The Host Unknown Podcast - Episode 69 - Think of a Number Bill and Ted
Episode Date: August 20, 2021This week in InfosecWith content liberated from the “today in infosec” twitter account14th August 2013: Affinity Health Plan was fined $1,215,780 for a HIPAA violation after a photocopier purchase...d by CBS for an investigatory report in 2010 revealed medical info.At $1.2M, photocopy breach proves costlyhttps://twitter.com/todayininfosec/status/1294252352191565824 17th August 2005: Jason Smathers, a former employee of AOL, was sentenced to 15 months in prison for selling screen names and email addresses of 92 million users to spammers.Ex-AOL worker who stole e-mail list sentencedJason Smathers: Internet Criminalhttps://twitter.com/todayininfosec/status/1295500512830394371 The Box incidental music © Charlie Langford Rant of the WeekYou can post LinkedIn jobs as almost ANY employer — so can attackersAnyone can create a job listing on the leading recruitment platform LinkedIn on behalf of just about any employer—no verification needed.And worse, the employer cannot easily take these down.Now, that might be nothing new, but the feature and lax verification on career websites pave the ways for attackers to post bogus listings for malicious purposes.The attackers can, for example, use this social engineering tactic to collect personal information and resumes from professionals who believe they are applying to a legitimate company, without realizing their data may be sold or used for phishing scams. Billy Big Balls of the WeekWoman accessed ex-partner’s Alexa to torment his new girlfriendPhilippa Copleston-Warren terrified love rival by using smart device to switch lights on and off and tell her to get out of the houseChelsea woman used Alexa to scold ex-lover’s new girlfriendA management consultant from west London accessed the Alexa device at her ex-boyfriend’s home from more than 100 miles away to tell his new partner to get out of the house.Philippa Copleston-Warren, 46, logged into an app linked to smart devices in the victim’s Lincolnshire home, and was able to see her ex’s new girlfriend on the property’s CCTV system.Prosecutors said Copleston-Warren was able to tell the woman “to get out” and used the app to turn the bedside lights on and off.At Isleworth crown court, Copelston-Warren admitted posting a naked photo of her ex-boyfriend on Facebook, accompanying it with the caption: “Do I look fat??? My daily question”.[That was this weeks BILLY BIG BALLS][SEEN ON REDDIT] Thom:Antivaxers Think Their ‘Pure’ Semen Will Skyrocket in ValueI’m going to retire as a “cum cow” Industry News"Jigsaw Puzzle" Phishing Attacks Use Morse Code to HideCadbury Campaigns Against Cyber-bullyingMisconfigured Server Leaks US Terror WatchlistYik Yak ReturnsAirline Employee Jailed for Spending Passengers’ MoneyT-Mobile: 49 Million Customers Hit by Data BreachJPMorgan Chase Notifies Customers of Data BreachCoin Ninja CEO Admits Operating Darknet Bitcoin MixerWomen Charged Over Sexually Exploitative Child Modeling Sites Tweet of the Weekhttps://twitter.com/Kaipo_Rozwolf/status/1428426623091724289OnlyFans Will Ban Pornography Starting in October, Citing Need to Comply With Financial Partners Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
So just a biggest loser update.
Oh, yeah.
Yeah, we haven't spoken about that for a long time, have we?
We haven't, no.
But collectively, I think this is probably the biggest update we've had, right?
Actually, we've lost a huge amount of weight.
A huge amount.
A 14 stone of ugly fat is gone.
Yeah, absolutely.
Maybe just for this week because you know how much, you know,
weight comes, you lose weight and it comes back really, you know,
in a really unwelcome manner and very quickly and just makes you feel
very sad and upset and lonely when it comes back.
But for this week, let's just celebrate the fact that we are, you know, 14 stone lighter.
Well, 14 stone minimum, I think.
Yeah, at least 14 stone.
At least.
I mean, you know, certainly in bare feet.
But yeah, we've lost 14 stone this week
and we've never felt better.
You're listening to the Host Unknown Podcast. better. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are
joining us and welcome to episode 69. 69, dude. Yeah, Of the Host Unknown podcast.
Wow.
Episode 69.
I call this the Bill and Ted's episode because that's the number they always think of in the films.
Think of a number.
69.
So, yes.
Yes, very good.
Very good.
Andy, how are you, sir?
I am good.
I'm feeling good about this weight loss.
Yeah.
Which has been going on. But I think we should probably just clarify. Actually, why don't we ask feeling good about this weight loss yeah which has been going on but i
think we should probably just clarify for actually why don't we ask jav about this weight loss jav
jav jav well there you go evidence of our weight loss
oh indeed how are you doing anyway this week i'm all right i'm all right i'm on holiday this week like jav but i'm you know i'm committed to the cause um you know i i don't just not turn up for
the hell of it i actually there has to be pure financial reasons for me not turning up but jav
no he just didn't feel like it and also i think jav's in that american mindset isn't he where
you just take time off without notice uh you know in the uk it's polite to give
notice when you're going to be off so yeah exactly he just said last night oh i'll send you something
you can play it as if i was there and it's like yeah we're still waiting jav you know i mean we
we do try and do everything live in this show we don't pre-record everything it's just phoning it
in from another level though isn't it oh this is completely well if only he would phone it in because at least he would be committed and
hit being here on time right you know you know he's not even recording it in uh so uh but no
jav if you're listening because we know you are uh i hope you had a lovely time i hope the court case went well
and um that we'll that we won't be seeing you in three to five you know that he'll plead guilty
the first opportunity oh my god yeah absolutely absolutely yeah and and he and he's only the
witness yeah yeah i'll take a plea agreement I want to go super grass
it was all Andy and Tom
Mr Malik we'll hear about your wife's parking ticket
but yeah it's been nice
couple of days up in London
with my mother which which was fun.
