![Year of the [European Union] Linux Desktop Finally Arrives? | BHIS - Talkin' Bout [infosec] News 2025-06-30 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
Wade
Okay, Wade, I see you drinking out of that cup. Is it from Starbucks?
Charles
Yeah, dude, I needed my caffeine fix.
Wade
I don't know.
John
Oh, man.
Wade
First of all, it's from Starbucks, okay? So my question is this. Is your name written on it with the Sharpie?
Charles
Poorly, poorly, poorly.
Wade
This is like, part.
John
Oh, wow.
Ethan
Oh, you use your real name. You don't use an alias.
Charles
It's Starbucks. Like, wow. Wait, my thread. You can Google me and figure out most of my life like, that Starbucks ain't gonna. The barista. Knowing my name is probably a positive because they just start making my drink when I walk in.
John
You know what's funny? They actually just sit. They actually don't even put my name on it. They just put happy spaces and smiley faces. That's all they put. So you get your name written on it. I get smiley faces.
Wade
So that's the question. So this is like the new Starbucks thing, is they're writing their. They're writing on the cups again. They bought like 200,000 Sharpies or whatever. It was like a news article, and now they're writing on the cups. Did this affect anything at all? Is there anyone out there who's like, I only buy coffee from places that write on the cups with Sharpies.
John
Oh.
Wade
We got another cup. Fake name.
Charles
Now you know.
Wade
Now you know your fake name of choice.
John
R2D2. Your drink's ready.
Wade
How do we know?
N/A
How do we know that's not her real name and the name she's giving us is the fake one?
Wade
R2D2 is pretty funny. I don't know why that got me. All right, roll the finger. Let's go.
John
Let's go.
Wade
Hello and welcome to Black Hills Information Security's Talkin' Bout News. It's June 30th, last day of June, I think. I don't know how calendars work, but welcome, everyone. We're going to talk about, well, the news, obviously, but these stories. This week we've got Microsoft Direct Send being abused in phishing campaigns, which, I mean, this technique is near and dear to our hearts as the original publishers of the blog, in my opinion. We have European Linux discussions, and that's why we have Charles here to talk about Linux, even though he's actually BSD Bandit, not Linux Bandit. But pull out. We have. And this is Wade, and I DM'd about this a little bit.
Charles
Yeah.
Wade
Once again, I'd like to kind of mark the occasion. Like, we need some kind of ceremony. Like, does anyone have confetti or anything?
Charles
Who's on a map Everybody, everybody do the mat symbols to see everyone, right?
Wade
Oh, yeah. How do I turn on... Anyway, basically, it has once again happened: restricted and leaked data on the War Thunder forums.
Charles
We just barely missed it last week.
Wade
Barely missed it, but we're still going to talk about it because it's hilarious. And I texted Wade this. I was like, I think this is the best way to mark the passage of time. Like, yeah, it is. I don't know if it's another year or another, like, what the time frame is, but it's another year. Like, it's another time for leaked data on War Thunder forums. Classified data. It's just so good. Yeah, John Strand's not here. He's actually waiting in line at Starbucks for a fake name. He's never going to get his drink because he accidentally gave them a fake name and then he forgot what name he gave. So, yeah, I think we can start off with the sensitive screenshots article. It's just the first one in the list, basically. This is nothing crazy. We probably won't spend too much time talking about it, but there is evidence of an info stealer that extracts sensitive data from screenshots on people's phones. I'm assuming it's iOS and Android, so I don't think there's a desktop version. And these malware architectures are such a disaster. There's totally a possibility that there's a desktop version and no one's really figured it out yet. But basically the concept here is people would screenshot their crypto phrases, their key phrase, you know, which you can use to recover your wallet. But that phrase also basically functions as your identity, so you can easily just extract that key from a screenshot and then steal someone's cryptocurrency.
Charles
A lot of apps ask for photo permissions too, just like to view your photos. And it's not. Honestly, it's one that doesn't sound as sensitive. Right. So you're just like, ah, okay, yeah, whatever.
Wade
One of the things I like about iOS is every time you open an app that has full photo access, it's like, hey, hey, do you want to do this photo access? Are you sure you want to keep giving it full photo access? So I like those kind of reminders because then I'm like, I open some random app and I'm like, no, absolutely not. Nuke this.
Charles
How often do you go through your phone apps and look for, like, weird stuff in there that like, or. Or apps you haven't used in forever and Delete.
Wade
Not often enough. That's a good point.
John
Um, I do it once a month.
Charles
Once a month you have a calendar invite for it.
John
Yeah, I, I actually do. You know what? I actually do actually.
Wade
Good luck hacking BSD Bandit.
John
Look, I actually have a calendar is. It says I'm. It says, Charles, clean up your. Literally that's what the email.
Charles
You know, Charles like walks around the house for hours after that. Not just he's like, what am I doing?
Wade
What?
Charles
There's a whole checklist that.
Wade
What am I doing? Yeah, that's funny.
John
You download apps because you download apps, you play with the app for like a few and then you forget about it. You know, I think you know that. And that just goes with, like, just Mobile Security 101, right? So a lot of times, a lot of users, they'll just update to the latest version of iOS or Android, but then they forget about the applications and wonder, hey, why do I have malware on my device? You have to update your OS and your applications as well, right? Because you could have a rogue app that's so out of date that it's just riddled with bugs. So I always just make sure, like once a month, I'm like, oh, let me make sure I've got the latest update. If there's no update, then no harm, no foul. If it needs to be updated, it's done and it's just a click of a button.
Wade
That's really smart. I should do that.
Charles
I recently grabbed got a phone for my son, right?
Wade
Like two. What are you doing?
Charles
Perfect. Good job. Look at you.
John
Oh, wow.
Charles
Well, so we were on vacation. I needed something to throw at him to take his attention for a 10 hour.
Wade
That's what iPads are for. Yeah.
Charles
So I gutted an old Pixel, took out all the apps on it, right? And then slowly brought it back up. Like, I took out cell, no cell service, all connected to Wi-Fi, and started installing a couple of game apps that they have for kids. A lot of the game apps for kids don't have ads built into them. Some of them do. But I realized as I'm installing games that a 2-year-old could play, trying to figure stuff out, a lot of these apps require data, a lot more data than I thought. Like, when did Fruit Ninja start requiring an online connection?
Wade
Right? Oh yeah, of course. Cause they gotta be able to throw those ads your way.
Charles
It's ridiculous. But yeah. I couldn't believe how many apps I could get rid of before the phone took a shit. Like, it was just like anything that it would let me delete, and some stuff that I shouldn't have.
Wade
Sure. No, I mean, I think it's a good idea. I will say one of the workarounds, I'm not an expert on Android, I don't know if this works, but on iOS you can actually completely remove photos permissions and you can still share photos. Like in Discord you have no photos access. But then if you use the share functionality, so you go to the Photos app and you share, it's like a one-way trip. It can't access your photos to pick a photo, but you can go from the Photos app to any app. I don't know if that works on Android, but it works on iOS.
