D (3:39)

The part I found interesting with this one is that it's not like she was in there for like 10 minutes or 15 minutes. No, she was in there for like the entire day. And she actually said hi to the principal, I believe, talked to some of the teachers. She was scolded by one of the teachers for using her phone in class. So it's not like it was a short term thing where the security guard caught her 20ft away after she entered the door. This was an entire school desk.

C (4:02)

So she did this just to prove the point that she could.

A (4:05)

Yeah, that she could walk in basically.

C (4:07)

All right, yeah. Cool, cool. That's about as far as that goes. Right. If we all just took that and be like, I wonder if I could do this, we'd all be in jail for something. That was a stupid idea.

A (4:18)

Yeah.

E (4:19)

Realistically, being from Iowa, even if you are authorized, apparently you can sometimes possibly wind up in jail for breaking into buildings even with proper authorization. So you definitely don't want to be doing it without proper authorization.

A (4:32)

The thing that I'm Wondering is. Let's say it went different. Let's say that she was walking around the school and they called in a tactical SWAT team to tackle her, like, handcuff her, drag her out of the building. Would she have been, like, showed up in court or been interviewed and been like, you know what I went through? And I was testing the school security, and I just want to say really good. Really good. Good job, guys. I was. I was impressed. No, this strikes me as the type of person that, if that happened, would be like, oh, this is police brutality and abuse of power.

A (5:08)

It just. Yeah, it just sounds like that this is someone who is looking for attention and she got it, and we're giving it to her.

C (5:14)

I always think it's interesting, too, because when you are doing assessments and you do find something that's, like, egregious or bad, you're like, oh, I can't believe this. How could they, Right? This is ridiculous. And then when you are doing something and they did something right, you're like, oh, okay. Well, I guess that's just one thing they did right. You know, like, you tend to, like, highlight the things that they're doing wrong and quietly remember the things they're doing right. And, you know, sometimes I have to catch myself in those moments. Like, no, no. That really is something that I should be talking about or, like, emphasizing, like, this is. You should continue this road as opposed to just looking at stuff and just being like, I can't believe you did that right then. That's your point about, like, her, how she would respond. She'd be like, well, I was still able to get in, even though they tackled me and beat me up.

A (5:54)

Because she's got to find a win situation. Yeah.

C (5:56)

She's got to find a fallback.

A (5:57)

Yeah. You know, this is what I was trying to do. I don't know. I just think that it sounds like a bad movie with Zac Efron or something. Lindsay Lohan in.

A (6:10)

Done by Disney. And Jack. Jack Black brings us all together with song at the end. And we.

C (6:15)

Let's.

A (6:15)

Let's pass on this story and never talk of this lady again.

C (6:18)

I think you should totally be in charge of casting for that movie, though. You got it.

A (6:22)

I've got the cast already. We're set up. We're set up. You know.

C (6:25)

Awesome.

A (6:26)

So how about we do the world's first malware targeting Windows containers? I don't know who put this one together.

C (6:32)

Oh, containers are bad. Don't use them. Everyone just let go. Just. We.

E (6:35)

It's.

C (6:36)

It's All. It's all bad.

A (6:38)

Oh, do tell.

E (6:39)

Bare metal is the only way to go.

C (6:41)

Yeah. No, I mean containers are coming, right? And whether you want to accept that or not, I think it's irrelevant. Right? There's a lot of use and demand to put containers in environments and continuous integration and DevOps and all this other fun stuff. So they're here. But how you do that and how fast and how it affects security is going to be a continual cycle, Right? It looks like in this article is about kubernetes and the fact that they're running containers on Windows and then being able to gain access to the host os. I mean, everyone, if you don't know when you're running a container, it's just kind of like an isolated process. Like it's not really. It's not a security construct, okay? This isn't, you know, running in a container is not how you secure things, okay. This is actually just how you manage operating or software dependencies. Think of it like that, like containers aren't security, they're just to help you run software dependencies and allow you to work around that. Now, you can implement some things, but if you. We all have to get around this idea that containers create security, they don't.

