you need to hold internet
operators to account you know to make sure that computers they put on the on the network um you
know are secure uh and you know the reason i mean this was you know back then no one thought about
just going out and automating tools to hack things for there and satan was the the first tool that
was like easy to use it um mimicked Mosaic web browser.
So it was proper GUI related, really easy.
And law enforcement thought this was going to be this massive tool
that people just used to find vulnerable systems across the internet,
not dissimilar to Showdown these days.
And it's so bad at the time, Dan actually lost his job.
His employer terminated his employment.
Really?
Yeah, it's like a real big thing.
You know, no one did this.
No one had these tools back then.
And so, you know, obviously not for the first time.
They had to write their own, in which case they had to have a certain level
of expertise in the first place.
Yeah, and that's the thing.
I think, you know, the term script kidKitties came along a bit later on
after these tools went mainstream.
Well, ScriptKitties really became mainstream after HDMore stuff, right?
Because that was the stuff that really made it easy.
I mean, I think even with something like Satan and given it's 95,
you had to know what you were doing in order to use it anyway.
Yeah, but also the other good thing about Satan is that, you know,
it wasn't just like, you know, it didn't, well, not meta-sploit,
you know, it didn't have like an autopone feature.
Yeah, yeah, exactly.
It wouldn't actually exploit the vulnerabilities.
It would just identify them.
So you still had to have that knowledge back then.
It wasn't like, you know.
Well, it's a bit like, you bit like the cult of the dead cow tools
and all the back orifice and all that sort of thing.
Well, I mean, that stuff did actually exploit.
Come on, that...
You ejected people's CD trays or turned their screen upside down.
How malicious.
I mean, having said that, back in the day,
as Andy probably knows all too well,
even if you ran a scan at the wrong time, you'd pop laser light.
Take systems out.
Yeah, there's a large credit bureau,
which may have experienced an outage around about 2000
when I got my hands on ISS for the first time.
And who knew there's an unpatched SCO Linux box in the comm room,
connected to the network.
Oh, dear.
Teach you to give me root access.
But fun fact about that Higgins fella,
after he got sacked,
he then became Magnum PI's sidekick.
Yes, that is.
So it worked out well for him.
It did.
His fondness for dogs.
Yeah, although he had to grow sort of like 20 years older overnight
in order to take the role.
Well, if you see what these guys had to deal with back then,
they aged quickly.
Yeah.
It wasn't a young person's game.
Well, when you see, you know, Magnum driving off in your red sports car,
that's going to age you.
Yeah, you know, you immediately lost.
The reference is lost on like half our four viewers.
Well, I don't think anyone that was around when Satan was released
will get the references.
But unfortunately, when you think it's 26 years ago,
and I'm thinking about, you know, mentees that you have had
at recent B-Sides events when, you know, rookie tracks were running,
none of them are anywhere near 26 years old.
Even now?
Even now, yes.
Yeah, so this is a long, you know, a key pillar of Internet history here,
security history.
And just off the back of Satan's reputation,
there was a tool released called Saint,
which stood for the Security Administrator's Integrated Network Tool.
And Saint still runs today.
That went commercial
and that is i thought roger moore was the same yeah again i mean we're losing people
we've lost people hey my mother knows it my mother's getting this oh yeah this episode's
for the duchess so anyway, Satan's no longer in development,
but it did pave the way for other tools such as Nmap, Nessus,
and all these youngsters who take Metasploit and Kali Linux for granted.
Which I think is really interesting because you said it paves the way
for Nessus, Nmap, et cetera, et cetera,
which have done a huge amount of good for the industry, right?
Yes, of course they can be used badly, you know,
and you can use them, you know, as an attacker, et cetera.
But actually those tools have done immense good for the industry.
And so I think it's really interesting to see how when Satan first came out
and it was demonized almost as a, as a, as a tool. Oh God. Yeah. Pun.
Sorry. That pun was unintended. Anyway, it was demonized for,
for, you know, handing a loaded gun to teenagers, forgive the, you know,
the analogy there but borrowing their own but uh and yet
ultimately what came out of it was was a whole bunch of good and some good changes in practices
as a result of um of testing basically yeah and uh just to say you know that whole demonizing thing
so he actually did release an update for it.
And I think it was called Remorse or something like that, which changed.
Well, no, what it did, it changed the references to Satan to Santa.
Oh, that's right.
Yes.
Yes.
I do remember that.
So, yeah, it was.
Yeah.
Either that or he became dyslexic.
Yeah.
