The Host Unknown Podcast - Episode 60 - Guaranteed Jav Free May Contain Nuts
Episode Date: June 18, 2021
Artist - Carole Theriault

This week in Infosec
With content liberated from the "today in infosec" Twitter account (and embellished by us 😉)

11th June 2008: Verizon released the first edition of its annual Data Breach Investigations Report (DBIR). Incidents are still a thing. Data breaches are still a thing. Some stuff has changed. Some hasn't. Time keeps on ticking. ¯\_(ツ)_/¯
Verizon Business Releases Trailblazing Data-Breach Study Spanning 500 Forensic Investigations
Analysis of the 2021 Verizon Data Breach Report (DBIR)
https://twitter.com/todayininfosec/status/1271264648986124289

17th June 2010: The Stuxnet worm was first discovered by Sergey Ulasen at Belarusian antivirus software vendor VirusBlokAda.
Announcement: http://anti-virus.by/en/tempo.shtml
Interview with Sergey Ulasen in 2011: The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight
https://twitter.com/todayininfosec/status/1273501720723648512

Rant of the Week
[Carole saves the show by having something prepared (even if it is from the cutting room floor of Smashing Security)]
ICO watchdog 'deeply concerned' over live facial recognition
https://www.bbc.co.uk/news/technology-57504717

Billy Big Balls of the Week
Doctors and Scientists Are Fighting Vaccine Misinformation on TikTok
The experts of the Team Halo initiative have taken to social media in order to combat falsehoods about COVID-19 and promote accurate vaccine science.

Industry News
VW Vendor Leaves Data Unsecured
IKEA Fined $1.2m for Spying on Employees
Third of Staff Use Security Workarounds at Home
IoT Supply Chain Bug Hits Millions of Cameras
Most Ransomware Victims Are Hit Again After Paying
Football Fever Puts Password Security at Risk
Hackers Can Spy on Peloton Workouts
A Billion CVS Records Exposed
Puzzling New Malware Blocks Access to Piracy Sites

Sticky Pickle of the Week
A Neighbourly Pickle

Tweet of the Week
https://twitter.com/InfosecMiles/status/1405194858965475328

Come on! Like and bloody well subscribe!
Transcript
So Andy, have you heard from Jav yet?
Cannot get hold of him at all.
That's going to be a bit of a problem, isn't it?
Because we need it.
I mean, he's the one that...
We've given him the hour and a half that he normally needs.
Yeah, yeah.
And frankly, we need somebody to take the mickey out of throughout, right?
Guys, guys, guys, guys, I'm here.
Don't panic.
It's me.
You can take the mickey out of me.
Hooray!
It's Carole from Smashing Security.
Oh.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to the Host Unknown podcast.
Well, well, let's let's talk about the elephant in the room.
Andy, how are you?
Good, thank you. Not too bad. That diet's going well. How are you doing?
Very well, too. This biggest loser thing is not working.
Carole, hello and welcome to the show.
Thank you for having me.
How are you guys?
You guys are in good shape?
Thank you for being the Jav replacement.
Well, you know, there's no way I can fill his monstrously sized shoes.
Or trousers or shirts or anything, really. Absolutely, he does leave a huge hole in our lives, but I'm very happy to be seen as a Jav replacement.
Exactly, exactly. Or all we ask is upgrade. We'll say upgrade. You keep that beard that we sent you in the post, if you could keep that on.
Oh, I've been growing my own. I've been growing my own. It's not worked very well.
So as you're seeing, there's a stroke on your chin.
Yeah.
So yes, folks, Javad is unable to make it this week, so we thought we would, well, go for Mark Two, the show must go on version.
The show must go on. The show must go on. Well, the show will go on anyway. Trust me.
I think it's got a life of its own anyway.
All three of us.
We'd be like the Trigger's Broom of podcasts.
You know, in a few years' time, the Host Unknown podcast will have three entirely different presenters on it, but we'll still be the Host Unknown podcast.
So, yes.
Yeah.
But welcome, Carole.
How have you been this week?
I've been very, very well. Thank you very much. How have you guys been this week?
Well, we're good. We're good.
Okay, well, we're going to have a good show then.
We've been looking forward to this all week. We've heard you've got a rat in the garden.
I do.
Now, why is Graham coming around so often?
I do have a rat in the garden. I've talked about it on Smashing Security, and I actually act less well-known song. And I even said my pick of the week is going to get rid of this rat, and it has not, so I have to come through next week.
No. Yeah, yeah, yeah.
So yeah, so that's not fun, but Wire Wool is now my new friend.
For those of a certain age who may remember the comic Jasper Carrot,
look him up on YouTube and look for the Jasper Carrot mole hunt.
And basically he sits on a swivel chair with a shotgun trying to shoot moles in his garden.
And it's hilarious.
And I can, you know, well, Carole, what have you got to lose?
You know?
I don't know, gun laws.
I don't know a number of things.
Yeah, license for that.
Don't worry.
Don't worry.
You know, but.
I don't want to kill him.
I just want him to not hang out at my place.
So I'm trying to make it as least comfortable for rats as possible.
So, what, so you're making it filthy and dirty and, you know.
No, I've just gotten rid of all the food and the water. The birds aren't coming anymore. It's just, yeah.
How are we going to get little birds next year then?
Um, Andy, so what have you been up to this week?
Uh, I went into London for the first time yesterday.
And, um, were we alone? Did you see anyone else?
I say first time since February 2020. I had to return to the office.
My first time in the big smoke, yeah.
Return to the office to collect all of, uh, all the stuff that I'd left there.
Uh, in a little box in the house?
Yeah, well, no. So they've, the office, they did, uh, quite honestly, cleared everything that was on the desks.
You know, pedestals were kind of left as they were if they were locked.
And my pedestal was locked, full of junk, full of expenses from, like, the before times,
which I need to put in, and lots of chocolate as well.
So it was actually a worthwhile haul.
Which has gone white and crumbly.
