Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, so guys, you know, Columbia Pictures just released a
sequel to Groundhog Day.
Speaker 2 (00:04):
No, that sounds redundant.
Speaker 1 (00:06):
It's a re release of the original.
Speaker 3 (00:10):
That would actually be awesome. Just do it on April Fools,
it'd be perfect.
Speaker 2 (00:14):
Oh they just skipped the first day, that's all.
Speaker 1 (00:15):
Yeah, all right. Well, I'm actually in my hotel room
at Microsoft Build in Seattle, and tomorrow's the last day here.
Richard Campbell and I have been busy talking to people
on .NET Rocks out here. A lot of stuff
(00:36):
is happening with AI. I don't mean to hijack the show,
which is about security, but just let it be known
that Duane and Patrick and I do have some security
concerns about one protocol in particular that's
going to be used for agents to access things. So
we're going to just be watching that space. Yeah, film
(00:58):
at eleven.
Speaker 2 (00:59):
All right, it'll be watching us as well.
Speaker 3 (01:01):
Yeah, of course.
Speaker 1 (01:04):
All right, So you guys remember when we heard about
the North Korean IT workers who were pretending to be
I don't know, South Korean or whatever and infiltrating these
IT departments and then started hacking around. So here's a
Wired story from May fourteenth. North Korean IT workers are
being exposed on a massive scale, so they're getting their
(01:28):
comeuppance.
Speaker 3 (01:28):
And I love this: exposed on a massive scale, a thousand...
lots of photos of men allegedly involved in this scheme.
Speaker 2 (01:37):
So North Korea is pretty famous and has a long
track record of doing all sorts of illegal things in
the West to try to bring money home because,
as a pariah state, they're isolated from a lot of
things under heavy sanctions, and so these people are made
to go get these jobs and then their pay is
delivered to the government, but they're also used as platforms
(01:59):
to infiltrate and steal further.
Speaker 1 (02:01):
Right, Yeah, you know, it seems this is May fourteenth,
so this is actually a last week show thing. But
I but it seems like a redundant story. But anyway,
security researchers are publishing one thousand email addresses that they
claim are linked to North Korean IT worker scams that
(02:23):
infiltrated Western companies, along with photos of men allegedly involved
in the schemes. So you know, it's it's good, but
it's also as Patrick said, you know these pariah states,
you enter into deals with them or you don't even
know you're entering into deals with them, and their their
primary goal is to you know, steal information and intellectual
(02:46):
property from you.
Speaker 2 (02:48):
Yeah. I mean the most famous example of this that
I know of is a company called KnowBe4 who
actually hired somebody. They're down in Florida. They help
people with, you know, information and phishing stuff. But they
actually hired one of these guys and then they, to
their credit, they did confess it in the blog post
and talk about it as a risk, but they gave
(03:11):
the guy a laptop and he put all sorts of
nasty stuff on it on the company laptop. So this
is a real threat. It's not a joke.
Speaker 1 (03:19):
Yeah.
Speaker 2 (03:20):
You've got to make sure that the people you hire
are real and where you think they are and doing
what you think they are, and you certainly have to
either segregate their systems or monitor their systems.
Speaker 1 (03:29):
Yeah, don't vet them with a chatbot. Okay, don't
do that, all right? Moving on, Coinbase data breach exposes
customer info and government IDs. So Coinbase is a cryptocurrency, right.
Speaker 3 (03:43):
No, yeah, no, no, no, they're a what would you
call it, crypto broker, a brocto house.
Speaker 1 (03:49):
Ye, there.
Speaker 2 (03:49):
Yeah, they're they basically is where you can keep your
your you can buy and sell there, and you can
also have an account. So when I when I had
a lot of ethereum, this is where I kept it.
So it's kind of like get versus GitHub.
Speaker 3 (04:02):
Right right, Yeah, I get you, Yeah, get hit you
get it. Got.
Speaker 2 (04:07):
I mean, it's it's it's had the best reputation because
it had avoided this kind of thing for so many years.
When they, like Mt. Gox and other early vendors, Cryptopia,
they all fell and had people lose assets. At least
in this case, they had some stupid employees that did
some stuff and ended up falling for a ransomware twenty
(04:30):
million dollar ransom demand to not publish the data. But
they didn't get like people's wallets and stuff. They got information.
Speaker 3 (04:38):
I do love their tactic though. The criminals said, hey, listen,
we've stolen all this stuff, you know, name, address, phone, email, masked
social security number, masked bank account numbers, government IDs, potentially
account data, and limited corporate data. So there's there's not
like passwords and that sort of stuff. Like Patrick had said.
They said, we want twenty million dollars or we're going
(04:59):
to we're going to publish, right, and Coinbase said, you
know what we're gonna do? We're not. Twenty million
dollars to the person who tells us how this has happened.
Speaker 1 (05:06):
Hmmm, nice, we.
Speaker 3 (05:08):
Have to pay twenty grand. We're gonna pay to somebody
who helps us, right in twenty million or twenty million. Yeah,
And they and they found out that through the help
of contractors or support staff outside of the US, somebody,
some of them were paid and coerced into, you know,
giving access to Coinbase's system.
Speaker 1 (05:26):
So wow, did they catch those guys.
Speaker 3 (05:29):
It is an ongoing investigation as we speak. My guess
is yes.