The Duchess?
Yeah, the Duchess.
Yeah, she says hello.
She always likes being mentioned.
She said she especially likes it when Jav apologises to her.
Sorry, Mrs Lengford.
And then what did we do?
Oh, yeah, came back to Chippenham, and son's got some work going on.
He's got six days' worth of work, so he's busy doing that at the moment.
Daughter and I went to Oxford yesterday, and we basically went coffee shop,
book shop, coffee shop, restaurant, bookshop, coffee shop, home.
That's like your perfect day out, isn't it?
It was wonderful.
And did you take your iPad for each place?
I did, and I didn't open it.
Well, I only opened it once.
I'd send one email.
In the meantime, we were just reading books and chatting.
Yeah.
Yeah, it was really nice.
It was really nice.
So, yeah, the absolute perfect nice. It was really nice. So, yeah, the absolute perfect evening.
Perfect day, sorry.
And, yeah, now I have to come back and do this.
And now you've got this rubbish to contend with.
Exactly.
I've got to get this shit out of the way.
What about you?
What about you?
You've been busy as ever.
It's always been.
It's just crazy at the moment.
I don't know why.
There's just so much work on.
But much like yourself and Jav, I will actually be taking a week off next week.
Oh, really?
Yeah, I won't be skipping the show, obviously.
No, obviously.
I mean, what kind of shit heel skips the show just because they're on holiday?
Yeah, just lying in bed.
In fact, to be fair, he does that when he's due on the show anyway.
Well, yes.
It's hard to tell the difference.
But in Jav's honour, I will disagree with you on most things you mentioned today,
just for the sake of it.
Oh, thanks, mate.
Because it would feel odd.
It would be the same.
It would feel odd, you know, me going off on something and Jav saying,
well, no, once again, you're half an hour late and, you know,
£2.50 short or whatever it is.
And that, of course, is after setting me up to say the thing I said anyway.
Here's a story you should cover, Tom.
Yeah, yeah.
Oh, and by the way, that story's ridiculous.
What are you covering that for?
It's last week's version of it anyway.
Yeah, that's right.
I'm not bitter at all.
Oh, dear.
So what have we got coming up today then?
Oh, let's see.
What have we got coming up today?
So this week in InfoSec reminds us of the dangers of leasing equipment.
Mostly financial, I would have thought.
Rant of the week is offering you a job.
Billy Big Balls gives a scary insight
into the houses of the rich and famous.
A new feature seen on Reddit
brings us commentary from peak Reddit.
I think we could probably leave that description
in there every week.
Industry News brings us the latest
and greatest security news from around the world
and finally tweet of the week this week shows us that we don't learn from history
again i think we could probably leave that description in there every week as well
but yeah we've got a new feature in fact we've got a whole bunch of new features coming up over
the next few weeks so uh you've been having fun with the jingles andy i have yeah i got uh got a bit carried away well
i didn't get so carried away uh you know i came up with some uh requests and uh our man mr fiverr
got very carried away with the jingles uh he's totally brought into host unknown yeah yeah because
you i think you only asked for three and we got seven or
something didn't we yeah he knows it i got you man yeah yeah i said uh yeah he understood the
assignment and then some yeah and gave us everything we asked for and more yeah well i mean you know
we have to we have to evolve the show right i mean
it's not like we can just run with the same three topics or two topics even every single every single
week that's just terrible there's no future in a show like that no that's right i mean
that's that's the only reason you do that is if if is if you're extremely successful and need to
keep um your sponsors happy yeah we
of course are not constrained by such uh such issues no you can't you can't constrain the
creative genius no that's right that's right and once we find the sweet spot and the sponsors come
flooding in then we stay the same yeah oh dear all right should we uh move on uh straight away on to
this week in infosec
it's that part of the show where we take a stroll down infoSec memory lane with content liberated from the Today in InfoSec Twitter account.
And our first story was only eight years ago, on or around the 14th of August 2013.
Affinity Health Plan was fined $1.2 million for a HIPAA violation after a photocopier purchased by CBS for an
investigatory report in 2010 revealed medical information.
Just saying this,
this title is definitely from America because investigatory,
surely that should be investigative.
Yes.
Also it was a as well instead of an.
Yeah. Yes. I did have to correct that as i was reading um but this is a story which did like it sounded familiar when i heard it and i
can't remember if this is because this is the original story of just one of many that occurred
around that time um so in this particular instance the the US Department of Health and Human Services
settled with Affinity Health Plan for HIPAA violations to the tune of $1,215,780
after a photocopier containing patient information was compromised. So Affinity had to file a breach
report as required under the Health Information Technology for Economic and Clinical Health Act or HITECH.
Their breach notification rule requires any HIPAA covered entities notify HHS of a breach of unsecured protected health information.
So what had happened is that as part of this investigative report, CBS purchased a photocopier that was previously leased by Affinity.
And obviously that photocopier had a hard drive on it full of confidential medical information.
And Affinity stated it was about 344,000 individuals were affected by that.
So small by modern day standards but still a big
issue at the time and obviously at the time yeah yeah and hippo was you know flexing its muscles
as well to sort of let people know that it wasn't a um you know they're not just a nobody organization
not just an african mammal yes exactly um and uh yeah so basically they were charged with failing to incorporate
the electronic protected health information stored on the hard drives
in its analysis of risks and vulnerabilities, which was required.