Charles
I have never heard that. I like that functionality though. Like that's cool. What do we call that? Like one way messages everywhere or one way share?
Wade
Yeah, it's like you're allowed to share from Photos but you can't view all your photos in Discord. Like, if I go to select "attach a file," it doesn't see anything. But then I can just hit a file and hit share.
Charles
So on the other side of this, how many times do you guys actually have photos of sensitive data on your.
Wade
Well, I mean on my work computer, that's my screenshots, man. That's all pen testing data forever. Right?
Charles
Like we'll say on your phone though, not your computer.
Wade
On my phone. No, I mean define sensitive data. A seed phrase never. But like a screenshot of an order, like a receipt or QR code or something. Pretty often, like if I'm like checking in, I mean, I guess it's not really sensitive, but if I'm like going to an event and they need a QR code to check in or something like that.
John
I mean that makes sense.
Wade
Yeah, but not much. Not much you can search through. I wonder. I think there's a way in, like, the photos library, probably, to see screenshots. There's probably a separate folder for that. So you could go through those and clean those up. That's like 90% garbage in there, right? There's no way that's actually useful.
Charles
There's been times where I have definitely used it because there's a functionality that I can't copy and paste or something like that. So what I'll do is I'll take a picture with my phone and then OCR it out and then message it to myself.
Wade
Right, okay, you're stealing your own data.
John
Look at that.
Charles
Yeah, it's my own data. We'll say that.
John
Right?
Ethan
Well, it seems like every time we book an appointment to take one of the kids to the doctor, they require that you take a picture of your driver's license and send it to them over your phone or whatever you're. I'm usually on the phone because I'm so busy, but I won't do it. I just won't do it.
Wade
That's totally fair. Yeah. I mean, that identity verification, we've seen, even we've talked about on this show, those identity verification services getting breached. Yeah. I mean, I think in general, I will say just as kind of a shout-out, doing OCR on stolen images is nothing new and it's pretty cool. It's definitely good from an intelligence perspective to be able to do OCR. Like, DLP should be able to do OCR. I noticed actually Flare, which is the dark web tool we use, they do OCR on images. So we've actually found check fraud and stuff where we'll just search for our customers in OCR data and it'll be like someone posts a check pretending to be the customer or something like that. So it's pretty cool. There are security applications of OCR in addition to, you know, hacking applications. That's pretty awesome. But anyway, review your permissions on your mobile devices and, you know, definitely on desktop too. Don't take screenshots of sensitive data. The article has some good recommendations. I mean, obviously, like, you know, how often do you review your apps? That's tough. But the biggest thing is don't use screenshots to store sensitive information at all. Just use something else to store that. Anyway, I like how they named...
John
I was about to say I like how they named it SparkKitty. That was a cool name.
Wade
SparkKitty. Let's talk about Direct Send. So this is a post by Varonis. Basically, Varonis is like a... I don't really know what Varonis Threat Labs is. I don't think we've ever covered something from them. Is it an MDM? I thought it was like a ransomware... I've seen it used mostly for ransomware protections. Like, people have it for... is that what it is? It sits on your file shares and it monitors for mass encryption and stuff like that.
Charles
That's totally wrong. A unified whatever. Don't give them ads. Anyway, basically there's a...
Wade
They also have a Threat Labs division or whatever that posted this. So, Microsoft 365 Direct Send. This is something that we use on every Black Hills pen test, at least where the rules of engagement allow. We published a blog years and years ago called "Spoofing Microsoft Like It's 1999," which, let's just say, made some trails and made some people angry. But yeah, I mean, the technique is actually laid out really well in this Varonis post. It's essentially a component that's enabled by default with the smart host. What you can send is essentially internal email spoofing. So we'll send our clients an email as another employee of the company. It looks totally legit, and that's kind of the risk. Definitely turn this off if you haven't already. But it is interesting to see how threat actors are using it in the campaign. I thought the payload they were using was pretty interesting. It's like a PDF saying, oh, you received a voice call or whatever, PDF...
Charles
Of a QR code, for credentials. I was like, man, if you're gonna get past all that stuff by using that, like, come on, you earned it. But I wasn't expecting it to be so many steps. Yeah, but the QR code is pretty gold. It's usually pretty hard. Once again, something else that you usually need OCR to recognize.
Wade
But yep, yeah, I mean, it's a cool campaign. I don't know how successful it was or not, but we definitely strongly recommend if you don't know what Direct Send is, to go and look at it and fix it.
John
How.
Charles
How often does it work when you guys test it?
Wade
I would say probably half the time it works. But the thing is, when it works, it works so, so well. Like, ridiculous. It typically bypasses... here, I'll post the blog post in our Discord. When it works, it typically bypasses all filters. So all this stuff about QR codes and PDFs and stuff is maybe a little bit unnecessary. But yeah, it's one of those things that either doesn't work or it blows the customer's mind. And they're like, I'm mad.
Charles
And it's just like one flag, right? Literally, at least in the detections in that, it said there's one checkbox you have to flip in order to block it.
Wade
Right? Exactly.
Charles
I had never heard of this attack, too. So I was reading it pretty...
Wade
Yeah, yeah. I mean, obviously it applies to people who use the Microsoft 365 suite of tools and software. If you're a Gmail user, you probably don't even have to worry about this. But yeah, it's kind of interesting. Definitely disable this. It's something we've been using in our campaigns for years. All right, let's talk about Linux, BSD. You ready? You got your kernel compiled, ready to go?
Charles
This one is so good. There are some distros in here that I am so surprised exist.
Wade
So, yeah, so the article... this is kind of building on a couple of weeks ago when we talked about some European city switching all their computers to Linux. Yeah, I think, you know, basically the theme here is European governments are de-Microsofting themselves or distancing themselves from Microsoft. Every article kind of gives different reasons. The best reason I can tell so far is in the article it basically says, you know, we can't have our government's security, not just security, but our government's integrity affected by an American company. Right. So part of it is the current political climate where angry orange man might just decide to turn Microsoft off one day or whatever. That's the theoretical possibility. I don't know how realistic that necessarily is. But the bigger thing is, if you're a European government, all these features nowadays, you're relying on cloud stuff, like AI stuff.
John
Right.
Wade
They can definitely cause, you know, data from European countries to leave the European Union and end up somehow in America or in, you know, Microsoft tools. But I don't know. That's the fear.
Charles
I guess I was just surprised that some of these cities have their own distro and then maintain it. Yes, they do have. Right.
John
Which is amazing.
Charles
Pretty big. That's an amazing feat. Like, I was like, okay, one, Munich. That's pretty cool. But then a couple more pop up and I'm like, this is crazy.
Wade
It is.
Charles
Why doesn't it do that?
