August 26, 2024 51 mins

Stay informed with The Audit, your go-to podcast for the latest in cybersecurity insights, best practices, news and trends. In this month's news episode, we tackle the most significant developments shaping the industry today.  

We'll cover: 

  • The latest insights from CrowdStrike on evolving cybersecurity threats 
  • The impact of the Supreme Court ruling on cybersecurity regulations 
  • The massive 10 billion password leak and how to protect your organization 
  • Guard Zoo malware targeting military personnel in the Middle East 
  • How AI is transforming proactive cybersecurity measures 
  • Best practices for password management and multi-factor authentication 
  • The role of AI in optimizing and simplifying policy management in organizations 

 New episodes air every 2 weeks -- Don't miss out on expert insights that will help fortify your defenses against emerging cyber threats. 

#Cybersecurity #AI #TechNews #ITSecurity #Malware 

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Welcome to the Audit presented by IT Audit Labs. I am your producer, Joshua Schmidt. I'm joined today by Nick Mellem and Cameron Birkland. We're here to chat about the news today. We're going to talk today about CrowdStrike. We're going to talk about Apple's new OS Sequoia, the DOJ, an FTC suit, TikTok, and we might even get into a conversation about password managers.

(00:26):
But first I wanted to do a little icebreaker and ask you guys if you have done anything fun this summer. We're kind of in the dog days of summer here. So first week of August is over. Have you done anything fun or you got any big plans for the fall, Nick?

Nick Mellem (00:40):
Well, I'm just going to shout out that it's super hot in Texas so I've been staying inside a little bit more. Uh, August is the worst, worst month, so it's consistently around 100, which thank god for AC, but uh, I don't haven't done anything. Probably notable um, but I did get um just on Tuesday.

(01:00):
Uh, Starlink, Starlink internet, that's the satellite internet for backup, so I've been toying with that, so I've kind of been using that as the backup, especially if any systems go down, just as a secondary device. But I guess that's just my notable tech fun that I've had over the past week.

Joshua Schmidt (01:20):
The reason I ask is I just got back from a camping trip so we took our two daughters out into the woods. We did two nights. We were thinking about extending it to a third night in northern Minnesota, but we were pretty well exhausted by the end of the second day. Full day in the woods. But there's nothing better than swimming in a lake, in a nice

(01:40):
crisp, clean northern Minnesota lake. It's one of my favorite things to do. I also like to paddle the canoe around and listen to the loons late at night by the campfire. Uh, it's a lot of work getting the car loaded up and everything and packed up and all the food. It's quite the list, but it's always worth it when we get there and, um, yeah, but now I'm home, back to work. How about you, Cameron?

(02:00):
You got any big plans this fall or done anything of note this summer?

Cameron Birkland (02:05):
Yeah, I mean, I feel like my summer has been like. Just it feels like it's going away. It's already so cold today I'm wearing a sweater here. Yeah, it does feel like.

Joshua Schmidt (02:16):
Minnesota. It's actually kind of refreshing though.

Cameron Birkland (02:24):
Well, that's true, because it was a little unbearably hot for a little bit there, and yeah. So I've just been. I feel like I'm running to some family event every weekend and now everything's just gone by so quickly. I'm trying to recoup what's left of summer. You know I want to try to do something, so I'm hoping to go out. My grandma lives on a lake up here. She has a pontoon, so I want to try to get out there at least a

(02:47):
couple weekends this summer the water's still warm. The water's still warm but I saw that the algae is starting to come out, so it's getting a little dirty.

Nick Mellem (02:55):
That will happen the summer is dwindling for you guys are you a state fair guy, Cameron?

Cameron Birkland (03:02):
Oh, I have gone probably twice in my life, wow okay and I was thinking about going this year, but I don't have anybody to go with yet. I haven't found anybody that wants to go, so I might not end up going.

Joshua Schmidt (03:18):
I'm good with kids you could help us with our crew. You want to come with us, Nick. Sorry, what were you saying?

Nick Mellem (03:30):
No, I was just going to say that we haven't made it to the Texas State Fair yet, but I think we're going to try this year. I think it's in October and it's almost a month long, so I'm looking forward to doing that. The big fair I would say down here, closer to Houston, is the rodeo in February, which is basically another state fair. Good times, a lot of crowds. So it's kind of get what you want, walk around, see what you

(03:54):
want to see and that's that.

Joshua Schmidt (03:57):
Do you have a belt buckle Nick?

Nick Mellem (03:59):
I don't. I have not earned one yet, so I might have to jump in the ring with, uh, with the rodeo clowns.

Joshua Schmidt (04:05):
You have to get one as the size of like a pancake I'll see what I can do before uh, our next live all hat no cattle. I got a hat it's downstairs no belt buckle Stetson.

Nick Mellem (04:19):
Uh no, you know, I can't remember what uh Resistol, I think that's how they say it. Yeah, you got to have some boots too probably.

Joshua Schmidt (04:26):
Oh yeah, multiple pairs. That's a standard issue for Texans, I suppose.

Nick Mellem (04:31):
Standard issue. Yeah, you got to have a good pair of boots, good one for around the house doing some chores and another pair to take the wife out. Take the cats out, yep, take the cats for a walk. You need a good pair of boots.

Joshua Schmidt (04:44):
I always thought it was cool those rattlesnake boots that have the actual rattlesnake or the cobra or maybe the python or cobra or something that actually have the snake on the toe. You can get any flavor of boot you could ever want, we got to get a pair of those for Eric to be walking around the office with. Let's get that project underway, an early Christmas gift or

(05:11):
something that's on you, man?

