July 4, 2025 • 35 mins
Quantum tech is coming — and with it a risk of cyber doomsday
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So I was reading up on the Old West, which
nobody really knows much about the American Old West because
it was mostly invented by Hollywood. But apparently cowboys who
wrote at night would sometimes hook a lantern to their
saddle so they could find the trail when they were
far from home. This was clearly a first attempt at
saddle light in navigation.
Speaker 2 (00:24):
I can't even that was wow. Yeah, I astonishing, isn't it? Yeah? Astonishing.
I didn't see where that was going, and when I
saw where it was going, and I didn't want to be there.
So thank you for that.
Speaker 1 (00:45):
Well, welcome to Security this week. Carl Franklin, s Duainn Laflotte,
who was just speaking, and Patrick Hines, who was just groaning.
Speaker 3 (00:52):
Shaking my head back and forth.
Speaker 1 (00:54):
All right, so the first story here is hearkens back
to last week's story of this old Linux vulnerability, and
so much so that I thought it was the same story.
But that one was twenty something years old and this
one is twelve years old.
Speaker 3 (01:10):
So this goes to show that that vulnerabilities lurk, and
just because the vulnerability is there doesn't mean anybody's gonna
find it. They might never find it. We might we
probably retire systems with vulnerabilities in them, oh yeah, and
never discover them. And that's good, but that's also bad
because it could be that hackers have discovered them and
are using them and we never find out.
Speaker 1 (01:31):
Well, here's the headline. Twelve year old pseudo Linux vulnerability
enables privesque privileged escalation to root user.
Speaker 2 (01:38):
So here's what I think we need to do. We
start We need to start taking these Linux because Linux
has been around a long time, right, started off as
Unix and then became Linux used for micro PCs. So
I think we start rating these Linux bugs that we're
finding that are twelve and twenty years old like a
fine scotch. Right, twelve years old is it's kind of mature,
(01:58):
but not really And when you're get to a twenty
year old exploit, that's when you get to find nice
and smooth exploit that we're all looking for.
Speaker 1 (02:07):
Right yeah, So are we rating it in terms of
entertainment value? Is that?
Speaker 2 (02:13):
I think we? I think we are. Honestly, I honestly
I love vulnerabilities like this, you know, side, we all
know listen, all the stw are their vulnerabilities. Who don't
love that there aren't. Honestly, you know what, it's funny
you say that, No, there is no they're all they're
all part of my family. But the we you know
stw people know side channel attacks or are my one love? Right,
(02:36):
that's the like that's that's the one that got away.
Those are the beauties. But yeah, the when you start
looking at old vulnerabilities that have been around for a
long time. For those of you who might like, uh,
you know, build old cars, it's it's like the barn find,
right you go to you go on Ohio and you
go find this guy who's like, yeah, I got this
(02:57):
clunker in the barn, can you grab it? And you
look in there and you're like, oh my god, it's
a Shelby, right exactly. And that's what these are. These
are like the Shelby's sitting in the barn. So I
always love finding these, which is really kind of cool.
Speaker 1 (03:09):
All right, So do we have to worry about it?
That's the real question.
Speaker 2 (03:12):
So if you're a Linux administrator, yeah, absolutely, there's there
are very specific roles and this is very much a
privileged escalation on a local host. So it's not something
that you're going to see like oh my god, I
can anybody can exploit my systems over the internet. It's
just not going to happen. But if you do have
a pretty active Linux system that somebody could gain access
(03:34):
to you if they have limited pseudo users access, which
means they have limited privilege access.
Speaker 1 (03:41):
Yeah.
Speaker 3 (03:41):
Yeah, pseudo is super user. Do yeah, basically yes, do
this as a super user. Run as administrator in Windows parlance, and.
Speaker 1 (03:48):
You have to have administrator access to do it. Yeah,
super access exactly.
Speaker 2 (03:53):
So if you do have some commands you can run
as sudo, and you do have a host file that says, oh,
on this particular remote host, do you have full privileges
et cetera, et cetera, then yeah, there is a bug
here where you can convince the local host that you're
running remotely but running the command locally, right, so you
privilege escalate on the local box. Is what one ends up.
Speaker 1 (04:13):
Is there such a Is there such a command in
Linux called coup k U. Then you'd write take charge
to the country. Then you'd write pseudou.
Speaker 2 (04:28):
And it only takes numbers? Is that what it? That
would be? Because now it's not another thing yet, but
we could write it.
Speaker 1 (04:36):
I'll be here all day.
Speaker 2 (04:39):
Everybody else may leave, but he's here all day. That's right. One.
Speaker 1 (04:42):
So all right, so basically what Dwayne said, you know,
you know if you're vulnerable or not, so go patch.
There is a patch, right.
Speaker 2 (04:51):
There is and ultimately and there is no work around,
but there is a patch if you're if you're running
I think it's one dot nine seven Team a Legacy
one dot eight dot eight. Yeah, you're gonna want to
go and make sure you go update and patch because
there are patches that fix this.
Speaker 1 (05:08):
All right, Moving right along, Patrick's favorite Microsoft three sixty
five direct send feature abuse to send phishing as internal users.
Speaker 3 (05:20):
We've used this, right, Duane, when we get into a printer,
I can't confirm or deny, okay, using this, but if
you were to send an email to whatever the tenant,
dot mail, dot protection, dot outlook, dot com, and you're
on the inside, it does absolutely bypass SPF, d KM
and d mark, which is kind of nice.
Speaker 1 (05:38):
SPF d more Oh okay, yeah, those are email Okay,
so let me things that you set up on your server.
Speaker 3 (05:44):
Yeah, yeah, so those are technologies that have been built
into DNS so that you're your mail server can verify
with the sending mail server that it's legit, but it's
real that it's not spoofed. This eliminates that. This goes
around that. So if you have like printers are the
best example, but but it's really any device on the
on the local network. It's a way for it to
(06:08):
send emails as an internal email without credentials. Right, sounds convenient.
So if you do that, then now I can spoof
an email. It looks just like somebody inside and it's
really hard for any detection to figure out that it's
not an internal email because when you're internal, especially with
(06:30):
Office three sixty five, you don't get SPF D mark
and and you don't get those settings.
Speaker 1 (06:37):
Ueah, you don't need to because it's behind the firewall.
Speaker 3 (06:39):
Right because right, yeah, Well they would be handy because
one of them checks for that it goes through a
valid mail server and that would that would probably pass.
But the other one is that it's signed. Right oh right, Okay,
so I'm not sure whether it would be signed.
Speaker 1 (06:57):
And well, if you know, somebody brings and then maybe
it would be a customer brings an iPad to a
lunch meeting and then they get your get on the
Wi Fi and try to send email. Sure there could
be a problem there if they're using the local email server.
Speaker 2 (07:13):
Right, yeah, and Patrick's right, it is a convenience thing,
but it's also sometimes you're kind of backed into a corner.
Like if I have a bunch of printers on the
network and let's say we lock down Office three sixty five, right,
where you can't send an email without some sort of
multi factor authentication. And there's all sorts of which is
a good idea, right absolutely, But now you have these
(07:35):
scanners like where you can scan the email, or you
have a printer where I can you know, print taking
information and maybe as a print is coming in, send
it to an email and that sort of stuff where
they can't send emails right because they don't have the
ability to do multi factor authentication. So you need this
almost like device code. And we've talked about this before,
like if you try and add a TV to your Netflix, right,
(07:57):
you go to Netflix and you say, you know, I
want to log in, and it says, okay, here's the code.
Go to Netflix slash joint or Netflix slash device, right,
and you go there on the Internet and you say, okay,
here's the code. You type it in and now that
TV is automatically authenticated to log into your Netflix, right,
same type of thing is happening here where Microsoft's like, listen,
(08:17):
we know there are devices, there's these IoT style devices
that can't provide multi factor authentication, can't force somebody to
log in every time. Unfortunately, they also then give them
all of the ability to bypass the protections we typically see.
Speaker 1 (08:34):
So it sounds like this feature is like a workaround
for people who don't want to deal with the real
security issues.
Speaker 2 (08:40):
Yeah. Yeah, or devices honestly, devices that the programmers have
not given the customers the ability to deal with these features, right,
they're just legacy devices where that like we don't know
how to handle you know, timeout and devices or MFA.
Speaker 1 (08:55):
So our real advice is turn it off.
Speaker 2 (08:57):
Yep, yeah, absolutely, I mean honestly, it should be should
be restricted and are turned off a lot of times.
You can restrict this to a certain IP address because say,
here are my IPS for my printers, and those should
he be the only ones sending This.
Speaker 3 (09:09):
Is the surface area problem. You get a device and
it has crap wear, it has convenience features turned on,
and you really are better off without those. You should
have to turn those on explicitly.
