364: Apple REFUSES to pay $1 Million Bounty! (Plus, WWDC Updates!)

Episode 364 June 13, 2024 01:09:48

Show Notes

Get ready for a lot of opinions on this week’s Technado - Apple’s WWDC 2024 is underway, and we have some thoughts. In other breaking news, Black Basta threat actors may have exploited a Windows 0-day, and Fortinet has patched multiple vulnerabilities in FortiOS. And WWDC isn’t the only Apple news this week: the tech giant is refusing to pay a $1 million bounty to Kaspersky labs for some iOS zero-days.

After our Apple tirade, we cover some malicious VSCode extensions with MILLIONS of downloads. Then, we take a look at not one, but TWO 4chan data leaks of some major companies: the New York Times and Disney.

Following a quick break, we say hello to an old friend in this week’s D’oh! Segment: it’s LastPass! The company essentially DoS’ed themselves thanks to a faulty Chrome extension. We also have yet another Recall update - Windows heard the call for better security, and they’re responding by…making Recall an opt-in feature.

Next up, a new ransomware variant dubbed ‘Fog’ that’s targeting US businesses, and NY is introducing mobile IDs to replace physical ones. To wrap up the episode, British semiconductor giant Arm is warning customers about a use-after-free bug.

Want to read further? Check out the articles we covered this week:

https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html
https://www.securityweek.com/fortinet-patches-code-execution-vulnerability-in-fortios/
https://www.engadget.com/apple-intelligence-ai-ios-18-and-the-biggest-announcements-at-wwdc-2024-184422501.html
https://gbhackers.com/apple-kaspersky-zero-days/
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/
https://www.bleepingcomputer.com/news/security/new-york-times-source-code-stolen-using-exposed-github-token/
https://www.bleepingcomputer.com/news/security/club-penguin-fans-breached-disney-confluence-server-stole-25gb-of-data/
https://www.bleepingcomputer.com/news/security/lastpass-says-12-hour-outage-caused-by-

Episode Transcript

[00:00:04] Speaker A: You're listening to Technado. Welcome to Technado, sponsored by ACI Learning. The folks behind ITPro. Quick reminder before we get started, you can use that code, Technado 30 for a discount on your ITPro membership. And that is what we do in our day jobs, and we have a lot of fun doing it. So we're working on a cloud related course right now, cloud security course. And, well, man, we just. We try to make it fun. So I recommend that you check it out, if you haven't already. But I'm Sophie, if you don't already know me. And I'm here with Daniel Lowry. And we have got some fun stuff going on today. Apple's WWDC conference happened this week, so we're gonna talk about that. Cause that's pretty big. I think some cool stuff came out and, yeah, I think we got a lot to cover this week. What say you, Daniel?
[00:00:42] Speaker B: Plenty of security and other tech related news for us to get through today. I'm feeling the Saturday morning just got out of bed vibe with both of us today. Very. Just like, throw on t shirts and watch the cartoons. Listen, you can't be a little laid back on a podcast. Well, what's the purpose of doing it?
[00:01:01] Speaker A: What's the point? What's the point?
[00:01:02] Speaker B: That's right.
[00:01:02] Speaker A: We don't want you to feel like you gotta get dressed up to watch Technado.
[00:01:05] Speaker B: No suit and ties here.
[00:01:06] Speaker A: We want your authentic self here on Technado. So before we get into the articles that we have picked out here that we wanted to talk about, there's always some stuff that happens. Like, right as we're getting ready to record stuff that comes out that it's like, oh, this is new.
[00:01:19] Speaker B: Yeah.
[00:01:20] Speaker A: So we, you know, we want to talk about some of that stuff, right? And it's breaking news, so, you know, we want to cover that stuff as best as we can. So this is a new segment we call breaking news.
[00:01:31] Speaker B: Breaking news as I smash this.
[00:01:37] Speaker A: Wow. All right. Thor without his hammer. This is great.
[00:01:40] Speaker B: Hammer.
[00:01:42] Speaker A: I guess he is British, isn't he?
[00:01:44] Speaker B: He's got a British accent, but even though he's Australian. Yeah, the actor.
[00:01:47] Speaker A: It's an interesting choice if you haven't.
[00:01:48] Speaker B: Seen the interview where the girl that is interviewing him is saying that his accent, his Australian accent is very alluring, and then he proceeds to make the case that it's not. It's very hysterical. Very funny. You should check that out.
[00:02:02] Speaker A: Oh, that was gratis. Bonus information. Bonus from Daniel here on Technado.
[00:02:06] Speaker B: Yeah.
[00:02:07] Speaker A: So the breaking news that we've got here today. First up, Black Basta ransomware may have exploited MS Windows zero-day flaw or may have exploited MS Windows zero-day fly. I read that incorrectly. I love the lack of articles that appear in, like, headlines. The. There's no the or a or an. Hard for me to read. Yeah. What do you need English for? So threat actors may have exploited a recently disclosed, disclosed privilege escalation flaw in the Microsoft Windows error reporting service as a zero day. Kind of scary. Anytime you see zero day, it's like.
[00:02:35] Speaker B: Uh, oh, yeah, you better, better start looking for them patches, right? And, uh, hopefully there is a patch out for this already. I know. I noticed that my Windows system patched this morning. I came in and I said, oh, look at that, I'm at the login screen. That is, that's kind of funny because that's not where it was when I left it last night. But yesterday was Tuesday. Is it pat? Was it Patch Tuesday? Or is this the first Tuesday of the month? No, the last Tuesday is second Tuesday of the month.
[00:03:02] Speaker A: And that, and that would be this week.
[00:03:03] Speaker B: That would be this week.
[00:03:04] Speaker A: So I bet you it was Patch Tuesday.
[00:03:06] Speaker B: I bet it was.
[00:03:06] Speaker A: So smart. This is why he's the expert. Expert. Strong word.
[00:03:13] Speaker B: I feel like you're setting a bar here. Yeah, you need to go a little. Couple rungs lower.
[00:03:17] Speaker A: I'm trying to set you up for failure. That's my only, that's my only role.
[00:03:20] Speaker B: Here to bust chuck me right here.
[00:03:23] Speaker A: So I'm looking at the CVE that Microsoft has listed here. It's 7.8 is the score that they've given it.
[00:03:30] Speaker B: So decently high.
[00:03:31] Speaker A: Decently high. Like I say, I'm desensitized because I'm so used to like, oh, it's a ten. It's a 9.5. 7.8. Still pretty high.
[00:03:37] Speaker B: I mean, if you got Black Basta already, like, taking advantage of it, I feel like that is a worthy thing to be concerned about at this point.
[00:03:46] Speaker A: Yeah. I wonder though, like you said, I don't know that it says anything in this. We're pulling this from The Hacker News. I wonder if there is a fix for it. I'm not. Maybe I'm missing it, but I'm not seeing anything about nothing patch or fix.
[00:03:58] Speaker B: And then there, I did see an article today. I want to say that there was like 51 patches released last night.
[00:04:06] Speaker A: Oh, good. Okay.
[00:04:07] Speaker B: And there you go. So it's probably rolled up in that, I bet.
[00:04:11] Speaker A: Okay. I would assume that makes sense. Okay, well, hey, if you happen to know, let us know in the comments. Cause like I said, this is breaking. So we are just.
[00:04:19] Speaker B: Yeah.
[00:04:20] Speaker A: Looking at this right now.
[00:04:21] Speaker B: You're watching us process this info in real time.
[00:04:24] Speaker A: So you're seeing the wheels turn very slowly. Yes, in real time. The lawn mowing shirts.
[00:04:30] Speaker B: The lawn mowing shirts.
[00:04:32] Speaker A: Interesting. Okay. We're hearing our director.
I'm wondering if he's just trying to make me feel like I'm crazy. So that was the one of the things.
[00:04:38] Speaker B: He's sitting behind the chair and he's like, I feel like I'm going for a lawn mower shirt.
[00:04:44] Speaker A: I don't think you realized his mic was on.
[00:04:45] Speaker B: Yeah, yeah.
[00:04:46] Speaker A: He's adding surprise commentary to the show.
[00:04:48] Speaker B: Yeah.
[00:04:49] Speaker A: Well, that was one of the breaking news articles we wanted to cover. This next one also come into us from The Hacker News. China backed hackers exploit Fortinet flaw, infecting 20,000 systems globally. So also some pretty big numbers that we're dealing with here. State sponsored threat actors backed by China gained access to several thousand Fortinet FortiGate systems, exploiting a known critical security flaw. But now this says it was between 2022 and 2023. So it's just recently finding out that the impact was a bit broader than we initially thought, it seems like.
[00:05:20] Speaker B: I guess. So I'm reading on SecurityWeek where they have an article about Fortinet patches, code execution vulnerability in FortiOS. Right. So I'm wondering if these are related because. Yeah, Fortinet.
[00:05:33] Speaker A: Okay. Yes, that is true. Yeah. We do kind of see them pop up.
[00:05:36] Speaker B: We hear them a lot.
[00:05:37] Speaker A: I mean, they're no LastPass, but they do, you know, they do pop up from time to time. I guess when you have a big organization like that, it follows that the bigger the organization, maybe the more issues.
[00:05:49] Speaker B: You're going to have. A lot of it comes from where you have these companies that build a good reputation. They build an amazing tool, and then they get acquired, and then after the acquisition, it's not as good as it once was. That seems to be the modus operandi of a lot of things, how that just kind of works itself out that way because there's no longer that tight knit focus.
So, unfortunately, you do see that happen a lot.
[00:06:19] Speaker A: Oh, you know what? The story I'm looking at about Fortinet is different from the one you're looking at, really, same, same day. So they're both very recent. So they're dealing with. There's a.
[00:06:29] Speaker B: Mine is about. There's a patch.
[00:06:30] Speaker A: Yes.
[00:06:30] Speaker B: Right.
[00:06:31] Speaker A: Yes. Different flaws.
[00:06:32] Speaker B: Patching flaws.
[00:06:32] Speaker A: That one has a patch.
[00:06:33] Speaker B: This.
