SWN #265 - Virtual Smells, Werfault, 2012, ChatGPT, Captcha, Rust Hyper, & Qualcomm

Released Friday, 6th January 2023

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
0:00

It's the security

0:02

weekly news episode two hundred

0:04

and sixty five. I'm Doug White,

0:06

and it's Friday on the

0:08

week of one January

0:10

twenty twenty three, so New Year's was feeling like

0:13

we got virtual smells, Werfault,

0:15

or I don't know how you say that. Server

0:17

twenty twelve, ChatGPT, Captcha,

0:20

rust hyper, Qualcomm, and more

0:22

on the security, weekly news. This

0:27

is security weekly. For security

0:29

professionals, by security professionals.

0:35

It's the show that keeps you up to date on the latest

0:38

security news twice a week, your trusted

0:40

source for security information and

0:42

expert analysis. It's time for security

0:44

weekly news. How does

0:46

your business stay one step ahead of cyber

0:49

criminals. Secure your email applications

0:51

network and data with Barracuda. Protect

0:54

your business and go from zero to security

0:56

in no time flat. Whether your team is working

0:58

in one location or many, Barracuda has

1:00

solutions that are easy to buy, deploy,

1:02

and use. Learn how Barracuda can protect

1:04

your business against ransomware, phishing, and

1:07

other cyber attacks. Visit security

1:09

weekly dot com forward slash barracuda.

1:11

That's securityweekly dot com

1:13

forward slash barracuda. Barracuda,

1:16

your journey security. Welcome

1:20

to the SecurityWeekly News, and here

1:22

we are. In a New Year,

1:24

in a happy New Year, and all that good stuff. Although I

1:26

said all that on Tuesday, so it's but it's still

1:28

happy New Year time. People keep saying that.

1:30

A recent study looked at

1:33

breaches which occurred from July

1:35

of twenty twenty one to July of twenty

1:37

twenty two and examined what the attackers were

1:39

primarily trying to do. And

1:41

forty two point seven percent of

1:43

the time in these studies they went

1:45

after the personal information, so

1:48

the PII. And that

1:50

seemed to be their main focus. According to the study

1:52

from Imperva, PII is the most

1:54

valuable information to steal since it can

1:56

be combined with this is interesting actually.

1:58

It can be combined with other info in the dark

2:00

web. To try to assemble a much fuller

2:03

representation of an individual. So

2:05

it's basically database. Right?

2:07

I mean, if you can get one piece of information

2:09

from the breach, And then that also

2:11

has some kind of common key like a credit

2:14

card number or an address or a ZIP code.

2:16

Even, you know, I mean, even very vague things

2:18

may work or an email address. Then

2:20

you can actually create a join, right,

2:22

just like in a relational database. You you

2:24

match that information up with the information

2:26

from another breach. And create

2:28

a join, and then you can fully exploit

2:30

the person for identity theft. The

2:33

simple fact is that there've been so many

2:35

breaches is the sad you

2:37

know, the sad part of this whole thing. Finance,

2:39

professional services, healthcare, and public

2:41

administration were the top four industries which

2:44

had recorded the most breaches during that

2:46

time period. So, you know, if

2:48

you haven't been breached yet, you probably will

2:50

be soon and probably in more than one way.

2:53

Windows problem reporting, which

2:55

is called Werfault dot EXE is

2:57

is a component of all the Windows systems,

2:59

and it's an error reporting tool that's

3:02

now being used to side

3:04

load malware. So and this was

3:06

actually pretty complex side loading

3:08

here. Basically, what

3:10

happened is, I mean, side loading is very stealthy.

3:12

Right? And it's really hard for antivirus to

3:14

detect side loaded kind of stuff. And

3:16

and normally in sideloading attacks, which

3:18

they also did here, you actually

3:20

put something into the path ahead

3:23

of this the something that's expected with

3:25

the same exact name, and then that something gets

3:27

loaded, usually a DLL. The campaign

3:29

was being reported by K7 Security Labs

3:32

and they said they did not know who the attackers

3:34

were, but they were very likely based

3:36

in China. Now, this

3:38

particular malware arrives

3:40

in a not so sophisticated way, but

3:42

as an email with an ISO attachment.

