The Host Unknown Podcast - Episode 68 - One More Show Until Dinner
Episode Date: August 13, 2021This Week in Infosec (14:29)With content liberated from the “today in infosec” Twitter account10th August 2001: A Japanese woman, Kumiyo Kishi, was arrested for accessing her coworker's email acco...unt, then contacting the user's ISP to regain access after the coworker changed their password.Japan arrests woman for email snoopinghttps://twitter.com/todayininfosec/status/1425123899474423811 7th August 2010: Terry Childs was sentenced to 4 years in prison for network tampering after refusing to hand over network passwords to his supervisor. He was later ordered to pay nearly $1.5 million in restitution. S.F. computer whiz Childs gets 4-year sentenceSorting out the facts in the Terry Childs casehttps://twitter.com/todayininfosec/status/1291377901456232448 Billy Big Balls of the Week (28:34)https://twitter.com/J4vv4D/status/1425381977482539008?s=20My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down: - Dan Guido Industry News (38:51)Disney Employees Among Those Arrested in Child Abuse StingNCSC Sticks by 'Three Random Words' Strategy for PasswordsMartial Arts Instructor Accused of Spying on StudentsFraudsters Impersonate DPD in "Convincing" New Smishing ScamHouse of Commons (HoC) Beefs up Cyber Training Following Matt Hancock CCTV Leak ScandalChinese Espionage Group UNC215 Targeted Israeli Government NetworksSalesforce Communities Could Expose Business-Sensitive InformationOver $600 Million Stolen in Biggest Ever Cryptocurrency TheftAccenture Tied Up in $50M Ransom Lockbit 2.0 Attack Tweet of the Week (46:45)https://twitter.com/runasand/status/1423810127451365382?s=20Looks like pornhub is always bending over backwards, doing far more than any other social media platformIn a Huge Policy Shift, Pornhub Bans Unverified Uploads The Box incidental music © Charlie Langford Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Andy, have you got crisp on?
I do, but I was eating cereal.
Yeah, I know, and I could hear the clink of the bowl.
Oh, really?
Oh, maybe I don't have crisp on then.
Or maybe you're just a really loud eater.
Right, let me do the old jelly bean test.
Oh, Jesus Christ.
Yes, yes.
Okay, so crisp is not on, it would appear.
I tell you what, that jelly bean can is definitely getting emptier and emptier.
That's on his third refill.
Yeah, that's right.
You ever seen those Americans or the Gun Rangers and, like, the ones that are really good?
They're, like, bam, bam, bam.
It empties and, like, within half a second second they've emptied the magazine stuffed a new one in
you're listening to the host unknown podcast
hello hello hello good morning good afternoon good evening and welcome to the host unknown podcast episode 68 and yeah
i know i know who'd have thought it who'd so do you know what that means for episode 69 although
in reality it has already passed because this is really episode 73 yeah for episode 69 i think we
should bring back smutty or security oh absolutely In fact, why aren't you working on it right now?
Because Crisp isn't working, so you'd hear me typing.
Yes, indeed. Yes, indeed. Very true. Very true. Yes, we are episode 68, 70, whatever.
It doesn't matter. We've lost count.
Andy, how are you? You've had a busy week.
It's been a crazy week. I've been up in Nottingham, one of the offices we have up there,
like up and down the country this week. Lots of driving. Got back late last night.
And I haven't told you guys this yet. When I got back late last night,
I had a notification that my 23andMe DNA results were in.
Whoa.
So I just took a DNA test.
Turns out I'm 100% that bitch.
If you're a TikTok user, you'd get that.
I have no idea what you're talking about.
So, yeah, so i mean this is
one of these things i have debated for years about whether or not i'm prepared to submit my dna to
you know companies like this because of misuse and obviously showing up and unsolved cases
somewhere across the country um but no it's actually really interesting and i was reading it and i was
so i did it on prime day right i bought it uh through amazon at the time when it was nice and
cheap and it comes like you get this like you got spit in a vial and it's actually a lot harder to
generate the amount of saliva you need to top up without like dropping a you know a pavement
oyster in there so it was like uh
it goes into a box in its second class and i thought you know should i just get this done
expedited you know should i pay for the extra and i was like i didn't bother at the time
stuck it in a second class box posted it and um then you can track it and i'm like okay you know
like a week later you know you open the app and it says waiting waiting for your receipt and i'm like okay you know like a week later you know you open the app and it says waiting waiting for your receipt and i'm like jesus what's going on and then it's like 10 days after that and
then all of a sudden it says oh you know we're now going to post your kit and it's like what
the kit goes to the us and it takes forever to go through so if you think of when prime day was
like back in when was it end of june six weeks ago yeah so they registered oh i
registered the kit um on the 4th of july uh yeah funny enough and i got the results yesterday
so it's been a while and you know i posted it straight after i spat into it so so so just just
to clarify is your spit covered under GDPR?
I believe it is.
But it's an American company, so you never know.
Okay.
You never know.
Yeah, they're not big on privacy.
Any privacy lawyers out there, is spit covered under GDPR?
Yeah.
So, yeah, I mean, it was quite interesting.
Under the health analysis, they do things like i'm predisposed to like some of the personal traits were a bit um you know a bit too personal
um you know i'm predisposed to basically hoarding items i never use seriously it gets to that level
of detail it says that yeah i'm predisposed to uh favoring sweet things over salty things
well no shit sherlock they could
probably tell by the by the m&m colored spit that was in there i uh i did not fill in any of the
data like it says while you're waiting why don't you fill in some of this information to help us
make your results more accurate and i was like no i'm not telling you nothing like you know you
you tell me all about this.