A (7:43)

The other thing that's interesting for me on this one is step one is the attacker achieves remote code execution through a vulnerability, right? So it's not that. The point of the story isn't that these vulnerabilities exist, because we know that they exist. The point of this story is to basically articulate a lot of the code execution and impersonating other services, establishing command and control, basically going through and checking compromised nodes, checking the privileges. A lot of the things that we would normally do are also present in containers. And I think that that kind of speaks to what you were just talking about, Ralph, where people think if they just move to the cloud, they're secure. And we've seen this again and again. People were like, well, we're going to run Linux and we're magically secure, right? It's like somehow they believe that just by adopting a specific technology, be it cloud, be it container, be it Linux, be it virtualization, all the way back to using a fricking firewall. Every time something like this comes up, the entire industry says, well, this is the way forward and this is what we need to do for security. And I mean, even all the way from Biden and the White House released a statement talking about computer security in the government and where we need to go. They were really big on Zero Trust and they were really big on cloud. Both of which are things that I absolutely agree with. But I don't think that those things are secure just in and of themselves. Like, you actually have to have a plan. You need to have the technology, need to have the architecture, need to have the process and procedures to support that, to actually make it secure. So kick it back over.

E (9:16)

Yeah. And I would also say you have to know how to properly configure it.

C (9:20)

I mean, with.

E (9:21)

With my experience of Kubernetes, I mean, one of the most common vulnerabilities that I've seen and I don't pen test Kubernetes clusters much, full disclosure.

E (9:30)

I've tried to set them up and then I try to break them, but most of the time the stuff I see is just stuff saying, oh, it was poorly configured from the get go, and this says it right there in that second paragraph, that its main goal is to go through poorly configured Kubernetes clusters. So configuration is big. I mean, it goes to the cloud as well. If you don't actually know how to configure your cloud services, you have no business being in the cloud right now.

C (9:55)

Yeah, Kubernetes is a monster. Right. It is a complex machine that you really have to dive in and understand how it's working to properly secure it. If you don't know how it works, you can't secure it. That's how that works. Right. It's big. It has a lot of interfaces, the web management interface, all of this stuff. The other thing too, with just Docker containers in general, most of them run as root. The user is ran as root. That's how they design the container. Because it was the simplest way to make sure it had the permissions on the file system you share. I mean, that's another way too that you break out quickly out of Docker container is that your. The container process has the ability to write some files to a folder as the user root. Right. So it's just. I mean, there's a lot of that.

A (10:40)

But yeah, Yep, absolutely. Okay. Is it. Is it time for the. The show to transition to ransomware?

C (10:47)

And that's it. That's the whole show?

A (10:49)

That's the whole show. We're done. Oh, my God.

C (10:52)

This isn't even the only one too, that's happened recently.

A (10:54)

No, no, there's so many. And that's why we're doing an emergency webcast on this tomorrow. I kind of want to talk about how we got to the place that we're at and who we can actually blame. Hint, it's going to be management.

A (11:08)

But there's. There's a bunch of things like, I can't remember who got. There's like a Japanese company, and then you had the JBS Foods. And then there was another company that just got hit today. And news stations, News stations are getting hit. And then now they're going after schools to the chagrin of hardly anybody. Like, kids are like, school shut down because of ransomware.

C (11:27)

Okay, cool. And they're like, you owe us somewhere. Yeah, you owe us millions of dollars. Like, we could hardly afford the teachers. Dude, come on. What do you want from us?

E (11:36)

All right. She guys here on Tuesdays and Thursdays.

C (11:38)

Yeah, exactly.

C (11:42)

So.

A (11:43)

So this is interesting, this threat post article, because they're talking about the Revil, or Revil Weevil, whatever. Ransomware re evil. But there's. We're missing an E there.

C (11:55)

I know, I know.

A (11:57)

And basically they were talking about their kind of thoughts on the state of ransomware as it exists today.

E (12:03)

Right.

A (12:03)

So with this, you. You know, they're talking about the recent attack impacting JBS Foods was originally directed at a Brazilian entity. And I think for any of us that do pen testing, we're like, yeah, yeah, we totally. We totally can see how that would happen. You know, where you exploit one organization and then you end up in another organization. Because all these organizations are connected. So.

C (12:23)

But it.

E (12:24)

That's.

A (12:24)

That's kind of funny, you know, a ransomware group and like, yeah, we didn't originally go after these guys, but it just fell in our lap.

C (12:29)

It was a Bogo event. Right?

A (12:31)

It was Bogo.

A (12:36)

They also don't know why the United States has intervened in this case, which I think is hilarious. You know, they're sitting around, why. Why are governments getting involved with our illegal activities? This is a mystery to us.

C (12:47)

I don't understand. This is a job.

