Anniversary Kitten BBQ: Biometrics for All the Wrong Reasons [CL51]

Posted on Tuesday, Mar 28, 2023
Chris is concerned about Amazon One, Ned is amazed by Accenture’s size, and we all celebrate one year of Chaos Lever’s existence.


[00:00:01] Chris: I don’t know what you’re talking about. I’ve been recording the whole time. I’ve just been very quiet.

[00:00:07] Ned: Or you’re always recording everything.

[00:00:12] Chris: Exactly.

[00:00:13] Ned: Or more likely the NSA or the CIA or one of those three-letter agencies is recording everything we say. So really, if you ever forget to record a podcast, just write a letter to the NSA and they probably have it.

[00:00:29] Chris: Yeah, that makes sense. Let’s call it a permanent backup.

[00:00:36] Ned: Absolutely. That’s my disaster recovery plan. I’m just going to call the NSA.

[00:00:43] Chris: Just start yelling about like, absconding to Yemen with state secrets and all of a sudden they will have all kinds of time for me.

[00:00:51] Ned: All kinds of time and a very tiny box to put you in. I hear it’s very comfortable.

[00:00:59] Chris: Not at all pointy.

[00:01:02] Ned: One would hope not. Yes. So shall we do it? Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned and I’m definitely not a robot. I sure am glad I’m an organic being susceptible to all manner of colds and viruses. Boy, it sure would be awful to be cybernetic and immune to something like the flu, which I mention for no particular reason. With me is Chris, who is also here.

[00:01:36] Chris: I was just assuming that immune to the flu means that you didn’t like having just gotten off of an airplane. Yeah, that’s funnier if you see it written down.

[00:01:48] Ned: Yeah, you really stretch that one. I don’t know if I can get on board with that. Unlike this plane.

[00:01:56] Chris: Just when I think I’ve made it bad, Ned always comes in to make it worse.

[00:02:03] Ned: Yeah, that is kind of my job. And as we have seen, my function in this podcast to make everything worser.

[00:02:13] Chris: And you can’t say function without fun.

[00:02:17] Ned: That’s true. Wow, really think about that. Don’t think about that for a while.

[00:02:23] Chris: I mean, you also can’t say function without unction, which I’m almost positive is a real word and probably not a good one.

[00:02:31] Ned: Well, there’s unctuous, which is a real word and it doesn’t sound good.

[00:02:36] Chris: And there’s unctilisis, which was the roaring talk. Oh God, I screwed that joke up.

[00:02:42] Ned: Never tried.

[00:02:43] Chris: Move on. Just go, just go.

[00:02:45] Ned: See, I thought you were going to make like a comparison to bootylicious and how. That exactly what I was trying to do, okay?

[00:02:51] Chris: And I just didn’t remember how syllables worked, how letters structured in a single order somehow turned into a sound that you can make that people will understand and comprehend.

[00:03:02] Ned: You and Chat GPT have that in common. Yes, I’ve heard of it. Perhaps we should try doing it. So should we talk about some tech garbage?

[00:03:16] Chris: Sure.

[00:03:17] Ned: Well, I’m going to let you finish. But first, Chaos Lever had the greatest year of all time, Chris. Yeah, I led with that Kanye reference from 2009. That was 14 years ago.

[00:03:36] Chris: It was a long ass time ago.

[00:03:39] Ned: Yeah, what is less old is this here podcast. We published our first episode on March 22, 2022. Do you remember what it was called?

[00:03:52] Chris: Please God, Ned stop talking. Ned. Please God, stop talking.

[00:03:55] Ned: That was the subtitle.

[00:03:56] Chris: Oh, my bad.

[00:03:58] Ned: The main title was Layered Tech Garbage, and I don’t think we could have set the tone better for this podcast.

[00:04:06] Chris: It tracks.

[00:04:09] Ned: Since then, we’ve somehow managed to publish 49 additional episodes with this one making a nice round. 51 or 33 in hex or 11001 in binary. No reason I would know that off the top of my head. No reason at all. Hashtag not a robot. So I listened to our first episode. Some of it the first two minutes.