[00:06:34] Speaker A: Yeah, I think the one I just found. The one that you're looking at.
[00:06:36] Speaker B: What's your CVE?
[00:06:38] Speaker A: This one says, the findings build on an earlier advisory dealing with CVE-2022-42475, with a score of 9.8. So these threat actors are building on a previously exploited flaw.
[00:06:51] Speaker B: But it says, my CVEs are CVE 202-42-3110 and CVE 2024 26, 10260 10 and CVE 2023 or 6720.
[00:07:11] Speaker A: Okay, gotcha. So this, the one that I'm looking at was just. There were recent findings. They just now are figuring out, oh, it happened a year or two ago, and now they're just realizing, oh, this is worse than we thought. But yours, I feel like, is more pertinent because it's a patch and it's good news.
[00:07:27] Speaker B: Get that patch.
[00:07:28] Speaker A: Yes.
[00:07:29] Speaker B: Feels safer.
[00:07:30] Speaker A: He's like a Band-Aid commercial. Yeah, I'm stuck on patches.
[00:07:34] Speaker B: Patches stuck on me, mom. I skinned my elbow.
[00:07:39] Speaker A: Those are catchy commercials. They did a good job with.
[00:07:40] Speaker B: They have, like, Bert and Ernie on them.
[00:07:43] Speaker A: Births. Quite a few Disney stars from those commercials. They're like I said, I'm like, she's on, like, good luck, Charlie, now. Like the heck. So, yeah, that's a good commercial series. Anyway, that's gonna do it for breaking news.
[00:07:53] Speaker B: Breaking news.
[00:07:54] Speaker A: But of course, we've. We've got so much more that we want to talk about here on Technado. Like I said, that Apple WWDC did happen this weekend, so that's gonna be our first thing that we wanna talk about. Just get it out of the way, because I know it's not particularly super security focused. There weren't a lot of, like, security related things that were announced.
[00:08:10] Speaker B: Well, we can throw it out there, right? Like, there are. I'm very security focused because that's what I do. She is security focused as well, but she has other interests. And it's like, cool, start throwing anything you want on the fire. So we're gonna probably start kind of taking the role of Don. Yeah, he rests.
[00:08:27] Speaker A: I'm gonna try. He's retired.
[00:08:31] Speaker B: Yeah, he's retired. He is resting on some beat somewhere. Except Nicoladas laughing at us hysterically. Yeah, but you're gonna take a little more of a Don role on this now.
[00:08:39] Speaker A: I'm gonna try to. I can't say that I'm gonna really pull a lot of hardware news, because I'm just not as well versed in that area as Donegan was. But that's also not his full name, I don't think. But I'm gonna.
[00:08:49] Speaker B: Donaghan.
[00:08:49] Speaker A: I'm gonna choose to call him that. Donegan. It's more fun than Donald, I feel like.
[00:08:52] Speaker B: Donwell. Noriega.
[00:08:54] Speaker A: Huh? That didn't sound like a word at all.
[00:08:56] Speaker B: So there was a guy named Manuel Noriega.
[00:08:58] Speaker A: Oh, okay.
[00:08:59] Speaker B: He was the leader of Nicaragua, was it? Forget why.
[00:09:03] Speaker A: Why do you know that?
[00:09:04] Speaker B: Because I grew up in the eighties.
[00:09:06] Speaker A: Okay. All right.
[00:09:07] Speaker B: We watched the news growing back in my day. That's right. We knew what was happening in the world.
[00:09:14] Speaker A: We didn't get our news from the TikTok.
[00:09:16] Speaker B: You crazy kids and your tech ticks and your. Well, Instabrand.
[00:09:23] Speaker A: Instabrand.
[00:09:24] Speaker B: I'm trying to make old stuff up.
[00:09:25] Speaker A: Awesome.
[00:09:26] Speaker B: On the fly.
[00:09:27] Speaker A: No, that was beautiful. That was truly beautiful. There are a lot of things that I missed out on that happened in the eighties. There are a lot of things that folks that grew up in the eighties didn't have. New developments, new technology that people, my generation, are gonna get to benefit from. Like, a lot of the stuff that was announced at WWDC, as you could probably guess, a lot of AI related stuff. But important clarification, they didn't refer to it really as AI. It's Apple Intelligence. That is their AI, but it's Apple Intelligence. Full name every time. They will not refer to it as AI. So they're, they're purists about this, I guess. So they talked about updates, right? They talked about updates coming to iOS, iPadOS, macOS. One of the ones that people were really, really excited about is, I guess, iPad's finally getting a calculator app. It has not had one until now.
[00:10:10] Speaker B: The heavens have opened.
[00:10:12] Speaker A: Yeah.
[00:10:12] Speaker B: And angels have descended.
[00:10:14] Speaker A: I know, I know. So big one was definitely Apple Intelligence. They've talked about incorporating AI into their devices at the operating system level. So that's interesting. People had some opinions about that.
[00:10:26] Speaker B: Yeah, that's interesting that the operating system will be run by AI or will have some sort of. How. How does AI integrate with their operating system? And why is AI incorporated into.
[00:10:39] Speaker A: Well, yeah, I feel like a lot of this stuff, it's like, do we need this? But what do I know? You know? I think. I mean, I. A lot of times I see this stuff and I'm like. It's like the Windows Recall thing. I'm like, what problem is this?
Solving this problem didn't exist, so it.
[00:10:54] Speaker B: Was a hammer looking for nail.
[00:10:55] Speaker A: And a lot of people are like, Apple's late to the AI race. Like, wow, you're. You're several years too late. Android's had all this stuff. Other folks though, are taking the, the opinion that, well, maybe they're a little bit later to the game, but maybe that's because they were taking their time to try to do it right and do it securely. That could very well be the case. So, I mean, if I have to wait a little longer for certain features and they're maybe a little bit better and more secure as a result, I'm not mad about that. As impatient as I am, I was.
[00:11:19] Speaker B: Really hoping to give a crap.
[00:11:21] Speaker A: You're also not like an iPhone user.
[00:11:23] Speaker B: So I don't use Apple, bro.
[00:11:24] Speaker A: It makes me speak too soon.
[00:11:28] Speaker B: Honestly, for the most part, this is just like my work machine.
[00:11:31] Speaker A: Yeah, yeah, yeah. Hey, I'm a PC user, I don't fault you. But I am also an iPhone girly, so I can't.
[00:11:37] Speaker B: All my Apple hardware at home has a Linux on it now, so.
[00:11:39] Speaker A: Really? Yeah, see, I can't be bothered to do that. But one of the main things concerning Apple Intelligence is Siri is going to be getting an AI infusion is going to be working hand in hand with ChatGPT. You might have heard that Apple's got kind of a collaboration going with OpenAI. So in theory, the way this is going to work is when this finally rolls out, when you ask Siri a question, she'll be, she'll either answer it the way she usually does and deal with it herself, or she'll be like, hey, this seems like it'd be better suited for you to ask ChatGPT. Are you okay with me passing it on to them or to that, you know, system? And you could say yes or no. You want this to be answered by ChatGPT, you can use it for free. You don't need an account, it's just incorporated into Siri.
So kind of cool in theory. I don't know if there are really any security implications that would come with that.
[00:12:23] Speaker B: I'm sure there are.
[00:12:24] Speaker A: I know there are companies that like.
[00:12:25] Speaker B: Well, because people will do stupid things like, hey, if I had an API key that is this, and then all that data kind of gets pushed in. People will do dumb stuff just because we don't think our way through a lot of stuff. We just want an answer.
[00:12:40] Speaker A: Yeah, absolutely.
[00:12:41] Speaker B: I'm not trying to like, you know, just on the user or whatever, we just end up doing human things.
[00:12:48] Speaker A: Sure.
[00:12:49] Speaker B: I'm using the word dumb facetiously.
[00:12:52] Speaker A: Well, a couple of the other things. There was a lot that was announced and some of it is updates for watchOS, updates for visionOS and all this stuff. And that's cool. But a couple of the things that stood out to me were they're going to have their own passwords app. Now you can save your passwords in your phone or whatever and go into your settings app and look at them. But this is a separate app. So it's available for or will be available for iOS, macOS, iPadOS and Windows. They'll have a Windows.
[00:13:15] Speaker B: So it is a password manager. Right. But it's a password manager. But it is a part of the operating system. So if I have an Apple device, will it come with this password manager by default or will I need to go and download and install said app? If I want another password manager? I want to stick into that Apple ecosphere as so many people like to do. Make sure you wear the uniform. But Apple user.
[00:13:37] Speaker A: That's a good question.
[00:13:38] Speaker B: Right.
[00:13:38] Speaker A: It doesn't say if it's going to come installed the way that like the voice memo, Safari or whatever comes installed. It just says that it builds on the technology of iCloud Keychain to save passwords, login credentials.
That was the other thing I thought was interesting that they're developing this and this is going to be available because Apple has talked quite a bit about wanting to go passwordless. Right.
[00:13:55] Speaker B: I thought that was no idea.
[00:13:56] Speaker A: That's like one of their.
[00:13:57] Speaker B: We talked into Apple.
[00:13:59] Speaker A: Yeah. That's fair. Well, I mean, I guess you don't really have to because you don't use a lot of their stuff.
[00:14:02] Speaker B: It's fun for me.
[00:14:02] Speaker A: It's fun. It's fun for you. Must be nice. But they've definitely talked before and we've had articles here where they've mentioned wanting to go passwordless. So interesting now that this is something they're offering, but a lot of people are, oh, this is going to be better than Bitwarden or LastPass. Well, it's not hard to be better than LastPass.
[00:14:17] Speaker B: No, LastPass is that scraping the bottom.
[00:14:19] Speaker A: Bars, the bars on the phone.
[00:14:20] Speaker B: I would assume that all their comparisons will be to LastPass so that they can look good.
[00:14:24] Speaker A: Yeah, right. Exactly. As opposed to LastPass, who's had this list of problems and this has.
[00:14:29] Speaker B: And they're going to lean heavily on the fact that if you're running an iOS device, why go somewhere else? Yeah, this is built by us. You've already trusted us, you love big brother.
