Episode Transcript
[00:00:00] Speaker A: You're listening to Technato.
Welcome and thanks for joining us for another episode of Technato. I'm your host, Sophie Goodwin. And before we jump in, I want to take a moment and thank the sponsor of Technato, ACI learning, the folks behind it pro. If you're interested, you can use that code, Technato 30, for a discount on your it pro membership. Once again, I'm Sophie, and I'm not alone here. Of course, if you've been here before, you know that I've got Don Pezette to my left, a legend. Don, how are you today?
[00:00:29] Speaker B: A legend in what?
[00:00:32] Speaker A: Chat GPT knows who you.
[00:00:33] Speaker B: Oh, all right. That's our new marker of if you've made it, if you're in Chat GPT. No, I'm doing well.
It's that time of year where companies are starting to release some new stuff. Right. It's January. They want to get things out there. So we got some cool things to talk about this week. But I will say that 2024 is not shaping up to be a good cybersecurity, so it'll be a fun show.
[00:00:58] Speaker A: Oh, boy. Well, that means more news for us to cover, I guess.
[00:01:01] Speaker B: So.
[00:01:01] Speaker A: Silver lining there, Dan. What do you think about that?
[00:01:04] Speaker C: Well, the year is young, Don. We like to start off with a bang, but maybe it'll peter out after something. There'll be no more cybersecurity incidents.
[00:01:12] Speaker B: It'll peter out around December.
[00:01:16] Speaker A: It's interesting, you said this is the time of year companies are starting to release more stuff. That makes me wonder, is there a time of year for you that the news cycle, there's more stuff going on than any other time of year. Like, oh, it's always right around this time that all these new updates are coming out or anything like that.
[00:01:31] Speaker B: Yeah. So the beginning of the year is usually busy. And then in the fall, like August through October, those are like Apple, Microsoft, they all make big pushes to release new os versions in that time. They have new hardware that they release. The phone vendors, they always want to get their new phones and tablets out because they want them to be ready for Christmas time. Right. And so you see a lot of technology on that timing cycle.
[00:01:54] Speaker C: Any phone you're excited about, like, we don't talk about phones too much. No, I just realized my phone is like six years old, and it's like, oh, maybe I'll upgrade. It still works great. I love it.
[00:02:07] Speaker B: A couple of thoughts on it. With this podcast, we always try to think about our audience, and our audience is typically the people who have to suffer through this it out there in the real world. Right? So network admin, sysadmins, cybersecurity people. So I always want to keep it. Things that are irrelevant to them. Phone news usually isn't.
[00:02:23] Speaker C: That's true.
[00:02:24] Speaker B: But the other thing is, what innovation has there been in phones in the last six years?
[00:02:29] Speaker C: They fold.
That's about it, right.
[00:02:33] Speaker B: And they make the cameras better each time. That's true. And if your phone is your primary camera, then that's exciting. But this would be the world's most boring podcast if we just talked about that versus the old days. I mean, remember early days of Android, early days iPhone, there was all sorts.
[00:02:46] Speaker C: Of blazers was still in the mix. That was kind of cool stuff.
[00:02:49] Speaker B: There was neat stuff coming out all the time. Now they're so focused on inapp purchases.
[00:02:54] Speaker C: We'Ll have to start talking more about more security news focused around mobile devices, because there's a lot of things that happen, like apps that you can get from legitimate sources that could be malicious. So maybe we'll throw those in the mix from time to time.
[00:03:08] Speaker B: It does happen.
[00:03:09] Speaker A: We're two weeks into January and we've still got resolutions that we're coming up with. We'll have to see how that unfolds. The resolution this year. Yeah, resolution month. And that's when everybody's at the gym and then they slowly peter out towards the end of the month. Well, speaking of news and updates and things coming out, we've got some interesting news from Microsoft here for our first article. This comes to us from ours, Technica. Microsoft is adding a new key to pc keyboards for the first time since 1994. It is the, I believe, the copilot key. So that's interesting. This is just a key for their little virtual assistant that they've got.
[00:03:40] Speaker B: That is it.
And Sophie, you wouldn't remember this, but way back in 1995, like when Windows 95 came out, that was a huge deal. And there were people waiting at midnight for the software to go on sale. It was a big change in computing and keyboards up until that point, at least in the US, had pretty much standardized on IBM's model where there were 102 keys. And then Microsoft decided that Windows was popular enough and there was this start button on the screen that would bring up your start menu that people would use so frequently that it warranted having its own button. And so they started rolling out keyboards and we ended up with 103 key keyboards. Now most keyboards are 104 key, at least again in the US. It varies by country, but we haven't really seen much change in decades since then. And now Microsoft has decided that it's time that copilot, or AI in general Chat GPT is so significant, such a revolutionary game changer that they have no financial interest in whatsoever except for that multi billion dollar investment they made in OpenAI that they need to have a physical key on the keyboard. And so they are looking at replacing.
On a normal keyboard it would most likely be your right control key that the right control key will go away and be replaced by the copilot. Now we don't really know what that's going to look like. The only demo they've shown was of a surface tablet, which a surface tablet doesn't have a right control key anyway. And so it's kind of in between the spacebar and the arrow key as they stick this copilot button in there for you to use if it's as useful as the Cortana button on the Cortana. Cortana button on the taskbar. I suspect that other vendors won't pick up this button. And that was my initial thought was like, other vendors aren't going to do this until I read the quote from their product person saying the button is not required for third party oems at this point. Which means it absolutely 100% will be required by oems within a year or two.
[00:05:54] Speaker C: Why do they do this? They insult us, Don.
[00:05:57] Speaker B: They do. So expect to see Dell and HP, Lenovo, those guys having to put a cortana button on your cortana.
What the hell is it called? Copilot. There we go.
[00:06:09] Speaker C: It's all the same stupid brain.
Yeah, you made me look the fool.
[00:06:15] Speaker B: For the last time, brain.
So it's exciting new button, right?
[00:06:20] Speaker C: Daniel, I am losing my mind with excitement. I don't know how many times know cursed the Windows key when I accidentally hit it and go nope, that's not what I wanted. But it's super key. I call it super key now. Right, because you use a Windows based keyboard so often in so many different places that it might not be Windows Linux user here that we end up calling it a super key because it does whatever you want it to do.
[00:06:47] Speaker B: I was about to say, in the Linux world they do refer to it as a super key and canonical is the one to really push that forward. Outside of the Linux world, nobody calls it a super key Windows key, it's just the Windows key because it has.
[00:06:57] Speaker C: A Windows logo on it.
Talk about your branding.
[00:07:01] Speaker B: I always liked how if you bought and I don't recommend this. But if you buy a system 76 laptop, they put the Ubuntu logo on that button.
[00:07:10] Speaker C: Oh yeah.
[00:07:10] Speaker B: So they changed it a little bit.
[00:07:12] Speaker C: Yeah. Well, hey, it'd be nice to have I guess quick access to copilots and AI.
[00:07:19] Speaker B: Yeah. Now I'm an edge user, a Microsoft edge, not like some kind of Internet deviant.
So I use Microsoft Edge a lot and they added the copilot button to the top right of it. So that copilot logo is on my screen all the time and you can't make it go away like it's there.
So do I need a keyboard shortcut for it? I did read that they were introducing another shortcut. If you don't have the button, you can just hit Windows key c. Okay. And I was like, windows key c, that sounds familiar. And Cortana, it actually is tied to the search functionality that's part of the start menu already. So I don't know if copilot is going to be replacing that soon.
[00:08:07] Speaker C: Right. Because it'll search for you. Right. So I guess it makes kind of sense to dovetail those two things together. Yeah, wasn't that kind of the thing? I remember you talking about this a while back because you were a Mac user for quite some time and how used to having what's the finder in macOS? And it was command space or command space C or whatever it was. And that you liked having that feature in Windows as well.
[00:08:36] Speaker B: Yeah. So it's rare that I click on an icon anymore on any OS, right. So if you're on a Linux OS and you're in gnome, you can just hit your super key and start typing something. So if I want to launch a terminal, hit the super key type term, it comes up in the search, I press enter. Right? In windows I can just press the start key and type term and it finds it and I press enter. And on a Mac a little bit different because of finder or spotlight or whatever you want to call it where you have to do the command space and then you type term and it comes up and you press enter like that. That's how I launch apps. So I rarely use icons that are on my screen.
[00:09:12] Speaker A: Interesting.
[00:09:12] Speaker C: Uncluttered Don is, I was going to.