[00:04:38] Chris: You listen to it at five x.

[00:04:40] Ned: 1.5, but who’s counting? In our opening salvo, we had this gem. Ned: "Should we do the thing with the stuff?" Chris: "In the sense that we don’t know what we’re doing or why?" I’m happy to say, a year on, it still has the ring of truth.

[00:04:57] Chris: We were timeless words. Timeless words.

[00:05:00] Ned: We were much wiser back then. So congratulations to you, Chris, to the rest of the team at Chaos Lever, which is also mostly you. And to the listeners everywhere, which is also also mostly you.

[00:05:17] Chris: Look, I didn’t buy these 4500 MP3 players for no reason.

[00:05:22] Ned: Is this a vanity project for you?

[00:05:26] Chris: How did I bought mirrors?

[00:05:29] Ned: This is not my beautiful house. This is not my beautiful automaton partner.

[00:05:34] Chris: This is error, error, error. System interrupt restarting Ned protocol.

[00:05:44] Ned: Yeah, let’s talk about some tech garbage, shall we? And since this was since one of our first topics on our first episode was data storage on DNA, I think it’s only appropriate that our anniversary topic is about the data already stored in your DNA. Great segue. You love it.

[00:06:05] Chris: No.

[00:06:08] Ned: Can’t you just, I mean, it’s our anniversary. Dressed up nice, I wore pants and everything.

[00:06:20] Chris: That’s unlikely. Anyway, what Ned is alluding to and stretching the rules of science and common sense is an emerging trend over the past couple of years of biometric authentication going mainstream for all the wrong reasons. Now, this week, Panera Bread announced that they are rolling out biometric identification system as a part of their loyalty program.

[00:06:49] Ned: Are they just hooking up scanners to the trash cans?

[00:06:54] Chris: Well, I mean, if you wanted to go for the end result, it would be in the bathroom, but anyway, touché. So yeah, biometric identification at Panera. Panera, realizing the technical challenge and massive time sink it is to pay for a sandwich these days, decided to do something about it now. Not like building their own system, of course, because that would be crazy. Instead, they partnered up with Amazon to use a product of theirs that I personally completely forgot existed. Said product is called Amazon One, which is not a great name, and it uses your palm print as identification and authorization to connect your identity to your credit card to pay for things, keep track of loyalty points and any type of sign in programs, because sandwich points are important.

[00:07:57] Ned: I guess I only need 35 more sandwich points and one more finger to get a free sandwich.

[00:08:06] Chris: And it’s worth saying up front that what we’re going to be talking about in terms of Amazon One. Amazon One is not AWS. It doesn’t have anything to do with that side of the business. This is purely Amazon Corporate or Amazon Commercial or whatever. So remember, they are in effect, two separate companies. But since Amazon’s company, AWS, is also notorious for having terrible names for their products, I figured there might be some confusion that I just wanted to clear up early.

[00:08:34] Ned: Thank you.

[00:08:37] Chris: Now, first of all, the idea of using Biometrics, relatively speaking, isn’t new. People have probably been doing it without really even putting two and two together, say, for a faster login to your phone or your computer. Why type in a four digit code on your phone when you can just use your fingerprint? Or programs like Windows Hello that can make it much easier to log into your desktop. So easy that it can happen automatically if you want it to.

[00:09:14] Ned: Yes.

[00:09:15] Chris: The camera tracks movement, sees someone, locks onto that face, and if it recognizes your face, you’re logged in. Done. Now, this is automatically problematic in at least two ways. First of all, what if you’re not intending to log into said computer? Too bad. You just sit down at your desk to grab a pen or a folder or something off your desk or something from a drawer. Windows Hello unlocks your computer and you walk away, leaving your PC completely unlocked. When you’re home alone in the dark, filled with shame, not a big deal. Hey, at the office? Not great.

