347: Ubuntu Core Desktop's Debut Has Been Pushed Back Indefinitely!

Episode 357 February 15, 2024 01:05:10
347: Ubuntu Core Desktop's Debut Has Been Pushed Back Indefinitely!
Technado
347: Ubuntu Core Desktop's Debut Has Been Pushed Back Indefinitely!

Feb 15 2024 | 01:05:10

/

Show Notes

This week on Technado, the team is feeling the love: Happy Valentine's Day! In Linux news, Ubuntu Core Desktop's debut has been pushed back indefinitely. Then, Broadcom is ending support for their free ESXi Vmware Hypervisor effective immediately, and old systems won't be able to update to newer versions of Windows due to an arcane CPU instruction (don't worry, it's not what it sounds like).

After a quick break and a moment of silence for our fallen bird friend, Authy is shutting down its desktop app, forcing movement to the mobile version or a different provider altogether. In the return of the Pork Chop Sandwiches segment, BitLocker's encryption was broken in 43 seconds...with a device that took MUCH longer to create. And finally, Fortinet got PWNED yet again - this time, with a flaw in SSL VPN that's likely already being exploited.

View Full Transcript

Episode Transcript

[00:00:04] Speaker A: You're listening to Technato. Welcome to another episode of Technato. I'm Sophie Goodwin, one of your hosts for the show. And before we jump in, I want to take a moment and thank the sponsor of Technato, ACI learning. Those are the folks behind it pro. And if you didn't know, that's what we do in our day jobs. We teach those courses about audit, cybersecurity, and it. And we have a great time doing it. So if you haven't already, take a look over at that website and check out what we do in our day jobs. Once again, I'm Sophie, and of course, I'm not alone here. You may have noticed I'm decked out. Happy Valentine's Day. We love you guys. We hope that you love the show just as much as we love you. Don, do you concur? [00:00:38] Speaker B: I know pressure's on. I do concur that it is indeed Valentine's Day. That is a fact. Hallmark has added it to all of our calendars and spend appropriately. [00:00:49] Speaker A: Great. I mean, it is a real holiday. It just wasn't. [00:00:52] Speaker B: It's a real holiday. [00:00:55] Speaker A: It was definitely not originally, like a love. It was like a saint Valentine thing, and there was death involved. [00:01:01] Speaker B: Originally, you covered yourself in leeches. That's why red is the official color of Valentine's Day. People don't know the backstory. [00:01:08] Speaker A: You heard it here first. Come to Technato for all your misinformation needs. Daniel. Any misinformation to add to that claim? [00:01:14] Speaker C: All I know is, like, apparently, there was some unrequited love to a bird outside because we heard it hitting alive itself against the window about today. Just right now. [00:01:24] Speaker A: Is that what that was? I thought you hit the microphone. [00:01:27] Speaker B: It probably got the lizard. [00:01:30] Speaker A: No. Well, all right, we'll go check on him after the. Oh, God. [00:01:35] Speaker C: Okay, Valentine's Day. [00:01:37] Speaker B: People listening for the first time are totally confused right now. [00:01:40] Speaker C: That's right. There's a big picture window to this side of me that you can't see. [00:01:45] Speaker B: But the birds, they can't see it either. [00:01:50] Speaker C: They just go, I got a lizard at 12:00 I'm going in for the hill. [00:01:55] Speaker A: Well, as hard as it may be to believe, based on that conversation, this is a tech and cybersecurity podcast. So we'll jump into our first article here. This comes to us from, OMG, Ubuntu, which is a fun website name. Ubuntu core desktop debut no longer planned for April. Indeed. So, for those of you thinking. Wait, what? I guess they announced that it was going to be released and be available to download in April. And they've pushed it back. It sounds like. [00:02:19] Speaker B: Yeah, back in December, we covered this on the podcast, the brand new Ubuntu core desktop that was coming out. And if you don't remember, no sweat. It's a new desktop role or spin that they're doing. And the idea is that it's an immutable desktop. In other words, the main file system will not be writable and all of the applications will be run from inside of snaps. And if you've listened to the podcast over the years, you know, my, it's. [00:02:45] Speaker C: A good thing it's Valentine's day, because how much you love snaps. [00:02:48] Speaker B: There we go. I'm waiting for the purge day. Then we can go after snaps. [00:02:56] Speaker C: Don's got a freaky mask waiting. [00:03:00] Speaker B: So basically what they're saying is, look, hey, you don't need to mess with the operating system. The operating system is perfect, and all of your apps can run in these little containerized snaps, and you'll be happy and you'll like it. And that's what they're telling us. And who knows? Maybe we will. Maybe we'll love it. It is actually out in a beta form. You can install it and run it. They were hoping to get it rolled out in April. Now, why does April matter? That's when the long term support releases come out. The LTS, right? So when Ubuntu 24.4 drops in April, that will be supported for eight to ten years, depending on how you look at it. That's why people care about that date. It looks like Ubuntu Core is not going to make it. In fact, when I say it looks like it's not, they've said we're not going to do it. [00:03:43] Speaker C: This is definitive. [00:03:44] Speaker B: And so that means we won't get an LTS version of this. I don't blame them because we don't really know if this is going to work or not. We don't know if people are going to adopt it and be ready to go for it. But in a way, it's really like the way mobile phone operating systems are, right? When you have an Android phone or iOS phone, they don't want you messing with the OS and you install apps that are in these little containers. That's what they're trying to do with the desktop OS, and we'll have to see if that works. [00:04:11] Speaker C: Well, I feel like it's the frog in a boiling pot, right? Like they'll continue to turn the heat up on these snaps businesses until it's just the way it is and you don't have an option. [00:04:25] Speaker B: It's just the way it is. Some things will never change. [00:04:27] Speaker C: That's right. Who was that song? Goodness, Thurgood. [00:04:33] Speaker B: No, somebody like that. [00:04:36] Speaker C: Yeah. I wanted to say like Brian McDonald or something, but it's not right. [00:04:39] Speaker A: This is where I know I'm definitely out of touch because you said some things never change. And then who wrote that? And I thought frozen too, because that's a song. [00:04:47] Speaker C: That's true. It is a song. On frozen two. I have little girls, you know. I'm very familiar with that. [00:04:53] Speaker A: He knows the lore. He's familiar with Don says that's just. [00:04:55] Speaker C: The way it is. Some things will never change. That is a lyric. [00:04:58] Speaker A: Well, yes, I'm sure. [00:04:59] Speaker B: I assume he wasn't Bruce Hornsby. Yes. [00:05:02] Speaker A: Okay. Yeah, I assumed he wasn't talking about Anna and Elsa. I didn't think so. But that's just where my mind went. You never know. [00:05:08] Speaker C: And you kind of got the Anna thing going on today, don't you? This was not intentional. [00:05:13] Speaker A: I just didn't do my hair in this. [00:05:15] Speaker C: She's like, I was just lazy. [00:05:17] Speaker A: I slept in these. So this is her leader hose. [00:05:21] Speaker B: And we're in the hamper. [00:05:22] Speaker A: I was thinking more Pippi Longstock. [00:05:24] Speaker C: Where's the beer style going for you? [00:05:27] Speaker A: Don't know. [00:05:27] Speaker C: What good schnitzel. [00:05:30] Speaker B: She is in a good mood today. [00:05:31] Speaker C: She's very lively. [00:05:33] Speaker A: I get to wear bright colors today. It's fun. [00:05:35] Speaker C: You can wear bright colors anytime you. [00:05:37] Speaker A: Like in the lack of pink and red on the other side of the room. [00:05:40] Speaker C: Well, we don't dress up for me, the holidays. [00:05:42] Speaker A: All right, fair enough. Fair enough. So it doesn't seem like it's been pushed back, right? And there's not really an estimated release date for when this will be pushed through. So unfortunate. Do you think we'll have an update on this soon? [00:05:56] Speaker B: I mean, technically, if you want to try it, you can go and download it right now and do it in beta. They're just saying like, we don't have anything production ready. And I appreciate that. So just wait and see. [00:06:04] Speaker C: Do you think they just under promised and over promised and under delivered here? How's it go? They messed up. They told us it was going to be now and they didn't. They should have set a more proper expectation. [00:06:16] Speaker B: I think when you have a deadline six months away, it's easy to promise a lot of stuff. But all of a sudden, when that deadline is one month away, you're like, oh, we got to prioritize. [00:06:24] Speaker C: Yeah. You've been sitting there eating cheetos for. [00:06:26] Speaker B: The last five months. [00:06:27] Speaker C: Like, oh, shit, man, I better get to the doing this. [00:06:30] Speaker B: So I am certain that they're all focused on the 24.4 release, like the main operating system release, which makes sense. And so they're pulling resources off of this, and that's totally fine, because I can tell you right now, a ton of people will run 24 four. The main