The Host Unknown Podcast - Episode 63 - The JavAndy Show
Episode Date: July 9, 2021This weeks show is 33% off but the content is still as average as ever!This week in Infosec - 3 mins 11 secsBilly Big Balls - 12 mins 49 secsRant of the week - 20 mins 52 secsIndustry News - 30 mins 5...6 secsTweet of the week - 38 mins 20 secs THIS WEEK IN INFOSECWith content liberated from the “today in infosec” twitter account4th July 1994: John Markoff's article "Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit" was published by the New York Times. It was about Kevin Mitnick.Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuithttps://twitter.com/todayininfosec/status/14118918491329249328th July 2008: Dan Kaminksy gave a press conference announcing a DNS vulnerability he discovered 6 months prior. RIP, Dan.Fix found for net security flawhttps://twitter.com/todayininfosec/status/1413206908882804739 BILLY BIG BALLSRansomware-hit law firm gets court order asking crooks not to publish the data they stoleCriminals break into your systems, they do the usual, exfiltrate data, deploy ransomware, and leave you nasty messages about how they pwned you while blackmailing you.However, New Square Ltd may have found a way to stop the criminals from capitalising on the data they have stolen by making it illegal for the criminals to release any of the stolen information. RANT OF THE WEEKThis TikTok Lawsuit Is Highlighting How AI Is Screwing Over Voice ActorsVoice actors are rallying behind Bev Standing, who is alleging that TikTok acquired and replicated her voice using AI without her knowledge.At the center of this reckoning is voice actress Bev Standing, who is suing TikTok after alleging the company used her voice for its text-to-speech feature without compensation or consent. This is not the first case like this; voice actress Susan Bennett discovered that audio she recorded for another company was repurposed to be the voice of Siri after Apple launched the feature in 2011. She was paid for the initial recording session but not for being Siri.Find a job with TikTok Resumes INDUSTRY NEWSREvil Group Demands $70 Million for 'Universal Decryptor'Suspected Cyber-Criminal "Dr Hex" Tracked Down Via Phishing KitBA Settles with Data Breach VictimsOfficial Formula 1 App HackedBiden Administration Cancels $10bn JEDI ContractOver 170 Scam Cryptomining Apps Charge for Non-Existent ServicesRegulator Probes Former Health Secretary's Use of Private EmailTrump Sues Facebook, Google and TwitterNew PrintNightmare Patch Can Be Bypassed, Say Researchers TWEET OF THE WEEKhttps://twitter.com/sherrod_im/status/1412856171652861953https://twitter.com/doctorow/status/1412923242273140736?s=20Full story - Delivery Drivers Are Using Grey Market Apps to Make Their Jobs Suck LessDrivers are there virtually, using GPS-spoofing apps to position themselves right in the center of the McDonald's lot while they physically wait under nearby shelters. Using these unofficial apps, known as tuyul, drivers can set their GPS pins at the optimal location they would like orders from, without having to physically drive there. And with that we leave you to enjoy the weekend! Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
So, Geoff, do you think it's feeling a bit younger around here at the moment?
Only by about four decades, yes.
So I guess we should explain what's happened.
We actually hit the target, and so Tom is not here.
Last week, we said on the podcast, if we raise £100, then Tom gets the day off.
Less than four hours after the podcast was published the duchess of ladywell aka mrs langford senior went to church on sunday got up and asked
for contributions so that she could see her son one day in the week yeah and the community pulled
together and they made it happen.
So thank you.
Yeah, and had we known that's all it took to get some money,
I guess we would have asked for that a long time ago.
If you want to give us money,
we'll make sure Tom does not come back to record.
That's it.
A younger podcast, a more ethically diverse podcast.
What more could you ask for?'re listening to the host unknown podcast
good morning good afternoon good evening from wherever you are
well heaven knows that was a tough job to replace
jeez it's making out you know it does all the heavy lifting on this show Well, heaven knows that was a tough job to replace.
Jeez, he's making out.
You know, he does all the heavy lifting on this show.
I will play the role of Tom today.
So, Jev, how are you, sir?
I'm doing great, my man.
What could be better is just chatting to my best mate without Uncle Tom overlooking us and trying to censor us.
Oh, dear, it's going to be a fun show today.
I'm still nervous about how we actually get this published.
You know, I'm sure we'll figure something out.
But do you have the logins to the site that we need to load it to in order to publish it?
It doesn't matter because Tom has three passwords he uses for every single website he's ever logged onto in his life.
So I'm sure we can
get in right okay that's uh password one two three four password four three two one and just uh
password all lowercase isn't it yeah that's the one cool coming up today what do we have for you
we have this week in infosec you've got quite a lot of resource pursuing a guy and they're not entirely
sure why they're pursuing him barely big balls i have no idea it's genius isn't it it's absolute
genius rant of the week like you just put me on the spot there and said like what would i say
and i don't have an elevator pitch ready industry news and of course our favorite tweet of the week so you know using one technique over
the other just to stick it to the man so we will kick off the show with this week in InfoSec.