3:45

So, you know, don't click those anyway.

3:47

But the ISO, if you click it, it

3:49

mounts as a new drive letter, which has

3:52

dot EXE on it, and then a DLL

3:54

file called rep dot DLL, which

3:56

is loaded by Werfault EXE

3:58

is is also placed right there with it.

4:00

It also is an XLS file called file

4:03

dot XLS. There's a

4:05

shortcut file called inventory and

4:07

our specialties dot LNK.

4:09

So if you click that that shortcut

4:12

link, it actually executes all

4:14

this stuff. And because that

4:16

DLL file is right there,

4:18

then it's gonna get executed. So

4:21

once you start the link script runner

4:23

runs, executes Werfault dot EXE,

4:25

all completely legit. So the antivirus stuff

4:28

is going, well, this is a normal operation. But

4:30

then that DLL gets loaded because

4:33

it's closer. You

4:36

may well not get detected it's basically

4:38

just a path priority kind of problem,

4:40

but it is a pretty bad thing that that

4:42

you can do that. The malware

4:44

then runs puppy or I guess,

4:46

pup y. I don't know how you say it as PUPY.

4:49

Pupy remote access Trojan DLL.

4:51

I know that they know the tool, but I

4:53

don't know how you say it. And opens an

4:55

Excel spreadsheet on your screen as a decoy.

4:57

So while you're looking at this weird spreadsheet that

4:59

popped up, you know, it's running this access Trojan.

5:02

The Trojan, of course, allows people to have full

5:04

remote access to your system. So, yeah, loads

5:06

of fun. Microsoft announced

5:08

the end of mainstream support more

5:10

than four years ago. For Windows

5:12

Server twenty twelve. And, I mean, it is called Server

5:14

twenty twelve, you know, for a reason.

5:17

But they reminded all the customers, and I'm

5:19

reminding you again that you're that are still

5:21

using server twenty twelve and and

5:23

server twenty twelve R2

5:26

that extended support for all editions of the

5:28

product will end on

5:30

ten October twenty twenty three, sort

5:32

of. Customers were advised to

5:34

either upgrade to server twenty twenty two,

5:36

which I'm still in twenty nineteen. I haven't upgraded

5:38

to twenty twenty two yet. Migrate to

5:40

Azure, which is what they were recommending, that's

5:42

their cloud based or purchase an

5:44

extended service plan before the end date. So

5:46

they are gonna actually continue to support it,

5:48

I guess. I mean, that's what they do. Right? They

5:50

say that's ended, but then they offer to sell you an

5:52

extended service plan. After the

5:54

date, in October, you

5:56

will not get security updates, non

5:58

security updates, well, pretty much anything.

6:00

You can however purchase up to three

6:02

more years of extended updates, which

6:04

will last until October of twenty twenty

6:06

six. Azure virtual machine

6:08

provides three years of extended security updates

6:11

as well that I think is included with that subscription.

6:14

Server two thousand and eight R2

6:16

That's a classic. Their

6:19

extended service updates are actually

6:21

gonna reach end of support next week.

6:23

So if you're still using two thousand and eight,

6:26

you might wanna seriously consider maybe

6:28

an update or something because you're about

6:30

to actually run out of it even extended

6:32

security updates. As of next week.

6:36

The New York City Department of Education

6:38

has banned the use of ChatGPT

6:40

by students and teachers in

6:42

city schools. Saying they're concerned

6:44

about its use, hampering

6:47

learning and leading to misinformation. So

6:50

I think part of this was about

6:52

that they're really, really worried about

6:54

these these bots being, you know,

6:56

I I mean, part of this worry, of course, is plagiarism.

