The Host Unknown Podcast - Episode 59 - We Voted For The Lazarus Heist
Episode Date: June 11, 2021

This week in Infosec
Liberated from the “today in infosec” Twitter account.

5th June 1991: Philip Zimmermann sent the first release of PGP to 2 friends, Allan Hoeltje and Kelly Goen, to upload to the Internet. Read his story about the release, including his disclosure of how little he understood about Usenet and what newsgroups even were.
http://www.philzimmermann.com/EN/news/PGP_10thAnniversary.html
PGP Marks 30th Anniversary
https://twitter.com/todayininfosec/status/1269043313404862465

7th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years.
https://groups.google.com/g/gnu.announce/c/hvhlR1Vn1P0/m/NYwp-4_0CaUJ?pli=1
https://twitter.com/todayininfosec/status/1269788726156124160

9th June 1993: The first DEF CON hacker conference was held at the Sands Hotel & Casino in Las Vegas, Nevada. Initially planned by Jeff Moss as a farewell party for a hacker friend, about 100 people attended. It has since grown to become a 4-day conference with 30,000 attendees.
https://twitter.com/todayininfosec/status/1270389947753627648

Rant of the Week
There was widespread panic on Tuesday after a major Internet outage knocked dozens of websites offline. Amazon, Reddit and Twitch were all affected, as were the Guardian, the New York Times and the Financial Times. Additionally, the UK government website crashed – on the day that Britons aged 25–29 were invited to book their COVID-19 vaccines. Despite initial speculation that the outage was the result of a cyber attack – with ‘#cyberattack’ trending on Twitter – the true cause of the incident was less sensational, although nonetheless concerning.
What caused the Internet to crash?
Websites begin to work again after major outage

Billy Big Balls of the Week
Alleged drug syndicates, contract killers and weapons dealers thought they were using high-priced, securely encrypted phones that would protect them as they openly discussed drug deals by text message and swapped photos of cocaine-packed pineapples. What they were really doing, investigators revealed Tuesday, was channeling their plots straight into the hands of U.S. intelligence agents. An international coalition of law enforcement officials announced they had ensnared alleged criminals around the world after duping them into using phones loaded with an encrypted messaging app controlled by the FBI.
Street value of cocaine
ANOM: Hundreds arrested in massive global crime sting using messaging app
FBI-controlled Anom app ensnares scores of alleged criminals in global police sting
Trojan Shield: How the FBI Secretly Ran a Phone Network for Criminals
ANOM: Alleged drug kingpin told to hand himself in after being tricked into spreading fake phone app

Industry News
Biden Expands Trump’s Investment Ban on Chinese Firms
More US Kids Warned About Internet Than Unsafe Sex
US to Treat Ransomware Like Terrorism
Hacker Group Gunning for Musk
French Antitrust Regulator Slaps $268 Million Fine on Google
Microsoft Fixes Seven Zero-Days This Patch Tuesday
A Third of Execs Plan to Spy on Staff to Guard Trade Secrets
JBS Admits Paying REvil Ransomware Group $11 Million
Schools Forced to Shut Following Critical Ransomware Attack

Tweet of the Week
https://twitter.com/Eskenzi/status/1402684475243438081
https://twitter.com/KimZetter/status/1402695107640393729

Come on! Like and bloody well subscribe!
Transcript
A message from episode 232 of Smashing Security from Graham Cluley and Carole Theriault.
We'd like to extend our congratulations to the winners of the Most Entertaining Content
Award and hope to replicate more of your ideas in the future.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening
From wherever you are joining us
And welcome to episode...
Oh, what episode are we?
Episode 59 of the Host Unknown Podcast
And what a week it has been for the Host Unknown podcast.
Hello, gentlemen. Hello, Tom. Yeah, very good. Very good. So, Jav, how was your week,
specifically Wednesday evening? Wednesday evening. Well, you know, it was really good.
Eskenzi put on the EU Blogger Awards, as they do every year,
and this was the second year it was virtual.
But it was good to see everyone, albeit virtually.
And now Host Unknown have won the Most Entertaining Podcast Award.
And I don't think it's worth putting in any more effort.
I just don't care anymore.
No, no, it's all right.
Didn't we win an award the other year as well for it?
Probably, yeah.
Yeah, the Lost All The Money.
Ah, yes, the most educational content.
Oh, yeah, that was at the Security Unsung Hero Awards.
That's right.
Yes, that's right.
I mean, they all blend into one, all these awards.
Maybe I just never cared then.
Yeah.
I mean, you were the only one who attended,
and I think you actually have still got the trophy.
Well, of course, it belongs in my trophy cabinet as sole founder,
along with the other.
Otherwise known as the downstairs toilet.
Yeah.
No, I do have a big shelf,
and it's getting quite crowded with all these trophies and awards
and accolades that I've bought.
I mean, collected over the years.
They only cost me nine hundred and ninety nine dollars.
Andy, how about you? How was your week specifically Wednesday evening?
Oh, fantastic. Absolutely glorious on Wednesday evening.
And I look back on the group chat at the time where I sort of suggested,
right, everyone be prepared to drop at the exact same time if we do not win this award,
followed by the message, did you drop? Are you still there? It's like, oh damn, man, we won.
Yeah, it was good, it was good. I was quietly hopeful, but, you know, there was some
stiff competition up against The Lazarus Heist.
Yeah, well, you know, I mean, it's interesting
and it's educational, but entertaining? I mean, there's probably not a huge number of laughs in
there, is there?
