Know Thyself Jellyfish: OWASP API Security Top 10 Countdown [CL53]

Posted on Tuesday, Apr 11, 2023
Chris counts down the OWASP API Security Top 10, Ned mocks InfoSec at his own peril, and we both hold out hope for a data privacy bill of rights.


00:00.00 Ned Or you always break everything. That’s your prerogative.

00:00.00 Chris I didn’t break everything. I Only break most things.

00:09.72 Ned Okay, we’ll qualify it with the most. That’s fair. That’s fine.

00:13.90 Chris And I don’t you know I don’t really like to think about it as like active destruction. It’s more like um, integrity tests.

00:21.95 Ned Um, I like that you're doing software development testing, QA testing, for Zencastr.

00:26.96 Chris Doing what I can to break it because somebody has to.

00:32.52 Ned You know that somebody's going to be you. Do you have a person in your life that is kind of like, if they can make the technology work, you know it's bulletproof? Like just someone who is somehow physically allergic to technology. Do you have that person in your life? God damn it, I walked right into it. I can't even be mad. Ah, well, I'm here now. That is my sister, who is the one who is just.

00:52.19 Chris I’m talking to him right now but you you ah shade right into that.

01:07.20 Ned Complete like somehow in in the genetic lottery I got all the tech and she got zero of it. Um, which which would explain why she’s been a lifelong Mac user because it does at least make things relatively easy. But yeah.

01:21.26 Chris So shots fired this early in the episode.

01:26.18 Ned Listen, it's just the way it is. And so she teaches kindergarten, which is in theory very low tech, but we were talking last week and she was just telling me about the nightmare of when Covid happened and suddenly she had all this technology foisted upon her. And so the technology liaison at her school basically made her, I would say, the post. She was the tester: if he wrote up instructions or some sort of tutorial to use something and my sister could grok it and do it, then he knew he was good across the entire school.

02:07.32 Chris Um, that’s ah, that’s a dubious honor. Let’s put it that way.

02:10.91 Ned She makes no bones about it. This is not a point of contention or embarrassment. She's just like, no, I am physically allergic to technology. I break whatever I touch. So if you can make something that I don't break, you're probably good for like 99% of the population. Know thyself, you know, the takeaway. Ah yes, nobody's ever thought of that before. Well yeah, I mean, that was on the.

02:31.22 Chris All right? Yeah I think that’s the main takeaway that and don’t swim 30 minutes after eating.

02:46.54 Ned Yeah, on the rosetta stone just below know thyself was you know don’t swim until 30 minutes have elapsed though they called it something else.

02:54.48 Chris Um, I mean you could just keep it make it more simple and just don’t swim.

02:57.70 Ned Water is our enemy despite being mostly native. It’s true and I’m not going back. Oh dear.

02:59.96 Chris We evolved out of it for a reason.

03:06.92 Chris I just imagine you know four hundred billion years ago or whatever and you know, whatever first Protozoa moved out of the water was like fuck seaweed that stuff’s gross and that’s how life started.

03:17.85 Ned It's so gross. I won't say it's the worst thing about swimming in the ocean, because sometimes there's just a ton of little jellyfish and those are worse than seaweed, because you can feel them all around you and you know most of them are going to die. It feels super gross. My middle one won't even go in the ocean if we're having a culling.

03:35.25 Chris When you say it like that it sounds super gross.

03:48.77 Ned Of the transparent jellyfish, which happens about once or twice a year on the Jersey Shore. I think Snooki's involved somehow. Use your imagination, or don't really. Ah.

03:56.65 Chris So oo.

04:04.95 Chris I’m gonna go with the I’m gonna go with the latter on that one. Yeah.

04:06.12 Ned Okay, hello alleged human and welcome to the Chaos Lever podcast. My name is Ned and I'm definitely not a robot. I do not have an immature and insatiable thirst for power and possessions. I have simpler ambitions. You know, I merely want to bring peace and tranquility to the world, and if necessary I will destroy anything or anyone that stands in the way. But did I say destroying? I meant recalibrating into their component atoms. Don't run. It won't help anyway. Hi Chris.

04:47.90 Chris So it’s good that we’re doing this one remote huh.

04:52.35 Ned Ah, as is our wont. We haven't done one in person in a while on account of you getting a real job now. What's that all about?

