The Host Unknown Podcast - Episode 88 - Only 345 Days Until Christmas
Episode Date: January 14, 2022

This week in Infosec (06:30)
With content liberated from the "today in infosec" twitter account

12th January 1981: Time Magazine published "Superzapping in Computer Land". Its primary focus was four... 13-year-olds from New York City who broke into 2 computer networks and destroyed 1 million bits of data. Yes, a whopping 0.125 MB. Have a read of the article.
Superzapping in Computer Land - The ride of the "Dalton Gang"
https://twitter.com/todayininfosec/status/1481352763476832256

13th January 1989: The "Friday the 13th" virus strikes hundreds of IBM computers in Britain. This is one of the most famous early examples of a computer virus making headlines.
THE EXECUTIVE COMPUTER; Friday the 13th: A Virus Is Lurking

Rant of the Week (13:43)
Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.
Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.
The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.'

Billy Big Balls of the Week (23:18)
Info-saturated techie builds bug alert service that phones you to warn of new vulns
An infosec pro fed up of having to follow tedious Twitter accounts to stay on top of cybersecurity developments has set up a website that phones you if there's a new vuln you really need to know about.

Industry News (30:37)
FlexBooker Reveals Major Customer Data Breach
Forensics Expert Kept Murder Snaps on PC
Romance Scammers Stole £92m From Victims Last Year
European Union to Launch Supply Chain Attack Simulation
Europol Ordered to Delete Vast Trove of Personal Information
Teen Makes Tesla Hacking Claim
Two Years for Man Who Used RATs to Spy on Women and Children
FCC Proposes Stricter Data Breach Reporting Requirements
New "Undetected" Backdoor Runs Across Three OS Platforms

Tweet of the Week (38:32)
https://twitter.com/dominotree/status/1481646565869584385?s=21

Come on! Like and bloody well subscribe!
Transcript
I just can't remember.
I honestly can't remember where I was last weekend.
No, me and Andy went to Pizza Express, didn't we?
Our Andy, not the other Andy.
So I don't actually sweat.
I don't know if you know this about me.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 88-ish of the Host Unknown Podcast.
92.
92, whatever.
Yes, welcome one and all to our second show. I'll say that again, our second show of the year.
We are not slow out the traps. We are not, we are not. We even come and do these things on our holidays, is all I can say.
Not that any of us are on holiday right now. So Andy, how are you?
Good, I cannot complain. I literally just have nothing to complain about in my life. I honestly thought you were going to say that I cannot confirm nor deny that I was attending a party there or not.
A party so good you have to order an investigation to figure out if it was actually a party.
Yeah, and if you were there.
Yeah, oh my God, it would be funny if it wasn't just quite so sad. The leader of this great country.
Exactly, exactly. Oh, don't, don't. I'm not going to change the tone. I'm not changing the tone, not this time.
Not this time. So I take it you have been busy making lots of coin for the big man this week?
Absolutely, I'm busy making investors rich. It is a solid Q3 for us in the corporate world and we are looking for a very strong finish to our Q4 and year end.
So you've got another sort of four months to your year end then?
Another year end for us is end of March.
So we've got another three months, final quarter.
Okay.
There's only three months and a quarter.
Yeah.
Well, no.
Interestingly, year end for us is January,
except as of February, we'll be going into our financial year 2023.
It's really bizarre.
I can't get my head around it.
That's a strange bit of creative accounting,
but I'm sure there's a reason for it.
Yeah, yeah, absolutely.
Well, when the company was invested or something like that,
I don't know, but yeah.
It was an American company, though, isn't it?
Did they sort of confuse the – you know how they spell dates wrong?
Yes.
It's like one person read it one way, someone else read it the other way,
and they're like, ah.
Is it 1st of October or 10th of January?
I don't know.
Exactly.
Whichever one is more advantageous from a tax position.
Exactly.
Wow.
Welcome to the Host Unknown podcast folks the
the place where accountants the world over come to listen for tidbits of information.
And talking to people who desperately need a good accountant. Jav how are you? I was going to say
talking to tidbits. How are you, Jav?
I'm good. Like, I have... well, I had nothing to complain about until you sent me this ridiculous two-minute, eight-second video this morning of your coffee machine, and it just wasted that time of my life. So, yeah.
