343: Who Asked For This? (NOBODY!)

Episode 343 January 18, 2024 00:59:11
343: Who Asked For This? (NOBODY!)
Technado
343: Who Asked For This? (NOBODY!)

Jan 18 2024 | 00:59:11

/

Show Notes

This week on Technado, the team is feeling cynical: who wants a laptop that runs Windows AND Android? Then, Chicago public schools lose over $20M in electronics in just ONE year. And to wrap up the tech segment, someone's washing machine is sending gigs of data every day...and no one knows why.

In security news, Framework fell victim to a data breach due to a contractor slip-up. Then, Don and Dan break down the 0-days that are letting hackers backdoor networks in Ivanti VPNs. And to close out the show, we revisit a long-running saga involving eBay, a Massachusetts couple, and some questionable (read: terrifying) packages.

 

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: You're listening to Technato. Welcome to another episode of Technato. I'm Sophie Goodwin, one of your hosts. And really quick, I want to thank the sponsor of Technato, ACI learning, the folks behind it pro. Just a reminder that you can use that discount code Technato 30 on your it pro membership. Once again, I am Sophie. Looking forward to jumping into this week's tech news. I know we definitely have some throwback pieces, so I'm looking forward to this. Don, how are you feeling? [00:00:30] Speaker B: I am feeling, know we had the big tech conference last week, and so several vendors have been pushing out new technology. So we have a couple of new devices to talk about today. Not a ton, but there's some neat stuff that's out there. Then we have our standard cybersecurity world, which is a giant dumpster fire, so keeps us busy. [00:00:48] Speaker A: Can you attest to that, Daniel? Is it a giant dumpster fire? [00:00:50] Speaker C: Oh, we just keep pouring gas on it so it won't stop just how it goes. [00:00:54] Speaker A: Just kerosene, soak rags. [00:00:56] Speaker C: If you were ever against fossil fuels, this would be the issue that might get you there. [00:01:02] Speaker A: You have been warned. We cannot be held liable for any of that. [00:01:06] Speaker B: Yeah. [00:01:06] Speaker C: By the way, that's just a marvel to how Don and I at least reached 7th grade and stopped maturing. [00:01:12] Speaker B: Yes. Yeah. [00:01:13] Speaker A: I like that he excluded me from that. I do appreciate that, but you're giving me a little too much credit. [00:01:18] Speaker C: You got at least an 8th. [00:01:20] Speaker A: Well, that's just because I was homeschooled, so I had a little bit of extra time. It was bound to happen. We'll go ahead and jump into the news that we have this week. Before we get too far off the rails, this first one comes to us from ours. Technica detachable. Lenovo laptop is two separate computers, runs windows, and. [00:01:39] Speaker C: Like the, it's like the king laptop. [00:01:42] Speaker A: Yeah, that's interesting. I have like, a surface that's like detachable. So when I first saw this, I was like, oh, this is nothing new. I've seen laptops like this, but two separate computers. That's interesting. [00:01:51] Speaker B: Yeah. Yeah. So they went an interesting route. Like you said, sophie, we have seen computers where the monitor would detach, and now it was a tablet, which just meant that they took the cpu and hard drive and all that and stuck it up in the monitor instead of in the base. Makes you wonder what all is in the base. But that's what they did. But in this case, Lenovo went a different angle and they said, here's what we're going to do. We're going to make the display a full blown Android tablet. So it's going to have an ArM processor in it, its own memory, its own storage. It is going to be a standalone tablet. We're going to make a laptop base, keyboard, touchpad, speakers and all that intel processor SSD that runs windows. And when you snap the monitor into the base, well, you see the windows screen and that Windows computer. But when you pop the tablet off now the tablet flips into Android mode and you're looking at that and the base of the laptop, you can actually hook it up to a monitor, keyboard and mouse. And it's still a functioning computer. So it really is two computers. It's an Android tablet and a Windows half top or half laptop, whatever we want to call it. Crop top. It's a crop top, halter top. You stick them together like Voltron or something and you have a laptop. [00:03:04] Speaker C: Now the Voltron song is in my head. Thank you. [00:03:10] Speaker A: Well, the price on this definitely aligns with the fact that it's two computers. I just looked it up, $10,000. It looks like the surface book right now goes for a little over 1000, or at least the one that I'm seeing, and this is 2000 because you are paying for the two separate computers. So not a cheap price tag on that. [00:03:27] Speaker C: Any kind of like details on whether or not these two things talk to each other in some way, shape or form. [00:03:33] Speaker B: So there's obviously some gray area here and some marketing speak or whatever. But allegedly when you plug the screen into the base, so you put it in the lions combine and you get the laptop mode because everybody knows the car of Ultron sucked the lion one. And they combine, you get the windows screen is what's displayed up on the tablet. But the Android system is still running in the background and the base is able to remote in to view the apps that are running on Android. So it looks like the Android apps are running on your Windows instance, but they're actually just being remotely displayed. Now they didn't really describe how that's working. Is it networking over a USB C connection through the dock or is it a wireless connection or whatever? [00:04:17] Speaker C: Like some weird built in Wi Fi AP that only they talk to. [00:04:20] Speaker B: Maybe you see that like Roku remote controls with that weird network that they make that's part Bluetooth, part Wi Fi and all that. That throws off all your security. [00:04:33] Speaker C: Do and do like a network capture of your home. If you've got any kind of Roku's and you're like, what the hell is all of this? [00:04:40] Speaker B: Yeah, they don't follow the rules. So Lenovo is trying something new and I can get kind of excited about stuff like this. It seems like a neat idea, but I can tell you what would happen with me is this is going to be a not popular device. They're not going to sell a lot of these, if they ever sell it at all. Right? Sometimes these never actually makes the market any sense. That aside for me, let's pretend that I had this laptop in front of me right now, right? And I pop that display off now I got a sweet tablet. Okay, well, tablets get dropped, get scratched and so on. So I'm going to want a screen protector on it, but I won't be able to buy that because they're going to sell 100 of these and that's it. Right. Or I want to put a case on it. [00:05:25] Speaker C: So it's two things put together that nobody wants together, right? I want my tablet and I want a laptop. I don't care about turning my laptop into a tablet. And if you do, if you're like, you know what would be really convenient right now is if my laptop was a tablet. Then you've got those Lenovo flexes or whatever and they just kind of fold over the back and everything's there and you go into tablet mode and you're having a great time. I've got one. It works great. It's a little hefty, but other than that I don't use it that way a whole lot. But when I need it that way, it works great. I do it and I pull it back as a laptop because what I want is a laptop, right? Because that's what I do most of my stuff on. If I needed just a tablet, guess what? I bought a tablet. [00:06:07] Speaker B: Yeah. They are priced low enough where you just buy the device and then it's. [00:06:12] Speaker C: Not a huge massive screen. I'm not an iPad pro guy or whatever, where I need this massive full screen thing because I'm not using it in that way. If I did like that tablet form, I probably would buy an iPad Pro and get the connected screen, the keyboard and call it a day. I don't understand the purpose of this. [00:06:32] Speaker B: Yeah. Did you ever have a Asus transformer? [00:06:36] Speaker C: I did not. [00:06:37] Speaker B: Okay, so a million years ago I had one of these. [00:06:39] Speaker C: Was that when the thing with the phone went in the back? Right. [00:06:41] Speaker B: What was that? Oh, no, that was the padphone. But the transformer was neat because it was an Android tablet, which Android tablets are totally not popular, right? So they're already like a dead market basically. But