6:58

So they're they're worried about the fact

7:00

that students are gonna tell ChatGPT,

7:03

I need an essay. Write the essay for

7:05

me. And there I've already seen numerous

7:07

articles about, you know, beating ChatGPT,

7:09

requiring students to handwrite. And I'm like, you

7:11

don't think the students can then just copy the

7:13

thing. I mean, people are always gonna

7:15

cheat. But the ban is is

7:17

it will apply to all school

7:19

devices and all school Internet networks

7:21

in New York City. So personally, it's just

7:23

a waste of time. Because students and

7:25

teachers will still be able to use ChatGPT

7:27

on their personal devices. So

7:29

if they're cheating with it, then they're just

7:31

gonna use it anyway. I'm

7:33

really not sure what the point of the ban is, but,

7:35

I mean, I guess it makes them feel better. I

7:37

get that everybody's afraid that their kids are

7:39

gonna use ChatGPT to write their essay

7:41

on Melville. And honestly, it

7:43

is sort of good at this kind of thing. But

7:45

then again, maybe not. But but,

7:47

you know, cheaters are gonna cheat. So that

7:50

part, I think, is just a moot point. I mean, I

7:52

mean, people have been cheating since, you know,

7:54

somebody cheated in Socrates class

7:56

by writing the answers on their leg or

7:58

whatever. You know, but,

8:00

I mean, I remember people fighting to get

8:02

to the encyclopedia first when you got

8:04

that assignment in a class in, like,

8:06

middle school. We didn't have the Internet

8:08

mind you. And, you know, you ran down there to the

8:10

encyclopedia Britannica and the first

8:12

person who got there copied the article

8:14

word for word out of the encyclopedia Britannica

8:16

everybody else had to come up with something different so

8:18

they didn't get accused of copying off the first

8:20

person. You know, because there's there are

8:22

a little essay on Martin Luther

8:25

you know, is is gonna be, like, word

8:27

for word out of encyclopedia Britannica.

8:29

And I guess the teachers never went and looked to see

8:31

if it was word for word. But when you use

8:33

ridiculous ancient language like duffed

8:35

his hat or whatever, you know, the teachers are

8:37

going, that's weird. You use very archaic

8:39

language But it is ridiculous

8:41

and sad, I think, to see these kinds of

8:43

bans because I just don't know where that

8:45

goes. But You

8:47

can't use ChatGPT on your school

8:50

issued stuff, but everybody's got a phone.

8:52

So the only people who won't be able to

8:54

access it are people without personal devices.

8:56

And, I mean, I don't know. I mean, I

8:58

if I catch people plagiarizing, I fail them.

9:00

I mean, that's just what I do. And I actually try

9:02

to catch them. And when they copy stuff off

9:04

the Internet, don't cite their sources, I fail them in

9:06

the class, and and it's right there in the syllabus.

9:09

I mean, I guess the ban though,

9:11

primarily, they said was focused on inaccurate

9:13

and misleading information that the

9:15

chatbot does often provide, because there's

9:17

no guarantee that the chatbot is actually

9:19

telling you the truth. You say, give

9:21

me an essay on Herman Melville, you

9:23

know, with five hundred words and it will

9:25

produce something. But is

9:27

it accurate? You know, who knows? And how long will

9:29

it be before it goes racist anyway?

9:31

I mean, you know, that seems to be sort

9:33

of a a progression of these things.

9:36

If you're copying that word for word, you may get

9:38

into jail. A South

9:40

African group, not Die Antwoord,

9:43

who's a very cool South African group.

9:45

But a new South African group called Automated

9:47

Libra is using Captcha Solving

9:49

System to allow them to create accounts

9:51

according to Palo Alto Networks. I

9:53

I really hope they can help me. I'm I'm looking for a

9:55

tool because I I always get the Captcha which

9:57

says something like, choose all the squares

9:59

that contain feeble users

10:02

and I keep clicking on all of them so much that

10:04

my mouse button is just covered in blood, but

10:06

no, I'm not bitter. But anyway,

10:08

the group is focusing on continuous

10:10

integration and deployment service providers like GitHub,

10:12

Heroku, Buddy Works, Toggle

10:14

Box, and those to set up new

10:16

accounts very quickly on the platform

10:18

so they can run Crypto miners in

10:21

containers. Now according to the story, what

10:23

it was really interesting what they were doing.