Speaker 2 (05:34):
And that's a tactic that's been used on TV and
movies in the past, where it's like I've got your
ransom here, but I'm not giving it to you. I'm
giving it to the people who kill you. I was
on The Rookie recently.
Speaker 1 (05:47):
Recently.
Speaker 2 (05:47):
I guess the rookie guy did that.
Speaker 1 (05:49):
Yeah, turning the tables, see what I did?
Speaker 4 (05:51):
Dad?
Speaker 2 (05:51):
All right, I have a particular set of skills.
Speaker 3 (05:55):
That's the best movie. Oh my god. So what should
a normal user be worried about? Right, don't use crypto?
I thank you, Carl, You're probably right.
Speaker 1 (06:05):
Thank you. I'm done now, Thank you.
Speaker 2 (06:07):
B Franklin. If you own crypto then I still think
Coinbase is the best of the brokerage places
because they haven't leaked data and wallets like Mt. Gox and Cryptopia and others. Binance,
my understanding is it's China heavy, influence in China. As
(06:31):
you see from later stories, that's probably not a good idea.
So Coinbase is probably the gold standard still for doing this. Now,
if you're going to have cryptocurrencies and you're not going
to stake them and you're not doing anything special with them,
you can take them and put them in an offline
wallet or a digital wallet. But if you lose it,
it's over. And there's a lot of TV shows that
talk about that too. So if you want to have
(06:52):
it online available tradeable, Coinbase is probably the best game
in town. And this is not a paid advertiser nor
yeah no, but it should be though, yeah yeah. Coinbase,
okay, not really, all right?
Speaker 1 (07:06):
So Patrick, I know this next one is near dear
to your heart, so why don't you take it?
Speaker 2 (07:10):
So Google, Google's Advanced Protection for Vulnerable Users comes to Android.
So this is basically the lockdown feature that we talked
about for iPhone coming to Android. A new extra secure
mode for Android sixteen will let at risk users lock
their devices down, so it's even says lockdown in the description. Basically,
(07:30):
I'm still living on lockdown mode on Apple since since
it came out. Shortly after it came out, I haven't
had any problems with it, Maybe because I use my
phone like an old grandpa and I'm not doing enough
interesting sexy things with my phone. As I said before,
I've had to exempt one app and one website so far.
(07:51):
Other than that, my phone works exactly as I would
have it.
Speaker 1 (07:54):
You know, if you were doing sexy things with your phone,
I think you need a little bit more than secure
mode to clean it.
Speaker 3 (08:00):
You might need some right.
Speaker 2 (08:02):
May so I think this is great news. Most of
the people who are going to want this are the
ones who are literally nation state targets. If you're not
a nation state target, you probably don't need it. But
if you just like really paranoid.
Speaker 3 (08:13):
Like me, well, and I think yeah, and there's more
more than that. Like you see a lots of times
it's battered spouses and that sort of stuff. Who are
afraid that stalkers, the ex-spouse, still has access to
phone and tracking data in Life360 and whatever. Right,
So those those types of people that will help out
a ton, because it's really easy for you to grab
(08:36):
someone's Android phone and install a piece of spyware on
it and then hide it so that they don't know
and now you still know exactly where they are on
that sort of stuff. Right. Yeah, So this is this
is a it's a good it's good news. I mean,
it's still terrible.
Speaker 2 (08:48):
But you could get a new phone and not restore
from backup, which is another thing we suggest. Huh, painful
but very effective.
Speaker 3 (08:55):
Make that new phone an iPhone.
Speaker 1 (08:56):
So if you don't restore from backup, you have to
enter in all your contacts and all that stuff.
Speaker 2 (09:01):
It's super inconvenient, which makes it super secure. Yeah, which
is what I do every time. Every time I get
a new phone, I do not restore from backup.
Speaker 1 (09:09):
You know, if I was in the Witness Protection program,
I'd think about that. But if I'm just you know,
like my wife's not going to do that, my parents
are not going to do that, you know.
Speaker 2 (09:18):
And that's why we're going to own them.
Speaker 3 (09:24):
Yeah. But you must have. You must have picked up
a stalker or two on .NET Rocks. I'm just saying
maybe I have.
Speaker 1 (09:31):
But at least you know they they talk to you
face to face. You know, they come up to you
cyber references, and they just they just invite you to
their D and D games exactly, exactly. Harmless.
Speaker 2 (09:43):
They're harmless, well unless they throw twenty and then dangerous.
Speaker 3 (09:47):
Yeah, exactly, and that I wish I knew what that meant.
Speaker 2 (09:53):
So you're you're one of the musical nerd geeks and
nerds yes, be enjoying your gamers.
Speaker 1 (09:59):
That's right. I you know, if I'm gonna like nerd
out on something, I'm gonna write some code to get
paid for it, and I'm gonna write some music, I'm
gonna play D and D. It seems like a colossal
waste of time to me, but hey, you know, to
each their own. Mark Miller, I love Dragon Humpers. You
guys are great. My daughter plays D and D. I
don't tell her not to.
Speaker 3 (10:19):
You know, I've been playing for a long, long long time.
Speaker 1 (10:22):
Yeah. See, there you go. So there is proof that
just because you play D and D doesn't mean you're.
Speaker 3 (10:27):
An idiot, Thank you, question Mark, I think that is
even No, no, no, we also we also do martial arts.
I'm just saying we have some sort of fill.
Speaker 1 (10:41):
All right, So I really shouldn't have insulted you, because
now you'll kick.