Which is, what is it the dyslexic
insomniac
who
and demon worshipper
who sold his soul to Santa
yeah
wow that was a laborious
set up there that was painful that was painful because i forgot
the third part that he forgot the punchline yeah i knew it was a funny joke i got the punchline
actually no i had the punchline i had to work backwards
oh it's like jeff isn't it i like that one cool yeah so that's uh yeah that's what we got this week there was a fun fact to go with that is that the tools documentation artwork uh was written by neil
gaiman oh sorry drawn by uh neil gaiman was it really yeah so yeah the uh the guy wrote bale
wolf and uh various other more recent famous things um and there's a great uh if you actually follow the the link in
the show notes the original tweet you've got uh dark tangent himself jeff moss uh provides a link
to when dan farmer talked about um uh satan at the first defcom and you also got neil gaiman as well
um tweeting that yes he did he did draw that artwork.
So it's like a real party bringing people back from the 90s.
Yeah.
Yeah.
And a little bit of showing off who you know.
It was, yeah.
Oh, man.
This is like the original old boys club, you know?
Yeah. Yeah, that's right, Old Boys Club, you know? Yeah.
Yeah, that's right, except it's a lot cooler.
Yeah.
Excellent.
Thank you, Andy.
This Week in InfoSec.
Oh, I like that.
I like that a lot.
That was actually from the This Week in InfoSec Twitter feed, wasn't it?
It was, yes.
We're back, baby.
We're back.
Or rather, what they did was they did this for about, I don't know,
a six-month period in the middle of the year.
And so in six months' time, you're going to have to start researching your own again.
Yeah, well, to be fair, this wasn't actually from this year's.
This was from last year's.
Why would you not just repeat the same stuff?
I don't know.
Well, yeah, exactly.
And then seed in a few different ones.
I mean, like, who's checking?
Exactly.
Who's checking?
Anyway, let's move on to this week's...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
So who doesn't like a good bit of drama on the internet?
We all bring the popcorn, right?
Yes, exactly.
And this is really interesting because this actually ties in a lot
to what you just spoke about, Andy, with the Satan or Santa.
So this is inspired by a tweet conversation between Katalin Kimpanu,
one of my favourite reporters, journalists, and Dave Kennedy.
Dave himself.
Dave himself.
So Kathleen put out a tweet saying,
checkpoint saying it's seeing a double in proxy logon exploitation
attempts every few hours.
Then he goes, please, Red Teamers, explain to us, like we're five,
how releasing POCs for highly dangerous bugs too early doesn't help threat actors. We're listening.
So, you know, and this goes back to that age old argument, you know if if there's a vulnerability um or or some sort of known
exploit you know how quickly do you release it is it full disclosure is it not you know why have you
it's it's very similar to the satan example in the sense that you're giving tools in the hands
of people and you know there's no assurance you don't know how they're going to use it and what happened.
So Dave Kennedy, he came back.
He's saying blaming red teamers is already an inaccurate statement, as it's typically security researchers who publish these.
Get your facts right, girlfriend.
It was already actively exploited with hundreds of thousands of already compromised systems with little to no direction
from Microsoft.
Yet, OffSec is to blame?
So this kind of went back and forth. And some people are saying that, well, yes, it was already being exploited,
but exploited by, say, some Chinese state actors by releasing the POC too early.
You've given it in the hands of every criminal out there or a curious researcher and hacker.
criminal out there or a curious researcher and hacker um and then the the counter argument is well you know releasing stuff does make us stronger we know what to look for we know how to search for
it it's the same old arguments that were made against satan it's a meta exploit has has faced
these for for years and you know all these tools these tools. So if you just go to the Twitter link we'll put into the show notes,
grab yourself some of those Butterkist toffee popcorns
and start having a read through.
Post Unknown, sponsored by Butterkist.
Yes, exactly.
I don't think we're going to ever...
Get a sponsor?
Yes, we're not going to...
Well, yeah, I suppose their sales have been dropping
ever since cinemas have been closed.
So maybe we can help them boost some sales if they sponsor us.
Yeah, Butterkist actually started doing home packages
during the first lockdown, where they would send you
like these giant cinema-sized bags of popcorn.
That's basically all the stuff they'd had popped ready
and going stale.
Yeah.
No, it was, yeah, good bargain.
But, yeah, I mean, going back to the whole, you know,
old is new and new is old.
Same old arguments.
And where do you go with this?
So there's an exploit out there and there's facts to prove.
You can disclose to a company responsibly.
Depending on the maturity of that company, they'll do something, come back to you and say, right, give us two weeks.
Other times, there are stories of companies that have known about stuff for three months, done nothing on it until it's been released to the public.
And then, you know, that, that pressure gets to them.
So I don't know what the answer is on this one.
The thing is I, years ago, I was on the end of a,
a researcher, an independent researcher.
This particular chap was in India and he did a responsible disclosure to us about a site
that we were working on for a client.
And it took so long for us to respond to him,
not because of what we as information security,
the GSO wanted to do, but because everybody else felt
that they had to do something different, if you see what I mean.
So, you know, do we need to get legal involved?
Let's get legal involved.
We need to, you know, send a cease and desist.