10:25

They use ImageMagick, to convert

10:28

image images into their

10:30

RGB equivalents. So this is a feature

10:32

of ImageMagick. And then they

10:34

use the ImageMagick identify

10:36

tool to extract the

10:38

red channel skewness for

10:40

each image. So this is some

10:42

component of that, I guess. The value

10:45

from the identify tool is then used

10:47

to rank the images in ascending

10:49

order and they select the top

10:51

one which apparently is usually the answer.

10:53

So I I guess these are Captcha that

10:55

you just select one square, not the ones I

10:57

keep getting where they say choose everything

10:59

in here that looks like Mickey Rooney.

11:01

And I can't decide if if the

11:03

pumpkin is supposed to look like Mickey

11:05

Rooney or it is Mickey. I mean, you just

11:07

can't tell. But, anyway, they're they've been creating

11:09

hundreds of thousands of accounts on these

11:11

services using these automated tools. So

11:13

now Captcha is gonna have to get even more

11:15

difficult. Right? I mean, I don't know

11:17

what exactly constitutes a bus in

11:19

their ideas, and I do want to know

11:21

because I keep screwing that one up where it's like

11:23

choose everything that's a bus. And I'm like,

11:25

well, is that VW a

11:27

bus or is it not a bus? What

11:29

do you mean by bus? You mean like a city

11:31

bus? A Trailways bus? A Greyhound?

11:33

A yellowhound? I don't know.

11:35

Tell me, give me some

11:37

guidance here. Well, Rust

11:40

Hyper has some problems in in

11:42

a in a very popular library.

11:44

Hyper if you've not used that handled

11:46

HTTP request in Rust

11:48

and other languages as well.

11:50

JFrog found that projects which use the

11:52

library like Axum, Salvo, and

11:54

Conduit Hyper were all

11:56

susceptible to denial service

11:58

attacks which resulted from HTTP

12:00

request taking advantage. Now

12:02

Axum, Salvo, and Conduit Hyper said

12:04

they have all fixed their codes.

12:07

Or I'll fix their code, but there is

12:09

some number of the two

12:11

hundred the two thousand five hundred and seventy nine

12:13

projects listed in the rust

12:15

package repository, crates dot I o, which

12:17

depend on high on the hyper.

12:20

And they have been downloaded white for

12:22

this one more than sixty

12:24

seven million times. So,

12:26

what happens is there's a function in

12:28

this hyper library called to

12:30

bytes, to underscore bytes, which

12:32

is a mechanism, which copies

12:35

request or response into a bytes

12:37

buffer. So this is a programming

12:39

thing where you set up a buffer of

12:41

bytes. And you can size

12:43

this according to how much bytes

12:45

you wanna set up. Right? So you the buffer can

12:47

be bigger or smaller depending on what you

12:49

wanna do. But if the header size

12:51

limits are not set, then

12:53

the function can actually create a vector

12:56

that, you know, is not the correct

12:58

size. So they can actually

13:00

make it oversized and make it so large

13:02

that it actually crashes the whole operation,

13:04

which effectively caused it in all

13:06

the service. So if you are using this

13:08

library or using tools that use this

13:10

library, you may want to investigate

13:13

has this been patched or not because they are

13:15

apparently actively exploiting it. I

13:17

mean, it just caused a denial of service, but,

13:19

you know, that's not always great if you're

13:21

a business. Well,

13:24

Rackspace blamed ransomware

13:26

attacks on a zero day. So

13:28

they confirmed that the Play ransomware

13:30

gang, which is a relatively new one, was

13:32

behind the attack on rent on Rackspace

13:34

last month. And they have now said

13:36

they will not bring back

13:38

hosted Microsoft Exchange email service. You

13:40

remember this is a huge deal where all these

13:42

people who were using Rackspace for Microsoft hosted

13:45

exchange email, lost all their email.