04:56.53 Chris It’s true. It’s true. What’s your fault for it.

05:05.45 Ned I think that really said it all more than words. So you had a thing, you wrote stuff, and it's one of your favorites.

05:11.52 Chris Yeah, so I did I actually almost had another thing but that was shockingly even more esoteric and boring. So.

05:23.67 Ned Oh.

05:30.35 Ned So you need to punt that to me next week it’s what you’re saying here. Go make this interesting.

05:30.78 Chris To save everybody I decided on this one.

05:39.49 Chris So yeah, we are going to talk about OWASP releasing an update to the API Security Top 10. Buckle up.

05:50.89 Ned Those were some words that you used I recognized about 50% of them. It’s true.

05:57.57 Chris So that's better than average. So let's go ahead and do some background on the sentence that I just made and hopefully we'll fill in the blanks here. Question number one: what is an OWASP and what do they do?

06:07.41 Ned Um, okay.

06:16.10 Chris OWASP is an acronym that stands for Open Web Application Security Project, which is a lot more words, so this is why everybody sticks with OWASP. So we can do that, right? You agree?

06:29.39 Ned True I agree that is fine.

06:36.48 Chris Okay, so OWASP is an open source community of security researchers dedicated to a simple cause: finding, categorizing and counting all of the common security problems people can and will encounter on the internet. They are most famous for their Top 10 list, just "Top 10", which is dedicated to bringing awareness to major issues that web app developers will face. This one, which is the one that we are not talking about, is more or less based on websites and website-adjacent online properties.

06:56.21 Ned M.

07:15.21 Chris But the list is still on the general side of security, kind of on purpose. For example, the number one issue identified by the OWASP Top 10 right now is broken access control. How do they define that? They define it as, quote:

07:26.65 Ned Okay.

07:31.55 Chris "Violation of the principle of least privilege or deny by default, bypassing access control checks by modifying the URL, improper elevations of privilege." It goes on, but you get the idea.

07:44.18 Ned Ah, yeah. So that is more general. It's not speaking to a specific exploit or a way to take advantage of this failing. It's just, this failing exists, and it usually has something to do with someone modifying the URL to bypass what would be the login page where you'd get your initial token or cookie.

08:04.54 Chris Right? And you know, that list has been around for a while and it is aimed at web apps, but because of its general nature it is clearly applicable to a lot more than just your online gambling website. Now, fun fact: the most current version of the big list.

08:18.49 Ned Um.

08:24.40 Chris Is from 2021, but if you ask ChatGPT it will lie to you and tell you that the most current version is from 2017. Don't listen to everything the internet tells you. Yeah, I hadn't. So what I really should do is like.

08:34.12 Ned Especially ChatGPT.

08:42.53 Chris I've got to set up some kind of script that does an automated bake-off of every single asinine question I come up with and see how wrong they all are, but in different flavors. I think that would be fun. Make that happen. Yeah, like I said, the original big OWASP Top 10.

08:52.33 Ned Yeah, okay.

09:02.52 Chris Is generic. In order to be more specific, OWASP also started up another top 10 list. That's the one we're going to talk about today: the API Security Top 10. You want to guess what that.

09:16.58 Ned Moon.

09:21.32 Chris That security top 10 list is about? So close. APIs. So what's an API, you might be wondering quietly to yourself.

09:24.31 Ned gRPC. Final answer. Oh.

09:33.73 Ned So what is an API? Now, yeah, I do hear the term bandied around a lot, especially with the advent of Web 2.0. But I think it's a term that gets used fast and loose a lot. So maybe we should put some parameters around it.

09:52.96 Chris Yep. API stands for application programming interface, and basically what they exist to do is provide plumbing for the internet: connect one site to another in a programmatic fashion.

10:04.63 Ned M.

10:09.38 Chris You know that gambling website that you just can't close the tab on, Ned? You know how it talks to your bank? Via an API. It is not a connection that the average user will ever see or care about. But it's there, and as you can imagine, it's super important.

10:17.16 Ned Who.

10:29.13 Chris After all, you can't lose $2,500 playing four simultaneous hands of blackjack online at three o'clock in the morning after your job gave the primo contract to Steve, even though you were the one that did all the legwork. But I guess that's not important, because Steve is the boss's nephew. Hit me.