Wade
I would guess it's like they have a Packer build or whatever that's like, take Ubuntu, add our stuff to it. I would guess there's not a ton of modification happening. It's not like a completely forked branch. But it does seem like they're going that route. Right. So the one example they give is France's Gendarmerie, I don't know how to say that, which has 100k computers, 97% of which are on their own Ubuntu-based distro. But then they're also talking about having, like, EU OS, basically, which is going to be based on... I've never heard of this, Kinoite, which is... I don't know. What is it?
John
To me, I've heard of it. It looks like more so just another Linux that's getting cute with the KDE desktop. I mean, okay, that's pretty much it. Like, here's the thing with a lot of this stuff, right? Okay, that's great. I feel like I'm reading something from, like, 1999 and the early 2000s, let's be honest. Because everybody always had that "we're going to get away from Microsoft" attitude every day, right? You know, and we had a lot of one-stop shops where you had one person who was just anti-Microsoft. He was a sysadmin. You had your DNS, you had your Apache, you had your Squid, you had everything 100% Linux. Until one day email stops working or something stops working in Linux, or a power outage happens and then it doesn't boot up properly and then you have issues with the kernel, you know? Yeah, I mean, I'm not 100% on the side of Linux or Windows, but Windows does get some things right, right?
Wade
What.
John
I'm saying, don't clip any of this. Look, I love... Listen, I'm a huge fan of the BSD mix altogether, right? But here's the thing. What are you going to do about email? Right? Yeah, you can use Gmail and everything.
Wade
We got SquirrelMail.
John
Okay. SquirrelMail. Okay. And then we're going to use Mutt for the actual email clients, right? We're all going to use Mutt. Right? Let's break it down here.
Wade
Hold on. For those that don't know what Mutt is, let's just run through some of the features of Mutt.
John
Oops, my, my beard is showing.
Wade
So Mutt. Mutt is a command-line email viewer that doesn...
John
Look, we gotta lock it down. Let's lock it down all the way, right? Let's. Yeah, we're gonna go all the way with it.
Wade
I will say, my concern is, I think, specifically around... So here's my thought, and this is like, I'm totally guessing. I don't know exactly how they're implementing this stuff. There was a person who reached out to me after the last show and kind of gave me some info about specifically how France is doing it, which I'll read off some of that stuff. But I think, if you approach this from the angle of "we have to have all the same features in Linux that we have in our corporate environment," I think you're screwed if you try to have video calling, Teams, AI, like all of the stuff that Microsoft does. Microsoft Word, Microsoft Access, Microsoft Project, Microsoft this, Microsoft that. If you try to bring all the tools and suites of software, then you're screwed. But I think what they're doing is they're cutting down the services they provide to a very small number, like desktop services, email, documents, and that's it. And then everything else would be SaaS. Right? Like, I'm assuming for project management, I'm assuming they're not using, like, an open-source version of Kanban or whatever. They're probably using Monday or Jira or whatever. Right.
John
So it could work though.
Wade
Yeah, it's like if you cut your corporate IT down to almost nothing and then you have SaaS for everything else, not Sunburn as a Service, Software as a Service, then I think it actually works. Like, that is what they're doing.
Charles
But on that side point, you go straight Linux, right? I think there are a lot fewer people who know Linux comfortably enough to manage it, as well as to do security on it, at least from a blue team perspective. Like, I don't think... it's my personal preference. It's not that much harder. It's just a couple more things to learn. But a majority of security people definitely know a lot about Windows and just some about Linux. And there are certain security features that you're just used to using on Windows that you then really have to figure out how to use on Linux. So that jump is also something I was thinking about. Like, how would I go about defending this entire Linux environment now?
Wade
You know what?
N/A
Here's one more thing to think about.
John
Yeah, go ahead.
Wade
Office.
N/A
Office nowadays is available through the browser. You could go ahead and be on Linux and still use Microsoft Office if.
Wade
You wanted, not if you wanted features.
John
I mean, yes, features are not available.
Wade
Yeah, yeah, you can't share your screen.
N/A
But if what you're looking at is a compatibility issue or something to switch over to, you're still going ahead, because you're still not getting those features if you're using the native Linux on it. Especially if you're dealing with somebody that is going ahead and you're trying to interconnect with somebody, say, in the US.
Wade
And have a team. They use LibreOffice, they don't use Microsoft Office. Part of this is also... So I think from their perspective, the biggest problem is the cost. The cost is huge. The cost of having Microsoft Office licensing for 100k users is massive.
John
Right.
Wade
And they're worried about the sovereignty of it. If you're a German state and Microsoft goes down and you can't, you know, do German stuff, then what do you do? Kind of a silly thing from a sovereignty perspective. And I get it. But I mean, obviously, we could talk about it forever and forever. It'll be interesting to see how it plays out. They recommend so many different... like Wade said, this article has so many different distros. Oh, are they gonna use openSUSE, or are they gonna use... they're gonna use SteamOS.
Charles
We're just gonna play SteamOS everywhere, you know, just...
John
But you know what? You know that boomerang, that BSD boomerang has to come back around. Just come on over to FreeBSD. The servers are 100%, like, stable. I mean, rock solid. Okay. You know, for the people that have Macs or whatever, you can use that with BSD on the back end. These are things that you can actually use. So you can come on over to BSD. Any city out there that's looking at this video and wants to convert over, definitely think about BSD. BSD is a great option. You know, less fuss. It is tried and true. And I agree with what Wade said. And look, a lot more people don't really pay attention to BSD. Like the security folks. They don't pay attention to BSD. So that's even better. I'm not here just doing my little quick spin.
Charles
For more information, please email BSD Bandit.
Wade
Don't click the Windows comment about how Windows is useful. Clip that one instead.
John
Yes, clip this one.
Wade
So as a little kind of follow-up, as I mentioned, the person that reached out to me had some, not like insider info, information. But basically, for anyone curious, the French government uses, they call it Tchap, which is based on Matrix. We were talking about what they use for Teams. That was our big question. The other stuff I get, like LibreOffice. Desktop is Ubuntu or whatever it's called. I just posted a news article in Discord that kind of runs through their in-house IM app that they use, for anyone who's curious. Now, what about Pidgin?
Ethan
Isn't Pidgin like Linux?
Wade
No, Pidgin's garbage. Terrible security. All IRC is wide open. OTR was how you apply encryption to IRC and that was super vulnerable as well. There was some... like, the AlphaBay guy got got because the OTR encryption keys are just on disk and it's symmetric encryption. So it's just like, if you have one key, it's everywhere.
John
Let's put it to you this way. Pidgin is so bad that sendmail is more secure than Pidgin.
Charles
Just use Signal. How do we Signal for Signal?
Wade
Don't hexeth yourself. And yeah, you're good to go.
John
Sorry, sendmail. I had to do it.
