Episode Transcript
0:00
It's time for security now.
0:02
Steve Gibson is here, we'll answer the musical
0:04
question. How long were bad guys
0:07
inside GoDaddy's network?
0:09
We've got some good news for our sponsor
0:12
BitWarden and its customers, and then
0:14
he's gonna talk about ChatGPT. How
0:17
useful would ChatGPT be at detecting
0:19
malware? It's all coming up next,
0:22
on Security Now. Podcasts
0:26
you love. From people you trust.
0:30
This is great. This
0:36
is Security Now with Steve Gibson. Episode
0:38
nine hundred eleven recorded Tuesday,
0:41
February twenty first, twenty
0:43
twenty three, a clever regurgitator.
0:47
Security Now is brought to you by Drata.
0:49
Too often, security
0:51
professionals undergo the tedious,
0:54
arduous task of manually collecting
0:56
evidence. Drata, say goodbye
0:59
to the days of manual evidence collection
1:01
and hello to automation. All
1:03
done at Drata's speed. Visit drata
1:06
dot com slash twit to get
1:08
a demo and ten percent off implementation.
1:11
And by ACI Learning. Tech
1:14
is one industry where opportunities outpace
1:16
growth, especially in cybersecurity.
1:19
One third of information security jobs
1:21
require a cybersecurity cert. To
1:24
maintain your competitive edge across audit,
1:26
IT, and cybersecurity readiness?
1:29
Visit go dot ACI learning
1:31
dot com slash twit.
1:35
Thanks for listening to this show. As an
1:37
ad supported network, we are always
1:39
looking for new partners with products
1:41
and services that will benefit our
1:43
qualified audience. Are you ready
1:46
to grow your business? Reach out to advertise
1:48
at TWiT dot tv. And launch your
1:50
campaign now. It's
1:52
time for Security Now, the
1:54
show where we get together and talk about
1:56
security. Right now,
1:59
Steve Gibson is here. I want to Steve.
2:02
think that's how we came up with a name Leo.
2:04
I think I don't
2:05
know. Might have been. I don't
2:07
know. Well, it was better than security
2:09
yesterday.
2:11
Oh, yeah. That was that's, you know, that
2:13
has been
2:13
Nobody cares about that. We don't want that yet.
2:16
Nope. So we're here to
2:18
answer some questions. As
2:21
we've been doing so far this year,
2:24
one, is how long were bad
2:26
guys inside GoDaddy's networks?
2:29
Oh, what
2:32
important oral arguments is the
2:34
US Supreme Court hearing today and
2:36
tomorrow. What has
2:38
Elon done now? What's
2:41
Bitwarden's welcome news? What's
2:44
meta gonna begin charging for? Should
2:46
we abandon all hope for unattended
2:48
IoT devices? Are
2:50
all of our repositories infested with
2:53
malware? How would last Tuesday's
2:55
monthly Patch Fest go anyway? Why
2:58
would anybody sandbox an image?
3:00
What can you learn from TikTok that
3:02
upsets Hyundai and
3:05
Kia? Oh.
3:08
And are there any limits to
3:10
what ChatGPT can
3:12
do if
3:13
any? We're gonna find out by the
3:15
end of today's nine eleven emergency
3:18
podcast. I'm
3:20
gonna give you the short version so you don't have to listen
3:22
to the whole thing. A
3:24
long time, Gonzalez versus
3:26
Google, Twitter, Argon2,
3:29
verification,
3:33
yes, no,
3:36
yes, yes. About
3:38
that. Very nice.
3:41
Very, very good. We
3:43
will get to the actual... see you next
3:45
week. If only
3:47
it were that simple. In just
3:49
a moment, we also have a very good picture of
3:51
the week that you can decipher on your own.
3:53
But first, Let's talk about
3:56
Drata, our sponsor for
3:58
this segment of Security Now. Is
4:00
your organization... well, we've got questions for
4:02
you from Drata. Is your organization
4:06
finding it difficult to achieve
4:08
continuous compliance as
4:10
it quickly grows and scales, Did
4:13
you know, Steve? I mean, I this is kind
4:15
of a newer area to me. I didn't realize how
4:17
big a deal compliance was for
4:19
security
4:20
professionals. You're approving
4:21
more so in the future. Yeah. It's getting more and more
4:23
so. We're heading toward regulation land.
4:25
Well, yeah. That's the thing. I mean, you gotta comply
4:28
with various frameworks
4:30
you have to prove to partners and
4:34
clients and customers that you're probably
4:36
investors. Investors. It becomes
4:38
more and more important. What I didn't know
4:40
is that a lot of companies are doing this
4:42
manually. If manual evidence
4:45
collection is slowing your team down,
4:47
you need to know about Drata, a leader
4:50
in cloud compliance software, G2
4:52
Crowd says. So Drata streamlines
4:54
your SOC 2, ISO
4:56
27001, PCI DSS,
4:59
GDPR, HIPAA and
5:01
other compliance frameworks providing twenty
5:04
four hour automated
5:07
continuous control monitoring.
5:10
So you and your team get to focus
5:13
on the important things scaling securely
5:16
and let Drata do the proving. That
5:19
should be their slogan, but they don't want it.
5:21
With this... Drata,
5:23
do the proving. With a suite of more than
5:25
seventy five integrations, Drata integrates
5:28
so seamlessly with
5:30
your tech stack. I mean, it supports
5:32
AWS, Azure, GitHub, Okta,
5:34
Cloudflare, on and on. Countless
5:37
security professionals at companies like Lemonade,
5:40
that's a big insurance exchange. They I
5:43
mean, you can bet that security is
5:45
a big part of their job. Right? Notion,
5:48
BambooHR, they've got social security
5:50
numbers and need to prove to their clients
5:52
that they're keeping them secure. They've
5:55
shared how crucial it has
5:57
been to have Drata as a trusted
5:59
partner in the compliance process.
6:02
And another another point that
6:04
might help, you know,
6:07
prove to you that Drata is all
6:09
that, is that they are
6:11
backed by SVCI. Who's that? Well,
6:13
that is a venture fund. Angel investors
6:16
that are all CISOs. And,
6:19
you know, from some of the most influential companies
6:22
in the world, I mean, if not if
6:24
Nobody knows better than a CISO how important
6:26
this is. They put their money in and
6:28
said, yeah, we need Drata. Drata
6:30
allows companies to see all of their controls.
6:34
Easily map them to compliance frameworks
6:36
so you'll have immediate insight of one
6:38
thing to save you money right away to where there's overlap.
6:41
Right? Companies can start building
6:43
a solid security posture. They can achieve and
6:45
maintain compliance. They can expand
6:47
their security assurance efforts.
6:50
The key though is Drata. It's automated,
6:53
it's dynamic policy templates,
6:56
support companies new to compliance, help
6:59
alleviate hours of manual labor.
7:02
Their integrated security awareness training
7:04
program helps keep your team up
7:06
to date. Your staff, they're the front
7:09
lines, aren't they? Safe and
7:11
secure. Their automated reminders
7:13
ensure smooth employee onboarding. They're
7:16
the only player in the industry that builds on
7:18
a private database architecture, but
7:21
seems to me that's gotta be table stakes for
7:23
this business. It means your data can never be
7:25
accessed by anyone outside the organization.
7:28
Right? Customers receive
7:31
a team of compliance experts you'd be surprised
7:33
how many people don't do that. Drata does.
7:35
Customers receive a team of compliance experts,
7:37
including a designated customer support
7:39
success manager. Your success is so
7:42
important to them. They actually
7:44
have a team of former auditors. They've conducted
7:46
more than five hundred audits. They
7:48
are available. You can call them up for support,
7:50
for counsel, to help prep you
7:53
for your your upcoming
7:55
audit. They will make
7:57
sure that there's a consistent meeting cadence
8:00
with you and Drata so they keep you on track.
8:02
No surprises, no barriers. They'll
8:05
they even do pre... Drata does pre audit
8:07
calls. So you're you're fully
8:09
prepared for when the audits begin. With
8:12
Drata, DRATA, Drata.
8:14
With Drata's risk management solution, you
8:17
can manage end to end risk assessment and treatment
8:19
workflows. You can flag risks. You could score
8:21
them. You can decide whether you're gonna accept them, mitigate
8:23
them. Transfer them, avoid them,
8:26
Drata maps appropriate controls to the
8:28
risks, simplifying risk management,
8:30
automating the process. Are you getting an
8:33
idea you need this? Right? And Drata's trust
8:35
center provides real time transparency into
8:37
security and compliance postures, which
8:40
improves for you, improves sales, security
8:43
reviews, gives you better relationships
8:45
with customers and partners, investors, like
8:47
you said, Steve. Say goodbye to manual
8:49
evidence collection. Say hello to
8:51
automated compliance by visiting drata
8:53
dot com slash twit, DRATA
8:56
dot com slash twit. Drata.
8:59
Bringing you automation to compliance at
9:02
Drata speed. Get
9:04
it ten percent off when you ask for a demo, but make
9:07
sure you use that address. Because I I want them to
9:09
know you saw it on Security Now. Drata
9:11
dot com slash twit.
9:15
Alright. Picture of the week.
9:18
So today's picture of the week or
9:20
this week's picture of the week was actually
9:22
taken by one of our listeners who
9:25
was up in the attic of
9:28
some sort of charitable organization,
9:31
maybe his church, I don't quite remember now.
9:33
What what he said. But this was a he was
9:35
working on fix fixing
9:37
their DISH Network installation. Uh-huh.
9:40
And when when he saw the
9:43
ground wire attached
9:45
to a nail that was
9:48
nailed into some wood -- Okay. --
9:50
he thought Okay. I gotta take a picture of
9:52
this and share it with the security
9:54
now audience because here we
9:56
have another
9:58
weak understanding of the
10:00
goal of grounding. Where's
10:03
the other wire go? It
10:06
It's not clear. It kinda wanders off somewhere.
10:09
And, you know, what occurred to me was that
10:11
maybe whoever it is who installed
10:13
this thought
10:15
maybe that the the electrons would pay attention
10:18
to the color of the insulation because,
10:21
you know, if they if they realize that
10:23
it was a green a
10:25
green wire. They're traditionally
10:28
in electronics, electricity, you know, green
10:30
is ground. So they go, oh, everybody
10:33
over this way. Of course, the problem
10:35
is when they get over to the nail, which
10:37
is stuck into some wood, wood
10:40
is, you know, a very good insulator.
10:42
So it's a little bit like sticking
10:44
the wire into that pail of dirt, which is
10:46
one one of our all time favorite pictures.
10:49
So anyway, thank you very much to our
10:51
listener Mark for, you
10:53
know, thinking of us. What do you... what
10:56
do you think? What's wrong with
10:57
this? What's wrong with this DISH Network installation?
11:00
Don't you love it? The when when they
11:02
see stuff like this, they think of you immediately. Right?
11:05
Senator
11:05
Steve?
11:07
Okay. So I titled this one,
11:09
GoneDaddy. Last
11:12
Friday, GoDaddy revealed a
11:14
rather astonishing bit of news. Its
11:17
network and organization has
11:20
suffered a multi year
11:22
security compromise that
11:25
had allowed attackers, attackers who
11:28
to this day remain unidentified,
11:31
to exfiltrate the company's source
11:33
code, customer and employee
11:36
login credentials, and install
11:39
their own malware, which redirected
11:41
customers' websites
11:43
to malicious sites.
11:45
For years. Years. Years.
11:47
Years. So, you
11:50
know, They're they're big. Right?
11:52
They have got nearly twenty one million customers.
11:55
They're the number one registrar in the
11:57
world. Their last new revenue
11:59
was nearly four billion dollars.
12:02
So, you know, many years ago,
12:05
when I was making my move away from
12:07
network solutions, I
12:09
gave GoDaddy some consideration. It
12:12
is the choice of a very techie friend of
12:14
mine whom we both know Mark Thompson
12:17
Maybe because he's in Arizona. I think
12:19
that's where they're based also. But
12:21
for me, it just looked too
12:23
bubble
12:24
gum. They're terrible. Commercial. Yeah.
12:26
I'm not surprised to hear this. Yeah.
12:29
We buy our certs from them because their
12:31
cert prices are so cheap. For
12:33
the, you know, EV cert.
12:36
Right? But,
12:38
I mean, that's a cert. That doesn't you know, that's
12:40
our security, not theirs. Yeah. So
12:42
anyway, you know, what I want
12:45
from my domain registrar is
12:48
staid, stodgy and stoic. I
12:51
don't want a domain registrar that
12:53
looks like romper room. And
12:55
as I was as I was putting that in the
12:57
show notes, I thought, wonder how many of our listeners
13:00
will relate to Romper
13:01
Room. I
13:01
know I'm getting to I think I'm beginning to date
13:03
myself here a little bit. I see Stevie.
13:06
And I see
13:08
Laurie. I used to
13:09
know Miss Nancy, our local Romper Room
13:12
Lady, actually. So anyway,
13:14
I I from a from a
13:16
registrar, I don't want entertainment and
13:18
upselling. I just want something solid.
13:20
Anyway, as we know, I chose Hover
13:23
and I've been very happy. And just to be
13:25
clear, my choice was made years
13:27
before Hover became a
13:30
TWiT sponsor. So it wasn't
13:32
like, you know -- Yeah. -- it wasn't after the fact.
13:34
So in a filing Thursday,
13:37
last Thursday with the SEC, you know, our US
13:39
Securities and Exchange Commission, GoDaddy
13:42
admitted that three
13:44
serious security events, the
13:46
first occurring three years ago
13:48
in twenty twenty. And
13:51
the way they put it, you know, somehow lasting
13:53
through twenty twenty two were
13:56
all carried out by the same intruder. Now,
13:58
okay, that but but they're also saying,
14:00
but we don't know who, but we know it's the same.