A (12:50)

I think that that's because they're Russians and. And I think that they're used to the mafia getting involved. So, you know, if you're from Revil, just so you know. You know, for you, it's the mafia. For us, it's the FBI. So just letting you know how that kind of works out. So hopefully it'll be like, oh, yes, I get it. There we go.

C (13:07)

The Mafia got involved.

A (13:09)

Now they were talking about U.S. legislation, and there's a number of states and lawmakers that are talking about trying to pass laws that would restrict ransomware victims from paying the ransom.

A (13:21)

I kind of think that that's a bad idea. I would like to get you guys all opinion on this because, you know, the conventional wisdom for ransomware is you should never pay the ransom because you're just going to make the problem worse. And it's like, yes, so my company is just going to roll over, go out of business, and I'm just going to go to my dying hole and die for the greater good.

C (13:44)

So.

A (13:45)

And I like their approach was it's not going to stop the attackers, right. They're not gonna be like, well, they passed the law, so we're not going to attack the United States anymore. Because what you're going to have at that point is a lot of organizations that quietly, hey. And that's going to shove this whole issue underground again. So I don't know, what are you guys thoughts on this too?

C (14:04)

That's a sticky question because I think you just brought up all the points, right? Like that it would cause people to go underground and to pay. If you had this law, it's obviously, businesses want to stay alive. That is their goal. So if paying the ransom allows them to continue to operate, you know, obviously that's something that is in their best interest. Right. Like they're weighing their pros and cons.

B (14:26)

And how fast can they get back if they hear the reward, if they.

C (14:30)

Yeah, but on the flip side, right, the other side of that, I kind of feel like, well, if we just stop paying them, then the business model stack starts to really suffer. And, you know, you don't have people devoting what they think as a career and building ransomware. Right.

A (14:47)

But if you look at. But if you look at the history of this, the idea of protection rackets, like in the 50s in New York City comes in is like, this is a really nice bakery. It'd be a shame if somebody were to come in here and mess it up. Yeah, yeah. That this has been a racket that has been around for literally a couple of thousand years. Right. I mean, it's just a new variation of it, and you can absolutely make it illegal all that you want, but it's not actually going to solve that problem. I really wish the attackers would go back to just crypto mining.

E (15:18)

Yeah.

C (15:19)

No, I mean, you're totally right, though. Like, making it illegal is not going to stop it. And I don't believe that in any way, shape or form. It's. It's just not going to stop the attacks. Right. I honestly feel like paying them is the wrong idea too. But I totally understand when you're in that moment, you're like, well, I woulda, shoulda, coulda. But right now I have one decision, and that is how do I get out of this situation?

D (15:39)

From a business owner standpoint, if you're hit with ransomware and you're faced with do I, you know, do I break the law and pay the ransomware? Now, who's holding me ransom here? Is it the business, the company who, or, sorry, the, the, the criminals who are trying to get ransom from me, or is it my own government who's saying, I can't pay this? Either way, I'm out of business?

E (15:58)

Yeah, it just creates the rock in the hard place.

A (16:02)

Yeah, it's like, and there's awesome president in governments setting up laws to punish victims. That always works. Every, every single time. Good history on that too. But no, I don't think that there's a clean answer for this. Right. Other than organizations starting to secure their crap. And, and I think with the heart of a lot of ransomware attacks, you're going to see a consistent theme where every organization has security vulnerabilities. Right. But you're going to see a certain theme where some of the vulnerabilities the attackers are taking advantage of are relatively easy vulnerabilities to take care of. And that's going to be one of the things I'm going to talk about on the webcast tomorrow is why is it that you have organizations that we do pen tests for year after year after year after year where we go in and we're like, hey, you know, you got a seven character password and it's bad. And they're like, well, PCI tells us it's okay. We come back the next year, it's like still bad. Actually worse than it was the year before. Or if you look at organizations that have old out of date software or all of these different things that we talk about, like the intro class using two factor authentication, long, strong passwords. A lot of these aren't rocket science to take care of. So what is the reticence? Why do you get the pushback in organizations for that?

C (17:18)

Maybe as well, Maybe this will be the, you know, the push that people need to actually fix it. I mean, because us telling obviously is not enough sometimes. Right?

A (17:30)

And I agree with you. You know what? I absolutely agree with you. I, I think that the ransomware is going to be the push. It's going to be the kick that.

C (17:36)

Organizations needed because it's either this change that password policy, for example. Right. Or go out of business possibly like that. That's kind of like A, you know.