Wade
So yeah, we'll see. But kind of an interesting thing to think about. And yeah, I guess we should cover the article about War Thunder because we talked about it at the beginning. So let's run through this real quick. Basically, this is restricted data about the AV-8B Harrier, which is, I think, the British vertical takeoff and landing jet. They posted the flight manual for that, which is classified restricted information, to the War Thunder forums. Yeah, it was the section from the NATOPS manual used by the United States Navy and the Marine Corps, distribution statement C, which means it's not approved for public release and is restricted to authorized U.S. government personnel and contractors. The War Thunder community manager confirmed the document breached the forum's rules and was removed immediately. The user received a temporary ban. So they're allowed to come back. Sorry, the Harrier is not British. It's ours. My bad, I'm not a pilot.
John
It's all good.
Wade
Yeah, so let's add that to the list of the Challenger 2 main battle tank, the Leclerc, well, I don't even know what that is, and a bunch of other military things that have been... Honestly, should this be their advertisement? Is this just their advertising at this point?
Charles
The most realistic video game ever. Right?
Wade
We're so realistic the government will be watching what you're doing to see if you're eligible for prison sentences. Yeah, I mean, I just think it's...
Charles
Did they say it was eight? Was it eight or nine? Just amazing.
Wade
Yeah, I don't know. We don't have an official counter, but maybe we should. Oh, yes. At least the ninth. So, minimum.
John
At least.
Charles
There's probably some just hidden in the forum somewhere that no one's noticed. Right. So people get out there.
Ethan
The article points out that these manuals are already floating around.
Wade
Yeah, I mean, I will say, like, it's totally just a meme. Like, you know, if you really were to go and find this stuff, it's out there. But it is funny how, like, people get into arguments or, like, dude, I totally would have won if the plane was accurate to the manual. You can't fly at Mach 2, dude. It's impossible, man.
John
Then you have a whole bunch of subreddits.
Wade
Yeah, I think it's pretty funny. All right, let's talk about this scale AI thing. Did anyone catch this?
Charles
No.
John
No.
Charles
Let's talk about that.
Wade
So it's kind of a silly article, but probably worth talking about. So it links to... there's a Business Insider... I'll link the article in the chat. Okay, so the original article is in Business Insider, and they basically are kind of... it's almost like they're disclosing the vulnerability, but they're more just doing it through a news article. So basically the story here is that Scale AI, which I don't actually know that much about, they had Google Docs for their clients that were just open with link sharing enabled. So there were hundreds of them, or I don't know exactly how many, but Business Insider managed to find a bunch of things that were shared by link, and some of them even allowed editing by link. So it's basically bad Google Docs permissions. The data that was disclosed included, you know, a list of employees and whether they're good or bad. This is for, like, Google themselves, not Scale AI. This is like Google is using Scale AI for some purpose. There were audio clips for chatbot speech training, just a bunch of leaked data. So my question to anyone is, like, first of all, how do you end up as a company like this with so much sensitive data? Who allows link sharing to be enabled on your Google Docs? Like, that's an obvious thing you should lock down right off the bat. Right? Like, disable link sharing, disable public access.
John
It was AI that did that.
Wade
Yeah, exactly. But my other question is, how did Business Insider get their hands on all these links? Because that's my angle here. Like, where do you get the links? I don't think Google indexes them. I was doing some Google dorking before the show to try to look for whether you can find Google Docs links. There are some, but not like, you know... If I search site:docs.google.com Scale AI, nothing comes up. That's like, Facebook employee list or whatever. So I'm like, where are they getting these links? Are they pulling them from... what, about shared around? Like, I don't know. I don't think you can brute-force the links because they're probably like 35-character IDs or something like that. So I don't know, just an interesting angle. It's bad security. But where do you get these links to begin with? I don't know, maybe advertising or something.
Charles
Perfect. If anybody ever tells you "security through obscurity," just point them at this. Right. Which I have in the past, which is also scary.
Wade
Yeah, definitely. You know, if you're an organization that uses Google Docs, you've got to disable public link sharing. Or not even just Google Docs. Any tool that has public link sharing functionality, whether it's OneDrive, SharePoint, Google Docs, whatever it is, turn that off. You don't need it. You don't need Google link sharing for every... like, the whole Internet needs to be able to see this document? I don't think so.
Charles
Yeah, just do that for everything you have. The only people who usually need it are sales. Yeah, just turn the Internet off. Just get a POTS line, you know. That's all you need. Set.
Wade
No, you definitely need a Squid proxy and a Roundcube server.
John
Yeah. Ah, Squid will never die. Oh, goodness. But no, I think you should apply that to everything, really. Like, if you're an engineer or admin or whatever else, if you don't need it, turn it off. Any services that you don't need, just turn off and uninstall. Well, that could be tricky. Let me take that back. Because, you know, Linux these days, there are so many library dependencies with certain things that if you do remove something, it could mess something else up. So leave it. But just make sure it's disabled and turned off permanently. That's my BSD public service announcement.
Wade
Well, also, you set a calendar invite for yourself every month that just says "turn everything off you don't need." That's true.
John
Yeah, that is true.
Wade
You can do that too if you're a network admin. Just set a calendar invite that says disable.
Charles
I'll do it for everyone right now. Okay. Google set a calendar wonder reminder in one month to turn off everything I'm not using. God damn.
Wade
Picked it up. Yes.
John
Look at that. Let's start it off perfect.
Charles
All right.
Wade
In a month, everyone's Internet will go down and no one will know why.
John
Oh yeah, well, they get the reminder.
Wade
They'll get their reminder. They're like, why is the Internet turned off? Oh, I guess the IT team said it wasn't needed.
John
Yeah, yeah, it wasn't needed. Yeah, Just for a day.
Wade
It's awesome. Yeah, let's cover. The next article I wanted to talk about is. So the Breach Forums. A couple more Breach Forums admins were arrested in France. So this is Shiny Hunters, who's a notorious threat actor, and IntelBroker, who's another notorious threat actor. They were, I believe Shiny Hunters was indicted like last year by DOJ.
John
Yeah.
Wade
Or sentenced in the. So, but now they've actually been arrested. So yeah, I mean, they are detained by France's Cybercrime Brigade. So yeah, I mean, again, Breach Forums has been a notorious hacking forum for the last long time, five years or more. And it just keeps exchanging owners and each owner appears to be ending up in jail sooner or later. So it's a pretty dangerous site to be running. But for some reason they keep doing it. It's almost like 20-something-year-old males might not have fully developed brains. I don't know. Yeah, it seems to be a specific demographic of who's running these sites.
John
But yeah, I don't know, it could be.
Charles
You think he chose. You think he chose the name Shiny Hunters after the group? Because that's what I was feeling. I was like, why would you like. Yeah, I knew about Shiny Hunters because they've been around for a while. Like literally in my threat intel class I have, Shiny Hunters is like an example of a threat actor. And it's like from 2019.
Wade
Yeah.
Charles
So I was like, what? This is kind of crazy. Like that now some dude took that as a username and got hit. Like, oh, at least the original take like another name or something. Right. Or unless he's the dude, which also sucks.
Wade
Well, no, I'm. I think he's the dude.
Charles
He's the hunter. The shiny.