[00:09:59] Ned: That is also my office. And I’m not saying that I bought the nicer Logitech webcam because it supported Windows Hello, but I’m not saying that I did that.

[00:10:15] Chris: Yeah, I have one as well. It’s still in the box.

[00:10:18] Ned: The other thing I want to point out is if you deliberately lock your computer when you come back and sit in front of the camera, you still have to interact with the keyboard or mouse in some way for it to complete the unlock process so it will recognize your face. But then you have to like, I forget if it’s hit a spacebar or click on a button to complete the login. So it’s not just going to unlock and you walk away and your secrets are revealed to the world. But there are other issues with it.

[00:10:46] Chris: Yeah, such as the service being hacked back in 2021 with researchers being able to fake a USB camera, feed the Hello program an image, and get it to unlock your computer.

[00:11:00] Ned: That seems like a problem.

[00:11:02] Chris: That’s bad. That’s real bad. And it would have been impossible with a simpler username password combination. So when we talk about these things. Just remember always in the back of your head the seesaw between convenience and security. And when we talk about things like Amazon One or let’s just say the loose defaults that Windows Hello comes with that they’re trying to have it both ways and it’s not working out great because you’re right, Windows Hello actually has defaults that you can change. So it will not automatically log you in ever. Right, but it’s not like that by default.

[00:11:44] Ned: No. And if you’re in a corporate environment, hopefully your administrators have configured that via group policy to be a little more restrictive. And if that’s adorable, if they haven’t then boy do I have a job opportunity for you.

[00:11:59] Chris: So the major point: biometrics are a different class of authentication and by using them in wide open ways like Panera is doing is reckless and is on the wrong side of that seesaw. So in order to explore that point, let’s go back in time and talk about what Amazon One actually is.

[00:12:27] Ned: Yeah, because I’ve literally never heard of this service.

[00:12:32] Chris: I remember a little bit of it and one of the reasons that you and I don’t know much about it is as we’ll see it is primarily deployed in Seattle for completely coincidental reasons, I’m sure. But what it is, is a biometric payment system that Amazon announced in 2018 and introduced into the world conveniently for everyone in late 2020. What the service does is allows users to register to pay for goods and services using their palm print which is linked to an Amazon account and by definition a payment card of some kind. The first testing areas for Amazon One was their COVID lockdown darling of an idea the Amazon Go stores. Now these you probably remember.

[00:13:28] Ned: I do remember them. That was the one where you could just put stuff they had the funny commercial where it looked like a shoplifter was going around the store and shoplifting all the things and then they walked out and security guard did nothing. And then you realized oh, it had scanned all the items magically as they walked out and done their payment. Which is not exactly how it worked with Amazon Go but it was a pretty good commercial.

[00:13:50] Chris: That’s close enough. And that’s certainly their ideal, which is a cashierless bodega that is the epitome of surveillance. You walk in the door, you use your palm to scan, it opens the little thing like the subway. They take a picture of your face, they follow you around as you pick things up and put them in your cart with a series of RFIDs and cameras, approximately 11 million sensors I think is the low end. And then you just leave. The theory being that with all those cameras and with you authenticating yourself with your palm print at the door they know who you are, they knew what you took and then they automatically debit it from your account when you walk out the store. So neat. This is where they talk about how amazing the system is. And immediately my question is, why can’t you just use a credit card or your phone? Because even nowadays with credit cards, with the little tappy thing, it’s the exact same speed as putting your palm on a reader.

[00:14:56] Ned: Probably faster, honestly, because you might have to take a glove off. You’re probably going to have to reposition it three or four times. We know those things are not super accurate. Putting my credit card near one of the card readers, I won’t say it works every time, but it is like nine times out of ten.

[00:15:14] Chris: At least if you put your credit card on the farthest outside part of your wallet, you can do it without taking the card out of your wallet.

[00:15:22] Ned: Unless you have at least I can. Oh, I see. Unless you have one of those paranoid wallets where it blocks RFID. Allegedly.

