The Host Unknown Podcast - Episode 65 - It's Too Hot
Episode Date: July 23, 2021

This week in Infosec (08:10)
With content liberated from the "today in infosec" twitter account

16th July 2001: Russian programmer Dmitry Sklyarov was arrested the day after DEF CON for writing software to decrypt Adobe's e-book format. Charges against him were later dropped and the trial against his employer resulted in not guilty verdicts. United States v. Elcom Ltd.
https://twitter.com/todayininfosec/status/1416188118655459329

15th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats". Weak Passwords Banned from Hotmail
https://twitter.com/todayininfosec/status/1414330928537686021

Rant of the Week (24:29)
Majority of Britons convinced their phones and smart speakers are listening without being prompted.

Billy Big Balls of the Week (33:48)
Accuracy at any cost? Gamer leaks British military secrets to company founded in Russia to prove its tank model is wrong

Industry News (43:05)
Amnesty International and French media protection org claim massive misuse of NSO spyware
US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach
Verified: UK.gov launching plans for yet another digital identity scheme
Northern Train's ticketing system out to lunch as ransomware attack shuts down servers
Journo who went to prison for 2 years for breaking US cyber-security law is jailed again
Spanish cops cuff Brit bloke accused of playing role in 2020 celeb Twitter hijacking
NSO Group 'will no longer be responding to inquiries' about misuse of its software
China pushes back against Exchange attack sponsorship claims
Thales launches payment card with onboard fingerprint scanner

Tweet of the Week (48:26)
Tennessee Man Died After He Was 'Swatted' by People Targeting His Twitter Handle
https://twitter.com/ThomLangford/status/1416690928354463744
Police forces in Brazil celebrating a thief's 18th birthday because they can't arrest anyone under 18. Come on!
Like and bloody well subscribe!
Transcript
Well, I was going to say, you know, two weeks ago I did interview Jav to see whether he was a
suitable co-host, and this week it's your turn to be interviewed.
Ah, right. Well, well, you know, like I said last week, and, you know, I'll say again this week, it's, you know, that episode with just him
was the lowest, uh, lowest listened-to episode for a while. Statistics don't lie.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us, and welcome to, what is it, episode 65. This is, uh, um, this is the Too Hot episode.
Yeah, I'm looking forward to four episodes' time. I'm sure we can have a lot of fun with that one. But, um, yeah, it's got...
it is just too hot, isn't it? It is ridiculous. Yes, absolutely melting here. Been... and, well, fortunately,
I mean, the weather's going to break, right?
We're going to be taking a break from it for the next few days.
Storms are coming.
The summer is over.
Exactly.
It's going to break apparently tomorrow, which is when I'm going to be helping with someone photographing a wedding
that has apparently been rescheduled three times already
and they managed to pick the day after two weeks of the best weather, that it's likely to
rain. So I, I can't even begin to imagine how that must feel. But yeah, we're sweltering. I think,
you know, iPhones are going into panic mode, heat panic mode, at the drop of a hat, and, you know,
you know it's bad when the iPhones are falling over.
Right, absolutely. Well, and this is the... I speak to colleagues in Arizona and, you know, they ask what
the temperature is and I say, so, you know, it's like 32 degrees, and they just kind of laugh and
chuckle. Yeah, and it's, yeah, okay. Yeah, but they laugh and chuckle from their air-conditioned rooms,
you know, and their air-conditioned homes. I was this close
to buying an aircon unit this week. Yeah, I looked at it and it was like, can I get away with this in
the house for those three days a year I need it? Yeah, that's what I was saying to somebody
the other day. It's like, you get to this point and you think, right, I am not going to get caught out
next year. I'm going to, I'm going to buy an air conditioning unit. I'm going to get one for this room and that room and blah blah blah. And then
the heat stops and then you say, right, let's go look at that air conditioning unit. Five grand? I'm
not paying five grand for an air conditioning unit. It's not that hot now anyway. Um, and rinse
and repeat every, uh, every year after that, really. Yeah, it just simply isn't worth it.
But, yeah, so what have you been doing this week, Andy,
apart from sweating, I would imagine?
So I actually learned a lot about wasps this week.
Oh, no.
Yes.
Did they, through your broadband connection, by any chance?
No.
So I, I mean, I've dealt with wasp nests in the past, right?
They've been up in the loft before, like in the previous house as well.
And I'm normally like, you know, I wrap myself up.
I will get the hoover and like a lot of bug spray.
And I'll just take care of it like face to face.
So the last couple of weeks at nighttime,
while I've been like watching TV,
I've heard this kind of almost like a purring noise.
And I thought it was coming from outside.
No, I kid you not.
You can look it up on YouTube, like what a wasp's nest sounds like at night time.
And this purring noise was starting to become more frequent every night.
And it was going on for longer.
And yeah, it turns out that noise is the worker wasp
like, um, regurgitating the wood that they gather from the day or whatever and building the nest.
And wow. Yeah, and I thought, because I thought it was coming from outside the window, really,
it was actually coming from inside the wall, um, between the internal and external wall.
And, uh, yeah, so I started, like, really banging on the wall, like, you
know, one o'clock in the morning, really sort of, like, banging and kicking it every time I heard
this purring. There's such inconsiderate wasps. Inconsiderate wasps, I know, you know. But yeah, I
heard this, uh, this buzzing noise and, um, yeah, it went outside. So there's, like, this vent thing, uh,
really old vent, like, really low down on the wall outside, and that's where they've been getting in and out.
And then I actually started noticing the wasps coming in and out,
and I was like, wow.
So how long have they been? A good couple of weeks.
But yeah, I called some guys out who came and took care of it.
He just sort of said, look, I advise you to keep your windows shut
for the next two hours. It's going to get a bit crazy around here.