So it's that part of the show where we take a stroll down InfoSec memory lane by regurgitating content liberated from the Today in InfoSec Twitter account.
And so this week, I am going to remind you of two InfoSec luminaries with very different paths. On the 4th of July 1994, a mere 27 years ago, and it's a day, 4th of July, that's
a date that, you know, Americans celebrate. Not entirely sure why. It's just a regular week regular day for us so 4th of july 1994 john
markoff's article titled cyberspace is most wanted hacker eludes fbi pursuit was published by the new
york times and it was of course a story about kevin mitnick no less so cyberspace is most wanted
obviously what an accolade and obviously you know these days it is a very different life for kevin of course, a story about Kevin Mitnick, no less. So cyberspace is most wanted. Obviously,
what an accolade. And obviously, you know, these days, it is a very different life for Kevin,
as you well know, you work with him. But for those of us of a certain age who missed the
stories of Kevin's past, he's probably these days most well known for his business cards,
which double as a lockpick set rather than you know people fully understanding what he went through so regardless of anyone's like anyone's views on
mitnick he has been a main player in the infosec story so i'm going to quote directly from the new
york times article it states that combining technical wizardry with the ages old guile of
a grifter kevin mitnick is a computer programmer run amok and law enforcement officials cannot seem to catch
up with him at the time this article was written you know he had actually already served time in
jail for you know previous computer computer crime and he was now one of the nation's most
wanted computer criminals so he was being pursued under under suspicion of stealing software and data from like half a dozen different
phone companies and he did it by coaxing employees into giving him passwords what we refer to these
days as socially engineering but this article in the new york times and there's a link in the show
notes went on to basically liken him as the kid that foreshadowed the plot of the 1983 movie War Games.
Ultimately, on this occasion, he was accused of causing $4 million in damage to computer operations at the company
and stealing a million dollars worth of software.
Now, obviously, we know how companies come up with this number.
It's a bit tedious.
But in 1993, so the year previous while a fugitive he managed to gain control of a phone
system in california that allowed him to wiretap the fbi agents that were actually searching for
him so he pulled like a proper uno reverse card on them to you know to sort of stay ahead of the
game but what the article goes on says it's not clear if he was using his computer
skills, or it's not clear that if his computer skills were unusual in the world of programming.
But obviously, he was very good at socially engineering. So, you know, even at the time,
1994, they were unsure, you know, what a hacker was, what a social engineer was,
they didn't really understand, you know, what everyone's able to do. But I mean, there's
no evidence that he actually used his skills illegally to make money, right? And the phone
companies who say that he stole this software, they were worried that he would sell it to
competing manufacturers in Asia or offload it to criminals who want to make free phone calls.
And even at the time, the FBI and Justice Department said they didn't have absolute proof that he was behind any of these attacks on the phone companies.
And this is really what made him one of the main characters in this story, is that you've got quite
a lot of resource pursuing a guy, and they're not entirely sure why they're pursuing him.
But eventually, they caught up with him in the february of 95 this is like a year later he was charged with wire fraud possession of unauthorized access devices interception of
wire or electronic communications unauthorized access to federal computers and of course damaging
causing damage to a computer which is you know it's kind of standard in the 90s if you wanted
to arrest a hacker um and obviously you know know what the justice process is like. It
takes a while to get there, right? So it wasn't until four years later in 1999 that he actually
got the opportunity to plead guilty to a number of counts of these charges as part of a plea
agreement. So he was sentenced to 46 months in prison, plus 22 months for violating terms of a previous 1989 supervisor release
and he admitted to violating terms of that release by hacking into Pac Bell's voicemail
and other systems so he served five years in prison four and a half years pre-trial and then
eight months in solitary confinement and that was because law enforcement officials convinced
a judge that he had the ability to start a nuclear war by whistling into a payphone.
So just to make this absolutely clear, the police managed to convince the judge that
Kevin Mitnick would somehow be able to dial into the
norad system via a payphone from prison and communicate with the modem by whistling
like nuclear launch codes right yeah the judge believed it is eventually released in uh 2000 on
you know again superfiles released and although he was convicted of copying software unlawfully,
you know, at the time, supporters argued that his punishment was excessive. And a lot of the
charges against him were like fraudulent, not actually based on actual losses. And even Kevin
himself in his book, The Art of Deception, he actually says that everything he compromised
was using passwords and codes that he'd gained by socially engineering.
He didn't actually use any tools or crack passwords or otherwise exploit vulnerabilities.
He absolutely just targeted the people.