[00:15:32] Chris: Anyway, so they have not put out a ton of these stores. Most of them are on the West Coast, and a lot of them are being closed because they’re not getting anything near the traffic that they thought they were going to get. As a matter of fact, out of the I want to say 26 that exist in the world, eight of them were announced to be closed this week. And Amazon also got sued class action lawsuit in New York City for inadequately informing customers of just how much surveillance goes on inside of an Amazon Go store.

[00:16:07] Ned: However much they told them, it was more.

[00:16:11] Chris: Yeah, I mean, I don’t think there’s a lot of that case. Probably doesn’t have a lot of legs.

[00:16:15] Ned: Probably not.

[00:16:17] Chris: I think that this is going to be one of those cases where they take it in front of a judge and the judge goes, what were you expecting? Again, dismissed. Now, Amazon’s claim is that their system is secure, biometric data is encrypted. It is super secure in its storage in the cloud, and the biometric data isn’t enough to individually identify a person anyway, which is an interesting claim. And as you can imagine, Amazon One is primarily used in Amazon owned or Amazon affiliated stores. However, there are partnerships slowly creeping up. In 2021, they announced that they had partnered with ticketing company AXS to use Amazon One for contactless entry at entertainment venues in the US. In May, they also announced a partnership with the NFL Seattle Seahawks to do contactless entry at their football field, which at the time, and I think is still called Lumen Field. There are also Amazon One powered stores in Seattle for both for all of the arenas, actually football, baseball and hockey, as well as a few other ones around the country. Minute Maid Park in Houston, TD Garden in Boston, and UBS Arena in Long Island, which I guess is where the Islanders play.

[00:17:41] Chris: I have absolutely no idea what’s curious and what I wonder, and I did not have time to research is, is this spreading, SaaS, catching on because customers actually want care about it, or because Amazon is making sweetheart deals with these places to implement it for the good press?

[00:17:59] Ned: Yes, the second one. And also you said, Contactless solution. It feels like putting my palm on something involves some level of contact.

[00:18:10] Chris: You don’t actually have to touch it. You just get your palm, you stretch your fingers out as much as you possibly can and you put it real, real close. You know what’s going to happen.

[00:18:21] Ned: People are going to put their hands.

[00:18:22] Chris: On it, like immediately, right away. Yeah.

[00:18:25] Ned: You know what is actually contactless? When I have the little e ticket on my phone and they scan it.

[00:18:31] Chris: See, I think you’re getting the point. Amazon One has been controversial since it was announced, due precisely to concerns over privacy and security. Now, in general, critics have raised concerns that the use of biometric data such as palm prints could lead to different and more complicated privacy violations, data breaches, and attack vectors. In specific, Amazon already has a history of utterly failing to protect your privacy. In fact, not just utterly failing, not really thinking it was all that big of a deal. In 2021, a report came out showing that Amazon had no real security policy to speak of when it came to your personal data. And all customer data was basically available to everyone inside the company. There was little to no gatekeeping when it came to which teams could access personal information in what was referred to by somebody at Amazon as a free for all approach. And this was designed into Amazon’s business policies. They were making the calculation that less internal security made for more sales, therefore they were going to go for more sales. And this was no one off thing with a rogue team or a wonky system. The report that came out was based on emails and internal documents going back years.

[00:20:11] Chris: And if you want to see the results of that laissez faire attitude to security, there are many, many pages that list out Amazon’s myriad failures to protect customer data. I went with the first Google link, and if you look at them, you’ll see that there are multiple major incidents in nearly every listed year. And let’s not forget that Amazon was hit with the largest GDPR fine ever. Why were they hit with that? Mishandling customer data. Amazon said that those charges were utterly without merit.

[00:20:51] Ned: Everyone else said, yeah, bra, right.