lts. Not so many people are going to jump onto Ubuntu core, right, on day one. They're going to wait a couple of years, so I fully expect that'll play out. [00:06:55] Speaker C: Other than it being just completely snaps, is there any big changes that are coming in Ubuntu as far as like, oh, make you kind of perk your ear up and go, that's kind of cool. I want that. Not that you're aware of. [00:07:08] Speaker B: Not as far as this. Over in the main Os, there's some things, especially when it comes to enterprise deployments with their installation wizard things. We talked a bit about that earlier in other episodes, like the ability to boot from NVMe over TCP and stuff like that. So there's some really neat technologies that are in there. None of that really comes into play with the Ubuntu core desktop. Right. [00:07:30] Speaker C: Because it's just meant to be that kind of pristine file system. It never gets changed. It never gets modified. It stays exactly how it should. So that when those bad things happen. [00:07:40] Speaker B: And they will, and I do want to acknowledge, because if I don't, this is going to be on the YouTube comments that I fully am aware that I pronounced ubuntu three different ways now in just this one segment. So sorry about that. [00:07:54] Speaker C: We're trying to cover all the different. [00:07:56] Speaker A: He's trying to make everybody feel included. No matter how you pronounce it, you're welcome here, but you might be wrong. [00:08:01] Speaker C: I pronounce it Shyson. [00:08:05] Speaker B: It's very close. [00:08:06] Speaker A: Yeah, close enough. [00:08:08] Speaker C: I like the. [00:08:09] Speaker A: So the ubuntu. Okay, well, speaking of pronouncing things, sometimes I need a little bit of a hand, especially with things that are acronyms, because I maybe am inclined to spell it out. And there's a way that you're supposed to say it. So in this one, Esxi. Is that how you would say that? [00:08:24] Speaker C: Nailed it? [00:08:24] Speaker A: Or is it. [00:08:25] Speaker B: I'm always tempted. It's the Eski. [00:08:30] Speaker C: Yeah. Is it the key or the. [00:08:33] Speaker B: It is Esxi. [00:08:35] Speaker A: Esxi. All right, so this next article leading us into that, we're pulling this from slash shot broadcom and support for free ESXi VMware hypervisor. So I was looking at Bronx had made an announcement about this, and it looks like the availability of the free vsphere hypervisor is going to go away. So the free edition is no more, but you can still do the paid version. [00:08:55] Speaker B: You can still buy it. [00:08:56] Speaker C: Yeah. I keep seeing these memes about VMware and how they're like hiking prices up 600% and stuff like that, and just throwing double birds up at people, basically going, this is how we roll. [00:09:09] Speaker B: So I don't want to aggrandize all of this stuff. [00:09:12] Speaker C: I don't know. Like I said, this is a complete meme. That's all I've seen of it. [00:09:15] Speaker B: Well, so I think there's some basis for that. [00:09:18] Speaker C: Okay. [00:09:18] Speaker B: And there's a trend going on right now. Right. Normally, corporations have to make decisions and they have to think about how their customers will react, and they have to behave appropriately. And if they do something crazy wacky, the customers get mad and they lose their customers. Right. But we're in a weird time right now in the year 2024, in case you're watching this down the road, where a lot of companies are hurting for cash and their investors are telling them, you need to squeeze. We need our dividends, we need our payouts. Right? You make that money, it's like, sucker. [00:09:53] Speaker C: It's hard out there, man. You got to go down, too. [00:09:56] Speaker B: And it used to be that companies like Twitter and Uber and stuff could say, hey, we grew our customer base 10,000% last yesterday, right? And the investors would be happy with that and say, well, eventually they'll make money. Right? And now they're in the stage where it's, no, you got to make money. And these companies are making decisions that are very anti customer. And in the past when somebody did that, the customer would get really upset and the companies would have to backtrack. They say, whoa, we screwed up. We made a mistake. We're going to undo that. We're not going to do that after all. But this year in particular, more and more, we're seeing companies say, no, you suck it up, and if you don't like it, then don't be our customer. Right. And that's how Netflix was with password sharing and the fact that they keep raising their monthly price. Even library gets smaller. [00:10:48] Speaker C: The Amazon prices have gone. [00:10:49] Speaker B: Amazon. [00:10:50] Speaker C: Yeah. [00:10:50] Speaker B: Oh, you had free video with no ads. Now you don't, you pay another $3 and then we'll hook you up. So it's a weird time. And VMware, recently acquired by Broadcom. Broadcom immediately made changes to how subscriptions are handled. They got rid of their perpetual licensing because it used to be you could buy a license, and whether you chose to maintain support or not didn't matter. Your license lasted forever. It was perpetual. Now they said, nope, nope. You get a subscription or nothing. And people got upset about it. And Broadcom said, hey, whatever. [00:11:26] Speaker C: They were like, who are you again? [00:11:28] Speaker B: Go kick rocks. [00:11:29] Speaker C: I'm your customer. That sounds nice. [00:11:31] Speaker B: Well, for years, decades, really. Esxi, the hypervisor that's underneath VMware, they've given it away for free. And Dell made a big deal about this when they acquired VMware back forever ago, or technically, VMware acquired Dell. It's complex. They even made it where when they were rolling their servers out, that they had a copy of ESX that was integrated into the motherboard where you didn't have to install. You could just boot the system up and have it ESX node. If you had a home lab like me, I can't tell you how many times I've stood up an ESX machine at home just to have something quick and dirty to run some virtual machines on. And it was free and it was nice, but it didn't have all the bells and whistles. If you wanted vmotion and vsphere management and any of the VDI stuff, you want any of that. I mean, that is nice. [00:12:15] Speaker C: Clone a physical machine to have that. That's super sweet. [00:12:19] Speaker B: Yeah, so it was nice to have that, and now they're taking it away. [00:12:26] Speaker C: It's like a filthy pusher, right? Like the first one's free. Enjoy. Oh, that's real good. Now you got to pay. [00:12:33] Speaker B: So the days of having a free hypervisor are gone. Now Microsoft does still have the Windows Hyper V server, right? That special version of Windows that is very stripped down, that is just the hyper V virtualization server. But hyper v kind of sucks. I think most people know that. So not really a viable option for a lot of people. You've got Nutanix and Proxmox and a few others that are out there that, oh, Proxmox has a free version. I think that's where a lot of these people that use ESX will likely move over to. But. Or they'll pay, right? Because it's hard to find a more stable hypervisor than mean. [00:13:11] Speaker C: That's. I would assume this is going to breed more competition because before when they were given away for free, it was like, why compete with free, right? And now it's like, well, I can undercut you maybe by 200% and give you similar functionality. All I got to just get to work and build a product. And now you create a more competitive market. [00:13:31] Speaker B: Yeah. Although I will say as someone who has created a tech startup and grown. [00:13:37] Speaker C: What would you know about it, don? [00:13:38] Speaker B: Well, if I were looking at it and said, hmm, I could compete with this other company by creating a free product, I would just go out of business on day two. [00:13:48] Speaker C: Right. [00:13:49] Speaker B: There's not really good. [00:13:50] Speaker C: Well, I'm not saying don't make a free product, just make a less expensive product with the same kind of bells and whistles. [00:13:56] Speaker B: Yeah. And that's where I think I'm going to pull it up here real quick. This is where I think that Proxmox really has an opportunity. Yeah. Because they use KVM and QEMU, so open source virtualization platforms, which honestly all of AWS is built on top of Zen, which is KVM, Qemu. So completely proven technology. But they add Proxmox, adds a Gui to it, makes it easier to use and so you can go and get it. So I feel like that free competitor is already there and that's likely what happened. [00:14:32] Speaker C: Everybody's just going to migrate over. [00:14:33] Speaker B: But Broadcom is looking at it and saying, well, oh great, we lose our free customers. Who cares? We just want the customers that pay money. That's the year 2024. [00:14:43] Speaker A: I was looking at through the comments and some people talking about how they're going to be trying alternatives because what else are you going to do? Xcpng, does that sound like I'm pronouncing that right? Was one that was brought up. Xcpng. [00:14:55] Speaker C: XCP Ng, right? Yeah. I don't know, everything's got Ng on the end of it. [00:15:01] Speaker A: And then Proxmox was another one and Windows server Hyperv, that these are free options. And so I'm going to download these, I'm going to try this. Do you think that realistically, because I know you had said that Esxi was one that was kind of the standard, that was the