A (17:46)

But a lot of times they're buying. They're buying into the third option, which is they can buy themselves security, right? So if you. If you look at the industry as a whole, and I'm kind of talking about, I guess the webcast is on Wednesday, if you look at the industry as a whole, you have all these different competing factions trying to get attention and trying to get money, right? So if you're looking at an executive and that executive is looking at all these options and who's telling them their options? You have their security team, which is a bunch of tech geeks wearing black T shirts and jeans, and they use weird phrases all the time like, you know, you know, link local multicast name resolution. They talk about metasploit and they talk about all these different types of vulnerabilities and what the hell is a kubernetes anyway? And then you have the idea that, well, here's a company, a salesman shows up and he's wearing the same suit I do, the same shoes I do, the same watch I do, and telling me, hey, we can actually secure your entire organization for just a low, low price of hundreds of thousands of dollars per year. You're going to gravitate towards those people because they're selling you an easy solution, snake oil in some situations, sometimes it's not. And they look and act and walk like you do. So that's kind of where you're going to gravitate towards. That's the way it's been for a long time, I think with ransomware. We're now seeing that hit where they're like, well, I bought the shiny object from the guy that had the Maserati and it didn't work. Maybe I need to listen to the geeks. And I want you all, if you're listening to this. This webcast, I want you all to think about it. Listening to you, it security people is their last possible choice that they want to choose.

C (19:19)

Really don't like him, because heaven forbid.

D (19:21)

The guys who operate and build the.

B (19:23)

Stuff should know what they're doing, know what they're doing, right?

D (19:26)

And in some cases they don't, but clearly.

E (19:29)

But, well.

A (19:31)

And Dale, you've been part of this, right? I mean, you've been right in the belly of the beast where you have this new technology that's foisted upon you, where they're like, dale, we need to secure this by next week. You're like, why did. Why didn't you talk to me before this? You know, we've had These conversations.

E (19:47)

Yeah.

D (19:48)

I've not experienced that more than once or twice a month.

A (19:52)

For years. Right.

C (19:53)

Well.

E (19:54)

And then after that, you have to hire a consultant to come in and say it, so that way they'll listen to you.

C (20:00)

Well, look to the bright side, guys. This would be the last ransomware we have to talk about. You know, this is it.

A (20:05)

Yeah, that's true for this week.

E (20:07)

Yeah.

D (20:07)

There's a moratorium. There's no more ransomware after this week.

A (20:10)

I'm solving this on Wednesday, by the way. Yeah. It's going to take me two webcasts, but I'm going to nail this thing down. We've got solutions to all these things, but, folks, I have to jump off. I've, you know.

C (20:21)

All right.

A (20:22)

Car accidents and things like that that I got to help take care of. So you guys carry on without me.

C (20:27)

We will carry the torch. John.

B (20:30)

Catch you later.

C (20:31)

All right, Later, John.

B (20:34)

I thought it was just going to walk off screen and leave the camera running.

C (20:36)

Yeah, just like.

C (20:39)

Takes his mic off the stand and drops it.

B (20:41)

There we go.

D (20:42)

I for sure thought he was going to do the down into the basement thing.

C (20:46)

Yeah.

D (20:47)

Room with no ceiling.

B (20:49)

We have to make that a requirement next time we. Anybody tags off the webcast mid show, we gotta walk down the stairs.

B (20:58)

Okay, maybe not.

C (20:59)

All right, no more ransomware. It's been solved.

A (21:03)

Here we go.

E (21:04)

I do want to say just real quick.

B (21:06)

Okay. Bringing it back. I'm sorry, we can't just get away from the ransomware. Every time we try, they bring us back in.

E (21:15)

It just. It just. The one thing that grates against me with this whole thing is this is also. This conversation could also be applied to your phishing testing as well. Just a little bit. I mean, if you management are watching this and you're saying, like, oh, this isn't fair. If they do this, I might have to consider going underground and not telling people. If you're one of those people who, like, forces your employees to do terrible things after they fail a phishing assessment, you're just as bad. This is. This is the exact same conversation in that sense. I've always been more of a believer that you reward the employees that do well versus punish the employees that don't do as well.

A (21:50)

Anyhow, I'm done.

D (21:52)

Think about, like, training a dog. You reward the good behavior and ignore the bad.

C (21:55)

Well, don't ignore it.

E (21:57)

Or you make a mean dog by beating it every time it does something bad.

C (22:01)

And then that.

E (22:02)

That gets a mean dog who doesn't like you. And that's what happens. So, yeah, that's all. I just had to get that off my chest so we can go to the next step.

