The Host Unknown Podcast - Episode 51 - Punking the Punkbuster
Episode Date: April 16, 2021We think we sound much better this week, all thanks to Krisp! Tighten up your audio, remove background noise, and annoying work colleagues, all with Krisp. Download it here:https://ref.krisp.ai/u/ue2a...67ba76 One advantage of being short is that you get to be in the front of all pictures taken of a group and that is all we have to say about Little People this week. This week in InfosecLiberated from the “today in infosec” twitter account:15th April 2000: The RCMP arrested a Canadian juvenile known as MafiaBoy for a DDoS attack against cnn.com.https://twitter.com/todayininfosec/status/1250622615204454400 https://en.wikipedia.org/wiki/Michael_Calce14th April 2005: It was announced that the National Infrastructure Advisory Council (NIAC) had chosen FIRST to be the custodian of the Common Vulnerability Scoring System (CVSS), the then-emerging standard in vulnerability scoring.https://twitter.com/todayininfosec/status/125025120339027558416th April 2014: Host Unknown released their debut music video to great acclaim within the Infosec echo-chamberhttps://twitter.com/HostUnknownTV/status/456395301159305216Jav’s proposal for Pulp Security from 2011 (cue Mesirlou clarinet version to avoid copyright infringment notices)Cynic: So tell me more about America.Jester: Well it's the same shit we got here, it's just a little different.Cynic: Example?Jester: Well I mean, you can get encryption products out there. It's legal for you to own it, it's legal for you to install it… but get this. If you try to export it out of the country it's illegal for you to do it.Cynic: Damn man, that's harsh.Jester: You know what they call a router (pronounced rooter) out in the US?Cynic: They don't call it a Rooter?Jester: Nah man, they got their own system, they call it a Router (pronounced rowter)Cynic: haha Rant of the Week Industry NewsHackers Hacked as Underground Carding Site is BreachedFacebook Removes 16k Groups for Trading Fake ReviewsBrits Still Confused by Multi-Factor AuthenticationFood Shortages at Dutch Supermarkets After Ransomware OutageCyber-Attack Shutters Half of Tasmania’s CasinosMicrosoft Patches Four More Critical Exchange Server BugsLawsuit Filed After Facial Recognition Tech Leads to Wrongful ArrestMan Gets 10 Years for Multimillion-Dollar Medicare Fraud SchemeEurope's Data Protection Guardians Green Light EU-UK Data Flows Javvad’s Weekly StoriesHow I pwned an ex-CISO and Smashing Security https://youtu.be/lb5htJmjcFM Tweet of the WeekRobert McArdle - @bobmcardleDirector FTR - CyberCrime Research for @TrendMicro. Lecturer in Malware Analysis.https://twitter.com/bobmcardle/status/1382602129005772801 Sticky Pickle of the WeekYour company is looking to promote an upcoming Women in Security webinar and you’re looking to maximise engagement on your social media channels so you come up with a single question which you believe will solicit engagement and believe the structure of the question is in a way that keeps responses on topic:“What according to you are the most common challenges faced by women in the cybersecurity domain?”.Sound good so far? Can you make it simpler by providing multiple choice answers to choose from? It’s not a bad strategy so what are the optional responses to the most common challenges faced by women in the industry are?A: “Only men can do this job”B: “Women can’t handle this job”C: “Women aren’t encouraged enough.”Now the responses you’re receiving to this insightful quiz are not going in the direction you thought they would - what are your next steps?https://www.infosecurity-magazine.com/blogs/the-story-of-the-eccouncil-gender/ Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
are we are we still being sponsored by crisp uh it depends on whether or not you can hear this
okay ready after three one two three did you hear that no no what was it 0.4 kilos of jelly beans
my friends you didn't hear them me shaking them like maracas no go okay let me switch off crisp oh that holy moly oh blimey right
now with crisp back on let's see if you can hear this anything that is just amazing either
either crisp is brilliant or you're just not shaking them no you know i think crisp really
is that good it's a virtual microphone that you download
that removes all the background noise.
And this reminds me,
do you remember those double glazing ads
when they first came out?
And there's a helicopter in the garden
and it's really loud.
Then the guy closes the double glazer and it's quiet.
And then he drops a feather down the side
and it just...
Get the best Everest.
And folks, if you'd like crisp, and then he drops a feather down the side and it just... Get the best Everest. Yeah.
And folks, if you'd like crisp, then link in the show notes.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us.
Welcome to episode 51 of the Host Unknown podcast. Blimey, folks. 51 episodes or 53 or 54.
We've got to 55.
Yeah. I tell you what, your numbering is streaking ahead of my numbering.
I'm sure you add extra episodes every time.
Yeah, blimey, episode 51.
Andy's like the Jim Ross of commentating or podcasting.
He's like, oh, my God, that must be at least 200 foot off the air.
Is that Jim Ross, the Channel 4 interviewer guy?
Yeah, that's exactly who it is.
With the list.
Okay.
Just checking.
Just checking.
So, Jav, how are you?
Yeah, good, thanks.
Good.
Ramadan started this week.
So you're grumpy, basically.
No, no, no.
It's week one, so I'm still very happy.
It's still like I've got plenty of reserves, as we know from our biggest loser challenge.
Yeah. So you haven't accidentally slipped and fallen onto a shawarma or something?
No, not yet. Not yet. It asked me in like 15 days.
I slipped, fell and the shawarma entered me via my mouth.
Yes. And do you do that thing where you brush your teeth
and accidentally swallow water during the day?
For someone that's not fasting,
you surprisingly know all the tricks.
This is from my time when I was living in the Middle East
and I had to blend in.
It's by eating toothpaste.
It was tough during Ramadan, I tell you.