[00:14:41] Speaker A: And I guess that maybe the other thing would be because they are gonna offer a Windows version of the app if you're using it on your Mac and on your iPhone. And then maybe you have like a PC you use for some stuff you could still have. You could be using the same. You don't have to. Well, I can only use this for my Mac and I gotta use Bitwarden or whatever for my PC. I'm happy with what I have. I don't think I'll probably switch, but.
[00:14:59] Speaker B: They still allow you to use third party, so yeah, that's cool.
Go out and use a third party if you like it. If you like the, the Apple built one, get buck wild.
[00:15:07] Speaker A: It'll be interesting to see if it's any better. Maybe it'll just be a better UI. Like maybe it'll just look nicer. Who knows?
[00:15:13] Speaker B: We will see.
[00:15:14] Speaker A: Wait and see. The other thing that I wanted to mention is probably one of the bigger things that folks are excited about. RCS support is going to be coming. That stands for Rich Communication Services, I.
[00:15:24] Speaker B: Believe no longer will get a. Sophia liked this message because I'm an Android user.
[00:15:32] Speaker A: Yes, that is true. That is true. And then the other thing that was a positive development that comes with that is end to end encryption, it's going to be by default now included. So thought that was kind of neat. Better media sharing support for better group chats is. It's great for convenience sake and it'll make it easier to have group chats between the Android user. And it's a pain.
[00:15:52] Speaker B: They are a pain in the a.
[00:15:54] Speaker A: Even if you're not dealing with different devices. Even if I'm in a group chat with all iPhone users, it's just annoying, right?
[00:15:58] Speaker B: Because now everybody that responds to then they're probably not responding to something you said care about. And now it's the never ending chat that you got to keep getting. It's like, okay, mute notifications from this and then you miss whatever because they randomly bring you up into the conversation. Like, why didn't you answer? Yeah, here's the thing. You and your damned group chat I got. Yeah, I hate group chats.
[00:16:20] Speaker A: I end up muting them every time.
[00:16:21] Speaker B: Just call me.
[00:16:22] Speaker A: It's just too much. It's just I don't even like it. I mute half of my regular text threads cause I just get annoyed by the notifications.
A couple other things before we move on to this, this next article, a couple new privacy features. You can now lock apps specific apps behind, like a Face ID or Touch ID wall. So if I let somebody borrow my phone and I want to lock like my messages app, my banking apps, my email apps or whatever. Cause I don't want them messing with them. I can do that. Some of those apps come with a. Like, my banking app has a Face ID and Touch ID wall anyway. But regardless, you can also hide apps in, like, little folders, like, hidden folders. I thought you could kind of already do that. But I guess the difference is you can hide an app and what looks like another app where. And that's like a. You know, they'll have, like, it looks like a calculator app, but it's actually a hidden photo album with stuff on it that you probably shouldn't have. Right, exactly. But hidden apps, I don't know why you would want to, other than maybe I'm just jaded, but the only reason I can think that you would use, like, oh, I want to hide this app in a folder would be for, like, nefarious purposes. Yeah, that just seems like if I told my mom I had, like, a hidden app on my phone, she'd be like, what are you. What are you.
[00:17:26] Speaker B: What are you hiding?
[00:17:27] Speaker A: Yeah.
[00:17:27] Speaker B: Yeah.
[00:17:28] Speaker A: What. What wrong thing are you doing?
[00:17:30] Speaker B: I mean, again, it's tools. You can use tools for good or evil.
[00:17:33] Speaker A: So some cool privacy stuff that's. That's gonna be coming. A lot of this is gonna roll out in the fall or later, towards the end of the year, so be interesting to see how it actually plays out. Smack the mic in real life. And then, of course, there was the hit.
[00:17:44] Speaker B: That stupid mic.
[00:17:44] Speaker A: I was mad. I was mad about these updates. There was the Genmoji stuff, too, where you can generate an emoji with AI, like, tutu-wearing T. rex riding a surfboard.
So, like, fun stuff that got announced.
[00:17:55] Speaker B: But that's what you call it.
[00:17:56] Speaker A: You can go and watch that keynote and review the. We're gonna put all of these articles in the. In the description as well, if you want to look at them in more detail, but.
[00:18:02] Speaker B: All right, we hit that horse enough.
[00:18:03] Speaker A: Let's speak. Well, well, we're not done talking about Apple.
[00:18:05] Speaker B: No, we're not. But we're done with that article.
[00:18:07] Speaker A: We're done with that article. Yes. But Apple, in other news, has refused not. See, now I don't believe you. You're holding the label facing away from me, so I can't see. Suspicious. Apple refused to pay a $1 million bounty to Kaspersky Lab for iOS zero days. And this, to me, I was like, well, that just seems mean. That seems rude. Why would you do that? But, Daniel, you kind of gave me some insight that I didn't have previously as to why this might be the case.
[00:18:35] Speaker B: Okay, so there's a lot that kind of goes along with this anytime, especially in, like, the United States. When you mention the name Kaspersky, you think Russian because they are a Russian company. They are in Russia. All their, most of their holdings, if not all of them are in Russia. The employees are Russian. Fun fact, we're not real friendly with Russian people. And the country, I say, well, I'll say it's people not to be country. Yeah, right. As a state, they're not our best friends. We're not going camping anytime soon.
[00:19:10] Speaker A: Right?
[00:19:11] Speaker B: So the fact that we have a Russian cybersecurity company going, hey, I found bugs. Now, I will say this. Like, back a few years ago, Don asked me to kind of round up what would be a good EDR solution for ITPro and ACI. And I looked at Kaspersky, I looked at Sophos, and I want to say there was one other, but I forget what it was.
As soon as Kaspersky got out of my mouth, he's like, no, they're Russians, right? I was like, oh, well, yeah, they are Russian. That's right. But I've used Kaspersky and it's really good software. He goes, I don't care. It's Russian and I don't trust them. So. Okay, so maybe there's some of that kind of baked into what's going on here, because basically what ended up happening was Kaspersky discovered that there was a flaw in the iOS, in the most recent iOS, and they called it Operation Triangulation. I think we've reported on this in the past. If not, we should have, because it's a really big deal. That was a zero click, zero day full takeover of Apple phones, iPhones. You would think that that's, that's kind of scary right there, right? We. We don't like these things. They did disclosure. They gave it over to Apple. Apple has created patches for it, and we're off to the races. Now, this is a bug. Kaspersky does not work for Apple. They are entitled to bug bounty fees, which Apple is not going to pay them. Apparently, they have made no indication that payment is coming and forthwith. And this is the kind of flaw that would normally garner a bug bounty hunter large sum of money up to the tune of $1 million. Right? So you start to put all the pieces together. It's like. So Kaspersky comes out and says, hey, we're not even really looking to get the money. We just don't understand why you're not paying out. We have plenty of money, but we typically take these kind of large bounties that we get and give them to charities. So I think in the article, they said, we even told Apple, you can just give it straight to charity. Here's a list of charities. Pick one and give it to. Crickets. Other than a thanks, we patched it.
[00:21:30] Speaker A: Yeah. All they said was, oh, due to internal policies, we. We will not be providing payment. Internal policy. Whatever the internal policy, there was no context. That was it.
[00:21:38] Speaker B: Now, I'm not trying to say that they should or shouldn't give money to Russian companies that may or may not be arm of the FSB, because it is interesting, and out of their own mouths, they do say that they discovered that this x, this is how they discovered the Operation Triangulation malware was that their FSB phones and foreign dignitaries and others had their phones compromised, and that that was due to that. They had heard by a little birdie that Americans were performing espionage to infiltrate into those phones to try to gain access and learn a little bit more about what's going on in Russian intelligence. So that's why they started investigating the phones, discovered that they had this malware reverse engineered, figured out the flaw, and then disclosed that flaw to Apple. Again, this all comes from Kaspersky. So you take it or leave it as you will. I'm just reporting the news. These are the quote unquote facts of the matter. You do with it as you will. So Kaspersky did say that they now have taken all iPhones out of their corporation, that they no longer will use iPhone. They are using Android based devices. Now, they didn't say that was because of this flaw or that they were less secure phones, but they wanted to have more visibility into the operating system that their organization uses for more control and more options. So I can. I can see that.
[00:23:08] Speaker A: I think it is interesting. I mean, I understand it's. It's a complicated political climate.
[00:23:12] Speaker B: Absolutely.
[00:23:13] Speaker A: So it's. It's hard to say definitively whether, like, yeah, you should definitely pay them or, yeah, good on Apple for standing their ground, if you can call it that. But it is interesting that if. I wonder if it was any other country, for instance, like China. Yeah, there's obviously a little. Some tension there. Right.
So I wonder if there was a company like Kaspersky that was based in China, that was Chinese, you know, and that TikTok. Okay, let me start over. They did the job that Kaspersky Labs does, that they had found a zero day zero click flaw and reported it. And Apple was like, thanks for not paying you. I wonder if it would be the.
[00:23:47] Speaker B: Same because I would think probably not. They probably would pay because while we're not friendly with China as a government, we are friendly with China as a business. So my guess would be that they would. Right. Whereas we have like complete sanctions on, on Russia.
[00:24:05] Speaker A: Right? That's true. Yeah.
[00:24:07] Speaker B: Like, so I'm a guitar player and if you are a guitar player, you might be into tube amplifiers. And there was, there are three places in the world where tubes are still built. Vacuum tubes as. And so most technologies move to transistors. There are three places in the world. One was in China and it burned to the ground. Another is in like Slovakia. And the most since the Chinese place burnt to the ground. The biggest player is in Russia. And so you can't get tubes from Russia anymore.
[00:24:39] Speaker A: Wow.
[00:24:39] Speaker B: So if you have guitar. And good news is those tubes last forever.
[00:24:44] Speaker A: So if you can get your hands on some.
[00:24:45] Speaker B: Yeah, there's like fifties Fender amps that still have the original tubes in it that still play just fine. Now they do blow and they do, you know, fizzle out and then you would need to replace them, but if you don't push them hard, they'll last a long, long time. So interesting stuff.