default. [00:15:15] Speaker B: Yeah. [00:15:15] Speaker A: So I mean, these other free options, is it going to be like, now I have to switch to Proximox and it's just going to be such a disappointment? Or is it close enough that it's like, well, I'd really rather just switch to this free version. I'm getting most of what I need rather than paying for the paid version of this other one. [00:15:30] Speaker B: Well, I can give you my personal experience, which is performance. Virtual machines perform better on VMware platforms than they do on any other hypervisor that I've worked with, and that's Hyper V KVM, even AWS for that matter. When you bring up virtual machines in a properly sized vmware data center, they perform better and the enterprise support is really good and stuff like that. So if those are the features that you care about, then do they basically. [00:16:02] Speaker C: Have a monopoly on this? [00:16:04] Speaker B: It's hard to say they have a monopoly when Azure and AWS are kicking so much butt, right? I would say for on prem data centers. [00:16:11] Speaker C: They're killing it. [00:16:12] Speaker B: They're killing it. Yeah, they're doing a really good job. [00:16:14] Speaker C: It's kind of like Cisco, right, where they do have competitors, but they have the lion's share of the market. [00:16:19] Speaker B: Yeah, I would say their biggest commercial threat is Nutanix. And Nutanix has focused a little more on not just straight virtualization, but containerized applications. Almost like when you look at Kubernetes, you don't think, oh, Kubernetes is a competitor for VSphere. No, vsphere can do virtual machines and containers. Kubernetes just does containers. Right? So Nutanix is a little bit closer to that. I don't know. It's tough. I recently moved some virtual machines from some old vms that I had from hyper V over to Virtualbox. And Virtualbox sucks for performance. And if you're okay with like, maybe performance isn't what you care about in this case, it's not something I cared about. Then it was fine. I just needed these old machines available so I could get data out of them from time to time. Every now and then I need access to like a 16 it application. And so I need to boot Windows XP in order to run that. And I don't want to run that on a physical machine, but I don't care about performance either. I just need the VM to run. [00:17:20] Speaker C: Isn't virtualbox like the one, if not one of the few virtualizations that will allow you to do macOS? [00:17:29] Speaker B: I don't know. I've not done macOS. [00:17:31] Speaker C: I have done macOS on Virtualbox and it ran not too bad. I was like, it ran better than not, which is what I experienced with the other platforms that, you know, virtualbox. [00:17:43] Speaker B: Most of you have probably heard of it. It's controlled or owned by Oracle. It used to be open source and free. Now it is open source and not free. And that's a really weird thing. You don't see that very often. And a lot of people don't realize that when you spin up a virtualbox instance, it's free for personal use, right? It's not free for commercial use. You're supposed to pay for it. And I don't know anybody who's ever paid for it. But I do know if you fire up two computers behind the same ip and they're both running virtualbox, they phone home to Oracle and Oracle will reach out to you and say, hey, it looks like you need a commercial license. And I don't know if you guys have encountered that or not, but most people don't realize that virtualbox is not free. [00:18:27] Speaker C: I did not realize that myself. [00:18:29] Speaker B: And if his performance didn't suck, I wouldn't have a problem with that. But performance does. Yeah, yeah, it's a good time. [00:18:39] Speaker A: I'm really feeling the love today. It sucks. Everything sucks. Yeah, Valentine's Day. It's not a real holiday anyway. It doesn't matter. [00:18:47] Speaker B: Well, that is, we've ruined Valentine's day. [00:18:50] Speaker C: We really took a giant piss all over it. [00:18:53] Speaker A: Crushed my dreams. It's fine. No big deal. It's fine. We don't do like Valentine's in the office, so that's fine. I just celebrate goodness privately, my own time. So we'll move on to our next article here. Maybe we'll feel some more love with this one, though something tells me probably not. This comes to us from Tom's hardware. Older systems now won't be able to update to newer versions of Windows due to reliance on an arcane cpu instruction often used for AI neural networks. Now that's interesting. I don't know that that's how I expected that article title to end. [00:19:25] Speaker B: Yeah. So when I saw this headline, it's Tom's hardware, right? We commented on this. They always have long headlines. Yeah. [00:19:31] Speaker C: They're like, here's the article in the headline. [00:19:34] Speaker B: It didn't make any sense to me. And this should have been a don't make no sense segment if I would have thought of that. You're right, but I didn't. But when I saw this, like, oh, you won't be able to update to new versions of Windows eleven if you don't have support for this arcane feature. Wait a minute, you can't upgrade to Windows eleven unless you have a TPM. So what computer is going to be missing an arcane feature but have a TPM? Like, it doesn't make any sense. And so I dug, I did actually a decent bit of research into this. It literally doesn't make any sense. [00:20:07] Speaker C: Literally. [00:20:08] Speaker B: There are a ton of tech news outlets that are reporting this like it's a big issue. It is a total non issue. It is not something anyone has to worry about. I cannot think of a single computer on the planet that would fit this model for this to be an issue. So let me kind of summarize things here. There's an instruction called Pop. [00:20:29] Speaker C: Don't say it the way it looks. [00:20:33] Speaker B: Pop CNT, which stands for population count. And it's just a simple instruction that says if you give me a string of binary bits, tell me how many ones there are. Are there seven ones? Are there three ones? Are there 19 ones? Just tell me that. That's all this instruction is. Right? That sounds pretty basic. Right? So basic that it's been included in every cpu manufactured in the last 15 years. So if your computer is over 15 years old, there's plenty of other things that are broken on it. This is one thing, but if your computer is manufactured in the last 15 years, it's got this instruction in it. Now tpms have only been commonplace in computers really for like the last five to seven years. Right. And when Windows eleven was first released, it was a big deal. You can't run windows eleven without a tpm on your system. And a lot of people got upset saying, like, I got this laptop that's only five years old and now I can't run Windows eleven. [00:21:31] Speaker C: Yeah, my Dell GXA is going to have trouble. [00:21:34] Speaker B: And Microsoft just said, buy a new computer. Your computer is old. [00:21:39] Speaker C: That's not look like I'm made of money, Don. [00:21:41] Speaker B: Yes. And they want you to give it to them so you won't be made of money. They're trying to help you with this condition that you have. [00:21:47] Speaker C: They figure if they make me more poor. [00:21:50] Speaker B: Yes. There you go. You need a new surface tablet. [00:21:52] Speaker C: Yeah. Then I'll just get the government to give me money. [00:21:55] Speaker B: Give you a laptop? [00:21:56] Speaker C: That's right. [00:21:59] Speaker B: The way all these different news outlets have kind of put this out is like, hey, you may have upgraded to Windows eleven, but now you won't be able to run the 24 h two update when it comes out because 24 h two requires the population count cpu instruction. [00:22:15] Speaker C: I'm going to tell you, Don, my GXA ain't running Windows eleven very well. I'm just saying it's just not as all it's cracked up to be. Yeah, I thought Windows eleven was going to be awesome. [00:22:22] Speaker B: Well, I guess it doesn't change the fact that Windows ten is still supported. That's true. So you could. [00:22:27] Speaker C: How much more support do we have on Windows ten? [00:22:29] Speaker B: I think two years. [00:22:30] Speaker C: Okay. [00:22:31] Speaker B: I feel like it's two years. I looked that up but a little while. Right. So you could stay on Windows ten. But the reality is if your computer is old enough not have the instruction set, it really is too old to be running. It probably didn't support Windows ten in the comments. [00:22:47] Speaker C: Put what's the oldest computer you have in operation that you're currently that you use for whatever reason? Put that in the comments. Love to hear. Yeah, I have a laptop sitting right over there on my desk. That joker is a good twelve to 15 years old. I run it every day. It's got Linux on it. I just use it as like just a simple server, like HTTP server and that kind of stuff. Surf the web, it just random functions, but it's got a full size keyboard, it's got a decent hard drive in it. I upgraded the Ram and that all cost me like $60 to keep that thing limping along. So I would love to hear what you guys are using stuff for that you would upgrade to like a raspberry PI or whatever. [00:23:31] Speaker B: Yeah, I'm trying to think. What is your question out? So I have my Lenovo T 480 laptop that I absolutely love. It was my work computer for years and years and then it got decommissioned and I took it home. I use it when I do personal travel as a personal laptop. And I would have bought that in 2016. Okay, so it's seven, eight