Get that gagging order out there.
Yeah, it took more than one phone call, which I find utterly astounding, but more than one phone call to put across to them that actually,
you know, one of my guys knows this person.
They've already reached out to him.
All he's looking for is an acknowledgement that we're going to fix it and can he have a bit of our swag, you know, like branded stuff.
Yeah.
And that's all it took.
And, you know, I met him at at um uh besides delhi and handed over a
bag of stuff he was the coolest guy he was like oh this is awesome you know he was like really
pleased he was just happy that something that's a piece of work that he'd done was ignored she
resulted in something but but i i can actually empathize with companies that don't do anything until it goes public because it's almost like analysis paralysis.
Do you know what I mean?
They just,
you know,
they just want to,
well,
we should do this.
We should do this.
No,
we should do something else.
No,
we should,
we should,
we should,
we should sue him.
We should cease and desist him.
We should,
you know,
it was,
it was ridiculous when actually just had to cut across and say,
it's fine.
Yeah, that's why all these things like incident response or whatever,
and everyone says it, but you need to just have playbooks well in advance
when you can sit there with a clear mind without the heat of the intensity
of battle on you and say, okay, what is our stance on X, Y, and Z,
and what's the process process and just really streamline it
and just go through that.
I mean, granted, nothing's going to be the same on every one,
but you at least know what, from a corporate perspective,
what your stance is and who are the people that do need
to get involved and they have a rough idea as to what what their processes are i have a slightly different view on
that go for it i love it when you disagree i'm not a huge fan of playbooks because every situation
is unique um although you know they are but all derivatives of well yeah and also but it's also
what do you define as a playbook as well.
You know, the playbook could have three things, you know,
three sentences in it, or it could be 3,000 words.
You just don't know.
But my thing is that in any given instance,
there is always a single person who is clearly identified as the final decision maker.
And it's that person that has to...
The Ouija board, right?
Sorry?
Ouija board.
Ouija board, yeah.
Yeah.
But that person is actually identified by the group
the moment the incident starts.
So who is best qualified to be the sort of the you know
ultimately accountable for the decisions in this incident and that could be the most junior analyst
on the call you know or it could be the ceo it depends you know yeah exactly the company the uh
the lower the rank no but but if if that analyst is the one who has, you know,
all of the, actually understands all of the detail,
there's no point the CEO saying, well, I'm going to make the decision.
You know, actually, whilst the CEO might be saying, yes,
you go ahead and I'll support whatever you decide,
but actually it's that person that decides what needs to happen.
And I think that is a playbook, isn't it?
That is your method because you're going to have a way of deciding
who that most competent person is and you're going to have agreement
up front from, say, the CEO or the CISO, whoever that, yes,
I will let so-and-so take that responsibility.
I think, again, my problem was that the term playbook
is often misused. And before you know it, you've got a 50-page document trying to outline
every activity and therefore every action that needs to be taken. And that just doesn't work.
Yeah, no, fair point. Fair point. I think there's, you're right, the term is used in,
I was talking more from a broader response perspective,
not necessarily from a SOC perspective where, hey,
if this port is left open and this happens, then what, you know,
then let's use our automation system to do this, that, and the other.
And that's called a playbook as well, but that's completely different.
Yeah, yeah.
Cool, right.
Thank you very much, Jav.
You're welcome.
Rant of the Week.
Right, that was this week's Rant of the Week.
But, by the way.
Sketchy presenters, weak analysis of content,
and consistently average delivery. Like and subscribe now. So Andy
let's move on
shall we
to Billy Big Balls
Thank you
and just a
quick reminder
please do not
assume a gender
of Billy Big Balls
No
We should change this to billy
billy big cojones william grande cojones yeah yeah or something else it begins with c's katie's
colossus
yes we could have billy big balls and Katie's Colossal Cajonas.
Boom, we're there.
Yeah, we'll leave that one on the scratch pad for now, Tom.
We might revisit that.
This is the planning session, right?
Yeah.
So I love the idea that people think we actually have a planning session.
If I read this morning, it was like's like hey andy are you joining us and then it's like yeah i'm just brewing my tea yeah then i get here and like
you're on the phone and jab's like i don't know he's been gone for a while
it's like right let's just go straight into it uh anyway so this is uh slightly different um from the norm
it's a bit more to me it's a bit more of a positive story um and you probably may not be
aware and certainly i know regular listeners will not be aware either but i am a fan of a social
media platform called tiktok um and they have recently introduced a new kindness feature in the app which urges people to be
nicer to each other so the introduce this feature in an attempt to make people be nicer to each
other and it basically includes a prompt that attempts to spot cruel comments and advise people
to reconsider their posts before they're sent. And also it gives the power to video
creators who are able to filter comments, you know, removing any comments that, you know,
may trigger these things. Or they can just, you know, just keep comments stored until they approve
them. So that features, you know, filter all comments. And TikTok basically says an extension
of existing tools that look out for spam and offensive comments. So they can be filtered out
as well. And also allows you to hide specific keywords or any posts that contain specific
keywords. And I think, you know, the reason I like this is that if you think TikTok is a relatively
new platform, you know, when you compare it to the likes of YouTube, to Facebook, to Twitter,
and these guys have just tackled it straight on. You know, we know it's a
platform that, you know, prior to lockdown was predominantly used by the younger generation,
the type of age group that's typically targeted with bullying and harassment and things like that.
