Soft Shell Nachos: Cybersecurity Starts in the Home [CL50]

Posted on Tuesday, Mar 21, 2023
Ned brings cybersecurity home with a sac fly, Chris is wound up about the Tik Toks, and we’re all excited about a Rolls Royce Phantom on the MOON.


[00:00:00] Ned: All right, now I’m recording. Jesus Christ. Your whole bit. It was so good, and now it’s gone.

[00:00:07] Chris: Now I think we gotta do you just you just cut from now we’re recording. Oh, Jesus Christ. Directly into the introduction.

[00:00:16] Ned: Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. Each day I wake up in my padded, horizontal rest unit, shaking off the nightly hallucinations I experience while paralyzed in a semicatatonic state. That seems normal for a well adjusted thing that all carbon based life forms should do, and not a small death leading to total oblivion. With me is Chris, who is awake.

[00:00:46] Chris: Alive, but not with flavor.

[00:00:51] Ned: Okay, so you’re an outback steakhouse. Oh, damn, I’m sorry. I’ve never actually been to an Outback Steakhouse. I feel like I need to fess up to that one.

[00:01:02] Chris: Well, you know their slogan, right? No rules except don’t eat it. Outback Steakhouse.

[00:01:10] Ned: Don’t order the Bloomin Onion.

[00:01:13] Chris: You can order it once at a table of twelve. You have 90 seconds. After that, the Bloomin Onion must be taken away or terrible things will happen to everyone.

[00:01:22] Ned: I mean, honestly, terrible things are going to happen to everyone. Intestinally speaking.

[00:01:28] Chris: Oh, I thought that was just like an eschatological statement. It turns out everyone’s going to die crying. Welcome to the show.

[00:01:38] Ned: It’s so good to see everyone. Oh, we’re already so upbeat. Let’s talk about some tech garbage, shall we?

[00:01:46] Chris: Let’s do it.

[00:01:47] Ned: Okay. Cybersecurity starts in the home.

[00:01:52] Chris: That’s where the heart is.

[00:01:55] Ned: The Heartbleed is... oh, wow. I tried.

[00:01:59] Chris: Yeah.

[00:01:59] Ned: So I reached. Did I make it?

[00:02:02] Chris: No.

[00:02:05] Ned: Cybersecurity. It’s kind of a big deal these days. We may have mentioned it like a few times on this show.

[00:02:12] Chris: I mean, I’ve heard of it.

[00:02:14] Ned: Perhaps last week we spent a whole episode talking about cybersecurity at the governmental level.

[00:02:19] Chris: You do cybersecurity in the hypercloud or the SuperCloud or the super? Hypercloud.

[00:02:25] Ned: Get out. Well, since SuperCloud is an illusion, cybersecurity is often also an illusion. But I wanted to bring it down to something that you, the individual, can actually do to improve cybersecurity without waiting for policymakers and Congress and all those other knuckleheads to actually get out of their own way and do something. You could do something right now, and part of that is protecting yourself from ransomware, since TechTarget called 2022 a breakout year for ransomware, which seems like a.

[00:03:06] Chris: Little headline grabby, but okay.

[00:03:08] Ned: Having a breakout year is great if you’re like the latest hopeful ingénue on the Hollywood scene. Less great if you’re a malicious software that prevents a hospital from running properly.

[00:03:19] Chris: And definitely like, the worst great if you’re in that hospital.

[00:03:23] Ned: Yeah, you could be in the middle of a different kind of breakout.

[00:03:29] Chris: Like the game.

[00:03:30] Ned: No one with, like, a lot more measles.

[00:03:32] Chris: Oh.

[00:03:37] Ned: Unfortunately, we have rather a lot more of the latter, the bad ones. The bad one yeah, it doesn’t seem to be getting a whole lot better.

[00:03:45] Chris: Cool.

[00:03:46] Ned: Yeah. Now, you’re probably tired of getting hit over the head with the cybersecurity cudgel. That’s at least in part because people are the overwhelming reason for most cybersecurity incidents, as we mentioned last week, was it 95% are caused by people. Yes, but I’m not blaming you, the listener. This is not entirely your fault. So many of our technology systems are poorly designed, with nary a thought to security in mind. And when security is implemented, it’s usually so onerous that people have to circumvent it just to get their jobs done. So what I’m saying is that technology vendors are as much to blame, if not more than the end users, and that is unfortunately unlikely to change anytime soon. So even though it’s not your fault now, it’s your responsibility.

[00:04:42] Chris: Just like middle school.

[00:04:46] Ned: Wow, that really rings true. Anyway, I had a mullet in middle school. Let’s move on. Those are fashionable again, did you know that?

[00:04:56] Chris: No, they’re not. Nor have they ever been. There are two people that are allowed to have a mullet in this world. They are Billy Ray Cyrus.

[00:05:05] Ned: That’s number one.

[00:05:06] Chris: Yes. And also Billy Ray Cyrus.