[00:20:55] Chris: That’s how they talk. Yeah, that’s how they talk in Europe. So what I’m saying is, there is the general concerns about biometric, which we’ll get into in a second. There’s also the specific Amazon that I think also needs to be taken into consideration when you’re doing this risk versus reward calculation.

[00:21:16] Ned: Right. I want to make an important distinction here because people might be thinking of how they use their fingerprint to unlock their phone or their face to unlock their phone. And what’s important to understand about most of those solutions I’m not going to say all, but most of them, they don’t store the hash or whatever the algorithm is of your fingerprint or your face on a remote system. That hash gets stored in a TPM on the device itself. And so while it does use biometric authentication, that authentication is not leaving the phone or the device per se and being stored somewhere else. So you don’t have to worry about what you’re talking about with Amazon One where no, your biometric data is in fact being stored somewhere else. And so it would be useful for someone to steal your palm print because they could in theory use it on any device that supports Amazon One. Unlike having to steal both your phone and your fingerprint to get into your phone, right?

[00:22:19] Chris: Yeah, that is an important point, is that the isolation of where that data is stored matters.

[00:22:26] Ned: Right.

[00:22:27] Chris: And that’s one of the biggest things that we want to get across is because it is so dramatically different, it has to be handled in a different way. So first off, let’s remember that there are a bunch of ways to do authentication. I’m sure you can do all the categories off the top of your head, close Your Eyes, Go.

[00:22:49] Ned: Wrong, mother the Street I grew up on.

[00:22:57] Chris: So we have the easy one. Something you know, that’s your password. Something you have, a physical object, say a smart card or a security token. Something you are is your biometric data, any type of thing you can think of: fingerprint, face, eyeball, voice recognition. One that never gets used often enough is something you do. I don’t want to dig into this too much because it’s a little bit of a, what’s that called? Digression. But did you know that they can make an authentication system that not only do you need to know the password you’re typing in, it tracks the way that you type it. So all the different changes in pattern and intensity and how long does it take you from like switching from a left hand letter to a right hand letter or two right hand letters in a row? Building out a password or a phrase like this would have to be a paragraph, basically. But something long enough it gets the fingerprint of how you as an individual type. There are camera systems that can track the way you walk down the street and if you get enough time, these things can be individualized.

[00:24:20] Chris: One of the things that you don’t notice when you see things like captchas online, some of the more advanced ones use something you do to check to see if you’re a human being and it has everything to do with the way the mouse moves across the screen.

[00:24:33] Ned: So it’s not even caring about the images, it’s showing if it’s showing you.

[00:24:36] Chris: Images at all, it’s an additional layer if they so choose to implement it. Because a computer can actually drag a mouse in a dead straight line. A human being cannot.

[00:24:47] Ned: True.

[00:24:49] Chris: So something you do, I think, is a kind of authentication that’s going to happen in the near future, but I just think it’s super cool.

[00:24:58] Ned: Yeah.

[00:25:00] Chris: And then the last one is something you are which is geographical. Like you cannot log in unless you’re in the state of Pennsylvania. We can do that. I mean, we can also fake it, but we can do that.

[00:25:13] Ned: Right.

[00:25:14] Chris: And there’s another important thing about biometric that makes it different from a badge or a phone app or a physical card of any kind. And that is, unless somebody has a hacksaw and a lot of bad intentions, you can’t lose it. So on its face, that’s a big see what I did there on its face. God, I feel so much shame. This should be a big pro. Well, the connected con is you can’t replace it either. We have not gotten to Minority Report yet. Nobody’s changing out eyeballs. So, yes, it can be more difficult to steal or forge biometric authentication than traditional forms. But if that information does get stolen or forged, say, I don’t know, a massive company with a long history of not being responsible with personally identifiable data has an incident, and now your biometric stuff is out in the ether, you can’t replace it. You can’t go to the palm doctor and get a new palm, right? I went to a Palmistry once. It’s very different.

[00:26:33] Ned: It’s not what you would expect.

[00:26:36] Chris: And they gave me a lot to think about.

