Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, guys.
Speaker 2 (00:00):
You know what I hate when Marcus is talking next
to us.
Speaker 1 (00:03):
No, well that, but I hate when you ask somebody
a boolean question and they return a string you know
what I'm saying. All Right, Well, welcome to Security this
(00:26):
week Live at Security Intersections. And that lack of applause
you hear is because it's an empty room.
Speaker 2 (00:34):
I'm totally empty, alright, not totally empty, but yeah.
Speaker 1 (00:40):
This is the first time we've done a live version
of this podcast, and it shows maybe the last one. Anyway.
That means we're here for the last time twice, the
first time twice. Okay, anyway, let's get started with our
week's story. So CISA warns of critical Linux sudo flaw
(01:05):
exploited in attacks. Everybody should know what sudo is. Even
if you don't use Linux, you should probably know what
that is.
Speaker 2 (01:12):
Super user do, yep, super user.
Speaker 1 (01:15):
Do how you can escalate your privilege? You have to
have privilege, but well, go ahead take it away one
of you guys. Yeah, I don't understand this.
Speaker 3 (01:27):
This is this one's actually really kind of cool and
I'm surprised we didn't talk about it last week. It
came out I think late September. But we're talking about
it now. So what's interesting about sudo. You're absolutely right, Carl,
Sudo you're going to use to elevate your privileges to
do something. Right, So an administrator on a Linux box
(01:48):
will say, Karl has the ability to run I don't
know nano, which is a text editor, as a privileged user,
and he only can run that, right, you can't run
anything else.
Speaker 1 (01:57):
Right.
Speaker 3 (01:58):
When you go to run that sudo command, it looks
for a file called nsswitch.conf. Okay, now
what nsswitch.conf does is it actually says
where should I verify who Carl is? Should I look
at the filesystem? So there's a place for your passwords
in /etc. There's a passwd or a shadow file.
(02:19):
Should I look there for Carl and look for his
user ID. If I don't find it there, where
should I go next? Right? And it may say, well,
I want you to go to LDAP right and
search for Carl out in LDAP and we'll verify
who Carl is. What they're saying here is they
found this unique bug. You can't edit that nsswitch file.
You can't change it because we're not administrators. Right, we're
(02:40):
just normal users on the system. But what I can
do is what's called chroot. So if I change my.
Speaker 1 (02:46):
Root, chroot, it's not a cigar.
Speaker 3 (02:49):
It's a beautiful chroot. So what chroot means
is I can say, okay, pretend this user. Let's say
the user is Vaughn. Vaughn logs into the system, and
his home directory is all he sees. So when when
you're on that Linux box, you're at slash. Really he's
he's in his home directory, he sees nothing else. Okay, yeah, okay,
(03:10):
So it's a good way to keep users contained. Sandbox
them if he was or it was, So what happens
if yeah, what happens if Vaughn in this little sort
of sandbox creates a /etc directory, right, it would
look like the real /etc directory. And then from there
(03:30):
he can put in his own nsswitch config file,
and he can then sideload different DLLs or so what
they call .so files in Linux. So what that allows
them to do is anybody when he goes to run sudo,
even if he's not a valid sudo user, sudo
(03:53):
is going to run his root and it's going to
connect out and read that file and now it's going
to sideload any DLL you want. It's like DNS poisoning of
the file system in Linux. Yes, and everything's a file,
and so I wonder how many other places this kind
of manipulation is possible.
Speaker 1 (04:07):
So I'm just amazed that Linux works at all because
of this file system. I mean, it's so easy to
hack in traverse directories and stuff that it's it's amazing
that there haven't been more of these kinds of things,
and they actually have.
Speaker 3 (04:20):
I was going to say, well, and sudo. We've
noticed a lot of sudo bugs that have been around
for decades, the sudoedit bug. I think we talked
about probably I don't know ten or twelve podcasts ago
that had been around for like fifteen years, sixteen years.
So some of these bugs were just discovering in Linux
that give you kind of all all knowing power.
Speaker 1 (04:41):
Is this patched?
Speaker 3 (04:42):
There is no patch that I know.
Speaker 2 (04:44):
Of works as design?
Speaker 3 (04:45):
Yeah, or you meant to do that, yeah? They What
they say you need to do at this point is
just mitigate your users and make sure that they're not
either don't have access to the chroot or whatever
they do. Any recommendations right or they're yeah, make sure
your users are not evil, that's what you.
Speaker 1 (05:02):
I like the researcher that they quote here, Rich Mirch,
Rich Mirch. What a name?
Speaker 3 (05:09):
Uh huh?
Speaker 1 (05:10):
Do you have any merch? Yeah? We got rich rich
merch in rich merch. Yeah, it's not speaking of merch.
We have some merch. You're gonna give it away, and
it looks like you're gonna be taking most of them
back on the plane with.
Speaker 3 (05:20):
You guys, know right, Yeah, we brought some lock picks
security this week, lock picks to give away.
Speaker 1 (05:25):
Yeah, all right, So what's the story with this? Do
we just not run Linux?