[00:09:14] Speaker A: Say I personally can't say the same. Maybe that would improve my organization a little bit if I did things that way.
[00:09:19] Speaker C: Man, have you ever seen that video?
It's sales guy versus help desk guy or sale guy versus tech support or something like that. And the tech support guy gets a call from a salesman in his company.
And it's really funny because the tech guy opens his browser and his homepage is monster and that kind of stuff. But when he logs in to the dude's pc, like using go to pc or whatever remote software is, the guy's desktop has like 200 icons on it easily and they're in the shape of something.
[00:09:56] Speaker B: And he's like, whoa.
[00:09:58] Speaker C: He's like, you can't do this. People might see this. And he rearranges the icon and the guy freaks out. He's like, oh, I'm supposed to buy anything. I knew exactly where everything was.
[00:10:08] Speaker B: It is so funny.
People get creative.
[00:10:17] Speaker A: Well, looking at some of the comments for this, there were people that were kind of joking about it, like, well, this is actually good because that key can probably be remapped to something useful. So they're excited about the addition of this new key. Others have genuine concerns. Somebody said that, I guess write control is a dedicated necessary button for Korean. If you're typing in Korean.
[00:10:36] Speaker C: Really?
[00:10:36] Speaker A: So they're concerned about that change. Somebody else was just angry. You don't need a dedicated key for that. What the f. Microsoft. Stupidest idea I've seen from them in a long, long time.
[00:10:45] Speaker B: You know, I did think about how it would impact me, and I'm glad you mentioned that because I was like, when do I use the right control key? Right? It is not a frequently used key and there's only one time that I use it, virtualbox. Do either use virtualbox.
[00:10:59] Speaker C: I was going to say I use it all the time with virtualbox.
[00:11:01] Speaker B: If you want to go full screen, write control is considered the host key and so you would hit ctrl f to go full screen, control s to go scale mode or whatever. That was the one scenario I had that would impact me.
[00:11:12] Speaker A: Interesting. Yeah, you would think, I was going to say you'd think they'd make this optional, but I guess if it's going.
[00:11:18] Speaker B: To be on how they work, it's.
[00:11:20] Speaker A: Not really an option.
[00:11:21] Speaker B: Think about that one comment where the guy said, I'm really looking forward to this extra button. I could program it for something useful. Yeah, right. I don't need copilot, but here I.
[00:11:29] Speaker C: Am buying extra keyboard so I have more keys.
[00:11:32] Speaker B: I can program this button to be a control key.
[00:11:34] Speaker A: Yeah, somebody mentioned, why not just double tap the Windows key? Like there were other solutions here, like the Windows c shortcut, something like that. It's an interesting choice for sure. I can't say that I use Cortana or any other virtual assistant like that. Terribly often. So I guess I probably can't really speak on this. Maybe there's people out there that are like, yes, finally, a dedicated button for copilot. So happy day for you. I'm excited and congratulations. But yeah. Any final thoughts on this decision, or are we just kind of in agreement that this is a little odd?
[00:12:04] Speaker C: It's just, yeah, it's a button. It's going to be life. It's going to be there and you're either going to use it or you're not. That's about how it boils down to it. Like, if you're marked out for AI in Windows operating systems, you're going to love it because you're going to be like, cool, I just hit my button.
[00:12:17] Speaker A: That's true.
[00:12:18] Speaker C: And I get that AI tasty. I love it.
[00:12:21] Speaker B: Yeah. And we'll have to see how the implementation goes outside of a surface tablet. Right. Because like here on my Azus laptop that I use for work, I've got a right control key. That's what would be replaced on my Lenovo that I have at home on the right side. Instead of that control key, I have an FN, a function key. And I do use that function key because you've got the row of function buttons across the top about like, if you want, what is it? Like f seven. If you want that to be brightness versus f seven, use that function key. So that button is going to have to move somewhere. And we do have a number of crazy buttons on our keyboard that aren't really necessary anymore that could probably stand to change.
This might encourage companies to start changing keyboard buttons, which will make us have to relearn things that will be unpleasant.
[00:13:07] Speaker A: Yeah.
[00:13:07] Speaker C: I wonder if this will spark a religious war on keyboards. Maybe. I am a traditionalist of 103 key keyboard, you crazy heretic, you.
[00:13:16] Speaker B: Do you ever meet anybody that was like passionate about the Devorac layout?
[00:13:20] Speaker C: Yeah, I mean, there are some obvious benefits to learning Devorak. Like, you can type wicked fast if you get good at it, but I.
[00:13:29] Speaker B: Think this might be a hot take. But I think that if somebody really likes the should, like, that should trigger red flag laws.
[00:13:38] Speaker C: That's a profiling.
It was like that scene in Talladega nights and the dude Sasha Bourne's character puts some jazz on at their bar and they're like, hey, he's playing that jazz. You got to get out of here. He's like, why do you have it in the juice box? He's like, for profiling purposes.
[00:14:03] Speaker A: I think from that, like two minute conversation alone I have several new things to Google, so I'll add that to my list.
[00:14:09] Speaker C: Did you see someone in the comments from last week's told you what the toe reference was?
[00:14:13] Speaker A: Yeah, my grandma did too. She texted me a link.
[00:14:15] Speaker C: Your grandma knew what it was.
[00:14:17] Speaker A: My grandmother said, oh, here it is. You should watch it.
[00:14:19] Speaker C: I was like, awesome.
[00:14:20] Speaker A: I had totally forgotten about it by that point, so she sent me this clip about toes, and I was like, grandma, what is going on? She had my back on that one. She was looking out for me.
[00:14:28] Speaker C: Awesome.
[00:14:29] Speaker A: She's like a dedicated Technato fan. She watches and comments every week. So thanks for that, grandma.
[00:14:34] Speaker C: Shout out to grams.
[00:14:35] Speaker A: Shout out to grams. But we're curious to hear what you all think about this copilot button. If this is something you're excited about, if you find it a little interesting, or if you're just plain outraged like some of the people in the comments. But moving on, we've got another article here from Tom's hardware a sus. I'm sorry. Asus teases rog nuck. Is that how you would say that? The rog nuck that sounds like a Star wars character? Ready to be unveiled on January eigth. So this is obviously, as of this episode, it's been unveiled. I guess so. What was the outcome of that?
[00:15:06] Speaker B: All right, a couple of months ago, we talked about how intel was ending their venerable Nuc line.
What does Nuc stand for? Novel unit of computing or something like that? They're small form factor computers, right? They were little tiny squares that had full blown intel processors in them. So they were powerful computers in a very small form factor. And intel was ending the line. And at the time, Asus stepped up and said, hey, actually, intel is going to end it. That's fine. We're going to take it over. And so if you love intel nux, which I think they're great, then, hey, you can jump over here and we'll start manufacturing them now with Intel's blessing. Right? So intel was all on board with this, and off they go. And we didn't really know how long it was going to take for Asus to start training that out. Now, we knew that Asus was already manufacturing these on Intel's behalf. Intel doesn't have Computer manufacturing facilities, so they were using Asus before. Well, Asus has announced their first official Asus Nuc, which is now going on the market. You can't purchase it today. They've announced it. They've shown it. It's going to be available for purchase soon. It's different than what I thought. I thought they would play it safe. I thought they would take the traditional square nook that we all know and love that easily fits behind a monitor. But instead they did a Rog nook. Now, if you're not familiar with ROG, that's Republic of gaming. And it's Asus is like, high end gaming brand.
[00:16:34] Speaker C: It's a really cool handheld.
[00:16:36] Speaker B: Is it?
[00:16:36] Speaker C: Yeah.
[00:16:36] Speaker B: Rog ally? Yeah, I've heard a little bit. I've never seen one.
[00:16:39] Speaker C: It's cool.
I think it might be one of the full windows based handhelds that are out there. Emulate anything you want. Just about. And, yeah, it's a pretty sweet machine.
[00:16:51] Speaker B: Well, what they did is they basically wanted to create the smallest computer possible that contained a full blown desktop graphics card in it. So you can purchase it with either a Nvidia RTX 40 70 or a. I think there was a 40 80 model. Or was it just 40 70?
Which. I mean, a 40 70, that's a big car. Generates a lot of heat. It's got to have fans. And I'm not talking about the mobile version. Like, you see these laptops. So, like, here's a laptop with a 40 90 in it, but it's this mobile one that's not even as good as a 30 80. It's marketing hand waving garbage.
[00:17:28] Speaker C: The mobile 40 90.