it was an Asus Android tablet and then it had a whole keyboard clamshell that it snapped into and the keyboard, they needed to make it heavy so it would hold the tablet up and the way they did that was that the keyboard, it had the keyboard, a touchpad and it was all battery, like massive battery, which was awesome because. [00:07:16] Speaker C: You dock it and you could run. [00:07:18] Speaker B: For charges and it would charge the tablet and I loved that thing. And just repeatedly Google has not done a good job maintaining tablet support and so it quickly got to where it wasn't getting updates anymore and I had to get rid of it. I only got rid of it because I couldn't get newer versions of Android on it and that was years ago. I love that thing. [00:07:37] Speaker C: Yeah, that's what I'm saying. [00:07:39] Speaker B: But it's like you said, it was one device, it wasn't two devices, it was one. And you could put it into a clamshell mode if you want. [00:07:44] Speaker C: Maybe I'm just being too myopic or near sighted or whatever you want to say that. I don't see the obvious advantage of having this device, but I don't obviously see what the advantages of having this device is. [00:07:56] Speaker A: Yeah. When you all started talking about like, this is pointless, it was a little bit of a relief for me because sometimes you cover stuff like this and I'm thinking in my head like when would anybody ever use this? And then you start talking about, oh, this is great for people that do such and such and I'm like, well duh, of course, now that you mention it. And in this case I don't do a lot of the highly technical stuff that you guys do. I just don't, don't see somebody like me using something like this to its full capacity. If I wanted something where I could detach the top and use it as a tablet or whatever, I would just get like a surface book because when am I ever going to plug that keyboard into a monitor and oh, now I've got a separate screen. It's a lot of work for a lot of money that I really just don't need it. [00:08:36] Speaker C: We should probably make a whole new segment called like technato shits on blank where we pick something we're like, this is completely useless. Tear it apart. [00:08:46] Speaker B: It's neat to see Lenovo do this. Samsung has done a few weird things over the years. The Samsung Dex. [00:08:53] Speaker C: Oh yeah. [00:08:53] Speaker B: Where you could hook it up to a monitor and keyboard. You could drop your phone in it and bam, you'd get a full size desktop with mouse and keyboard and so on. It was a neat idea. [00:09:02] Speaker C: It came in handy like once in. [00:09:03] Speaker B: A while and it was just inconvenient enough that you didn't want to use it, right, because you had to have it at home or you had to take it with you on a trip and you weren't going to take it with you. [00:09:13] Speaker C: You mean the little thing like you could still use Dex without having that dock station? [00:09:17] Speaker B: If you had the right cable, it. [00:09:19] Speaker C: Was just USBC cable. You just plug it in, Dex just runs. [00:09:21] Speaker B: Yeah. [00:09:22] Speaker C: So, yeah, that little thing was just nice because you would have it sitting on your and you would just dock your phone and that would be what's up. But no, you could just plug in with a regular USB C cable and Dex would just pop up. I used it here a couple of times at ACI for demonstrating mobile x, y or z thing and it was really nice because that was easier than trying to do a screencast or whatever the case. [00:09:45] Speaker B: I used it this one time when I was arrested and they put me in a hotel and all I had was my phone and a fire stick. That was it. [00:09:56] Speaker C: I liked it. [00:09:57] Speaker A: Somebody in the comments raised the point, I really like the specs, but let's see how the battery life is. And that's what will really sell me on it. Yeah, poop skunk says that it's an utterly clownish product. I thought you might enjoy that. Yeah, that's the name he's chosen. [00:10:14] Speaker C: Poop stinks worse. [00:10:16] Speaker B: Probably not, right? [00:10:19] Speaker C: This is two things. Like you put two stinky things together, sir, madam, whatever you might be. [00:10:25] Speaker A: Oh boy, that was a mistake. But yeah, generally it seems like 7th grade. I told you the comments on this article pretty much are in agreement here. I'm sure there will be maybe somebody that comments on this video in disagreement and says that I'm stupid for saying what I said. I'm curious if you have any opinions on this and if you can think of it like, no, this would be perfect for this and it's filling this gap. Please let us know because obviously there's a consensus here that who's going to use this? [00:10:52] Speaker C: Yeah, we're struggling, we're struggling. [00:10:54] Speaker B: Somebody's going to take that literally and say like, oh, filling a gap. My washing machine is level and it fills the gap right beneath that one leg. [00:11:03] Speaker A: I think we have actually got an article on a washing machine in a little bit, but we won't jump to that just yet. That was foreshadowing on Don's part. We'll head into our next article here. We're pulling this one from slash. It says, Chicago public schools lost over $20 million in electronics in one year. [00:11:18] Speaker C: It's schools. Detachable electronics, supposedly. [00:11:23] Speaker A: Yeah, it seems like some people think they're detachable. So is this like a theft issue? [00:11:28] Speaker B: I wouldn't go so far to say theft. I'm sure some of it is right. But let's understand the scope of this. So schools today are way different than when I was in school. That we are a technology enabled society, and so many schools issue out chromebooks or iPads or full blown laptops to their students as a part of their education. And Chicago public schools gave out over $127,000,000 in hardware last year to their students. Right. Kudos to them. Students get assigned a laptop. They can take it home, do their homework on it, bring it back to school and use it. That's phenomenal. When I was in school, each classroom had one Apple. Like an apple, two c or something. Yeah, two e, maybe. And that was it. And I got to use it maybe once a month. And you just played Oregon trail. [00:12:20] Speaker C: That was it. That was the only thing waiting to die. Dysentery. [00:12:24] Speaker B: It's going to happen. [00:12:25] Speaker C: That's it. [00:12:26] Speaker B: So nice to see that students have access to a lot more, because, hey, when they get out in the workforce, they're going to need those computer skills no matter what career they go into. So that's all positive. Right? But they have a budget deficit this year, and so they had auditors start to take a look and see what's going on. And one area where they got dinged is over $20 million of that equipment that went out. So practically a fifth or 20% of that hardware never came back. That just got marked as lost or stolen. Right. So it's gone and that's that. And so we don't know. Were the 6th graders taking it down to the pawn shop and pawning the laptop, or did they legitimately get lost because they're kids, right? [00:13:10] Speaker C: Met kids. They are famous for losing expensive things or breaking it. [00:13:15] Speaker B: I'm sure some of them got sat on or dropped in a pool or whatever. [00:13:20] Speaker C: Speaking of that phone pad or whatever it was, isn't that what happened to it? [00:13:25] Speaker B: Mine got sat on. Yeah, it did. Not by me, but your child. So not in Chicago. So I got that going. [00:13:35] Speaker C: For me, it was a Chicago school. She's like, let me borrow that. [00:13:41] Speaker B: So they started digging into it, saying, like, what the heck? How can we lose a fifth of our hardware? That seems a little on the high side. You expect attrition. You expect hardware to die. But I don't think it's unreasonable to expect to get a couple of years out of hardware. The school had spent over 20 million. Sorry, not over 20 million. They had spent several million dollars on software to be able to track these devices, to keep track of where they are. Turns out they weren't using it. They bought the software, they installed it, and they just didn't use it. [00:14:12] Speaker C: Well, that makes sense. [00:14:13] Speaker B: And as they dug in deeper, they found where if you reported a device as stolen or lost, there was no negative repercussion. And so they would just say, all right, hey, you lost your laptop. Here. Here's your new one. [00:14:25] Speaker C: Wow. [00:14:25] Speaker B: And that was it. And so nobody