Durka, durka. Durka you andy how are you good thank you i'm uh i'm excited for the weekend it's uh it's been a
long week so i'm just glad that the weekend's in sight excellent excellent believe it or not
this is the fourth podcast i've been on this week i do believe it because i i know for
a fact that you've been whoring yourself around it's almost like we're a side note these days
so on monday i started a brand new podcast with somebody i work with um and that's called two
great nations it streams live every monday i'm leaving all the production to him, so I've got no idea what the links are.
So, you know, maybe you'll find it.
Maybe you won't.
I don't know.
And then, what was it, Wednesday I recorded – no, yesterday, sorry,
I recorded the new Sentinel One podcaster with Rowena Fielding.
That was good fun.
Sentinel One podcaster with Rowena Fielding.
That was good fun.
And then I recorded the Sticky Pickles podcast with Carole and Maria.
That's actually released now as we are recording.
It's just been released.
I'll tell you what, Jeff, if you've got Maria's number,
I'm thinking we need to replace her presenter.
I know we had a talk about Tom's performance review and his end end of year is not looking good it was going to be a pip it was going to be an
improvement plan but i just don't think it's even worth it i think you know we need to manage him
out that's fine that's right maria and i can swap out not a problem at all so this is pickles
podcast i've not heard of it is that a spin-off from the sticky pickles of the week segment that
we did it is it is do you know what i think i think they stole the idea from our sticky pickles
of the week uh this is like better call saul it's like a prequel to breaking bad yeah it's got some
of the fun elements but it's not quite breaking bad i mean i mean let's let's let's be clear we
we've pretty much launched uh graham cluley and Corral Terrio's careers in the
podcast industry, really.
Yeah.
You know,
we've got it in black and white about how,
how our first episode inspired the Smashing Security podcast and our,
and our Sticky Pickles.
And yet both of them have got more followers and listeners than we have.
It's debatable.
It's outrageous.
We go for quality, not quantity.
Absolutely.
We do try to maintain the quality.
We don't get people to pay money just to listen to the podcast a day early.
All of that stuff.
So it's all good.
It's all good.
Anyway, I think we should probably move on,
unless anybody's got some amazing news this week.
No, no.
Okay.
Well, actually, we've got some amazing stories this week.
That's for sure.
We've got coming up.
We've got today in InfoSec, a very musical themed one as well.
We have got a story about awful banking when it comes to rant of the week.
We've got industry news, obviously. We've even got some Jav's weekly stories as well.
Funnily enough, all Ramadan related. And a tweet of the week, again, musically themed.
And we do like to go back to our roots,
and we've got a sticky pickle of the week, original.
The original and still the best sticky pickle of the week coming up.
So, Andy, shall we go straight into...
This week in infosec
uh so the part of the show where we take a stroll down memory lane
liberating content from today in infosec twitter account and uh embellishing it by uh i kind of
mixed up my uh my taglines there.
I didn't know where I was going with that one.
You completely messed that up.
But hey, you know, that's why this is quality and not quantity.
This is live, people.
So the first story I have is from the 15th of April 2000,
a mere 21 years ago.
And as we do more and more of these stories it actually horrifies me
at how recent these things were so this week 21 years ago the royal canadian mountie police
arrested a canadian juvenile hacker known as mafia boy and it was originally for a ddos attack against cnn.com and it turned out it was actually
against more sites than that so mafia boy his real name was michael hauchi uh i think and what's
funny about this you know he's now a security expert and you know he described himself as a
computer expert former computer hacker uh from can. And he launched like a series of like highly publicized
denial of service attacks in February of 2000.
But what was amazing about these is they were all against
really large commercial websites.
So they included Yahoo, FIFA, Amazon, eBay, E-Trade, CNN.
Wow.
Yes, it's a quite big one.
So as a 15-year-old, he targeted all of these sites with a project he called Revolta, which meant rebellion in Italian.
And at the time, Yahoo was the multi-billion dollar web company and the top search engine in 2000, believe it or not.
Google had only launched like 18 months or so before that.
So, you know, all the big players...
It would still be run by two servers under their desks, probably.
In a garage somewhere, yes.
I mean, you know, back then the big players were still AltaVista,
MSN Search, Excite had recently acquired WebCrawler,
and AskJeeves was on the up as well but he managed to shut down yahoo for an
hour with his ddos attack um and while all of this stuff was going on it's funny buy.com you know the
big us retail actually switched off their website in response you know they were like actually do
you know what this stuff's looking bad let's just switch it off um and this is what happened back
then you know 21 years ago if you couldn't protect your website you just shut it down so yeah because actually it was it was a
it was a side thought right it was an afterthought yeah it yeah 21 i know it doesn't seem that that
long ago but it really is um so he then turned up the heat he also brought down ebay cnn amazon
believe it or not um although dell is often reported in the same series of
attacks he didn't successfully bring them down and he later claimed in an interview that the
attacks were launched unwittingly after he'd plugged known addresses into a security call
that he had downloaded and then he left for school and he didn't realize
what happened yeah he'd done an andy what he said he came home from uh school later that day his
computer had crashed and then you know he overheard the news and recognized the company's being
mentioned on the news um but yeah i, his story sort of breaks down.
So he also launched a series of failed attacks against, you know,
nine of the 13 root servers on the Internet.
So there's a lot of figures that are always bandied about with this one
because some senior analysts at the Yankee Group said that he told reporters
that the attacks caused $12 billion dollars worth of economic
damages and then you know other media outlets would then do the conversion to Canadian dollars
and make that 1.7 billion Canadian dollars but in court the actual trial prosecutor said the
figure was about seven and a half million dollars but what was also interesting was whilst testifying
at a hearing before members of the congress uh jav a colleague of yours and uh known computer
expert win schwarto said that the government and commercial computer systems are so poorly
protected today that they can essentially be considered defenseless. He coined the phrase that they were an electronic Pearl Harbor waiting to happen.