Yeah, true. A valid point, valid point. But entertainment is more
than just comedy.
It is, it is. But, you know, that's all we've got, and so as far as I'm concerned,
that's all it should be. Actually, let's just stop there, because I think the more we talk about it,
the judges might reconsider.
Yeah, you know what, guys? You've got a point. Let's award it to The Lazarus...
But hang on, you were one of
the judges, Jav, in fairness. So is this insider dealing?
Absolutely not. Anyway, moving on is the
right answer.
Yeah. Oh dear, oh dear.
Well, I mean, and also that Wednesday night was excellent for me as
well, for obvious reasons. Thursday morning less so, because I had a little contretemps in my car
the week before last, and yesterday morning I found it's been written off. So I am sans car at the
moment.
You kerbed that car hard.
I did kerb it extremely hard. That's what I
said, a little contretemps.
You know, I actually looked at the pictures that you sent
of the alloys being bent in a shape that they were not designed to be bent in.
Basically, I went outside, looked at my car's alloys that are a bit scratched up, I turned to
my wife and said, you're a fantastic driver. I'll never do you for that ever again.
Oh dear.
Yeah, it wasn't my finest hour. But in fairness, it's the first time I've had to be
sort of recovered from the roadside because of an accident. Well, in fact, it's the
first sort of traffic accident
I've ever had. Unfortunately, a traffic accident that involved me and nobody else but me. But
yeah, it was written off, my lovely little Smart Roadster. So, yes, which I just, you
know, I just put the hardtop in two weeks before. I'd spent seven hours putting a new hardtop in it.
Time you'll never get back.
Time I'll never get back.
I'm hoping to get the hardtop back, though.
Yeah.
See, and this is it when people say, Andy, why don't you do more DIY?
Why do you pay professionals to do jobs for reasons like this?
I'm not wasting my time.
Who knows what's going to happen in the future?
Yeah.
Yeah, absolutely. So you'll have spent twice as much and then two weeks later think,
shit, if I'd done that myself, I would have only lost half the amount of money.
Exactly, exactly. Good maths.
You assume Andy actually looks back and ever calculates his expenses
or whatever.
He's financially free.
Yeah, well, the only time Andy
looks back is when he's in the car driving and wondering why there are all these accidents behind
him.
Well, I think I am the luckiest driver. I always see accidents behind me, and it's like, wow,
yeah, dodged another one.
Now, now, now, Tom, I think for your next car you can just get one of those
knobs installed where you just hold it like a big truck wheel.
You just, like, turn it around.
Every car I've got in has got a big knob installed.
Yes, that is true.
That is true.
Always in the driver's seat, right?
Yeah.
Now, that's either me expanding on my prowess or just calling myself a big knob.
I can't work out which.
We'll leave it to the listeners to decide.
Exactly. Exactly, exactly.
In fact, write in, let us know, which one am I?
Tom, knob or big knob?
We could do that as a little feature.
What have we got for you coming up today?
Well, all our regular features this week in InfoSec
takes us back to the birth of PGP.
Rant of the Week asks the question, what were you doing for about 45 minutes on Tuesday, June 8th this year?
Billy Big Balls is a true Billy Big Balls move, ensnaring smooth criminals from around the world.
Industry News brings us the latest and greatest InfoSec news from around the globe.
And finally, Tweet of the Week asks,
what's in a name?
And also highlights how good our Wednesday evening was.
So let's, why don't we move on into this week's...
This week in InfoSec.
It's that part of the show where we take a stroll down InfoSec memory lane
to revisit events of yesteryear
via content liberated from the Today in InfoSec Twitter account. And this
week there was a smorgasbord of stories to flick through, but I settled on a couple which are
very much like your wardrobe, Tom. They're so old they're almost fashionable again, in an ironic way.
My fellow InfoSec luminaries, does the name
Philip Zimmermann mean anything to you?
Yes, he invented that walking frame, isn't it?
Exactly, that's the one.
Yeah, so story number one is, can you believe, only a mere 30 years ago, but it does feel like it was even longer to me. But on the 5th of June 1991,
Philip Zimmermann sent the first release of PGP to two friends, Allan Hoeltje and Kelly Goen, to
upload to the internet. And in the show notes you can read his thoughts about the release, including his own, I guess,
disclosure on how little he actually understood about Usenet and what newsgroups even were.
So yeah, they were new to everybody, let's face it.
Yeah, they were. But, I don't know, I guess
you just imagine someone that's, you know, was such a pillar of internet history, you maybe thought, you
know, he knew a bit more than we did. But I guess in 1991, I mean, how much did you know about Usenet?
And I wasn't born yet. I was still, yeah, still a twinkle in Mr. and Mrs. Agnes' eyes.
Yes.
So Philip R. Zimmermann, the creator of PGP,
or better known as Pretty Good Privacy,
which was an email encryption software package,
he originally designed it as a human rights tool,
and he published it for free on the internet via anonymous FTP,
which is obviously the early internet equivalent of
available from all good bookstores.
Yeah.
And he had no idea how successful it was going to be,
so he sent this first release of PGP to a couple of his friends who uploaded it.
Allan posted it to PeaceNet, which was an ISP that specialised in grassroots political organisations.
If you imagine back then, ISPs actually specialised in certain domains
and they weren't just commercial corporate entities to take money.
Well, it was all dial-up as well for a start, wasn't it?
It was.
It was just a phone number effectively rather than someone you were permanently tethered to.
Yeah.