Wade
I think he's the hunter. I, I could be wrong, but I mean this is a notorious threat actor. I mean they. Yeah, I don't know, who knows? But I mean these threat actors also have hilarious names. Like I swear half of this is just the gamesmanship of like how stupid of a name can you come up with, right? Like Shiny Hunters, also known as Hollow or the other people, the other suspects Hollow knocked and one is just called Depressed.
John
Or you have. Or you have Dubin the Data Destroyer.
Wade
Yeah, like that's part of it is having such a silly name that I'm honestly surprised and I guess a little impressed that their name isn't just a straight up slur. Based on the hacking forums I've been looking at, they use a lot of those. So let's be glad it's something we can even say on this podcast.
Charles
Yeah, I've seen too many of those.
Wade
Yeah, there was an interesting one about more supply chain attacks or I guess like malicious contagious interview attacks. So this is something we've talked about before on the show. Basically North Korea will pose. These are their attempts to infect job candidates or job hunting candidates. It's not the one where they go get a job at the company. It's the one where they're trying to infect people who are looking for jobs in the hope that when they do get hired they can siphon that data that they get and take over the account. Socket Security or whatever has published a blog about it. They picked up 35 different malicious NPM packages. The idea is these NPM packages will be used and like they'll have, during the interview process, they'll be like, hey, can you write a tool that uses this NPM package? And then they'll compromise their system that way.
Charles
Yeah, I've been, I've had to fight against this a couple times in the past. It's usually pretty hard. Sometimes what will happen is the whole pretty much the victim will email you and be like, hey, is this for real? Did you guys offer me this job because they see something fishy? Then you'll start conversing like, hey, no, where did you see this? And you realize it's on some weird job board that like isn't as well watched, say, as LinkedIn or Indeed. A lot of the times the way you can find it is of course with some type of threat intel capability that is either like looking for your logo, looking for your company name, or possibly looking for high up VIP individual names because sometimes those are actually in the job listing. Right. Another thing to think about if you are putting job listings is to put some type of like seed name into the job listing always, and then always hunt for that name if it shows up anywhere on not an accredited job board. So that's the other thing is you also have to know where your recruiters are actually posting jobs, which is something that most cyber people aren't going to know. So you have to then talk to the recruiters and see what they're doing. It's. It's a pretty interesting tactic. I like it. But it's pretty interesting to fight against it.
Wade
Yeah, I mean, it's. This is, you know, one of those examples of how it can be picked up kind of out of band. It's like being picked up at the malware level, not at the, like, you know, what Wade was talking about, which is more at like the business logic level. I guess this is like just scanning for and trying to pick off these GitHub repos and malicious packages before they got, you know, published or before they got used, hopefully. But yeah, it's pretty scary. I mean, if you, you know, someone said in chat, if you're doing a job interview, use an ephemeral VM, right? Like, you don't do your job interview from your main system or God forbid, from your work system for another company.
Charles
I've seen that.
Wade
So use. I mean, half of these interviews nowadays require you to install spyware anyway. If you're doing a coding interview, like, if you're doing a coding interview for Amazon, they're like, it's pretty aggressive with what they make you install. And yeah, so just be careful if you're looking for a job. It also just sucks because it's affecting the people who are looking for jobs, which is like, you know, they have a lot going on, I guess. Vulnerable demographics, they're more vulnerable because they don't have. If you're looking for a job, you probably don't have an EDR on your system or you know what I mean? Like, you're not security, you're on a BYOD, just on a home computer now. If you're running BSD, probably good.
Charles
Maybe that's.
John
You are good.
Wade
I installed the malicious NPM package and it said it couldn't compile because my kernel doesn't have a GCC compiler.
John
Look at that. See?
Wade
Oops.
John
Isn't that a godsend?
Wade
I installed MinGW and the program runs well. I now have C2 on my system. Is that the intention?
Charles
I had a program interview that required me to do a bunch of installs and I did just like I did that. I did it through a VM and then when I got on the interview, the guy's like, yeah, here's your problem. Just write this code. And I'm like, well, you had me like, install all this stuff, do all these things, and then you want me to make a repo for it, but now you just want me to write this? He's like, yeah, you know, you didn't need to do any of that. Just like, just pull up VS code and just let me see you do this. And I'm like, dude, that was like an hour's worth of work of like, down the drain. I. I winded up commenting on that interview and telling them that their programming interview sucks.
Wade
So good for you. I hope that wasn't for a company you actually ended up working for.
Charles
It is not. No, I would not.
Wade
No experience, though.
Ethan
It was probably one of the code, right? They wanted the. The code written internally and they just wanted.
Charles
It definitely wasn't anything gnarly. No, it was something stupid. But it was more of like the dude also who's reading the code was like talking to his son while he was. While I was doing the interview and I wrote all the code out. I'm like, hey, man, I think I got it. And he's like, like, nah, that's wrong. He's like, oh, time's up. All right, we'll have a good day. And I'm like, what the.
Wade
They didn't even read the code.
Charles
I was like, all this work for nothing. Like, okay, that's insane.
Wade
That's a great process, though, because it makes sure that you as a candidate have many red flags to just say, don't work there before you get a job there. Yeah, yeah, yeah, yeah.
John
Wait for the win.
Wade
Let's talk about. We can talk about this. There's a couple of vulnerabilities I want to talk about. One is this new Citrix Bleed 2. So this is posted by DoublePulsar, which is Kevin Beaumont, one of our favorite security researchers out there. Basically, if everyone remembers Citrix Bleed, I think that was last year. It was very similar. So the bleed part is remembering back to Heartbleed, which is our favorite vulnerability from what, 2017 or something? I forget the year. A long time ago, maybe more like 2013. Super old vulnerability. Yeah, 2014, it was basically a vulnerability in SSL to let you dump memory contents of anything running OpenSSL, which turned out to be 90% of the Internet. This is affecting Citrix gateways. It's kind of interesting though. Like, the. The researcher really goes deep on like the first they said it was only the management interface which should never be exposed, but then they removed the like thing that said it was only the management interface. So it's apparently not just the management interface, it's also like the client interface, which means it's everything, I guess. I don't know if there's a POC. I haven't seen one yet. Most of the POCs out there right now have lots of Chinese characters in them and are probably maybe not as legit run them. So be careful with looking for POCs on this. Right. But yeah, the POCs, at least the ones I've seen so far, just straight up look like malware. But. But maybe over time a POC will be published. And then the long story short here is patch your Citrix, you probably are super aware of this, but yeah, patch your Citrix environments out there.
Charles
I haven't used Citrix in so long. It's been like four companies. Yeah. Is it just me or are they going out or do people actually use it a lot?
John
I guess they're still using it like they're using Lotus Notes.
Wade
He just triggered so many people by saying that.
John
Oh man, I had a moment. I ran across a place that had Lotus Notes like last year. So that's why.
Charles
Did you read the second line in this article? Did you read that out loud?