14:03
So I'm like, what? Anyway, they wrote,
14:06
quote, based on our investigation, we
14:08
believe these incidents are part
14:10
of a multiyear campaign by
14:13
a sophisticated threat actor group
14:15
that, among other things, installed
14:18
malware on our systems and
14:20
obtained pieces of code relating to some
14:22
services within GoDaddy, unquote,
14:25
and they said that their investigation was still
14:27
ongoing. The most recent
14:29
event occurred last December. So
14:31
just, you know, three months ago, when the threat
14:33
actor gained access to the hosting
14:36
servers, GoDaddy's customers
14:38
used to manage websites hosted
14:41
by GoDaddy that they got into their cPanel
14:44
hosting servers. The threat
14:46
actor installed malware on the servers
14:48
that, quote, intermittently redirected
14:51
random customer websites to
14:54
malicious sites because, you know,
14:56
that's what you want from your registrar. GoneDaddy
14:59
was unaware of the presence of
15:01
this malware and learned of it from their customers
15:04
who were complaining that
15:06
visitors to their sites were
15:08
occasionally being redirected elsewhere.
15:13
So GoneDaddy said we have evidence, and
15:15
law enforcement has confirmed that
15:17
this incident was carried out by
15:20
a sophisticated and organized group
15:22
targeting hosting services like
15:24
GoDaddy They said
15:26
according to information we've received, their
15:29
apparent goal is to infect
15:31
websites and servers with malware
15:34
for phishing campaigns, malware distribution
15:36
and other malicious activities. Now,
15:39
okay, saying hosting services
15:41
like GoDaddy that sort of
15:43
begs the question whether other
15:45
hosting services have been similarly affected.
15:48
If so, which ones?
15:50
And by whom? Those questions remain
15:52
unanswered. It appears
15:55
that the first of several intrusions
15:58
took place in March of
16:00
twenty twenty. When so
16:02
fully, you know, three years ago, when
16:04
a threat actor obtained login
16:07
credentials that gave it
16:09
access to employee accounts and
16:11
the hosting accounts of roughly
16:13
twenty eight thousand of
16:16
GoDaddy's customers. Fortunately,
16:19
those hosting login
16:22
credentials that were obtained for
16:24
the twenty eight thousand customers did
16:26
not also provide access to the customers'
16:29
main GoDaddy account. Otherwise,
16:31
damage would have been more severe. That
16:34
first breach was disclosed two
16:36
months later in May of
16:38
twenty twenty in a notification letter
16:41
sent to the affected twenty
16:43
eight thousand customers. The
16:45
company said on Thursday, it's
16:47
responding, get this, responding
16:51
to subpoenas related to
16:53
that incident that the
16:55
Federal Trade Commission issued in July
16:57
twenty twenty and October twenty
17:00
twenty one. So there doesn't
17:02
seem to be any big hurry over in
17:04
GoDaddy land to
17:06
do much of anything. Then
17:10
GoDaddy discovered another incident in November
17:13
of twenty twenty one. Two
17:15
months after the threat actor
17:17
obtained a password that
17:19
gave access to source code for
17:21
GoDaddy's managed WordPress service.
17:25
So beginning two months earlier,
17:27
in September of twenty twenty one,
17:29
this unauthorized party used
17:32
their access to obtain login credentials
17:34
for WordPress admin accounts, FTP
17:37
accounts, and email addresses for
17:40
two point one million current
17:43
and inactive, or previous, managed
17:46
WordPress customers at GoDaddy.
17:49
And these were not the first of GoDaddy's
17:52
many problems. Through the years,
17:54
security lapses and vulnerabilities have
17:56
led to a series of suspicious events
17:58
involving large numbers of sites hosted
18:01
by GoDaddy. For example, back
18:03
in twenty nineteen, a misconfigured
18:06
domain name server at GoDaddy allowed
18:08
hackers to hijack dozens
18:11
of websites owned by Expedia,
18:14
Yelp, Mozilla, and others, and
18:16
used them to publish a ransom note
18:19
threatening to blow up buildings and
18:21
schools. The DNS
18:23
vulnerability, which was exploited
18:25
by the hackers, had come to
18:27
light three years earlier. Yet
18:30
GoDaddy never took any action
18:33
to mitigate the risk. You
18:35
know, again, this is this is not the
18:37
registrar you want. Also in twenty
18:40
nineteen, a researcher uncovered a campaign
18:42
that used hundreds of compromised
18:44
GoDaddy customer accounts to create
18:47
fifth thousand websites
18:49
that published spam promoting
18:52
weight loss products and other goods promising
18:54
miraculous results. So,
18:57
okay. So, you know, pushing
18:59
back from this a bit, you know,
19:01
the one question I had was
19:04
how it was that GoDaddy could assert
19:08
through the, you know, these more
19:10
recent three attacks spanning the same
19:13
number of years, that they had
19:15
been repeatedly plagued by
19:17
a single threat actor, yet
19:20
somehow have no idea who
19:22
this individual or group is.
19:25
So I did a bit more digging. And
19:27
I found that in their ten K filing with
19:29
the SEC, They stated
19:32
that the most recent December twenty
19:34
twenty two incident is connected
19:37
to the two other security events they
19:39
suffered in March twenty twenty
19:41
and November twenty twenty one. Okay?
19:45
Connected how? This reminded
19:47
me of what we recently saw from
19:49
LastPass, where we were told
19:52
that the second attack, the one,
19:54
remember, where all of our backed-up LastPass
19:56
vaults were stolen, was
19:58
enabled by the initial
20:01
intrusion. Mhmm. That was
20:03
worrisome since it suggested to us
20:05
that LastPass had not fully
20:07
cleaned up after the first
20:09
intrusion. In the GoDaddy
20:12
case, they appear to be stating
20:14
that they know that it's the same
20:16
threat actor because information presumably
20:19
obtained during the initial
20:22
intrusion three years ago
20:24
back in twenty twenty was
20:26
subsequently used in
20:28
both twenty twenty one and
20:30
twenty twenty two. Unfortunately,
20:33
this suggests as with LastPass that
20:36
post intrusion cleanup may
20:38
have been minimized. And
20:40
boy, given their track record
20:42
and their apparent negligence
20:45
based on the actions that we've seen, who
20:48
would be surprised by that. But
20:50
in any event, the cleanup was
20:52
ineffective. A
20:54
full post intrusion cleanup
20:57
means that nothing that
21:00
an intruder could possibly
21:02
have obtained remains
21:05
valuable once the cleanup is
21:07
concluded. We know that didn't
21:09
happen in the case of LastPass, and that
21:11
also appears to have been the case for GoDaddy.
21:14
You know, as we've had occasion to note on this podcast,
21:16
Leo and you and I've talked about it years ago,
21:19
once malware has had
21:21
access to a system, You
21:23
can never fully trust it again.
21:26
And I should really remove the qualifier fully.
21:29
You know, you cannot trust any
21:32
system after it's been compromised
21:34
because you just don't know what could have been done.
21:36
You know, these days, we have malware
21:39
burrowing into our motherboard firmware.
21:41
To maintain persistence even
21:44
across wipes and complete
21:46
reinstallations. You know? So
21:48
the only course of action then
21:50
is to refresh the firmware, wipe
21:52
the drives, rebuild from scratch,
21:55
and change everyone's
21:57
access credentials. You
22:00
know, yes, this is a huge
22:02
nightmare in the case of a large
22:04
sprawling enterprise, but there's really
22:06
no choice. After GoDaddy's initial
22:09
twenty twenty breach, either
22:11
something lingered in a system
22:14
that was never found, you know, some
22:16
latent advanced persistent threat
22:18
presence, or they failed
22:21
to rotate all of the keys
22:23
and login credentials across the entire
22:25
enterprise. Something remained.
22:28
Either malware tucked away in an
22:30
unexamined corner or someone's credentials
22:33
that were never changed. Thus, the
22:35
same guys came back later for another
22:38
dip, and a year
22:40
later for yet another one. Wow.
22:44
Okay, today
22:46
and tomorrow, the
22:49
US Supreme Court will be hearing
22:51
initial oral arguments. And Leo,
22:53
in your quick summary of the podcast, you
22:56
properly named the first of the
22:58
two, Gonzalez versus
22:59
Google. Yeah. I listened to it
23:00
all morning. It went on and on
23:02
and on and on and on. Yeah.
23:04
Well, those attorneys do. Yeah.
23:07
Anyway, the US Supreme Court's hearing oral
23:09
arguments in a pair of cases which
23:11
will open the door to allow
23:13
the court to reexamine the now
23:17
famous and infamous section
23:19
two thirty of the communications decency
23:22
act, which was passed into law by congress,
23:25
twenty seven years ago back in nineteen
23:27
ninety six. There are
23:29
a crucial twenty six words.
23:32
From section two thirty of that law
23:35
that are what enable our Internet's
23:37
media companies to remain
23:39
unresponsive and some would
23:41
say irresponsible for
23:44
the content that their users post
23:46
online for consumption by others.
23:49
Those twenty six words are, quote,
23:51
no provider or user
23:54
of an interactive computer service
23:56
shall be treated as the publisher or
23:59
speaker of any information provided
24:02
by another information content
24:04
provider. Unquote. Twenty
24:06
six words. And they mean, this
24:09
essentially, this blanket protection provides
24:12
that none of the day's media companies,
24:14
you know, the way this has been used
24:17
to thwart any attempts
24:19
at civil liability, is
24:22
none of today's media companies can be held
24:24
responsible for the content that's being
24:26
served by their technologies. Thus,
24:30
it serves as a powerful, and what has
24:32
now become crucial, protection for
24:34
them. But many many
24:36
wonder whether it might have been taken
24:38
too far. The specific
24:41
question that the cases address
24:44
focuses upon the content promotion
24:47
algorithms used by Google,
24:49
for example, for YouTube, and
24:51
also Facebook, Twitter, and others to
24:53
provide their users you know,
24:56
more relevant content. So
24:59
the question may be whether
25:01
our social media companies have
25:04
actually crossed the line
25:07
to become publishers of this
25:09
content, the moment they involve
25:12
themselves in that content's
25:14
deliberate selection and promotion,
25:17
even if that involvement is entirely algorithmic.
25:20
The argument then is that they're no longer
25:22
acting as passive repositories of
25:25
user provided content and that
25:27
the selections made by their algorithms are
25:30
ultimately motivated by profit.
25:34
There's a cybersecurity law
25:36
professor Jeff Kosseff.
25:39
He's with the US Naval Academy who
25:41
wrote an entire book on section
25:44
two thirty titled the twenty
25:46
six words that created the Internet. And
25:49
in some reporting by the Washington Post
25:51
early last October, which is when
25:53
the supreme court decided that they would hear
25:55
the two cases, which are now before them,
25:58
and for which they're now hearing these oral arguments
26:00
today and tomorrow. Tomorrow is about
26:02
Twitter. Today is about Google
26:05
and YouTube. They quoted
26:07
Professor Kosseff saying the
26:09
entire scope of section two thirty
26:11
could be at stake depending on
26:13
what the supreme court wants to do.
26:16
And, you know, although the stakes could not be
26:18
much higher, The way these things go, we
26:21
won't have a decision anytime soon, probably
26:23
not till way later in the year,
26:26
like, toward the end of the year at the earliest. But
26:28
this will certainly be one to watch. And
26:31
for their part, the plaintiff's attorneys
26:34
say that applying the sweeping civil
26:36
immunities created by section two
26:39
thirty to algorithmic recommendations
26:42
incentivizes the promotion of
26:44
harmful content and that section
26:46
two thirty denies the victims of
26:48
such content any opportunity
26:50
to seek redress when they
26:52
can show those recommendations caused
26:56
injuries or even death. So
26:59
this will be very interesting. And I
27:01
forgot. Leo, where do you come
27:03
down on two thirty? Oh, well,
27:05
let me put it this way. You like
27:08
the chat room? You
27:10
like the discord, you like your forums,
27:12
you like our forums, you like our mastodon.
27:15
If two thirty is overthrown, all
27:18
of those go... the world as we know it. Yeah.
27:20
I'm... they go away because right now,
27:22
I can't and you can't be sued for anything
27:25
anybody post on those forums even
27:28
if it's defamatory or whatever
27:30
they're liable for, not you, which
27:33
is reasonable. Right? Furthermore,
27:37
thanks to section two thirty, if you take
27:39
something down on your forums, And
27:43
because it's, you know, racist hate speech,
27:46
that person can't sue you either.
27:48
And that's really important. It's the right both to
27:51
publish and to moderate and
27:53
not be liable. And because it's
27:55
it's such it's so it's you can codify
27:57
them to law that way, you don't even have
27:59
to go to court, you know, the justice the judge
28:01
would immediately say, no, I'm sorry, that he's protected
28:03
by two thirty. So if
28:06
they strike it down or even weaken it in
28:08
any way, you
28:10
know, it's not Google and Facebook and Twitter who
28:12
are gonna suffer, they can defend themselves. They have
28:14
lawyers by the
28:16
fistful. It's
28:18
you and me.
28:19
Glad that the Supreme Court has
28:21
a conservative bias at this
28:23
point in time. Well, right? They don't have a conservative
28:26
bias. That's a misnomer. They're
28:28
not originalists. They just
28:30
make up whatever they want and then
28:32
find and then find something just
28:34
to fight. I would be much happier
28:37
if they were. Yeah. But remember, this is a
28:39
nineteen ninety six law. Ron
28:42
Wyden wrote it, and he was a very, very smart
28:44
guy. And it was it was it was
28:46
while they were passing the communications decency
28:48
act, he said, you know, this could really
28:50
screw up the Internet. We need to provide
28:54
you know, a safe harbor. Yeah. Yeah.
28:56
And so it's very, very important
28:58
to the Internet. You know, that you you
29:00
quoted the exact right book. Jeff Kosseff's
29:02
book is often referred to on this week in Google.