Oh, dear God.
I know.
And the fact that the largest website in the world could be rendered inaccessible by a 15-year-old schoolboy created widespread concern.
What about a cleaner?
I'm plugging something to plug the vacuum cleaner in.
Well, yeah, it's on par with that, isn't it?
Yeah, so former CIA agent Craig Dewant actually credits Mafia Boy
for the significant increase in online security that took place in the following decade.
So whether he set out to do that or not,
he has had a massive impact on the information security
industry um so so mafia boy my family thanks you for the uh the roof over our heads and the joins
up joins up meat that we get to eat every day yeah yeah and the best thing about this was the
following year is when he was actually sentenced and can you guess how severe his sentence was? 15 years.
Six months.
70 years.
A month. It was eight months of open custody, one year of probation,
and restricted internet use.
So basically they put him onto AOL.
Pretty much, yeah.
Pretty much, yeah.
But that's actually very light compared to some of the sentences that are being handed down today and even just over the last decade.
I mean, members of Anonymous and some, well, in fact,
the members of the public who used, you know,
the low orbit ion cannon-like tool,
they were threatened with 100 years in jail.
Well, that's how it starts, isn't it?
That's just like the normal legal process.
It starts really high and then it ends up being like,
OK, you paid a £60 fine.
Well, I don't think it went quite like that.
But the fact is, legally, they could have gone down for that amount of time
because of how the offences were interpreted,
rather than actually, legally, the most we can impose is, I don't know,
five years or whatever.
That's the difference.
That's the distinction.
Anyway, sorry, you were saying?
But thank God for Dudley Do-Right being there on time.
What?
Do you not remember the cartoon?
It was like a Canadian Mountie police cartoon.
Yeah.
Do you know what that vaguely rings a bell?
That vaguely rings a bell.
Was it in colour?
It must have been.
I never had a black and white TV.
You never had a black and white TV you never had a black and white tv
well not personally oh my goodness i had one in my room black and white tv do you remember
back in the day sorry i'm going on complete tom your back in the day is very different to our
back in the day yeah channel four had just come online right when the centurion messenger arrived
but channel four and international folks channel four
is funnily enough was the fourth channel that came online in the uk because unlike most other
countries you know when i grew up originally we only had three channels um but channel four was
the brand new channel and um to sort of mark them out as slightly edgy, a little bit like the very imaginatively named Channel 5 did a few years later.
But to mark them out as slightly edgy, they started to show sort of soft porn and erotica in the evening.
And I say evening, like after 11 o'clock.
And in order to warn viewers that it was time to get sexy they'd put a little red triangle in the corner
of the screen uh which is a bit of a problem on a black and white telly is this uh where you learned
uh french yeah yes i learned a lot of things i can tell you
anyway sorry to go on andy i know we've got a couple more stories yeah so secondly i'll
whistle this one is only a mere 16 years ago uh again 15th of april 2005 it was announced that
the national infrastructure advisory council uh that's the niac had chosen first to be custodian
of the common vulnerability scoring system uh which is better known as CVSS,
which was a then-emerging standard in vulnerability scoring.
So what you're saying is that NIAC chooses first for CVSS?
Yes, pretty much so.
Obviously, this is a free and open industry standard
for assessing the severity of vulnerabilities.
And CVSS tries to standardize or assign severity scores to vulnerabilities so people can prioritize responses.
It's something I depend on a lot when working with potential targets.
In the world of M&A, there's lots of posturing and people think we're looking to knock the price down by highlighting deficiencies and things like that, which is furthest from the truth you could possibly believe.
It's, you know, we really don't care. We just need to know what the risks are.
But, yeah, I mean, this is an internationally recognized standard. So it's not just, you know, one party saying this is a serious problem.
just you know one party saying this is a serious problem uh you know this is people around the world all agreeing that you know on the same scale um you know this problem is serious in any country
and it gets a bit more complicated than that you know you can there's a calculator where you can
add in sort of you know mitigating controls but essentially it's based on you know the
attack vector complexity privileges required whether interactions required
um you know and the effort required to achieve that so it's a great standard if you do any kind
of technical risk management i have no doubt you will be familiar with the cvss score and i don't
even know how people survived in a world without it absolutely and little known fact actually for our american um you know brethren chums over over the pond you can also go to cvss to get your um
uh pharmaceutical and chocolate to get your vaccination yeah to get your covid19 vaccination
that was really labored
i stumbled on my words a little bit come on give me a break uh so right
i'm sticking in a third story this week and it's last and definitely not least it was a mere seven
years ago today that the infamous host unknown released their first music video to the public to greater claim within the infosec echo chamber um i'm a
ci double sp reached 100 000 views on on youtube just in time for its seven year anniversary
that's the one so just this week we've just cleared 100 000 views on that video
100 000 views wow that's amazing that is that is pretty amazing
i mean you should be so proud of that jav i mean that video
i get people tagging me all the time saying i love your music videos
well so obviously at the time host unknown the group that i put together were mostly bound at uh industry events taking uh
taking the mic and do you remember we used to have a regular column in the infosec buzz magazine
when you say regular comma column well every month that guy would email us and say right you know
and every month we go oh god we've got time for that i know we'd also done a so i went like way back
uh you know looking through um uh all my archives and uh you know at the time we've done a few rant
events we've done a couple of videos with jim shields of twists and shout fame um you know
we've done videos causing mischief infoset europe Europe, 44 Facts About 44 Con, which I enjoyed.
That's one of my favourites, actually.