And yeah, I looked at the old Ring camera on the outside after they had sprayed, and, uh, it
really was crazy as the wasps, uh, were, they were flying around and then, and then getting to the front of
the camera and screaming at the camera. Oh, the humanity of it all. And they were banging on the
window as well, funny enough, like flying into the window to try and get there.
Please, please, I have children.
Oh my God.
I also have images of these guys
coming up with a huge kettle
that they pour the hot water down.
Well, that's how I'd normally deal with it, right?
If it was something low enough.
Or, you know, in the old house,
I don't like knock it off the,
knock it off the side of the house
into a bucket of hot water.
Yeah, yeah.
Knock it off the side of the house.
Jesus.
I mean, you see that on YouTube,
you know, people are like
trying to catch, you know,
very big spiders
or trying to knock a wasp nest out
and, you know,
just clipping it or something
and then ending up with the wasp nest on their
head or whatever. It's like, Jesus, you know,
I know we take the mickey out of you for getting people to cut, you know,
trim your hedges and stuff, but blimey, I, I, I wouldn't mess around.
I did, I did go on a walkabout once with a gamekeeper.
Cause my grandfather used to run a pheasant shoot up in Shropshire.
Of course, I expect nothing less for your time.
Of course, of course.
Although I was expecting you to say, like,
wild game there for a minute, like, you know,
some rare lions or something.
That's the one we don't talk about.
Oh, right, OK, that's the taboo one.
That was the eccentric granddad.
But, yeah, walking around with this gamekeeper,
and, you know, you know gamekeepers are hard
bastards anyway, right? And, uh, I think his name, um, Mac, that's right, Mac was his name. He's walking
around in, you know, in shorts and a t-shirt and whatever, and, um, he had to get rid of this wasp's
nest. So he, he just got a bunch of this goop, you know, anti-wasp goop or whatever it was,
scooped some up into his hand, walked into the, you know, into the
undergrowth, found the wasp nest, shoved his hand, you know, into the middle of the wasp nest to
daub it around the inside of this thing, you know, and then walked out. I'm like, and, you know, me is
like sort of 16 or whatever going, ah, wasps, wasps, you know. It's like, oh my God, you know. And this
guy was just like brushing stings off him, you know. It's like...
Jeez.
I don't know how people do that.
I'm impressed.
I'm impressed by that sort of thing.
So what have we got coming up for you today?
Well, this week in InfoSec brings us another DEF CON related story.
It's almost like DEF CON is coming up.
Billy Big Balls shows how an attention to detail
can end up with you being put behind bars.
Industry News brings us the latest and greatest news stories
from around the world, only this time, again,
from our temp news agency.
Rant of the Week asks the real question
we should all be asking ourselves.
Do the walls have ears?
And finally, Tweet of the Week
brings us a new angle on freedom
all the way from the land of Murica.
So shall we, let's move straight on, shall we,
in the great spirit of things and onto our favourite part of the show, the part we like to call...
This Week in InfoSec.
See, I'm not sure if I love it because of the content or because of the wholly original sound
that you put together for that one. Yeah, I know, I know, it's great, right? But it's hard to tell.
It's, it's, it's the fact that we can use royalty-free music like this and know that we're
not kind of imitating or copying anyone. Exactly. Royalty-free, baby, it's out there. Uh, so this is that part of the show
where we take a stroll down InfoSec memory lane with content liberated from the Today
in InfoSec Twitter account. So our first memory takes us back a mere 20 years to the 16th of July 2001, when Russian programmer Dmitry Sklyarov was arrested the day after DEF CON,
and he was arrested for writing software to decrypt Adobe's ebook format, and although
charges against him were later dropped, it was actually quite an interesting case.
So it became known as the United States versus Elcom Limited,
and Elcom, a.k.a. Elcomsoft,
who are well known for producing sort of password recovery kits
and forensic analysis tools, you know,
really easily usable for non-technical people as well.
And so, I mean, this was a case that blew up right in
20 years ago. Uh, so Sklyarov, uh, I might just call him Dimitri because, you know, I'm struggling with
that name, uh, he was arrested, um, the day after giving his, a talk at DEF CON which was titled
eBook Security: Theory and Practice, um, and his whole presentation sort of delivered this
message saying how Adobe was careless, violated the rights of authors by using a security system
that was unapproved by professional cryptologists, and basically applying these restrictions to what
was then, you know, 20 years ago, a fast-growing electronic books market. Um, and so his... That
seems a little bit, that seems a little bit odd. He's, one, he's saying that, um, by using poor standards
he, they're not representing the authors, but on the flip side they're saying, but they're also
restricting the authors? Is that what they're saying? Uh, well, not so much. Yeah, so Adobe were, anything that they were
putting through their market, you know, they were adding these DRM restrictions. Uh, yeah, I got a few
of those books from back then, back in the days. Remember the Compaq iPAQ? And yes, uh, the, the
burgeoning Windows PC market and all that sort of stuff. Yeah, so I bought a bunch of those books and
I've still got them somewhere.
And you couldn't open them on other devices?
No, exactly.
I could only ever read them on a tiny low resolution screen.
Well, at least by today's standard.
Anyways, it was amazing at the time.
But yeah, I remember only getting halfway through the books
and then getting rid of the iPAQ and then realizing I couldn't read them.
You couldn't finish it.
And that was, I guess, ultimately the crux of what went on here.
So although it was 16th of July, all of this stuff, actually,
the wheels were set in motion a few weeks prior to this.
So on the 22nd of June, 2001,
Elcomsoft hosted a press release announcing this new software program
called Advanced eBook Processor.
And it basically removed the encryption coding from Adobe Acrobat PDF files and Adobe Ebook Reader software.