Speaker 1 (09:21):
Like the first thing you do when you buy a
new laptop is you remove all the crap that came
with it, the bloatwear. Bloatwear. Yeah, that got the price
down low, right, so that they could sell it to
you at a cheaper price, because it's basically not just advertising,
but well it is advertising because they're usually trial periods
(09:43):
for these.
Speaker 2 (09:43):
Things, right, yep. Absolutely.
Speaker 1 (09:46):
That brings me to you know, like McAfee and all
of these anti spyware and anti malware things. It's been
my understanding that you know, when you have Windows Defend,
you don't need not only do you not need those,
but they kind of get in the way of things.
And the only one that I recommend is malware bites.
(10:08):
But I only use that if some you know, if
a machine has visible malware, you know, it's probably good
to run it once in a while. But you know,
Grahma Franklin for example, Hey, I'm getting all these pop
ups and I don't understand what they are. I think
I clicked one of them and blah blah. You know,
(10:29):
that's when I take a USB stick that has malware
bites on and you know, install it and run it. Yeah,
what do you think about that?
Speaker 2 (10:36):
Yeah, and I so I agree in like, Defender is
great for really hardcore malware or something you're going to
download your computer and that sort of stuff. I have
seen malware bites be useful for browser cleanup. But you're
sort of going to tell you recently, I want to say,
within the last two weeks, who maybe actually the last week,
(10:57):
Microsoft has said that they're ticked off at this point
point with companies like CrowdStrike causing issues in kernel level Windows,
and they're actually contemplating kicking out everybody out of the
kernel except for Defender. So you may, yeah, you may
find that a lot of the anti the crowd strikes,
(11:18):
the carbon blacks, the you know, sentinel ones, You may
find a lot of them have to move out of
the kernel, which means that they're going to be second
class citizens, if you will, when it starts coming to
the operating system. So we'll keep track of that and
see what's going on. But that hasn't happened yet, No,
but Microsoft is pushing hard for it.
Speaker 1 (11:35):
So the end result would be uh, slower working computers
for the end user, right most likely?
Speaker 2 (11:41):
Yeah, because everything's in user mode at this point.
Speaker 1 (11:43):
Yeah.
Speaker 2 (11:43):
Right, so they're going to have to process everything in
user mode. And and right now, if you're you're a
malware writer like myself, you're constantly looking for I think
that's a gift for malware, It is, honestly, because you're
constantly looking for how do I unhook Yeah, the EDR,
the anti virus, how do I unhook it from the
operating system in a way that still allows me to
(12:05):
execute my malware. And if it's in a higher level
of the kernel, that that may be easier to do.
So we'll see what happens.
Speaker 1 (12:11):
All right. Uh, Google fixes fourth actively exploited Chrome zero
day of twenty twenty five. Yeah, well, thanks Google, appreciate it.
Who I mean, I'm I'm not sure what else to
say about that.
Speaker 2 (12:25):
For all of you that are using Chrome. And if
you see in the operanian corner it says, hey, there's
an update waiting to get download and installed.
Speaker 3 (12:34):
Why are you waiting?
Speaker 1 (12:34):
Yeah?
Speaker 2 (12:35):
Yeah, ball means absolutely. You know, it's funny. Google has
done a great job to say we'll automatically update, don't
worry about it. Yeah, but the problem is you have
to close all your tabs and close your browser occasionally. Yeah,
and if Grandma Franklin is anything like my wife. I
love my wife, but she has Chrome opened, and there's
a bazillion tabs in there.
Speaker 1 (12:53):
All probably fifty years older than your right rapin.
Speaker 2 (12:57):
Right. But it's like I keep saying like, oh, can
I close your browser? And she's like, oh my god, no,
I got tons of stuff open.
Speaker 1 (13:02):
Yeah.
Speaker 2 (13:03):
IM right. So eventually you do need to close your
browser so that updates.
Speaker 1 (13:06):
But when you do that, Chrome remembers your tabs and
it reopens them. Yes, so yes, what's the problem.
Speaker 3 (13:12):
So we have somebody who I will not name, that
works with us that has so many browsers that they're
all little exes. It's there's no title, it's just the
X right. So I don't know how he can navigate
those without closing them.
Speaker 2 (13:27):
Right.
Speaker 1 (13:27):
Our friend Jeff Maciolic, who used to work for me,
was like that when that feature came to Chrome. And
we're talking what twenty years ago, maybe you know, fifteen
years ago. It was the same way with him, like
he had so many tabs open. Yeah, if you're listening, Jeff,
I'm sorry. I didn't mean to throw you under the bus.
Back come on, come on, man.
Speaker 2 (13:47):
So that the reason I wanted to bring this up,
like everybody should update their browser. I get that, right,
and we always talk about update, update, update. But the
interesting thing about this is this is a type confusion
weakness in Java script type confusion. Type confusion weakness. Now,
we've talked about type confusion in the past every once
in a while. Type confusion is interesting where you're as
(14:09):
a developer, you're dealing with a particular object and you're
expecting let's say it's an integer, and it happens to
be a string. Right, It just happens to somebody passed
you a string and you try and deal with it
like an integer and your code crashes.
Speaker 1 (14:22):
Right. By the way, those are the only two types
in JavaScript. I'm kidding, that's not really.
Speaker 2 (14:29):
It's it but close. So in most cases, what happens
where they type confusion exploit is you cause a denial
of service. I'm like, man, okay, that sucks. Your browser crashes,
you open it up again, you don't view that website.
In this particular case, they have they have seen this
(14:51):
active actively exploited in the wild where it actually can
execute a remote code execution. Wow, and that's rare to yeah, right,
and that's why Google's all over this one. They're like, listen,
this one's important. Like, I know, we talk about type confusion,
we talk about you know, denial of service, and that's
sortched up, but this is this is actually an important one.
So if you are running Chrome, go update. This one's
(15:13):
actually important.
Speaker 1 (15:13):
Yeah, if you need to update, and Chrome will tell
you when. Yeah. And Windows has a similar thing in
the lower right hand corner of the taskbar, which is
why I always keep my taskbar visible.
Speaker 2 (15:23):
Yeah.
Speaker 1 (15:23):
Absolutely, yeah, Okay, I guess this is the time to
take a break, isn't it so I think so. Yeah,
we'll be right back after these very important messages. And
if you don't want to hear these messages, you can
get a feed with no ads for five bucks a month.
Go to Patreon. Dot Security this week, dot com. We'll
be right back, and we're back. It's Security this Week
(15:49):
Carl Franklin, Stwayne and pat and we're now over to
a hacker news story. US agencies worn of rising Iran
cyber attacks on defense, OT networks and critical infrastructure.
Speaker 3 (16:06):
Raise your hand if you're surprised by this OT orational
technology Yeah, okay, like factories and power generation, water treatment.
Speaker 2 (16:19):
Power grids and yeah, water treatment plants.
Speaker 1 (16:22):
Yeah, all right, cool sort of stuff. Yeah, so not surprised.
Speaker 3 (16:26):
Things you don't want to be controlled.
Speaker 2 (16:28):
Yeah yeah. Those types of devices typically will communicate over
what's called mod bus, which is a protocol for those
types of devices to control dams and whatever.
Speaker 1 (16:38):
I used to ride the mod bus in the seventies.
Speaker 2 (16:41):
The the mod do you remember the mod Squad was great?
Speaker 1 (16:46):
What a great show that was down.
Speaker 2 (16:53):
I think that just dated all of us because who
else would.
Speaker 1 (16:56):
Pre seventies, But you know what, afros have come back,
so it was predictive style.
Speaker 3 (17:06):
So you know, this is the concern. This is what
a lot of people were saying. Well, you know, we
we bombed a rand. Uh, they're going to retaliate, and
this is how they retaliate. They retaliate with you know,
over terrorism, which luckily we haven't seen any of that,
and also cyber attacks.
Speaker 1 (17:20):
I thought that's what OT stood for, actually terrorism networks.
Speaker 3 (17:25):
Yeah, well sometimes it can be. But you know this
is the the world is becoming a more dangerous place,
and we thought it would you know, this goes up
to eleven, Okay, we thought the knob would stop. It
stop at ten.
Speaker 2 (17:39):
A spinal tap reference is that it just.
Speaker 3 (17:42):
Keeps going well, I think it's going to get to
twelve soon. It just keeps going up. Remember when we
thought they wouldn't attack at a hospital.
Speaker 1 (17:49):
Remember when we thought they wouldn't attack Pearl Harbor.
Speaker 3 (17:52):
Yeah, you're adorable.
Speaker 2 (17:55):
You're adorable.
Speaker 1 (17:56):
What I'm saying is I don't agree that the world
is becoming more dangerous.
Speaker 2 (18:00):
It's a good point.
Speaker 1 (18:00):
I think your chances of being involved in any of
these things are pretty low, and they're getting lower. So
I don't think nation state attack. But yeah, but I
think a nation state attack could be dangerous. Sure, if
it was widespread and it's fact.