years old. Okay, that's the oldest I've got. Yeah. And it's running windows eleven. It has a TPM. [00:24:07] Speaker C: Yeah. I've got older computers like laptops that I've had just for doing testing or whatever with the kids to do something, give them something and bang. I don't care if they stick their foot through it, but in actual production I got that one. I think it's a dell. Is it an e 6500? I think that's what it is. Don't quote me on that one though. But I think that's what that sucker is. And it's pretty turning along, man. And it works. That's what I love about Linux. That's one of the things that endears me to Linux is there are some stripped down Linux oss out there that you can throw it on these older hardware and it supports everything. Right. And for doing simple stuff that, yeah, it eats a whole lot more power than a Raspi would. But I already have this, right? And I don't have to keep it on. It's not like a 24/7 server. It's, hey, I needed to do x, y or z, turn it on, do the thing. You know what, I do it a lot with it. I rip DvDs because it's got a DvD burner in it and I use it for like ripping DVDs or sharing files or whatever through HTTP, use it for an SSH server. I can do all sorts of fun stuff with it, and it doesn't take a lot of horsepower to do. And it keeps earning its money with me. [00:25:23] Speaker B: Sophie, oldest computer I don't know if. [00:25:26] Speaker A: This counts, and I don't mean to brag, but I've got an iPod touch fourth generation laying around somewhere in my home from when I was a child. [00:25:37] Speaker C: I'll bring mine in because at the. [00:25:38] Speaker A: Time, one of those, too. It was like I was so young. It was like I was not old enough to have like a cell phone, but my mom was like, well, you can play games on it, whatever, and it's an ipod. What's the worst you can do with it? Right? So mean. I'm pretty old. The fourth gen came out in 2010, so that makes it like 14 years old, I think. I don't use it. [00:25:55] Speaker C: I've got one of those as well, but it's around sitting on my guitar amp right now. [00:25:57] Speaker A: As far as computers, I use, yeah, I don't use pretty much this. And that baby's got to be at least two years old. It's getting up there. [00:26:06] Speaker B: If we're going to cheat with consumer electronics, then don's got us beat. [00:26:09] Speaker C: My oldest computer, I qualified that. You have to use it. [00:26:13] Speaker B: I still have my PlayStation one. [00:26:16] Speaker C: Do you really? [00:26:16] Speaker B: Oh, yeah. That I bought in 1996. [00:26:20] Speaker C: Nice. [00:26:21] Speaker B: So I still have that very unit and I used it last month, like, sweet. [00:26:26] Speaker C: Hey, listen, retro games, baby. Retro games. [00:26:29] Speaker A: Look, if a computer is defined, as the Google says here, as an electronic device that manipulates information or data and can store, retrieve and process data, I say that counts. [00:26:39] Speaker C: I mean, we are cast much wider than that at this point. I feel like in the comments, they're going to be like, I have a tandy. [00:26:47] Speaker B: I've got my pacemaker keeping me alive since 1974. [00:26:53] Speaker A: That counts. [00:26:54] Speaker B: Yeah. [00:26:54] Speaker A: Good on you. It'll be interesting to see what people have to say. What is the oldest? What's the oldest that you have? I'm just curious. But yeah, the oldest is currently in use, that you actually use for work or hobbies or whatever. So as far as this article goes, I looked through the comments on Tom's hardware on this article, and it was basically, oh, yeah, this is a big nothing burger. Everybody was just like, why are you even talking about this? So people are to let people know. [00:27:17] Speaker C: It'S a big nothing burger. [00:27:19] Speaker A: Yeah. People are real over Tom's hardware, apparently, at this point. [00:27:22] Speaker B: Well, let's not just blame. I mean, that's the one that I picked. But I did some research on this. There were a number. Ars Technica covered it. And I have a ton of respect for Ars Technica. They always do a really good breakdown of stuff, but even they missed the mark on this. Just. It's not an issue anybody's going to the. The original tweet. Oh, do we have that? [00:27:43] Speaker C: I'm sure you do. [00:27:44] Speaker A: It's somewhere in there. [00:27:44] Speaker B: It is. So the person who discovered this, because Microsoft didn't come right out and say, oh, by the way, we're adding this new requirement. So this guy discovered it, and I'm doing air quotes here. And so he posts on Twitter. So huge. This is all capital. Huge discovery. Found in Windows eleven, version 24 h two. Since build 25 nine five, a cpu with the instruction pop CNT is now required. All capitalized. Like, this is shocking breaking news. If you don't have it, you're screwed. Right. I editorialized that last part started a couch fire. I think shortly after. We see this, usually more in cybersecurity, where somebody makes some discovery of some really esoteric fringe thing, and they're like, oh, the whole world is compromised now. [00:28:33] Speaker C: Yeah, we tend to be a little knee jerk reactionist. I think we get caught up in the idea that this is so crazy and so cool. If it were to make it into the wild, this would be a barn burner and a seven alarm fire kind of thing. And that tends to be. Get sensationalized by people that write articles and titles for those articles so that you'll click on them and making it seem like we're a little more excited about it than we are. It's just more like, oh, yeah, this is bad. If it were to get out in the wild, it'd be really bad. [00:29:04] Speaker A: Yeah, I would think that if I've discovered something like that, right. Was maybe not that big of a deal, but maybe it could be potentially. I know there's like the whole boy that cried wolf thing, right? You don't want to be like that all the time. But I don't know. I'd almost rather be like, hey, here's this new thing. And it might be a big deal. Rather than if it really is like, oh, this has huge implications, and then just be like, oh, by the way, here's this thing I found. Don't pay no mind. Then later it's like something. Why didn't you say something? But that's, I guess, more a cybersecurity thing for this. Yeah, it does seem like it's like, okay, it's neat that you found that, but I don't know that I would panic over. [00:29:40] Speaker C: Ultimately, let's say that it was like a problem. What are you going to do? You're going to buy a new computer, right? [00:29:45] Speaker B: Yes. [00:29:46] Speaker C: If you're running a 15 year old computer, it's probably about that time to upgrade anyway, right? At least for your daily driver. So this is why this is like a big nothing burger, because I agree. Go buy a new. I get it, man. Get a chromebook, something. Don't worry about it. Get you a new one. [00:30:02] Speaker A: Something's better than nothing. [00:30:03] Speaker C: You don't even get a new one. Buy a used one that's five years old, you're good to go. Save a bunch of money on your car insurance when you switch to we. [00:30:14] Speaker A: Are not sponsored by any insurance company. Named, run. [00:30:16] Speaker C: Not sponsored by. [00:30:18] Speaker A: Yeah, not sponsored by any brands. [00:30:20] Speaker C: This tasty and delicious remembered unnamed energy drink. [00:30:23] Speaker B: It's like some people only do things for money. That's sad. [00:30:29] Speaker A: Daniel's made of doesn't. [00:30:31] Speaker C: Yeah, that's it. [00:30:33] Speaker A: We'll go ahead and take a quick break and collect ourselves and figure out our brand deals in the meantime. But don't go away. We'll have security news coming up in the second half of Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient, and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome back. Thanks for staying with us through that break. If you're enjoying the show so far, maybe drop a like if you're watching here on YouTube or listening on Spotify, Apple podcasts, wherever you get your tech news, wherever you listen to Technato. And if you haven't already consider subscribing, so you never miss an episode of Techno in the future. And here on the ItPro channel, you can also see all of our past episodes, as well as any webinars that ItPro has done in the past, starring Don, Daniel and myself, and lots of other stuff, giveaways, things like that. So it's a pretty cool place. Check it out. Maybe stay a while. But that being said, we're going to jump into our security news for this half of the show. We'll just go ahead and get right into it. This article comes to us from the Verge. Authi is shutting down its desktop app and saying that name makes me feel like I've got a lisp. So the two FA app Auth will only be available on Android and iOS starting in August. Now, is this something, I've personally never used this app, but I'm sure plenty of people do. So the fact that it'll be gone on desktop app, only available on Android and iOS, is this, do you think, going to affect a lot of people? [00:32:08] Speaker B: So it is going to affect some people in a very bad way, which I'll talk about here in just a minute. But if you're not familiar with Authi, because it sounds like Sophie, you've never used it. All right. In the early days of multi factor authentication. So, you know, five years ago, so when people really started rapidly adopting MFA, Google had their Google authenticator, right? And you'd install it on your phone and you could start adding in your MFA codes there. And life