But one part I was very disappointed in.
They said that I am 82% unlikely to have any bald spots.
So I was like, guys, you're way off the mark with that one.
It's certainly the other way around. But conversely, they're saying you're 18% likely to have bald spots.
You always were an outlier, well exactly yeah but no other than that it's quite
interesting and i've got it sort of populates a family tree of people dna relatives yeah um
and i do have it looks like relatives in the us who have they share my uh share my mother's maiden name, but a
different spelling of it, which we are
aware of. So it's accurate
that at some point... Which trailer park are they in?
Well, funny you say
that. A couple of them are in North Carolina.
So that is proper
you know.
We are in Trump territory up there.
But yeah, no, the other
we've got some in California as well, by the looks of it.
So hippies on that side.
That's the side of the family you don't talk about.
Yeah, exactly.
But yeah, no, interesting.
Wow, that's fantastic.
So what was the most mind-blowing thing from the whole test?
Do you know who your dad is?
Yeah, so I do.
It's quite interesting so i am
55.9 percent european of either british or irish heritage which i think i knew my mother's irish
makes sense yep and then the next highest one is the sub-saharan african at 25.7 percent obviously
my father's mauritian but then they break it down by a bit further and
it's not just uh sub-saharan african i'm also 14.1 percent central and south asian right what
yeah so um on my father's side there's some um sri lankan um central asian northern indian and
pakistani uh which is obviously why you know i think me and jav have a good bond
uh you know probably better than than me and me and you tom yeah against the imperialist invader
yeah absolutely so yeah it's a nice but i'm 55 percent uh irish and 45 percent um african
wow yeah which which to be,
to be honest with you,
never have guessed from looking at you.
Let's face it.
Um,
yeah,
fair comment.
Yeah.
I'm a man of the world,
you know,
I blend in anywhere.
That's why I don't know.
You blend in anywhere where there are other pale skinned people.
Yeah.
In Africa.
In Africa. Yeah. In Africa. In Africa, yeah.
That is quite fascinating.
Yeah.
Jav, what about you?
How did your DNA test work out?
No, like Andy said, you know, there's just too much risk
for being implicated in something.
The child support agency might get hold of it.
Yeah, yeah, you never know.
You never know.
So I'm keeping shtum on that.
But no, speaking of child support agencies, like yourself,
well, both your kids, Tom, I believe they had major educational milestones this week.
Yes.
They had major educational milestones this week.
Yes.
And my daughter also, she gave her GCSEs. It was all teacher assessed, but she got her results.
And I was very happy, pleasantly surprised.
And, yeah, so she's now on to do A-levels.
Nice.
Very good.
Yeah, same with my daughter.
She said she was a bit disappointed with the results,
but it was enough to get on to the next step, right?
You know, you just do a reset and to be blunt,
you start to forget about your O-levels,
or sorry, GCSEs after a while, don't you?
Yeah.
I'll tell you honestly, were they still called O-levels when you did them?
Yes.
Damn, man, you're old i was i was the last year of o levels in fairness in my defense i thought they got rid of o levels a lot later than that but okay in 1987 was the last year of
o levels there you go um and yeah my son got son got his results. He did very well.
He got, was it, well, his highest grade, which was an A star,
was in drama, which given, you know, for a young man who stammers,
I find incredible.
I just, he gets on stage and it's gone.
It's like there's, it's as if it's never happened to him at all.
It's quite incredible.
And obviously we talk about it with him, and he doesn't really get it either.
He just knows he likes getting up on stage and having a laugh.
Wasn't there that, this going back years and years,
but there was one of those Popeye doors or something like that?
Gareth Gates?
Yeah.
Yes.
He wouldn't stutter when he sang, but when he spoke,
he could have controlled it.
I was saying Ed Sheeran was a stammerer as well.
So it's interesting.
It's one of those things, funnily enough,
and obviously we've done a bit of research on it and all that sort of stuff,
but we still don't know what causes it. Still have no idea
what triggers, you know, what actually triggers a stammerer to continue to stammer. Because we
all stammer to one extent or another, right? You know, if we're stressed and we can't get our
words out, it's effectively the same thing. Recording a podcast.
Recording a podcast, yeah, under stress and duress in most cases but
um you know so everybody has it but it's just that it sticks with some people more than others and
nobody knows why yet uh so it's fascinating but yeah so he's off he's taking a year off we're
going to be doing some uh um uh film work videographer work and uh you know anybody need a good talented sort of uh director
editor etc films just let me know uh and then he's off to the london film school next year
well let me well hope hope so that that one year off doesn't turn into uh
four years four years yeah exactly a A trip round Thailand. Yeah.
Well, at the moment, right.
Yeah, well, we're going to... I say we, he doesn't live with me,
but that's going to be discouraged by ensuring he pays rent.
Yeah.
If you're working, you're paying rent, end of.
It's only fair.
Yeah, absolutely. And to be blunt blunt it just all goes into the big pot that pays for his university education anyway right yeah well or your apple gadgets
yeah yeah yeah like i'm gonna see any of this money come on is it better to call it rent or Call it parent tax. Board and lodging.
Good one.
So, you know, I was reading this interesting thing about how calling different things something different actually makes a profound impact on how people perceive it.
Yes.
And the one example they said was student loan.
They said, we call it a student loan.
And in our minds, it's always that, oh, we've borrowed the money and we have to give it back.
And one of the ideas was, well, think about you only have to pay it back if you're earning over whatever, 35,000 a year or something.