Speaker 3 (18:17):
I disagree. I think if you're less likely to be murdered.
Speaker 1 (18:20):
Yeah, yeah, I guess that's what I'm talking about.
Speaker 3 (18:22):
I think you're less likely to be mugged, But I
think you're more likely to be cyber hijacked, and you're
more likely to be ransomware. I think those risks are increasing.
Speaker 1 (18:30):
Fair point.
Speaker 3 (18:31):
You're less likely to get hit by Iran because you're
not a nation state or you're not representing a nation state.
Speaker 1 (18:36):
Okay, okay, we're in violent agreement here. Okay, yes, all right, yes,
I agree, we're in triple violent agreement.
Speaker 3 (18:42):
People's right, the People's Front of Juda. No, People's People's
Front that Bryan Xerence.
Speaker 1 (18:49):
All right, so this is a warning about potential cyber attacks,
but how do they see that bubbling and has anything
action happened?
Speaker 3 (19:00):
Yeah, it's increasing activity from activists and a rank I'm
in a fill in vectors. So they're not saying, well,
they did this, they did that. It's just that there
there there's more chatter, there's more attempts, there's more pings.
Speaker 2 (19:14):
You know. You know what I love about this article
though at one point one fight, they say I'll keep
the the it says I Ranian groups have previously used
remote access trojans. Okay, we know what those are. Key loggers,
got it? And even legitimate admin tools like ps exec,
which is PowerShell to execute commands remotely. Yeah, that's a
legitimate admin tool. Or mimic ats pro mimic cats. Those
(19:39):
peopho don't know. Mimicats. That's a way to illegally to
strip all of the passwords and or hashes out of
a window service. That as a legitimate admin tool.
Speaker 1 (19:49):
But oh no, no, that was a Disney cartoon in
the nineties.
Speaker 2 (19:53):
Come on the mimic cats.
Speaker 1 (19:56):
Yeah that is not Yeah, so it does it trips
off what.
Speaker 2 (20:01):
Yeah, So if you're using mimicats, what you're doing is
you're actually going into memory in what they call the
l SASS, which is a local security authority, and pulling
out hashes and or passwords for user names good Lord
for people who have logged into that system. Definitely not
a legitimate admin utility, but something we use all the time.
Speaker 3 (20:17):
It's kind of like.
Speaker 1 (20:18):
Saying, you know, I want Dwayne, Dwayne and Patrick, I
want you guys to just like live with me and
stand by my computer and like watch the traffic and
Patrick can carry a gun and you know, then I'm
then I'll feel safe.
Speaker 2 (20:31):
Flipper zero Yeah, yeah done, there you go.
Speaker 3 (20:33):
Then you'll feel nice and safe. So saying that mimicats
is like an admind thing is like saying that, you know,
normal things you find in my in your in your
tool chest, like hammer nails, fingernail extractor.
Speaker 2 (20:46):
Those are normal things exactly exactly, Like wait a second,
I just saw the spelling.
Speaker 1 (20:52):
It's am I am i Atz Mimi cats. She was
my neighbor when I.
Speaker 2 (20:57):
Was a kid, owned a deli maybe cats in New York.
I think that's why I've been there.
Speaker 3 (21:05):
Yeah, made a nice mutton, lettuce and tomato with a.
Speaker 2 (21:15):
Yes.
Speaker 1 (21:16):
Oh you should have seen her brisket.
Speaker 2 (21:20):
Okay, so good.
Speaker 1 (21:22):
So I mean we're laughing because we're terrified. But yeah,
what so we got to take this seriously. I mean,
but they say increased you know, vigilance diligence, right.
Speaker 3 (21:35):
I mean, I can't get any more vigilant. I'm sorry.
Speaker 1 (21:37):
Be careful, you know we've we've heard this before. Doing
you'd love to say, you know, you just got to
be careful? How not use your computer?
Speaker 2 (21:46):
Pretty much?
Speaker 3 (21:46):
Ding ding ding?
Speaker 2 (21:47):
Yeah? Yeah, Honestly, if you're managing an out network.
Speaker 3 (21:51):
You gotta get educated. That's the big thing.
Speaker 2 (21:54):
Get educated, exactly.
Speaker 1 (21:55):
Yeah, I got to listen to this show. Oh I
didn't you said education?
Speaker 2 (22:00):
All right, listen, you want to get educated, listen to
de Defender. That guy's awesome, but listen to something else, right, exactly.
But if you want to, you want to listen to
those clowns, that's fine. But I would say, yeah, absolutely,
A lot of it is the operational technology. You can't patch, right,
if it's controlling a power grid usually over you know,
a mod bus protocol. There's not much you can do
(22:21):
there from a patch standpoint, and sometimes the systems that
are controlling those are like Windows XP. But what you
can do is be good about isolating those devices, making
sure that the rest of your network is secure and
or patched, and making sure people don't have access to
those systems who shouldn't so that and that's where you
really need this cyber hygiene is just making sure that's
nice and clean.
Speaker 1 (22:39):
Well, that's good, good to know. Okay, let's move on.
And this is the hmm, this is an interesting one, Patrick,
you I think you put this one up right. Ic
CES detects and contains new sophisticated cyber security incident, but
they don't really save a lot of details do that.
Speaker 3 (22:57):
So I see c A is the International Criminal Court,
and they've they've irritated quite a few people who have
like hacking stuff behind them. You know, I think Vladimir
Putin is on their like must arrest list. Yahoo is
now on that. I don't think it.
Speaker 2 (23:13):
Ran is that a search engine that I'm pretty sure Israel.
Speaker 3 (23:19):
Isel's prime minister. And I don't think Israel's doing it.
But I wouldn't be surprised to see that this is Russia.
And they don't give a lot of details. But what
they do is they they detected it, they reported it,
they've notified the countries that participate in the International Criminal Court,
and they're handling it. And it looks like they didn't
get what they wanted. It was an espionage attempt, so
(23:41):
the fact that they got caught means they didn't get espionage.
You always want to not get caught. That's a rule,
that is the rule generally. Yeah, rule number one. Don't
despise number one.
Speaker 1 (23:52):
Rule.
Speaker 3 (23:52):
Yeah, Sometimes when a hacker gets into a network, just
before there, they start getting flagrant because they're done, they've
gotten what they want. And then they get flagrant and
they get caught, they get they get slopped, and it's
not a big deal because they're gonna, they're gonna, they've
they've got ransomware, they've got the data they want, whatever
it is. They don't care anymore. When it's espionage, you
never want them to know, you know, because it degrades
(24:14):
the value.
Speaker 1 (24:14):
Loose fingers sink shingers. I think that was the saying, yeah, definitely,
that was yes, loose fingers sink shingers.
Speaker 3 (24:23):
Okay, okay, yeah, they we could come up with a
packets version, right, Oh yeah, yeah, loose protocols loose packets
or something like that, that something you can rhyme with. So
this is like a an organization that is a high
profile nation state like organization that he's going to get
(24:43):
attacked by nation states and they I'm betting that they've
got pretty good detection and controls and and they're on
guard for this because in twenty twenty three they had
a similar incident happen and they handled it the same way.
Speaker 1 (24:56):
We're going to have so much century like protective of
stuff in our routers and stuff that we're going to
need quantum computing to run all of those filters at
the speed of light or faster so we don't detect
a drop in service and we shill maintain security.
Speaker 3 (25:18):
Fortunately. And now our next story is quantum tech is
coming and with it a risk of cyber dooms day.
So that's a nice story.
Speaker 1 (25:25):
That's nice. Yeah, that's a happy little story.
Speaker 3 (25:27):
Yeah, that was your intro. But I got to correct something, Carl. So,
quantum computers aren't faster than classical computers. They're not the same,
and they're not going to replace them. They're an augmentative
technology that can do things that classical computers will never
be able to do, and that's their value.
Speaker 1 (25:46):
Well, then why does the news always say, you know,
a quantum computer can do more calculations in a nanosecond
than the entire country of India could make us some
in five hundred thousand years.
Speaker 3 (26:01):
So because what they're talking about is something that's so
hard to do it can never be done by a
classical computer.
Speaker 2 (26:07):
Well you say never though, like cracking trillions of years
measured in trillions of years, but craggy exactly, like cracking
four thousand bit rsa encryption can be done by a
classic computer. We'll all be long dead by the time
it happens.
Speaker 3 (26:22):
If you have the trillions of years, the sun will
have burned out.
Speaker 2 (26:27):
Yes, yeah, exactly, But that's the that's the thing, Patrick
is like, I could see how the perception is. It's faster. Okay,
classic computer takes a trillion years. The quantum computer will
do it in seconds. That seems faster.
Speaker 3 (26:39):
You're never going to play tetris No on a quantum computer.
You're never going to balance your slide like.