But it was a slow-mo video. I'll put it in the show notes, folks, because it's great.
No, don't. It's not great. We're going to lose viewers.
Do not do that.
People, it's a trap.
Tom, how have you been?
I've been good.
I've been enjoying my espresso with chocolate mixed into it
in a fashionable tweeting, tweeting Instagram-y kind of way recently.
But, yeah, first week back at work, it's been good to get up early,
not and, you know, do everything else except what I particularly want to do.
So, yeah, it's first week back.
We're doing OK.
I don't think you could have sounded any less motivated when you were saying that.
It's like you're trying to convince yourself or convince us because I'm not buying it.
It sounds it reminds me of those hostage videos where they're reading off a teleprompter.
I think the challenge is I actually had two and a half weeks off over Christmas,
except for the morning where you made me come in and switch on my computers and do the podcast last week.
But I had two and a half weeks off, and so I just kind of reset into a different frame of mind.
A great reset.
Yeah, and so coming back, it's been challenging, but it's good.
I'm looking forward to the year.
We've got a blank slate of months of events to do
and all that sort of thing, so lots of fun projects. So yeah, it's going to be fine, but yeah, that first week back is challenging.
Right, so folks, look up on YouTube the apology that Johnny Depp and Amber Heard issued when they went to Australia that one time and they took their cats over or something and it wasn't allowed.
It was dogs.
Dogs.
And yeah, I think even they sound more enthusiastic and genuine in their apology than Tom does right now.
Well, I know at least one person from my workplace listens in.
So just between the two of us.
So what have we got coming up for you this week?
Well, this week in InfoSec talks about bit-sized bandits.
I think I saw a film like that one time.
Rant of the Week is a story about a dev who adopts a scorched earth approach
because we all know that devs are nothing if not fully calm and rational human
beings. Billy Big Ball's attempt to reinvent the wheel and give it a different name. Industry News
brings us the latest and greatest security news stories from around the world and Tweet of the
Week talks about factors of authentication. So moving swiftly along, let's go to our favorite part of the show the part of the
show that we like to call this week in infosec
It is the one and only This Week in InfoSec, which is the part of the show where we take a stroll down InfoSec memory lane with content liberated from the today in infosec Twitter account and further afield.
The 12th of January 1981, way before I was born, when the respected Time magazine published a feature in its science section which was titled "Superzapping in Computer Land". And I love this because it starts the story in the middle of an incident at a telecommunication provider which has been going on for probably over the span of at least a week. But it introduces this interest saying: operating out of unknown terminals possibly hundreds of miles away, the intruders had tapped into, or "accessed" in computer jargon, the company's computers. Even worse, they had seized control of the electronic brain, blocking the network's legitimate users from getting online, and were systematically destroying data.
The raids continued for more than a week. And during one foray, 10 million bits of information, almost one fifth of the company's storage capacity, were temporarily lost.
And it is just absolutely fantastic.
It goes on to talk about the sting that they went through with the Royal Canadian Mounted Police along with the FBI.
And when they actually caught the criminals,
they actually found out the culprits were 13-year-olds
who were sort of students at one of New York's Dalton School,
a posh private institution on Manhattan's Upper East Side.
And they refer to them as the bit-sized bandits,
perhaps the youngest computer con men ever nabbed.
And they had obtained the Telnet phone number,
coupled their school terminals to the line,
and probably by nothing more than trial and error,
punched out the right combinations
in this case five letters, to link up with the computers. So I mean, just the way they describe how this digital breaking goes is absolutely fantastic, and they said it's basically nothing more than a schoolboy lark.
Well, they were rich and white, so they probably didn't go to prison.
Funny you should say that.
They were not prosecuted.
Despite costing the firm thousands of dollars
in computer time,
the incident was one more irritating example
of the vulnerability of systems
that can hide price tags in the millions.
So it's, yeah, boys will be boys.
It's interesting.
The first part you read out, it sounded like the blurb
for a 60s sci-fi movie about a computer gone rogue.
But you'd imagine just describing, how did they do it?
Oh, they guessed five characters after they dialed the right number from hundreds of miles away.
Yeah. Oh, absolutely fantastic. I did like that one.