Speaker 2 (10:44):
My well honestly that the music nerds tend to be
much more earthy crunchy PBS people too.
Speaker 3 (10:51):
PBS people.
Speaker 1 (10:52):
We're not all earthy crunchy PBS people, you know.
Speaker 3 (10:57):
Like NPR people.
Speaker 1 (10:58):
Yeah, PBS. Not all NPR people are crunchy.
Speaker 2 (11:04):
At all, No, at all, not at all.
Speaker 1 (11:07):
I don't you know. I don't do yoga. I don't
take essential oils in my house.
Speaker 3 (11:13):
Never.
Speaker 1 (11:16):
Well, my mother used to make granola. But no, I'm
not a fan of We're about what's that?
Speaker 2 (11:22):
We're about gorp?
Speaker 3 (11:23):
I mean gorp's, gorp's good, gorp's good, it's good for gorp.
Speaker 2 (11:27):
Yeah, like trail mix isn't just unhealthy. You, it's just
a term for trail mix.
Speaker 1 (11:34):
You know, pumpkin seeds raisins, and then it turned into
chocolate chips and Christmas. I don't know what you would
put raisins in something that? All right, So before we
take a break, this next story is near and dear
to my heart and it struck fear in my heart
because you guys know about a new car recently, right, yeah,
(11:54):
you know you know what kind?
Speaker 3 (11:56):
Uh?
Speaker 2 (11:57):
Four wheeled?
Speaker 1 (11:57):
I think I don't know, it's five wheels. Actually no,
it's a Volkswagen Atlas.
Speaker 3 (12:04):
So that's why I put that's why I put this
story in here.
Speaker 2 (12:07):
Well, the good news is they patched it.
Speaker 3 (12:09):
No, no, gret what this.
Speaker 1 (12:12):
Let's let's read the headline first before we jump into it. Now,
Hacking My Car and Probably Yours: Security Flaws in Volkswagen's App. Now,
before you talk about it, Patrick, I just got to
say I read through this. Yes, this is about an
old Volkswagen app that doesn't isn't available anymore, but but
(12:32):
it's more about what this guy did to find the
vulnerabilities in it in his story, so go ahead
take it away.
Speaker 2 (12:38):
So, so this guy bought a used Volkswagen. He wanted
to use the app because he was a geek and
probably more of the D and D geek than
the music geek, but who knows. Probably so, so what
he did was what, you know, Duane and I would
do if we got hit with a roadblock. Because he
had the vin but he also needed an OTP code
four digit OTP code, and he couldn't get it. He
(12:58):
tried to contact the previous owner, they wouldn't respond, and
he wanted to register his app, and so he decided
the brute force hack it. So he got Burp Suite, which
is a tool that we use all the time.
tore apart the requests, figured out what it looks like,
wrote a script to brute force it, and he got
his app, you know, built it. He got his app registered.
(13:18):
He basically used all ten thousand of the possible codes
and got it to work. Well, that's the first problem
is they didn't protect against brute forcing. Well, he said
he only made about ten to fifteen failed attempts and
the app didn't lock him out. No, no, that was manually.
That was manually. And then he had to go to
brute force. Oh yeah, and then he brute forced all
ten thousand combinations. So this is an example of where
(13:40):
the company has made it difficult for you if you're
not the original owner. They didn't foresee that somebody would
buy the car and not have access to the original
owner's vote, so they should have had a recovery mechanism
or something of that nature. They didn't. This caused him
to go down this rabbit hole, and once he was
in the code, he's like, I'm seeing all these requests.
(14:02):
He found like four different vulnerabilities. Well, this is how
we attack an application, an API as well. Like
a lot of people think that if they put security
code in the browser, they're protecting things, right, But anything
that's in the browser is exposed to us, and we
know how to read the code, right, and so that's
that's the lesson here is this is a textbook. You
(14:24):
should have played the music before we talked.
Speaker 1 (14:28):
About it's criminal career advice. Okay, Brandon, roll the music.
Speaker 3 (14:33):
It's criminal.
Speaker 2 (14:37):
Because this because this is really a very good example
of what you do in order to like rip something apart.
Speaker 3 (14:43):
Finally, I think a lot of app developers, a lot
of people who are developing web pages go, well, you know,
what do I care? If? You know, if I put
the security in the browser and I make calls to
the API in the back end, nobody's going to man
in the middle of that. Nobody's, because it's in probably
an SSL connection, an encrypted connection to the back end APIs, right,
(15:03):
so nobody's going to see that traffic, so it doesn't matter.
What I think is lost on some developers is sometimes
it's the user at the browser who's doing this, right, sure,
so I say, oh, yeah, trust that certificate from Burp Suite,
and it's okay for it to intercept the traffic and
now you can read all the traffic going back and forth.
Speaker 2 (15:24):
Newsflash: hackers have browsers.
Speaker 3 (15:30):
I don't know if you know this, So it is
it is weird when you think.
Speaker 5 (15:36):
About it around, like, oh man, if there's only some
way I could this browsed the world Wide Web, I
can look at the job biled again, I have no browser.
Speaker 3 (15:54):
Yeah, So sometimes it's the person actually at the website,
you know, manipulating the traffic. And then when you see
all that traffic, when you see all the calls to
APIs and that sort of stuff, more often than not
we see there's just not authenticated calls to an API
or very in a very basic sense, if you are
authenticated to an API, lots of back end APIs assume well,
(16:15):
you're authenticated, so you've given us a valid user name
and password. We don't care. You can see anything your
browser allows you to see. Like I put in other
people's vins and I can see their data, right because
it's not actually checking in it's my car.