13:47

They lost their servers or being advised to

13:49

switch to something else, like, you know, three sixty

13:51

five or whatever. But

13:53

it is continuing. They said they were gonna

13:55

continue trying to recover all the customer

13:57

email data, which was lost in this

13:59

attack on December second. They

14:02

indicated that more than half the customers

14:04

who lost their hosted email service

14:06

now have some or all of

14:08

their data available to them for download. But they

14:10

also said a very small number of people that actually

14:12

downloaded this data, so they probably have their

14:14

own backups and so forth. Nearly

14:16

thirty thousand customers were on

14:18

this hosted exchange email environment when the

14:20

attack occurred. The company

14:22

blamed Play

14:24

for the intrusion and said they used

14:26

a previously unknown exploit

14:28

to break into the environment. Now

14:30

when I read this, it was a little bit complicated

14:32

to me. It sounds

14:34

more like it wasn't an unknown exploit

14:36

as much as it was a an

14:38

exploit that was not known to do

14:40

what what happened here. CrowdStrike

14:42

was, you know, involved in this and

14:44

was doing all the analysis and said

14:46

they discovered this new exploit while

14:49

investigating the attack. But they said

14:51

the the attack was a combination

14:53

of some ProxyNotShell

14:55

exploits, which have been around for a while, that had been and

14:57

they had been patched. But that another

14:59

exploit, which was not part of ProxyNotShell,

15:01

and had not been

15:03

documented as a remote code

15:05

execution bug, was actually used. It was it was

15:07

documented as a privileged execution

15:09

bug. But no but when it was

15:11

combined with these other ProxyNotShell

15:13

components, that

15:15

actually created a remote execution

15:17

bug and as such a whole new attack

15:19

vector and pretty much put Rackspace

15:21

out of the, you know, Microsoft Exchange email

15:23

business. So That's that's a pretty big

15:25

deal. And for a lot of people, this being a

15:27

huge change late in the year, so they had to

15:29

actually deal with it. More

15:32

than two hundred million,

15:35

two million with an m, Twitter,

15:37

user information is now publicly

15:39

available to download for free. This

15:41

new data dump contains account

15:44

names, handles creation

15:46

date, follower counts, and email addresses

15:48

And it is the same data that was actually leaked

15:50

last month, which had more than four hundred

15:52

million Twitter accounts in it. But apparently,

15:54

they cleaned it up. The halving of it was

15:56

a result of the according to this

15:58

article, the removal of duplicates in

16:00

the dataset. So and

16:02

that was done by Privacy Affairs.

16:04

The leaked data does not not

16:07

include phone numbers, physical addresses,

16:09

or passwords, but it does

16:11

enable a lot of social engineering and doxing

16:13

type activities. The records

16:15

are apparently acquired from Twitter in twenty

16:17

twenty one via a security flaw that

16:19

Twitter says has been fixed.

16:21

So I guess we'll see. I mean, they

16:23

they continue to seem to lose this stuff. And,

16:25

you know, I I don't think they got anything

16:27

on me that's not already been got a dozen

16:29

other ways. But like I said earlier,

16:31

they are using these kind of data

16:33

dumps to combine that with other, you

16:35

know, data dumps online and

16:37

see if they can match things up by email

16:40

or by, you know, your your

16:42

handle or whatever. So be careful,

16:44

and they also do the course for social engineering.

