Episode Transcript
0:00
It's the Security Weekly News, episode 265. I'm Doug White, and it's Friday on the week of 1 January 2023, so New Year's was feeling like we got virtual smells, WerFault, or I don't know how you say that, Server 2012, ChatGPT, CAPTCHA, Rust Hyper, Qualcomm, and more on the Security Weekly News.

0:22
This is Security Weekly. For security professionals, by security professionals. It's the show that keeps you up to date on the latest security news twice a week, your trusted source for security information and expert analysis. It's time for Security Weekly News.

0:44
How does your business stay one step ahead of cyber criminals? Secure your email, applications, network, and data with Barracuda. Protect your business and go from zero to security in no time flat. Whether your team is working in one location or many, Barracuda has solutions that are easy to buy, deploy, and use. Learn how Barracuda can protect your business against ransomware, phishing, and other cyber attacks. Visit securityweekly.com/barracuda. That's securityweekly.com/barracuda. Barracuda, your journey, secured.

1:16
Welcome to the Security Weekly News, and here we are in a new year, and a happy New Year and all that good stuff. Although I said all that on Tuesday, but it's still happy New Year time. People keep saying that.
1:30
A recent study looked at breaches which occurred from July of 2021 to July of 2022 and examined what the attackers were primarily trying to do. And 42.7 percent of the time in these studies they went after the personal information, so the PII. And that seemed to be their main focus. According to the study from Imperva, PII is the most valuable information to steal since it can be combined with, this is interesting actually, it can be combined with other info on the dark web to try to assemble a much fuller representation of an individual. So it's basically a database, right? I mean, if you can get one piece of information from the breach, and then that also has some kind of common key like a credit card number or an address or a ZIP code, even, you know, I mean, even very vague things may work, or an email address, then you can actually create a join, right, just like in a relational database. You match that information up with the information from another breach and create a join, and then you can fully exploit the person for identity theft. The simple fact is that there've been so many breaches is the sad, you know, the sad part of this whole thing. Finance, professional services, healthcare, and public administration were the top four industries which had recorded the most breaches during that time period. So, you know, if you haven't been breached yet, you probably will be soon, and probably in more than one way.
2:53
Windows Problem Reporting, which is called WerFault.exe, is a component of all the Windows systems, and it's an error reporting tool that's now being used to sideload malware. And this was actually pretty complex sideloading here. Basically, what happened is, I mean, sideloading is very stealthy, right? And it's really hard for antivirus to detect sideloaded kind of stuff. And normally in sideloading attacks, which they also did here, you actually put something into the path ahead of the something that's expected, with the same exact name, and then that something gets loaded, usually a DLL. The campaign was being reported by K7 Security Labs, and they said they did not know who the attackers were, but they were very likely based in China.

3:36
Now, this particular malware arrives in a not so sophisticated way, as an email with an ISO attachment. So, you know, don't click those anyway. But the ISO, if you click it, mounts as a new drive letter, which has WerFault.exe on it, and then a DLL file called rep.dll, which is loaded by WerFault.exe, is also placed right there with it. It also has an XLS file called file.xls. There's a shortcut file called "inventory and our specialties.lnk". So if you click that shortcut link, it actually executes all this stuff. And because that DLL file is right there, then it's gonna get executed. So once you start the link, the script runner runs, executes WerFault.exe, all completely legit. So the antivirus stuff is going, well, this is a normal operation. But then that DLL gets loaded because it's closer. You may well not get detected. It's basically just a path priority kind of problem, but it is a pretty bad thing that you can do that. The malware then runs Pupy, or I guess Pup-Y, I don't know how you say it, it's P-U-P-Y, the Pupy remote access trojan DLL. I know that they know the tool, but I don't know how you say it. And it opens an Excel spreadsheet on your screen as a decoy. So while you're looking at this weird spreadsheet that popped up, you know, it's running this remote access trojan. The trojan, of course, allows people to have full remote access to your system. So, yeah, loads of fun.