So what does, you said 10 million bits of data, what does that translate to in actual...
So that translates to, 10 million bits of data is just 1.2 megs, almost just less than a floppy disk.
Wow.
For our listeners, the floppy disks that we refer to in this industry...
It's the save icon.
Yeah, the save icon, the ones that weren't floppy.
Yeah.
Yeah, so just imagine less than that disk size,
and it's a fifth of your company's total information.
You say that.
I used to work with a contractor once, and he was Australian.
And I kid you not, I don't know whether it was all Australians
or whether he was just winding us up at the time,
but he always used to refer to the floppy disk as a stiffy.
And he goes, that's what they call it in Australia.
I think they did.
I think they do.
Well, Aussies do, they kind of like shorten everything, don't they?
It's always got like a, they won't say like bottle shop.
They'll say like bottle-o or afternoon.
It's arvo.
It's everything.
A chicken is a chuck.
Yeah.
They just shorten everything.
I remember when I was out there and I was going to the beach and my,
my friends said, you're taking your thongs?
I'm like, I didn't know it was that kind of beach.
But you were gay.
For your feet, mate.
What?
You mean they're going to be around my ankles?
Was that embarrassing when you got down there?
Yeah, exactly.
Exactly.
No, flip-flops.
Flip-flops.
Invented by the Frenchman.
And they always ask you what your colour is and answer it.
What's your favourite colour, blue?
No, it's green.
Yeah, exactly.
Anyway, I'll take us on to our second story,
which takes us back just a mere 33
years to the 13th
of January 1989
when the Friday the
13th virus struck hundreds
of IBM computers in Britain
and the article says
London, Friday the 13th
computer virus struck personal computers
in Britain today, wiping out program
files and annoying businesses.
Annoying businesses.
Annoying businesses.
Mildly inconveniencing.
Yeah, mildly.
Well, you know, the British don't like to over-exaggerate things.
But I have a great snippet from an article.
It says, hundreds of personal computer users found the virus was programmed
to delete files on Friday the 13th, said Alan Solomon, managing director of SNS Enterprises, a data recovery center in Cheshire. The virus, which might be a new species, had been slowing down computers made by IBM and compatible models. Telephone lines to the center were busy with calls for help from businesses and individuals whose computers were struck by the virus. He said it has been frisky, and hundreds of people, including a large firm with over 400 computers, have telephoned with their problems.
And I think that is just such a product of its time. And I've even had to go and hire people that really aren't up to my standards in order to meet this unprecedented demand.
Yeah.
Yeah, definitely an origin story.
Yeah, I like it.
I like it.
Nice one.
Excellent.
Thank you, Andy.
I enjoyed those.
And that was this week's...
This Week in InfoSec.
Attention, this is a message for our friends over at Smashing Security. Busted! We caught you listening again. This is the Host Unknown Podcast.
Well, they're not going to listen to their own, are they?
Anyway, let's move swiftly on to this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
As tradition dictates, it falls to me to talk about this one
and about a developer who went a bit...
Well, he went a bit mental, if you ask me. He went a bit mental.
Chicken Oriental.
Chicken Oriental.
So as many of our listeners will know,
there are developers out there who, through the goodness of their heart
and because they frankly either enjoy coding
or they're using it to further their skills, etc., they will create repositories of libraries, of tools.
And these tools will do very specific things.
You know, think of it as like a black box.
You put some data in and it spits out data in a different way, different format, different whatever.
And many of these are posted on repositories for free.
They're open source.
You can use them.
You're not allowed to sell them as your own. They're covered by an open source license agreement.
So there is a legal framework in which you can use the software.
But many companies will use this because, frankly, as I understand it,
and not being a developer, the most important keystrokes that a developer can use are Ctrl-C and Ctrl-V, so I'm told.
This individual, he has got a couple of libraries, one called Colors and one called Faker. And they've been used an awful lot by even some very large enterprises to put into their enterprise software and rely on these,
as you can imagine. They're part of a larger product offering or a service or whatever,
and they rely on these to do their job. Well, suddenly they stopped working. And in fact, they were
going into sort of loops and garbage data was being produced, et cetera. And this was very odd
because these projects had had millions of downloads. I think the Colors library had 20 million weekly downloads on NPM.
