The Host Unknown Podcast - Episode 58 - Ha Ha Ha
Episode Date: June 4, 2021

This week in Infosec
Liberated from the "today in infosec" Twitter account
1st June 1864: The first record of electronic spam was broadly revealed. A recipient was so infuriated by the dentist's poppycock that he composed a letter to the editor of The Times about the telegram, begging the newspaper to kindly demand a stop to the nonsense.
https://twitter.com/todayininfosec/status/1399864377415712773
28th May 2014: The TrueCrypt website unexpectedly announced that the development of TrueCrypt had ended and that the tool wasn't secure.
The Fall of TrueCrypt and Rise of VeraCrypt
https://twitter.com/todayininfosec/status/1266260968004136962

Rant of the Week
Deadline draws near to avoid auto-joining Amazon's mesh network Sidewalk
Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk, the internet giant's mesh network that taps into people's broadband and may prove to be a privacy nightmare.
'A stalker can abuse it to stalk people better. There are no mitigations mentioned'
Sidewalk privacy and security whitepaper by Amazon

Billy Big Balls of the Week
Antivirus that mines Ethereum sounds a bit wrong, right? Norton has started selling it
NortonLifeLock, the company that offers the consumer products Broadcom didn't want when it bought Symantec, has started to offer Ethereum mining as a feature of its Norton 360 security suite.

Industry News
NCSC: Act Now to Protect Streaming Accounts
Interpol Seizes $83 Million Headed for Online Scammers
Meat Processing Giant JBS Pulls IT Plug After Cyber-Attack
Scripps Notifying 147K People of Data Breach
Teen Crashes Florida School District's Network
Sextortion Lands Inmate in Federal Prison
Battle for the Galaxy: 6 Million Gamers Hit by Data Leak
Ransomware Disrupts Largest Ferry Service in Massachusetts
Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Tweet of the Week
https://twitter.com/Cyber_Cox/status/1400082437095387137
https://twitter.com/ryanaraine/status/1399724475092983812?s=20

(Edited 00:18 7th June 2020 to seed Apple Podcast update.)

Come on! Like and bloody well subscribe!
Transcript
...the coming up today, so you can put it in your own words.
What, would I want to put it in my own words? For there's words already here.
Uh, you can do that, or you can, like, read it word for word.
You mean like I normally do? Is that what you're trying to say?
Yeah, on the physical representation of phoning it in.
Well, you know, I'm still in bed, if I'm perfectly honest.
I'm just rolled over, speaking, talking into my iPhone at the moment.
Standard.
Yeah, yeah, well, you know, this is what happens. You pay peanuts, you get lazy Tom in bed.
I'm quite cheap.
Really? You must have been busy this week, though,
because I noticed the Smashing Security podcast
said they didn't have a guest,
and you obviously weren't available for it.
No, that's right.
Yeah, exactly.
You missed a renter guest.
Obviously, my rates of a packet of peanuts
was too much for them this time.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening, and welcome to
the Host Unknown Podcast from wherever you are joining us.
Episode, well, we're episode 58 now.
Although, as I met with some team members recently,
and this guy was telling me he's listening to our podcast in order,
and he's not quite worked out the numbering scheme yet.
No, because it is actually 62.
Is it really?
We're going to have to go through and actually do it. Not by your labelling.
No, your labelling is consistent.
But in terms of actual podcast produced.
Certain amounts of effort.
We technically are putting in more than 100% of effort.
But that diminishes with every episode we add.
Yeah.
Yeah.
So welcome. Welcome. Andy, how are you?
Uh, I normally say not too bad, but today I've had a bit of a, uh, a sparky situation in my office,
uh, my recently renovated office, with my ceiling fan, and, uh, the light switch was making
some very crackly noises earlier, uh, so much so that I had to reach for the fire extinguisher.
I thought I'd get through this recording.
You mean you shook up a can of Red Bull, is what.
Yeah, the Russian fire extinguisher. But no, I've actually had to, uh, surrender her, and I called
around for some sparkies to, uh, so you can ASAP. I'll have to switch off the lights in the house.
Flick the fuse at the household unit, unwire it.
That's what I'm worried about.
That didn't trip.
Well, no, because it's not overloading.
It's just loose.
You've just got a loose cable, that's all.
I'd quite like a professional to come out and give that assessment.
Professional.
Rather than you hearing my description of what I believe the problem to be
and then diagnosing.
I'm well aware of Google.
I've had the 240 volts through me more than once.
It's fine.
It's absolutely fine.
Oh, dear.
In fact, I remember electrocuting myself as a kid
when I stuck my fingers into my nightlight socket.
I took the bulb out.
Curiosity, right?
Yeah, basically.
Do that thing where you could see your skeleton through your skin.
Yeah, that's right.
My hair went.
Quite literally went.
That's where it starts.
That's your origin story, isn't it?
Yeah, that's right.
It's my Professor Xavier origin story.
Oh, dear.
Talking of X-Men and mutants, Jav, how are you?
I'm very good.
Well, I'm saying very good.
Having a garage door replaced today because...
Is that a euphemism?
No.
Oh, right.
I thought that you converted your garage into offices,
into an office.
Half of it.
The other half.
It's bikes in.
Yeah, yeah.
The bike, the tools, and every bit of junk from the house is in the other half.
It just gets thrown in there.
Yeah, yeah, exactly.
So what happened is, it's one of those electric rolling shutter ones.
Yeah.
And, uh, a few weeks ago, um, I parked my bicycle in and the wheel was still sticking out a bit, and
I didn't notice, and it came down, the, the shot, I went on the wheel, when it kept on unrolling,
unrolling, unrolling, and it snapped at the top. So I had no usable rolling shutter. But the people that are, uh, probably are sitting on the
edge of their seat wondering what the cliffhanger is to this story, uh, it basically
broke, and, um, new people are in and they're fitting it as we record.