[00:05:09] Ned: That’s it. Looking in a mirror. He’s like, you look good, and nobody else. Since we can’t directly force software vendors to build more secure software, the alternative is to make ourselves safer when using their crappy software. In lieu of this state of affairs comes a set of best practices for home network security from the NSA, courtesy of Corey Quinn over at Last Week in AWS. This seems extra important, given the recent breach of LastPass that could have been avoided with just a tiny bit of security hygiene on the part of their engineer, like segmenting any network or patching at all. So I figured we could go over this advice from the NSA, try to assess the feasibility of their recommendations and maybe distill it further down to some must dos, should dos and might dos, and maybe some shoeby dos.

[00:06:12] Chris: And the ones that we don’t like will be the do dos. Up top, anywhere, any minute now. Come on, don’t leave me hanging.

[00:06:24] Ned: All right. Visual jokes for an audio medium. So the report, if you decide to read it, and you should, it’s only nine pages. So this is not some epic tome of forgotten cybersecurity lore. It’s written mostly for someone with a little bit of technology background, but not like a CCIE, and I suspect most of our listeners fall into that former category. Of course, if you are CCIE and any of this is news to you, you should probably have it immediately revoked.

[00:06:58] Chris: We’re going to have to have, like, a hard conversation.

[00:07:02] Ned: I’m going to have to get Cisco on the phone, and they are not going to be happy that I called them because they don’t want to hear from me again.

[00:07:10] Chris: So, point one.

[00:07:13] Ned: So at a high level. The first point is essentially saying to patch your software and upgrade stuff, that’s end of life.

[00:07:20] Chris: Or just upgrade stuff.

[00:07:23] Ned: Yeah, I mean, at a bare minimum. So for your regular computing devices, desktops and laptops, and even your mobile devices, this is pretty easy. I would say it’s a must do. And it’s straightforward. Enable automatic updates on the operating systems and install updates when prompted. Yes, mobile operating systems in particular are great at this. Your operating system and apps update automatically by default. You don’t have to do anything except just restart your device when it tells you to. You have to make the very stupid choice to disable it, so don’t do that.

[00:08:06] Chris: This one definitely falls into the must do. And also I would add the secret little tag of don’t overthink.

[00:08:13] Ned: It true.

[00:08:15] Chris: Don’t try to be clever, don’t try to be cute. Just automatic updates on the basics solves so many problems.

[00:08:24] Ned: Right. And I don’t know what the current state of affairs is on macOS, you’d have to tell me. But I know on Windows at this point, 10 and 11 have updates enabled automatically and they just install in the background and you have to work extremely hard to turn any of it off. That is by design.

[00:08:47] Chris: Right. And if you want to tell me if this is true for the consumer side, but I believe on the enterprise side, you can do lagged updates as well. If you’re worried about what some people would call a zero day and what Microsoft calls Patch Tuesday, there is some logic to maybe waiting a little bit, but not forever.

[00:09:13] Ned: Yes, that is true. You can configure update policies on the consumer version, but you have to go.

[00:09:24] Chris: You could lag it for like 30 days.

[00:09:26] Ned: You can pause updates for a certain amount of time, but if you want to get the lagged updates, you’re either going to have to upgrade to like a professional version or do some registry hacking.

[00:09:37] Chris: Right? Do you have a teenager? Talk to the teenager.

[00:09:41] Ned: They’ll know what any of this means. HKLM. What the hell is it? A new band from Korea? No, it’s your registry calling. But I’m guessing in your household you probably have more than just the laptop and smartphone. You probably also have routers, maybe wireless access points, maybe smart devices of some kind, and Internet of Things garbage like WiFi light bulbs and WiFi.

[00:10:12] Chris: Crock pots, and even ones that you think are safe, like doorknobs or a roomba.

[00:10:20] Ned: I hadn’t heard about the doorknobs, but roomba. Yeah, I understand where that one’s coming from.

[00:10:28] Chris: We’re talking about like the Amazon Key type of doors.

[00:10:31] Ned: Oh, God. I had to erase that from my memory because it immediately seemed like a terrible idea. Why just no, here, Jeff, here. I have a total access to my home. I’m sure it’s fine.

[00:10:44] Chris: Please come into my house whenever you’d like.

[00:10:47] Ned: Just like that flying drone that they were trying to push.

[00:10:50] Chris: Oh, they still are trying to push.

[00:10:51] Ned: That, but stay on topic. Okay. All right.

[00:10:55] Chris: Stay on target.

[00:10:56] Ned: Assuming that your IoT device comes from a reputable source, and that’s a big assumption sometimes, there’s probably a way to enable automatic updates or they come enabled by default. Now, if I’m thinking of products from Apple, Google, Roku, et cetera, those all have automatic updates enabled by default. And there’s a team of people at those companies that in theory, are developing security patches for those devices.

[00:11:24] Chris: Right?

[00:11:26] Ned: Your main concern is for any of those devices? Well, your main concern with those devices, specifically the Google, the Roku, Apple, et cetera, is when those devices reach their end of life and they’re no longer receiving updates. And usually you’ll get a couple of emails from the vendor letting you know that device is reaching end of life because they have all of your informations.

[00:11:50] Chris: I mean, sometimes if the device is reputable enough, you’ll even see it on the screen.