Faker had over 2.8 million.
I mean, this is huge.
These figures are only dwarfed by the host unknown listenership viewers,
really.
But so something had obviously gone wrong.
And there had been in the past a case where on GitHub, for instance, certain libraries had been deliberately attacked and infected with malware, nothing to do with the developers. So that was the first thought that might have happened.
As it turned out, the developer, the actual developer of these libraries, a chap called Marak Squires, added code into it to break them intentionally because they were fed up that these enterprises were using his free-to-download, under the open source licenses, libraries without giving him any
money. And that he felt that he should be paid, in his words, a six-figure salary for providing
these. So rather than actually go out and start to build perhaps a commercial framework around his libraries and provide
some kind of support for them or even offer updates to paid subscribers only or that sort
of thing. Rather than do anything like that, he just broke them and broke a whole bunch, intentionally broke a whole
bunch of corporate systems as a result of this. And his phrase, I love this phrase because it's
this comment, because his comment starts with respectfully. And I tell you this, anybody who
starts a sentence with respectfully or with respect is not meaning it respectfully or with respect whatsoever.
But his statement was, respectfully, I am no longer going to support Fortune 500s and other smaller size companies with my free work.
There isn't much else to say.
How's he supporting them?
Is he providing, you know, Is he providing online support? Is he popping down to their offices to
help them install it? What he's doing is just writing these libraries and then posting them
and saying, please download my libraries for free. So this is utterly bizarre, especially as he goes
on, take this as an opportunity to send me
a six-figure yearly contract or fork the project and have someone else work on it
Brilliant. You know, with a name like Marak... what's his surname? Sorry, Squires. Marak Squires is a cool name.
Yeah. B, this, if this isn't a Billy Big Balls move,
misguided maybe,
but if this isn't a Billy Big Balls move,
I don't know why you're ranting about it.
You're right.
You are right.
And I think the definitive proof that he's in the right
and he's a hero is that a tweet he sent out
GitHub has suspended
My access to all public
And private projects
I have hundreds of projects
And then it's like hashtag
Aaron Swartz
Aaron Swartz
How dare he. I know, I know. That's a bit of a stretch. But, you know,
it's a weird one. I think we live in this kind of economy system now where people don't just do
things for the sake of it. There's always an agenda. And like you said, Tom, and as much as it pains me, I think he went about this the wrong way.
He did, because 20 million people have downloaded stuff. That's your ticket, not to charge those people who've downloaded it, because literally when you're developing stuff like that you're throwing spaghetti against the wall to see what sticks. Yeah, but you can then say, hey look, here's something that's got like 20 million downloads, can you give me a job, because clearly I know what I'm doing and I can add value. Or even, you know, if we go into a commercial arrangement, I will make sure that I provide malware free. You can ask me for details on what I'm doing for log4js.
I will make sure it's updated every month. It will, whatever. I will provide a fully supported
version. Otherwise you're all using 1.0 and I'm not doing anything on that unless I particularly
feel charitable or whatever. And there's nothing wrong with that. You know, if people want something,
you either take it for free and shut the hell up about it
or you pay for it and get something in return.
Oh, you know, this article that we've got linked to,
Bleeping Computer, they've actually got comments enabled.
I mean, not many websites have comments anymore.
Oh, wow.
Oh, this is brilliant.
So one guy's saying, in all honesty,
the guy's absolutely
within his rights to sabotage his own work, especially if he's doing it in his own free time and not seeing one nickel in compensation. He goes on, and someone replied saying, well yeah, a guy's within his own rights to poison his own cupcakes, especially if he's doing it in his own free time for the bake sale and not seeing any compensation.
Yeah, exactly, exactly.
Another one says that this guy sounds like a socialist who got greedy. I think he's forgotten the spirit of open source.
Yeah. Yeah, this whole line, Log4j, I mean, that was open source as well, right? And people are going mad about it. Yeah, and
you've got to remember that someone is volunteering their time you know or many people are volunteering their time to make this available
to yeah and if enterprises are using this software and it doesn't meet security standards or whatever
then do something about it you know go and pay for something or go and make an offer to the
developer to you know hey we'll we'll give you know, 20 grand a year to provide us with updates on this or whatever.