16:47

Well, for this week, throughout the week, I'll

16:49

talk about supply chain again. I

16:51

mean, I don't even know how many times since we've

16:53

been doing this show that I've had supply chain

16:55

down is my thread of the week. But but, you

16:57

know, it's a huge threat. And and right in

16:59

front of my eyes, when I pull up stories

17:01

this week, where two significant

17:03

supply chain threat kind of issues which makes many

17:05

these things are actually out there lurking

17:07

that we don't even know about yet, and how

17:09

many are that we don't realize

17:11

that we have these kind of

17:13

vulnerabilities. I mean, you know, and by we, I

17:15

mean, there's some thirteen year old kid named Anna

17:17

who was poking around at a UEFI stack and

17:19

figured out a bug. So when you go, Anna, you you

17:21

you keep this up. But but first

17:23

of all, I think the story I was reading that made me start thinking

17:25

about this again was Qualcomm. And

17:28

Qualcomm is a major

17:30

manufacturer of firmware chipsets, and they've been around

17:32

a long I mean, as long as I can

17:34

remember building computers, I remember Qualcomm

17:36

chipsets and things like that. And,

17:38

you know, anybody there who's been involved in

17:40

building computers or working on computers or building your

17:42

own equipment and so forth are familiar with the

17:45

idea of firmware. And I mean, most people

17:47

that are building computers don't

17:49

usually spend a lot of time worrying about firmware. They

17:51

just sort of buy a motherboard they like that will

17:53

that will do what they want and they hope the firmware

17:55

is is, of course, compliant.

17:57

Well, Qualcomm has always

18:00

manufactured chipset, and this particular

18:03

article is about the Snapdragon chipset.

18:05

And so the Snapdragon chipset was

18:07

a piece of firmware that is

18:09

used in a wide variety of applications.

18:12

And in January, they released so just just recently, because

18:14

January just got started. Right? They released

18:16

a security bulletin that

18:18

listed twenty two separate

18:21

software issues related to the Snapdragon

18:24

chipset. There were bugs

18:26

in automotive components of this, power

18:28

line communication firmware tools,

18:31

and anywhere this chipset gets implemented.

18:34

So it could end up being in a thermostat.

18:36

It may end up being in a blast furnace at

18:38

a factory. It may be in

18:40

your car, it may be wherever. But

18:42

in this case, it's in some power line

18:44

communication components, which always scary.

18:46

And it's in some sort of automotive system. They had a picture

18:48

in the article of something called Snapdragon

18:51

Ride platform RideVision. Which

18:54

looked like it controlled maybe cameras

18:56

in a car because they were that's what they

18:58

were showing. But

19:00

apparently, this this platform was gonna be released

19:02

for motor vehicles starting in twenty twenty four, so it's

19:04

not even out yet. They're finding all these problems with

19:07

it. All these vulnerabilities were rated

19:09

high or severe. So it's

19:11

not just that weird esoteric stuff. It's

19:13

things that could actually result in massive

19:15

compromise. So I really think these have the potential

19:17

to have a significant impact because they're

19:19

so pervasive and sneaky and and they're underneath everything. And

19:22

we don't necessarily know what chipset is

19:24

running all the stuff around us. I mean, I don't know

19:26

what chipset's running that, you

19:28

know, the sound board or these these

19:30

cameras or whatever. So even

19:32

if the impact's only economic, you

19:34

know, I mean, if you have a chipset that's used in

19:36

a blast furnace and some of us have certainly

19:38

been in this kind of scenario where you go

19:40

to the owners of the steel mill and you

19:42

say that chipset is this, this,

19:44

this, and it needs to

19:46

be updated and it could have an impact all the

19:48

way from the bottom of the of the

19:50

stack all the way up to, like, say,

19:52

a GUI. That runs this the

19:54

blast furnace. And, you

19:56

know, so you maybe

19:58

can make that change quickly. Maybe it's something that

20:00

you just literally plug something in and do

20:02

an update. It's not usually that simple

20:04

with things like blast furnaces because you

20:06

don't know the impact, so maybe you

20:08

can't just update it. And maybe

20:10

somebody like me comes out and says, well, you

20:12

need to update your equipment because you've got a

20:14

huge vulnerability here. And

20:16

they say, well, we we've done

20:18

some testing in the next off

20:20

cycle of the blast furnaces in

20:22

two years. And you're like, what? Yeah.

20:24

We don't shut down. We run three shifts a day.