Speaker 1 (16:27):
So let's talk about the problems with this app. So
the number one problem is there wasn't any API throttling.
There wasn't anything saying, hey, there's this one IP address
that keeps sending us these sequential OTP codes and you know,
one after the other, and one of them hit Hey,
maybe we thought not allowed these to go through.
Speaker 3 (16:47):
Although I can I can tell you how to break
that too well.
Speaker 2 (16:51):
And I think there's a problem here as well. Yeah,
but at least it's a more sophisticated or hacker that
can break that. It's not the script kiddies.
Speaker 3 (16:58):
It's called pire frocks kids.
Speaker 2 (16:59):
The problem here is also that they put an obstacle
in the place of the user that they shouldn't have
made insurmountable. So if you're not the original owner of
the car, you can't get the OTP. There's no recovery process.
It shouldn't have used that. I don't know what they'd
use instead, but maybe that you need to send them
in an image of the registration, but it won't work for.
Speaker 3 (17:23):
Them, yeah, right, or yeah, the moment that a car
changes hands, the registration of a car changes hands, in
some way, you erase the old customer's data.
Speaker 1 (17:32):
That's right. I don't know that simple, I think. But
here are some of the other problems. Internal credentials were
leaked in clear text. Yeah, so an API endpoint
exposed passwords, tokens, and user names for various internal services
in clear text, unencrypted.
Speaker 3 (17:49):
But now I ask you, if the web application itself
is only communicating to the web front end over SSL,
it's encrypted in motion. So the developer might go, you
know what, it is encrypted. We're just gonna have it
over SSL. It's never going to be nonest He was right, yeah, right, exactly.
Speaker 1 (18:09):
Yeah, so the vulnerability number two owners personal details were
exposed via the VIN Yeah. So you put in the
VIN number or whatever and you can get all of
the personal details of the owner. Yeah.
Speaker 3 (18:24):
Other than that, it worked great.
Speaker 1 (18:25):
I mean, it's it's it really is. So what is
the end story of this? Did they actually fix it?
Speaker 3 (18:33):
Yeah?
Speaker 2 (18:34):
Yeah, only took only took almost a year, almost only
took six months, six months.
Speaker 1 (18:39):
And this guy deserves credit for that, I think, because
if he hadn't exposed all these problems, they may not
have ever fixed it. So no, he's a good guy.
Oh yeah, understand that for every good guy, there are
ten bad guys that aren't going to disclose and are
just going to use All right, well that let's take
a quick break. We'll be right back after these very
important messages. Don't go away, and we're back. It's security
(19:05):
this week. I'm Carl Franklin, that's Patrick Hynds and Duane Laflotte,
and we're counting down the news of the week related
to security. Hopefully you can learn something. And by the way,
if you don't want to hear those ads, you can
opt for a five dollars a month Patreon account where
you will get an ad free feed. Just for that
(19:27):
pittance of five dollars a month, you don't have to
put up with those ads anymore. Okay, word Press yay
or nay?
Speaker 2 (19:34):
Well, well, I mean this is again has said a
million times before patch. But also this is not this
is not WordPress proper. This is a premium theme called
the Motors theme that is vulnerable to admin takeover attacks. Unfortunately,
when the add-ins go bad, it takes
(19:56):
down all of WordPress.
Speaker 1 (19:57):
Oh right, so it's kind of like Windows ninety five.
One rogue application could bring down the entire thing. So
the problem is so we know that word Press plugins
can cause problems, but now themes are themes just plug ins?
Speaker 2 (20:14):
Yeah right, Well they're adding functionality to them.
Speaker 1 (20:17):
Yeah, but are they the same architecture as the plug ins.
Speaker 3 (20:20):
There, So they're not exactly the same architecture, but they
do have a little bit. They have more functionality than
you would just think as CSS, you know, style sheets
and images, right, because sometimes it's active JavaScript, moving buttons
and you know, changing the way things look on the
screen and that sort of stuff. So themes are are
more powerful than people think. And that's why we thought
(20:40):
this was actually a really interesting story this week, is
we you know, we pound on plugins all the time
saying plugins have a lot of power, but nobody thinks
about the themes and what a theme may actually have
access to and could do. So this is yeah, this
is an interesting one. Definitely go patch.
Speaker 2 (20:58):
And in this case it's basically the theme allows you
to change the password without identifying verifying your identity, so
I could.
Speaker 1 (21:06):
That is not a theme. A theme is gray and white,
you know that's right, right?
Speaker 3 (21:13):
That seems more functionality than themes. Absolutely, yeah, so it's
it will if you think about it. Though a lot
of times these themes might be like, how do I
want to organize the shop? Right, and it's accessible by an
administrator or a shop owner or something along those lines. Yeah,
but this this also brings up another interesting point. We
(21:33):
see this a fair bit in privileged escalations where I
have a very low level account and I get onto
the you know, I log in a WordPress or whatever,
and I start watching the commands, the calls out to
the back of APIs and that sort of thing, and
when I say I want to change my password. Sometimes
we've seen that one of the parameters that is passed
(21:55):
in is who are you as a user? So to say,
you know, u equals dlaflotte and the new password
equals this. Sometimes they don't even ask for the old password,
which suits they don't right, So once you see those requests,
you go, oh, well, instead of dlaflotte, let's put
cfranklin on there and change a password and we'll
and then we'll replay that attack, and at that point
(22:17):
I've changed your password.