[00:26:38] Ned: I’m sure they did.

[00:26:41] Chris: So if you lose a loyalty card, or even in probably a very common experience for everybody at least once in their lives, if you lose your credit card, it’s an annoyance, but it’s a fixable annoyance. It’s not a huge deal. You call the company, you cancel that card, and you get another one. Let me know how that works out when you lose your palm print.

[00:27:08] Ned: Slightly more challenging. Yes, right. Not as hard as getting a new Social Security number, but I mean, still.

[00:27:14] Chris: Pretty high up there 12345. So yeah, kind of to the point that you made before. Biometric data is great for highly secured and isolated environments where data about users is never widely available. But if you have an employee that works at one of those highly secured environments and ends up using Amazon One or other inevitable technology I know we’re banging on Amazon One, but they’re not going to be the first. They were the first, but they’re not going to be the last.

[00:27:54] Ned: Right.

[00:27:56] Chris: Say that data gets stolen. Well, now, theoretically, bad actors have a piece of unchangeable information that you use as authentication, which they can take and help them to break into said highly secured environment. I have seen the Mission Impossible documentaries, people. I know what can happen out there.

[00:28:18] Ned: Obligatory joke about the Burj Khalifa, et cetera, et cetera.

[00:28:21] Chris: Yes. And another final thing, why do we use MFA? Ned?

[00:28:30] Ned: Because you need to provide more than one factor.

[00:28:33] Chris: Correct. Because if you have a password and it gets stolen, there’s another layer of security backing it up. Amazon One uses your biometrics but has nothing to back it up. It’s just a scan.

[00:28:48] Ned: Right?

[00:28:50] Chris: A scan that is connected to your credit card information. This just absolutely seems not worth it to me. When using a chip based credit card or an app on your phone is literally exactly as fast, but has a lot more security built into it.

[00:29:06] Ned: Or possibly faster.

[00:29:08] Chris: Yeah.

[00:29:09] Ned: Depending on the scenario.

[00:29:13] Chris: So that’s where I am on that.

[00:29:18] Ned: Yeah. I like the idea of biometric authentication when it’s handled in a way that respects the customer’s data. Do I trust that these large services who are built on the back of collecting as much customer data as possible are going to properly secure that data? Not especially. And Amazon is probably close to the top of that list right after advertising company Google.

[00:29:51] Chris: Yeah. And I just feel like they are taking the concept of biometrics and talking only about the convenience, which, admittedly, I guess it seems faster and it certainly seems more high tech.

[00:30:09] Ned: My problem with the Amazon Go store and a lot of other things is they’re trying to solve a problem that no one actually has.

[00:30:18] Chris: They’re trying to solve a problem like Maria.

[00:30:21] Ned: Exactly. How do you they’re trying to solve a problem because they saw something in a Sci-Fi movie or read something in a Sci-Fi book from 25 years ago. And the thing about Sci-Fi stories and movies is the tech doesn’t actually have to work for the story. Authors can just make shit up and if it looks cool or seems cool, it makes it into the final story. But it doesn’t have to be functional. And Sci-Fi novels are not roadmaps for our science future, they’re just ideas. And a lot of the time, the end of the story or the overall meaning of the story is, this is a Dystopia or this is a bad thing, not something that you should emulate.

[00:31:16] Chris: Right.

[00:31:16] Ned: And unfortunately, too many tech bros lack the nuance to see that when they read those Sci-Fi stories and they’re just like, that’s cool. I want to make a store that scans everything.

[00:31:29] Chris: That’s how they talk.

[00:31:31] Ned: Yeah, I’ve been to Seattle. That’s how they talk.

[00:31:34] Chris: Fair enough.

[00:31:35] Ned: I rest my case. Lightning round.

[00:31:38] Chris: Lightning round.

[00:31:41] Ned: Even consultants get the blues, or the pinks, as in pink slips. You see?

[00:31:48] Chris: Oh, I get it. Yeah.