D (22:09)

And realistically, if you just keep punishing them, eventually they just don't tell you about it anymore.

C (22:13)

Right.

E (22:17)

Just saying, like in this one instance, the management's kind of getting a taste of that medicine. And if you're one of those managers or one of those people writing those policies, don't do that. It's not good.

B (22:27)

Van Buren. Who knows about Van Buren, But I.

D (22:30)

Had another thought about the ransomware.

B (22:32)

Oh, of course, of course. Van Buren is a victory against overboard interpretations of the CFAA and protect security researchers. So we had a little bit of a discussion about this earlier. Who wants to re summarize that?

C (22:47)

I think this is about the exceeding authorized access in the Computer Fraud and Abuse Act.

B (22:54)

Get your hand out of your face.

C (22:56)

Yes. Can't hear you. Sorry.

C (23:00)

Yeah. So this gets down to kind of the sticky of security researching and stuff like that and how that gets put up in the law. Right. And how it gets interpreted and whether we're allowed to do it or not because we got access or not or what.

B (23:17)

That's sort of related to the Texas lady in a way. In the roundabout way, in a way, kind of.

C (23:24)

Yeah, yeah.

B (23:27)

It really.

E (23:27)

It sums up to just like how, like I said, in some senses, even if you have all the law on your side and you're doing a physical test, like, you don't you want to make sure you have the law on your side and in this case, like, helping spell out where the law is. And I'm telling you, you don't want to ride up, like, right on the edge of this line because that line.

C (23:45)

Still is very gray.

B (23:47)

So get all the lawyers involved if you have to.

E (23:51)

If you have to.

C (23:52)

Yeah. I think we're going to keep going back and forth on this. And it sounds like in the article that there was some wins here, wasn't all bad. But the idea of how we sum up what we can and can't do and whether that was authorized and stuff like that. And I think as the years have gone by and more of this is more security researching, more vulnerabilities, more ransomware, all this other stuff. Right. How we define that law, where the line is. Right. And who's allowed to do it and how I think is we're going to see more of that. Right. The EFF is obviously kind of at the forefront of some of this stuff. Right. So pushing for these legislations.

E (24:32)

Yeah. And I think also if you ever find yourself on the wrong side of that line, you can actually contact the EFF and they'll help you get a lawyer. So just as a note.

C (24:41)

Yeah, for sure.

B (24:43)

Microsoft is getting better security as they should end to end encryption for voice calls.

C (24:50)

This was like my first thing that I hated about teams when it first came out. I was like, there's no end to end encryption. It's just like it's wide open. It's just. I mean, it's Skype but in an electron app. Really.

B (25:03)

But it's Skype but different.

C (25:05)

Yeah, it's Skype, but very different. Skype never left though. I'm immediately going to go up and just say like, how much encryption did we get here? I know Zoom kind of gotten caught up, caught up in that one about end to end encrypted and stuff. But all of our chat platforms should be moving to some kind of end to end encrypted. That should be their goal. Right. That's the ultimate kind of at least, you know, getting to some level of privacy where you're not just saying we are a secure company who does regular security test. And that's why you should trust us.

E (25:40)

Right.

C (25:41)

You know, encryption we. In encryption we trust kind of thing. Yeah. End to end encrypted is probably like the first thing you should be doing. And then there's a lot of other. I mean, we have a bunch of other chat platforms that have came out and you know, like Keybase is one that does end in encrypted and that was from the very Get Go Telegram. Even though I kind of not totally trust their rolling their own crypto type thing. But still it's out there. But yeah, a lot of the platforms have moved to this, so it's not surprising that Microsoft would be moving to that. But yeah. What do you guys think?

E (26:12)

I just think it's funny. I had it in a time where I was talking to someone, they're like, oh no, we're going to leave Zoom because they don't have end to end encryption. We're going to go to Teams because they just. There's like a large number of people who thought teams already had this technology.

C (26:27)

SSL is not end to end encryption. That's not how that works. Okay.

E (26:33)

For those who don't know, yeah, like.

C (26:36)

Ssl, it's just a bulk. Like SSL is just bulk encryption of the traffic and has nothing to do with the message inside. Meaning all of the message inside can be read by.

