NC_2024_05_12

Discussion on Programming by Stealth, home network troubleshooting, YubiKeys for security, cybersecurity news, VPN vulnerabilities, digital defense strategies, data breaches, and staying informed on cybersecurity updates.

2021, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

NC_2024_05_12
Request for Your Input to Commemorate Allison’s 1000th NosillaCast Episode
CCATP #793 — Bart Busschots on PBS 165 of X – jq: Variables
Find Any File – ScreenCastsONLINE Tutorial
Eero, MoCA, ONT – Not a Happy Networking Story
2024 CES: YubiKey Online Hardware Security Keys
Support the Show
Security Bits — 12 May 2024

Long Summary

Today's show kicks off with some housekeeping notes - there will be no live broadcast on May 19th to accommodate a family visit, while also marking the 19th anniversary of podcasting. We put out a call for suggestions from our dedicated audience for the upcoming milestone 1000th episode. Moving on, we delve into the intricacies of Programming by Stealth with Bart Busschots, shedding light on jq's minimal reliance on variables and its impact. A review of the Find Any File app sparks a detailed narrative about troubleshooting home network woes, involving interactions with Eero representatives, network diagnostics, and the eventual decision to upgrade to new Eeros. The session wraps up with an enlightening conversation on fortifying security through YubiKeys.

Transitioning to a hands-on guide, we meticulously outline the steps to enable two-factor authentication using a YubiKey in conjunction with Gmail, detailing the array of YubiKey options and their robust security features. This segues smoothly into our Security Bits segment, where we dissect the latest in cybersecurity news, including vulnerabilities in Docker repositories and evolving VPN strategies amidst emerging security threats. Stressing the importance of staying informed and adjusting recommendations based on fresh insights, we touch on the favorable reception of passkeys by tech giants Google and Microsoft, bridging technical insights with cybersecurity updates for our audience's benefit.

The conversation deepens as we explore the vulnerabilities of VPNs and the critical notion of "tunnel vision" in security strategies. Unpacking the limitations of VPNs in offering comprehensive protection, we urge a reevaluation of assumptions regarding VPN efficacy, notably in public Wi-Fi and ISP privacy scenarios. Delving into the technical nitty-gritty of how threat actors could exploit routing tables to sidestep VPN shields, we highlight the intricate race condition inherent in such attacks.

We unravel the intricacies of attackers manipulating DHCP configurations and routing tables to divert specific traffic beyond the VPN veil, underscoring the method's fallibility and constraints. Emphasizing that such breaches don't compromise the encryption of VPNs or analogous technologies like HTTPS and SSH, we touch on Android devices' immunity to this specific threat due to Google's overlooked DHCP implementation. Proposing potential mitigations for users to bolster their digital defenses, including customizing DHCP settings on non-enterprise Windows versions to disregard select directives, we aim to demystify the technical complexities and raise awareness about VPN vulnerabilities and protective strategies.

In the closing segment, we explore prospective remedies for cyber perils, like incorporating toggles for feature control and enriching VPN applications for heightened security. Emphasizing vigilance against counterfeit websites and the paramount role of two-factor authentication, we shed light on recent cybersecurity developments, encompassing data breaches by Dropbox and Dell, alongside hefty fines imposed on non-compliant firms. Wrapping up with guidance on online discourse and a podcast series spotlighting the OpenAI CEO's dismissal, we underscore the significance of staying abreast of security updates and avenues to engage with our content for a fortified digital presence.

Brief Summary

Housekeeping notes are shared, and the podcast delves into the intricacies of Programming by Stealth with Bart Busschots, discussing the minimal reliance on variables in jq. A review of the Find Any File app leads to a narrative on troubleshooting home network issues and upgrading to new Eeros. The conversation continues with insights on fortifying security through YubiKeys and a guide on enabling two-factor authentication with YubiKey and Gmail. In the Security Bits segment, cybersecurity news is analyzed, focusing on VPN vulnerabilities and evolving strategies. The limitations of VPNs and potential exploitations by threat actors are explored, emphasizing the need for users to enhance their digital defenses. The episode concludes with discussions on cyber perils, including tips for improved security, data breaches by Dropbox and Dell, and the importance of staying informed on cybersecurity updates and protective strategies.

Tags

Housekeeping notes
podcast
Programming by Stealth
Bart Busschots
jq
Find Any File app
troubleshooting
home network
Eeros
security
YubiKeys
two-factor authentication
Security Bits
cybersecurity news
VPN vulnerabilities
threat actors
data breaches
protective strategies

