The Host Unknown Podcast - Episode 57 - The Deleted Show Notes Episode
Episode Date: May 28, 2021

This Week in InfoSec

20th May 1993: Neil Woods (24) and Karl Strickland (22) became the first people imprisoned under the UK's 1990 Computer Misuse Act.
Hackers given six months for 'intellectual joyriding': Judge says jail sentences inevitable to deter others 'similarly tempted'
https://twitter.com/todayininfosec/status/1395711166580731908

22nd May 1991: Michael John Lauffenburger's logic bomb was set to detonate on a system at General Dynamics. He'd implemented it 2 months prior. Lauffenburger later pleaded guilty to a misdemeanor charge of computer tampering.
Hacker Pleads Guilty in 'Logic Bomb' Scheme : Crime: Ex-General Dynamics programmer tried to sabotage computers so the company would have to pay him to fix the problem.
https://twitter.com/todayininfosec/status/1396858379285549059

Rant of the Week

Citizen is an app where users report "incidents" in their neighborhoods and, based on those reports and police scanner transcriptions, the app sends "real-time safety alerts" to users about crime and other incidents happening near where a user is located. It is essentially a mapping app that allows users to both report and learn about crime (or what users of the app perceive to be crime) in their neighborhood.
CITIZEN CEO OFFERED TO PERSONALLY FUND LA ARSON MANHUNT - FOR THE WRONG PERSON
More on Citizen Shithousery:
Leaked Emails Show Crime App Citizen Is Testing On-Demand Security Force
Citizen data scraped and dumped on dark web

Billy Big Balls of the Week

Nigerian cyber criminals target Texas unemployment system
Cyber criminals use Gmail feature to register the same email address multiple times

Industry News

Telemarketing Fraudster Jailed for 10 Years
Ransomware Gang Gifts Decryption Tool to HSE
Air India: Supplier Breach Hit 4.5 Million Passengers
Amex Fined After Sending Over Four Million Spam Emails
FBI Employee Indicted Over Illegal Document Removal
Europe's Top Human Rights Court Rules UK Mass Surveillance Illegal
Influencers Offered Money to Vilify Vaccine
Data Breach at Canada Post
Chinese Phishing Attack Targets High-Profile Uyghurs

Tweet of the Week

Students Stuff the Context Box
https://twitter.com/todayininfosec/status/1395843517189132300

Come on! Like and bloody well subscribe!
Transcript
Well, I was... I was on last week's... this week's episode last week, this way. Were you? Yes, I was.
Ah, excellent. Yeah, so what stories did you cover? I didn't really cover...
I didn't cover any stories. I was the sponsored guest.
Ah, I see, I see. Yes, um, so, I mean, how much is sponsorship? Because, you know, I've been on there quite a few times
and all it's cost me so far is four quid a month as a patron.
Yeah.
Well, this cost me the same.
It cost me four quid a month as a patron if you backdate it for about 10 years.
So what you're saying is you too can be a guest on Smashing Security,
but only if you pay a lot of money.
Well, I'm sure they, you know, money isn't the only thing that drives them.
They clearly, like, get lots of offers for money and they say,
no, no, they turned it down.
And when it came to me, they said yes.
So I think the short answer you just meant there was yes.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
Welcome to episode 57 of the Host Unknown podcast.
Welcome one and all.
And Jav, welcome from your illustrious sponsor tour of Smashing Security.
Thank you. Thank you.
Not only that, I'm still like bopping my head to the Zoom song all this week.
I have been, as have many others.
What's the Zoom song?
The Zoom song is, well, I have a group called Host Unknown,
which I'm the sole founder.
Oh, that song.
Sorry, is that what it's called, the Zoom song?
I just thought it was, you know.
What do you think it was?
I'm on Zoom all day?
Yeah, something like that.
I don't know.
Tom Langford sings.
You've been bopping to the Zoom song then?
Yes, I have indeed.
I have indeed.
As have many hundreds and hundreds of other people all around the world.
Many hundreds.
Yes.
Yeah, I think, folks, we need those numbers slightly higher.
Do you know what the big problem was?
You sent it around on WhatsApp before actually,
like the actual whole video rather than the link to the YouTube channel.
So, yeah, we don't count views for that.
Yeah.
Do you know what?
I have had a whole bunch of messages about my backside in that.
Really?
I didn't even notice it.
They've slipped into my DMs I tell you what
oh my god
you show a bit of skin
and people take it as an excuse
to just
it wasn't
no no no
do you feel objectified?
is that what you're saying?
it's wonderful
but
it's not a bit of skin
it's a bit of lycra actually
in my cycling shorts
since when do you cycle?
I'm a mammal I'll have you know.
A mammal?
A middle-aged man in Lycra.
I cycle.
I've got my bikes in the hallway.
I'm looking at it right now.
And I have another bike on order for the last 18 months.
If I turn around, I can see an entire gym.
There's a squat rack, everything, you know.
No, no, you're mistaking your gym for a laundry.
You see all that fabric hanging on it?
That's your clothes drying.
Oh, dear.
So basically, all you've been doing this week at Jav
is listening to our track.
Yeah, refreshing it, going through different proxies.
Yeah, trying to get those numbers up.
Andy, how are you? What about you?
Good, not too bad.
I'm still perplexed by your decision to go to DEF CON this year.
Really? Why?
I'm vaxxed and I'm waxed.
I'm ready for it.
I'm ready for Vegas.
Yeah, but is Vegas ready for you, Tom?
No, but in terms of just the rules about...