So PeaceNet was available to, you know,
political activists all over the world, you know,
so they sort of distributed that way.
He also sent it to Kelly Gowan who uploaded it to Usenet groups
that sort of specialise in distributing source code.
So almost like, you know, an early version of GitHub back then.
And at Zimmerman's request, she marked the usenet posting as us only
and then she uploaded it to as many bbs systems in the country as she could as well
um and in zimmerman's own words he basically admitted he didn't know enough about usenet
groups to realize that the us only tag is basically just an advisory tag that has no
real effect on how,
you know, Usenet actually propagates his findings.
He thought it actually controlled how Usenet routed the postings.
And in his own words, he actually says,
back then I had no clue how to post anything on a news group.
I didn't even know what a news group was.
So he got so obsessed with creating this software,
he actually missed five mortgage payments developing the software
at the start of 1991.
And to add to his stress, before he released it,
the week before he was about to release it,
he discovered the existence of another email encryption standard,
which was called Privacy Enhanced Mail, or PEM.
And that was actually backed by several big companies,
as well as RSA.
And even though he was stressed,
he managed to plow through because he didn't like their design,
mostly because it used 56-bit DES to encrypt messages,
which at the time Zimmermann didn't believe was strong enough cryptography.
And was proven correct.
And was, yeah, ultimately proven correct.
So he did release it, you know, divert his attention back to, you know,
paid work so he could try and catch up on his mortgage payments.
And then before he knew it, volunteers from around the world
were just sort of clamouring to help port it to other platforms,
make enhancements, generally promote it.
And he basically built a team of volunteers,
you know, back then from all these people
that wanted to help.
They ported it to every platform available
apart from Mac, obviously, because Apple.
And in 15 months after he first released it,
September 1992, PGP 2.0 was released for MS-DOS, various flavors of Linux,
Commodore Amiga, Atari, and various other platforms
in 10 different languages.
And it was shortly after that release that US Customs
took an interest in the case.
I know we spoke about Zimmermann before in that sort of criminal investigation.
It was a three-year criminal investigation, because the government held that belief that, you
know, US export restrictions for cryptographic software were violated once PGP was spread
worldwide, you know, under that whole munitions act, which they did. But yeah, so despite the
lack of funding, any paid staff, lack of any company backing him, and government persecution, PGP did go on to become the most widely used email encryption software in the world.
So a couple of things, Springtime.
I remember printing out the manual for PGP.
Yeah.
Thinking, this is great.
This is amazing.
Nobody can see what I'm going to email.
I'm going to work this.
And then failing entirely to understand a word of it.
It was difficult, wasn't it? And I think, like, to me,
yeah, PGP was never really easy, certainly for the home user. So, I mean, when I was really getting
into it, you know, once I'd got off CompuServe and AOL, you know, when I moved into real internet
service providers, Demon Internet back then,
it came with this sort of package software called Turnpike.
And that had all the tools.
You had your FTP program.
You had your finger program to get the message of the day.
You had, you know, all these other tools, trace route.
But PGP, I could never get working.
The only time I got it working was when I literally bought it as a package, and it came, you know, on however many floppy disks or whatever,
and it installed, like you mentioned with that other software, it installed like a suite
and it said do this, do that, do the other, if you're still right.
Yes, I got it working after
they were acquired by Network Associates.
Yes.
In a corporate environment, obviously.
But then, you know, all encrypted,
any encrypted email a company wanted to send us had to come to me,
you know, or rather the administrator account,
because we all had the shared key for that account.
It was difficult to, you know, we couldn't trust salespeople to...
Yeah, yeah, absolutely. In the nicest possible way.
It is, it's very... barely trust most of the IT
team, to be fair.
Yeah. Oh my God, yeah.
But it was bought by... No, I mean, from a technical perspective
on PGP, because it was so complex. But yeah, you were right. They were bought by Network Associates. Are they still around now as PGP?
I don't think it's around as PGP.
It's now the open PGP standard, I think.
But there are commercial variations of.
But obviously, people have now moved on to TLS security.
Well, it's all built in and just entirely transparent, isn't it?
But I thought there was a company called PGP, wasn't there?
There was.
I thought that was – I'm not even going to say it because I may be entirely wrong.
I don't want to give out factually inaccurate information.
But I thought that was from Network Associates.
Yeah, maybe just a subsidiary.
But I remember getting some swag for them and thinking –
Of course you would.
Yeah, I haven't got any more, though.
I haven't got room.
But, yeah, I think it was a beer glass off the top of my head,
which kind of tells you why I probably haven't got it now.
But, yeah, I remember thinking, you know, God, times have changed, you know,
from when I had to print off a manual to when somebody's handing me
a PGP-branded beer glass.
You know, the thing's grown up.
Fascinating.
Yeah, now I just type, you know, encrypt in the subject header and it's automatically encrypted when it's sent.
Yeah.
For me, but isn't it just automatically... Oh, it's encrypted in transmission, isn't it? In fact, yeah.
But yeah, anyway, our second story this week. And because things like PGP don't seem that old to me, I need another point
of reference to remind me of where we are. So if you imagine back, Jason Donovan was number one in
the song called Sealed With a Kiss. Yes. And if you don't know who Jason Donovan is, also at the top
10 at the same time was Cyndi Lauper's I Drove All Night, Guns N' Roses with Sweet Child o' Mine, and Soul II
Soul with Back to Life. And so we are talking about good times in this year that I was born,
which was obviously 32 years ago. And this is a story on the 7th of June 1989: the beta release of the Bourne Again Shell, aka Bash, was announced as version 0.99.