Transcript

[0:00]
NC_2024_05_12
[0:11]
And this is show number 992. Well, before we dig into the show, I have a couple of announcements. First, I want to warn everyone that there will not be a live show next Sunday, May 19th. Steve and I are going off to Texas again to visit the grandkids. I know this is a hardship, but take it up with my son. He's the one who moved my grandchildren to Texas, okay? It's not my fault. Anyway, you'll get a reminder that there's no live show when you see the NosillaCast come out on Wednesday before we leave. Secondly, let's all say happy 19th anniversary to the NosillaCast.
[0:46]
Tomorrow, May 19th, I will have been podcasting for 19 years. I absolutely couldn't have done it without you and especially without Steve. And in the spirit of celebration, we have a little request from Steve.
[0:59]
Request for Your Input to Commemorate Allison’s 1000th NosillaCast Episode
[0:59]
Hello, NosillaCastaways. This is Steve. Allison is coming up on her 1000th NosillaCast episode in July of this year. She began this journey over 19 years ago when she first picked up a microphone and decided to start recording. Since then, she has produced a NosillaCast podcast episode every week without missing a beat. To commemorate this milestone, I'm soliciting input from all of you to convey your thoughts about any of the Podfeet podcasts, or Allison herself, or both. I'll assemble all of your inputs for Allison to hear and play on the 1,000th NosillaCast episode on July 7th. I'd like your input in the form of an audio file that is 30 seconds or less, and I'd prefer your input in the form of an AIFF or WAV file for better audio quality, but I'll accept M4A or MP3 files as well. Please identify yourself in your recording, and you can email your input to me at steve at podfeet.com by June 23rd. I hope to hear from you. Thanks.
[2:05]
CCATP #793 — Bart Busschots on PBS 165 of X – jq: Variables
[2:05]
This week's episode of Chit Chat Across the Pond is another installment of Programming by Stealth with Bart Busschots. And Bart explains why jq is uniquely designed not to need variables most of the time. And then he explains how to use them in the few instances when there's no other way. It's a fairly straightforward lesson, as Bart set up some very clear examples and solves them with some very simple variables. It's one of my favorite episodes because the problem is clear and the solutions are clear. And it really shows off how clean jq is as a language. You can find this episode in either the Programming by Stealth feed or the Chit Chat Across the Pond feed. And of course, there's a link in the show notes to Bart's fabulous tutorial show notes over at pbs.bartificer.net.
[2:50]
Find Any File – ScreenCastsONLINE Tutorial
[2:50]
In December, Christian from Germany sent in a review of an app called Find Any File. In his review, he explained that when he deletes an app, he uses Find Any File to hunt down all the little remnants of the app so he's sure his system stays clean. At the time, I downloaded Find Any File from findanyfile.app, and I gave it a play, and I found a lot more problems it could solve for me. Think of Find Any File as an extension beyond what Spotlight can do, kind of augmenting Spotlight. Over the last few months, I've noticed I've been reaching for Find Any File more and more often. When it came time to pick a tool to teach for my latest ScreenCastsONLINE tutorial video, I thought Find Any File would be a great choice. I always run my ideas past my editor, my good friend, JF Brissett, and I warned him that I was a little concerned this particular app might not have enough meat on them bones. By that, I meant it was useful, but I might have trouble coming up with 20 to 30 minutes' worth of instruction on how to use the app. As it turns out, I could not have been more wrong. As I dug in and did my usual discovery process, I found more and more and more that Find Any File could do.
[3:58]
At the time, I was in contact with a delightful and, like, so responsive developer, Thomas Tempelmann, and I asked him if he'd mind getting on a call with me to answer some of my questions. And my goal in talking to him was to have him help me, like, bundle this and focus the vast capabilities into just the most important features so I could cram the video into my 20 to 30 minute time limit. But instead, the more I talked to Thomas, the more I learned it could do. He kept telling me, oh, it can do this and it can do that and it can do that. Now, oh, did you know these keystrokes? And hold down the Option key, it can do that. And I was actually, like, holding my head going, no, no, no, Thomas, stop it. Stop teaching me more. I need to narrow this down. Anyway, I was successful in getting it in and out of the time limit. And I've included a teaser video in the show notes for my tutorial on Find Any File. And I've got to tell you, this is a tool I reach for at least a couple of times a week. If you want to try out ScreenCastsONLINE to see the entire video, you can sign up for a free trial over at ScreenCastsOnline.com.
[4:59]
Eero, MoCA, ONT – Not a Happy Networking Story
[4:59]
You know what's a super fun way to spend Mother's Day? Diagnosing network problems! All right, let's back up and I'll tell you a story that might give you some insight into your own networking problems someday, some different ways to troubleshoot. A few weeks ago, our network started to get dodgy. While all network speed tests showed everything was dandy with our Frontier Fios, our TV playback was stuttering, and our Eufy security cameras kept going offline and online throughout the day. The speed test kept showing that we were getting the 500 megabits per second symmetrical up and down that we were paying for through Frontier, but things were definitely dodgy. Now, Wi-Fi in my house is served by four Eero mesh routers, which is really supposed to be a bit of overkill for our 2,800 square foot home, but had been serving us well for quite some time. Our dear friend Pat Dengler, you know her as the certified Apple support person, is really well versed in Eero, and she suggested actually calling them on the phone. I know, sounded drastic, but after unplugging and plugging everything back in a few times, I was pretty much out of ideas.
[6:05]
John the Eero rep started by complaining about how I had too many devices on my network, but when I demanded to talk to a higher level of support, he suddenly got more helpful. It's pretty clear that the Eero people are really trained to try really hard not to get you to the next level of support, so I found that kind of interesting. Now I'm not going to take you through all of the troubleshooting steps we tried, but instead I'm going to take you to the first end game. Three of my four Eeros are Eero 6 Pros that I bought a long time ago, and one is an Eero 6E, which is the newest one. The 6E was in our dining room while one of the 6 Pros was acting as the gateway Eero. The gateway is the one connected to your modem. The rep suggested swapping them so that the best one was the gateway. And I was kind of like, well, that does kind of make sense. As soon as I did that, after much rebooting of things, the network stabilized. We were so happy.
[6:59]
But then yesterday, we had a completely different problem. Bart and I were recording, and we had a few hiccups, and after the call, Bart told me that my video was terrible for the entire call. He said it was really pixelated. I hadn't noticed anything wrong because his video looked grand. I ran a speed test from my den, where my Mac is hardwired to the gateway Eero via Ethernet through a gigabit switch. I was getting my full 500 megabits per second down, but I was only getting around 20 megabits per second up. Now in the old days, that would have been acceptable, but we demand so much from our network these days. To give you an idea of the impact on me, it took a little over three hours for Programming by Stealth to upload, so I don't even think it was a stable 20 megabits per second. I unplugged the switch and plugged my laptop directly into the second Ethernet port on the Eero, and I was still only getting 20 megabits per second up, so that meant it wasn't the switch. Now, over Wi-Fi, it was even worse. I was getting numbers as low as 6 megabits per second. After recording with Bart, I called Eero again, and Ram started helping me out. One of the first things he did was have me look at the Eero app to see what speeds were being measured at the Eero gateway.
[8:11]
Every test I ran from the Eero app showed we were getting roughly 500 down and 500 up. That told us there was nothing wrong from the Frontier Fios side. It had to be something wrong with the Eero. My Frontier service used to come in over the coax cable, and then I had a Frontier wireless modem, and I would bridge it across to my Eeros. But a few years back, they replaced the modem with a little MoCA (Multimedia over Coax) box that converts coax to Ethernet. Before I called Eero, I had power cycled the MoCA box and all of the Eeros. Now that I was on the phone with Ram from Eero, we discovered that of my 67 devices on my network, 50 of them were connected to the gateway Eero. For some reason, they didn't connect to the Eeros that were right next to them. So they were sprinkled all over the house, but they decided, nope, we're all going to the gateway. That's where the party is. Ram was convinced this was the problem with my upload speeds and suggested I go turn off Wi-Fi on every one of those 50 devices. Yeah, that wasn't really a workable plan. No, was it? How am I going to turn off Wi-Fi on my thermostat, my doorbell, my garage door? I mean, this just, I mean, just unplugging everything. No, no, no, no, no. I'm not going to go do that.
[9:25]
Well, we decided to power cycle everything again, and he said to power cycle the MoCA adapter, which I've been calling a modem, which, by the way, I'm going to find out later on that I'm wrong, but this little MoCA adapter, he made me wait three minutes for every device in serial, one after another, to boot back up. Now, after we did all that, around 45 devices had decided that the dining room Eero was the place to be, and there were only three left on the gateway. However, I was still getting 20 megabits per second upload speeds. At this point, I had to break for the night and I said I'd call back today. By this time I was convinced that the gateway Eero 6E had a hardware problem. Because it wasn't working hardwired directly into it, it wasn't working over Wi-Fi, I'd changed cables, I tested two different Macs hardwired into it, it wasn't the switch because I'd removed the switch, so that Eero had to have a hardware problem and it was somehow affecting both Wi-Fi and hardwired.