Speaker 2 (05:30):
Uh?
Speaker 1 (05:31):
No?
Speaker 3 (05:31):
So right now, CISA has given until October twentieth to
apply certain mitigations or discontinue the use of sudo entirely.
So we have those recommendations that we'll post with the
with the show.
Speaker 1 (05:43):
How do you dis... Yeah, stop using sudo?
Speaker 2 (05:46):
It's I mean, well, go Windows maybe.
Speaker 3 (05:49):
Yeah, yeah, yeah, that's it. Switch to Windows that'll work.
Speaker 1 (05:52):
Yeah. We're saying that with a tongue firmly planted on
our cheek.
Speaker 3 (05:56):
Yeah. So it I guess it depends, right if you're
the user has to be on the system, right, right,
So if you have an isolated system that you're not
having just random users connect to, it's not as risky, right.
And we talk about this where we see the CVE
is super high. I think this one's nine point three. Yeah,
I was gonna say this one's pretty high. But a
(06:17):
user has to be on the box for it to matter, right,
So in this particular case, I would just make sure
that your your Linux boxes are pretty secure from people
just logging in.
Speaker 1 (06:27):
And I think.
Speaker 2 (06:28):
Kids in schools where they're using Linux based systems, that's
where we're going to see this abused event yep.
Speaker 1 (06:34):
Okay, let's move on to the next one.
Speaker 3 (06:36):
Did you say kids using Linux.
Speaker 1 (06:38):
I don't know, well define kids high school kids. Maybe
maybe I knew plenty of the high school kids that
were Linux whiz is in my when we were in
high school.
Speaker 3 (06:49):
Well where we were in high school, there was.
Speaker 1 (06:53):
Yeah, they just embedded glass all right. So the games
and Steam and all this death has been in the
news lately, but this one story is about Unity. Unity
discloses a years-old security exploit and urges developers to
update their games. Valve has released an updated version of
(07:14):
Steam as well.
Speaker 2 (07:15):
This one's overblown then, based on what Dwayne's been saying.
Speaker 1 (07:18):
Okay, well what happened.
Speaker 3 (07:19):
So we've seen in the news a lot of games
getting hacked where I think it was Call of Duty
we talked about. Yeah, Call of Duty recently was released
on Xbox and remote people could connect to your lobby
and do a buffer overrun and at that point take
control of your computer.
Speaker 1 (07:36):
Yeah, so we're.
Speaker 3 (07:37):
Starting to see games as a larger surface of attack
right where. I mean, I know plenty of administrators who
run with administrative privileges and also install Steam in games
on their computers, which we never recommend here at Security
this week, But that being said, this is a continuation
of that where we're starting to see researchers really focus
(07:57):
on the game market. If you're looking for a large
user base of people who have stuff installed, right, gamers
is a great place to look, well.
Speaker 2 (08:06):
Especially if you're going to be doing crypto mining, because
they have video cards, they have hardware, So if you
if you're trying to do ransomware, I'm not sure there's
a lot of money there, but if you want to
get control of a powerful rig with a good bandwidth
connection and and a video card, it's not a bad
way to go.
Speaker 3 (08:21):
Yeah, or even if you want to implant a credential
stealer right right, you want to start grabbing credentials out
of the users browser.
Speaker 1 (08:27):
That one.
Speaker 3 (08:29):
Yeah, I want this though, so I won't disrupt the
viewing audience. Our viewing audience. Actually, h so there's a flipper.
I don't know if you guys have seen this before.
I'm actually cloning my hotel room key right now and
pulling cracking all the data on the hotel room key.
But what's really kind of nice? I won't announce the
hotel we're at.
Speaker 2 (08:46):
They are illegal in Canada.
Speaker 3 (08:48):
They are legal in Canada. You can't buy them anymore
on Amazon because the technically it's a skimmer. Technically, so
I can bust a skimmer, I can brush by a
credit card and it will pick up all your credit
card data within a fraction of a second. So anyway,
this back to the story. So this story, you're absolutely right, Patrick,
this is a little bit blown out of proportion. So
(09:11):
imagine if you will. We have Unity, which is for
a game engine for running games, and it takes parameters.
When you try and run Unity, you can feed it
a place to load a sideload a DLL or something
along those lines, a library of some sort, and you
can have it sideload that library over the Internet and
that sort of thing. Wow, well, none of that is
(09:33):
potentially checked. So the risk here is somebody has you
install a malicious app on your Android phone and that
that's a big deal. Right, So here we're already dialing
this down like this is they say this is like
super bad and everybody should be patching right now. But
let's break down how that attack works. The user has
to install a malicious app on their Android device, right
(09:57):
That malicious app is going to make an intent
to call out to the out to the game engine,
right out to Unity. So it says I intend to
use Unity right on the local box at local phone,
and then it says these are the parameters I want
to use, and gives it the ability to then run commands.
(10:17):
All right, So you have to have a Unity style
game installed on your phone. Possible, you have to have
installed a malicious app that then requests access to the
Unity game and then from there it's only going to
run commands in the space of the game.