And they also failed to implement policies and procedures
when returning photocopiers to its leasing agents.
So now, I was going to say, go on.
Well, no, I was i was gonna say i know you
probably recall i think there was another one at the time where i don't know whether it was canon
or i want to say that say it was canon but there's like a whole warehouse full of these photocopiers
um you know that people had leased and then sent back but essentially what's happening is that when
people have these uh office devices or you know they were network printers back then, they did everything,
sort of fax, photocopy, you know, print, all of that.
But whenever you sent something to the printer,
it automatically stored a copy on the local hard drive.
And, you know, depending on the settings,
it would either keep it perpetually or until it ran out of space
and overwrote it.
it would either keep it perpetually or until it ran out of space and overwrote it um so yeah it's a long um long old long old process to clear those devices down and not everyone did it
um and i don't really think people added it to that i think not everybody knew about it because
because printers and photocopiers for the longest time were separate and just fairly straightforward.
I remember you used to buy RAM for your HP printers so that it could store stuff.
But, of course, the moment you switched it off, then...
Store a PowerPoint presentation with a clip-up.
Yeah, yeah, exactly.
Exactly.
You know, but they didn't have massive storage devices.
And then, of course, the multifunction stuff came along
and they needed the the storage
device nobody really knew about it it was kind of it then suddenly became because originally i i
always saw photocopiers as being like you know part of facilities not it yes suddenly it was an
it problem but nobody told the it folks actually what you've now got is a computer with a printer
attached they just saw it as a printer and a photocopier combined.
And I think there was this sort of mismatch of expectation and responsibility for the
devices.
And I wouldn't say it was a, you know, back in 2013, it was a massive, oh my God, there's
a, you know, there's a computer inside here
with a hard disk.
We must make sure that it gets wiped before it leaves.
But it certainly was a little bit of a shock, I think, to some people
that that was the case, that it had this big sort of computer inside
with storage.
Yeah, it's funny you mention that facilities thing because my previous
company, it was the office manager that sorted.
We just plugged it in.
The IT team just plugged it in.
And then when I moved to Big Corp, it did actually fall under facilities in the early days.
The contracts were with facilities to have those serviced and maintained.
But you're right. It's not quite shadow IT.
It's sort of like someone else has dumped something on your doorstep
that you just didn't know was there.
Well, that you think is a photocopier but is actually a Decepticon.
Yeah.
I mean, I remember and I certainly don't think I'm unique in this
by any stretch, but I think I realised these were potential problems
because back in 2002 when I moved to a company there,
they were doing massive print jobs.
They had a system called a Fiery, and it actually required a Mac
stuck on the side of the printer to print to it, you know, because the print, a native printer couldn't handle it.
So you had this, basically it was a processing unit, the Mac,
that actually converted these huge plots into things that could be printed by
regular plotters. And so you kind of realize, well, that's a computer.
Therefore, if it leaves, I have to, you know, blank it.
I have to do something with it.
Decommission process.
Yeah, exactly.
And then, of course, these things started to, you know,
you plug them directly into the network and all that sort of stuff.
And, yeah, it just took off from there.
But it was a big deal.
But the thing is, so you've got on the one side,
you've got the IT folks on here going, well, it's just a fancy photocopy.
What the hell do I need to worry about it?
But you've also got the manufacturers who are really,
I wouldn't say negligent, but quite sort of profligate with their policies
in that, oh, we'll just leave it so it fills up.
We'll just wait for the disk to fill up with all of these documents
because they're confidential, but they're on a hard disk.
It'll be fine.
Nobody will think to look for a hard disk on there.
Encryption?
No, we don't need that.
Just slow it down.
So you've got this kind of perfect storm just waiting to happen.
Yeah, it's just been one of those things. of those um the things i say it just came in it
just sounded so familiar because i think this wasn't just a one-off you know this occurred a lot
um you know in that era yeah yeah yeah i haven't heard anything since but i guess it kind of ties
in with that buying x equipment off um ebay and stuff like that as well yeah yeah i think so i think so but uh yeah fascinating fascinating i um you got you got
a lot of a good uh copy of story especially as as i know quentin will probably uh chime in on this
as well qa by q qa by q he'll say no it wasn't canon it wasn't i was thinking as i was saying
i was thinking oh maybe it's not yeah and there's one of our listeners may well correct me
so so come on qaq uh let us know let us know if if this was all your fault
excellent that was a that was a short one this week but um since we're missing
jav we have to make up with the other short things uh thank you very much
this week in infrasound wake up with the other short things. Thank you very much.
So let's see how many Jav gags we can get in this week.
We've had basically fat and short so far.
Oh, and ugly, for that matter.
Right, I'll come up with something lazy.
Yeah.
Oh, what, you mean Jav's lazy?
Yeah.
Easy.
Right, let's move straight on, shall we?
Let's get on to this week's... Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So this was one Andy and I were discussing this morning.
It took me a little while to unpick it,
mainly because I just read the headline.
I hadn't actually read the story.
But this is a jab at LinkedIn.
So we all know when we're looking for jobs that LinkedIn is actually
one of the places we go to.
You can set up rules and reminders.
And employers also use LinkedIn quite extensively as well.
It's a good way.
You have your company profile on there.
People can find out all about you.
They can find out who works for you.
And then you can also apply for jobs there.
It's wonderful.