Obviously, you've got a lot of people out there
that don't believe in masks and vaccines.
And I'm just generalising an entire country here.
I do realise that.
But just the thought of having to quarantine should the slightest thing change.
Ten days in a hotel at the company's expense.
Oh, sounds blissful.
I don't know.
I've seen you're allowed to exercise in the car park.
I've seen you're allowed out to walk in circles in a car park.
You know the vaccines don't protect you against syphilis?
Just throwing it out there.
Actually, one of my colleagues, she was saying her friend is going to Mexico this week for a holiday,
and they have to get tested before they're allowed to leave for the airport.
And if they test positive, the hotel offers them two weeks free stay in their room.
What? Seriously?
Yeah, yeah. But they're only stuck in the room.
And my thought is, well, you form a positive club where anyone that's tested positive,
you put them all in rooms next to each other and they all have a big party.
There's one downside to that.
Okay.
Which, possible death.
Well, didn't this happen in Australia?
Like, you know, Australia had the quarantine hotels
and all the security guards were sort of in on it as well.
And there was sort of... it was like just a massive orgy that was going on, uh, with this particular company. But then obviously
the security guards were then leaving at the end of their shift, uh, having mixed with, uh, COVID-positive people.
Oh my God. So a literal orgy?
Yeah, yeah, it was huge. It's like a big set. Did you not see this in Australia?
I did not see this.
I'm going to have to find the link now.
Australia's only had like 20 cases in the whole year or something, haven't they?
Well, they just contain it really well.
That's because it's such a big fecking country and there's hardly anybody living there. They take them out into the bush and leave them there.
So you walk back, it'll take you 10 days.
They're all about, you know, at least 20 meters
away from each other at the best of times, as opposed to, like, the UK where you're living
literally on top of each other, it seems. Yeah, okay, so this is from July 2020. Uh, this is
"Hotel sex scandal linked to Australia coronavirus outbreak". Are we talking about Australia or DEF CON? Well, this is what I mean.
This is what's going to happen to you guys, like in... uh, I mean, I'm all for travelling,
like, I love it, but this is so... So I may be subjected to an orgy.
I'm sorry, I'm still not seeing the downside. Yeah, I know exactly how you're putting him off, Andy.
All right, stuck it in the show notes.
Okay, show notes.
Yeah, so folks, if you fancy an orgy and possible death three to six months later, then follow the show notes.
So what have we got coming up for you today?
Well, as usual, our favourite spot this week in InfoSec
takes us back to a time of
legislative history. This sounds very complicated, Andy. Rant of the week, we'll show you what
happens when the Nextdoor app takes steroids. Billy Big Balls this week sees remote working
scammers get efficient at scamming. Well, I was going to say even more efficient, really.
But industry news brings us the latest and greatest
news from around the globe.
Tweet of the week is a throwback, no less,
to the time students did some actual studenting
and gamed the system to stick it to the man.
I don't think I ever did studenting.
I just sort of occasionally turned up really
I did many students in my time. Yeah, yeah, exactly. Um, so, and funnily enough, early this week I did
see a dwarf climbing down a prison wall, and I thought to myself, well, that's a... that was a little
condescending. Um, and that's all we have to say on the topic of the little people this week. So, yes, um, I guess we should move on, uh,
Andy, to this week's This Week in InfoSec.
Love that jingle. Uh, so this is the part of the show where we take a stroll down InfoSec memory
lane to have a look at notable events of yesteryear. Uh, so this week I'm going to depart
from the normal of reminding people how old they are, uh, because I think, you know, there's a fine
balance between nostalgia and feeling old, uh, and I'm still really... Have you also, have you also
misplaced your calculator?
Yes, and so I'm really struggling, right? I don't have enough crayons to draw this out. Uh, no, but
I am still reeling from a comment I saw on TikTok, which I think I told you the other week, um, where
this girl referred to Linkin Park's "In the End" as classic dad rock. Yeah. And that really hurt. Like, that was... I was like, wow. Honestly, everybody
hurts from comments like that, just like REM. The bottom line is, are you a dad? Yes.
Is it rock music? Yes. Are you over 40? Yes. No. Classic. Yes, you are. No, I'm not.
Right, edit this.
Stop the show.
Just because you've come to accepting your old age doesn't mean everyone...
I am not in my 40s.
You know that.
I'm not in my 40s.
No, you're not.
You're not even in your 50s anymore.
I know, like, sidebar.
Remember, I think you saw it this week, like, how dad are you?
it's like a quiz
yes
it's like
so scary
so would you say things like
yes it's free then
yeah
you know when a cashier
can't scan an item
yeah
or if you pick up
a stud finder
and you're holding it
at your chest
and you say
oh found it
yeah
yeah
or like you see
a neighbour washing their car, you say, oh, can I bring mine round?
"Should be just resting my eyes," like after falling asleep on the sofa. Yes.
No, no, your other right, when a kid mistakes their left for their right. I said that just the other day to someone
who was showing me something on a screen share.
And I was like, no, no, on the right.
No, your other right.
Guess they'll let anyone in here
when you see a friend in public.
God, I remember doing that to an old boss.
Oh, dear.
We need to put that in the show notes as well. That was hilarious. Yeah.
Yeah, but anyway, yeah, so that whole nostalgic stuff, you know, just, uh, I guess, yeah, moving
towards that acceptance. Um, so what story do we have this year? So the first, uh, story we have is
from 28 years ago. Uh, all this stalling was me just working out the timing, obviously.
You found the crayons.