Speaker 2 (10:33):
And there's so much more you can do. If you're
on the Android device.
Speaker 3 (10:36):
Exactly, So you're already a malicious app on that device.
So I downgrade this. Yes it's important, Yes things need
to be patched, but I don't know that. It doesn't
seem like it's that big.
Speaker 2 (10:46):
It's like saying, well, this intruder is in your house
and they might use.
Speaker 3 (10:48):
All the toilet paper, right, But what's funny is they yeah, exactly,
you're like, as.
Speaker 1 (10:55):
The best analogy, and I bet you just came up
with it.
Speaker 3 (11:00):
I did, I couldn't tell. So they do say that
this can affect Unity games in Windows, so it's not
just on Android devices. But there again, you still need
to be running something malicious, right, You still have to
have clicked done something over the web or on the
internet or whatever.
Speaker 1 (11:19):
So and that never happens, no, I mean, come on, yeah,
What's what I like about this story is that Unity
already has fixes available to developers. According to a post
from Larry Hryb, H-R-Y-B, aka Major Nelson,
it's Larry Hagman. Come on now, yeah, isn't he dead though? No,
(11:42):
Larry Hagman's not dead. I don't think he's living with gosh.
Speaker 3 (11:45):
I hope not, because he's the one who announced.
Speaker 2 (11:46):
That I think he was having a stroke. He misspelled
his name.
Speaker 1 (11:52):
I used to call him Master, right, they probably should
Major Nelson, Major Nelson. All right, So patch right and
don't worry some.
Speaker 3 (12:00):
Yeah, and honestly, it's not even you patch it. You
do have to make sure your games are patched, but
it's really the developers of the games have to recompile
the game and deploy a patch.
Speaker 1 (12:09):
So, okay, Discord discord data breach exposed. What you need
to know? Now this is unsettling to us because we
actually have a Discord, sir.
Speaker 3 (12:19):
We do have a digit patch. No, but I'm gonna
explain why.
Speaker 1 (12:24):
Oh yeah, okay, let's talk about the story. Discord uh
has a data breach? And Discord is, you know, a
platform for what do you call it? Just like communities,
community chat.
Speaker 3 (12:38):
Community chat. It's like a bloom you can share. I
think originally it was designed as a way do you
remember Roger Wilco no long time ago a band?
Speaker 2 (12:51):
No?
Speaker 3 (12:52):
All right, So Discord was designed as a chat app,
slash share your screen, slash voice chat app for gamers. Right,
so it has probably some of the highest best sharing
and frame rates, Like if you play games and you
want to share the screen with a friend or whatever.
(13:13):
If you use Zoom, it looks terrible. If you use
most other platforms, Discord does an amazing job at sharing
the screen in full frame right, so it looks looks amazing.
So it's usually targeted towards gamers. Originally, however, Discord has
now become sort of a really large chat application for
all sorts of communities, for creating communities, absolutely.
Speaker 2 (13:33):
Betraying your country.
Speaker 3 (13:36):
Wait a second, portraying your country.
Speaker 2 (13:38):
I didn't think that was a kid in Massachusetts.
Speaker 1 (13:42):
It was your neighbor.
Speaker 3 (13:45):
The Russians are my neighbor.
Speaker 1 (13:48):
Yeah, so what happened to worry about it?
Speaker 3 (13:52):
You don't have to worry about this. This is an
interesting story of having a having someone you use for support,
like a supply chain attack. Think of it that way.
So Discord outsources their support. And if a customer of
a Discord server went in and said, I'm having issues
with permissions this particular user, I ban them and they
(14:16):
keep coming back. Whatever it may be. OK, Right, I
bought the Discord subscription a year, you know, and now
I'm having troubles boosting servers. Whatever it may be. You
would open a support ticket. There was a third party
company that handled those support tickets. They got breached, and
so Discords like, listen, this sucks. However, A, it wasn't
(14:40):
our servers defense. Yeah, exactly, it wasn't made So could
they have gotten sensitive information? Yes, they got the people's
potential real names, user names, they got potential credit cards,
they got potential credit card data because A, if you're
having issues paying for you, then you would have probably
(15:01):
sent in your credit card data. The most damaging stuff
that they were able to steal, though, was Discord does
different things based on the user's age. So kids as
they become adults get more ability and rights whatever. Right,
So there were a lot of people who submitted pictures
of their licenses to this support company so that they
(15:23):
get age verification. That's so that's probably not great. But
from what I've heard, A, it wasn't too too many
users that were affected here, yeah, and be they've all
been notified. So this sounds like a lot of hype.
Discord was you know, data breach exposed as blah blah blah, Yes,
but is really through through support.
Speaker 2 (15:43):
So this brings up, we talked about SBOM, software
bill of materials. It's kind of like food labeling. You
need to know what's in the application. Do we need
to get to a vendor bill of materials? I like
that so that we have something, Yeah, something where I
know who you're using for if you're using Salesforce, if
you're using even even for sales because if they get
(16:05):
breached and your client data is in there. I think
we need more transparency on this stuff. And what that
would do is maybe put pressure on these vendors to
actually have pen tests and red team engagements and show
that they're patching and have policies.