[00:31:50] Ned: Gigantic consultancy firm Accenture announced last week that they will be laying off 19,000 people over the next 18 months. What’s amazing is that 19,000 only represents 2.5% of their workforce, which means Accenture employs roughly 760,000 people. Just for fun, I looked up the total number of coal miners in the United States, and it was 38,400. Looking at some other numbers, Accenture also employs more people than Apple, Facebook, and Microsoft almost combined. And unless you’re in technology, you’ve probably never heard their name before. I really wanted to make this post all about the people who are going to be impacted by this layoff, but I can’t shake the size and scale of Accenture: 760,000. Weirder yet, they expect their sales to grow by eight to 10% this year. Now, I know they are likely shedding low performers, people whose skills aren’t in demand, and anyone who was born on a leap year, because why the hell not? But you’d think a healthy, gigantic corporation growing by 8% over the next year wouldn’t need to lay off the equivalent of half of all coal miners. I’m starting to suspect, Chris, that capitalism doesn’t have workers’ best interests at heart.

[00:33:27] Ned: Shocking awe.

[00:33:32] Chris: Okay, all right. For the millionth time, we do not have to change passwords every 90 days. Another day, another breathless breakdown of how bad mandates on password changes are to overall IT security, this time by The Wall Street Journal. Look, I get it. When the company was first online in the 90s, Alan decided that we all have to change our passwords every three months because it’s safer, right? That way, if your password gets lost, it’s only a problem for a finite amount of weeks. But, guys, we’ve been over this. That concept is dumb. That concept came around in the 90s, which was 30 years ago, which was when Starfox came out for the Super Nintendo. And Alan doesn’t even work here anymore. NIST hasn’t recommended password rotation schedules as a best practice since 2017. The science has shown that mandated password changes unambiguously lead to weaker passwords, and it’s annoying to users. Admittedly, a lot of these pains should be ameliorated by password managers, but that doesn’t help when you’re talking about, say, the password you log into your computer with every day. Passwordless solutions like Windows Hello will help a lot. But back to the point: scheduled password changes are dumb and counterproductive.

[00:35:06] Chris: Stop mandating them.

[00:35:08] Ned: Amen. Look, Ma, the FTC is doing something good. FTC chairperson Lina Khan has been up to more shenanigans siding with corporate interests, going easy on ISPs, and listening to lobbyists. Wait, what’s that? She’s not doing any of that. She’s introducing stuff that might actually help the consumer. What’s her game? My more skeptical nature notwithstanding, there is a new proposed rule out of the FTC that would require a simple cancellation mechanism for consumers in the same format as they signed up for any given service. If you signed up through an app, you can cancel through the app. Signed up through the website? There has to be a form on the website to cancel with, and the process to cancel cannot be more onerous than the one used to sign up. Additionally, the rule also states that if the service wants to incentivize you to stay with special offers, they must ask you if you want to hear them first and listen when you invariably say no. Naturally, the only dissenter on the panel is Republican Christine Warren, who makes some vague allusion to Supreme Court things and also that she murders kittens. I don’t know, the whole thing got pretty confusing.

[00:36:33] Ned: The comment period will begin shortly, so if you have a moment, leave a comment about how ease of canceling is good and eating kitty flesh is bad.

[00:36:46] Chris: Speaking of confusing oh, I thought you.

[00:36:50] Ned: Were going to say kitty flesh.

[00:36:52] Chris: Damn dude, you have one too many Benadryl. What’s going on over there?

[00:36:58] Ned: Yeah.