I don't know.
I've not opened it yet, but I think it'll be fine.
It was all steel-sealed.
It's just like best before, really.
That stuff doesn't really go off.
Worst case, it'll taste like Hershey's, right?
Yeah.
You mean vomit.
So hang on.
Just to go back there, you've got some expenses from the before times that need to be submitted. So this is, they're like 18 months old, right?
Well, yeah. So, but to be fair, so in what, January 2020, I went to Peru for work, and when I got back, you know, to the office, I then went to Germany. And so I'd put all my receipts in the drawer, and then obviously I've not had the chance to go back to get them since.
Well, not strictly true.
Well, I've not had the chance to go back.
You know, it's been difficult to get into the office.
You know, there's been a lockdown going on.
Have you been travelling a lot or something?
There's been a lockdown going on, right?
Yeah. Are we seriously going to talk about expenses for five minutes?
Only because Andy can afford to not submit expenses for flights and things like that.
So, no, it's not. It's just hotel.
Do you know what? Hotels. Graham was very, very bad at doing expenses when we used to work in corporate land, and he used to have this huge spike with about 50,000 invoices on it. And we had a big deadline to get them in if we wanted to get them paid, and I said, Graham, I'll do them for you for 20, right, for 20% of the cash, because otherwise you're going to get zero percent of the cash. He said no. He said no. And he, well, he was able to talk his way around it, six, you know, 18 months later, and get the money back. But you know what I mean.
So Tom's offered to do that for 10 and Jav for nine percent.
No, he's the other way around. I said nine, Jav's for 10.
Yeah, absolutely. I'll do it for 20.
I think you're right. I'll do it for 20.
Done. Sold.
The trustworthy one there, you go. It's not about the price, only the quality.
Yeah.
So I heard you're isolating this week, Tom.
I am.
My NHS test and trace app told me that I have to isolate until next Wednesday.
Oh, you're double jabbed, right?
Yeah, I'm double jabbed, but I obviously licked the wrong person over the weekend.
The wrong door handle, yeah.
Yeah, exactly.
He was like, he has googly eyes on the door handle.
They googly after I've licked it.
But, yeah, so I went out to Bristol on Saturday with a friend,
did a bit of shopping and dinner and all that sort of stuff.
And then Wednesday morning got told that I had an encounter on Saturday.
Well, I could have told you that, but I had an encounter with someone who was apparently infected on Saturday.
So I've had to isolate, take a PCR test, which, and this is a bizarre thing, so you're told to isolate, then you're told you have to have a PCR test, which you either go somewhere to take the test, which, not good if you have to isolate, but you can have one delivered to you. So get it delivered, and then you have to take it to the post box.
So yeah, absolutely. I thought they sent someone to pick it up.
No, it's a PCR test. No, no, no, no. It goes into the post box. So I double masked up and all that sort of thing. But my friend who was with me on Saturday, she had a PCR test and hers came back negative this morning. Unfortunately, my son, he had a PCR test and his came back positive this morning. So I am waiting with bated breath to see whether I'm going to turn into one of the zombie hordes or not.
You poor son.
Patient zero for a whole wave of people.
He's on Instagram charting his isolation journey.
Nice.
He said he's going to grow a beard.
I love that so much.
Yeah, he said he's going to grow a beard.
Can he do that? He said he's going to grow a beard.
Can he do that?
Yeah, he's 18.
So legally he's allowed to grow a beard.
But I hate to tell him that, frankly, mate, at 18,
that any beard you grow would probably be on the endangered species list,
let's face it.
You're going to be out of isolation.
Yeah. So, yeah, it's been quite a week, really.
Oh, my car was written off. Did I say that last week?
Yes, we talked about it last week.
Yeah, because you can't drive.
So, yeah. Yeah.
So you, yeah, it's Book of Job for you, isn't it, sir? It's like, well, you know what else could go wrong? Don't answer that, universe. Do not answer that, universe.
Oh, dear.
So what have we got for you coming up today?
In this week in InfoSec, the most famous of DBIR's launches
and the source of security talks for a decade hits the wild.
In the rant of the week, Carole obviously saves us all
with some real journalistic content and integrity.
Billy Big Balls of the week,
Project Halo versus TikTok's anti-vaxxers.
Who will win?
Industry News brings you the latest and greatest news
from our PA Newswire from around the world.
Sticky Pickle of the week makes a long-awaited return
where our protagonist deals with a neighbourly pickle.
And finally, Tweet of the Week has crime professionalised at long last.
So, Andy, I think we should move on to the very first item on our agenda.
This week in InfoSec.
Love that jingle.
I do love that sweeper.
Love it.
Absolutely love it.
It's that part of the show.
Never heard anything like it before.
Totally unique, but yet just familiar as well.
It is that part of the show where we take a stroll down InfoSec memory lane
to revisit events of yesteryear.
And this is with content liberated from me today in InfoSec Twitter accounts
and embellished by us.
Just thought we'd get in there. So there was, do you know, there was a story I dropped, and now I'm wondering whether it would have fit in better, but the original, um, story I was going to go with was from 14th of June, like 2001, so 20 years ago. The adjective cyber was added to the Oxford English Dictionary. So all that stuff you were doing with strangers on the internet prior to 2001 wasn't cybering.
It was just being perverted behind the keyboard.
So I was just a pervert then, not a cyber pervert.
Exactly.
But the words that went in on the same day, on the 14th of June 2001,
were obviously cyber, cyber cafe, cyber cultural, cyber culture,
cybernaut, cyber phobia, cyber sex, cyber shop,
cyber squatter and cyber squatting.
They couldn't have just said cyber hyphen and said, you know, yeah.
Well, they had that at the top as a combination of other,
but these were the actual other words.
Most of those don't exist anymore.
I mean, even cyber cafe. I mean, come on.
That's what I mean. Don't you think, like, by 2001 this stuff should have already gone?
What? Taking things out of it is kind of interesting.