[10:27]
After a confab with Pat this morning, Steve and I decided to get a whole new set of Eero 6Es. I was going to replace them all. At $650 for four of them, it wasn't a cheap solution, but you know, I was just getting weary of this whole mess and I knew that it would be overall better to have all 6Es. By the way, I briefly considered going for the new Eero 7s, but at $2,300 for four of them, I thought maybe not. Anyway, Steve ran over to our local Best Buy and he bought the new Eeros.
[10:56]
But before doing any hardware swap, I gave Eero a call again. I'm not going to go through in detail how incredibly annoying the next person on the phone from Eero was, but let's just say it was not a happy time as they asked me the same question over and over and over again and didn't understand my answers. Now, she did have me connect my laptop directly to the little MoCA adapter instead of using one of the Eeros. And she asked me to tell her what the model number was, because I remember I kept calling it a modem, and I flipped it over and saw that it said it was a MoCA adapter. Anyway, she said to plug directly into the MoCA adapter, just skip the Eeros entirely. Now, I tried to do that the day before, and I kept getting a self-assigned IP address. I wasn't getting any network at all, but maybe after all the power cycling, something kicked loose, and now I was able to get an external IP. That scared me, because that meant I had my Mac on the open internet with no firewall while I was doing these tests. However, it was worth it because the speed test completely eliminating the Eeros, directly through the MoCA adapter, showed even worse than I'd seen before. I was only getting 2.64 megabits per second up.
[12:07]
So that meant this has to be a problem with Frontier Fios service, nothing at all to do with the Eeros, and all of that work we did on the Eero was wasted time. What I don't understand is why the Eero app continued to tell me, oh yeah, I'm getting 500 down, 500 up, I am good to go, and the input's great. At no time did it report any problems at all.
[12:29]
At this point, I hung up on the annoying rep from Eero, and Steve suggested we take my laptop outside to connect it directly to the optical network terminal, that's an ONT, from Frontier. This is where things get even more interesting. The ONT is really the modem. Now remember, I told you we have that little MoCA adapter that turns coax into Ethernet inside my house. I didn't realize or remember that there was another MoCA adapter outside that takes Ethernet from the ONT and turns it into coax into the house. Both of these little adapters only need to exist because there's no Ethernet in my house. If I had Ethernet, we wouldn't need either one of them. And let me tell you, Pat tells me probably two to three times a year that I should just get my house wired for Ethernet and I'm starting to think she's probably right. Anyway, so when Steve first opened the little doghouse outside on our house and he looked at this MoCA adapter that was connected to the ONT, he said the MoCA light was blinking. He wiggled the power and coax cables and then it turned solid green. That was curious and maybe a clue. We unplugged the MoCA adapter and plugged my Mac directly into Ethernet, directly into the ONT, and Bob's your uncle, I got 439 megabits per second down and 539 megabits per second up.
[13:48]
Wow, this was fantastic news because that means it's not a Frontier service problem, so I don't have to wait two, three, four, five days for them to come out and fix something.
[13:56]
So Steve then unplugged the coax cable from the MoCA adapter outside, and he blew into the connector because, you know, that's the well-known connector fixing protocol, right? So then he securely reconnected it to the MoCA adapter, and he plugged power back into the MoCA connector, and we waited for the lights to be happy, and then we went back inside the house. I plugged my Mac back into the indoor MoCA adapter via Ethernet and boom, 563 megabits per second up. It was working. Final step, we plugged the Eero gateway back into the MoCA adapter and waited about the 300 years it takes an Eero to connect. And then we ran into my office and we tested the wired connection and I got the same 563 megabits per second up. So now I'm actually getting higher upload speeds than download, because at download I'm getting around 400. Victory is ours! So this was a harrowing way to spend Mother's Day, but I think this is why it's an advantage to have two engineers married. We did controlled experiments, we changed one thing at a time, we did fault isolation that way, and we came to the answer. The only question left is whether to keep three of the four brand spanking new Eero 6Es we bought and just return one.
[15:09]
2024 CES: YubiKey Online Hardware Security Keys
[15:04]
Would you believe that we're still milking the CES audio train here? We have another review. I think we've only got one or two more left, but let's kick in and listen.
[15:21]
On the NosillaCast, we're all very security conscious, thanks to Bart Busschots and his Security Bits segment he does on every other show. One of the things we've talked about a little bit, but we haven't really dug into, is the YubiKey from a company called Yubico, which can give you some enhanced security, and I've got Karen, let's see, I'm going to get it right, Karen Muscoff to tell us about the YubiKey. Yeah, absolutely. Thanks for stopping by. So we're really excited about the YubiKey. We've been around since 2007. We think of the YubiKey as kind of the key to your online security and your online account. So just as you would think about a key to your house or a key to your car, this is the key to your online accounts to keep you safe online. Okay. So I see a lot of the little devices, I see actually seven different YubiKeys here of different varieties, but just before we talk about what they look like.
[16:09]
They're USB-C, they're Lightning, they're USB-A, we've got NFC. But what's the use case? How do you use it? What do you use it for? Yeah, the main use case that I tell people to use it for is to secure things like their Gmail, their social media. So if you're talking to a consumer specifically, those are the things they're going to care about the most, right? They're going to care about their bank accounts. They're going to care about their Gmail. They're going to care about nobody hacking into their X account or into their Instagram or any other social accounts too. So what this does is a second-factor authentication. So it replaces, like, an SMS text or it replaces an authenticator app. And it allows you to authenticate into your accounts very securely. So you use it instead of an authenticator app. Absolutely. So if I'm using 1Password today, which I live and die by, but this is a step beyond what that can do. So 1Password is a great example. What we tell people to do is secure 1Password with YubiKey. So you can still use 1Password, use that to generate your passwords. It's a great product. We partner with them. Then we tell people, secure that 1Password with that YubiKey. And then that way, if anybody's ever trying to hack into your 1Password, they can't get in because the YubiKey is securing it. I see.
[17:19]
Okay. I can show you how to use it, if that would be helpful. That would be great. Okay. So this is an audio podcast that also some people watch on video. So talk through what you're doing as we walk through. Yeah, absolutely. So we're going to use an example of how to do it in Gmail. So I'm going to lean in so I can do it. She's on an iPad here. Actually, on a Microsoft Surface. Oh, sorry. Well, we'll allow it. We'll allow it. OK. So I'm going into a Gmail account right now. I'm clicking on my account to log in. So it's asking me for my password. So I'm going to put my password in.
[17:54]
We're not watching. We're not memorizing. I'm putting my password in right now. Please don't. I won't be tricked. And neither will the YubiKey. Now it's saying it's making sure that it's me. So what it's doing is starting to authenticate to the YubiKey right now. Oh, wait a minute. Oh, so the YubiKey is already plugged into the site. I plugged it in already just for the example. And now it's telling me to touch my security key. So the YubiKey is plugged in. I'm touching my security key. It just authenticated me just like that. And I'm just clicking that, and it's now going into my Gmail.
[18:25]
So rather than... It entered not your username or password, but your second factor authentication. I entered in a password to start with, which was getting me into the account because, again, the YubiKey is your second factor or your multi-factor. So that's the backup to getting into your password. So that's how it authenticates that it's you. And so now I'm in my Gmail. So she's got it on her key chain here. Actually, hers is all blinged up. It's got little sparkles on. It's got a YubiStyle. Of course, I have to have it unique and original, so I have made that very golden sparkly. And it even lit up when you authenticate. About it? So, you know that it is authenticating when it lights up and you touch it, so you know that it's happening. So is that a fingerprint sensor? This is a fingerprint sensor, but it's not biometric. So we do offer a biometric key. This is a sensor for your touch. So it's just... I could have touched it? No? What about... you gonna touch it? If it's authenticated to your machine, to your accounts, it has to be authenticated to your products that you're going into, your accounts. But if it's not biometrics, how does it know it's you and not me?
[19:26]
Well, you would have... you're logged into your account, so you're logging in with your password and with your keys, so you'd have to have those two things together to make it work. Okay, so just, this is an artificial situation because you were standing here having put in your username and password, and then, but I could have touched it. You could have touched it because we're having a demo to show you. You're having a worse day because I have a gun to your head or something. Correct, yeah. So you have to have the key authenticated to you, but the biometric is to that same point. This is a true biometric. Let's show that to the camera here.
[19:58]