So it let users make backup copies of ebooks that were protected with passwords,
any sort of needed security plugins, various DRM that was in there,
which made you able to read these protected,
formerly protected PDFs with any PDF viewer without plug-ins.
So you weren't just limited to using Adobe.
So it made it, to your point,
it made it easier to decrypt these e-books
because people wanted, at the time,
to load them onto their Palm Pilots and other,
like your iPhone said, like the other...
The Palm Pilots.
Well, exactly.
I mean, these were like godsends, right?
For those who travel.
Love the Palm Pilot.
The handwriting on the Palm Pilot was actually really good.
Yeah.
Total segue, sorry.
But, you know, total segue.
But this is always a trip down memory lane.
Do you know what?
It makes me want to go and see if I can pick up another Palm Pilot from eBay.
I have to say.
I think it would be one of those.
I do wonder whether it's one of those things that's best confined to nostalgia.
Like,
you know,
you don't really want to see it because if I recall,
it took about 40 minutes to boot up anyway,
right?
You wanted to check your diary
So, okay, yeah, hold on a minute, right, let's go and get another drink while my diary loads up.
Yeah, connectivity was not wonderful on them. No, well, you had to sync it, didn't you? It wasn't, uh,
yeah, the early versions weren't even over the, over the air. It was actually connected to your laptop.
Well, yeah, that's right, that's right. And then I remember... Yes.
Oh, my God, the cradle.
With the synchronization button.
Yeah.
And it was a serial port, wasn't it?
It was a serial port connector.
Only the fancy ones that came along later had a USB port.
So you could spot the execs as to who had a cradle on their desk.
Yeah.
It wasn't just about an office.
And as I recall, ThinkPad did them as well. IBM,
before they sold the brand, they, the IBM ones, because that's, I, I had some of the 3Com ones
and then the ThinkPad ones came when I was at PwC, and then, uh, I got involved in a pilot
which allowed you to connect your little mini ThinkPad to, uh, a Nokia 6310. Um, okay. You know, it's a choice back then.
Absolutely. And, you know, to get your mail, but oh, oh my God, I now, I now I want to get not only,
I mean, Palm Pilot, I want to get a 6310 and just to see what... oh God, play with those. This is going to cost me a fortune, this
episode. Um, so I mean, yeah, so obviously this whole, the removal of this protection, it allowed you to,
like, annotate PDFs as well, so they're really useful features, right? Um, so anyway, all this, these
wheels were set in motion at the time. So Adobe then updated, like a week later, Adobe updated its
software to prevent the, um, you know, Elcomsoft software from working, that whole sort of cat and mouse
thing that we see. So Elcomsoft then released a new version, which again, you know, circumvented
Adobe's protections. And in parallel, Adobe met with the FBI. And a week after that meeting,
the FBI filed an affidavit with the Northern District Court of California.
It wasn't a copyright violation. This is the great thing.
I'll come back to you and tell you exactly what it was about.
About the ability to circumvent protection.
It was the DMCA.
DMCA? Yeah, the Digital Millennium Copyright Act.
It was the Copyright Act, yeah, but they weren't going...
They were going for...
It wasn't actually about the copyright violation.
They were going about providing tools that can circumvent copyright.
Yeah, so it was a very...
Yeah.
You know, like, it was very legal, you know, sort of...
Well, these were early days of this sort of thing as well.
It was.
Even 2001.
This was one of the first cases tested.
Yeah, this was one of the first cases tested.
Yeah, that's right.
So, yeah, so Dimitri, you know,
when he was getting ready to check out of his hotel
after giving his talk in Vegas,
he was arrested by the FBI, held without bail.
And what's really important about this one
is that one of the selling points at the time, according to Elcomsoft's website, was the ability to make backup copies of this electronic software or documents, which was actually required by Russian law, where the software was developed and sold initially.
So, you know, it was really sort of interesting. Adobe, like, to their surprise, did not realize how much of a national outcry this would cause. Um, there were actual protest marches
as well over, um, Dimitri's arrest. My God, really? Yeah, yeah. And then the EFF, Electronic Frontier
Foundation, got involved, um, at which point Adobe requested Dimitri be
released and they wouldn't be pressing charges themselves.
But despite Adobe's willingness to back down, the DOJ actually continued to press on with
its own prosecution.
And this is where it all sort of comes down to it, because it's not illegal in Russia
for programmers to develop circumvention software.
But U.S. prosecutors argued that because he was on
American soil, the federal government had authority to establish jurisdiction. Um, I mean, the whole
thing turned into a complete cluster, right? And yeah, ultimately the U.S. government agreed to drop
all charges against Sklyarov provided he testified at a trial against his company. So he was permitted
to return to Russia, um, on, you know, later that year. Um, but then on the 17th December the following
year there was a two-week trial in, uh, California, um, and the federal jury found Elcomsoft not
guilty on all charges under the DMCA that the US side had brought against them.
I mean, you have to have these cases
in order to sort of help...
To establish a...
Flex and establish law and all that sort of thing.
But it does feel like such a waste of time and effort
for something that feels, you know,
like it's stretching the credibility of the law to its very limits
It did feel like an, yeah. But sometimes you need to do it. Yeah, and this was, uh, like, as you say, the
early days of the DMCA, but it actually raised all the concerns that, you know, the individual
being prosecuted for activities that are actually fully legal in the country where they occurred.
Yeah, that's right. So it's, you know, breaking a, doing an activity in a country, um, that is not
against the law and then traveling to a country where it is and then getting arrested for it.
Wow. I mean, at that basic level, surely they could have seen that it was not in their interest to do that,
but obviously it's not quite so good.
Trying to establish a new, you know,
the DMCA trying to establish a base on it so they could use for future cases.
Right. You've got to get that one ruling to go in your favor.