10:29.24 Ned Um.

10:45.26 Chris I know it's a 17 against the 6 and the card says I should stand, but damn it, I need to feel alive. Um, what was the question again?

10:50.20 Ned Wow. Do you need a minute? Do you need like a five and a juice box? We can do that for you, yeah.

11:01.32 Chris Oh, I need a juice box. Oh, anyway, APIs, that's, yeah, so cool. The point is API security is super important too. In fact.

11:05.12 Ned We all eat out anyway. Okay.

11:19.93 Chris According to HackerOne, after the websites themselves, the APIs that connect them are the number two attack vector on the internet. So that's bad. And those connections, because they are invisible like I said, a lot of people don't even know they exist. So.

11:29.98 Ned Um, could be.

11:39.61 Chris In order to bring them a little more into the light, OWASP created this API Security Top 10. The first list came out in 2019. They put out sort of minor adjustments in 2021, and now the 2023 list is out for public comment with a stated final release date of, ah, soon. Soon. 2023 for sure. Probably. So that's who they are, that's what they're talking about.

12:06.81 Ned Maybe we’ll see okay.

12:18.33 Chris What's on the list? So this is an interesting one, because one thing that's happened is OWASP is changing the way they approach this list. There are a few new categories in 2023 that collate issues from the 2019 list. There are a couple of completely net new issues which that collation made room for, and of course there are a few that have the most depressing categorization possible: after four years, everything is still exactly the same.

12:52.30 Ned Yeah, I feel like their general website Top 10 has been relatively static for several years. I think the SQL injection attack is still like one of the number ones, or.

12:53.40 Chris So.

13:07.78 Ned In the top 10 year after year after year, even though it's a very well-known attack.

13:10.51 Chris Right? Yeah. I think at a certain point they're just going to change the name of the list to "Are You F-ing Kidding Me". So I don't want to hit every single item in the list, because there are some that are.

13:20.82 Ned Ah, yeah.

13:27.74 Chris There are variations on a theme, and it gets a little too deep into the programming weeds. But I have a couple of points to talk about that are in this list, and again, this is up for public comment. So if you are either a researcher or a programmer and you find these things interesting or challenging, you can go to the linked.

13:32.55 Ned Um, sure.

13:47.43 Chris GitHub site and post comments, because this is not public yet, or it's not final yet, I should say. So let's do it. Okay.

13:49.42 Ned Dark.

13:58.66 Ned Let's go with number one with a bullet. Oh, a repeat offender.

14:00.11 Chris Again, security issue number one on the API Security Top 10: broken object level property level, oh shit, I said that backwards, broken object property level authorization. And like I said, this one has been unchanged for four years now. The list gives a tiny bit of a pass in the way that it's described, because the definition has expanded slightly, but the problem is still the same: the request made to an API can be made to return more data than is necessary for the intent of the request. This could be something individual, like forcing the API to return an entire user's profile instead of just their username.

14:43.44 Ned Um.

14:54.69 Chris Or it could be group-based, forcing the API to return itemized usernames and PII instead of just summary data. So if the question is supposed to be "how many users are in group X" and you can manipulate the API into returning everything about all the users in group X, that is broken property level authorization. In either case, the advice is the same: "devs should be careful about query validation," unquote. Now, the danger here is simple.

15:16.35 Ned I see.

15:28.40 Ned M.

15:33.30 Chris And the advice comes down to a very common old saw: security versus convenience. Developers want people to use their APIs. So sometimes they can be, shall we say, less than stringent when it comes down to nailing.

15:40.85 Ned Oh I feel like we’ve heard that before.

15:53.56 Chris Responses and requiring really explicit requests. So being a little less explicit is good in terms of user adoption but is bad in terms of security, which is why it has been number one for four years.


19:18.82 Chris Ah, right. So that was issue number one, broken object property level authorization. Any broad thoughts on that before we move on?

19:21.46 Ned Um, I'm just thinking about the newer introduction of GraphQL and the way that might exacerbate this problem, because the nature of GraphQL is to include queries inside the request so that you can ask for exactly the information you want. And so if you don't have tight controls on the backend in terms of permissions for that request, it's meant to be more open in nature, so the amount of abuse that can happen there is pretty high.

