Mostly Security

Information:

Synopsis

Jon and Eric have worked in the security space as developers, architects and leaders for more years than they care to count. At some point Jon said, "we should do a podcast", and here we are. From commentary on current events to random musings, they chat (mostly) about security and technology topics. However, life is more than just the day job. From beekeeping adventures to hiking mountains to shows on Netflix, there's always something fun to wrap up the show.

Episodes

  • 032: Don't Sweat, It's Only the Polish Dogs

    20/07/2018 Duration: 38min

    Jon returns from camping so Eric can go fishing again. Costco still sells hot dogs, the Polish dogs have just migrated to Sam's Club. A trip through anti-cheat development at Riot Games, and a raft of QNAP vulnerabilities. Chickens are fun! As are javascript games... Sam's Club Pounces DeepFake Deep Dive Aadhaar Grand Challenge AntiCheat==Malware Evasion? QNAP Command Injections Silicon (Chicken) Valley Jelly Mario!

  • 031: That's all the Spanish I can do right now

    13/07/2018 Duration: 24min

    Marcelo DaCruz joins to meander through various topics that include a little cryptocurrencies, promoting other podcasts, malicious World Cup apps, 4th of July data breaches, password managers, and wrapping car keys in foil. Oh, and Costco. And what Marcelo's first Amazon purchase was. Whew! IOTA is worth 3 billion? Ethereum's Blockchain is 1TB Hamas Lures Israeli Soldiers Risky Business Podcast Golden Cup Cyber Threat Timehop Data Breach Apple to deploy 1Password Wrap your key fob in foil Charlie Miller's thoughts Costco kills the hot dog Marcelo's first Amazon purchase

  • 030: I do like me some goats...

    07/07/2018 Duration: 43min

    Eric rants about cryptocurrencies, Jon speculates about a billion ten year olds. Eric likes watching zoo animals and Jon appreciates fireworks in another state. Happy Independence Day, America! Oregon State wins the College World Series Gentoo Linux Incident Cryptocurrencies, again... IOTA wut? EOS huh? Ways to think about machine learning Oregon Zoo Fireworks

  • 029: Crypto-mining Docker Images and Insider Threats

    29/06/2018 Duration: 43min

    Jon's bees don't cooperate and Eric watches baseball. Docker hub containers that mine Monero for their own benefit and a Kubernetes honeypot; Tesla's malicious insider and insider threats in general. AI assisted slow motion, NES on the playgrounds, and what it costs to run a worldwide data service. Intro - Bees Do Their Own Thing Intro - OSU Survives in College World Series Followup - Yubikey supports more than just Chrome Malicious Docker Images Kubernetes Honeypot Tesla's Malicious Insider Significance of Insider Threats AI Assisted Slow Motion NES in Swift Playgrounds Troy Hunt Takes One for the Team

  • 028: A dash of WebUSB and smidge of leaky routers

    22/06/2018 Duration: 43min

    Eric rewatches The Matrix. Jon rewatches an assortment from Studio Ghibli. But enough about movies. Some followup with a bit more followup. Did you know your browser can talk directly to USB devices and that your router knows where you live? Eric finds a "smart lock" that suggests you not look behind the curtain. Jon expresses more love for serverless utilities. Followup from E025 - Selling your location Followup from E026 - Apple's Notarized Apps Followup from E009 - Right to Repair Followup from E026 - 3D Printed Homes in The Netherlands WebUSB and Yubico 2FA Google knows where you live Google home location leak "Unbreakable Smart Lock" #fail pulumi.io

  • 027: Cortana is also a Voice Assistant

    17/06/2018 Duration: 32min

    Eric goes fishing (with an 'f'), Jon has baby goats, and hacking Windows 10 via Cortana. Treat robots as you would like them to treat you, and an underwater datacenter. Win10/Cortana Vulnerabilities Google Assistant Android Advantage Don't Kick That Robot Microsoft's Underwater Data Center

  • 026: Microsoft, Apple and concrete dreams

    07/06/2018 Duration: 45min

    Microsoft buys GitHub and now we'll see what that actually means. Apple WWDC surprises developers with cool stuff. Antoni Gaudí wishes he had a concrete printer. Jon continues to explore his love for open source. GDPR Followup Amazon Alexa ODM Solutions Sonos Beam Microsoft Buys GitHub Microsoft + GitHub + Concerns? Apple WWDC - Notarized Apps Apple WWDC - Parental Control Printing a House Barcelona and the Sagrada Família Open Source Mac Apps

  • 025: Stolen credit cards, emailing secret audio, fun with time and a "yay! oh, wait."