Nick Mellem (05:11):
I think you got the outlets for that down there, so we can put the IT Audit Labs logo on the side of the there you go, made out of snake skin for sure he'll be in on it all right.

Joshua Schmidt (05:24):
Well, I hope he's listening. Uh, yeah, Eric's taking the day off today, so I hope I hope he's resting up. Um, we're going to jump right into it. So cyber security company CrowdStrike has published published its root cause analysis detailing the Falcon sensor software update crash that crippled millions of Windows devices globally. I'm sure we all know someone that had a rough flight or a

(05:45):
delayed vacation. So it gets a little technical here and I'm going to rely on you guys to break this down for us. So it says the channel file 291 incident, as originally highlighted in its preliminary post incident review, has been traced back to the content validation issue that arose after it introduced a new template type to enable visibility into the detection of novel attack techniques that

(06:08):
abuse named pipes and other Windows interprocess communication mechanisms. That goes right over my head. Can one of you guys jump in and break down what's going on here and what this article is talking about?

Cameron Birkland (06:19):
Yeah, I think we can talk about this a little bit. So essentially with the way the CrowdStrike Falcon works, is it needs like the lowest level of access to the system possible to be able to fully see everything that's going on for visibility purposes. So it runs as a driver, it runs in the kernel.

(06:41):
What this ends up meaning is that any code that it executes it's kind of up to it to validate it right. Usually normal application on the system is going to have checks and balances, whereas where the CrowdStrike agent is running, it's kind of running unchecked, right. It's up to itself to check it.

(07:02):
And what CrowdStrike was doing was pushing out sort of updates to these devices. And it was doing it. They were validating everything on their end, but what ended up happening was their validation process didn't catch this one little thing and they pushed it out to all customers at once.

(07:27):
The update wasn't actually tested on any live systems, they just put it through their proprietary validation process and then pushed it out to everybody all at once and sort of found out what would happen in a real world scenario. As it happened.

Nick Mellem (07:46):
It says further down the article, here too, where it it you know, opposed to the 20 supplied content yeah Right, that's Nick's paragraph, right there versus the 21 that were in this update, and the 21st portion of it was the one that actually crashed the, the systems, yep, yep.

Cameron Birkland (08:07):
So to get a little more technical with it, ultimately what happens was an out-of-bounds. So the CrowdStrike agent was expecting 20 input fields, right, and it reserved enough memory for those 20 and um. The new update required 21.

(08:27):
So it read past that memory that it had reserved that 21st, pushed it outside of the reserved memory and that's what caused the crash. And since it's running in the kernel, there's essentially um, it essentially just has to take down the whole system, right?

Nick Mellem (08:44):
Which, which is unfortunate, obviously. That's why we kind of use that method of, let's say, you have one big square and then you have a square in the center right, and the square in the center is like the kernel right, where you have the keys to the kingdom. You have systems like Falcon running in there, what you want most secure, and everything outside of that center box is going to be like Office. You know, Teams work things like that and if they fail in

(09:09):
the outer ring, it just brings on that application. And that's what we want, right, we want those lower game for ones. They can fail outside and that's fine that we can troubleshoot it. If it's running in the kernel like CrowdStrike Falcon, it there's no way around it. It craps everything out, uh, everything goes dark. So that's why everybody was getting the blue screen and even

(09:30):
if you didn't get the blue screen, you were still affected, um, and we saw this in all healthcare. You know flights, um, I know even a family member of mine this is, you know, not a critical system but was going to their service provider to get a new cell phone, not knowing that this happened because they're not in the tech industry, and there was a big sign on the door that said basically, we

(09:52):
can't help you, so go home. And I'm sure we all have people that were affected by it. But I think that's the basis, Josh, of what had happened, what Cam and I were just talking about.

Joshua Schmidt (10:04):
So lots of people affected and probably still dealing with it now was this like worst case scenario, or could it have been worse, because it seemed to be really disruptive, you know, across the entire globe I think this was pretty worst case for this um and I.

Nick Mellem (10:24):
This was as real as it gets, obviously, because so many things were down critical systems and this was a real life tabletop exercise that people were flung into in the middle of the night and I think people thought it was either a cyber attack or you know an outage that they were having, you know, overnight. Overnight people, IT guys, gals, you know, were flung into

(10:45):
action and had to start troubleshooting things right away. So I think this is as real as it gets. I think a lot of people were thinking we were under attack. Right, we're in World War III was kicking off systems were going down all over the place. But, uh, got anything to add to that Cam?

Cameron Birkland (11:00):
Yeah, no, it's. Um, it's pretty crazy how that one little thing ended up causing such a huge domino effect. It took down some critical systems and caused an incredible amount of disruption. And there's been a lot of, I would say, criticism of Microsoft, and maybe even CrowdStrike as well, on having

(11:22):
that kernel level access. For that reason Right, because obviously there was some validation, some checking that should have happened. That didn't. I think this was ultimately preventable, but it happened, and so now we kind of have to, we have to go back and look at how could this be prevented, ideally, I think.

(11:43):
Some people say that there should be a sort of API for these things. Right, like we don't do, we really need to have the Falcon sensor running in the kernel, like as a driver. Shouldn't it have some sort of API to be able to access the system and prevent that kind of level of damage?

(12:04):
Or I mean, at the same time, CrowdStrike should probably do a little better with their testing methodology and make sure that they're not pushing out updates to every single customer at the same time without any real-world validation.