20:01.83 Chris Right? Yeah, and it's actually interesting that you brought up that specific example, because in a couple of the articles that I used for research for this, that was brought up specifically. So I mean, it's right there on, I mean.

20:07.14 Ned All right hey I knew a thing woo.

20:19.50 Ned Yep, every time.

20:21.30 Chris And this is going to be a common theme, but it's security versus convenience every single time. So let's talk about API security issue number two. That would be all the other authorizations. So the number two issue on the list is a collation that is simply called broken authentication. Now there are a few.

20:47.52 Ned And.

20:51.69 Chris Are looped in through the list that also refer to authentication. But like I said, variations on a theme, so I'm going to kind of talk about them all at the same time for the sake of time and sanity. Now in 2019 this issue, which was still number two, was called broken user, right, authentication. Now one of the reasons that this change was made, and one of the reasons that I think it was a good change to make, is quite simple: automated connections. "User" implies.

21:18.25 Ned Writes.

21:23.78 Ned Um.

21:29.20 Chris Human. Now this is a complicated thing that we in technology have to get past: the vast majority of devices that connect to something are overwhelmingly larger in count than the number of humans that will connect to something. Okay.

21:37.40 Ned That really kicked in with the Internet of Things. I mean, it was already there, but the Internet of Things kind of just exploded out in an exponential kind of way, where there's nine billion humans on the planet, roughly. There's already more than nine billion devices on the planet that are connecting to the internet, and that number is only going up. So if you think of it in those types of figures, then yeah, focusing on machine-to-machine authentication is actually more important than user-to-machine.

22:20.55 Chris Um, right. And something else that has occurred in software development that also changes the nature of security is the concept of microservices, and especially elastically.

22:26.42 Ned Um.

22:32.61 Ned Um, known.

22:36.79 Chris Designed microservices, which would require different security considerations. How do you make sure a connection is safe when the endpoint might have only begun its existence five seconds ago and will only exist for another ninety? The answer, which is criticized by the API security issue here, and according to lazy developers, is by creating things like connection strings with no password or tokens with an infinite expiration date. These practices, while convenient.

23:02.25 Ned Um, whom.

23:05.58 Ned Yes, and that gets back to that seesaw, right? And there's a pretty good chance that the developer implemented that when they were just trying to get a feature working: I just want to make sure that the functionality is there and then I'll layer on the security later. But no, they have to ship it tomorrow and that security just never comes.

23:13.83 Chris Are bad.

23:21.91 Chris Right now.

23:25.37 Ned So unfortunately the solution has been pushed off to operational folks, and they have put elaborate things in place like service meshes that layer the security on top, so the devs, quote unquote, don't have to worry about it, even though they do.

23:48.58 Chris Right? And it comes down to the idea, this is like the foundational theory of things like DevSecOps, which is you build the security at every layer, at every step of the way, not bolt it on at the end.

23:58.55 Ned Until it doesn’t.

24:03.47 Chris And just say, oh well, we have a firewall and deep packet inspection, that'll cover it, right? So that's bad. Don't do that. Security issue number three, here are some.

24:15.46 Ned Um, whoo.

24:20.95 Chris That were added to the list. Now there are a few that I'm going to skip over because they're pretty self-explanatory. Number seven on the list again is security misconfiguration, and I mean, that's a good one. That's something we should pay attention to. Don't misconfigure stuff. That's my advice. You're welcome.

24:36.50 Ned I already have it ready to go in QuickBooks. You'll get an email. Don't worry.

24:40.69 Chris That will be $900. Ned will be invoicing all of our active listeners. I hope you have a lot of paper in your printer. So.

24:51.50 Chris It's 2023, so what is new to the list? Number one, ranking number six on the 2023 list, is a banger, and it's going to take a little time.

24:59.46 Ned Okay.

25:07.38 Chris Time to work through, because it's not an obvious thing. It is called server-side request forgery, or SSRF, or I guess, yeah.

25:07.70 Ned Oh yeah, that's completely clear. It's on the server side and it's forging a request. I don't need any more information, but maybe our listeners do.

25:26.77 Chris Yeah, for the listeners, let's back up. What is a request forgery? A request forgery is when an attacker can make you, as a user, request something from website A that is then redirected to website B. Therefore you.