[00:11:54] Ned: Yes, isn’t that nice? Your device is reaching end of life. You should replace it. Hey, we have a sale right now on whatever. So, like, if you hooked up your Roku box to your extra TV ten years ago, you might want to check on its support life. It’s probably up, right? Less reputable devices like, say, smart light bulbs from a random Amazon seller probably won’t be getting any updates ever. Now, I’m not saying don’t use these devices. I mean, probably don’t use them, but still, if you want to, there’s a way to do it somewhat safely. The larger question is whether or not you need a device to be connected. For instance, my new smoker can be connected to the WiFi. Does it need to? No, it does not.

[00:12:54] Chris: Did you connect it?

[00:12:55] Ned: No, I didn’t.

[00:12:58] Chris: With yourself and others?

[00:13:00] Ned: All right, so it broke my phone when I tried to set up WiFi, so I gave up.

[00:13:04] Chris: There we go.

[00:13:05] Ned: You hush. But same goes for your fridge, your oven, or your Crock Pot. Maybe just leave it offline.

[00:13:16] Chris: The whole point of a Crock Pot is not to have to think about it. So don’t think about it. You push the button, you come back in 8 hours, your kitchen is on fire. That’s how you use a crock pot.

[00:13:29] Ned: I mean, ideally, it’s weird, they say to put Napalm in there, but that just doesn’t sound right. But who am I to question Martha Stewart?

[00:13:38] Chris: I’m going to use Paprika, you bastard.

[00:13:45] Ned: Anyway, speaking of your network, the NSA has some solid advice regarding your home network, but this sentence in particular kind of made me laugh. Quote: "Your Internet service provider may provide a modem router as part of your service contract. To maximize administrative control over your routing and wireless features on your home network, consider using a personally owned routing device that connects to the ISP provided modem router." Yeah, that lines up. I have no notes. ISPs don’t care about your personal security. Additionally, they don’t want to spend a lot of money on the devices that they send you and then charge you every month for.

[00:14:31] Chris: Right. And honestly, that last part really heavily informs the first part a little bit.

[00:14:41] Ned: So they are notoriously of poor quality, with terrible user interfaces and frankly, incredibly underpowered internals. If you have the option to remove the ISPs devices entirely, I highly recommend it. That is what I did in my setup. Now, that’s not going to be available for everyone. I just happen to be in a situation where they ran from the Fios box, which converts the fiber to what I can actually use in my house. They ran cat five out of that in addition to coax. And I can just plug that cat five right into a router that I provide. So no ISP devices necessary at all. I know that’s not the case for everyone, right? But if you can, it’s awesome. If you can’t, then set up a double hop from their device to a router that you control and can configure. It is more of a pain administratively, but you’ll have the peace of mind that there’s a quality network device you control sitting between the Internet and all your other devices.

[00:15:52] Chris: Yeah, this is kind of an advanced one because a lot of the things that come along with the ISP provided router is set it and forget it. And in particular, you can set it and configure it from Verizon. What is the verizon? Verizon No, wait, that’s cell phones from the Verizon site. Yeah, which for people that are not technical is a huge convenience.

[00:16:15] Ned: It also exposes the administrative interface of your device to the public Internet. Which is bad.

[00:16:23] Chris: It’s not great.

[00:16:24] Ned: Don’t like it.

[00:16:24] Chris: It’s not great.

[00:16:26] Ned: That will come.

[00:16:27] Chris: I’m just saying, if you are capable of doing it, it’s kind of a no brainer, but if you’re not technical, then it sounds impossible.

[00:16:36] Ned: Yes, this is a should do, but it could be infeasible for some folks. But again, ask the young teenager in your neighborhood and they can probably help you with it.

[00:16:48] Chris: The children are our future.

[00:16:51] Ned: Right? Try not to let them fleece you too badly. Next, your wireless devices should be running at least WPA2 for their wireless authentication and security at a minimum, and WPA3 whenever possible. WPA3 was ratified in 2018, and they started shipping devices that were compatible that same year. So basically, if you have a device that was made in the last four years, it should support WPA3. But you may need to keep WPA2 enabled for crappy IoT devices or that aforementioned ten year old Roku device that you really should have replaced by now. Ned, I mean, theoretical human could be anybody. There’s also a non zero chance that the wireless router your ISP shipped doesn’t support WPA3 because they’re cheap and don’t like you. So assuming you’ve supplied your own wireless router, you should be good. Or you can buy separate wireless access points. Either one is fine. Beyond using your own gear and WPA3, the NSA recommends segmenting your network. And this is where I think we’ll lose most non techie folks and even some techie folks that don’t have a networking background. So we’ll go over the basics, and if you want more information, ask Chris.

[00:18:30] Chris: Would you like a non documented network that may or may not work?

[00:18:34] Ned: Yes. I’ll take two. Essentially, the idea is that you should break up your home network into isolated subnetworks for different classes of devices. Yes. That sounds scary. No, it’s actually not that hard. Basically, trusted devices on one network, those crappy IoT devices on another, and your guests on a third network would be a fantastic start. But doing so may require an understanding of virtual LANs, aka VLANs, and routing. So you not only have to create separate VLANs and wireless networks to support them for each of those segments, you also have to decide on what level of isolation you want, if you want to filter content between networks, if those networks should be able to talk to each other at all, and how you want to isolate individual devices on a given network. I’m going to go ahead and say that the networking and security industries have done a pretty poor job of making these technologies easily consumable. I mean, they were never meant to be easily consumable because VLANs were designed for data centers, right? Not homes. But still, I promise that it’s not actually that hard. If you can get a decent home wireless router, there’s a pretty good chance they have a wizard in there that will help you with this.