And two months later, still in 1989, two months later, Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years.
Remind me again about Shellshock.
So Shellshock's a vulnerability that allows systems
that, right, yes, you know, contain the vulnerable version of Bash to be exploited to execute
commands with high...
Yes, yes, yes.
So attackers could potentially take over that system. So
somebody basically added to Bash, and the vulnerability that later became known as Shellshock
was in there ever since.
Yeah, exactly, exactly. Yeah, so it exists up until, I think, version 4.3
and still exists today despite being discovered
as a significant threat back in 2014,
which was some 25 years later after it was introduced.
That's a long period of not being discovered, actually.
It is, yeah.
And if you think as well, so Shellshock was one of the –
did we have a phrase for it?
You know where it got its own domain and its whole sort of marketing brand?
Yeah, it was branded, yeah.
Yeah, it was one of those.
A bit like Heartbleed.
Yeah, exactly.
Yeah, it was around those, you know, that sort of –
It made presentations to the board so much easier to have a logo.
Yeah, but, yeah, no, I agree with you on some parts, but it was a bit wanky, let's be honest.
I get it. We do need ways of making people take this seriously, and it does.
It sticks with people.
Yeah, but I need brightly coloured logos to talk to the boards.
Yeah, but I
mean, yeah, and like I say, it persisted for so long without
people knowing. I think, you know, all we can say is update your systems. If you can't update systems,
don't make them internet-facing if you don't have to. If they do need to be internet-facing,
sanitise your inputs. And if you can't do that, just switch your computer off, unplug it,
switch the lights off in your office and go home.
Yeah.
Well, I say we're not actually giving you the technical,
the technical content or technical advice.
If you want technical content,
you need to listen to the Hackaway podcast who were fellow winners at the
European Science and Technology Blogger Awards.
There you go.
Yeah.
Yeah.
But I'm actually going to sneak in just one last story, because
it seems like only yesterday, but it was only 28 years ago, on the 9th of June 1993,
the first DEF CON hacker conference was held at the Sands Hotel in Las Vegas. And it was initially planned by Jeff Moss,
a.k.a. The Dark Tangent,
as a farewell party for a hacker friend.
And about 100 people attended,
and it has since grown to become a four-day conference
with 30,000 attendees.
So just a hint, guys,
if you ever want to throw me a party in Vegas,
you never know where it might lead to.
Yeah, or we'll just take you to Defcon and say, Andy, this is for you.
We threw this for you.
We'll throw the finest party in Tunbridge Wells we can find, Andy.
Tunbridge Wells.
Nottingham.
Yeah, I don't think there'll be 30,000 people there this year, though.
No, you're going, though, aren't you?
You're still insisting that you're going.
At the moment, yeah, yeah.
Honestly, just such a...
It was nice knowing you.
I'm vaxxed and waxed.
I'm done.
Yeah.
Midlife crisis, wrecking cars, you know, hasty decisions.
Wrecking convertible cars.
Yeah, yeah, yeah. Small convertible cars that you make grunty noises as you get in and out of.
Yeah, yeah. This is exactly like, you
know, we should have seen the signs, Andy.
Well, maybe we did, but we just chose to ignore them.
Well, that actually makes much more sense.
Yes.
Anyway, thank you, Andy, for...
I can't wait for this part to be replayed in court, Andy,
once Tom's gone.
Once I've done what?
Once I've gone what?
Once, you know,
youth in Asia, is it?
Something like that.
What?
What is that?
Don't worry about that.
Let's move on.
All right.
We are officially
the most entertaining content
amongst our peers.
It is now...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Okay, so Rant of the Week is with me this week.
And now, we made mention of Wednesday evening and Thursday morning, but do you
remember this Tuesday morning? Now, what is the date that this is released? It's Friday the
11th of June that this was released. So that, I mean, Tuesday the 8th of June. Do you remember
where you were on Tuesday the 8th of June?
I think I was pacing around the house because Reddit was down.
Yeah, exactly.
Yeah, pacing around the house looking at TikTok, right?
Yeah.
Saying, I told them, I told them, I told them TikTok is stable.
But, yeah, there was.
There was widespread panic on Tuesday morning after a major internet outage
knocked literally dozens of websites offline. So Amazon, Reddit, Twitch were all affected.
Guardian, the New York Times, the Financial Times, the UK government websites, gov.co.uk,
they all crashed. And that was the day, of course, Tuesday the 8th of June, that all Britons aged between 25 and 29 were invited to
book their COVID-19 vaccine. So if you're a conspiracy theorist, I think you know exactly what this was about.
Can I just check?
Did, Jev, were you called for a quote a minute after this happened?
And did you provide a quote about, you know, if this is ransomware, it could be bad?
And we should be doing the basics.
No comment, no comment.
For a change.
But if you do want to hear my comment, please reach out to me.
I'll be happy to provide you with one.
Yeah, me too.
So, of course, everybody started running around in circles,
waving their hands in the air, crying,
think of the children, thinking it was a cyber attack.
I mean, even hashtag cyber attack was trending on Twitter.
And it turns out that, as is so often the case, Occam's Razor,
the true cause of the incident was significantly less sensational,
but potentially just as concerning.
So there are these things called CDNs, content delivery networks. And
what they do is basically their aim is to bring the servers that you talk to and the companies
that you talk to physically closer to where you are. So if you're talking to a server in, oh, let's say San Francisco, then what this does is duplicate, effectively
duplicate that content and that server somewhere else on the internet, i.e. if you're in the
UK, probably somewhere in the UK or Europe.