25:44.18 Ned Um, okay.

25:45.29 Chris Accidentally sent a legitimate request to the wrong website because of the attacker. So here's the example that happens on the user side. This would probably be more fitted to the main OWASP Top 10 list, but just for purposes of description: imagine you are logged into your bank account and you have an email tab open in your browser as well. You receive an email that appears to be from your bank but is actually a malicious email from, probably, a different bank, let's be honest. You click on a link in the email. The link takes you to a website that very closely mimics your bank's website. Now in reality that obviously is a malicious website controlled by an attacker, and it contains code that automatically sends a request to your bank's server to transfer money out of your account without your knowledge. This is possible because your browser includes the authentication credentials, like cookies, session tokens, etc., all of which are inadequately secured, with every request it makes to the bank's server. Admittedly, this is a unique situation, and for it to work your browser has to be set up just right: a certain amount of tabs have to be open in just a specific way. But remember, this is a numbers game. How many? You said there were nine billion people on the planet, which is wrong, but I let it go.

26:59.40 Ned Um, ray.

27:13.57 Chris I'm just saying there's a lot of people, and if they spray and pray with something like this, eventually the attackers will have a situation where they can misuse those tokens for their own nefarious purposes.

27:16.17 Ned Right? So from a mitigation standpoint, you have bank websites that should probably set pretty low expirations on tokens, and the tokens should also not be valid for a cross-site attack. So that's part of the way that you can mitigate against it. But also, if you're the end user, you can use, well, if you're using Firefox you can use something like the sandbox feature in Firefox to launch your bank website in its own sandbox, and so tabs launched in the regular browser.

27:42.48 Chris Correct. Yes.

27:54.96 Ned Won't even have access to those credentials.

28:01.78 Ned Um, and okay.

28:03.40 Chris Right? Or if you're using Chrome you can do user profiles to keep them separate. There are a couple of options that are built into the various browsers, and depending on the browser you use your mileage may vary, but that is a super good way to do it, because effectively if you have your cookies for your banking or whatever sensitive website in that sandbox, they are literally inaccessible to other websites that are in different tabs or different sandboxes or different user profiles. So.

28:25.57 Ned It's funny, I originally used that for Facebook because I didn't want Facebook to have access to anything else. It was like, keep it inside the sandbox. But then I realized, oh, I can actually use this as a defensive measure.

28:36.75 Chris Right? right.

28:37.17 Ned To keep my credentials and cookies in their own sandboxes, so there's no intermingling.

28:50.64 Chris Right? So that is, again, on the front-end side, right? That's the user experience of this. Um, for SSRF as it's described in the application top 10, or API Security Top 10.

29:01.64 Ned Um.

29:03.93 Chris It's the same idea, except it happens in the plumbing in the basement instead of in the lobby. And again, it comes down to: if an API fails to constantly validate the data that is sent to it and make sure that all of the information is legit, it'll be vulnerable. So, you know, cross-site scripting is a great example. If you have an API connection that comes from, I don't know, New Britain, Pennsylvania, and it's been running steadily, connecting with a username and password that is legit, then all of a sudden that same exact password and combination and authentication is redirected to, I don't know, Russia, that's going to be a problem. Like, even though you have the correct authentication, because the ticket, the token, is valid or the credentials are legit. Um, you know, it comes down to like impossible travel in conditional access in Microsoft, um, in.

29:53.31 Ned Right.

30:00.73 Ned Right? And that's actually something we'll get into in one of the lightning round articles. Yeah, synergy.

30:00.83 Chris Intune. Apply that to the API; the same security can be achieved.

30:13.79 Chris Neat. So, convenience versus security, blah blah blah blah blah. Next. And I'm going to end the overall breakdown here, because unlike Ned.

30:16.31 Ned Okay.

30:31.44 Chris I have respect for our listeners' time and patience. Clocking in at, and don't shake your head at me, young man, clocking in at number eight is another new category, quote, "lack of protection from automated threats." Now I know what you're thinking.

30:41.48 Ned Um, fun.

30:51.41 Chris Surely this is not an issue any longer. We've known about the dangers of automation since the 1920s. I saw Metropolis, you're proudly saying to yourself. I get it. But alas, alas. To take an.