And so for them to actually, you know, just do something about it and not worry about, you know,
reducing the usage or, you know, be concerned that it's going to drive people away. Or, you know, just do something about it and not worry about, you know, reducing the usage or,
you know, be concerned that it's going to drive people away. Or, you know, Facebook saying,
oh, you know, they've got too many false positives. You know, they couldn't possibly
manage every comment. Yeah. You know, these are people who can, you know, 11 years ago,
can identify people you might know based on proximity.
Trashes on your camera lens. Yeah, and yeah, they'll say, yeah,
but it's too difficult to sort of filter out comments
that might be offensive.
Yeah, you know, TikTok have done it, you know,
within three years of, you know, going live.
And, you know, I mean, the whole platform, you know,
there's far less advertising, you know,
intrusive advertising like, you know, Snapchat. If you ever use that, you know, there's far less advertising uh that you know intrusive advertising like um
you know snapchat if you ever use that you know you can scroll through videos and like every two
videos you've got to watch a a 10 second video you know before you can continue and stuff like that
um you know the adverts on tiktok don't follow me around like facebook you know if i go to you know
walk down the street and say mcdonald's that smells good you know i don't then get home
and open my phone and see an advert for mcdonald's or you know something like that um and it also
tells me to go to sleep when i've been using it for a while you know you know it's literally you'd
be scrolling through the uh through your timeline and the video pops up and it's like interesting
engaging and then it realized you know that the girl turned around says you, don't you think you've been on for a bit too long?
Time to go to sleep.
And it's actually from TikTok.
I think what you'll find, Andy, is that's when you're hallucinating.
Well, the best thing is when you go to the comments
and everyone's like, hey, this is the fifth time I've seen this today.
It's like, me too, me too.
It's like, yeah, where's my 2am crew at?
But it is, like to me, it's a platform that,
despite all that, you know, the initial press it got,
you know, about being Chinese owned,
and I wouldn't put it past Zuckerberg to be behind a lot of that campaigning.
I'm just saying, you know, potentially he could be.
He has the power to do that.
But, yeah, just the fact that these guys are really taking the lead on this
and trying to make platforms safer for people.
And it's, you know, every year I think there's a committee after, you know,
a teen suicide or someone that was bullied, you know,
with classmates and things like that. So for me it's really good, you know, with classmates and things like that.
So for me, it's really good, you know, they do something like this.
And even Jeff this week, I think, you know,
you got hooked on a lot of wholesome content that came through TikTok
rather than the usual sort of, you know, funny, witty stuff
that we normally send around as, you know, you're like, man,
I just love this wholesome content, you know.
It is. Honestly, it was so good. But thanks for bringing this topic. send around is uh you know you're like man i just love this wholesome content you know it is
honestly it was so good but but uh thanks for bringing this topic up though i think it is
such a positive spin and i think it goes back to stuff that we've kind of discussed in the past is
where you know the technology is there to do good but if you put profits before your social
responsibility or what have you you're never going to see these come through.
I mean, we were talking about this yesterday,
and it's like Google has probably some of the best speech detection
and analysis, context analysis out of all the platforms.
The voice recognition is so good on the Android phones.
In your Gmail or in your search,
it can autocorrect stuff for you. It can find out the context, all that kind of good stuff.
Yet, if you go to YouTube, which is owned by Google, and you go into the comments section,
it's the most vile pit of horrendous malice and nothing really good comes out of it.
And to your point, I mean, they've been around for years, decades,
and TikTok comes along and they're like, hey, you know what?
We want our platform to be a bit nicer.
Let's introduce this feature.
And, you know, for these other companies, it shouldn't be a big thing.
But I was telling Tom about this a bit earlier.
I think one of the problems is that there are bean counters
that are just counting stuff.
Beans?
Yeah, they're counting stuff, and that gives them the valuation
of their product.
So it might be number of active users, but also number of active comments
and what have you.
And this is what gives them leverage to say to advertisers hey
look we can put you in front of this many viewers an audience of 10 million and of which 3 million
are highly engaged they don't say that these are highly engaged because they're like bullies or
trolls or what have you the majority of them um and and this is what how they inflate their their value and self-worth and um i think
for for tiktok to do it is is brave from a financial position but also like how much money
do you actually need where you put all those profits before the well-being of of the actual
people that use the platform.