[00:17:30] Speaker B: So this one, it's not exactly small because it's got that full size graphic card in it. So it's a decent size. I would say it's closer to the size of a laptop than like the intel nux used to be.
[00:17:43] Speaker C: That is bigger.
[00:17:44] Speaker B: It is bigger. That is bigger. But it's small for a gaming pc. And so if you're looking for a compact gaming pc, this is the first thing they've released under that brand.
[00:17:53] Speaker C: And is that how they're billing? It is. This is a gaming small form factor gaming.
[00:17:58] Speaker B: You know, intel did this, too, except it wasn't Nvidia cards. They did their crappy mean. They're outstanding proprietary.
Whatever. Where you had the regular square nook, but then you had the longer one that had a skull logo on it. Looked kind of cool, but I never thought it was worth the money. So it's not out of blue. Out of the blue. It's just not what I thought they would lead with.
[00:18:26] Speaker C: Yeah.
Okay, well, we'll see what happens. I mean, gaming pcs obviously get repurposed for things other than gaming because they have great graphics cards. And then you can do a bunch of cool stuff with that, like if you wanted to have a small, yet probably usable, decent, like password cracking rig or something to that effect, this would be kind of cool. Turn that into something that's more security minded, a lot of fun.
[00:18:50] Speaker B: On my computer at home, I have an Nvidia RTX 40 80 80, whatever it is. And I can run stable diffusion right from my own system, leveraging my own gpu as opposed to like cloud resources. So yeah, you can do some crazy stuff.
[00:19:05] Speaker C: That's cool.
[00:19:07] Speaker A: I think it's interesting to see how one of the functions it lists is like, you can chat, browse, stream, edit, record and play without skipping a beat. And it seems like more and more now for people that do actually use these for the intended purpose of gaming, how streaming has become almost like synonymous with it. So many people that get into this stuff, it's like they become a Twitch streamer automatically. Even if it's small, even if their channel and following is small. It's just like something that goes with it. If they're going to hop onto game, they're going on twitch. It's never just. I'm just hopping on a game for a little bit.
[00:19:37] Speaker B: Yeah.
[00:19:38] Speaker A: So I think that's interesting how now I wonder how long it will be before that kind of stuff is just the norm. Like you can't buy a pc or a gaming system that doesn't have that ability because they just assume this is something that you want. I know that's more the gaming side of it. And you mentioned you can use this for other stuff, but for those that.
[00:19:54] Speaker B: Do game well, I think we know firsthand that the bar is really low for creating podcasts online.
So more and more people are doing it and hopefully better than we are.
Absolutely.
[00:20:10] Speaker A: It's not to knock the people that are doing it because I certainly would not know how to figure that out. But it's just interesting that it's something so many. I mean, I've got little cousins that are doing it. So it's interesting that that's now become kind of more commonplace. So curious to know what y'all's thoughts are if you're. If you're watching this on YouTube or even if you just want to send in a comment on socials. Curious to know what you think about this and if this is something that you'll be picking up for yourself, but we'll go ahead and move on. We do have some Apple news. It is not about the AR VR spatial goggles. It's not that. I'm sure we'll talk about that, but it's not that. This comes to us from nine to five Mac. It says Macs can now inform Apple if any liquids have been detected in the USB C ports.
[00:20:46] Speaker C: It's about time.
[00:20:47] Speaker A: I was going to say, I'm not a Mac user, so this was not a feature.
[00:20:51] Speaker C: You know, I like to bathe, know, MacBook it up from time to time. So this is going to be really.
[00:21:02] Speaker A: Like for my phone. If it thinks there's something in the port, it would tell me, like, there's an issue with the charging port or something. So I guess I thought maybe. I thought it was the same for Mac.
[00:21:10] Speaker B: So Apple's had a bit of a sordid history with moisture detection. And where it all started was the original iPhone. Like, when the first one came out, really didn't have any water resistance to it. And so if it got wet, it was broken. And that's how most electronics are. That's not a knock against Apple. Most of the electronics you use are not water resistant in any way.
But because people take phones with them everywhere and people get caught in the rain, people fall in a puddle, somebody pushes them into a pool. These things happen, right? And phones are expensive, so we don't want them to get damaged if they just get a little bit wet, like you drop in the toilet.
[00:21:50] Speaker C: My cricket phone was not that expensive, Don.
[00:21:52] Speaker B: Well, we don't have to spend all that much on a phone, do we? But people choose to.
So they started making the phones water resistant. Right. The IP, what is it? IP 87. I forget the numbers. When they do a water resistant phone, the IP freely, whatever it is. I had no idea this was a thing. No. Well, the next time you buy a phone, like I said, we don't talk.
[00:22:15] Speaker C: A lot about phones here.
[00:22:16] Speaker B: That's true. I'm breaking the rules.
So they rolled out this moisture detection thing, right? So if a phone got wet, the reason they did it was they wanted to avoid your warranty. So if you said, oh, my phone stopped working and you brought it to an apple care, they would look at it and say, oh, you got a wet dude, that's on you. We make it water resistant. But that's outside of the warranty, right? Yeah. So they got sued and they ended up settling out of court on this because there were people who lived in humid environments, like right here in Florida.
[00:22:49] Speaker C: Like us, where it's humid here, where.
[00:22:51] Speaker B: Your moisture sensor might trigger. Just because you live in Florida.
[00:22:55] Speaker C: Yeah, because it's 90% humidity in the.
[00:22:57] Speaker B: Air all the time. On a good day, yeah, you walk.
[00:23:00] Speaker C: From inside of a building to outside and you immediately become, like, damp.
It's not. Well, my glass is just flash fog.
[00:23:10] Speaker B: It's Florida. Yeah, welcome to Florida. So they set a latter court on it and said, okay, these people who did warranty claims, we'll go and honor the warranty claims and so on. But that was all in the phone world, and we don't talk about phones a lot.
[00:23:21] Speaker A: Yeah, right.
[00:23:22] Speaker B: Well, now it's jumping over to the desktop side now, or laptop side. MacBook pros are not water resistant, so that's just how it is. This moisture sensor is being introduced and their pr team is putting the big spin on it. Like, we want to help you. You don't want to plug a USBC cable in. If there's moisture in that port, you want to wait. But they are absolutely not saying, oh, by the way, this is totally going to void your warranty.
[00:23:50] Speaker C: So if the sensor pops and tells you to get moisture on it and then you try to take it in for a warranty work, it will be like, nope, you got it wet.
[00:23:58] Speaker B: So they have not come out and said that, but I can almost guarantee you that is a track record that Apple has. This is what they've done in the past, and I can't see them going any other way because the devices are not water resistant.
[00:24:10] Speaker C: Yeah, there's one thing we know about Apple, it's their integrity, is that they're looking out for you and they do not want you to spend more money than you have to on their products.
[00:24:22] Speaker A: Well, it looks like this isn't even going to alert end users. It looks like it's similar to the feature on the iPhone, but it says the code suggests it's only used for analytics, so they might eventually implement an alert that will let you know, like the one in iOS. It seems more likely that this is going to be used for technicians to determine whether a Mac is eligible for free repair. So it might not.
[00:24:38] Speaker B: There we go.
[00:24:39] Speaker A: Tell you, hey, there's something wrong. It'll just be. They'll look at it and, oh, sorry, you're out of luck.
Not our fault.
[00:24:47] Speaker B: I think this is another thing that contributes to the right to repair movement. Right. Remember, like the John Deere tractors, whoever part breaks, you have to get the part from John Deere, otherwise the tractor won't start. And so they're being sued. And there's a whole big thing. Apple's been trying to dodge that with their crazy repair kits they push out now. So if you have moisture in your port and you go to Apple and Apple says it's not under warranty, but you don't have a way to repair it yourself. That's where they break the law. And so now they're trying to skirt the line. I'll be curious to see where this goes. This is not consumer friendly behavior.
[00:25:23] Speaker C: Wait for the EU to mandate it.
That's what they did with USBC, right? They were like, hey, none of this lightning crap. Like, you're e wasting, you bastards.
[00:25:36] Speaker B: And that's it.
The lightning cable. I've heard a number of arguments about why the lightning cable should exist, but there is no valid argument there.
[00:25:45] Speaker C: No, it's stupid.
[00:25:47] Speaker B: Absolutely.
[00:25:48] Speaker A: It's just stupid.
[00:25:50] Speaker C: We've got USBC. Just do the USBC thing.