It also has the added benefit
i mean i use it for motivational pep talks like if i ever feel down i like to go into linkedin
and see you know other people that get up at 4 a.m and achieve all of this this great stuff before
you know before the working day starts um so i mean yeah i use it for motivation at all rather
than anything else right just to see who else is up at four o'clock like a exactly like an insomniac who's so overly stressed they can't cope they can't
you know get more than two hours sleep a night 24 usable hours and every day
so um but the the and and employees would go on to linkedin obviously and they would create a job
and you'd apply through LinkedIn,
and, you know, brilliant, all very transparent, all very lovely.
Although a researcher, a Mr. Singh, I think it was,
links in the show notes, folks,
has found that anyone can create a job listing
on the leading recruitment platform, LinkedIn, on behalf of just about any
employer. And you don't even, I'm going to say all that again, because that really did sound
like I was reading it. So it turns out that anyone can create a job listing on LinkedIn,
even on behalf of virtually any employer as well without any additional verification. And to make it worse,
it's not actually that easy to change the settings. So what happens is you set up your
profile on LinkedIn. It can be false entirely, obviously, in a false company etc you then can create a job listing for that company
sorry for any company you want and then tell it to forward all of the cvs and resumes and
inquiries on it to an entirely different email address so using your own credentials, you can create a job, say it's from, for instance,
Canon. And that's just an example. I don't know if Canon have fixed this or not.
But say it's from Canon, put in your email address of the very fine chaps at hostunknown.tv.
And everybody who applies for that job at Canon will be sent to you so you will start
harvesting huge amounts of data some of it you know fairly personal given the the contents of a
of a cv etc um we're talking here like typically i know a lot of people put their name address
um phone number which yeah depending which country you're in as well they include a photo yes your country
um also you know a lot of personal details as well maybe links to personal websites uh hobbies
things like that sometimes pets you know all you know all fairly valuable data let's face it um
i'm gonna play devil's advocate is it a, you know, you're putting this information out there anyway
for the purposes of job search.
Yeah, there's two sides to this.
One is, is it a problem in the grand scheme of things for you as an individual?
Possibly not, but you are sharing data with someone
who you don't realise you're sharing data with. And you could actually maintain some kind of dialogue with that person,
thinking they're from a company.
They could be prompting you to log into various websites under the guise of,
you know, can you send us a photo?
Can you prove you're a real person?
We need to get your passport details.
So we're talking about the next level, like how you escalate this attack.
Yeah, this is a great sort of foot in the door way of getting data,
you know, social manipulation way of getting data.
That's just on the side of the individual.
The actual companies themselves could actually suffer a fair amount
of sort of credibility damage because if you want to, you know,
screw up a company, probably one of the smaller ones,
if you're disgruntled, you could, you know,
gather all this data for a supposed job and then just wind these people up, lose their
data, uh, telling the job no longer exists and that they're, they're dickheads and all, all,
all that sort of stuff. And nobody would really know that it wasn't the company. They would just
think, you know, and then they get onto Glassdoor and start slamming the, you know, uh, the company
for, you know, poor employment practices, know poor employment practices you know all all that
sort of stuff as well so it can be quite damaging for the employer too the worst so i can think of
two things where this is uh so firstly if you are applying for a job at a company then you obviously
create that exact same job but for a a different company with a very high salary.
Get people to apply for it and then pick out the best CVs
and use that in your own application.
Which is probably the most benign of uses for something like this.
It is, but the other way is if you want to create one for your competitor
and see how many of your own staff are applying for jobs with your competitor.
Yeah, yeah.
Yeah, that would be an interesting way to see who's disgruntled.
Or even if you're guessing at salaries, right,
you put up particular salary ranges and see whether those ranges
are attractive to your own staff for the jobs that they're currently doing.
It's a free way of getting that kind of data.
Yeah.
And not a particularly good way. I mean, it's not's a free way of getting that kind of data yeah um but and and not a particularly good way i mean it's not well it's not a transparent way anyway or or a formal way
but the worst part about this is that linkedin are completely aware that this
happens and that this can be done and that there are ways of addressing it um and the prime you know and it's all it's all in. And it's all in the detail.
It's all in the settings and click this, tick that.
But the primary way is an email address that you contact to say,
we need to have X, Y, Z switched off, blah, blah, blah.
All very well, except that email address is not available on the website.
It's not available on LinkedIn.
So not only do you have to know that this is a problem,
you then have to work out what email address to send this to,
to send your concerns to, to have it sort of disabled.
So Bleeping Computer did a little investigation.
So the researcher did everything except post a job
um so he didn't want to sort of go that far bleeping computer this is one of those um our
our reporter made their excuses and left yes yeah yeah exactly but they actually posted a job
um they tried to do it for google and it didn't work because they'd actually put all these other
um you other things in
place. As you'd imagine, Google, they probably got the resources for it. They tried it with
another company and it worked. And they were able to get applications for a job with a different
company sent to them. And I think the rant side of this is LinkedIn knew about this years ago
and they've still not openly, transparently and easily addressed this.
They've just made it like some kind of arcane amulets
that you need to know about and to have and to circle around
a dead chicken anti-clockwise whilst chanting something in order to switch
it off and that's just appalling i mean this is this is lazy system admin at the end of the day
yeah so this is something companies have to control themselves yes exactly so you need to
set up your own only these people are allowed to post jobs on behalf of companies. But there are no guidelines or even an email address published
that you can use, even though that email address is the way that you do it.
That's crazy.
Link in the show notes, folks.
Credit to Mr Singh, who found this, and also to Bleeping Computer
actually tested it fully as well.