Yeah. Yeah, I mean, yeah, yeah, we've got cyber squatting, which exists, and cyber crime that exists.
But most of that other stuff doesn't really exist anymore.
It just seemed like it got in late anyway.
But yeah, good times back then.
So the first...
I think we know why you left that story out.
Anyway.
Yeah, I was thinking about the time when, you know,
the chat rooms in the late 90s where men were men,
women were men, and children were FBI agents, right?
That was the thing I always think of about cyber.
But the real first story is on or around 13 years ago, the 11th of June, 2008. Verizon released the first edition of its annual Data Breach Investigations Report. And obviously incidents are still a thing, data breaches are still a thing, some stuff has changed, some hasn't, time keeps ticking. Um, so I've included a link to the original press release, which you can see. In it, it also says Basking Ridge, New Jersey.
Nearly nine in 10 corporate data breaches could have been prevented had reasonable cybersecurity measures been in place, according to a comprehensive report issued today by Verizon Business.
And then it goes on to say that, you know, the 2008 data breach investigations report.
They do. And also that doesn't roll off the tongue.
So I know they've abbreviated DBIR in future years.
But at the time, they said it spanned more than 500 forensic investigations, analysing hundreds of corporate breaches, including three of the five largest ones ever reported.
But if you think, 2008, only 500 investigations. So obviously, unless you've been living under a rock, you know that this investigation report provides, you know, the annual analysis for all security incidents and data breaches, um, you know, cross-sector, categorised by sector. I think public sector is the biggest contributor. Um, often referenced in marketing materials, you know, where whatever product the company's selling is, you know, solved by whatever they highlight in the Verizon report. Um, but from the 500 investigations 13 years ago, this year's analysed 79,635 incidents, of which only 29,207 met their quality standards.
So I think the numbers indicate there is still life left in these reports.
Yeah, totally.
And I'm just reading this 2008 one, the recommendations for enterprises. I mean, all those points are still perfectly valid. Still valid, like align with policy, create a data retention plan, control data with transaction zones. You know, so it's interesting.
You see, this is what happens when you invite somebody on the show who actually reads things.
Sorry, Tom's already moved on to the next. Should I put my brain on the shelf? I can do that.
Bubble gum for the brain. That's what this show is. You don't have to think about stuff.
The second story I had, the 17th of June 2010, so a mere 11 years ago, the Stuxnet worm was first discovered by Sergey Ulasen at the Belarusian antivirus software vendor VirusBlokAda.
And then there's the announcement in there.
But if you've heard of Stuxnet and don't really get what the fuss was about at the time, uh, you know, what made this unique was that it was, yeah, it was huge. It was a really sophisticated type of worm that sort of exploited multiple previously unknown Windows zero-day vulnerabilities to infect computers. But its purpose wasn't just to infect, you know, all PCs. It, you know, actually had a real-world, you know, physical payload at the end of it. So it was used to target centrifuges that were used to produce enriched uranium that powered nuclear weapons. So it was first discovered in 2010, but they believe that development actually started in 2005. And it spread like crazy, but it actually did little or no harm to computers that basically weren't involved in uranium enrichment.
Yeah.
So the way it worked...
It used them to hop along.
You know, it used those mushrooms.
Yeah.
It didn't have a payload on them, but it used them to spread.
Yeah, the specific uranium enrichment facility
in a specific country,
well, Iran, wasn't it?
It literally targeted those actual,
well, it's targeted at a single physical location.
So it wasn't just all uranium enrichment facilities
because it's been found in the wild since
and in various other industrial control systems around the world.
It simply hasn't executed because it didn't meet the criteria that it needed to,
which was these centrifuges in this environment.
Yeah.
Absolutely fascinating.
Okay.
I was going to say, yeah, so the way it worked, obviously,
it looked for specific PLCs or programmable logic controllers
that are made by Siemens, and then it would alter that programming,
which would make the centrifuge spin too quickly for too long
and then damage the sort of equipment that's used in the process.
But while it's doing that, it tells the controller that everything's working fine,
which obviously makes it difficult to detect
or diagnose what's going on until too late.
Yeah, definitely not script kiddies.
To your point about the different,
definitely not script kiddies, yeah.
So this is to your point,
where it's targeting specific companies.
It is accepted that Stuxnet was created
by the intelligence agencies of the United States and Israel.
The worm was given the codename Operation Olympic Games under George W. Bush.
And I think it was it was although neither government officially acknowledged it.
Um, when the head of the Israeli Defense Forces retired in 2011, he did actually list Stuxnet as one of his successes under his watch. So it's like, although no one officially admitted to it, this guy was like, yeah, one of my proudest moments is, you know, creating this. Um, so yeah, Stuxnet, often heard, but, um, yeah, very big in InfoSec history.
Good memory lane piece.
It's almost like it's...
This week in InfoSec.
We are officially the most entertaining content amongst our peers.
Can I take...
Okay.
What? It's true.
It's true. We've got a certificate
to prove it. Have you though?
Yes. Actually
I do.
They sent it.
What? What's wrong
with that?
We are officially the most entertaining content amongst our peers.
I just think, you know, congratulations.
Oh, dear. Anyway, this week's...
Listen up!
Rant of the Week.
It's such a mother f***ing rage.
I love that. So is it over to me? It's over to you, Carole.
Thank you. Okay, so we're going to, uh, talk about Britain's privacy chief. So Elizabeth Denham, the head of the ICO, blogged a warning yesterday about facial recognition technology. And she was saying that people should be free to go shopping or walk around a town without having our biometric data collected and analysed with every step we take.
Hallelujah. I think, to that.
Now, yeah.
And Denham's comments follow a warning by the EU data protection authorities
last year over this unfettered use of biometric data and facial recognition.
And they urged companies and agencies to consider less intrusive tools.
So do you guys think they're right to get their knickers in a twist about face prints?
Yes, I think so.
I think so.