Nick Mellem (12:23):
Yeah, it was. No matter which way you cut it. There's probably going to be a lot of after actions on how we can prevent these things from happening. But you know, I agree with Cam. Does it actually need kernel-level access? That's something we need to discuss. But I think, flinging into action, you know a lot of industries you know found, you know they're strong individuals

(12:46):
that were ready to react to this. Cam and I work for a pretty big organization that we were involved with remediation Cam more so than I for all the

(13:06):
downed computers and sending them to the techs on the ground at the site, because we had essentially strike teams out to, you know, bring back servers and everything that was affected. And then we also had, let's say, 2,500 to 3,000 machines, blue screen. Yeah, we had to set up locations for individuals to come in and rectify this. Luckily, I'm remote and I did not get affected with the blue

(13:31):
screen, so I was able to help pretty quickly getting those BitLocker keys to come back online. But, Cam, you were boots on the ground, correct?
Cameron Birkland (13:41):
Yeah, so for me I guess it ended up similar
with what I.
What what happened to me was Ihad my workstation shut down
overnight, so when I had bootedit up in the morning, it had
already been reverted, and so Iwasn't.
I didn't end up being affectedby that blue screen, so I was
able to hop online.
By the time I was up, it waslike 7am at that point, so

(14:05):
people were already, you know,in calls and trying to figure
things out.
Luckily, I was able to getonline.
Wasn't able to get onto thenetwork, of course, because VPN
wasn't working.
I was able to use Teams andOutlook, and that's about it.

Nick Mellem (14:22):
Yeah, I got a very frantic call from one of our
colleagues pretty early in themorning and you definitely
thought something big waskicking off and the frantic
voice was well warranted.
So there's still so muchcleanup to do.
I think the biggest questionthat we're dealing with is how
do we prevent it, but we couldprobably talk about this for a

(14:44):
whole episode.
It's been affecting industriesall over the world and, as we
know, crowdstrike is heavilyinvolved with Microsoft and it's
going to continue, probablycontinue that way, but just
affecting so many differentindustries.
The scary thing is, like thehealthcare industry right On
surgical tables or whateverpeople that use computer access

(15:08):
for, whatever the reason mightbe, in those situations we
certainly want to safeguardthose industries.
Not that they're more important, you know, than others, but
critically life-saving devicesright running on software like
this is is rather scary yeah, no, I agree, and it's um also

(15:29):
important to mention, uh, whatcrowd strikes changing after
this some changes they'vestarted implementing.

Cameron Birkland (15:35):
I don't believe they're going to be
rolling out updates like theseanymore to all customers.
Some customers have stagingenvironments.
Uh right, this update obviouslydid not utilize any of that, so
now you're going to have theopportunity to actually apply
the update to a set ofdevelopment systems, for example

(15:57):
, before it takes down yourentire network.
I think CrowdStrike is going totake that a little more
seriously.

Nick Mellem (16:03):
I think it's kind of alarming too, just to show
show that you don't have to bein the IT industry to understand
this but just how easy this wasto happen.
Right, it was an update.
It ran out of memory when itwas doing the update and it
brought so many industries totheir knees that require the
software Well, require acomputer, I should say, because

(16:24):
it brought everything down.
So just showing how easy it isto bring those things down shows
the weakness that you can have,right, especially for a
critical infrastructure.
Like you know, we have anarticle that we could discuss
later about the water industry.
Right, critical infrastructurelike that goes down.
That's, running this kind ofsoftware is, you know, very

(16:44):
alarming yep, and that's.

Cameron Birkland (16:47):
That's the big takeaway.
I've heard from a lot of people outside of the cyber security industry as well, as you know, if it took this one little thing to take down so many stuff like, or so much stuff. How vulnerable are we, you know, and how easy is it for like a nation state to do something like this in a malicious manner?
Nick Mellem (17:06):
Right, yep Insider threat.
You know you think about all those things. If it was as easy to push an update to bring it down and have that kind of effect, you know we need to to work on. You know policies, procedures, know how, having these conversations regularly and we you know we had a real life tabletop exercise, but I think, doing this more regularly right
(17:29):
In a, in a practice environment.
What are we going to do if thishappens?
This situation happens again.
You can use this, as you know,instruction, or look at this to
an after actions report on whathappened, and then you know
practice right, let's use thisas an example.
And how are we going to springinto action next time something

(17:50):
like this happens?
Hopefully it doesn't.
I feel like we should bepreparing like this is possible
every day.
So I just think this is a goodexample to practice on what we
should be doing day in and dayout.
If you're in the, especially ifyou're in the IT industry.

Joshua Schmidt (18:04):
It seems to me that, as Cameron said, it could
have been prevented.
It was a preventable situation.
But my mind goes to just theingenuity of human error is so
vast that it's hard to accountfor everything.
I was just talking to a buddywho lives in Arizona and they
have the self-driving cars thereright and you can take, and

(18:25):
they have the self-driving carsthere right and then you can
take the taxi with, you know,the self-driving car and these
cars are still making mistakesand they're still learning and
gathering that data.
But you know, the conversationrevolved around it had gotten
pulled over, you know, by apolice, no one in, you know, no
one in the driver's seat,because it had made a bad move.

(18:45):
It was waiting in anintersection or something like
that that it thought someone wascrossing but there was no one
there.
So the car was sitting in theintersection or something like
that.
But it's kind of hard toaccount for all of the crazy
ways things can go wrong whenthere's just an infinitesimal
amount of amount ofopportunities to fail.
So but yeah, crazy that thislittle human error that

(19:08):
seemingly could have been prevented caused such a big, dramatic outage. And I hope, I hope you know that it, you know, kind of informs people going forward that you know to be on top of these things a little bit better, or yeah, don't roll out your updates to everybody. I'm I'm really quite surprised to hear that.