C (26:47)

The service provider you're using. They can read all your messages, mine them, do whatever the hell they want with them, make them endlessly searching. I'll give you a couple examples, like the prime examples of those that are doing this right now. Slack, for example, Discord is another one. None of that stuff you should ever send any like, or expect any level of necessarily privacy from those platforms. I'm not saying that they're bad or they're out to get you. I'm just saying that all of that is searchable by their platform and they can use that for whatever you, whatever they want. And think about it, both of those platforms are pretty much free until you get into like large groups or large amounts of traffic. Right.

E (27:25)

That's.

B (27:26)

No, that's kind of a feature of the platform too, is that you can search back the history. So.

C (27:33)

Yes, yes.

B (27:34)

And if you don't want to, you know, kick the dead horse sort of things, you can go see if anybody else is talking about it.

A (27:40)

It's like.

B (27:40)

And catch yourself up.

C (27:42)

Yeah. There is a real use for public conversation. Right?

B (27:47)

Yeah.

C (27:48)

Everything doesn't need to be like, you know, when we, when we communicate. Right. You know, some of that is meant to be in the public. I, I said this and I will share it with anybody who wants to read it. Please, you know, reply to me and you can share your message with anyone else who wants to read it. There is a place for that and there is a very good use for it. There's other communication though, that you expect or would hope that you have some level of privacy in.

E (28:11)

Yeah.

B (28:12)

So you just got to be smart about what you say in what channel.

C (28:16)

Yeah.

B (28:17)

And also common sense sort of thing.

C (28:19)

Yeah. In the end to end encrypted platforms like Keybase and other ones, you can pretty much still search those platforms because you can decrypt all the messages that were sent to you because you shared the key and so on and so forth. So, you know, there is still search in those platforms. So encryption does not mean the end of search. But I will admit that it does complex or make, make it more complex to implement some of those things or to do some of the other things like predictive or like, you know, how it predicts what you might be doing or, you know, other kinds of AI. I'm going to use in air quotes here.

B (28:51)

Bots, you know.

C (28:51)

Yeah, bots. Yeah. So in Keybase, the way that they did bots is that bots can only see messages once they get keyword that the bot would get interacted off of. Right. All the other messages, it actually can't decrypt. So then that way a third party can create a bot and you know, it actually can't see any of the chat except for when it's been flagged.

D (29:10)

So before everyone goes and gets too excited about it, there is a couple caveats with this. Implement with teams implementation of this as well. First one being that it's only for one to one voice calls. So no calls, no video calls. And also the other thing is if you're, if you're running teams, like the web version of teams, it's not Cryptid. It's only available on desktop, mobile, iOS and Android. As of right now. Well, as of when they roll it out later.

A (29:35)

July.

C (29:36)

July, yeah, yeah, that's usually how it goes. As soon as they have, they're like Indian encrypted, only for one to one phone calls, only for one to one messages and that, you know. Yeah.

D (29:47)

And the example they gave in one of the many articles about it was specifically for when it folks are sharing passwords with users. Sharing their default password or whatever. Which is great, but surely there's other ways you can get them their password than sending it over at chat.

B (30:05)

Like email.

C (30:06)

Yeah. The only way you send sensitive information now is only through email.

B (30:10)

It's through email.

C (30:11)

Yeah. It's like faxes, very secure.

B (30:13)

Only a fax might be very secure.

E (30:16)

Right now if I want to send something super encrypted, I'll send it PGP over carrier pigeon.

C (30:21)

Yeah, there you go. One time pass, man. One time pass. You can't crack me, hack me.

E (30:26)

You have to intercept my carrier pigeon first.

B (30:28)

Speaking of passwords.

C (30:31)

Oh, yes.

B (30:33)

Post or whatever it is about password manager.

A (30:35)

Yeah.

C (30:35)

So this is. Yeah, so.

C (30:40)

Tavis wrote a R in there. No, there is not wrote a blog about password managers. And so I have a sneaky suspicion that he's probably doing some research on password managers and kind of wanted to get it out there. His opinion on it. He kind of goes over, you know, one of his big things is that he hates it when people. One of the. One of the most popular things to say is hey, you know, just get a password manager. And he kind of goes into the fact that that's kind of like a broad statement and it doesn't necessarily cover all the angles. He also gets into a lot of the browser implementations of password managers and how they kind of break sandboxing and other things like that. The too long didn't read would be that he recommends that you just use the password manager that is built in something like Chrome or Firefox. As opposed to a third party password manager. And you know, one of his other big gripes is that obviously anyone who could compromise that company or any of the servers in between there, they would be able to read your passwords. Right? How much of that comes out to be true? This is kind of going back and forth and then the bigger question that goes along with this is when a lot of people say, hey, you should be using a password manager, I think what they really mean to say is stop using the same password. But his point is that some of these password managers don't necessarily bring as much security as you may think.