And a big boo to LinkedIn for not fixing this. who found this and also to bleep and computer actually tested it fully as well. Um,
and,
a big boo to LinkedIn for not fixing this.
Although I'm sure having,
having listened to this episode,
Mr.
Lionel inked in will no doubt be,
um,
you know,
on top of this,
you know,
straight away.
So it is in someone's backlog somewhere.
It's somewhere.
Yeah,
exactly.
Exactly. It's actually probably in the inbox. It's somewhere. Yeah, exactly. Exactly.
It's actually probably in the inbox of that email address.
Yeah, it's just been promoted.
Yeah, it's right.
That's right.
So, yeah, yeah.
Terrible.
Terrible practice.
Don't like it.
Brr, ranty.
Yeah.
Rant of the Week.
Wow, it's a good one. We're burning through stories today aren't we i mean we have a big list you see what happens when we're when we're not carrying dead weight we're actually moving at speed yeah
that's right that's right i mean you know the carrying something that's lumpy heavy um awkward you know physically and emotionally yeah it's just baggage
isn't it just makes life so much easier uh we're gonna have to fill up some time so uh listen to
this you're listening to the award-winning host unknown podcast the show which smashing security
sets their out of office-office to.
They did as well.
Yeah, particularly during this holiday season.
And we're welcome all the new listeners as well.
I know, I know.
Both of them, really good to have you.
Yeah, kind of a different vibe though, isn't it?
Just a little, just a little.
All right, let's move straight on then to our very next segment.
It's the ladies, Billy Big Balls. Look at the size of that thing.
Carol's Coffee's Cajones.
We're playing that one because Carol was going to join us this morning
and she just blew us out last minute.
Yeah, although we will caveat we didn't tell her thatole was going to join us this morning and she just blew us out last minute. Yeah, although we will caveat, we didn't tell her that she was going to join us.
Until about 1am, wasn't it?
Yeah, it's understandable.
Yeah, may not have been able to drop everything to join us.
And even Graham, who'd go to the opening of an envelope,
wasn't able to make it either.
Well, the older you get, the harder it is to wake up in the morning.
It is.
This is true.
This is true, yeah.
Either that or he's been up since 5 o'clock.
Turning to his tomato plants or something in the greenhouse.
Sitting on his rocking chair.
Right, anyway, so this is a story about a woman who accessed her ex-partner's Alexa to torment his new girlfriend.
So this is the story of Philippa Copleston Warren.
Yes, that is a double barreled name. And you will not be surprised to know that she is from Chelsea.
So she is a management consultant from the same area she accessed her ex-boyfriend's Alexa device
more than a hundred miles away to tell his new partner to get out the house
so she still had after she split up with you know her previous boyfriend she still had access via the app um on her phone which was
linked to not only the alexa device but also the property cctv in the house so she could tell um
you know when his new girlfriend was in the house she could switch on the bedside lights and then
switch them off again um you know while she was there, you know, just generally harass her in the house, switch the lights on and off, you know, spoke to her through Alexa.
But the crazy thing was none of this was actually a crime.
I know. So the reason she actually got in trouble and she went,
I'm trying to figure out where her punishment was.
Oh, she's going to be sentenced on the 6th of October.
So the punishment's not going to happen.
Up to two years, I think, is the threat, yeah.
But what she actually got in trouble for was posting a photo of her ex
on Facebook where he was naked.
And she added the caption uh do i look fat and this actually fell under revenge porn category of crime and that's what she was
actually prosecuted for so despite the invasion of privacy that you know she went through like
you know violating his his uh you his privacy in his home,
harassing his new girlfriend in the house
while she didn't realise that she was being watched.
It was this photo that was her downfall.
And ultimately, even her lawyer put out a statement
saying that she had joint access to all of these accounts.
She was legitimately allowed to access the CCTV and all that kind of stuff.
How is this not illegal?
It's ridiculous.
Because she had the login details and the passwords,
there was no hacking involved.
And they were provided to her in good faith when she was with her old partner.
Yeah, and I guess you don't have this sort of joiners,
movers, leavers process, right?
When you tell your government, it's a case of, right. You guess you don't have this sort of joiners, movers, leavers process, right? Yeah, that's right.
When you tell your girlfriend, it's a case of, right.
You mean you don't? I know I do.
This is the acceptable use policy for being my girlfriend.
You'll be provisioned access to these accounts for the purposes of, you know,
whilst you are in a relationship with me.
But when you leave, you're no longer able to access and
obviously unless you've got that banner that pops up every time yeah in the front door we we reserve
the right to uh review your device etc yeah exactly so i mean this is just a crazy one i mean
you know there is a saying hell hath no fury like a woman scorned. And I do kind of admire the level of pettiness she went to,
like switching the lights on and off.
What I think is really interesting here is literally two-thirds
or three-quarters of the story is about what she did with the Alexa
and not the illegal thing.
It's then, oh, and she might be sentenced for up to two years
for revenge porn and posting a nude photo.
Yeah.
But that does go to show, I think, that this gross invasion of privacy
and breach of trust is actually a bigger concern than just posting
a naked picture of someone on Facebook to the average person,
if you see what I mean.
Yeah.
It's almost like, you know, what kind of world do we live in
where revenge porn takes a second seat to something, you know,
like an invasion of privacy?
And it's quite interesting.
And I have some personal experience with this,
and I won't get to any sort of significant details,
but a friend of mine, her ex, she shared a
couple of Alexa speakers, Bose Alexa speakers with her ex.
He took one, she took one, all connected to his account.
He borrowed it for a couple of days, handed it back.