Nick Mellem (19:26):
Well, if we're going to, if we're going to do it, let's. Let's not do it on a Friday, let's schedule this for like a Tuesday or something.

Cameron Birkland (19:33):
Yeah, that was definitely the best part.
It was on a Friday.

Joshua Schmidt (19:38):
Do you think some of that is the climate that we're in of just rolling things out, letting the people do be the beta?

Cameron Birkland (19:45):
Yeah, and I mean CrowdStrike's always trying to be on the bleeding edge. Right, you know they're trying to stay competitive so they don't want to fall behind speaking of which, that segues us to our next article perfect segue yeah, perfect segue to yet another iteration of macOS.

Joshua Schmidt (20:03):
This is the time of Sequoia Yep, I think they have so many updates rolling out they're going to run out of California-type names to call their OS.

Nick Mellem (20:13):
I love how they explain it, where they're talking about. All the engineers get into a van or whatever. They talk about this in their keynotes and they do whatever. They come up with these names. It obviously a joke, but it's pretty fun yeah it's, it's Catalina, now it's Sequoia. What was it like they didn't have animal names. They've got all kinds of things yeah, Tiger Leopard Snow

(20:34):
Leopard, Leopard. Yeah, that's what I was thinking about.

Joshua Schmidt (20:37):
Wasn't there one? That was this wine country recently, like Sedona? No, that's, that's, that's no, there was one like that.

Nick Mellem (20:45):
You can't think of it what's the one? Weird one called Maverick. I think that was a while ago that was the only one I can remember that wasn't a place or an animal yeah, well, at any rate.

Joshua Schmidt (20:56):
Um, we're on Sequoia now, I guess, so I have to keep a close eye on my updates. I have mine turned off on my Mac just because I don't want to be running into any issues, but we'll talk about that in a second. Apple's new macOS, Sequoia, tightens Gatekeeper controls to block unauthorized software. Apple on Tuesday announced an update to its next generation macOS version that makes it a little more difficult for users

(21:19):
to override Gatekeeper protections. Gatekeeper is a crucial line of defense built into macOS, designed to ensure that only trusted apps run on the operating system. When an app is downloaded from the outside of the app store and open for the first time, it verifies the software is from an identified developer. A couple of things I want to throw at you guys, and maybe we

(21:39):
can pass it back and forth a little bit. There was the first thing I mentioned of, you know, just rolling out these continual security updates, seemingly because it's the patching of vulnerabilities and whatnot. In this case, you know, with third party software, you can run into the problem, which I have frequently, of getting an automatic update on my computer and then trying to sign into a

(22:01):
recording software or maybe you're a gamer I'm sure this happens to gamers or any kind of third-party software that might require some hardware or some firmware and those developers aren't on the ball or just don't have the budget or aren't aware that there's an update being rolled out and all of a sudden it renders your software unusable.

(22:21):
It happened to me with Final Cut Pro. I was, you know, bellying up to the office computer here for a little editing work and, lo and behold, the Final Cut Pro would just not open after my last update. It would roll through all my third-party plugins which are meant for, you know, audio editing and whatnot, and then it would just stall, ended up getting to the boss-level IT

(22:44):
people at Mac where they take over your computer to figure out what's going on. And the guy had already you could tell he had already done like 200 of these calls that week and he was just like, yeah, we already have it documented, so you're just gonna have to wait until they update. And I'm like, really I can't work on my project today. There's no you don't have a worker for me yeah, because on

(23:05):
Logic Pro and some of the other at you know um proprietary apps, they have at least like a command period. You know, while you're booting up, where you can get around up. You know, scanning third-party software, sure, but they didn't have that, or still don't um seemingly have that for Final Cut Pro. So that's the first problem, right? Have you guys run into anything like that? I mean, I know you're not a Mac user, Cameron. Do you find that

(23:30):
on Microsoft products as well?

Cameron Birkland (23:32):
Yeah, I only use Windows. Ultimately. I can't say I've ran into anything specifically like that, but I think it is. You know it has a lot to do with the separate ecosystems. Like Apple wanting to keep everything locked down secure, Microsoft has to keep things a little more open, I would say,

(23:54):
because of all the you know the larger amount of users that are using their software. Windows is designed to be compatible with a larger number of devices. You know that sort of thing.

Nick Mellem (24:04):
So I this seems like a very much an Apple thing to me, at least at first glance I've run into this issue but it's kind of because of my own doing, and I say that because I like to run the beta software. So, like I have the latest beta software on my phone, I on my Mac, right now that I'm on, I'm on Sequoia the beta software to
(24:26):
test the new things out.
It's running very smooth.
But on the Mac I haven't hadany issues.
But on my phone I've had some,you know, apps that I use daily.
Every now and again If youupdate to the newest beta it,
they don't open right, they justcrash right away.
Update to the newest beta itthey don't open right, they just
crash right away.
Luckily, none of those have beencritical, but I haven't had
anything directly affect me,like you're talking about, josh.

(24:48):
But I think a lot of times what I see and this is, you know, going back years and years is, let's say, on an iPhone you open it up and you had the new software install overnight and the next day or the day after that you might get a quick update that said, oh, we have to patch something. There's a security patch for something we found in the latest update, so they're quickly going to another update.

(25:12):
So it's not directly affecting an application, but it kind of goes back segueing to CrowdStrike. These updates come out so quick and they have to patch something that just came out.