This is one of those cases that tested the new laws that had been created to deal with computer crime as it was evolving.
And it really sort of raised that public awareness involving network security.
But the controversy remains today.
The Mitnick story is still often cited as an example of the influence that newspapers and media outlets have on law enforcement personnel.
So it was an interesting time back in the 90s, but to me, definitely a main character in what has become this industry.
The book you mentioned the art of
deception i remember stephen bonner recommended that to me back in the early 2000s i think it
even today it's so relevant because the same techniques he used then are applicable today
yeah and this is i guess this is one of the things that we try and highlight is that
it's exactly that there's not much that has changed
in terms of techniques that people are using to exploit, you know, social engineering. It's still
the same, like password guessing, convincing people to release information they wouldn't
otherwise. And, you know, we're just doing different delivery methods, I guess, these days.
It's easy to laugh at the judge who got convinced by the police that he could whistle codes down. But then I thought, how's this different from any CEO who approves a CISO's
request to have, we need a three-year identity and access management project to go on, and we need to
hire big consultants here, and we need to spend two million on this product over here.
It's about selling a story, isn't it? It is.
Briefly, I will uh mention just the other
person you know i'll mention is someone who is on the polar opposite end of the scale to kevin and i
guess his origin story really started you know 13 years ago on around i think it's the 8th of july
2008 um and it's a guy called dan kaminsky who gave a press conference announcing a dns
vulnerability that he had discovered six months previously obviously rest in peace dan i know
with a heavy heart we obviously lost him earlier this year age only 42 so you know went really
early but you know dan was known for his many contributions you know in the
industry including the discovery of the dns cash poisoning vulnerability you know in 2008 early
work in developing a framework to address sql injection and cross-site scripting but i guess
what differentiated dan from other figures who might be considered amongst you know the elders
of the internet was his kindness and the help and encouragement that he offered to other hackers,
you know, particularly those making their start in the industry. So I'm not gonna be able to do
him justice, you know, without preparing way more notes on this one. But you know, his influence
does reach areas that you might not even realize. So I've included a link in the show notes,
it's got a video which talks about some of the influences that he's had on people but there's one quote which i did like and i think
summed it up is you know we owe him so much and people who will never know his name oh dan and so
there you have it yeah i mean there's two different types of people in this assorted box of
infosec main characters and whether you believe it not, your life is probably better because of them.
Absolutely.
Can't underestimate the impact that some of the early Piners had
on the direction of the industry.
Yeah, and that was...
This Week in InfoSec.
This is the podcast the Queen listens to.
Although she won't admit it.
So I guess we should head straight into this week's...
I was going to say the ball's in my court this week
because I've been watching a bit of Wimbledon.
But did you
actually see before I get into the story there was uh I saw a clip of it Federer played a little
kid on court some kid came onto court and he had a little rally with him and the kid lobbed him
and got it through I didn't say that no I saw it on LinkedIn what was great is someone posted it
and one of the first comments or one of the
top comments were nice video but LinkedIn isn't the place for it yeah and so many people get
flamed is he got flamed so hard everything ranging from you know who are you are you the LinkedIn
police yeah but but lots of people actually made the comment this is actually good leadership and making other
people feel good about themselves and what would he have achieved had he just like beaten the kid
or or what have you a lot of it's just about how to win friends and influence people and that kind
of thing people do love getting the pitchforks out in a public forum though don't they they do
it's why i've got i've been getting more and more scared to post anything on these days that's just it's a minefield out there you just don't know
what you're going to get you're going to get cancelled if you do it wrong what is perfectly
acceptable today in two weeks time it's going to be the thing that will get you fired from your job
so i think we should start auto deleting old podcasts as well especially the ones with tom in
it and hopefully by the end of the year people actually forget that tom was an original part So I think we should start auto-deleting old podcasts as well, especially the ones with Tom in them.
And hopefully by the end of the year,
people actually forget that Tom was an original part of this.
Yeah, exactly.
Yeah, an original team member.
Anyway, the Billy Big Balls of the week.
It's a usual story.
Criminals break into an organisation.
They do the usual.
They'll do some lateral movement.
They'll exfiltrate some data, deploy some ransomware, and then leave you nasty messages about how they pwned you.
They will blackmail you, and they will want some money. Standard MO for one of these groups.
Exactly, standard MO. It's an unfortunate pattern that is repeated a bit too often around the world on an almost daily basis.
And up until now, it's been very difficult. You either pay the criminals the ransom they want.
And nowadays, it's actually double extortion.
So you pay them once to decrypt the data on your servers, and then you pay them again as a hush money to not steal or to not leak or publish
the the data that they've stolen yeah and they're going to release that you know you've been hacked
as well aren't they yeah they are but one company may have found the solution news square chambers
which counts it dispute experts amongst its ranks, obtained a privacy
injunction from the High Court at the end of June against person or persons unknown who were
blackmailing the firm. So basically what they're saying is criminals who have stolen our data and ransomware dust, we are now making it illegal for you to capitalise on the data you've stolen.