29:05
Jeff Jarvis is a big fan of it. I've
29:07
read it. It's a very, very good book and you read
29:09
it and understand it. I listened to the arguments
29:12
this morning. And
29:14
you never can tell with the oral
29:16
arguments in front of the Supreme Court because justices
29:18
will sometimes play devil's advocate their
29:20
actual opinions aren't always on display.
29:23
But I was pretty encouraged by
29:26
the questions they asked the counsel
29:28
for the plaintiff And
29:30
and I I think they get
29:32
how important it is. They even one
29:35
of the justices even said you
29:37
know, this could have a real impact on the
29:39
economy. And then
29:41
justice Kagan, who's who I love
29:43
and was very funny, said You
29:46
know, you don't have the smartest internet
29:48
brain sitting in front of you right here, so you better
29:50
explain this to us. It was Okay.
29:53
So why why did they even choose
29:55
to take it up last October? They could have
29:58
let the Ninth Circuit decision stand
30:01
because it upheld the section two thirty
30:03
rights. Right. It was appealed, and you're
30:05
right. That's the question. Why did they take it up?
30:07
And I think, you know, there there probably
30:09
is some reasonable discussion around
30:11
this. What they're really battling over
30:13
not is not so much the right
30:15
to publish or the right to moderate. But
30:18
but whether a recommendation algorithm
30:21
-- Right. -- is is
30:23
in some way now editorializing. And
30:27
at first, I I'll be honest with you when
30:29
when I first read the facts of the case, I said,
30:31
well, you know, that's actually a good point.
30:33
You know, in way Google's algorithm is
30:36
choosing what to show isn't that
30:38
isn't that Google creating content. But
30:40
I've since seen the light
30:43
and been persuaded by a lot of smarter
30:45
people than I, including Cathy Gellis
30:47
from Techdirt, who we're trying to get on the show tomorrow.
30:50
She wrote an amicus brief for this. They also
30:52
allowed multiple anonymous
30:54
Reddit moderators
30:57
to file an amicus brief. As
30:59
did the EFF. Unfortunately, both
31:02
the White House and the
31:05
right, Josh Hawley, and Ted Cruz,
31:07
want this to be struck down. For
31:09
different reasons, you know. But
31:13
the wiser heads point out that
31:15
it's all algorithmic. If you have
31:17
a search engine and you go to the search
31:19
engine, what's on top of the search
31:21
unless it's completely
31:23
chronological? Is algorithmic.
31:25
The only reason that we all switch to Google,
31:27
well, went away from AltaVista.
31:30
Exactly. Google appeared.
31:32
And the editors say the Reddit moderators
31:34
say, no. We can use algorithms to
31:36
help us moderate. Algorithms
31:38
aren't inherently bad. You
31:41
might have an algorithm that's optimizing for profit
31:43
that as a result surfaces more controversial videos,
31:46
but that's not the same thing as writing
31:49
an article saying, I think ISIS
31:51
is fantastic. It's and
31:54
and and so it's very risky
31:57
And I certainly hope the judges don't do this
31:59
to slowly pare away
32:01
at two thirty. It's only, as you say, it's
32:03
only twenty six words. Right. And
32:05
it is black and white at the moment. Very
32:07
clear. It's I think one of the best
32:10
written laws ever. It's it's it's kinda like
32:12
constitutional amendment. It's a precise
32:15
it's it's it's broad enough
32:17
to have lasted twenty years,
32:20
thirty years. And But
32:22
at the same time, it, you know, it's
32:25
it's clear. And I think its intent is clear.
32:27
And I'm hoping that the court does not
32:29
override what was clearly the intent
32:31
of congress when they wrote that law. Yeah.
32:34
So let's yeah. Let's cross your fingers. I don't know
32:36
if they're conservative, but let's hope they make
32:38
the right choice.
32:41
So The Verge's headline
32:44
was, it's official. Twitter
32:47
will now charge for SMS to
32:50
factor authentication. Only
32:52
Twitter Blue subscribers will get
32:54
the privilege of using the least secure
32:56
form of two factor
32:59
authentication. And
33:01
they were having fun with this. The the verge
33:03
continued. Now it's official.
33:06
You can pay for the privilege
33:08
of using Twitter's worst form of
33:10
authentication. In fact, if
33:13
you don't start paying for Twitter blue,
33:15
eight dollars a month on Android, eleven a month
33:17
on iOS, or switch your account
33:19
to use a far more reliable authenticator
33:22
app or physical security key
33:24
Twitter will simply turn off your two
33:26
factor authentication after March twentieth.
33:30
The writer adds he says,
33:32
I know which one I would choose. Good
33:35
riddance to SMS is my feeling.
33:37
Given how common SIM swap hacks
33:39
are these days, he says heck.
33:42
Twitter's own Jack Dorsey was successfully
33:44
targeted by the technique four years ago.
33:46
You don't want someone to get access to
33:48
your accounts by proving they
33:51
are you simply because they've stolen
33:53
your phone number. That's how Twitter
33:55
is trying to justify this change
33:57
too. But I wouldn't be surprised if there's
33:59
a simpler reason. It costs money
34:02
to send SMS messages, and
34:04
Twitter does not have a lot of money right
34:06
now. The company had been phasing
34:08
out SMS even before Elon
34:10
Musk took over. Twitter's own transparency
34:13
data shows as of December twenty
34:15
twenty one, only two point
34:17
six percent of Twitter users
34:20
had two factor authentication turned on,
34:23
and seventy four percent of those
34:25
users were using SMS
34:27
as their two factor authentication method.
34:31
Okay. So here's what Twitter
34:33
posted and explained last Wednesday.
34:36
Their blog was titled an update
34:38
on two factor authentication using
34:40
SMS on Twitter by Twitter
34:43
Inc. We continue to
34:45
be committed to keeping people
34:47
safe and secure on Twitter. And
34:49
a primary security tool we offer to
34:51
keep your account secure is
34:53
two factor authentication. Instead
34:56
of only entering a password to log in,
34:58
2FA requires you to
35:00
also enter a code or use a security
35:03
key. This additional step
35:05
helps make sure that you and only
35:08
you can access your account. To
35:10
date, we have offered three methods
35:13
of 2FA text message,
35:15
authentication app, and security
35:17
key. While historically
35:20
a popular form of 2FA,
35:23
unfortunately, we have seen
35:25
phone
35:27
number based 2FA be used
35:30
and abused by bad actors.
35:33
So starting today, we
35:35
will no longer allow accounts to
35:38
enroll in the text message
35:40
SMS method of two factor
35:43
authentication unless they
35:45
are Twitter blue subscribers. The
35:48
availability of text message
35:50
2FA for Twitter Blue may
35:52
vary by country and carrier. Non
35:56
Twitter Blue subscribers that are already
35:58
enrolled will have thirty days
36:00
to disable this method and enroll
36:03
in another. After March twentieth,
36:05
we will no longer permit non
36:07
Twitter blue subscribers to use text
36:09
messages as a two factor authentication method.
36:12
At that time, accounts with text
36:15
message two factor authentication still
36:17
enabled will have it disabled.
36:20
Disabling text message two factor
36:22
authentication does not automatically disassociate
36:24
your phone number from your Twitter account. If
36:26
you would like to do so, instructions to
36:28
update your account phone number are available
36:31
on our help center. Finally, we
36:33
encourage non Twitter blue subscribers
36:36
to consider using an authentication app
36:39
or security key method instead. These
36:41
methods require you to have physical
36:44
possession of the authentication method
36:46
and are a great way to ensure
36:48
your account is secure. Okay.
36:51
So some other reporting
36:54
I found stated that Twitter
36:56
took this step because SMS
36:58
two factor authentication was being
37:00
abused by fraudsters who
37:03
would establish accounts using
37:06
something called application to person.
37:09
Or A2P premium
37:11
telephone numbers. Then when
37:14
Twitter would send two factor
37:16
authentication text to these
37:18
numbers, the fraudsters would get
37:21
paid. So it costs Twitter much
37:23
more money than just a regular SMS
37:25
to regular people. Estimated
37:28
losses were claimed to be around sixty
37:30
million dollars a year from
37:32
this. Okay. So, of course,
37:34
everyone's piling on Elon these days.
37:37
And his decisions at Twitter have been a source
37:39
of controversy. Seventy
37:41
four percent of two
37:43
point six percent is
37:45
one point nine five percent. So
37:48
as of the end of twenty twenty one, when
37:50
we had those stats, one
37:52
point nine five percent of
37:55
all Twitter account holders were
37:57
using SMS based two
37:59
factor authentication. On
38:01
the other hand, that's three out of every
38:03
four of the Twitter users
38:05
who use any form of two factor
38:07
authentication were using SMS. And
38:10
the use of any form of two factor
38:13
authentication certainly prevents
38:15
some amount of abuse. And
38:18
even though SMS is not we know
38:20
the best solution, it's still better
38:22
than having none. And using
38:24
it doesn't create any new
38:26
vulnerability where none existed before,
38:29
unless I guess you were to, like, become
38:31
dependent upon it and, like, had a crappy
38:34
password because you figured, oh, well, factor
38:36
authentication will protect me. You know,
38:38
so it's, you know, not something
38:40
that can be relied upon, you know,
38:42
nearly as much as one time passcodes
38:45
or security keys. So,
38:48
I don't think this is great news. Because
38:51
it seems to me that it might end up
38:53
causing Twitter users to simply disable
38:55
all use of two factor authentication without
38:59
upgrading their existing SMS,
39:02
you know, least of the
39:04
three good authentication methods
39:07
to one time passcodes or security key.
39:10
At around four hundred and fifty
39:12
million monthly users of Twitter,
39:15
That one point nine five percent
39:17
who have been using SMS based two
39:19
factor authentication is eight
39:21
and a quarter million SMS
39:23
users per month. So that
39:26
likely adds up. And I can see Elon
39:28
wanting to cut costs. And,
39:30
you know, if there's, you know, if
39:32
there's no way for Twitter to determine whether
39:34
the phone numbers being registered are
39:37
paid to send numbers, then I suppose
39:39
he doesn't have much choice. On the other
39:41
hand, a great many other large social
39:43
media organizations offer SMS
39:46
based two factor authentication, and
39:48
they don't appear to have any similar problems.
39:50
In any event, I hope that those who need
39:52
some form of authentication
39:54
will move to passcodes at least
39:57
rather than just putting off, you know,
39:59
all extra
40:00
authentication when Twitter kills two
40:03
factor authentication a month from now.
40:05
I think it's actually on March twentieth,
40:08
so a month from yesterday. We
40:11
have some good news. We knew
40:13
it was coming. It has actually happened.
40:15
And I've seen I've seen texts or tweets
40:17
rather. Speaking of Twitter from our listeners
40:20
wondering if they should move yet.
40:22
Maybe is the answer. The Argon2
40:25
memory-hard KDF.
40:29
Yep. Which promises to be
40:31
far more resistant to brute
40:33
forcing is now
40:35
available for BitWarden and
40:38
is present on some
40:40
BitWarden clients, and that's
40:42
the keyword. Before
40:45
switching to it, since the switch
40:47
must be made system wide
40:49
per user, you'll need
40:52
to wait until and make sure
40:54
that all of the platform clients,
40:56
the Bitwarden
40:58
platform clients you use,
41:01
have been upgraded to support
41:03
Argon2, which
41:04
is the release. Twenty twenty
41:06
three dot two. That's the version you need.
41:08
Yeah. That's the one you
41:09
want. Twenty
41:10
twenty three dot I have it on my iPhone.
41:12
I don't yet have it on Android. And
41:15
you but you even have to have it on wherever you use
41:17
it on your
41:17
desktops, on your plugins, and
41:18
all that. It's gotta be in in your browser extensions.
41:21
And currently, it's not quite there yet. You'll be
41:23
blocked. Right? You won't be able to use it,
41:25
if it's incorrect, you will not be able to authenticate
41:28
on that new device. Right.
41:30
Six days ago, a Bitwarden employee
41:33
named Ryan he posted
41:35
to Reddit. He said for those curious as
41:37
to why not everything is rolled
41:39
out at once. Each browser
41:41
extension and mobile app
41:43
needs to go through an approval process
41:46
with their respective app stores. Please
41:48
be patient Usually, the approval
41:51
process takes about a week. So
41:53
now, this is fresh news, but
41:55
it's coming soon. To
41:57
BitWarden platform clients
41:59
near
42:00
you. That that's the good news is that BitWarden
42:02
has approved the pull request, added
42:04
it, and it's in the new version. Just wait
42:06
till you get the new
42:07
version, you will. And
42:08
then if you if you have it in iOS, then
42:10
that that's Yeah. That's significant.
42:13
Yeah. I just got it a couple of days ago in
42:15
iOS. I've been watching with great interest
42:17
of as you might
42:18
imagine. And I will switch as soon as
42:20
I can do that safely. Yeah. So
42:23
Mark Zuckerberg posted an
42:26
announcement about some a little change
42:28
in Meta. He
42:30
said, good morning, and new product
42:32
announcement. This week, we're starting
42:35
out, we're starting to roll out meta
42:37
verified. A subscription
42:39
service that lets you verify your
42:41
account with a government ID, get
42:44
a blue badge get extra impersonation
42:47
protection against accounts claiming to be
42:49
you, and get direct access to customer
42:51
support. This new feature
42:54
is about increasing authenticity and
42:56
security across our services. Meta
42:59
Verified starts at
43:01
twelve dollars per month on the
43:03
web or fifteen dollars per
43:05
month on iOS. Yeah. It will be roll
43:08
I know. We'll be that's exactly
43:10
my feeling. He says we'll be rolling out in
43:12
Australia and New Zealand this
43:14
week and more countries soon. So,
43:18
okay, Facebook is adding
43:21
paid identity verification and
43:23
more. So elsewhere in their announcement
43:25
they wrote, some of the top requests
43:27
we get from creators are
43:29
for broader access to verification and
43:32
account support. In addition,
43:35
to more features to increase visibility and
43:37
reach. Since last year,
43:39
we've been thinking about how to unlock
43:42
access to these features through a paid
43:44
offering. meta verified,
43:47
you get. A verified badge
43:50
confirming you're the real you
43:53
and that your account has been authenticated with
43:55
a government ID. By that
43:57
By the way, I've also mentioned
43:59
that I don't think they say it here. You
44:02
have to be using your real name on
44:05
your Facebook page, not some random
44:07
handle. Also,
44:09
you get more protection from impersonation with
44:11
proactive account monitoring for
44:13
impersonators who might target people
44:16
with growing online audiences. Third,
44:19
help when you need it with access
44:21
to a real person for common account
44:24
issues. Fourth, increased
44:26
visibility and reach prominence
44:29
in some areas of the platform, like
44:31
search comments and recommendations. And
44:34
finally, exclusive features to
44:36
express yourself in unique ways, and
44:38
we don't know what those are. So first
44:41
of all, I reacted exactly as you did Leo,
44:43
twelve bucks a month for the on the web and
44:45
fifteen bucks a month on iOS strikes
44:47
me as really expensive. It's
44:50
not a one time verification fee,
44:53
which would seem reasonable. This
44:55
is an ongoing cost. You know?