I think it should be used in the same way as wiretaps and stuff like that. If there is a valid and, you know, public good reason to start, yeah, yeah, yeah, to start scanning people's faces in a crowd in a particular location, or in a city for a period of days, yeah, for a specific, uh, threat, et cetera, then. But it should not be done en masse, just in case.
No. And the way that these kind of technologies gain momentum is by scaring the public and saying, this is really good to catch the bad guys. So you want that, don't you? And the costs of it are not often communicated, I'd say.
So ever since the New York Times first reported on Clearview AI, that was back in January 2020.
Goddamn flies, eh?
But since then, people have been paying a bit more attention to this and getting a bit more worried.
Now, Clearview AI, for those that don't remember, is this crazy controversial company, in my view. They built a business based on the faces of 3 billion people
by scraping the web without the knowledge of the people,
like the Facebooks that were holding the pictures
or the individuals like you and me whose pictures have been scraped.
Oh, that's right. Yes.
Yeah.
And this tech was then made available as a SaaS
for cops looking for suspects or rich fat cat investor types wanting to identify hot young things or whatever.
There was one report in New York Times that said this guy used it to identify his daughter's date in a restaurant just by taking a snap and running it through the Clearview AI on his phone.
For fuck's sake.
I mean, how outrageous is that?
Right?
Um, it's so, well, the thing is, now we've known about Clearview and its operations, now there's many lawsuits, uh, both national in the States, and there's, like, legal complaints lodged in five different countries at the moment. Um, but Clearview continue to operate and, by its account, grow.
The company says it now has 3,100 law enforcement agencies using its services.
The Army and the Air Force are customers.
ICE signed a $224,000 deal in August.
Child Education Investigation Units are supervising the deployment of Clearview in a variety of investigations.
And even the Canadian RCMP.
So they've been dealing with months of bad press for having trialed this software.
I actually talked about it last year on Smashing Security. The Canadian commissioner, Danielle Therrien, said, in our view, our government institutions simply cannot collect personal information from a third party agent if that third party collection was unlawful in the first place.
And I agree with that. I agree with that 100 percent.
So you can't collect information unless you collect it legally.
And by killing people.
Or for the greater good.
Yeah, well, that's yeah, it gets complicated, doesn't it? Yeah. And even Tuesday this week, a group of lawmakers, including Bernie Sanders and Elizabeth Warren, reintroduced their Facial Recognition and Biometric Technology Moratorium Act, which would halt federal government use of biotechnology like facial recognition.
So the question that UK ICO Elizabeth Denham, uh, asked in her blog post was, how far should we as a society consent to police forces reducing our privacy in order to keep us safe?
And I think that's, yeah, I'm not a fan of this. Yeah, yeah.
So what is, go ahead.
I think, you know, Elizabeth Denham has not done much at all in the ICO. She's been very ineffective. But she, every single privacy professional I know disparages her greatly. This sounds to me like the single most important thing she's done is to publicly come out to get at this. And I think, like any new technology, it's a case of the technology
will race ahead of legislation.
Well, it already has, I would argue.
Yeah, no, exactly.
But we'll race ahead of legislation
and it takes governments
with certain ethical and moral convictions
to actually rein that back
because what they're being seen to do
is to rein back free enterprise.
I just, yeah, there should be like this ethics committee where software like this needs to kind of, you know, be kind of, go through, get tested to make sure that it meets, you know, whatever.
Yeah, but then you lose all the elements of, um, of, uh, research and development and the actual, you know, all the good stuff that can come out of it. We end up with a, you know, a technology industry that is actually hamstrung in its ability to develop stuff and test stuff.
I don't know.
For example, the antivirus industry, you certainly have testing units like Virus Bulletin and AMTSO and all kinds of, you know, bona fide groups that are there saying, yeah, this software, we've looked at it and this is good. You can install this and not be worried.
No, absolutely, absolutely. But if, for instance, um, you know, those antivirus companies are told, you know, you cannot release anything until it goes through this government regulation committee, that's going to cause problems. That's going to cause problems in the innovation space, right?
No, and certainly we're not going to solve it here
because it is a big issue, right?
Well, I think we should solve it here.
We've got at least another half an hour.
Well, I can tell you the issues.
We'll take a vote at the end.
Okay.
I was going to say, we'll take a vote at the end and whatever that,
what can we decide?
Yeah, okay.
So whatever we decide, Elizabeth Denham,
you just make it happen, okay?
I think that's fairly straightforward.
Absolutely.
Like in the issues, one of the big issues is many algorithms
that basically were facial recognition algorithms
have been found to be much less accurate in identifying people of color or women, right? And this, of course,
means, you know, its use could worsen systemic bias, right? Leading to the wrong arrests
or name and shame campaigns, right? This is not just in the hands of, you know, law enforcement.
Apparently, the way this is getting in is by free trials, right?
So somebody gets targeted by Clearview AI's marketing firm,
and they're like, here, try it for free.
They kind of go, wow, this is amazing.
And people like the NBA are using it, right?
Probably to scam the crowds.
I don't know.
But maybe someone does something. I mean, their argument would be, uh, we had an issue over here, so we identified the culprit and his name is this, and they sent it to the cops.
Surely that's just, you know, if nothing, doesn't need facial recognition. Just take a photo and use the old Mark One eyeball.
Yeah, the CCTV stuff. You don't need it for a loyalty scheme.
Loyalty scheme. This person keeps coming.
Probably no. But, and there's no law to say that you can't do that at the moment.
Is it to catch out cheaters on the kiss cam? Okay, so when the kiss cam goes around and two people kiss, yeah, you can go, there's a bit of facial recognition. It works out that that's not Mr. and Mrs. Smith. Yeah, and I know, I'll call her up. That's Mrs. Smith and her neighbour.
Yeah. And if you think about just facial recognition being a problem, think about multi-factor biometrics, which are well underway, where you would take things like a facial recognition or face print, but also a gait, a walk, the way they walk or the length of their strides.
And all this information working together to truly
identify an individual who is just on the street. We should just stick to passwords.