was good until you got a new phone. When you got a new phone, you had to go and disable MFA on all your accounts and then take your new phone and re enable MFA and generate all new codes. It was a huge pain in the butt. And if you lost your phone, oh, you were screwed, right? I mean, that was a big deal. Microsoft released their authenticator, same exact problem. [00:32:53] Speaker C: If you lose your phone, you're screwed. [00:32:55] Speaker B: It was tied to your device, and people got really upset about that because they wanted to upgrade their phone. I didn't lose my phone. I bought a new phone. [00:33:03] Speaker C: The phone just died. That happens, right? Like, you drop it and then a truck runs it over and it's like, well, that's gone, and it goes in the toilet. [00:33:11] Speaker B: And if you just had like one or two sites with MFA, like in the early days, you did, it wasn't that big of a deal. You'd go through the password, recovery, whatever, and deal with that nightmare. But now fast forward to today, where you use MFA on most of your sites. It's unacceptable. So Authi was the first one to really step in and say, you know what? We're going to take the plunge, and we're going to make it where you can synchronize your MFA code generator across more than one device, and you can easily move it from one to another. And so if you wanted to go from an iPhone to Android or Android to a new phone, you could log in with your authenticator and easily restore a backup or synchronize your codes over and go. And they even went a step further, and a lot of people weren't happy about this. They released a desktop app where you can have an app running right on your desktop and not have to get your phone out of your pocket, right? [00:34:02] Speaker C: So it's tied to the app and not so much the device, right? [00:34:05] Speaker B: And many security researchers at the time said, hey, the whole point of multifactor authentication is that there's something you know and something you have. There's something you know, something you are, something you have, right? So they wanted to diversify, and they felt like having the authenticator right there on your computer where the codes are being requested. It just made it too easy for the attackers. You would notice if somebody stole a key fob out of your pocket, and. [00:34:33] Speaker C: Why that's kind of defeating the purpose. [00:34:36] Speaker B: So some people didn't like it, but it fit a need. And you fast forward to today, and Google, Microsoft, all the major authenticators allow you to synchronize your codes between devices. And if you want to move from one device to another, you don't have to start all over from scratch. So everything Authi pushed for in the beginning really has become commonplace, except for the desktop app. Right now, you could argue that Lastpass and Bitwarden and those guys allow you to do it on the desktop, too, but it's not as common. Most people don't even know that feature is there. Most people just use their phone like it was originally intended. Now, here's the reason why I think this is important. So Authi is shutting down the desktop app. It's going away again. Most people use their phones or their password manager has that functionality anyway, so not a big deal from that perspective. But here's what you might not know when you disable your authi account, the desktop authenticator, when you remove it and delete it as an authenticator, there are some services, and twitch is a great example of this, because I know twitch does it for a fact, where they synchronize and it actually talks to the might. I'll tell you how to tell the difference. You ever go to a website and you go to login and it prompts you for username password and then it prompts you for the MFA code, right? And normally you just have to go to the app and find it, but sometimes you get a notification and on your phone will say, hey, you're trying to authenticate here and it'll take you, that's one that's synchronized with your client. And when you disable the Authi desktop client, it phones that home to that company to say, hey, this authenticator is no longer valid. And even if you've synchronized it to another device, you just invalidated that code. What is it, a key, a seed? What do they call that? Whatever the thing is, the private key that's generated, that is tied to your code, so it invalidates that. And so now you will have to jump through some hoops. So you might think, I don't care about this desktop client. I don't use it anymore. I'm just going to delete it and call it a day. But any of those services that pop notifications automatically, those are two way communications and it will impact those. So you need to be ready for that. [00:36:49] Speaker C: Yeah, that sounds like workstation support, or not workstation support, but their customer service representatives are going to be slammed with people that were like, oh, I deleted it and now I can't log into anything. What's going on? And they're going to have a lot of fun fielding those calls. I did see a lot of people say that one possible solution is using subsystem for Android and Windows environment. So that sounds like a good stop gap for if you're running the desktop app and now that is no longer supported. [00:37:23] Speaker B: Yeah, that would give you another desktop app. It wouldn't solve the problem of when you remove the one authenticator. [00:37:28] Speaker C: That's still an issue that you need to think ahead of before you get crazy and uninstalling stuff. [00:37:37] Speaker B: I did at one point use the authi desktop authenticator. I was like, this is convenient. But in the end I ended up moving them into Bitwarden. I use one password for my personal stuff. I moved them in there. I can use my phone to get the codes if I want, but on the desktop I can use my password manager's system to get it. And again, I know security researchers are going to disagree with this and say, don, you're storing your password and your OTP token. That's a token, that's what? I was looking your OTP token in the same place, and that defeats the purpose. And to which I would say, yeah, all right, you got me. [00:38:15] Speaker C: What do you want to make of it? No one's perfect, okay? [00:38:20] Speaker B: I'm a grown up. I've made this decision, and I'll accept the consequences. [00:38:25] Speaker A: Well, it looks like if you are using Authi, at least the desktop version, and if you're running a Mac with M One or M two silicon, it says that you can still download the iOS version of the app on your device. So I guess that's kind of a workaround for it. If you're using the desktop version currently and otherwise, you can switch to the mobile version and you can automatically sync the mobile version with the app on your computer. But if you want to switch apps altogether, there's no export feature. So you have to manually disable two Fa on all of your connected accounts before you can link them to the new one. So it's not like, oh, I want to switch from Lastpass to Bitwarden and I can just export all my stuff. This doesn't exist. [00:38:57] Speaker C: That is like the sucky thing about two fa. I mean, I totally am for two fa. I think it's a great thing. It helps definitely keep us much more secure. I'm not saying it's the end all, be all to security, but it's a definite step in the right direction. But, man, if you've got to change that at all, that is a bit of just a slog. [00:39:17] Speaker B: I just remembered something, and it's important that the Verge article, we got this article from the Verge. It hasn't been updated to reflect this yet, but when this was originally announced, they announced it in early January, and they said, you have until August. In August 2024, we're getting rid of this app. Well, yesterday. So just yesterday they announced, oh, we said August. What we really mean is March. [00:39:40] Speaker C: That's a lot less time. [00:39:42] Speaker B: And so they just cut five months off. So if you're listening, weeks, right? Yes. So you got about 30 days, but by the end of March, desktop app going away, not August like they originally said. So that's a bit of a moving goalpost on that one. [00:39:59] Speaker C: Fun. I'm sure nothing bad will happen. [00:40:03] Speaker B: It's great. It's fine. Totally fine. [00:40:05] Speaker C: Yeah. [00:40:05] Speaker A: But before we jump to our next article, I have a quick question. So, like I said, it doesn't have an export feature. The way this, I guess I wouldn't know because I've never really had to undergo a whole, like, oh, my authenticator app is not going to work anymore. I got to make a switch. I've never had to do that before. So I've never looked to see if, I mean, is an export feature for two FA stuff, is that common? Or are they just saying like, in general, if you're dealing with two FA apps, you can't really export your account. [00:40:28] Speaker B: Sure, it used to not be common. It is now. If you go into Lastpass, Bitwarden, one password they all have where you can fully export your unencrypted database. [00:40:41] Speaker C: I think a lot of us around here did that when LastPass kind of like crapped a bit. [00:40:44] Speaker A: Hopefully everyone. [00:40:46] Speaker C: Yeah, I moved a bit, Warren, and it was such an easy process. [00:40:51] Speaker B: I actually know this one. So on the Authi desktop app, it doesn't have that feature. And so what they want you to do is just move to their other app. You do a backup, restore, whatever. But you can using a web browser, you go into the developer tools. [00:41:07] Speaker