No one think of this before.
I have no idea. It's genius, isn't it? It's absolute genius.
It's just like, well, you know, the laws didn't stop them from breaking in or ransomware or stealing the data,
but now you've got a specific injunction against them, which is more likely it's going to be outside of your jurisdiction anyway
and it reminds me when you log on to a system and there's that little banner that pops up and
it's just like hey this is a restricted network please leave if you are not not authorized and
and i'm sure hackers look at and go oh my god my God, I shouldn't be here. You got me.
No, wrong system.
My bad.
Sorry to disturb you.
Maybe you could just threaten to tell the hacker's mum,
like, your child's been very naughty.
Oh, this is like what the girls that receive unsolicited pictures
in their DMs have done, isn't it?
They just face the person back and then contacted their mum.
This is what your son sending me yeah no that that could work obviously you know that assumes that you have a bit of
knowledge about the hackers although i did post this question and online and and someone actually
responded saying that you should put a 14-day waiting period on new computer purchases and limit purchases to one computer per month. It's worked to eliminate criminal use of firearms.
Interesting. That sounds like someone who has very strong feelings about Second Amendment rights.
That's right. I mean, I think there is some merit to this. Actually, I was digging into this story
a bit more after I said I'm going to talk about this one. And apparently this story a bit more after after i said i'm going to talk about this one and apparently this happens a bit more often than some people think and part of it is insurance claims
and what have you it's just to cover your ass for all eventualities and say you've done everything
you can in your power to stop it and prevent it and you took all these steps and what have you
so some of it comes down to that. It's like the banners.
It's like everything else.
Yeah, I mean, I know we joke about the banners,
but that is a genuine legal.
If you're going to prosecute someone
for unauthorised access to your system,
you need to show that you have made it very clear
that they shouldn't be doing that.
It's a unique way to go about it,
but I think it also just shows how badly
the security industry is scraping the bottom off the barrel,
where that's the best they can do in reaction to data being stolen.
Well, yeah, I mean, with this whole ransomware thing, it's massively getting out of control, right?
Every day we could talk about another company that got hit with ransomware or someone that's paying it.
And it seems to still be headline news and what makes me laugh is that you know as an industry i think
over the last few years in this sort of real explosion of um infosec experts and professionals
is that we've all got opinions on how other departments should run what other teams should
be doing and like how they should be tackling problems and like why is it this
simple it's that simple and yet we have a problem that is in our court this is our domain and no
one's able to solve it all the advice that we give marketing people about how they should market
stuff all the advice we give tech people about how they secure no one's got a solution to how we
should prevent ransomware other than keep your systems patched but then even
then with example acacia it's not even you know you pay professionals to patch your systems
and even they get hit with ransomware and then distribute it out to you it's it's a massive
problem you're absolutely right and hypocrisy really does show because it's not even a broad problem. It's a technical security problem. It's not like it's a policy problem, procedural problem or other people can't do it. And then on the other hand, when you walk the floors off a trade show, everyone's touting how they've got some really new fancy technology, yeah, AI, ML, whatever.
They make it sound like they've got Jarvis that can protect you.
And this is a problem that's been going for years now.
Yeah, we're not getting any closer to solving it.
No, no.
But we're experts at shitting on other people. Yeah.
Oh, nice one.
No, I enjoyed that one.
No, thanks, Jeff, for this week's... Billy Big Balls of the Week.
Sketchy presenters,
weak analysis of content
and consistently average delivery
but they still won an award. Like and subscribe now.
So let's head straight into this week's...
Listen up! Rant of the week. It's time for Mother F***ing Rage.
So this is one which I have got and it is my beloved TikTok and I guess with this rant of the week
I went off on a tangent believe it or not I know it it happens often on TikTok you going off on a
tangent I've never heard of it it's one of those things right obviously we are men of culture
obviously Tom's not a TikTok aficionado so he doesn't quite get the trends and where we go.
And I heard a disturbing rumour that, you know,
those people that we respected over at the Smashing Security podcast,
they are not TikTok users either.
And they're out there giving people advice and stuff.
Dinosaurs, they're just not used to keeping up with the times.
I mean, that's why Tom and Graham get on so well,
because Graham and Tom, they just talk about everything like,
oh, if they just installed Dr. Solomon's,
they wouldn't have ransomware.
They've got no idea what's going on in the real world.
It's just choogy.
So anyway, this is a story of a TikTok lawsuit,
which is highlighting how AI is screwing over voice actors.
And this is the...