[00:20:02] Chris: Yeah. And this is actually something if you do have an ISP based router. I mean, I can say from personal experience, when I upgraded at the middle of last year, I got a new router from Verizon and logging into it, it actually had next next, next finish to set up three networks exactly like you just described.

[00:20:20] Ned: Wow.

[00:20:21] Chris: Yeah. I know it’s come a long way, and if you are a person that is not of a networking background and do not want to do that and want to stick with the ISP based routers, even take a look and see if the ISP router can do it, because some of the new ones can. Wow. I had no isolation makes a huge difference.

[00:20:40] Ned: It really does. The main benefit is that untrusted devices like the IoT, Crockpots and your friend’s weird smartphone that they got from a knockoff shop off of Canal Street, they won’t be on the same network as you, and hopefully they won’t be able to spy on your traffic or infect your stuff.

[00:21:01] Chris: I got a great deal on the latest Black Barley. What?

[00:21:08] Ned: Did you see the trailer for the BlackBerry movie?

[00:21:11] Chris: Oh, God, no. What?

[00:21:15] Ned: Moving on.

[00:21:16] Chris: Okay.

[00:21:20] Ned: That about covers it for networking stuff. If we turn back to individual devices, the NSA recommends that you take advantage of the software that’s bundled with your operating system: antivirus, antimalware, firewalls, disk encryption, TPM support. Both Windows and macOS, correct me if I’m wrong, Chris, include virus protection, a firewall, and disk encryption. Yes, and usually the virus protection and the firewall are enabled by default, and you have to work really hard to turn them off. So, like, don’t. I found out in doing the research for this that disk encryption on Windows 10 and 11 is enabled automatically when you log in with a Microsoft or Work account. They just turn on BitLocker for you.

[00:22:13] Chris: Yes, I remember when they did that. Everyone got all mad.

[00:22:17] Ned: I am not really mad about that. The main benefit is if someone steals your laptop and tries to take the hard drive out and read it with some other device, they will not be able to correct. If they can guess your password very easily, well, all bets are off. But assuming that they try that second approach, it’s not going to work out well for them, so you don’t really need to do anything else. I think the same is true of macOS, the encryption, by default, and it’s definitely true of Android and iOS. So just, like, leave it on. Hooray. Good job, vendors. You did something right.

[00:22:59] Chris: I mean, it took 15 years, but you did it.

[00:23:03] Ned: While we’re talking about encryption and protection, just a gentle reminder that you should be securing your passwords with a password management tool. We haven’t yet reached our password free utopia, although FIDO is helping to usher that any day now or year now or decade now. For the moment, you should select a password manager that is not LastPass, something else, and use it to manage your passwords going forward. Generate different passwords for each website that you have a log on for. And if you have to fill out some stupid security questions form, which some of them still make you do for some ungodly reason, give fake answers and then store your fake answers in the password manager. I use Dashlane and they have a secure Notes feature. So when I have to fill out that form, I just put my answers in a secure note with the website’s name. You wouldn’t believe all the different hospitals that I’ve been born in and all the streets I lived on when I was ten. So many.

[00:24:12] Chris: Yeah. And that’s really a key, is these things are going away. I don’t know what you want to call them. Security surveys to break back into your account if you forget your password.

[00:24:24] Ned: Yeah.

[00:24:25] Chris: You can’t, in secure minds, simply cannot give real answers to these questions. No, because with social engineering, somebody who knows a little bit about you or can find it out can answer those questions on your behalf. You can live on one, two, three, anywhere street if you want to. Just don’t live where you actually live when you answer those questions.

[00:24:49] Ned: If someone can run a credit report on you, do a background check, or just access publicly available records, they can answer like 70% of the security questions just from there. And the rest of them, they can guess. So, yeah, fake answers all the way. Big thumbs up to that. To supplement your password management lifestyle, it’s probably worth enabling two factor authentication wherever you can. Yes. I’m going to beat that fucking drum again. I’m so sorry. But you do it.

[00:25:27] Chris: Do it.

[00:25:28] Ned: You don’t have to do it all at once, and you don’t have to do it for every site right? Now, think of, like, the five or six sites that you go to on a daily basis. Start there, then branch out.

[00:25:44] Chris: And here’s the at least in my own personal experience, once you get used to the process, because it is an annoying interruption at first to see the second thing come up and ask for the six digit security code and, oh, Jesus, where’s my phone?

[00:25:59] Ned: Blah, blah, blah.

[00:26:00] Chris: Get the app out. You get into a pattern. You get used to it. And the more you get used to it, it becomes second nature. You stop worrying about it, and you will naturally just start doing it for every website anyway.

[00:26:13] Ned: And more and more sites are supporting not just the TOTP style authenticators, where you have to look at a six digit code. Many of them are supporting security keys, right, where all you have to do.

[00:26:27] Chris: Services is that you click yes, yes.