[00:25:54] Speaker B: Do you ever see that video where it was a guy pretending to be Steve Jobs and he was all afraid and terrified of Johnny Ive? Like Johnny Ive was forcing him to have no ports on the phone whatsoever?
[00:26:06] Speaker C: No, it's a very funny, yes.
[00:26:10] Speaker A: Add it to the list of things that I get to Google afterwards on here.
[00:26:12] Speaker B: Yeah, it's on like YouTube somewhere.
[00:26:14] Speaker A: Maybe I'll, I'll look it up during the break because we are going to take a short break. So if you're listening on Apple Podcasts, Spotify watching on YouTube, we'd love to hear from you. Feel free to leave a comment or send us a little note on socials and let us know what you liked about these articles. But don't worry, we're not quite done yet. We'll be back in the second half of Technato for some security news.
Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient, and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info.
Welcome back. Thanks so much for sticking with us through that break. If you are enjoying the show so far, whether you're watching on YouTube or listening on Apple Podcasts or Spotify or whatever podcast platform you choose, maybe consider subscribing so you never miss an episode of Technato in the future and check out some of the previous episodes as well. We're going to go ahead and jump into some security news. We have to kind of stop ourselves during the break sometimes from talking about it too much, because is that's what you're here for. So we'll go ahead and jump right in. This first one comes to us from the hacker news. It says malware using Google multi login exploit to maintain access despite password reset. So one of the things that they tell you if they think your account's under attack or whatever is go ahead and reset your password. But it sounds like it doesn't matter in this case. Even after you reset your password, there's a chance that they could still hijack a session. Is that right?
[00:27:52] Speaker B: I wish I could give you a clear and concise answer on this, but there is so much information floating around on this exploit right now that it's hard to get some clarity on what's going on. But the basic story here is that inside of your web browser, there is in ram a table where it maintains your cookies that are active as you authenticate in various services. Right. And Google services are no different. If you have multi factor authentication turned on and all that good stuff, after you jump through your MFA hoops and you've proven that you know your password, you've got your code from your app, you can recognize a bus or a giraffe in a picture. Once you've leaped through all of that, a token is issued for your session, and that's what you authenticate with the whole rest of the time that you're logged in. Right. That's a very standard practice that's used in applications all over the world. Well, what these security researchers found was there were multiple ways that they could get control of that token, or at least get a copy of that token and begin to use it, even if you were done with that session. And that's obviously a bad thing, right? We don't want people being able to bypass MFA and so on. Well, Google came out and know, yes, this is a real thing. Attackers do have a mechanism they can use to try and access this table to get access to the token, but it's actually not a big deal because, well, the first thing they said was it's only if the session is active, so you just close your window and that's that. But the researchers found where you could actually. What was the term, Daniel, to reanimate? Restore.
[00:29:33] Speaker C: I think you said restore, recover, restore feature. Yeah.
[00:29:37] Speaker B: So you could actually restore a token that had been removed and bring it back to life, right? This is like a reanimator.
[00:29:46] Speaker C: Another movie for Sophia.
[00:29:48] Speaker A: Add it to the list.
[00:29:49] Speaker B: And that one. That's a big shocker right there when you think that a token is out of commission and all of a sudden it comes back in and they said, well, all right, it's still not a big deal because all you have to do is just log out of your session. When you log out, then it goes away. And the official Google quote shoot, which I meant to have handy, I showed this to you, Daniel, where they basically came out and said, it's not a big deal.
They said, oh, here it was.
They said, and this is a quote from the Google representative, that what was previously described as incorrect, they said stolen sessions can be invalidated by simply signing out of the affected browser or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed. But, Daniel, you've heard differently on this, right? That it's not good enough for me to just log out of the browser session.
[00:30:41] Speaker C: So it is good enough to log out of the browser session. That can work, right? That does work. The problem comes into so, like, this multipoint session thing, that this is a very technical hack. So technical and so sophisticated and secretive. These info stealer malware organizations are basically trying to beat each other to the punch on this because the first person that came out with it, I believe, let's see here, was revealed on the Telegram channel. Luma was Luma. So Luma was the first to figure out how to do this, and then they kind of, like, let some details slip. And then other info stealers started reverse engineering this thing, and they figured out their way to do it as well. So, like, we had Luma implemented this steel sea medusa rise pro white snake. Right. There was a ton. Very, very rare. Yeah, it's not something you're going to see at all. Obviously, this is an important thing, but it's kind of black boxed, right. There's still some, like, what's going on underneath the hood over here. You'd have to reverse engineer their malware to see how this is actually working, which some people have actually done. There's a lot of technical information. There's this Gaia thing. I'm completely.
I was like, okay, there's a lot happening under hood of this year attack. Very technical. But ultimately, you have profiles, right? Maybe I'm not just logged in to my browser here. Maybe I'm also logged into Google here. And maybe I'm logged into Google at my other computer and I've got ten different devices that are logged into Google, and they all have a profile, and they all have their own tokens.
If I have access to a certain browser, I can use the encryption key that is stored in the Chrome browser to reanimate an old token or something, or create my own. And this is where it's getting kind of iffy on the technical issues, at least from my. I haven't had a lot of time to dive into this.
[00:32:36] Speaker B: So here's my question. When you start to look at an attack like this, that's super duper complex, right? Normally I look at some of these and I say, you know what? This is so complex. This is the type of thing that a nation state funded organization might use against specific targets. The regular rank and file among us don't really have to worry about this. But in this scenario, you were able to rattle off six or seven different malware providers, so that's active in the real world that are able to leverage this. So now I'm torn. Is this something we need to worry about or not?
[00:33:14] Speaker C: I would say absolutely, you need to worry about this. If all these high profile stealer, I don't know if they're necessarily ransomware, but they're definitely stealerware, where the stealer malwares are collecting credentials, account numbers, sensitive information, doing key logging, all sorts of stuff. That's what stealer does is it grabs all this personal information about you that they can then sell or utilize for other purposes, but typically probably sell and make money off of, and that they're basically racing each other to make sure that they have this available so they can maintain a competitive edge in the market.
That tells me this is important. It's more important than Google seems to be making it out to be, because if I can use it, you got to remember, the average end user out there. Grandma, right? Grandma, she don't know. She downloads stuff from the Internet. She installs it, and now she's got stealer malware. Heck, she may have even downloaded it from, like, the Google Play Store. These things happen. So she installs some piece of software, and now it's stealing all her information. People gain access to her accounts, and now they can pilfer her pockets directly or use that information to sell to other people so they can pilfer her pockets directly. They don't know about this.
So that's why it's important. We tend to think of this as being like, hacks are only important if they go after government or medical or critical infrastructure. But the rank and file hacks that are happening out there are against average, everyday citizens, where you become a part of somebody's botnet, or they are using it for identity theft or to steal your credit, to steal your money directly and then use that for nefarious purposes, things like drugs and human trafficking.
[00:34:55] Speaker B: Right.
[00:34:55] Speaker C: So that is why this is important. I was actually at a family function this weekend, and some of my wife's family, they live up north, and they came down and they were like, I don't have anything, anyone who care about. I'm like, yeah, you do. You have an identity. That is what the hackers want. That's why the number one stock and trade in hacking right now is stealing people's information, not necessarily their direct money. They steal that information and they sell that information. Google makes a ton of money off of what your information.
Facebook makes a ton of money off of what your information. Information warfare is the name of the game nowadays, so that's what they want. Because then they can use that to fund their nefarious.
[00:35:42] Speaker B: You know, you should start a show around that. And it could be. That's too long a title.
[00:35:48] Speaker C: Yeah, we'd have to shorten that.
Very important. Okay. This is not something we can joke around about.
[00:35:59] Speaker B: Good impression.
Now, Daniel, let me tell you what I did, or both of you, because I want an opinion here, because here's how I mentally process this. And I don't know if it makes sense or not.
It's difficult sometimes to recognize which of these we need to react to and which ones we don't. Right? So this news actually broke last week, right after we filmed last week's podcast. So it didn't break in time for us to cover it. But even at the time, I said, you know what? I'm going to wait for more details. And Cloudseek, the researchers who found this, they put out a huge write up. I've got it pulled up on my laptop right now as well. On it. And they go into a lot of detail. And at the time. So this probably would have been Saturday, that I said, you know what? I think it's odd that there's no, you know, let me wait. They've shared it with Google. Google's repudiated. This is out in the public. So we're, like, beyond responsible disclosure at this. It's. It's out. Fully disclosed. It's being used by malware packages, but there's no CVE. And I just checked while you were talking, Daniel, and there's still no CVE on this.