D (32:07)

I guess the beef I would have with this is that one of the allures of a password manager, like you said, is not so much just about making sure people aren't using the same password, but being able to synchronize those across multiple devices. So if I've got a 26 character password of random letters and numbers on my computer, that's all great, but when I gotta type that into my phone, that's a pain in the ass. Which is where the password manager really.

B (32:29)

On your TV helps.

D (32:32)

And that's where one of the areas where the password manager really comes into play. I mean it's multi feature multifaceted I guess. But I can see where it's coming from though. But there's got to be a usability factor.

E (32:42)

Yeah, I do. Question is, what if this still applies when considering. Okay, so let's say I use Chrome, Chrome's built in password storage and I link that to my Gmail account and then I sign into that from my Android phone. Is that still considered better than using something like LastPass or something like that?

C (33:02)

In the article he says that they have better security teams. Pretty much. She was saying browser implementations are better. The other thing is that they don't break any of the sandboxing models, which extensions kind of do. In the sense of how the cities password managers work. They do break out of the sandbox. It's not, it's, it's interesting. It's a pretty short blog for the statements that he's making. I'm pretty sure that he also probably has some vulnerabilities that he is going to either release or disclose with some of these password managers.

B (33:36)

He's leading up to something then.

C (33:38)

That's, that's my guess. I mean maybe he doesn't, maybe he doesn't want to go through this disclosure process because it's a pain in the butt and I'm sure he does it all the Time, I don't know if he necessarily was out to kick down password managers. I think he was just trying to talk like general, that they're not the end all be all from security and that they can have some of their own vulnerabilities as well. We all tend to kind of think, and I know me personally, that it's still good to use a password manager because of all the other benefits like you said, the syncing, all the. A lot of those things and in any security model there's no 100%, you know, certain and all this other stuff. In addition, in any of those like password manager models, anything that's very secure, you should also be using some other type of authentication. So that two factor authentication model where you're using some not cellular based but. Or when I say not cellular, not SMS based but some other kind of authenticator app on your phone to get push notifications, other things like that, that kind of helps to alleviate some of that. But I don't know. It's tough, right?

E (34:37)

I like the conversation piece for sure. My biggest thought is that I just don't. I question, I question it a little bit and solely for this one scenario, I guess. But. So let's say I use Chrome with my. And I link it with my Google account and then I linked out my Android phone and I also use Google single sign on to TikTok and authorize OAuth tokens to my Google account and then I do that for everything else that will let me use a Google+OAuth token. Like is it really more secure at that point? Like I don't, I find that harder to believe. I don't feel like people are super secure with their Gmail in general, if that makes sense. Like I feel like that. Like the nice thing I can say is that to an extent if I know someone's using a password manager, that account is usually separated in a sense. Yeah. And by the way. What? I don't actually use TikTok. That was just the first thing that came to my mind.

C (35:32)

Forget password managers, you use TikTok.

E (35:36)

This conversation is digressed.

C (35:39)

How old are you? Jesus.

E (35:41)

No, I'm 12 actually.

C (35:43)

Yeah. Yeah. Let me show me your TikTok dance you've been working on, man.

B (35:49)

It's actually a great way to share some security tips and get an audience to be on TikTok.

C (35:55)

Yeah.

B (35:55)

That's so hot right now.

C (35:57)

That's. That sounds like a dumpster fire. But.

C (36:02)

Gosh.

E (36:03)

First security tip for those on TikTok, stop using TikTok.

B (36:06)

Yeah, there you go.

C (36:07)

Don't do that. He did say in the article that he still recommended things like Keepass and Keepass X, which I thought is super funny when I read that because. All right, so check this out. One thing that I've done on plenty assessments is that there are a couple different public frameworks for extracting the master key from keepass. Right. And the thing is, this is actually not anything to do with keepass particularly, but whenever you unlock one of your password vaults, the key to unlock that vault is in memory. If you know where it is in memory, you can extract that and then you can use that to gain back access to that keepass. Right. And so a lot of engagements I'd be on, I'd find someone who was using keepass, I'd wait for them to open it, I would extract the key from memory, and then I would download the Keepass file and get access to all their passwords. Right. Because it's on disk and all this other fun stuff. So it really does depend on your threat model. What I did think was funny is that some of the other password managers, like One Pass, lastpass and other stuff like that, there's not any public ways to extract the key. Even though I'm not saying you couldn't do it. And in fact, functionally, I'm sure you could. I just thought it was funny because keepass has a pretty big public one because of the way it functions and the way that, you know, the passwords are saved onto a disk and, you know, being able to stretch it from memory.