So they said, rather rather than calling a student loan
call it a future wealth tax so you only get to pay it if you are wealthy wealthy yeah and if
you don't then you won't have to pay it and that actually um you know for a lot of people then that
actually removes a lot of the negative connotations.
And the stigma as well.
Yeah, exactly.
Yeah, I like that idea.
I like that idea.
Yeah, the problem is because he's going to a private institution,
the London Film School, rather than a sort of regular university,
so he can't even take advantage of full student loans, I hope.
Harsh.
That's what Dad's for.
Sorry, that's what? That's what what Dad's for. Sorry, that's what, what?
That's what his dad's for.
Oh, my God.
Yeah, but, you know, that's not going to pay for the next iPhone, is it?
Perhaps you should call it the Future iPhone Renewal Fund.
So when he's big and famous and he's getting sponsorship
and all that sort of stuff i
i get all that all the benefits of that right so what have we got coming up for you today well
this week in infosec warns of when cis admins go rogue uh rant of the week is actually mia this
week bully big balls gives us a blow-by-blow
account of scooter theft
and recovery. Industry
News brings us the latest and greatest security
news stories from around the world.
And Tweet of the Week
shows Apple possibly
tripping up on their own shoelaces.
Alright.
Andy, I think it's time for
our favourite segment of the week in its...
This week in InfoSec.
Yeah, it's that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account.
So the first story is going to take us back a mere 20 years ago,
on or around the 10th of August 2001.
Good times back then.
So a Japanese woman.
I was actually in the US, I think, around about that time.
2001?
Yeah.
Good times.
A Japanese woman, Kumio Kishi, was arrested for accessing her co-worker's email account,
then contacting the user's ISP to regain access after the co-worker changed their password.
So the source is El Reg.
So I believe they do have some integrity but i struggled to
corroborate this story but the story basically goes that this uh japanese lady um was just
reading her colleague's email just like out of interest okay just can't why not right um and she
was given this dubious honor of being the first person in the country to be arrested for breaking what's called the electronic communications law, according to the Manichi Daily news reports.
But I can't find any more information about that law either.
At least not in English, anyway.
At least not in English, no.
Yeah, and that's right.
It could just be something, you know, not...
I mean, most laws are translated for international purposes.
Anyway, this 30-year-old lady from Tokyo,
once she was caught reading her co-worker's emails,
her co-worker changed her password.
And then Kishi just contacted her ISP.
And she was like, hi, I'm so-and-so.
I forgot my password.
And the ISP help desk was like, oh, no, I hope we can help you.
Can you confirm that you are this person?
And she says, yes, I am.
And the help desk person says, excellent, okay.
Your new password is 123456.
You know, please change it when you log in.
Have a nice day.
Oh, my God.
And then she continued to read the emails for another couple of weeks.
Yeah, but how, if the password was changed how
was the other person really that that was the giveaway oh i see right okay yeah yeah i mean
obviously that makes sense but but did she not think that part through well do you know 2001
different times right it was uh you know i don't think people are attached
to you as it as attached to email as they are now this is true i definitely had a lot more memes
back then yeah and it will also span you know when you used to get those executable files via email
um and it's like oh you know check this and it's like gnome bowling. Yeah. You know, you double-click the X,
and it turns your screen into like a puzzle,
and you have to solve the puzzle in order to get back to your work.
Yeah.
All those kind of, like, you know, a virtual Rubik's Cube type thing.
The one I remember was,
and I stood in the Charing Cross offices of PwC
on the fifth floor, I think it was,
which is like a hot desk in floor.
And I think I had a locker there and I was just opening the locker
and suddenly I heard from one of the desks,
hey, everybody, I'm watching porno.
I knew you were going to say that one.
That was a classic.
Which was a classic.
But do you know what?
Not a single reaction.
Nothing.
Nothing.
Not even somebody kind of like slapping their keyboard or looking around.
Because I was like, where was that from?
That is awesome.
Oh, dear.
Yeah, good times.
But then, you know, one person ruined it for everyone. You could no longer send XEs or things like that to people. Yeah, good times. But then, you know, mouse, one person ruined it for everyone.
You could no longer send XEs or, you know, things like that to people.
Yeah.
And then you had to embed them in Word documents and shit like that.
Yeah, exactly.
It's just been a game of cat and mouse ever since.
It was.
It was.
So, you know, the interesting thing about reading emails is that nowadays what you see a lot,
well, I say a lot, but there's been a few cases where I've seen they gain access to an email
and they know they're going to get caught or the password's going to change at some point.
So they end up just setting up an inbox rule to forward all the emails to them.
Brilliant.
So that way, even if the person changes their password,
unless they actively
go in to check their their rules yeah make sure that it's not being copied and forwarded on uh
they'll just never know and uh you can just read their emails forever forward to jay malik at aol.com
yeah yeah exactly we had um yeah what's it like yts what's the equivalent yts uh that you call these days but anyway these kids
were in the office and they used to just keep leave leaving their laptops unattended right and
so in the old days would go to like hotmail.com but as in like h-o-t-m-a-l-e yes um you know and
so set that as a default browser so it kind of loads up it's almost like lemon party like when
it loads um but obviously in the corporate environment you got like filters and you know that sort of stuff
doesn't fly so what i typically do is set myself as um like administrator of the mailbox and um
you know control the calendar as well if people leave their machines and then you know i go to
friendlies that i know so you know i knew these girls in the other office and i sort of gave my heads up i said hey look you know i'm gonna
send you some stuff it's obviously from me but can you act outraged and stuff like that
i remember this one guy nathan and uh i basically sent um a calendar invite to this girl i said hey
look you know i saw you walking around uh you know the office do you fancy meeting behind the bike shed you know i'll block out 30 minutes in the calendar so she got this invite she replies and she's like this is
wholly inappropriate inappropriate i'm gonna contact hr and oh my day is like just the panic
you know when someone goes bright red and it took him like a while to figure out what was going on. Oh, unsurprisingly.