Yeah, we'd done The Three Wise Men, Greatest Story Ever Told,
which was pretty fun.
And that was in the December prior.
It's just, unfortunately, Jim refused to use YouTube in those days.
So that video was on Vimeo, and it didn't get much organic traffic
until we'd we'd uh
sort of published it on youtube ourselves about six months later but um yeah by april of 2014
you know we're so happy to take mickey out of ourselves we went all in on a topic that was
it just seems to be coming up all the time you know within within the industry um and you well you'll probably recall
obviously jav was already well known for his youtube security videos and um you know by this
point he'd already become the poster child for isc squared uh you know for his cisp certification
with this whole uh cisp cisp mother you know video uh and tom as you rightly highlight tom you do remember ambitious jab in 2014 is very
different to the animal um of the you know the karma uh you know more team playing jab that we
know and love today um and this is yeah well i think it's it's funny because he obviously took
all the credit for that video when it was published uh yeah he didn't necessarily say he created it but he certainly never corrected anyone who sort of
only did praise at him for it a hundred thousand views you know why would you correct anything with
what exactly so you know people just assumed it Jav because obviously he'd already had his own InfoSec Cynic brand, which had been running.
But, you know, it reminds me of the tagline from the Zuckerberg movie.
It's like you don't get to a billion friends without making a few enemies.
And never has that quote been more applicable to me.
Tom, you remember, obviously, the funniest thing about this is that jav almost didn't even
get involved in the video he didn't turn up it did turn up you turned up late but you couldn't
even be asked beforehand you were like uh i don't know whether you guys go ahead you guys do it
yeah oh i'm gonna be late i gotta buy a. No idea what you're talking about. What's really funny is that a few months prior, Tom had been to Abertay to speak at Securite.
And had become really good friends with a bunch of all the students there and what have you.
And they saw the video and they loved it and they were watching it and they all saw it at home.
Then they went to uni and they were playing it and they they they all saw it at home then they went to to uni
and they were playing it on the on the projector at uni and then someone piped up and said like
tom was in that video too and it was like what what no it's like the invisible gorilla all over
again oh yeah that is tom yeah well you know the camera adds a few pounds right
so i'd say we're all a little bit slimmer in those days yeah definitely i do need to give
credit to uh obviously chris rice uh ricey uh someone i used to work with in another life
um so happy birthday for this week as well right so we actually released this uh on your birthday
seven years ago um but he was responsible for changing uh some of the key lines within that song
um so the original chorus as it was written was i'm a mother c-i-s-s-p um you know and he's just
scrapped the whole thing said it was a whole load of crap and he changed it to uh you know i'm a in ci double sp which which flowed a lot better um yeah we're not
talking about flow andy i'm not even gonna go there i'll tell you what we'll bring that up in
september okay but the other thing i'll say is obviously uh i did a mini vanilli on that whole
video um you know they are rice's dulcet
tones that you can hear in that song and i obviously mimed over the top um but yeah i mean
that whole day i mean i don't know if you guys remember we obviously hired a nightclub bought
some prop paid some extras had a cameraman uh the man they call moo uh that was his house featured
at the beginning of that video where you know you two come to the front door. But the thing that I really recall about that whole day, you know, it's always the emotional part you remember.
And it's how you two took the piss out of my singing all day long.
Like you made me sing the whole thing and obviously overlaid the track on top.
But then when we recorded the accepted the risk video jav was too embarrassed
to sing in front of others and on the money video tom you couldn't even remember more than three
words at a time even now i tell you man that your lips were hardly moving when you were trying to
lip sync over c i w s p i've even now if look at it, I tell you that some of those fake app videos,
you know, those deep fake video apps,
they do a better job of imposing lip movement than you did over your own face.
It was just the worst.
And I think 100,000 of my fans will agree.
I think 100,000 of my fans will agree.
I just remember thinking, oh, my God, I have to look in a certain direction,
move my body, move my legs, walk somewhere and sing at the same time and remember the words.
It was, oh, my God.
Do you remember we got Lee Munson came into the Accepted the Risk video, right?
Yes.
All he had to do was pretend to type on
a keyboard in with them yes you couldn't do that if you look at the concentration on his face in
that video oh that was brilliant but yeah I mean that was one of the I think once everyone realized
how hard the whole thing is everyone sort of cut some slack right yeah well actually it's a long boring day right
it is really you know or there are long periods of boredom yeah early starts for most of us jab
just rocks up with yeah just rocks up whenever it's uh yeah but uh yeah my biggest worry at the
time was obviously the um uh being sued by ic squared uh so i think it was slightly lucky in the early days and sort of jab
did take a lot of credit for it because obviously they had no incentive to go after their poster boy
with cash yeah exactly uh and although we say it's only a hundred thousand views on youtube
um it was copied some facebook group and then you know elsewhere after that and that had a lot of
views that we weren't getting credit for yes indeed but we're not bitter about that we're not no I did I did speak to some
people at IC squared uh afterwards and there was a few people that worked they said we absolutely
loved it it goes like they said they actually played it in one of their team meetings internally
but the direction from the top was this is funny hilarious we love it but not a single one of their team meetings internally but the direction from the top was this is funny hilarious
we love it but not a single one of us is allowed to even click like on that thing so you forget
about sharing it or talking it it doesn't exist oh dear but i mean talking about you know i know
this is the whole point of going down memory lane but you know going through my archives um i did find some
hysterical content that we had so we obviously bounced a lot of stuff back and forth um back
then there's a lot of bitterness uh particularly for me for not winning the pony award best song
oh my god i remember that yeah i was annoyed in that one but you know anyway i could talk another
hour on that one but i did find some hilarious stuff which never made it to air.