So you're pushing crisps capabilities to the limit.
I am, yeah. This is the field test of crisp. Is it as good
as what it says? Yes, it is. Also, while they're there, what you should do is, you know, Thunderbirds style,
have some palm trees put outside the garage, so as the doors open the palm trees kind of
flick down and open, so that, you know, and then I, some sort of like... Oh, that is such a good idea.
It's such a good idea.
I think that would be awesome.
I'll be right back.
You know what?
I kid you not.
Last week, and I've forgotten the name of the show.
All I remembered was the name Dan Tanner, the main character from it.
And last week, someone reminded me the show was called Vegas,
with the S was a dollar sign.
Oh.
And this is a cop show
He was a private investigator in the 70s or so.
Yeah, but he was so cool. He had this red convertible
car, and the garage door would open and he would pull into his living room, basically. It was like
a big open plan living room. His car would be in one corner, his kitchen would be on the other. It
was just absolutely... And I saw that and I thought, you know, that's what I need to do here. I need to not
through the partition wall in the garage, yeah, have my bike just come straight into my desk.
Yeah, and then, and then... But as you drive in, you'd hit all the cardboard boxes, wouldn't you?
Well, I was wondering, did his family die from carbon monoxide poisoning? Yeah, yeah.
Because they're like in the 70s,
Lynx, you know.
Health and safety is not what it was today.
It was either that or the asbestos in the roof or the lead in the paint.
It was one of those,
but whatever time they lived,
they lived it well.
Those old 70s cars,
and even the newer ones,
I mean, like mine, 2004,
they smell of petrol constantly.
Yeah.
So what have we got coming up for you today?
Well, in our regular and most favouritist slot of the week,
this week in InfoSec takes us back to the earliest reported spam complaint,
which is apparently probably older than you realise.
I mean, I don't know how much older, but, you know, what are we talking about, 70s, 60s, something like that?
Rant of the Week tells another story of big tech chipping away at privacy like it's no big deal.
Billy Big Balls this week sees Norton doing something either really smart or really stupid. We'll let you
make up your own mind on that one. Industry News brings us the latest and greatest infosec news
from around the globe. And Tweet of the Week resurfaces the debate on the difference between
conferences. We no longer bring up the topic of little people on this show, but when we do have something to say, we do like to keep it short to confirm the little people will never be returning.
So anyway, let's let's move on, shall we, from carbon monoxide poisoning and electrocution.
And let's go straight on to this week in infosec
Yeah, it's that part of the show where we take a stroll down infosec memory lane to revisit events
of yesteryear, uh, via content liberated from the Today in Infosec Twitter account. And I'm talking,
wondering whether or not Jav and Tom are on the other end of this, because...
I'm here, I'm here. Tom's dealing with a delivery and, uh, Jav is dealing with his, uh...
I'm here, I'm here. What can we... Shouting from across the room. No, no. This is not added in in post at all.
Ha, ha, ha.
So there was actually, I'll just actually mention something.
Ha, ha, ha.
To a story on the Host Unknown Supplemental Podcast.
Ha, ha, ha.
Which also goes by the name Smashing Security.
Ha, ha, ha.
So obviously the Host Unknown Podcast is the Smashing Security release candidate.
And then, you know, what they do is the addendum.
So Gramps was talking about the movie War Games, and he totally exposed himself by admitting
that he's never seen such a great piece of history.
But he also missed the opportunity to highlight the fact that it was released in the US 38
years ago this week, on the 3rd of June in 1983. Um, and if you recall, back
then obviously it wasn't released in the UK until the 18th of August, you know, nearly four months
later, because back then movies in the US used to come out way before we got them in the UK. Yeah, um,
and I'm still not quite sure why, but there's always, like, one kid in school that had gone to
the US, seen a film and then come back and ruined it for everyone.
But yeah, anyway, for anyone who hasn't seen that film should definitely watch it.
A film about a high school hacker who war dialed a NORAD computer, guessed a weak part of the word and then nearly triggered World War Three.
However, that is not the main story.
I just wanted to get out there because as soon as I heard him talking about war games,
I thought, damn, they've already stolen one of the stories.
But they didn't.
They missed it.
So anyway, this first one, and unfortunately, Jav,
your younger years will preclude you from being expected to know this one.
But Tom, can you guess when the first record of frustration with electronic spam was referenced?
Uh, 1950.
Not too close at all. Um, it was actually the 1st of June 1864.
Well, so the first record of electronic spam. They didn't even have electricity then, so I mean, they
had to do email in the dark, didn't they?
Yeah, email was so much harder at night time.
So a recipient was so infuriated by the dentist's poppycock that he composed a letter to the editor
of The Times about the telegram he received,
begging the newspaper to kindly demand a stop to the nonsense.
Begging the newspaper. Interesting.
Yeah. So there is a great screenshot here and it's addressed to the editor of The Times.
Sir, on my arrival home late yesterday evening, a telegram by London District Telegraph,
addressed in full to me was put
in my hands. It follows: Messrs Gabriel, dentists, 27 Harley Street, Cavendish Square. Until October,
Messrs Gabriel's professional attendance at 27 Harley Street will be 10 till 5. He goes on to say,
I have never had any dealings with Messrs Gabriel, and beg to ask by what right do they disturb me by a telegram,
which is evidently simply the medium of advertisement.
A word from you would, I feel sure, put a stop to this intolerable nuisance.
I enclose the telegram and am your faithful servant.
And that is possibly the first recorded version of Unsubscribe
that we have on record.
Asking the editor of The Times to deal with this is, you know,
it's a bit like us tweeting Piers Morgan and saying,
can you keep telling this guy to shut up?
Well, do you say that?
But you think like in the 90s,
the amount of people that would contact your ISP.