really felt like accountability or responsibility. And so they're losing one out of five. [00:14:33] Speaker C: Welcome to the modern world. [00:14:35] Speaker B: Yeah, that's it. [00:14:36] Speaker C: I just do whatever you want. [00:14:38] Speaker B: And this is just Chicago public schools. We've got numbers because the audit. But I bet it's a similar situation across the country. [00:14:44] Speaker C: Guarantee it. Because I know people that work in school systems. I remember them having, like, brand new laptops, like, nice ones, or iPads and stuff. Like, where'd you get this? Oh, well, the school issued it to us. I'm like, why? Because we need something to work on. I go, yeah, no, I get it. But you have a laptop and $1,000 iPad. What's up? She said, oh, yeah, we give them to the students, too. I'm like, I'm sorry, what? That seems like a mistake. But if we don't use that money, we won't get it again. [00:15:14] Speaker B: Makes total sense. [00:15:15] Speaker C: There you go. [00:15:16] Speaker B: Total sense. Go. [00:15:17] Speaker A: It is interesting now that because this has become kind of the norm in schools, is for kids to either have chromebooks or some kind of a tablet. Even though most teachers are like, we don't want you having your phone or any kind of device in the classroom. Like, they're banned. Keep them away. If I see it, I'm taking it, because a lot of the stuff is done online. You kind of need a device all of the time, so I guess maybe they lock them down and make it so you can't access certain stuff. But I can goof off just as much on a computer as I can on my phone. [00:15:39] Speaker C: You can boot a Chromebook into developer mode and then get full access to Linux inside of it, and then you can start doing a lot of things. [00:15:46] Speaker A: I was just thinking more from an end user perspective, just goofing around on like, pop tropica or something. [00:15:51] Speaker B: But that too, yes. [00:15:51] Speaker A: You've got, like a child prodigy. Hey, I'm not going to put. [00:15:55] Speaker C: It's a Google search away. How to unlock my Google Chromebook. [00:15:59] Speaker B: You mentioned child prodigies. I think if there's one thing we've learned about these hackers is that many of them are child prodigies. [00:16:06] Speaker A: Yeah, got a couple of goodwill huntings in Chicago. They're just waiting to unlock their chrome. [00:16:11] Speaker C: Kids get real curious, especially when you like, what did Samuel Clemens say the most powerful word in the English language is? No. Right? And you say, no, you can't. And they go, can't I, though? Yeah, I mean, I get to take it home, and if I mess it up, I'll just be like, I miss so and so. My Chromebook broke. It won't boot now. And they go, okay, here's another one. [00:16:30] Speaker B: Cool. [00:16:30] Speaker C: Let me try something else. They don't care. They're kids. They don't understand the consequences and repercussions of the things that they do. That's why we don't let them vote and drive cars and drink beer. They still do those things, obviously, and we usually regret those decisions quite often, which is why we tell them, don't. [00:16:50] Speaker B: Do that right now. I do want to say just people are clear on this. I think people should be responsible for the equipment that they're issued. But these are kids. And I don't think it makes sense to say, like, oh, you lost your laptop, now you got to pay for it, of course. But certainly if the school district has tracking software, use the stinking thing, they should be using that. And if a laptop is reported as stolen, they need to be filing a police report. They need to do those things, right? I'm not saying blame the kid. I don't think it's fair to expect a ten year old to be responsible for a laptop, but if you're going to do it, at least try and be respectful to the taxpayer dollars. [00:17:31] Speaker C: I like that. That's a good parting word by Don Pezet. [00:17:33] Speaker B: Right, there we go. [00:17:34] Speaker A: I think most people would probably agree with you there. Well, hopefully they figure out a solution to this, because I would imagine if they continue to issue electronic devices like this, they're going to continue running into this problem. Kids are going to become responsible overnight, so hopefully they find a solution to this. [00:17:49] Speaker C: How do we get those admins to care? [00:17:53] Speaker B: I feel bad for the admins because the admins are probably wanting to do. [00:17:56] Speaker C: This stuff, not doing it. [00:17:59] Speaker B: Yes, that happens a lot. [00:18:02] Speaker C: Making me mad. [00:18:04] Speaker A: Well, then we'll go ahead and move on then. Before Daniel gets too upset. I made mention earlier of an article having to do with a washing machine. So we've arrived. This comes to us from Tom's hardware. Your washing machine could be sending 3.7gb of data a day. LG washing machine owner disconnected his device from wifi after noticing excessive outgoing daily data traffic. So was somebody like bitcoin mining on his washing machine? [00:18:29] Speaker B: So I'll ruin the end of the story. We don't really know. He doesn't know what this traffic was, right? But he happened to notice that his washing machine was uploading about three and a half gigs of data every single day, just constantly throughout the day. It is a lot, right? If that was just like raw text, say it's telemetry data for those machines. [00:18:49] Speaker C: Insane amount of data. [00:18:50] Speaker B: It is. The entire text of the encyclopedia Britannica is under 1 mb. [00:18:58] Speaker C: Obviously it's an it device. I wonder if it was compromised and. [00:19:02] Speaker B: He suspects that might be it. But the takeaway for this for me was not like, don't buy LG washing machines, or this guy got hacked or whatever it was. The fact that at least he was monitoring outgoing traffic, so few people do. [00:19:17] Speaker C: That, that was my next question is like, how did he know? He just happened to be like, I monitor my outgoing traffic to see how much data I'm uploading. [00:19:24] Speaker B: Now, I don't think of myself as an overly paranoid person, but I do monitor outgoing traffic in my home network. What do you use? So I have a firewalla. Okay. Which is pretty sweet firewall, and it does a lot of things. And I have a rule in it that just says if you see an upload over 100 megabytes, send me an alert. And I get an alert on my phone every time I watch your plex server. Actually, that's true. So when somebody watches my plex server, it'll set that off and I'll get a message and I just clear it and it's not a big deal. Other times I'll look at it and I'm like, what is that device? And it does reverse DNS lookups on the IPS. So I have an idea of where the person is that this is going to. If I see it, like, hey, you just uploaded one gig to China. [00:20:11] Speaker C: No, I didn't. Well, I shouldn't have. [00:20:14] Speaker B: There's something I need to look at, right? But if I see that I uploaded a gig to Microsoft Azure. Well then I'm like, okay, well, that might have been my onedrive syncing. And did I just drop about a gig of data in the onedrive? Oh, I did, right. So I can see that and I know it, but I assume most people don't do that. Do you monitor your up on traffic? [00:20:34] Speaker C: Not like continuously. No, I do like random samplings. I'll be like, yeah, let me take a look. Let me take a snapshot of what's going on right now and see what's up. And I'll just run a wireshark capture and start looking at, and I'll run some scripts that help it to do some reverse dnsing and all that stuff. [00:20:52] Speaker A: One of my first thoughts on this was, why does the washing machine need to connect to anything at all? [00:20:58] Speaker C: Because it's an IT device, right? [00:21:00] Speaker A: Yeah. Well, but I'm thinking like, what are you needing to download or upload? But I guess you can download presets for different types of apparel. So the washing machine has like different cycles and settings it'll use other than wash. [00:21:10] Speaker B: Right. My mind went a whole different way when she said, like, why does it need to upgrade? I immediately thought of Star Trek five. Why does God need a starship? So you haven't seen that one. [00:21:24] Speaker C: He's never seen anything. [00:21:25] Speaker B: He allegedly meets God and God wants the Enterprise and he's like, well, wait a minute, why does God need a starship? Right? He's supposed to be able to do. [00:21:34] Speaker A: Something Abraham style test. [00:21:36] Speaker B: That's what it was the idea here with a Internet