C: It's so easy. [00:41:08] Speaker B: You throw a little Javascript in there. It's not easy, but you can get there and get it to give you the decrypted tokens. Right. But it's not something a regular end user could do. [00:41:17] Speaker C: Yeah. [00:41:18] Speaker A: Okay, interesting. I guess I was just curious if that's something like with other authenticator apps, if that's a common thing that you can export. Okay, got you. [00:41:26] Speaker B: Absolutely. [00:41:27] Speaker A: Because I know password apps because it. [00:41:29] Speaker C: Took them 5 seconds to go. Someone might not want to use our product one day, or we might want to migrate to a different product that we build. [00:41:36] Speaker A: Right. [00:41:37] Speaker C: How can we do that? Easily. And just forwardly thought, after a few times of that actually happening, it didn't take long for those companies to figure it out. [00:41:44] Speaker B: But this is 2024, and so now they'll broadcom it and say, we got you, son. [00:41:51] Speaker C: Where are you going? Nowhere. That's right. [00:41:55] Speaker B: Pay us the bill. [00:41:57] Speaker A: Well, if you are an author desktop user, godspeed, and we hope that this works out for you and you're able to hopefully seamlessly transition to a different solution. We'll go ahead and jump to our next article. And this is part of an old favorite segment. We haven't seen this one in a while. It's pork chop sandwiches. [00:42:12] Speaker B: Pork chop sandwiches. [00:42:16] Speaker C: Pork chop sandwiches. [00:42:19] Speaker A: Props to our director Christian for on the fly updating that graphic this morning. So appreciate you for doing that. This is another article comes to us from Tom's hardware bitlocker encryption broken in 43 seconds with sub $10 raspberry PI pico. The key can be sniffed when using an external TPM. Am I saying that right? Raspberry PI. Pico. Like pico de gallo. [00:42:37] Speaker B: Yeah. [00:42:37] Speaker A: Okay. Wow. [00:42:39] Speaker C: It's unpoquito. It's littles. Okay. [00:42:42] Speaker A: I got food on the brain. [00:42:44] Speaker C: Plus they're super cheap. [00:42:45] Speaker B: Yeah. [00:42:45] Speaker A: $10, sub $10. It sounds like it. And broken in 43 seconds. [00:42:49] Speaker C: Don, correct me if I'm wrong. I watched the video on this. Did you watch the video on this? [00:42:53] Speaker B: I did. [00:42:53] Speaker C: Did you watch the video on this, Sophia? [00:42:55] Speaker A: I did not. [00:42:55] Speaker C: You should totally. It was very interesting. It's only about 10 minutes long. [00:42:59] Speaker A: Okay. [00:43:00] Speaker C: Saying that it took him 43 seconds is a bit of a misnomer. Right. Ultimately, after he did a shit ton of work and he built the device, then after that, if you have the device in your hand, you can do it in sub 60 seconds. Don't get me wrong. So the youtuber that created this stack. Smashing. Very smart, great YouTube channel. Him and another youtuber have a training company where they do like, binary reversal. And so great training. Very nice stuff. I would highly recommend checking that out if you're interested in those things. But I just want to say, like, the way that that title and that is formulated, I just did not. That's not really how that went down. And if you watch the video, he kind of goes into saying that this is. Oh, this is not that difficult. We just read this and then we're reading the electrical signals on this pad in nanoseconds. I just whipped up a program that did that and then automated this process. It's a little more complex than if you're like, oh, I just got my security plus I want to get down with this. It's probably a little above your pay grade at that point. It's above my pay grade at that point. This is a lot of work that went into this. They used a lot of specialized equipment that's necessary. But it definitely made it a whole lot easier than you might think, just from the title and even maybe the. [00:44:43] Speaker B: And you know, let's talk about the attack, because the attack doesn't work on every computer. So what's going on here? If you think about a computer that has Bitlocker encryption, right? So Bitlocker encryption is what's built into Microsoft Windows. Definitely in the pro editions. Is it in the home edition? [00:44:56] Speaker C: I don't know. [00:44:57] Speaker B: I don't remember. [00:44:58] Speaker C: I don't follow. [00:44:59] Speaker B: Windows has that, but the pro edition has it. And so you can encrypt your system. And when you do that, you have to generate a private key so that you can encrypt and decrypt data, right? And that private key gets stored in your TPM, your trusted platform module. Now, on many modern systems, you go, my computer today, the TPM is likely a part of your cpu. It's on the same die. It's just built into the processor, and that's that. Nice and secure and safe. But on systems built even a couple of years ago, the TPM was external. It was on the motherboard somewhere. It might be near the cpu, might not be just, it was on the motherboard somewhere. And what the researcher found was, when there was an external TPM, when the system would boot, the private key would have to be sent from the TPM to the cpu, and it was crossing certain circuit traces, unencrypted. And so there was a brief period of time on the electrical wiring on the motherboard where the key was transmitted, unencrypted. And so what he did is he built a little raspberry PI pico device that had some cool copper leads. [00:46:04] Speaker C: He had to figure out the correct spacing to be able to just easily touch that pin pad and get the right spacing for where those pins go. So that alone took a little bit of time and effort, and then he had to have that thing produced. He didn't just kind of, like, put it all together, he sent it off and had it built. [00:46:25] Speaker B: So it only works on devices that have an external TPM, that have this exposed pad for a connector that's not installed on the motherboard. And so if you meet all these little criteria, and if you're an attacker, you've stolen somebody's computer and taken it. So you can take it apart and get at the motherboard. You have to be able to power the device on while it's disassembled, which is hard for a laptop, easier on a desktop. And then you can hold this device to those electrical contact pads, and when you power on the device, it can sniff and capture the private key whilst being transmitted, and then you can decrypt the system. Now, this is something that the FBI would do if they seized your computer, and they could use it to decrypt, right? But for a regular hacker out there in the field, not so realistic. [00:47:15] Speaker C: Yeah, this is more like some state sponsored stuff that would happen, like actual spycraft espionage kind of stuff that you think of in the movies where some agent has infiltrated or they've got an inside man because they're paying them buku bucks from China or Russia or whatever to go into their boss's office, open their laptop, put this thing on. Like Don said, they've specked out the device specifically, learned that it is susceptible to this specific type of attack and then built the device necessary and all the software that goes around it to pull that off and then they can decrypt. They would have to have a sled to pull that off their own laptop. Read that, give it the key, copy the files off, maybe do like a backdoor action and throw in a reverse shell or some sort of root it into the system, put it back. It's a lot more than that's going on. It's highly unlikely that this is going to be something that you have to worry about necessarily as an attack vector to your stuff. [00:48:22] Speaker B: You know what, I equate it to the lock picking lawyer. You ever watch the lock picking lawyer? [00:48:26] Speaker C: I love the lock picking lawyer. [00:48:27] Speaker B: Have you seen him? [00:48:28] Speaker C: We got to get you squared away. [00:48:30] Speaker B: It's on YouTube. He's this guy you're like out there. [00:48:33] Speaker C: Living your life, doing stuff outside, going outside. Sick of this. [00:48:38] Speaker B: So he picks locks. He was a lawyer. I think he still is, but not practicing anymore because he makes so much freaking money on YouTube with these videos. But every time he takes a lock, right, a padlock that somebody bought at a store and sent to him or whatever, and then he goes and explains how easy it is to pick it and he says all you need is this tool and this tool. And then he goes and he does it and within seconds he's got the lock open, right. And each time he's using these tools, these lock picks that are sub $10, you can go get them on Amazon, cost a couple of bucks, right? But every lock he's using a slightly different tool, like, oh, I need to use an eight inch pressure bar or whatever. But he's got all that so you don't see it on camera. But behind him somewhere he's got a whole case full of 1000 of these little pick things. He knows exactly which one to use. And so yeah, you could say, hey, took less than $10 and it took this guy 40 seconds. I couldn't do it. I could go, even if I had the right tools, I'd just break them. [00:49:32] Speaker C: So I pick locks and that's why I watch the lock picking lawyer, because a Set of sparrows will probably run you 50, $60 or whatever for a full set, which is a really nice set of lock picks, depending on the type of lock. When you buy a lock pick set, they typically come with the most used picks that you would need on the generalized set. There are some very specialized locks