Wade
I did not read it out loud, no.
Charles
It's back like Kanye West returning to Twitter about two years later. This is the.
Wade
Oh man, is that like a current. A current news article that, that we should be covering? Kanye West is back on Twitter. Oh, that's.
Charles
I'd rather not, but maybe.
John
No, no, please, no.
Wade
So the other one, that's pretty funny or not funny, but just insane in the scope of this vulnerability. So the Brother printers, this is research by Rapid7. There's eight vulnerabilities in, and this number is not made up, 748 models of different devices from five different vendors. So 689 models come from Brother, which is a Japanese company. And the big vulnerability here is that the technique used to generate the default admin password just uses the serial number as seed data. So you can just reverse engineer that process and you can generate the default admin password over the network. You can query a device, get its serial number and then pull down and generate the admin password.
Charles
So pretty crazy.
Wade
So this is, this is crazy in just an amount like it. I don't know how many printers that is, but I'm guessing it's just a lot. Like millions, maybe billions. I don't know how many printers are out there, but I feel like if you assume minimum 100 printers per company and then like a printer at everyone's house, it's gotta be in the billions.
Charles
But yeah, especially small businesses rely on the Brother printers a lot more than you think. Like my dad's literally like he puts the Brother printer as the success to his company. It was that alone because it could fax and do print, like do a scan and do everything from like a low level Internet. And sure, now I'm gonna have to go in and update that. So thanks a lot.
Wade
Yeah, exactly. So Nerf Blasters nailed the comment. It's mitigated if you ever change the default password. So it only affects 95% of printers. So. Yeah, exactly.
Charles
Do you guys.
Wade
So I have a Brother printer and I went and tried to use the default password and I was like, I actually did change it. I changed the default password on the printer. So I am the 1% guys. Woo.
Charles
Do you know what the password is now though?
Wade
It's in 1Password. Yeah.
Charles
Okay. Oh good.
Wade
Yeah. So the question is how many companies out there that are small businesses and how many home users have changed the default password on their printer?
Charles
One of the companies I was working at, there was a vulnerability for our printer and we found it and we didn't have any like full time red teamers so we tried to exploit it on the network and next thing you know you just hear it like super pissed off because the printer just took printing.
Wade
It was blew up.
Charles
Yeah, it literally like took a. And we never comped to it. But it was a possibility. Yes, they got a new printer and they fixed it.
Wade
So and as far as like why does it matter? I mean honestly, you know, a lot of this is old stuff, like a lot of this is like, you know, old school stuff. But back in the day, back in the day, this is the printer days. We would get DA off a printer because a printer would be configured with an LDAP password. And I mean you might as well use the admin account when you're making that LDAP bind to be able to look up, you know, where you're going to send the email for this print. But yeah, printers are bad. I mean printers, they also have sensitive data. Like I would say some of the most sensitive data in any organization is happening is going through printers and faxes. Medicare or medical industry uses faxes heavily. Just like the data going in and out of printers these days especially is probably almost all sensitive data. Because if you're printing it or if you're faxing it or if you're scanning it, it's probably sensitive. Otherwise you would just send it by email.
Charles
There's a lot of good DLP tools that track printing. That's because literally that's like one of the last few things that, like printing, you can't do screenshots. But I have seen DLP go through home printers quite some time for. So you can actually look up. They'll look up. Print jobs tell you exactly the file name. Usually if you hit the file name, you can go look on their computer and grab. See what it is. And usually it's a sales list or something like that.
Wade
Yeah. So basically inventory your printers. Tools like Nessus or Nmap or, you know, pick any network scanning tool to find your printers. Make sure the default passwords are changed just out of hygiene. But this is a reason to do it because this is. 700 models of printer are affected by this, which is a lot. I will say I didn't see a POC for this either. I didn't look that hard. But I'm curious what the actual technique to generate the password is and how, you know, computationally intensive that actually is, if at all. What else? What else?
Charles
The only other one I read and I. I glanced at it was the Chinese. Canada orders Chinese Hikvision to close Canadian operations, which I don't think it's anything. It's. It's interesting, but I feel like it's not anything too surprising. Right. Like, we've been seeing this a lot lately.
Wade
I. I've seen these cameras all over the place. These are super common. Yeah. Is it hick vision? I. I always said hick vision, but maybe that's just me being a hick and having bad vision.
Charles
But I'll take whatever.
Wade
I'm not the best hike vision is probably more accurate.
John
I'm gonna go say hike. Let's say hike. Vish.
Charles
All right, cool.
John
Please look over height.
Charles
So pretty much right. The Canadian government ordered all the Chinese surveillance cameras from the manufacturer Hikvision to cease operations in Canada completely for national security concerns.
Wade
Were they also banned in the U.S.? Like I'm reading, and it's like it.
Charles
Says they're banned in Canada. They are banned. They are most likely banned in the.
Wade
U.S. It basically says we've put multiple sanctions and restrictions on them over the past five years. But I don't think we've actually outright banned them, have we?
Charles
Or let's see.
Wade
Google seems like a drastic measure.
Charles
Let me find an actual.
Wade
Sure. Basically this is a pretty. They're following the writing on the wall. Like obviously we've sanctioned them. The writing's on the wall. People are saying in Discord. Right. Like they're heavily discouraged. They were not officially banned versus Canada took it one step further. So kind of interesting.
Charles
2024. The FCC upheld the. Court upholds FCC right to ban tech from China-owned telecom companies. And one of those bans was Hikvision. So they, they are banned in the U.S. But okay. You could probably still order them from like what's. Like what's those Chinese ordering. That's Temu.
Wade
Yeah, I was gonna say. Yeah. I mean honestly like if it's banned and they're ceased, they're not allowed to operate in Canada. Does that at all affect your ability to just buy them and use them anyway? And how many of them are just rebranded as something else? Right. Like this is similar to any other Amazon type product where it's like, like oh no, this isn't a Hikvision. It's a best camera. It's a. You know what I mean? It's like just the rebranding is so rampant. So yeah, I don't know me personally, I use the UniFi stuff. I'm a big fan of it. Like self hosted. Obviously it is still cloud accessible so maybe they get breached and I hate that. But I don't know. I think nowadays if you're rolling your own cameras they're going to have either Chinese firmware or you're going to have to pay a subscription fee.
Charles
And then the police have instant access to them.
Wade
Yeah. If they're on Nest. If you have Nest or a Ring or any of those other third party clouds. Yeah, for sure. Pretty scary. Yeah. Post your camera recommendations. If you. If, if I. Where can I buy a camera that doesn't have Chinese firmware? Send links?
John
That's the great question.
Wade
So an interesting one. This is kind of political a little bit. But apparently The House banned WhatsApp on staff devices. Are you telling me this was allowed? Why was this allowed?
John
Oh, when I saw that.
Wade
This is an article.
John
When I saw it on. When I saw it on CNN I just looked and said, you know what? Yeah, I'm. I'm gonna go lay down and take a nap. I can't believe what I just witnessed, like literally.