    31/05/2018 Duration: 41min

    Eric has to deal with a stolen credit card. Jon checks in again on the telcos who resell your location data. Your Amazon cylinder might email an audio recording to someone. GDPR makes the web much faster. Eric likes time, Jon almost likes Apple. Notes: Krebs follow up on location data tracking Alexa eavesdropping scandal GDPR Fallout All about time by Zach Holman Steam Link!  Oh, wait...  

  • 024: Comcastic Followup, Real-time Location of any Cell Phone, and Cylinder Security

    25/05/2018 Duration: 41min

    Comcast gets two bits of followup; look up the real-time location of nearly any cell phone user in the states; more Google duplex and cylinder security; a Sunday sermon with some Oatmeal. Links: Followup: eFail (nice lego dumpster fire) - https://boingboing.net/2018/05/21/mime-considered-harmful.html Followup: Comcast Mesh - https://www.engadget.com/2018/05/21/comcast-is-now-selling-mesh-wifi-pods-to-its-internet-customer/ Followup: Comcast Leaks - https://www.engadget.com/2018/05/22/xfinity-bug-revealed-personal-data-router/ Don't Share the Where - https://krebsonsecurity.com/2018/05/mobile-giants-please-dont-share-the-where/ More Google Duplex - https://9to5google.com/2018/05/21/google-duplex-explained-turing-test/ Cylinder Security - https://www.techrepublic.com/article/smart-office-secrets-alexa-siri-and-google-assistant-could-hear-commands-the-human-ear-cant/ Do You Hear Laurel? - https://www.nytimes.com/interactive/2018/05/16/upshot/audio-clip-yanny-laurel-debate.html Adam Savage's Sunday Sermon - http

  • 023: Password rants, eMail client vulnerabilities, and Google I/O

    19/05/2018 Duration: 43min

    Eric's password buttons were pushed this week, not-so-secure eMail clients, and a touch of Google I/O. Fake coin offerings and ... a knife? Links: Password Rant - https://twitter.com/ericwuehler/status/996509740673908736 Followup: Eero + Echo - https://daringfireball.net/thetalkshow/2018/05/08/ep-221 Weird Al Hamilton Polka - https://www.youtube.com/watch?v=3v0c6smpHSk eMail Client Vulnerabilities - https://efail.de/ Google I/O - https://www.theverge.com/2018/5/8/17328828/google-io-keynote-summary-highlights-news-recap-2018 Ordering with a Voice Assistant - https://twitter.com/jonathan_b_king/status/996517910158819335 Buy Howeycoins! - https://www.howeycoins.com/index.html Cutco Cheese Knife - https://www.cutco.com/products/product.jsp?item=traditional-cheese-knife  

  • 022: Death to the Password and some feels for Microsoft

    11/05/2018 Duration: 40min

    Logging in with only a physical key, Twitter's oopsie, Facebook fires a stalker and Signal's messages do not "self-destruct". Jon chats about stuff from the Microsoft Build conference. Eric still likes Netflix. Jon likes books. Links: Gigabit Router Followup - Botnet - https://www.zdnet.com/article/botnets-competing-to-attack-vulnerable-gpon-fiber-routers/ Gigabit Router Followup - Fix - https://thehackernews.com/2018/05/protect-router-hacking.html Death to Passwords! - https://www.yubico.com/2018/04/yubico-and-microsoft-introduce-passwordless-login/ Twitter logs passwords - https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html Facebook fires analyst for stalking - https://arstechnica.com/information-technology/2018/05/facebook-fires-security-analyst-accused-of-using-access-to-stalk-women/ Signal notifications do not self-destruct - https://motherboard.vice.com/en_us/article/kzke7z/signal-disappearing-messages-are-stored-indefinitely-on-mac-hard-drives Microsoft Build 2