connected washing machine. So we actually have an Internet connected washing machine at home and I have that stuff turned off. And the reason is it's supposed to be able to connect up so you can download washing profiles. So your normal washing machine has delicates, whites, colors. You flip between the different modes, what you want to do, and then you can get all these extra ones you can download and store and it can report back diagnostic information. So if something's going wrong, you can get an alert. But all that stuff is stupid. So I just blocked that again on the firewall. I don't allow that one to go out. But in my house, between things like that washing machine, our Amazon echoes our Roku devices, my wireless access points. All this stuff is Internet connected. And you'd be surprised how much data you upload, send out to other people without even knowing it. [00:22:36] Speaker C: That's right. [00:22:36] Speaker B: You need to monitor outbound traffic or. [00:22:38] Speaker C: At least throw like a pie hole on your system. Something easy lived that will just start dropping a lot of that traffic to nowhere, and then at least you're not sending it out. [00:22:48] Speaker B: Yeah. I get frustrated with my echoes and ring cameras because they're Amazon and they phone home and upload, like, the ring cameras upload video all the time, so I expect high traffic there. But because they go into AWS, and AWS is open to the world, really, I don't actually know. Is it truly uploading to Amazon, or is it uploading, uh, president Medvedev or whatever? General Medvedev, whatever his name. [00:23:19] Speaker C: It was funny. Last night, my wife and I were getting ready to go to sleep, and we were talking about something, and she randomly thought, is Alexa listening to what we're saying? And she very quietly, and Alexa is like, in the bathroom, which is a good 15ft away in another room. And she goes about this loud, Alexa, what's the weather? She's like, it is 45 degrees. I was like, holy crap, that thing. [00:23:43] Speaker B: Can hear you, and it can do some creepy stuff. Have you tried whispering to it? [00:23:46] Speaker C: Oh, I've heard about the whisper thing. [00:23:47] Speaker B: Yeah. [00:23:48] Speaker C: You say, alexa Whisper and it'll whisper back. [00:23:51] Speaker A: I don't like that at all. [00:23:52] Speaker B: Yeah, that's uncomfortable. Or if you just whisper to it, it'll whisper back. Know you're whispering, and it'll do the same. Yeah. [00:23:59] Speaker A: Honestly, I'm surprised you have an Alexa in your house. [00:24:01] Speaker C: Dude, I've got, like, three or four. [00:24:02] Speaker A: You, my wife, are the last person. [00:24:04] Speaker C: Listen, happy wife, happy life. [00:24:10] Speaker A: You know what? [00:24:11] Speaker C: Hey, she loves those things. [00:24:13] Speaker A: They are handy. They're convenient. [00:24:15] Speaker B: Back in the pre plex days, I had a Windows media center. Oh, yeah. And the Windows media center edition and all that stuff. And it was funny in the forums, people would always describe the things they were doing to get the set up for tv, and they always had what they called the Waf that they would have to measure, which was the wife acceptance factor. You can only have so much technology before the Waf started to go down, you couldn't do it anymore. [00:24:44] Speaker A: I imagine someday I'll understand, but for now, I don't have a wife, so I can't really say one way or the other. [00:24:50] Speaker C: One day. [00:24:51] Speaker A: Well, sure, yeah, that's on my to do list. So it looks like towards the end of this article, they do add this thing in there that know it could very possibly be something relatively innocent. It might not know, oh, my gosh, you've been hacked. It could just be an issue with the Asus router firmware. So I guess the hope is that maybe that's all it is, and it's not sensational enough. And to give you some context, it says usually these appliances will use less than 1. Guy was seeing 3.7. Just to give you a little context for the increase there. Hopefully it's something innocent. Hopefully. [00:25:23] Speaker C: Cool is if he measured whether or not his clothes were getting cleaner, and he was like, heck yeah, keep them to you. This is good, man. My clothes are sparkling clean. [00:25:33] Speaker A: Would this actually affect. Other than just. I mean, if somebody was using his machine to do something nefarious, would it affect his power bill or anything like that? [00:25:42] Speaker B: No, probably not. [00:25:43] Speaker C: Power bill data caps or something, though. [00:25:45] Speaker B: And most people with broadband have less upload than they do download. Right. You get a big download speed and a small upload speed, so it could impact upload. But most people aren't uploading at all, really, so it's not a big deal. [00:25:59] Speaker A: Okay, well, then I would assume we probably won't see this on deja news anytime soon. [00:26:05] Speaker C: Washing machine as a c two server for some ahole in North Korea. [00:26:09] Speaker B: I'm sure LG will ignore it, right? Because there's no benefit in them responding to this at all. And if it's not doing it anymore, or if it was an Asus router issue, then he's just not going to be able to track it down. And that is a challenge we have today is when you see this traffic, it's almost always encrypted now, right? So it's using TLS, and you can't see what that traffic is like. You used to. It used to be you could run a protocol sniffer, capture it, look at it, and figure out what was going on. Now it's a lot harder. [00:26:38] Speaker A: Okay, well, we'll go ahead and we'll end this first half of Technato there. I think that's as good a place to stop as any. But we do have more coming up. We're going to talk about some breaches, some zero days, and some big money payouts. So don't go away. We'll see you right here on Technato in just a few minutes. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private, online instructor led formats. You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient, and effective, our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome back for our security news segment here on Technado real quick. Just want to thank y'all for watching. If you're enjoying this episode, feel free to leave a like comment down below. Let us know what you want to see in the future. And if you haven't already, maybe even subscribe if you're watching on YouTube. Or hit that follow button if you're listening on a podcast platform so you never miss an episode of Technado in the future. Like I said, this is the security half of our show, and I would ask if they're ready, but they're always ready, so we'll just go ahead and jump right in. Our first segment today is who got pwned? Looks like you're about to get pwned. [00:27:59] Speaker B: Fatality. [00:28:03] Speaker A: So this article comes to us from security week. Laptop maker framework says customer data stolen in third party breach. I warned you we were going to talk about some breaches today. So personal information was stolen at a data breach at its external accounting partner. What are the details we need to know on this? [00:28:18] Speaker B: Yeah, this is another example of a phishing attack, although I believe. Well, no, it is straight up phishing attack. Yeah. So what happened here is framework. If you're not familiar with them, they make modular laptops that are completely able to be repaired. They sell all the parts, which is great. You can even upgrade them. I like them. I've bought a couple of framework laptops over the years, and they've made a bit of a name for themselves in that space. And they're definitely a company founded on technology and engineering, not accounting. And so like many startups that are out there, they have leveraged an external accounting firm. In this case, a firm called. What are they called? Like Kent or something? Keating. That's it. Keating Consulting. Well, their accountants got a phone call from somebody. Sorry, not a phone call. Got an email from someone alleging to be the CEO of framework, but in reality was a malicious threat actor. Right. So they forged an email and sent it into the accounting firm, and they said, hey, I need to get a list of all outstanding payments for laptops. Give me a list of what customers have not completed their transaction yet, any outstanding invoices. And the accountant said, okay, and put it together and emailed it to that outside threat actor. Well, that means it was a spreadsheet that contained names, email addresses, and how much money was due right now, if you think about