20:26

And and, you know, two years from now, we do an update

20:28

when that's when we'll do the patches. So,

20:30

you know right. Sure. And,

20:32

you know, and if it is even just like a PC

20:34

and you go in and flash it,

20:36

think about that. I mean, in the modern age,

20:38

it's still a big deal. If the power fails

20:41

during that update, you can brick the thing and and on

20:43

and on and on. So you can't

20:45

necessarily just do that, and you can't necessarily

20:47

just do that to every sort of equipment that

20:49

exists around. And, I mean, on an

20:51

airplane, you can't just jump on the plane

20:53

and say, here I got a a USB stick. I'm gonna

20:55

update your firmware. You have to get

20:57

the FAA to approve it. The airline has to test it. They have to

20:59

make sure it's not gonna impact all this other equipment.

21:01

And you're gonna have to probably take

21:03

a plane out of service for a couple of days, and we all know how much fun that

21:06

is with air travel. So you update

21:08

the chipset, maybe the operating system

21:10

doesn't load anymore, maybe the operating system

21:12

needs to be reinstalled. You know, all those

21:14

fun things that we've all been through when we

21:16

did firmware updates at at least in the I haven't

21:18

had much trouble with them recently, but in the

21:20

old days, or, you know, it's just like

21:22

there's a a component in the system that

21:24

just seems to have a curse on it. You

21:26

know, that sound card never works again

21:28

because you patch the firmware. So, you

21:30

know, these things are very serious,

21:32

very severe, very dangerous and

21:34

scary issues. And, you know, this is just

21:36

one of the stories that came out

21:38

this week. That's a complete supply chain nightmare.

21:40

I mean, if that update causes

21:42

that robotic arm that that feeds the

21:44

furnace to fail and go

21:47

crazy, It's not rebooting, and that's how

21:49

you get Skynet. Right? So the second

21:51

story that we had that this week about

21:54

it was I did on Tuesday. So if you

21:56

wanna check it out, you can find the link on the Tuesday

21:58

show. But it was about PyTorch.

22:00

And PyTorch is a library in Python

22:02

that you install with pip

22:04

or I think you can install it manually. I I I think I

22:06

installed it manually once because I was trying to use

22:08

PyTorch and I couldn't get it to work somehow with

22:11

pip. But it's used for machine learning and writing your own chatbots,

22:13

which is what I was fooling with. And, you know, all

22:15

kinds of fun stuff. And, you know, I

22:17

played with the chat, And

22:19

like most things, it had some dependencies. And like

22:21

most everything else, when you install it, you're just wanting

22:23

to get busy writing your code and setting

22:25

up your chatbot. So you install the

22:27

library dependencies that it has, and those libraries have other

22:30

dependencies. And, you know, next thing, you know, you

22:32

spend all day installing dependencies, and this

22:34

needs this, and this needs that, you put

22:36

another piece of software in, you downloaded this

22:38

tool and on and on and on and on and, you

22:40

know, it turns into that horrible. I was just

22:42

gonna install this and then get something

22:44

done. And now two days later, I'm still sitting here

22:46

trying to figure out what these dependencies actually

22:48

mean. But regardless of that, it's a huge

22:50

issue because PyTorch had a

22:52

dependency library called Torch Triton. Either

22:54

that or was Triton torch. I think it was Triton.

22:56

But it's a dependency that most people are

22:58

just gonna, so, yes, install all the dependencies.

23:01

And when you did that, that secondary

23:03

library had been injected with

23:05

malware. And, you know,

23:07

and and these dependencies may not come from

23:09

IBM engineering. I mean,

23:11

this is some guy named Sid posted this

23:13

somewhere on PyPI, and it was in a

23:15

GitHub. And then they used that in

23:17

another GitHub. And Sid used two other

23:19

libraries that some guy named Bernie wrote back

23:21

seven years ago, and he, you know, had his

23:23

own problems. And all this stuff just kinda

23:25

flows into one big horrible

23:28

seething, oozing, greasy

23:31

lump. And all that

23:33

combined with firmware and such

23:35

starts to get really, really scary

23:37

to me. So I think based on all these stories

23:39

that we see every week, and and I mean,

23:41

literally, I could put up a story about supply

23:43

chain issues, you know, every week, maybe every

23:45

day of every week, whether you're going back

23:47

to SolarWinds or all these

23:49

UEFI issues we see all the time that Paul likes to

23:51

talk about. I think we

23:53

and by we, I mean, the

23:55

security industry, are gonna have to start

23:57

working to build better assessment models,

23:59

not just of of tools, but of the whole

24:01

supply chain related to those tools.