[00:24:59] Speaker A: I have no musical talent, so I wouldn't know. I don't play any kind of instruments. It's, you know, it's just not my thing. It's not where my talents lie, but it's an interesting fact. And that was gratis. That was free. I'll be interested to see if more comes out about this.
If Apple does end up getting more specific with why or if they just leave it where it is, but there is a patch for it. They acknowledge the folks that found it, the Kaspersky Labs folks that were involved, I think it was four of them. So they named them, gave them credit when they said, hey, there was this flaw discovered by these people. So they're not denying that.
[00:25:27] Speaker B: I mean, you got bragging rights. What more do you need?
[00:25:30] Speaker A: Yeah, what's a million dollars to a, to a big firm like that, to a big company like that? But I know Daniel's probably.
[00:25:38] Speaker B: We're just not privy to the inside baseball that goes on at Apple and or Kaspersky.
[00:25:42] Speaker A: Hey, baseball's not allowed in Russia.
[00:25:44] Speaker B: That's right.
[00:25:44] Speaker A: That's an American sport.
[00:25:45] Speaker B: American sport, damn it.
[00:25:46] Speaker A: It's America's pastime. Dang it.
[00:25:47] Speaker B: America.
[00:25:49] Speaker A: But I know that Daniel's probably tired of talking about Apple. Cuz he's not an Apple dude. He's not a big, big Apple fan.
[00:25:55] Speaker B: I thought that is more of a Kaspersky thing than an Apple thing.
[00:25:58] Speaker A: Well, that's where we differ, you and I. We're not so different, you and I. Couple other articles we want to talk to before we take a break here on Technado. This next one comes to us from BleepingComputer: "Malicious VSCode extensions with millions of installs discovered." That's always fun. This was a group of Israeli researchers that discovered this. They were looking at the security of the Visual Studio Code Marketplace. And this is something that I've poked around with VS Code before and tried to learn it. And I haven't been super successful so far, but I'm trying, you know, so hearing that, oh, okay. Millions of downloads with this, I got concerned because I have a little extension that I use and I was like, is it that extension? Am I screwed?
It's not. It's a theme. Okay, gotcha.
[00:26:41] Speaker B: So when you download something like VS Code and other editors, a lot of them will have the ability to do extensions, because when you're standing there banging away at a screen all day trying to get some code to work, it's nice to be able to see things, bring attention to certain things. And so we have like, themes that will help with. So it'll colorize different things. So if you're creating a function, it'll colorize the function. If you're creating an if statement, a block, a block of text will look a certain way. If you're creating variables and stuff, it will kind of highlight these things in various colorized fashions. And of course, do you want a very contrasty white background or a much more contrasty black background? Are you working in the daytime or nighttime? A lot of people have different tastes when it comes to what it looks like visually. That's where these themes can come into play. You can find a theme that works really well for you, that makes the visuals much more easy for you to kind of parse through and see. And the Dracula Official theme is one of those. And it's a very popular theme for VS Code. So these Israeli researchers went, I wonder, I wonder if what if we did a little experiment. Let's see what would happen if we created basically a copy of the Dracula dark theme, stuck it in the VS Code repository. It's like a. They call it a marketplace, I believe, the VS Code Marketplace, and see what happens. Will people get fooled? So they took the code for Dracula, and then they embedded some stuff, basically some phone home. Who is it? What are they doing? Just some, some basic ideas. And it'll phone back to a kind of a, for lack of a better term, like a C2 server. It's not really doing C2. I don't think they're, they're taking any control. They're just, just gathering data about the people that have downloaded there. And they did a typosquat.
So they mimicked everything about the Dracula theme and they typosquatted it as Darcula.
[00:28:53] Speaker A: And see, I don't even know that I would register that as a typo because I would think it was a pun like, oh, it's Dracula, but it's a dark theme. That was on purpose. So that maybe I'm stupid, but I.
[00:29:03] Speaker B: Would just think that was the uninitiated tough. Definitely going to get those people. And honestly, it's real easy to make these kind of mistakes in your head. You just see it in your eyes. Your brain kind of fills in the gaps. You ever seen those, those things where it's like a block of text as if you can read this, you're smarter than.
[00:29:21] Speaker A: Right?
[00:29:22] Speaker B: Yeah, there's no real words there. It's just the beginning and ending letters for each of the words.
[00:29:26] Speaker A: And your brain, your brain kind of.
[00:29:27] Speaker B: Fills in the middle parts. That's what happened. They're just taking advantage of how the human brain works. You're hacking humans. Fun, right? And through that they were able to do this. Now here's where the real fun comes into play. Because Visual Studio Code is a Microsoft-sanctioned piece of software. It's an application that Microsoft makes and is used for the purposes of writing, running and working with code and executing, allocating memory, doing all sorts of stuff. It has basically a do whatever you want ticket when it comes to most antivirus and EDR solutions. So this is a hacker's playground. A threats are going to go, what? Hold up. Swelled up. This is going to be fun because they're so. We've seen this with npm, we've seen this with PyPI, we've seen this with other repository software repositories where I can put in useful pieces of code. You download them. Aha. That was malware player. Enjoy. That's what's going to happen here. And it's going to be very difficult.
So it's going to take a lot of eyes and curators and people that are vigilant to watch what goes into the marketplace and call out bad stuff and doing a lot of. Anytime something new hits the hits the marketplace, download it, put it in a sandbox, evaluate, reverse engineer, see what it's doing. Does it do anything malicious? And then warn and so on and so forth. That's, that's basically at this point what's going to have to happen. I'm sure there's other things you could do as well. I'm just spitballing off the top of my head, uh, some of the things that I know that they're going to have to do just to keep those places safe.
[00:31:13] Speaker A: Well, it looks like they, they did. These same researchers found like it wasn't just the, the Dracula one. They found like a, over a thousand extensions that had similar issues where there was risky code and stuff in there. Um, and a whole bunch of other issues that popped up. It was over 8000 communicating with hard coded IP addresses, almost 15,000 running unknown executables. So other issues and reported all of this to, I guess, Microsoft, I think. And Microsoft hasn't really said anything. Vast majority are still available for download on the VS Code Marketplace and Microsoft has not responded at this time to any.
[00:31:47] Speaker B: Makes me feel better.
[00:31:48] Speaker A: Oh yeah. I mean to be fair, it was Patch Tuesday yesterday. They've been busy.
[00:31:51] Speaker B: Yeah, they were busy. They had a lot of patches.
[00:31:53] Speaker A: Yeah, a lot going on.
[00:31:54] Speaker B: And like last thing I need is this bull crap.
[00:31:57] Speaker A: They probably sent some people as spies to WWDC, see what Apple's doing. So, you know, I can't blame them. They got a lot going on. Activision won a lawsuit last week. That's a Microsoft thing.
[00:32:06] Speaker B: Lot of irons in the fire over for Microsoft.
[00:32:09] Speaker A: But I thought that was kind of interesting how they, I mean it was neat that they didn't just stop there, that they developed their own tool to find all these other extensions that had issues. And then were like, hey, here on a platter is all of this stuff that's going to be.
[00:32:21] Speaker B: The researchers plan to publish their, quote, "ExtensionTotal" tool along with the details about its operational capabilities next week, releasing it as a free tool to help developers scan their environments for potential threats. So thank you so much, Israeli hackers and researchers doing a great job and we appreciate it.
[00:32:37] Speaker A: That's neat. Gives you a little bit of hope with all of the bad actors that are out there.
[00:32:41] Speaker B: Absolutely.
[00:32:41] Speaker A: Folks trying to balance it out. Well, speaking of bad actors and threats, well I don't know if you call this a threat, this might just be a kid being dumb, but we had a couple of 4chan posts this week. I'm not on 4chan, I'm not on 4chan. I know well enough to stay away from that. It's not. It's just a bad idea.
[00:32:57] Speaker B: I had a phlebotomist who was a 4chan user because I mentioned that I was in cybersecurity. She's like, you know, yeah, me and my boyfriend, we go on this site, you've probably maybe never heard of it, but maybe you have. And I was like, what do you do there? She kind of explained the idea. I go, oh, you mean 4chan? She's like, yeah, you know about it? I go, yeah, I know about it.
[00:33:17] Speaker A: You're one of the chosen few. Yeah, if I know about it, it's not a secret. It's if I'm. I'm not informed on this stuff at all. But there were a couple posts that went up on message boards this week. One of them had to do with some source code that was stolen using an exposed GitHub token. This is the New York Times that was affected by this. And the New York Times did confirm, yeah, this happened.
They responded to a request for comment, said, yep, this did happen back in January. There were, I believe there was some credentials to a GitHub repo that were exposed. So it wasn't like a, somebody hacked into their system and da, da, da. It was probably, I guess, an employee that exposed their creds and didn't mean to. And so somebody was able to get in to their GitHub repo, steal 273 gigabyte archive with stolen data. And it was source code. It was data. There's this big post that I don't know if I can. Maybe we can show it, Christian. But this was the post that went up on 4chan. BleepingComputer did not download the archive. Probably smart, but they were able to see a list of all of the folders that were stolen. And it looked like it was quite a bit of stuff. Of course, New York Times did release a statement and said, hey, this happened in January. There was a credential that was made available, but we identified it. We took measures to respond. There was no unauthorized access to our systems, no impact to our operations. We, our security is good. Security good here at New York Times.
[00:34:36] Speaker B: Step one from the we got breach playbook. Step one, deny, admit but deny.
[00:34:41] Speaker A: Admit but deny.
[00:34:42] Speaker B: Yeah.
[00:34:43] Speaker A: Now, this, this by itself is, you know, okay, somebody posted some stuff on 4chan, and there was a leak of stuff. And, okay, by itself, maybe not, not that big of a story. I just thought it was interesting because this is the second time this happened. This week to a company where somebody has leaked a bunch of stuff on 4chan. The other one that happened, this one was some Club Penguin fans that were behind it. They breached the Disney Confluence server and stole two and a half gigs of data. Now Club Penguin is basically a defunct game at this point.
[00:35:09] Speaker B: There's like a game where you hit penguins as a club or you use penguins as a club.