So you've got another YubiKey, and this one actually has a fingerprint sensor. Like this. It's a fingerprint sensor, and so this holds up to, I believe it's eight fingerprints, maybe ten fingerprints, so you can use your fingers, all your fingers if you want, to record it, and then it's touching it that way. So it just depends on the form factor that you like to use and what people prefer. So that would take it up a notch in security, I would think. It's the same protocols on the inside. It's just a different form factor and how people like to touch and how people like to use their keys. All the keys do something slightly different. You were asking about the lineup of keys that we have, so let's find our way down the line. So the one you just did, those are biometric, C and A. Yeah, and these are our Security Key series. So these are our entry point security key. This is what we recommend for consumers or small businesses as well. These keys start at $25, so it's a really low cost point of entry.
[20:57]
But what's the difference in the technology between these and the biometric? One of the things about this is they have passkeys all stored in them, which is good. But the biometric is just going to have a deeper security that typically an enterprise would use to be securing on the back end. So these lower end ones, that's the kind that you have on your keychain? That's the kind I have out there, yeah. So then again, there's three of them here because one's USB-C, one's USB-A, and this one's USB-C and Lightning. Exactly, exactly. So people are transitioning between old and new. Yep, yep, that's exactly right. Now you've got two teeny little mini chip ones here.
[21:29]
I always call these my favorites. These are the Nanos. So these are the YubiKey Nano. You can see that little guy right there. That is like the size of my tooth. It's tiny, it's tiny. The use case scenario for this is really putting it into your laptop or putting it into your desktop and having it there, so it's nice and convenient, it's almost flush with your machine, and so then you can just touch it and have it there. So I keep mine in when I'm working during the day. I take it out at night, I put it in a secure place, just in case somebody were to, you know, break in and grab my laptop, I have my YubiKey separate from that. So when you go to authenticate, you still have to tap it, right? You still have to tap it, but one of the things that's really important that I didn't mention is you don't have to tap it all the time. So once you've authenticated to your accounts and to your phone or your device or whatever device you're using, you only have to every now and then re-authenticate to show that it's still you. So it's a nice convenience. So, for example, if you were to get, like, an SMS text for authentication, you do that every single time you're authenticating into your Gmail or into whatever account it is. With the YubiKey, you don't have to do that. So this helps people stop using SMS. If you could just talk to all of the banks in the world that for some reason use SMS, I'd really like you to fix that one.
[22:41]
We would like all the banks in the world to start using YubiKeys too, because it really truly is a safer technology to secure your accounts. Now you gave us two of these YubiKeys and you said you recommend people have two keys. We always recommend that you have a backup. If you lose your first key, you need to have that backup key to be able to log in. If you don't want to have two keys, you can back it up with an SMS, you can back it up with an authenticator app. There are other ways to back it up, too. You're kind of defeating the purpose when you do that. We always recommend the two keys, exactly. Right, right, right. This is very cool. So if people want to find this, I assume they go to yubico.com, Y-U-B-I-C-O. Yep, yubico.com. Really appreciate your work here. Thank you. Thank you. Thanks for stopping by.
[23:23]
Support the Show
[23:23]
Well, as you can tell, this whole networking problem is going to cost us some money to keep the show coming to you and not take three and a half hours to get the files uploaded. So if you have some spare change and would like to help fund that experiment and everything that we're doing here on our network, can you possibly consider going to podfeet.com slash Patreon and becoming a patron of the Podfeet podcasts? I'd really appreciate the help.
[23:47]
Security Bits — 12 May 2024
[23:48]
Music.
[23:57]
Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How awful is the news today, Bart? Uh-oh. You know those VPN things we all use that we say are the perfect way to protect yourself on hotel Wi-Fi? Yeah. About that. Uh-oh. Slight reappraisal needed. Yeah. You know the way you like a deep dive with a bit of meat? We're on T-bone steak today.
[24:27]
Yay. But there is plenty of good news, too. There's lots going on. There's lots going on. A few little quick follow-ups of long-running stories. Three little, four little, three little cat came today for Digital Markets Act updates. The first third-party store is live. American developer Riley Testut has published his AltStore to iOS in Europe. There are some exclusive games, including his Delta emulator, which is exclusive to his store here in Europe. I haven't heard any fallout from it. People who care seem to be using it. Are you using it, Bart? That is a thing now. Nope, because I have no interest in going into the Wild West or in emulating Game Boys. So for now, I'm ignoring it. Okay. The EU has decided that iPadOS is going to come under the same rules as iOS after all. It shall be a gatekeeper too, and Apple have six months to comply, which they said they will. So by the autumn, there won't be this weird difference between iPadOS and iOS in terms of these third-party app stores. Okay.
[25:42]
Underlining how many new APIs Apple have had to make, and how that's not going to go without flaws: the API Apple have in beta at the moment for websites sending apps straight to people's devices without going through a store, that API, we now know thanks to some security research, can be used as a kind of undeletable tracking cookie, which is definitely not what Apple intended from that API. So they have a little bit more homework to do on that API before it's quite finished. I'm not surprised that they have some teething problems on, what did I say it was, 70 new APIs or something they've done. They said it would be a ton of work and it was going to cost them a bunch of money to do this. They weren't lying.
[26:34]
This would appear to back them up, yeah. Yeah, and I'm not surprised. Or, you know, it's not a big deal. It's just, hey, it's a beta. This is what happens. And then definitely good news. So I don't know how much you followed about the core technology fee and the very real fear people had that if you were, say, a really keen kid listening to the NosillaCast and you wrote an app that you make zero money from and it happened to go viral, you could end up owing Apple hundreds of thousands of dollars by mistake, or by no real fault of your own. Yeah. Got a lot of people worried. And when it was pointed out to Apple in a recent hearing, they literally said, stay tuned. We understand. We will get back to you. They did.
[27:19]
There is now an exemption for true freeware. So true freeware means it is not monetized. Ads are not true freeware, because the ads are monetization. But a truly free app is truly exempt from the core technology fee. So no more stomping on kids' creativity. No more making charities terrified of iOS if you're genuinely not doing this. I like that ads, though, count as monetized. And it's like, yeah, don't, don't try to play both sides of that coin. That's kind of fun. Unfair, right? I think so, but I'm, I'm very biased on this whole topic. I'm, I'm not in the least bit, uh, a critical thinker on this topic. I think Apple's right on all of this and everybody else is wrong. So I try not to actually talk out loud, because obviously that's not the right answer. But I just like, I don't care about any of this, and everybody's all bleh about it.
[28:17]
I feel bad that kids were ending up in a position that was kind of like, well, let's hope you're successful, but not too successful. And this just seems like a better answer to me. Well, but go be successful in the app store. Don't do it. But this is in the app store. Oh, I thought this was in the alternative app store. No, this is an Apple's App Store, but if you use the European contract instead of the American contract. I thought the European contract was the alternative. Oh, I congealed those two. That's not the right word. Conflated those two.
[28:53]
They are sometimes both true, but they don't need to be both true. Okay. It's complicated. Yeah. All right. Well, anyway, they fixed it. Yay. Exactly. Precisely. We had a good discussion. We had a discussion that I think was good, and I think we got some decent listener feedback too on TikTok last time. And, of course, just after we're done recording, I end up reading a fantastic analysis piece over on the Intego Mac Security blog. So there is a link in the show notes to that piece by... Oh. Anyways, by one of the researchers who generally writes really good stuff. It's a very thoughtful breakdown of what we know, what we don't know, and, you know, sort of a high-fact, low-emotion analysis of the reality of the situation. I don't think it contradicts anything either of us said, but it's good to have someone else's, you know, explanation. Okay. I don't believe this is a coincidence, but China has decided that WhatsApp and Threads are not allowed in the Chinese App Store anymore on iOS. Yes. They obviously did not say this is, this is what we're going to do if you, if you're naughty to our beloved TikTok. But come on. But to be fair, they don't allow TikTok either, which is ironic, right?
[30:14]
Fair. Very fair. Yeah. And purely for fun, there is a Twenty Thousand Hertz episode that has come out this week on TikTok's audio icon. Now, I don't use TikTok, so I'm just parroting what I heard on the podcast. But apparently, whenever you download a TikTok video out of TikTok, when you hit the export button, they append a little audio chime at the very, very end of the video, so that every time you hear a TikTok video on a news website or on Twitter X or anywhere else that has been exported, apparently it has this little audio jingle on the end. And apparently everyone knows that this is a TikTok video because of it. And it does kind of sound like TikTok, only in music. And the story of how they did it is fascinating. And the episode is basically an interview with the creators of that audio icon. And I really enjoyed it. I've never heard that. I've never heard there be any noises.
[31:18]