Speaker 3 (16:18):
About that stuff.
Speaker 1 (16:19):
They mentioned that right here. Yeah, it's time for devs
and players to demand ironclad vendor checks yep, turning potential
pitfalls into fortified fronts.
Speaker 3 (16:28):
You heard it here first v bom vemo VBA. I
think it's interesting. Let's say every company was required to
list out all the vendors they worked with, right right
A as an attacker, as the guy who thinks all
the bad thoughts, I think that would be That would
be awesome because I can then look at say Bank
of America and find all their vendors and find somebody
who's weaker at cybersecurity than bank.
Speaker 2 (16:51):
That doesn't have to be public. It could be something
after I signed, when I'm signing the contract, it could
be part of negotiation. Sure, because I do, I may
be able to see features and things like that. And
if it's a fifty thousand dollars service, you're not going
to get people who are going to buy a fifty
thousand dollars service in order to get that information.
Speaker 1 (17:07):
And during an investigation, that's when you're using it, right,
But you.
Speaker 3 (17:10):
Give a good point, I would, but they're in the
is the argument. Okay, So would we do that with
like software? Right? And if you do that with software,
it's like you should be going out and making sure
that all of the software packages I'm using third party
SBOM, Log4j or Log4j, are secure, right, They
go through code reviews, they have pen tests that sort
(17:31):
of stuff, so I know I can use it. So
here in maybe a public vendor list would actually force
those vendors to go get a pen test done and
security reviews and.
Speaker 1 (17:43):
Be in their best interest.
Speaker 2 (17:44):
Yeah, because it would be a sales advantage.
Speaker 1 (17:46):
Would be a sales advantage, yep, yep, all right, we
moved on. The DoD, you know who they are, or
is it Department of War now, DoW, not legally, to
cut back on mandatory cybersecurity training because who needs that?
I know, that's so superfluous. We don't need cyber security training.
Speaker 2 (18:06):
I'm gonna take a deep breath. Okay, moment of silence.
Speaker 3 (18:10):
Silence, sanity.
Speaker 2 (18:13):
So, as an army veteran, I think this is preposterous
and crazy. And the fact that we have like a
space force and now you're gonna say we're gonna do
less of this. We need more of this, not less
of this. So this would be a historically bad decision.
Speaker 1 (18:29):
I think it's an HBD.
Speaker 2 (18:30):
It's absolutely obvious, and it comes from a point of
view of someone who doesn't really understand how wars are
fought because cyber is part of the battlefield.
Speaker 1 (18:40):
It's a big part of the battle field, right.
Speaker 3 (18:43):
Yeah, we absolutely see cyber attacks happening before the land war,
right and we've seen it time and time again where
they'll be in the power grid, in the water stations
and that sort of stuff. And then the land war
happens and everything.
Speaker 2 (18:57):
Is. And when I was an infantryman, we used to
call tankers DATs, dumb ass tankers, and now commander no,
well no, it was Bradley commander, very big infantry. That
was an infantry battle. That was an infantry fighting vehicle. Sorry,
but now they're C-DATs, computerized dumbass tankers.
Speaker 1 (19:16):
You're going to say s SATs.
Speaker 2 (19:18):
No, but they're very computerized and they have systems and
I'm not revealing anything you know that's not secret secret,
not secretly secret. They have systems that tell them friend
or foe. And and that's not really where the problem is.
The problem is with if they connect the wrong thing,
if they use their personal devices. We were talking last
(19:40):
night about the fact that if you if you have
these these problems like the running apps, the Fitbits, and
we were discovering secret bases in Syria because soldiers had
Fitbits that were broadcast around. Right, So yeah, less less
of this training is probably not a good idea.
Speaker 3 (20:00):
Well, I think we've seen time and time again, and
in Paula's keynote, yes, right, sixty eight sixty percent of
most attacks are just human error, right, someone clicking on
something they shouldn't have, plugging something in that they
shouldn't have, or really having a crappy password, right, something
along those lines. So that being said, why would you
lessen cybersecurity training? Now in the article they talk about, yeah,
(20:23):
we want to get rid of cybersecurity training for war
fighters who don't need it. A everybody needs cybersecurity I
just explained C-DATs I know. But also one of the
things that cybersecurity training does. First off, this would save speculating.
Right now, they say this will save the war fighter
maybe an hour a year. Wow, So okay, that's fantastic.
Speaker 2 (20:45):
Wow.
Speaker 3 (20:45):
How are ships? Yeah, yeah, exactly. However, one of the
things we see that's a problem with education and cybersecurity
is the fact that most people want to do a
two day, sixteen hour training, right, which is exciting, but
then people go home and forget about it. Right, it's
not you needs to be continuous exactly, continue drip training
(21:07):
five ten minutes a week just to keep it top
of mind.