Now, the reason I'm talking about this is because I wanted to finish with this cute little story,
ridiculous really. I want to know what you think about this too. Okay, Canon, uh, the camera and tech company, have implemented an unusual way to deal with workplace morale that involves facial recognition. Are you ready?
Interesting. Can you guess? Can you guess?
I'm interested.
They get Quentin Taylor to wander around and regale everybody that he recognises with a hunting or fishing story.
It's better than that.
No, really?
It's horrible.
Because I'd pay for that.
So this is AI-enabled smile recognition technology.
They have installed this in their Chinese subsidiary,
and cameras only let smiling workers enter rooms or book meetings,
ensuring that every employee is definitely 100% happy at all times.
Interesting.
Now, come on.
Well, Tom, can I just say?
I don't want to do it.
I don't want to do it.
Tom, your previous office, when we used to visit you there,
you had a machine that would dispense Haagen-Dazs if you smiled at it.
It wasn't Haagen-Dazs. It was walls.
But yes, it was free ice cream. That's what I remember.
It was free ice cream.
That's why I smiled all the time.
You haven't stopped smiling.
But yeah, we built a vending machine that would vend ice cream to you if you smiled at it.
For free.
For free.
It cost a smile.
It cost a smile, which for some people was a lot.
And do you not remember, it took about four attempts for it to dispense an ice cream for Jav.
Yeah, it can tell when you're faking it.
Well, that's just true. I don't know if it's just because I'm a girl or whatever, but I don't like being told, smile, right? I think I was told that a lot as a kid. Like, yeah, yeah, yeah, it's so much prettier if you smiled. Like, all that garbage. I hate all that shit. Yeah, so I find it kind of just like...
But would you smile for an ice cream if it was...
Yeah, maybe. If it was a free ice cream? Yeah, maybe.
If it was a free ice cream, definitely.
Yeah, absolutely.
If it was a good one.
Yeah, it's much easier.
Yeah, absolutely.
They were good.
Just offer ice cream.
Exactly.
Yeah, yeah.
No, very good.
Very good.
Thank you.
I like that one in China.
Yeah.
I'd never go to meetings.
The door would never open for me.
Exactly, right?
I wonder if they put it on. I wonder if it's just the employees. Maybe it's also the visitors.
Yeah, it really does add to the, I can't come into work today because my dog died.
Yeah, quite literally. I physically cannot get in because the building won't let me in because I'm unhappy.
Imagine you're firing someone. You're about to fire someone. You're going into the meeting room
and you've got to smile your big cheeky grin
before you go in and go,
I'm sorry, your life's over.
And you have to smile to leave the room as well.
Excellent. Thank you very much
Carole for this week's
Rant of the Week.
Very welcome.
It doesn't matter if the judges were drinking.
Host Unknown was still awarded Europe's most entertaining content status.
Just milk that cow.
Oh, we will milk that until there's nothing left.
We've got 12 months to milk it.
And even then, we'll still say that we're still the most popular.
So moving swiftly on, it's now me for this week's...
Look at the size of that thing.
Carole's Colossal Cojones.
We had that redone just for you, Carole.
I don't know how I feel about that.
What, about your colossal cojones?
Well, you know, we're an open team here.
You know, we're gender neutral.
In fact, I don't know what the gender neutral version of that would be.
Something like, who knows?
Anyway, this week's Billy Big Balls of the Week.
There is a team
on TikTok.
Well, obviously there's a team on TikTok.
Everybody's on TikTok except me.
But see,
only the best people stay off TikTok.
Come on, you've got to get on there.
No, I've seen
what it does to you.
Three o'clock in the morning, oh, look at this one, Jav, isn't this good?
Yeah, brilliant, Andy.
God.
Oh, look, our news feeds or whatever it's called are aligned.
Maybe we're like my little top brothers.
It's called a 4U page.
4U page.
Yeah, your fap is aligned with my fap or whatever it is.
Anyway, so Team Halo is an initiative on TikTok primarily,
but, you know, social media generally,
where healthcare professionals are producing the kind of content that you would the falsehoods of COVID-19
and to promote accurate vaccine science, which, Christ, has it really taken this long for us to get our act together for something like this?
Well, yeah, it's astounding, though, if you ever Google the terms that, for example, an anti-vaxxer might Google, all the results seem to me to be in support of that viewpoint.
Like, it is really scary.
Yeah, absolutely.
Google, Facebook, you've got a lot to answer for here.
I think it was in their local, in their sort of state senate,
going up and talking about how the science was saying that the vaccines were dangerous, et cetera.
And there was an MD, an actual doctor up there talking about
how the fact that there was metal inside of the vaccine
caused her to be magnetic.
And another woman, and in the background,
there was somebody in the audience looking at her really seriously,
but there was a woman who went up and testified again,
and she said, why is this key sticking to me?
And she's got a key stuck to the sweaty skin on her chest.
And there's a woman in the background who, well,
has just got a face like a, what the hell are you talking about?
But the amount of utter rot that is out there,
I mean, magnetic keys to stick into your body. What happens if they need an MRI? Are they actually
going to die having one? Oh, they stick to the top. Yeah. Here's hoping, here's hoping, because that'll
thin the crowd out a little bit. Right, Tom. Tom, what I'm, these, these people are putting yours and my lives at risk. No, I agree.
You know, they would do less harm
if they went out with a semi-automatic...
I'm just not thinking that, you know,
wiping them off the existence of humanity
is the way forward, maybe.
But so a misinformation campaign...
It feels like there's steps in between
we could probably take before we get there.
Yes, like these doctors and scientists are doing
by fighting with the misinformation.
No, let's just suggest that they go for a little scan at the hospital.
And anyway, it won't kill them because it isn't true.
So my threat is entirely hollow.
But yeah, so the reason why I wanted to bring this up as a colossal cojones is that finally educated people and not educated people have been told to go and educate yourself. know about the subject, people who actually work in the field are fighting back against this wave
of misinformation and dangerous data that's being used to basically prolong human suffering.