[00:26:30] Ned: And most of them allow you to set up both factor. Some of them allow you to set up both. And that’s really the ideal situation, is if I’m on a device where I don’t have access to that security key, I can use my Authenticator app, right? And if I’m on a device that I do have that security key plugged into, I can just tap the key.

[00:26:54] Chris: Or if you’re particularly security paranoid, you can use both. I, for one, don’t even get out of bed without eight factor authentication.

[00:27:03] Ned: Well, the robot you don’t want to.

[00:27:04] Chris: Know what they are.

[00:27:05] Ned: The robot you have doesn’t let you get out of bed. It won’t even let you access the bathroom.

[00:27:10] Chris: He can hear you. Sorry, Marlene.

[00:27:15] Ned: So Google Authenticator and Microsoft Authenticator are both common apps for supplying those codes. But I’ve also heard good things about Authy, and I’m thinking about checking it out. That seems to tout better recoverability and backup, especially across multiple devices. So if you lose your cell phone, you’re not like, shit out of luck.

[00:27:38] Chris: So Authy is awesome. I use it for a lot of sites. The thing to know about it is that it is a centralized cloud service. So your device is not really the device. The device is the Authy service in the cloud. Which means if you lose your device you can very quickly get back up to speed on a new device by reestablishing a connection to the cloud service. So it’s a push and pull in terms of convenience but it’s also your.

[00:28:05] Ned: Security which they’re storing your information. You have to trust them. Like Last.

[00:28:10] Chris: Yeah. And I mean it is also free, which is nice. And it is backed up by a legitimate and gigantic company called Twilio that does this for businesses.

[00:28:19] Ned: Right.

[00:28:20] Chris: So you use it yourself for free. You like it, you tell your boss about it, your boss buys it for the whole company is pretty much their business model.

[00:28:28] Ned: Interesting.

[00:28:29] Chris: So I like it. Would I use it if I was like the CEO of a bank? I’m not 100% positive that I would but not every site and not every person needs to follow every single one of these to the hardest and most stringent letter of the law that we’re describing.

[00:28:46] Ned: Right. I would put the password manager under the must do, two factor under should do and security keys under the maybe.

[00:28:58] Chris: Yeah. I mean the thing about them is if you know what they are, you know if you need it or not. If you don’t know what it is chances are you probably don’t need it.

[00:29:08] Ned: Yeah.

[00:29:09] Chris: Yet.

[00:29:12] Ned: So next, moving on to the next portion. There is one section about safeguarding against eavesdropping and this section is just wildly unrealistic if you plan to own any kind of home assistants. The phrase that they have in the document is, quote, "limit sensitive conversations when you are near baby monitors, audio recording toys, home assistants and smart devices," end quote. In many cases that defeats the purpose of those devices in the first place. For truly paranoid persons, Chris, having a Nest home or an Amazon Echo is going to be a non starter. If you’re trying to employ NSA level security don’t even bother purchasing anything that has a microphone on it right now.

[00:30:04] Chris: Here’s the thing every single word you speak does not go back to Amazon. This has been tested over and over and over again.

[00:30:12] Ned: Yeah.

[00:30:13] Chris: Having said that, if the device is taken over then now you have a microphone in your house.

[00:30:19] Ned: Yes.

[00:30:20] Chris: Again this is going to be your own level of security and comfort, what you think you need. And also if you do have a personal assistant of some kind buy one from a reputable company. And I’m using huge air quotes here talking about it, but this is one of those times where the aphorism is always don’t buy cheap tires because that’s what connects your car to the road.

[00:30:46] Ned: Right.

[00:30:47] Chris: Don’t buy a cheap home automation device because that’s what keeps your doors locked at night.

[00:30:55] Ned: Yes. And I will say that the reputable manufacturers have started including toggle switches to turn off the microphone and those toggle switches are hardwired to the circuit that actually connects the microphone. So when you that’s a device by.

[00:31:11] Chris: Device thing, you’re going to have to confirm that. But you’re right, and that’s a pretty cool feature because a lot of them is a software based microphone mute.

[00:31:20] Ned: Right. There are a few that are doing the hardware based mute, and that if you are especially paranoid and you would like to turn off the microphone, look for a device that has that feature.

[00:31:31] Chris: Yes.

[00:31:33] Ned: Now, the remainder of the document is just really solid advice for anyone trying to navigate the world of cybersecurity in a safe way. So I’m just going to hit a few highlights that I enjoyed. Feel free to add your own color. Don’t use USB charge stations, or if.

[00:31:50] Chris: You do, they sell little USB dongles that eliminate all of the data paths.

[00:31:56] Ned: Yes.

[00:31:57] Chris: Because the concern here is if you plug into a USB charge station and it’s not just charging, it is trying to pull information off of your device, it is staggeringly easy in a lot of cases for that attack to work.

[00:32:10] Ned: Yes. You’ve basically given someone physical access to your device. If you plug it into a USB charger, that’s less than reputable.

[00:32:19] Chris: Right. In an emergency, if you have to do it, turn the device all the.

[00:32:23] Ned: Way off and maybe watch the screen of the device to make sure it.

[00:32:28] Chris: Doesn’t, make sure it doesn’t turn back on.