Do you remember that?
If people didn't like some of the stuff that you had going on,
they'd contact your ISP.
Yes, abuse at ISP.net.
It kept me gainfully employed for a couple of years,
so don't knock it.
As an abuser?
No, basically pretending that I understood
what the IDOS S-logs were saying.
Reverse looking up anything that looked like,
ah, there's a bit too many connections here coming in for my liking
and sending abuse at ISP.net.
And then on the week I said, yes, I detected and put an end to
at least 24 attacks this week.
Proactively mitigated.
Weeks proactively mitigated. Uh, yeah, but yeah, 157 years ago the, uh, first... Times have changed. How times have changed. Yeah, but the best part was, you know, Gabriel's, dentist at Harley,
is a brilliant dentist. He should have gone.
Well, he certainly knew how to advertise, right?
He probably bought a mailing list of people.
Yeah, that's right.
Telegram them.
Did his pay-per-click or whatever.
Telegram.
That must have been a really expensive form of direct mail,
of direct advertising.
So there's a couple of things in mind.
One, this is to The Times, so we've already sort of established the, um, the readership, the social strata of the
readership. The other is, um, it's a dentist in Harley Street, and Harley Street has always been
the inflated prices, the medical centre of London, as it were, from a private practitioner's perspective.
Yeah, so I think we're talking just a lot of money
flapping around here.
Probably worth it, right?
Yeah.
Anyway, so the second story I have is only from seven years ago,
but I do feel that I still don't have the answers
that I'd be looking for to truly understand what happened here.
So if anyone can fill in the blanks for me, it'd be great.
So this is from the 28th of May, 2014.
The TrueCrypt website unexpectedly announced that the development
of TrueCrypt had ended and that the tool was no longer secure.
So any visitors who went to the website from 28th May 2014 found a message which just simply said, the development of TrueCrypt has ended in May 2014
after Microsoft terminated support of Windows XP.
Windows 8, 7, Vista and later offer integrated support for
encrypted disks and virtual disk images. Such integrated support is also available on other
platforms. Um, so if you didn't know, TrueCrypt was this, uh, open source sort of disk crypto package
which had been around, you know, quite a while, like 10 years, I think, you know, from
2004 onwards, uh, maintained by a group called the TrueCrypt Foundation, had versions for Windows,
OSX, Linux, Android, uh, really popular, over 30 languages supported across the world, and it
worked by creating this virtual disk on your computer, and then anything written to that disk
was encrypted. Um, and it didn't sort of give a... it didn't let you know that...
it wasn't obvious to see that there was an encrypted disk on the machine,
but, you know, if you use forensic tools,
you could actually reveal that there was this TrueCrypt bootloader.
But you could also – didn't it also have little tools,
like if you typed in a different password, it would show a different folder?
So it was like, you would, if it was demanded
that you open up your files... oh, I didn't know that, or whatever.
Yeah, I think it did. I think
it did, because that was one of the advantages. Rather than it just being an encryption tool, it
was the full suite. Um, maybe many of our listeners, I'm sure, are well... no, better sit there going, no, no,
Tom, you got it wrong. Yeah, you're thinking of something else.
Yeah, exactly.
But it was strange that this open source project,
which supported all these different environments,
would just suddenly suggest people move to commercial solutions.
And to this day, we're still not sure what happened.
So internally, what we do know is that with version
7.1a there had been an audit on the code. Yeah. And then the announcement came sort of shortly after,
and that they'd be discontinuing TrueCrypt. Um, and then they released version 7.2, which was
intentionally crippled and contained a lot of warnings in the code. And a lot of people believe,
or the most common or widely spread story
is that an ongoing code audit,
during that sort of ongoing code audit,
an NSA-created backdoor was expected to be found in it.
And it's really weird.
Even now, the Wayback Machine doesn't have the pages
from truecrypt.org.
It just says it's been excluded from the archive.
But never in the history of software development
had there been such an abrupt end,
certainly where the developers didn't even fork their code.
So still a lot of questions to be answered with this.
Because I used to use TrueCrypt,
and they were working on a full disk encryption because that was that
was the difference. Yeah, you know, because you can get... FDE wasn't that, uh, widespread.
Well, it was third party, wasn't it? Yeah, you know, whereas, as they said, you know, Windows 7 onwards,
uh, sorry, Vista and onwards, had, um, BitLocker and full disk encryption, and then shortly afterwards OSX,
uh, they have it by default as well. Yeah, well, yeah, but originally it was just, you know, by folder as
well, and then it was, and then I think shortly after BitLocker came out, they released their own,
um, but, um, it was odd because it was like fully on. I'm pretty sure I read that they were going to expand
into full disk encryption, blah, blah, blah.
And they were doing the audit because companies were using it
and the use of open source was very popular.
But as an auditor, well, it's open source.
Anybody can find access to this code.
So I thought they were doing an audit to prove quite how good it was, you know, and I
don't know, but the, um, uh, part of me thinks maybe they found something in there that they hadn't
put in the code. Maybe something had been included and they just thought, we're completely, uh,
compromised here. Yeah, I think that's what... yeah, that's where a lot of the theories have been.
Yeah, but it's a really unfortunate demise
because that sort of thing really, I think,
helps keep those kind of technologies moving forwards.
Yeah.
But I see there's a new one coming out with Veracrypt,
which is based on their code, or is... yeah, they did something
clever with that. Uh, oh, did they? Yeah, so I'm not entirely sure, but yeah, they got around the,
um, the light... so they changed the license of, um, TrueCrypt just before they ended it, saying that,
you know, you couldn't fork it. But yeah, VeraCrypt actually did something clever with that licensing
where a lot of it is based on TrueCrypt.
Did they do like a search and replace on the phrase True
and replace it with Vera?
Classic, yeah.
There you go.
It's our license now.
