Coming up on DTNS, an epic way to motion capture faces, NVIDIA passes Intel, and Mike Johnson and Alan Alfred help us understand how to keep your business secure. This is the Daily Tech News for Thursday, July 9th, 2020. In Los Angeles, I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. From Lake Merritt, I'm Justin Robert Young. From the outskirts of Los Angeles, I am the show's producer, Roger Shea. And we're very happy to continue Security Week with a couple of excellent guests. First of all, Mike Johnson, CISO of Fastly and co-host of the CISO Security Vendor Relationship Podcast. Mike, good to have you. Great to be here. Thanks for having me. And Alan Alfred, delivery CISO at NTT Data Services and co-host of the Defense in Depth podcast. Alan, welcome back. Thank you so much. We were just talking about the world of ordering a drink in the time of the pandemic, as well as talking about the secret life of podcast host pets. That's all on Good Day Internet. Become a member at patreon.com slash DTNS.

Let's start with a few tech things you should know. Well, this is exciting for photographers. Canon announced the EOS R5, a 45 megapixel mirrorless system camera with the ability to record 8K 12-bit raw video, with in-body stabilization as well. The R5 is expected to ship in July for the low, low price of $3,899 just for the body. Canon also introduced the EOS R6 with a 20.1 megapixel sensor and a maximum resolution of 4K at 60 frames per second, shipping the body at the end of August for $2,499. What a bargain.

Apple confirmed to multiple outlets that the company will continue to support Thunderbolt connectivity on Macs that use Apple Silicon. Thunderbolt connections require the use of Intel-made controllers. Apple ships USB-C and Lightning on its existing ARM-based mobile devices like iPad and iPhone.
I know I'm not the only one that asked on yesterday's show or elsewhere whether Apple would continue to support Thunderbolt, but I like to imagine that they made this clarification because I

Fujifilm released a macOS version of its Fujifilm X Webcam software to let owners use their X-series cameras as a webcam. Fujifilm released the X Webcam tool for Windows back in May. The software is available as a free download and is compatible with macOS 10.12, that's Sierra, up to 10.15 Catalina. But it does not mention the beta of macOS Big Sur, at least not yet.

Facebook announced it has removed two disinformation networks and their associated accounts and pages. One network had 54 accounts and 50 pages removed from Facebook and four from Instagram for posing as fake residents of the US state of Florida discussing political consultant Roger Stone. The second network involved 35 accounts and 14 pages removed from Facebook and 38 from Instagram for creating fake reporters and news organizations in Brazil linked to the office of Brazil's president. Facebook also banned a Canadian PR firm for interference in six Latin American countries and linked a disinformation campaign to an ad agency in Ukraine.

TikTok's transparency report says it took down more than 49 million videos globally during the second half of 2019 for violations of either the app's community guidelines or terms of service. That makes up less than 1% of all TikTok videos uploaded in that period. Users in India had the most pulled at 16 million, and the United States came in second with 4.6 million videos pulled.

Time's up, Wink smart home users. Wink announced its delayed plan of charging customers $5 a month will finally take effect on July 27th. Customers who do not pay to subscribe are going to lose access to voice and remote app controls, third-party integrations, groups, robots, shortcuts, advanced settings and several other functions. So by July 27th, you'll have to make your decision.
Elon Musk announced that the brain-computer interface startup Neuralink will provide an update on its progress on August 28th. Last year, the company announced it successfully implanted extremely thin wires into animal brains using a surgical robot, designed to connect to an external processing unit.

And I never thought we'd have this many QR code stories in one week, but WhatsApp is now letting users scan QR codes on receipts and storefronts to directly contact companies over WhatsApp. The app also now lets businesses share their WhatsApp-based product catalogs outside of WhatsApp, so the links will work outside of the app. The WhatsApp Business app now has 50 million monthly active business users, more than 15 million of those in India and more than 5 million in Brazil.