it, how would a threat actor use that data? And I know how I would use it, which is if I look on here and I see Daniel's name and it says that he's preordered a laptop for $2,000, even if it says he's paid it, right, I might call Daniel and say, hey, I'm Bob Smith with framework, and it looks like your payment was declined for your, you know, we may have gotten some information wrong. Can we just handle the transaction right here over the phone? I can update your payment details and then you get the payment details from that person. They think they're just fixing their pre order. They haven't received their laptop yet, so they want to get that updated. And now you've got credit card data, and you can probably do plenty of other things from there too. [00:30:26] Speaker C: But they really like the credit card data. That's their favorite. [00:30:29] Speaker B: That pays. [00:30:29] Speaker C: Yeah, we'll take that over. I mean, of course, even if they didn't have the credit card data, if they just got a list of valid user ids, they could try to do something like identity theft and that kind of stuff. But obviously what they really are looking for is to say, hey, I'm posing as the company that is legitimate, that, you know, you have an account with and get you to go, oh, I didn't pay that. Let me pay that now. And of course they use all the standard social engineering premises and whatnot to get them to believe and feel the urgency to do that right now. Let's take care of that right now and we can just put this matter to bed and reap the benefits and rewards. Unfortunately, a lot of that money goes to not good things. I'm not sure if this falls under specifically. I can't remember if business email compromise that type of attack. I know that definitely if I were to gain access to a CEO or somebody in finance, their actual email account and then I'm sending emails out from their actual accounts, definitely falls under business email compromise. But I want to say could be wrong on this, that even if I created a very similar looking account with typo squatting or domain fronting or that kind of stuff to look like I came from there. And of course, if I had all the right information, you would still believe and interact with me as if I were that person. [00:31:55] Speaker B: I feel bad for the framework team because they're a small company. They're trying to do something different. They're competing against some really big like Dell and HP and stuff. They've obviously taken steps to make sure that they're secure. But here's a subcontractor that they use, and now it's all over. The news framework has a breach, when in reality, it's not like hackers were able to penetrate the framework network and gain access to intellectual property. It was. Somebody at the accounting firm was a sucker and fell for the fishing and probably very unwittingly. [00:32:27] Speaker C: It's so funny. Look at red team engagements and pen tests. A lot of times when they are scoping that workout, they will be like, so how about some fishing? We get to do phishing and social engineering. You're like, no. Why not? Because it will work. That's why we want you to test our technology, not our people. It's like, okay, but in real life land, this is the vast majority of compromises that I see come from. There was a phishing link, somebody clicked it, and welcome to breach land. [00:33:02] Speaker B: So the lesson here, we know we need to train people on phishing. End user security awareness should teach people to be on the lookout for that stuff. That's important. But also, when you look at your company's cybersecurity posture, you need to be looking at your subcontractors as well. I'm actually in a bit of a tiff right now with a subcontractor that we're trying to onboard in our day job, really, where I asked them if they were ISO certified or if they had a soc two type two report, and their response was, our information security policy completely conforms to ISO 27,001, and we follow these practices, blah, blah, which is a really long worded way of saying, no, we're not certified. Okay. [00:33:45] Speaker C: Right. [00:33:46] Speaker B: So then I said, okay, well, I have to treat it as if you're not certified. You're not telling me you're not certified, but I have to treat you that way because you're not giving me certificate. Yeah. And so I said, I need you to answer these questions about where you're at with your security policy. Like, what is it that you do? How do you ensure your end users are trained? And so on. And one of the questions was on whether or not they had had a penetration test done on their network. And they said, yes, well, at this point, my red flags are kind of up, and my level of trust is down. And so I said, okay, I would like to see that pen test report. And they said, no, whoa, now your. [00:34:22] Speaker C: Trust is way down. Yes, in the gutter. [00:34:25] Speaker B: So I said, well, I don't believe he did it. And so if you expect us to be your customer, because we would be the customer at that point, I want to see it. And they said there's vulnerabilities that are listed in there. And if we gave that to you and we got breached tomorrow, we would think that you did it, and we would sue you, and then you would have to prove that you didn't do it. No. [00:34:51] Speaker C: You would run an incident response, and they would find that we did not do that. [00:34:55] Speaker B: Well, no, that's just bullshit anyway. It doesn't matter. But to me, if there's vulnerabilities in there, you should be showing me that you've already catched those, right? [00:35:04] Speaker A: Yeah. Why would there be vulnerabilities in an old pen test report? [00:35:07] Speaker B: Correct? [00:35:08] Speaker C: That's a good question. [00:35:08] Speaker B: Correct. And I think that the truthful side of it. And we'll see. The reason I'm not naming the company is I don't know yet. I don't want to slander them, but we'll see. But I think the truth will be that they don't have a pen test. Yeah. [00:35:22] Speaker C: Or it's like some automated scan, and. [00:35:24] Speaker B: This is a BS line they've handed to other people and other people have bought it. [00:35:28] Speaker C: Yeah. I would assume you'd be under NDA with them anyway. [00:35:30] Speaker B: Yeah. [00:35:31] Speaker C: Right. What purpose would it serve for me to want to do business with you and then just breach you for the fun of it? [00:35:38] Speaker B: Yeah. [00:35:39] Speaker C: It doesn't make any sense. [00:35:40] Speaker B: No. So you have to treat your subcontractors. They need to be at the same level of security that you are. [00:35:49] Speaker C: I'm sorry. We do have ISO 27,001 certification. Right. And sock two type two. We're not the people without the creds here. If anybody's suspect, it ain't us. [00:36:00] Speaker B: And our sock two report has, like, five things in it. [00:36:04] Speaker C: Right? [00:36:04] Speaker B: So if you skip all the way to the last page, there's five things in there that they found. [00:36:08] Speaker C: Right. [00:36:08] Speaker B: And we fixed all five of those things. And that's in the report, too. [00:36:11] Speaker C: Yeah. [00:36:12] Speaker B: And so I will gladly share a copy of that with somebody if they ask for. [00:36:15] Speaker C: Because they're fixed. [00:36:16] Speaker B: Yes. And that's how cybersecurity is supposed to work. Yeah. You don't find a problem and ignore it. [00:36:21] Speaker C: Wow, that's an interesting little tale you got there, Don. [00:36:24] Speaker B: It is. [00:36:25] Speaker A: Wow. That's so crazy to be like, well, no, we're not certified. Well, we did a pen test, but, no, you can't see it. That's giving, like, oh, yeah, I cleaned my room mom. But no, you're not allowed to look. Just trust that I cleaned it. [00:36:34] Speaker C: Remember that dumpster fire you were referring to earlier? [00:36:36] Speaker A: Yes. [00:36:37] Speaker C: This is where the kerosene comes from, my favorite. [00:36:41] Speaker B: And here, I'll share this with you guys because I deal with this stuff every day and I forget sometimes you guys don't deal with this. So to me this is all happening. You get a subcontractor and you ask them like, hey, are you ISO certified or whatever? Right? There's all sorts of standards out there. PCI. Are you PCI compliant? PCI DSS? And they say, well, we use all AWS servers and AWS is PCI DSS compliant? Okay, I didn't ask about AWS, I asked about you. Well, no AWS. So we're certified because AWS is certified. Well, no, that's not how it works. You can bring up a linux server in AWS, be totally open, take the root user and change