Speaker 2 (22:18):
So if you're listening to this to learn about hacking,
to learn about pen testing. You need to learn Burp
Suite. Burp Suite's an excellent tool that lets you take
a web request, make it, capture it, and then go
edit it in a very very seamless way, very easy way.
And it's a free tool. We have subscriptions because we
use it more than most and we use more advanced features.
(22:40):
But it's an absolute must have and it opens your
eyes about what we're talking about as far as how
the hacker can be the browser. Yeah, the person who's
using the browser, and the browser can be an attack
tool if you if you know how to manipulate it. Now,
you can manipulate this stuff by hand with a
word editor or a text editor. You don't want
to. Burp Suite's the tool.
Speaker 3 (23:01):
Yeah, And I've I've said many times, even if we
were to get rid of all of this subscriptions, of
all of the software that we use for offensive cybersecurity,
like Burp would be the last one I would let go.
It's actually a fantastic tool.
Speaker 2 (23:14):
On a desert island. It's the only hackey you'd have,
your firestarter, your pot for cooking, and your Burp
Speaker 3 (23:22):
Suite.
Speaker 6 (23:23):
I loved that movie all right. I was just thinking
of that movie today, Firestarter, where she got angry
or upset, like fireballs shot from her eyes.
Speaker 2 (23:38):
I thought you, I thought you were going to be
talking about Castaway because I was describing Tom Hanks's situation.
Speaker 1 (23:43):
All right, Wilson, here we go. Yeah, okay, European Union
sanctions Stark Industries for enabling cyber.
Speaker 2 (23:52):
Attacks, and Tony is so mad.
Speaker 3 (23:55):
So right right, no iron Man suits for anybody. I
really did.
Speaker 2 (24:00):
Goes there and I realize there really is a Stark Industries.
I think they're out of Russia.
Speaker 3 (24:05):
Yeah, and that's the problem, not the voice. No, no,
So this is Stark Industries is a web hosting provider
right where you can host virtual machines and websites and
that sort of stuff. And lo and behold, they have
been tied to and oddly, and it's a weird company
(24:26):
because it's Russian backed. They've been tied to attacks that
have happened through their through their hosting provider, where they're like,
oh it's not us, just wow, bad customers. They've helped
with takedowns. But they also seem very aligned with any
time a cyber attack from Russia comes, it's like straight
through their their organization and they go, wow, it wasn't us.
(24:49):
That's weird, guys, right, Let's let's see if we can
find it.
Speaker 2 (24:52):
I mean, and their names are Yuri and Ivan,
so I think I think they're from Russia.
Speaker 3 (24:58):
From from southern California.
Speaker 1 (25:00):
The other one is Shaggy that's me.
Speaker 3 (25:05):
So yeah. And they started to then correlate like, Okay,
when did this company start? And Stark Industry is although
it's incorporated in the UK and provides services in the UK, Netherlands, Germany, France,
Turkey and the US, they actually were historically started two
(25:26):
weeks before Russia invaded Ukraine.
Speaker 2 (25:28):
Yeah wow, which could be a coincidence. But so here
here's the thing. The Europe because of what's going on
with the NATO Alliance and Europe versus the United States,
you're getting to a point where a lot of European
nations Germany, England, et cetera, are just absolutely done with it.
So basically, this company, from what I've read, from what
(25:48):
I've seen, has operated in a plausible deniability mode where
they're definitely doing something shady, not in the spirit of
the law. Perhaps may be the letter alone, not the spirit.
But but now Europe is saying that's not good enough.
We're going to sanction you anyways, and we're not playing anymore, right, right, right, right.
(26:10):
So I think this is the beginning of something we're
going to see more and more often in geo politics.
Is where it's it's not shoot first, ask questions later,
it's shoot once you're pretty confident.
Speaker 1 (26:20):
M m okay.
Speaker 2 (26:22):
So you have to see the movie We Were Soldiers.
Speaker 1 (26:24):
I was going to say, Patrick, isn't that your motto army?
Speaker 3 (26:28):
I think I think Patrick's a shoot first, asked questions,
ready to shoot aim is how I've been accused some
of those.
Speaker 2 (26:34):
There's a movie called We Were Soldiers and it's about
a real unit in Vietnam in the I think it
was the Ia Drang Valley in nineteen sixty five, and they
went in and they got surrounded by a massive North
Vietnamese force, much more massive than it was expected, and
they were almost they were almost overrun. They were overrun
to some extent, and coming around dawn, the commanders like,
(26:55):
I want every man... he passed around the line, I want every
man to put three rounds into anything suspicious, anything you see,
anything that's been bothering you, just put three rounds in it.
And when they did that, they broke the back of
a planned attack by the North Vietnamese because they're going
to overrun them a little after dawn, and instead they
ended up killing, like wounding, a lot of the force
(27:16):
that was ready to go, and they set off the
attack early with every man ready and pointing and aim. So,
I mean, this is what Europe is getting to the
mode of is they're trying to buckle down. I don't
know if you heard this, but Germany has just agreed
to go to five percent of their GDP spending for defense.
Oh I know, yeah, Wow, it's been a while since
(27:38):
Germany spent that much in defense.