Speaker 2 (26:45):
A challenge you're never going to.
Speaker 3 (26:47):
Because the thing, so, the thing about quantum is that
it does things in parallel.
Speaker 2 (26:55):
Where so if I play, if I play Tetris on
a quantum computer, it will play every game of time
it could ever be played exactly.
Speaker 3 (27:02):
Yes, that's the way you'd have to play it. And
that would be and I will win every time.
Speaker 2 (27:06):
All right, I love it done. It would be great.
Speaker 1 (27:08):
Yeah.
Speaker 3 (27:08):
So the thing about quantum is, I'll give you a
quick quick summary. If I have a ten bit value,
there's a thousand, twenty four combinations of that. In classical computing,
I typically have to try all zeros, all zeros in
a one, all zero's one zero, all zero's one to one,
(27:30):
and I have to go through that one thy twenty
four times to enumerate all the potential values. With the
quantum computer, with ten quantum qbits that are that are stable,
that's the challenge. Right now, I can do them all simultaneously.
I can do them all in parallel. Now with ten bits,
it's not that impressive. But with thirty two bits, now
I'm talking about four billion iterations with a classical computer,
(27:53):
where they can be done all in one step. And
so it's that is what happens here. So what we're
talking about here is there's an algorithm called Shor's algorithm.
Peter Shore is a professor of mathematics at MIT. I
took a class that he was one of the professors,
and he came up with an algorithm a long time
ago that said, like, if we had a powerful enough
(28:14):
quantum computer, we could use that parallelism to find a
hint to break the current asymmetric encryption that everybody's using now.
Asymmetric encryption is used not to encrypt files and communicate them,
but to share a key so that we can share
a private key and then encrypt and share things. So
(28:37):
it's the first part of that conversation. If we get
a classical a quantum computer that's big enough, then RSA
twenty forty eight, which is the standard today, Diffy Hellman,
elliptical curve computing, all those things have the vulnerability.
Speaker 1 (28:52):
Okay, we just lost our last listener. Okay, thanks Patrick.
Speaker 3 (28:56):
You're welcome. So understand that this is coming. We see
it coming. No one can predict exactly when it will be.
I don't think it's this year, I don't think it's
next year. But it could very well be this decade
and by the time it happens, if you're not into
post quantum security, if you're not using algorithms that don't
have this weakness against quantum computers, they're not based on
(29:17):
the new algorithms aren't quantum. They're just geometric based instead
of algebraically based.
Speaker 2 (29:22):
Hey Carl, Hey, you want to lose the rest of
our listeners. Hey uncle Patrick, can you explain the quantum
substrate and how it allows? No? Please, it's to be
more stable over.
Speaker 1 (29:34):
Maybelease, don't. I would like to do something in the
opposite direction, which is explain how TLS transport levels security works,
because because Patrick kind of glossed over it, but if
you understand how it works, then you it makes a
lot more sense. It will make a lot more sense
(29:55):
of how quantum is going to bust it.
Speaker 3 (29:57):
So before we do, if you're worried about the quantum stuff,
we get a whole podcast called Entangled Things at entangled
things dot com. Every other week I talk to guests
and I talk about this stuff, like.
Speaker 2 (30:08):
Don't you other podcast?
Speaker 1 (30:10):
Hey it came, Hey, that'll be one hundred thousand dollars
to me.
Speaker 3 (30:17):
What you just said we have no listeners. Yeah, that's true.
Speaker 1 (30:21):
I can't charge that much. All right. So so Patrick
mentioned RSSA, right, and that's real smart authentication. No, it's
it's not, it's a it's a VEST. Yeah, yeah, I can't.
Speaker 2 (30:33):
Revest Adaman and Samar Come on, boys, that's what I'm
talking about.
Speaker 3 (30:38):
You said it in the wrong order.
Speaker 2 (30:39):
Yeah, okay, I'm sorry, Revest, Schamar and Adalman.
Speaker 1 (30:42):
There you go about attorneys at law.
Speaker 3 (30:44):
Adaman lost the flip the coin flip.
Speaker 2 (30:47):
Do we cheat them in? Now?
Speaker 1 (30:48):
All right? So our RSA basically provides a private key
and a public key. And you said two four eight
bits or.
Speaker 3 (30:57):
Characters eight bits is kind of like considered that's really secure. Yeah,
the standard, that's standard A.
Speaker 2 (31:03):
Yes, I think.
Speaker 1 (31:04):
All right, So this isn't. This isn't how stuff is
encrypted in transit. In other words, when I go to
a website, it doesn't package up stuff with the public
key and I decode it with the private key. It's
not how it works. So what happens is I have
the public key because I'm a browser, right, I'm a user.
(31:25):
The server has the private key. Now, both are just
gobbledygook keys, but the server knows the public and the
private key. All right, So what I do is I
create a real key, if you will. Actually the server
creates it. So when I go on, the server creates
(31:45):
this key and encrypts it with this RSA private key.
I decrypt it with the public key, and then I,
now we both have the same key that.
Speaker 2 (31:58):
Is used to it.
Speaker 1 (32:00):
Can get it backwards, encrypt the data and transit. They
can get a backwards So I got it backwards. I
thought it was the server that encrypted it.
Speaker 3 (32:06):
So what happens is, Dwayne, Let's say I'm a web
server and I've got a public key in the cloud.
Dwayne doesn't need to have a public key or private key.
I have the private key locally. I never shared that,
but I create I basically created a public private key
share pair pair. So I have the I have the
private key. He has access to the public key. He
(32:27):
can take the public key and encrypt a message for
me and say we're going to use Yoyo skateboard five
nine seven as our key.
Speaker 1 (32:35):
For okay, all right, So so and then he.
Speaker 3 (32:38):
Sends it to me, and I'm the only one that
can decrypt it.
Speaker 1 (32:40):
It's the sender that creates the key.
Speaker 3 (32:42):
And then I start, but it's getting with the key.
Speaker 1 (32:45):
Yeah, it's two way.
Speaker 3 (32:47):
So we use that public private key and if we
want to do we can also do encryption where like
if I want to talk to him, I can do
the same thing if he has a public key.
Speaker 1 (32:56):
Yeah. So yeah, yeah, And so what would really be
deal is if we could create these new asymmetric meaning
both ways keys on every request, right, because I don't
think that's how it works. I think once we have
those asymmetric keys, yes, accession.
Speaker 3 (33:13):
So there's a movement a foot too with let's encrypt
to change the life cycle the lifespan of a key
to only forty seven days.
Speaker 1 (33:25):
Forty seven days, I would say, once a request.
Speaker 3 (33:27):
Yeah, but the problem is it's hard enough to compute
because you have to get it.
Speaker 1 (33:31):
Yeah.
Speaker 3 (33:32):
And if you'd basically if you did it every request,
they'd be all sorts of side channel attacks and transmission
attacks we'd use okay probably.
Speaker 2 (33:38):
Yeah, And I think you know you talk to Carls
right in that the asymmetric algorithm is typically only used
to exchange a key, and then we're using some sort
of some sort of shared symmetric key exactly, Okay, yeah, yeah, right,
because it shared symmetric keys are lower compute for high
volume traffic, right, We really just need to get that
secret key back and forth, and then that key in
(34:01):
essence becomes a one time pad, right, something that's harder
to break because it's not shared with really anybody and
it's only used for that session.
Speaker 1 (34:08):
Okay, yeah, right, there you go. Okay, yeah yeah right.
Speaker 2 (34:11):
So so done. That's all of it.
Speaker 3 (34:13):
The moral of the story is that quantum quantum as
a threat is coming and you need to be moving
towards quantum safe encryption, which doesn't mean you have to
use quantum, right, it just it just means that you
have to use the new algorithms that are that are
quantum safe.
Speaker 1 (34:29):
But also don't be fooled by products that label themselves
quantum safe, right, agree, It's just like any other moniker,
Like as soon as the ketogenic diet was popular, everybody
put keto on their labels even though they weren't, so
you know, don't be fooled. So basically you should join
(34:49):
our discord and if you get a product that labels
itself as quantum resistant, just as Twain, yeah heck yeah,
I'm on it, Yeah.
Speaker 3 (34:57):
Don't or go to entangled things dot com and go
to entang Things and and don't ask.
Speaker 1 (35:03):
Don't ask Dad. Don't ask because Dad Dad will give
you a very confident answer that will sound great, all right.
And with that we will talk to you next week.
Speaker 2 (35:16):
Bye bye bye
So I was reading up on the Old West, which
nobody really knows much about the American Old West because
it was mostly invented by Hollywood. But apparently cowboys who
wrote at night would sometimes hook a lantern to their
saddle so they could find the trail when they were
far from home. This was clearly a first attempt at
saddle light in navigation.
Speaker 2 (00:24):
I can't even that was wow. Yeah, I astonishing, isn't it? Yeah? Astonishing.