Don't make it obvious.
Yeah.
Oh, dear.
Wow.
God, I hadn't thought about TrueCrypt for a long time.
No.
Well, seven years, roughly.
Excellent.
Thank you, Andy.
Fascinating stuff, even though I missed half of it.
This week in InfoServe.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
Like and subscribe now.
So, time, I believe, to move on to this week's...
Listen up!
Rant of the Week.
It sounds like mother f***ing rage!
So, this week's Rant of the Week falls to me.
And I'm desperately trying to work out how I can bring Apple into this.
But it's about Amazon and their new mesh network called Sidewalk, of all things.
You can tell they're an American company.
It's very American, isn't it?
Yeah, let's just call it pavement. So they talk about this about six months ago.
Who did? Me? Okay, when they actually announced Sidewalk back then. But go on.
Yeah, this is just a refresher. Jeff, just talk to me like that. Geoff, talk to Andy.
He does the show notes.
He gives us stories.
You guys give me so much grief when I'm like,
hey, do you remember that story?
And you're like, yes, we covered it in episode 37 or 42,
depending on how you're counting it.
Like I say, Andy, speak to Andy.
I don't remember anything.
I just read the words in front of me
Um, and if, oh, anyway, uh, so, um, yes, so Sidewalk is a mesh network. So all of Amazon's, like, Echo devices
and Ring doorbells, etc., are, from June 8th, going to automatically, or default to, being able to create their own mesh network
that taps into other people's broadband
through their Echo devices as well as, you know,
any public Wi-Fi and all that sort of thing.
The interesting – and it sounds kind of, you know,
makes sense in a way.
I know BT and BT Broadband, they have their own, what is it,
that you can share your Wi-Fi with the public on their thing by default
and all that sort of thing.
And, you know, I think there's a certain community spirit
mindedness to
it. But the thing that really gives me pause for thought and makes me think that this is
possibly not in retaliation, but in response maybe to Apple and Apple's AirTags, is that one specific device outside of the Amazon network
that is specified as being able to take direct advantage of this is Tile,
the little sort of personal tracking devices that Apple's AirTags are up against.
And Tiles are now also able to take advantage of this
mesh. So as you walk past someone's house with sidewalk enabled with your tile device, your tile
will actually communicate with said network. Now, a bit of the tech here, the mesh network is
created through either low energy Bluetooth, through Wi-Fi, through basically
anything that it can use to talk to the network. And then it means that the devices can continue
to talk to Amazon and phone home, even if your internet has gone down. Although they do say
that they're going to cap Amazon data to, what was it, 500 meg a month, something like that.
But that's probably more than enough if all we're talking about
is just basic logging and stuff like that.
Obviously, they've done some security papers and stuff on this.
And on the face of it, they look all right.
They look okay.
But the challenge is that what something like this does is
enable, uh, people, if not immediately but certainly in the near future as vulnerabilities are exposed,
etc., to snoop on other people. The use of the Tile network, too, because the Tile network, for instance, doesn't have an anti-snooping mechanism and can allow people to stalk someone using a Tile device without them realising it,
because there's no method or notification that allows them to tell that person
that they're being tracked by the tile
So this could... I'm, I'm personally, I'm not a huge fan of this. Um, I think it's just a little bit
too close. It's potentially creating almost a, uh, almost its own, an Amazon dark web,
as it were. But, you know, because this is almost creating an
internet pipe of its own creation, um, in order to... Tom, Tom, you've got to trademark that term,
Amazon dark web, and this will be the title of your talk at DEF CON. This
will be my moment. This is my moment. It is your moment. I would go and see that talk, absolutely. I'm gonna
have to tweet something about Sidewalk being Amazon's dark web. So yeah, tweet it now quickly
so you gain the ownership of that term, and then it will be like the Amazon dark web, and, you know,
you can just, like, come up with whatever convoluted, far-reaching, one-in-a-billion hypothetical scenario through which something
bad could happen.
But it would be great.
I think it will draw the crowds.
Man.
Well,
I'm glad you're my agent.
So you really helped point me in the right direction.
Although you did bring me off midstream.
I'm like,
Oh my God,
what the hell was I talking about now? I forgot. It doesn't matter. No one was interested in what you were saying.
We just need the soundbites. No one cares about the full story. Actually, you know what, I'm going
to contradict you a bit. I think it's not such a bad idea as you're making it out to be, at least
not from the Amazon context. I think this is a direction which a lot of technologies have been
heading for a long time, like you rightly pointed out with BT and everything.
Yeah, yeah.
I think what I've put into the show notes now, Amazon actually did publish a privacy and security white paper on this.
Yeah, that's right. That was the one I was referencing.
All right. Yeah. And it is very detailed. I don't understand all of it, so that means it is quite technical.
But, um, I think what we need to do is rather than say, oh, I feel a bit uncomfortable
with it, like old people would say, is to say, well, this is kind of like the future of the internet
of things, um, how do we ensure that it's managed in a secure manner? And I think...
Yeah, I get that. I think partly I just don't trust Jeff Bezos. No, that's probably my biggest
challenge here, and the fact that it's these big companies that are normalizing this sort of abuse
of, uh, data. Yeah, you know, Facebook have been doing it for years, Amazon are on that bandwagon, Google
have, you know, used to do it, uh, probably still do it, but, you know, it's these big companies that
just own the entire industry, and, you know, you can't do anything about it, and, you know, once
one person gets it in, you know, just makes it normal, everyone does it. Yeah, like, yeah, that's what you said. Absolutely. Anarchy podcast, the
anarchy podcast. Quite the reverse. No, I think it's, yeah, you're right. I mean,
but I think that's, this is just a symptom of that bigger cause. You're absolutely right that
we've given far too much power to far fewer, a collection of companies, and they dictate everything.