Yeah.
The 20th of May, 1993,
Neil Woods and Karl Strickland became the first people imprisoned
under the UK's 1990 Computer Misuse Act.
So, you know, this is an act that's been around,
you know, for, well, since around 1990, I guess. Uh, but, you know, these two, uh, hackers,
they're given six months' prison sentences, first to be jailed under this legislation.
Um, they both pleaded guilty, I think, you know, which led to a, you know, lighter sentence. So
Paul Bedworth was a third person who was regularly
in communication with these guys, who was also arrested at the same time, um, but he had pleaded
not guilty and claimed that he had become addicted to hacking, uh, which is a, you know, very
modern-day famous excuse, I think. Cliff, um, who's that sort of PR specialist, um, you know, News of the World
went-to guy? Oh, yeah, yeah, whatever. The, um, the shamed one. Yeah, but he, like, the classic excuse
is always "I'm seeking help for my addiction", you know, like Harvey Weinstein. Yes, seeking help for
my... It's just classic, like footballers that get caught drink driving. "I'm seeking help for
my addiction," you know, all of that thing. So all three of these people were trapped by, and I'm, you know, paraphrasing
the article from back in the time, were trapped by sophisticated police and British Telecom telephone
tracking in several countries. Um, so prior to the Computer Misuse Act in 1990, those who gained access to other people's computer networks had to be prosecuted for causing damage or stealing information.
Now, the judge in this case accepted that these guys had not intended to cause damage... conspiracy to obtain telegraphic services dishonestly and engaging in the unauthorized publication of computer information.
Now, essentially what they did was they swapped people's user IDs and authorization codes, which enabled them to dial into systems belonging to companies, education establishments, BT and NASA.
And all evidence, which they also kept on a floppy disk at the time.
So I think we spoke about just recently how in the old day
you had to dial into companies via the phone.
And that's where they're getting you.
You're then dialing into that and then using their phone lines
to dial elsewhere.
Therefore, you're running up a bill with those people.
And that's basically using services dishonestly, uh, you know, using other people's usernames and passwords, stuff like that. Um, but what I love about these sort of groundbreaking
cases is that, you know, someone has to be responsible for that, um, you know, that sort
of Neil Armstrong moment, uh, you know, where you have to think about what you say.
Your words are going to be echoed for eternity.
And I'm sure that at the time, Judge Michael Harris did not think
that 28 years after this judgment, I'd be quoting him on this show.
But fortunately, he did come up with something cool.
And he said, like when sentencing the two graduates at Southwark Crown Court, Judge Michael Harris said,
I have to mark your conduct with prison sentences, both to penalise you for what you have done and for the losses caused and to deter others who might be similarly tempted.
If your passion had been cars rather than computers, we would have called your conduct
delinquent, and I don't shrink from the analogy of describing what you were doing as intellectual
joyriding. I think that's beautiful. That is... it's so good. And that is really what, you know, in
the current, or in that legal parlance, is what hacking is. I know there's this whole thing about hacking is not illegal,
blah, blah, blah.
But in this kind of criminal legal sense, that is exactly what it is.
You're taking someone else's computer for a spin.
Yeah.
Yeah.
So, I mean, almost 30 years ago, you know, this non-technical judge,
or I say non-technical, we don't know, but, you know,
he managed to sum it up nicely into that.
That's a great quote to live today.
They're updating the Computer Misuse Act now, aren't they?
They've been talking about updating it for years.
I was talking to somebody last night, and they're on part of the group
or part of the sort of public group or interested stakeholders or whatever that's part of it.
I haven't heard, you know, I don't know any other details on the fact that they said that they're working on it
and it's going to be updated.
Oh, man, this is classic Tom, isn't it?
So, Tom, what do you do in your spare time?
I make Legos.
I'm on the ISC Squared local chapter.
And I have friends who discuss the computer misuse with me.
No,
no,
it was the,
it was actually the second one that I had this discussion with.
So you could just scratch that.
Your Lego buddies.
Yeah.
Next week,
Tom talks records management.
Do you know,
I just,
I did get a new turntable for my birthday,
so I'm busily investing in vinyl.
Wow.
It's the future.
It's the future.
You've got to jump on this bandwagon before.
Yeah, I'm investing in vinyl for my gramophone.
So speaking of jumping on bandwagons,
how's your cum rocket going, Andy?
To the moon. No, it's not.
Well, it took a little bit of, I think we're seeing a dead cat bounce,
if I believe is the correct investor terminology.
But yeah, as with all the other crypto stuff, it did tank.
Is it dying on its ass?
No, no, it's still got life in it.
It's just, it's a slow burner, is what I would say.
Right, so a dead cat bouncing is a slow burner.
Just to mix our metaphors there.
In a slightly unpleasant way, actually.
You know, last week, Andy, you spoke about the guy who bought pizza with Bitcoin. Yeah. And we're going down a bit of a
rabbit hole, but I was intrigued by that story, so I was like, has anyone else done something similar?
And I found out one of Dogecoin's creators, a guy called Billy Markus, uh, he worked at IBM when he created it as a joke. And he got laid off in 2015.
And so he spent all of his Dogecoin. He just sold it all. And he got about 10 grand for it. And he
bought a used Honda Civic. And he's not part of the Dogecoin project at all anymore, and he doesn't own any of it.
But with the recent peak, the Dogecoin market cap went up to about $80 billion.
And just to put it in context, Honda's market cap is around $55 billion.