[00:37:06] Speaker C: Interesting.
[00:37:06] Speaker B: And in my mind, and this might be naivety, but I look at things and I'm like, if it's not good enough to get a CVE assigned to it, then maybe this is not actually something we need to worry about.
[00:37:18] Speaker C: And based off of the fact that it doesn't have a CVE.
[00:37:21] Speaker B: Yeah.
[00:37:22] Speaker C: Zero days don't have cves, and you got to worry about those.
[00:37:25] Speaker B: But they will have a CVE within days. Right.
[00:37:28] Speaker C: CVE is just something that we do as a way to identify a specific threat. Just because something doesn't have a CVE doesn't mean it doesn't warrant one or whatever. Somebody might not have to.
I say, register. What's the word? Apply for a CVE. You say, I have found this. If nobody's done that, it's not going to get one.
[00:37:48] Speaker B: Yeah.
[00:37:48] Speaker C: Right. Well, somebody would want to take credit for this malware. Steelers, they don't give a crap about having a CVE in their cap. All they care about is making that doe ray me.
[00:37:59] Speaker B: But I have to imagine cloudseek does maybe. Right.
[00:38:03] Speaker C: Maybe they don't know everything there is to know about this quite yet.
[00:38:07] Speaker B: Maybe. Yeah. Their original announcement, their very first thing that they put out was way back on, I believe, December 29, which was twelve or 13 days ago. So almost two weeks ago. Seems like in that time it would have been one created or prior to a public release. Like what we've got.
[00:38:24] Speaker C: Yeah. And here's what's funny, is you talk about it not having a CVE and therefore maybe it's not that important. You can get a CVE because your home router will open your, if you have a thumb drive attached to it, open it to the Internet. Right. How many people are attaching thumb drives to their home router? But that's got a CVE.
[00:38:44] Speaker B: Yeah.
[00:38:44] Speaker C: Right. Very low. So again, CVE isn't necessarily a litmus test of whether or not this is important. It's just a, hey, here is something you can reference and then you can add that to scanners and things of that nature.
[00:38:56] Speaker B: All right.
[00:38:56] Speaker C: Right.
[00:38:57] Speaker B: So I may have developed a bad habit then, because I've started to do this where if I see a threat and it doesn't have a CVE attached, especially if it's been weeks since the announcement. To me, that's like, hey, other people in the security industry have looked at this and nobody felt that it warranted documenting. Yeah.
[00:39:13] Speaker C: That's not necessarily the case. And not all cves are created equal as well. Right.
[00:39:18] Speaker B: Because they have that rating, cvss. It's either different, a ten or a two, right? Everything's a ten or a two.
[00:39:26] Speaker C: That's right, yeah. Did you look up a CVSS score for this? Because that's different.
[00:39:31] Speaker B: I didn't because it doesn't have a CVE. That's how I normally got you.
[00:39:35] Speaker C: Which is probably pretty good correlation to whether or not it has a CvE. Whether or not it has a CVSS score. But that said, there are steps you can take. Now, don, you mentioned just changing your password. Or was it Sophia? One of you two mentioned. I think it was Sophia mentioned changing the password. If you're just logged into one browser, that should work. Here's what cloud seek says. It says this is important stuff, right? This is especially crucial for users whose token and guy ids might have been exfiltrated. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens, which info stealers rely on, thus providing a crucial barrier. Oh, that's great. But it says, make sure that you sign out of all browser profiles to invalidate current session tokens. So it's not just one, it's all of them. Cool thing is, you can go into Google, into your account settings. There's an area that says sign me out of everything that I'm signed into, and that's a one stop shop to make that happen. So that's an easy win here. And that seems to be the prevailing win on helping. And maybe that's why Google isn't taking us that seriously. Oh, you can just go into Google and sign out of everything and then sign back in and you're fine. Okay, cool. Does grandma know to do that?
[00:40:51] Speaker A: My grandma does, because she watches techno shameless plug.
[00:40:58] Speaker C: But if you know to do that, then that's cool. If you're only signed into one thing, then yeah, you just sign out, change your password, sign back in, change your password, do the whole thing, and invalidate all that stuff, and then hopefully you're good. But there's some things about this that seems like that might not be enough, but maybe there's enough cloud of secrecy and veil of fog of war kind of thing going on. And that's maybe why there's no CvE. Maybe there's no. We're not sure yet. It seems like, again, I would base this off of if info stealers find this to be credible enough of a tactic to make sure that it must be in their software package, then I would take this seriously.
That's my litmus test.
[00:41:46] Speaker B: Yeah. Well, the danger part here to me is even if you follow the instructions, right? So if you think that a malicious actor has somehow managed to compromise your tokens like this, and you do exactly what Google said, you log out of all of your sessions and you log back in, then you've now validated those tokens. Great. But you haven't fixed whatever method it was that malicious actor was able to get at your tokens in the first place. So something else led to that, and you got to deal with that, too. So I think this is a symptom, not a cause, right?
[00:42:19] Speaker C: Yeah.
The cause is going to be that initial compromise. What allowed them to be able to do this? You downloaded something from an untrusted source. You had an exploit because you didn't do a patch or an update, and that allowed them to do a drive by download or whatever the case is you to make sure that your systems are fully patched and updated, you're following proper operational security with all of your devices. And don't get janky on the Internet. Don't click links, don't download attachments. These are the kind of things that get us in trouble, ladies and gentlemen.
[00:42:52] Speaker B: Now let me tell you what I hope doesn't happen. So this is all the result of functionality in Oauth two, that allows you to stay logged in after resetting your password, right? So if you're logged into five machines and you reset your password on one machine, it doesn't log you out of all five, it's just your password is new. Next time you have to log in, it's a new password, right. They could say, okay, we'll turn that functionality off. So now whenever you change your password, you have to relog in everywhere, right. Then, like, your access is immediately cut off as it is. You'll have to relog in eventually anyway. But now they could be all at once. That could be really frustrating.
[00:43:27] Speaker C: You know, to me, that's like the lesser of the evil style. Okay, so I got to log back in. Oh, my goodness. Right? Yeah. Is it frustrating? Big deal. What's more frustrating, having your crap stolen and your identity taken or logging back in?
[00:43:41] Speaker B: So this isn't a I'll use. This happened to me with Blizzard. Really? The game company, right.
[00:43:48] Speaker C: Shout out to pirate software.
[00:43:54] Speaker B: Blizzard. They have an authenticator that you can run from your phone. And there was one time where I logged into the desktop, this was years ago, and reset my password, which logged me out of the app. But the app was my authenticator, and so when I tried to log back in, I couldn't get to my authenticator. And I ended up having to do a support ticket to reset the account. Like they created a scenario where you could effectively lock yourself out.
[00:44:20] Speaker C: Doesn't Microsoft do the same thing with teams?
[00:44:22] Speaker B: They can. There is a very specific flow you can follow to lock yourself out. But, yeah, that's the risk. And that's why we have things like this multilogin functionality to prevent that exact scenario.
[00:44:32] Speaker C: Right.
You don't have single source of failure. You cannot have a single source of failure.
[00:44:38] Speaker B: I don't like it when companies have their own dedicated authenticator apps.
[00:44:42] Speaker C: What the heck, man? Come on.
[00:44:44] Speaker B: I want to have my two factor authentication held with a different company, like true separation. And you don't get that when it's two Fa with Microsoft, my passwords with Microsoft, and my authenticators with Microsoft. It's not as good, in my opinion, as if it was another company.
[00:44:58] Speaker C: Agree to agree.
[00:45:02] Speaker A: All right, then I feel like I need to be taking notes over here on the conversations that happen here. We'll go ahead and jump into our next article. This is part of a fan favorite segment here on Technato called who got pwned? Looks like you're about to get pwned.
[00:45:15] Speaker B: Fatality.
[00:45:17] Speaker A: So this comes to us from TechCrunch. It says, law firm that handles data breaches was hit by data breach. That is just a black fly in the Chardonnay. Isn't that.
[00:45:26] Speaker C: That's what we call ironic.
[00:45:30] Speaker B: It's true irony. Not like Alanis Morsette irony. It's like real irony.
Yeah, this one. All right, well, let's just get the elephant in the room done, which is nobody likes attorneys. Attorneys don't like attorneys.
