The Host Unknown Podcast - Episode 50 - The Midlife Crisis Episode
Episode Date: April 9, 2021

This week in Infosec (Liberated from the "today in infosec" twitter account):

4th April 1977: Ron Rivest first introduced Alice and Bob in the paper "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
https://twitter.com/todayininfosec/status/1246652917605527554
http://web.mit.edu/jemorris/humor/alice-and-bob
https://xkcd.com/177/
Javvad explains it better: https://en.wikipedia.org/wiki/Alice_and_Bob

8th April 2014: Extended support for Microsoft Windows XP Service Pack 3 ended, nearly 6 years after SP3's release and 12 1/2 years after general availability of Windows XP.
https://twitter.com/todayininfosec/status/1247920644030738433

Rant of the Week

The UK Cyber Security Council launches itself by pointing world+dog to domain it doesn't own

The UK Cyber Security Council announced itself to the public realm last week by touting a domain it doesn't own. Helpfully, internet jokesters then bought up variations on the official address.

A brainchild of the Department for Digital, Culture, Media and Sport, the UK Cyber Security Council is billed by the government as "the regulatory body, and voice, for UK cybersecurity education, training, and skills." As part of that it "drives progress towards meeting the key challenges the profession faces."

All very worthy and important. When British infosec folk noticed that the official press release mentioned an email address for ukcybersecurity[.]org[.]uk, however, everything started unraveling.

Why? Because the UK Cyber Security Council didn't own ukcybersecurity[.]org[.]uk. Nobody did – until Adrian Kennard bought it and pointed it at his personal blog, where he dispensed some gentle advice to the new org.

"One of the tips I can give you when it comes to cybersecurity is that you should be careful to ensure that contact details you publish actually belong to you," wrote Kennard, who runs a UK ISP, adding: "It took a while to stop laughing at the irony first, but now, yes, the UK Cyber Security Council are welcome to ukcybersecurity.org.uk. They can email me at press@ukcybersecurity.org.uk for more information (be nice)."
https://www.theregister.com/2021/04/06/uk_cybersecurity_council_domain_fail_launch/

Billy Big Balls of the Week

This Tech Exec Had Her Kids Sign a User Agreement Before She Got Them Their First Phone

When it came to tech and their own kids, both Steve Jobs and Bill Gates were famously strict about how much screen time they allowed. Jobs didn't let his kids use the iPad he helped invent. Gates banned his kids from getting phones until they were 14.

Just like Gates and Jobs, Jennifer Zhu Scott, a Hong Kong-based tech executive and TED speaker focused on privacy issues, was concerned about the dangers of giving her two children, aged 10 and 11, smartphones, given her deep understanding of the power and perils of technology. She drew on her professional experience and made them sign a three-page, 15-point "user agreement" for their phones. They had to agree to share their passwords with her, ask for permission before signing up for social media accounts, be open about harassment or strange phone calls or messages, and answer any questions about how they were using their phones.

Part of the agreement is a crash course in internet privacy. It tells her daughters what we adults so often forget: that everything we put online is likely to be read, used, and sold in ways that we can't begin to imagine.

Etiquette and overuse are also covered by the agreement. It bans phone use after 8 p.m. and requires the girls put their phones down while socializing and walking. It also contains a strong warning about the long life of potentially embarrassing photos and posts shared online. A copy of the agreement is in the show notes.
https://www.inc.com/jessica-stillman/this-tech-exec-had-her-kids-sign-a-user-agreement-before-she-got-them-their-first-phone.html#:~:text=Try%20a%20'user%20agreement',power%20and%20perils%20of%20technology.
Link to the agreement: https://drive.google.com/file/d/1Yc3Np00vEgAIvNV7VzEIHoxbWqqC0Oon/view

Industry News

Microsoft Suffers Second Outage in Two Weeks
Data of Half a Billion Facebook Users Leaked
Australia Considers Social Media ID Requirement
Florida School District Held to Impossibly High Ransom
Cybersecurity Industry Must Find Solutions for Third-Party Data Security
Chemical Weapon Shopping Sends Dark Web User to Prison
Italian Arrested After Allegedly Paying Hitman to Murder Ex-Girlfriend
College Track Coach Accused of Cyberstalking
Wormable Netflix Malware Spreads Via WhatsApp Messages

Tweet of the Week

https://www.teiss.co.uk/ziggy-ransomware-admin-to-refund-victims/

The administrators of Ziggy ransomware have reportedly decided to lead an honest life and refund the victims of their ransomware attacks. This historic announcement comes a couple of months after the hacker group decided to shut shop and release decryption keys for free.

As admitted by the ransomware's operators in statements given to the likes of Bleeping Computer and Threatpost, the Ziggy ransomware gang decided to shut shop in February following a string of law enforcement successes against well-established ransomware gangs, notably Emotet and NetWalker. Gripped by the fear of being next, the ransomware gang quickly released an SQL file with 922 decryption keys that could be used by the victims to unlock their files.
https://twitter.com/M_Shahpasandi/status/1376116414608736258?s=20

Bonus Tweet of the Week

https://twitter.com/yarden_shafir/status/1380147188416778245

Come on! Like and bloody well subscribe!
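Kennard's advice in the Rant of the Week ("ensure that contact details you publish actually belong to you") is something you can check mechanically before a release goes out. The script below is an added example, not code from the podcast, the Council or The Register: it pulls every host name out of the e-mail addresses and URLs in a draft, compares them against an allowlist of domains the organisation actually controls, and flags the rest. The draft text, the allowlist and the council's own domain name are constructed for the example, not taken from the real press release.

```python
import re

# Constructed sample: the shape of a press release that names a contact
# address. The ukcybersecurity.org.uk domain is the one from the story;
# the other domain and the sentence are made up for this example.
SAMPLE_RELEASE = """
For media enquiries contact press@ukcybersecurity.org.uk or visit
https://www.ukcybersecuritycouncil.org.uk/about for more details.
Follow #UKCSC for updates.
"""

# Hypothetical allowlist: the domains the publishing organisation really
# owns. In practice this comes from your registrar or DNS inventory, not a
# hard-coded set.
OWNED_DOMAINS = {"ukcybersecuritycouncil.org.uk"}

# Host part of an e-mail address and of an http(s) URL respectively.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)
URL_RE = re.compile(r"https?://([\w-]+(?:\.[\w-]+)+)", re.I)


def extract_domains(text):
    """Return the set of host names referenced by e-mail addresses and URLs."""
    found = set()
    for rx in (EMAIL_RE, URL_RE):
        for m in rx.finditer(text):
            found.add(m.group(1).lower().rstrip("."))
    return found


def is_owned(host, owned):
    """True if host equals an owned domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in owned)


def unowned_references(text, owned=OWNED_DOMAINS):
    """Hosts referenced in text that are not under an owned domain.

    Each one is a contact detail you are telling the world to use but do
    not control: anyone can register it and receive the mail or traffic.
    """
    return sorted(h for h in extract_domains(text) if not is_owned(h, owned))


if __name__ == "__main__":
    for host in unowned_references(SAMPLE_RELEASE):
        print(f"WARNING: {host} is referenced but not in the owned-domain list")
```

Run it over the draft of any announcement; a non-empty result means either the allowlist is incomplete or, as here, the release names a domain nobody on your side registered. Hashtags are not hosts, so #UKCSC is ignored (the podcast's point about that tag colliding with another group's is a separate problem this check does not cover).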
Transcript
And his not being in the...
I was in the room.
You were in the room.
Were you getting told off for your language again?
I was going to say, this is what it's going to be like when you die, Tom.
You'll just be looking in on us, listening to us, taking the piss out of you.
Shouting obscenities.
No, we're not like you.
We don't want to get told off for shouting obscenities.
What, we had a complaint, did we?
To you.
To me?
Who was that from? What did I do?
Yeah, your mum's not happy with you, Tom.
Oh, what did I do?
Mrs Langford, we're just as disappointed in Tom as you are.
What did I do?
You're listening to the host unknown podcast
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us on to Host Unknown's unofficial half century, episode 50, 52, 53, 51, whatever, it doesn't matter. And he still hasn't got round to totting up the numbers just yet.
But so I have the numbers.
Okay. Do you know what I noticed? Is that episode one is missing.
Yes, because we did that on a different platform many, many years ago.
Right, and we couldn't be arsed to transfer it across, no?
I could try, I don't know.
No, it's fine.
I guess we should.
We can put it in the Lost Archives with the other four that have gone through.
Yeah.
And we're waiting for a death in the family before episode two, of course.
Correct, yeah.
Yes, yes, so blimey.
We've been at this for at least a full year now.
That's incredible.
Absolutely incredible.
Blimey.
Anyway, so Andy, how are you?
All good.
Can't complain.
I actually went for my second batch of the vaccine already.
Second?
Yeah.
That was great.
You've been double dipped already.
I got double dipped.
I had a shot in each thigh and my thighs are killing me.
Oh!
Oh!
Very good.
No, it's not good.
Don't encourage him, Tom.
I am so going to steal that.
I'm so going to steal that.
Jav, please tell me you got a better joke than that one.
It's just completely ripped out my soul today.
I was feeling in a good mood.
I didn't know that's where they put the jab these days.
Well, yeah.
Andy's been subject to a lot of experiments over the years.
Mostly with sugar.
Yeah.
I'm still on those experiments, what are you talking about?
That's right.
How much more can this man take?
Push it up to 11.
It reminds me, there's this old movie from the 80s.
Old?
what's that comedian name?
I can't remember, I can picture him.
But he's basically in the US military and he's their guinea pig
to test out all the gases and biological warfare, basically.
And he ends up developing an immunity to it.
And so it's a comedy.
I'll have to look it up.
But that's how I think Andy's going to be.
It's like doctors studying diabetes
and the effect of sugar on the body
will look at Andy as a case study
in years to come and say,
he actually developed an immunity to diabetes.
An immunity to sugar?
Yeah.
Wouldn't that be nice?
Yeah, it would.
It would.
For us mere mortals.
Oh, dear.
Well, for me, this week is podcast week, like something crazy.
So obviously got this one.
I'm recording a podcast for the company,
and then some other fellow wants me to do a podcast with him,
a colleague in the U.S.
And then I'm going on to a Friends podcast next week as well,
which I'm preparing for.
So it's like just a podcast 10 days.
It's going crazy.
I like how you make out like you've got so many friends.
Well, I was going to say.
When I say friends, you know, they're people whose names
and addresses or, you know, email addresses are in my iPhone, you know.
Email addresses, right.
Yeah.
Yeah, I tell you what, that Have I Been Pwned database is great.
Yeah.
I have millions of friends around the world.
Anyway, what have we got up for you today?
So This Week in InfoSec takes us back to the 60s. A 60s swinging movie, it says. Blimey. Rant of the Week has got some domain name shenanigans in it. Billy Big Balls, well, in this case it's Karen's Colossal Cojones, in the form of a techno tiger mum.
Industry News brings us the latest and greatest InfoSec news from around the globe, and Tweet of the Week asks if you've paid ransomware, because you might be entitled to a refund. Ransomers hate this one trick.
So, yeah. And also, apparently hire cars are no good for short people, and that is all we have to say about little people on this show.
So yes, I think we've got quite the show ahead of us.
I think Andy has outdone himself with the stories this week.
You know what, Tom? You're absolutely right.
Yes, I am. Let's move straight on, in that case, into...
This week in InfoSec.
InfoSec.
So it's that part of the show where we take a stroll down InfoSec memory lane to bring you content liberated from the Today in InfoSec Twitter account.
So this week, let me bring up the most well-known names of the cybersecurity industry, from a time before it was even known as cyber security. So taking us back to the 4th of April 1977, a meagre 44 years ago,
Ron Rivest first introduced Alice and Bob in a paper, A Method for Obtaining Digital Signatures and Public Key Cryptosystems.
Wow.
You are reading that really carefully.
I am because it's a real tongue twister for me on this one.
Do you know what it is?
There's something about cryptography that I've never liked.
I've always struggled with it.
I always hated the idea of it. You know, whenever you do certifications they always want to go through it. That's my weakness, but I just absolutely hate everything about it.
So with this, apart from the privacy aspect, there's so much infosec history in this one. And I will firstly say that, through my own Wikipedia cross-referencing, the paper referenced in this tweet was actually released in February the following year.
And the paper from April 77 was actually called On Digital Signatures and Public Key Cryptosystems.
So I just wanted to state that to save QA from Q on that one.
And show that you've actually put some effort in.
And show that I've put some effort into this one.
But anyway, you know, it was 10 months between friends.
So the origin stories of so many cryptography and engineering lessons are the Alice and Bob characters that were invented by Ron Rivest, Adi Shamir, and Leonard Adleman.
Those initials sound familiar.
Well, I was about to say, you know,
can you think of anything else that may still be running in these days
that those initials were an origin story for?
Soz.
Soz.
So the name...
Smashing Security.
Well, we're getting closer.
So these people were the RSA, or still are the RSA, in RSA Security.
And, of course, the RSA refers to the public key encryption technology
first developed by the RSA Data Security Inc. back in 1982.
So the abbreviations stand for Rivest, Shamir, and Adleman,
you know, the inventors of the technique.
And the idea for the first RSA conference was conceived in 1991.
And that conference had just one panel, and that panel was called DES and DSS, Standards
of Choice.
And so that focused on why attendees should not adopt DSS, which was a standard that was expected to challenge RSA's status as the de facto standard for digital signatures.
But taking it back to Alice and Bob, Alice and Bob were the names given to the fictitious characters used to explain how the RSA encryption method worked,
with the thinking being that using names instead of letters like A and B would make a complex subject far easier to grasp. But they're now so commonly used that most educators don't even give a second thought to where they came from. So for someone like me who needs to create an image in my head when understanding something, cryptography is hard. When I first did my CISP, as I say, the encryption...
You did your what?
CI double SP, I was going to say.
Yes, yes. Correctly, shall we? Yeah, we don't want to spread misinformation.
You know, that was generally the only domain that I was worried about. I absolutely, you know, I have no issues with telling you what type of fire extinguishers should theoretically be placed in, what fire suppression system, inert gas ratios.
A candela of lighting in an underground garage.
Exactly. None of that bothers me whatsoever.
But over the years, the Alice and Bob storyline has become more complicated, something on par with a high-tech reality show. Not only are Alice and Bob trying to share a secret, but Carol and Dave want in on it, and Eve is trying to eavesdrop.
So obviously a whole cast of characters being introduced to explain everything from micropayments to SSL and quantum cryptography. And some people suspected the name actually stemmed from the swinging 60s movie Bob & Carol & Ted & Alice. However, in a 2005 Network World interview, Rivest said that he came up with Alice and Bob to be able to use A and B for notation, and that by having one male and one female the pronouns he and she could be used in descriptions. I'm not entirely sure I buy that, but it is a plausible explanation, and Rivest says that it's possible the Alice name came to mind because it's something out of an Alice in Wonderland movie, which he's a big fan of.
So there is additional links in the show notes because this is a really complex topic.
And there's a link in the show notes to John Gordon, who's a data security expert. He did a 1984 after-dinner speech at a technology seminar in Switzerland, which I highly recommend
you read.
But as a sort of too-long-didn't-read, he basically sums it up as saying: Alice has never met Bob. She has no idea what his voice sounds like. All in all, Alice has a whole bunch of problems. And there's one other thing to say: Alice doesn't trust Bob. Now, most people in Alice's position would give up, but not Alice. She has courage which can only be described as awesome. Against all odds, over a noisy telephone line tapped by the tax authorities and the secret police, Alice will happily attempt with someone she doesn't trust, whom she can't hear clearly, and who is probably someone else, to fiddle her tax return and to organise a coup d'état, while at the same time minimizing the cost of the phone call.
So Alice and Bob, and Bob & Carol & Ted & Alice, RSA and the RSA conferences have had a massive butterfly effect in our industry, all because three guys wrote a paper 44 years ago this week.
You know what it means? We have to write a paper ourselves. In 44 years' time maybe this podcast will be held in high esteem. Or maybe not.
Conferences, yeah. So there's TAM conferences. Where do I get the TAM from?
The Malik.
So I just want, in the show notes, I've put,
you talk about how cryptography is difficult.
I actually wrote a blog about this a while ago.
Of course you did.
There's two images I created to explain it.
And if I don't say so myself, because neither of you are going to pat me on the back, these explain it really well. It's like using magic to explain how symmetric and asymmetric cryptography work.
Yes, remember that.
Yeah, so you can educate yourself in there. So, you know, I can also get some technical creds, let's say.
You mean hits to your website?
No, no, I've just pasted the images into the show notes.
Well, I've also put a link into the Wikipedia as well
because did you know, maybe you did,
that there's a whole host of other characters.
Yes.
You've obviously got the Cs.
You know, it's Carol, Carlos or Charlie, Chuck, Craig, or Dan, Dave or David.
But you've also got Erin, Eve, Faith, Frank, Grace, Heidi, Ivan, Judy, Mallory, Michael or Mike, Niaj, I don't know where that came from,
Olivia, Oscar, Peggy or Pat,
Rupert, Sybil, Trent or Ted,
Trudy, Victor or Vanna,
Walter and Wendy.
You can already tell the ethnicity
of the people that created these names,
can't you?
Yes.
I mean, this is like the...
This is like the cyber security cinematic universe
and all the superheroes that are within it.
Well, there is one.
So Niaj, which I did stumble on, is used as an alternative to the eavesdropper Eve in several South Asian nations.
Okay.
So the hard to pronounce name is the bad guy, I get it.
Yeah, exactly.
Heidi, a mischievous designer for cryptographic standards,
but rarely used.
Grace, a government representative.
I love it.
Okay.
I love it.
We'll buy the comics.
We'll get it.
Mallory, a malicious attacker associated with Trudy, an intruder.
Nice.
Oh, dear.
I mean, I bet they would never have guessed that it spawned a whole sort of
subculture of names.
Very good.
Do you have another one for us?
This one was really just a quick one.
This is just only seven years ago on the 8th of April 2014.
Extended support for Microsoft Windows XP Service Pack 3 ended,
which is nearly six years after the SP3's release
and basically 12 and a half years after the general availability of Windows XP.
And this was interesting for me because I don't know about you guys,
but I still occasionally come across Windows XP machines in use in a production manner.
So XP was, I think, Microsoft's best operating system.
It just did everything for everybody and did it well and was stable.
And then they started to bugger about with the interface
and bugger about with everything else.
But it was all things for all people.
I think it was a fantastic operating system.
Is that the last Windows machine you ever used?
Yep.
He's not forgot XP. He's not seen Windows ever since then.
Actually, no, I did. I built a water-cooled machine many years ago and I did put Vista on it, and it was horrible.
Oh.
After XP it was just horrible. I think Microsoft don't talk about Vista though, do they?
No.
Well, Vista has been consigned into the same bin as Windows ME.
Oh, ME.
God, that was awful.
See, I'll always have a soft spot for NT4.
NT4 Service Pack 6A.
Yeah.
The most stable production server you can get.
You're just showing your age, Windows NT 3.
Let alone, in fact, my first machine was MS-DOS 2, I think it was.
Good times.
Was it 2 or maybe 3?
I can't remember.
3.3 rings a bell.
But, yeah, and then upgraded into Windows 3.1.
That's right. And then Windows for Workgroups, which added an extra floppy and not much else, because nobody had a network then.
Oh, dear. Excellent. Thank you very much, Andy, for this week's...
This Week in InfoSec.
So let's move swiftly on, shall we?
And I think, well, I think this one's me.
And I think we're going to go straight on to... Listen up!
Rant of the week.
It's time for Motherf***ing Rage.
Now, as always, just before the show,
we always decide who gets what stories.
And the stories that I tend to get tend to be the ones that I can understand, which kind of cuts it down somewhat.
But this one definitely, this one just comes down to sheer bloody common sense and semi-decent project management. But the UK Cyber Security Council launched itself this week, but managed to launch itself with a huge, huge mistake, which could open itself up to huge amounts of malevolent behaviour, ridicule, and just a massive loss of trust in what should be applauded as a good initiative, a new cybersecurity initiative.
So what they did, the UK Cyber Security Council, they announced itself last week.
Very, very good.
It's a brainchild of the Department for Digital, Culture, Media and Sport,
a government department that even Jav and I have had something to do with,
although we got a bit busy and couldn't be bothered after that.
But the UK Cyber Security Council is billed by the UK government as the regulatory body and voice for UK cyber security education, training and skills.
And as part of that, it drives progress towards meeting the key challenges the profession faces.
Great. This is putting some, you know, some government clout, some government money and hopefully some, you know, potentially some regulation, be it formal or informal,
if such a thing exists, but you know what I mean, making this all very worthy and important.
The official press release mentioned an email for ukcybersecurity.org.uk. It was unfortunately at that point that it all started to unravel, because the UK Cyber Security Council didn't own the domain ukcybersecurity.org.uk that their press release had made reference to and had email addresses at. In fact, nobody owned it, and in fact I'm quite surprised that that hadn't already been registered. But nobody owned it until, you know, all-round good egg Adrian Kennard bought it, or purchased it, I should say, and pointed it at his own personal blog, where he dispensed some, in inverted commas, gentle advice to the new organisation.
"One of the tips I can give you," he says, "when it comes to cybersecurity, is that you should be careful to ensure that contact details you publish actually belong to you," wrote Kennard.
And Kennard should know because he runs a UK ISP.
And he goes on to say, it took a while to stop laughing at the irony first.
But now, yes, the UK Cybersecurity Council are welcome to ukcybersecurity.org.uk.
They can email me at press at ukcybersecurity.org.uk,
which was also the email address they published in their media release,
for more information, brackets, be nice.
You know, there's some person in that office that's sitting there looking at their to-do list and they realise that, you know,
there's a record-scratching moment in the background.
Yeah.
Or like me the other day looking at my handwritten to-do list thinking,
what the – what was that?
What did I write then?
What was even funnier, I think, is while they were trying to sort it out,
they tweeted, I think they tweeted or someone tweeted out on their behalf
saying, for these matters, please use the hashtag UKCSC.
And what they didn't realise is that hashtag is well used
by the UK Cannabis Social Club.
So it just goes from bad to worse.
I mean, it's such a shame because, you know...
Much needed org.
It's a much needed org.
I think on the whole, the UK government has been doing,
and you know my views on the current UK government,
or should I say raft of politicians,
but UK government has on the whole been doing quite a good job.
The National Cyber Security Centre is stepping up, putting out some really good advice.
The DCMS are building IoT regulations for the sale and purchase of IoT devices in the UK.
There's this, the UK Cybersecurity Organization.
These are good things.
Oh, yeah, they also established the Cyber Essentials thing a few years back,
which has many flaws, but it actually moves the needle
in the right direction for all companies.
And then something like this happens, and it's not even,
oh, well, we unfortunately configured the back end to use a beta version of a more advanced cryptographic technique.
No, we forgot to register the damn domain name, for goodness sake.
This is not a complex mistake that comes about as a result of very complicated systems. This is table stakes stuff. You know, this is not surprising. This is a Rant of the Week. But hopefully they've got it all sorted out now and they can actually put this behind them.
The intern, obviously.
Hopefully whoever put this together will also, after firing the intern, be able to get a keynote at this year's RSA Conference to talk about how it was the intern's fault and how they fired it. Am I getting this confused with someone else?
Yeah.
Anyway, I think you're being very, very optimistic, Tom. I've been doing some research on the internet, and...
Oh.
So there's been people tweeting about this as well. So friend of the show Gabe, he said, 16-ish professional bodies and talking heads and committees, they
wrote a bunch of papers white papers last year but I haven't seen them come out.
He goes on to say, when I was with ISSA UK, we evaluated them, but found them too difficult to get involved.
We had over 20 hands on contributors.
Wow.
So, yeah, I think it's.
Whatever happened to the ISSA UK?
I don't know.
I haven't been involved with them for a while.
It seems to have gone a bit quiet recently.
But now we're really mixing up rants.
Yeah.
But, yeah, I think...
Whatever happened to rent?
That was a good event.
Oh, dear.
Okay.
So, could I just add, back in 2001, I think it was, towards my end of time at a former employer, a big press release went out that they were divesting one of their businesses, or, you know, spinning out one of the businesses, and they basically published it to us internally with the name of that new company. And back then, I literally just looked up, went to UK2.net, whatever, and just checked to see if that domain name was available, and it was, like, the UK one was.
The US one wasn't.
And this was the problem with being a US-based company
is that everything was very US-focused.
And so this press release went out and I literally, I locked it, and I just registered the UK .co.uk domain, like, straight away. And it was funny because, you know, back then it was actually getting quite a bit of traffic, just like organic traffic, people going to the .co.uk one. And over the course of, like, the next, it's probably two years, first of all I did nothing with it. I was getting emails from, ironically, people that I knew within the company, because they didn't know it was me that registered. So I was actually getting emails from people asking me if I'd be willing to sell it. And I was like, oh, I can't sell it, because that's like domain squatting, and it's like, you know, withholding something for money. And that's how they're going to get me.
And so I ended up switching it to an advertising company at the time, just paid for impressions.
So I put this big advert on the page, moved it to a mate's name as well.
So I was getting all this.
We're talking about pennies for ad impressions that were going on.
And it was all good and literally forgot about it for like two years.
And then got a phone call from my friend that I hadn't spoken to for a while.
He was very distressed.
He had received a legal letter from Equifax's legal department,
accusing him of cyber squatting.
And they were going to sue him unless he turned over the domain immediately. And obviously he was like, dude, this is your domain, you deal with it. So then I had to just, like, create an entirely fake name and all these fake contact details. I used to use, like, this fax, you know, pay-to-fax service in Fulham, I can't remember the name of the road, but there's like some little newsagent. So I'd use that guy's details for how they could contact me by fax, just because I was, like, absolutely paranoid that they were going to sue me, and I literally turned over that domain with no questions.
This is like I'm in Breaking Bad, honestly.
But honestly, the lengths you went to and everything,
and you folded so quickly, man.
You didn't even fold.
You were just like completely uprooted and like, yeah, whatever, mate, whatever.
You've been waiting for that opportunity to say Andy has folded like a pack of cards.
20 years ago, this was.
A leopard never changes its...
That is fascinating, though. That's great. However, if we want to talk about domain registration, it would be remiss of us not to mention our good friend Khalil, who's Senahoy on Twitter.
Oh, that.
Whose pinned tweet to this day is,
coffee shop, people next to me are loud and rude.
They just found the perfect name for their new business.
I just bought the domain name.
And to this day, he maintains that that's his tweet
and that really happened despite that,
those very words being on Reddit two years prior.
And we do know, if there's one thing we do know about him
is that he likes to recycle content from Reddit.
Yeah.
Now, Khalil, friends of the show, we know you listen.
If you want to set the record straight, please come on.
Please send us an email, preferably not via your solicitors.
Anyway, that was this week's Rant of the Week.
Very, very good.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
Like and subscribe now.
Indeed, you can even sponsor us.
Go to our website for details.
Hostunknown.tv.
Andy, I think it's time for this week's...
Do not assume gender.
No, not at all. In fact, this week's is Karen's Colossal Cojones.
Karen with a C.
Karen with a C.
Yeah.
So this is a story about a tech exec who had her kids sign a user agreement
before she got them their first phones.
And I guess this is one of those signs of the times. So what we do know is that when it came to tech and their own kids, both Steve Jobs and Bill Gates were famously strict about how much screen time they allowed their kids to have. So Jobs didn't let his kids have an iPad, and Gates banned his kids from getting phones until they were 14 years old, which, you know, I don't have a 14-year-old kid yet. But I do, I can appreciate how these phones are, I guess, the lifeline for kids nowadays. When they go to schools, it seems to be more and more normal. You see kids of at least secondary school age, almost everyone's got a phone.
Yeah, I think 14's not late, but it's certainly not early.
I mean, it's not late, late.
I think my kids had a regular phone at about 10,
a little sort of non-smartphone.
And then when they went to secondary school,
they got a smartphone.
But that was at like 11, 12.
But yeah, it's...
Yeah, Jav, what about your daughter?
Yeah, I think she got a phone, a smartphone, like about 14.
I think 13 or 14 is probably when she got her own one.
Yeah, you're up to secondary school.
He's like four and he's forever got a phone or device in his hand.
We don't know where he gets them from.
He's just like, one minute you're sitting there,
the next minute your phone's gone and he's unlocked it
and he's downloading some games onto it.
It's truly bizarre.
Yeah, yeah.
It wasn't me.
It was the little one, love.
I didn't download those photos.
He thought Tinder was a game.
He used daddy's profile picture to bypass the validators.
Right. Yeah. So this. So just like Gates and Jobs before her, Jennifer Zhu Scott is a Hong Kong-based tech exec and a TED speaker who focuses on privacy issues, and
she was obviously concerned about, you know, the, I guess all parents would go through, the dangers
of giving her two children, aged 10 and 11, smartphones, because obviously she understands,
you know, the positives and the negatives of, you know, the power that comes with these. So she drew on her own professional experience,
and she made them sign a three-page 15-point user agreement
in order to receive their phones.
And this is, I know, Tom, you said this is sort of Tiger Mum vibes,
you know, when you saw the headline for this one.
So within it, you know, there are things like, you know,
they had to agree to share their passwords with her,
ask for permission before signing up for social media accounts.
They had to be open about any harassment or strange phone calls
or weird messages they were receiving.
And they had to answer any questions that she had about how they were using their phones.
So this is sort of part, you know, maintaining control, but also, you know, her intent is to give them a sort of crash course in internet privacy. And, you know, she tells her daughters that,
you know, everything we put online is basically there forever. You know, it's there, available for
anyone to be read, used, sold in ways
that even we would struggle to understand, let alone a 10-, 11-year-old.
So there's some other good behaviours that I guess go with this etiquette
and overuse, banning the use of phones after 8pm.
I think I could probably benefit with not using my phone
after maybe 2 in the morning or something like that. And yeah, that three hours on TikTok is just,
I don't know, it's killing my day. It's killing, yeah. It's, um, and it also contains, um, you know,
information about the, you know, fallout from the, you know, sharing, you know, the lifelong fallout of sharing embarrassing
photos. Um, and so I've included a copy of the agreement in the show notes. But with this, I know,
you know, there is some criticism for tiger mum vibes, but to me, you know, she's really trying to
educate, um, in a way. And I guess the kids are motivated, they want phones, and, you know, it
teaches them what we all do, which is just ignore what you're signing.
Just click straight through.
But, you know, I think in good Host Unknown style, I obviously read the headline and made my own mind up and gave my opinion about it.
But actually, frankly, it's whilst when you see the headline says, you know, makes a kid sign an agreement, blah, blah, blah.
It sounds very sort of Machiavellian. But when you read into it, as you say, it's talking about the dangers of it.
And the things you highlighted there are not unreasonable things to expect
from any normally socialised person, let alone kids, right?
You know, don't use your phone while you're walking or,
you know, off, you know, talking to someone, or at the dinner table or whatever. That should be,
that's fairly normal stuff, isn't it? You know, so, um, yeah, you know, I think, I think it's good that
we've got a link to the agreement in the show notes, because I think there's many parents
that probably, uh, and kids that would benefit from this. No, you're right. You're right.
I think it's actually good parenting.
It's getting the points across in a way, like Andy said,
the kids are incentivized at this point to listen and pay attention
and hopefully set up boundaries and barriers or enable a bit of self-control.
But I don't know.
We adults are really struggling with that,
so I don't fully blame kids for being on their phone all hours.
No, no, not at all, because, you know, let's face it,
we all are as well at the end of the day.
But I remember staying at a friend's house in Boston in 2010,
and his then 12-year-old daughter, she had one of the, you know,
an early smartphone. I think it was one of the, it was like 2010, that would have made it an iPhone, the first iPhone, the iPhone 3, I can't
remember. But, um, my friend showed me the contract that they'd drawn up, and it was just, you know, one
page and it was 12 points or something, but it had literally things exactly like this, you know, like,
you know, the phone, you know, after 9 p.m. the phone needs to
stay in the kitchen, can't go overnight in her bedroom, you know, that she needs to share her
passwords, you know, the agreement that any concerning activity is reported to them, all
that sort of thing. And I thought at the time that actually that's quite a good idea and maybe I'll
do that with my kids, and then completely neglected to do so. So, um, I guess my
only, um, and I know, uh, you know, the same thing though is you have to share your passwords,
because that straight away, you know, sort of tells me it's okay to share their passwords with certain
people. Um, yeah, you know, there's ways around that. I think certainly, you know, various password sharing,
yeah, uh, systems. You know, I use LastPass. I think I've said that before.
And we've got a family account.
And I know that as an admin of the account,
I can, if I need to, open up the kids' accounts,
anybody who's under the age of 18.
But it would have to be something I would actively have to do,
and there would need to be a reason for it, as it were.
But you're right.
I think sharing your password in the traditional sense, hey, write it down on a Post-it note and give it to me and make sure I know it, it's not, that's not great. But you
can understand where it comes from. Yeah, after this is a trade-off, I guess. You know, you can't have a
perfect solution for everything. Yeah, in the same way that, you know, well, their emails and their
messages should be private, but as a parent of a 13-year-old
girl, 13-year-old boy actually, sometimes you really need to see what those messages are, because,
yeah, yeah, you're worried about the welfare of that child. Yeah, yeah. I mean, you're the parent. It's like,
you know, a 10-year-old might still need assistance at times in getting dressed or having a shower
or something like that. I mean, the point is that the parent still has access to them to a far greater degree. It's not
to say that, oh, now the child thinks that it's normal for any adult to, yeah, to see them, um,
you know, in a state of undress or anything. So I think there is a different issue with parents,
and it's a balancing act at the end of the day, you know, to balance that, because you want them to grow up with that sort of feeling of self-worth and autonomy
and that, you know, what's theirs is theirs and they don't have to share things if they don't want to
and all that sort of stuff. But as a parent, so yeah, I have to say, I'd definitely, um,
definitely give a Karen's Colossal Cojones award to this one.
I do disagree, though, that there's, you know,
I think there's a bit too much.
I mean, independence is one thing,
but I think the way technology is designed,
it's just too individualistic.
And, you know, I think that technology should be designed
with more of a family or a sharing environment in mind
if that's something that people choose to go for
Um, yeah, yeah, Apple have those, that family sharing stuff, and the fact that you can control devices
and all that sort of stuff. Check it out, kids. Mr. Apple. No, I just mean just generally, like it's not
just phones, it's computers, it's tablets, it's everything. It's just the whole
way everything goes.
I mean, if you think back to it, like when you had the home phone as the primary phone in the house,
oh dear God, it would just be there. It would just be there, it would ring, and whoever was nearest
would pick it up, or that you'd argue with someone, you pick it up, and you pick it up.
And, you know, it's in the hallway, which is always the coldest room in the house anyway, and you
wanted privacy, so you'd have to drag it as far as you could.
You might even have like the rotary, you know, part sitting on the floor
and you're pulling the cord even further into a room
where you can try and close the door.
My rotary phone was attached to the wall.
And I was always jealous of these American shows that I saw
where they had those massive cords that they could just walk around with.
You had this little half a metre one.
It's like, why have the Americans got these long cords
that they can literally walk into a different room
and close the door on?
Even that didn't make a difference
if someone else picked up the other phone
from the other room.
You had another phone?
You had another phone?
For goodness' sake.
What about if you had a party line, where you literally shared the phone line with your next
door neighbour? Oh dear. Anyway, excellent. Thank you very much, Andy, for this week's Billy Big Balls
of the Week.
This is the Host Unknown Podcast.
And I'm pretty sure it's that time of the week, isn't it, Andy?
It is. It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Microsoft suffers second outage in two weeks.
Industry News
Data of half a billion Facebook users leaked.
Industry News
Australia considers social
media ID requirements.
Industry News
Florida school district held
to impossibly high ransom.
Industry News
Cyber security industry must
find solutions for third party
data security.
Industry News
Chemical weapon shopping sends dark web user to prison.
Industry news.
Italian arrested after allegedly
playing hitman to murder
ex-girlfriend.
Industry news.
College track coach accused of cyber
stalking. Industry news.
Wormable Netflix
malware spreads via WhatsApp messages.
Industry News.
And that was this week's...
Industry News.
Javad's Weekly Stories.
I've been...
I've just recovered,
like, just slightly recovering
from that horrible chest infection I had last week.
So let's move on.
And that was this week's...
Javad's Weekly Stories.
Very good. Very good.
Oh dear, right.
Recording from the UK.
You're listening to the Host Unknown podcast.
And Jav, I think it's your turn now for Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
So this Tweet of the Week comes from M Sharpasandi.
It's at M underscore shapa sunday. Um, and, uh, he's tweeted out
that the Ziggy ransomware operators are now offering a, uh, a refund if, if, uh, if you show
them receipts and send in your bank details and your mother's maiden name. So apparently a few months ago, the Ziggy ransomware operators sort of, like, decided to shut up shop and they actually released the decryption keys for free.
So they shut down in February after law enforcement had been hot on the heels of ransomware gangs.
You know, they've been after like they shut down a bunch of them.
And so apparently they peed their pants.
They got a bit scared.
So they released all the decryption keys.
It's a SQL file with 922 decryption keys that could be used by the
victims to unlock their files.
Why did they release it in a SQL file?
I mean, 922. Surely Excel
would have done it.
Pure techies, I'm guessing.
They're not thinking about usability.
I guess also they're doing the equivalent of driving
off in the getaway car and throwing the cash
out the window, right? They're just not thinking about it.
They're literally just, oh shit, oh shit, oh shit. So this, this is kind of crazy, because I can't believe that they have not already spent a lot of that money. Yeah. Or maybe they were too scared to move it out
of their Bitcoin wallet, and, you know, it all sounds like a good idea until it actually
happens, and then you're hit by the realisation of all the implications,
especially when you see some of your role models, like, getting banged up.
And also a lot of these gangs, they'll use ransomware as a service, right?
And so isn't there the possibility that they may not have owned this particular ransomware
or they may have, you know, maybe modified it or whatever,
but by, you know, chucking out the window 922
decryption keys, are they ones that could be used elsewhere as well? I mean, have they undermined,
you know, other criminals' ability to hold people to ransom as a result of this?
No, I think because they generate a new key for every victim, isn't it? It's asymmetric. Uh, yes, of course, they don't use the same. You see,
I'm with Andy on this, with, with crypto, I can't even say the words, cryptography. Um, this, this is,
I think this is like the manifestation of those YouTube videos where someone does something really
stupid, and when someone gets really angry, then it's just a prank, bro. It's just a prank.
We're giving you the decryption key so you can decrypt your data. And now we're offering to give you your money back. If you just email us, we'll refund it to your Bitcoin wallet.
A little too, little too late. You know what? Even if they don't get caught,
I'm very happy with the thought that they are scared.
And they're like more scared.
They're just as scared as Andy going down to Mr. Patel's shop
and like say, hey, can I give you your details
as the owner of this web domain?
I mean, just knowing that they're living in fear
just puts a big old smile on my face. And
I think that even might be even better than them going to prison because this is a cloud that will
be over them forever. I love the fact that you compare, like, a young 20-year-old me to Mr.
Javad Dekcher Malik,
uh, who is recently just, like, you know, maybe two... Fake news, fake news, fake news. No, it is good that, uh, law enforcement is actually having that, um, you know, deterrent,
uh i think because that is certainly something we don't often see with ransomware.
They're like, dude, we're not even in your continent. You're never going to find us.
Yeah. And I really hope that we don't cover a story in a few weeks' time or a few months' time
that sort of says, this was all a ruse for something else, and, uh, you know, it's all part of a larger, you know,
masterminded criminal mastermind plan. But actually this is them literally running scared and chucking
the money out of the car. Um, well, maybe they got hacked, and so the people that hacked them are
trying to find their old customer base, because, you know, they're susceptible to a secondary infection. They're just burning, you know, doing a scorched earth on the way out.
Maybe, maybe.
But, you know, we're all cynical.
We're going to say, like, no, this is the scam.
They're trying to get people to send them their details
and they're going to find a way to rip them off even more.
Well, it's almost like we've been burnt like this before.
Yeah.
Yeah. Yeah.
It's a good story.
It's a good one to, well, it's a feel-good story, right,
at the end of the day, because actually something somewhere
is making a difference.
Hopefully, yeah.
Yeah, very good.
Very good.
Thank you very much, Jav.
Tweet of the Week.
All right.
And we've got some of the tweets of that in the show notes as well.
So actually there was another tweet that I think we did consider putting in the show.
I think we should put that one in as well.
And it's this one from a chap called Yarden Shafir.
That's at Yarden underscore shafir. Uh, basically said, all those hacker movies really didn't prepare me
for how working in cyber security is mostly just moving Jira tickets around. Uh, which, unfortunately,
is about right. Is about right. Let's face it, you know, the days of hanging from wires like Tom
Cruise whilst you, uh, break into a server, you know, or secure a server or whatever, are long gone, and
it quite literally is everything's through tickets now. Yeah, it's kind of sad as well.
Yeah, it is the reality. And I think that's where, uh, was it Mr. Robot, uh, was probably the first,
um, I'd say the first, it
was probably the most realistic show, uh, you know, when it comes to what hacking looks like, and
there's nothing flash, and it's like, you know, I can't hack it from here, I have to be there and
plug into their network. Yeah, yeah, and shove a Raspberry Pi into a hole in the wall in the
bathroom. Yeah, you know, that's, although there was also that film by a guy called Jonathan Schiefer
who did Algorithm, and that was a very good film.
I never saw that one.
Yeah, it's available on YouTube now, I think it was.
He monetised it for a little while on Amazon Prime and elsewhere.
And I've bought a digital copy and a Blu-ray, because I met him at a 44CON years ago,
and the company I was working for, we actually paid, this is when it was a commercial release,
we actually paid him some money to show it in various offices for, like, a film night,
which went down really well, actually. And it's a slow-moving film, you know, and it's low budget.
I think he said he shot it for something like $8,000.
And you'd never believe it by looking at it.
It's extremely high quality, extremely well put together.
But it is slow, and I think it underscores that actually, yes,
it's very insidious, Yes, there's very serious consequences,
and there are very serious consequences in the film.
But it's not all car chases and explosions and, you know,
reverse hacking the proxy on the firewall type stuff.
It's, you know, hard work and, you know,
plugging away at stuff until you can make it happen.
I'm sorry, sorry, are you
telling me that the Hollywood movie Swordfish isn't accurate? Yeah, or the Chris Hemsworth, uh, movie
Blackhat? Well, I think Swordfish isn't accurate because it portrays, uh, John Travolta as heterosexual.
Right, oh, okay. Not going, allegedly, allegedly. You know, you know what, what, what's,
what thing, I, I might have considered giving Algorithm a watch, but because it's a recommendation
from you, Tom, from someone you met at 44CON... Oh my, I forgot. I repressed memories.
Oh, my day.
So this one, right?
So Tom met some guy in a bar the night before. No, it was a bar at 44 Con.
It wasn't just some random guy.
Yeah, the bar at 44 Con.
That was the night before.
Yeah, turned out to be one of the speakers.
And so Tom convinced myself and Jack to go to this guy's talk.
It sounded interesting.
And we sat right at the front.
No, second row, second row.
We were behind his missus, remember?
And this guy, the talk was called Punking PunkBuster.
And it was the most in-depth technical breakdown I have ever,
and it was just like, we were so lost,
but we're also right in the way where if we moved,
it was just too obvious.
And I think, Jav, you were the first to bail.
Jav banged out.
Yeah, he just sort of sent a text.
You're like, sorry, I'm out of here.
Bang down, bang down.
Because the way Tom sold it, I mean,
he didn't tell us it was so technical
It's something about, it's something about removing privacy protections on, um,
on... No, no, no, no, no, it's, PunkBuster was a thing that, that, um, some gaming company used, that if you
cheated, it would basically, um, fingerprint every single device in your computer
and then ban you from the game.
And so you couldn't even rejoin under a new username
because it recognised your unique CPU, all that sort of thing.
And you sold it to us on the fact that he's built his own 3D model slides,
which he has.
Yes, he has.
That had nothing to do with the talk.
It was like Andy said, it was so technical.
And then we sat there and Andy was sending these messages
and I just got the giggles and I just couldn't stop.
So I was like, forget that.
I picked up my phone as if I'd got a phone call
and I just started walking out.
I think at that point Andy and I looked at
each other and went, God damn it, we can't go now. Yeah. And then also, if you remember, Andy,
Tom also convinced us that the closing keynote was going to be fantastic, and he spoke to the
speaker, and that was dreadful. Actually, we use that, Jav, you and I have used that as an example of good content,
bad storytelling, haven't we?
Because that was about weev, you know, the troll weev, when he was in prison,
and his friend who set up an ability for him, you know,
when he used his phone calls for him for that speech to text on Twitter,
something like that.
And she told it in the most uninspiring way.
And it was just really dull,
but it was actually quite an interesting story around, you know,
what he'd been arrested for and how he wasn't able to, you know,
connect through his chosen medium, et cetera.
And so how she'd enabled that to work.
But anyway,
the moral of the story is if Tom ever says that he's been hanging out with speakers at a bar the night before and he's got some recommendations for you, just go the other way because they're likely not going to be things of interest or things that you're going to understand.
One demo there where a guy was doing something with forensics on a hard disk or whatever, like that, and he was doing it live, and then tappety tap, tappety tap, and it's all up on the screen, and he
hit return and all his text went up, and the entire audience burst into applause. Yeah, and we're like,
what did he do? I have no idea what he... Let's just clap anyway, let's just clap anyway. It must be good.
Didn't have a clue. I think that was Steve Lord.
He was doing something... No, no, it was Travis somebody. He was the guy who designed the badges
that year. Oh, right, okay. An American dude. Um, but, um, he also, he does the, um, PoC||GTFO books.
Oh, right, okay. Uh, him. But, uh, and, and if you've got those... Well, I've got them on the shelf
just so I can say I've got them. I have no idea. Have them in the background when you're on video
calls. I think you'll find I'm a genuine hacker, do not question my authority. Sometimes you just
have to, uh, you know, just sit there and remember that you're not anywhere near close to being the smartest person in the room.
No, no.
Wasn't that the year that Tom nearly had a nervous breakdown before his own talk?
I think that was that year or the year before.
That was 44CON, though, where, yeah, I was sat in the toilets trying to come up with an excuse to leave.
Did not enjoy that at all. But the talk
went okay in the end. Um, but it was that talk that I subsequently gave at four five one, and I thought,
you know, I've nailed it, I've got this talk sorted out. And it was that one that Andy then said, yeah,
I got to the end and thought, so what? And that, that, uh, gave me a kick up the bum.
But yeah, what you said about, you know,
not being the smartest person in the room,
I can sit in a room by myself and not be the smartest person in the room.
I tell you, jeez.
I'm amazed I can, you know,
I can put both legs into my underpants
one at a time without tripping over sometimes.
Anyway, anyway.
Did we do the closing jingle on that?
Yes, we did, didn't we?
Yeah.
Completely lost track.
I think we're at time, gentlemen.
It is.
That one flew by.
It did.
It did.
Absolutely flew by.
Well, Jav, thank you so much for your time
and the fact that you weren't coughing and spluttering all the way through.
No, because I was muting a lot.
But, you know, I had to save you and the accordion from the coughing and spluttering.
The accordion?
Anyway.
Thank you so much.
Because it folds in and out.
Yeah.
Andy, thank you very much.
I thought you were going to say talking or folding.
But stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/SmashingSecurity.
Did we get through a whole episode without you swearing that time, Tom? We
don't want to offend the Duchess. Uh, I think I said, uh, one fuck, two shits and a bugger. But as,
as I think that was after the credits, um, that they're done now, it
shouldn't count. Hopefully she doesn't listen till the after credits. I think we're okay now.