I didn't see where that was going, and when I
saw where it was going, and I didn't want to be there.
So thank you for that.
Speaker 1 (00:45):
Well, welcome to Security this week. Carl Franklin, s Duainn Laflotte,
who was just speaking, and Patrick Hines, who was just groaning.
Speaker 3 (00:52):
Shaking my head back and forth.
Speaker 1 (00:54):
All right, so the first story here is hearkens back
to last week's story of this old Linux vulnerability, and
so much so that I thought it was the same story.
But that one was twenty something years old and this
one is twelve years old.
Speaker 3 (01:10):
So this goes to show that that vulnerabilities lurk, and
just because the vulnerability is there doesn't mean anybody's gonna
find it. They might never find it. We might we
probably retire systems with vulnerabilities in them, oh yeah, and
never discover them. And that's good, but that's also bad
because it could be that hackers have discovered them and
are using them and we never find out.
Speaker 1 (01:31):
Well, here's the headline. Twelve year old pseudo Linux vulnerability
enables privesque privileged escalation to root user.
Speaker 2 (01:38):
So here's what I think we need to do. We
start We need to start taking these Linux because Linux
has been around a long time, right, started off as
Unix and then became Linux used for micro PCs. So
I think we start rating these Linux bugs that we're
finding that are twelve and twenty years old like a
fine scotch. Right, twelve years old is it's kind of mature,
(01:58):
but not really And when you're get to a twenty
year old exploit, that's when you get to find nice
and smooth exploit that we're all looking for.
Speaker 1 (02:07):
Right yeah, So are we rating it in terms of
entertainment value? Is that?
Speaker 2 (02:13):
I think we? I think we are. Honestly, I honestly
I love vulnerabilities like this, you know, side, we all
know listen, all the stw are their vulnerabilities. Who don't
love that there aren't. Honestly, you know what, it's funny
you say that, No, there is no they're all they're
all part of my family. But the we you know
stw people know side channel attacks or are my one love? Right,
(02:36):
that's the like that's that's the one that got away.
Those are the beauties. But yeah, the when you start
looking at old vulnerabilities that have been around for a
long time. For those of you who might like, uh,
you know, build old cars, it's it's like the barn find,
right you go to you go on Ohio and you
go find this guy who's like, yeah, I got this
(02:57):
clunker in the barn, can you grab it? And you
look in there and you're like, oh my god, it's
a Shelby, right exactly. And that's what these are. These
are like the Shelby's sitting in the barn. So I
always love finding these, which is really kind of cool.
Speaker 1 (03:09):
All right, So do we have to worry about it?
That's the real question.
Speaker 2 (03:12):
So if you're a Linux administrator, yeah, absolutely, there's there
are very specific roles and this is very much a
privileged escalation on a local host. So it's not something
that you're going to see like oh my god, I
can anybody can exploit my systems over the internet. It's
just not going to happen. But if you do have
a pretty active Linux system that somebody could gain access
(03:34):
to you if they have limited pseudo users access, which
means they have limited privilege access.
Speaker 1 (03:41):
Yeah.
Speaker 3 (03:41):
Yeah, pseudo is super user. Do yeah, basically yes, do
this as a super user. Run as administrator in Windows parlance, and.
Speaker 1 (03:48):
You have to have administrator access to do it. Yeah,
super access exactly.
Speaker 2 (03:53):
So if you do have some commands you can run
as sudo, and you do have a host file that says, oh,
on this particular remote host, do you have full privileges
et cetera, et cetera, then yeah, there is a bug
here where you can convince the local host that you're
running remotely but running the command locally, right, so you
privilege escalate on the local box. Is what one ends up.
Speaker 1 (04:13):
Is there such a Is there such a command in
Linux called coup k U. Then you'd write take charge
to the country. Then you'd write pseudou.
Speaker 2 (04:28):
And it only takes numbers? Is that what it? That
would be? Because now it's not another thing yet, but
we could write it.
Speaker 1 (04:36):
I'll be here all day.
Speaker 2 (04:39):
Everybody else may leave, but he's here all day. That's right. One.
Speaker 1 (04:42):
So all right, so basically what Dwayne said, you know,
you know if you're vulnerable or not, so go patch.
There is a patch, right.
Speaker 2 (04:51):
There is and ultimately and there is no work around,
but there is a patch if you're if you're running
I think it's one dot nine seven Team a Legacy
one dot eight dot eight. Yeah, you're gonna want to
go and make sure you go update and patch because
there are patches that fix this.
Speaker 1 (05:08):
All right, Moving right along, Patrick's favorite Microsoft three sixty
five direct send feature abuse to send phishing as internal users.
Speaker 3 (05:20):
We've used this, right, Duane, when we get into a printer,
I can't confirm or deny, okay, using this, but if
you were to send an email to whatever the tenant,
dot mail, dot protection, dot outlook, dot com, and you're
on the inside, it does absolutely bypass SPF, d KM
and d mark, which is kind of nice.
Speaker 1 (05:38):
SPF d more Oh okay, yeah, those are email Okay,
so let me things that you set up on your server.
Speaker 3 (05:44):
Yeah, yeah, so those are technologies that have been built
into DNS so that you're your mail server can verify
with the sending mail server that it's legit, but it's
real that it's not spoofed. This eliminates that. This goes
around that. So if you have like printers are the
best example, but but it's really any device on the
on the local network. It's a way for it to
(06:08):
send emails as an internal email without credentials. Right, sounds convenient.
So if you do that, then now I can spoof
an email. It looks just like somebody inside and it's
really hard for any detection to figure out that it's
not an internal email because when you're internal, especially with
(06:30):
Office three sixty five, you don't get SPF D mark
and and you don't get those settings.
Speaker 1 (06:37):
Ueah, you don't need to because it's behind the firewall.
Speaker 3 (06:39):
Right because right, yeah, Well they would be handy because
one of them checks for that it goes through a
valid mail server and that would that would probably pass.
But the other one is that it's signed. Right oh right, Okay,
so I'm not sure whether it would be signed.
Speaker 1 (06:57):
And well, if you know, somebody brings and then maybe
it would be a customer brings an iPad to a
lunch meeting and then they get your get on the
Wi Fi and try to send email. Sure there could
be a problem there if they're using the local email server.
Speaker 2 (07:13):
Right, yeah, and Patrick's right, it is a convenience thing,
but it's also sometimes you're kind of backed into a corner.
Like if I have a bunch of printers on the
network and let's say we lock down Office three sixty five, right,
where you can't send an email without some sort of
multi factor authentication. And there's all sorts of which is
a good idea, right absolutely, But now you have these
(07:35):
scanners like where you can scan the email, or you
have a printer where I can you know, print taking
information and maybe as a print is coming in, send
it to an email and that sort of stuff where
they can't send emails right because they don't have the
ability to do multi factor authentication. So you need this
almost like device code. And we've talked about this before,
like if you try and add a TV to your Netflix, right,
(07:57):
you go to Netflix and you say, you know, I
want to log in, and it says, okay, here's the code.
Go to Netflix slash joint or Netflix slash device, right,
and you go there on the Internet and you say, okay,
here's the code. You type it in and now that
TV is automatically authenticated to log into your Netflix, right,
same type of thing is happening here where Microsoft's like, listen,
(08:17):
we know there are devices, there's these IoT style devices
that can't provide multi factor authentication, can't force somebody to
log in every time. Unfortunately, they also then give them
all of the ability to bypass the protections we typically see.
Speaker 1 (08:34):
So it sounds like this feature is like a workaround
for people who don't want to deal with the real
security issues.
Speaker 2 (08:40):
Yeah. Yeah, or devices honestly, devices that the programmers have
not given the customers the ability to deal with these features, right,
they're just legacy devices where that like we don't know
how to handle you know, timeout and devices or MFA.
Speaker 1 (08:55):
So our real advice is turn it off.
Speaker 2 (08:57):
Yep, yeah, absolutely, I mean honestly, it should be should
be restricted and are turned off a lot of times.
You can restrict this to a certain IP address because say,
here are my IPS for my printers, and those should
he be the only ones sending This.
Speaker 3 (09:09):
Is the surface area problem. You get a device and
it has crap wear, it has convenience features turned on,
and you really are better off without those. You should
have to turn those on explicitly.
Speaker 1 (09:21):
Like the first thing you do when you buy a
new laptop is you remove all the crap that came
with it, the bloatwear. Bloatwear. Yeah, that got the price
down low, right, so that they could sell it to
you at a cheaper price, because it's basically not just advertising,
but well it is advertising because they're usually trial periods
(09:43):
for these.
Speaker 2 (09:43):
Things, right, yep. Absolutely.
Speaker 1 (09:46):
That brings me to you know, like McAfee and all
of these anti spyware and anti malware things. It's been
my understanding that you know, when you have Windows Defend,
you don't need not only do you not need those,
but they kind of get in the way of things.