So he didn't make anything. And, uh, well, I mean, he said, did he take investment
advice from me? Probably. Well, you know what, this reminded me of something I've read
about the gold rush back in the 1850s or something, in that the miners... there was a few that made big money because they found
massive nuggets of gold or whatever, but ultimately it was the merchants that made more money than the
miners. And there was a guy called Samuel Brannan, and in 1847 he owned the only store between San Francisco and the gold fields, and in a stroke of marketing
genius, he first bought up all the picks and shovels and pans and all the other digging
equipment he could find, and then he went up and down the streets of San Francisco shouting, "Gold!
Gold on the American River!" And so he paid only something
like 10, 20 cents each for the pans and he sold them for 15 each. And in, like, a couple of
months he made something like 30 or 40 grand, which back in 1847 is a huge amount.
A lot of money.
A lot of money.
And apparently.
So just for that in context, I just dropped 100 quid into Ethereum.
You know, so there's gold in them there, Ethereum hills.
And if you've just joined us, this is the Host Unknown, you know,
cyber Bitcoin stroke investment advice hotline. You should actually
leave all this stuff in rather than cut it out. Let's just... You think I'm gonna cut this out?
The moral of the story is don't buy Bitcoins. Set up your own exchange and take a commission
off everyone else buying Bitcoins or whatever cryptocurrency. There's lots of people doing that at the moment.
There's lots of...
What's the group? Some group actually
disappeared with like $32 million this
week. Duran Duran.
No, they won't call Duran Duran.
No, they actually left
a... You know, they updated their website to say,
see you later. We're gone.
I'll dig that out.
They updated their website.
Yeah, I'll have to dig that out.
Yeah, they let people know that they've just been screwed over.
Damn.
But I think we should start up our own coin, Coin Unknown.
Coin Unknown.
Coin Unknown.
I see it.
Oh, dear.
Have you got another story for us, Andy?
I do, right, yeah.
You've got literally about 60 seconds, though.
Yeah.
No, okay.
So, second story, from 30 years ago, on around the 22nd of May 1991,
Michael John Lauffenburger's logic bomb was set to detonate on a system
at General Dynamics.
He had implemented it in the two months prior,
and he later pleaded guilty to a misdemeanor
charge of computer tampering. So this is a story of a former General Dynamics computer programmer.
He planted a destructive, in air quotes, logic bomb in one of the San Diego defense contractor's
mainframe computers, and he had done it on the weekend. It was set to activate 6 p.m. on May
the 24th, which was Memorial Day weekend in the US at the time, uh, when no one was going to be around.
He then resigned and hoped, you know, with the hope that, uh, the company would rehire him
as a highly paid consultant to fix it once they, uh, discovered the damage. Um, and the
reason I like this story is because when I was first getting into InfoSec, I thought that logic
bombs were going to be a bigger issue than they were, or than they are, because, you know, it's
something in all the old textbooks. Um, you know, and I think it's, like, around about 1999, I was the
security guy for a company, and, um, you know, what happened, this
guy, you know, he basically got sacked, uh, he went down the road, got into a pay phone, called the
switchboard and said that he'd put a logic bomb... although he didn't say it was him, he said he was
calling from the Kosovan mafia and he'd put a logic bomb in the mainframe. And so I got called
in by the, uh, the CTO at the time
and saying, like, you know, well, yeah, is this a credible threat or so? And I was thinking, well,
no, it's like so-and-so has just walked out, he's gone down the road, it's a payphone. Right now we've
got the number, we know it's a payphone, it's down the road, it's obviously this guy. Um, and also I
knew nothing about mainframes, so what the hell was I gonna look for? More importantly, yeah. So it was, uh, yeah, I mean, it was a funny, uh, story. But I mean, logic bombs,
I'm sure they are around, I just can't think of any great use case, so, you know, where this has
actually come to fruition in recent times where it's been a massive problem. Did the judge in the case describe his crime as intellectual joyriding?
He didn't.
No, it wasn't that clever.
I'm trying to think what he said.
Oh, he did use a quote, though.
I'm going to have to go and find that quote now.
Oh, no worries.
Yeah, no, but it'll be.
Oh, so the, oh, no, it wasn't a judge.
Federal prosecutors called the incident a new wave type of crime.
A new wave, and shortly followed by the new wave of music at the time.
Yeah.
Of Depeche Mode, Duran Duran, et cetera.
Yeah, so I guess it was one of those things which,
he used language that was fitting for the time,
whereas I think the judge in the previous story had used language
that is still valid today. It's still, yeah, stands the test of time. Absolutely brilliant.
Thank you very much, Andy, uh, for this week's This Week in InfoSec.
Sketchy presenters, weak analysis of content and consistently average delivery. Like and subscribe now. So, uh, I know this isn't This Week in InfoSec, but it's, uh, something historical that I'm sure
both of you will be able to... it's from history, from our childhoods, I should say, well, mine
and Andy's childhood and Tom's teenage years.
Do you remember Rod, Jane and Freddie?
Yes.
And Bungle.
Barely.
George, Zippy and Bungle. Bungle, Zippy, George.
Yes, yes, yes.
For our international listeners, it was a kid's show called Rainbow.
Rainbow, yes.
Unfortunately, today, Freddie has passed away at the ripe age of 71.
And five years ago, he actually married Jane.
What?
I always knew there was something between those two.
What?
Five years ago. I wonder if he spent all this time in unrequited love but spent the last five years
just, you know... Well, whatever. But I can't believe Freddie is... Hang on, which one was Freddie
again? Freddie was the darker hair, the curly... There was a blonde guy, he was... Oh, no, I was thinking of
Geoffrey. No, no, Geoffrey. Yeah, okay. Oh, that. Freddie. Geoffrey was the pink hippo.