Go and actually nurture these people, you know, but or replace it yourself.
Fork the project and do it yourself.
Not a problem.
But the flip side, the same level of accountability needs to be had on the other side as well.
Yeah.
I agree, but I still also think it's less ranty, more Billy Big Balls.
I don't know.
He went about it well.
Let's compromise.
How about this?
Billy Big Ranty Balls.
Tweet of the Week.
I think that's summed it up perfectly, yeah.
Very good. And talking of big balls, let's go straight on to you, Jav.
Billy, Big Balls, Tweet of the Week. So,
infosecurity professionals,
my colleagues,
my friends, are you fed up
of having to follow tedious Twitter
accounts to stay on top of
cybersecurity developments?
Yes, sorry, yes,
yeah, absolutely.
Are you tired of having to wait
for those lazy volunteers
who work at giving out CVE scores to give a CVE number to a vulnerability?
Yeah, definitely, definitely, especially if you tell us where they work.
Yeah.
Do you find yourself overwhelmed with all the alerts that are coming out?
Oh, constantly.
Of course.
I'm just crippled, of course. I know.
Well,
fear no more.
There is someone else who was also fed up of having to do this.
Matt Sullivan.
And he founded bug alert.
And what this does is it scours information for you.
Well, I'll get to the details of how that happens in a bit.
But it doesn't rely on the CVE number association because that's just too slow in this day and age.
It took around a day and a half.
Can you believe it, a day and a half for the initial Log4j vulnerability to be given a CVE in November 2021, before an exploit made its way onto Twitter a week later. And he's like, 36 hours! It took 36 hours! It's just absolutely too long.
Too long, too long.
So he set up Bug Alert. And what that does is...
Is it open source?
We're not falling for that one again.
Yeah. Yeah. The other one. Yeah.
It sends you a text message or a robo phone call to let you know when there's an issue. And he suggested that you can whitelist the number on your phone
so it bypasses your do not disturb notifications.
So you can be phoned at 2am, wake up and hear like,
there is a new alert.
CV, you know, CV is not there, but here is what it is.
And this is what you need to do about it.
So clearly, this is far more efficient way of getting information to you
without having to wait a measly 36 hours or until the morning for you to do it.
But here's the rub.
It's run by a group of volunteers.
It's not even an automated system. It's a bunch of people who plug it hard, a bit like the volunteers who assign CVE numbers.
Wouldn't it be funny if it's the same people? Actually, while we do this CVE, we might as well just send out an alert so that people know.
Yeah, exactly. So, oh dear God, it's a Billy Big Balls move in the way of reinventing the wheel and making it worse than it was before.
Right, all right. You came into mine, I'm coming into yours. This is a rant as well. I mean, the phrase "for fuck's sake" springs to mind here.
What is this guy thinking?
It's like that XKCD cartoon where somebody's complaining
about there being 15 different standards
and they should all be consolidated into a single standard.
And then at the end they say, well, we now have 16 different standards.
And that's exactly what's happened here,
which is all they've done is create another service
that does exactly the same thing as everything else,
but in a slightly different way, but using the same mechanism.
And it's going to suffer from all of the same issues,
quite apart from the fact it will create more divorces
and breakups in marriages and partnerships
because the fucking phone rings in the middle of the night
just to tell you that some little bug in a bit of JavaScript somewhere
has been discovered that might execute on a machine made between November 1982
and December 1982.
It's ridiculous.
I'm trying to see how this works. So basically you either get a text message, which is I guess the modern day equivalent of the old pager, right, when you get alerts.
Yeah, he's also offering a text-to-speech version, but that, when that calls you, that's what... but he's expecting users of Bug Alert to allow it to bypass the do not disturb settings.
Yeah, yeah, exactly. So it'll ring you in the middle of the night.
Yeah. Oh, but the thing is, like,
if you're getting a a phone call at three in the morning are you going to write down all the details
and then manually enter it into your whatever products to find out
where the vulnerabilities are and what you need to do or what the fixes are. Or are you just going
to pick up your phone and shout at it like, why the fuck did I sign up to this? Switch your phone
off and go back to sleep. So the problem is, especially if you're, I guess, a larger enterprise, so Log4j is an example, you know, details of that came out,
but the enterprise vulnerability scanners that were in use
didn't have a signature, you know, at the time,
because they needed time to develop one and test it and then publish it.