his password to be blank and turn the firewall off. Yeah. [00:37:23] Speaker C: And Ssh wide open. [00:37:25] Speaker B: Yeah, you can do that. And Amazon will not stop you. So they are compliant. You aren't. You are your own thing. But you'll hear a lot of companies, you have to be really careful to listen to their language. When you ask them, are you such and such certified? The answer should either be yes or no. If it's anything else, if there's more words, right. They're not, you have to treat it as no. [00:37:47] Speaker C: You were talking about, they said they had a pen test. I assumed that was a recent thing, but. Right. It could be a year old, it could be two years old, I wouldn't. [00:37:54] Speaker B: Know because they wouldn't give it to. [00:37:54] Speaker C: Me because they are being really shifty about whether or not that even occurred and letting you have any kind of. [00:38:00] Speaker B: Visual into that another one is, and this is important because people forget all the embargoes we have against Russia right now. So it used to be that we could get contract developers in Russia. People do it all the know, outsourcing, whatever. Now you can't do that. [00:38:15] Speaker C: Right. [00:38:15] Speaker B: And so when we take on somebody to do development work for us, we have to ask, where's your workforce? Where are they? Right? Are they in the US? And they go, we make sure that you are assigned a project manager in the US. [00:38:26] Speaker C: Not what I asked. [00:38:28] Speaker B: Okay, well, that's the project manager. Where's everybody? Well, you know, they're in various overseas locations. Earth. Okay, I need specific locations because if they're in any, there's a whole list of countries we're not allowed to do business with and so you can't let people snow you over on things like that. Now I'm way off on a tangent on this, right. But going back to the article, Keating consulting, they're an accounting firm. I don't know a damn thing about them. [00:38:54] Speaker C: Right. [00:38:54] Speaker B: So I don't know. I mean, apparently they're here in the US, but this is a scenario of framework had what they do to protect themselves, which is apparently working. The accounting firm did not. And so framework has done a great job with, first off, being very transparent about this. They announced it to the public. They told everybody within just a matter of days. [00:39:16] Speaker C: I thought it was even sooner than I thought. I said like within a half an hour or something. Yeah. Framework was made aware of the incident roughly half an hour after the response email was sent and Keating consulting was informed of the error. I don't know when they notified their. [00:39:29] Speaker B: People, it was a couple of days. [00:39:30] Speaker C: But they knew about this quickly, which. [00:39:32] Speaker B: Is good now that I wonder about that. Okay, so this accountant from another company gets an email from somebody pretending to be a CEO. They reply to that email. How did framework find out about that in half an hour? [00:39:46] Speaker C: Someone probably contacted them. Like that was on that little. Now that I know you're a legitimate user and have an account with framework, I'm going to contact you. I would assume that's what happened. Some end user got a vish or whatever. They got called, they got emailed and they said something about this doesn't look right. Let me contact them. [00:40:05] Speaker A: Do you think it's possible maybe the person that sent the information that shouldn't have thought about it after he did it and was like, this is kind of fishy. Maybe I should ask somebody about this. [00:40:14] Speaker B: Possible? Yeah, maybe. Half an hour is fast. Half an hour is fast. I was like, maybe if they replied to the fake CEO and copied in the CFO or something, maybe that was it, like auto fill thing. But if I was an attacker, I wouldn't do that. So there's something there and I read every forum post they did. I did as much research before we started filming today. I could not find out how. Did he figure it out in half an hour? [00:40:40] Speaker C: Would love to see the autopsy on that. [00:40:42] Speaker B: Yeah. And they might share it. I don't know, but that part seems weird to me. [00:40:46] Speaker C: Yeah, crazy, right? [00:40:47] Speaker B: Because if our accountant, we use external accountants, and if those accountants responded to a phishing email, I wouldn't know about it and I wouldn't know about it. And if they fell for the phishing attempt. They wouldn't know about it. So how would you see it in half an hour? I'm really curious about that. [00:41:04] Speaker C: Yeah, that'd be interesting. [00:41:05] Speaker A: Well, maybe this will appear on Deja news and we'll have some more information about it. [00:41:08] Speaker B: Yeah. [00:41:09] Speaker A: That's going to conclude our who got pone segment with a lovely aside, story time with Don, which is my favorite segment. I hope that we reintroduce that. I hope that comes back. But we'll go ahead and move into our next segment. This is one of my personal favorites. Dope do, Raimi Faso, latte. I always look for approval, and I don't always get it. [00:41:27] Speaker C: It was dark enough, but it wasn't, like, punctuated enough. Right. [00:41:32] Speaker A: There wasn't, like a finality to it. [00:41:33] Speaker B: Too short. [00:41:34] Speaker C: Right. There was too much breath on it. [00:41:36] Speaker B: Okay, I'll work on that. What does that even mean? [00:41:43] Speaker C: I know what it means in my head, Don. [00:41:44] Speaker A: That's all that matters. I'm a voice actor. You wouldn't get it. [00:41:47] Speaker B: Kill who? [00:41:50] Speaker A: Well, this article comes to us from Ars Technica. Actively exploited zero days in Ivanti. VPN are letting hackers backdoor networks. That sounds like not so great news. [00:42:03] Speaker B: Yeah, this is an interesting one. So, ivanti, a cybersecurity company that makes what we used to call VPN concentrator, but an edge device. They have a product called Avanti Connect Secure, or ICS. And ICS has basically been blown wide open. Like, there is no level of access, more than an attacker could have. [00:42:27] Speaker C: Say this like it's a bad thing. [00:42:28] Speaker B: It's a bad thing. If your ICS is connected to the Internet, which, by the way, is what it's designed to do, then any attacker can connect to the device without authenticating, have file system write access and the ability to remote tunnel to gain access to the private network behind it. It is a fully compromised device. Ivanti is aware of this. They have created a patch. It's being tracked with. It's got a CVE number. [00:42:56] Speaker C: Get the patch out. [00:42:56] Speaker B: Finally, they have a patch out and people need to apply it. So we know how that goes. Right. [00:43:03] Speaker C: I saw that they had released a mitigation, but not a patch yet. They said a patch was forthcoming. There's like a yaml file that you imported. And that was the mitigation for right now. And to employ their Integrity checker, they have some sort of integrity checker that checks how many files are in your directory for Monty's service. And if there are more or less or file hashes. Don't add up. It'll kind of report that and go, hey, this is different. And don't use the internal one because the internal one could be compromised. So you have to use the external one that you download and then apply that. And then apply that yaml file. But I saw that there was no. At least when I read it, this could be okay, right? Totally. That's why I was asking. Could be breaking an actual patch. [00:43:50] Speaker B: I could have swore that a patch was released, but I could be wrong. So I'm trying to research it right now and find out. [00:43:57] Speaker C: These things happen so fast. [00:43:58] Speaker B: Either way, I just found the workaround documentation that you were describing and not the patch. Patch availability. If I am reading this correctly. I don't think I'm reading this correctly. [00:44:13] Speaker C: They do word it oddly. [00:44:15] Speaker B: I will have to look things because it says that the first version of the patch will be available for customers the week of January 22. So that's next week, which is not now. So, yeah, so it looks like right now you got the workaround and that's coming. Good times. [00:44:33] Speaker C: Just keep on waiting. [00:44:34] Speaker B: All right, well, let's back up a second because when this first broke. So this is a big deal. When you hear about a VPN appliance or a security device getting compromised like this and blown