Yeah. Yeah, that's right. And then that will establish the future,
but blimey. It's a bad case to choose.
Yeah, I'd not heard of this case particularly,
but I had heard of the overarching furore,
if you know what I mean.
Yeah.
So I remember this one because he got arrested.
Yeah, he got arrested.
Yeah, I was actually late coming back from DEFCON,
and it was like a joke at the time whether I got arrested
because there's a story about someone...
As well, yeah.
...at a hotel.
Yeah, as well.
But, yeah, no, I was having a great time in Vegas.
So was Dimitri until the day he tried to leave.
Yes, poor old...
What's his name?
Marcus Wanakwai,
I forget his surname.
He was also arrested at Vegas, wasn't he?
It's actually a bad idea to go to Vegas, people.
It is.
Even if you don't believe it's illegal,
there's a chance you can get arrested.
Which I am no longer going to Vegas.
I heard an echo there.
What?
What?
Oh, my God.
Seriously, dude?
Are you turning up now?
How long have you been recording for?
You are an hour and a quarter late.
Wow.
You know, I thought the clocks changed last night.
In which case, you're 15 minutes late.
I'm 15 minutes late?
Oh, OK.
I apologise for being too late.
Oh, sorry.
No, the clocks did change.
You're two and a quarter hours late.
So I assume I've just missed the good morning, good afternoon, good evening.
How are you all doing?
Yeah, we're halfway through this week in InfoSec.
We're about to do the second story,
which was only 10 years ago.
And the account actually, I'll correct the website,
the account actually stated this was 18th of July.
But fact-checking this story, because that's what I'm doing,
it actually came out on the 15th of July, 2011.
So that's mere 10 years ago, plus a week.
Microsoft Hotmail
announced that it would be banning
very common passwords, such as
123456
and ilovecats
to be used to secure
their accounts.
You'd think more companies would be doing
stuff like this now, wouldn't you?
They'd be loading up
you know, effectively a basic rainbow table, right?
You know?
Yeah.
But yeah, yeah.
And this is why I thought it was a good one,
like I say, 10 years ago.
You know, Microsoft was doing...
That's actually quite a forward-looking move
in hindsight, isn't it?
You know, that's it, and we're still not
seeing companies do this now,
so that's quite impressive.
Excellent.
Well, thank you, Andy, for
this week
in InfoSec.
So, Jav,
how was it last night?
What's the ditch like that you've just woken up in?
So, no, so,
I was up in Birmingham for a...
You drank the wrong drink, didn't you?
Yeah, I thought it was a monster
energy drink.
It was something else.
You sound dreadful. I literally rolled out of bed, like, thinking it was like that scene from Back to the Future where he wakes up, something, he's like,
oh shit, Doc, I'm late for school, and he's jumping over hedges and, like, skateboarding on the back of,
hanging on to the back of...
I just literally
rolled out of bed, looked at the clock and I was like
oh crap and I ran downstairs
and
did you run really or did you jog?
jog?
I think you probably fell
have you seen those penguins on the Discovery Channel?
Not too dissimilar to that.
Was that the drunk penguin episode?
Yes.
Oh, my goodness.
Well, you know, well, we've got stories already dished out,
so you might have to just, you know, I'll tell you what,
you can do Tweet of the Week later.
How's that? Yeah, sure. I'm here to add value to our listeners. It's only for our beloved listeners that I showed up. I don't care about you two, as you know.
But, you know, I know the listeners would be severely, bitterly disappointed, and I'm sorry
I wasn't here with you from the beginning. You love them so much that you just can't be asked to turn up for an hour and a quarter.
Oh, dear me.
Oh, man.
I'm so glad I woke up whilst having the worst nightmare.
What?
Was the nightmare that you were late for your own podcast?
No.
No, I woke up and I thought, well, I had a dream that I came to the back of my office,
like my whole garage had been broken into overnight and everything had been taken.
So I came to the back and it looked exactly like it was in my dream, except it wasn't robbed.
It was just me being a messy slob.
Yeah, exactly. Exactly.
Oh, dear.
Right, let's move swiftly on here.
I think it's time now for...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So this one is on me. This is actually a story that ran just late last week.
It was about the journalist was basically asking the question,
are our online devices, are our phones, smart speakers, et cetera,
listening without us being prompted?
And it turns out that something like 70-odd plus percent of Britons actually are convinced their phones and smart speakers are listening into us without us being prompted.
Now, that's all well and good.
The thing that gets me here, though, is I'm kind of amazed that, well, one, that this is a story, in a sense, but also the fact that some of the
people seem quite so upset by it. Um, we are buying these devices and, um, buying them quite cheaply. I
mean, let's face it, an Alexa you can get for like 30 quid now, um, and in wondering why it's so cheap and how it's so good at knowing, it,
knowing what we want and when we want it, without realizing actually they're, they're, they're there
because they're, they're listening into us and, uh, selling our data on, because that's what the, uh,
what the product is. It's a bit like smart TVs. When you buy a large sort of, you know, 40 inch TV for 200 quid, basically most of that
money goes into the cardboard that the thing is packed into, because the cost of the TV is being
subsidized by the data that it's gathering on you. So we didn't, we know that this was occurring
before, like the various ways that you can actually,
not just iPhones, but all phones can listen to you.
I think we did as a sort of industry and a set of security professionals.
I think what's interesting here though
is that that's now shifting
and the general population is now a lot more aware
that this sort of thing can happen,
which I think is a good thing in a sense.
But, you know, goodness me, it's taken long enough for people to work that out.