No, Geoffrey was the main anchor on the show.
Yeah.
Oh, that's right.
And Roger and Freddie were like the...
Side act.
They were like...
Japan's people of Rainbow.
Yeah, yeah.
The pink...
The pink...
Whatever it was, was George.
George.
Yeah, George, Zippy and Bungle, they were the three puppets.
There was Geoffrey, who was the main host with them.
Yeah.
And then Rod, Jane and Freddie were the singing, dancing,
entertaining band that used to come.
I'm glad we've got a children's shows of the 70s expert on today.
1980, they, uh, their first episode. Rod, Jane and Freddie, their actual episode, separate from Rainbow.
Oh, right. Oh, they had a separate show? Yeah. I... a friend of mine at school, he set up a, um, a band, uh, and they were called Rod, Jane and Freddie.
That's awesome. I mean, the good thing is that none of these, uh, presenters... and I see a picture of...
just done a search to see a picture with Timmy Mallett as well. And the good thing is none of
these presenters have come out as, um, you know, Operation Yewtree or any of the stuff that goes on.
Not paedophiles is what you're saying.
Yeah, exactly.
So, yeah, may they rest in peace.
Absolutely.
Absolutely.
Right, on that note.
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
Is it me or am I getting a lot of rants at the moment?
I don't know.
Who knows?
And this one isn't even about Apple,
although Apple will be mentioned, of course.
So I think I said in the intro,
this is the Nextdoor app on steroids.
So Nextdoor app, and if you listen to one of our,
it was a supplemental episode,
something like 50A or something like that.
We talked about the Nextdoor app, which brings together your local community
so you can start asking questions, find out whose dog was pooping on your lawn
and find out if there are different facilities around
and if other people are suffering from spam and who's wearing PPE and not PPE and all that sort of thing.
It's a very gossipy thing.
It's great fun, et cetera.
Link in the show notes to the other episode, of course.
But the U.S. has its equivalent.
And as you might imagine, the U.S. has got the same kind of thing
but has gone a bit more bigly on it.
And it's called Citizen.
Now, this was an app that was on the App Store
and was removed in 2017 because Apple decided,
or not decided, Apple stated that it would encourage people
to directly address crime and put themselves into dangerous situations.
And just to, you know, you might think, well, that's ridiculous.
You know, that's, you know, that's a bit overreaching on behalf of Apple.
Well, just to set the scene a little, the app at that point was called Vigilante.
I don't joke about that. So
this app, when you... Vigilante, did it go "America"? Yeah, and every time you reported a crime an eagle would
fly across the screen, you know. It was, um, the way up to unlock the Charles Bronson icon.
And all the adverts were vouchers for the local gun store, right?
Three boxes of ammo with every...
Are your two shotguns not quite enough?
You need another two.
So we sell depleted uranium ammunition for your complete home defense. Uh, so, so, yeah, it's...
it's an app that allows, uh, communities to keep an eye on crime. It scrapes, uh, data from,
uh, police records, etc., etc. It's a little bit scary.
And apologies in advance to our American friends of the show here,
but it's also a little bit American as well in a very stereotypical way.
Now, it's back on the App Store. It's called Citizen, which, again, just now reminds me of Starship Troopers.
But it's called Citizen, and it's essentially a mapping app
that allows users to both report and learn about crime
or what users of the app perceive to be crime in their neighborhood.
So not necessarily a bad thing.
People upload videos of crimes as they're happening,
which, as we've seen in many cases, can be very useful,
certainly if it involves police officers as well.
But as you can imagine, with anything like this in the hands of the general public,
and I'm not stating in this case, the American general public, just generally,
it actually prompts some very poor behavior relating back to its original name of Vigilante, with people actually trying to identify who they perceive to be the criminals
and actually pointing fingers at innocent people, all that sort of thing.
And, you know, lots of pitchforks being raised.
Now, any sensible developer of an application like this would be very clear about, you know, this is not acceptable.
This is this is, you know, for to allow us to make certain decisions in our lives, not to allow us to go out and pitchforks, etc.
Well, no, the citizen CEO offered to personally fund an L.A. arson manhunt.
So L.A. suffered a big set of fires. It was an arson,
you know, and LA and California have seen a lot of fires. So these are big deals, right?
And he said, I will offer money to any user of this app who can identify who the arsonist is. He originally offered $10,000.
It then went up to $30,000. And it didn't take long before the citizen apps or the citizens of the citizen app had identified the individual who was arrested and, as it turned out, was the wrong person, funnily enough.
So, yeah, this is just scary shit.
And it gets even better.
a complete spree of leaked emails that show that the company is testing an on-demand security force.
So you can call in your own private cops, which obviously in the US can be armed,
to anything that you perceive to be a crime happening in your area.
And presumably if you pay a certain fee, you will get access to faster response times or response times at all and all that sort of thing.
And this could be used really,
well, this is the privatisation of swatting, let's face it.
You can get a private, untrained and unregulated security force
armed to the teeth, sent to somebody's house
who you suspect their dog is pooping on your grass
and telling them that you're hearing gunshots
and whatever from there.
I mean, it just, you know, real citizen shithousery,
I think is the phrase.
Also, the citizen data has been scraped and dumped onto the dark web.