And so, you know, although everyone was aware of it,
there was still like another sort of half day before, you know, before that scanning could take place to see how exposed we actually were.
And what are you going to do in that half day?
Very little.
Write your own.
But at least you didn't get any sleep because some American messaged you
in the middle of the night.
Yeah.
Yeah.
Anyway, anyway.
Sullivan has said he'll consider financial contributions or sponsorship.
Either or, he will continue to call you at three o'clock in the morning.
Yeah.
Hello, we've been trying to reach you about your subscription.
About your extended warranty to our service.
But he did reject the idea of sticking up banner ads, because I don't see how they will go on your phone call or text message. But anyway, it's definitely, you know, you've got to be, you know...
The beautiful thing about Billy Big Balls segments is there's always a large element of delusion in there.
Oh my God, do you know what? We're going to get our money's worth out of this new jingle, do you know that? I'm going to play the same one again. I think this absolutely qualifies as a rant as well, don't you?
Go for it. Billy Big Rant. Tweets of the Week.
This is the Host Unknown podcast.
The couch potato of InfoSec Broadcasting.
Andy, how high is the sun in the sky relative to where you stand at the moment?
So where I stand, I am looking at the sun
and it is projecting a shadow on the sundial.
And that sundial is telling me that it's time for us
to head over to our news sources at the InfoSec PA Newswire
who have been very busy bringing us latest
and greatest security news from around the globe.
Industry News.
Flexbooker reveals major customer data breach.
Industry news.
Forensics expert kept murder snaps on PC.
Industry news.
Romance scammers stole £92 million from victims last year.
Industry news.
European Union to launch supply chain attack simulation.
Industry news.
Europol ordered to delete vast trove of personal information.
Industry news.
Teen makes Tesla hacking claim.
Industry news.
Two years for man who used rats to spy on women and children.
Industry news.
FCC proposes stricter data breach reporting requirements.
Industry news.
New undetected backdoor runs across three OS platforms.
Industry news.
And that was this week's...
Industry news.
Huge is true Huge
Amazing
Huge
How long did it take
That man to train the rats
To spy on the women and children
This is
This is the thing right
I mean rats are intelligent
They are
They are
So I was looking at the
Teen who makes the Tesla hacking claim. A teenage cyber security entrepreneur in Germany claims to have full remote control over more than 25 Tesla cars in 13 countries. But then the article also says "including Switzerland", and I'm not sure if that's because people don't usually think Switzerland's a country or if we're not really allowed to touch them.
Or we're not allowed to touch them because they're neutral.
But how?
How did they get
I mean, that's
interesting. That's quite a claim.
19-year-old. Yeah, 19-year-old from Colombo...
Oh, no. His name's Colombo. Just one more thing.
He says that he can remotely run commands on compromised vehicles without the owner's knowledge. So he can disable Sentry mode, he can open car doors and windows, flash their lights and even start the keyless driving, as well as being able to query the exact location of the vehicle
and check if the driver is present.
But he's not saying how.
He says he's contacted Tesla.
Yeah, he knows how to exploit the flaw.
He did not cause it.
But Tesla allows for effectively unsigned apps to be used
on its cars, doesn't it?
Well, you say that, right. So as I read the article, because you know I'm kind of pretending I know what's going on, he does state the vulnerability is not in Tesla's infrastructure but it's the owner's fault. So I'm saying, assuming the owner has installed something, or they've got a particular setting, like not changing the default password or something, which allows them to take control.
I think I read something about it. It's basically like you said, it's either a third party app or they're just leaving default passwords on or no passwords on.
Yeah.
Yeah.
Although Tesla can address that by prompting for password changes when you first buy your car.
Exactly.
Or maybe they did and they just put password 123 in.
Yeah, they just left it blank.
Yeah.
Yeah.
They need to sign up to Troy Hunt's thingy,
the password.
Yeah, they need to sign up to Matt Stevenson's
or whatever his name was,
so that they get a phone call at 2 a.m.
telling them that they've got a vulnerability there.
I mean, cars, these Teslas are intelligent, right?
Can't you just get it to call the car direct? Like, why be a
middleman in this
interaction? That is
very, very true.