Wade
Because you know what, you know what you should do? Set a. Set a monthly calendar. Invite to go take a nap. Yeah.
John
I mean static clear has it Right.
N/A
They standardize on signal. Obviously. That's why they banned it.
Wade
Oh, you mean WeChat or whatever or. Yeah, what was the one? Telemessage. You mean telemessage? Telegram. Yeah, yeah, telegram. Oh, my goodness. I guess the US House of Reps has banned installation and use of WhatsApp. Honestly though, I'll count this as a win that they're actually banning stuff. I can't believe this was enabled before. I guess it is end to end encrypted. And it is, like, US based, right?
Charles
It's U.S. based, right? Like, that's the. Is this a win? Like, I don't see it as, like, that huge.
Wade
How.
Charles
How are they enforcing this? That's what I want to know. Is there just a list of, like.
Wade
They're MDM-approved apps, right?
Charles
We hope.
Wade
But here's how they do it, Wade. They just force every House of Reps to tweet and DM Elon Musk and send them that list of apps on their phone, and then he just manually reviews all of them.
Charles
Oh, that's what I thought.
Wade
It's pretty. It's pretty. Pretty slick system.
N/A
I think the bigger question here is, if the House is banning it, what other areas of government are still allowing it?
John
Oh, good question. A lot.
Wade
The others, we should assume it's allowed by default now. Maybe the other. Other branches of the US Government will follow. But yeah, if you're wondering, here is the list of accepted chat programs: Microsoft Teams, Wickr, which. Does anyone know anything about Wickr? I've never heard of that in my life. Signal, iMessage and FaceTime. Apparently Wickr is Wickr, the government one.
Charles
Like, no, it's AWS. It's Amazon.
John
AWS.
Wade
Okay.
Charles
I think. I don't know. How do they spell it? W I, C, K, R. Yeah.
Wade
W I C, K R. Dude, you can't be having those. You cannot have too many.
Charles
Okay, I never heard of this ever.
John
Me neither.
Wade
So this is. Okay, so now I'm actually changing my mind because this is more just a diss on Facebook. Why? If you're gonna allow Wickr, why a lot, why ban WhatsApp? Doesn't make any sense.
Charles
Someone off.
Wade
It's just a dig on. Is this just like billionaire vs. billionaire? Like billionaire on billionaire crime. I really don't know why they would ban WhatsApp. They didn't really list this. Did they list a specific reason? I didn't see a specific reason.
Charles
All right, we got one more.
Wade
Well, they said citing concerns over how the app encrypts and secures data. I don't know what that means, but anyway, yeah, take us out. Someone linked a chicken article. I don't know is a chicken article.
Charles
I didn't get to read it. I saw it.
Wade
We'll cover it. Just because. Why not? We have time. We have to cover it for. For funsies.
Charles
Oh, my God. I could even speak to this. Chickens are becoming the third most popular pet. That is literally it. Tractor Supply Company is expecting a high demand for its live chickens and chickens. Okay, so if you didn't know, Tractor Supply actually sells live chickens there, you can just go and buy them.
Wade
Like, tractor supply.
Charles
Tractor Supply. Yeah. That's interesting.
Wade
So high demand for its live chick and chicken sales through the chain Chick Days Promotions. Why I'm not aware of this.
Charles
I'm gonna have to send this article to a buddy of mine. So my first, my first security job was in a SOC. The guy who got me the job loved chickens. Like, but his friends, like, he actually.
Wade
Was doing chickens on the show. I don't know.
John
Whip a live chicken.
Charles
Live chicken. So he had a bunch at home. He, like, his entire backyard was netted so that, like, hawks or anything couldn't eat the chickens. He put diapers on the chickens because they could go in the house. Most of them were, what if they poop an egg?
Wade
What happened?
Charles
Most of them were trained to go outside and poop, but there was, like, a couple that weren't. There was one time in the SOC, right? He had adopted a. Like, a pygmy rooster. It was like a rooster, but it was, like, not, like, smaller than a venti Starbucks cup. And it was ridiculous. But he brought it to the SOC because the other chickens were pecking at it, right? And he's like, I looked at the rules. It doesn't say no animals in the SOC. And I'm like, all right. Like, I don't care that much. And, like, every now and then it would just, like, caw. And everyone's like, all right. And it was cool. It was, like, tiny. He was running around. And then we had, like, an executive walk in. It cawed, and then he. He hid it under his. His, like, jacket. And the executive looked at him all funky, and he's like, all right. And then walked away. We are the SOC. So everyone thought we were weird anyway, but it was perfect. Shout out to Lee if he ever listens.
Wade
Whoever. Cop to the. Whoever pretended like they were the ones who made the chicken sound. That's your real friend, dude. He.
Charles
They. After that, like, the. The director found out that he had brought a chicken and they had, they had put the, they had changed the rules that no. No pets allowed in the SOC.
Wade
No animals in the SOC.
John
Shout out to Lee, the chicken master.
Charles
Yeah, I will send, I will send him this clip later. It's been a minute since I talked to him.
Wade
I mean, I've given this warning multiple times on the podcast. But you know, if you get chickens, you get rats and you need to factor that in. If you're gonna, if you're gonna, if you're gonna have chickens around, you're gonna get rats. So then, you know, you need to, you need to plan for that.
John
Yeah.
Wade
Because rats and chickens go together like peanut butter and jelly.
Charles
I did not know.
Wade
Anyway, yeah, the rats like the chicken feed and yeah, it creates problems. And rats are real smart and real persistent. Like they'll remember a location for like five years. Like they'll, they'll keep coming back.
John
They're like adversaries.
Wade
Yes. They're like APTs. Rats. Rats are the true APTs of the world. All right, any last articles?
Charles
The, the one before the chicken one in the chat is actually pretty, pretty crazy. Norway Dam hacked valve open but no danger. I didn't see this one till just now. Someone hacked a dam in Norway and was able to open the release valve to full capacity. Luckily no one was injured and it didn't. Didn't cause any damage. But supposedly the attackers compromised some weak password in a web accessible control panel. This is up there at least for like an ICS hack or like at least vulnerable critical systems. Like I have never heard of it going this far. Besides some of like the water stuff we've heard in the past where they've like increased chemical levels in the water. But that's, it's a tiny little article. There's not much about it. That one's kind of scary.
Wade
That is scary. This is one of Those, like our IoT security policy is to just get lucky. That works really well. Yeah. I mean, if someone had been servicing it or if someone had been like in the wrong place at the wrong time, that's super dangerous. Right? That's crazy.
Charles
The one comment. Before anyone reads too much into this incident, officials remain uncertain as to if putting the valve at full, full capacity was intentional or not. So don't worry.
Wade
Yeah, this is a very thin news article, which makes sense because it's probably just some quiet town in Norway where you'd really want to live, but like there's not a whole lot of journalists, you know, pretty much around, but probably.