And so you don't have to make quite so many hops around the internet to get there.
This is all well and good.
And what it does is it also means that there's lots of redundancy.
So if there's a denial of service attack on a particular website,
it can be worked around, et cetera.
The problem is, is that when they go wrong,
lots of other stuff goes wrong,
like having all of these websites taken offline.
So this particular... who was this? Fastly, was it?
Fastly, that's it.
It was Fastly in this case, who frankly I was not
that familiar with, if I'm perfectly honest.
No, I think, you know, probably one of the big companies
you've never heard of.
Yeah, yeah. I was expecting to see Akamai or Cloudflare or something like that.
But, yeah, Fastly.
And they just had a configuration error, which, I mean, well, two things.
One, the outage lasted barely 45 minutes, less than an hour.
You know, so all this, you know, hand-wringing and wailing and gnashing
of teeth was, you know, somewhat overhyped.
Spoken like a man who's never run a high
transactional operation.
Yeah, exactly. Yeah, that was 45 minutes.
Yeah, yeah, dude, 45 seconds is too long.
Yeah, 45 minutes of advertising and click-throughs gone,
it's no biggie.
Yeah, but you know what?
My product is so good and so strong and so reliable
that I'm selling, they'll come back.
You know?
They'll come back.
And also, what else am I going to do?
Anyway, so people just need to chill the fuck out.
But it does go to show quite how delicate and fragile the internet is
and how much we rely on, you know, just a handful of suppliers. It's a bit like when, you know, AWS goes down,
you know, the Amazon Web Services goes down in a particular region. It can take out, you know,
loads and loads of companies. And the one thing is, at least misery does love company. So,
you know, all of these organisations, you know, Amazon, Reddit, Twitch, you know,
the gov.uk, .co.uk,
at least they're not alone, right? At least they are. It's not something that they did per se. So I, you know, on the whole, I think their CISOs are probably going to be all right. The CISOs and CIOs
are probably going to be all right. But yes. And will it happen again? Absolutely. And it will
continue to happen again until there's, you know,
a complete re-architecture of the internet,
which will be no doubt done by people significantly younger
and more intelligent than me.
And either of you two, for that matter.
Oh, far more intelligent than me, yeah.
Yeah, we just know how to complain about it.
Yeah.
They're younger than us now, but will they be younger than what we are now
when they actually solve the problem?
And will we be still around and care?
Well, you know, like I said, I don't even care today.
So I'll suddenly begin to start caring about stuff.
Well, Jav, may I just say, spoken like somebody who's never run a high-volume transaction or something.
I mean, please.
Exactly.
As long as I can still sell my DVDs on eBay, I'm happy.
That's right.
Yeah, since you haven't got a pub to walk around in.
No.
DVDs.
Got any blueys?
I've got blueys.
Don't worry.
Oh, dear.
I mean, it's going to happen. You're right, it's going to happen again. It's, yeah, you know, all you do, you learn from it and put in more redundancy, double your cost.
All that money you're saving with CDN, you now double it because you need more redundancy.
Yeah, yeah, that's right, that's right.
Yeah, or you just build, you know, proper compensation into your contracts for, yeah, you know, the SLA. So that's...
Or you just chill the fuck out.
Yeah, the problem is that we're more dependent on CDNs now
than before, because we need more content pushed out closer to the customer, especially
as customers get more and more devices
and they pull down more and more content,
especially with things like 5G and what have you.
And people streaming more video and audio and more things.
It's not just posting on a bulletin board anymore.
And on the other end, we've got so many more services
that are dependent on things.
And so, like you mentioned, AWS went down. If that goes... and that went down on the East Coast, I think, last
year or something. EC3 or something.
Yeah.
And people were complaining their Roombas weren't working. They
couldn't vacuum their apartments, their, like, two-foot by two-foot New York apartments,
where they were having to manually get up and do it. So,
you know, although in fairness, that's poor design on Roomba as well, you know. Can't talk to
the internet, can't go. I mean, that's ridiculous.
But that's what more and more
services, these devices, are turning into. They're so dependent, yeah, on having the
internet connection, because they don't want any of that.
Well, they're designed so that all the data is sucked up to Uncle Bezos
in one of his data centers so that they know what your room looks like,
all the devices, and how long you clean for.
But not even having a failover mode or a limp home mode or whatever.
Fail open, yeah.
Yeah, exactly.
And they're afraid of people hacking the devices, when frankly there's a handful of people that would be doing
that. Most people, even those that could do it, just can't be arsed. You know, I didn't buy a robot vacuum
cleaner for me to, you know, invalidate the warranty and start
hacking around with. I bought a robot vacuum cleaner so I don't have to vacuum the floors.
You know, if you were the CISO at Roomba, yeah, you know, you can just imagine the
product design meeting where they could... We've got this fantastic new product, we're gonna...
But no one's gonna be arsed to hack that. Do what you want. Get up and walk out the room.
Yeah, yeah.
But, you know, it's this thing of materiality. It's
what my accountant often talks to me about when I say, should I put this in? Nah, don't worry about it,
materiality. But it is, it's about materiality. If five percent of your devices get hacked so that you don't get the data from them, really, is that a problem?
You know, because frankly, those 5% is not your target market anyway.
And they would find other ways of you not getting the data.
Don't get me wrong.