Speaker 1 (21:11):
Now, there is there is an upside to this story.
If you scroll all the way down to the bottom,
it says that instead of this training, it's mandatory that
everybody listens to security that.
Speaker 3 (21:21):
Well, well, yeah, so they'll get their training here that
that works.
Speaker 1 (21:24):
That's drip training right there, isn't it?
Speaker 3 (21:26):
Because we're a bunch of drips.
Speaker 2 (21:28):
I do want to address that hour week, Come on,
I do want to address that. Well, I don't really
hate tankers. I feel like it's like Army Navy, Are
you kidding infant?
Speaker 1 (21:37):
It was a joke. Everybody knows it was a joke.
Speaker 2 (21:40):
I know, but they might they have big guns.
Speaker 1 (21:43):
Be careful what everybody knows.
Speaker 3 (21:45):
That the reunion is going to be tough.
Speaker 1 (21:46):
Yeah, all right, Signal we've been talking about. Are we
done with that story?
Speaker 3 (21:50):
Yeah?
Speaker 1 (21:51):
This is mine.
Speaker 3 (21:52):
Yeah, we've been.
Speaker 1 (21:53):
Talking about signal. You signal instead of WhatsApp because while
WhatsApp is encrypted between you and Facebook and Facebook
and your other person.
Speaker 2 (22:02):
Vague and China's in there somewhere and.
Speaker 1 (22:07):
The other person right, they can see your messages, there's
a man in the middle. With signal, it's end to
end encryption. And that's good because we always use signal
for our military secrets.
Speaker 3 (22:17):
Yes and yes.
Speaker 2 (22:20):
We do, so we do, but the military shouldn't. Okay different,
So I'm excited about this because signal has been kind
of at the forefront. There's a company called PQShield.
Speaker 1 (22:29):
Well, first of all, read the.
Speaker 2 (22:32):
Science, right, So Signal, according to BleepingComputer, Signal adds
cryptographic defense against quantum attacks. And this is important and timely,
and no one knows when a sufficiently powerful quantum computer
will be available to break all of our asymmetric encryption.
Speaker 1 (22:52):
But if you're listening to security this week, you'll know.
Speaker 2 (22:54):
Yes, well you'll know better, you'll have a better guess
than most. So the best guess right now is sometime
in the next five to ten years. The problem
is store now, decrypt later. So it's known that China
and other adversaries are grabbing encrypted data that they can't decrypt,
they're grabbing the public keys, and they're waiting for them
to get a sufficiently powerful cryptographic computer, a quantum computer
(23:18):
to break it using Shor's algorithm. And we've talked about
this before.
Speaker 1 (23:21):
Enough, they'll find out that my mother's email password is
Fluffy one two three.
Speaker 2 (23:25):
But they'll also find out be able to read the
files they stole from you know xyz contractor about our
new polymer stealth technology that it replaces the paints and
things like that. No, but it'll still be useful. And
so we don't know when that's going to happen, but
it's probably coming sooner than we will expect. What they're
(23:48):
doing is they're getting ahead of this, like every organization should,
every organization should already be doing this unless your secrets
just are so trivial that in three weeks they don't matter.
So what they're doing is they have this thing called
the double ratchet where they take the old encryption key
with a new encryption key and they blend them to
make the next encryption key. And their their mission with
(24:10):
the double ratchet is to protect the conversations prior to
a breach and post a breach. So if I'm communicating
with Jared, for example, Jared and I are talking on signal,
and some hacker will call him Dwayne, just you know, random,
although Jared could be a hacker than I, so we could. Uh,
(24:33):
by the way, Jared is Dwayne's twin brother, so and
sitting in the front row. So what happens is if
if the if the bad guy gets the breaks that message,
they that doesn't mean they automatically get all the old
message and it doesn't mean they get the new messages
because they're constantly ratcheting forward. I see the thing, and
and now they're calling it a triple ratchet because they're
(24:54):
adding into it. They're replacing the Diffie-Hellman elliptic curve encryption,
which is vulnerable to Shor's algorithm.
Speaker 1 (25:01):
You know, you're always talking about my favorite bands, Diffie-Hellman.
Speaker 2 (25:06):
It's actually a good man is they were around in
the sixties.
Speaker 1 (25:10):
They burned out on LSD and they're having a comeback reunion.
Speaker 2 (25:14):
So Elliptic Curve Diffie-Hellman, with Dippy, Diffie-Hellman, and
RSA are all vulnerable to a quantum, sufficiently powerful quantum computer.
Speaker 1 (25:26):
So I'm just happy I know that they're all in
the same category. Now.
Speaker 2 (25:29):
Yeah, So now I was a little skeptical at this
because I'm like, it's a bad idea to roll your
own encryption. But they've actually worked with the Premiere organization.
So they're using what used to be called CRYSTALS-Kyber,
which is now called ML-KEM, and it's the key
encapsulation mechanism that is post quantum and so it's it's
(25:51):
shown to be sufficient, well. PQShield is one
of the organizations that helped define that as part of
crystals dot org. And so the the bottom line takeaway
is that Signal is doing what everybody should be doing.