The business they do is essential, but not well loved. True. And in this case, the irony is this law firm specifically handles other companies that have dealt with data breaches and helping them negotiate the convoluted paths of what they need to do when there's a breach. And it is convoluted. Right. Especially if you're a public traded company, you've got certain obligations to your customer. You've also got regulations and GRC through things like the SEC and the FTA and all these other organizations. So how do you navigate all that stuff? Well, you bring in these attorneys who know it really well and they help you walk through it. Well, that company had a breach. Now, to me, I don't blame them for that. Any company can have a breach. It's just the world we live in. It's how they handled it. That's shocking, because they straight up got sued for not notifying people whose data was affected. And they.
Four times, four class action lawsuits, and they're class action. So those four represent thousands of people.
[00:46:54] Speaker C: You see, the problem is Don is the waft of human feces has affected their brain.
They got to start. Get some HEPA filters or something in their building. They're in San Francisco.
[00:47:06] Speaker B: Yeah, that'll do it.
Now I'm distracted because I'm going off the rails on this one. Did you see the newest space ice video that dropped?
[00:47:19] Speaker C: Yes, I did.
[00:47:19] Speaker B: On soldier.
[00:47:20] Speaker C: Yes, it was amazing.
[00:47:22] Speaker B: And, Sophie, you probably have not seen the movie soldier, but it was so fun. He gets dropped on this planet that's like the garbage planet where everybody else dumps their garbage and he's like. And then he gets dropped into the middle of San Francisco just as he remembered it.
That's what immediately popped into my head.
Know, there are times where getting back on track, where people might stand before a judge and say, I'm sorry, your honor, I didn't know the rules. I didn't know I was supposed to do X-Y-Z. And the judge will then say, ignorance is no excuse, and throw them in jail.
But in this case, it's pretty hard for these attorneys to say we didn't know because that's literally what their business is about. So they had to settle all of those court cases. And their quote is absolutely hilarious.
It's attorneys. But they said, and this is the official quote from Oric. That's the law firm. We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close. And we'll continue our ongoing focus on protecting our systems and the information of our clients and our firm.
[00:48:36] Speaker C: Is that what they called?
[00:48:37] Speaker B: Yeah. It sounds like a real positive outcome right there.
And the other quote from them was, we regret the inconvenience and distraction that this malicious incident caused. We made it our priority to resolve it as quickly as possible for our clients, the individuals whose data was impacted, and our team. The problem was as quickly as possible was months and months and months.
[00:48:58] Speaker C: Right.
[00:48:58] Speaker B: Versus, like, with GDPR, where you have 72 hours.
[00:49:01] Speaker C: Yeah, you better get it taken care of.
[00:49:03] Speaker B: Yeah.
You need to notify people within 72 hours.
[00:49:07] Speaker C: I'm guessing they don't do business in the EU.
[00:49:09] Speaker B: I'm guessing not. But, hey, they're attorneys. They know the laws.
[00:49:13] Speaker C: Or in California, because doesn't California have the California Consumer Privacy act?
[00:49:18] Speaker B: They do.
[00:49:19] Speaker C: Isn't it similar to GDP?
[00:49:21] Speaker B: It is, yeah, in a lot of ways. And now we have. The SEC just passed that rule, actually, it wouldn't apply to here because of the time frame. But the SEC did the thing where you've got 96 hours, two days, two days, four days to notify if you're a publicly traded company in the US. So, yeah, there's new laws that are coming out to deal with this. But, hey, that didn't apply to these guys.
[00:49:44] Speaker C: Yes. The advantage of being a lawyer, don, you get to go, well, the law didn't say this.
And then they go months without actually informing anybody of their job, and then they happily say, look how good we did.
[00:49:58] Speaker A: Yeah, I know we beat this dead horse all the time, but once again, it's like there was never like an apology or even really an acknowledgment. They said, we regret the inconvenience and distraction, I'm sure you do, that this caused. Yeah, but don't worry. Oh, we resolved it very quickly and we reached a settlement well within a year, which is an achievement.
[00:50:18] Speaker C: What were you thinking?
[00:50:20] Speaker B: So I've noticed this, and I don't know if it's a cultural thing, a change in times or whatever, but people don't like to say they're sorry.
[00:50:28] Speaker C: No.
[00:50:28] Speaker B: And I know I'm going to sound like a movie here, but I see it on Kickstarter campaigns. Right? Kickstarter. Have you guys ever funded anything on Kickstarter?
[00:50:36] Speaker C: I've never funded anything, but, yeah, I'm familiar with it. Okay.
[00:50:39] Speaker B: I've done a number of them, probably 20 different things on Kickstarter. And sometimes they fall behind and sometimes they fall years behind schedule. And I'll see these companies where they post an update and they're like, hey, regret to inform you guys that we've got to delay another six months. But we got this popped up in China or the boat went the wrong direction or whatever. All sorts of different stuff. I've seen every excuse. But they don't say they're sorry. They don't apologize.
[00:51:07] Speaker C: Because that would admit wrong.
[00:51:09] Speaker A: Right?
[00:51:09] Speaker B: You're accepting responsibility, and that's what that, like, is that admissible in court? Like, oh, you said you were sorry. That means guilt.
[00:51:17] Speaker C: So it's funny. What does. I would almost guarantee it has to do with the legality of what they say. Because as a guitar player, right. Gibson, the guitar company, is very litigious. Very litigious. Another guitar company called Paul Reed Smith, or PRS, they made a guitar in the style of, like, very similar in style of a traditional Gibson Les Paul. Gibson sued him.
[00:51:42] Speaker B: Right?
[00:51:43] Speaker C: Sued him to the part where they had to halt production of those guitars, which were very popular, they had to halt that production until the court case was resolved. And the thing that resolved the case was the CEO or a senior VP or somebody that was highly involved with the court case. And in Gibson, somebody was asking them about, what do you think about know, do you think they're that close? He's like, well, obviously, no one would. You know, Gibson Les Paul's are so iconic that no one would ever make the mistake of thinking that a Paul Reed Smith was the same. And they're like, bam. You just said, it's not the same. And only an idiot would think that they were. And that's what closed the case. And Paul Reed Smith got to spin up their operations, and now they make a single cut, what looks like a Les Paul style guitar.
[00:52:36] Speaker B: Well, you know, the sad part about it, though, is, like, in some of these scenarios where if these companies would just say, look, we're sorry, we screwed up, for me in Don Pezetland, that would actually go a long way.
[00:52:48] Speaker C: Right. Because it restores my confidence in you. I understand people make mistakes, and I.
[00:52:52] Speaker B: Don'T need to be a part of a class action lawsuit. And you admit that this is something that you're responsible for, you take ownership of it and, you know, accountability. But when you say things like this, like, we regret there was an inconvenience to us.
I get no sympathy out of that.
That's just where we are, where we're at now.
[00:53:14] Speaker C: You start looking up their competitors.
[00:53:16] Speaker B: Yeah.
[00:53:17] Speaker A: When you first started talking about how people don't like to say sorry anymore, there is kind of like a movement of people that say sorry for everything, where it's like you bump into somebody, oh, I'm so sorry. And there was like, this whole, you don't need to say sorry. It's not your fault. You need to empower yourself. But it kind of went too far in the other direction where people were doing, like, awful things and then being like, well, it's unfortunate that it made you feel that way. It's like you hit her. You need to just say, I'm sorry.
[00:53:42] Speaker C: There was a comedian that did a bit about this years ago, right? And he was talking about how he thought it was funny how some of his family from New York would insult you and they thought they could get away with it. Because. I don't mean this. I mean no disrespect, but you're a douchebag.
Well, hold on. What? Just call me a douchebag. He's like, I said, no disrespect. That's not how this works.
[00:54:05] Speaker A: You can't say no offense and then say something offensive. But I said no offense.
[00:54:08] Speaker C: I said no offense.
[00:54:08] Speaker A: It cancels out.
[00:54:09] Speaker B: Yeah. Jeff Foxworthy did that with bless your. Bless her heart. Yeah, same thing. As long as you say bless her heart at the end of it, but bless her heart.
[00:54:17] Speaker A: Yeah.
[00:54:18] Speaker B: My wife and I, we have this thing that we do where, you know, Canadians. Canadians are unusually polite. Correct. Just as a culture, people from Canada tend to have far more manners and are just way more polite than other countries, including the US. And so they do apologize and things for even little things that wouldn't necessarily be even thought of. And because of accents, they don't say sorry. They say sorry. Right. And so in the pizzette household, we have multiple levels of sorry. Right. So if you're genuinely sorry for something, you say, I'm sorry that I did that. I didn't consider what would happen. Whatever. But if you say you're sorry, that's like you're saying you're sorry, but it's just formality. So we have the canadian sorry, and I probably use it once a week. At least if I drink the last of the coffee. Sorry.