wide open, that's a big deal. [00:44:46] Speaker C: Right. [00:44:46] Speaker B: It's a bad thing. Okay? Especially when in order for the device to function, it needs to be exposed to the Internet. That's its job. And so that's bad. But I wasn't familiar with ics. Actually, it made me think of the old Microsoft product, the Internet connection sharing tool. [00:45:04] Speaker C: Hasn't it been like, ten other product names? [00:45:07] Speaker B: That's the thing. When you back up, if you haven't heard of ics, you might remember it under its previous name last year, called Pulse secure. We reported on pulse secure when it got breached wide open. Exactly like what's happening with ics today. I think that this definitely falls in the. Fool me once, shame on you. Fool me twice, shame on me. This should be the nail in the coffin for this product. [00:45:38] Speaker C: Yeah. I saw a lot of people talking. One person specifically was saying that they do mergers and acquisitions, and one of the things they look for is has the company or the product changed names a lot? Because if they had, it's a surefire sign that they are trying to hide previous issues. [00:45:55] Speaker A: Yeah. [00:45:56] Speaker C: Right. So the fact that. Yeah, this hasn't just been pulse secure, it's been a bunch of other things as well. [00:46:01] Speaker B: Yeah. [00:46:01] Speaker A: Somebody in the comments said formerly pulse secure, formerly juniper, formerly Netscreen, formerly Neoteras, it had like a whole bunch of different names associated with this product and. [00:46:09] Speaker C: They just keep on moving those shells around to get around this. A lot of interesting stuff around this hack, though, as far as like the initial compromise. [00:46:17] Speaker B: Obviously. [00:46:18] Speaker C: Don, you mentioned that there was an authentication bypass also through their two Fa mechanism. So the hackers were able to bypass not only the main authentication mechanism but also the two Fa mechanism as well. And then they were able to find a command injection vulnerability once behind that firewall. Once they got that, this is when it got real bad. This is when it turns into like uhoh, this is not good. And they were able to backdoor certain functionality within the thing that allowed them to do credential harvesting, which they did a lot of. Once they had more creds, they started pivoting throughout that internal network. From there they were able to find vhds that had backups of like an active directory domain controller. [00:47:02] Speaker B: Oh wow. [00:47:02] Speaker C: And in there they were able to pull out some more credentials. [00:47:07] Speaker B: Right. [00:47:08] Speaker C: They found, also there was another one that they found like, oh yeah, domain controller, a veeam backup. [00:47:18] Speaker B: So now they're not just stealing like a database, they're stealing the whole server. [00:47:21] Speaker C: They basically have gone crazy. So they harvested creds from the fiend backup. Right. Then they uploaded their own custom Web shell, which is called I wrote it down because I couldn't remember, glass token, two versions of Glass token, which you can find in GitHub. [00:47:35] Speaker B: Nice. [00:47:36] Speaker C: Yeah. So if you're interested in building up your own little test bed here, you probably can make that happen. [00:47:41] Speaker B: At least the attackers are embracing the open source. [00:47:43] Speaker C: Really. Yeah. Giving back to the community. So yeah, this was a big fat dumpster fire of a hack here. And if you got one of these tools, I feel for you. [00:47:56] Speaker B: Yeah. Frustrating. [00:47:57] Speaker A: I can imagine that would be frustrating. We'll send good vibes your way if you're having to deal with this good. [00:48:04] Speaker B: From a software standpoint. Right. Take like LastPass where they had their egregious security handling it's software. So you can just say, you know what, I'm going to cancel that and we're going to switch to another product and off you go. But when it's hardware like this, implementing your network, it's a lot harder to say because you got to procure the new hardware. It's going to take you days, weeks, whatever to get the new hardware. Then you got to install it. There's going to be downtime. It's a lot harder to move between products. So I do feel for anybody who's currently affected by this or by this. [00:48:32] Speaker A: Absolutely. Well, we've done quite a bit of talking about dumpster fires here in this episode, and now we move on to one of our segments where we talk about dumpster fires past. This is Deja News. [00:48:41] Speaker B: Deja News. [00:48:47] Speaker A: So this article comes to us from CNN Business. You might remember, we've talked about it, I think, on the show before, a certain case involving some eBay employees and a bloody pig mask. So this says, eBay to pay $3 million after former employees sent live insects and a bloody pig mask to harass a couple. So this is maybe the final installment in this saga. [00:49:07] Speaker B: I believe this will be the final. [00:49:09] Speaker C: Installment, by the way, the pig mask and insects, that was the nice things they sent them. [00:49:15] Speaker B: Yeah. The guide to dealing with the loss of a loved one. The bestiality material sent to the neighbors. Yeah, we're getting ahead of ourselves. [00:49:28] Speaker C: It was crazy. [00:49:29] Speaker B: So this has been one of my favorite stories over the last couple of years. It's slowly developed and been released. So let's rewind to the beginning and recap for people who are just now hearing about this, because I think, Sophie, you might be in that category. So what happened was quite some time ago, eBay. EBay is loved and hated. The world around there are people have good experience or people have bad experiences. And there was a couple that had sold some stuff on eBay and had gotten jerked around somehow, and eBay withheld more funds or something. And so they wrote up a newsletter telling people about all the bad things that eBay does, all the ways that eBay cheats their customers, and they put it out there. Now, whether true or false, we do have freedom of speech. And unless you're outright lying for libel. [00:50:20] Speaker C: Lying for acts of violence. [00:50:22] Speaker B: Oh, yeah, there's that. Then it's largely protected speech. And so they put this stuff out there on the Internet. And inside of eBay, they had a division of people that were headed up by a, I remember I had a former police captain and people that were former law enforcement that were now working in the security division in eBay. And they said, you know what? We're going to get that stuff taken down. And so at first, they started threatening isps and so on, but then they started focusing on the couple and what they could do to get this couple to back down, to give up their fight and take down this disparaging information on eBay. And these eBay employees, they started doing some really bizarre stuff like Daniel mentioned sending in the beginning, it was sending things like live cockroaches in a package to them or sending a package to the wife about dealing with the loss of a loved one. Know your husband. Something's going to happen. Yeah. Then Daniel, you mentioned the bestiality porn. [00:51:26] Speaker C: You don't remember us having the conversation on whether or not it's bestiality versus bestiality? [00:51:30] Speaker B: I refuse to say bestiality. That's disturbing. And so they sent it to the neighbors with their name on the couple's name on it. Like he got misaddressed and stuff. So this was a straight up harassment campaign. And it's insane to think that a Silicon Valley company as big as eBay. As big as eBay, would do stuff like this. [00:51:55] Speaker C: Obviously, this wasn't a sanctioned action by eBay, though. [00:51:58] Speaker B: Allegedly. [00:51:58] Speaker C: Allegedly. [00:51:59] Speaker B: Right, allegedly. [00:52:00] Speaker C: I can't imagine it would be in any world we live in. [00:52:05] Speaker B: So eBay immediately terminated these employees. Right. But the employees, they went to court, and those people were saying, like, we were just doing what we were told. Wow. But they weren't. They were rogue. [00:52:17] Speaker C: Yeah. [00:52:17] Speaker B: So they got found guilty and they got sentenced last year. But it was yet to be seen what was going to happen with eBay. Now, eBay was being sued in civil court, and it had a maximum fine of $3 million. EBay settled out of court, but they settled for the maximum fine. So they are paying the $3 million to the couple. So good for