Joshua Schmidt (25:28):
So there's a lot going on here. But yeah, you get the update when you wake up in the morning and you're like on version 0.3 before lunchtime, right, the other workaround I kind of forgot to mention this. Some of my buddies had the same issue. They were literally having to uninstall their OS and then go install a prior iteration of the operating system just to get their apps to work. I was not willing to go there because I just seems like way too much you just wanted to wait it out yeah, I just seemed like
(25:50):
something could go wrong.
although I'm pretty, uh, prettydiligent about backing up all my
data I usually do too, yeah,since I have so much um, so many
sessions and things like thatthat that I just can't lose or I
might need to reference twoyears from now or three years
from now I store all my sessionson two external hard drives and

(26:11):
a cloud, and I really try to take two or three times a year to go through all my data and make sure that it's backed up at least twice. But, yeah, that's not really helpful if you can't open up the app.

Nick Mellem (26:24):
So that's good practice, though, to do that.

Joshua Schmidt (26:27):
Yeah. Well, Cameron the other, you kind of brought up that it's kind of all in the ecosystem and I think that's another one of the issues or could be seen as an issue right. It's like now there's kind of this gatekeeping you know, pun intended around what can be accepted onto the App Store, what can you actually use on your Mac.

(26:47):
If you're a Mac user, you probably are okay with that to some degree, but you might run into an instance where you want to use something that's not approved by the powers that be on the Apple side of things and that could be politically. That could just be for edging out competition for their own
(27:08):
apps.
It's kind of probably a mix.

Nick Mellem (27:12):
They are going through a little bit of an issue right now with major entities trying to sue them for this, so there is probably some fruit to that.

Joshua Schmidt (27:20):
It's probably more cost effective for them to kind of ride that edge though. Right and like just be the cutting edge, and if they have to take on a couple of lawsuits, so be it. You know, we'll kind of figure it out as we go. Yeah. Well, here's something I hope we don't have to deal with forever, but it seems like we might. Uh, Nick and I are parents, so this is something that's, you know, hits close to home for us.

(27:42):
Good to know, though, the DOJ and FTC sued TikTok for violating children privacy laws. As of August 3rd this came out the US Department of Justice, along with the Federal Trade Commission, filed a lawsuit against popular video sharing platform and TikTok for flagrantly violating children's privacy laws in the country. The agency claims to the company knowingly permitted

(28:02):
children to create TikTok accounts and to view and share short form videos and messages with adults and others on the service. Yikes, I don't use TikTok often. I do post a few things on there and then immediately scrub it from my phone. But one of my first questions for you guys was, like you know,

(28:22):
we know this is not just TikTok, you know violating these things. Why do you think that we see so much about TikTok? Maybe not as much these days about Facebook and Instagram. Because Zuckerberg was getting a lot of heat until TikTok really took off. I feel like he's been a little bit more low key.

Nick Mellem (28:40):
I think you're onto something there, and TikTok is casting a shadow over a lot of these other applications and really for all the wrong reasons, it's always in the limelight for something and with all the users of all ages, it's like the cool thing is to have a TikTok and do the kids do their dances or whatever they do.

(29:00):
I don't use TikTok myself, but I think that's a lot of the reason we hear it. TikTok was also just like in front of Congress. I think it was like what six months ago for these issues like this, and it's alarming that it's involving children, right, I mean, if you're 16, 17, 18, right, you can kind of think for

(29:21):
yourself a little bit more. But a lot of these were kids 13 and under utilizing TikTok, harvesting data and whatnot. But there's a lot to chew on for sure here. Yeah, I think.

Cameron Birkland (29:35):
TikTok is I feel like it's been in the news just constantly for years now just related to all these privacy concerns and, on one hand, the kind of stuff that TikTok collects is kind of in the nature of the application, right? I think Facebook, Google, you know they all have their own
(29:59):
versions of TikTok now and I'm sure they all collect similar um. But I know that one big concern with um TikTok is that it's not based in the United States, or it wasn't in the first place, whereas our you know our Facebook and Google and stuff that's at least on our own soil yeah, so the conversation really

(30:21):
always is shifting to national security.
Nick Mellem (30:23):
What are they listening? What are they spying on? So I think a lot of the threat is somebody needs to buy or they want to force a sale of TikTok. It sounds like to somebody like Microsoft or something US stateside. But yeah, I think that's. The big reason, Josh at least from my mind, is the buzzword of national security is why this is getting so much more

(30:44):
attention. Yep, and it makes the politicians kind of look like
they're doing being hard on China maybe, or at least you
know, have that if we want to go there.

Joshua Schmidt (30:55):
I'm sure that probably could be. Yes, well, yeah,
and that's both sides of the aisle too, right? It should be.
Yeah, because I mean, ultimately we want our own spyware, right,
not theirs. I'm surprised no one's come up with a competitor
yet.
You know, I mean there's things that Instagram and YouTube are

(31:15):
doing to well compete.

Cameron Birkland (31:17):
Yeah, I mean I feel like there's so many that
have copied the format.
That's how pretty much all short videos are displayed now.

Nick Mellem (31:25):
You have YouTube has their shorts, Instagram has
reels.
They're all doing it.

Cameron Birkland (31:32):
Yep, it's whoever has the best algorithm.

Joshua Schmidt (31:36):
Yeah, it seems like it's peaked a little bit.
I know I did read an article recently that although they have
leaned into that short form content, that long format
content like our podcast, is still just as relevant and doing
well in a different way.
You know it's reaching a different audience.
You know people sign on to look for different things.
I was going to ask if you use TikTok or if you have played

(31:59):
around with it.