They're preparing for the future. They're they're helping us be
more secure. If you're not the government, then Signal is
a really good platform for communications. We use it as well.
(26:14):
We're always looking to see whether it's you know, it's degraded,
but this shows that they're actually probably going to be
the best for a for a good while to come.
Speaker 3 (26:25):
I got a question, Patrick, sir, So this quantum thing,
when do you think it's going to be real? Since
the beginning of the universe, the quantum thing, you mean
quantum computing, No, I mean quantum like out of sci fi. It's,
you know, a real thing at some point.
Speaker 2 (26:39):
Right again, at the beginning of the universe, quantum was
a real thing.
Speaker 3 (26:42):
So none of it makes any sense to me.
Speaker 2 (26:46):
It is my greatest frustration.
Speaker 3 (26:50):
It's trying to teach you quantum.
Speaker 2 (26:52):
So I really like quantum and we have a podcast
Entangle Things dot com, and we talk about it.
Speaker 1 (26:57):
When he says he means me and not us some
but it's really exciting.
Speaker 2 (27:04):
And the problem is the barrier to entry, because once
you get to the point where you understand, you're not
allowed to understand it. But you're fine, I see, all right,
we'll get we'll talk, we'll continue that sometimes all right,
some other times talk amongst yourself.
Speaker 1 (27:19):
Needless to say. Signal is trying to h get get
a leg up, signal is yeah, okay, new satellite will
help cyber defenders train to stop hackers in orbit? Do
they know about this lack of training thing? Now? Though?
Speaker 3 (27:32):
I mean do they?
Speaker 1 (27:35):
Which which article was written first?
Speaker 2 (27:37):
I mean, well, the NSA is cyber defenders, so maybe
that they're maybe they'll get training.
Speaker 1 (27:42):
Okay, somebody tell me about that.
Speaker 3 (27:43):
I mean, oddly enough. Space Force, yeah, is also some
they because they manage space. Your air quotings, Yeah, they
manage space. You know they can't see air quoting, but
they managed space. Yeah. They also manage cyber space. So
Space Force does attacks and defense in cyber space because
they both have the word space.
Speaker 2 (28:03):
Well, and you can't really talk.
Speaker 3 (28:05):
I'm not making this up, but I wonder if Space
Force just one up and they just plug a USB
into this thing.
Speaker 1 (28:12):
And I think there is a Space Force really really don't.
Speaker 3 (28:15):
There's a base near our there are space rangers, which
is kind of cool, but that neither neither here nor there.
This is actually so Deloitte, which is a defense contractor,
has put a satellite up in space. So there have
been there have been platforms where attackers can attack a
satellite actually in space. DEF CON, they actually brought a
(28:37):
satellite to Vegas, just a tiny little CubeSat.
Speaker 2 (28:41):
Throwing it up in the air, just sticking dispenses vodka.
Speaker 3 (28:47):
But they did bring a satellite so that people could
try and hack the communications and that sort of stuff
of the satellite locally. But there have been a few
satellites in space that were specifically designed for attackers to test.
The French there's a French company that worked with an
aerospace in France to actually put a satellite up in
space that was used specifically for targeting and attacking
(29:11):
and that sort of stuff. Yeah, there, so there are
a couple of them up there. This is the first one,
interestingly enough, this is the first one that not only
has gone into space specifically for hacking, but also specifically
for defending. So what's really interesting about Deloitte's design is
they've put a board in there that they call Silent Shield.
(29:34):
Silent Shield has a, they describe it like a diode.
So for anybody, for all of you who love electricity, right,
diodes only go one way electrical current. So they have
this shield that can see all of the telemetry and
metrics coming from the satellite, and then it outputs what
it would do to protect the satellite, whether the satellite
(29:55):
is degrading, whether it's whatever. So now they're inviting first
to the military to try and break into it, and
then some of their other partners that they didn't name
to try and break into this satellite, and all the
while this Silent Shield will be recording these attacks and
making its recommendations on how it would fix. My guess
(30:16):
is give it a year. And even in this article
they say Deloitte has already said that they could retrofit
existing satellites with this.
Speaker 1 (30:25):
So it's a honey shield.
Speaker 3 (30:26):
So it's a honeypot. But I think their design is
ultimately in the future to have this firewall board that
they can put on satellites in the training. For any
of you who have tried to hack satellites, they're actually
not that hard. There's very little authentication satellite honestly, yeah, exactly.
It's if you want some criminal career advice really with
(30:53):
if you buy, if you buy a satellite, are you really.
Speaker 1 (30:57):
Going to do this? Now? Are you're really going to
tell everybody out of hack satellites.
Speaker 2 (31:00):
I mean it's out there.
Speaker 3 (31:02):
There are there, yeah, exactly in the facts, but you
don't know. Yeah, there's there's a board that you can
buy for your computer that you can just plug It's
a direct TV style satellite board, okay, that you can
plug into your satellite dish, like a direct TV dish
or whatever, and you can actually pick up signals communications.