Yeah.
I mean, even –
I'll start going.
Well, I was going to say, I think YouTube, the best they do,
in the comments section, actually just says,
please keep it civil or, you know, follow community guidelines,
keep it civil.
And that's it.
That's all it says at the top.
Yeah.
There's nothing proactive about that.
Yeah.
I must admit, when I read this story, it did warm my cockles a little
bit, I have to say, because I felt like everything you've just been saying, both of you, it's so
true. Why can we not use all this technology that allows us to connect people to actually try and
induce some positive behaviours rather than just allow space for people to run riot with their
negative behaviors. I think, I won't say the jury is out on TikTok for me because I think, you know,
they keep surprising me with the types of things that they do. And this is probably one of the
biggest ones. And I think it's a massive move.
But they are still a very young company
and I think there's still time.
I mean, Facebook was never as bad as it was today
as it was 10 years ago or whatever.
It's almost like the death of a thousand cuts.
It's just gradually become more and more, you know, poorly.
The culture at Facebook seems to have sort of gradually fallen down
and become just very commercial and therefore, in adverted commas, evil.
Well, all right, in adverted commas, evil, if you will.
But I think it's, you know, it's a really insidious platform.
I don't like it in that sense.
I'm just laughing because you almost implied that Facebook had a culture.
Let's not forget it was founded on the principle of waiting
for the hotness of females at college.
Yeah.
Actually, you know what?
You're right. Well, yes, you know what? You're right.
Well, yes, you're absolutely right,
which should have been a bit of a giveaway in a sense.
But it didn't peddle false narratives deliberately.
It didn't get involved in-
Influencing elections.
Yeah, exactly.
But it's almost like it can't help itself now.
And I think, you know, I think if TikTok carries on like this and actually has some morals in its core values, etc., I think it's going to grow to be a much better platform as a result. Yeah. But, you know, I can also hear the opposition
and what their concerns are going to be,
that this is just another form of censorship.
It's against freedom of speech.
This is how they start.
They call it the kindness feature,
but then they're going to start stifling any voices
that, you know, the Chinese government finds,
you know, distasteful and
there's a history of that so i'll just say a key part of this is that the control is with the uh
the creator to um so that the people that i know jav you were uh in the old days you didn't used to
uh put comments allow comments on a lot of your videos you were no no i don't think yeah whereas here you know
this is by default you know the creator is um you know someone that may get unwanted attention
um you know they can actually control whether they allow these comments or not
so to your point of censorship it is actually still within the creator's control
yeah that's what they want you to believe.
I'm waiting for Quentin Taylor to send me a DM at the end of this saying,
Andy was wrong about this, that, and the other.
He's been doing it for three weeks in a row.
Yeah, exactly.
Tell me how Andy is wrong.
Q, if you send us another correction this week, we'll get a jingle made up just for you.
QA by Q.
Yeah, exactly. QA by Q
or quack for short.
But
picking up on something you said,
Jav, about people complaining about
freedom of speech, the people who
complain the most about freedom of speech
don't understand what freedom of speech
actually means. Let's face it. Freedom of speech means that you're not going to get arrested for
what you say. It doesn't mean that people have to listen to you or have to, you know, have to air
your views on their platform. It just means that your government can't arrest you for what you have to say.
So to say that TikTok or Facebook or whatever,
this is a restriction of my freedom of speech, no, it's not.
Not that I feel strongly about it.
Anyway, thank you very much, Andy, for this week's billy big balls of the week
that was a good one that's good i like that so andy what time is it uh it's that time where we
head over to our sources on probation over at the infosec pa news
wire who have been very busy bringing us the latest and greatest security news from around the globe
industry news
encrypted comms firm denies police cracked user messages Industry News Encrypted comm CEO
Indicted in drug trafficking conspiracy
Industry News
Exchange exploit
Attempts surge sixfold
As ransomware lands
Industry News
OVH data centre
Fire impacts cyber criminals
Aww
Industry News UK nurseries get first official OVH data centre fire impacts cyber criminals. Aww.
Industry news.
UK nurseries get first official cyber attack warning.
Industry news.
Twitter updates 2FA to enable use of multiple security keys.
Industry news.
Dropbox to make password manager feature free for all users.
Security consultant indicted on cyber stalking charges.
Mom charged in deepfake cheerleading. Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true. Huge if true.
So very quickly now over to...
Javad's Weekly Stories.
So what we should just call this is Jav's kind of like deep insight
into some of these things.
Or how about Jav's Weekly Excuse?
Javad weekly excuse? Jav's weekly stories.
So what I really liked was the last story was the mum charged
in the deepfake cheerleading plot.
And that is absolutely true.
That is not a sensational headline.
So she wanted her daughter to be on the cheerleading team
or she had some rivals.