You know, I think, you know, Jav had his ideas.
I had a lot of ideas and we bounced some stuff between each other.
And there was one which Jav came up with in 2011.
And bearing in mind that this is probably, you know, I would refer to the original host unknown you know for the uh
for for any like really old school people and you wouldn't actually believe who was involved
in this conversation thread jav it was you me and remember who the third person was
no it was steve lord no way what yeah this was in the run-up to a 44 con and so Jeff put together this skit that
never made it to air and I have no idea why it never made it to air but I'm going to paste it
in the show notes now and I want to read through it quickly okay let me let me let me help set the scene, shall I? Yes.
So, Andy, tell me more about America.
Well, it's the same shit we got here.
It's just a little different.
Example?
Well, I mean, you can get encryption products out there.
It's legal for you to own it.
It's illegal for you to install it. But get this.
If you try to export it out of the country, it's illegal for you to install it but get this if you try to export out the country it's
illegal for you to do it damn man that's harsh you know what they call a router out in the us
they don't call it a router no man they got their own system they call it a router
router get out of here
it's like i was in the room
we absolutely have to move on
we do but so you've got three
for the prize Mafia boys CVSS
and CI SSP
this week in
InfoSoul
anyway I think now we can move on to this week's
listen up rent of the week it's time to mother rage so this one's uh from me and this is
a a personal story because a good friend of mine, he's in the building trade.
He owns and runs his own company.
Very, very successful, very large company.
And he texted me over breakfast the other day.
Obviously, I put a screen grab of this and a screen grab of this into the show notes.
But let me read out his text and then we can discuss.
So his text reads, being an IT security man, I thought this would make you laugh as it did me.
Got to give out works bank details to give internet access for another user.
Enter security details and then card reader, fill in personal information, print, and all account holders need
to sign. All going well. Then with all this information on paper, I need to send by post
to Lloyds Bank, internet banking team, and over. May as well have put, please steal my personal
details written on the envelope. Can't believe it.. Which really goes to show you I'm appalled by this because, one,
you've got to authenticate yourself multiple times on the internet.
So you go to change your bank details,
and I'm doing this with the Thames Valley chapter of the IRC Squared,
and it's a real pain in the bum hole to do. But in this case,
you go online, you authenticate that it's you. You then have to enter security details,
use your card reader, fill in that personal information. And the fact that you then have
to print everything out and post it, surely in this day and age, things can be done a little differently, right?
Surely we can do things differently.
It's like all you're doing is helping to automate a paper process
rather than actually changing the process to be more secure.
And then with details like that on the envelope itself, internet banking, of course, there's going to be sensitive data in there.
But the irony of even having to put internet banking team onto the front of a paper envelope that you put a stamp on and put it into the postbox seems to be lost on Lloyd's. And I know Lloyd's
is not the only one that does this. But really, can we not do better than this now? I mean,
for instance, I've had business accounts with Revolut and Starling and various other companies and banks,
all handled through an app and online.
Absolutely everything.
No need to print anything off.
No need to put anything in the post.
And yet when last year working through some of the government processes
and government loans and stuff and using a traditional bricks and mortar bank,
had to print everything off again.
Ridiculous.
I just find it absolutely stunning that there are businesses
that are able to operate entirely digitally,
who are operating in exactly the same space as traditional banks,
as traditional banks and um you know basically building in this kind of of just slack-minded thinking i can only assume it's cost because you know there are plenty of services uh like you say
that support the revolutes the monzos the m26 um that you know can do all of this verification
online so i can only assume that for you know some of these all of this verification online. So I can only assume that for, you know, some of these banks,
it's just cheaper for them to have people do it manually
than it is to automate it.
Talk about being customer-focused.
Jeez, ridiculous.
It reminds me of that meme or that joke.
It's like someone's trying to do something and, you know,
the other party says, can you fax me
over the details and he goes i don't have facts where i am he goes where are you because the year
2021 so that's what this reminds me of it's like can you post stuff it's like yeah i i think it
yeah i agree with andy i think it's cost and then there's probably some process reengineering that needs to be done in the back end to support all of that.
And I don't think anyone's put forward a good enough business case internally for a lot of these banks.
But you're right. It's just this is actually going back to the year 2000 or the early 2000s.
to the year 2000 or the early 2000s this is how a lot of companies approached um the the e-commerce or the whatever everything was e uh something before that um they would just take a a manual
process and say how can we add a computer into one of these processes at some point so it would
be exactly the same thing print it off and then email or like email it here and then we'll print it off and post it back.
You know, it was it was never it just gave me the feeling or the impression, the thin veneer of like this technology involved.
It must be better, but it was still a manual process.
It made it worse and less secure and more clunky as a result, because I must admit, you know, signing up to things like Monzo, Revolut, Starlink, etc.
a result because i must admit you know signing up to things like monzo revolute starling etc is so easy so easy um that it i i can't believe part of me can't believe that people are still
using traditional banks and going to traditional banks i mean why would you want to i don't
understand what needs there is for a traditional uh bank for the vast majority of people.
So if anyone from HMRC is listening to this podcast, I'm sure you're just as interested
as me into how many accounts does Tom actually have? He's got some traditional banks account
and he's signed up for every new challenger bank there is. Why does he need to do that?
But my ears did prick up when he said he's getting access to the ISC squared bank account.
I was like, hmm.
Nice little earner there, isn't it?
If you think I might be signing my name, but if you think I'm touching that bank account at all, that's what the other committee members are for.
That's what I'm for, Tom.
I'm your fool guy.
Don't worry about it.
Yeah, exactly.
Yeah.
Anyway, I'm El Presidente of the IC Squared Thames Valley chapter.
I've got the committee members to do it.
Precarious liability, Tom.