And the only one that I recommend is malware bites.
(10:08):
But I only use that if some you know, if
a machine has visible malware, you know, it's probably good
to run it once in a while. But you know,
Grahma Franklin for example, Hey, I'm getting all these pop
ups and I don't understand what they are. I think
I clicked one of them and blah blah. You know,
(10:29):
that's when I take a USB stick that has malware
bites on and you know, install it and run it. Yeah,
what do you think about that?
Speaker 2 (10:36):
Yeah, and I so I agree in like, Defender is
great for really hardcore malware or something you're going to
download your computer and that sort of stuff. I have
seen malware bites be useful for browser cleanup. But you're
sort of going to tell you recently, I want to say,
within the last two weeks, who maybe actually the last week,
(10:57):
Microsoft has said that they're ticked off at this point
point with companies like CrowdStrike causing issues in kernel level Windows,
and they're actually contemplating kicking out everybody out of the
kernel except for Defender. So you may, yeah, you may
find that a lot of the anti the crowd strikes,
(11:18):
the carbon blacks, the you know, sentinel ones, You may
find a lot of them have to move out of
the kernel, which means that they're going to be second
class citizens, if you will, when it starts coming to
the operating system. So we'll keep track of that and
see what's going on. But that hasn't happened yet, No,
but Microsoft is pushing hard for it.
Speaker 1 (11:35):
So the end result would be uh, slower working computers
for the end user, right most likely?
Speaker 2 (11:41):
Yeah, because everything's in user mode at this point.
Speaker 1 (11:43):
Yeah.
Speaker 2 (11:43):
Right, so they're going to have to process everything in
user mode. And and right now, if you're you're a
malware writer like myself, you're constantly looking for I think
that's a gift for malware, It is, honestly, because you're
constantly looking for how do I unhook Yeah, the EDR,
the anti virus, how do I unhook it from the
operating system in a way that still allows me to
(12:05):
execute my malware. And if it's in a higher level
of the kernel, that that may be easier to do.
So we'll see what happens.
Speaker 1 (12:11):
All right. Uh, Google fixes fourth actively exploited Chrome zero
day of twenty twenty five. Yeah, well, thanks Google, appreciate it.
Who I mean, I'm I'm not sure what else to
say about that.
Speaker 2 (12:25):
For all of you that are using Chrome. And if
you see in the operanian corner it says, hey, there's
an update waiting to get download and installed.
Speaker 3 (12:34):
Why are you waiting?
Speaker 1 (12:34):
Yeah?
Speaker 2 (12:35):
Yeah, ball means absolutely. You know, it's funny. Google has
done a great job to say we'll automatically update, don't
worry about it. Yeah, but the problem is you have
to close all your tabs and close your browser occasionally. Yeah,
and if Grandma Franklin is anything like my wife. I
love my wife, but she has Chrome opened, and there's
a bazillion tabs in there.
Speaker 1 (12:53):
All probably fifty years older than your right rapin.
Speaker 2 (12:57):
Right. But it's like I keep saying like, oh, can
I close your browser? And she's like, oh my god, no,
I got tons of stuff open.
Speaker 1 (13:02):
Yeah.
Speaker 2 (13:03):
IM right. So eventually you do need to close your
browser so that updates.
Speaker 1 (13:06):
But when you do that, Chrome remembers your tabs and
it reopens them. Yes, so yes, what's the problem.
Speaker 3 (13:12):
So we have somebody who I will not name, that
works with us that has so many browsers that they're
all little exes. It's there's no title, it's just the
X right. So I don't know how he can navigate
those without closing them.
Speaker 2 (13:27):
Right.
Speaker 1 (13:27):
Our friend Jeff Maciolic, who used to work for me,
was like that when that feature came to Chrome. And
we're talking what twenty years ago, maybe you know, fifteen
years ago. It was the same way with him, like
he had so many tabs open. Yeah, if you're listening, Jeff,
I'm sorry. I didn't mean to throw you under the bus.
Back come on, come on, man.
Speaker 2 (13:47):
So that the reason I wanted to bring this up,
like everybody should update their browser. I get that, right,
and we always talk about update, update, update. But the
interesting thing about this is this is a type confusion
weakness in Java script type confusion. Type confusion weakness. Now,
we've talked about type confusion in the past every once
in a while. Type confusion is interesting where you're as
(14:09):
a developer, you're dealing with a particular object and you're
expecting let's say it's an integer, and it happens to
be a string. Right, It just happens to somebody passed
you a string and you try and deal with it
like an integer and your code crashes.
Speaker 1 (14:22):
Right. By the way, those are the only two types
in JavaScript. I'm kidding, that's not really.
Speaker 2 (14:29):
It's it but close. So in most cases, what happens
where they type confusion exploit is you cause a denial
of service. I'm like, man, okay, that sucks. Your browser crashes,
you open it up again, you don't view that website.
In this particular case, they have they have seen this
(14:51):
active actively exploited in the wild where it actually can
execute a remote code execution. Wow, and that's rare to yeah, right,
and that's why Google's all over this one. They're like, listen,
this one's important. Like, I know, we talk about type confusion,
we talk about you know, denial of service, and that's
sortched up, but this is this is actually an important one.
So if you are running Chrome, go update. This one's
(15:13):
actually important.
Speaker 1 (15:13):
Yeah, if you need to update, and Chrome will tell
you when. Yeah. And Windows has a similar thing in
the lower right hand corner of the taskbar, which is
why I always keep my taskbar visible.
Speaker 2 (15:23):
Yeah.
Speaker 1 (15:23):
Absolutely, yeah, Okay, I guess this is the time to
take a break, isn't it so I think so. Yeah,
we'll be right back after these very important messages. And
if you don't want to hear these messages, you can
get a feed with no ads for five bucks a month.
Go to Patreon. Dot Security this week, dot com. We'll
be right back, and we're back. It's Security this Week
(15:49):
Carl Franklin, Stwayne and pat and we're now over to
a hacker news story. US agencies worn of rising Iran
cyber attacks on defense, OT networks and critical infrastructure.
Speaker 3 (16:06):
Raise your hand if you're surprised by this OT orational
technology Yeah, okay, like factories and power generation, water treatment.
Speaker 2 (16:19):
Power grids and yeah, water treatment plants.
Speaker 1 (16:22):
Yeah, all right, cool sort of stuff. Yeah, so not surprised.
Speaker 3 (16:26):
Things you don't want to be controlled.
Speaker 2 (16:28):
Yeah yeah. Those types of devices typically will communicate over
what's called mod bus, which is a protocol for those
types of devices to control dams and whatever.
Speaker 1 (16:38):
I used to ride the mod bus in the seventies.
Speaker 2 (16:41):
The the mod do you remember the mod Squad was great?
Speaker 1 (16:46):
What a great show that was down.
Speaker 2 (16:53):
I think that just dated all of us because who
else would.
Speaker 1 (16:56):
Pre seventies, But you know what, afros have come back,
so it was predictive style.
Speaker 3 (17:06):
So you know, this is the concern. This is what
a lot of people were saying. Well, you know, we
we bombed a rand. Uh, they're going to retaliate, and
this is how they retaliate. They retaliate with you know,
over terrorism, which luckily we haven't seen any of that,
and also cyber attacks.
Speaker 1 (17:20):
I thought that's what OT stood for, actually terrorism networks.
Speaker 3 (17:25):
Yeah, well sometimes it can be. But you know this
is the the world is becoming a more dangerous place,
and we thought it would you know, this goes up
to eleven, Okay, we thought the knob would stop. It
stop at ten.
Speaker 2 (17:39):
A spinal tap reference is that it just.
Speaker 3 (17:42):
Keeps going well, I think it's going to get to
twelve soon. It just keeps going up. Remember when we
thought they wouldn't attack at a hospital.
Speaker 1 (17:49):
Remember when we thought they wouldn't attack Pearl Harbor.
Speaker 3 (17:52):
Yeah, you're adorable.
Speaker 2 (17:55):
You're adorable.
Speaker 1 (17:56):
What I'm saying is I don't agree that the world
is becoming more dangerous.
Speaker 2 (18:00):
It's a good point.
Speaker 1 (18:00):
I think your chances of being involved in any of
these things are pretty low, and they're getting lower. So
I don't think nation state attack. But yeah, but I
think a nation state attack could be dangerous. Sure, if
it was widespread and it's fact.
Speaker 3 (18:17):
I disagree. I think if you're less likely to be murdered.
Speaker 1 (18:20):
Yeah, yeah, I guess that's what I'm talking about.
Speaker 3 (18:22):
I think you're less likely to be mugged, But I
think you're more likely to be cyber hijacked, and you're
more likely to be ransomware. I think those risks are increasing.
Speaker 1 (18:30):
Fair point.
