Our C-level Friend

We all have a friend who has made it to the upper echelons of success: they're a C-level exec. They're the ones with the tailored suit, VIP passes, and corporate cards that can help out friends in need.

But sometimes you do wonder how they ended up in the position they're in, as did Kav, who told us all about Randy and their C-level friend Jhom. (Names have been changed to protect the guilty innocent.)

I have people to do that for me

Jhom likes to talk about technology, like how a shark talks about dental hygiene. Sure, it’s probably a concept the shark understands, but there’s no way it could hold a toothbrush in its fins.

Whenever called out about his lack of hands-on technical skills on any system after 1991, Jhom responds with, "I don't need to know how to do that, I have people to do that for me."

Social media what?

Jhom doesn’t know how to use social media. The only people that don’t use social media are people in prison without access to the internet, or members of weird religious cults.

For many years Randy and I told Jhom he should create a Facebook account, if only to secure his identity. When he failed to do so, some unknown people set up a Facebook account under his name.

These people posted on Jhom's behalf, made a whole bunch of new friends, and connected with some of his old school friends.

Luckily, before things got out of hand, Randy and I were able to track down the culprits and gain access to the account before handing control back to Jhom. I shudder to think what would have happened had we not been there to watch his back.

Instead of being thankful, Jhom accused us of being behind the account all along.

If that’s how he treats his friends, I’m glad we don’t work for him.

Fanboi

Jhom refuses to own any electronic device that isn’t made by Apple. He believes linking all his devices through iCloud is the height of convenience.

One time, in a WhatsApp group chat, Jhom disclosed he wasn’t aware of what a “meme” was. For the sake of education, Randy and I started sending photos of “infosec memes” to Jhom – not realising that autocorrect had changed “infosec” to something else.

These somewhat unsavoury photos ended up on Jhom's iPhone and synced to his photo library; from there they were synced to his iCloud account. The photos in his iCloud account were used by his AppleTV box as a screensaver on the television at home.

Fortunately Jhom was working at home and valiantly jumped over the coffee table to rip out the cables to the TV before his wife and kids came into the room.

His shin hurt for a few days, but he learnt a very important security lesson that day.

Presentations

Despite only having 3 stories, Jhom is a rather competent speaker who knows how to work a crowd.

What he isn't good at is remembering to turn his phone off, or to disable notifications on his Apple Watch, before going up to present.

Whenever Randy and I know Jhom is on stage, we start a barrage of calls and texts to remind him to turn his devices off.

We’re just nice people like that.

Hold my phone

Because we continually remind him to disable his phone during presentations, one time Jhom left his phone with Randy and me before going up to do a presentation.

While Jhom had a passcode on his phone, the camera was accessible without unlocking it. So, we decided to take a bunch of selfies and weird photos for the full 60 minutes that Jhom was on stage.

We’re sure Jhom’s family was delighted to see our smiling faces on their AppleTV screensaver.

Podcast editor

We started the Host Unknown podcast three years ago. After a hugely successful pilot podcast, we recorded the second episode which Jhom said he would edit by the end of the week.

We’re still waiting for the final product. I sure hope he doesn’t deliver security initiatives with the same enthusiasm!

Hold my phone again

One time at RSA in San Francisco, Jhom and I were at an evening event. He left his phone on the table at some point and I thought I’d check to see if he’d secured his camera. Which to his credit he had.

So, I thought I’d check to see if Siri was disabled, unfortunately it was not. To test it out, I said, “Siri, send a text to my wife saying, I’m ever so sorry, please forgive me, I love you.” By accident Siri actually sent the message to Jhom… waking up his wife in London at 3am.

Clearly that was Siri's fault, and nothing to do with me. Jhom, meanwhile, has learnt about a different threat vector.

Brutal Feedback

Jhom doesn't mince his words. That's not to say he's a rude person, but if he feels like you did a bad job, he'll tell you to your face. He won't anonymously leave negative comments, and he certainly won't shy away from a difficult conversation.

But perhaps more important than that is that Jhom is also very welcoming of brutal feedback. He understands how to separate the person from the problem, isn't afraid to admit when he's wrong, and takes the steps needed to fix any issues.

And that, maybe, is why he’s far better-suited to being a C-level exec than I am.

The Host Unknown Vegas Party

Host Unknown sole founder Javvad Malik was accompanied by fellow sole founder Thom Langford in Las Vegas for what many affectionately refer to as 'hacker summer camp', which consists of three major events: BSides LV, Black Hat, and DEF CON.

We were proud to be a super donor for BSidesLV, and are glad that our credit card company hasn't sent bailiffs round to confiscate the office equipment yet.

But in order to really make it in Vegas, you have to stand out and do something spectacular. And while other vendors are usually in the business of throwing lavish parties in loud environments filled with liquor, Host Unknown knows that the best party is one where you can have a conversation, invite only people who work for vendors or have a corporate card, and then thank them publicly for being generous sponsors.