[00:55:17] Speaker C: I guess the american version of that is sorry, not sorry.
[00:55:19] Speaker B: Yeah, right. Like that.
[00:55:22] Speaker A: Considerably less polite.
[00:55:23] Speaker B: You're right.
[00:55:24] Speaker A: Sorry, not sorry. Well, before we jump into the next segment, our director, Christian sent me a message that said, I guess the guy in the. Who got pone Gif is based on Pirate Software's dad.
[00:55:34] Speaker C: Oh, yeah. I said that a couple of weeks ago.
[00:55:35] Speaker A: I must have just totally missed that. I did not know that.
[00:55:38] Speaker C: Yeah.
[00:55:39] Speaker A: Well, there you go.
[00:55:40] Speaker C: Thank you for this. That's actually like his apartment and everything. Like everything you see there is an actual representation. He worked with Trey Parker and Matt Stone to recreate him and everything that he does, the way he sits, the wrist, everything about that is his father.
[00:55:55] Speaker B: So I remember us talking about that, but prior to today, I had no idea who pirate software was. I'd never even heard of this guy.
[00:56:04] Speaker C: We've kind of mentioned him a couple of times in the last few weeks, just not directly.
[00:56:08] Speaker B: I probably just thought you were talking about stealing software.
[00:56:09] Speaker C: Yeah.
[00:56:10] Speaker B: No, not a person named Pirate.
[00:56:13] Speaker C: He's a streamer.
[00:56:14] Speaker B: So is it like a YouTube channel called Pirate Software?
[00:56:16] Speaker C: Yeah, I think it's a Twitch stream as well.
I know he streams talking about. Because he's a game developer.
[00:56:25] Speaker B: Yeah. I wonder if he has an rog nook.
[00:56:27] Speaker C: Yeah, he probably does, because he's got to develop for it. To see if his game is going to work right.
[00:56:33] Speaker A: Well, thank you, Christian, for enlightening. At least Don and I. Clearly Daniel already knew and he's got all this just. We'll know better than to try to inform him next time. We'll go ahead and jump into our next segment. This is one of my personal favorites.
[00:56:50] Speaker C: That's all right.
[00:56:51] Speaker A: It's a little short.
[00:56:52] Speaker C: It was a little short. I didn't have to tell you. As soon as you let the ball go, you knew it wasn't hitting a strike.
I didn't have to tell you.
[00:57:01] Speaker A: You didn't have to tell me. I'm learning, I'm learning. This one comes to us from SC media. It says NPM registry prank leaves developers unable to unpublish packages. It sounds like what this was is he was just trying to be funny and troll a little bit and it went a little too far and then he regretted his decision. Is that right?
[00:57:16] Speaker B: Yeah. So what happened here? And this is symptomatic of a bigger problem with NPM. Right? So if you're not familiar with NPM. Right. Node JS is a Javascript framework that is wildly popular for writing web applications that run locally as well as in the cloud.
[00:57:32] Speaker C: Javascript or Java?
[00:57:33] Speaker B: It's Javascript.
[00:57:34] Speaker C: Okay.
[00:57:34] Speaker B: Yep. Yeah. Not Java. That's a whole different, completely different. So node JS is like an engine that runs Javascript as if it were an executable and gets things going.
So NPM is the node package manager. Think of like a Linux distro where you've got apt or yum or whatever, the DNF where you're installing packages. That's what NPM lets you do. And so there is a public repository where they have all these node packages. And the barrier of entry, the bar to get a package put into the NPM repository is practically non existent, having an mean, if you name it, crypto coin miner, like maybe they'll catch it, but probably not. The bar of entry on this thing is so low.
[00:58:25] Speaker C: Who's got that kind of time?
[00:58:26] Speaker B: Don, I know if you trust NPM packages, you are just like taking your life in your own hands. The problem is, damn near every developer does they all just trust it like there's no limit. And so every now and then we hear about thousands of packages being removed from the NPM repository because they have crypto miners in them or some developer. It was a few years ago, a developer decided they were angry and they wanted to protest, and so they intentionally damaged all of their packages. And everybody who depended on their packages. Their apps now broke. And so that was a very malicious thing. And NPM allows that. Well, the latest one is somebody thought. Not somebody, it's actually a group of people. So a group of people they thought, wouldn't it be funny as a little prank? Ha ha. Let's make a package that depends on literally every other package in the entire repository. Now, that's millions of packages. And so they couldn't just make one package that did it. They had to make over 3000 sub packages that then depended on everything else and then wrapped it all up into one NPM package that you could get that was called everything. And so the joke there was like, it's literally everything. Well, it was just a joke. It was a prank that they were pulling. And unfortunately it had some unexpected consequences, which is in NPM they have a policy where you can't delete a package if anything else depends on it.
[00:59:57] Speaker C: And why is that, don?
[00:59:58] Speaker B: Well, because if I make an application that depends on a package and that original vendor removes that package, my application now breaks.
[01:00:04] Speaker C: It does, yeah. And it came from things like what you were talking about earlier where the guy was like, I'm going to protest.
[01:00:10] Speaker B: Yes.
[01:00:10] Speaker C: So he couldn't remove the package. Right. Because there was somebody that had done that. That was their, I guess, protest or they were just being a jerk and they removed their packages, they unpublished them and then everybody's things broke. So NPM says you can't do that. If anything depends on it, then you can't unpublish.
[01:00:30] Speaker B: Yeah, that's basically the gist of it. And where this got really sticky, they released this everything package and it depended on everything. So now nobody could unpublish and they didn't know that was going to happen, which is somewhat surprising because this is literally the second time this has happened. It's happened before.
[01:00:47] Speaker C: How many times have you written a script, though, and thought, this is going to be awesome, and then you run it and it goes, oh, that's weird. Whoops.
[01:00:55] Speaker B: Well, somehow in the brief time that they had released this, some other package began to depend on the everything package. There was like a looped dependency. And so once they realized the problem, they went to remove the everything package and they couldn't remove it. It was stuck. And so all of a sudden NPM was like all the removal functionality was just.
So the pranksters had to reach out to the people that control NPM and try and address this. And it's been quite the debacle.
[01:01:27] Speaker C: So what's crazy is it's like you can make a dependency using a wild card like a star. And that's where the problem comes in, right? Is because if I just make a dependency that wildcard now, I can't unpublish, right. So I think the person that originally did this said that. They were like saying, hey, here we go. They said, okay, we can do these things. A allow folks to unpublish when packages depend on them, use a star version or b not permit star versions in published packages going forward, or as a last resort, c remove our NPM organization entirely and remove all the packages that are blocking unpublishing. This is what they reached out to NPM, said, do one of these three things, please. I don't care if it's c, but we got to do something. This is a problem.
[01:02:22] Speaker B: Yeah. And what's interesting here is in order to pull this prank off, let's just assume it was the funny prank. They had to push 3000 sub packages to do this. And so people are starting to ask the question like, why can someone publish 3000 packages? Shouldn't that set off a rate limit? Shouldn't that be looked at as spam? Because there has been a lot of spam in the NPM library over the years or in the repository over the years. So there are some challenges. I mentioned this is the second time this has happened. The last time that it happened, it wasn't really a prank. It was a malicious action. But they had 33,000 sub packages.
[01:02:59] Speaker C: That was the no one left behind.
[01:03:00] Speaker B: Yeah. So it was everything they said.
[01:03:02] Speaker C: That was also reminiscent of a package called hoarders that used to directly depend on every module on NPM. Approximately 20,000. This was in 2012. It was published by a software engineer. Josh Hallbrook. Created node js. Yes. Complete utility grab bag.
[01:03:17] Speaker B: Well, there we go. So this was not a surprise. Never seen before. Zero day. This is something that's been around for over ten years. And it was just a joke, but it did kind of go south. Now, I have noticed something interesting, which is a lot of people are blaming NPM for this and saying, how could they be so lax and why don't they have rate limits and stuff? And I agree with that. NPM is not known for being secure and trustworthy. You don't want to trust them.
[01:03:47] Speaker C: Right. They're open source repositories. It's like pypy, right? Yeah, same kind of idea. Yeah. There's cool stuff in there, but you have to be careful. The onus of security is on you. They do what they can, but at the end of the day, you install something on your system that's on you, player.
[01:04:02] Speaker B: But at the end of the day, the pranksters caused this.