[00:32:29] Ned: Right.

[00:32:31] Chris: But yeah, those little dongles are super cheap. They work fine. You can have one on your keychain if you have to. So that’s another option. But really, just bring your own charger.

[00:32:42] Ned: It’s not that hard. I mean, it’s not like the chargers are as clunky as they once were.

[00:32:47] Chris: True.

[00:32:48] Ned: And if you’re the kind of person who travels around a lot, not that big of a deal.

[00:32:52] Chris: Yes.

[00:32:53] Ned: The next one is use a VPN on public WiFi. Do I really need to say anything else about that?

[00:33:03] Chris: Sort of like the USB charge stations, you’re connecting to someone else’s infrastructure, it cannot be trusted.

[00:33:08] Ned: Right. As someone who has a data plan that’s pretty flexible, I tend to just tether to my phone rather than using the public WiFi, just have it go over cellular. Yeah, but if I do need to go over WiFi, then the VPN is certainly an easy option for my phone. Not as easy for a laptop. I don’t know if Mac is any different, but there’s no built in VPN solution for Windows. You have to be using some kind of service.

[00:33:43] Chris: Right. And if you do use a VPN, pay for it.

[00:33:47] Ned: Yes.

[00:33:48] Chris: It’s not super expensive, less than $100 a year, and you will get phenomenally better service than the free connections that are available. I can’t remember the exact numbers, but NordVPN has a free tier. I think they have ten contacts, servers worldwide. If you pay for it, they have like 500. That’s a different number.

[00:34:11] Ned: Yeah. The next one is. And I don’t know about this one. Your mileage may vary. Turn off Internet connected devices when not in use.

[00:34:24] Chris: So this is a good one in the sense that if it’s not on, it can’t be messed with and chances are it’s going to be either in a sleep or idle state the majority of the day anyway. So this one can fall into security, but can also fall into digital hygiene in the sense that turn off your computer when you’re done for the day so you don’t feel compelled to just go check your email real quick right before bed. Yeah, think about it that way and you’re accomplishing two things at once.

[00:34:55] Ned: The next one was interesting. It was reboot occasionally to remove persistent threats that are running in memory. So the NSA is basically saying there can be occasions where something does manage to make its way onto your computer or mobile device, but it hasn’t infected you in such a way that it’s able to persist itself through reboots. So it’s just sitting in memory doing something. So just by restarting your device, you’ll remove that threat.

[00:35:27] Chris: And this one also comes into digital hygiene because if you do what we talked about in the last point, it’s a non issue.

[00:35:33] Ned: True.

[00:35:33] Chris: And if you reboot occasionally anyway, your applications are going to run better because a bunch of cruft is going to be shuffled out of memory. Yes, everybody claims that that’s not a problem anymore. It’s 2023. Stop being ridiculous. It’s still a problem. Stop it.

[00:35:48] Ned: It always will be as long as.

[00:35:49] Chris: Java not being ridiculous.

[00:35:52] Ned: Yeah, as long as Java continues to exist, this is going to be a problem.

[00:35:57] Chris: Yeah.

[00:35:59] Ned: Don’t run as admin or root.

[00:36:03] Chris: Now this one I think we have gotten better at by default in almost every operating system over time.

[00:36:11] Ned: Better.

[00:36:11] Chris: We’ve come a long way from the Windows XP administrator was the only account on the system days.

[00:36:17] Ned: That’s true. At least now, when you set up an account on a new Windows device, even if you’re an administrator, you get that UAC prompt when it wants to perform an administrative function, and you have to click yes. But ideally, you would have a regular account that doesn’t even have admin rights that you would use as your day to day account, and then a separate account you would run as when you needed to achieve something that required admin access. Most people are not going to do that. In fact, I think it’s the same sort of scenario on macOS as well.

[00:36:57] Chris: Yeah, I mean, macOS is closer to a Unix. I mean, allegedly it is a Unix, but I don’t like to give them that kind of credit because mostly it upsets hardcore Apple fanboys. But it’s the same idea where if you want to do some type of an upgrade and you have to do an installation, it will kick up a prompt that says this requires root. Would you like to do it and you either punch in your password or you can use a device to do it for you. But the point is, you don’t have those kinds of permissions on your user account by default.

[00:37:27] Ned: Right? The last one is use separate home and work devices. So if your employer supplies you with a device to use for work things, do your work things on there and then use your personal device to do personal things. And then you won’t run into a situation where you’ve installed Plex server on your work device, for instance.

[00:37:54] Chris: Yeah. And this falls in line with the philosophies that we talked about in the network section, which is segmentation is good. You do work things on work devices, you do home things on home devices. And if you keep those two things separate 100% of the time, it is a guarantee that they will not intermingle if one or the other gets compromised.

[00:38:17] Ned: Now, you still may run into situations where your employer expects you to configure email or something similar on your personal smartphone. You can say no, that is a valid response, and ask them to supply you with a mobile device specifically for them. You might get some pushback on it and it will require you to carry two devices, which sucks. But if you really want to adhere to this separation, it might actually be better for your personal life.

[00:38:48] Chris: Again, digital hygiene. Because when you’re done with your work for the day, you turn off your work phone hooray.