You know, oh, I was just talking about, I don't know, rucksacks just the other day in my kitchen
and then, you know, in front of my Alexa and then I go onto Amazon and it's, it's suggesting, you know, brand new rucksacks to me. It's like, God, you know,
you've got to put, it's, it's, it's, you know, it's amazing that you're not realizing this when,
you know, all you have to do is shout out Alexa and she's already listening to you and recording.
And these devices are known for, you know,
taking these recordings and sending them off to, you know,
phoning the recordings back to base
without any kind of permission to do so as such.
It's only, you know, even now, only, for instance,
Apple devices are starting to process that speech on device and not send anything out until you tell it to.
So, yeah, it's a fascinating subject in a sense.
But I do find it frustrating that, one, the fact that we're still talking about this one, this should have been known for such a long time.
Such a long time, such a long time.
Indeed, and I think, um, you know, the only way that we're going to, um, uh, force this and make this
actually far more apparent is for, you know, governmental regulation to force that kind of
transparency and to make sure that these manufacturers are very open and honest about this tradeoff that's going on between the cost of a device and the data that it's selling as a result.
And being much more transparent about it rather than just burying it deep in the small
print of a, you know, a hundred page end user license agreement. So yeah, I think it's,
it's, it's, I'm ranty about this because this conversation is still happening when it should
have gone on, when we should be knowing this already and it should be managed. It should
have been dealt with by now. Yeah, so I'm trying to think,
so what was the big scare? So yeah, this does happen, I'll say, we know. So I'm looking at an article from
2017 in the New York Times where, you know, the people, people of a sports app, um, didn't realize
that they were being monitored. Um, and what was occurring at the time was that, you know,
if you want to play sports games in a pub or have it on big screens,
you need a separate licence, right?
So what this company was doing was checking where people were
at the time of game.
That's right.
To see whether they were watching the game, obviously. Yeah, that's
right. Yeah, and from that they could then check, cross-reference, whether that place was licensed
to show the game or not, uh, you know, with a large group of people. So yeah, I mean, this, as you say,
this isn't anything new. This was, like, you know, nearly four years ago. Yeah, um, that was occurring. And I guess you're right, new sort of privacy, uh, the way the
phones tell us how these apps are using their data, um, you know, so this requires access to the
microphone or etc. But what, um, you know, people have been doing, or, you know, theories that came
out, I think it was last year, was that they were no longer actually directly using the microphone.
They could do it from the vibrations that the phone was picking up.
So they could tell what you were watching.
From the accelerometer.
That's the word, yeah, from the accelerometer.
So, you know, what adverts you're listening to,
what words you're saying and stuff like that.
And none of that goes through the app permissions,
you know, the permissions for using your microphone or that stuff. So that was, um, you know, it's not that whole
cat and mouse. I, I'm absolutely, this, this both amazes and astounds me, in both a good way and
a bad way. One, the fact that they'll, you know, people, these companies, will do anything to ensure
that they can still listen into you, and two, the fact that a piece of technology like an accelerometer
can use vibrations, pure vibrations, to listen into a conversation or to ascertain what's being said,
which I find, technologically speaking, absolutely amazing. Yeah, yeah. There's also this
other, um, patent that, I think Facebook's one, that came out earlier this year maybe, or, or sometime
last year, that they, they're looking at the, the dirt on the lens or scratches on the lens to
uniquely identify the cameras. That's right, you talked about that in an earlier episode, actually. Yeah, that's right, that's right. It's, um, but also, yeah, yeah, yeah. No, I think, I think what it is is, it's also, it's not just the
microphone and the audio, it's a lot of other data they can collect. So I was reading this piece ages
ago as a thread on, on, on, uh, Twitter that someone said that, um, they went to their mother's house and, um, there was...
It's actually a lot of it's GPS location as well. So, so if, say, I come to your house, Tom, and I say,
oh, that's a nice Lego set you've got, and you're like, yeah, yeah, I, I like to build Legos in my spare
time, for example, when I come home and I suddenly start seeing adverts for Legos. Yeah, it's not
necessarily through the voice that they've detected it.
It's because geolocation wise,
they know that from your interest that you buy a lot of Legos.
And now we're both in the same geolocation,
connected to the same Wi-Fi.
And I've come back.
And that's why it's now advertising me with that.
And that happens a lot.
I've got one problem with what you just said there. I, I, it's not Legos, I know you keep getting... It's Lego, right? Yeah, yeah.
And it's Lego, not Legos. See, now you know how we've, I've done that on purpose just to let you
know how it feels when you talk about putting things on the line. On the line? You mean on the washing line?
Yeah, send it to the internet. No, it's the internet.
Internet.
Anyway, so that, that was, um, I think it, it's a really good article. It's well worth a read.
Um, so yeah, that was, uh, that was this week's...
Rant of the Week.
Right.
Okay.
So, going freaking back to the notes.
Let's see.
So, I think, Andy, I think we could probably move on to you, shall we, for this week.
Billy Big Balls of the Week.
As I'm standing in for people that didn't want to turn up anyway, so I have come together.
This Billy Big Balls this week is actually a continuation of something you mentioned last week, Don,
where you said perfection is the enemy of good enough.
Stand by it. Stand by it.
And you still stand by it.
So this article is titled Accuracy at Any Cost.
So let me say this.
Have you ever played Flight Simulator?
Yep.
I used to play a lot of those.
Comanche was my favorite one, that old helicopter that never made it into production. But yeah, playing those sorts of things, loved it. So yeah, I mean, it's got a real big fan base, right? And they love the detail of it, you know, of all the planes and everything like that. So imagine an equivalent of that. There's something called War Thunder. Okay, now it's not something I was familiar with, but War Thunder is, or sorry, a challenger to, sorry, War Thunder is what I'm going to refer to as the equivalent of Flight Simulator, but for tanks, right?
Right. Yeah.