5:06
Microsoft announced the end of mainstream support more than four years ago for Windows Server 2012. And, I mean, it is called Server 2012, you know, for a reason. But they reminded all the customers, and I'm reminding you again, that are still using Server 2012 and Server 2012 R2 that extended support for all editions of the product will end on 10 October 2023, sort of. Customers were advised to either upgrade to Server 2022, which, I'm still on 2019, I haven't upgraded to 2022 yet, migrate to Azure, which is what they were recommending, that's their cloud-based, or purchase an extended service plan before the end date. So they are gonna actually continue to support it, I guess. I mean, that's what they do, right? They say that's ended, but then they offer to sell you an extended service plan. After the date in October, you will not get security updates, non-security updates, well, pretty much anything. You can, however, purchase up to three more years of extended updates, which will last until October of 2026. Azure virtual machines provide three years of extended security updates as well, that I think is included with that subscription. Server 2008 R2, that's a classic. Their extended service updates are actually gonna reach end of support next week. So if you're still using 2008, you might wanna seriously consider maybe an update or something, because you're about to actually run out of even extended security updates as of next week.
6:36
The New York City Department of Education has banned the use of GPT by students and teachers in city schools, saying they're concerned about its use hampering learning and leading to misinformation. So I think part of this was about, they're really, really worried about these bots being, you know, I mean, part of this worry, of course, is plagiarism. So they're worried about the fact that students are gonna tell GPT, I need an essay, write the essay for me. And I've already seen numerous articles about, you know, beating ChatGPT, requiring students to handwrite. And I'm like, you don't think the students can then just copy the thing? I mean, people are always gonna cheat. But the ban is, it will apply to all school devices and all school Internet networks in New York City. So personally, it's just a waste of time, because students and teachers will still be able to use ChatGPT on their personal devices. So if they're cheating with it, then they're just gonna use it anyway. I'm really not sure what the point of the ban is, but, I mean, I guess it makes them feel better. I get that everybody's afraid that their kids are gonna use ChatGPT to write their essay on Melville. And honestly, it is sort of good at this kind of thing. But then again, maybe not. But, you know, cheaters are gonna cheat. So that part, I think, is just a moot point. I mean, people have been cheating since, you know, somebody cheated in Socrates' class by writing the answers on their leg or whatever. You know, but, I mean, I remember people fighting to get to the encyclopedia first when you got that assignment in a class in, like, middle school. We didn't have the Internet, mind you. And, you know, you ran down there to the Encyclopaedia Britannica, and the first person who got there copied the article word for word out of the Encyclopaedia Britannica. Everybody else had to come up with something different so they didn't get accused of copying off the first person. You know, because there's a little essay on Martin Luther, you know, that is gonna be, like, word for word out of Encyclopaedia Britannica. And I guess the teachers never went and looked to see if it was word for word. But when you use ridiculous ancient language like "doffed his hat" or whatever, you know, the teachers are going, that's weird, you use very archaic language. But it is ridiculous and sad, I think, to see these kinds of bans, because I just don't know where that goes. But you can't use ChatGPT on your school-issued stuff, but everybody's got a phone. So the only people who won't be able to access it are people without personal devices. And, I mean, I don't know. I mean, if I catch people plagiarizing, I fail them. I mean, that's just what I do. And I actually try to catch them. And when they copy stuff off the Internet and don't cite their sources, I fail them in the class, and it's right there in the syllabus.

9:09
I mean, I guess the ban, though, primarily, they said, was focused on inaccurate and misleading information that the chatbot does often provide, because there's no guarantee that the chatbot is actually telling you the truth. You say, give me an essay on Herman Melville, you know, with five hundred words, and it will produce something. But is it accurate? You know, who knows? And how long will it be before it goes racist anyway? I mean, you know, that seems to be sort of a progression of these things. If you're copying that word for word, you may get
into jail.

9:38
A South African group, not Die Antwoord, who's a very cool South African group, but a new South African group called Automated Libra is using a CAPTCHA-solving system to allow them to create accounts, according to Palo Alto Networks. I really hope they can help me. I'm looking for a tool, because I always get the CAPTCHA which says something like, choose all the squares that contain feeble users, and I keep clicking on all of them so much that my mouse button is just covered in blood, but no, I'm not bitter. But anyway, the group is focusing on continuous integration and deployment service providers like GitHub, Heroku, Buddy.Works, Togglebox, and those, to set up new accounts very quickly on the platform so they can run crypto miners in containers. Now, according to the story, what they were doing was really interesting. They use ImageMagick to convert images into their RGB equivalents. So this is a feature of ImageMagick. And then they use the ImageMagick identify tool to extract the red channel skewness for each image. So this is some component of that, I guess. The value from the identify tool is then used to rank the images in ascending order, and they select the top one, which apparently is usually the answer. So I guess these are CAPTCHAs where you just select one square, not the ones I keep getting where they say choose everything in here that looks like Mickey Rooney. And I can't decide if the pumpkin is supposed to look like Mickey Rooney or it is Mickey. I mean, you just can't tell. But, anyway, they've been creating hundreds of thousands of accounts on these services using these automated tools. So now CAPTCHA is gonna have to get even more difficult, right? I mean, I don't know what exactly constitutes a bus in their ideas, and I do want to know, because I keep screwing that one up where it's like choose everything that's a bus. And I'm like, well, is that VW a bus or is it not a bus? What do you mean by bus? You mean like a city bus? A Trailways bus? A Greyhound? A Yellowhound? I don't know. Tell me, give me some
guidance here.