44:57
Hundred and forty four dollars a year or
44:59
hundred and eighty dollars a year on
45:02
on iOS. And so, you know,
45:04
I suppose this is not for everyone. If
45:06
you know, if someone uses Facebook as
45:08
a major platform that I could see how
45:10
it makes sense to pay something, to
45:12
obtain spoofing prevention, and
45:16
apparently, higher visibility
45:18
in search ranking results. But
45:21
You don't get ad free though. Right? I mean, it's
45:23
not like You only pay us
45:25
seven bucks and you get it ad free. I don't,
45:27
you know, don't I don't really understand.
45:30
And it's not for businesses. It's only for
45:31
individuals. Very strange. Right.
45:33
Correct. That's not available for for
45:35
businesses. Yeah. They they said at
45:37
this time. So Well, we'll see we'll
45:39
see it not gonna generate ten billion dollars
45:41
a year, and that's what Mark's spending on VR right
45:44
now. So No. Yeah.
45:47
Emsisoft. A company we
45:49
spoke about. A name. Yeah.
45:53
They basically provided
45:55
us with a reminder of why
45:58
simply having code signing is
46:00
not and
46:02
should not be sufficient to
46:05
have antivirus and download
46:07
protection warning silenced.
46:11
So the antivirus publisher
46:13
Emsisoft, has put out a
46:15
public service announcement warning that
46:18
threat actors are currently using
46:20
fake Emsisoft code signing
46:22
certs to sign their malware.
46:25
This results in attacks appearing to
46:27
come from Emsisoft products as
46:30
well as to slip past anything
46:33
that refuses to run unsigned
46:35
software. So At
46:38
some point, I think what's gonna happen,
46:40
you know, code signing will become necessary
46:43
but not sufficient. At the moment,
46:45
it's entirely optional, but
46:48
mostly is there for user assurance.
46:50
And, you know, I'm signing all of my
46:52
apps now because it just
46:54
seems like a good thing to do. I know
46:56
that when I'm sometimes
46:59
I'm digging around on the Internet, looking
47:01
for some obscure thing because, you
47:03
know, a part of my life is still tied
47:06
to dos. When I
47:08
know, if I see something on some download
47:10
site, I will check to see if it's
47:12
signed because although not
47:14
as this little warning reminds
47:17
us, it's not absolute assurance,
47:19
but it's sure better than not
47:21
having something signed. So and
47:24
it does it does it's certainly if
47:26
nothing else, it sends an it's a
47:28
it's a signal that AV
47:31
and systems like Microsoft Defender,
47:33
you know, can add to their to
47:36
to the agglomeration of other signals
47:38
to decide, you know, what level of warning
47:40
they wanna provide the user. Okay.
47:47
DDoS attacks are
47:50
always resource depletion
47:52
or resource consumption
47:55
of one kind or another. Today's
47:58
modern DDoS attacks are
48:01
typically no longer floods of
48:03
TCP SYN packets like they
48:05
were in days past. Those
48:08
now seem quaint by comparison. Modern
48:11
attacks are aimed less
48:13
at consuming or clogging
48:15
raw bandwidth. Then at
48:17
asking web servers, to
48:19
generate more pages per second
48:21
than they possibly can. Since
48:24
modern websites are generally
48:26
the front facing surfaces of
48:29
a complex content management system
48:31
on the back end, which is driven by
48:33
some form of SQL database. Individual
48:37
HTTPS queries have
48:39
become much more computationally intensive
48:42
than yesterday's serving of static
48:44
web pages. The
48:46
previous contemporary
48:49
style DDoS attack
48:51
blocking record was
48:53
set by Google Cloud, which
48:56
last June, reported blocking
48:58
an attack rate of forty
49:01
six million HTTPS
49:05
requests per second. But
49:08
that was then. Now,
49:10
last week, Cloudflare has
49:13
reported that it successfully fended
49:15
off an attack that was thirty
49:17
five percent greater than that. Mitigating
49:20
a new record
49:22
breaking and record-setting HTTPS
49:25
DDoS attack, of seventy one
49:28
million requests
49:30
per second. That's
49:33
a lot of bots. Spread around
49:35
the world all concentrating their
49:37
fire onto a single target.
49:41
There are a growing number of strong
49:44
website DDoS defenders.
49:46
They include Akamai DDoS
49:49
mitigation, AWS Shield,
49:52
Cloudflare's DDoS Protection, Google
49:55
Cloud, F5's DDoS
49:57
Hybrid Defender, Imperva, DDoS
50:00
protection, and Microsoft Azure
50:03
DDoS protection. Websites
50:07
that pay to be located behind them
50:10
are able to remain online even
50:12
during an attack of such scale.
50:14
That alone is somewhat astonishing.
50:18
And an attack of this scale would
50:20
utterly obliterate any
50:22
other site that's simply on
50:24
the Internet. The mitigation
50:27
of attacks of such scale while
50:29
avoiding collateral damage to
50:31
nearby resources requires
50:34
carriers of the attacking traffic,
50:37
which is bound for a site
50:39
under attack, to block
50:41
all traffic as far away
50:44
upstream from the target
50:46
as possible. To prevent that
50:49
traffic's aggregation as
50:51
it moves from router to router
50:53
approaching its destination. If
50:56
we picture the Internet as a highly
50:58
interconnected global network of
51:00
individual routers, which is exactly
51:03
what it is, each one,
51:05
forwarding traffic towards its
51:08
destination. A useful
51:10
overlay for this is the image
51:12
of a great funnel. Where
51:14
incoming traffic is being funneled
51:17
toward its target. In
51:20
the model of a funnel, The closer
51:22
we approach the funnel's neck, the
51:25
greater the traffic burden becomes.
51:28
Since the physical implementation of this
51:30
traffic movement, are individual
51:32
routers, the best defense
51:35
against too much traffic
51:37
is to cause attacking traffic
51:40
packets to be dropped far
51:43
out at the funnel's mouth.
51:47
But doing this effectively inherently
51:50
requires a large traffic
51:52
provider. If the provider's network
51:55
is not sufficiently large, to
51:57
allow the incoming traffic to be blocked
51:59
before it has the opportunity to
52:02
concentrate, then the provider's
52:04
aggregation routers would be swamped
52:06
themselves. Before it even gets
52:08
to the user's web server and
52:11
many other of the provider's
52:13
customers who are also being
52:15
served behind those aggregation
52:17
routers would have their access,
52:19
their site access impacted, by
52:22
the collateral damage caused by
52:24
a failure of the packet transport
52:26
fabric. An organization
52:29
of Cloudflare size, to name
52:31
just one, has the advantage of
52:33
operating at global scale. And
52:36
when we're talking about handling attacks
52:38
of this size, the network size
52:41
is not only an advantage, it's
52:43
a necessity. Since attacking
52:46
bots are also globally spread,
52:49
traffic bound for one customer's
52:51
website will be entering the
52:53
network of a global carrier
52:55
such as Cloudflare at many
52:57
peering points across the globe.
53:00
So the moment an attack is detected,
53:03
all of the provider's edge
53:05
routing infrastructure can
53:07
be informed of the attack and
53:09
switched into an attack mitigation
53:12
stance. We
53:15
talked many years ago about the sheer
53:17
brilliance of the Internet's design.
53:20
And, you know, with the original concept
53:23
of autonomous packet routing,
53:25
being at the at the heart of this,
53:27
that the original concept
53:30
has withstood the tests of time
53:33
insane growth in usage and
53:35
application stands as a testament
53:38
to those who created this system so long
53:40
ago. But its great weakness
53:43
is that it was never designed to withstand
53:45
deliberate abuse. The
53:47
idea that someone would flood
53:49
the network with attack traffic was
53:51
something that this system's gifted designers
53:54
could never have anticipated. Even
53:56
so, the Internet's basic architecture
53:59
has been adaptable to incorporate such
54:01
protections over time. So,
54:04
wow, hats off to them.
54:08
And Leo drinks up for me.
54:12
We use we do have DDoS.
54:14
I actually shouldn't talk about our DDoS mitigation.
54:17
Should I but we use it. We
54:19
and it's not Cloudflare. How about
54:22
that? We
54:24
might be using Cloudflare. We use somebody else. There
54:26
are a number of people that do this. People
54:28
with big fat
54:29
pipes, basically. Yep. That's
54:32
the key.
54:32
It's no mystery though. Anyone can check to
54:34
see where the Oh, they can tell. They suck. Yeah.
54:36
guess you're right. Come to think of it. So
54:38
we use AWS. They have a very good
54:40
DDoS protection solution as well.
54:44
Let's AWS Shield. Yes.
54:47
You mentioned and now I can tell the
54:49
world, we use it. Our
54:52
show today is brought to you by our
54:54
great friends at ACI Learning IT
54:57
Pro for years supported
54:59
this show since their since they started
55:01
in twenty thirteen. And we've supported
55:03
IT pro right back. They've now
55:05
partnered with ACI Learning to
55:08
bring you the
55:10
best way to learn IT.
55:13
For decade now, our partners at
55:15
IT Pro brought you entertaining engaging content
55:19
so that you can learn IT, level up
55:21
your career organization, or get that first
55:23
job at IT. Now that
55:25
IT pro is part of ACI Learning, you
55:28
can expect an expanded reach.
55:30
Production capabilities, second
55:33
to none, the content
55:36
and the and the style of learning you
55:38
want at any stage in
55:40
your development. Now I say style because
55:42
while pro of course focuses on
55:44
remote learning, ACI also
55:46
has hubs where you can go and learn from instructor
55:49
in person. They also have
55:51
the practice labs. They have the tests
55:53
you take before you take the test. All
55:55
the tools you need to get that first job
55:57
in IT or to level up
56:00
in IT. Whether you're
56:02
at the beginning of your career, or
56:04
looking to move up in your sector, ACI
56:06
Learning is here to support your growth.
56:08
Not only in the IT, but also in
56:10
cybersecurity, and audit
56:12
readiness. Now they have audit pro as well.
56:15
One of the most widely recognized beginner certificates
56:17
we've talked about many, many times, CompTIA's
56:19
A plus cert. I think a lot
56:22
of our listeners have an A plus cert.
56:24
That's probably how they got into IT. CompTIA
56:26
courses with IT pro from ACI
56:28
learning. Make it easy to go from daydreaming
56:31
about a career in IT. Heck, if you're
56:33
listening to this show, you probably know more
56:35
already. Than most IT people.
56:37
You're ready to get a job at IT, but
56:39
you gotta get that cert, and
56:42
that's how you launch that career. Earning
56:44
a cert opens doors to most entry level
56:46
IT positions and supplies
56:48
potential promotions for those already in the
56:50
field. We also know that cybersecurity certs
56:53
are even more important if you're already in
56:55
IT, but you wanna get into cybersecurity. About
56:57
a third of information security jobs
57:00
in cybersecurity, one third require
57:02
a cert So that's important
57:05
to know. You need that cert to get that first job. But
57:07
if you wanna become a cybersecurity pro,
57:09
you need you need that cybersecurity
57:11
cert. And that makes sense. Employers
57:14
wanna see that you've not only got the knowledge,
57:16
but that you put in the time to study, the
57:18
work, to become adept in
57:20
that field. That's that's kinda what
57:22
that cert tells them. And let
57:24
me tell you, organizations are desperate
57:27
right now for cybersecurity talent. The
57:30
skills gap in cybersecurity is
57:32
growing every single day. The average salary right
57:34
now for cybersecurity professionals
57:36
is the average. Is a hundred sixteen
57:39
thousand dollars. ACI
57:41
Learning's information security analyst and
57:43
cybersecurity specialist programs can
57:46
get you even more. Get certified. You
57:48
had a great job. The
57:50
gap is huge. Last year, the global cybersecurity
57:53
workforce gap increased by increased by
57:55
twenty six point two percent. It's
57:57
more than a million unfilled
58:00
cybersecurity jobs. Great
58:03
jobs waiting for you. ACI
58:06
Learning offers multiple cybersecurity training
58:09
programs can prepare you to enter. Or
58:11
advance within this exciting industry. Most
58:13
popular cybersecurity certs offered,
58:16
they have set quite a few, but the
58:18
the big ones are the CISSP. How
58:20
many of you have that? EC Council
58:22
certified ethical hacker. That's the one
58:24
I've always wanted. Certified network
58:26
defender. Cybersecurity audit
58:29
school. We're just talking about auditing. Right? There's
58:31
a huge need for people with the audit capabilities.
58:34
And cybersecurity frameworks gotta know
58:36
how to use them. You're probably gonna
58:38
take multiple courses to get any one of these certs.