Speaker 1 (27:40):
Yeah. The last time they the last time they did that,
it didn't work out so well for the rest of
the world. Let's just say, let's just say they get
restless every fifty years or so. At least they're on
our side now, man.
Speaker 2 (27:52):
So anyways, I think you're going to see more of this,
and I think Stark Industries is on the point,
the end of it's coming down.
Speaker 3 (28:01):
Great name though, right, I'm just saying just throwing out there,
all right, shall we move on, Let's do it.
Speaker 1 (28:08):
Power School hacker pleads guilty to student data extortion scheme.
First of all, what's power school?
Speaker 3 (28:14):
Power school is a place that teachers and students and
parents can keep track of students grades and parent teacher
conferences and homework assignments and all sorts of stuff. So
it's used to organize a lot different than when we
were kids.
Speaker 1 (28:29):
Right, No, there was no such things.
Speaker 3 (28:31):
Yeah, I mean you could just take your report card
and turn a turn a D into a B just
by not anymore. Yeah, it's hard.
Speaker 1 (28:40):
I gotta tell you. I was watching Guy's Grocery
Games on Food Network and this guy Carl Ruiz, who
is dead now, but he was, and Marc Murphy was
was giving it... was the guy who's making this dish.
And one of the I don't know what was one
of the ingredients was like not cong you know, right
(29:04):
for the dish. So he hit it. Yeah, I let's
say it was like snails or something, and Carl he said, man,
you hid those snails in that dish like a bad.
Speaker 2 (29:15):
report card when he turned them into a garnish or something.
Speaker 4 (29:23):
No, he just made a puree and spread it on
toast or something. You know, that kind of stuff made
it disappear, made it disappear. Yeah, so Power School, that's
what Power School is. But you can imagine they have
a lot of sensitive data, right, and sensitive data about
you know, underage operators of their of their website, right
because it's students. So although interestingly enough in the story here,
(29:47):
so it's we always assume that.
Speaker 3 (29:49):
The hackers are are outside the walls. But in the
story here, this is a nineteen year old college student
from around here, Worcester, Massachusetts.
Speaker 2 (29:57):
Well, if I had to guess former college student.
Speaker 3 (30:01):
Which is yeah, hmm, I actually know a lot of
college students in Worcester. I'll look around there.
Speaker 1 (30:08):
Who has one of them lived next to and got arrested?
Speaker 3 (30:11):
Right? No, right has agreed has agreed to plead guilty
to massive cyber attack on Power School that extorted millions
of dollars in exchange for not leaking personal information. So
the way that this person broke in is they actually
broke into a Telco company.
Speaker 1 (30:31):
Wow.
Speaker 3 (30:32):
Once they broke in the telco company, they found that
one of the employees at the telco company was actually
had a side hustle as a contractor for PowerSchool.
So they used that contractor's login, which they found on
the network to get into PowerSchool, and they were
using the administrative tools to then download the database information.
Speaker 1 (30:52):
I wonder if he had his username and password were
on a Post-it and it stuck to s.
Speaker 2 (30:58):
This kid is this kid is exploded bad opsec
And he must have had that opsec because they caught.
Speaker 3 (31:03):
Him right right. Yeah, it's it is interesting. No, I
won't say that Dwayne's learning practice one of the one
of the hardest places.
Speaker 1 (31:12):
Dwayne is learning. No I want to say that. No,
I don't think I want to say that.
Speaker 2 (31:17):
Yeah, ever since I got the shot caller.
Speaker 5 (31:21):
I was going to say the best don't say what
you were going to say, but move on, Dwayne, move on.
Speaker 3 (31:28):
He was going to say, pass is yes, Yeah, the
great Cruskin says, so needless to say it is hard
on school networks sometimes to attribute traffic to a particular user.
And I think whichever school did this is on their game.
(31:49):
I think that's all We're gonna leave it. That's where
we're going to leave it right there, right there. We're
going to not pick it up.
Speaker 1 (31:55):
We're to leave it right So now we come to
the click baits, which is on the surface kind of
disturbing and very when you dig into it, it's still disturbing.
Speaker 3 (32:08):
Uh huh.
Speaker 1 (32:09):
Chinese kill switches quote unquote found hidden in US solar farm.
Speaker 2 (32:16):
In the past, we have had situations where chips from
China and other devices have been there's been like suspecting
that there's a chip that doesn't have an explanation, but
it's very hard to ascertain in this case. In this
case inverters that are being used by US solar farms
and probably by US consumers as well. I don't know
that exactly, but still the inverters had had had cellular communications,
(32:42):
which they didn't have any features around cellular communications, which
means it's a back door that's untraceable without you know,
checking radio frequencies. So this is a very stealthy, very
high cost because you don't add you don't add cellular
capability to something that doesn't need it, because it adds
a lot of cost. Well, first of all, I want
(33:03):
to put people's minds at ease who have solar panels
on their homes. So this says hidden cellular radios could
be activated remotely to cripple power grids in the event
of a confrontation between China and the West. Okay, so
cripple power grids.
Speaker 7 (33:18):
No, I don't know about that, but they can certainly
shut down the solar power, which just means and if
if you have solar panels on your house and they
get deactivated, well guess what.
Speaker 1 (33:29):
You're gonna get electricity from the electric company if it's
still running. But if their goal is to yeah, but
if their goal is to shut down the power grid,
it's not your solar panels you have to worry about.