11:37
Well, Rust Hyper has some problems in a very popular library. Hyper, if you've not used it, handles HTTP requests in Rust and other languages as well. JFrog found that projects which use the library, like Axum, Salvo, and conduit-hyper, were all susceptible to denial of service attacks which resulted from HTTP requests taking advantage. Now, Axum, Salvo, and conduit-hyper said they have all fixed their code, or will fix their code, but there is some number of the 2,579 projects listed in the Rust package repository, crates.io, which depend on Hyper. And they have been downloaded, wait for this one, more than 67 million times. So, what happens is there's a function in this Hyper library called to_bytes, which is a mechanism which copies a request or response into a bytes buffer. So this is a programming thing where you set up a buffer of bytes, and you can size this according to how many bytes you wanna set up, right? So the buffer can be bigger or smaller depending on what you wanna do. But if the header size limits are not set, then the function can actually create a vector that, you know, is not the correct size. So they can actually make it oversized and make it so large that it actually crashes the whole operation, which effectively causes a denial of service. So if you are using this library or using tools that use this library, you may want to investigate, has this been patched or not, because they are apparently actively exploiting it. I mean, it just causes a denial of service, but, you know, that's not always great if you're
a business.

13:21
Well, Rackspace blamed ransomware attacks on a zero-day. So they confirmed that the Play ransomware gang, which is a relatively new one, was behind the attack on Rackspace last month. And they have now said they will not bring back hosted Microsoft Exchange email service. You remember, this is a huge deal where all these people who were using Rackspace for Microsoft hosted Exchange email lost all their email. They lost their servers and are being advised to switch to something else, like, you know, 365 or whatever. But it is continuing. They said they were gonna continue trying to recover all the customer email data which was lost in this attack on December second. They indicated that more than half the customers who lost their hosted email service now have some or all of their data available to them for download. But they also said a very small number of people have actually downloaded this data, so they probably have their own backups and so forth. Nearly 30,000 customers were on this hosted Exchange email environment when the attack occurred. The company blamed Play for the intrusion and said they used a previously unknown exploit to break into the environment. Now, when I read this, it was a little bit complicated to me. It sounds more like it wasn't an unknown exploit as much as it was an exploit that was not known to do what happened here. CrowdStrike was, you know, involved in this and was doing all the analysis and said they discovered this new exploit while investigating the attack. But they said the attack was a combination of some ProxyNotShell exploits, which have been around for a while, and they had been patched, but that another exploit, which was not part of ProxyNotShell and had not been documented as a remote code execution bug, was actually used. It was documented as a privileged execution bug. But when it was combined with these other ProxyNotShell components, that actually created a remote execution bug, and as such a whole new attack vector, and pretty much put Rackspace out of the, you know, Microsoft Exchange email business. So that's a pretty big deal. And for a lot of people, this being a huge change late in the year, so they had to
actually deal with it.