You've got to put good security protocols in it and all that sort of thing. But if it comes down to, will people still have their vacuums cleaned, i.e. doing the single thing that the product is designed to do, will they still be able to do that if the internet goes down? No. Well, in that case, we've failed to produce the single thing that we bought this product for as a product. It's ridiculous. And that should not be seen as a security thing.
So, you know. Ladies and gentlemen, I'll actually submit this as evidence.
Exhibit 22 as to why Tom is an ex-CISO.
It's in support of the business.
For goodness sake.
I don't get it.
It's almost like this is a rant, I have to say.
Almost.
Almost like this is a rant.
But to have a commercial, a home commercial product that fails
when the internet goes down,
known for its fragility and outages, that doesn't do its single purpose
that it was invented for is ridiculous.
Utterly ridiculous.
Because, oh, we might not be able to get the data from it.
For goodness sake.
Anyway, that was this week's rant of the week
That was a rant. It was a rant. I was afraid Tom's gonna give himself a stroke or something.
No, I've been doing that all this time.
This is the Host Unknown Podcast, home of Billy Big Ball energy.
Of Billy Big Ball energy, and talking of which, let's go straight on to this week's...
And the Billy Big Balls landed in my court today. Lucky me. So, um, if you work in law enforcement and you're trying to track down these no-good people who are involved in guns, drugs, people smuggling, murder, all sorts of bad things,
You must get really frustrated with the likes of WhatsApp and Signal
and all this end-to-end encryption stuff.
And you've been trying to convince the public that you need backdoors,
but they just won't listen for some reason.
So what do you do?
Well, you can take matters into your own hands.
About three years ago, officials took control of a communications firm called ANOM, A-N-O-M, after a criminal promised them access to it in return for lenient sentences.
So these devices were billed as super secure.
So it's super secure, highly, they're basically high priced encrypted phones that would be able to communicate with each other.
So think of it like a WhatsApp platform, but for criminals to chat to each other.
These phones couldn't do anything else. They couldn't make phone calls or text messages.
You couldn't talk to anyone else. It's only within that particular circle they would work.
You couldn't actually go and buy one of these things yourself. You had to be recommended by a fellow criminal. So the scarcity drove up demand. So the authorities even copied
whatever trends that are out there.
And they said, oh, there's a monthly subscription fee for this.
And they got about 12,000 of these encrypted devices out there in the hands of around 300
criminal syndicates in more than 100 countries.
Because they owned the entire network, they could very easily sit back and see where all the deals were being made, who's importing what kind of drugs, who's exporting drugs, who's buying, selling guns, what type of hits are being taken out, the value of contracts, all the kind of things.
These law enforcement agencies got together and they went in and swooped in and did their raid.
They confiscated, across about 12, 15 countries, they confiscated eight tons of cocaine.
What? Eight tons?
Exactly. Eight tons.
And this is really interesting. So I went to the internet, I was like, well, what's the street value of cocaine? And I found this really good resource, and we'll put it in the show notes, which has got cocaine retail prices on the street and then the wholesale prices. So on the street, it's sold by the gram. Wholesale, it's sold by kilogram.
So let's go to the kilogram prices.
And it's broken it out in terms of country and what have you.
And this ranges from 1990 to 2010.
And overall, it's a bad investment.
I was about to say, should I have invested?
Should I have got my pension provider to invest in cocaine to the moon?
You would have lost money. What? So that's incredible. Why is it still a criminal enterprise then, if you're going to lose money?
Well, if you'd hold on to it as a form of fund, or long term, yeah. You're generally shipping it out the door, aren't you? So, yeah, I would not do it for... True, true. Yeah, this is exactly, this is a, you know, pile it high, you know, stack it high and sell it cheap, or, yes, expensive, yes, kind of operation.
And also, has the cost of production gone down as well? Probably, probably. There's probably more synthetic stuff coming out of China. Then you get the challenger criminals coming in with their kind of non-traditional approaches of synthetic cocaine.
Yeah. Ironically, the South American ones have gone all artisan.
And, you know, the purest suppliers of cocaine.
Yeah. Yeah. This cocaine has been has been hand produced on the thighs of South American beauties.
Yes.
And picked by monkeys off the side of a cliff.
So if you were in Sweden.
And picked by monkeys off their tits on cocaine.
If you were in Sweden in 1990 and you wanted to buy a kilo of cocaine wholesale, it would have cost you 80,000 US dollars. In 2010, if you wanted to buy a kilo of cocaine, it would have cost you a mere 45,500 US dollars. So nearly halved in value. That's quicker than a BMW goes down in value.
I know. I know. So you're definitely better off investing in Bitcoin.
Anyway, they found eight tons of cocaine.
There were 250 guns confiscated.
That's a lot of guns.
Now, let's put this in context.
On screen, who's the biggest killing machine out of the action heroes?
It's Arnold Schwarzenegger. In his career, of his top five movies, he's only had 312 kills. It feels like a lot more. The most were in Commando, he made 81 kills in Commando, Total Recall 44, True Lies 51. Anyway, Dolph Lundgren, 239 career kills. So even if you add up all of his movies, his bloodiest movies, he still couldn't take out 250 people with guns. So that's just to put it in context.
How does that put it in context? You're talking about deaths or numbers, though, right?
It's numbers. It's numbers. It's numbers, man. Come on, it's tenuous links, right? We're not exactly...
You're putting the number of guns versus the number of people that Schwarzenegger has killed on screen, so you're linking them.
There's 250 people with a gun each, yeah. How many of them do you think the top action heroes can take out? And I think they won't be able to take them out. And that's the point I'm trying to make.