I think the issue, though, is I think a lot of people are actually spreading this misinformation in good faith, and I don't
really feel that people who are duped by something, maybe due to lack of information or access to
information or education or whatever, should be held accountable if they're just trying to save
theirs. So I can see it's a very sticky situation, right? They're not doing it to be, to spread shit.
I'm sure there are some, but most of them aren't.
I think there's a core of people that are,
and those are the ones that I'm particularly concerned about.
I would agree with you on that.
Yeah, absolutely.
They're the ones that are doing this deliberately
or are actually so misinformed and so out of touch
and how can I, not uneducated, that's the wrong term,
lack even the most basic form of critical thinking?
I don't know.
Oh, come on.
No, I don't know.
I think also that we are very lucky in that I spend every day looking at media
or distilling media or writing media or doing some kind of something with it.
So I'm able to slalom around them in a way that I feel confident I'm getting the right information that I need.
But that's a skill that I've honed over 20 years.
But we have access to more information than we ever have had in our lives. And yet we go with, you know, we go with something that's bright, shiny and loud. It's kind of hard to find the right information if you don't
have the right words, I'll tell you. Well, it doesn't help when all the media is being influenced
against you, as it were. So you've got these people that are actually deliberately misinforming.
Yes.
Absolutely.
Absolutely.
But yeah, I just, I find it, you know, some of the leaps of logic that people take completely astounding.
Completely astounding.
This whole, you know, when I was talking to somebody about the test and trace thing and the fact that I got notified that I was in contact with someone
and they said, well, that's why I turned my notification off on the app.
You just don't need that type of bad news to ruin your day, do you?
Yeah, exactly.
It's like, as you say, Andy, I'm getting these chest pains around my heart.
And, you know, so I'm going to have another bacon sandwich to make me feel better.
Exactly.
It's, you know, well, I switched that off so I don't have to get, just uninstall the app then.
I know, but then you're not, I think people are actually addicted to these things.
Like I do think we will learn in the next decade or so that there is actually addictive things that happen in your brain when it comes
to certain of these apps. The psychological warfare that's happening is astounding. Yeah.
Anyway, just give people a break. Just blame the baddies. Well, well, I am. And also, stop being so
damn reasonable, for goodness sake. Yeah, we're here very funny, Carole. Yeah, exactly.
I'm saving my jokes for my shows.
Well, okay, so this, well, okay, well, that was this week's
Carole's Colossal Cojones.
Is that Andy saying that?
No, no, that's Mr Fiverr.
Oh.
Right, moving very swiftly on because we're short of time
because Andy's computer's failed us again.
Let's move on to this week's...
Industry News.
VW vendor leaves data unsecured.
Industry News.
IKEA fined $1.2 million for spying on employees.
Industry News.
A third of staff use security workarounds at home.
Industry News.
IoT supply chain bug hits millions of cameras.
Industry News.
Most ransomware victims are hit again after paying.
Football fever puts password security at risk.
Hackers can spy on Peloton workouts.
A billion CVS records exposed.
Industry News.
Puzzling new malware blocks access to piracy sites.
Industry News.
And that was this week's... Industry News.
Carole, where's the...
You sounded like you were multitasking while reading those out.
Did I?
Yeah.
Making show notes for...
She thought of a funny joke that she's going to use on Smashing Security.
Oh, it's my time.
A billion CBS...
No, I just...
I was worried I would get the acronym wrong,
because I normally...
I'm a bit dyslexic, actually, when it comes to acronyms.
I find $1.2 million for spying on employees.
I've just been doing this for an hour and a half.
It's like my limit.
Insult the guest, Tom.
Good work.
Exactly.
Yeah.
I like you, Andy.
You're going to come on my show, aren't you?
I'm going to love it.
Oh, dear.
We're going to love you.
As long as he goes on there one more time
than Jav. That's all he asks. Maybe three times, Tom. Four. Thank you. You'd have to go on there five
times. You have to go on there every week for the next five weeks. We'll talk, we'll talk, Eddie.
look if you need if you ever need someone as a last resort,
you can not bother calling me now.
He's the last resort, yeah.
Okay, no problem.
What? No, no, no.
He's just kidding.
That's not what I meant.
That's not what I meant.
This is the Host Unknown Podcast.
The couch potato of infosec broadcasting
So in honour of you, Carole, and we're running very short of time, but we've got one more, um, uh, thing
to get through for you. It's not security related either, is it? Is it not? It's not. Excellent.
ever found yourself stuck in a fick, knee deep in a dilemma?
Like and subscribe to the Host Unknown podcast while you figure out your sticky pickle.
I think I need a copy of that.
I'll just cut it out.
Send to your lawyers.
No, I'll put it on our show.
Now tell me, someone has a sticky pickle for me? Fantastic.
Yes.
So I have a neighborly sticky pickle this week.
This story has come in.
Obviously, it came to us instead of going direct to the Sticky Pickles podcast.
That's okay.
You guys are perfect doormen for me.
Yeah.
So, you know, we'll filter out the chuff and, you know, send you the good stuff.
But as you hear, we've got the chuff.
Filtering out the chuff is something else entirely. Rule 34. Yeah, that's what Jav does on WhatsApp, isn't it? We're
now, we're now in Sticky Pickle land. So, so the protagonist in this story is a young man, uh, named
Anthony. Okay. Now, Anthony moved into this neighbourhood
about six years ago.
Generally keeps himself to himself.
Always been very polite with his neighbours,
even though he has suspicions
that his neighbours maybe look down on him.
Why would that be?
Well, it kind of goes back to
when Anthony first moved in.
Is it because he's 5'4"?
Yes.
Yeah, exactly that.
It's the height thing.
So he was wearing a football shirt,
and he needed to borrow something from the neighbours,
knocked on the door,
and he noticed the neighbours were wearing rugby shirts.
So it's a day that rugby was on.
Oh, so it's completely valid then in that case.