Like I say, I'm going by what the episode said. Apparently, whenever you hit the export button or the share button, that's what happens. And apparently it was very, very clever of TikTok to do that, because it means that even when TikTok videos get shared, not on TikTok, they're still branded as TikTok. Oh, OK. Interesting. I have been saying that attackers are trying to go after developers and I don't like it, but it continues to be true. We've had them go after Python. We've had them go after Node.js. Well, the next one they're after is the Docker repository. A lot of people use Docker to run like mini virtual machines that are even more compact than a full virtual machine. Yeah. Just be careful. Those naughty people want you. So it's the containers themselves they're attacking? So there's a place you can go to get free containers written by other people that give you like out of the box without having to do any work, Homebridge and those kind of things. So it's like just a repository of useful Docker containers people have made. Should be an amazing community thing, but now we've got to be careful. Because we can't. How do you be careful?
[32:32]
I'm not a Docker user, so I'll be honest, I'm not going to give advice that I can't back up. So I'm just going to say, whatever kind of reputation system there is, where you know if someone who you trust tells you this is a great Docker image for doing Homebridge, okay. If it's the first hit on Google, this kind of advice is always hard. It's like, well, how do I know if that's a good one or not? But yeah, I mean, there is, there are reputation things, but if they've gotten infected in some way, then you, I don't know how you'd be careful and know that. It's a best-effort thing, I guess. You know, I often outsource trust. If I see a recommendation from someone I trust, I'll follow their recommendation, sort of going, well, I can't be sure. But hey, you're at least informed about this and I'm not. So less bad than if I just guess. OK, yeah.
[33:28]
Switching to happier news, the rollout of passkeys is continuing apace. Google have said they have crossed over the 400 million threshold of accounts now using passkeys to authenticate, and that's not nothing. And people with personal Microsoft accounts can now use passkeys to log into outlook.com and all the other Microsoft services. So again, you know, not a small player. So yay, good. Right, now let's dive deep. Get your propeller beanie and spin it right up. And just to confuse us, there are two completely unrelated stories about VPNs that have been in the news since we last recorded. One of them is a small issue that's easy for Google to fix, and it's just not something we're going to need to worry about in the long term, and even in the short term I wouldn't get too worried about it. The other one is a fundamental shift in our thinking about VPNs, because we have been making an assumption we should never have made. But I'm guilty of making it. I have shared it on this very show. We need to understand reality, and I need to update my recommendations. Okay, let's do the easy one first.
[34:45]
The easy one. On Android, there exist two different standard system APIs that do the same job. They will turn a DNS name into an IP address. One of them is part of the Android API, and the other one is part of Android's implementation of the standard C library.
[35:05]
When they added a setting into Android to block everything that's not going through a VPN, they updated one of those two functions to actually check if that checkbox is checked and then to obey it, and they forgot about the existence of the other one. So if you're using a VPN client that is using the C library instead of the Android library, then for a few milliseconds, as a connection is being established or renegotiated, it will leak your DNS queries outside the VPN when it shouldn't. Which means that an adversary in the middle can see DNS queries, which means that they can get some sort of information about the domain names you're interacting with.
[35:55]
And if there is a malicious adversary in the middle and the domain is not using DNSSEC, they could also mess with the answer and give you the wrong IP, which hypothetically could trick your client into connecting to the wrong VPN server. Yeah. But that should never, that shouldn't work, because the VPN client absolutely should be checking the validity of the certificate handed by the VPN server. And only the true VPN server can hand a validly signed certificate. So unless the VPN client is very sloppy and doesn't check the certificates, it should fail with an error. So that's a denial-of-service condition then. It'll just say failed to connect to your VPN. But it shouldn't do it. Hmm.
[36:44]
So real-world risk: it's a small window every time you start and stop your VPN. The biggest danger is leaking one or two domain names. It really shouldn't be possible to intercept your VPN because of digital certificates. It's very, very easy for Google to fix this. And it's also very easy for every VPN app, while they wait for Google to fix it, to use the other API. So it was Mullvad VPN who discovered this little quirk. So all they needed to do was just change which of the two APIs they use, and everyone else is free to do the same, and really Google need to add one if statement to one C function. This is just not a big deal. Good, good, good, good. Okay, so can we just stop there? It depends on whether we're in the la la la la la mood or if we're trying to learn something.
[37:38]
So this vulnerability, as we're going to call it, is called TunnelVision, and it's a vulnerability in the sense that this is a thing that, if we're not careful, will expose us to risk. But it's not a bug. It's not that someone did something wrong. It's that we have been laboring under an assumption that never was true, and we just happened to be getting away with it. Only now someone's looked down, realized we've all been running off a cliff, and now we've got to accept reality. VPNs solve some problems perfectly. They don't solve all problems, and we have been wrongly assuming they solve a problem they don't. Now I'm being very vague here because I'm just trying to say that this is a big picture. This is a big picture. No one wrote a software bug. We have had a marketing bug.
[38:39]
Because we've been parroting what is effectively a marketing line, that this is what VPNs can do for customers, and we shouldn't have been parroting it because it was never true, and it definitely isn't true now. So if you look at any ad for a VPN, the chances are they're going to hit on three sales pitches to you. Sales pitch number one: if you install our VPN, then you can go to any untrusted Wi-Fi network, be it a coffee shop or a hotel, whether it's Wi-Fi or Ethernet, you can plug in or connect and you will be safe when you browse the Internet. That isn't true, and it never was. The other promise they probably made is that you can connect to the Internet without your ISP spying on you. That is still true and always has been. And the other promise they made is that you can use it to get to geo-restricted content, which is not security-related and is every bit as true today as it was yesterday. So...
[39:44]
It's a very similar story if you think about why people use VPNs in the corporate world, too, because the three common sales pitches there are that an employee can securely connect back to the corporate network from anywhere, which is only partly true, and it remains only partly true because only a trusted remote network can be used safely. So connecting from home to work, no problem. Connecting from the hotel to work, problem. The other thing corporations use VPNs for is to take two physical campuses and make them appear as one network. That's still secure. Or to take one physical network and connect it into a cloud network securely, and that's also still true. So where have we gone wrong? It's one sentence.
[40:38]
Uh, actually, sorry, I'm going to, before people get all confused and panicked, there is something we can do that will solve this problem for us, and it's very easy. We don't know what the problem is yet. You've just said it. I know. It's never been true that we are securely connecting using a VPN, and I'm paralyzed on that sentence, and you've gone on. You're going to explain that. I am definitely going to explain that. I'm going to back it up. But before I do, I'm just going to say, don't panic. The easy fix is to use cellular when you're in a hotel. Connect over cellular to run your VPN. It's a terrible fix. I can't. Okay, but it is a thing you can do. Okay. Okay. Right. So, yeah.
[41:26]
Okay, I'm trying to set it up so that I don't over-scare or under-scare. So the current attack that I'm going to describe in detail is one way in which this fundamental problem can be exploited, and we can add workarounds for this one known problem, but there are infinitely many possible unknown problems, because the real fundamental issue is that VPN technology exists high up in the network stack. It is on top of TCP/IP, so everything more fundamental than TCP/IP is beyond the ability of a VPN to affect in any way. So that means that Ethernet is beyond the VPN's control, DHCP is beyond the VPN's control, and so is IP routing. And that means that if there's something going on that low down in the stack, your VPN can't protect you from it, because it just, it doesn't exist at that level. It's like a seat belt can't stop you from having your engine backfire. It's just, that's it. That's not what it does.
[42:42]
So did we not know? I know, at that lower level, for the last 25 years we didn't appreciate, we, we knew that was a true fact, but we didn't appreciate the implication of that fact. We didn't quite comprehend the conclusions we should draw from that fact. Which is, in hindsight, stupid. But that's the way hindsight always is, right? So there's no point in using a VPN at all to protect yourself on an open, unsecured network in a hotel or coffee shop. There's nothing to do. In that case, throw away all the VPNs.
[43:24]
Don't throw them away, because they're useful for different things still, but they're not enough to keep you safe if you are directly connecting to someone else's network that you don't trust. So that's the only reason I use a VPN, Bart. And I think that's the reason most people use VPNs. I mean, there are people who use it to get around, you know, I want to watch the BBC, but that's... Some, right. But you can still securely connect through a malicious network. So all of the people who are hiding from their ISP because their ISP is literally selling their personal data for double profit, because they're profiting off them twice, that still works completely. It's only if the very, very, very edge that you're on, like if your device is straight onto a bad network, then the problem is you're straight onto a network you don't trust, and they can mess about with your computer at a lower level than the VPN. But in your house, you're on your home network. So you are connecting through your ISP, not from your ISP. You're connecting from your home network. So setting all that aside, let's just talk about protecting yourself from a dodgy network. When you say that it's not protecting us, do you mean that adversaries in the middle can get to you with a VPN on?