58:41
There's a lot to learn, but boy, why not
58:43
do it the right way with ACI learning? Where
58:46
and how you learn really does
58:48
matter? ACI learning offers
58:50
fully customizable training for
58:52
all kinds of learners you might like
58:54
it in person, they've got that. On demand,
58:57
they've got that remote, live
58:59
remote, they've got that too. Take
59:01
your learning beyond the classroom exploring everything
59:04
ACI learning offers. IT
59:06
pro, we know we already know how
59:08
great they are. That audit pro
59:11
includes enterprise solutions. They've
59:13
got webinars. They have a great podcast if
59:15
you haven't heard of the Skeptical Auditor podcast.
59:19
Practice labs. I mentioned those, the learning hubs
59:21
where you can go in and in person. They've got a partnership
59:23
program too. Tech
59:25
is one industry where
59:28
opportunities are outpacing growth in
59:30
a in a big way, especially
59:33
in that cybersecurity area. So
59:35
if you're already in IT, think about cybersecurity.
59:38
If you're not in IT, that might be a focus for
59:40
you. If if you listen to the show, probably already
59:42
something you're interested in. Right? One
59:44
third of information security jobs require
59:46
cyber security certification. Were you gonna
59:48
get it? Were you gonna get it?
59:50
ACI Learning? Yes. To maintain
59:52
your competitive edge across audit, IT,
59:55
and cyber security readiness, visit
59:57
the website, go g
59:59
o dot ACI learning
1:00:02
dot com slash twit.
1:00:05
That's go dot ACI learning dot
1:00:07
com slash twit. We also
1:00:09
have that offer code. Still have a twit thirty
1:00:11
TWIT three zero, that's gonna
1:00:13
get you thirty percent off, thirty percent
1:00:15
off of standard or premium
1:00:18
individual IT Pro membership. It's
1:00:21
a resource for everyone. This is your
1:00:23
chance to get a great job, to
1:00:25
improve your work prospects Go.
1:00:27
There's no reason in the world not to do
1:00:29
this. I'm telling you, if you listen to
1:00:31
this show, you're ready, baby.
1:00:34
Thank you so much for supporting. Security
1:00:36
now and supporting all of our security now listeners
1:00:38
too, I might add in. And if you wanna support
1:00:40
us, make sure when you go there, you use
1:00:42
that TWiT and the offer code twit
1:00:44
thirty. Okay? I'll say it one more time. Go
1:00:46
dot ACI learning dot com slash twit.
1:00:49
That's part one and the offer code twit
1:00:52
thirty. TWiT three zero. Alright,
1:00:55
Steve. On we go, speaking
1:00:58
of DDoS attacks, I've
1:01:01
often worried out loud here, you know,
1:01:03
for at least the last couple of years about
1:01:06
what would happen when malicious actors
1:01:09
finally got around to focusing their
1:01:11
evil intent upon and
1:01:14
commandeering for their nefarious needs.
1:01:17
The truly countless number
1:01:20
of Internet connected low end
1:01:22
IoT devices. Well,
1:01:24
those worries are beginning to manifest.
1:01:28
Last year, from
1:01:30
the summer, July through December
1:01:32
of twenty twenty two, Palo Alto
1:01:34
Networks unit forty two researchers
1:01:37
observed a Mirai botnet
1:01:39
variant known as V3G4
1:01:43
predominantly leveraging IoT
1:01:46
vulnerabilities to spread. V3G4
1:01:49
targets thirteen separate vulnerabilities
1:01:52
in Linux based servers and
1:01:54
Linux based IoT devices. The
1:01:57
devices are commandeered for use in
1:02:00
DDoS attacks. The malware
1:02:02
spreads both by brute forcing weak
1:02:05
or default Telnet and SSH credentials
1:02:08
and by exploiting known but
1:02:10
unpatched firmware coding
1:02:12
flaws to perform remote code
1:02:14
execution on the targeted devices. Once
1:02:17
the device is breached, the malware
1:02:19
infects the device and recruits it into
1:02:21
its botnet tribe. And,
1:02:25
you know, this is exactly what we've
1:02:27
been worried about for years. Though it
1:02:29
makes no rational sense at all,
1:02:32
We know how difficult it is
1:02:34
to even update big iron systems
1:02:37
that need to be kept current. Where there's
1:02:39
a well established notification and
1:02:41
patching infrastructure in place to
1:02:44
support that. Just look at the recent
1:02:46
VMware ESXi fiasco.
1:02:49
Those systems should have been readily
1:02:51
updated. But as we know,
1:02:54
they weren't. So compare that
1:02:56
to some modern or to some random
1:02:58
IP camera, which
1:03:00
was long ago installed and
1:03:03
has since been forgotten. What
1:03:05
about patching it? Good luck with
1:03:07
that. We can't even keep our servers
1:03:09
patched. Today, as
1:03:12
I've often lamented, we have
1:03:14
a literally unaccountable number
1:03:16
of gizmos and gadgets attached
1:03:19
to the internet. Why? Because
1:03:21
we can. While
1:03:23
most of those in our homes are safely
1:03:25
tucked away behind the one way valve
1:03:28
of our NAT routers and also
1:03:30
hopefully on their own isolated network
1:03:32
where possible, A great many,
1:03:35
due to their role and application, have
1:03:37
deliberately been given access to the public
1:03:39
internet. In the present
1:03:42
case of V3G4,
1:03:45
unit forty two tracked
1:03:47
three distinct campaigns. Unit
1:03:50
forty two believes all three attack waves
1:03:52
originated from the same malicious actor
1:03:55
because the hard coded command and control
1:03:57
domains contain the same string. The
1:04:00
shell script downloads are similar,
1:04:02
and the botnet clients used in all
1:04:04
attacks feature identical functions.
1:04:07
Yeah. That'd be enough to convince me. Okay.
1:04:09
So what does V3G4
1:04:11
attack? It exploits one
1:04:14
of the thirteen vulnerabilities. There's
1:04:17
a CVE twenty twelve forty
1:04:20
eight sixty nine, which is a FreePBX
1:04:22
Elastix remote
1:04:24
code execution. There's a
1:04:27
notorious remote command execution.
1:04:29
There's a CVE twenty fourteen, ninety
1:04:32
seven twenty seven, FritzBox, webcam
1:04:35
remote command execution. Mitel,
1:04:38
AWC remote command execution.
1:04:41
There's a CVE twenty seventeen, a fifty
1:04:43
one seventy three, a
1:04:45
Good Brook IP camera remote
1:04:48
code execution. Also a twenty
1:04:50
nineteen fifteen 107 web
1:04:52
bin command injection, spree
1:04:55
commerce arbitrary command execution,
1:04:58
FLIR thermal camera
1:05:00
remote command execution. A
1:05:02
twenty twenty eighty five
1:05:04
fifteen DreyTek V Go
1:05:07
remote command execution. Also,
1:05:09
same year, fifteen four fifteen,
1:05:12
DreyTek V Go remote command execution.
1:05:15
Also in twenty or in twenty twenty
1:05:18
two last year twenty twenty
1:05:20
two, thirty six two sixty seven,
1:05:22
airspan, air spot, remote
1:05:24
command execution. Atlassian confluence
1:05:27
remote command execution. See
1:05:29
data web management system command
1:05:31
execution. Thirteen in total.
1:05:34
And notably, some
1:05:36
of those CVEs were from twenty
1:05:38
twelve, twenty fourteen, twenty
1:05:41
seventeen, and twenty nineteen. There's
1:05:43
no reason to imagine that any
1:05:45
of these problems will ever be
1:05:47
repaired. And why would they
1:05:49
be? The device is apparently working?
1:05:53
Just fine. And who
1:05:55
even knows whether the company that
1:05:57
created it still even
1:05:59
exists? A new trend
1:06:01
we've
1:06:01
observed is that companies are
1:06:03
formed on the fly by
1:06:06
pulling together the know,
1:06:08
the individual required resources,
1:06:11
devices are designed, they're
1:06:13
manufactured, they're sold,
1:06:15
then the entire briefly assembled
1:06:18
organization dissolves returning
1:06:20
back to its original component parts.
1:06:23
There's no one to call for updates.
1:06:25
There's no follow-up. There's no accountability.
1:06:28
There's no aftermarket after sales
1:06:30
support. Yet, an
1:06:32
Internet connected gadget can
1:06:35
now harbor hostile code and
1:06:37
be used probably throughout the rest
1:06:39
of its long service life as
1:06:41
one more tiny cog in
1:06:44
a massive and untraceable global
1:06:46
attack launching platform. That's
1:06:49
where we are today. Again,
1:06:51
in the case of VG sixty four,
1:06:53
I mean, v three sixty four, after
1:06:56
compromising the target device, a
1:06:58
Mirai based payload is
1:07:00
dropped onto the system and attempts
1:07:03
to connect to the hard coded command
1:07:05
and control address. Once
1:07:07
running, the bot terminates a
1:07:09
large number of known
1:07:11
processes from a hard coded
1:07:14
list. Which includes other competing
1:07:16
botnet malware families. Hey,
1:07:19
I'm here now. You guys get out. You know?
1:07:22
Now there's a new king of the hill, a
1:07:24
characteristic that differentiates V3G4
1:07:28
from most other Mirai
1:07:31
variants is that it
1:07:33
interlaces the
1:07:37
use of four different
1:07:40
malware XOR encryption
1:07:42
keys rather than just one.
1:07:45
This was clearly an attempt to
1:07:47
make static analysis reverse
1:07:49
engineering of the malware's code
1:07:52
and decoding its functions more challenging.
1:07:55
As I briefly noted earlier, when
1:07:57
spreading to other devices, the
1:07:59
botnet uses a Telnet SSH
1:08:01
brute force that tries to connect
1:08:04
using default or weak credentials, and
1:08:06
those thirteen known vulnerabilities.
1:08:10
Once set up and running, with a connection
1:08:12
to the bot in its command and control, the
1:08:14
compromised devices are then given
1:08:17
DDoS commands directing their
1:08:19
attacks. This variant offers
1:08:22
TCP, UDP,
1:08:25
SYN, and HTTP flooding
1:08:28
methods. The unit forty two guys
1:08:30
suspect that V3G4
1:08:34
sells DDoS services to
1:08:36
clients who wanna cause service
1:08:38
disruption to specific websites
1:08:40
or other online services,
1:08:43
although the front end DDoS
1:08:45
service associated with this botnet
1:08:48
has not been identified at the time
1:08:50
of Unit forty two's report. So,
1:08:52
you know, this is what was expected
1:08:55
for a number of years was that eventually
1:08:58
people were gonna get around to getting
1:09:00
serious about taking over
1:09:02
our IoT devices and enlisting
1:09:05
them in DDoS attacks, and
1:09:08
we're now seeing a classic perfect example
1:09:10
of that happening. So
1:09:15
week after week, I encountered
1:09:18
news of malware stashes
1:09:22
being found on this or that
1:09:24
or sometimes all popular
1:09:27
code registries and repositories. An
1:09:30
example of such a piece of news
1:09:32
from last week is that Check Point's research
1:09:35
team detected sixteen malicious
1:09:38
JavaScript packages uploaded
1:09:41
on the official NPM registry.
1:09:44
The researchers said that all packages were
1:09:46
created by the same author and were
1:09:48
designed to download and run a
1:09:50
hidden CryptoMiner on a developer
1:09:53
system. The packages pretended
1:09:55
to be performance monitoring. So you'd
1:09:57
expect them to use your
1:09:59
computer's resources in order
1:10:01
to determine how well a
1:10:04
package is. It, however,
1:10:06
stays around afterwards, unbidden,
1:10:09
to crypto mine in the
1:10:11
background. All
1:10:13
sixteen of the packages have since
1:10:15
been removed from the NPM
1:10:17
registry. Anyway, so
1:10:20
I just wanted to say that this is a
1:10:22
constant flux. It's like that week
1:10:24
after week endlessly. I'm
1:10:26
mentioning it this week because I
1:10:28
don't mention all of this happening every
1:10:30
single week in one form or another.
1:10:33
Sometimes NPM. Sometimes it's
1:10:36
PyPI. Sometimes something else.
1:10:38
Basically, wherever security
1:10:40
firms are looking, they
1:10:42
are now finding malicious packages.
1:10:45
So I just wanted everyone
1:10:48
to be aware that there is
1:10:50
this constant flux of
1:10:52
malware dribbling into
1:10:54
the open source ecosystem. It's
1:10:57
now another one of today's
1:10:59
realities. It's used everywhere
1:11:02
too, this package management system.
1:11:04
On Macs, we have Homebrew. Every
1:11:06
Linux distro has a package manager
1:11:08
that downloads stuff. And
1:11:11
security is really an afterthought.
1:11:13
You know, I
1:11:15
I use a password. Hey. It's
1:11:17
it's free. It's free. It's downloadable. Grab
1:11:19
this. You know, grab And the other
1:11:22
thing is sometimes when you install
1:11:24
something, it comes with this massive
1:11:26
list of dependencies.
1:11:27
Right. Right? Because So those all downloaded
1:11:30
and installed. Yeah. Exactly. Right. You
1:11:33
know, I some of the package managers I
1:11:35
use on Linux give you a chance
1:11:37
to review the changes ahead of
1:11:39
time. But even then, most
1:11:41
of us just go, yeah. Yeah. Yeah. Whatever.
1:11:42
Leo, it's like a license agreement. It's like
1:11:45
yeah, fine. So this page after page do
1:11:47
I put a code of make file
1:11:49
code and, you know, weird code
1:11:51
and who I don't really and ain't nobody got time
1:11:53
to read that. Nope. So
1:11:55
I'm not
1:11:56
surprised. I think we've gotta solve this
1:11:58
though. They're gonna find a way to fix this somehow.
1:12:00
Yeah. And and you know, the the problem
1:12:03
is when you talk about closing
1:12:04
it, well, closing it is again is against
1:12:07
the spirit of it and open -- Yeah. -- which is
1:12:09
the right point.