  • 021: Flails, Routers, and Electronic Frontiers

    04/05/2018 Duration: 30min

    Jon describes farm equipment, while Eric teaches driving lessons. Routers around the world are vulnerable, and a critical battle is won for the open web. A fun book tracking hackers and a crazy project for a VGA adapter. Links: What is a flail? - https://en.wikipedia.org/wiki/Flail_mower Oregon Instructional Permit - http://www.oregon.gov/ODOT/DMV/TEEN/pages/permit.aspx Vulnerable GPON Routers - https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/ Not a Computer Crime - https://www.eff.org/deeplinks/2018/04/dc-court-accessing-public-information-not-computer-crime Python Environment - https://www.xkcd.com/1987/ The Cuckoo's Egg - https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/ Software Defined Radio - https://osmocom.org/projects/osmo-fl2k/wiki/Osmo-fl2k

  • 020: 3200 miles, 58 hours and Unit Testing is awesome...

    28/04/2018 Duration: 29min

    Eric is back from the road trip. IoT, the gift that keeps on giving. Eric chats about hotel security cards. Jon channels Harry Potter with Obliviate DNS. The Grand Canyon is really cool and Jon tries installing a garage door opener. Links: Grand Canyon - https://www.nps.gov/grca/index.htm Ski lift exposed to the internet - https://www.golem.de/news/patscherkofel-gondelbahn-mit-sicherheitsluecken-1804-133930.html Hotel key card security - https://wired.trib.al/RkHWQ0U The Hotel Hacker - https://www.wired.com/2017/08/the-hotel-hacker/ Oblivious DNS - https://www.techrepublic.com/article/oblivious-dns-could-protect-your-internet-traffic-against-snooping/ BGP Hijack - https://www.welivesecurity.com/2018/04/25/ethereum-cryptocurrency-wallets-raided/

  • 019: The Javascript Episode

    20/04/2018 Duration: 40min

    Peter Wooley joins Jon to talk javascript while Eric cannot prevent it. NPM gains package signing capabilities; a casino is hacked courtesy of their fish tank; and once DeepFake matures, how do we tell what's real? Peter recommends playing Celeste on the Switch, Jon should have read a couple more books about bees, and clicky keyboards are awesome. Links: Peter Wooley on Twitter - https://twitter.com/peterwooley Javascript won! - https://hackernoon.com/javascript-has-already-won-235b29ed126b NPM signed packages - http://blog.npmjs.org/post/172999548390/new-pgp-machinery Typosquatting packages - http://incolumitas.com/2016/06/08/typosquatting-package-managers/ Fish Tank Thermometer - https://thehackernews.com/2018/04/iot-hacking-thermometer.html Pi-hole - https://pi-hole.net/ WiFi Grill - https://greenmountaingrills.com/ DeepFake Videos - https://www.buzzfeed.com/craigsilverman/obama-jordan-peele-deepfake-video-debunk-buzzfeed Celeste - https://en.wikipedia.org/wiki/Celeste_(video_game) More Bees! - https://en

  • 018: Gmail, Accountants, and VirusTotal, Oh My.

    15/04/2018 Duration: 32min

    Gmail doesn't follow email address standards; having your accountant hacked is Not Good; and confidential data is found in VirusTotal. Eric shares a fun what-if, and Jon is mesmerized watching sorting algorithms. Links: Followup - PF Chang's vs. Panera - https://medium.com/@AkshaySharmaUS/p-f-changs-security-flaw-revealed-following-panera-bread-s-leak-b47fa6a1bba6 Google says: Ignore Those Dots! - https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html When Accountants Don't Patch - https://krebsonsecurity.com/2018/04/when-identity-thieves-hack-your-accountant/ Confidential Data in VirusTotal - https://threatpost.com/malware-scanning-services-containers-for-sensitive-business-information/124802/ Space Jetta - https://what-if.xkcd.com/142/ 15 Sorting Algorithms in 6 Minutes - https://www.youtube.com/watch?v=kPRA0W1kECg

  • 017: Beekeeper Jon and the Half Dead Car... Eric tries hiking and naming colors.