[00:35:13] Speaker A: Yeah, Club Seal was a little too real.
[00:35:15] Speaker B: Oh yeah.
[00:35:15] Speaker A: So they, they switch it to Club Penguin and you know, you have fun, you take out your anger, you club other penguins.
[00:35:20] Speaker B: With, with a penguin you can be.
[00:35:22] Speaker A: A penguin and club other. It's like GTA, but for penguins you can just kill.
[00:35:26] Speaker B: Gotcha.
[00:35:27] Speaker A: We're kidding.
[00:35:28] Speaker B: We're having fun.
[00:35:30] Speaker A: My grandma's gonna watch us be like, what are you talking about?
[00:35:32] Speaker B: So Confluence is a basically like a collaboration software, right?
[00:35:36] Speaker A: I believe so.
[00:35:36] Speaker B: So within there, they were able to exfiltrate it. So they, they infiltrated into the Confluence server and were able to exfiltrate a bunch of sensitive information.
[00:35:44] Speaker A: They stole a bunch of information about the game or that's what they were going for, information about this game. But they ended up walking away with two and a half gigs of internal corporate data. So it wasn't just Club Penguin stuff. The Club Penguin stuff was like upwards of seven years old. It's really only interesting to fans of the game. So if you're a fan of the game, hey, look at that. You've, you've got some data you can look at now, I guess. But the, the big thing was, oh well, it's not just this Club Penguin stuff. It was, let's see, it was only a small part of much larger data set. Documentation for various business software and IT projects used internally by Disney API. Internal API endpoints, credentials for things like S3 buckets. So probably not stuff that Disney really wanted exposed, I would imagine.
[00:36:25] Speaker B: Yeah. As a company that builds internal applications and systems, we know that there are things that they tell us, you can't talk about this, right.
But we are doing X, Y and Z and it's going to be awesome and we're going to be changing the game and all that. So I'm assuming the same happens at such a large of an organization as Disney that they are building things and creating tools and stuff to help make their business practices more efficient, effective and so on and so forth. Not really stuff that they want to release to the public per se. Probably not super damning or crazy, you know what I mean? It's just internal stuff, right.
[00:37:04] Speaker A: That stuff by itself isn't really like, it's like, if somebody, if I found out that some of my information got leaked and it was like, my name and my email address, and then maybe like, an address I used to live at, I still wouldn't love that. I'd still be like, eh, somebody could still use that to try to get to me. But I'd be a lot more concerned if it was like, my Social Security number or something like that. Or my credit card number. Right.
[00:37:21] Speaker B: Credit card number.
[00:37:23] Speaker A: That's a rough one. So I feel like something like this is. You could potentially use this information. One of the things that they mentioned was links to internal websites used by Disney devs that could be valuable for threat actors that are trying to target the company. So, like anything else, you could use this stuff to try to craft an attack, I guess, and sneak your way in there. But, yeah, by itself, I don't know that it's particularly damning, I guess. Disney obviously did not respond. I'm not surprised. They also have a lot of irons in the fire and, yeah, no reply from them.
[00:37:54] Speaker B: Just Mickey Mouse. Like a person in a Mickey Mouse who came out, shot the bird at him.
[00:37:59] Speaker A: He's like, huh?
[00:38:00] Speaker B: Yeah.
[00:38:00] Speaker A: Disney is very secure. Oh, gosh, I'm sorry. That was rough. And then the other thing was, this data was fairly new. The Club Penguin stuff was upwards of seven years old.
But all this other internal data was from this year, from 2024. So it's not like this is outdated. It's fairly recent.
[00:38:17] Speaker B: Some outdated stuff, some fairly new stuff, and probably a variety in the middle.
[00:38:21] Speaker A: Yeah. For a plethora of information and BleepingComputer said, they said it's not known if it was the same person that conducted the New York Times and the Disney breaches. I don't know that that would have even crossed my mind. I would have just been like, oh, it just so happened that, yeah.
[00:38:34] Speaker B: Two hackers like, ships in a night.
[00:38:36] Speaker A: Yeah.
[00:38:37] Speaker B: Hey, I see you're grabbing data too. High five this, Disney. Did you get in the same Confluence server? Oh, yeah.
[00:38:44] Speaker A: Joining forces.
[00:38:45] Speaker B: Man, that is weak software right there.
[00:38:48] Speaker A: So I don't think it was like a collaborative effort, but who knows? Who knows? Maybe we'll find out later.
[00:38:52] Speaker B: Actually, it was VPN creds, right? That's how they got in. VP... GitHub token.
[00:38:56] Speaker A: That's what. Yeah, yeah. So I think, well, we'll talk about something later that has to do with, with some VPN issues.
[00:39:04] Speaker B: It's really just a dart board.
[00:39:06] Speaker A: Yeah.
[00:39:06] Speaker B: You know, you just go. How'd they get in? Well, they either exploited software. No. It's VPN creds. No. Oh, API key. No.
[00:39:13] Speaker A: Yeah.
[00:39:14] Speaker B: VPN credential stuffing.
[00:39:16] Speaker A: Cover our eyes and throw a dart at a board and it'll be one of those things. Router hacking and phishing. Yeah, we'll look it up and it'll be there. We're going to take a quick break because we are, we are, we have been rambling. We're going to ramble some more after this, but we'll give you a little bit of break from us. We'll be right back here on Technado. Tired of trying to schedule your team's time around in-person learning?
Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in-person courses in private online instructor-led formats. You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient and effective. Our exam-aligned courses inspire the full potential of your team. Visit virtual instructor-led training at ACI Learning for more info. Welcome back for more Technado. Thanks for sticking with us through that break. Consider subscribing to the channel if you haven't already, and drop a like if you're enjoying the episode. Courtesy of our wonderful director Christian and his sidekick Calista, we have a lovely new graphic today for one of my favorite segments that we haven't seen in a long time. It's D'oh! Do, re, mi, fa, so, la, ti, do.
[00:40:30] Speaker B: So D'oh.
[00:40:32] Speaker A: I didn't think I'd be able to hear it, but I can. I thought the sound wasn't gonna go through it.
[00:40:35] Speaker B: Now we can all kind of like, really easily judge your D'oh to the actual Homer D'oh.
[00:40:42] Speaker A: That one wasn't very good. It was too. It was too truncated.
[00:40:44] Speaker B: Too truncated. Yep.
[00:40:45] Speaker A: Yeah, I'll work on it. I'll work on it. Well, this D'oh segment. D'oh segment has to do with, shocker, LastPass, our favorite company to crap on. "LastPass says 12-hour outage was caused by bad Chrome extension update." To my understanding here, Daniel, I'm oversimplifying it here, but it sounds like they basically DoSed themselves.
[00:41:05] Speaker B: That does seem what it'd be. What happened? Yeah, can you imagine? You're a LastPass user, and for 12 hours we're going to play a game of I can't get to your passwords. Neither can you. Fun, right?
Hope you didn't have anything important hidden behind that LastPass app because it's not going to happen and nor could we help you if, if we wanted to. We're, we're trying. So this is another reason for it. Like at this point, who the heck is using LastPass?
[00:41:33] Speaker A: That's true.
[00:41:34] Speaker B: I mean, basically, was it, was it all the beginning of this year or last year? I think it was last year. They just had a string of real.
[00:41:43] Speaker A: It did, it was like every other.
[00:41:45] Speaker B: Week we were talking, right? They were just folly after folly after folly. And now here they are again with another one.
[00:41:52] Speaker A: It was only a matter of time.
[00:41:53] Speaker B: Who is, who is trusting LastPass at this point, if you are? I mean, maybe this is the straw that maybe you're just like giving them the benefit of the doubt. That's cool, I get that. But maybe this is the straw that broke the camel's back. If I did not have access to all my passwords for twelve-hour period, I'm basically like, I can't, I can't do any work, I can't do anything. My whole life is in my password manager and if I can't access it, I'm kind of hosed, I think, and.
[00:42:24] Speaker A: This is just a theory, but I could see this particular event being something that causes a lot of people like not so much the last straw, but the first straw that people were aware of because I think if the other issues that LastPass had were more security issues, if you weren't directly impacted by that and you don't really follow that kind of news if you're a LastPass user and you're, you know, I added all my passwords and I don't feel like migrating stuff over, I'm just going to continue to use it. And you're not really aware of the security issues that are going on, this could be the first time that you've actually been directly impacted by it. Like I can't get to my passwords and now suddenly you're like, well, screw it, I'm done with LastPass.
[00:42:55] Speaker B: Now I'm wondering, you probably have to log in. Yeah, I guess you would have to log in. Which they could not do, right? Yeah, they could not log in at all. They couldn't even use offline login that was broken. This thing was broke. Broke as a broke dog, as they say.
[00:43:12] Speaker A: The saying. Yeah, classic saying.
[00:43:14] Speaker B: Keep it kid friendly here. But definitely see Predator for the full quotation.
[00:43:20] Speaker A: Oh, okay.
[00:43:20] Speaker B: Yeah, I see for all of us that have seen Predator, but yeah, this was not a good thing does not seem. Put them in a good light. They're probably going to now. So this was through the browser extension though, right?
[00:43:34] Speaker A: It was the Chrome one.
[00:43:35] Speaker B: Listen, I'm trying to help them out. I'm trying to give them as much credit as I can. Yeah, I would. I would like the same to be extended to me if I was making a bunch of mistakes and that obviously they're not doing this on purpose because it's just bad business practice. But maybe. Maybe there's somebody at LastPass with just the. The cannon pointed toward the bow of the boat.
[00:43:52] Speaker A: Yeah.
[00:43:54] Speaker B: And is like trying to torpedo them. But does LastPass have an installable app? Like, not a Chrome extension but an actual app? I think they do your machine, because maybe you could install that. Maybe that would have been a good workaround at the be.
[00:44:10] Speaker A: So if I go to the Google Play store, I can get the LastPass password manager. I can install. I'm not going to, but I can install it. And I know there's an app for the iPhone as well.
[00:44:21] Speaker B: So you went straight for phones? I meant my laptop.
[00:44:24] Speaker A: Okay, well, I just mean, like, in general, but that works as well because I've used my password manager up on my phone sometimes.