1:12:10
Right? I don't know how you do this.
1:12:12
Yeah. So,
1:12:14
Patch Tuesday. It was last Tuesday.
1:12:18
Many well known publishers got in
1:12:20
on the action. The industry
1:12:23
was made aware of security updates released
1:12:25
by Apple, Adobe, Git,
1:12:27
Microsoft and SAP. The
1:12:29
Android project, OpenSSL,
1:12:32
and VMware also released security
1:12:34
updates last week. Microsoft patched
1:12:37
eighty eight zero vulnerabilities, including
1:12:40
three zero days, and Apple
1:12:43
got a lot of attention releasing security
1:12:45
updates that included a patch for an
1:12:47
actively exploited Safari web
1:12:50
zero day vulnerability. So everyone
1:12:52
was told, you know, don't delay on that one.
1:12:55
We know that the sometimes crucial
1:12:58
mistakes many large and
1:13:00
small organizations make is
1:13:02
in ignoring these fixes. You
1:13:04
know, if everyone kept their software patched,
1:13:07
we'd be seeing many fewer widespread problems
1:13:09
such as that VMware ESXi debacle,
1:13:12
which is still ongoing, by the way, more
1:13:14
than five hundred newly
1:13:16
compromised systems just last
1:13:19
week. So still happening
1:13:21
but slowing down. As
1:13:23
it turns out, however, and this is one
1:13:25
reason that at least enterprises need
1:13:27
to be a little careful, it wasn't
1:13:29
all smooth sailing. With this month's
1:13:32
security updates, Microsoft has
1:13:34
stated that some Windows Server
1:13:37
twenty twenty two virtual machines
1:13:40
may no longer boot after
1:13:42
installing the updates released last
1:13:44
week. This issue, they
1:13:46
said, only impacts VMs
1:13:49
with secure boot enabled and
1:13:51
running on VMware's vSphere
1:13:55
ESXi six point seven U2
1:13:57
and U3, or vSphere
1:14:00
ESXi seven
1:14:03
point zero point anything.
1:14:06
The culprit is patch
1:14:09
KB5022842,
1:14:11
which if installed on
1:14:14
guest virtual machines running
1:14:16
Windows Server twenty twenty two may
1:14:18
no longer start up. VMware
1:14:21
and Microsoft are working to determine
1:14:23
the cause. Interestingly, even
1:14:25
though Microsoft says that only VMware
1:14:28
ESXI VMs are affected, some
1:14:31
admin reports point to other
1:14:33
hypervisor platforms, including
1:14:35
bare metal, also being impacted
1:14:37
by this issue. So again,
1:14:40
end users should, you know,
1:14:42
upgrade; enterprise users are always
1:14:45
gonna have to be on guard. Last
1:14:48
Friday, Samsung announced
1:14:50
a new feature for, at
1:14:52
the moment, only its Galaxy
1:14:55
s twenty three series smartphones
1:14:57
called Message Guard. Now
1:15:00
the details are sketchy and it
1:15:02
sounds like it resembles Apple's
1:15:05
BlastDoor technology which Apple
1:15:07
introduced back with iOS fourteen.
1:15:10
Both technologies, Message
1:15:13
Guard, which is Samsung's,
1:15:15
and BlastDoor, Apple's, are
1:15:18
image rendering sandboxes. We've
1:15:21
often talked about the difficulty of safely
1:15:23
and purely rendering images because
1:15:25
image compression encodes
1:15:28
images into a description that
1:15:31
must later be read and interpreted
1:15:33
in order to recover a close approximation
1:15:36
of the original image. It's
1:15:38
those image decompressing and
1:15:40
rendering interpreters that have
1:15:43
historically harbored subtle flaws
1:15:45
that malicious parties have leveraged
1:15:47
to create so called zero
1:15:49
click exploits. Meaning that
1:15:52
all the phone needs to do is
1:15:54
display an image in order to
1:15:56
have it taken over by a remotely
1:15:58
located malicious party. So
1:16:01
Samsung now has this technology
1:16:04
added to its
1:16:06
s twenty three series, and it
1:16:08
has said that it plans to expand
1:16:10
it to other Galaxy smartphones and tablets
1:16:13
later this year that are running on
1:16:15
One UI five
1:16:17
point one or higher. The
1:16:21
addition of these technologies represents a
1:16:23
maturation I think of
1:16:25
our understanding of the
1:16:27
problems we face. It is
1:16:30
so easy to imagine and
1:16:32
every developer does that any
1:16:34
problem that's found will be the
1:16:36
last one that will ever be found.
1:16:39
And of course, that's true,
1:16:41
right up until the next problem is
1:16:43
discovered. Experience shows
1:16:46
that we're not running out of such problems
1:16:48
anytime soon if ever. Hey,
1:16:50
everybody. Leo Laporte here. I'm the founder
1:16:53
and one of the hosts at the TWiT podcast
1:16:56
network. I wanna talk to you little bit about
1:16:58
what we do here at TWiT because I think it's
1:17:00
unique and I think for
1:17:02
anybody who is bringing
1:17:05
a product or a service
1:17:08
to a tech audience, you need to
1:17:10
know about what we do here at
1:17:12
TWiT. We've built an amazing audience
1:17:14
of engaged, intelligent, affluent
1:17:17
listeners who listen to
1:17:19
us and trust us when we recommend.
1:17:21
A product. Our mission statement is
1:17:23
TWiT is to build a highly engaged community
1:17:26
of tech enthusiasts. Already,
1:17:29
your ears should be perking up at
1:17:31
that because highly engaged is
1:17:33
good for you. Tech enthusiasts, if
1:17:35
that's who you're looking for, this is the place.
1:17:37
We do it by offering them the knowledge they need,
1:17:40
to understand and use technology in today's
1:17:42
world. And I hear from our audience
1:17:44
all the time, part of that knowledge comes
1:17:46
from our advertisers. We
1:17:48
are very careful. We pick advertisers with
1:17:51
great products, great services, with
1:17:54
integrity, and introduce them
1:17:56
to our audience with authenticity and
1:17:59
genuine enthusiasm. And
1:18:02
that makes our host-read ads different from
1:18:04
anything else you can buy. We are
1:18:06
literally bringing you to
1:18:08
the attention of our audience and
1:18:11
giving you a big fat endorsement.
1:18:14
We like to create partnerships with trusted
1:18:16
brands, brands who are in it for
1:18:18
the long run, long term partners
1:18:20
that wanna grow us
1:18:22
and we have so many great success stories.
1:18:25
Tim Broom, who founded IT pro
1:18:27
TV in twenty thirteen, started
1:18:29
advertising with us on day one has been with
1:18:31
us ever since. He said, quote,
1:18:34
we would not be where we are today. Without
1:18:37
the TWiT network. I think the proof is
1:18:39
in the pudding. Advertisers like
1:18:41
IT pro TV and Audible that have
1:18:43
been with us for more than ten years. They
1:18:45
stick around because their ads
1:18:47
work. And honestly, isn't that
1:18:50
why you're buying advertising? You
1:18:52
get a lot with TWiT. We have a very
1:18:54
full service attitude. We almost think of
1:18:56
it as kind of artisanal advertising,
1:18:59
boutique advertising, you'll get a full
1:19:01
service continuity team.
1:19:04
People who are on the phone with you, who are in
1:19:06
touch with you, who support you from
1:19:09
with everything from copywriting to
1:19:11
graphic design. So you are
1:19:13
not alone in this. We
1:19:15
embed our ads into the
1:19:17
shows. They're not they're not added later.
1:19:19
They're part of the shows. In fact, often,
1:19:22
There's such a part of our shows that our other host
1:19:24
will chime in on the ad saying,
1:19:26
yeah, I love that or just the other
1:19:28
day. One of our host said,
1:19:30
man, I really gotta buy that. That's
1:19:33
an additional benefit to you because
1:19:35
you're hearing people Our audience trusts
1:19:38
saying, yeah, that sounds great. We
1:19:41
deliver always overdeliver on
1:19:43
impressions, so you know you're gonna get the
1:19:45
impressions you expect. The
1:19:47
ads are unique every time. We don't
1:19:49
prerecord them and roll them in. We are genuinely
1:19:52
doing those ads in the middle of the show.
1:19:54
Will give you great onboarding services, ad
1:19:57
tech with pod sites that's free for
1:19:59
direct clients, gives you a
1:20:01
lot of reporting, gives you a great idea of how well
1:20:03
you're ads are working. You'll get courtesy
1:20:05
commercials. You actually can take our ads and share
1:20:07
them across social media and landing
1:20:09
pages that really extends the reach.
1:20:12
There are other free goodies too, including mentions
1:20:14
in our weekly newsletter that sent the
1:20:16
thousands of fans engaged fans
1:20:19
who really wanna see this stuff, we give you
1:20:21
bonus ads and social media
1:20:23
promotion too. So if you
1:20:25
want to be a long term partner, introduce
1:20:27
your product to a savvy, engaged
1:20:30
tech audience. Visit twit dot
1:20:32
tv slash advertise Check
1:20:34
out those testimonials. Mark McCreery is
1:20:37
the CEO of Authentic. You probably know him
1:20:39
one of the biggest original podcast
1:20:41
advertising companies. We've been with him
1:20:43
for sixteen years. Mark
1:20:46
said the feedback from many advertisers over
1:20:48
sixteen years across a range of product
1:20:50
categories everything from
1:20:53
razors to computers is
1:20:55
that if ads and podcasts are gonna work
1:20:57
for a brand, they're gonna work on TWiT
1:20:59
shows. I'm very proud of what
1:21:01
we do. Because it's honest, it's
1:21:03
got integrity, it's authentic, and
1:21:05
it really is a great introduction
1:21:08
to our audience. Of your
1:21:10
brand. Our listeners are smart.
1:21:13
They're engaged. They're tech savvy.
1:21:15
They're dedicated to our network. And
1:21:18
that's one of the reasons we only work
1:21:20
with high integrity partners that we've personally
1:21:22
and thoroughly vetted. I have absolute
1:21:24
approval on everybody. If you've got
1:21:27
a great product, I wanna hear from you.
1:21:29
Elevate your brand by reaching out today at
1:21:31
advertise at TWiT dot tv,
1:21:33
breakout of the advertising norm, grow your
1:21:35
brand, host-read ads on TWiT
1:21:38
dot tv, visit twit dot tv
1:21:40
slash advertise for more details or you
1:21:42
can email us advertise at
1:21:44
twit dot tv if you're
1:21:46
ready to launch your campaign now. I can't wait
1:21:48
to see your product. So give us a ring.
1:21:52
Okay. So it
1:21:55
turns out that millions
1:21:58
of Hyundai and Kia autos
1:22:01
which is to say approximately three
1:22:04
point eight million Hyundai
1:22:06
and four point five million
1:22:09
Kias, are vulnerable to
1:22:11
being stolen using
1:22:14
just a bit of technology and
1:22:16
that Indeed, once
1:22:18
the method of doing so became
1:22:20
common knowledge in some circles,
1:22:23
Los Angeles reported an
1:22:25
eighty five percent increase in
1:22:28
Car thefts of those two brands.
1:22:31
And not to be outdone in the Car thefts
1:22:33
category, Chicago, saw
1:22:36
a nine fold increase,
1:22:38
nine hundred percent in
1:22:40
the theft of those cars. Okay.
1:22:43
So first, how was the news spread?
1:22:45
Believe it or not, by something being
1:22:48
called a challenge, which
1:22:50
has been heavily promoted on TikTok
1:22:53
since last summer, July twenty
1:22:55
twenty two. TikTok presented
1:22:57
instructional videos showing
1:22:59
how to remove the steering column
1:23:01
cover to reveal a
1:23:04
USB-A format
1:23:06
connector, which can then
1:23:08
be used to hotwire the car. Hyundai's
1:23:11
and Kia's first low tech response,
1:23:13
which began last November, was
1:23:15
to work with law enforcement agencies across
1:23:18
the United States to provide tens
1:23:20
of thousands of steering wheel
1:23:22
locks. You know, a big
1:23:24
red steering wheel locking bar
1:23:27
has the advantage of letting TikTok
1:23:29
watching car thieves know
1:23:32
that even if they're able to
1:23:34
enter and start the car, aiming
1:23:37
it will still present a problem. The
1:23:40
fundamental problem surrounds
1:23:42
a coding logic flaw that
1:23:45
allows the turnkey to
1:23:47
start system to bypass
1:23:50
the engine immobilizer, which
1:23:52
is supposed to verify the authenticity
1:23:55
of the code in the key's transponder
1:23:58
to the car's ECU. In
1:24:00
other words, no key is needed.
1:24:03
This allows car thieves to
1:24:05
activate the ignition cylinder using
1:24:08
any USB cable to
1:24:10
start and then drive off with with
1:24:12
the car. Hyundai
1:24:14
wrote, quote, in response to
1:24:17
increasing thefts targeting
1:24:19
its vehicles without push button ignitions,
1:24:22
and immobilizing anti theft devices
1:24:24
in the United States, Hyundai is
1:24:27
introducing a free anti
1:24:29
theft software upgrade. That's
1:24:32
nice of them. To prevent the
1:24:34
vehicles from starting, during
1:24:37
a method of theft popularized on
1:24:39
TikTok, and other social media
1:24:41
channels. Okay. So
1:24:44
the software upgrade will be provided
1:24:46
at no charge. You better
1:24:48
believe it. For all impacted
1:24:51
vehicles, with a rollout which
1:24:53
began last Monday, a
1:24:55
week ago yesterday, initially
1:24:58
to more than a million twenty seventeen
1:25:00
through twenty twenty Elantra,
1:25:03
twenty fifteen through twenty nineteen
1:25:06
Sonata, and twenty twenty
1:25:08
and twenty twenty one Venue cars.