[44:50]
In effect, yes, with lots and lots of stars to make it a subset of as bad as you think. OK, so what could... OK, so the scenario would be you go to your local coffee shop, your hotel, some sort of Wi-Fi or Ethernet that is not trusted. And you don't know this, but sitting next to you is a person with their laptop who is out to attack you. And what they can do is they can, behind your back, reconfigure your computer so that traffic to specific IP addresses goes around instead of through your VPN. And it has to be to specific IP addresses, so they can use it for a finely focused attack: I want to steal all of their traffic to their mail server, or to their corporate network, or to 8.8.8.8 to see their DNS traffic. But they can't take all of your traffic and just hope for the best. They can only make a pinhole in your VPN that you won't notice.
[45:59]
Hmm, yeah, that doesn't sound nearly as bad as what you said to start with. Okay, so, right, but we assume they can't do anything, right? We have been assuming you are completely safe, and we need to puncture that assumption, because it is possible, for very good reasons, very understandable reasons, to trick your computer into sidestepping your VPN. But only side... I'm going to describe how. How does this work? It's a pinhole. Like, they can't know who my bank is.
[46:32]
They can't, I'm sorry, without knowing who my bank is, they can't specifically target me for that bank. Bingo. Bingo. Exactly. Yes. Okay. Which limits the usefulness of the attack to more targeted, more focused attacks instead of just a fishing expedition, which is good. But if I was being malicious, my fishing expedition might be to sneak the traffic to only 8.8.8.8 outside of the VPN. And the chances are high that of all the people in the hotel, a bunch of them are using Google's DNS. And therefore, I can see everything they're doing. And then I can see, ah, Bank of America, you say. Okay, then. Now we're off to the races. Don't you think it's mostly nerds that know to use 8.8.8.8? I mean, potentially our entire audience, but, okay, yeah, potentially. So it may be a case that you're going to a conference, like there's a meeting of Intel execs, and so you're like, well, I'm just going to steal Intel's DNS server's IP and sneak that one around. I'm bound to get someone. Okay.
[47:45]
Yeah, I'm just trying to figure, you know, I go to the same hotel, but I'm using Cloudflare's 1.1.1.1, and I won't get caught up in that. Or I'm using my, whatever comes with my Mac, whatever was built into it, I'm just going to use whatever that is. I don't see how they would know what your DNS would be. They can make educated guesses, like lots of people use Cloudflare, lots of people use Google. I'm only interested in... Really? You think? I mean, they're the two most popular, right? Or the attacker could be coming from the point of view of, I don't really care if I miss 99% of people, but I'm very interested in attacking PayPal users. So they're just going to say, I don't really care who you are. I'm after this particular type of user. And just create their pinhole to select for the people they're interested in attacking. So, like I say, it's far from the world is over, but it's a bit like Mac users used to say, oh, we're completely safe from all viruses. And it's like, well, you're pretty safe and the world isn't ending, but you do still need to be aware that you're not actually perfectly safe. Okay, so what do we do? I mean, if your only answer is you have to tether, that's impractical.
[49:08]
Okay, I'm gonna, can I suggest that we describe how this works, and then I'm hoping we can have, we can have a better conversation about what we can do to limit the effect? Okay. So in order to understand how this works, there are seven facts that I'm going to share with you, and please, please stop me if I'm not making sense. Okay. So every time you connect your computer to the network over IP, i.e. to the internet at all, your computer has a little table inside it called a routing table. And it's literally a list of rules that says, if the IP address begins with this,
[49:50]
send it through that network interface. If the IP address begins with that, send it over there. And at the very, very, very simplest level it says 127.anything.anything.anything never leaves myself, it stays internally, and everything else goes to the router. That is most people's full routing table, but it can have extra entries. And the rule it uses, so fact number two, the rule it uses is it will always use the most specific rule. So if you have an IP address that is 127.0.0.2, and it has a rule that says 127.anything.anything.anything does this and 127.0.0.2 does that, the second rule is more specific, so it wins over the first rule. So a bit like in CSS, the more specific your rule is, it wins. So that's important.
[50:43]
Do you remember the last time you entered IP details into your computer? And you're a big nerd, right? You probably don't.
[50:53]
Yeah, I do. Okay. Actually, this is a terrible day to have this conversation with you, because I'm sure the listeners are about to find out you're not having a good time of things with your home internet right now. Right, right. Most of us, though, we connect to a network and our computer magically learns this IP address, and it magically learns the DNS server it should use by default, and it magically learns lots of stuff. Now, it's not magic. It's actually DHCP, the Dynamic Host Configuration Protocol. Basically, when we connect to a network, we trust that that network is going to tell us how we connect to that network. It's one of those old protocols that predates security of any form. So we kind of trust that. The other thing is that it's a race. Your computer literally shouts to the whole network, helloooo, someone, anyone, tell me what my settings are, and it will believe without thinking about it the first answer it hears back. 99.9% of the time it only hears one answer back, the answer from the router. If you're a naughty person and you shout faster than the router, you will win the race and your answer will be believed, not the router's answer. So that is just a reality of DHCP, because it's old.
[52:17]
Internally within your computer, when you double-click the button to launch your VPN, the way the VPN works is it creates a pretend network card that your computer sees as being just like adding a second Wi-Fi card, or just like making an extra Ethernet port appear. It's a whole separate network connection as far as your computer is concerned. And VPN software configures your routing table to say Internet traffic goes through that network card over there. So you use your VPN like it's another network card. So it is routed to with the routing table that uses the most-specific-rule-wins algorithm.
[53:06]
And it is completely legitimate for devices to be configured to send some network traffic through a VPN and some network traffic not through it. It's called a split tunnel. And a very common use is so that you can see your LAN without being blocked so you can print stuff in your house, but all of your internet traffic goes through the VPN. Well, that's down to your routing table having one rule for your 192.168 addresses and a different rule for everything else. And I skipped over fact number five, which is that DHCP can tell your computer to save extra entries into the routing table. And that is a thing that is completely legitimate and it's a feature of DHCP that we need.
[53:55]
So with those seven facts, what happens is the malicious actor joins a network where they expect to find some victims, and they run some software on their device to do two things: act like a DHCP server and act like a router. And before they do anything malicious, they sit back and they listen, and they basically say to the network, hello, I'd like to join. Dear DHCP, what are the settings for this network? And they just record the legitimate, correct answer for how this network is supposed to be set up.
[54:31]
And then they start to be malicious. And they just listen to the network, waiting to hear a DHCP request. If they hear a DHCP request, they answer it very, very quickly with a reply that is 99% correct, and has as a bonus extra, in all the wrong senses of the word bonus, an extra option that says, and add a rule to the device's routing table that sends my target, my little pinhole IP address, to me. I am the router for that network address. And that will win in the routing table as being more specific, and so that computer will correctly obey the routing table and send traffic to that IP address around the VPN.
[55:29]
Does that make sense? I think so, yeah.
[55:34]
So based on that fact, there are some key things we should notice. So one piece of good news for us is that this attack can never be 100% successful because it depends on a race, and the attackers are never going to win the race all of the time. So best case scenario, this is a let's try to be fastest attack, and they will succeed sometimes and they will fail sometimes. So that's, you know, it's not ideal protection, but it's better.
[56:05]
And because they have to have their malicious entry be more specific than the VPN's legitimate configuration, they can't use this to just steal all of your VPN traffic, because that would be a really generic rule, and that's not going to win the fight to be the most specific rule. So that limits the damage to being specific. They can definitely get away with being specific to a single IP address, they can probably get away with being specific to a subnet or two, but they can't just say, give me everything.
[56:38]
So that's good. Okay. Another giant silver lining here. This attack is happening really low down, by making your computer never send the content into the VPN. It doesn't in any way compromise the VPN's encryption. So it doesn't destroy the VPN. If traffic goes through the VPN, it remains encrypted. It also doesn't destroy other encryption that has nothing to do with VPNs. So an SSH connection is secured by its own encryption, whether or not it goes through a VPN, and nothing here can change that fact. So this doesn't allow the attackers to break into SSH. It allows them to see the SSH they can't break into. This won't break the padlock on HTTPS without causing a certificate error, because they haven't broken encryption. And HTTPS will detect if there has been a malicious attacker in the middle by having a certificate error. So they can't break HTTPS or SSH. They can only cause errors, which users may be socially engineered into going, ah, whatever, I don't care about this certificate error on my bank. I'll just connect anyway. Well, okay, that could happen.