And then the other one is when you just, I call it like a chat roulette,
you know, where you just open up someone's Skype or Teams and then just message a random person in the address book
and ask if they sell drugs or anything, or like where you can score some drugs.
Hey, I'm coming to the office on such and such,
and I was told that you might know where I can score two grams of Coke or something.
I mean, these are the only ways you can do it these days with all the filters and stuff.
But anyway, I digress.
Moving on to the second story.
Ten years ago, on the 7th of August 2010,
Terry Childs was sentenced to four years in prison for network tampering after refusing to hand over network passwords to his supervisor.
What?
And he was later ordered to pay nearly $1.5 million in restitution.
And I know you say, well, you remember this when you um hear where it was
and i when i read this i remember the story because it freaked out the md of the company
i was at at the time um because he was trying to figure out how an entire city government could
apparently lose control of its network oh that's right yeah san francisco it's exactly yeah san
francisco terry charles um i looked at a few stories in this one so one of them even gives That's right. Yeah, San Francisco. Exactly. Yeah, San Francisco. Terry Charles.
I looked at a few stories on this one.
One of them even gives his CCIE number.
So he's a certified Cisco internetworking engineer.
So he was a member of the San Fran DTIS,
the city's IT department for five years.
And he was part of the group that built and managed the whole city's networks he was one of the most experienced and advanced network administrators and he basically single
handedly designed and built like this this fiber wan that they had across the city um that sort of
connected the fiber to to the mpls and it's a really complex network and it's core to all of the city services.
And when Terry Charles created this, following its completion,
he actually looked at it as a creation of art.
And so much so that he actually applied and was granted a copyright for the network design as technical artistry.
What?
But only as technical artistry, though.
As technical artistry, yeah.
So if you, yeah, but what kind of ego have you got to apply, you know,
and get that right?
I mean, he basically did not trust his colleagues at all.
You know, so he essentially became the sole administrator of this fiberware.
And as a result, the only person with the passwords to the
routers and switches um you know that controlled the whole network so it was it was known throughout
dtis um you know he was the only point of contact for changes troubleshooting and just basically
overall management and so there was a new um security manager that was brought into the DTIS,
you know, a couple of weeks prior.
And there was what they call an altercation between Charles and the security manager, Jenna Peralde.
And essentially, like, the court ruling was that, you know,
he started harassing her and then confronted her,
took photos of her with his mobile phone.
And, you know, she feared for her safety. So she locked herself in a room, called the CIO for help.
The CIO came and then, you know, had words with Charles and Charles later left.
But, you know, what caused this altercation? I guess you may ask.
So basically, no one told him that she was coming in as a security manager to audit his network.
And so he perceived that as like an insult and a threat to, you know, whatever he did.
So, I mean, the exact details of what happened over the next couple of weeks is still a bit of a mystery.
But essentially his boss basically asked him for the usernames and passwords and he refused to give them.
So he was suspended for insubordination uh and then it led on to other things like then he was put under surveillance
because you know now he was he didn't actually make any demands but you know they were worried
that he was now holding the city to yeah yeah um and they found like guns and ammunition all
kind of stuff at his house when they put him under surveillance. It's America. Of course,
yeah. I mean, you know what they're...
They'll find something on you if they want to, right?
But even after he was arrested, he refused
to give up the passwords to the network
and he said that he would only give
them to the mayor.
So, you know, get me the mayor down here if you want
these passwords. And then it was about
three weeks later, the mayor
actually visited him visited him
in prison uh met with him for 15 minutes got the passwords um and then yeah but like following just
one bit of clarification after that uh you know with his boss that they did actually have
have access to the network again after that but um yeah utterly crazy that he could just
take control or you know he did have
control of this entire network and there's nothing anyone else could do you see this is less about
sysadmins holding organizations to ransom and more about the average american's access to mental
health care potentially yeah i mean but a good uh you know password management system
you know something like last pass hey i understand they're on a break for a couple of weeks so hey
last pass did that exist in 2010 though yeah um no maybe so we've just discovered the origin story
of last pass right so all right yeah i'm sorry i thought you had i thought that was a different story and from that the mayor
of san francisco established a task force called last pass that guy's name albert einstein
but yeah no but last pass yeah no interesting story, yeah, a warning as to, you know, what can occur
if you don't treat your sysadmins with the, you know,
if you insult their technical artistry.
You understand that these guys are not just, you know, tech monkeys.
They are proper artists.
Well, or if you just don't provide them access
to regular mental health care.
Yeah, well, you know, potato.
Well, it's more about, I think, like, if you put all your eggs in one nut basket, then...
Nut basket?
That just sounds wrong, Jack.
I know. I said it and it sounded wrong, but I tried to ignore it and keep rolling with it and you had to point it out.
Thank you.
Try to ignore it and keep rolling with it.
And you had to point it out.
Thank you.
But yeah,
I mean,
it's,
um,
I mean, say he didn't,
you know,
take this order as an insult or something,
you know,
say he was actually hit by a bus or a tram in San Fran.
There is that.
Yes.
You know,
this is a,
yeah,
this is bad,
but he shouldn't have been allowed to get to that point in the first place.
Right?
No,
no,
but this is great.