Yeah, but across five films, though.
Yes, exactly. And it's not an even spread.
And everybody knows.
They also confiscated $48 million in various worldwide currencies
and cryptocurrencies.
So European Union Police Agency, Europol,
described Operation Trojan Shield slash Greenlight
as the biggest law enforcement operation against encrypted communication.
How is this against encrypted communication?
It's against criminals.
Just because you can't, don't be sour because you can't break
into end-to-end communication.
Yeah, that's an even more tenuous link than you were making just now.
Yeah, well, exactly, yeah.
Well, Europol, if you need someone who can make slightly less tenuous links
than your official spokesperson, get in touch.
Yeah, I mean, that's a real sort of ulterior motive to say that, you know,
the battle against encrypted communication.
We're just talking about that.
Everything's encrypted.
TLS, everything, you know.
Oh, for goodness sake.
Exactly.
This is a case of, like, governments repeating a lie time and time again
until they can convince people.
Do you know what?
I think I'm becoming more left-wing as I get older,
whereas most people become more right-wing, don't they?
Well, yeah, you're Benjamin Buttoning it, isn't it?
Yeah.
Anyway, do go on.
Anyway, the last part, there's an Australian fugitive, Hakan Ayik, who's an alleged drug trafficker, a big king, dubbed the Facebook gangster.
He may be in big trouble because he's the one who unwittingly recommended the app to criminal associates after being given a handset by undercover police officers. So he's off hiding somewhere. So he's hiding from the police and probably hiding from fellow criminals, who probably think of him as a snitch, or at the very least incompetent.
Even criminals need to do third-party due diligence. They do. It's a supply chain risk, right?
Yeah.
That's exactly it.
Well, the diligence was,
oh, he's a good old lag and his mother loved him.
Yeah.
And I'll end with this quote by the police about Hakan.
And if this isn't a threat, it's like: he was best off handing himself in to us as soon as possible, as he may be in danger himself, having unwittingly helped the FBI with their sting.
Oh dear God. It'd be even funnier if it made sense.
And that was this week's Billy Big Balls. Thank you.
Billy Big Balls of the Week.
Sketchy presenters, weak analysis of content and consistently average delivery, but they still won an award. Like and subscribe now.
Andy, what time is it?
It's that time of the show where we head over to our news sources at the Infosec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Biden expands Trump's investment ban on Chinese firms.
Industry News
More US kids warned about internet than unsafe sex.
Industry News
US to treat ransomware like terrorism.
Industry news.
Hacker group gunning for Musk.
Industry news.
French antitrust regulator slaps $268 million fine on Google.
Industry news.
Microsoft fixes seven zero days this Patch Tuesday.
Industry news.
A third of execs
plan to spy on staff
to guard trade secrets.
Industry news.
JBS admits paying REvil
ransomware group $11 million.
Industry news.
Schools forced to shut
following critical ransomware attacks
Industry News
And that was this week's
Industry News
Huge if true
Huge, huge if true
The one that catches my eye is a third of execs who plan to spy on staff
to guard trade secrets. That's a little bit shitty, isn't it, really?
Well, in your band, you classify it as insider threat.
So what is it? Global law firm CMS have said that, according to a survey, a study which they did, the Economist Intelligence Unit interviewed over 300 senior corporate executives from various sectors across China, France, Germany, Singapore, the UK, and the US.
And, yeah, three-quarters agreed that greater investment was needed, obviously.
Half of them said employee leaks were going to be the most serious threat.
So the interesting here, I mean, you know, read the headline
and, you know, make assumptions here.
It says a third of execs plan to spy on staff.
That could just be putting in DLP.
Yeah.
Unless it's a third of the respondents were from the China part of the study.
And that's just like, you know, what?
China.
Yeah. Of course, we're going to spy on stuff.
Yeah, that's right.
What other way is that?
Yeah, exactly. In fact, all of the others said no.
All of the Chinese ones said yes.
And the Russian ones, in fairness, said yes.
And combined, that was a third.
Yeah. It would be interesting to see the breakdown by country, actually. Yeah. Because in some cultures that would be far more acceptable than others. So India, for instance, it's not uncommon at all and it's just seen as, you know, one of those things.
Well, I'd say the same with China as well, and Russia to an extent. Yeah, yeah, exactly, exactly. But, yeah, it would be fascinating.
Obviously, I haven't clicked on the story.
Oh, actually, yeah, okay, so clicking it, it says,
those in China, Singapore, and the U.S. were most likely to snoop on staff,
with European respondents more reluctant due to GDPR safeguards.
And they needed a survey to confirm that.
Yeah, I was going to say, and also isn't it ironic, given, you know, how freedom-focused America is, that actually they're in the same camp as China when it comes to spying on their own employees? Because privacy just isn't, or it's less of a thing out there. It's changing, without a shadow of a doubt, mostly from California, and their sort of privacy laws are being sort of enacted across the US. Yeah, CCPA, for one, for instance. But nonetheless, really ironic, really ironic.
What caught my eye on a different story was the US to treat ransomware like terrorism, and I was like,
what? You know Muslims around
the world rejoice like the focus has been
shifted away from us.
It's just they're going to arrest more Muslims
and accuse them of ransomware.
Or just arrest more Muslims
from their mother's basements.
Yeah, that's interesting. I mean, the only thing, because, I mean, the story doesn't really explain more about that. No, and the only story is the headline. Yeah, the only thing I can think of is that it means that they can now hold people without charge, you know, in dark sites around the world, because, you know, just suspecting them of ransomware, which again, I think, is eroding the freedom.