So we can agree or disagree,
but you know,
these things are going to go ahead.
So they are,
they are.
Life is pointless.
Let's give up.
No,
no,
no.
That cuddly man,
Tim cookie told,
you know,
I trust him.
I'll give him,
I'll give him all my money.
You know, the only problem is they can't deliver like a dog bouncy ball,
you know, rubber ball by 10 o'clock tonight.
Oh, they can for me though.
No, Amazon, Apple can't.
Oh, good point.
Amazon can, and that's the real challenge here.
So I'm an Amazon user.
You know, I've got a Prime account, and I use them an awful lot just because,
frankly, I can't be asked to go out shopping. It's much easier from here. But I dislike the
fact that they actually have so much of my information and they know so much about me.
And the fact, as I said, I don't trust Jeff Bezos. And that's a very personal and subjective
opinion. And that's where my concern comes from. So we did that story a few months ago about the
US law enforcement getting access to the ring cameras. So that's another example of Amazon just handing over people's personal stuff.
I wouldn't say without their permission,
but certainly it's opting out rather than opting in.
Yeah, which goes against everything that GDPR was supposed to protect people against, right?
Yeah, but this service is an opt-out, not an opt-in.
Yeah.
And that, I think, in itself sets it up for a bad precedent.
You're right, Jack.
I mean, I love a good bit of tech, and I love a good –
I've got more tech in my house than I know what to do with.
But sometimes I just think – I get that really sort of uncomfortable feeling
that we are on the brink of the Amazon dark web.
Trademark.
Yeah, trademark.
Yes, very good.
We need a logo with it.
We need a jingle.
We need a website.
Right, I'm on Fiverr.
I'm on Fiverr now.
Yeah, that's right.
So, Tom, you are into tech, and this is going down a slight tangent,
but I think it's an important point.
You've got a ton of tech.
You've got all your things.
You talk and your curtains open and close, your lights change and everything,
and, you know, the robotic vacuum comes out, everything.
Have you ever considered, like, adding up the cost of everything you spent on tech
and then the annual cost of things
like electricity that you're to run it, and the internet, you know, and, um, maintenance fees and
subscription fees and everything, and have you worked out maybe it could be cheaper to just hire
a butler? Who do you think talks to the blinds to tell them to open? I don't do it, it's beneath me. But I think you could get an Alfred
come in and, like, you know, make your tea exactly how you like it. Yeah, yeah, you know,
you would open the curtains, close the curtains, do your bed, everything. That would be nice, wouldn't it?
That would be nice.
Read me a story with a happy ending to help me go to sleep at night, you know.
When you said that, adding up the costs, I was thinking, yeah, but, you know,
if I add up the costs, you know, obviously I'm spending a certain amount of money
on this stuff, but, frankly, it brings me joy.
And there's very few things in this world
that bring anybody joy anymore.
So yeah, I'll take joy from my inanimate objects.
Wow, this should be renamed to sad ending of the week.
Yeah, yeah.
That's Apollo existence.
I'm sorry, Tom.
That's right, yeah.
You know, when Tom dies,
we'll be listening through all these podcasts and like
The signs were there. Yeah, he says he's going off to, uh, get a delivery from the door. He's actually
just, you know, sitting in the corner of the room rocking and weeping. Why can I hear a car
engine running?
Oh, that's my red sports car. He finally did it.
He finally got it in the living room.
You need to find out it's an electric car
and it doesn't work that way.
Yeah.
Yeah, it took me ages to find the exhaust pipe on the thing.
Anyway, that was this week's...
Rant of the Week.
Sketchy presenters,
weak analysis of content,
and consistently average delivery.
Like and subscribe now.
So, Jav, I think we're going to move over to you now
onto a story that we're pretty sure is new.
Maybe we ran it a little few weeks ago
maybe you mentioned it a few weeks ago but we're going to give it to you again anyway
folks. Um, after installing antivirus software, is your computer still usable? Do you still have a few CPU cycles available after the crap software
has forced it to its knees? Well, well, well, Norton have a solution for that.
Built-in crypto mining in your antivirus. Norton LifeLock, the company that offers the consumer products Broadcom didn't want when it bought Symantec,
has started to offer Ethereum mining as a feature of its Norton 360 security suite.
This feature, creatively called Norton Crypto, is going to harness the power of your graphic cards to mine Ethereum.
And I think that is a genius because literally it will pay for itself, won't it?
You buy the product and within like a month you'll be breaking even
and after that it's all quids in.
I think it's a brilliant idea.
So hang on, hang on.
An antivirus company, you install their antivirus software
and then it mines cryptocurrency for you.
Mining cryptocurrency in a country where electricity is expensive
and where the most people who would buy this product in the first place
probably don't have the most powerful computers anyway.
And you're probably going to have to give them your...
Well, it's probably going to have to store your wallet
and your credentials and all sorts of stuff on this
said dodgy computer.
Yeah, this sounds like a bad idea. But, you know, if I had a granddad still alive, I can imagine, this is, you know, I would turn up for Sunday lunch one time and he would start telling me about this new thing that he's purchased. Now he's into the Bitcoin market.
Yeah, I think that this is bringing, or the thought of bringing, crypto to the masses. But there's no way your home computer is going to mine fast enough to make any sort of dent on...
No, not at all.
Yeah, something, something valid here. But what would be great is
if you could actually hack this
and then get everyone else's machines to do this for you,
you know, when you start pooling resources.
They could call it, was it Symantec Zombie?
Yes.
Botnet.
Yeah, Norton Botnet.
Yeah, Norton Botnet.
There we go.
No, the Norton Dark Web.
Hey, hey, hey, hey, hands off.
Yeah, we've just received a takedown notice from Amazon Dark Web Incorporated.
I think it's such a stupid idea.
It's awful.
It's just ridiculous.