And unbeknownst to her, he'd switched on like active listening or something like that, you
know, like baby monitor mode.
And so for a good few weeks, he was listening in to everything
that was going on in her house without her knowledge.
And the only reason she found out was she was on the phone to him
and she could hear herself echoed in the background.
And he fessed up, et cetera, you know, and all was good.
And, you know, she, she i guess forgave him uh but i
was utterly incensed by this i found it awful she was really quite cool about oh it's just a
difficult time blah blah blah you know all that sort of stuff you know he's but it could be like
a you know abusive relationship type you know i be violent or, you know, intruded by certain things. It's going to be different.
But that fundamental breach of trust and that fundamental breach of privacy
just enraged me, enraged me.
And yet she was not hugely concerned.
Obviously she knew him better than I did, obviously.
And, you know, I totally get that.
But bloody hell, it was, you know, really, really quite shocking to hear,
you know, when she told me.
But, yeah, I don't think people are as upset by things like this
as they should be.
Yes.
Yeah, I think that's fair to say.
Carol's Colossus Cajones
well that wasn't very funny
well I say wipe down your devices
and have a decommission process when you break up
absolutely absolutely
blimey yeah not very funny at all
no
sketchy presenters
weak analysis of content and consistently average delivery
but they still won an award like and subscribe now
so we have a new feature tom uh yes we do and this feature is called this is the sound of the
host unknown podcast crew putting on their armour,
getting ready to do battle with the hordes of strong opinions.
This is As Seen on Reddit.
As Seen on Reddit. I like it.
Blimey. I tell you what, your Fiverr guy really went for it.
He did.
That was good. I like that.
Although, yeah, taking a look at Reddit does sometimes feel like you need
a suit of armour or at least something you can wipe down easily afterwards.
Fire has no suit, yeah.
Which in this particular one, we won't dwell on this,
but in this particular one is very, very true.
So, again, link in the show notes. And actually,
there's an archive link there because the subject has been suspended. The actual subreddit has
actually been suspended. And when I read out the title, you'll understand why. So it's about anti-vaxxers.
So absolutely no security in this whatsoever.
It's about anti-vaxxers.
And here's the title.
Anti-vaxxers think their pure, in inverted commas,
semen will skyrocket in value.
And the reason for this is
when you click on the link and you know even the even the short link you see there is that
they're they're honestly thinking that the fact that vaccinated people's semen is infected and bad and will spread faster than COVID.
I mean, jeez, I'm doing my best, but really, give me,
I need a couple of days in between times, lads.
But will spread and will basically result in two types of humans,
genetically modified humans, i..e ones that have been vaccinated and
and non-gmo um uh humans oh my god and then of course in pure reddit style somebody uh
comes on to oh dear no i'm going to rephrase that phrasing. Somebody jumps into this and on the realisation that actually
Siemen is going to be the next Bitcoin,
says basically that they're going to retire as a cum cow moving forward.
Oh, life goals.
Life goals.
oh life goals life goals so this is i mean these are the same people that think that um you know unvaccinated blood is in
high demand and because they started all these rumors that the red cross were turning away
vaccinated donors and all this yeah which again misinformation is not true at all well not even
misinformation it's utter lies. Which is just,
um,
yeah,
I don't know.
Or come cow to the moon.
It's,
uh,
I just,
I just can't help thinking,
you know,
they say all the QAnon stuff,
80% of it comes down to what?
Six people,
12 people,
something like that.
I just can't help but think that at the end of the day those people just
sit back and just laugh their asses off at how they've managed to manipulate vast swathes of
the world into thinking the dumbest shit possible i love the the uh the, mark my words, the unvaccinated sperm and blood
will be in high commodity in a few months to a year.
So we're not even going long term here.
We're talking about gains before the end of the year, potentially.
Yeah, that's right.
Damn, if only I didn't get those vaccines.
It's always the same.
I jumped out of Bitcoin just before it went big
i pulled out of this sewing i pulled out my shares before they went big and now i went and got
vaccinated before i you know before i could start all that money slipping through your hands
have you have you hacked my alexis
got it in listen mode it's just yeah
oh dear that must make some really interesting listening
oh my god so yes i'm
i just so can't even with these people.
I just think... We should sum up that medical advice is still,
those who are eligible for the vaccine should still get it.
Oh my God, yes.
Please get it.
Please go and get it.
And homeopathy is not an alternative.
I'm sorry, I'm going to have to stop there.
I just so can't even with these people.
Just remember to be nice in the comments section,
as seen on Reddit.
You're listening to the award-winning
Host Unknown podcast, officially more entertaining than Smashing Security. you're listening to the award-winning host unknown podcast
officially more entertaining than smashing security
so andy it's uh it's that time of the week isn't it it is it's that time of the show where we head
over to our new sources over the infotech pa newswire who has been very busy bringing us
the latest and greatest security news from around the globe industry news
jigsaw puzzle phishing attacks use morse code to hide industry news cadbury campaigns against
cyber bullying industry news misconfigured server leaks US terror watch list. Industry news.
Yik Yak returns.
Industry news.
Airline employee jailed for spending passengers money.
Industry news.
T-Mobile.
49 million customers hit by data breach.
Industry news.
JP Morgan Chase notifies customers of data breach. Industry News. JP Morgan Chase notifies customers of data breach.
Industry News.
Coin Ninja CEO admits operating darknet Bitcoin mixer.
Industry News.
Women charged over sexually exploitative child modelling site.
Industry News.
And that was this week's...
Industry News. And that was this week's...