Yeah, I know.
Do you get to fly on the private jet called Air AMF?
Air AMF.
Oh, dear.
Well, they're true, very true.
So, yes, come on, banks.
Pull yourselves together.
Sort it out.
Make it easier.
And, you know, perhaps you might start to recover some of that reputation
that you've been losing steadily.
Do either of you have any traditional bricks and mortar bank accounts?
I do. And funnily enough, Lloyd's is one that causes me a problem.
Yeah, I couldn't. It's all paper-based. I've got no online access to that. I can view my balances
as you can do with the open banking regulations, but I can't transfer money out of that account.
Oh God, I can't think of
anything worse it's like yesterday morning i literally woke up first thing you do of course
is reach across and get your iphone and see who's emailed you overnight and all that sort of thing
i don't check emails check your dating profile that sort of thing and um i'd found that i'd been
paid uh some expenses and so literally in the first couple of minutes of my waking day,
I'd transferred those expenses onto my credit card and Amex that I'd used.
Boom, done, everything.
I can't imagine doing that with some of these bank accounts,
some of these bricks and mortar banks.
I know they're getting a lot better with their apps.
I used to be with Royal Bank of Scotland
and theirs was one of the better ones.
But, yeah, I dropped them in 2017, 18, something like that,
and I'm now wholly, you know, Challenger Bank at the moment.
I couldn't imagine going back to another one.
Yeah, yeah.
I mean, I've got a few um
few traditional accounts and yeah lloyds is actually one of them as well and it is oh my god
it is the worst um but but the others are good actually speaking of old banks i remember like
do you remember griffin bank or midlands bank was it and they had a griffin account oh yeah and uh
i remember being like i was young i was about 12 or something and they had a different account oh yeah and uh i remember being like as
young i was like 12 or something and they had a child saver account but if you open up an account
with at least 20 pound they gave you like a whole bunch of swag it was just like you know a duffel
bag and a and a money box with a globe on it and and a whole bunch of things so i set up that
account just to get the swag yeah natwest did the same. They used to come into our schools.
Yeah, so they had pig money boxes.
Yeah, the pig events, yeah.
Yeah, I signed up to NatWest when I was 11.
They literally came into schools and signed you up,
which is crazy if you think about it these days.
Yeah.
I know my mother's goddaughter, she set up a NatWest bank account
and put money into it, and she got her the full set of the pigs,
which are worth a fortune now.
Because obviously the more money you put in,
you then get the next pig and the next pig,
and they gradually got bigger.
They're quite iconic now and quite sought after.
Yeah.
Excellent.
Thank you very much.
That was this week's...
Rant of the Week.
Excellent. Thank you very much. That was this week's Rant of the Week.
And I think we can also do one of these.
Sketchy presenters, weak analysis of content, and consistently average delivery.
Like and subscribe now.
So I've had a message come through asking if we're going to be doing a little people this week but all i can
say is that one advantage of being short is you get to be in the front of all the pictures taken
of a group and that's all we've got to say about the little people this week industry news
hackers hacked as underground carding site is breached.
Industry news.
Facebook removed 16,000 groups for trading fake reviews.
Industry news.
Brits still confused by multi-factor authentication.
Industry news.
Food shortages at Dutch supermarkets after ransomware outage
Industry News
Cyber attack shutters half of Tasmania's casinos
Industry News
Microsoft patches four more critical exchange server bugs
Industry News
Lawsuit filed after facial recognition tech leads to wrongful arrest
Industry News Lawsuit filed after facial recognition tech leads to wrongful arrest.
Industry news.
Man gets 10 years for multi-million dollar Medicare fraud scheme.
Industry news.
Europe's data protection guardians, Greenlight, EU, EU data flows.
And that was this week's...
Industry News.
So what have we got from you this week, Jav?
Jav Ad's Weekly Stories.
I'll start off by, yes, not even water.
That is an ancient Ramadan proverb.
You mean proverb?
Yeah, whatever. It's not like a professional verb. It's, you know, proverb. You mean proverb? Yeah, whatever.
It's not like a professional verb.
It's, you know, proverb.
It's not, okay.
Or it's not even, you know, an advocate for verbs.
We're very supportive of verbs here.
I am proverb.
And I'm pronouns.
Just not professional.
I'm just not really pro-objective also if if you missed it there's a link in the show note a little video i made about how i
owned an ex-ciso and smashing security the number two podcast in the uk uh in one don't click on it
don't click on it in one sweep uh along with and
I and I credit where credit's due because I some people do accuse me sometimes I'm not giving credit
um and he did help me out with this one he was my my Robin to to to my Batman yeah it was a it was
a fun story of how uh Tom uh his opsec failed him yet again.
His predictability failed him yet again.
And it's been a while since Andy and I took a look into, you know,
just poking a bit of fun at Tom.
And he failed miserably.
Been a while?
Been a while?
It's like daily.
Well, I mean, like at this level,
something that makes good hallway chat.
It was very funny, I have to say.
But I knew exactly what was going on.
That was the best part. I knew exactly what you're trying to do.
And you still couldn't stop us.
You had all the IOCs and you still didn't stop it.
Because my third party risks were not adequately dealt with.
Wow.
See, that's what you get.
That's what you get.
And Graham's a blabbermouth.
Graham's a blabbermouth.
Yeah.
And so is your son, actually.
I asked your son something in confidence and he went and told you about it.
Which is exactly right exactly right i i applaud
him for that absolutely anyway i am more that's the problem yeah yeah that's right that's right
you know what what got me was that there's this news story microsoft patches um for more critical
exchange server bugs and uh it reminded me of this story from this week. Well, it could have made a bit of big balls, actually.
We didn't put it in there.