Yeah, it's the type of thing I'd expect Tom to do,
you know, like if he saw his neighbourhood. Um, so although nothing's ever been said, I think, you know, that there's always
kind of, you know, that they're kind of looking down at the shirt when he's wearing it, and they're like,
okay, you know, do we really want these kind of people moving in next to us? Um, so this area that
Anthony lives in, it's a particularly green area. Okay. There's lots
of mature trees. Um, Anthony is not a green-fingered person at all. Uh, so, you know, he likes football and
does not like gardening. Yeah, it doesn't appreciate, you know, these oak trees that have been there, you
know, 200 years or whatever. It's kind of, the roots are a problem. Okay. Um, but, you know, it's all totally legal, right? So in the first couple of years, um,
you know, this guy moved, I think he had removed three full-size trees from the garden. Okay, because
there's just no light in the back garden at all. Oh, they're on his property? They're on his property,
yeah. Right. And so there's, um, you know, the neighbours to the right noticed
when he did this, uh, and they actually came around, said, hey, look, we know you're getting rid of these
trees. Like, we've got this other tree that's on our boundary. Um, do you want to go halves with
us to get rid of it? And, like, Anthony's like, yeah, sure, you know what, that's a great idea. You know,
I don't want this tree. If you don't want this tree, you know, we'll split the difference. And then we go. Okay.
Yeah, exactly.
Yeah.
Problem halved, you know, half the cost.
Good, good deal.
So another, like another time, you know, Anthony removed this other giant tree that was sort of on his side of the
boundary, but, you know, it was very noticeable to the neighbors.
And, you know, they were really happy when that went.
And they came out and said, oh, you know they were really happy when that went um and they came out and said oh you know it's amazing because they came out into the garden at the same time and they said oh it's amazing
that one's gone it's made such a difference to our garden um and then you know the following
year they had this new patio laid out it you know they had all this work done and so they can now go
out there but the problem is there's more trees at the back. And when the sun moves around by two o'clock in the afternoon, their new patio area is actually shaded by these trees that are in Anthony's garden.
OK.
And, you know, they kind of made some comments and they sort of said, you know, if you ever want to cut down those trees at the back, you know, would would happily contribute towards them, you know, sort of take some height off the top.
OK.
And so, you know, no big issue.
And, you know, it's kind of left for a while.
And then, you know, over time, these sort of trees have grown a bit more.
And then one day this neighbor came around and he said, look, you know,
we've got this tree that's at the back.
It's actually on your side, but I want to cut down, you know,
all these branches off it
the ones that come over our side, and maybe take a bit off the top. Are you okay with that? Okay. So
Anthony's like, you know what, it really doesn't bother me that much. Right. You know, just,
yeah, I would do that, you know, and then just let me know how much it is for my, for my share of it.
Okay. Okay, yeah, it's all neighbourly. Yeah, it's all neighbourly. And the neighbour is like,
okay, great, you know, I'll do that. And then he went off, and the next day he comes around. Uh, Anthony
wasn't available, but, you know, he spoke to Anthony's wife and said, uh, oh, I'm gonna get the tree down.
It's gonna cost, uh, 700 pounds, you know, for, for your two trees. Um, you know, you're okay with that?
And so Anthony's wife's like, okay, no idea what's going on, but sure. And, uh, so the neighbour's like,
well, you know, your husband said that you'd contribute towards it. Is that good? And, uh, so she was like, okay, cool, yeah,
whatever. So these gardeners came in, and, um, and Anthony just double checked with the guy, with the
neighbour, like one who's going out, and he said, right, these trees that are coming down, it said,
you said 700 quid. And he said, actually, it's 750. And it's like, okay,
well, you know, 50 pounds difference, maybe there's a misunderstanding, but, you know, 50 pounds, not, not,
not the end of the world. And so he goes out, and then the gardeners come in, they cut down with
these trees, and, you know, everything's good. And then Anthony gets this text from the neighbour,
and it says hey Anthony hope you're happy with the tree work today. My account number is, you know, such and such.
And then he said, feel free to contribute whatever you feel the job is worth.
Okay.
Now, he's already said it was 700 to Anthony's wife.
He told Anthony it was 750, you know, specifically for the trees on his side.
Yeah.
Okay.
And so he said, contribute whatever you feel the job is worth. Now
Anthony, he's not, uh, you know, he's not thinking, well, I'm gonna shortchange these guys. Um, yeah,
he's like, well, the guy said it was 700, then he said it was 750, but, you know, good neighbour, I'm
not gonna, you know, argue with that. I'll just give him the 750. Right, that's what I would do. Okay, yeah,
yeah, exactly. You think that's, that's all good. And then a few days later, actually takes, like, a few days, even though the money's gone in,
you know, bank transfer, because Anthony, you know, he pays his bills. Uh, he got this note back, said,
hey, Anthony. You know, it's all by text, you know, these guys don't talk often. He says, hey, Anthony,
thank you very much for your more than generous contribution. You must let us contribute next time you get your hedges
done. And then Anthony's like, this is a really weird situation. Like, you know, what, what the hell
does he mean? Oh, I see. I think I know what happened. So it later transpires that 750 was the cost of the entire job, including work done in their own garden that they have.
Now, what should Anthony do at this point?
Anthony should email and say, actually, no, let me go to Tom.
Let me go to Tom first, the picklet. Well, I think Anthony's the kind of person who can probably afford this, because
they, they, they're probably the type of person who doesn't submit expenses for 18 months and
doesn't really feel the dent at all. So obviously money's not an issue here.
So, you know, just consider it a gift to the neighbor.
I think I would email going,
oh, I think there's been a bit of a misunderstanding.
We'd agreed to pay half the bill,
and when you came over and said the price,
we thought that was half the amount, you know?
Yeah.
So you would actually claim the money back.
You mean like a normal sane person would do.
And also if I were the neighbor that received the money,
I would not, I would just go,
I think there's a misunderstanding here.
You don't have to pay all the bill.
We got some stuff in our own garden.