This reminds me of
you remember the openings one of well uh in robocop when the guy he takes town hall
uh and he's like i want the mirror and i want to chop it and i want to go
a car that does really shitty gas mileage
uh oh man that's uh uh miracle excellent thank you very much andy America excellent
thank you very much Andy
this week in InfoSoul
we are officially
the most entertaining content
amongst our peers
yes we are the most entertaining content anyway jav i believe it's
time for you now for uh this week's okay so uh you know what I'm still daydreaming. I'm still thinking, like, how can I apply for a copyright in technical artistry?
That's something for the bucket list now.
You have to do two things, Jav, first.
You have to do something technical and something artistic.
And just in case you're wondering, I already own the copyright for this podcast.
Neither of which are technical nor artistic i i am the banksy of the infosec world anyway billy big balls of the work week work week
has to go to dan guido who is a friend of the show, a famous guy on Twitter, at Dan,
at D Guido, D-G-U-I-D. Oh, anyway, he's the CEO of TrailerBits. So he owns one of those electric
scooters. But please do not judge. I was about to judge and then I read the thread and, you know, he's not one of those guys. Anyway, so his electric scooter was stolen.
Unknown to the thief, he had hid two air tags inside it.
Apple air tags?
Apple air tags, yeah.
He's a man of taste and honour.
I just imagine the thieves, like, they take it to their chop shop
and someone's like, hey, do you know
whose scooter you stole? This is Dan Guido's
you crazy son of a bitch
Look, he has not just one head, I've got another two
And you killed his dog
Get it out of here
Anyway, so
he went out for dinner and he locked it to a grate with motorcycle
handcuffs because he finds them easier to use than a cable lock but apparently he's sorry so can we
just go back there what are motorcycle handcuffs is that when motorbikes want to get kinky or something?
Is it a type of bike lock?
It is a type of bike lock.
I've never heard it called a motorcycle handcuff.
I mean, I've seen those kinds of things.
They're just, yeah.
Don't we call them like bike locks?
Yeah. Well, yeah, exactly.
That's what I'm thinking.
Instead of a chain, it's a rigid hinged set.
Mechanism.
Mechanism that you lock around your.
Yeah, but bikes don't have hands.
A D lock.
Ah, right.
Now we're making sense.
No, but they don't have Ds either.
No, Prince Albert.
Oh, man.
No, Prince Albert. Oh, man.
Anyway, so the reason he had hit two air tags in there is that one was a decoy in the wheel
and the second, more subtle, one inside of the stem covered in black duct tape.
So if someone was actively looking for these, they would find the decoy one hopefully and think, job done.
Yeah.
So the next day, he had to fly to Black Hat.
So he wanted to try and find it.
He had NYPD meet him.
But they were reluctant to help because they weren't familiar with airtight thought i might be enlisting them to steal something and refused to walk me with me if i
knocked on a door or or on a store he only had an hour to hunt couldn't find its precise location
uh thought it was within an apartment but um you know but then he had to go um he couldn't get the the precise location why because
of apple's anti-stalking features um yeah yeah yeah you know three days or something like that
yeah yeah so they if you're an iphone user you receive a push notification if an unknown ear
tag has been like quote-unquote following you without its owner for a random time so between 8 and 24 hours
and then the air tag will start making sound with a built-in built-in speaker yeah um luckily for
him the air tags didn't move for the whole week so he caught up with a new plan so he got back
from black hat um called the police trying to convince the cops to help him. And this is really interesting
because he encountered resistance. So he, you know, some were saying, go back to where it was
stolen, call 911. Someone else said, that's not our precinct. Others saying, we can't help you
if he's inside a residence. Others are like, we're not familiar with your voodoo magic air tags.
But, you know, he said he was patient.
He tried to educate them, showed them what the air tags were,
you know, made a joke about it only costing $800,
so it's not a felony.
So eventually he got a two-man patrol to drive him to the current location
yeah uh pointed at apartments and then it is what i could imagine it being one of the films like
someone turned around and the camera pans around and everyone just stands there because there's a
e-bike shop right there underneath the apartments.
So they walked into the shop and he immediately got a ping that he's like about 13 feet away.
Yeah.
Gestured to the cops.
Seconds later, he walked right into his scooter.
The employees were in disbelief.
How did I know it was mine?
I played sounds from an ear tag
not good enough i paired it to the nine bot ios app that convinced the last holdouts
um what the nine bot i presume that's the make of his bike or something yeah yeah the ios yeah
so you know that that shows you like all your um riding history percentage battery range
anyway so um the at this point the one mechanic started making excuses for the current state of
it the woman who bought it in had complained about brakes so he cut the power line to the
handlebars and then removed this because this isn't really how you repair brakes um yeah cutting them yeah so as i further inspect the scooter the cops start asking questions do
you sell used e-bikes do you collect them from the seller do you ask they prove ownership what
is the contact info for the person who dropped this scooter off no no no and we don't know right someone dropped this off yeah at this point i noticed there were
cameras um i i gestured to the cops to get the video before they delete it um an employee
realized that they were investigating further so he started to become agitated saying that oh you
should be happy that you get a warrant
but you know it's your fault for letting for getting it stolen this isn't how we do things
in brooklyn oh my god so he goes he goes he stepped outside then while the let the cops do
their job one employee that the aggressive employee followed him he goes all you're doing is making enemies
gets closer to me and pantomimes shooting at me he implies i'd get murdered if he sees me again
as opposed to friendly brooklyn well exactly yeah can't read too much into that and the best part
is if he ever needs his bike serviced he he knows where to go now. Exactly, exactly.