Nick Mellem (31:59):
I have played around with it, but I don't use
it.
My wife does.
I keep trying to get her to delete it, but they get all
their ideas, whatever else for kids' toys, snacks you can get
recipes and whatever else.
They claim they can learn so much on TikTok, so whatever, but

(32:20):
I do not use it personally.

Cameron Birkland (32:22):
No, yeah, no, I don't use it either.
My parents use it, though.
They really gotten into TikTok.
They like the whole.
You know it's well.
It's a constant stream of content and of course it's
perfect.
It's always perfectly tailored to the person who's looking at
it.
You know like the videos are very specifically picked out and
there's something that you want to see, so it's easy to just

(32:45):
keep swiping, scrolling, watching in the app.

Nick Mellem (32:49):
You're engaged in there.
What I was going to say before to me, the big takeaway here
right is right, we want to ban to banning TikTok, right, I
don't want to get preachy, but I think this just shows that this
goes for everything.
You have to protect yourself.
Right, we're depending on the DOJ and whoever else to
potentially ban this.

(33:09):
I know some states are even banning it, but it really shows
that we need to like, govern what we're doing, not just like,
oh, I'm sure they're not doing anything bad with our data or
whatever else.
Really, it shows like, what, what's going on your kids' phones,
yada, yada and I think this that segues into the password
conversation about logging in and logging out of devices.

(33:33):
But, uh, yeah, I think there's a, there's a lot here, like we
talked about.
I don't foresee it going away anytime soon because it is just
a juggernaut of an application.
So hopefully something can be, you know, fixed by either a
purchase or dissolving it into something else, it being
absorbed to Instagram or Microsoft taking it over or
(33:53):
something.

Joshua Schmidt (33:54):
One of the big music companies I can't remember
who it was, I'll just leave that out was recently.
I can find it on Google, but quick search took all their
music off of TikTok and musicians are just freaked out
because that's the best way to reach people right now.
And I've even heard about people being signed by a record
(34:15):
label that won't release their next single or their next album
until they manufacture a viral TikTok moment.
Oh, that's interesting.
So, yeah, they are the sense.
Rectify that situation or sweeten the deal for them where
they're allowing their music back on, I'm sure more money
going into the pockets of the corporation, I would assume, um,
(34:35):
because I haven't seen any, uh, windfall from the artist side of
things.
But uh, unfortunately.

Nick Mellem (34:42):
But um, wasn't this kind of like Vines?
Do you guys remember Vines back in the day?
I never, really ever, used that either, but I thought that it
was similar.
Right, artists could go on there.
Right, they post their music.
They get discovered that way.
So it just seems like this is maybe just a newer version of
that.
I could be wrong, just a side thought. Yeah, no, I think that's

(35:05):
a similar idea.

Cameron Birkland (35:06):
Vines were limited to, I think, like six
seconds and I didn't even use them.
I didn't even use it much when it was a thing, and of course
then it was gone before I was even able to download the app,
basically.

Joshua Schmidt (35:23):
Was that a Twitter offshoot Vines?

Cameron Birkland (35:25):
Yes, I don't know if it started out that way,
but I know Twitter definitely acquired it at one point.

Joshua Schmidt (35:34):
That may have been what tanked it.
I actually was on tour in Texas not too far from you, Nick, in
Austin in 2000.
I want to say 2016.
We or 15 we met Matt King, who was you probably don't remember
the name, but he was the the Vine star at the time.
He had like a video of him in the car like doing this head bob

(35:54):
thing with like a funny face, but, um, that's my Vine story. I
do?
I do remember Periscope on Twitter.

Cameron Birkland (36:02):
Do you?

Joshua Schmidt (36:02):
remember Periscope?
Yep, I may have known some people not saying I did this,
but I may have known some people that watched some free boxing
matches on Periscope, got on some pay-per-view and that got
shut down rather quickly, I believe.

Nick Mellem (36:15):
That was a Twitter Periscope.
Wasn't that a Twitter offshoot as well?

Joshua Schmidt (36:19):
Yeah, I believe it was.
It was like a walkie talkie feature social media where you
could just video someone instantly and connect, but
people were using it to broadcast, like I said, football
games and and then you know, you got a hundred thousand
people broadcasting a boxing match and then they get shut
down and then 20,000 other ones spring up and it was just like a
game of whack-a-mole.

(36:41):
So you know another one of those circumstances where maybe you
didn't think through all the consequences before rolling out
the software. I don't think that's going to change anytime
soon, unfortunately. I agree.
But before we change topics and I'd like to segue about the
password management, but um, before we segue, let's just
remind our listeners what we can do with our kids, at least to
(37:04):
keep them safe.
I want to give a shout out to our episode.
I think it was in the 30s, maybe it was Andre Champagne, or
maybe it was even the late 20s.
We had a guest named Andre Champagne who was a forensic
cyber investigator for Cook County in Illinois and a couple
of the takeaways that he remembers that I remember from

(37:26):
his speech was that you know, if you can help it, don't let your
kids be in a locked room or a bedroom with a tablet or a phone
or a computer.
Put the stuff out in the living room, make it a public space
use only for your kids so you can monitor everything that's
going on.
Because you know, as parents, we all want to have privacy for

(37:47):
our children, give them some freedom to to go out into the
world and kind of explore, but at the same time it's really our
job to make sure that they are not getting preyed upon or in
any kind of trouble.
So you know, at the end of the day, privacy is nice, but having
your kids safe and is probably a better option.

(38:07):
And nicer, it's even nicer, yeah.
So that was one of the takeaways from that.
I remember, Nick.
Do you remember any of the other ones that he had mentioned?