I mean, antivirus or whatever,
it just hasn't got the best reputation to begin with.
And a lot of these things are…
Certainly not traditional antivirus.
No, no, not traditional.
But a lot of these are intensive on your CPU
and it grinds your computer to a halt and what have you.
On top of that, you're going to be like, you know,
your lights are going to be flickering like Andy's office lights
as the computer crunches its way through.
Yeah, it's just, I don't know who thought this would be a good idea
or, you know, whether...
It does remind me of, you remember that SETI at home thing?
Yes.
The search for extraterrestrial life.
On the old screensavers in the office.
And there was a cancer one, you know,
folding that was,
it was decoding genetic sequences
to look for searches,
to cures for cancer and stuff.
You see, that stuff, I'm all for.
You know, if you want to, you know, one, you install it separately anyway and it's using your screensaver,
and it's actually doing something for the greater good, you know, something that's for human betterment,
the cure for cancer, search for extraterrestrial life, you know, pay your money, take your choice,
whichever you want, whichever one you want, pay your money, it's free. But do you know what I mean? And, you know, I remember they set up teams
that you could set up a team. So your IT department could go up against the finance department and,
you know, and see who was folding the most or who was, you know, who found more ETs than someone
else and all that sort of stuff. But this, well, this reminds me of that Amazon dark web story
in a sense that this feels like something that you have to opt out of
rather than opt in again.
It's like, install this, we'll give you AV.
And oh, and by the way, you've made 15 pence
in the last three months in Ethereum.
It doesn't feel right.
Yeah, but hats off to whoever works at, um, Norton LifeLock, in their marketing department, and whoever convinced everyone it was a good idea. I think that is a proper big, big, big balls move. But they may be... it may be a Billy Big Balls remove, um, if this doesn't go right for them, you know.
That person was just looking at all the news about crypto, right?
Saying, right, how do we get on?
Damn, I wish I worked at another company because all we do is AV
and crypto is in the news every day.
Maybe they got given confusing sort of stats to hit
and they wanted to get, you know, they were told,
you need 100% utilization.
And they looked at the CPU utilization of the average computer running Norton
at 80%.
Unless we acquire McAfee.
Yeah.
How do I get the next 20% of that CPU usage?
I know I'll start crypto mining, you know.
So now your computer is running at peak efficiency at 100% all the time.
So what's weird about this is in the UK, a lot of the banks,
I think, was it Lloyds earlier this week,
have stopped allowing crypto payments.
You're not allowed to use Binance or certain exchanges.
Oh, really?
To pay into their accounts?
Yeah.
Is that a money laundering thing, do you think?
Or just a...
I think that's what they're shaping it up as.
Or just a flex.
Yeah, but Lloyd's obviously own Halifax,
Bank of Scotland, MBNA as well.
So you can't buy crypto with your credit card.
Yeah, they flagged the transactions as fraud
simply because they are crypto-related.
HSBC as well, I think.
Oh, yeah, the bank no longer supports deposits
and withdrawals from exchanges.
So maybe Norton's next move is to set up like a money handling service
that will take your Ethereum and will give you cash minus 10%
to then place that money into your bank account
because banks won't take the money from it.
Well, yeah, I mean, I guess we're gonna see the Norton Bank.
Uh, Norton Bank. Is it gonna have one of those "Secured by Norton" things on the front door?
So, yeah, not only do we secure your PC, we also secure your money in our vaults, and your stupidity.
This is just incredible.
Yeah, absolutely amazing. But I think it does very much qualify for a...
Billy Big Balls of the Week.
I know we don't take this show seriously,
but really that company needs to take itself a little bit more seriously.
But, jeez.
Well, Andy, is it that time of day yet, Andy?
I can't believe it.
It's already that time of the show where we head over to our news sources
over at the InfoSec PA Newswire who have been busy bringing us
the latest and greatest security news from around the globe.
Industry News.
NCSC, act now to protect streaming accounts
Industry News
Interpol seizes $83 million headed for online scammers
Industry News
Meat-pulling giant, no, meat-processing giant JBS pulls IT plug after cyber attack
Industry News
Scripps notifying 14... 147,000 people of data breach.
Industry News.
Teen crashes Florida school district's network.
Industry News.
Sextortion lands inmate in federal prison.
Industry News.
Battle for the Galaxy: six million gamers hit by data leak.
Industry News.
Ransomware disrupts largest ferry service in Massachusetts.
Industry News.
Mandiant to re-emerge after 1.2 billion FireEye sale.
Industry News.
And that was this week's...
Industry News.
Huge, if true.
Yeah, that Mandiant one is an interesting one.
So they've just sold to FireEye, have they? Or is it the other way around?
Yeah, they've sold FireEye assets.
Oh, they've sold assets to FireEye.
Okay.
No, no, no.
You know, so FireEye, Mandiant, right? Yeah, back in the day.
Yes, yeah. And then Kevin Mandia, who was the CEO of Mandiant, made his way as CEO of FireEye, right?
And so it's FireEye and Mandiant all together.
Yeah. So FireEye is mainly the product side and Mandiant is the services and the IOC sort of... they popularize IOCs and what have you. But now they're selling the FireEye side of the business, which is all their products, um, their, what is it, their tin, uh, to a private equity firm of all people, called STG, right? And, um, uh, for 1.2 billion in cash.
STG actually is the private equity firm. They bought McAfee Enterprise a few months ago for 4 billion in cash, and they also bought RSA Security.
I can see a merger.
Well, they've got a bit of cash floating around, right?
Yeah, yeah. But the thing is, the way private equity works though, typically, and this isn't true for... but yeah, they flip that. What they do, they'll get something that's sort of like flatlining a bit, and FireEye hasn't been the most profitable part of the business for a couple of years now.
So they'll get something that's flatlining.
They'll strip out any innovative parts of that business
and they'll sweat the assets that are making money.