    06/04/2018 Duration: 41min

    Jon chats about his car and beekeeping. Cloudflare's Privacy Focused DNS and an ARM v Intel post. Will Apple use its own chips in its Macs? And poor, poor Panera... Eric tries hiking Multnomah Falls and ends up hiking somewhere else. Jon gets a kick out of colors. Links: If you have an iPhone, use Overcast - https://overcast.fm Cloudflare's Privacy Focused DNS - https://1.1.1.1/ Dot-cm Typosquatting sites visited 12M times - https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/ Beyond XSS: Edge Side Include Injection - http://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Apple Plans to Use Its Own Chips in Macs From 2020, Replacing Intel - https://www.bloomberg.com/news/articles/2018-04-02/apple-is-said-to-plan-move-from-intel-to-own-mac-chips-from-2020 Intel v ARM power reqs - Kilowatt - https://twitter.com/eastdakota/status/976560820611031040 ARM Takes Wing: Qualcomm vs Intel CPU comparison - https://blog.cloudflare.com/arm-takes-wing/ Panera do

  • 016: Boeing, WannaCry, and the Invisible Mask

    31/03/2018 Duration: 28min

    Eric sees Ready Player One opening day. Boeing is hit by WannaCry and researchers demonstrate spoofing facial recognition using IR emitters in a ball cap. Someone built a game using HIBP passwords ("My Little Pwnage"). A personal VPN hotspot and a glowing meteorite ring. Links: Ready Player One - http://readyplayeronemovie.com/ Boeing + WannaCry - https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/ Invisible Mask Attack - https://arxiv.org/pdf/1803.04683.pdf My Little Pwnage - https://mylittlepwnage.eu/ Amplifi Teleport - https://amplifi.com/teleport/ Carbon Fiber and Meteorite Glowstone Ring - https://youtu.be/K2VWLT63_cI

  • 015: Chicken Dusting, What's in Your Blockchain?, and more!

    23/03/2018 Duration: 37min

    What does Zuckerberg mean by dust in the chickens, exactly? If you look at the bitcoin blockchain, more than just bitcoin transactions can be found. AI learns to WIN by cheating. How safe is your bitcoin hardware wallet? Checking out the StackOverflow Developer Survey. Muppets and IKEA. Links: Chicken Dusting? - https://www.theverge.com/2018/3/21/17150270/mark-zuckerberg-facebook-regulated AMD Follow up - https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research What's in the Bitcoin Blockchain? - https://www.theguardian.com/technology/2018/mar/20/child-abuse-imagery-bitcoin-blockchain-illegal-content Serverless and Container Adoption - http://www.zdnet.com/article/serverless-computing-containers-see-triple-digit-quarterly-growth-among-cloud-users/ AI Learns to play Tic Tac Toe - http://www.zdnet.com/article/serverless-computing-containers-see-triple-digit-quarterly-growth-among-cloud-users/ Hardware wallet Security - https://krebsonsecurity.com/2

  • 014: Ethereum, Spyware, and AMD's security flaws

    17/03/2018 Duration: 35min

    MemFixed sends flush packets to memcached servers. Security tools start showing up for Ethereum. ISPs insert spyware into downloads from legitimate sites. Carl joins to discuss the recently disclosed AMD vulnerabilities. Links: Followup - MemFixed - https://www.bleepingcomputer.com/news/security/memfixed-tool-helps-mitigate-memcached-based-ddos-attacks/ Ethereum Security Tool - https://blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/ Government injected spyware - https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/ AMD Vulnerabilities - https://www.wired.com/story/amd-backdoor-cts-labs-backlash/ Two Photos, one millisecond - https://petapixel.com/2018/03/07/two-photographers-unknowingly-shot-millisecond-time/ Numberphile - http://numberphile.com/videos/analytical_continuation1.html

  • 013: Android P and network devices as a critical vector

    09/03/2018 Duration: 35min

      Security implications of Google's Android 'P' first developer preview. Newly unclassified documents from 2016 (likely Shadow Broker fallout). Girl Scout cybersecurity badges and drones in Puerto Rico. Links: GitHub DDoS - https://github.com/649/Memcrashed-DDoS-Exploit Android P security features - https://www.theverge.com/2018/3/7/17088394/android-p-developer-preview-notifications-kotlin-microphone Android ecosystem statistics - https://developer.android.com/about/dashboards/index.html Unclassified 2016 'BOD-16-02' - https://twitter.com/RidT/status/970880435411709952 Girl Scouts cybersecurity badges - https://www.nbcnews.com/tech/tech-news/girl-scouts-fight-cybercrime-new-cybersecurity-badge-n852971 Drones in Puerto Rico - https://www.wired.com/story/drones-electricity-puerto-rico/