It's the ones that are feeding the grid that you have.
Speaker 2 (33:44):
Remember that about a week ago Spain lost power. Spain
and Portugal about a week two weeks ago, actually they
lost power because of a wobble in their electrical grid
that they couldn't compensate for because they had too much
renewable and not enough steady state controllable. It's a big
deal if you take off gigawatts of power suddenly by
shutting off you know, power, you know in different fields,
(34:08):
and it could we don't know that. It doesn't affect
personal power raise on people's houses, don't. We don't know.
Speaker 3 (34:14):
No, we see it well, And that's it's an interesting
question because you as an invert, like I've installed inverters,
and inverters do have the ability to connect into a
remote clouds that you can use an app and you
can see how much power you're pulling down and all
that good stuff, right, And most of the time you're
going to be doing that over your own home Wi Fi, right, right,
So imagine you connect your inverter to your home Wi
(34:34):
Fi and you don't most of us, most of people
listening maybe don't know what a five G cellular card
looks like. Like if I opened an inverter, I would
ninety nine percent chance be able to see and and
see a five G cellular card. But it's really easy
to hide on the backside of a board or someplace
you wouldn't absolutely see.
Speaker 1 (34:55):
Right most of the time, though, they have a little
antenna that pops up and you know, most of the time.
Speaker 3 (35:01):
No man, you can use Have you guys ever heard
of fractal antennas? Actually these really tiny.
Speaker 1 (35:08):
No, but now that I now that I think about it, though,
your phone has a five G antenna, right, and you
can't see it as no book, yeah, right.
Speaker 3 (35:16):
So there's so you could you could if it were me,
but you could have that connect out to five G
and actually pull data off your home Wi Fi, right,
because it's connected your WiFi pulling data.
Speaker 2 (35:28):
But they've they've emphasized the kill switch potential, but there's
other potentials too. Yeah, because you're dealing with electricity. Could
you start a fire?
Speaker 3 (35:37):
Sure? Absolutely could?
Speaker 2 (35:38):
Could you feed the wrong kind of power into the grid.
Speaker 3 (35:41):
Feed it out of phase? Sure?
Speaker 2 (35:43):
Yeah, which is exactly what caused the kind of problem
that we saw in Spain, so it could take down
the whole break.
Speaker 1 (35:48):
Well, okay, maybe if you're an American company that sells
solar panels to American consumers and you buy them from China,
wouldn't you and you know you have the software capability
unless I guess, unless you had the source code to
what they're doing, you wouldn't know these chips what they'd
be able to do.
Speaker 2 (36:08):
These chips weren't listed in the components of the system. No,
that's the whole problem is they weren't disclosed. No. Yeah,
it's like how much glass is in your your your taco. Yeah,
they didn't get an extra glass, every extra glass, right,
extra glass please? But I was just saying, it's a
significant omission. My sister's putting solar in right now, and
(36:28):
I made it a very clear specification that they used
US infrastructure. US. It raises the price a little bit,
but eventually the price of security is not is going
to be factored in well.
Speaker 3 (36:40):
And and if you do put that inverter on your
local network, which you generally have to so you know
what it's doing and can control power and that sort
of stuff should be on its own isolated network, right
So it didn't. It doesn't have access to internal data
and that sort of stuff. But I would even say,
like let's say you were to take a software defined radio,
just an SDR and listen to the five G range,
(37:01):
just just to see if there are signals from the five
G range.
Speaker 2 (37:04):
As one does.
Speaker 1 (37:05):
Yeah, you want to you want to know, don't pick
on my hobby.
Speaker 2 (37:10):
Right, Well, that's why my house is in a Faraday
cage all the time, the whole.
Speaker 3 (37:17):
A big cage right now.
Speaker 2 (37:21):
Thank you for noticing.
Speaker 3 (37:24):
But there's not a lot of people who are going
to do that, right who are going to isolate the
inverters so they are not getting five G signals from
everywhere else on the planet. And then and see what
what the system is is emitting.
Speaker 2 (37:35):
Just but you could take the device and put it
into a test chamber and test it. But that's that's
what we have. I mean, the good news is Reuters
did that or they did something to figure this out,
and that's good. Think back, So Carl's old enough, I
don't know about Dwayne, to remember the Cold War, the
actual first Cold War, not the current one. The old, oh,
the old Cold War when the Soviet Union was still
(37:56):
a state.
Speaker 3 (37:57):
Yeah you have.
Speaker 1 (37:58):
I remember installed called.
Speaker 2 (38:00):
Anything electric from the Soviet Union in the United States. No,
you would not know.
Speaker 1 (38:06):
This is why, believe it or not. There were some
tubes for guitar tube amps made in the Soviet Union
called Sovtech that were freaking amazing. But there were tubes
like there was no digital snooping or anything.
Speaker 3 (38:23):
They were just really good tubes, right.
Speaker 1 (38:25):
And I remember guitar players replacing their tubes with sov
Tech tubes to get a better sound.
Speaker 2 (38:31):
And I don't think the electricity grill grid uses those tubes.
Speaker 1 (38:34):
Now they may have.
Speaker 2 (38:38):
But what people have to But but for those who
remember and those who don't remember, you have to think
about the fact that we are very likely at the
very beginning of what will be known as a Cold
War between the United States and China. We're not sure.