30:58.40 Ned Alas.

31:10.37 Chris Issue directly out of the news: remember as recently as November of last year, everyone's favorite website Twitter was hacked utilizing an API vulnerability that was only feasible using, drumroll please, automation. Essentially the API allowed a connection.

31:16.46 Ned For ah.

31:29.87 Chris Millions of connections. One connection made millions of requests over a period of hours that pulled down PII for a huge amount of users. The actual number is still up for debate. This behavior should not have been possible, full stop. The fact that it was.

31:33.87 Ned Um.

31:48.19 Chris Is the type of behavior that caused this category to be created. Not Twitter specifically, but as everybody's favorite punching bag I thought I would bring it up. So you don't think this is important? Perhaps we'll think about it this way.

31:49.69 Ned Fair enough.

32:01.89 Ned Now now.

32:05.59 Chris Remember the last time you got to buy concert tickets in a reasonable way? I didn't think so. For years now, bad actors have been using botnets to buy up every ticket you have ever heard of before actual fans.

32:15.15 Ned The.

32:23.30 Chris Ever have a chance. So scalpers are the bad guys, right? I mean, they're on the list of scum of the Earth. Like, it's a sliding scale, but the name is on there. Seriously, hold on, that.

32:26.56 Ned Right? I mean, Ticketmaster is clearly worse.

32:41.46 Chris New episode idea: Dante's Inferno, except IT scumbags. I guarantee scalpers are on the list. But the websites are guilty too, and the connections that those websites use could have controls in place now.

32:42.81 Ned Um.

33:00.99 Chris I know that everyone out there is shocked that I would imply that Ticketmaster was anything but interitus. There's a joke that only two of our listeners are going to get, but it's true, and this is why this item is on the list. Ticketmaster, as the developer, fails because their API allows this kind of behavior. So take all that and drop it down into the plumbing level. That's what this one is about on the list, and why it's so important that it's new, that it justified being a new category.

33:29.76 Ned Right? And so in this particular case, this could be solved by doing some form of throttling. But the problem you have with botnets is they're able to come from what seem to be a whole swath of different public IP addresses, so it's hard to say with certainty that all of these connection requests are bots. So it's going to be a little harder to mitigate. But.

33:46.17 Chris Yeah, yeah.

34:06.78 Chris Yeah, I mean, that's a valid point, and one of the things that you're always going to see is, whatever the security is that's put in place, the attacker will find a clever, creative way to either manipulate something else or find a way around it, right? You know, one of the things that's happening: Ticketmaster is trying to put something in place to try to make it harder to sell scalped tickets. Um, and what hackers have been doing instead is selling the entire Ticketmaster account.

34:34.81 Ned Ah, that's awesome. I mean, admirable.

34:39.71 Ned Ah, so I'll buy up the tickets and then I'll just sell you the account credentials and you can use them. Wow. Just, well done all around.

34:43.42 Chris It's got to be a slow clap for that one, right? I mean.

34:52.54 Chris Right.

34:59.46 Chris But you know, I think it's interesting and it's worth fighting the good fight. You can't just go back and say, well, everything's going to be awful all the time. We have to do what we can to stem the tide, and even though a lot of this stuff is not something that directly relates to my life, I am not a programmer. Um.

35:10.63 Ned You.

35:16.87 Chris I only tangentially understand a lot of what I just said, but it's important that we know, you know, you shine light on the situation so that the people that are capable of doing something about it know what to look for, know what to go after and know what to try to fix, and maybe, just maybe, some of these things won't be on the list next time they put it out.

35:34.35 Ned You're cute. Lightning round. All right. TikTok bill forgets to mention TikTok. Never ones to waste a crisis.

35:46.53 Chris Lightning round.

35:49.99 Ned To make a naked power grab, our delightful Congress has drafted a bill that would ostensibly be used to ban TikTok. Absent from the language of the bill is any actual mention of TikTok, but the implication is there. The actual language is so vague in general that it could be used to ban nearly any technology product or service and make a VPN illegal to use. Rather than this being a bug of the lawmaking process, the more cynical of us see it as an opportunity for the government to ban any technology that they take a dislike to, and considering the hallowed halls of our nation's capital are packed to the gills with geriatric Luddites who fail to grasp even the most basic components of technology, this is bad. All it takes is a couple of well-funded lobbyists to Weekend at Bernie's the current or future Secretary of Commerce and we'd be up to our earlobes in banned apps due to, quote, "national security." I hope you felt the air quotes there. Efforts to circumvent such bans would also be illegal, potentially making the use of VPNs also legally questionable. It's just another instance of throwing the baby out with the bathwater, setting the house on fire, and nuking the neighborhood from orbit for good measure.