[57:50]
It also depends on the victim device supporting the DHCP option for adding routes to the routing table. By 100% pure chance, Google never got around to implementing that on Android. So Android devices are by accident immune to this particular attack. The side effect is that they cause no end of trouble in corporate networks, and the internet is full of people posting on Stack Overflow pulling their hair out, going, every device in our network works fine, but these Android phones can't connect to the dev server. It's because those Android devices are not seeing the network route to physically connect to the dev server, because they're ignoring the DHCP option that tells your phone how to route to the dev server. So the side effect is, yay, Android devices. Exactly, right? So yay, it works. Or yay, Android is immune, but actually it has loads of other problems too. So far, I'm hoping I haven't lost you and I haven't broken your propeller beanie. No, I'm not following every single bit of it, but I think I get the gist.
[58:56]
Excellent. So now let's talk about how maybe we can mitigate things even more. So we still have this fundamental fact that a VPN can't control low-level LAN features. And so far there's only one known way of abusing those low-level LAN features to bypass a VPN in at least a limited way, but there's no reason other things can't be found in future. The VPN just can't work at that low level. But there are things we could do right now to protect ourselves. So for home users, it could be an option, say, on the not-enterprise versions of Windows, to by default ignore the DHCP option that Android ignores. Because for home users, it's just not a feature they need. It's only a feature that is relevant in large corporate environments.
[59:49]
Windows: Microsoft sell you a different version of Windows for home users that's missing half of its features. Well, why not make that a win? And why don't Microsoft just turn off that feature for home users? It would have no effect on them apart from making them safe. So that's something that could happen. There's no reason Apple or Microsoft or Linux or anyone couldn't add a toggle into the TCP settings inside your computer now, with a toggle that says ignore DHCP routing table. It could just be a toggle. Maybe that's how we end up going. There's just a toggle. And on corporate networks, you're told by corporate IT. A toggle that you would decide whether to toggle, or Apple would toggle it for us to keep us safe?
[1:00:30]
My hope would be, hypothetically, they could implement it either way, but my hope would be that they implement it toggled off by default and that if you're on one of the small subset of networks that need advanced routing via DHCP, that, you know, corporate IT would need to turn that toggle on using mobile device management or something like that. Okay. Technically, no reason that couldn't be done. I'm not saying anyone has announced plans, but that is absolutely no reason we couldn't simply say, this DHCP option defaults to off now. You know, we can't make it go away, but we can make it off by default. That would work.
[1:01:12]
VPN apps: the app itself is on your computer, and you install it and give it system privileges. So the app itself doesn't have to limit its feature set to VPN protocols. Sure, the VPN protocols exist high up in the network stack, but the app could do more, right? The app could decide to use other features that exist inside operating systems to do clever things. And I have heard someone describe a very clever possible solution. On modern computers, you can virtualize a single app, which is kind of how Docker works. And so you could have the VPN app sitting in a pretend virtual machine, which would mean it has its own virtual private, its own virtual LAN. So it's not, it's connecting through your actual LAN, which is safe, not from your actual LAN. So it has the same effect as why you're safe on a home network through your ISP: you could be safe from the virtual machine that is your VPN client.
[1:02:20]
Through the ISP that is now your physical computer. It's really hard to explain, but basically, you can play the game of adding an extra layer so the computer isn't on the edge anymore. Okay, but how are you talking through the VPN? Would you have to do special traffic through the VPN, not through your LAN?
[1:02:47]
There are APIs, like I say, for virtualizing single processes. According to people who know a lot more than me, those APIs make it possible to have a single app work through a virtual network, which means that that app is now not vulnerable to being messed with. So that app can genuinely do the secure routing it needs to. Okay. I don't want to dwell on it too much, because I don't know enough detail, but basically there are people who know more than me who say there is a potential solution here through these APIs. That's only going to get better, not worse. Okay. The other final point is that the routing table that is being messed with here is not hidden. It's not secret. It's a standard operating system feature. So, worst-case scenario, VPN apps could provide you a human-friendly visualization. I could sort of imagine it in my mind as a picture that shows, you know, here are all the places where the routing table is sending traffic. All this traffic is going through your VPN. This traffic is going around your VPN. 99.99% of the time, that picture would show everything through the VPN and nothing around the VPN. So you could train users to say, if you see something going around, you have a problem.
[1:04:09]
Okay, okay. So plain old light. Can't I then just do my la la la thing that I wanted to do at the beginning of this conversation and ignore this because somebody's going to have to fix it in one of these ways? I think it's reasonable to make the informed decision to choose not to stress about this.
[1:04:33]
But I, I have been telling people that it is safe, right? Lots of people have been telling people that it is safe. The amount of podcast ads I hear every week on shows I enjoy, like Mission Log, say that, tell people it is safe. Those are not factually correct anymore. They arguably never were, but we didn't know it. So I'm not going to tell anyone they should stress about this, but I do think people should know that there's a star next to that promise. Yeah, yeah, I can see that. It's mostly, it's mostly safe. Probably, or probably safe. It's probably safe for regular home users to use their VPN from an untrusted network. It is certainly more safe than not using it. In fact, that's a really good point, right? Okay. This is like SMS multi-factor authentication. SMS multi-factor authentication has serious shortcomings, but you know something? Then it's a hecking lot better than no multi-factor authentication. Yeah, VPNs are imperfect. They are so much better than not using VPNs.
[1:05:48]
I'm really happy you made me try to find a silver lining, because I should have thought of that one writing the show notes. That is the takeaway message: VPNs are still better than not having a VPN by a country mile, but they are not perfect. I think it really helps me to think of it as SMS two-factor authentication. Like, well, you're nothing, but don't sleep well. Keep one eye open. Right, exactly. Exactly. Ah, that was good. All right, good. Okay. One action alert for you. If you are a Chrome user, turn it off and turn it on again. Because Chrome has had another zero-day patched, and if you don't restart it, you won't get the patch. So turn it off, turn it on again, carry on, and all should be well. I'm going to turn off Edge and turn it back on just in case, because it's a Chromium browser, just in case. I don't know whether it was affected or not, but I'm going to do it. That is a good thing to do, and actually it is common advice now from a lot of security people to say to your friends and family, turn your browser off and on again at least once a week.
[1:06:59]
Interesting, because some people have their browser open for months on end, so they never get the security updates. They download and they're ready, but they never get applied. Yeah, I know somebody who used to never reboot their machine for months at a time until they got a new... Yeah, I know someone too. Mac Studio. I'm intimately familiar with at least one such someone. I call... I know them as me. Yes, I love that now you can go, ah, this isn't working. Let me reboot. I'll be back in 30 seconds. Oh, isn't it magic? Isn't it magic?
[1:07:33]
We have a few worthy warnings. The FBI are warning that there is something being done for real in America, but there is absolutely no reason for anyone in Europe or anywhere else on planet Earth not to assume the same is happening in their countries too. Evil SOBs on the internet have found a new way to trick vulnerable people on dating apps. It's devilishly clever. You strike up a rapport and then you say, to make sure we're all comfortable, I think we should move to a private messaging platform, and I recommend this one that does security checks to prove that neither of us is on a sex offender list.
[1:08:20]
And the website looks legitimate. It has testimonials from law enforcement. It is, of course, completely fictitious and fake, and it asks you for lots and lots of personally identifiable information to prove you're not a registered sex offender, and steals it all. Nice. Yeah, nice. So be aware that is a thing. Another thing to be aware of, again the NSA are warning about this. It's relevant to all of planet Earth, but the NSA are the people saying it. North Korea is right now exploiting something called DMARC, which is a technology designed to make email harder to spoof. But if you take a good tool and toggle the toggles wrong, it doesn't work. And there are lots of domains whose DMARC settings are wrong. I don't know what DMARC is. And the People's Republic... It's a DNS record that says these senders are legitimate and everything else is fake. But if you set it to trust everything for our domain, what you then end up doing is allowing anyone to spoof your domain, and every antivirus software, be it, you know, Google's Gmail brain or Apple's iCloud spam filter, they will read the DMARC record. The DMARC record will say everything goes for this domain, and they will go, oh, okay then, this is not a spoofed email.
[1:09:48]
So a technology designed to stop spoofing, if you configure it wrong, makes spoofing easier.
[1:09:57]