[00:44:30] Speaker B: You know, I barely ever use my password.
[00:44:33] Speaker A: That's because you don't use your phone.
[00:44:34] Speaker B: For much else besides as God intended.
[00:44:37] Speaker A: Yeah, yeah. On the.
[00:44:38] Speaker B: Your phone is for calling people. Twist my arm. Send a text.
[00:44:44] Speaker A: You need one of those Light Phones that, like, only let you call, text and take pictures.
[00:44:47] Speaker B: So I'm straight up, like, in the market for one of those things.
[00:44:49] Speaker A: Really? They just upload the. Released a new one or they're about to. Yeah, it's. They added some stuff, though, so it's not just calling text anymore. Now you can take pictures and listen to music, I think.
[00:44:57] Speaker B: Okay.
[00:44:58] Speaker A: So they added a few things that. Still not bad, I guess people were like, we really can live without the.
[00:45:02] Speaker B: Niceties of life, right?
[00:45:03] Speaker A: Yeah, but, yeah, still no, like extra apps or anything like that, so. Okay, well, if you're not one of those people, maybe you do have a LastPass app on your phone.
[00:45:10] Speaker B: So I ran into somebody at Wild West Hackin' Fest who had one of those.
[00:45:13] Speaker A: A Light Phone.
[00:45:14] Speaker B: Yeah, she had. It was like. Yeah, it was either that or was another variation. Same kind of idea though, right? And she was like, my. My whatever phone. Her AT&T phone or Verizon, whatever she had. She was like, I'm not getting any signal out here, but my Light Phone, full bars, full signal. And the battery lasts forever. I'm like, all you're doing is selling this. Yeah, you're just selling me this thing.
[00:45:40] Speaker A: I think the initial one was meant to be like, if you just wanted to take a break from your regular phone and kind of step away. But this new one they're marketing is like, they're trying to pitch it as you can. You can get rid of your, I have the picture.
[00:45:50] Speaker B: Phone sales went up by like crazy percentages within the last couple of years because people are like, I need to step away from social media and all the stuff that. It's just, it's too easy to get kind of sucked into this. I know this has nothing to do with LastPass, but.
[00:46:05] Speaker A: Well, but this was also something.
[00:46:06] Speaker B: And if it isn't a good time.
[00:46:07] Speaker A: They announced this this week. The, the Light Phone 3 was announced this week. I almost pulled it for an article, but I ended up. So I'm glad you brought it up anyway. Yeah, it is relevant.
[00:46:14] Speaker B: Never know.
[00:46:15] Speaker A: But I mean, yeah, if, if you are a, a LastPass user, maybe you do have the app on your phone. This particular issue stemmed from the Google Chrome extension, but it resulted in, like, it caused issues with LastPass server. So it's not like, oh, you only had issues if you were using the extension.
[00:46:29] Speaker B: It's because the extension was kind of like bombing the server. Yeah, right. The server could not process the request of the extension and that was causing the issue. Right.
[00:46:38] Speaker A: Yeah, but even if I wasn't using the Google Chrome extension, I would still have run into this issue.
[00:46:41] Speaker B: Right. Because the server's all like going, I don't feel good.
[00:46:45] Speaker A: That's exactly how they said it too. Yep.
[00:46:48] Speaker B: Please stop.
[00:46:50] Speaker A: And some people have said even since they installed the update, they still can't log in or they still can't access certain features. So the outage was done, but it still was causing problems for users. So like you said, at this point, if you're still using LastPass, I have to wonder why.
[00:47:04] Speaker B: It's dubious.
[00:47:05] Speaker A: I want to understand the dubious thing. Please inform me, educate me. You know, I will sit myself down and listen.
[00:47:12] Speaker B: What about LastPass has just marked you out for him.
[00:47:15] Speaker A: So like, you're in like a bad relationship. Yeah, it's like, I just can't explain it. Like the lows are low, but the highs are so high. He's so great.
[00:47:22] Speaker B: I love her so much.
[00:47:23] Speaker A: I just love LastPass so much. Maybe it is, maybe it's like once you've committed to an app like that, it's hard to make the switch.
[00:47:29] Speaker B: I mean, she verbally abuses me every day. It makes me feel really bad, but.
[00:47:32] Speaker A: I can't get in touch with her ever. She has twelve-hour outages.
[00:47:35] Speaker B: Soul person.
[00:47:36] Speaker A: Soul person. Like mate's not already a gender neutral term.
[00:47:41] Speaker B: I'm trying to be PC here.
[00:47:43] Speaker A: All right, fair enough. Well, this is of course not the first time we've seen an issue with LastPass, and I'm sure it won't be.
[00:47:49] Speaker B: The last until they finally put the last nail in the LastPass coffin.
[00:47:52] Speaker A: That was, wow, spitting. That was Eminem level lyrics right there. That's the Eminem of marketing calendars because.
[00:48:00] Speaker B: It doesn't happen very often out of this guy.
[00:48:03] Speaker A: Oh boy. Well, like I said, we do see stuff from LastPass pop up time to time, from time to time. And we're also seeing a repeat of something we've talked about in the last few weeks. You might have heard us mention a feature coming to Copilot PCs called Recall, Total Recall. And I have seen that one.
[00:48:21] Speaker B: I've seen the commercials. Recall, recall, recall.
[00:48:25] Speaker A: That was a good movie. I enjoyed that. I was, I was sat, I was like zoned in for that movie.
[00:48:31] Speaker B: So that movie will get you.
[00:48:33] Speaker A: I would recommend it. It had me in its grip and that wasn't even like a reboot or anything. That was the original.
[00:48:37] Speaker B: That was the OG.
[00:48:38] Speaker A: It was very good. Has not, it's aged very well, I think. I thought it was very good. But Microsoft's Recall, which is decidedly, I mean, I guess it's probably just as problematic as the recall in the movie, maybe in a different way, but there was a lot of backlash to this feature when it got announced that it's not super secure, it's storing things in plain text. And also it kind of is trying to solve a problem that I'm having trouble understanding what problem it solves. Microsoft has responded. They said, hey, we have received a clear signal, we hear you loud and clear that maybe we could improve it a little bit and make it an opt-in service. So we're still going to do it. It's still going to be a service that we're offering or a tool that comes out, but instead of making it default, we'll let you opt in.
[00:49:19] Speaker B: It still begs the question, so we'll give credit where credit is due. Let's start there. Microsoft is listening to their, their market. The users have spoken and they have heard the clarion call and said, hey, I hear you. You know what? Let's go ahead and add some of that functionality and those features around Recall that you have kind of complained about, let's make it a little more safe, let's make it an opt-in feature. But it's still going to be there. Why? Why is it there? Yeah, why do we need this?
[00:49:54] Speaker A: And the way they phrased it was, we've heard a clear signal, we can make it easier for people to choose to enable Recall on their PC and improve privacy and security safeguards. To me, maybe I'm reading into it. To me, the implication there is to improve privacy and security safeguards don't enable Recall.
[00:50:11] Speaker B: Right. So I'm going to turn this into a tinfoil hat section right now, right? Because what the hell are you doing with all. I feel like I cannot substantiate this. That's what makes it a conspiracy theory. But a leap of logic to the idea that you are looking at that data.
Right. This is the company, don't forget that wants to and does basically like brute force their way into your zipped archives and emails on attachments to see if it's malicious. Would it be a stretch of the imagination?
[00:50:47] Speaker A: Paul McCartney's been dead. There it is.
[00:50:50] Speaker B: It is now a temporary 5G causes syphilis. They are using this information for their own purposes. Maybe to train AI, maybe to do whatever, but I guarantee you ain't reading that EULA that says, yeah, I'd like that. I. Especially with, now that you opt in that you're gonna get hit with the end user license agreement that says we are able to use this information to train and do whatever we want to with it. You. You're cool with that, right? Think of all the good things that we give you. Yeah, right. You must love Big Brother. It's not enough to agree with Big Brother. You must love Big Brother.
[00:51:26] Speaker A: No thought crimes here. Read 1984. No, it is a good book. It's a high quality.
[00:51:30] Speaker B: Make Orwell Fiction Again.
[00:51:33] Speaker A: That's okay. Yeah, I thought that acronym was gonna be something different, but okay. So the other thing that they announced regarding Recall was they heard the complaints and the issues people had with the fact that everything was. I thought, yeah, that's funny. I thought it was gonna. Yeah, if you, these mofas make Orwell fiction, obviously.
[00:51:55] Speaker B: There we go.
[00:51:57] Speaker A: You see where I was?
[00:51:58] Speaker B: Great.
[00:51:59] Speaker A: That's where my head was going with that. I'm sorry, mom.
[00:52:02] Speaker B: So the other thing, that's good comedy right there, girl.
[00:52:05] Speaker A: The other thing they announced was they are adding some measures in place to address the fact that everything was going to be stored in plain text. They are adding additional layers of data protection, including just-in-time decryption that's protected by Windows Hello
Enhanced security. Sign-in security, that's a, that's a big long one. Snapshots will only be decrypted and accessible when you authenticate. And they also encrypted the search index database. So like you said, credit where credit's due. They're doing something. They did listen to a degree. But I think the consensus is still. Okay, awesome. Don't enable Recall. Just don't, it's just a, it's, it's, you don't need it. And why take the chance? That's my opinion. [00:52:44] Speaker B: Yeah, that's like going, you know what I'm going to do? I'm going to download some malware. [00:52:47] Speaker A: Yeah. [00:52:47] Speaker B: Right. And I'm going to basically cut it off from anything. And it can still do all the malware functions, but no one can access it to control it. So like what the, what's the point? [00:53:00] Speaker A: Yeah, why do that? [00:53:02] Speaker B: Why do I need this? I feel like I don't need this anyway. [00:53:08] Speaker A: No, but yeah, that's my opinion. I mean, if you have a different opinion, I'd love to hear it if you can, if you could justify Microsoft Recall, please, please tell me. [00:53:15] Speaker B: Saved in the cloud, it's like I just don't, I just don't get it. [00:53:18] Speaker A: The folks using Recall are also the folks using LastPass. Still want to understand you leave a comment, please explain it to me. [00:53:24] Speaker B: Trying to find that common ground. [00:53:27] Speaker A: Trying to. Anyway, we got a couple more articles we want to jump through really quick. This next one comes to us from GBHackers: Fog ransomware attacking Windows servers administrators to steal RDP logins. This might have been the one that I mentioned earlier that had to do with the VPNs. [00:53:40] Speaker B: You are correct. [00:53:41] Speaker A: Okay, gotcha. I am correct. [00:53:43] Speaker B: You are correct. [00:53:43] Speaker A: So it was a new ransomware variant dubbed Fog targeting US businesses in the education and recreation sectors. 