And she used deepfake videos to besmirch.
A smear campaign.
A smear campaign, yes, against some of the other girls.
And she just used one of those phone apps and created these deep fakes of them engaging in bad behaviour or unapproved behaviour.
What?
Yeah.
And photos and videos.
And sent it to the coach saying, you need to kick these girls off the team.
Look at how inappropriate they are.
Oh, my God.
That girl, that woman's daughter,
must be beside herself with shame.
Yeah, yeah.
So there's no evidence found by police
to suggest that the daughter was aware of what her mum did.
I bet she wasn't.
I bet she wasn't.
But they found the images and the evidence on the mum's phone.
God, she didn't even have the sense, mind you,
if she didn't have the sense to not do it in the first place,
she wouldn't have the sense to remove the...
Yeah, yeah.
She's arrested and charged with three misdemeanor counts
of cyber harassment of a child
and three misdemeanor counts of harassment.
That's going to stick.
That's going to hang around for life.
It is. Cyber harassment of a's going to stick. That's going to hang around for life. It is.
Cyber harassment of a child as an adult.
She's 50 years old.
She's like, you know, she should know better by this point.
Well, actually, whilst, you know, she's absolutely right,
she should be charged, she needs help.
It's as much an indictment, again, of America's healthcare
and mental healthcare care services.
Yeah, you're not wrong there.
I mean, come on.
The one I liked, though, was UK nurseries get their first
official cyber attack warning.
And all I could hear was, in a kid's voice,
my first cyber attack.
I'm sure Fisher-Price will come out with a little set,
a play set to reflect that.
Yeah, yeah.
You know, on the topic of deepfakes,
there was a video that was circulating about Biden
a couple of days ago.
Oh, yeah.
Was it not real, though?
It wasn't.
No, that's the thing.
It's been discredited by all these fact-checking sites and everything.
Okay.
Was this when he forgot somebody's name?
I don't know.
He was doing this interview outside,
and there's some microphones just in the thing.
It was just on the lawn of the White House or something.
Yeah.
And it's been disproved as being a thing.
But the thing is that it's been circulated widely amongst the QAnon
and what have you because if you believe in something,
then you can be shown all the evidence in the world that this is fake
or look at the shadows don't match or this is inaccurate.
The thing is that you've already made up your mind
and this just serves, you know, only serves to reinforce that fact.
It's like the moon landing, you know, the fake moon landing stories.
Yes.
You know, the people who think that we, you know.
NASA faked it.
Yeah, the whole thing that NASA faked it.
And the fact is that statistically, or rather I should say mathematically almost,
you could say it's impossible because the sheer volume of people
that would have to be involved to know that it wasn't
and who knew that it was faked, you could never keep that quiet.
Yeah.
And it's also not just NASA that have done it.
You know, you've got the Chinese agencies, the Russian space.
Yeah.
Various people have been to the moon.
Well, we all know anyway that, and let's face it,
the moon landings were faked and they actually hired Stanley Kubrick
to do the filming based on his 2001 footage and all that sort of thing.
But he was such a perfectionist that he insisted on filming on the moon.
Yeah.
Oh, dear.
Well, I thought that was funny.
It was, yeah.
It was funny the first, like, 50 times I heard it, I think.
Mum, he's bullying me!
Don't get mums involved now, don't you dare.
Otherwise, I'll get my mum to start making deep fakes of you
and sending them around.
Yeah, well, that's it.
Mum, get the deep
fake machine out now i was going to say let's put andy in some compromising positions but actually
there's no need for deep fakes well that's i've got a video yeah i've got that video the other
day of uh you know some guy is death snorting coke and it was me and i I was like, hang on a second, I don't remember that. But no, it was a deep fake, fortunately.
It was.
But they are looking more convincing.
It was the part where I stood up with a gun that gave it away.
Yeah.
Do you remember years ago, it's the early days of deep fakes.
Someone sent Gemma Patterson at rant events a deep fake
off your bare bottom, Tom, at the urinal.
No, there was no bare bottom involved.
I remember that.
You could tell the moles were out of place anyway.
What was I going to say?
Oh, God, I can't even remember.
Oh, yes, that's right.
So I did a talk yesterday and I was asked afterwards about, you know,
what do I think is going to happen this year, blah, blah, blah.
And as Jav knows, Andy, you won't be familiar with this, but as Jav knows, as respected
industry commentators, we always get asked every year what are our predictions for next year.
And in December, I said that this year, we're going to see our first deep fake phishing campaign,
video deep fake phishing campaign,
whereby somebody is phished for money by who they think is their boss
on a Zoom call or whatever.
I reckon that's going to happen.
Oh, I thought you were actually going to say, yeah, that's happened
and here's the proof.
No, no, no.
But it's going to happen.
I've got nine months.
I'm only just starting to sweat.