[00:38:58] Ned: Those were the days, if that’s even an option. So even though the document is only nine pages long, actually implementing everything inside would be overwhelming for most people. All people, really, especially if they’re not used to thinking in this way. So if you’re looking for a top three things you should do today, here’s what I’m thinking. Update and patch your devices. This is not hard. It’s turned on automatically. Just leave it on and then restart when it tells you to. Set up a password manager. There are some good free options. I say probably go with a paid option because when you’re not paying, you’re the product. And lastly, enable two factor authentication that doesn’t use SMS and get.

[00:39:46] Chris: Used to using it everywhere.

[00:39:47] Ned: Yes, it will seem like an annoyance at first and then it’ll just become part of your habit.

[00:39:53] Chris: Yes.

[00:39:55] Ned: I would say.

[00:39:56] Chris: Well, before we get to your final paragraph there, the number four point, and maybe this should be point number zero, is look at all of the solutions and devices and things you bring into your digital life with a skeptical eye. I think for a long time people have just assumed, well, I bought this thing. Surely the manufacturer is going to make sure that it’s safe. We go into these types of conversations and we’re like, we just want this to work. I want to turn it on and go, it’s fine. And the problem is, it’s not fine. Usually the things we need to do, like these three things that Ned just ran through, not complicated. Takes 10, 15 minutes to set up. Probably two factor authentication is going to take you a week or two to get used to it, but a week or two of annoyance compared to the rest of your digital life being significantly more secure.

[00:40:55] Ned: It is a trade off. Convenience versus security. It always comes back to that. And what we’re saying is you should choose the security in this case.

[00:41:04] Chris: Agreed.

[00:41:06] Ned: And then lastly, try turning your focus to your home network. Now, that is going to require a decent amount of effort and possibly learning some new things. I promise you it will in fact be worth it if for no other reason than keeping your weird Uncle John’s iPhone off your internal network. Who knows what the hell he has on there.

[00:41:27] Chris: You do not want to know where that thing has been.

[00:41:32] Ned: Lightning round.

[00:41:33] Chris: Lightning round. So Fintech is hard enough for humans to understand. Let’s go ahead and bring in AI. Fintech is a vague term. It’s short for financial technology, and as a term, it can really be applied to basically any IT that affects, improves or automates financial services of any kind anywhere. So, like I said, vague. Even though the phrase has gotten significant pop recently because of our societal love of naming things via portmanteaus, the concept is as old as computers are. It was responsible for the automated high frequency trading that caused the flash crash of 2010, for example. Good times.

[00:42:20] Ned: Yay.

[00:42:22] Chris: The good people at the Gillmore Centre for Financial Technology at Warwick Business School had a Fintech conference this past weekend called The Frontiers of AI and Fintech. And they invited ChatGPT. Not lost on me is the irony that this conference is about the future. Yet ChatGPT’s training stopped with data from 2021. Now, as fun as it would be to distill all the wrong things ChatGPT said if it were to have actually been made a proper panelist, which is what I was hoping, it’s actually only going to be used to, quote, create a report of the two day event. Still, considering the initiatives of ChatGPT’s corporate overlords, I tend to suspect that the event will mysteriously include a lot of suggestions of using anonymous bluish clouds for migrations and vendor neutral adoption of Office 365 or whatever as a takeaway. Be sure to drink your Ovaltine.

[00:43:28] Ned: Encryption at rest? Try encryption in use. When we discuss keeping data secure, we often talk about encryption in transit and encryption at rest. The data in transit is usually protected via some form of TLS, and data at rest uses a combination of symmetric data encryption keys and asymmetric key encryption keys. Still, there’s one place the data is usually not encrypted, and that’s in memory, where actual work needs to be done with that data. But what if you perform operations on encrypted data with results identical to running the same operations on plain text? That’s the goal of companies like MongoDB with their queryable encryption feature and data security firm Vaultree, with their Data in Use Encryption SDK. One approach behind encryption in use is Full Homomorphic Encryption, which allows for more advanced operations than what MongoDB’s solution can provide, but it also requires heavy computation. No word on what technique Vaultree is using in their proprietary SDK, but these technologies add a new level of security to potentially sensitive data. 2023 could be the year of encryption in use, the final piece of the data security trifecta.

[00:44:54] Chris: The government is trying to ban TikTok again. The EFF is actually against it. So, first thing, it was only after I wrote like 2000 angry words on this topic that I realized completely on my own and with no advice from anybody else whatsoever, that literally every single thing we have a problem with regarding TikTok right now has been well known for years. That’s the article. You’re welcome. I just saved us 25 to 30 bloviating and repetitive minutes. Long story short, right now TikTok is a political football, period. It is social media in general and online advertising in particular that are the real enemy when it comes to personal security. Now, look, sure, we can at this point agree that TikTok is, as the kids say, extremely suss. Their product is flaky and insecure, their algorithm is demonstrably manipulated for political ends, and using it at all is bad for everyone’s mental health. But guess what? So is every other kind of social media. Just because TikTok is the current king of shit mountain doesn’t make any of the other shit boulders any better. The EFF is rolling their eyes pretty hard at the notion that TikTok has been proven to be this harbinger of the apocalypse that DC is making it out to be.