[01:04:06] Speaker C: They did cause this one. This is a denial of service. Normally, those packages that you need to be wary of are ones that are malware.
[01:04:13] Speaker B: Right.
[01:04:13] Speaker C: You were installing something malicious to steal or gain access to or whatever. This was a denial of service attack. And that's obviously going to make its way to the top of the list of, hey, this is a problem real quick because people are going to get.
[01:04:25] Speaker B: Yeah, yeah, absolutely. And I think there's. There's responsibility to be had for this on both sides. Oh, right.
[01:04:32] Speaker C: Of course.
[01:04:32] Speaker B: NPM should have had protection in for stuff like this, but the pranksters shouldn't have been doing what they were doing. It did bring to light a vulnerability. Right.
A malicious actor could have also done this and had in the past, it did come to light. But there was malfeasance on both sides, I think.
[01:04:50] Speaker C: Yeah, definitely.
[01:04:52] Speaker A: So this is obviously it was a prank. It wasn't intended to be malicious. He was just goofing around and it went a little further than he expected it to. But if this was causing a lot of problems, and like you said, a denial of service, I think, is how you classified it, could he get into actual serious trouble for this? Or is this something where it's just like, okay, it's really annoying, but he didn't intend to.
[01:05:11] Speaker C: He could be maybe civilly charged if a company lost money because they depended on this package. There's a possibility that, I mean, you can sue a ham sandwich if you want to.
[01:05:23] Speaker B: The problem here is it's a virtual crime, right? So it's a cybercrime, which, the way they've got it, is governed by NPM's terms of service. So they absolutely violated the terms of service. But terms of service doesn't really hold up well in criminal court. Most companies won't. Oh, yeah. It doesn't even apply in criminal court. So it would be a civil case like you described. And they certainly don't hold up in front of a jury. Juries never side with the terms of service. Right. So it's unlikely to go anywhere from a punitive side that way.
[01:05:57] Speaker C: It does pose an interesting question, though, of if I had criminal intent, if I did wish to cause monetary impact against companies that I know use these softwares, could I be criminally charged as like, computer fraud and abuse act, something like that?
[01:06:15] Speaker B: Yeah, you could, right.
[01:06:17] Speaker C: They could prove criminal intent.
[01:06:19] Speaker B: It's just been extremely rare.
[01:06:21] Speaker C: I hear that?
[01:06:22] Speaker B: That's happened. Remember when Kevin Mitnick was originally arrested? So way back in the 90s that before then, nobody else had been arrested like that. And there were plenty of other people doing crimes exactly like what he was doing. He just kind of became the first. But then you didn't hear about anybody for years. There was that guy who wrote Saint. I can't remember his name. He got arrested too.
Do you know the story behind administrative tools?
[01:06:48] Speaker C: Maybe.
What's the story you're referring to? Don?
[01:06:52] Speaker B: So he got arrested, got thrown in jail, and this was before they knew. Like, when somebody does a cybercrime and you throw them in jail, you need to take away their computers.
But he had access to the prison computer. And so he wrote an application called Satan.
[01:07:07] Speaker C: I remember Satan.
[01:07:08] Speaker B: Yes. And Satan was like an attack toolkit. If you wanted to take down a server, you just pointed this at it and it had all kind of like what Metasploit is now.
[01:07:17] Speaker C: Well, Saint was meant to be an administrative tool, and it was being used as an exploitative tool. So if I was a hacker and I had a copy of Saint, I could use that for remote purposes and doing all sorts of administrative things maliciously. So then he wrote Satan, which was meant to be.
[01:07:33] Speaker B: It was the other way around. So Satan came first.
[01:07:35] Speaker C: Oh, really?
[01:07:36] Speaker B: And he said this was when his jail term was coming up.
[01:07:40] Speaker C: Okay.
[01:07:40] Speaker B: He said, I've written a pretty sweet tool. He just rebranded servers down.
If one of you wants to give me a job, I'll turn it into a tool that protects your servers instead of one that attacks your servers.
[01:07:55] Speaker C: Interesting.
[01:07:56] Speaker B: Hard to get a job with a criminal record. Yeah, he got a job, and Satan became saint.
[01:08:00] Speaker C: Gotcha.
[01:08:01] Speaker B: And so the same basic tooling. And that was the way you can't do that stuff today. Right. But back then, it was a whole different world, so everything was new.
[01:08:09] Speaker C: I literally haven't even heard these words in this context since, like, 2002.
[01:08:14] Speaker B: Oh, yeah, these are old tools in a whole new world, but, yeah. So in this case, it was just a prank? Allegedly. Yeah. We don't really know, but they're saying that. I doubt this will ever go to court or anything, especially since this is the second time it's happened to NPM. But be aware, if in your workplace environment you rely on NPM, understand that that is a threat vector and not a threat vector because of security exploits. It's a threat vector because of stupidity and lack of effort on the staff that maintains NPM.
[01:08:44] Speaker C: What is it, Godwin's law? Right? Oh, no, that's the nazi thing. There's another law about, like, never attribute to malice what can easily be attributed to ignorance or just stupidity.
[01:08:58] Speaker A: Interesting.
[01:08:59] Speaker B: Well, there we go.
[01:09:00] Speaker A: Obviously, none of us are legal experts, and I know in our last segment we did spend some time poking fun at lawyers, but if you happen to be watching this and you have some legal knowledge, curious what your take is on that conversation we just had. What do you think? And of course, if you're enjoying this episode, if you had a good time, if you liked spending this time with us, maybe consider leaving a like and subscribing to the channel, if you haven't already, so you never miss an episode of Technato in the future. We've also got all of our old episodes, I say old, lovingly aged episodes here on the channel as well. And so much more. It's not just technato. On our YouTube channel, we've also got ACA learning has live webinars, live on social events that happen. We've got one happening. It'll be the day this episode is released and it's going to be myself and Don Pizzette. Don, are you excited?
[01:09:41] Speaker B: I am pumped up, ready to go.
[01:09:43] Speaker A: I can tell by the deadpan expression on your face he's got a good poker face. It is going to be a lot of fun. This is something that we do every year and always a lot of good questions that come in. So I'm looking forward to it. And I know Don is in his heart as well. So we hope that you join us and bring your questions. We had one last week as well, all things cybersecurity, Daniel Lowry. We had John Hammond on the show and that was a lot of fun. So if you missed that, encourage you to go back and check that out. Very fun. I said it was a lot of fun.
[01:10:08] Speaker C: I know, I'm just reiterating. He's just climbing, supporting your claim that it was.
[01:10:13] Speaker A: No, no, it wasn't a lot of fun. It was very fun accusing you of anything. Jeez, you can't work with something.
I've been traumatized.
We've got those the first Thursday of every month this year and hopefully in the coming years. But if you didn't miss that one, feel free to go back and check it out. And we'll have a new one every month, so don't want to miss those. And we've got another, yet another webinar happening later this month. We've got three, which is, I think, probably a record for us. We are webinar heavy, so if you're more on the auditing side of things. It's a skeptical auditor webinar going to be talking about some 2024 risk trends for auditors with Lindtron and Hernand Murdoch. So that'll be in a couple of weeks. Feel free to check that out when that does come out. And again, thank you to our sponsor, ACI learning, the people behind it pro. If you're listening from the Technato website, you can look for that sponsored by button. And if you click on that, it'll take you to the it pro website. So if you do want to support the podcast, check out those courses. It's what we do in our day job. You can use the promo code Technato 30 for a discount on an it pro membership. Drop a comment. Let us know what you thought about this week's news. That's going to do it for me. I think I talked for quite a long time, so if there's anything you'd like to throw in, now's the time to do it. You have 10 seconds.
[01:11:22] Speaker B: 10 seconds of silence to meditate. You looked up the Hanlon's razor, Hans Razor. That's what it was called. Hanlon's razor.
[01:11:28] Speaker C: Hanlon's razor.
[01:11:29] Speaker A: What's Occam's razor then?
[01:11:30] Speaker C: Occam's razor is that the most likely answer is the simplest. Is the simplest one. Okay, the simplest answer is most likely answer. That's what it is.
[01:11:38] Speaker A: Oh, I learned so much every week on this show. Doesn't even have to do with technology.
Join us for next week's episode of Life, where we. Yeah, exactly.
[01:11:45] Speaker C: Philosophical.
[01:11:47] Speaker A: Well, thank you so much for joining us for this week's episode of Technato, and we'll see you next time.
Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.