15:29
More than two hundred million, two million with an M, Twitter user information is now publicly available to download for free. This new data dump contains account names, handles, creation date, follower counts, and email addresses. And it is the same data that was actually leaked last month, which had more than 400 million Twitter accounts in it. But apparently, they cleaned it up. The halving of it was a result of, according to this article, the removal of duplicates in the dataset. And that was done by Privacy Affairs. The leaked data does not include phone numbers, physical addresses, or passwords, but it does enable a lot of social engineering and doxxing-type activities. The records were apparently acquired from Twitter in 2021 via a security flaw that Twitter says has been fixed. So I guess we'll see. I mean, they continue to seem to lose this stuff. And, you know, I don't think they got anything on me that's not already been got a dozen other ways. But like I said earlier, they are using these kinds of data dumps to combine them with other, you know, data dumps online and see if they can match things up by email or by, you know, your handle or whatever. So be careful, and they also use them, of course, for social engineering.
16:47
Well, for this week, throughout the week, I'll talk about supply chain again. I mean, I don't even know how many times since we've been doing this show that I've had supply chain down as my threat of the week. But, you know, it's a huge threat. And right in front of my eyes, when I pull up stories this week, were two significant supply chain threat kind of issues, which makes me wonder how many of these things are actually out there lurking that we don't even know about yet, and how many are there that we don't realize that we have these kinds of vulnerabilities. I mean, you know, and by we, I mean, there's some thirteen-year-old kid named Anna who was poking around at a UEFI stack and figured out a bug. So way to go, Anna, you keep this up. But first of all, I think the story I was reading that made me start thinking about this again was Qualcomm. And Qualcomm is a major manufacturer of firmware chipsets, and they've been around a long, I mean, as long as I can remember building computers, I remember Qualcomm chipsets and things like that. And, you know, anybody there who's been involved in building computers or working on computers or building your own equipment and so forth is familiar with the idea of firmware. And I mean, most people that are building computers don't usually spend a lot of time worrying about firmware. They just sort of buy a motherboard they like that will do what they want, and they hope the firmware is, of course, compliant.

17:57
Well, Qualcomm has always manufactured chipsets, and this particular article is about the Snapdragon chipset. And so the Snapdragon chipset was a piece of firmware that is used in a wide variety of applications. And in January, they released, so just recently, because January just got started, right? They released a security bulletin that listed 22 separate software issues related to the Snapdragon chipset. There were bugs in automotive components of this, power line communication firmware tools, and anywhere this chipset gets implemented. So it could end up being in a thermostat. It may end up being in a blast furnace at a factory. It may be in your car, it may be wherever. But in this case, it's in some power line communication components, which is always scary. And it's in some sort of automotive system. They had a picture in the article of something called Snapdragon Ride platform, Ride Vision, which looked like it controlled maybe cameras in a car, because that's what they
were showing.

18:58
But apparently, this platform was gonna be released for motor vehicles starting in 2024, so it's not even out yet, and they're finding all these problems with it. All these vulnerabilities were rated high or severe, so it's not just that weird esoteric stuff. It's things that could actually result in massive compromise. So I really think these have the potential to have a significant impact, because they're so pervasive and sneaky and they're underneath everything. And we don't necessarily know what chipset is running all the stuff around us. I mean, I don't know what chipset's running, you know, the sound board or these cameras or whatever. So even if the impact's only economic, you know, I mean, if you have a chipset that's used in a blast furnace, and some of us have certainly been in this kind of scenario where you go to the owners of the steel mill and you say that chipset is this, this, this, and it needs to be updated, and it could have an impact all the way from the bottom of the stack all the way up to, like, say, a GUI that runs the blast furnace. And, you know, so maybe you can make that change quickly. Maybe it's something where you just literally plug something in and do an update. It's not usually that simple with things like blast furnaces, because you don't know the impact, so maybe you can't just update it. And maybe somebody like me comes out and says, well, you need to update your equipment because you've got a huge vulnerability here. And they say, well, we'll do some testing in the next off cycle of the blast furnaces in two years. And you're like, what? Yeah, we don't shut down. We run three shifts a day. And, you know, two years from now, we do an update, that's when we'll do the patches. So, you know, right, sure.

20:32
And, you know, even if it is just like a PC and you go in and flash it, think about that. I mean, in the modern age, it's still a big deal. If the power fails during that update, you can brick the thing, and on and on and on. So you can't necessarily just do that, and you can't necessarily just do that to every sort of equipment that exists around. And, I mean, on an airplane, you can't just jump on the plane and say, here, I got a USB stick, I'm gonna update your firmware. You have to get the FAA to approve it. The airline has to test it. They have to make sure it's not gonna impact all this other equipment. And you're gonna have to probably take a plane out of service for a couple of days, and we all know how much fun that is with air travel. So you update the chipset, maybe the operating system doesn't load anymore, maybe the operating system needs to be reinstalled. You know, all those fun things that we've all been through when we did firmware updates, at least in the, I haven't had much trouble with them recently, but in the old days, or, you know, it's just like there's a component in the system that just seems to have a curse on it. You know, that sound card never works again because you patched the firmware. So, you know, these things are very serious, very severe, very dangerous and scary issues. And, you know, this is just one of the stories that came out this week. That's a complete supply chain nightmare. I mean, if that update causes that robotic arm that feeds the furnace to fail and go crazy, it's not rebooting, and that's how
you get Skynet. Right?