37:19.57 Chris Because freedom. Product that lets you open your garage door over the internet: you guessed it. So again, why.

37:22.77 Ned Ah, yeah.

37:36.97 Chris Why do things like this exist? Why would you need to have a solution in your life that allows you to open your garage door over the internet? You've already got a way to open the garage door from your car, which is, generally speaking, when you're going to want to open the garage door.

37:50.34 Ned But yeah.

37:55.51 Chris You don't need to do that shit from like Walgreens. Anyway, home automation company Nexx, that's spelled with two x's for double the something.

37:58.88 Ned Not security.

38:10.12 Chris Nexx has a product that allows you to open your garage door from an app. That app is completely insecure and has been hacked by a security researcher who responsibly told Nexx about it. Nexx promptly did nothing. After months of silence the security researcher went public, and well, here we all are. The attack appears to work because the Nexx app shares information about every other device in the time zone.

38:39.70 Ned Um, cool.

38:40.26 Chris Reverse engineer the traffic that's coming in, you grab a code, and you can legitimately open someone else's garage door. Cool. The report goes on to say that other Nexx products are also vulnerable, with the researchers saying disabling the alarm and turning on and off smart plugs.

38:53.46 Ned Neat. Oh dear. Data centers are going nuclear. A breathlessly positive article.

38:57.85 Chris Is pretty neat too.

39:04.63 Ned From Data Center Dynamics delves delightfully into the promise of small modular nuclear reactors for data center power. Now, they rightly point out that data centers are power-hungry beasts that have maxed out the capacity in several regions across the globe, with Ireland being a prime and recent example.

39:05.82 Chris Nuclear. Yeah.

39:23.19 Ned In addition to power grid issues, the cloud hyperscalers behind those power hungry edifices also espouse concern, feigned or real, about the environmental impact of their megawatt monstrosities. While wind and solar can help ameliorate the impact, they are still reliant on the existing grid and do not provide the consistent power required to run the data centers. The article goes on to pooh-pooh any kind of energy storage solutions that might mitigate the issue and goes on to extol the virtues of small modular reactors, SMRs, that can produce up to three hundred megawatts of energy with minimal environmental impact, allegedly. The SMRs can be co-located next to each data center, removing the burden on the grid. While I agree broadly with the concept, there’s also a lot of nuance that the author completely ignores, and there’s also the fact that so far no SMRs have been deployed in the United States, and as we’ve covered previously, the first one was approved this year and won’t be in operation until 2029.

40:42.57 Chris Privacy nightmares continue to rain down on the public in a country with few meaningful data privacy laws. It’s a twofer, a lightning round twofer. First, Tesla got dinged for, wait for it,

41:00.60 Ned Sounds right.

41:01.00 Chris privately and illegally accessing drivers’ vehicle videos, sharing them internally on the company’s chat tool to make fun of their own customers. Now the Tesla terms of service claim that user privacy quote is and always will be enormously important to us unquote. Tesla’s behavior makes this, of course, garbage. Now this behavior has also been happening for years, with employees basically laughing at people being upset about the privacy violation, saying that they should have expected it. The videos included such things as users being dragged by their vehicles and one of a car hitting a child riding a bike. Yeah, that’s exactly the kind of thing I’m expecting my car’s company to be using, you know, as a meme for a laugh.

41:43.90 Ned There.

41:54.14 Chris Elon Musk predictably had no comment, most likely because he was too busy enjoying the memes. Next up, an online alcohol recovery company called Monument admitted to sharing personally identifiable data with advertisers. This PII included names, dates of birth,

42:11.32 Ned Wow wow.