(31:24):
There are militaries on this planet that send all of
their data unencrypted, so you can see airplane movement from
South America all.
Speaker 1 (31:33):
Sorts of stuff.
Speaker 3 (31:35):
Just yeah, so it's it is interesting.
Speaker 2 (31:37):
Outside of Europe. I'm sorry.
Speaker 3 (31:42):
Well, and that's the weird thing about satellite Like satellite
communications is not pinpointed. It's not like I'm just shooting
straight down at that ground station. Yeah, it's blowing it out.
So if the satellite is anywhere on that horizon, you
can you can potentially pick that.
Speaker 1 (31:56):
Like Ham radio.
Speaker 3 (31:57):
Oh I love Ham radio. Yeah, with your Ham radio
Wi Fi on steroids.
Speaker 1 (32:01):
Like Turkey radio better. But you know, I'm just trying
to watch my pork intake, all right. So so there
really isn't anything we can do about this. It's just
an interesting story, right.
Speaker 2 (32:11):
We should practice hacking, yeah.
Speaker 1 (32:13):
I know.
Speaker 3 (32:14):
Well well yeah, and this is a good way for
people who want to practice hacking. Eventually, when this opens
up to more people other than just the military, rather
than trying to hack real satellites and dropping them.
Speaker 1 (32:28):
So contact Dwayne the Flat and he'll give you a
private class.
Speaker 3 (32:32):
Yeah, I'll give you alli dollars. I'll give you. I'll
tell you how to break into satellite.
Speaker 2 (32:36):
And the solution to security is not less hacking, it's
more hacking by good people.
Speaker 1 (32:39):
Yes and true.
Speaker 2 (32:40):
That's the problem is we need more people to hack
so they can say, you know, you should you should
not have a screen door on our submarine. Well, they
should solve these problems.
Speaker 3 (32:47):
And it's funny you see that because I get this
a lot where I'm hanging out with friends or whatever
and you know, taken down a satellite, taking out a satellite,
like we'll talk, we'll talk about work and that sort
of stuff, and they're like, dude, you know how to
write you know how to write viruses?
Speaker 1 (33:02):
It's like, yeah, I can write a virus.
Speaker 3 (33:03):
They're like, can you write ransomware? I'm like, yeah,
I can. I can write ransomware. They're like, why don't
we And now it's like we why don't we do
this right? And I'm like, what's the.
Speaker 2 (33:13):
What I've never had that conversation with you. Let's just
have the record show you've always talked you down from
those No.
Speaker 1 (33:19):
I've asked you before, why aren't you a criminal? Answer?
Because I like to do the right thing and I
want to.
Speaker 3 (33:24):
Go to jail exactly. Yeah. So I was like, listen,
I also know how to break into your car and
steal it, and I know plenty of places that I
could get it chopped up and sold and make money.
And he's like, whoa, whoa. I'm like, all right, there's
a reason I don't do that too, right. So yeah,
it's you people.
Speaker 1 (33:43):
If you're a criminal, you can live vicariously through Dwayne
by listening security this week every week.
Speaker 3 (33:49):
Yep.
Speaker 1 (33:49):
All right, So that's an interesting story. Now we get
to our clickbait story because we're in the land of
the mouse.
Speaker 3 (33:55):
I love this story, all right.
Speaker 1 (33:56):
First, I'll read the headline, then we'll explain what is
Motion sensors in high performance mice can be used as
a microphone to spy on users. AI Mic-E-Mouse
technique harnesses mouse sensors, converts acoustic vibrations into speech.
I know what you're thinking, little mice like the animals
(34:18):
running around. Nope, it's computer mice.
Speaker 3 (34:21):
Mickey mickey mouse here. So this is an awesome attack.
Speaker 1 (34:26):
That means heinous. Let me translate that for Dwayne-ism.
Speaker 3 (34:30):
So for those of you who haven't listened to the
podcast before, I generally geek out about side channel attacks.
So side channel attacks if you remember, like, does anybody
remember Rowhammer?
Speaker 1 (34:41):
Right?
Speaker 3 (34:41):
So Rowhammer was like I would ask the computer
to perform the same mathematical calculation over and over and
over and over and over again loop, and it would
heat up a pin on the CPU, and then I
would say, hey, can I be an admin which just
happened to be answering to the pin next to it,
And when that heat emission hit that pin, it would
say yes. So if I heat it up one pin enough,
(35:04):
I could then control the output of becoming an administrator
on the ball. Heinous, some side channel attack heinous, so
one of many. I love it, brilliant, so good. So
in this particular case, I don't know why we hadn't
thought of this before. These mice, especially if they have
twenty thousand DPI I mean, we're talking very very gaming mice
(35:26):
are so accurate.
Speaker 2 (35:28):
So like Razer mice is in this.
Speaker 3 (35:30):
Actually, like Razer mice, any of your gaming mice have
enough DPI so that the laser that's shooting out of
the mouse as you talk, the tabletop is vibrating ever
so slight.