So if you're not a TikTok user,
there's a thing that people are doing at the moment. Well, I mean, it's been going on for a
while and it's to enable accessibility, right? And this is the thing, it is quite an inclusive
platform. A lot of deaf people look at TikTok or blind people look at TikTok as well, believe it
or not. And so they're saying with this text to speech, they have this text to speech feature.
Sorry, so you can, when you're
talking, it will automatically put the text on the screen and vice versa. If you just want to type it,
it will automatically play a voice. And it's quite a popular thing when you're narrating videos or
trying to draw attention to something. And so this lawsuit is about a voice actress called Bev
Standing, who's suing TikTok after she's alleging that TikTok were
actually using her voice for its text-to-speech feature without compensation or consent.
And parallels have been drawn to another case. So this isn't the first case something like this
has happened. A voice actress called Susan Bennett discovered that the audio she recorded for another company was repurposed to be the voice of Siri after Apple launched the feature in 2011.
She was paid for the initial recording session, but not for being Siri.
And similarly with Beth Stanley, she's saying that she recorded this demo for a Chinese company.
And she's not been compensated for that whole text to speech voice now
I get it okay I am annoyed that someone's been taken advantage of right a professional has
has done some work they were misled into what they were doing or their work was
stolen or misappropriated but on something like textspeech on TikTok and there's a very clear distinction
between the text-to-speech and Siri on Apple whereas I think Siri actually sounds like a
real person but the text-to-speech feature on TikTok is very clearly a computer generated voice.
Yes. What sort of sample set did they get of her voice in order to create this whole library of words that it can create just by you typing?
At what point does it stop becoming her voice?
And, you know, what's the scale for the type of, I guess, compensation she's looking for?
You know, what would she think was fair for her voice?
This is what I'm really struggling to get, you know, wound up about.
This is what I'm really struggling to get, you know, wound up about.
I want to get annoyed about it, but I just can't find that, you know, that sort of crux of the issue.
Yeah, that's the exact point.
So, I mean, the lawsuit is basically saying that, you know, they didn't pay or notify her to use her likeness for its text to speech.
Some videos using her voice for foul and offensive language, which she claims causes irreparable harm to her reputation.
And also brands advertising on TikTok had that text-to-speech function at their disposal,
meaning that her voice could be used for commercial purposes.
But again, like, maybe my ear's just not tuned to it.
I would not be able to pick out her voice,
you know, as a computer-generated voice.
It's such a fine line and what
if they change the pitch by a few decibels or something does that make it not that person's
voice anymore as well you have voice actors anyway who imitate other people's voices and
Morgan Freeman's a huge hugely popular one on Fiverr yeah and so where do you stand on that
I completely agree I think it's it's interesting because this is more about where the future's all
heading today it's just one person tomorrow you're going to get pictures of people or videos of them
when they're younger it's a bit like they had a two-pack in a hologram didn't they once performing on stage that's a few years back yeah yeah but that kind of thing if that technology becomes more accessible
which it will then what's to stop people creating their own deep fate type of content online which
features you know young people or whatever it's it's challenging yeah you know, young people or whatever. It's challenging.
Yeah, you know those chatbots that pop up on a screen
when you go to a website.
They'll have one of those talking heads, you know, the likeness of someone.
I mean, they can already do it with, you know, Snapchat and TikTok
have that feature where you can point the camera at a normal photo
and it'll animate it, right?
So like the whole Hogwartswarts thing like in harry
potter films like where the photo so you can actually generate that artificially as it stands
yeah no interesting but the other thing as i was obviously and this always happens when i go on
tiktok right i just go off on a tangent i discovered something called tiktok. And I'll stick a link in the show notes. And this is,
I think, slightly worrying me in terms of, like, I always kind of think, right, I'm staying up to
date with stuff. But this is really sort of caught me off guard. It's now people are now
publishing their resumes or CVs on TikTok, creating virtual videos. And obviously, you've got up to three minutes to get
your message across. And I mean, it's tricky. There's some good examples of what people are
doing so far, you know, the stuff they've done. A lot of media savvy kids out there using this
media to sort of demonstrate why they would be a good hire for your company. And I feel that this one has completely passed me by. And so I am slightly worried that this is that point where I'm kind of
no longer looking over my shoulder, but starting to look at this new generation overtake me.
So I guess this is what, you know, Tom felt like maybe sort of 40, 50 years ago.
Yeah. You shared this story with me and I thought the first thought I had was what an
absolute terrible idea. And then when I started to look at it, I saw a couple of examples and I
thought, wow, this is so amazing. But I think you're right. I think there's two types of
companies. There's types of companies that will accept these resumes and they want that kind.