Now, this is data that technically is available through the app. But two things are of concern
here. One, the fact that it can be scraped in the first place shows that the application,
the platform it uses is not secure. But, um, by having it dumped, uh, on the dark
web en masse allows for a lot more correlation and manipulation of that data to be carried out,
and synthesis of that data, um, you know, by journalists, by, you know, criminals as well, by
anybody, you know. And so you can actually make certain... you can
probably identify people, you can identify who actually reported a certain crime. So if you're
a criminal wanting to find out who snitched on your gang boss, you may be able to find it out on this. So overall, this is just horrible, horrible, horrible.
And it just, all I can see in our future is the omnicore of Robocop.
And, you know, I'm telling you, we're just a short skip and a jump away
from having Ed 109s on the street.
Ed 209.
209, sorry.
109 was the one that kept on going wrong.
Ed 209s on the streets, you know.
So, yeah, it's a little bit concerning.
It's just amazing.
Like, can you imagine?
Like, you see the vitriol that comes up on these,
like just these sort of apps where you've got neighbourhoods
and everyone sort of, you know.
Just on Nextdoor, right?
Yeah, that mob mentality. I said in my days... there's a local car park around here that, um, you know, that charges.
They've been charging since last year, but people are still now just posting saying, oh, I've just
discovered, you know, I've just received a parking ticket. It's like, you know, you don't know what
you're letting yourself in for in this conversation, because there's a lot of people that have time to
spend on that app and respond to everything. But you imagine if you can actually send someone
with guns to, you know, sort of represent you in person to get your views across, it's a completely
different kettle of fish. Yeah, yeah. Awful, absolutely awful. And it's so scary. And the problem we have, one of the
problems we have today, and you see this on YouTube and TikTok and all these other platforms,
that there's so many people out there trying to get clout just by, uh, recording certain things, and
they only record, uh... so they won't record a certain part of it, and then they
record someone retaliating and say, look at this person going crazy, or the classic "it's just a
prank, bro", that kind of thing. Oh, so, so anything with "bro" at the end. Yeah, yeah, anything with "bro".
Um, but I think that's one of the problems, is people are just so easily agitated and they react. And, you know, who hasn't
lost their temper at some point or another? But the point is that someone can record it and say,
look at this guy, they're road raging, and I'm in fear of my life, as a Karen would say.
And, uh, it just gets really messy. I can't see anything good coming out of this. No, no, not at all, not at all. It's frankly very, very scary,
to say the least. Uh, I just... and I hate to go on, you know, about America, but it does concern
me how the privatisation of things like this is seen as a good thing. There was a bunch of tweets this week that I saw about the health care system,
which is concerning in and of itself.
But a tweet about somebody saying,
my son was on a motorbike and was killed in a car crash.
He was kept alive.
I was asked if they could harvest his organs, which I said yes.
So they harvested his organs. And obviously he was dead at that point, but they kept him going to harvest the organs. And three days later, I was sent a bill for seventy thousand dollars.
Whoa.
Oh, that's, yeah, cold. Cold.
You know, and that frankly is cheap, because the person died. Do you know what I mean? It's just, oh, I just find it, you know, the push to privatise everything is scary, really, really scary.
And I think it's part of that fear of socialism, in inverted commas, and all that sort of stuff. But, you know, hey, come send us an email, talk to us about this stuff. If you are one of our friends of the show out in the US, is it a good thing, is it a bad thing?
You know, we're sitting here in somewhat of an ivory tower, well, that's a little bit tarnished at the moment under Boris, but in an ivory tower, just sort of observing about America, a country that I really like and I really enjoy visiting, and I'm looking forward to visiting Vegas and New Orleans in August.
But yeah, I just sometimes find these kinds of stories really quite concerning.
Yeah, and I think you made the perfect analogy to RoboCop, the original movie in '88 or whatever, whenever it came out. I think people should just go watch it if they haven't seen it. It's a classic movie. It's absolutely brilliant.
But you remember the CEO of OmniCorp, Dick Jones?
Yes.
And he starts off, in the beginning, he goes, like, you know, he talks about how they've gambled in markets that are usually regarded as non-profit: hospitals, prisons, space exploration. I say good business is where you find it. And I think that just sums up the whole American mentality so well.
And then they're like, oh, we've got a contract to run law enforcement,
but, you know, we need something that's better than your local officer,
and I present to you, Ed 209.
Yeah, which then guns somebody down in the boardroom,
and, of course, it's not a problem.
No, no, they just, I'm very, very disappointed.
That's right. Yeah, yeah, it's scary. Although my son and I have an argument about the new RoboCop film.
So I really like it, and he says I'm an idiot.
Yes, you are an idiot. I'm siding with your son.
Yeah, I really like that film. I think Michael Keaton is brilliant in it
for a start. And Joel Kinnaman,
he's a great Robocop.
It's just not Robocop the movie.
The original Robocop is just the
best.
I'd buy that for a dollar.
Exactly. Just like the original
Predator is the best out of all the Predator movies.
They're remaking that, aren't they?
It doesn't matter. The original is still the best. They're remaking Predator. Anyway, that was this week's
rant of the week
Oh dear. So, Jav, should we move swiftly on? I think we will, to your...
So, Nigerian cyber criminals is kind of like a phrase now, associated with the 419 scams that have been going on for as long as I can remember.
And now Nigerian cyber criminals are targeting unemployment systems in a place on earth that I like to call Texas.
So a Nigerian cyber crime gang
has allegedly attacked the Texas unemployment systems.
And there's some detailed tutorials and information that's been shared. And this security company, Agari, has been involved in some of the investigations and what have you.