[00:37:01] Chris: TikTok CEO testifies to Congress, everyone ends up looking bad. In this week’s episode of Inane Grandstanding by the Technologically Illiterate, TikTok CEO Shou Zi Chew responded to approximately 5 hours of questioning from our good friends in Congress. He repeatedly defended the efforts that TikTok is already making to respond to data security concerns, especially highlighting that TikTok’s Project Texas, little pandery with the name, would satisfy all the demands that the government had about isolating data from the Chinese government. Questionable whether that’s true. He also engaged in what I think was totally justifiable whataboutism when reminding Congress that Facebook and Google have been just as guilty and nothing has happened to them. There were some absolutely magnificent questions lobbed out from members of Congress. Such as when Republican Richard Houston of North Carolina asked, quote, does tic TAC access the Home WiFi network? Unquote. Just magical. The man said that on television where his family could hear him. Overall, nothing was accomplished by this hearing. No minds were changed, but it wasted a lot of time and money. So congratulations all around. I guess I will point everyone back to the EFF article about this issue we talked about last week.

[00:38:34] Chris: Wake me up when there’s an actual data privacy bill that won’t just die.

[00:38:38] Ned: In committee, or when you go-go. Feel good about that. Creator of the first Ethernet, Robert Metcalfe, wins Turing Award. Believe it or not, boys and girls, there was a time before the Internet and wireless when computer networks were connected by thick cables and limited to a single room or building. Terrifying, I know. Bandwidth was measured in megabits, not bytes, and you couldn’t even rickroll a person because Rick Astley was still in diapers. What’s amazing about the Ethernet developed by Metcalfe and David Boggs is the fact that it is still used today as a layer two transport for basically the entire world. Whether it’s Cat 5, multimode fiber, or wireless radio signals, they all use Ethernet for their transport. Starting at a minuscule 2.94 megabits per second, it’s now possible to run Ethernet at multi-terabit speeds. There are an estimated 7 billion Ethernet ports in the world as of 2022, and all the little packets steering around our crazy globe owe Metcalfe and friends a debt of gratitude.

[00:39:54] Chris: CISA releases weirdly named tool to help investigate possible Microsoft 365 breaches. CISA, or the Cybersecurity and Infrastructure Security Agency, has released a new tool to assist security engineers in the fight against security breaches in Microsoft 365 environments. The tool is open source, free, and based on the MITRE ATT&CK reports. The tool collects myriad telemetry data from cloud environments and analyzes them for potential malicious activity patterns. The tool is also, for some reason, called Untitled Goose Tool. You know, I’ll be fair, I could have researched why it had this name, but I didn’t. I’m just going to let Untitled Goose Tool live free in my memory forever.

[00:40:52] Ned: It’s best that way.

[00:40:54] Chris: Most security engineers are kind of questioning the point of this tool as one, most of what it does can be done by other tools, and two, the permissions that it requires for data collection are a little on the explicit side. It’s a good first step, though, in this reporter’s opinion, because one, did I mention it’s free? And two, it’s open source. CISA has been releasing little tools like this for a number of years, and I hope that they keep doing it. They’re reputable enough that I’m not worried about the permissions that they’re requiring, and everybody likes free, except for all the.

[00:41:35] Ned: Security companies that want to make money. They’re not as big of a fan. Hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can go relax on your Lazy Boy, read some Tolstoy, and have a latte made with soy. You’ve earned it. You can find me or Chris on Twitter at ned 1313 and at Hayner 80 respectively, or follow the show at Chaos underscore lever if that’s the kind of thing you’re into. Show notes and the sign up for our newsletter are If you like reading things, which you shouldn’t, you have 50 other episodes of Chaos Lever to get through.

[00:42:18] Chris: Better get on by the end of the day.

[00:42:21] Ned: Five X speed exists for a reason. We’ll be back next week to see what fresh hell is upon us. Tata for now.

[00:42:30] Chris: So what’s your legitimate fastest speed that you can listen to something and actually interpret it in any meaningful way?

[00:42:37] Ned: One and a half has been my max. I tried two X once, and it was just, I couldn’t do anything else at the same time. And that’s usually my goal, is to be able to do something else while I’m listening, right?

[00:42:50] Chris: Yeah. Unless I just want to make everybody sound like Alvin and the Chipmunks, which is not necessarily a bad thing.

[00:42:56] Ned: I’m sorry, what were you saying? I was doing something else.


Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.