out there where you would need specialized tool, which he obviously has, but I've seen him definitely. It's the knowledge of how to use them, because I could give them to Sophia and she still wouldn't be able to pick that. [00:50:09] Speaker A: Right? [00:50:09] Speaker C: And even with the right tools, because you got to also know how you got to have a user. Right? And it's the same thing here. Just because I gave you this pico device this guy developed, doesn't mean you're going to just run out and go, cool, I'm reading tpms. You have to know how to use it as well. So it's marrying the tool with the knowledge that makes this something that might be dangerous to someone. [00:50:30] Speaker B: But it certainly does highlight a flaw in TPM design. [00:50:33] Speaker C: Absolutely. [00:50:33] Speaker B: If you have an external tpm, it's going to be less secure than one that's built into a cpu. So if you're running a 15 year old system that doesn't have the population count instruction set, and you're worried about Windows eleven, now's the time to upgrade. And modern cpus. The newer AMD and Intel cpus have the TPM integrated in the cpu die and would not be vulnerable to this type of tech. [00:50:55] Speaker A: Wow. I feel like I just said deja vu there. [00:50:59] Speaker B: I'll say. [00:50:59] Speaker C: It's cool as hell, though. Totally. Watch. Super cool to watch. [00:51:03] Speaker A: Yeah, it's always like that though. It's like, dang. In theory. That's really cool. Could I do it? No, but it's cool to watch. It's cool to see. And they did. To be fair, they put in the article the disclaimer, after creating the device, the exploit only took 43 seconds. They just don't tell you how long all the prep. [00:51:17] Speaker C: They ain't going to get you to click on the articles. [00:51:19] Speaker A: Right? Exactly. Yeah. 43 seconds. What? This guy sandwiches what this hacker did. We'll shock you. You got to click on the link. [00:51:26] Speaker C: Yeah. Number three. [00:51:29] Speaker B: I think the lock picking lawyer even says this sometimes. He's going to show you how to pick the lock. But a pair of bolt cutters will normally work if you don't mind being destructive. You don't have to have skills, man. [00:51:41] Speaker C: I've seen a couple of lock videos here lately where a lot of these locks are susceptible to tapping attacks. Where you just tap them, you can smack them with your hand and they'll pop open. [00:51:52] Speaker A: If you do it like the right. [00:51:53] Speaker C: Way, they're showing these people trying to cut it, and the bolt cutters are like, this is like chrome molly, hard and steel, blah, blah, blah, blah. You can't actually get at it because of this sleeve that goes around the shackle, and you can't get to the thing to cut it with a bolt cutter. You can shoot it, you can dynamite it. It's not going anywhere. And then walk over and go like that, and it just pops open. I'm like, wow, that's not good. [00:52:15] Speaker B: That's a design. [00:52:15] Speaker C: Kind of defeats the purpose of the whole thing there. [00:52:19] Speaker A: Feel like Daniel speaking from experience here. We'll go ahead and jump to our next article. Pork chop sandwiches, though I'm glad to see that one come back. But this one, this is one we see a little bit more often. This segment's called who got poned? Looks like you're about to get poned. This article comes to us from the bleeping computer or bleeping computer. No article. New Fortinet RCe flaw in SSL VPN. Likely exploited in attacks. Unless a lot of acronyms for one. [00:52:43] Speaker C: Headline, you just said Fortinet, and I was like, yep, yep, here we go again. [00:52:48] Speaker A: Oh, it was that. That's kind of a compliment. [00:52:50] Speaker C: How many times we've talked, like, you have been on the show where we have talked about Fortinet. [00:52:53] Speaker A: That's true. [00:52:54] Speaker C: Multiple times. [00:52:56] Speaker A: It all runs. [00:52:58] Speaker C: Know, I know. [00:53:01] Speaker B: I'm not a fan of Fortinet. I wonder why about that before, what. [00:53:05] Speaker C: Could possibly deter you from their amazing security? [00:53:09] Speaker B: I'll be transparent here and set up the reason why I'm not a fan of theirs. They have been less than transparent about hard coded credentials in their firewall software for years. Right? And they got caught once and they tried to cover it up, and then they got caught again with a whole nother set of credentials. If you're a cybersecurity company selling a product as a firewall to protect people's networks, you're supposed to be trustworthy. [00:53:37] Speaker C: Isn't that like security 101? You do not hard code creds. It's just what you don't do. [00:53:43] Speaker B: So that's where my distrust of ordinate originates. But in the last six months, this is the fourth time we can report on vulnerabilities in their SSL VPN where an attacker can unauthenticated. So no authentication needed, bypass authentication and gain administrative privileges on the firewall device. And it's the freaking firewall. So from there, they then have access to your internal network. [00:54:14] Speaker C: I love that. That's the quote for this episode of Technato. It's the freaking Firewall. The thing that's supposed to keep you secure is really like basically an inside man that hates your guts is getting paid to give away all your secrets. [00:54:29] Speaker B: And I've taken some heat for this over the years. I've had viewers, listeners write in and say, don, I love Fortinet. Why don't you guys have Fortinet training at our day job? And I always tell people, I'm not going to make training for a product that I would not run myself. I refuse to use their products, so I'm not going to make training for it. And in these scenarios where you just keep seeing flaw after flaw after flaw, how long are you going to suck that up? [00:54:57] Speaker C: And it's not like what we've been saying earlier, how like, oh, yeah, some security researcher discovered this and they did responsible disclosure. And now there's a patch available. These are like constantly exploited. This is being exploited. It's being exploited patch. Now that is a typical tagline to a Fortinet security issue is currently exploited, is also a part of that title. [00:55:22] Speaker B: Now you might ask yourself, with all this in mind, why would people use their products? And I'll tell you some of the benefits of their products. Right. So first off, they are less expensive. If you put Fortinet stuff against like a Cisco solution, significantly less expensive. Also they have a software firewall where you can spec out your own hardware. And that's nice because you might need a high end beefy server to be able to handle your firewall traffic. You might need something light. You might want a raspberry PI, whatever. They'll allow you to do that. So you get a lot of flexibility. Kind of like, I don't know, pf sense. [00:55:53] Speaker C: I was going to say PF sense. [00:55:54] Speaker B: Yeah, similar to that. That's good. And that's what draws people to it. But there's saving money and then there's like negating the viability of a product. And that's really the stage that we're at when it comes to Fortinet. [00:56:09] Speaker C: Yeah. If saving a few bucks, I get it. Not everybody's got the cash necessary to get out there and buy something more expensive. Totally get that. I grew up very poor, so I get these hardships in life, but at one point the juice just isn't worth the squeeze, right. Where they're constantly got problems, it no longer becomes a viable commodity for you to purchase. You have to wipe it off the table and go, yeah, that is not something I'm going to. It's basically like introducing security issues into your. Instead of doing the opposite, which is what you want to do, and stopping security issues. Go with something else. Find a different avenue. They're still, like we mentioned, PF sense. I'm sure they're not the only game in town as well. You could stand up your own Linux server and build your own firewall through like iptables and stuff. Yeah. Does it take a lot of time and effort and know how? But you know, everything that's cracking through that thing. It's long well known to know that this can be used as a viable solution. It is secure. You just have to spend more sweat equity into getting it to work. [00:57:17] Speaker B: I think you've got Cisco, Juniper, Palo Alto. There's some good reliable players and they have vulnerabilities too. Things happen. Absolutely. But there's reliable players that are out there. And then you see people like Fortinet, not so much here in the US, but in Europe microtick, which is somewhat common. [00:57:34] Speaker C: And they've had a couple of issues as well. [00:57:35] Speaker B: They have a, you know, those are ones I don't recommend. And that's really a decision you make when you choose a firewall vendor. [00:57:44] Speaker C: Got to do your research, right? [00:57:45] Speaker B: You do. Yeah. So it's sad. I do think we need to start reporting these as like deja news because they seem to be almost on basically the same thing. Right. [00:57:55] Speaker C: What are you going to do? [00:57:56] Speaker A: And I'm sure the fact that it says likely being exploited in attacks contributes to this, but it does say it received a critical severity rating of 9.6. And I guess the same day that this was announced was just earlier this week, or that this was disclosed. I guess there was another critical flaw that was also disclosed and a couple of other ones that were at like