And for those, these kinds of people who create these
resumes are a good fit i think that there's people who don't who would never be a good fit in creating
these or accepting these and i think that's good as well and i think just from that perspective you
get quite a good cultural um mix it in a way as long as it's not used as a tool to discriminate against which i think as
humans is is always a big challenge but i actually think it's in some ways i can get a feeling of
who someone is they can quickly tell me what they're about and in some ways it feels less
laborious than looking over a cv yeah it's that tell me in your own words you know that sort of question right
tell me in your own words how you got to where you are or you know what excites you they can do
this now and they can add backing music they can add green screen they can do all kind of like
quick examples of other stuff they've worked on scary i think you know this one is it's different
i don't think any of our platforms if i'm honest at my company is ready to receive you know video
resumes just yet or TikTok resumes just yet.
But I mean, the day is coming.
You heard it here first.
If you were to apply for a security job with a video resume, what would you put in there?
Let's see, three minutes.
I'll definitely drop in a chorus from CI double SP videos.
I don't know.
That's just it.
But it helps.
I mean, you can look at it saying, oh, it's just lazy. Like, you know, these kids are just looking to get around,
you know, creating a well-structured CV. But it's actually difficult. Like, you just put me on the
spot there and said, like, what would I say? And I don't have an elevator pitch ready. You know,
I mean, that's, you know, this really is essentially what that is, isn't it? It's that
elevator pitch. And it answers the question when people say, yes, fluent in English or fluent in whatever language.
How fluent?
Like, you know, you're actually going to hear them speak it.
Yeah, I don't know.
Worried about this one.
I'm not worried.
I think it's on the fringes for now, but it's probably going to be one of those things that that we will see expand going
forward to a degree but i don't think it will completely overtake traditional forms but i could
be wrong yeah we'll see we'll reassess in 12 months time i could just imagine someone applying
for a job at an amazon warehouse and say here's me packing 20 boxes in three minutes go yeah
gee that's not that would be just 20 boxes in three minutes go yeah gee that's not that'd be
just 20 boxes in three minutes get out of here i think we need uh yeah we're looking for someone
who can do like 200 boxes in three minutes yeah all right that was this week's rant of the week
this is the host unknown podcast the couch potato of infosec broadcasting So Andy, do you know what time it is?
I do. As I look at my clock, I realise it is that time of the show where we head over to our news sources over at the InfoSec PA Newswire
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Revol Group demands $70 million for universal decryptor.
Industry News
Suspected cyber criminal Dr. Hex tracked down via phishing kit.
Industry News BA settles with data breach victims. Cybercriminal Dr. Hex tracked down via phishing kit. Industry news.
BA settles with data breach victims.
Industry news.
Official Formula One app hacked.
Industry news.
Biden administration cancels $10 billion Jedi contract.
Industry news.
Over 170 scam crypto mining apps charged for non-existent services. Industry News.
Regulator probes former health secretary's use of private email. Industry News. Trump
sues Facebook, Google and Twitter. Industry News. New print nightmare patch can be bypassed and that was this week's industry news huge if true amazing
yeah i just love trump trying to sue facebook google and twitter for allegedly violating his
first amendment right oh is that what the case is okay so i um the one that they're really called was the biden
administration cancelling that 10 billion dollar jedi contract so this uh 10 billion dollar jedi
cloud computing project was the the dod gave the contract to microsoft like a while ago and i think
it was what back in late 2019 and so it was i mean can you imagine
like you're at microsoft and you win a 10 billion dollar contract right so everyone like you're
going to start planning for stuff right you're thinking right we've got 10 billion dollars what
do we need to get how are we going to you know spend this money we need to onboard recruit you
know whatever manage this project and then amazon obviously launched a legal challenge against this because, you know,
Jeff Bezos saw some money that he wasn't receiving. I thought, this money needs to come this direction.
And I think, you know, Amazon basically claiming that that decision to award the contract to
Microsoft was full of errors and basically the result of improper pressure from Trump.
You know, they're actually stating or referencing a book
that reported that Trump had directed the Defense Department
to screw Amazon out of that Jedi contract.
So, you know, even as recently as like September,
I know that the DOD did re-look at it and they said that,
you know, Microsoft's admission was the best.
But yeah, Amazon have managed to get their lawyers in there.
And, you know, the whole thing's been axed until they can figure out how they're going to move forward.
I think this can become a multi-cloud procurement, is the proposal.
But I mean, that's a massive amount of money to be chucking around.