So let me, I think there's a, you know, I think all you need to give us is 300 or whatever. Yeah, so I, yeah, I didn't, but they obviously sound
nice, and they want to contribute to the hedges. I would just, uh, let them do that. Nice. They've just
said thank you for paying for the entire bill, including the work, extra work in our, in our garden.
do you think anthony is a type of person that's going to probably point it out?
Because I think they probably should,
because otherwise it's going to breed resentment.
Yeah.
Or it's 325 quid at least.
Or, you know, Anthony owns these guys' asses now.
No, I think it's the other way around.
I think he should get, ask for the 325 quid back and then buy his two best mates who he runs a podcast with some presents.
What do you reckon? Interesting. So what, what did Anthony actually end up doing?
Um, can you just, yeah, okay. No, no, wouldn't Anthony just text Rob and go, hey,
do you know, let's go for a beer or something? Like, invite him out for a beer and just say, look,
I had no idea. He's not, no, he's not that close. They're not close. No, no, it's very little
conversation between those. Right. And that's the way I wanted to keep it. Yeah, right. I mean, the
neighbour obviously drinks real ale and walks around with a, with
a Barbour and wellies, whereas Andrew's like white trainers and, Anthony, Anthony
is white trainers and, uh, nylon football shirts. Right, but yeah, you could just chalk it up to
something like a lesson learned as well. I mean, I, that's a fucking expensive lesson. Well, I, I booked something at, uh,
Champneys when, you know, there was a break last summer, and then the, uh, the lockdown came
in, and they wouldn't give me my money back. Still haven't paid back, ignored all my emails, everything.
And that was 500 quid for this, you know, the yoga retreat. So, you know, guess what? Never going to
Champneys again. Yeah, yeah. Namaste, dudes.
Exactly.
But surely you've got a space on the, you know, at the next one, right?
No.
Oh.
No, not at all.
That's small claims court then.
Well, it could be.
I couldn't be arsed.
It's going to cost you 50 quid, a bit of paperwork,
and you'll get your money back.
Yeah, but a lot of mental, you know, don't, yeah, I can afford
not to. What, what I decided to afford it, filling a form in. Yeah, if you want to do it for me, if you
want to do it for me, yeah, you want to be my 25, you can take it. Done. Okay, right, send me the details.
You're on. Okay, done. Did we help? Did we help? And, yeah, absolutely. So what did, so who said about the, uh, he's going
to harbour resentment? I mean, because what, what did happen was, like, the following day, Anthony noticed
they had, uh, pizza delivery delivered, and they never get, you know, takeout, uh, unlike Anthony.
And Anthony was like, oh, so they're enjoying pizza on, on his money.
enjoying that pepperoni yeah free was it
You can afford takeaways now, can you? Yeah, yeah. But having good neighbours is a good thing. It is
important. Yeah, it's a, it's a nightmare to have neighbours you don't get on with. Yeah, that is a good thing. It is important.
You don't get on with.
Yeah.
That is a really,
really bad nightmare.
I've seen that.
Anthony's done nothing.
He's done absolutely nothing.
He's,
he's choked it down to a,
uh,
unfortunately Anthony's wife didn't find it as amusing as Anthony did.
Um,
I can't imagine why.
I,
what's going to happen though.
Next time there are more trees to be removed on their property or to be
trimmed?
Is he going to come over and say, hey, I'm getting my trees removed or downed?
I think the phrase trim your own fucking bush is going to come to mind.
Need a bit of wonga.
Yeah, I'd be surprised if they, like I say, they did say, oh, you must let us contribute next time you get the hedges done.
So, yeah, contribute.
I'm incredulous at this.
I have to say.
So what would you do?
You'd go over and say,
give me my money back.
No,
I'd say there's been some misunderstanding.
Yeah.
Would you wear a football shirt when you do it just to sort of add to the
effect of,
you know,
I'd go around shirtless.
With your bulldog tattoo showing.
Yep.
Yep. With, uh, you know, one of the bulldog's eyes. That's what I would do. Just Clint Eastwood it out. Get off my lawn.
Anyway, so that was, well, we're definitely going to invite you on to Sticky Pickles at some point. That was pretty good. Yeah. Yeah, absolutely.
We want to find that out.
That was this week's Sticky Pickles, which was an unexpected one.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Sticky Pickle of the Week.
Anyway, time for the world's fastest Tweets of the Week.
Tweets of the Week.
We always play that one twice.
Tweets of the Week.
Andy, I think this is you.
No.
Or me.
It's now me because the show notes have just said so.
So very InfoSecMiles at InfoSecMiles, tweet of the week.
This one's quite close to our hearts.
Do cyber criminals need three to five years experience,
a degree and a CISSP for entry level crime?
Yes, I think they do.
I think they do.
It's late of the week.
That just went right over my head.
OK, good.
Right.
I think we are done.
Thank you very much, Carole, for your time today.
Yes.
It's billable now, isn't it?
All of it, yeah.
It's two and a quarter hours.
It's going to be billable.
Yeah, yeah, exactly.
I thought a half hour, no problem.
I'm happy to do that.
A half hour for a one-hour show?
Not bad, Matt.
Not bad.
I see the North American education system is still holding up strong.
Yes, Carole, thank you so much for joining us.
It was fun.
Thank you for having me, for having a sense of class
and education that, uh, Jav never brings. I was gonna say he always brings, so I'm glad. Oh, yeah, that too,
that too. Um, and Andy, thank you very much. Stay secure, my friends. Stay secure.
You've been listening to the Smashing Unknown. Oops. Yeah, let's do that one.
You've been listening to the Smashing Unknown podcast with Andy, Graham and Tom. No, if you like,
let's not do that one. Wow, that was when Graham was, wow, I forgot about that. What a fucking blow, boys.
Holy shit.
That's like a slap across the face.
You know what?
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel. Worst episode ever.
R slash Smashing Security.
That was a slog.
It really was.
I don't know.
Oh, my days.