You know, in the last year, year and a half, since the COVID pandemic started, fraud has cost 893 million at least in unemployment benefits. So it's big business, so you'd expect some really highly sophisticated scams going on here.
And what was really interesting is that the basic loophole that they're using to try and put in many claims and streamline the whole process is a feature in Gmail where you can put in periods, or full stops, into any part of your email, and Gmail recognizes them as the same.
So if your email is tom.langford@gmail.com, Gmail will recognize that as exactly the same as t.omlangford@gmail.com, which is exactly the same as t.o.m... You know, you can put as many dots as you want, it will recognize it all as the same email. So you can email any of those and it will all go to the same inbox.
But the systems on the, what do you call it, the Texas
benefit system, they recognize each of those emails as separate emails. So they will register
them as different accounts. So they will be sending out these notifications or processes to all these different accounts,
and it will all be funneled to the same scammer.
And anyway, they defraud Texas into, or unemployment benefits into, lots of things.
And then it's typical money laundering: offshore accounts, layering, placing, what have you, prepaid cards, loaded cash machines used to take out the money.
So this is just interesting because, A, it's a massive fraud that's going on, but, B, it's just so simple. It's like, come on. We talk about all these fancy solutions and next-gen endpoint threat detection, EDR solutions and what have you, and that's all good, no shade on Tom or his employer at all, but if we can't get these simple things fixed, then what hope do we have?
It sounded a bit of a rant, but...
No, it's just a smart move, isn't it? It's just using what you've got.
But I can't believe that Google allow that to happen.
Well, no, it's actually really useful. So when Gmail first launched, like when you had to get an invite for it, right, we used to use it for testing on a website, like registration systems, where you could actually, like Jav said, just put the full stop anywhere, either after the first letter, after the second letter, after the third letter. The system on our end would recognize them as different email addresses, but you didn't have to have multiple accounts. So just for testing sites, you'd have different logins based on different email addresses that the system would see as unique, but obviously it's the same mailbox for you. So it's just really easy.
Now, maybe things have changed, but the whole point of an email address is it's unique.
And they do show as unique to whatever system you're using. They will show as unique, but obviously to Gmail.
If you don't want to have 50 mailboxes, just start playing about with it.
And it's more than just the full stop as well.
I think you can use the plus symbol as well.
I don't know.
I can't see that this is anything but.
I mean, it may have made sense when it first came out, and the use case for something like this would never have been foreseen as being used for anything but nefarious purposes. You know what's the thing, but I just, yeah, I can't think that there's any good in this in today's world. I don't know.
So I do know that in corporate email accounts, so if you've got it through your organisation or your school or whatever, the dots don't work. It is a unique address.
Yeah, but if it's a personal Gmail, then it doesn't matter. But I don't know exactly what the thing is.
What I do really like in Gmail is you can do the plus and then an alias at the end of your email, which is super useful. So if your email is tom.langford@gmail.com, you can do tom.langford+hostunknown@gmail.com, and that will come through to tom.langford@gmail.com as well, which is superb whenever you sign up for any marketing lists or what have you. So then, yeah, you can identify where it comes from.
Yeah, yeah, you can identify if suddenly you start getting spam on, you know, tom.langford+newsletter@gmail.com,
then you know that that particular newsletter has either been sold or breached.
Yeah, exactly.
Exactly.
Interesting.
Very interesting.
That is a good Billy Big Balls, but also a bit of a rant at Google in my mind.
You know, they wouldn't let it stand in Apple.
Billy Big Balls. Billy Big Balls.
So we're rapidly burning through time here.
But what time is it, Andy?
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Telemarketing fraudster jailed for 10 years.
Industry News.
Ransomware gang gifts decryption tool to HSE.
Industry News.
Air India. Supplier
breach hits 4.5 million passengers.
Industry News.
Amex fined after sending
over 4 million spam
emails. Industry News.
FBI employee indicted
over illegal document removal.
Industry News.
Europe's top human rights court rules
UK mass surveillance illegal.
Industry news.
Influencers offered money to vilify vaccine.
Industry news.
Data breach at Canada Post.
Industry news.
Chinese phishing attacks target high-profile Uyghurs.
Industry news.
And that was this week's...
Industry News.
Huge, if true.
Who is offering money to people to diss the vaccine?
Oh, I saw this.
I saw this.
This was something on...
I think it was tracked back to some Russian gang or something.
But yeah, they're reaching out to some, in air quotes, some, what do you call it?
Influencer.
A think tank, that's what it was.
Or whatever.
But they're reaching out to different bloggers and YouTubers and everything.
And I think the main thing they're trying to say is that if people have taken the Pfizer, there's been lots of deaths as a result of the Pfizer vaccine that haven't been reported.
So, you know, a few of the influencers have forwarded emails on to journalists and what have you, but who knows how many people have taken the money and have been doing their part to spread disinformation, spreading misinformation.
Influencers are a scourge of this world.
For now, yeah.
I think we will sort of reset ourselves.
But no, they're just targeting the Pfizer vaccine.
No, they're not.
So potentially, is this AstraZeneca that's paying people,
or is it Moderna or someone else?
That's right.
It's Abdullah and Abdullah.
Yeah.
What we've got here is just some good old corporate sabotage.
Nothing wrong here.
Interesting stuff.
Amex fined after sending over four million spam emails. I think most of those came to me.
But, yeah, you'd think a company like Amex would get it right.