24:03

A lot of organizations can't even seem to tell you

24:06

where that twenty six twenty one router is physically

24:08

located. I've had that many times, you know, where is this

24:10

router? They're like, oh, no. Somewhere in

24:12

the building. I mean, that worries me. Right? Because when an

24:14

announcement's made that a Qualcomm chipset

24:16

has a vulnerability, I wonder how

24:18

many companies you could walk into this morning

24:20

as an auditor and

24:22

say, do you have any Qualcomm

24:24

Snapdragon chipsets? And they're

24:26

gonna look at you like you're crazy.

24:28

And if they do have them and I even know they

24:30

have them, how do they patch this?

24:32

And the answer is it's gonna be a problem. So I

24:34

think in the end, we're gonna have to do a

24:36

better job of pressing really

24:38

hard to get these kind of understandings in place. I mean, I've been

24:40

saying that for years about physical topology

24:42

and virtual topology. So, you know, companies should

24:44

know what they've got and where it

24:46

is and what it is and what version it is and there are

24:48

tools to help with that. Well, we're gonna have to

24:50

get even bigger picture on this because, you

24:52

know, things like the software bill of materials

24:55

don't really solve this. I mean, they they they start to

24:57

lean that way, but they don't really

24:59

solve it. Right? I mean so we're

25:01

gonna have to get on this by

25:03

the way, as you do your startup for this, you know, send me some free shares. Thank

25:05

you very much, just for that idea. And

25:08

and when you when you sell it for thirty

25:10

billion dollars, you

25:12

know, remember your

25:14

friends here on security weekly.

25:16

Right? And finally,

25:18

a Vermont based startup is looking

25:21

to this this is

25:23

killing me. They're looking to

25:25

add something called OVR

25:27

technology to virtual worlds.

25:30

They basically want you to use their

25:32

add on to your VR headset, which

25:34

contains and wait for

25:36

it, odor filled

25:39

cartridge. Which pairs up with gaming system

25:41

via Bluetooth. So

25:43

I the test bed they were demonstrating

25:45

had things like rose fresh

25:48

roses, grass. Yeah.

25:50

Right. You know where this is

25:52

going. Right? I mean, I I guess that would

25:54

in some way enhance the experience

25:56

if you know, there was you walk past a bakery on Prince Street in

25:58

Boston and it smells like fresh bread. I

26:00

mean, okay. I mean, I I mean, I've had that

26:02

experience and it's pretty nice.

26:04

You know, is there gonna be, like, a virtual

26:07

subway where they dump hobo B.O.

26:09

on you? Or you have to buy really

26:11

good tickets to the virtual concert?

26:13

Or you'll unfortunately have to stand really close to the portable

26:16

toilets. You know, so you get the full sensory

26:18

experience of urine vomit

26:20

and portable toilet odor, whatever you

26:22

wanna call that. I mean, I even

26:24

was thinking you can add a skunking type

26:27

attack in video games. Right? You know, like some

26:29

horrible odor that like blast

26:31

you right at the creaky moment when you're trying to

26:33

press all the buttons in the right sequence and

26:35

you're gagging because it smells

26:37

so bad. Like, I'm

26:39

thinking, like, a big pile of rotting

26:41

diapers on a hot summer day,

26:43

you know, blast you right in the face

26:45

right as you're getting ready to try to do

26:47

that thing. Smellovision. Here

26:49

we come. And that's the news. We'll

26:51

see you next week on the security

26:54

weekly. Huge.