So, you know, other employees were more cooperative.
They provided video.
It's a woman.
They claimed that she didn't leave a phone, filed out a police report.
And, you know, he got his scooter back.
So, you know, some takeaways from this.
I mean, this could have been a black hat talk.
I don't know why he tweeted it out.
But some good takeaways were like,
use an airtacker adhesive that blends in and muffles noise.
It's clear that the thief was looking for them.
Do not turn on loss mode.
It immediately alerts the thief that looking for them. Do not turn on loss mode. It immediately alerts the thief
that they're being tracked. And number three, act quickly before the anti-stalking feature kicks in.
Damage done to a handlebars with likely in response to the regular noise from the air tag.
And four, limit your in-person interactions. Always involve the police. Don't try and retrieve your
stolen goods until you have backup. i imagine someone in america sitting
there they tap their the the the gun on their hip and they say i already have the backup i need right
here wow do you know what i think it was quite fascinating there is about is more about the um
the sequence of you know don't invoke lost mode don don't do this, do that. I think all the things that you'd automatically do, oh, my bike's gone.
Let me switch on lost mode and I can find it.
You know, all that stuff, it's slightly counterintuitive.
Yeah.
It is.
It is.
And I think it's really just useful just to hear the process
and how difficult it is to convince police,
but you need to persevere and get it back.
But I think it's kudos to him.
He done a fantastic job in keeping his cool,
sticking to it and getting it back.
So it's a happy, happy story all around.
Dan Guido, we have Host Unknown salute you, sir.
Yes, please, like and subscribe.
And, oh, Andy, what time is it?
It's that time already.
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News.
on the globe.
Industry News Disney employees among those arrested
in child abuse sting.
Industry News
NCSE sticks by
three random word strategy for
passwords. Industry News
Martial arts instructor
accused of spying on students.
Industry News Fraudsters impersonate DPD in convincing Martial arts instructor accused of spying on students. Industry news.
Fraudsters impersonate DPD in convincing new smishing scam.
Industry news.
House of Commons beefs up cyber training following Matt Hancock's CCTV leak scandal.
Industry news.
Salesforce communities could expose business sensitive information. Industry news. Salesforce communities could expose business-sensitive information.
Industry news.
Salesforce communities could expose business-sensitive information.
Who wrote this?
Industry news.
Salesforce community.
No, no.
Over $600 million stolen in biggest ever cryptocurrency theft.
Industry news.
stolen in biggest ever cryptocurrency theft.
Industry News.
Accenture tied up in $50 million ransom lock bit 2.0 attack.
Industry News.
And that was this week's...
Industry News.
Were there only eight stories this week?
No, I clearly made a mistake when I was adding things in,
and I clearly got distracted at the time and thought,
hey, this one's good.
It'll go in twice.
You got distracted by your 24 and me.
I was going to say, I'm from Africa.
I can see the clickers on there. Who was was that that clicked on the house of commons one first uh that would be jav oh yeah because it wasn't me you don't care and jav likes to score
points so you know that's uh accenture one um one. So there's obviously global consulting firm Accenture.
They've been targeted by ransomware group Lockbit, right?
And apparently the group have taken data.
And I think I saw their share price hadn't dropped at all,
like completely unaffected by this detail.
And obviously you've got the likes of Accenture.
It's not
just going to be their data right they are a lot of people's data yeah to lots and lots of people
um you know similar to who was it uh which of the big four got done before was it deloitte
where they lost a whole load of their client data i can't remember actually but it may well be
i want to get one of them yeah
it may
maybe
I don't know
we're not saying it is Deloitte
but you know
it could potentially have been
one of the big four
but yeah
I think it just goes to show
you know
we now have this fatigue
against
you know
ransomware
it happens everywhere
right
oh you got hit
oh well
it's commoditized
at the end of the day
everybody's going to be hit by it
uh speaking of a shocking amount of money you know this story about the um 600 million stolen and biggest ever cryptocurrency theft yes and there was uh the company that was hit was kind
of like a broker they they sort of like joined different exchanges together of course and um the
they they found a flaw in the in the the way they assigned the contracts to, you know, assign the tokens to or the Bitcoins or whatever the currency to.
I don't understand the technicalities, clearly, but there was some vulnerability and that's how they made off with 600 million. And what was really interesting about this, as part of their incident response, recovery plan, incident response plan,
they put out a tweet and they said, please, bad hackers, you've stolen 600 million.
Can you give some of it? Can you give it back, please?
And as a result, I think as of yesterday, 260 million has been returned.
What?
Yeah, yeah.
It's really bizarre.
So it's been returned.
And then the person claiming to be behind it said,
oh, it was just a prank, bro.
We were only doing it to demonstrate the vulnerability.
We didn't really.
So here we're going to give you like a third of the,
or like nearly half of your money back, but not all of it.
It's just a prank, bro.
Yeah, exactly.
But my time costs money.
Yeah.
This is type of consultancy, money can't buy.
So it was just really, really weird how that all played out.
And I assume it might still be
playing out i mean we're probably going to find out oh it was the the uh the founders behind it
that were behind it yeah to begin with but uh it's uh you hear about these these things happening
all the time and and i read and i thought you know what, this is maybe why, you know, normal finance has so much regulation and what have you.
It's kind of like to stop this stuff from happening.
But in researching it, I actually found out, I was like, well, maybe they, I thought maybe they gave back the money because, you know, they were feeling some heat and, you know, they were finding it difficult to move the money out the wallets or something.
And someone told me, no, there's loads of services out there.