That's right, that's exactly what it is. Not to put it down on it.
The other one I saw was the hacker group gunning for Musk. Now, I don't know if you saw this, you know, Anonymous, allegedly, but you know, produced this video and they really slated Elon Musk. And they sort of said how, you know, he's not even the founder of Tesla, he makes up all this stuff, he was actually fired from PayPal, you know, he wasn't one of the original creators and all this stuff. And they sort of debunked a lot of what we believe about Musk, and sort of saying, didn't go so far as to call him a charlatan, but he is just someone that's bought into his title.
And, you know, he is CEO, but he's certainly not the founder.
You know, he's not the ideas guy.
Yeah.
You know, he's just using his wealth to influence cryptocurrency markets.
So is Musk kind of like the techno Trump?
Well, it looks to be going that way.
You know, I don't know why there's
all the hate for Musk. I mean, I know
people just didn't take to him in the first place. I'm not
particularly a huge fan.
He's not the most likeable person, but
Tesla
is good. SpaceX
is good.
Tesla, he actually acquired from another two people.
Yeah, so, you know, he's made more money in crypto than he has selling Tesla.
Well, he acquired it from another two people who weren't able to make it a success.
Yeah, there's always that side.
Otherwise, they wouldn't have sold it.
But then that being said, I think, you know,
it's always interesting to unpick the mythology of people,
if you see what I mean, because Trump is a perfect example of that,
you know, self-proclaimed billionaire, blah, blah, blah.
But when you, you know, you don't have to scratch particularly deep
to find out he is an utter charlatan.
Yeah.
So, yeah, interesting.
But, you know, people always tend to do that.
And what they forget is this is how most companies are made and run and what have you.
People like to say, pick apart Steve Jobs and say, well, you know, he wasn't a tech person.
He was more of a marketing person. He was fired from Apple.
Yeah. Yeah, exactly. So, you know, I think this is a bit there's a there's a lot of naivety around how the world actually works.
And it's really easy to take pot shots at people.
But even if he didn't invent Tesla or what have you, you know, being the face alone and creating that brand and creating that market interest alone is worth so much.
If it was easy to replicate,
everyone would be doing it.
Yeah, that's right.
That's right.
You know, they are still the best electric vehicles out there after a decade, at least.
Anyway, anyway, Elon, we know you're a friend of the show.
So please do sponsor us or just send three vehicles.
We will put the addresses in the show notes.
So we're rapidly running out of time, and we have to.
I did think about dropping Tweet of the Week, but not this week.
We have to move on this week to Tweet of the Week.
And we play that twice because it's so lovely.
Tweet of the Week.
And so Tweet of the Week this week is a really great tweet which I saw from a company called Eskenzi, and it simply reads: this year's EU Sec Blogger Awards 21 winner of the most entertaining content is @HostUnknownTV, congrats. And there's this great little piece of artwork that says European Cyber Security Blogger Awards Most Entertaining Content Winner, Host Unknown.
Fantastic.
I've heard that's a really good podcast.
It's fantastic.
Absolutely fantastic, those guys.
Apparently they hate each other off when they're not.
Oh, yeah.
No, those guys don't get on at all.
No, no.
Absolutely.
Which just goes to show, you know, the level of professionalism for when they're actually doing the show. Exactly, yeah. You can never tell. Never can tell, never can tell.
But I snuck in another one just quickly, the topic from Kim Zetter, asking the big questions. So she was quote tweeting Pwn All The Things, who said, you know, in response to: only if we agree the person in charge of
security in firms is a CISO.
CISO.
CISO.
CISO.
Well, exactly.
No, they're saying CISO.
Why do we pronounce CISO, CISO, yet people want to pronounce CISA, C-I-S-A is CISA.
And that's the agency.
exactly
so where do we start
CISO
CISO
CISA
CISA
it's not CISO
that's
or CISO
it's
it's CISO
yeah
it's CISO
and
CISA
I don't care
I don't care
CISA
all we know
As long as
us three can agree that
it's called a router,
then that's all we need.
And a CI double SP.
And a CI double SP.
Although the ISACA one,
the certified governance...
CISM, CISA.
No, no, Certified in the Governance of Enterprise IT, they say, is pronounced "C-GEIT", which I just can't get behind. Not that I can think of anything else you'd do with it, or whatever.
Well, they're right. It's like GIF. It's always GIF. It's good. Yeah, yeah. Jif, Jif is lemon scented and used for bathrooms. Yeah, come on, folks. I don't care what the creator says.
Yes, yes.
So I think, you know, we are addressing.
That was very quick there.
Yeah, we've done it.
We've solved it.
It's CISO.
Yeah, CISO.
And we're addressing the real issues in the industry, let's face it.
So thank you, Andy, for this week's Tweet of the Week.
So we draw to an end, so very, very quickly again, Jav, thank you so much for your time, effort and
assistance and overall presence in today's award-winning show. You're welcome.
You're welcome.
And you know that without me, we would not have won the award.
I mean that in terms of talent.
I don't mean that I had any influence. Oh, because you were in the judging panel.
Yeah.
Double back, double back.
No, no, no.
And Andy, thank you so much for your contributions,
your show notes and everything else that goes towards making
this show award-winning. Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. r/SmashingSecurity.
It doesn't matter if the judges were drinking.
Host Unknown was still awarded
Europe's most entertaining content status.