So I've got nine months.
You know, I did see a story about that not too long ago.
There was an audio deepfake.
No, no.
I'll find the link.
I'll put it on it.
But someone's got this open source software you can use
and they actually had Elon Musk on the call.
Oh, dialing to a call.
Well, yeah, it was basically the other person,
but, you know, puppeting what looked like Elon Musk's face.
But it didn't look very good, though, did it?
No, but, you know, it's, you know...
And that was 18 18 months ago something
like that yeah from concept to uh to improvement and execution it's not going to take too long
no absolutely yeah absolutely it's uh it's a bit like there's stuff that they is it on
ancestry.com you can load up your your pictures of your ancestors and then they uh animate them yeah and that's that's and and
actually some of the you know just seeing these these old pictures come to life is amazing enough
but then um there was some sort of well reaction videos which normally i think are just the
cheesiest thing in ever but um there were reaction videos of kids showing their parents pictures
of their parents that they had done.
And their parents were just really overcome with emotion
because they looked so good, you know, and actually seeing them move.
And it was, I think that's where stuff, that's where the technology
can actually be used for good in the sense of, you know,
bringing the past to life and all that sort of stuff.
Incredible stuff.
Yeah.
I mean, I went to Hogwarts, so, you know, that stuff wasn't.
That wasn't deep faked.
No, absolutely not.
Yeah.
Well, it's nothing as great as when they hologrammed, was it,
Tupac at Coachella.
Yes.
Well, I remember the hologram of Liam Neeson
in War of the Worlds, the stage show.
That was good.
Except he kept on shouting into his phone
about having a special set of skills
and honed over a very long period of time
or something like that.
It was very off script.
Anyway, anyway, let's move very quickly.
I'm going to run this next story very quickly because we're running over time.
But let's look at this week's Tweet of the Week.
We always play that one twice.
Tweet of the Week.
So this tweet is from Chris Weisepal or at Weld Pond.
And it's a picture of the inside of a car.
And it says, it's even possible that future Windows stickers on new cars may point out that a vehicle meets cybersecurity standards.
We should rate vehicles for cybersecurity the same way we rate them for crash protection.
I'm presuming he means the physical kind of crash,
not the computer kind of crash there. But this, I think, is really very interesting. If we see
the amount of autonomous vehicles hitting the market and electric vehicles generally,
the increasing amount of computer control systems, drive-by-wire, brake-by-wire,
all that sort of stuff involved in cars, all of which is ultimately, I think, a good thing
because it can improve massively the efficiency and the safety of a vehicle,
but only if it's done on a secure platform in the first place.
But this reminded me of, in the same way that we rate cars
for crash protection, I think it's the NAACP or something like that.
The people who use the crash test dummies and rate cars for how many stars
they get for crash protection and all that sort of thing.
And I think I absolutely agree with Chris on this,
that there should be an equivalent agency for any car that has any kind
or meets a certain threshold of computer integration.
Obviously, you know, cars from 10 years ago may have some very basic
engine management systems that you can only get into if you're physically attacking, etc.
But certainly some of the later stuff is really quite intrusive, I would say, possibly the wrong word, but is integrated as better across the entire car.
We certainly need something that can test that.
And we should do this without security vendors per se.
It should not be an industry-funded effort.
I believe it should be a government and international effort.
Well, I mean, there's so many threat vectors that need to be thought of for this.
I mean, I know that article sort of covers a couple,
but things like, you know, your car reading the signs wrong
because someone's manipulated the road signs.
You know, over-the-air updates.
You know, you can make an entire fleet of cargo disappear
just by editing, you know, the location of a vehicle
and deleting those logs.
You know, malicious code being uploaded, all and deleting those logs um you know malicious code
being uploaded all this kind of stuff uh you know tricking sensors and cameras there's just
so many angles to hack cars um you know when you lay out all these things so i actually agree with
you on this one it definitely can't be a um you know a particular vendor uh you know for example
you know we recently used a third party to carry out diligence for us
and they gave a maturity assessment on, you know,
the company we were looking at acquiring.
And, you know, it's a nice 21-page report
and it says maturity high, maturity high,
maturity moderate, you know, maturity.
Everything apart from where it comes to end point detection
and response and it says maturity low.
And it just so happens that the company we use
is specialists in endpoint detection and response.
And it's like, okay, it kind of discredits a lot
of everything else that's written here.
It's so transparent as well.
Yeah, you know, it just so happens the one thing
that you specialize in just happens to be the one thing that they need a lot of help with.
Yeah.
And that's what I think with these cars.
It would save each manufacturer coming up with their own security teams that specialize in a different standard.
Yeah.
Absolutely.
Because the NACP, whatever.
Sorry, NCAP. NCAP, yeah. Thank you. Yeah. Yeah. Thank, because the NACP, whatever.
Sorry, NCAP.