Nick Mellem (38:14):
I don't remember anything that he mentioned, but
I think you know one.
One of the you know tips that comes to my mind is I think it
mentions it in the article here is using the functionalities
built into the app to either limit time for the kids on there
so limit how much time they can actually spend on that, because
Cameron was talking about it, his folks use it and you get

(38:36):
that rabbit hole right.
You just keep going and you know TikTok's issue with you
letting children under 13 use the application.
It subjects them to adult content, right, things that you
know maybe they shouldn't be seeing or aren't ready to see
yet.
So I think you know using the functionality, the shared
accounts, right, so you can see what they're seeing.

(38:58):
You can review, you know, the items that they have already
seen or potentially could see.

Joshua Schmidt (39:08):
And then limiting the time they spend on
the app, I think would be two big takeaways for me.
How about you, Cameron?
Do you got any golden nuggets to share with our listeners?

Cameron Birkland (39:13):
No, I think you covered most of what I would
say.
Ultimately, it's just about
limiting the screen time, because it's too easy to sit
there for endless amounts of time because the stream of
content never ends.

Joshua Schmidt (39:33):
Yeah, that's on the user side, but also thinking
about just on the privacy side.
I've seen a lot of people and try not to cast and their
birthday and what school they're going to, and you know, and
it's you're giving them all that information, you're giving

(40:03):
everyone all that information and you know at the end of the
day the children have no consent over what is being shared.
So you know it's almost kind of as a as a benefit to your
children.
You know as fun as it is to get those likes and that dopamine
hit and to share everybody with everyone that your child is cute

(40:24):
and growing up and you're doing a great job as a parent.
I think it's even cooler to really put their safety and
protection first and maybe just share that.
My wife and I use an app called Backthen.
It's still cloud storage, so we're still careful about
what we post on there, but it's only shared with people that we
let on there friends and family.

(40:44):
It's a great way to share those moments with people but also
still have them be a little more private.

Nick Mellem (40:51):
I think that was a good tip, Josh, that you brought
up censoring what you're putting on there.
In the military we were trained on this.
We would call it operational security.
Right, don't post where you're going on an operation.
If you're deploying, you know movements.
It applies here.
You know, maybe if you're taking a picture of your house,
don't put the address on there.

(41:12):
You know, wherever you're going or whatever you're doing, it's
certainly like what you're saying, Josh, at your kid's
school, your teacher's name, the address of the school, it just
it really puts our kids into a, you know, a sticky situation,
right, that they, like you said, Josh, didn't consent to, they
don't know about, right, they're young and you know we don't
even be subjecting our kids to, you know, to that kind of
(41:35):
behavior from you know unknown entities.

Joshua Schmidt (41:38):
I got one more for you.
Cameron, probably don't do this.
You don't strike me as a guy that posts his food like Nick
does.
My last tip was to wait till you're done with your vacation
to post your vacation pics.
Wait till you get back home, you know.
Just stagger it by a week.
If you go out of town, you don't need to tell everybody
we're leaving that day, and that way you still get to share your
(42:00):
trip if that's something that's important to you.
But you're already home.
So you know it already happened.
People don't need to know where you are all the time.

Cameron Birkland (42:10):
And they don't.
Yeah, they don't need to know that you're gone, that your
house is empty. Hey, my house is empty with all my stuff in it
and I'm not gonna be home for a week because I'm in Hawaii or
whatever.

Joshua Schmidt (42:22):
Yeah, these are social engineering gold mines.
Yep, I'm gonna do a shout out to Eric Brown here and say Nick,
you need to start a TikTok account for Mr. Meowgi.

Nick Mellem (42:35):
I was waiting for it.
We made it like 48 minutes before the cats got brought up.
Shout out to EB out there.

Joshua Schmidt (42:43):
All right.
Well, we have one more thing to talk about that's been relevant
to us and we'll wrap it up with this.
Today I'll share my experience.
I just switched over to Bitwarden for all my passwords
and cleaned up my security and it was rather painless.
It was just a little time consuming.
I was a little freaked out to do it, just because it's not fun

(43:06):
downloading a CSV file and, you know, logging into 18 different
websites and then looking at your phone, looking at your
browser, trying to like, suss out, how am I doing this?
Because we get so used to like how we log into things and we
just want it to go quick because we're trying to get our work
done or whatnot.
So, but I'm happy I'm switched over and still got a little bit

(43:28):
of work to do.
But yeah, I did realize I did need to download the desktop
extension for my desktop and then a browser extension and
sorry for my mobile as well, and then the browser extension for
whatever browser I was using within those devices.
So it's kind of a multi-step process.
So you got to have the main sign in and master key, but then

(43:51):
you also kind of have to integrate them into your browser.
But once you kind of get past that stage, I felt like it was very
seamless.
So when I'm now logging into websites, it's coming up right
away and I'm kind of back to where I was flying through
websites.
Do you guys use these and do you have anything to add to the
convo?

Cameron Birkland (44:10):
Yeah, sure, I mean, I've been using password
manager and it's Bitwarden for quite a few years now.
It was a situation where high school I was, you know I had to
have accounts for things.
I would just, you know, maybe use variations of a password
that I used before.