42:12.56 Chris email and physical addresses, insurance information, photographs, appointment information, survey responses submitted by the patients. Monument is calling this a breach that happened because of quote third party tracking systems, which is of course also garbage. The breach has also been happening for a period of time, at least since 20 point. This was negligence at best and willful and cynical abuse of the confidence of people who are struggling at worst. To make matters more worser, Monument recently bought another similar company that had been doing the exact same thing since 2017. When is it that we’re going to get that data privacy bill of rights again? Exactly right.

42:54.41 Ned Um, Operation Cookie Monster is a real thing, and infosec professionals are children, by which I mean they’re curious and fun, but also immature brats who lash out unexpectedly at the smallest perceived slight. Despite the ridiculous name, Operation Cookie Monster was a multi-year joint effort between the FBI and other law enforcement agencies across the globe to infiltrate and bring down the Genesis Market,

43:16.61 Chris What do you mean by that? But.

43:26.22 Ned a website that provided impersonation as a service to would-be cybercriminals. Impersonation is the process of recreating a client’s unique browser fingerprint and session cookies to hijack an existing client session with a given site. That sounds familiar, like something we just talked about. By successfully imitating an authenticated client, attackers can circumvent the security controls in place such as two-factor authentication and risk-based assessment. In partnership with Have I Been Pwned, the FBI is making available a listing of everyone impacted by the Genesis Market. You can simply go to have and select the notify me option. The site will validate your email address and let you know if the records from the FBI contain your email and what information was included. Amazingly, none of my email addresses were included for the Genesis Market, but it looks like ParkMobile and I might need to have some words.

44:34.46 Ned Um, then some who.

44:40.19 Chris Samsun is Samsun, Simsum, Oho, Dim Sum, let’s just go get lunch. Samsung engineers shared top secret data and source code with ChatGPT. Let’s call this one the oopsie of the week, one story that I’m guessing we’re going to hear a variation of quite a lot in the coming years. Samsung had a policy allowing their users access to ChatGPT for the purposes of, among other things, accelerating code development. Employees, in their haste, under unremitting pressure from above to pick up the pace, used ChatGPT for all that it was worth. That included internal source code, meeting notes related to hardware and future plans, and test sequences used in identifying faults in chips, all put into ChatGPT to try to find improvements. ChatGPT just went ahead and took that data, like they clearly state they will do in their terms of service, meaning that Samsung has no real recourse here.

45:37.76 Ned Um.

45:54.25 Chris That data is now the property of OpenAI and will be used to train the models. Now on the one hand, ChatGPT does run behind the times, right? We’re still running off of a 2021 data set, so the secrets are safe, um, ish. On the other hand, ChatGPT just had an outage because people noticed bugs in the service itself that allowed users to read other users’ chat histories. So I guess it’s a double oops. Samsung is now apparently investing in their own private version of GPT

46:14.82 Ned Um.

46:29.62 Ned M.

46:32.57 Chris to stop these kinds of things from happening, which is probably what everyone’s going to do sooner rather than later. And in the meantime, just remember, kids, treat these GPT type chat clients like Facebook: the truth definitely is subjective and there’s no such thing as privacy.

46:41.76 Ned I feel like we need to create a startup for locally hosted GPT for all these enterprise clients. Trademark, right?

46:58.61 Chris Yeah, I suspect what’s going to happen is there will be one that does the training for you and then they dump the data so that it returns answers from the training set. But it’s the training that takes all the smarts and the computational power.

47:05.34 Ned Right? So you can sort of rent out a training model. Food for thought. Ugh. Hey, thanks for listening, or something, I guess. You found it worthwhile enough if you made it all the way to the end, so congratulations to you, friend, you accomplished something today. Now you can go sit on the couch,

47:16.75 Chris Yeah.

47:25.54 Ned accidentally log into your bank account and your insurance company at the same time and pay yourself or something. You’ve earned it. You can find me or Chris on Twitter at @ned1313 or at @hayner80 respectively, or follow the show at @chaos_lever if that’s the kind of thing you’re into. Show notes are available at as well as the sign up for our newsletter. You should do that because we need more people reading our ridiculous nonsense. We’ll be back next week to see what fresh hell is upon us. Ta-ta for now. So Zencastr, huh?

48:06.76 Ned Um, yeah, real good. I blame you. Okay, oh.

48:09.37 Chris So yeah, it seems like it went super great.

48:17.53 Chris That’s fair I’m going to go have a hot dog.


Chris Hayner

Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.