medium level, not marked as being exploited in the wild. [00:58:14] Speaker C: But still the CVE 2002 423113 had critical 9.8 rating. [00:58:20] Speaker A: Right? Critical. I just said it wasn't being exploited. [00:58:22] Speaker C: In the wild, but it's not being exploited in the wild. [00:58:23] Speaker A: But still, that was the. [00:58:25] Speaker C: Hey, we found this before it got too out of hand. [00:58:27] Speaker B: Yeah. [00:58:27] Speaker A: Which I guess that's the ideal scenario. [00:58:30] Speaker C: That is the ideal scenario. [00:58:31] Speaker A: It's good that you found it before it got bad. [00:58:33] Speaker C: Kind of like go, oh, holy crap. That's a crazy high rating for CVE. And it is. But they discovered it. They have a patch for it. So like you said, that's the ideal situation. [00:58:46] Speaker A: It does seem like maybe not just with Fortinet, but for the last several weeks, every time that we cover a flaw like this, it kind of seems like it's. Oh, it's critical. Oh, it's critical like all the time, which I guess makes sense because you're not going to write. If it's a flaw that always has a score of three, you're probably not going to write an article about that. So I guess maybe that's just, I don't know. [00:59:04] Speaker C: Hey, one day, maybe one day security will increase so much that we're like. [00:59:09] Speaker A: Oh, wow, that'll be news, right? [00:59:11] Speaker C: It's kind of high. [00:59:12] Speaker B: Don't you think we should do an episode where we only cover, like, cve. [00:59:17] Speaker A: Two mundane security news? Yeah. Interesting. Would we cover it as it is? [00:59:25] Speaker C: There's an information disclosure of the server. [00:59:29] Speaker A: Or would we sensationalize it? Like, this flaw will shock you with how low of a score it is? Well, of course they wrap this article up saying that, well, due to the severity and the likelihood of it being exploited, it's strongly advised that you update your devices as soon as possible in case that wasn't obvious. So they do put that little disclaimer in there and there's not. I know somebody. I looked through the comments and not a whole lot of activity on this one yet, but somebody had asked if there were any indicators of compromise published yet, and none that I could see. So unless I missed something, there was no, like, oh, hey, if you're seeing thus. And so, that's probably an indicator that this is going on. [01:00:02] Speaker C: Yeah, they just say it's likely that it's being exploited in the wild. So that probably means that someone noticed that this was being exploited in the wild, but they don't want to come out with that necessarily. Not yet, anyway. And that would be my guess. [01:00:17] Speaker A: Like a cya, it's likely being exploited. We're not going to confirm or deny. [01:00:21] Speaker C: Whether it absolutely is, but you should probably patch right now. [01:00:24] Speaker A: We plead the fifth. Yeah, well, I'm sure, hopefully Dave Chappelle sketch the fifth. [01:00:30] Speaker C: I plead the fifth. That's everything that they're lobbying against him in court. He just is playing this thing like, I plead the fifth and that's all he does. [01:00:37] Speaker B: The whole time. [01:00:38] Speaker C: The whole time. It's very funny. [01:00:39] Speaker A: I probably don't need to tell you I haven't seen that one. [01:00:42] Speaker C: Yeah, that was back in the Chappelle show days. [01:00:44] Speaker A: Well, then I guess it makes sense. [01:00:45] Speaker B: Yeah, I just checked and there is an IOC that was released just yesterday. [01:00:51] Speaker A: Okay, gotcha. So I missed that development. [01:00:54] Speaker B: I found it on threatintelligence.com. [01:00:57] Speaker A: Not sponsored? Not sponsored. Well, hopefully this isn't something that comes back up again. But I say that realistically Fortinet will probably come up again in future technos. [01:01:09] Speaker C: If I had to. [01:01:11] Speaker B: Hey, if you're going to short a stock, this is not investment advice. I'm not a broker. [01:01:19] Speaker C: No, you talk to your brokers about that. [01:01:22] Speaker A: Well if you enjoy hearing about your fortinet flaws here on Technato, feel free to subscribe. Like I said, if you haven't already, drop a like, leave a comment. Let us know what you liked about this episode, what you want to see in the future. If there's any news that you're like, hey, you didn't cover this. Was there any articles that came up this week? I know some weeks it's like real news heavy and it's hard to pick know. And so was there anything that we didn't cover that happened this week that was kind of newsworthy? [01:01:44] Speaker C: There was one thing, I forget exactly which company it was, but it came out that there was like a big flaw and then it was like, that's not true. But all the major outlets reported on it. You remember which one? [01:01:55] Speaker B: Oh shoot. Because it was funny, right? [01:01:57] Speaker C: It was funny, but because it was a big nothing burger it wasn't really reportable. [01:02:03] Speaker B: Shoot, yeah. [01:02:04] Speaker C: What the hell was that? [01:02:05] Speaker B: I think it was in our newsfeed. Now I got to look it up because I'm curious. But yeah, people were excited to report on it. [01:02:12] Speaker C: Like Arsetechnica didn't take the time to. [01:02:14] Speaker B: Verify it was, oh, Microsoft introduces Sudo. [01:02:19] Speaker C: That's what it was. [01:02:20] Speaker B: Windows. They were like, yeah, Windows is going to get the Sudo command. And then Microsoft came out and said, no, actually we're not. [01:02:25] Speaker C: I was so pissed because I have been begging for Sudo for actually. So technically Microsoft does have Sudo in a roundabout way. If you run, was it Windows subsystem for Linux? Yeah, WSL. Right. You can sudo inside of that sucker. And I have to do it from time to time. You want to run something like Netstad or start like an HTTP server with Python, you got to sudo that monkey if you're going to run on a protected port. And it does do it, it does work. So you kind of can sudo, but I long for the day when I ain't got a right click. Run as administrator, damned Powershell or terminal, whatever the hell it is now. It's like come on man, just let me elevate when I need to elevate. [01:03:10] Speaker B: Just one command without whole terminal. [01:03:11] Speaker C: Just like hold my right arm. The right way and let the stars align so that I can have an administrative terminal. [01:03:21] Speaker A: Well, this has been grind my gears with Don and Dan. Join us for next week's segment if you did enjoy this. Again, I want to thank our sponsor, ACI learning, the folks behind it pro, for letting us do this, for allowing us to do this. That's what we do in our day jobs. We make those courses about audit, cyber it. Anything you can possibly imagine in that sphere. Besides, don't. Don't count on that. You can check that out over at the ACI learning or the websites. If you haven't subscribed already, feel free to do so. You can use the code Technato 30 for a discount. And if you're watching from the Technato website, you can actually just click that sponsored buy button and it'll take you right there. So, nice little shortcut. Couldn't ask for anything better. I think that's pretty much going to do it, though. We have had a couple of webinars this month. If you missed them, check them out on the YouTube channel, the ItPro channel if you want to see those. We had an all things cyber. We had one last week about building a tech resume that was real helpful. And it's only like the second or third week of February, and we're cooking. Cooking on all. [01:04:11] Speaker C: Killing it, man. [01:04:12] Speaker A: Really killing it. [01:04:13] Speaker B: Fun. [01:04:14] Speaker A: Yeah. I was going to say happy Valentine's Day again, but I'll hold back. I know it's not really you guys'thing. I wasn't expecting the dropping an octave. [01:04:26] Speaker C: Yeah. [01:04:27] Speaker A: Anything else you all would like to add before we sign off? [01:04:29] Speaker C: No. [01:04:30] Speaker B: Don't forget the leeches. [01:04:31] Speaker C: Yeah, follow me. [01:04:32] Speaker A: Don't forget the leeches. Like I was saying earlier, Valentine's day was, there's a lot of St. Valentines that were martyrs in history, and so there's like, controversy about which one the holiday is actually about. But we've got our own martyr right outside our window. He died in his belief that there was no window there. So he did die for his beliefs. We'll go check on him, have a beautiful bird funeral for him in just a moment. So until next time, thanks so much for joining us for this episode of Technato, and we'll see you next week. Thanks for, for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.

Other Episodes

Episode 305

April 27, 2023 01:00:02
Episode Cover

Technado, Ep. 305: Google Authenticator Adds Account Syncing for Two-Factor Codes

Catch up on the cybersecurity and tech news of the week with Don, Dan, and Sophie as they cover the latest. This week in...

Listen

Episode

July 20, 2018 00:45:25
Episode Cover

The Technado, Episode 58: Week 29 in Review

It was a week of celebrations, and Peter and Daniel marked Amazon's Prime Day, Slackware's birthday, and emoji day. They also cover a myriad...

Listen

Episode 315

July 06, 2023 00:59:52
Episode Cover

315: Sony Spills Playstation Secrets With Sharpie?

In this episode Daniel, Sophie, and Anthony helm the ship while Don is away. Tune in as they discuss all the biggest tech news...

Listen