They call them crypto mixers.
And they're basically money laundering for cryptocurrencies.
Oh, my God.
And so you just, like, dump them, like, 100 million.
And in the coming days, weeks, they'll take an percentage
and it comes out clean.
So those crypto mixers are the equivalent of all those mobile phone shops
that appear on the high street.
Yes.
And all those laundrettes are open 24-7.
That's it.
In fact, that's what those laundry machines are doing.
They're actually spinning around and generating Bitcoins.
Yeah.
It's not just metaphoricalical it is genuinely the other one i like was the ncse sticks by the three random
word strategy so i think that they're stuck they're really kicking out some sensible down to
earth uh advice at the moment yes um and i think it's true. These three random words. The only problem is of course, is that just about every, you know, everyone's password is horse battery
staple. Yeah. Correct. Horse battery stapler. Yeah, absolutely. There is still to be a singular
sensible down to earth approach to passwords across all, um, passwords across all areas of InfoSec.
So you've got the NCSC at the top end saying one thing,
and then you've got providers of services saying another,
where it's maximum 12 characters and you can't cut and paste
and it has to be a mix of everything except these individual characters
because we can't be bothered to code those in.
Yeah.
You're going to achieve peace in yeah you know you're going to
achieve peace in the middle east before you can uh agree to a resolution to what what makes a good
password strategy so well maybe the solution to peace in the middle east is the assertion of a
good password strategy who knows who knows excellent, that was fascinating stuff this week, as usual.
That was this week's industry news.
Industry news.
This is the Host Unknown Podcast.
Indeed.
And now we move on to this week's...
Tweet of the week.
And we always say it twice.
Tweet of the week. And we always say it twice. Tweet of the week.
Okay, so this is a tweet from Runa Sandvik,
who says,
I've lost count of all the odd choices Apple has made over the years,
and then goes on to count them.
But, one, gave us all U2.
Two, remove VPNs from the App Store in China.
Three, this new approach to scanning.
And four, suing companies which enable security research.
Interesting one.
I mean, to address those in order, one, gave us all U2.
Really?
Are we really that fussed about it?
Just delete it.
It's not a big deal.
Really.
You know what?
I wasn't happy at the time because if you consider back then,
I mean, not only are iPhones expensive, they always have been.
They do have very, very poor capacity.
Then delete it.
Well, it's more the fact they just did it without fucking.
No, they told you.
They told you they were going to do it.
When?
I had absolutely no recollection of them telling me.
In their announcements.
What announcements?
They made an...
I was watching it.
Clearly you're not a fanboy enough, Andy,
if you don't sit through all the keynotes.
Anyway, just delete it.
Number two, remove...
That's what I ended up doing,
but they did take up a lot of space by dropping that on there.
A lot of space.
They took up, up like 70 meg
dude the iphones were about like 128 meg in total capacity but i don't act like they weren't like
apple have always been pretty poor with the lowest one they've ever done was eight gig and that was
the very first one yeah i i love these apple Apple stories. You can hear the blood pressure of Tom raising.
We're trying to, Andy and me, have a little bet going,
seeing who can give Tom a heart attack.
This next one, remove VPNs from the App Store in China.
I think Apple need to show more balls when it comes to China.
They really do need to because doing shit like this is absurd and you know they need to hold their ground here i know
it's a big market but they can they can afford to lose a you know a few hundred million by not being
in china to be honest with you uh so i think that sucks. This new approach to scanning. That's a tough
one. I think we've spoken about that already. But let's actually get onto the tweet show.
The suing companies which enable security research. So they are suing a company called
Corellium, which is an iOS virtualization vendor. And they're being sued under the Digital Millennium Copyright Act,
that world-famous DMCA Act.
They initially sued the company for infringement in August,
alleging that the virtualization of iOS,
which is basically they're creating an iPhone in software on a computer so that you can then load the iOS operating system onto it
and then test various environments, et cetera, on there.
But it was violating Apple's ownership of the code.
So by creating this virtual machine and then taking a copy of iOS,
virtual machine and then taken a copy of iOS, that's against the end user license agreement that you can't do that. Their quote was, Corellium's business is based entirely on
commercializing the illegal replication of the copyrighted operating system and applications
that run on Apple's iPhone, iPad, and other Apple devices. And Corellium simply copies everything, the code, the graphical user interface,
the icons, all of it in exacting detail and providing its users
with the tools to do the same.
So it doesn't have any connectivity, so it can't be used as a phone,
but it does allow researchers to look at how certain software performs on iOS
in minute detail because obviously they have control over the virtual hardware
and they can see what's going on underneath the hood.
And it has been used as well to uncover surveillance related protocols in the United Arab Emirates Totok app.
So it's a good way of actually seeing when an app is installed, what it does, does it phone home,
all that sort of stuff. Corellium have said that the motion is part of a broader crackdown against jailbreaking.
And jailbreaking being that thing that we all did when we first had an iPhone,
where before there was an app store and before the phone was actually useful for anything other than just making phone calls,
you could actually break the code and install software on it that was not Apple authorized.
So Apple didn't like it was a real
cat and mouse game they would fix it in one software version then the the coders would
break it in the next version etc um i used to jailbreak when i first got my iphone because i
got my first one from the us and it was the only way you could get it tied to carriers yeah it was the only way you could get it to work in the UK.
And then literally the moment the App Store came out,
it was like, well, why am I bothering with this?