(44:31):
I never needed a password manager.
I was like you know, that's too much work, too much work to set
up a password manager, and it can be especially if your
password, if your passwords, aren't already stored somewhere.
It can be a lot of work to start getting all that into a
password manager like Bitwarden.
So it ended up being like ended up taking probably a few months

(44:54):
for me to actually finally get all of my accounts in there,
because they weren't all in a password manager before.
But it's worth it.
Once you have it set up, it's not only way more secure you
know every single password is different but it's easy, right?
You can use your fingerprint to unlock Bitwarden and it

(45:16):
autofills your passwords for you.
So now it's like I lived without it for so long.
Now I can't live without it kind of thing it's.
It's made life easier and more secure.

Nick Mellem (45:25):
You just, you hit it on the head, Cam.
I was going to say that there's not many situations that you
can say are more secure and easier.
Yep, right, and here is a perfect example.
I, obviously I use one myself, but I'm going to go against the
grain.
I use a Proton, Proton Pass.
It works the same as a Bitwarden, but I have it on my

(45:48):
phone and all my computers, iPad, things like that and you know I
used to well, this is probably three, four years ago. Now I got
all my passwords off off Google and get the CSV implemented
there, so it's pretty easy for me to switch over.
I think one good thing about these services is they have a
password generator built in, or whoever.

(46:20):
One of the big pieces of advice is we always give to anybody is
to don't use the same password for every application or every
website, so on and so forth, and this makes it really easy
because it will suggest the password.
You don't even need to think about it.
It will autofill it, save it, put your email on as a username.
So again, just another step easier.
But yeah, if you're not using a password manager, I highly
recommend you start.
You don't need to spend a bunch of time getting set up.

(46:41):
I think you can if you start it and you can implement all the
passwords you already have.
But just let it evolve right.
Just keep getting passwords in there slowly as you create new
accounts, things like that.

Joshua Schmidt (46:54):
When you switched over, did you realize
how many junk username and passwords you have?
Because you know when you update your password or you
forget your password and then you go make a new one and it's
still stored in that CVS file or in that passkey.
So I've been like sorting through tons of just junk
username login credentials.

Cameron Birkland (47:14):
Yeah, no.
As time went on and I started adding more and more accounts to
it, it became very clear how much of a problem my password
practices were at the time.

Nick Mellem (47:24):
Diamond himself out.

Cameron Birkland (47:27):
There was a time when I typed in all my
passwords and there was not that many variations.
Obviously, after four years of going to school for
cybersecurity, I cleaned that up a little bit.

Nick Mellem (47:43):
Changes your tune pretty quick once you see how
nasty it can get.

Cameron Birkland (47:46):
Yeah, yep so and like, for example, Bitwarden
has, it allows you to have some insights into password reuse
and things like that.
You know that's pretty common for most people.
Most people are going to have a lot of password reuse and if
you're able to get all your passwords into a password
manager, you can see the numbers. Like here's how many times your

(48:08):
password has been reused.

Nick Mellem (48:10):
Right?
Yep, I think even on the iPhone it does that too.
If you go into the passwords area on the phone, it will show
you oh, I have five, I have 20, I have 200, or whatever it is.
Passwords have been reused.
And I think it even gives you an option and a link to change
it and it will automatically go to the website to help you
update your password.

Joshua Schmidt (48:29):
And that's what I was going to call it.
That was the biggest pain is to log into the website and then
go change it, because every website's different.
The next level I would love to you know maybe this will get out
across the algorithms to a developer at Bitwarden.
I'm sure they thought of this.
But wouldn't it be great if you could just change it right in
the Bitwarden app or the ProtonMail app, where you didn't
even need to log into the website, whether it's Google or

(48:53):
Netflix or whatever?
It just pushed it out for you and you could do it all right
there.

Nick Mellem (48:59):
It could be slick.
It sounds a little scary to me having that connection.
Make sure you have MFA set up.

Cameron Birkland (49:05):
Yep MFA.

Joshua Schmidt (49:08):
Cameron doesn't like that idea.

Nick Mellem (49:10):
It makes me a little scared, but could we get
there? Maybe.

Cameron Birkland (49:13):
I like the idea of the convenience of it,
of course, but there's always the trade-off of convenience and
security.

Nick Mellem (49:21):
I'm going to say no just because of all the
connectors to that one that it would take to get that to work.
Again, fantastic idea.
If you can implement it properly, you won't be sitting
on this podcast anymore.

Joshua Schmidt (49:37):
The first one's free.
I got a lot of ideas.
This is why you guys are the experts and I'm just the
producer.

Nick Mellem (49:47):
It's a great idea.
We'll leave it at that.

Joshua Schmidt (49:51):
Hey, well, it's a great spot to leave it today.
I had a lot of fun chatting with you guys.
We're joined by Cameron Birkland and Nick Mellem of IT Audit Labs.
I'm your producer, Joshua Schmidt.
Today we've been talking about some news and then a little bit
of extra about Bitwarden and password managers.
If you want to hear more, we have all of our episodes on
Spotify, Apple, Amazon.
You can find us on YouTube.
We have shorts that come out several every week and please

(50:15):
subscribe, like and share it with your friends.
You've been listening to the Audit presented by IT Audit Labs.
Have a great day and we'll see you in two weeks.

Eric Brown (50:23):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessing risk and compliance, while
providing administrative and technical controls to improve
our clients' data security.
Our threat assessments find the soft spots before the bad guys
do, identifying likelihood and impact or all.
Our security control assessments rank the level of

(50:46):
maturity relative to the size of your organization, thanks to
our devoted listeners and followers, as well as our
producer, Joshua J Schmidt, and our audio video editor, Cameron
Hill.
You can stay up to date on the latest cybersecurity topics by
giving us a like and a follow on our socials and subscribing to
this podcast on Apple, Spotify or wherever you source your
(51:09):
security content.