Industry News.
Huge and true.
Huge and true, but that was mostly depressing or I'm really not sure what to say.
Yeah, so the Yik Yak one.
Yeah, I was looking at that.
So I uninstalled Yik Yak earlier this year.
What is Yik Yak?
So it used to be like this, I want to say social network.
It's like a platform where you can post things, but anonymously.
But you can only post and you can only view it if you're within a five mile radius of the person that posted it.
So it's very common on sort of campuses, universities and things like that.
Oh, right. very common on uh sort of campuses uh universities and things like that right and there were some classic sort of like one-liners little quips because it's not like you could post stories it
was you know it's almost like a tweet um it's like a local area twitter in effect um probably
a bad description but it kind of it did suffer massively from cyberbullying and racism.
Kind of unsurprising.
Anything that allows you to go anonymous,
that's going to be the next step.
Yes.
I mean, particularly in colleges where students were just called sluts
constantly, it did have a pretty toxic reputation.
I mean, I did use Yik yik yak uh you know to abuse
people uh just to practice my so it was you no but it was um i mean yeah it was different everywhere
you went so like i was in i went to center parks one time and like you know i logged into yik yak
just see like what's going on there's a couple of other people around.
Not aimed at the middle classes then.
No.
But there were, I mean, when I did post in my local area,
I got downvoted, like, genuinely for no reason.
It's like really sort of, you know, people just,
if they don't like it, that's it, you downvote.
And what happens is that once you receive a certain amount of downvotes your message disappears uh but then obviously because when you
get a pool of toxic people together they just keep up voting um and you know that message doesn't
appear so if you want to sort of you know call someone a slut or you know some racist comments
if you've got all your racist mates with you um you know it gets upvoted and stays there um but there were actually you know there's previous court case um i think where
students of the washington university somewhere yeah or mary washington university in virginia
um they sued the university over harassments and threats of physical and sexual violence which were
made over the app jesus christ so yeah so i don't
know i mean it did just disappear uh without a without a trace but it's come back sort of four
years later and i'm not entirely sure why uh they're saying it's got you know guardrails
um you know they're gonna be putting in place but yeah i don't know. Yeah. Well, it'll be interesting to see what happens with this, I have to say,
because I think, you know, any platform like that, like Parler as well,
you know, anything that's promoting that kind of thing,
of course it finds, you know, a small core group of people
who love that sort of thing.
But they eventually, you know, they eventually cross the line. You know, either the company you know they eventually cross the line you know either
the company or the users will cross the line and and and things get taken down right um yeah so
they eventually cross the line they cross that line very quickly yeah they eventually cross the
line to the point where law enforcement or the law steps in, right? Yeah. It always takes far longer than it really should.
But, yeah.
Oh, God.
Well, I mean, Yik Yak can stay Yik Yak'd as far as I'm concerned.
Yeah, don't want them back at all.
Even though I didn't know who they were in the first place.
Okay, let's go up to our last section of the week,
shall we?
And let's go to.
Tweet of the week.
Oh,
we always play that one twice.
Tweet of the week.
So this is a tweet.
And this is one of those,
do we not learn from our mistakes?
So similar to the Yik Yak,
you know,
giving people a platform to post things anonymously hasn't worked out well in the past.
I know. Let's try it again four years later.
Similarly, this is the strange news that a UK based company called OnlyFans has decided to kick the core base it built to the curb.
and so capo from twitter says i would like to remind them that tumblr was purchased by yahoo for 1.1 billion dollars in 2013 and following its ban of adult content was sold in 2019
for 3 million dollars so there's a huge difference between uh you know 3 million dollars and 1.1 billion outlay we can do a
sesame street episode on that yes get the old uh the the count to uh count them yeah so this is um
for those who do not know the the news only fans are going to ban pornography uh starting in october
um and they cite the need to comply with financial partners um so we saw this with youtubers not
youtube um pornhub pornhub yeah yeah a while back where you know they had to ban a whole load of uh
so i guess amateur content wasn't homemade well it was unverified content unverified yeah because
because there was copyrighted material being uploaded and yeah but it was to satisfy their
payment processes wasn't the likes
of these are and that mastercard and those guys um and it's similar with only fans right so only
fans have over 130 million users um and being blunt it is it is adult orientated uh subscription
pages like you know they so they've made this announcement that as of october the
first they're going to ban all sexually explicit content so their statement says only fans will
prohibit the posting of any content containing sexually explicit conduct in order to ensure the
long-term sustainability of the platform and continue to host an inclusive community of
creators and fans um so they are saying that, you know,
according to them, they're saying that creators
will continue to be allowed to post content
containing nudity as long as it is consistent
with our acceptable use policy.
Now, their acceptable use policy is artistic nude.
And, you know, people are kind of saying,
what's the clarification?
What falls under artistic nude?
What is, you know, sexually explicit? And it's kind of saying that what's the clarification what falls under artistic nude what is um you know sexually explicit um and it's it's kind of you know they'll know it when they see it
i think is one of that um but yeah so in the last five years since it's uh since it was created
they've paid out more than five billion dollars to creators of the platform um and the company keeps 20 of all revenue generated uh from its creators um but it
has been home to x-rated content for a long time and i guess this is the default platform for it
yeah um and this has been likened to sort of tinder saying they're no longer going to allow
people to look for dates you know because uh or hookups yeah exactly so yeah it's an interesting one i
said we've seen we saw what happened with tumblr in the past um you know when they prohibit content
that they are just widely known for so it's going to be interesting to see what happens with only
fans after october i find it frustrating that you know you know for our payment partners basically
the payment companies are saying to OnlyFans,
we don't want to be associated with pornography,
therefore kick them off or you can't make, you know,
process payments for us or something like that.