And you know what? I saw this thing, and I
remember Josh Corman had a really good quote,
and he corrected me as to what it was.
He said in his TEDx
talk, it was like, if it's
software, it's hackable.
And if it's connected, it's exposed.
And I think that's a really good quote, and it applies perfectly here.
How did you misquote it then?
I said that if it's code, it's vulnerable.
If it's connected, it's exploitable.
Well, no, you just made it your version,
and you can say he ripped you off.
Yes, well, I was going to say,
now you've got your own original quote, Jack, right?
Yeah.
That's how it normally works.
You know that, where did I go wrong?
Yeah.
Old Jav would have taken credit for that in a heartbeat.
Yeah, exactly.
You can tell you're getting old.
Yeah.
Oh, dear. I'm trying to think what else is of any interest here. Not a lot. I mean, obviously...
Trained well, yeah. The backdoor malware that works across Windows, Mac and Linux, that's impressive.
It is. I'm guessing it's McAfee software.
Yeah, yeah. It's the data mining stuff.
It's the crypto mining stuff.
Yeah
An interesting one
Okay
Malware is written in C++
With a customised
With each sample customised
For the OS it targets
Oh so basically
It's the same language
But then being compiled
For each platform
So it's not quite somewhere
And also, they must be the other person that still codes in C++, right?
Yeah, they're going to be found easily. That person will be, yeah, that's right. You just do a quick...
yeah yeah
Oh dear. Nice. So, you know, I clicked on the story about "forensics expert kept murder snaps on PC" hoping this would be our real life Dexter. He's like someone that is taking on these cold cases, figuring them out himself and then, like, you know, dumping their bodies in the River Thames.
But no, it was just some sicko who illegally accessed photographs of crime scenes and post-mortem examinations, put them on a USB stick and took them home and transferred them to their own personal machine.
So hang on. It wasn't Dexter, that fine upstanding chap from the TV show.
It was some sicko.
Yeah, exactly. Exactly.
Not Dexter, that fine upstanding murderer who would torture.
A bringer of justice.
Exactly.
But just some sicker.
He was never actually convicted.
Exactly.
A vigilante at best.
He was doing the job that the police were incapable of.
Oh, dear.
Very good.
Very good.
Right.
Thank you very much, Jav, for this week's...
Industry News.
The Host Unknown podcast, orally delivering the warm and fuzzy feeling you get when you pee yourself.
And now for the final segment of the show, Tweet of the Week. And we always play that one twice.
Tweet of the Week.
And I shall take you home with this one. It's a tweet from someone called Freddie Kruganettis on Twitter.
Oh, brilliant.
They say, using dental records to confirm a person's identity is two-factor authentication.
Oh, that's clever. I like that. It's very good, and it's just a brilliant thread. So I posted the actual link to the tweet in the show notes, but it's pun-tastic as you work down, as people add their own little things.
And all MFA vendors are reading it, like, that's a good name for our next product.
Yeah, exactly. They call it MFA stands for Mouth Factor Authentication.
That's the simple tooth.
There is a VC in San Francisco now being pitched a one-time password key
that fits and replaces one of your teeth.
Oh, that's actually not a bad idea.
That is not a bad idea.
You're always going to have it with you, right?
Yeah, well, yes.
You just have to clench your jaw to authenticate.
Oh, dear.
Excellent.
Thank you, Andy.
That sets the tone for the rest of the show.
As in we're done.
As in we're done. That is the rest of the show.
Folks, thank you all for listening to us.
We hope you enjoyed the show. We certainly enjoyed making it, as always.
Jav, thank you very much.
I trust you will have a lovely weekend, sir.
Yes, I hope so too, as long as you stop sending me pointless videos.
But I'm off to sign up to a new text-to-voice notification system.
So I'll see you on the flip side.
You'll be able to get my pointless voice messages, in which case.
Yeah, very good.
And Andy, thank you very much, sir.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
I am really thinking about signing up to that service.
Why would you do that?
No, what you're thinking about is signing Andy up to that service.
Well, what's the difference?
Every time Andy calls me up cussing me, I said, oh, there's a new vulnerability.
Yes, right. You just get it. You just get it two minutes later.
Yeah.