And then they'll mush them together.
So there are quite a few of these things.
So they'll mush them all then together into this massive sweat box
that is making them some money.
And then a couple of years down the line, they'll flip it all for a tidy profit.
So FireEye, McAfee and RSA are going to be squashed together into some Frankenstein's monster of a thing to be sold in a few years' time.
It's typically what happened. I'm not saying this is what's going to happen here.
I have no insider knowledge, but do not buy shares or stocks based on my opinion. Value of your investments may go down as well as up.
Exactly, exactly. But, uh, but yeah, so, um, it's
interesting to see how this will pan out. It's needed to be almost a Billy Big Balls move because,
you know, Mandiant is acquired by FireEye.
Kevin Mandia then becomes the CEO of FireEye,
who then sells FireEye to retain Mandiant.
Like, that's impressive.
That is impressive.
This is, what do you call it?
It's like a Melinda Gates move, isn't it?
Yeah.
Or a What's-Her-Face Bezos move.
Yeah, exactly.
I couldn't remember her name, otherwise I've got to mention her.
Mrs. Bezos.
Yeah.
The ex-Mrs. Bezos.
Oh, man.
Sorry.
No, this is a joke, ladies and gentlemen.
We're not sexist.
Please don't cancel us.
Cancel Tom.
He's the old white man.
If anyone needs cancelling, it's Tom.
Yeah, that's fine.
That's fine.
The one about meat processor or meat pulling, whatever you like to call it.
Yeah, the meat processor.
Meat processing giant JBS.
I heard the other day it was said without irony, JBS,
they're the fifth largest meat processing company in the USA.
It's the fifth largest.
What?
The largest meat processor in the world, right?
No, the fifth largest.
They're not the biggest.
In the world?
Fifth largest in the world.
No, I thought it was the largest in the world.
Literally the largest meat processor in the world.
No, I thought... well, I heard they were the fifth largest.
Oh, well, if that's not true. Anyway, if there are any meat processing experts in the audience, if you're listening to this while you're plucking chickens...
Yeah, no, we don't want anybody doing that, actually, contacting us. Fucking chickens.
Okay, okay, right. Choking. Yeah, move on. Let's move... what else we got?
Yeah, we'll pull this one out. And this one: sextortion lands inmate in federal prison. Surely they were already there.
Well, do you know, I mean, that I started reading it and it's like, an inmate from the South Carolina,
and it's like, okay, right, you're right, as soon as we head to that direction of the US, like, it's either going to be South Carolina or Florida, right? You know.
Yeah, yeah, yeah. So this person, uh, yeah, was already serving a 12-year sentence for a cyber scam to blackmail military members, uh, already. But yeah, he basically posed as a young woman on a dating site, um, you know, which he'd... yeah, he'd smuggled a smartphone into prison with him, uh, and then, just a very small one, a very small one, in the prison pocket.
Yeah.
And then the old, uh, the old classic: get pictures of, uh, attractive women online, um, you know, nothing's doing him, and then sort of tricking military personnel, you know,
to share personal information with them.
And, you know, nudes of themselves and then blackmail them.
That's quite impressive to do that from inside a prison.
Yeah, well, it is, but more impressive is that they state
that more than 300 military members throughout the US were victims.
What?
Um, and, you know, you can take military members in two different ways in that story.
Um, but yeah, it's actually... do this, so yeah, in such a, uh, dedicated way is a fair play.
I guess there's nothing else to do all day,
right?
Yeah,
no,
I've got nothing else to do, so let me pretend to be a young woman
and speak to military members and try to blackmail them.
That's a plan because then I've got money that I can't spend
because I'm in jail anyway.
And at the end of every day, hide my smartphone back up the prison pocket.
Yeah. Right. Well, I think on that note, we shall move on to tell you about...
This is the Host Unknown Podcast, home of Billy Big Ball Energy.
So, and in fact, I've been meaning to say this for the last few weeks, folks. Uh, you've got to give us, if you're listening, please do give us some, um, some likes and some comments on the, uh, on the podcast pages. Uh, like and subscribe, that's what I'm trying to say. Um, yeah, we could do some more, some more, um, reviews. That'd be great. Even if you think we're a bunch of idiots, that's fine. It's a review nonetheless. Publish and be damned. But, uh, yeah, definitely need a few more of those. Uh, so, wow, look at the time. Let's move swiftly on, shall we, to this week's Tweet of the Week.
And we always... of the week... play it twice. Tweet of the Week. Three times. Tweet of the Week.
There we go. I don't know what happened there, but we're going with it.
You got the shakes, right? You think you got stuck?
Well, I'm drinking a coffee that... I'll say that's the outsiders.
Uh, yeah, not the outsiders. The, uh, Parkinson's.
Parkinson's, yeah.
Oh, that's all right. I'll take both. Yeah.
So this, uh, I'm gonna stick in a bonus one first of all,
because there's one that made me chuckle.
A guy called Chris Cox simply made a statement.
Excuse me, but why would I pay money for full disk encryption software
when I can get Russian hackers to do it for free?
This is a man that's thinking ahead there.
Just like you actually pay for the decryption key, Chris,
not the encryption.
So this is one which Jav actually shared,
which I thought was quite funny because I could already hear the comments
before I even saw it.
And it was originally, well, it's a guy, Ryan Naraine,
who is the editor-at-large
of SecurityWeek, fellow podcaster,
and he was quoting
Charlie Miller of the
Hacking a Running Jeep fame,
if you remember, and obviously
a respected member of the
information security industry.
Obviously, I mean, I was hacking cars
when they were still analogue, you know, so
it's good to see these kids, uh, coat hanger, or, uh, you know, the old classic with the... remember the wind-up windows, before you had electric windows? You could literally just stick your hands on the side of the windows and pull the windows down.