Or even, you know, you'll have to pay a higher percentage or something.
I'm not entirely sure, but, uh, but it just, it, it seems to, um,
it seems to sort of unfairly treat sex workers. Uh, it seems to unfairly treat that, you know,
there's a market for this and people are to put themselves through college and, you know,
supplementing their incomes and all that sort of thing with this.
And because it's a self-driven environment, it's sort of –
I don't want to use the word empowered because I don't think I'm kind of justified to,
but it allows people to choose how and when they – and what they do
in order to make money.
And I find this – it's almost exploitative in of itself,
the fact that they're saying you can no longer do it.
And I, you know, and I think as you said with the Tumblr
and Yahoo example, I think OnlyFans are going to regret this
because OnlyFans is synonymous with explicit content
and even more than Tumblr was i think yeah um and a lot of people
have um you know made a lot of money via um particularly throughout the pandemic yes um you
know a lot of people have survived yeah and you know done very well as well yeah i'm sure absolutely
but you know there's there's obviously a market for And I think, you know, if they had said something, if they'd done something like, we're going to put in more
safeguards, we're going to, you know, make sure that there is, you know, health warnings before
and after anything like this, you know, any sexually explicit material, something like,
I would get that. I would, you know, I would see that as a positive step to protection.
But just to ban it, I think, is just driving it elsewhere
and to less well-run and reputable platforms.
So I must admit, I find this sort of faintly depressing,
to be honest with you, as someone who does not have an OnlyFans account or has even paid any,
so I've never seen this, never used it, but I just think it's not going to end well.
No.
Not learning lessons.
Not learning lessons.
No.
And I think the lesson we've learned is, you know,
you've dropped us on a bum note again, Andy, at the end of the show.
Tweet of the week.
There we have it.
Well, we blasted through that this week.
Absolutely blasted through it.
Yeah, so, Andy, thank you very much indeed.
Stay secure, my friend.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Right, well, I guess what we could do is,
since Jav said he was going to send us something today
and he hasn't arrived,
he did send us something a couple of months ago when he was last you know couldn't be bothered to join us so should we just put should
we just play that yeah and for everyone else that's listening this is the part where you can
drop off yeah yeah much like uh any other show really uh but uh but yes uh so i hope you enjoy it. Hello gents, I'm totally right here and this is definitely not pre-recorded the day
before. So yeah, I'm up for a rant of the week or tweet of the week or whatever the jingle was
that just played before me. So Peloton, the fitness company, can't seem to get a break. Not too long ago,
the treadmills had some serious design flaws in it, which meant that the screen could come off,
it could hit people, and pets and small children could get trapped underneath it. So, you know,
children can get trapped underneath it. So, you know, you thought you would think that that would be the end of its woes, but no, now the Peloton bike has had some issues. Researchers at McAfee
said they have found a flaw that let hackers bypass Peloton's boot verification process now what you've got to understand and
appreciate is underneath this whole fancy bike is basically an android device controlling it all
and what they can do is they can manipulate it they can install apps on it that say look like
netflix so when you go to click on Netflix to start it up
when you're on the bike and it asks you to log in, the bad guys can steal your credentials.
Even worse, even worse. These bad guys can remotely access the webcam and microphone
that are built into these devices. So if you're there sweaty, getting your workout on, not very attractive,
bad guys can get access to that footage remotely.
All sounds pretty bad until you actually look at the report and say,
in order for this to be successful,
the report and say in order for this to be successful criminals need physical access to the bike and to plug in the USB and that's kind of like buried in in the story when you when you
look at this headline and I'm looking at an article on uh Gizmondo it says the headline reads Peloton
bike plus was vulnerable to remote hacking researchers find
and there's no mention here is if you have to go down like three paragraphs in before it's
mentioned or four paragraphs in actually before it mentions uh the vulnerability may not sound
all that serious for home users as it requires physical access to the bike plus to pull off
well of course it's not serious if someone's got physical access to your device it's not your
device anymore that is one of the immutable rules of security if someone has physical access i mean
who would think that a criminal breaks into someone's house and they have got a plethora of technological devices there and thinks,
I'm going to hack that bike. That bike looks really juicy.
If I can catch someone full sweat on and take a picture, I could blackmail them with that.
It is just ridiculous. And this angers me. This angers me a bit because it's an overblown finding in the sense that it's an important finding.
We definitely shouldn't underplay that fact that someone can do this, but it's overblown because you need physical access.
If someone can have physical access to your home to install this, then you've got bigger problems to worry about.
all this then you've got bigger problems to worry about and by raising this as a massive issue you give this perception that oh my god these bikes these devices are terribly insecure which they're
not worst off there's no real solution to this if you're a home user and you see this well
well what can i do maybe there's an update process maybe there's not i don't know is there a patch there's no evidence of being exploited in the world so you're left
with this situation where you you you will contribute to that breach fatigue or that
security fatigue where everything is broken the the sky is falling all your devices are owned and they belong to us and people will typically just
start to ignore you so i think it's a bad piece of reporting for a non-issue this feels like one
of those issues that your pen tester would put in the report and say, well, it's informational or it's theoretical.
In theory, if someone broke into your office by rappelling down the side of the building, then if they had access to the machine and if they could cut this wire perfectly, splice it together, then they could intercept all your traffic well done
well done well that was really out of date it was but stay secure my friends stay secure