E (37:28)

Yeah.

C (37:29)

What's your. What's your threat model, man?

E (37:31)

Both of those, actually. You can exploit DP API and get the key out of them.

C (37:35)

Oh, yeah, Chrome. You could just extract all the passwords out of Chrome, like just straight in memory. So what is your threat model? Right. Is it someone on your system? Is that what you're protecting against? Because does using the browser password manager protect you from someone compromising your system? System. Right. And extracting it from memory? It does not. I can tell you that for a fact. But that's not what this was about. Right. And so where are you down the line? Like, how screwed are you? And how would they continue on? And I don't know if necessarily the Chrome one would help you that much more.

E (38:08)

Yeah, there's a point in which you just start writing all your passwords in a little book and against your side locked in a box.

C (38:15)

Yeah. And that's also when we want to talk about password managers and just passwords in General, that's when we started. That's why we use a lot of authentication one time authentication systems, the second factor, the third factor, whatever, so that we can control that in a time period. So it's not like you get this and then you have access forever. So. And that's why those authentication methods work or, you know, are implemented so that you can that password can be compromised but still not allow for immediate access. Right. I keep all my passwords in Excel, but I password protect it with super Secret password. It's password1. But this is not important for everyone who wants to just either rament about the fact that you write your passwords on a notepad or be upset that you use a password manager and Tavis doesn't approve. Go read that article.

B (39:04)

And that's the last leak we got.

C (39:06)

Oh, that is it.

B (39:08)

Do we want to add anything?

C (39:09)

Oh, no, I didn't have anything else. Did you guys have anything else you want to talk about? More ransomware, possibly. Just to really drive it home, I guess.

E (39:17)

One thing to say about Excel is I once knew a guy who protected his Excel document full of passwords by spelling password backwards and storing it as that. So there's a cool trick for those who don't know.

C (39:28)

Oh, yeah, yeah. Keyboard logs. Yeah. I was on engagement once speaking of Excel, and they had like sent some Excel document to each other via email and we got access to that Excel document and they had password protected it. Dude, I threw Hashcat at the thing for like a week, dude. And I still couldn't get that password, man. So I have no idea what they did. But it was good. I have like 10 billion password word lists, right? And then with permutations and rules and all the other stuff, I have no idea how many guesses I made at that. But anyways, it works.

E (40:00)

Maybe that was your problem, though. Maybe you had too many passwords and the password was really just password1, which is @ the bottom of your.

C (40:05)

List. No, trust me, I tried that one. Probably all permutations of password1.

C (40:12)

All right, well, if that is it, thank you everybody for joining us for Black Girls Information Security. Talking about news and we'll be back on.

B (40:21)

Monday. No, we.

C (40:22)

Won'T. Whoa. Oh, we keep switching it up. So it's just like.

B (40:27)

Roulette. Next week is.

C (40:28)

Reno. So we're gonna be there. I should be flying.

B (40:31)

So. But we won't have a newscast next week because we have our Reno Way west event. So the following week we will be back on.

C (40:40)

Monday. We'll be back. Well, definitely check out the.

B (40:44)

Wildlife. No news will happen all next week, I.

C (40:47)

Promise. No, no, it'll be like three more.

D (40:50)

Ransomwares. Well, yeah, John's fixing malware ransomware this week, so there shouldn't be.

C (40:55)

Anymore. That's right. That's right. So everyone show up to the webcast. Is it Thursday or.

D (41:00)

Wednesday?

E (41:01)

Wednesday.

C (41:01)

Wednesday. Yeah, show up on Wednesday. I'll be there. I'm gonna take notes. And we're. We're gonna fix. We're fixing ransomware.

E (41:07)

Again. I actually think we'll all be there. Yeah, I know that me and Dale were also on the.

D (41:11)

List. Yeah, I'll be there as.

C (41:12)

Well. Perfect. Well, everybody have a good week and a half. And hopefully no more.

B (41:18)

Ransomware. Not. Yeah, none. We have a.

C (41:21)

Quarter. All right, let's take it.

B (41:24)

Out.

B (41:41)

I stopped hearing everybody. I think my Firefox broke. I'm just gonna leave.