1:25:11
All of the rest of the affected autos and
1:25:13
there were too many of them to list here will
1:25:15
be upgraded through the summer of this
1:25:17
year. The upgrade will be installed
1:25:20
by Hyundai's official dealers and service
1:25:22
network throughout the US and is expected
1:25:24
to take up probably less than an hour.
1:25:27
Eligible car owners will be individually notified.
1:25:31
Hyundai's announcement explained
1:25:33
that the upgrade modifies the
1:25:36
turnkey to start logic to
1:25:38
kill the ignition when the
1:25:40
car owner locks the doors
1:25:43
using the genuine key fob. After
1:25:46
the upgrade, the ignition will
1:25:48
only activate after the key
1:25:50
fob is first used to
1:25:52
unlock the vehicle, meaning that you
1:25:54
can't break in first, That
1:25:56
was the missing interlock which facilitated
1:25:59
this hack in the first place. So
1:26:02
the question remains. Though,
1:26:04
you know, without a big red steering
1:26:07
wheel locking bar, how
1:26:09
would thieves without wheels
1:26:12
know that your particular Hyundai
1:26:15
or Kia is no longer vulnerable.
1:26:19
Hyundai is solving this dilemma
1:26:21
by supplying its customers after
1:26:24
they get the upgrade with a convenient
1:26:26
window sticker and I
1:26:29
would love to see what the sticker says,
1:26:31
you know, like, upgraded. So
1:26:34
the TikTok hack no longer
1:26:35
works. Can you put glue
1:26:37
in the USB port? Would that
1:26:40
would that help?
1:26:43
Well, and the problem is your your car is
1:26:45
gonna get broken into before the
1:26:47
the bad guy is Put a sign in the
1:26:49
window that says glue in the USB
1:26:52
Do not attempt.
1:26:54
Yeah. So Hyundai is providing a sticker.
1:26:56
And I would love to see what the sticker says,
1:26:58
you know. I'll show you the this sticker.
1:27:00
We just got it Best Buy. You're gonna like this.
1:27:03
Remember to turn your computer off before
1:27:05
three fourteen o seven on one nineteen
1:27:07
twenty thirty eight? I
1:27:10
should send that to you. This
1:27:13
is picture of the
1:27:14
week. I just saw this one last time.
1:27:17
Hyundai's got a sticker that says what?
1:27:19
Software upgraded What?
1:27:22
You won't you won't be bet. You won't be able
1:27:25
to steal this car or something. But would it mean
1:27:27
I bet it doesn't want to get it. Is
1:27:29
it really gonna prevent that? I
1:27:31
don't know. Well, they're really gonna put a sticker in
1:27:34
the window. You know? And
1:27:36
and so it only works for some.
1:27:38
Unfortunately, there are some models that completely
1:27:40
lack the engine immobilizer technology.
1:27:43
So it's enabled. Yeah. Yes.
1:27:45
They cannot receive the software fix,
1:27:48
which, you know, updates the missing immobilizer
1:27:50
logic. So to address that problem,
1:27:53
Hyundai will cover the cost
1:27:55
of steering wheel locks for their
1:27:58
owners. And, you know, this
1:28:00
is the definition of a kludge. You know,
1:28:02
so far, all of this talk has been
1:28:04
about Hyundai. But as noted, Kia
1:28:06
has a similar problem. It's a same
1:28:08
company. Yeah. Kia has promised to start
1:28:11
the rollout of its software upgrade soon,
1:28:13
but hasn't yet announced any specific
1:28:16
dates or details. The US Department
1:28:18
of Transportation was the source of those
1:28:20
stats about the number of affected vehicles
1:28:23
and also noted that these hacks
1:28:25
have resulted. In
1:28:28
at least fourteen confirmed
1:28:31
car crashes and eight
1:28:33
fatalities. No. So
1:28:36
what do you wanna bet that product liability
1:28:38
and personal injury law firms are
1:28:41
already rubbing their hands
1:28:42
together? Over this quite
1:28:44
significant screw up. Wow.
1:28:49
Okay. Who says TikTok isn't
1:28:51
useful? That's what I say. So
1:28:59
the astonishing success, and
1:29:02
the equally surprising performance
1:29:05
of OpenAI's chat GPT
1:29:08
three large language model
1:29:11
AI means
1:29:13
that a new phenomenon we'll
1:29:16
soon be entering mainstream use.
1:29:18
Leo, I'm gonna take a sip of water. Why
1:29:21
don't you tell our listeners about it? I will. I'll tell them
1:29:23
about Club TWiT while we get ready for
1:29:25
I'm dying to hear Steve's taking
1:29:27
all this. This will be fascinating. We've been talking
1:29:30
about nothing else on all the shows
1:29:32
for the last couple of
1:29:33
weeks. It's a it's a hot topic.
1:29:36
But what gave our podcast the
1:29:38
name today, a clever Regurgitator
1:29:40
figured that as much.
1:29:42
Yes. There have been lots of names for
1:29:46
GPT, including
1:29:49
what is it? Mansplaining machine, a
1:29:52
spicy autocorrect, but I like the
1:29:54
regurgitator. That's good. That's
1:29:56
good. You like this show? Would you
1:29:58
like to hear this show without any commercial
1:30:00
interruptions, including the one year about the year,
1:30:02
I got a solution for you. Join
1:30:05
the club, club TWiT. We thank our club
1:30:07
twit members for making this show and all the shows
1:30:10
we do possible. I don't know if you've noticed
1:30:12
this show is short on ads. Many of our
1:30:14
shows have no ads at all. You
1:30:16
probably saw articles in The New York Times
1:30:18
and elsewhere saying the podcast advertising
1:30:21
is falling off a cliff. I don't know
1:30:23
if that's because of a bad economy or because
1:30:25
there's a million new podcasts every minute,
1:30:27
but it is getting harder and
1:30:29
harder for us to to support this
1:30:32
network, this show, and all the other shows we
1:30:34
do through advertising. I wanted
1:30:36
to do that. That was the that's, you know, that's what we've
1:30:38
been doing for the last fifteen years,
1:30:41
but there is another way. And then in the long
1:30:43
run, I kinda like this way better. And
1:30:46
that's getting you the listeners
1:30:48
to support what we do. That's why we
1:30:50
created Club TWiT. Lisa created it. We're on our
1:30:52
second anniversary in a couple of months, which
1:30:54
is pretty great. She
1:30:57
did a lot of research. She said, I don't
1:30:59
want this to be too expensive. So
1:31:02
we've priced it less than anybody else. It's a
1:31:04
buck less. Than Twitter's blue
1:31:06
check. It's five bucks less than
1:31:08
a blue check on Facebook to
1:31:10
seven bucks a month. Eighty four
1:31:12
bucks a year. You get ad free versions of
1:31:14
all the shows because you're giving us money. We don't need
1:31:17
to advertise to you. But you get
1:31:19
a lot more. You also get access to the fantastic
1:31:21
club discord, which is a place
1:31:23
you can go. Hang, I'm
1:31:25
more and more thinking discord. Is
1:31:28
a great social network, the
1:31:30
best social network. And I tell you, when
1:31:32
it's just club TWiT members in there,
1:31:34
it's so much fun. It's more than just more
1:31:37
than just the shows. Because you
1:31:39
we do have chat sections for all the shows.
1:31:41
But there's all the topics geeks are
1:31:43
interested in. From beer
1:31:45
wine and cocktails to automobiles. We've
1:31:47
got Stacey's Book Club, ham radio,
1:31:50
movies, TV, music, travel.
1:31:53
It's all in there. I hang
1:31:55
out in the coding group all the time. We've
1:31:57
got some great coders in there with lots
1:31:59
of good conversations going on. I
1:32:01
mean, and mean, real conversations. So
1:32:04
the Discord is another benefit. You get that
1:32:06
too. You also get the TWiT plus feed,
1:32:08
which includes shows we don't put on the regular
1:32:11
TWiT feeds. Shows like Micah Sargent's
1:32:13
hands on Macintosh Windows
1:32:16
Weekly. We've got Stacey's book club,
1:32:18
The Untitled Linux Show, GizFiz, lots
1:32:20
of other stuff. We do special events, Lisa and
1:32:22
I did an inside TWiT couple of weeks ago.
1:32:25
All of that on the TWiT plus feed. So
1:32:27
ad free versions of all the shows access
1:32:29
to the Discord. Many
1:32:32
of the hosts are also in there. You also
1:32:34
get the TWiT plus feed seven bucks
1:32:36
a month. But here's the most important thing. You
1:32:38
can feel good. Because that money
1:32:40
really helps us keep the lights on, keep the
1:32:42
staff employed. We use it to generate
1:32:44
new shows. That's why we have this week in space.
1:32:47
The club helps foster it. Grew it
1:32:49
in the club. Once it got to a certain size, we were
1:32:51
able to put it out to the public. That's the plan.
1:32:54
It's right now, think
1:32:56
we have a six thousand users, that's less than
1:32:58
one percent of the whole audience. If
1:33:00
we got to about five percent of the whole audience,
1:33:03
you wouldn't hear any more ads. We could just,
1:33:05
you know, it would simplify life for all
1:33:07
of us. That's all it would take. You
1:33:09
don't all have to pay. Just just all I'm
1:33:11
asking, You know who you are. If you can
1:33:14
afford seven bucks a month, TWiT
1:33:16
dot tv slash club TWiT. Help us out a
1:33:18
little
1:33:18
bit. That's all. I'm not gonna beg you. This
1:33:20
isn't public broadcasting.
1:33:23
But may well, maybe we could be. If we if
1:33:25
we if we if we did it right. TWiT
1:33:27
dot tv slash club TWiT.
1:33:29
It also gives Steve a chance to quaff
1:33:32
a fine beverage,
1:33:34
and continue on. Talking about
1:33:36
chat GPT. Okay. So
1:33:41
as I started to say, the astonishing success
1:33:44
and the equally surprising performance
1:33:47
of OpenAI's chat GPT3
1:33:50
large language model AI means
1:33:52
that a new phenomenon will soon
1:33:54
be entering mainstream use. I think that's
1:33:57
absolutely clear. Right
1:33:59
here on this podcast, thanks to
1:34:01
Rob Woodruff's inspiration to
1:34:04
enlist Chat GPT in assisting
1:34:06
him authoring that
1:34:08
LastPass vault de-obfuscating PowerShell
1:34:11
script, we've all witnessed firsthand
1:34:14
just how significant these coming changes
1:34:16
will be. And anyone who's been
1:34:18
following the news of this may have, you
1:34:21
know, continued to be somewhat astounded
1:34:24
by what this technology appears be
1:34:26
capable of accomplishing. I
1:34:29
think that the most accurate
1:34:31
and succinct way of describing
1:34:34
what we're witnessing is that
1:34:36
it is astonishing to see the
1:34:38
degree to which a neural
1:34:40
network using large language modeling
1:34:43
as exemplified by chat GPT
1:34:46
is able to simulate intelligence.
1:34:50
And I think that is the key concept to
1:34:52
hold on to. Chat GPT is
1:34:55
not itself in any way
1:34:58
intelligent. It is a clever
1:35:00
Regurgitator of
1:35:02
intelligence. One
1:35:04
of the dangers, which we can
1:35:06
feel present, is that this
1:35:08
turns out to be a surprisingly subtle
1:35:11
yet crucial distinction, which
1:35:14
is guaranteed to confuse many
1:35:16
if not most people who casually interact
1:35:18
with this mindless bot. After
1:35:22
absorbing the historical global
1:35:25
output of a truly
1:35:27
intelligent species, namely
1:35:30
man, we have an
1:35:32
automaton that's able
1:35:34
to take our entire historical production
1:35:38
all at once as a whole
1:35:40
and quickly select from that massive
1:35:43
corpus, the right thing
1:35:45
to say. It's able
1:35:47
to choose it because that right
1:35:50
thing has been expressed before
1:35:52
by man in thousands
1:35:55
of different contexts. So
1:35:57
it appears intelligent because
1:35:59
it's mimicking an intelligent
1:36:02
species. A parrot
1:36:04
in a cage who says, Polly
1:36:07
wants a cracker, is more
1:36:09
intelligent because it really
1:36:11
does want a cracker. Although,
1:36:15
although, ChatGPT may
1:36:17
be induced to express a desire,
1:36:21
that's still nothing more than mimicry
1:36:23
since it has previously absorbed
1:36:26
all of humanity's past expressions
1:36:29
of desire. It doesn't
1:36:31
ever actually want anything because
1:36:34
there's
1:36:36
not actually any it there
1:36:39
at all to do any wanting.
1:36:41
Again, I
1:36:44
come back to yes, what
1:36:46
it does is astonishing, but
1:36:48
that's only because it's the
1:36:50
first thing we've ever encountered that's
1:36:53
able to convincingly sound like
1:36:55
us. But that's all it's
1:36:58
doing. It's sounding like
1:37:00
us. The parrot in its
1:37:02
cage is extremely limited
1:37:04
in its ability to sound like us.
1:37:07
A sufficiently large language model
1:37:09
neural network is potentially unlimited
1:37:12
in its ability to sound like us.
1:37:15
And if we can be certain of anything, it's
1:37:18
that this simulation will be
1:37:20
improving over time. Especially
1:37:23
now that this technology has left
1:37:26
the lab and that capitalistic forces
1:37:29
of commerce will be driving
1:37:31
and funding further advancement. But
1:37:34
nevertheless, in no
1:37:36
way should sounding like
1:37:38
us ever be confused
1:37:41
with being like us. A
1:37:44
high fidelity recording of
1:37:46
Pavarotti may sound exactly
1:37:49
like Pavarotti, but it isn't
1:37:51
Pavarotti. It's just a recording.
1:37:55
Okay. So what got me started
1:37:57
on this? It was an interesting
1:38:00
experiment by some researchers at
1:38:02
the company ANY.RUN
1:38:05
who wanted to explore an
1:38:07
aspect of ChatGPT's limitations.