The Koreans are looking for interesting domains that are, say, you know, major corporations or charities or other organizations that are legitimate organizations but have their DMARC records wrong. And they're piggybacking on that to send more believable spam that will appear valid even though it's not. So they're abusing validation. So the biggest danger here is to be an unimportant person in an important organization, where they're interested in you because you're a toe in the door, or to be an important person who has access to money in any organization anywhere, because the Koreans are always trying to get money because they're under 20 million sanctions and they'd like a nuclear weapon, please. So this is very much for people in the NosillaCastaway community who have a 9-to-5 job and receive email.
[1:10:57]
Great. Okay, so Dropbox have announced that they have had a data breach, and obviously that's not good, but it hasn't been catastrophic, and I realize I forgot to delete my paragraph that duplicates my nice, neat bullet points, so you can shrink those show notes quite a bit. Dropbox have an optional additional service called Dropbox Sign. That is what has been breached, not all of Dropbox. So if you have no idea what Dropbox Sign is, carry on. This doesn't affect you. If you are a user of Dropbox Sign, you are affected, but your documents are safe. What has been leaked is your account information, not the documents you've had digitally signed through the service. So that's not as catastrophic as it could be.
[1:11:49]
Dropbox's reaction is textbook perfect. They have done all the right things after the horse has left the barn. So they are letting all of the affected users know that they are affected users. They have done password resets on all the affected accounts. They are forcing every affected account to re-register for two-factor slash multi-factor authentication, and they also leaked API keys, so they have limited those API keys so they can only do non-sensitive things until the owner of the API key regenerates it and then deploys the updated key into their plugins or, you know, integrations of whatever form, and then they'll work properly again.
[1:12:36]
The API keys might cause issues for small businesses who set up some sort of a connector once and don't remember how they did it. And now that API key needs to be rotated, and there may not be anyone around who knows how to rotate it. But that's not really something that's likely to affect our NosillaCastaways. So the most likely thing here is some sort of a spear phishing attack against a NosillaCastaway who uses this technology. And what really, really caught my eye is something Dropbox made a point of in their notification to users. They explicitly say, if you get an email that looks like it's from Dropbox, that's about this breach, and if that email has a link that it would like you to click on, that email is malicious. That email is a fake, because we do not want you to click on any links. We want you to type Dropbox.com into your browser yourself. Okay. Which is amazing advice. And I just want to give him a pat on the back for giving such great advice. And I want to let people know that, yes, this breach is real. Obviously, it's not good, but Dropbox really have responded textbook perfect. Good. So they shouldn't. So, you know, I wanted to call that out. I also want to call out a Dell breach, even though Dell are notifying affected customers, because it has a very interesting data point. Yeah.
[1:13:59]
Dell had a third-party relationship with a service provider to them, and that service provider had an API, and that API was really badly written, so you could get your own data by using your user ID, and if you added one to your user ID, you got someone else's data. And if you added one again, you got someone else's data. So if you just cycled through all the numbers, you got everyone's data. And attackers were able to do that 49 million times without any sort of automated service noticing the really suspicious network traffic and stopping it. So, catastrophic fail for how not to write an API 101.
[1:14:41]
Leaving all of that aside, Dell are telling everyone who's affected, so if you haven't got an email from Dell, you're probably not affected. But there is a lot, everyone I am reading in the cybersecurity press is warning that this attack leaves open an attack I had never even considered. I would have assumed the biggest danger in any of these breaches is spear phishing. They know your Dell account number. They know that you bought a server from them. They know that it's under warranty until next Tuesday. So they can send you an email saying, hey, your warranty is about to expire. You bought it on this date. The order number was this, and if you click on this link, we'll give you 50 off extended warranty. And that could be really convincing, because the attackers know all of this information because it is a data breach. And that's what I thought the real danger was, and then the smart people at Bleeping Computer pointed out the fact that, given that this contains physical mailing addresses, and given that Dell sell a lot of stuff to corporate IT, including a lot of high-end servers and things on very high support contracts.
[1:15:49]
What would happen if an envelope arrived in the post with Dell logos all over it that said, Hi, you have signed up to our gold level support for the Dell PowerEdge 5550 you bought on the 3rd of March 2023, with five years extended warranty with order number this and service tag that. There is a critical firmware update you must apply immediately. It's on this thumb drive. Please plug it into your computer now.
[1:16:17]
I'd possibly even fall for it, right? Right, right, right. So this, do not believe anything pretending to be from Dell, whether it be through email or through the post. If you went to the Dell website, then it is Dell. All other permutations, do not trust. Okay, so good rule. Good rule. Good rule. And I was shocked when I read the Bleeping Computer thing. It's like, oh, goodness me, why didn't I ever think of that? Yeah. Right. Right.
[1:16:51]
Some notable news. I hate to give you the bum's rush here, but I'm going to have to have you go through the notable news pretty quick because we're running into some scheduling issues here. Not a problem. I will rattle through these on the assumption that it's all sensible and people can click the show notes for more information. Google have released their 2023 annual report for their Play security efforts. Long story short, they literally have prevented millions of problems. Their security is obviously imperfect, but they've done a heckin' lot. They have also increased how much they're paying for bug bounties, so that can only make things more secure. The UK have passed a fabulous law that literally makes it illegal to import or sell a router with a default guessable password. Bad default passwords are illegal in the UK. If this law is enforced, it will make every IoT device everywhere on planet Earth safer, because no one's going to make two of them, an insecure one for everywhere in the world and a secure one for the UK. We're all going to get the secure one. So I really hope the UK crack down hard on this, and they are promising they will.
[1:17:59]
The Federal Communications Commission has rightfully fined major US carriers $200 million for illegally sharing users' location information to make extra profit off the customers they're charging too much already. So yay. The Federal Trade Commission, similarly, have fined BetterHelp, which is a counselling service, 7.8 million dollars for 800,000 health data sharing violations in a settlement. The state of Pennsylvania has passed a bill that makes it explicitly illegal to use AirTags or Tiles or similar devices for stalking people. Yay. Um, there are fake internet websites. Just because something has a website that has an add-to-cart button does not mean there is a real product anywhere involved.
[1:18:56]
850,000 people were caught up in one single fraudulent web shop that has been exposed by German researchers. Be careful out there. There are fake web shops, and they really do steal people's money. In case you didn't realize how important two-factor authentication is: a giant American healthcare organization called Change Healthcare was breached because they didn't have two-factor authentication on the connection to their Citrix server, which means no two-factor authentication protecting all of their virtual machines. Stupendous whoopsie. Yeah. There is another Spectre-style attack. Fire extinguisher: all the existing mitigations work perfectly. This is very good research, an interesting journal paper, not a problem. Yay. And the only thing left is two very quick palate cleansers. If you would like to read and you have a lot of time, there is a fantastic article on Ars Technica about what we had for online public discussions before we had Twitter. We had lots of really cool stuff. It's a fascinating story.
[1:20:09]
The wonderful podcast Business Wars have done a mini-series, they always do little short mini-series, that tells the backstory and the story and the implications of the rather dramatic firing of Sam Altman, the CEO of OpenAI, a few months back. And that was quite the drama, and it's quite important given how important AI is. So if you want to understand why and what it means, those three episodes plus a bonus fourth episode from Business Wars tell the story extremely well. I learned a lot. Wow. So the mystery wrapped around that one is known now? Yeah.
[1:20:54]
A vast amount of it is. I won't say we know everything, but we know a lot more than I thought we did. And it's all explained how we know what we know. Okay. Oh.
[1:21:05]
Well, very good. Okay, I hope that was a... Okay, good. Sufficiently fast. Nothing else you'd like me to add? Nope, I think we're good. I appreciate you speeding up there a little bit at the end. Sorry about that. I hate to ever cut this off, but I have a Mother's Day breakfast to look forward to, and you might be cutting into my breakfast time here. I would hate to do such a thing. In that case, folks, remember, stay patched so you stay secure. Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash mastodon. I post pictures of cats, and I repost pictures of flowers, and I talk space a little bit, mostly reposting. It's a lot of fun. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon and fund my networking costs, or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, you're going to have to wait an extra week. We will not have a live show on the 19th. The next one will be on the 26th, and when you do that, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.
[1:22:30]
Music.