Speaker 3 (18:31):
You're less likely to get hit by Iran because you're
not a nation state or you're not representing a nation state.
Speaker 1 (18:36):
Okay, okay, we're in violent agreement here. Okay, yes, all right, yes,
I agree, we're in triple violent agreement.
Speaker 3 (18:42):
People's right, the People's Front of Juda. No, People's People's
Front that Bryan Xerence.
Speaker 1 (18:49):
All right, so this is a warning about potential cyber attacks,
but how do they see that bubbling and has anything
action happened?
Speaker 3 (19:00):
Yeah, it's increasing activity from activists and a rank I'm
in a fill in vectors. So they're not saying, well,
they did this, they did that. It's just that there
there there's more chatter, there's more attempts, there's more pings.
Speaker 2 (19:14):
You know. You know what I love about this article
though at one point one fight, they say I'll keep
the the it says I Ranian groups have previously used
remote access trojans. Okay, we know what those are. Key loggers,
got it? And even legitimate admin tools like ps exec,
which is PowerShell to execute commands remotely. Yeah, that's a
legitimate admin tool. Or mimic ats pro mimic cats. Those
(19:39):
peopho don't know. Mimicats. That's a way to illegally to
strip all of the passwords and or hashes out of
a window service. That as a legitimate admin tool.
Speaker 1 (19:49):
But oh no, no, that was a Disney cartoon in
the nineties.
Speaker 2 (19:53):
Come on the mimic cats.
Speaker 1 (19:56):
Yeah that is not Yeah, so it does it trips
off what.
Speaker 2 (20:01):
Yeah, So if you're using mimicats, what you're doing is
you're actually going into memory in what they call the
l SASS, which is a local security authority, and pulling
out hashes and or passwords for user names good Lord
for people who have logged into that system. Definitely not
a legitimate admin utility, but something we use all the time.
Speaker 3 (20:17):
It's kind of like.
Speaker 1 (20:18):
Saying, you know, I want Dwayne, Dwayne and Patrick, I
want you guys to just like live with me and
stand by my computer and like watch the traffic and
Patrick can carry a gun and you know, then I'm
then I'll feel safe.
Speaker 2 (20:31):
Flipper zero Yeah, yeah done, there you go.
Speaker 3 (20:33):
Then you'll feel nice and safe. So saying that mimicats
is like an admind thing is like saying that, you know,
normal things you find in my in your in your
tool chest, like hammer nails, fingernail extractor.
Speaker 2 (20:46):
Those are normal things exactly exactly, Like wait a second,
I just saw the spelling.
Speaker 1 (20:52):
It's am I am i Atz Mimi cats. She was
my neighbor when I.
Speaker 2 (20:57):
Was a kid, owned a deli maybe cats in New York.
I think that's why I've been there.
Speaker 3 (21:05):
Yeah, made a nice mutton, lettuce and tomato with a.
Speaker 2 (21:15):
Yes.
Speaker 1 (21:16):
Oh you should have seen her brisket.
Speaker 2 (21:20):
Okay, so good.
Speaker 1 (21:22):
So I mean we're laughing because we're terrified. But yeah,
what so we got to take this seriously. I mean,
but they say increased you know, vigilance diligence, right.
Speaker 3 (21:35):
I mean, I can't get any more vigilant. I'm sorry.
Speaker 1 (21:37):
Be careful, you know we've we've heard this before. Doing
you'd love to say, you know, you just got to
be careful? How not use your computer?
Speaker 2 (21:46):
Pretty much?
Speaker 3 (21:46):
Ding ding ding?
Speaker 2 (21:47):
Yeah? Yeah, Honestly, if you're managing an out network.
Speaker 3 (21:51):
You gotta get educated. That's the big thing.
Speaker 2 (21:54):
Get educated, exactly.
Speaker 1 (21:55):
Yeah, I got to listen to this show. Oh I
didn't you said education?
Speaker 2 (22:00):
All right, listen, you want to get educated, listen to
de Defender. That guy's awesome, but listen to something else, right, exactly.
But if you want to, you want to listen to
those clowns, that's fine. But I would say, yeah, absolutely,
A lot of it is the operational technology. You can't patch, right,
if it's controlling a power grid usually over you know,
a mod bus protocol. There's not much you can do
(22:21):
there from a patch standpoint, and sometimes the systems that
are controlling those are like Windows XP. But what you
can do is be good about isolating those devices, making
sure that the rest of your network is secure and
or patched, and making sure people don't have access to
those systems who shouldn't so that and that's where you
really need this cyber hygiene is just making sure that's
nice and clean.
Speaker 1 (22:39):
Well, that's good, good to know. Okay, let's move on.
And this is the hmm, this is an interesting one, Patrick,
you I think you put this one up right. Ic
CES detects and contains new sophisticated cyber security incident, but
they don't really save a lot of details do that.
Speaker 3 (22:57):
So I see c A is the International Criminal Court,
and they've they've irritated quite a few people who have
like hacking stuff behind them. You know, I think Vladimir
Putin is on their like must arrest list. Yahoo is
now on that. I don't think it.
Speaker 2 (23:13):
Ran is that a search engine that I'm pretty sure Israel.
Speaker 3 (23:19):
Isel's prime minister. And I don't think Israel's doing it.
But I wouldn't be surprised to see that this is Russia.
And they don't give a lot of details. But what
they do is they they detected it, they reported it,
they've notified the countries that participate in the International Criminal Court,
and they're handling it. And it looks like they didn't
get what they wanted. It was an espionage attempt, so
(23:41):
the fact that they got caught means they didn't get espionage.
You always want to not get caught. That's a rule,
that is the rule generally. Yeah, rule number one. Don't
despise number one.
Speaker 1 (23:52):
Rule.
Speaker 3 (23:52):
Yeah, Sometimes when a hacker gets into a network, just
before there, they start getting flagrant because they're done, they've
gotten what they want. And then they get flagrant and
they get caught, they get they get slopped, and it's
not a big deal because they're gonna, they're gonna, they've
they've got ransomware, they've got the data they want, whatever
it is. They don't care anymore. When it's espionage, you
never want them to know, you know, because it degrades
(24:14):
the value.
Speaker 1 (24:14):
Loose fingers sink shingers. I think that was the saying, yeah, definitely,
that was yes, loose fingers sink shingers.
Speaker 3 (24:23):
Okay, okay, yeah, they we could come up with a
packets version, right, Oh yeah, yeah, loose protocols loose packets
or something like that, that something you can rhyme with. So
this is like a an organization that is a high
profile nation state like organization that he's going to get
(24:43):
attacked by nation states and they I'm betting that they've
got pretty good detection and controls and and they're on
guard for this because in twenty twenty three they had
a similar incident happen and they handled it the same way.
Speaker 1 (24:56):
We're going to have so much century like protective of
stuff in our routers and stuff that we're going to
need quantum computing to run all of those filters at
the speed of light or faster so we don't detect
a drop in service and we shill maintain security.
Speaker 3 (25:18):
Fortunately. And now our next story is quantum tech is
coming and with it a risk of cyber dooms day.
So that's a nice story.
Speaker 1 (25:25):
That's nice. Yeah, that's a happy little story.
Speaker 3 (25:27):
Yeah, that was your intro. But I got to correct something, Carl. So,
quantum computers aren't faster than classical computers. They're not the same,
and they're not going to replace them. They're an augmentative
technology that can do things that classical computers will never
be able to do, and that's their value.
Speaker 1 (25:46):
Well, then why does the news always say, you know,
a quantum computer can do more calculations in a nanosecond
than the entire country of India could make us some
in five hundred thousand years.
Speaker 3 (26:01):
So because what they're talking about is something that's so
hard to do it can never be done by a
classical computer.
Speaker 2 (26:07):
Well you say never though, like cracking trillions of years
measured in trillions of years, but craggy exactly, like cracking
four thousand bit rsa encryption can be done by a
classic computer. We'll all be long dead by the time
it happens.
Speaker 3 (26:22):
If you have the trillions of years, the sun will
have burned out.
Speaker 2 (26:27):
Yes, yeah, exactly, But that's the that's the thing, Patrick
is like, I could see how the perception is. It's faster. Okay,
classic computer takes a trillion years. The quantum computer will
do it in seconds. That seems faster.
Speaker 3 (26:39):
You're never going to play tetris No on a quantum computer.
You're never going to balance your slide like.
Speaker 2 (26:45):
A challenge you're never going to.
Speaker 3 (26:47):
Because the thing, so, the thing about quantum is that
it does things in parallel.
Speaker 2 (26:55):
Where so if I play, if I play Tetris on
a quantum computer, it will play every game of time
it could ever be played exactly.
Speaker 3 (27:02):
Yes, that's the way you'd have to play it. And
that would be and I will win every time.
Speaker 2 (27:06):
All right, I love it done. It would be great.