NCAP, yeah. Thank you.
Yeah.
Thank you for looking that up.
In fact, it could even potentially be a branch of NCAP, right?
In fact, why reinvent the wheel?
Just have that expertise grown within.
But isn't that like having InfoSec reporting to HR?
Yeah.
What? What?
When you say why not have it as a branch of, you know,
isn't it a different discipline?
Yeah.
It's the testing safety of vehicles, right?
They know vehicles.
Yeah, but I mean health and safety know, you know, health and safety.
But, you know, I wouldn't trust them to uh you know sign
off on in the nicest possible way without knowing their credentials i'd be looking for someone with
a bit more uh subject matter expertise and yeah well you can still build that internally you know
but i i take your point yeah then again then you get start to go down the vendor route oh well in
which case let's get somebody with credential oh this company they've got all the credentials oh you know i think there's two sides to this isn't it and and this
is like so i am the cavalry has been trying to i mean vehicles has been one of their focus areas
for for a while so it's vehicles and medical and healthcare yeah yeah whatever yeah so uh they they
have like a kind of like they laid out a five point safety program for vehicles.
And it was kind of like high level, like, you know, safety by design and evidence capture and security updates and isolation of systems, those kinds of things, which is fine.
I think that's one half of the equation.
It's like everyone agrees on what the standards should be.
one half of the equation is like everyone agrees on what the standards should be.
The second part, and to the point you two are just discussing about NCAP, is who's going to assure that the systems have been built to that specification.
And NCAP, they can easily do, they know how to do,
let's ram a car into a wall at this speed and see if the dummy survives.
And that's kind of like easy to do. It's not so easy.
That's easy to do. Are you kidding? Have you seen what's involved?
I said, it's, it's, it's easy to do.
It's easier to do by comparison because you have the physical evidence and
there's less ambiguity when you, when you, um, I, you know, it's like building a wall and stuff.
These disciplines have been around for much longer than the cyber discipline.
The threat vectors are far more limited, to Andy's point as well.
Like, you know, you're going to hit something or something's going to hit you.
Like, you know, you're going to hit something or something's going to hit you.
And you want to make sure that you can preserve the integrity of the cabin to protect the occupants.
That's primarily what it is.
But with the electronic component, the cyber component, there's so many things. It's not just about protecting the individuals in the car.
It's protecting other cars around it it's protecting pedestrians it's protecting the the the actual vehicle itself
and you know gaining assurance on that is difficult we can't even gain proper assurance
of websites today i mean this seems to me to be the cybersecurity equivalent of negging. Negging?
Negging.
You're putting down NCAP.
Well, you're okay, I suppose.
No, no, no.
But I bet you couldn't do this.
I bet you couldn't do anything to do with cybersecurity.
You know, I bet you.
I don't think it's just me.
You just throw things into walls.
No, no, no, no, no, no.
You just throw things into walls.
No, no, no, no, no, no.
You know, it's like you can't even build a reliable,
within cyber, you're not going to get like five security experts to agree on what good assurance looks like
or how you can do a pen test that absolutely guarantees
that website is not going to be broken.
You know, you've just got to reduce the risk.
That's exactly what NCAP do. They try and create as best they can the conditions in which
a normal, in inverted commas, crash would occur. But the fact is there are so many variables in a
crash, even down to the surface of the road. And if there's a tiny little
pothole somewhere or the height of the curb or, you know, how the tires are inflated on that
particular car and if they're in balance or not and all that sort of thing, you know, so they do
what they can and say, here's our rating based upon our testing. And by the way, here's the
testing criteria we use and you know check out our youtube
channel for some funny you know action videos sort of thing that's exactly what you do within a pen
test and no one's negging no one's negging end cap and and uh i i take uh offense to the point
that you're trying to put words into my mouth or Andy's mouth by saying that we are...
I'm just repeating your words back to you.
No, you're not. No, you're not. And you know very well
what you're doing, you weasel mouth.
What they do is easy.
Order! Order! Order!
I will not have this.
Right, I'm going all I****** this one right you can speak to my lawyers
allegedly allegedly anyway anyway that was this week's
i think we need to end very quickly
that's what she said oh dear so we don't have a sticky pickle of the week uh dude we've
got no time we're like no no time i've got a job to go to i'm out of here yeah it's same here i've
got a podcast all right see you liz's anyway thank you very much jav thank you so much uh for coming
out to play today really enjoyed it i was here first and you're welcome.
What?
And Andy, thank you very much, sir.
Stay secure, my friend.
Stay secure.
You've been listening to
the Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it,
please leave your best insults
on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
We almost got away with it as well.
It's all right.
Just bleep it out.
Bleep out the name.
Well, that means I've got to download the bleep sound effect again.
Why isn't that the number one button on your soundboard?
You're right.
You're right.
Because he doesn't actually edit anything.