1:38:11
They wanted to see whether ChatGPT's
1:38:14
otherwise impressive capabilities might
1:38:17
extend to analyzing real
1:38:20
world malware. If
1:38:22
so, it might make security
1:38:24
researchers' lives more productive by
1:38:27
allowing them to dump a load of code into
1:38:29
ChatGPT and have it figure
1:38:31
it out. Their blog
1:38:34
posting begins. Quote,
1:38:36
if ChatGPT is
1:38:38
an excellent assistant in
1:38:40
building malware, can it
1:38:42
help analyze it too? The
1:38:45
team of ANY.RUN malware
1:38:47
sandbox decided to put
1:38:50
this to the test and see
1:38:52
if AI can help us
1:38:54
perform malware analysis. Lately,
1:38:58
there's been a great deal of discussion about
1:39:00
malicious actors using ChatGPT,
1:39:03
the latest conversational AI
1:39:05
to create malware. Malware
1:39:08
analysts, researchers and IT
1:39:10
specialists agree that
1:39:12
writing code is one
1:39:14
of ChatGPT's strongest sides,
1:39:18
and it's especially good at mutating
1:39:20
it. By leveraging this capability,
1:39:23
even wannabe hackers can
1:39:25
build polymorphic malware simply
1:39:28
by feeding text prompts to the bot.
1:39:30
And it will spit back working malicious
1:39:33
code. Open AI
1:39:35
released ChatGPT in November of
1:39:37
twenty twenty two. And at the time
1:39:39
of writing this article, the chatbot
1:39:41
already has over six hundred million
1:39:44
monthly visits. It's
1:39:46
scary to think how many people
1:39:48
are now armed with the tools
1:39:51
to develop advanced malware. So
1:39:54
going into this, our hopes
1:39:56
were high, but unfortunately, the
1:40:00
results weren't that great. We
1:40:02
fed the chatbot malicious scripts
1:40:05
of varying complexity and
1:40:07
asked it to explain the purpose behind
1:40:10
the code. We used simple
1:40:12
prompts such as explain what
1:40:14
this code does or analyze
1:40:17
this code. Okay? And
1:40:19
then they go on with examples. The
1:40:22
short version of what they discovered
1:40:24
is that ChatGPT did
1:40:27
remarkably well when
1:40:29
the researchers gave it toy
1:40:32
code to examine. And
1:40:34
it really did surprisingly well
1:40:37
on that. But as the complexity
1:40:39
of the testing code increased, there
1:40:42
was a sort of complexity cliff
1:40:44
they ended up going over after
1:40:47
which ChatGPT collapsed
1:40:49
completely. And
1:40:51
knowing what we know now, isn't
1:40:54
that exactly what we would
1:40:56
expect?
1:40:59
As a large language
1:41:01
model neural network,
1:41:04
ChatGPT is not
1:41:06
in any way even
1:41:09
the tiniest bit sentient.
1:41:12
Our limited language parrot is
1:41:14
more sentient. So,
1:41:17
ChatGPT is unable to
1:41:19
understand anything
1:41:21
at all. That means
1:41:24
it's
1:41:26
not gonna be great at the
1:41:29
true problem solving that
1:41:31
reverse engineering complex
1:41:33
malware code, or any
1:41:35
code, requires. But
1:41:38
reverse engineering code is
1:41:41
very different from writing code.
1:41:44
Thanks to the explosion of
1:41:46
open source software,
1:41:48
ChatGPT has previously ingested
1:41:52
all of the source code on
1:41:54
the Internet. That's a
1:41:57
massive amount of real
1:41:59
working code. And as
1:42:01
we understand, it is
1:42:04
able to select, regurgitate,
1:42:07
and rearrange the code that
1:42:09
it has previously encountered. But
1:42:12
when it's asked to produce code that
1:42:14
it hasn't previously seen,
1:42:16
that's where things start to become
1:42:18
fuzzy and where it starts making
1:42:21
mistakes. Since, again, it's
1:42:23
not really understanding anything
1:42:26
about what it's doing. It's simply
1:42:28
searching for a matching context
1:42:31
amid all of the world's previously
1:42:33
written code. Last
1:42:36
week, I was corresponding with
1:42:38
two of the sharpest minds I've
1:42:40
ever had the privilege of knowing. And
1:42:42
I was talking about the idea that
1:42:45
I previously shared here, which
1:42:47
is that I think one of the things
1:42:49
ChatGPT's surprising
1:42:52
success at mimicry teaches
1:42:55
us is that a good portion
1:42:57
of the vaunted human intelligence we
1:43:00
make such a big deal about having
1:43:02
is mostly just repeating what
1:43:05
we've previously encountered and
1:43:07
anticipating what's gonna come
1:43:09
next based upon what
1:43:11
came next in the past. Here's
1:43:13
what I wrote to these two friends. I
1:43:16
said, if I look back,
1:43:18
over my creative life, there
1:43:21
have been a few moments that
1:43:23
I would say were truly inspired
1:43:26
invention. Where I created
1:43:28
something from nothing, something
1:43:31
that was actually new, but
1:43:34
far and away, ninety
1:43:37
nine point nine nine nine nine nine
1:43:40
percent of everything I
1:43:43
do and have done, has
1:43:45
been wholly derivative. As
1:43:48
it happens, I obtain immense
1:43:50
satisfaction and even some
1:43:52
joy from endlessly solving
1:43:55
combinatorial puzzles. Thus,
1:43:58
I love electronics and coding.
1:44:02
Okay. So to wrap it up, I thought it
1:44:04
was interesting and not at all surprising
1:44:07
that whereas ChatGPT can
1:44:10
perform quite well at recombining
1:44:13
what it's seen in the past to produce
1:44:15
new and nearly functional code
1:44:17
in the future, it is not
1:44:19
gonna be able to understand and
1:44:22
explain the detailed operation
1:44:25
of some piece of purpose written
1:44:27
malware that it has never encountered
1:44:29
before. Though ChatGPT
1:44:32
was initially a surprise. And
1:44:35
though I'm sure that this technology is gonna
1:44:37
continue to improve over time, I
1:44:40
believe that we now have a good foundation
1:44:43
for understanding what it can
1:44:46
and cannot do. And at
1:44:48
least for the foreseeable
1:44:49
future, it is at most
1:44:52
a very clever regurgitator. There's
1:44:54
a good piece I'd recommend people
1:44:57
to, by Stephen Wolfram, over
1:44:59
on Wolfram Alpha. It's
1:45:01
called, I think, how ChatGPT works.
1:45:03
And for the slightly mathematically inclined,
1:45:06
I think it'll be very interesting.
1:45:08
He talks about the initial kind
1:45:12
of first approximation of how it
1:45:14
works, which is basically auto correct
1:45:17
using weighted values to predict
1:45:19
the next word. It's a little more sophisticated than
1:45:21
that, but it's essentially predicting the next
1:45:23
chunk based on the statistical model.
1:45:25
And it's quite interesting. Highly
1:45:28
recommended. But, yeah, I mean,
1:45:30
it's not sentient at all. Obviously.
1:45:34
And it's too bad because a lot of the
1:45:36
press's focus was, especially with
1:45:38
the Bing Chat, just based on the
1:45:40
new GPT-4
1:45:43
model, they were,
1:45:45
you know, they were just needling it until it went
1:45:47
crazy, and they're going, you see? See,
1:45:52
and it did feel like, you know, if it says
1:45:54
I love you or I hate you, or,
1:45:57
you know, I won't hurt you unless you hurt me.
1:45:59
It sounds sentient. But
1:46:01
honestly, it really lost its marbles,
1:46:03
and Microsoft's response to that was, well, after five questions,
1:46:06
we're gonna reset. You can start over.
1:46:08
You can't needle it into the point of
1:46:10
insanity.
1:46:11
So Leo, I really do think
1:46:14
We should not give it the nuclear
1:46:16
launch codes. No. Probably not.
1:46:18
And I
1:46:21
think resetting it after five questions
1:46:24
Sounds like a good idea. Sensible. And I
1:46:26
hope that, you know, this
1:46:28
is a, like, maybe enough of a little bit
1:46:30
of a freaky yet
1:46:33
still benign wake up
1:46:35
call -- Right. -- that, you know, we're
1:46:37
not, in the
1:46:38
future, gonna give anything the nuclear
1:46:40
launch codes. I think it helps us
1:46:44
after the initial wave of wow,
1:46:47
understand a little bit
1:46:49
more about what this is.
1:46:51
It may pass the Turing test, but this is why
1:46:53
the Turing test was a bad idea to begin with. That
1:46:56
is not a measure of success really
1:46:59
in a general artificial
1:47:01
intelligence. We're still a long way
1:47:03
off from then. Yeah. But don't give it the nuclear
1:47:06
codes. There are
1:47:08
gonna be a lot of people who are gonna have long
1:47:10
conversations into the middle of the night
1:47:13
you
1:47:13
know, treating it like a therapist and a... There
1:47:15
are. And a beer and a beer and a beer and a beer. It's
1:47:18
like ELIZA. Yeah.
1:47:21
ELIZA was dopey, but this is surprisingly
1:47:23
good, at least for the first hour
1:47:26
or so. It
1:47:28
really starts to get wacky after a
1:47:30
while. Steve can
1:47:32
go two hours and speak coherently
1:47:34
by the end. It's amazing. He's
1:47:37
much better than ChatGPT.
1:47:40
Steve's website, GRC dot
1:47:42
com, is the host of many fine
1:47:44
things, including SpinRite, the world's
1:47:46
best mass storage recovery and maintenance
1:47:48
utility, currently six point o.
1:47:50
Six point one is on the way. You'll get it for free
1:47:52
if you buy now. That's Steve's
1:47:54
bread and butter. He offers a lot of other free stuff
1:47:57
there. Including ShieldsUP
1:47:59
and so forth, Password Haystacks,
1:48:02
lots of information. We talked the other day.
1:48:05
Somebody was talking about your
1:48:07
DNS benchmark program.
1:48:09
And what's the, InControl,
1:48:12
the Windows ten to
1:48:14
Windows eleven Steinier.
1:48:17
We were talking about that on Sunday on Ask the Tech
1:48:19
Guys. Lots of great stuff there. Including
1:48:21
this show, Steve has the
1:48:23
audio versions, but couple of interesting versions.
1:48:25
He has a sixteen kilobit audio
1:48:27
version. Sounds a little scratchy. Like
1:48:30
it was recorded in the eighteen nineties, but
1:48:32
it's the smallest audio version available. He
1:48:35
has a sixty four kilobit full version.
1:48:37
He also has a transcript. Which
1:48:39
he's commissioned from Elaine Farris
1:48:41
who not only shoes horses, but is
1:48:43
a darn fine court reporter. She
1:48:46
puts all the words in the right order. Miraculously
1:48:49
so and never complains about,
1:48:52
you know, wanting to kill us. So
1:48:55
those transcripts are good for searching or reading
1:48:57
along as you listen. Or get the
1:48:59
sixty four or sixteen kilobit audio at Steve's
1:49:01
site. We have sixty four kilobit audio
1:49:03
and video oddly enough
1:49:06
at our site, twit dot tv slash SN.
1:49:09
There's also video on the SecurityNow YouTube
1:49:11
channel. That's a fully dedicated YouTube channel.
1:49:13
That's probably the best way to send somebody
1:49:16
a snippet. I know for this show, especially a lot
1:49:18
of people say, oh, I gotta send that portion
1:49:20
off to my friend Joey, he was we were
1:49:22
talking about this or whatever. If you
1:49:24
do it on YouTube, it makes it very easy for anybody
1:49:26
even if they don't get the podcast to to hear
1:49:28
a little bit or see a little bit of the show.
1:49:31
You can watch us do it live as well.
1:49:33
All you have to do is tune in every Tuesday
1:49:36
around one thirty to two PM pacific.
1:49:38
That's four thirty to
1:48:41
seven
1:48:43
thirty Eastern, twenty
1:48:46
one thirty UTC. Live
1:49:49
dot TWiT dot tv is the live stream. Of course, you
1:49:51
can chat along with us in our IRC.
1:49:54
Yes. We still use IRC after all
1:49:57
these years. The IRC
1:49:59
channel is now almost thirty years old. I should
1:50:01
figure out when it was first started. It's the early
1:50:03
nineties. So we've been doing it for
1:50:05
thirty years. IRC was all was just a child
1:50:07
when we started. Now it's an older man.
1:50:10
IRC dot TWiT tv. A
1:50:12
little more modern, little more giffy
1:50:15
is the discord. If you're club member,
1:50:17
chat there, we're chatting along as we listen.
1:50:20
Get the get the programs after the fact,
1:50:23
that's fine too. And and then
1:50:25
you can comment. Steve's got some great
1:50:27
forums at GRC dot com, the
1:50:29
GRC forums. We have our own forums
1:50:31
at TWiT dot community. There's also a
1:50:33
Mastodon instance at Twit dot social.
1:50:35
Those are free and open to all supported by the
1:50:38
club members. Still free and open to all.
1:50:41
I guess that's pretty much everything you
1:50:43
never need to know about
1:50:45
security now. Except that we'll
1:50:47
be back next week and I hope you will too.
1:50:50
Bye, Steve. Thanks Leo.
1:50:52
See you next week. For the last
1:50:54
day of the
1:50:55
month, last day of February. That was
1:50:57
fast. Yeah. It was. If
1:51:00
you love all things Android, well, I've got
1:51:03
a show for you to check out. It's called all about
1:51:05
Android, and I'll give you three guesses what we
1:51:07
talk about. We talk about Android, the
1:51:09
latest news, hardware, apps.
1:51:11
We answer feedback. It's me, Jason
1:51:13
Howell, Ron Richards, Huyen Tue Dao,
1:51:15
and a whole cast of awesome
1:51:17
characters talking about the operating
1:51:19
system that we love. You can find All About
1:51:22
Android at TWiT dot tv slash AAA. Security
1:51:28
Now.