Speaker 1 (27:08):
Yeah.
Speaker 3 (27:08):
So the thing about quantum is, I'll give you a
quick quick summary. If I have a ten bit value,
there's a thousand, twenty four combinations of that. In classical computing,
I typically have to try all zeros, all zeros in
a one, all zero's one zero, all zero's one to one,
(27:30):
and I have to go through that one thy twenty
four times to enumerate all the potential values. With the
quantum computer, with ten quantum qbits that are that are stable,
that's the challenge. Right now, I can do them all simultaneously.
I can do them all in parallel. Now with ten bits,
it's not that impressive. But with thirty two bits, now
I'm talking about four billion iterations with a classical computer,
(27:53):
where they can be done all in one step. And
so it's that is what happens here. So what we're
talking about here is there's an algorithm called Shor's algorithm.
Peter Shore is a professor of mathematics at MIT. I
took a class that he was one of the professors,
and he came up with an algorithm a long time
ago that said, like, if we had a powerful enough
(28:14):
quantum computer, we could use that parallelism to find a
hint to break the current asymmetric encryption that everybody's using now.
Asymmetric encryption is used not to encrypt files and communicate them,
but to share a key so that we can share
a private key and then encrypt and share things. So
(28:37):
it's the first part of that conversation. If we get
a classical a quantum computer that's big enough, then RSA
twenty forty eight, which is the standard today, Diffy Hellman,
elliptical curve computing, all those things have the vulnerability.
Speaker 1 (28:52):
Okay, we just lost our last listener. Okay, thanks Patrick.
Speaker 3 (28:56):
You're welcome. So understand that this is coming. We see
it coming. No one can predict exactly when it will be.
I don't think it's this year, I don't think it's
next year. But it could very well be this decade
and by the time it happens, if you're not into
post quantum security, if you're not using algorithms that don't
have this weakness against quantum computers, they're not based on
(29:17):
the new algorithms aren't quantum. They're just geometric based instead
of algebraically based.
Speaker 2 (29:22):
Hey Carl, Hey, you want to lose the rest of
our listeners. Hey uncle Patrick, can you explain the quantum
substrate and how it allows? No? Please, it's to be
more stable over.
Speaker 1 (29:34):
Maybelease, don't. I would like to do something in the
opposite direction, which is explain how TLS transport levels security works,
because because Patrick kind of glossed over it, but if
you understand how it works, then you it makes a
lot more sense. It will make a lot more sense
(29:55):
of how quantum is going to bust it.
Speaker 3 (29:57):
So before we do, if you're worried about the quantum stuff,
we get a whole podcast called Entangled Things at entangled
things dot com. Every other week I talk to guests
and I talk about this stuff, like.
Speaker 2 (30:08):
Don't you other podcast?
Speaker 1 (30:10):
Hey it came, Hey, that'll be one hundred thousand dollars
to me.
Speaker 3 (30:17):
What you just said we have no listeners. Yeah, that's true.
Speaker 1 (30:21):
I can't charge that much. All right. So so Patrick
mentioned RSSA, right, and that's real smart authentication. No, it's
it's not, it's a it's a VEST. Yeah, yeah, I can't.
Speaker 2 (30:33):
Revest Adaman and Samar Come on, boys, that's what I'm
talking about.
Speaker 3 (30:38):
You said it in the wrong order.
Speaker 2 (30:39):
Yeah, okay, I'm sorry, Revest, Schamar and Adalman.
Speaker 1 (30:42):
There you go about attorneys at law.
Speaker 3 (30:44):
Adaman lost the flip the coin flip.
Speaker 2 (30:47):
Do we cheat them in? Now?
Speaker 1 (30:48):
All right? So our RSA basically provides a private key
and a public key. And you said two four eight
bits or.
Speaker 3 (30:57):
Characters eight bits is kind of like considered that's really secure. Yeah,
the standard, that's standard A.
Speaker 2 (31:03):
Yes, I think.
Speaker 1 (31:04):
All right, So this isn't. This isn't how stuff is
encrypted in transit. In other words, when I go to
a website, it doesn't package up stuff with the public
key and I decode it with the private key. It's
not how it works. So what happens is I have
the public key because I'm a browser, right, I'm a user.
(31:25):
The server has the private key. Now, both are just
gobbledygook keys, but the server knows the public and the
private key. All right, So what I do is I
create a real key, if you will. Actually the server
creates it. So when I go on, the server creates
(31:45):
this key and encrypts it with this RSA private key.
I decrypt it with the public key, and then I,
now we both have the same key that.
Speaker 2 (31:58):
Is used to it.
Speaker 1 (32:00):
Can get it backwards, encrypt the data and transit. They
can get a backwards So I got it backwards. I
thought it was the server that encrypted it.
Speaker 3 (32:06):
So what happens is, Dwayne, Let's say I'm a web
server and I've got a public key in the cloud.
Dwayne doesn't need to have a public key or private key.
I have the private key locally. I never shared that,
but I create I basically created a public private key
share pair pair. So I have the I have the
private key. He has access to the public key. He
(32:27):
can take the public key and encrypt a message for
me and say we're going to use Yoyo skateboard five
nine seven as our key.
Speaker 1 (32:35):
For okay, all right, So so and then he.
Speaker 3 (32:38):
Sends it to me, and I'm the only one that
can decrypt it.
Speaker 1 (32:40):
It's the sender that creates the key.
Speaker 3 (32:42):
And then I start, but it's getting with the key.
Speaker 1 (32:45):
Yeah, it's two way.
Speaker 3 (32:47):
So we use that public private key and if we
want to do we can also do encryption where like
if I want to talk to him, I can do
the same thing if he has a public key.
Speaker 1 (32:56):
Yeah. So yeah, yeah, And so what would really be
deal is if we could create these new asymmetric meaning
both ways keys on every request, right, because I don't
think that's how it works. I think once we have
those asymmetric keys, yes, accession.
Speaker 3 (33:13):
So there's a movement a foot too with let's encrypt
to change the life cycle the lifespan of a key
to only forty seven days.
Speaker 1 (33:25):
Forty seven days, I would say, once a request.
Speaker 3 (33:27):
Yeah, but the problem is it's hard enough to compute
because you have to get it.
Speaker 1 (33:31):
Yeah.
Speaker 3 (33:32):
And if you'd basically if you did it every request,
they'd be all sorts of side channel attacks and transmission
attacks we'd use okay probably.
Speaker 2 (33:38):
Yeah, And I think you know you talk to Carls
right in that the asymmetric algorithm is typically only used
to exchange a key, and then we're using some sort
of some sort of shared symmetric key exactly, Okay, yeah, yeah, right,
because it shared symmetric keys are lower compute for high
volume traffic, right, We really just need to get that
secret key back and forth, and then that key in
(34:01):
essence becomes a one time pad, right, something that's harder
to break because it's not shared with really anybody and
it's only used for that session.
Speaker 1 (34:08):
Okay, yeah, right, there you go. Okay, yeah yeah right.
Speaker 2 (34:11):
So so done. That's all of it.
Speaker 3 (34:13):
The moral of the story is that quantum quantum as
a threat is coming and you need to be moving
towards quantum safe encryption, which doesn't mean you have to
use quantum, right, it just it just means that you
have to use the new algorithms that are that are
quantum safe.
Speaker 1 (34:29):
But also don't be fooled by products that label themselves
quantum safe, right, agree, It's just like any other moniker,
Like as soon as the ketogenic diet was popular, everybody
put keto on their labels even though they weren't, so
you know, don't be fooled. So basically you should join
(34:49):
our discord and if you get a product that labels
itself as quantum resistant, just as Twain, yeah heck yeah,
I'm on it, Yeah.
Speaker 3 (34:57):
Don't or go to entangled things dot com and go
to entang Things and and don't ask.
Speaker 1 (35:03):
Don't ask Dad. Don't ask because Dad Dad will give
you a very confident answer that will sound great, all right.
And with that we will talk to you next week.
Speaker 2 (35:16):
Bye bye bye
Popular Podcasts
Law & Order: Criminal Justice System - Season 1 & Season 2
Season Two Out Now! Law & Order: Criminal Justice System tells the real stories behind the landmark cases that have shaped how the most dangerous and influential criminals in America are prosecuted. In its second season, the series tackles the threat of terrorism in the United States. From the rise of extremist political groups in the 60s to domestic lone wolves in the modern day, we explore how organizations like the FBI and Joint Terrorism Take Force have evolved to fight back against a multitude of terrorist threats.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
NFL Daily with Gregg Rosenthal
Gregg Rosenthal and a rotating crew of elite NFL Media co-hosts, including Patrick Claybon, Colleen Wolfe, Steve Wyche, Nick Shook and Jourdan Rodrigue of The Athletic get you caught up daily on all the NFL news and analysis you need to be smarter and funnier than your friends.