21:49
So the second story that we had this week about it was the one I did on Tuesday. So if you wanna check it out, you can find the link on the Tuesday show. But it was about PyTorch. And PyTorch is a library in Python that you install with pip, or I think you can install it manually. I think I installed it manually once because I was trying to use PyTorch and I couldn't get it to work somehow with pip. But it's used for machine learning and writing your own chatbots, which is what I was fooling with. And, you know, all kinds of fun stuff. And, you know, I played with the chat. And like most things, it had some dependencies. And like most everything else, when you install it, you're just wanting to get busy writing your code and setting up your chatbot. So you install the library dependencies that it has, and those libraries have other dependencies. And, you know, next thing you know, you spend all day installing dependencies, and this needs this, and this needs that, you put another piece of software in, you downloaded this tool, and on and on and on, and, you know, it turns into that horrible, I was just gonna install this and then get something done, and now two days later, I'm still sitting here trying to figure out what these dependencies actually mean. But regardless of that, it's a huge issue, because PyTorch had a dependency library called torchtriton, either that or it was Triton torch, I think it was Triton. But it's a dependency that most people are just gonna, so, yes, install all the dependencies. And when you did that, that secondary library had been injected with malware. And, you know, these dependencies may not come from IBM engineering. I mean, this is some guy named Sid posted this somewhere on PyPI, and it was in a GitHub. And then they used that in another GitHub. And Sid used two other libraries that some guy named Bernie wrote back seven years ago, and he, you know, had his own problems. And all this stuff just kinda flows into one big horrible seething, oozing, greasy lump. And all that combined with firmware and such starts to get really, really scary to me.

23:37
So I think based on all these stories that we see every week, and I mean, literally, I could put up a story about supply chain issues, you know, every week, maybe every day of every week, whether you're going back to SolarWinds or all these UEFI issues we see all the time that Paul likes to talk about. I think we, and by we, I mean the security industry, are gonna have to start working to build better assessment models, not just of tools, but of the whole supply chain related to those tools.
24:03
A lot of organizations can't even seem to tell you where that 2621 router is physically located. I've had that many times, you know, where is this router? They're like, oh, no, somewhere in the building. I mean, that worries me, right? Because when an announcement's made that a Qualcomm chipset has a vulnerability, I wonder how many companies you could walk into this morning as an auditor and say, do you have any Qualcomm Snapdragon chipsets? And they're gonna look at you like you're crazy. And if they do have them, and even know they have them, how do they patch this? And the answer is, it's gonna be a problem. So I think in the end, we're gonna have to do a better job of pressing really hard to get these kinds of understandings in place. I mean, I've been saying that for years about physical topology and virtual topology. So, you know, companies should know what they've got and where it is and what it is and what version it is, and there are tools to help with that. Well, we're gonna have to get an even bigger picture on this, because, you know, things like the software bill of materials don't really solve this. I mean, they start to lean that way, but they don't really solve it, right? I mean, so we're gonna have to get on this. By the way, as you do your startup for this, you know, send me some free shares. Thank you very much, just for that idea. And when you sell it for thirty billion dollars, you know, remember your friends here on Security Weekly.
Right?

25:16
And finally, a Vermont-based startup is looking to, this is killing me, they're looking to add something called OVR Technology to virtual worlds. They basically want you to use their add-on to your VR headset, which contains, and wait for it, an odor-filled cartridge, which pairs up with the gaming system via Bluetooth. So the test bed they were demonstrating had things like fresh roses, grass. Yeah. Right. You know where this is going, right? I mean, I guess that would in some way enhance the experience if, you know, you walk past a bakery on Prince Street in Boston and it smells like fresh bread. I mean, okay. I mean, I've had that experience, and it's pretty nice. You know, is there gonna be, like, a virtual subway where they dump hobo BO on you? Or you have to buy really good tickets to the virtual concert, or you'll unfortunately have to stand really close to the portable toilets, you know, so you get the full sensory experience of urine, vomit, and portable toilet odor, whatever you wanna call that. I mean, I even was thinking you can add a skunking-type attack in video games, right? Like some horrible odor that blasts you right at the crucial moment when you're trying to press all the buttons in the right sequence, and you're gagging because it smells so bad. Like, I'm thinking, like, a big pile of rotting diapers on a hot summer day, you know, blasts you right in the face right as you're getting ready to try to do that thing. Smell-o-vision, here we come. And that's the news. We'll see you next week on the Security Weekly. Huge.