Speaker 1 (35:41):
As you talk.
Speaker 3 (35:42):
As you talk.
Speaker 2 (35:43):
Well, just as like this is like the idea of
using a laser mic on a window. It's just you're
using the laser and the mouse against the desktop instead.
Speaker 1 (35:52):
So somebody's recording the vibrations of the desktop.
Speaker 3 (35:55):
Yes, you're like, you know, well same yeah, same thing.
It would come out as allowed. But even if we're
just talking, they were able to sideload. And what's interesting
about this is that detail of the DPI of the
mouse is non It doesn't require elevated privileges.
Speaker 1 (36:12):
It's just a peripheral.
Speaker 3 (36:13):
Right, So they can do it in a web browser
tab and request access to the DPI of the mouse
and as.
Speaker 1 (36:20):
It jiggles, good god.
Speaker 3 (36:22):
Now they can pick up the words you're saying while
you have the table.
Speaker 1 (36:25):
So the songs you don't talk and use the mouse
at the same time. You're probably screwed if you don't talk,
and if you talk and use the mouse at the
same time, you may be protecting yourself.
Speaker 3 (36:35):
Yeah, exactly, because there's so much fluctuation, so much fluctuation. Right,
But if you're just if we're just like, here's the
mouse on.
Speaker 1 (36:40):
The table right now and we're talking, somebody could be
recording the vibrations in the table and picking up turning
that into.
Speaker 2 (36:49):
Why don't we just record our podcast that.
Speaker 3 (36:51):
Way through the mice. Yeah. So what they did is
they took these vibrations, these changes in DPI readings, and
they it through machine learning, and then we're able to
reconstruct the speech and what people were saying, which is awesome.
It's so cool.
Speaker 1 (37:08):
So moral of the story, don't use a gaming mouse.
Speaker 3 (37:10):
Or use a really thick mouse pad. Oh, I would
assume maybe a damponge, you know, sponge sponge, right, Yeah,
I don't know, neoprene. Maybe I'm not entirely sure, but
it's uh, it's actually a really cool.
Speaker 1 (37:24):
But first of all, they wouldn't be able to they'd
have to be recording from the table, right, It's not
like they can just record the mouse data.
Speaker 2 (37:34):
Yes, just the mouse, just the mouse, just the change
in the value. The mouse has everything you need to
distant laser.
Speaker 1 (37:42):
I get it.
Speaker 3 (37:43):
That's it.
Speaker 2 (37:43):
Wow, because the mouse reads the laser's intensity and and
so you don't have to be local.
Speaker 1 (37:51):
I'm never using a gaming mouse ever.
Speaker 2 (37:54):
You should use a computer.
Speaker 1 (37:55):
If you get that out of dude. Okay, maybe I'll
just cut off my hands and live in a box. Right,
So cool and well, I guess that's it. But before
we go, we want to pass out some swag, don't we.
Oh yeah, tell everybody about what they're going to receive.
Speaker 3 (38:09):
So here's the deal. We have a discord server, and
we have hundreds of people on discord server who join
up who have been listening to the podcast and that
sort of stuff, and they ask cybersecurity questions, they throw
up funny stories, and that's.
Speaker 1 (38:20):
Completely hacked, as we just learned.
Speaker 3 (38:22):
Yeah, what's neat about the discord server is anytime somebody
throws an article up in the discord server or helps
other people on a discord server and that sort of stuff,
I always want to have a giveaway for them. So
I do have these giveaways that I will give to
people all around the world. This is a this is
a set of an official set of security this week
(38:43):
lock picks, and you'll have the yeah, you have the Yeah.
They haven't been paid. Okay, So funny story about that.
Funny story about that. I'm flying down here yesterday and
I have ten sets of lock picks in my carry on.
Oh boy, and I live up in New Hampshire. I
was flying through the Manchester Airport that they have seen
me go through there all the time, right, and I
(39:05):
always go through their and every time every time I
go through, if I have my lock picks in my
carry on, they pull it aside, they open it up,
they hold it in front of me and they go
you realize this slows things down, right, And I'm like yes,
And then they put it back because it's not illegal,
and they zip it up and then they let me
go through every time.
Speaker 2 (39:21):
Okay, since I literally hate you, I.
Speaker 3 (39:24):
Have ten sets of lock picks and there I put
them in the outside zipper pocket because I was like,
they're going to pull me aside. This is what I got.
Guys sitting there at the terminal and it's it zips
through and he's looking at his X ray screen. He
just does this and he looks over at me. The
bag goes through and I pick it up and he's
just staring at me.
Speaker 1 (39:42):
That's funny.
Speaker 3 (39:44):
Just does that. I was like, bye, Bob, Yeah, so yeah,
I had there was peril in getting these here, but
we did. We wanted to give out some lock picks.
So I have some lock picks with the Security this
Week logo. So yes, so we have enough.
Speaker 1 (40:02):
Come on up and grab one and with that, we'll
see you next time on Security this week.
Speaker 2 (40:07):
Thanks everybody,