So I guess if you're a teacher, be careful. They access victim environments using compromised VPN credentials. [00:53:55] Speaker B: Yeah, I think it was a credential stuffing attack, if I'm not mistaken. Or they're using stuffing to find said credentials into these VPN areas and then install Fog. And what's interesting about that is. So they're going after RDP, right. It's basically kind of their stock in trade here is to, we want to be able to log in through RDP, which makes me think, okay, well, RDP is a Microsoft technology. If I have a login to RDP, which means I have a login to a Microsoft server and they do say this in here is that they were seeing a lot of pass-the-hash functionality. So if I can just take the hash of those logins and pass it around instead of actually using the passwords, maybe they're gaining other passwords. So once I've logged into a machine, I dump the hashes for the passwords of that machine and then try to use those to gain further access to move laterally. [00:54:48] Speaker A: Huh? Yeah, you're right. There was credential stuffing that was evident, allowing for easier lateral movement. And I believe there were two specific VPN gateway providers that were used for the remote access. So I want to say, okay, Windows Server is running Veeam, V-e-e-a-m. Is that how that's pronounced? [00:55:06] Speaker B: Veeam is like a backup software, if I'm correct. [00:55:08] Speaker A: Okay, I'm new to that one. The other one is Hyper-V, and Hyper-V, I've heard of. We've talked about that before, but Veeam was a new one to me. So maybe you've. Maybe you've heard of them. That doesn't really say much that I don't know about them because I'm not a big VPN user as far as. [00:55:20] Speaker B: Like, you can never spell Veeam. It's v e e m b e. [00:55:24] Speaker A: A, but trying to spell the word vacuum. [00:55:26] Speaker B: Yeah, backup and replication. That's what it is. [00:55:27] Speaker A: Okay, gotcha. 
[00:55:28] Speaker B: So I haven't done backups and stuff in a hot minute, so. [00:55:32] Speaker A: Okay, that's valid. [00:55:33] Speaker B: The tip of my tongue. [00:55:35] Speaker A: That's valid. I didn't know it existed till today, so. Yeah, hey, we're on the same page. [00:55:38] Speaker B: Well, you know what they were doing, right? So they were going after Hyper-V and Veeam, right? [00:55:42] Speaker A: Yeah. [00:55:42] Speaker B: That should be painting a picture to you right now. Ransomware. So I encrypt. I encrypt all your VMs, although those. Those VMDKs. And then I encrypt your backups, and I go, hey, how about that money? Y'all got that money? I'm gonna need some of that money. [00:56:01] Speaker A: Interesting. [00:56:01] Speaker B: Yeah. [00:56:02] Speaker A: Okay. And it was Arctic Wolf Labs that that was responsible for. For disclosing this or that. Figured this one out. So shout out to them. I think we might know a couple people that work with them. So shout out to Arctic Wolf Labs for that one. [00:56:13] Speaker B: I know Dark Wolf. I don't know. [00:56:14] Speaker A: Well, Dark Wolf, Arctic Wolf, there was. [00:56:16] Speaker B: We know someone. [00:56:17] Speaker A: There was somebody we met at Wild West Hackin' Fest that worked at Doctor Wolf, whose name is escaping me right now. Like, recent. Like, they. They just started working there, like, last year. [00:56:24] Speaker B: Gotcha. [00:56:24] Speaker A: Or maybe it was Black Hat. I. There was somebody that I spoke to last year. The name's escaping me right now, I feel so bad. I'll go in and find them in a second and shout them out. But yeah, they were starting to work at Arctic Wolf. [00:56:34] Speaker B: Gotcha. [00:56:35] Speaker A: Stand out names. Not a name you forget. So, yeah, that one we wanted to touch on and mention real quick, unless there was anything else about that. [00:56:44] Speaker B: Basically on the lookout. Make sure you're not reusing passwords. Okay, there's that. 
Use a password manager, not LastPass. Right? Use all the fun stuff. 2FA, MFA, whatever the case is, do all the password stuff to make it difficult for things like credential stuffing attacks to be effective. [00:57:03] Speaker A: Wow. This has been a PSA courtesy of Daniel Lowry. [00:57:06] Speaker B: The more you know, this one, I. [00:57:08] Speaker A: Think is gonna be interesting. I am interested to know your opinion on this. So, mobile driver's licenses are coming to New York State starting June 11. This is not new as far as, like, the idea of a mobile driver's license. I didn't know this, but this has already been implemented in, like, I think this is the 10th state now. Yeah. And it's in. I have like, a map here because you can go to the website and see, like, what the progress is in each state. I think 15 of the 50 US states plus DC have no MDL plans or anything like that. But the rest of them, it's either legal or there's some program in progress or it's active. So my first instinct was this is. It makes me apprehensive. A couple things were highlighted that I thought had positive potential. The idea that if I'm like, going to a bar and I need to verify my age, and I use my mobile ID to do that, I don't have to show them anything else but my age, I can say, okay, I just show them the necessary information. All they can see is my date of birth, so they can confirm I am old enough, but they don't see my address, they don't see any of that other stuff. You can use it, like, at the TSA and stuff like that. Probably makes things a little bit faster. I'm sure it's convenient to me, though. I feel like I guess it. I guess it maybe makes it a little harder for people to get, like, fake IDs and stuff, because a fake ID you can get, you can print off and, you know. But something like this, no one could recreate a digital. I'm just saying maybe it'd be harder. Maybe it would take a little more effort. [00:58:27] Speaker B: It would just be different. Right. 
They would. It would just end up being a new skill that people that do this would acquire. Right. And then think about this. This app. If I can hack the app or the database that runs the app or the servers that run the app, then I have access to all of. Of those records. Now, you could. There's still a database with people's records in them now, right? So maybe that's a one to one comparison there. Like, doesn't really matter if it's on an app or if it's a hard plastic piece that you got in your wallet. I just don't. I. This gives me an uneasy feeling. [00:59:03] Speaker A: Yeah. [00:59:04] Speaker B: Right? [00:59:04] Speaker A: I could see that. You could make the argument, oh, the positive. It'd be hard. You wouldn't be able to lose it. Or it'd be harder to lose. Right. Because your people got their phone on them all the time. I think you're much more likely to accidentally lose your driver's license and not realize it than to lose your phone and not realize it. [00:59:18] Speaker B: Plus. Okay, let's go with your bar analogy. All right? Let's. Let's kind of walk our way through. Let's work it out. [00:59:23] Speaker A: Okay? [00:59:24] Speaker B: Let's take it for a test drive. Let's see what it does. Let's say you go up to a bar. You got the. At the door. You got a guy at the door checking IDs. Right? He's memorizing your. Your specific address. [00:59:37] Speaker A: I guess that's true, right? Yeah. [00:59:40] Speaker B: It's possible that he's Marilu Henner and has a perfect recall of all the things he's ever seen, but. Unlikely. [00:59:47] Speaker A: Yeah. I'm trying to think of if there's any other information you'd want to withhold. But what else is there? I mean, weight or not weight, height, birth, eye color, hair color, all that stuff is like. It's not a single. [00:59:58] Speaker B: And then you'd have to take, like, a mental snapshot of that. [01:00:00] Speaker A: Yeah. [01:00:01] Speaker B: And memorize it because there's people behind you. 
You're not like, the last person in the line just happens to be the person that this person wants to target. It, just. It. Other question, how. How much of a problem are we having with that now? [01:00:18] Speaker A: Yeah, I guess maybe it's kind of like you're solving a problem that doesn't, like, is there a problem to be solved here with this? It is completely voluntary, so they're basically like, don't. It's not like, oh, I'm gonna leave my mobile ID at home, because a lot of places still are. Like, we're gonna need you to show a physical ID. But in theory, in the future, like you said, for now, it's voluntary. [01:00:38] Speaker B: Yeah. [01:00:38] Speaker A: At what point in the future? [01:00:40] Speaker B: They talked in this article about police as well, about when you enforce. Stop. You don't give your. You don't give your ID over to the law enforcement. [01:00:49] Speaker A: Yes. Yes is never, not never freely hand a device over. So the app is supposed to be like, your phone stays in your possession. [01:00:54] Speaker B: That stays in your possession. [01:00:55] Speaker A: And then they, like, scan a QR code or something, and that's what shows them. [01:00:59] Speaker B: Guess what will happen when they scan the QR code. So what if I give them my ID? Right. Well, what's the purpose of keeping it on the phone so I can keep it in my possession? Once they scan, they're gonna see exactly who I am and everything about me. [01:01:14] Speaker A: Yeah. [01:01:15] Speaker B: That they have in their records, I. [01:01:17] Speaker A: Guess, in the case of law enforcement. Yeah. And I guess I'm trying to keep, like, instinctively, I'm like, this seems. This seems like there's potential for this to go wrong. [01:01:27] Speaker B: Right. [01:01:28] Speaker A: I'm trying to keep an open mind only because I was also initially really, really, like, hesitant to adopt, like, the mobile pay and stuff like that, like, tap to pay and all those things. 