The FBI was out patching Microsoft Exchange servers this week.
Really?
In the US, yes.
So there were so many servers that weren't patched.
And criminals, they'd broken in and they'd left web shells there so they could
get back in and the feds they went in the fbi they got a uh a warrant from a judge
it's uh uh it's what's it was an entry warrant what do you call it anyway yeah um and they were
going in without telling the companies and patching their exchange servers for them and removing the web shells so that criminals couldn't get in.
Well, what am I paying my security team for then?
Well, exactly.
Exactly.
Exactly.
And, you know, it's just I think it opens up a whole can of worms as to where that could go.
of worms as to like where that could go and yeah you know who knows the feds didn't put in their own back doors or or what what or what what recourse does the company have if they ended up
screwing up one of their production systems i think it just it just so much i mean what what
happened to just going to the organization saying hello i'm the fbi um please please sort your stuff
out and that would have involved a whole lot less work
right
and liability because you're right
if something screws up then
well this is America so of course
what is it
they wouldn't be held liable
but something immunity
I can't remember what it's called
for law enforcement
officers but yeah rock i thought you rock up
to work the next morning your mail server's falling over and you can't work out why because
nothing's changed bizarre it is but that's a miracle for you well indeed yeah yeah i do have
to wonder what what microsoft what what they you, they could have got involved,
because that's a legit way where you can push down updates and notifications to your customer base.
The Feds could have liaised with them, got it through to the customers.
It's really weird. It's really bizarre. I don't know what prompted it.
There's either a big part of the story that we don't know about
in the sense that the Feds knew something was coming
and it was in their interest to deal with this in a way
that they knew they could get it all done in a few days,
a few weeks or whatever, rather than,
yeah, we'll deal with that at some point, you know,
or it's just really poor.
It's just really poor it's just really poor it could be because the timing seemed um it seemed to coincide with the biden administration uh blacklisting a whole bunch of
um russian based uh tech companies a whole new oh that's right including one that uh a um a mutual
colleague works at right yes that Yes, that's right.
So it could have been a preemptive measure for that.
Who knows?
Yeah, because they were expecting a backlash as a result.
Yeah.
Yeah.
Yeah.
So that's good research.
Like I put out in a tweet the other day,
I'm hoping the London Met will one day break into my house,
fix the dodgy window I've got in the bathroom,
change the locks for me and fix the squeaky door.
And I think that's a good model to have.
And post the new keys through the letterbox for you while you're out.
Anyway, thank you very much, folks.
That was this week's
Industry News.
The host unknown podcast
orally delivering the warm and fuzzy feeling
you get when you pee yourself.
And we're going to move straight on to this week's tweet of the week and once more for fun
tweet of the week uh the tweet is from bob mcardle uh how am i only seeing host unknown tv
now question mark do yourselves a favor and watch and there's a link to accepted the risk and a link to uh lost
all the money for a good educational laugh impressive javad most impressive
impressive at tom langford i think you'll find then at suggester and then i think he's even
spelt javad wrong he's put fours instead of A's. Only an idiot would substitute numbers for letters.
Or an 11-year-old leet hacker.
Yeah, exactly.
J4, VV.
Is it a VV or is it a W?
I don't know.
It's hard to tell.
Javad.
Anyway.
But, yeah, and I'm glad to say that the link is obviously lost all the money because
that's the video that needs all the hits because he's only got 10 000 hits god oh 12 oh right oh
well done well done bob thanks for that how many is um lost all Money got? 12,000?
No, it's got a lot more.
Lost All The Money?
Oh, Lost All The Money.
Oh, not Lost All The Money.
Yeah, Accepted The Risk.
How many has Accepted The Risk got?
Let's have a quick look.
You mean you don't know?
69,000.
Whoa.
I hope it stays at that number.
Anyway, yes, so thank so thank you Mr McArdle
And shame on you
Is all I can say
I know you're a friend of the show
And you're an avid listener
So shame on you
For missing out on Host Unknown
For the last what
Seven years
No eight nine years.
Oh, my goodness.
It's quite a long time, isn't it?
So, anyway, thank you.
It's late of the week.
He probably stopped following us when Steve Lord left the group,
Mina, so.
I remember pitching, filming at 44Con for the entire two days.
We were going to be a part of the CTF, weren't we?
Do you remember that?
Oh, yeah, but then it got a bit too technical for everyone, right?
It just got very, very...
It seemed like too much hard work.
I know.
So we ended up with 44 facts about 44 kind of which.
No, no.
This is the year after.
Oh, yeah.
Oh.
Oh.
Yeah.
Yeah.
That's right.
Yes, indeed.
Right.
So, uh, chums, chums, chums.
We come to the part of the show that we like to call...
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
So the Sticky Pickle of the Week falls on my shoulders to do justice to
because I'm the only one that can.
shoulders to do justice to because I'm the only one that can. Your company is looking to promote an upcoming women in security webinar and you're looking to maximize engagement on your social
media channels. So you come up with a survey question, ask a question, give it some multiple
choice answers and you know you believe it will solicit engagement and uh you know
keep responses on topic so the question this company chose what according to you are the most
common challenges faced by women in the cyber security domain yeah i think I know the answer to this because I think it's definitely bad, bad questions and surveys.
Well, let's let's read the question first. Yeah. Yes.
Interesting. OK, so the the what is the most common challenges faced by women in industry today?
Is it option A? Only men can do this job.
option A, only men can do this job? Is it option B, women can't handle the job? Or is it C,
women aren't encouraged enough? It's a man's job. You've got to be honest. It's a man's job,
right? Is it option A? Is that where we should be going? Do you know what? It's very true. It's very true because I use my penis almost exclusively when it comes to handling cybersecurity incidents.