And then you could buy – I think my original iPhone was jailbroken i think i jailbreak jailbroke my three just because um because uh apple
number their iphones the same way we number our episodes um but um so i jailbroke my three because
i just did and that was the way it was and then by the time the 3gs came out or the 3g sorry the
3gs came out they had a proper app store and apps on there
that I liked and I just didn't bother after that because you know it was just no need um so yeah
and this is Apple's obviously declined to comment because that's exactly what they do
um I think being a spokesperson for Apple must be the easiest job in the world if you think about it
it must be and it's people like you that are doing it for free.
Yeah, yeah, there is that.
Well, there are comments here, and they're very, very split.
And I must admit, I do appreciate where they're going
because obviously software like Corellium does break the end-user license.
It does go against the license in terms of the software
and all that sort of stuff, you know, very clearly against the terms and conditions of use of the software.
And they've obviously managed to basically backward engineer some of the code to ensure
that it runs on their virtualization software. So that, you know, which are, you know, again,
against the licensing terms. But as we've seen that some valuable research has been found out so it's like any tool right you
know if you get a knife you can you can chop food to make dinner or you can stab somebody with it
and that i think is the is the problem here you can do good stuff with this but you can also do
bad stuff so you can look to subvert um um, you know, security within iOS, uh, you know,
for malicious means and all that sort of thing. Um, so we've got one half of, uh, the, the,
the commenters saying, uh, that, um, this is utter, you know, this is utter bull crap, you know,
the, this is Apple just being, you being you know big brotherish and we should just
let security researchers do their thing and the other one um basically saying um you know well
if you write if you can run apple software on non-apple devices i virtualize software
what's to stop samsung from making phones running ios or hp to sell Mac clones. That was already tested in court. I think
it was Psi Star, I think, did it. And there is no excuse that this is merely an emulator to
override the transparently obvious fact that they're breaking the software's license terms.
So it's interesting. So there's a legal side that says quite clearly you can't do this,
but there's certainly a moral and ethical side that says actually
there is benefit to this.
And I think probably the, you know, not that I'm any judge of this
or anything, but I'd say let's try.
But you vote for Apple.
Well, no.
Do you know what?
I'm not sure, but if I was Corellian, I'd say come work with us.
Let's get into something that allows us to provide these services to valid you know security
researchers so that you can derive the benefit from the work that they do um but who knows it's
probably more complex than that and we know that lawyers are not always the most uh well they tend
to think a little bit more black and white than that don't they but lawyers are not always the most uh well they tend to think a little bit
more black and white than that don't they but uh yeah this is a difficult one i think legally
apple is in perfectly entitled to do this um and uh you know corellium are uh profiteering from
somebody else's intellectual property um but conversely i think Corellium are filling a space in the market that
desperately needs filling. And Apple are not doing that. And so therefore, you know, Apple should be
looking to see how they can actually make this work for all parties rather than just suing the
crap out of them. Very good points, Tom. But as usual, you're a day late and a dollar short.
Very good points, Tom.
But as usual, you're a day late and a dollar short.
Marvellous.
Because a few days ago, actually, the negotiations were held and both parties have settled out of court.
So we know nothing about what happened.
No, there's confidential term sheets have been signed by both,
so there's no comments available by either.
But I'll tell you, I picked up this one detail from it,
and this explains why I think Apple backed down in the end.
So earlier in this week,
both Apple and Corellian filed papers
as to showing who they would be calling as witnesses
for the upcoming trial. So Apple included people like Craig Federici, who's the SVP of software
engineer, and security engineering chief Ivan Kristic. Corellium were going to call an executive from Azimuth,
the Australian company that was credited with this hack of the San Bernardo's terrorist iPhone.
Yeah.
Right.
And also they were going to call friend of the show,
former Facebook chief security officer,
Alex Stamos.
Really?
Yes.
And I think Apple thought,
fuck it.
Can't go.
We can't compete with that.
And,
and they,
they,
they,
they agreed to settle out of court.
Interesting.
Anyway,
that was this week's.
Tweet of the week.
And that brings us to the end of the show folks uh we may have missed one of the segments but
we're still running at close to an hour just goes to show how much uh jav likes to talk well well i
wouldn't need to talk so much if you had your stories up to date right well this is what you
mean the story that uh that in in whatsapp a couple of days ago you said, Tom, you can do this story.
Yeah, a couple of days ago before it was settled out of court.
Yeah, well, you know, if you want to set me up like that.
It wasn't a set up, far from it.
Revenge is a dish best served cold.
In my case, probably slightly mouldy as well.
Oh, Jav, thank you very much, sir. Thank you for this week, and I hope you have a lovely Jav Thank you very much sir
Thank you for this week
And I hope you have
A lovely weekend
Thank you
Thank you
Thank you
And Andy
Thank you sir
Stay secure my friend
Stay secure
You've been listening to
The Host Unknown Podcast
If you enjoyed what you heard
Comment and subscribe
If you hated it Please heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
So there's you stitching me up again, Jav, it would seem.
What do you mean stitching you up again?
Honestly, I just... Well, not just stitching you up, right?
So as I was reading that story, because it's the first time I read it,
as I was going through it.
It was actually from January 2020.
No.
The link is from January 2020.
So it's obviously been an ongoing case, which is why we've now got the conclusion of it.
Yeah, that's probably what happened.
But I don't know.
I just saw it.
The WhatsApp is a brainstorming platform.
It's not like a definitive truth.
The tweet was August 7th. So in fairness, the tweet of the week was up to date. The WhatsApp is a brainstorming platform. It's not like a definitive truth.
The tweet was August 7th. So in fairness, the tweet of the week was up to date.
Yes.
So let's just blame the...
Blame Runa.
Runa, this is your fault.