John
One journalist in the town.
Wade
One journalist. Yeah. I don't know. It's not great, but definitely review your exposed systems. Make sure they don't use default passwords and all that.
Charles
Good. Make sure it's in your.
Wade
Your.
Charles
Your calendar every month. Your dance.
Wade
Set a calendar invite now. So at this point, by the end of the show, you should have four monthly calendar invites. All right, let's go through them one by one. One, delete all your unused apps and review the permissions of the apps you have installed. Two, turn off all the unnecessary features or just consider turning off all the Internet. Three, take a nap. And four, change all your default passwords. That's four invites a month. That's fine. There's 30 days in a month. Ish. You got four invites. As long as you stagger them properly, it's no big deal.
Charles
I believe.
Wade
And then also maybe add a fifth one monthly to install and try BSD.
John
That's right. And this has been your public service announcement.
Wade
All right, thank you all for coming. We'll see you next week. Bye. Bye.
John
Later.
Wade
Have a safe holiday. If you're in the America area, it's.
Charles
Canada Day tomorrow and Canada Day.
Wade
No one blow your hand off. Keep those hands.
John
Your hands are important. That's how you make a living.
Wade
Yep. All right, bye, all.
Episode: Year of the [European Union] Linux Desktop Finally Arrives?
Release Date: July 4, 2025
In the latest episode of "Talkin' About [Infosec] News, Powered by Black Hills Information Security," the hosts Wade, Charles, John, and Ethan delve into a multitude of pressing information security topics. From phishing techniques and government IT shifts to data breaches and emerging vulnerabilities, the discussion offers a comprehensive overview of the current infosec landscape.
The episode kicks off with an exploration of how Microsoft Direct Send is being weaponized in phishing campaigns. Wade highlights the significance of this technique, noting its effectiveness in bypassing traditional email filters.
Wade [12:55]: "It's one of those things that either doesn't work or it blows the customer's mind. And they're like, I'm mad."
The team emphasizes the importance of disabling Direct Send if it's not essential, as it can allow threat actors to masquerade as internal employees effectively.
A substantial portion of the discussion centers on European governments transitioning their IT infrastructure to Linux-based systems. Charles expresses surprise at the number of cities adopting their own Linux distributions.
Charles [15:19]: "Pretty big. That's an amazing feat."
Wade elaborates on the motivations behind this shift, citing concerns over data sovereignty and the desire to minimize reliance on American companies like Microsoft. The hosts debate the practicality of maintaining such environments, especially regarding features and support.
The team examines a recent article about an info stealer malware that extracts sensitive data from screenshots on smartphones. Wade explains how this malware targets critical information like crypto phrases, posing significant risks to users.
Wade [03:00]: "Don't save, don't use screenshots to store sensitive information at all."
They discuss the importance of reviewing app permissions and regularly deleting unused applications to mitigate such threats.
Continuing from the previous topic, the hosts share their strategies for maintaining mobile security. John mentions his routine of cleaning up apps monthly, supported by calendar reminders.
John [05:06]: "I do it once a month."
Charles shares his approach to securing devices used by his children, emphasizing minimal app installations and the removal of unnecessary permissions.
A lighter yet concerning topic is the accidental leak of classified military manuals on the War Thunder forums. Wade humorously remarks on the recurring nature of such leaks and the actions taken by moderators to contain the breach.
Wade [25:40]: "The Harrier is not British. It's ours. My bad, I'm not a pilot."
The group underscores the ease with which sensitive information can spread on gaming communities and the importance of monitoring such platforms.
The episode highlights a significant data breach involving Scale AI, where numerous Google Docs were left publicly accessible due to improper link-sharing settings. Wade criticizes the lax security measures that allowed sensitive information, including employee lists and chatbot training data, to be exposed.
Wade [29:31]: "If you're an organization that uses Google Docs, you got to disable public link sharing."
The hosts advise organizations to tighten their document sharing policies and regularly audit permissions to prevent similar incidents.
Discussions turn to recent arrests related to the notorious Breach Forums, a hub for cybercriminal activities. Wade comments on the cycle of forum ownership changes leading to repeated legal actions against administrators.
Charles [33:09]: "Just use Signal."
The conversation touches on the persistent nature of such forums and the challenges law enforcement faces in shutting them down permanently.
The team explores a new wave of supply chain attacks targeting job candidates through malicious NPM packages. Charles shares his experiences defending against such tactics, emphasizing the need for vigilance during the recruitment process.
Charles [36:23]: "It's pretty interesting to fight against it."
Wade suggests using ephemeral virtual machines during job interviews to contain potential threats, highlighting the evolving nature of cyber threats in the recruitment landscape.
A significant highlight is the introduction of Citrix Bleed 2, a vulnerability reminiscent of the infamous Heartbleed bug. Wade explains that this flaw affects both management and client interfaces of Citrix gateways, potentially allowing attackers to extract sensitive memory contents.
Wade [40:03]: "Patch your Citrix, you probably are super aware of this."
The hosts caution users to promptly apply patches and stay informed about security updates to protect their systems.
The episode sheds light on a critical vulnerability discovered in Brother printers, where default admin passwords are generated based on the device's serial number. Charles recounts incidents where this flaw was exploited within organizations, emphasizing the necessity of changing default passwords.
Wade [44:12]: "Only affects 95% of printers."
The hosts advise businesses and individuals to update their printer credentials to safeguard against unauthorized access.
Charles and Wade discuss Canada's decision to ban Hikvision cameras due to national security concerns, aligning with similar actions taken by the U.S. government. They debate the implications of such bans on privacy and security.
Wade [48:39]: "They're following the writing on the wall."
The conversation underscores the geopolitical ramifications of relying on foreign-manufactured surveillance equipment and the importance of securing critical infrastructure.
A surprising move by the U.S. House of Representatives to ban WhatsApp on staff devices becomes a topic of contention among the hosts. They debate the rationale and enforcement mechanisms behind this decision, questioning its effectiveness and consistency.
Charles [52:51]: "Someone off."
The discussion highlights the challenges in standardizing communication tools within government entities while balancing security and functionality.
In a departure from serious topics, the hosts share amusing anecdotes about chickens, blending humor with informal conversation. This segment serves as a brief respite from the intense discussions, showcasing the camaraderie among the team members.
As the episode wraps up, the hosts offer practical security tips, encouraging listeners to:
Wade [58:07]: "Set a calendar invite now. So at this point, by the end of the show, you should have four monthly calendar invites."
These recommendations aim to bolster personal and organizational cybersecurity hygiene, reflecting the hosts' commitment to proactive security measures.
Final Thoughts:
This episode of "Talkin' About [Infosec] News" offers a robust examination of current cybersecurity challenges and trends. From sophisticated phishing techniques and government IT transformations to critical vulnerabilities in widely used products, the discussion provides valuable insights for both professionals and enthusiasts. The hosts blend technical expertise with engaging dialogue, making complex topics accessible and actionable.