We must admit, it was probably the best party in town:

“The Host Unknown party was the best party in town” – Javvad Malik

This comment was reiterated by another random person we asked.

“I concur with this gentleman, this was by far the best party in town” – Thom Langford

After all that partying, you’d imagine Host Unknown would be running on empty. But no, these sole founders are deceptively resilient. Jayson Street made a point to find them at DefCon and requested an awkward hug.

Finally, before departing, the gents got a taste of some good old American Freedom!

Stay tuned for more awesome Unknown Parties coming to a security event near you soon. Times and venues are kept secret until the last minute to keep numbers down, so prepare for disappointment if you can't make it, and even more disappointment if you do.

Host Unknown still supports the little people

Host Unknown, the undisputed leader in information-security-based videos made by three random men out of London, isn't one to crave the spotlight.

It is why the group that podcasts, sings, acts, and dances has been maintaining a low profile over the last year.

But that isn't to say the group has cut down on its behind-the-scenes philanthropic mission.

A few weeks ago, Host Unknown was proud to sponsor BsidesLondon, providing the attendees with a wonderful selection of lanyards.


One attendee said,

“This is the best lanyard I’ve ever received at a conference. I’m never taking this off, even when I sleep at night. It’s a symbol of quality right there. If I could ever meet Host Unknown, I’d shake their hand.” – Lom Thangford

Not just content with sponsoring one Bsides, the group also made a sizeable lanyard donation to BSidesAthens.


The sponsorship clearly had an impact as one attendee said, “As soon as I heard Host Unknown had sponsored Bsides Athens, I booked a ticket and flight over. When Host Unknown puts its name to something, you know it’s the seal of approval.” – Mavvad Jalik.

Not wanting to stop at lanyards, Host Unknown is also proudly supporting SteelCon in Sheffield, agreeing to host the wildly popular quiz night.

One attendee said, "We don't get many nice things up here in Sheffield, not since my dad got laid off from the mill. But when I heard that Host Unknown were coming up and organising the quiz, it was as if all my Christmases had come at once. I'll be right at the front hoping to catch the eye of the three men who've inspired me to remain strong and follow my dreams." – Agny Andreas

Accepting Risks

One could argue that life is all a series of risks. Sometimes we remain in a state of ignorant bliss. Other times, we are aware of risks and take measures to mitigate them. But sometimes we choose to accept the risk.

Accepting risk is not a bad thing. Quite the opposite. Without risk acceptance, there would be no innovation. The reservoir of great ideas would dry up and bankers would have to make ends meet with mere six-figure bonuses. Risk acceptance is the grown-up thing to do. "We understand the risk, and choose to accept it. It's the cost of doing business."

But the question is whether some of the risks businesses accept are "unreasonable". Like creating a toy that captures children's information, such as their name, address, birthday, photo, parents' details, and allergies, and then putting this information on an insecure website. We don't mean a website that is accessible over HTTP minus the S, but a website so insecure that it makes OWASP training websites look 'military grade secure' by comparison.

Thankfully though, whenever a company is breached and millions of customer records are exposed, the company can merely shrug and say sorry, all the while assuring everyone that they 'take security seriously'. Customers don't like it. Troy Hunt will upload the data to haveibeenpwned.com and the world will grit its teeth and take it. This is the seedy world of corporate risk acceptance. The terrifying underbelly of cyber-actuarial tables (if such a thing exists).

The point is that you can't innovate and deliver new functionality to customers while also building a secure website, or waste precious time ensuring your hardware is hacker-proof. If you do, your competitors will have leapfrogged you. Not to mention, no customer would want to pay a premium for your offering just because you say it's more secure than the others.

Or maybe the real question is “how secure do I need it to be?”.

Host Unknown presents: Accepted the Risk (A Risk Management strategy for removing blockers to productivity)

Why waste time remediating when you can simply accept the risk?

@HostUnknownTV bring to life a Risk Manager who gets the balance of risk management very wrong. Are the CISA auditors being inflexible, or did Javvad skip a module on his CRISC?

Love it? Hate it? Leave a comment below!

http://hostunknown.tv

@HostUnknownTV

Produced by Mahmoud El-Azzeh @mantheycallmoo

Directed by Mahmoud El-Azzeh

Director of Photography – Caleb Wissun-Bhide

1st Assistant Cameraman – Iustin Filip-Mucenic

Editor – Lara Blanco

VFX and Colour Grading – Timothy Greenfield


Starring

Javvad Malik

Andy Agnês

Thom Langford


Dancers provided by Epika Dance http://www.epikadance.com/

Emiko Jane Ishii

Martha


Extras

Pauline Singh

Lee Munson


An Elazayan Films Production

https://www.facebook.com/Elazayan-Films-284223804977370/