We're not on friendly terms. There's a lot of hubbub
about will China invade Taiwan? And if they do, will
we you know, we cut them off. We could seriously
(39:01):
see ourselves in a shooting war with China in the
next ten years or maybe not. But even so, I
think we are by definition in a cold war, and
I don't think it's going to end in my lifetime.
Speaker 1 (39:10):
You know what, though, you and Campbell both predicted that
China would self implode like ten years ago.
Speaker 3 (39:16):
So how's that going?
Speaker 1 (39:18):
So I'm going to call a little bit of BS
on that.
Speaker 3 (39:20):
How's that going?
Speaker 1 (39:21):
Okay?
Speaker 2 (39:21):
All right, that's fair, that's fair. I'll give you a
couple of statistics that show why we're right, even though
it hasn't visibly imploded. So, China's national debt grew nine
percent last year, which is a lot nine percent national debt.
They went from three hundred percent GDP national debt to
(39:42):
three oh nine Okay, China Japan if you count, if
you count things about like pension plans and stuff like
that could be argued to be at five hundred percent.
But that means that even though China only lists their
their national debt as as like fifty four percent, they're
real national debt is close to three hundred and nine
percent the uster national debt.
Speaker 1 (40:02):
Bonus content. Bonus content brought to you by Patrick Hynes.
That's right.
Speaker 2 (40:07):
The other side of it is the housing market has collapsed.
They've overbuilt their housing market so much that they could
have India move in. They're never going to recover their
housing market. It's estimated that there could be a billion
empty apartments and houses in China. Yeah, that's insane, and
the population is now declining. Right, Okay, they got old
(40:28):
before they get rich, is what some people say. Foreign
direct investment to China has dropped by ninety eight percent
over the last two years, so they're not getting money
from the West anymore the way they used to. I
think it was last year one hundred and for every
hundred restaurants that opened in China, one hundred and fifty closed.
People aren't spending, so every bagflation, so everything except exports
(40:52):
has imploded, and now exports is imploding. China has more
money in circulation than the US by a factor of three,
but it's all in China, so they've done everything Japan did,
and then they kept doing it for ten years without
the press being able to reveal it and fix it.
(41:13):
So their collapse is going to be spectacular. I think
that anyone that disagrees with me should take their
whole life savings and invest it in China.
Speaker 3 (41:21):
Good luck.
Speaker 2 (41:22):
But I think there's the other The big thing is
that they get to cheat fair and square, so therefore
they get to make the problem so big until it's
just unbelievably bad. So I stick by it. I think
China is a bad investment, and I think we're going
to see a catastrophic failure.
Speaker 1 (41:39):
You may be, you guys, may have been a little
premature with your predictions, but you still think it holds up.
Speaker 2 (41:44):
If they were a reasonable country with a press that
could actually report on things the way they normally were,
then yeah, but now they're not even gathering They stop
gathering statistics. They don't gather youth unemployment statistics anymore.
Speaker 1 (41:57):
Well, you know, it sounds like it sounds like the
current state here in America.
Speaker 2 (42:03):
I wasn't gonna say any same situation, different reasons.
Speaker 1 (42:05):
Well it kind of does. I mean, I'm a little
divided because I definitely don't want China stealing our intellectual
property anymore. And I don't want them putting backdoors into
solar panels. And they do all that stuff because they
know that we're gonna keep buying their stuff because it's cheap. Sure,
and so I kind of like the pressure on China
right now. But you know it's yeah, but we don't
(42:26):
need it everywhere else. We don't need it everywhere else,
and it's really painful right now for Americans. All right,
that's all I'm gonna say. So you know, I'm divided,
But I guess when it comes to these solar panels,
I mean, if you have solar panels that you've purchased
from an American company or whatever, how can you be
sure that there isn't a kill switch on it? And
(42:48):
even if you care, do you care?
Speaker 2 (42:50):
It's the same reason when you buy a taco, you
decide whether you think there's glass in it or not.
It's reputation of the seller, right.
Speaker 1 (42:57):
So I guess what I'm saying is, could I call
my solar company and say, hey, what's the origin of
these solar panels and can you prove it?
Speaker 2 (43:03):
Yes?
Speaker 1 (43:04):
Yeah, yeah you should. Yeah that's good. That's a good
place to leave it. Guys. It's always a pleasure talking
to you. It's always fun and scary at the same time.
And thanks. Then go to our Discord, our Discord server,
Discord dot Security this Week dot com. A lot of
stuff happening over there, Dwayne. We get a lot of
new activity there. What heck?
Speaker 3 (43:25):
Yeah, actually, and interestingly enough, just as a as a note, yeah,
there's a lot of activity in the security forums where
people are asking questions. Seems like our latest drop. If
people are having issues with the podcast from last week,
some people say it ended a little early. They might
They ended on Patrick saying, uh, whistleblower, it probable and
(43:47):
that's it, and then the whole thing ended. So we'll
we'll take a look at that and take a look
at it.
Speaker 1 (43:51):
Oh okay, I will. We'll take a look at that
and figure it out. But anyway, join us in Discord,
and you know, if you send us stories and we
read them on the air, will send you a Security
this Week official lock pick set. It does not come
with a lock pick instruction manual written by Dwayne, however,
(44:13):
but the information's out there. All right, guys, have a
good week and we'll see you next week.
Speaker 3 (44:17):
Bye bye, thanks, thanks guys.
Speaker 2 (44:18):
Bye