So I think the reason their fine was so small, because it was worked out to, like, you know, it's pennies per email which they sent, but I think because they genuinely accepted that it was a mistake. I think it was mislabelling internally, wasn't it? So it was supposed to be sort of normal system emails, but they included information about how they could improve something, or get additional, offer more money or something. Yeah, so they argued that those customers would be disadvantaged if they weren't aware of these sort of promotion things.
So did Amex say they're seeking help for their spam addiction?
They're retraining, I think, yeah.
I think it's classic retraining in this. It was the intern's fault. They pressed the button in MailChimp.
Yeah, exactly.
What Amex really need to do, instead of sending emails
and spamming people with offers and what have you,
is actually work on a way of getting their card accepted everywhere,
like a normal credit card.
That might actually drive more business their way.
Yeah.
To be fair, it's getting better. But you're right. I mean, even a few years back, most companies have sort of corporate Amexes, and I just remember people coming over to the UK saying, oh, I'll stick it on my card, and it's like, yeah, not that card you won't.
Yeah, I've never had an issue in the UK, but France, you know, in places like restaurants and stuff, not a problem, but cabs and smaller shops, that sort of thing.
Yeah.
But Europe has been a bigger problem than the UK.
UK, I've found it's pretty much everywhere.
It's getting better now, but certainly historically it wasn't quite up to.
Yeah, historically it was an issue.
And even now I think sometimes online you go
and the processor won't accept Amex.
But it's so much easier now with virtual cards and everything.
I mean, you can have like 20 cards right now.
Although, I mean, Curve is one of them.
In fact, I became an investor in Curve the other day.
I decided to drop a little bit of money that I'm willing to lose.
Investor in air quotes, right?
Yeah, exactly.
I'm an investor in Cum Rocket, but, you know.
Yeah, exactly.
I mean, I'm an investor because I bought 8.12 shares.
But you can't attach your Amex card to Curve yet.
So, yeah, very odd.
Anyway, we have...
Tom Langford, advocate, influencer, cryptocurrency...
Investor.
Early stage investor.
Is there anything you don't do?
I'm a VC.
Or whatever it is.
Anyway, Andy, over to you for this week's...
Tweet of the Week.
Oh, I love that one.
Tweet of the Week.
So this is actually a cheat one.
I've taken it from the Today in InfoSec Twitter account, the tweet of the week this week. But it's because it didn't really strike me as InfoSec related. But it was from 1975. So this is like, what, 46 years ago.
McDonald's in Pasadena, California, ran a competition, and the rules only called for entries to be printed on a three by five inch card by a person who was over the age of 18, who had a valid driving license, and you could also enter as many times as you like.
So what happened? 26 science and math students from the California Institute of Technology got to work during their free time in their finals week. They spent $350 to buy 20 hours of printing time on an IBM 370. So remember, back there, this is like the 70s, they had to pay for compute time.
So they produced 52 boxes of paper. Each box contained 2,700 pages, and each page contained eight valid McDonald's entries. So by the time they were finished, they had 1.2 million entries. But they said that by the time they got through cutting everything up, all the individual entries, there's only like 1.1 million. So each of the 26 students had their names printed 40,000 times. They divided into eight groups, and then they took their ballots to 98 of the 190 participating restaurants.
And so, bearing in mind this was 1975, they won 20% of the prizes, which also included $3,000 in cash and a $7,000 car.
So McDonald's were not amused.
They had to change their terms and conditions after that.
That's probably now purchase required or something like that.
Yeah, and these guys did nothing wrong.
They just read the rules. However, their competitors, Burger King, were amused, and they gave Caltech a $3,000 scholarship in honor of the stunt.
But yeah, that's a great story. Link in the show notes. Let's say 1975, a lovely piece of...
Oh, I love that.
I love that.
Wow.
You know, that reminds me,
I've seen a trailer for a series.
I think it might be on one of these channels,
like HBO or something.
Or Apple, I think, is running it.
It's called McMillions, I think.
And there was a big scandal into the Monopoly game.
You know, the stickers you get and you put it
and there was some sort of insider fraud.
Okay, if any of our listeners have seen it.
We did cover it.
We actually covered it last year.
Okay.
That's where I heard it from then.
Andy doesn't remember many things,
but he remembers all the stuff that we don't.
No, we did cover it,
but it's definitely worth bringing up again
because it was, yeah, basically the security guy was in on it
throughout the whole thing.
But, yeah, no, it's a great story.
Well, we draw to a close, folks.
That was fun.
That was quick.
I don't know where the time went.
Absolutely.
Absolutely.
And we're only four minutes behind schedule for you to get to your next meeting, Andy.
Indeed.
That makes a change, doesn't it?
The person who you normally meet with this time on a Friday is like,
what do you mean you're on time?
Anyway, Jav, thank you so much for this week.
Always a pleasure.
Always a pleasure.
Never a chore.
Indeed, indeed.
And Andy, thank you very much.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever. r/SmashingSecurity.
You know, there's that friends reunion where everyone looks really old and everything.
Do you think if we compared our first video or photos to how we look now, it would be the same?
I just look fat now.
Now? I think I've grown in... no, not then. 2013, I was a slim man.
See, you know what, you have the same genetics, in terms of, like, some people have it. Hulk Hogan is a good example of that. Even 20 years ago...
You're not comparing Tom to Hulk Hogan.
I'm sorry, I'm not having that.
Hear me out, hear me out.
20 years ago even, Hulk Hogan never actually looked young.
He just looked a little bit less old.
But he's always looked old, if you know what I mean.
Yeah.
And that's what Tom is like.
Last time I looked young, I think I was 19.
I think that was the last time I looked slim. I was 19.