And so imagine, you know, you've got the same sort of people that are really absolutely fanatic about the detail and all of this kind of stuff.
has apparently decided that preserving British state secrets is less important than proving to a game company
that its digital model of the UK's main battle tank is inaccurate.
And so rather...
And this is genuine.
So ultimately, you know, this guy saw this new tank
which they produced in this game, War Thunder,
and he was not happy at the level of detail.
So he decided to send them a copy of the actual schematic for this tank
so they could improve the accuracy.
And it turns out that by doing this,
he has violated the Official Secrets Act.
Really?
Yeah, believe it or not,
because the material is a classified manual
for the Challenger 2 battle tank.
And he didn't just send it direct to the game developers.
He actually posted it on a forum
just so he could prove his point to everyone.
Just so he could show what a Billy Big Balls he was.
Exactly.
Just so he could say, look, I'm not making this up, but I do know what I'm talking about. And so, yeah, this story was actually reported by the UK Defence Journal. And yeah, this guy is in active duty, stationed at the Royal Tank Regiment.
Well, not anymore.
Well, not anymore. I imagine he's, this week he's under court martial at the moment. I would imagine a lot of PT while he considers what happened.
Do you know what? Funny you should say that, doing a lot of PT. My cousin is now the commander of what used to be called the Glass House, the military prison, right, where you go after a war, a court-martial.
And it apparently is not all about PT and beasting and all that sort of thing.
It really is about re-education and all that.
Absolutely fascinating.
There was a thing on the TV about it, and he was interviewed on there.
And, yeah, so this view we have of being sent to military prison,
which basically means getting shouted at permanently
and flashbacks to Full Metal Jacket and all that sort of stuff
is just not true anymore.
Well, I don't know that.
I mean, I hear different stories.
Oh, really?
Yeah, well, so they do. Obviously, on paper, they've got this whole, you know, about re-education, all that stuff. But then, you know, you get guys when they're out in combat, you know, away in Afghanistan. Obviously they've got a lot of time sitting around, so they get bored, right? And they do some of the most ridiculous challenges, right? And it's like, if you state something that you can't back up, you know, like we'd typically say, okay, you know, how much you want to bet, right? You know, we'll make a bet. Okay, what are you going to lose, right? So these guys aren't, you know, betting money. They're not betting like, you know, I'll do your chores and stuff like that. They bet... So a friend of mine, like, he's tried to introduce it into a separate friend group. It's just not working because we're not military, right? So they bet on, like, eyebrows. So it'd be like, okay, you know, if you get this wrong, it's like, okay, you know what you want to bet, and it's like eyebrows. And so if you're wrong, you have to shave off your eyebrows, right? And then, because they were, you know, on active duty for so long, like, no one had eyebrows, okay? And so it's on to the next thing. It's right, okay, what next? I bet you a fire tuck, and that's where you have to shave a fire tuck, bald patch, in your head. And then the Terry Nutkins as well, right? So you got these 21-year-old kids basically with Terry Nutkins hair, like bald on the top, long on the side. And the reverse mo molen was the other one. But then other things I hear about, like, and I know we're going way off on a segue here, but something that just still cracks me up to this day is where the, and it's because you mentioned Full Metal Jacket, you know, the very famous thing with the drill sergeant at the beginning where it's like, yeah, where you from, private? Holy dog shit. Yeah. And so basically they had this, like, every morning, like when the drill sergeant came in, like everyone stood up for the line, and if he smelled a fart he would say hoovers, and literally everyone had to stand there sucking through their mouth going until the smell went.
Yeah, but that's not the military prison, though, is it?
That's just active duty.
But, I mean, just the whole point,
to think that actually going into prison is better than actually giving those things out.
That's why I think, you know, there's a part that's reported
and then the reality of what, you know,
serving personnel is saying is happening on the ground.
Not dissimilar to companies, right?
No, that's right. Exactly.
I mean, if this chap, this, let's just call him Billy, shall we?
Major Billy.
Or no, he'd be a captain, wouldn't he, if he's a tank commander
because he's in charge of a squadron of tanks or something like that.
Anyway, Captain Billy, let's call him.
Maybe he can draw some comfort from the fact that if he has a word with us,
I might be able to have a word with my cousin to get him to look after him.
Yeah.
And if you send us a copy of that manual as well, that would be...
Yeah, absolutely.
We don't believe you.
We don't believe you, Billy.
You don't know what you're talking about. Prove it.
Prove it. Eyebrows. We'll put our eyebrows up at stake. If you send us a copy, we'll remove both of Jav's eyebrows, and trust me, that's a lot of hair.
Get the lawnmowers ready, boys.
But isn't it, again, I'm amazed and astounded, again it's just an episode of being amazed and astounded, that somebody who is in the British Army in a position of responsibility, you know, supposed to be educated, certainly knows about the Official Secrets Act and is quite happy to flout it,
not just as a, oh my God, you know,
I'm blurting something out,
but going through the process of berating them,
posting it onto a public platform, et cetera,
purely, but not realising that,
or just not seeing the bloody...
The errors in their ways.
The consequences of his action.
I find it astounding, but...
This is that meme, isn't it, where the wife's standing by the door
saying, aren't you coming to bed?
And he's like, no, there's somebody wrong on the internet.
Yeah, that's right.
That's exactly it.
Exactly it.
Oh, amazing.
So three things that would have helped there,
obviously, is proper awareness training.
Yes.
Proper, I'm sure the documents were classified,
so, you know, that may not be a thing.
But DLP as well.
You know, you should be letting confidential data
outside of your control.
Absolutely.
Absolutely.
Oh, excellent.
Thank you very much, Andy.
That was an awesome one.
Billy Big Balls of the Week.
This is the podcast the Queen listens to.
Although she won't admit it.
So, Andy,
what time is it?