them. [00:52:39] Speaker C: Don't a lot of organizations do settling out of court so that the findings and things that are set inside of court are no longer public. [00:52:46] Speaker B: Right. They usually want to keep it secret, and eBay is not keeping this one secret. [00:52:49] Speaker C: I wonder why they did that, just not to have the adjudication against them. [00:52:53] Speaker B: Yeah. And just to stop lawyers fees. Let's just end this now and close it. We admit it, that this all happened. These people sucked. Well, good for eBay, I guess. [00:53:03] Speaker C: Yeah. If you had a rogue element inside of your company, like Sophia, and they've. [00:53:12] Speaker B: Accepted to have, not an auditor, what's it called? A monitor. When they assign a person, an independent person has to now work in the company to monitor everything they do to make sure they stay on the up and up for two years, and eBay will pick up the salary of that person. [00:53:28] Speaker C: Wow. [00:53:28] Speaker B: They're not an eBay employee, but their job is to make sure ebay doesn't. [00:53:33] Speaker C: Do CD stuff like this kind of stuff. [00:53:35] Speaker B: So eBay has, I mean, pretty much done whatever they could to just say, hey, this happened on our watch. [00:53:41] Speaker C: Did they apologize though? [00:53:43] Speaker B: I don't know. Did I talk about that last week? [00:53:46] Speaker A: It is unfortunate that you were bothered. [00:53:48] Speaker B: By the events that occurred. We regret that you were offended. Why don't you say you're sorry? I don't get it, but I don't know. Actually it does say, we continue to extend our deepest apologies to the apologies. That's close enough for me. Yeah, I'll give that day and age. [00:54:07] Speaker C: That's one. [00:54:08] Speaker B: I will count that. And then it goes on to say, since these events occurred, new leaders have joined the company and eBay has strengthened its policies, procedures, controls and training. [00:54:17] Speaker C: So, all right, don't send bloody pig masks to people we don't like. [00:54:21] Speaker B: I'm going to add that to our information security policy. [00:54:25] Speaker A: Put that in the new employee training just to make sure people know. [00:54:28] Speaker B: It's got to be well defined. Like, can you send them live cockroaches, dead cockroaches. Is that okay? [00:54:33] Speaker C: Because there's like chocolate colored cockroaches that you can get and you can eat that. [00:54:37] Speaker B: We have a plastic cockroach at the house and we have so much fun with that thing. I can't tell you how many people we have. It costs like twenty cents or something. [00:54:46] Speaker C: Every day for a lifetime of memories. [00:54:48] Speaker B: It really is. If you listener out there do not have a plastic cockroach in your home, you absolutely need to get one. [00:54:53] Speaker C: Did you ever see the movie Pacific Heights with Michael Keaton? It was about this couple that buy their dream home in San Francisco or something like that and they renovate it. And then because it's such a big house and to lower the cost for themselves, they rent out the rooms. Michael Keaton is one of their renters and he locks himself in his room and they can't get in. They have no access to the room. And he starts like doing crazy stuff, playing loud music and he infests the place with cockroaches. And all the other renters move out and they are forced to sell. It's lower the value and he buys it. And that's like his scheme. That's what he does. It's like kind of a suspense but psychological thriller. Yeah, it was very interesting flick. I have not since I've seen that one. [00:55:39] Speaker B: Now I have a plan. [00:55:39] Speaker C: Yeah. [00:55:41] Speaker A: You know how I feel. I've not seen it. So it's interesting to me that this or not interesting, but just crazy to me that this all started with this woman, I guess had a blog or a news site or something that was critical of eBay at times. Just imagine being so salty that somebody says something negative about you or your company and your response is to send them like a fetal pig. How sensitive do you have to be to have that be your reaction? You could insult me personally and attack my family and my character, and I wouldn't send you a fetal pig. [00:56:10] Speaker C: That's like sticks and stones, right? [00:56:12] Speaker A: Yeah. [00:56:13] Speaker B: The shocking part to me, I expect this kind of behavior from random people, right? Like a technato listener out there can hate something I said and send me a fetal pig and I'll be like, well, that's the Internet. [00:56:25] Speaker A: I signed up for this. [00:56:26] Speaker B: But for it to be like eBay corporate, that's what makes this so shocking. These are people who should have known. [00:56:34] Speaker C: Better, who were like, ex. Not military, but ex police, police officers. You know, what you're doing is harassment and breaks a bunch of laws. Obviously you don't care. Maybe they're used to breaking a bunch of laws. Maybe you basically got to revamp their hiring practice when it comes to who they put over that specific place. [00:56:57] Speaker B: Yeah. [00:56:58] Speaker A: Well, hopefully this is the last that we hear about this case. Sounds like it's all said and done. This is probably the final installment in that saga. So congrats to that couple for getting as much justice as you can get after going through the, I'm sure the mental exhaustion of that whole ordeal with. [00:57:13] Speaker B: This bit of closure. It's now at the point where they're ready to make the Netflix documentary on it. [00:57:16] Speaker A: Yes, Netflix dog or lifetime movie. What do you think would be a better fit? [00:57:20] Speaker B: I'm going mean they lifetime. There could be a lifetime angle on the the couple, elderly couple hiding in their house, terrified. That fits the lifetime model. But I'm thinking Netflix. Netflix doc. [00:57:34] Speaker A: Okay, well then maybe there will be another segment on this when they inevitably do that. I spoke too soon. [00:57:39] Speaker C: The article that will never are. [00:57:41] Speaker A: If you are enjoying this episode, if you had a good time hearing us talking about cockroaches and everything else that came up, we'd love it. If you like this video, maybe even subscribe if you haven't already. You can always check out all of the previous technito episodes. They live on the ACI learning it pro social channels, so check those out. We also have ACA learning webinars and live on social events that live on the channel as well. We had one a couple of weeks ago that was an all things cyber webinar. Last week, Don and I had one about getting into it. I believe there is an audit webinar this week that you might want to check out if you are into that side of things. And we do have webinars every single month, I believe at least two or three each month this year, so you can always check back for more of those. I think that's pretty much it. I want to thank our sponsor once again, AC CI learning, for sponsoring this show. If you are watching from the IT Pro website or the techno website, you can click the sponsored by button to go to the IT Pro website and you can use that code Technato 30 for a discount on your IT Pro membership. That's all I got. Anything from you guys before we wrap this up? [00:58:36] Speaker B: No, it's exciting times. I got to wait for my Lenovo Android laptop to come in. [00:58:41] Speaker C: I can't wait to go home and watch the final sacrifice MSD three k. [00:58:44] Speaker B: Yeah, yeah, I will have to hit up your plex for that. It'll set off your upload alarm. [00:58:50] Speaker C: Yeah, definitely. [00:58:52] Speaker A: And I can't wait to go home and nap. Thank you so much. Thank you so much for joining us for this episode of Technato and we'll see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.

Other Episodes

Episode

December 10, 2020 00:43:46
Episode Cover

Technado, Ep. 181: Cyberbit’s Adi Dar

This week on Technado, Adi Dar from Cyberbit came on to talk about the importance of real-world cybersecurity training and shared how his company’s...

Listen

Episode

July 30, 2018 01:01:20
Episode Cover

The Technado, Episode 59: Week 30 in Review

There are big changes coming to the ITIL curriculum. In this episode of Technado, Don will talk with ITIL expert Jo Peacock before joining...

Listen

Episode

September 14, 2017 00:45:25
Episode Cover

ITProTV Podcast 5: Whitewood Security (Audio)

Up until now, random numbers have actually been anything but. And if you need entropy in your workflow, that's not ideal. Don Pezet talks...

Listen