I'm a bit disappointed you're assuming my gender with the work I do.
I think women could handle the job if they were out of the kitchen more.
Yeah, and had a penis.
Yeah, exactly, exactly.
So there you have it.
But no, this is actually...
This is dreadful.
This is by the EC Council.
What?
Providers of such fine certifications, such as ethical hacker and...
And how to ask a good survey question in three steps.
Exactly. Yeah. You know, it's not only was this asked in such a horrible way.
Some some people started complaining on Twitter to them and they started blocking them, especially the women.
So they started blocking all the voices that were,
because that makes the problem go away, doesn't it?
Yeah, not the, oh, the EC Council started blocking them.
Yeah, the EC Council started.
Oh, for God's sake, that's ridiculous.
Yeah, yeah.
And then, you know, then there was like,
I think there's a link in the show notes to an cybersecurity story by Eleanor Dalloway, in which she spent the weekend.
And you can almost feel the passion coming through the keyboard onto the words on the page, where she was desperately trying to get them to say, what's this all about?
What's happened? You you know what have you and uh you know that the ec
council gave a weasel worded uh statement we apologize for the wording and you know the
offense uh we've been working it was you know and then they they said it was like an over eager
member of the team that posted it.
And it's sorry, not sorry.
Yeah.
The intern.
Exactly.
Exactly.
And then it went on for a bit and then someone else came out and they said, well, we cannot
be sexist because all of our marketing team are females.
And this survey was come up by a bunch of females.
So therefore, it's impossible for
it to be sexist uh and then funnily enough someone on twitter actually uh they posted a picture of
from linkedin of all the profiles of people in their marketing team and they're all men so
seriously sometimes you just got to stop digging haven't you it's like you just got to hold your
hand up and be like okay i mean i mean there's you know if you feel that you're trying to do
something for the right reasons in the right way and all that sort of thing that's that's
absolutely fine and you can you can justify your your intentions and where you're trying to go but To blankly say, sorry, not sorry, it's you, not us.
I think, well, it's as bad as saying that you weren't breached
when you were breached and then saying, well,
you might have copied your own data up there, you know,
as a certain Indian fintech did, which we covered a few weeks back.
You know, ridiculous.
I can't be sexist.
Some of my best friends are women.
Yeah, exactly.
I can't be sexist.
My wife's a woman.
Forget that.
Awful.
My mother's a woman.
Yeah.
Top that.
Exactly.
And her mother was also a woman too.
Got a long history of women in my family.
I mean, come on, EC Council, really, really.
Well, it's also a thing of, or an element of crisis management as well, isn't it?
And how important crisis communications are.
Yeah, yeah. as well isn't it and how important crisis communications are yeah yeah i mean i think
when you when you go through the story and and as eleno rightfully teases out it just shows that
there's there's an underlying culture of fear and misogyny and and and what have you so that if
someone did do that say for example someone in the marketing team did put that out then instead of you know
backing it out they started blocking people that were complaining about it so that maybe their boss
doesn't see it or whoever it's it just shows a really horrible culture and it does and and the
thing is those are pretty terrible questions that you know or options i should say they're pretty
awful but you can understand okay
they're trying to you know maybe move the dial in the right direction all that sort of thing and
then when somebody says actually those are really bad questions no they're not blocked no they're
not blocked it's ridiculous that's that's not how you engage in um in moving the dial on these
important social issues that people face.
No, no.
What I am interested in is that with the screenshot,
over 500 people had voted by the time the screenshot was taken.
So I'd be interested in knowing what the responses were.
Yeah.
Yeah, shame there wasn't an option D.
Yeah. Yeah. Yeah. Shane, there was an option D.
See, I personally just fundamentally don't like these these panels which are set up in this way where it's a bunch of women and they talk about how they can encourage women to get into security.
I fundamentally think that's the female that's really good, that really knows her stuff and give her the keynote.
Why don't you do that?
Because then she'll be a female up there who's talking about security, demonstrating she knows her stuff.
and that acts far more as a far more stronger role model for other females looking to break into security than i think having a bunch of uh women just on a on a on a panel saying well why
aren't there more of us in the industry you know it's it's not productive and not only will she be
a female up on stage she'll be a woman up on stage as well yes it always reminds me of uh if you ever
watch star trek the way the ferengi speak about females
but whenever jeff uses the phrase female that's what it always reminds me
i'm i'll never look at a ferengi again in the same way oh you assholes oh dear excellent that was sorry to the female langford listening to this podcast
the female oh dear me mum i'm sorry i'm sorry about my uh appalling colleagues um don't complain
to jav because he'll just block you and tell you you're wrong. Well, tell you you're wrong, then block you.
Oh, my God.
Anyway, thank you, Jav, for this week's...
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
So thank you all for listening this week.
We've run our course.
We have built a, or sorry, dug a hole for Jav to fall into.
And yes, thank you very much.
Thank you, Jav, for a lovely week.
Jav's not.
Andy, thank you very much
stay secure my friends
stay secure
you've been listening to
the host unknown podcast
if you enjoyed what you heard
comment and subscribe
if you hated it
please leave your best insults
on our reddit channel
worst episode ever
r slash smashing security
Jan's gone very quiet I was going to say The worst episode ever. R slash Smashing Security.
Jav's gone very quiet.
I was going to say, I always love taking the piss out of people that, you know,
where English isn't their first language.
It makes me feel superior.
I wonder if he's a councillor hiring.
Yeah, we should get Jav to apply, innit?
You're so glad that Crisp is filtering out all the sounds I'm making on this.
Foreign language swear words, right?
Yeah.
I'm fasting. I shall not resort to swearing.
Wait a few weeks, then he'll come back to us.