So it's that time of the show where we head
over to our news sources over at the InfoSec
PA Newswire, who are still AWOL.
So for the second week running,
we've called in a temp agency
and they have been very busy bringing us
the latest and greatest security news from around the globe.
Industry News.
Amnesty International and French media protection org claim massive misuse of NSO spyware.
US legal eagles representing Apple, IBM and more take five months to inform clients of ransomware data breach.
Industry news.
Verified. UK.gov launching plans for yet another digital identity scheme.
Industry news.
Industry News.
Northern Train's ticketing system out to lunch as ransomware attack shuts down servers.
Industry News.
Journo who went to prison for two years for breaking US cyber security law is jailed again.
Industry News.
Spanish cops cuff Brit bloke accused of playing role in 2020 celeb Twitter hijacking.
Industry News.
NSO Group will no longer be responding to inquiries about misuse of its software.
Industry News.
China pushes back against Exchange attack sponsorship claims.
Industry News.
Thales is launching payment card with onboard fingerprint scanner.
Industry News.
And that was this week's...
Industry News.
Huge if true.
You know what?
If NSO Group don't want to put the effort into responding to inquiries,
perhaps they shouldn't have done some dodgy shit in the first place.
Well, they're saying it's not them, right?
It's not us that are using this stuff dodgily.
It's our clients.
It's our clients, the people who we sell it to
Yeah, but we vet our clients, so it's not actually them. They must, like, not secure it properly.
Yeah, they must have, it must have been stolen from them, or it's our clients who sold it on.
Oh my God, the sheer audacity.
You gotta... Or it could just be the PR people, like, sorry, guys,
I just can't go out there with a straight face again today.
That's right.
Yeah.
It's like, have you seen The Dictator, the movie with Sacha Baron Cohen?
Yeah.
And in the beginning, he's giving a speech and he's like,
and we will not use nuclear weapons.
And we will only use them for peace.
Yeah, he can't keep a straight face, that's right.
Absolutely hilarious.
Oh, man.
Yeah, that was the one that just got to me the most.
I mean, you know, company accused of dodgy shit
refuses to talk about dodgy shit.
Oh yeah, but it was a massive investigation by all these many journalists across different agencies and newspapers and what have you, and they found, what, a list of about 50,000 phone numbers, I think. I don't know whether that's the entirety or not, but there's like politicians on there, there's journalists on there, there's human rights activists on there, there's people under protection on there, there's all sorts on there. Yeah, and it's just really scary. And it's not good. It's not good at all.
No. Well, you know, when Amnesty International is publishing a report about stuff your company does, it's never going to be positive.
That's right. It's, you know, publish and be damned is probably not the approach that they should be taking on this one.
No, no. Or even a sort of, you know, any publicity is good publicity, except when Amnesty International are giving you the publicity.
Well, you know, I think NSO are just part of the problem. The other part is how many governments out there and/or agencies are willing to pay for this software to track people in these ways. And, you know, that's the real scary thing, because if there's a proper court order and whatever, you can go through official channels and you can find out pretty much the same information.
Yeah, yeah. Well, you know that all these government agencies, right, all the vendor managers and procurement people at these places are contacting NSO Group and they're like, just to remind you, we have a confidentiality clause and it's secure.
Yeah, exactly. Yeah, we don't want to stop answering inquiries either. So, yeah.
Do you think NSO Group has one of those pages on their website with a bunch of logos? Check out some of our happy customers.
Yeah, that's right. CIA, FBI, US government.
Yeah.
What is it? Saudi Arabia.
Yeah, exactly.
Right, Jav, I think it's time for your Tweet of the Week this week.
Are you ready for this?
I suppose so.
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
So I was talking to you about this other story during the week, but that's quite depressing. It's not a tweet of the week and it's really depressing as well, so it's not a note that I want to end on. But okay, but I will touch on it a bit before I go into the Tweet of the Week that you've kindly provided for me.
Yes.
Which is, there was, Andy, you've got a highly desirable Instagram account name, haven't you, that constantly gets hammered, constantly, and I don't know why Instagram don't do something about it.
So that's the problem.
If you've got a desirable handle,
before it used to be all about the domain names,
but nowadays the handles on the particular platforms are worth a lot.
So on Twitter or Instagram,
if you're one of those early people that went in
and you got one of those three-letter user IDs or something or something specific, it's quite desirable.
And many times people will either get lots of account lockout notifications or failed login notifications.
Or sometimes they'll get approached by organizations, say it's a corporate name that someone likes or something,
and they say, hey, we'll pay you a wheelbarrow full of money if you give us whatever the domain name or the handle is.
Yeah, and I will actually sell my Instagram account.
It's just no one's offered me money for it.
They just keep trying to break into it.
Yeah, so this goes to Twitter, where a 60-year-old man, Mark Herring, had the Twitter ID Tennessee, and throughout many years people have asked him, oh, can you give us the domain, the sort of Twitter ID Tennessee, because we really like it. And he's always refused. He's like, no, this is mine, I like it, and what have you. Then during March and April of 2020, some people asked him for it, he said no, and they got a bit miffed, so they started harassing him a bit by, you know, sending him and his family members things like pizza to their house with a payment on receipt kind of thing. And this escalated and unfortunately ended up being a case of swatting, where they phoned up police, said that he shot his girlfriend or something like that.
Armed police showed up, surrounded his house.
He turned, he came out with his hands up,
but unfortunately he had a heart attack from the stress and died.
What?
Rest in peace, Mr Herring.
Really, really sad, sad, sad state of fear.
Anyway, they tracked down who was involved and there was an 18-year-old in Tennessee and a minor based in the UK who were involved in this, apparently.
An 18-year-old?