I was like, uh uh, I'm not doing that. That seems insecure. [01:01:39] Speaker B: So I don't do it with my phone. [01:01:41] Speaker A: But I mean, like, even with the card. [01:01:42] Speaker B: Like, tap card is fine because it comes with. [01:01:44] Speaker A: I'm like, no, I don't know how I feel about that because it was new, and I was being a cranky old man, and I was like, I don't want to. And I think I talked to Don about it, and he was like, tap to pay might even be a little more secure than swiping to pay. And so I was like, I guess you have a valid point. So something like this, I'm like, watch somebody get a comment and be like, but did you consider these 17 ways? Watch. [01:02:02] Speaker B: Probably better, but we just learned about this today. Yeah. [01:02:05] Speaker A: Right. So I did think that was interesting. Totally voluntary for now. We'll see if this ends up becoming something that is the norm. But that, to me, it does always. [01:02:15] Speaker B: Some, like, hesitation around identification. Right. And how. [01:02:19] Speaker A: Yeah. [01:02:19] Speaker B: How we work with that. We've got these. I don't know. People are just really, like, inertia. There's. There's just, hey, I'm used to doing it this way. Why do I need to do it any other way? Is there something wrong with the current system in place? And if so, you're not doing a really good job of, like, explaining why we should adopt this other than we can. [01:02:39] Speaker A: Yeah. [01:02:40] Speaker B: And as Ian Malcolm says, we're too preoccupied with whether or not we could. We didn't stop and think if we should. [01:02:46] Speaker A: They did mention privacy concerns, how you could potentially be tracked, leave a detailed trail of where you've been, more so than with physical IDs, storing all that data with a contracted third party vendor. There's risks that come with that. So they did acknowledge, hey, yeah, there. [01:02:57] Speaker B: Are some concerns there. 
[01:02:58] Speaker A: I think the main, like, benefit to be touted would be the convenience. Just, it's. Oh, it's easier. It's just on your phone, but that's almost never worked. [01:03:07] Speaker B: Are you using your ID? [01:03:09] Speaker A: Yeah, not often. I don't really drink, so, like, that's the only time I would use. It would be if I went out somewhere, I wanted to order a drink, but I. Other than that, no. I mean, I don't. Maybe to log into my insurance app. Like, you put in your driver's license. [01:03:23] Speaker B: Sometimes, but that's not going to. That's not going to use this ID. [01:03:26] Speaker A: No, no. It's putting in the driver's license number. Yeah, that's the only thing. [01:03:28] Speaker B: So putting your. [01:03:30] Speaker A: If I. Yeah, if I don't have my, like, password manager readily available and I can't remember my password, it'll let you log in with your driver's license number. [01:03:38] Speaker B: So that doesn't seem good. [01:03:40] Speaker A: It's interesting. It is very interesting, but I don't think that lets me access everything. That's just like, if I want to update my, like, odometer reading or whatever for, like, my. My discount that you get, you know. [01:03:50] Speaker B: Like, I give them nothing. [01:03:52] Speaker A: Oh, okay. Hey, look, every dollar counts. [01:03:55] Speaker B: You don't need to know what the hell I'm doing. It's worth my money to keep my privacy. [01:04:01] Speaker A: I'm not in a position to say that yet. So maybe. Maybe one day I'll give up that drive safe and save discount. [01:04:07] Speaker B: I don't have the stupid little plugins to your ODB port. I don't have any of that crap. [01:04:11] Speaker A: And make. It makes a difference for me, but that's just me, you know? [01:04:14] Speaker B: Not this cat. [01:04:15] Speaker A: I'm in a different place in my life, I guess. I don't know. But I'm a safe driver, you know, I try to be. 
[01:04:21] Speaker B: They don't need to know whether I'm a safe driver or not. [01:04:23] Speaker A: That's. That's valid. That's a. Valid. [01:04:25] Speaker B: And B, who are they to determine whether or not I'm a safe driver? [01:04:28] Speaker A: Yeah. [01:04:28] Speaker B: What if the reason maybe because I'm speeding to be safe? [01:04:32] Speaker A: Yeah, because you do have to stay with the flow. [01:04:33] Speaker B: What if I stopped hard because that was the safe thing to do? [01:04:36] Speaker A: Yeah. You have to go in and put. [01:04:38] Speaker B: In a report that doesn't like calculate like whether or not the person in front of me swooped and squatted and I moved really fast and stopped to get around them and then sped at a hard acceleration to get away. Yeah, they don't know that. [01:04:54] Speaker A: We need to make this. This is gonna become a point counterpoint podcast. [01:04:59] Speaker B: Y'all need to know what I'm doing. [01:05:01] Speaker A: That's fair, that's valid. Maybe I'll reconsider my usage of the discount in the future. But yeah, point being this is, you know, starting to be implemented in states around the US and we'll have to see if it becomes the norm or if this is just kind of a passing thing. We got one. Yeah, sure. Various. [01:05:18] Speaker B: You gave it the beatbox, huh? [01:05:21] Speaker A: Yeah, you know me, it's just various noises of disapproval. We got one more we wanted to cover before we sign off today. This one comes to us from SecurityWeek. Arm warns of exploited kernel driver vulnerability. I'm saying that slow because otherwise I'll stumble over my words. So it's a. I heard Arm and I was thinking like the Amazon service or whatever. That's not, that's not what it is. Arm-based chips, British semiconductor giant is how they are referred to, Arm. So you're clearly familiar with them. I was not. [01:05:47] Speaker B: Right. Is it Arm-based chips or are they called Arm? 
[01:05:49] Speaker A: No, you're right, that's the company name. It says. [01:05:52] Speaker B: Oh, is it? Yeah, they're not Arm processors. [01:05:54] Speaker A: Maybe they are. Maybe it's one of those things where it's like, okay, it's a tissue, but everybody calls them Kleenex. Why do they. [01:05:59] Speaker B: Why? Why? Right. If you're a processor, don't name your company Arm because that's confusing. [01:06:06] Speaker A: It is confusing. Well, I mean, I didn't even go the direction of Arm chips. I thought the AWS. [01:06:10] Speaker B: Yeah, no, they are called Arm. British semiconductor Arm. Stop. [01:06:17] Speaker A: We're gonna get an employee of Arm watching this like, aye, that's quite offensive. [01:06:20] Speaker B: Yeah. [01:06:20] Speaker A: Cause they're British bottle water Tuesday, stupid. I want you to the whole next episode in that sense. So they're warning customers about a memory safety bug in some GPU kernel drivers that have been exploited in the wild and that's always scary. [01:06:39] Speaker B: So that's, that was the whole reason I saw this and thought it was like a worthy article was normally it would just be a, hey, if you're running these, these different GPUs, you know, there's a patch, go patch. Because there is, there's a patch, go patch. Use after free. We never like that causes bad things. Yeah, you're done with it, but you still are kind of dipping into that. But it's free for everybody to kind of play with now. So it's a bad idea. But there is this little, little problem. Threat actors know about it and they are currently exploiting that. So if you are an Arm, capital A, lower r-m, user of the. I think it's Bifrost and Valhall. [01:07:26] Speaker A: Yeah. [01:07:27] Speaker B: GPU processors and specific versions of them. You might want to go out there and make sure that you are getting those updates so that they are no longer exploitable for you. [01:07:37] Speaker A: Yeah. Not a lot of details on what the exploits were. Right. 
As far as like getting really specific. [01:07:41] Speaker B: With just to use after free, I think it's usually that kind of stuff just leads to like buffer overflows and. [01:07:46] Speaker A: Okay. [01:07:47] Speaker B: Like the ability for remote code execution. [01:07:50] Speaker A: Yeah. So they didn't share many details, but they, they're urging users to update devices as soon as possible. Which. [01:07:55] Speaker B: Short article, of course. More of a PSA, more of a heads up. Yeah. [01:07:59] Speaker A: I appreciate that, Daniel. I think that you care about our viewers enough to give them those heads up if you are a capital A, lowercase r-m user. Good to know. I think that's pretty much going to do it. For the stuff that we wanted to cover this week. I'm sure there was stuff that. What was your uncle Fanny's your aunt? [01:08:14] Speaker B: Yeah. [01:08:14] Speaker A: Is that how that phrase ends? [01:08:15] Speaker B: Robert's your mother's brother. [01:08:17] Speaker A: All right. That's a new one. [01:08:18] Speaker B: Bob's your uncle. [01:08:19] Speaker A: Oh, okay. I feel like he tries to like confuse me and trip me up because he knows I have trouble sometimes closing like the episodes and stuff. And I think he does this on purpose. [01:08:29] Speaker B: Little things in front of her and watch her fall down the stairs. [01:08:31] Speaker A: Yeah. I'm like an untrained puppy. I just, I can't, I cannot handle it. [01:08:34] Speaker B: She's all knees and elbows. [01:08:36] Speaker A: Yeah. Like a deer. I just can't, I can't handle it. Even though I've been doing this like a, what, a year and a half now? [01:08:40] Speaker B: Yeah. [01:08:41] Speaker A: I'm never gonna get used to it. [01:08:41] Speaker B: I will say I've been doing this for almost ten years. Endings are the hardest thing to do. [01:08:47] Speaker A: Yeah. [01:08:47] Speaker B: So if you're like, man, you guys can't end a show to save your life, go ahead and try it. It is difficult. 
[01:08:52] Speaker A: Go ahead. Go ahead. Leave a comment. Tell me how much I suck at it. I can take it. Can't be any worse, right? I can take it. [01:08:59] Speaker B: You got the armor on. [01:09:00] Speaker A: Yeah, I can take it. I'll cry about it in private like a professional. [01:09:04] Speaker B: That's right. [01:09:04] Speaker A: At home, on my own. [01:09:06] Speaker B: Real man. [01:09:06] Speaker A: I do not cry on company time. Dang it. [01:09:09] Speaker B: Single tear, you wipe it away. [01:09:11] Speaker A: I know Christian's sitting out there like, wrap it up, wrap it up. So we'll go ahead and end it there. But we do appreciate you sticking with us through these conversations. Leave a comment, let us know what you liked, what you want to see in the future, like the episode, if you haven't already. And we'd love for you to subscribe so you never miss an episode of Technado in the future. [01:09:25] Speaker B: Article suggestions as well. Article suggestions, yes. We are both active on LinkedIn. It's a good place to get a hold of either of us. [01:09:30] Speaker A: We are. And we'll leave the articles we covered today in the description of this video. So hope you enjoyed and we'll see you next week. Back here for more Technado. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.