I'm surprised how once it's been agreed and and handed out that you know amazon and and you can imagine that the
lawyers on both sides of amazon microsoft are just the real winners in this whole story
yeah they're gonna be the only people that you know earning earning money equivalent to
to those guys and then the other story which caught my eye was and it's so much uh not not so much for
its impact on what it is but it's really you know this thing like everything old is new again and
like we're not inventing anything new so you remember whole trump's campaign about hillary
using her private email you know to do so all the scandal that went with that and then you know half
the trump family used their own personal email during his administration yes yes um but now the ico has opened an official inquiry into the health
secretary or the former health secretary matt hancock who also used private email and it's a
case of like guys if there's one thing that's happening out there that you should not be doing
right just use your corporate email right
this is where all the controls are these are the official documents we need to have transparency
and accountability um and the i can only assume that people are deliberately doing it to get away
with stuff that they don't want on the record yep yep no other reason no other reason for it whatsoever
this day and age it's so irresponsible when you've seen the impact it's had on other politicians like
hillary and or like how whatsapp messages being leaked when when has ministers are like colluding
with each other and was it cummings released some screenshots about
him and boris johnson the other week that makes me it's like if if any of us ever have a falling
out right it's like everyone's going down no one comes out of it looking good no no the screenshots
to ruin lives mutually assuredually assured destruction. Yeah.
God, if Tom ever figures out how to screenshot, we're in trouble.
Oh, man, that is massive trouble.
Well, we're in enough trouble, the fact that any photos we send him
get uploaded to his iCloud and synchronized across his 30 Apple devices.
How long ago was it when, when you know obviously it's a group
chat that you know we'll send controversial content to as well and so didn't he come he
sort of walked downstairs or something he received something on whatsapp it automatically saved the
photo uploaded to his iCloud and he kind of walked downstairs went into the living room
and that picture was on his tv his apple tv and in the living room or something wasn't it that's right his apple tv was using his his icloud photo reel as the the
screensaver for the tv that was a bad bad bad setup anyway i think i think a few weeks later
you were at the museum with your with your wife and your sister and your daughter and so you weren't checking the messages but they were getting downloaded into your photo reel so
after you came out from the museum you're on the train showing your wife or your sister the photos
and you're scrolling through innocently so you get like pictures oh do you know what my wife has
since learned not to just go scrolling for photos because some of
the stuff that comes in because i'll get i'm in like various group chats you know when you open
whatsapp it downloads all the photos from the different chat so i've actually started using
apple tags know how it identifies people based on their face and stuff so if my kid ever wants to
like old photos i will specifically search by her name and then use that as a tag and not search anything else but yeah no that's a risky
risky behavior i'm gonna tag every photo with your daughter's name when i send it to you
yeah cheers for that job Joe. Really helpful. You're welcome.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than smashing security.
In your face!
So it's that time of the show.
We'll head over to... Tweet of the Week.
And because Tom likes to do it twice and it's now stuck in my head that I have to hear it twice. Tweet of the Week. And because Tom likes to do it twice and it's now stuck in my head, I have to hear it twice.
Tweet of the Week.
Excellent. Excellent. Yes, we do like to do it twice.
Phrasing.
We don't do it right. We do it twice.
So there's actually two tweets here. The first one's just a short one, which is a funny one.
It's by someone called Sherrod de grippo who said overheard in
yesterday's team meeting it's not supply chain unless it comes from the supply region of ukraine
imo yes yes some good risk management going on there with a bit of racism but we won't go there. Anyway, the real tweet is by the legend who is Corey Doctorow,
and he speaks about Gojek.
Gojek is a $10 billion Indonesian super app
that combines Postmates, Apple Pay, Venmo, and Uber,
serviced by an army of agile drivers
who are subjected to all the high-handed algorithmic
horrors that gig workers everywhere suffer through and there's a link to a vice story there's a long
twitter thread that will post into the the notes basically uh gig economy is everywhere and ever
since the the lockdown everyone's gotten really used to delivering, having their food delivered to them.
Yeah.
You can't drive past any McDonald's without seeing like a budget Hell's Angel on moped hang outside or waiting on their phones, waiting for a delivery to come through so they can go in, get your fish fillet meal and come deliver it to you
while it's still warm but in Indonesia that that is obviously taken off as well but there's little
parking space available and the weather's really bad in Jakarta a lot of times it could be warm
one minute pouring down with rain the next and there's nowhere really for the bike riders to to hang out
and all of them actually they figured out that the algorithm favors them if they're right in the
center or as close to the coordinates of that mcdonald's or whatever place it is to and then
they get preference on the order so they started using a gps spoofing app so they instead of
waiting next to the mcdonald's or in the car park or positioning them right in the center
they'll go wait under a bridge across the road in the dry and they will use a spoofing app to make
it look like their gps that they are sat right in mcdonald's so they get preference for whenever an order comes in. And this isn't
the only thing. There are a whole host of other features that are cropped up in this grey economy
to make it easier. There were some issues with the text being too small, so they'd magnify
certain parts. So it says, this is the order, here's it coming from, here's it going to,
this is the value of it. There's even some automation in there. So you can automatically
accept certain orders or decline certain orders if it's too far from you or what have you.
So there's a massive, massive gray area that's cropped up. And some of these apps have more than
half a million downloads on the Google Play store.