18, 18. Okay, okay. Yeah, yeah, he just turned 18 or something. I think they waited a few months for him to actually turn 18 before they arrested him.
Well, you know, normally I'd call that a dirty trick, but not in this case.
Yeah, yeah.
So, you know, it's...
It's just a... I don't know what to say about it.
It's just really sad and, you know...
It's an all-round awful story, Geoff, thanks.
Yeah, it is.
Thank you.
Yeah, thanks for that, Geoff.
Yeah. So, Andy, give up your link.
Give up your Instagram ID. It's better than getting shot or suffering a heart attack.
Are you saying someone's actually going to be sending pizza to my house? Because I'm down for that, right? Payment on delivery.
I think you underestimate Andy's willingness to pay for pizza.
As long as there's no anchovies, right?
Or pineapple. Do you like pineapple?
I don't mind pineapple on pizza.
Yeah, you know, I'm a fan of pineapple as well.
I mean, as long as it's like, if it's constant,
I'm guessing I'm going to be getting different types of pizza.
If people just keep sending me margaritas or ham and mushroom,
that's going to annoy me.
No, it's going to be margarita with added anchovy.
You know that because you've said as long as it's not anchovy
and, you know, as long as it's not margarita,
in which case you're screwed, mate.
Yeah, I mean, what I really hate is a meat feast with no mushrooms.
A couple of deep pans, extra large.
That would be my worst nightmare, right?
So you gave out your phone number on the Smashing Security podcast. Give out your address now to Andy, and then people will have all the details they need to get everything we need.
Absolutely, absolutely. So anyway, the Tweet of the Week is a bit more light-hearted. It's from our good friend Tom Langford, who says...
Oh, you're doing a story about me?
Oh, thanks.
It goes, this is from The Onion, right?
And that was this week's tweet.
And if you want to know what I was talking about,
listen to this week's episode of the Smashing Security podcast.
No, no, no.
If you want to find out what's that,
follow Tom at Tom Langford on Twitter.
There you go.
So Tom retweeted Eric Finman,
who I've never heard of,
but apparently according to his bio,
he is the world's youngest Bitcoin millionaire.
Yeah.
Okay.
He looks like a Chad.
He does.
He does.
So he's announcing
he's announced on July
14th the Freedom
Phone complete with
bald headed eagles.
This is the first major pushback
on tech big tech companies that attacked
us just for thinking different. Complete with its own uncensorable app store and privacy features, we're finally taking back control. FreedomPhone.com.
So this looks like a classic case of some misguided bravado and snake oil. If the likes of Philip Zimmermann, who came up with their Blackphone a couple of years ago, couldn't make it a raging success, then this thing that is a thinly veiled sort of, what do you call it, rip off...
No, not rip off. What's that term? It's a white list. It's like a white-labelled phone.
Yeah, it's a white label. Yeah, it's a white label product that they've probably changed a few things on, engraved something else onto it, and launched it as their own, you know, put some crappy software on.
Yeah, the startup sound is Star Spangled Banner and, yeah, the default ringtone is an American eagle coring.
Oh wow, please, are you joking or is that true?
Well, I don't know, but it seems about right.
Yeah, it does, actually. And in all seriousness, if you do check out the tweet, there's some responses there, including a thread from a bunch of people about actually why this is such a bad idea and why it is in all likelihood just a white-labelled piece of kit.
And if this person is not completely lying through their teeth, he's certainly stretching the truth to extreme levels about the quality and security of this phone.
Yeah, and people will lap it up as well. People will lap it up.
Well, you know, it targets us, yeah, targets a certain market.
Yeah, especially when they're talking about Make Apps Great Again.
Oh, for God's sake.
And when one of the apps that they're advertising
has come in pre-installed is Parler.
Just, oh dear God, that tells you.
Just call this the racist phone and be done with it.
The special white model, right?
Yeah, it only comes with a hood.
It only comes in white. Protective hood. It only comes in white.
Protective hood.
It only comes in white, exactly.
And a guy whose first statement about himself was,
it's a bit like Troy McClure of The Simpsons.
Hi, my name's Eric Finman.
You may remember me as the world's youngest Bitcoin millionaire.
That's all he's got going for him.
And he's going to be saying that when he's 60, I guarantee it.
Because that, don't get me wrong, being a Bitcoin millionaire is actually quite impressive.
But you're only as good as your last job, not the job you did, you know, five years ago. So yeah, I just, oh, and also he tweeted this from an iPhone as well. He didn't even tweet it from a, you know, an advanced model of his own phone, which you would have imagined that he would have done, right, you know, because, or at least, you know, from a prototype, or if he's selling an Android phone, that would be from an Android. But, you know, no. So yeah, dreadful.
Yeah, dreadful. Anyway, that was this week's snake oil Tweet of the Week.
Tweet of the Week.
Sketchy presenters,
weak analysis of content and consistently
average delivery.
Like and subscribe now.
Excellent.
Thank you very much,
Jav, for that.
And that brings us
to the close.
Now, Jav,
I know you feel like
you've only just got warmed up,
but I'm afraid
that we've come to the end of the podcast.
I hope you enjoy yourself, Jav. It's like a really short one.
I'm just getting ready to go.
Exactly, yeah. Can't think why. I mean, jeez.
So thank you, Jav. Thank you, Jav, for that, scrabbling to recover from being late
and very sad in your storytelling today.
You're welcome.
That's what I'm here to do, keep the emotional highs and lows going,
keep people interested.
And, Andy, thank you very much, sir.
Stay secure, my friend.
Stay secure.
You've been listening to
the host unknown podcast
if you enjoyed what you heard
comment and subscribe
if you hated it
please leave your best insults
on our reddit channel
you know when you do the
rollercoaster of emotions,
you're supposed to end on a high, not on a low.
That's where I've been getting wrong.