[00:46:26] Chris: The EFF, in their rebuttal, makes the extremely prescient point that the real crime is the idea that data broker is even allowed to be an industry. Let me close by quoting the entire last paragraph in EFF’s breakdown, because it sums things up far better than I just did. Quote: If China wanted to buy this data, meaning your user data and location data, it could probably find a way to do so. Banning TikTok from operating here would probably not stop China from acquiring location data of people here. The better approach is to limit how all businesses here collect personal data. This would reduce the supply of data that any adversary might obtain. Truer words have never been spoken.

[00:47:21] Ned: Samsung Exynos is extra insecure. Project Zero, one of the less evil branches of advertising company Google, disclosed 18 vulnerabilities affecting the Samsung Exynos line of chips. These system on a chip components power eleven of Samsung’s handsets and the Google Pixel Six and Seven, as well as other mobile devices and some vehicles. Out of the 18 vulnerabilities, Project Zero withheld the technical details of four of them, deeming them too dangerous to release in the wild before patches are available. Each of the four big baddies would allow an attacker to compromise the affected device remotely without user interaction. So that’s bad. The other 14 require the attacker to have physical access to the device. So don’t leave your phone unattended in a public area. Probably good advice in general. Advertising company Google had already patched their Pixel phones prior to disclosure, and patches are coming for the Samsung devices. In the meantime, if you have an affected handset, Samsung recommends that you disable WiFi calling and Voice over LTE in the device settings and go buy an iPhone or a Pixel or something that doesn’t include Bixby.

[00:48:50] Chris: Rolls Royce to build moon based nuclear reactor. From the “well, that headline is just way too awesome not to talk about” department. Basically what I just said. The UK Space Agency announced this week that Rolls Royce won a $3.5 million contract to build micronuclear reactors intended for moon based power generation with a delivery date of 2029. Some people might know that Rolls doesn’t just produce cars. They also make some of the world’s best turbine and jet engines too, and have done since World War II. Something some people named Chris didn’t know until literally right now is that they also have experience building nuclear reactors for submarines and have done that since the 1950s. The nuclear reactors in question will be of the, quote, small modular reactor variety, or SMR. So don’t think of like the Springfield power plant here. These are little guys. Just a little guy. They’re just little guys.

[00:49:57] Ned: So adorable.

[00:49:58] Chris: SMRs appear to be the linchpin of the plan that will make a moon base possible. Although I am sincerely hoping that a nuclear powered Rolls Royce Phantom ends up eventually being available kind of as a side project. Oh, and before anybody, well, actually me about this, yes, I know that the car Rolls Royce company is different than the Rolls Royce company that builds the reactors. There was a big split. It was a whole deal. Please just hush and let me have this one.

[00:50:30] Ned: Okay, fine.

[00:50:32] Chris: You’re the best.

[00:50:33] Ned: Hands are the hardest thing to draw. Midjourney says hold my beer. This has been a big week for AI. GPT-4 was released. Microsoft expanded their Copilot branding to include all of Microsoft 365, encompassing their Office applications as well. And Midjourney version five was released, showing some stunning renders that approximate real life a little too well. Anyone who has used previous versions of Midjourney or a competitor like DALL-E knows that it gets the large details right while having trouble with the small things. People with impossible bone structures, trucks with way too many mirrors, dogs with more than the normal number of legs. You know, nightmare fuel that’s been fed directly into my brain. Midjourney version five offers an improvement on these details showing that they can create photorealistic images rendered in 4K resolution. And best of all, it can render hands with five digits in everything. AI’s inability to grasp the correct number of fingers on a hand, something a five year old has very little trouble with, has become part joke and part indictment. It would appear that the uncanny valley of hands has been bridged with version five’s sprinkling of prestidigitation.

[00:52:00] Chris: You think that’s pretty funny, don’t you?

[00:52:01] Ned: Yeah, I really do.

[00:52:02] Chris: You think that’s cute?

[00:52:03] Ned: Very cute. I dare you to say otherwise. I muted your mic. It’s fine. Hey, thanks for listening or something. I guess you found it worthwhile if you made it all the way to the end. So congratulations to you, friends. You accomplished something today. They can go sit on the couch, segment your network, and learn about IPv6. You’ve earned.

[00:52:26] Chris: I-P-V.

[00:52:27] Ned: Seven never. 128 bits will be enough for everyone. And actually, it might be. You can find me or Chris on Twitter at ned 1313 and at Hayner 80 respectively. Or follow the show at Chaos underscore Lever, if that’s the kind of thing you’re into. Show notes are where you can also sign up for our awesome newsletter that is delivered every week. We’ll be back next week to see what fresh hell is upon us. Tata for now. You. Me? What?

[00:52:59] Chris: Why are you looking at me?

[00:53:00] Ned: Why you stop it.

[00:53:02] Chris: Stop. You stop having that face. Why don’t you Midjourney your face?

[00:53:09] Ned: I would be very pretty if I was Midjourneyed. That should be a verb. It’s now a verb. I verb.

[00:53:15] Chris: If you were mid journey, you’d be walking away from this conversation.

[00:53:19] Ned: Yeah. Nailed it.


Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.