And a lot of this just started off because apps, they have some glitches or what have you,
and a lot of the drivers, they needed help with some of the glitches or malfunctions.
And there was a few that were a bit more tech savvy,
and they started helping each other out with technical support.
And they became known as IT Jalanan or it off the road
and they created a form of localized tech support that was easier to access than the the official
app support brilliant it champions exactly so this by now and this is a whole great market there
but it's actually helped a lot of these gig workers. It's made their lives easier or more bearable.
And it makes me think, is this what the algorithm wars
that we keep on talking about, AI attacking AI?
Is this what it looks like?
It's like people gaming the system.
So, you know, using one technique over the other
just to stick it to the man saying,
well, oh, Uberber you want me to
abide by these rules but haha screw you my algorithm is going to make you think that i'm playing by the
rules but i'm slightly bending them not not to make it illegal or break stuff but just to make
things a bit easier for for everyone yeah so i guess this is one that i i'm trying to think of
the negativities because you're right.
I mean, you know, the weather is changeable in some regions.
It's just absolutely downpour.
And when they're on these bikes, you know, it's not great to be sitting there and just get absolutely drenched.
And I'm guessing that like all these delivery companies have a light. says he's outside but then uber you know that driver then takes 15 minutes to pick up that
delivery and then you know takes an hour to deliver it he's clearly like not in the region
or you know do you mean it's like i feel like these platforms have the data to know
whether someone's taking liberties or if they are you know stuck in genuine traffic or something
like that and i think that they will then punish that person accordingly are you know stuck in genuine traffic or something like that and i
think that they will then punish that person accordingly because you know just because you're
outside it doesn't mean that you'll automatically get it right it's going to be a pool of people
you know and the one with the highest rating for example may get it if it's not an around robin
so like to me this is like one of those harmless enhancements maybe like i don't know yeah i'm trying to think
where you know where it's a real like is it a material problem no i think you're right it's
i think as long as it's just used to enhance the experience so this is like because this is
some developer sitting in silicon valley probably or india or someone who's never been to that region
who's not familiar with the local customs and traditions they've designed something based on
their own reality and what these people are doing from what i understand is they've just tailored it
so that it provides features that are more in line with their own reality so that it's just more
convenient so and i'm all for that i think that's perfectly fine obviously
i think if if you start using it for scams or you know what have you then then that that becomes a
problem or like an uber if you know one of the safety features is that the driver has to follow
the the set path that that's on their app and if they deviate from it you as a as the
passenger will get a message saying the driver's taking the wrong route do you approve or disapprove
of it or what have you yeah i guess the other thing is obviously if you and me were competitors
to these uh you know to the these delivery you know we could like spoof stuff sitting here in
the uk and say yeah yeah we'll be right outside and then obviously
never show up or deliver anything that's right so so i think there are sort of limits but i
that they can go wrong but generally speaking this this warms my heart i i know in the terms
and conditions and things that you sign up to it'll probably be illegal to do so
yes but you know it's it's people you know gaming they're not even gaming this i mean gaming the
system sounds a bit underhandish it's not that i think it's just tweaking it to work tweaking it
enhancing it getting it better and being more efficient. And I'm all for that.
And I think this is where we need to be more open in how things are designed and used and why.
Because these apps are everywhere and everyone relies on them so much.
And there should be some flexibility there or at least some QA done to make sure that they fit everyone's reality.
I mean, who's ever heard of a project pushing ahead without speaking to the users, right?
I know.
Unheard of.
Unheard of.
Brilliant.
Thank you for that, Jav.
That was this week's Tweet of the Week.
And so we draw to a close, dear listeners.
How did it go without Tom?
Do you think it's organised?
Is this show published on a Friday?
I don't know that's uh who knows right the time
now is uh 2 p.m on friday afternoon uh so we'll figure out how long it took to edit and publish
i'll catch when it goes out brilliant no i've really enjoyed this andy this has been super
cool we should do this more often feels feels more agile and relaxed and youthful.
You don't have to tone stuff down.
You can talk about TikTok because everyone understands it.
Exactly.
You can make wrestling references.
Exactly.
In fact, Tom should just spin off, do his own spin off.
Call it Tom Chat or something like that.
I don't think his own company wanted that one awkward okay so i would say thank you sir for for your time this
week no no no thank you you were far better than tom and you can be my wingman anytime
stay secure my friend oh you had to go there. You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash smashing security.
How did that go?
Yeah, it was fantastic.
We should have another whip round, right?
And we would just pay for Tom to stay off next week as well
Yeah, definitely
We can just keep a percentage off the top
Yeah, I think we've got enough money
We've received enough money for what
He can take the month off
Yeah, yeah
I see he's sent us a picture of him
Enjoying breakfast with his mum
Stop!