Yeah, yeah, it's brilliant. Like all these people with coat hangers doing fancy stuff.
Um, so anyway, Ryan simply says, Charlie is wrong again. And what he is referencing is a tweet where Charlie says: even though everyone, and especially Ryan Naraine, hates when I say it, Black Hat should only contain highly technical talks. Less technical talks are what RSA is for. Also, there shouldn't be a business hall or pay-to-speak slots. He says, yes, I lose this argument every year. And I think it's
an interesting one because is Black Hat supposed to be technical? Do you want business talks at
Black Hat? And is RSA supposed to be purely business talks? And do you want technical talks at RSA?
It just feels a lot like gatekeeping.
Do you know what I mean?
Now, DEF CON, for instance, which is obviously on at the same time as Black Hat.
The thing is that DEF CON has naturally become a very technical place.
You know, I went there in 2018
and I didn't understand any of the talks,
I must admit.
And that's fine, but I really enjoyed
meeting people there and, you know,
chatting to people and actually sort of seeing
the community as a whole.
And I'm going again this year, as we know,
and I'm really looking forward to it. But it has naturally become a very technical environment, and that's great.
Black Hat is obviously a slightly more commercial offering. And so it's evolving and moving and it's basically finding its niche. And its niche is
a bit of both, I think, as is RSA. So there are technical talks at RSA, maybe not as heavily
technical, but there are technical talks at RSA as well. And that has found its niche. And obviously,
it's a very successful niche, given that 40-odd thousand people go there every year, if not more. So, you know, Black Hat USA should be what it needs to be, not what other people necessarily want it to be, in my opinion.
Well, yeah, no, I think you're right. I think so. Azeria replied on this, Fox0x01,
and she goes like, Black Hat has 18 tracks.
Most of them are highly technical.
Few of them are less technical.
But with almost 100 talks, I'm sure everyone can find their jam.
And I completely agree with her.
I think there's a bit for everyone there.
I think overall, I still think there are more technical talks in DEF CON
than there are at RSA.
Yes, of course.
But the thing that I really take, sort of like, really makes me scratch my head.
And I'm like, come on.
I thought I'd expect more from someone making this kind of statement.
It's like, also, there shouldn't be a business hall or pay-to-peak speak slots.
I mean, how do you think these conferences run? You know, the money just doesn't fall out of a magical money tree somewhere.
Yeah, they are run as corporations. You know, it's not like a bunch of hackers just getting together and putting on a conference, which one could argue DEF CON still kind of is, but Black Hat is run by a company and they have to make money. And, you know, this is how they make... Tom, you and I spoke about this at RSA a couple of years ago when we made a video about this.
Yeah, that's right. People want the best of both. They want, you know, a conference that is heavily subsidized, with free food and drink, and venues to meet people and everything, but then they don't want to pay for it, and they don't want anyone else to pay for it either, because then it feels like, I'm being, you know, marketed to.
Let's look at, yeah, let's look at B-Sides, right? Some of the most popular, um, conferences around. In fact, you know, there must be, if you combine all of B-Sides versus all of RSA or all of Black Hat, there must be more people going to B-Sides conferences overall, or at least they're up there in sheer volume... run. They're not for profit, but they have talks from the community. But the reason they exist
is sponsorship and having vendors pay to be there. And if that means that your keynote speaker
is a pay to speak slot effectively, then that's a small price to pay. Now, if that keynote is crap, then that vendor
will not be asked back to become a platinum sponsor or whatever. But chances are, the way
those things are run, they know exactly what sort of keynote is going to be given, et cetera.
So again, you're right, Jav. Look, look at us, agreeing with each other like civilized people. But you're right, Jav, you can't have, you know, you can't have this entirely independent and wholly technical stuff with a conference and get-togethers without somebody paying for the damn thing.
Well, I'm just surprised. It's crazy, like dogs and cats living in harmony. It's like, what's going on? It's just been a weird day all around, I think.
Yeah, yeah. Well, your light's flickering as we were agreeing with each other.
Yeah, I think someone's trying to contact me.
Um, no, I would... yeah, no, just that I think, uh, just to top that off, I think, uh, B-Sides London do a very good job at making sure that those type of sponsors that do get any sort of airtime
tone it down.
I think so much was learned from that very first B-Sides in London,
and it was really well put forward going forward.
And that was the only one I hadn't gone to.
So one of the sponsors did a talk and it was like basically a sales pitch.
You know, you've got sort of 30 minutes and it just,
it's just so out of touch with the vibe for the rest of the conference.
But to be honest, that was the first one.
Yeah, exactly.
Are we agreeing again?
It was the first one and we are learning. And actually like you go to a lot of places and companies that do pay for,
for that kind of sponsorship, they actually often do.
They get it.
Yeah, they get it.
They're considerate of the position they're in and they do try to send someone who's not going to give a sales pitch.
Yeah, yeah, exactly.
So, yes, Ryan, we agree with you.
Charlie is wrong again.
Charlie, definition of insanity,
trying to do the same thing time after time and expect a different result.
I don't know.
Enough said.
By the way, Charlie, love you.
I think you're great.
Right.
So that, what was that?
Oh, yes.
Tweet of the Week.
Thank you very much, Andy.
Tweet of the Week.
Well, we are coming up onto the hour yet again.
So, gentlemen, thank you so much for your time.
Jav, thank you, sir.
Thank you very much.
It's always a pleasure and never a chore.
Always, always.
Thank you and have a lovely weekend. Andy, thank you, sir.
Stay secure, my friend. Stay secure.
You've been
listening to the Host Unknown Podcast.
If you enjoyed what you
heard, comment and subscribe.
If you hated it, please leave your
best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
No, so I know, just on that, uh, sciencey thing, uh, I can tell you the difference between an enzyme and a hormone.
What? I've never heard an end