All right, let's talk a little more about what's going on with Quibi, Justin. Oh, this old thing. Sensor Tower estimates that 8% of the 910,000 users who signed up for Quibi's free three-month trial stayed around as paid users. That comes to 72,000 paid users. This does not represent all of Quibi's users, just the ones who got the free trial initially in the first three days. For comparison, Sensor Tower estimates that 11% of the 9.5 million users who signed up for a free trial of Disney Plus converted to paid users. Quibi told The Verge that more than 5.6 million people have downloaded the app since launch. Sensor Tower puts the estimate around 4.5 million. Quibi shot back, saying Sensor Tower's numbers for paid subscribers are, quote, incorrect by an order of magnitude. But which one? Yeah, honestly, the 8% conversion is not bad. Let's give Quibi some props for that. It's just that you need to have more users signing up in the beginning for that to make a difference. 72,000 isn't much. Yeah, I mean, the comparison to Disney Plus is, you know, Disney Plus having 11%, you kind of go like, well, okay, 8% is under that. But Disney Plus had a lot more users at the outset.
So it turns out to a lot more users today that are now paying. Quibi also raised an exorbitant amount of money. So to have a conversion rate that on paper is like, you know, might be okay for another company is not necessarily okay for this company. Because to make that money back is going to take, you know, there have been estimates of like hundreds of years, which is just not going to happen. So a lot of this has to do with the upper management of Quibi saying, hey, this is pandemic related. We know what we're doing. You know, we got robbed, but you know, based on, you know, virus-related issues. And yet they've walked back certain stances, you know, they're now allowing casting to television because everybody's at home. I believe they now allow screenshots, which they didn't initially, which kind of hurts just social sharing of things. But I don't know, man. I don't know. I got a couple people who were like, ah, crap, forgot to cancel Quibi. So I'm part of that number. Well, there we go. Yeah, they're the 72,000. The percentage of users is really not something you should focus on, to be totally honest with you. If you want to look at the success or failure of Quibi, and very obviously I think we know on which side of that binary the numbers lie, it's that 910,000 users signed up initially. They wanted 7.5 million in their first year. Now, obviously they've got time to go between here and then, and everything in that business is hit driven. So they are a hit away from all of a sudden the resurrection of Quibi being the avalanche of stories we read about, as opposed to the dissolving of it. However, this is terrible, and everything we thought were terrible signs appear to indeed be terrible signs. The hopeful message from the story for Quibi is they still have a lot of time to turn it around. Yeah. And money. 750 million dollars in cash on hand is what they report as having. So they've got time to do it.
But again, you've got to have the content if you want people to pay money for a service. They have no free tier, which is another thing for them. Mike, I saw you nodding emphatically as Justin was going through some of these numbers. What is your take on all of this? It was really good to think about the original number of what they wanted it to be and how they're not anywhere near that. And that's not the frame of reference that I had in mind. I was like, yeah, 8%, pretty good conversion rate. But when your absolute number that you're starting with is significantly lower than what they were going for, that's what really kind of resonated with me in what I was hearing. Well, maybe they get some money out of Sony. They seem to be giving it away.

Sony announced it has invested 250 million dollars in Epic Games, giving it a minority stake, not a controlling stake. And of course, Epic was quick to reassure people they will continue to publish on non-Sony platforms. The companies say they have a shared goal of advancing the state of the art in technology. In particular, they talked a lot about real-time 3D experiences, and Epic just released an example of that, advancing motion capture technology with an iOS app called Live Link Face that can stream facial animation data in real time from the iPhone's cameras onto characters in Unreal Engine. Live Link Face uses Apple's TrueDepth camera, so it works on the iPhone X forward, and Apple's ARKit platform. Epic hopes it can make facial capture easier and more accessible for developers, and it can work either here in a home office kind of situation or adjust to work well with super professional setups that have multiple actors and mocap suits and head-mounted rigs on a soundstage and all that. It's not the first iOS facial capture app by any stretch, but it's significant given the millions of developers worldwide who use Unreal Engine.
Yeah, this is more about Sony's place in, I think, production than it necessarily is in games. It just shows you how sprawling Sony is and how much Epic has kind of punched above their weight that we immediately think, oh no, now all Epic games or anything on Unreal Engine is going to be a PlayStation exclusive. If you've watched the behind the scenes on The Mandalorian, that is a great example of what Unreal Engine is being used for now in a lot of Hollywood productions and even commercials. It's a way to put actors not only in a more immersive experience when they're shooting on what would otherwise be a fairly antiseptic green screen, but also gives them an in-camera world so animators can more fully kind of put together everything in post-production. So I think this is more about Sony selling the best cameras, both in production and in users' palms, than it is necessarily video games. And honestly, the Epic side of this, which doesn't have that much to do with Sony particularly, is that technology taking advantage of that camera technology in the iPhone and creating something that can work in Unreal Engine, which we always think about as video games, but our producer Roger pointed out in our pre-show today, like, Unreal Engine is also used for a lot of effects and movie effects and that sort of thing, which I guess does tie back to Sony a little bit there too. So I don't know, Alan, it seems like it's pretty impressive from the outside, right? I'm liking it, and I'm going to be selfish here. I'm a gamer, and my first thought when I saw this news was, oh hey, more real Hollywood actors in more video games, because it's easier to rope in the major talent if you don't have them have to do all the goofy stuff and wear all the goofy things. This technology is going to bring more folks in. I think that's phenomenal.
Well, we don't spend a whole lot of time, in fact, we don't really spend any time talking about stock prices on this particular show because they move around a lot, they fluctuate a lot, and they often impact financial traders and not really tech consumers like ourselves. But it is notable that on Wednesday, Nvidia's market capitalization passed Intel's. Nvidia is best known for its consumer graphics cards, but it also has moved into supplying data centers, automobiles, and artificial intelligence. Now, the shift to working from home has also helped Nvidia's data center business. As an example, as of Wednesday, Nvidia's Ampere AI chips are available on Google Cloud, AWS, and Azure. Still, Intel outsells Nvidia by a pretty wide margin. Analysts expect Nvidia to hit about $14.6 billion in revenue this year, while Intel should end up at $73.8 billion. Alan, you seem pleased by this news. Oh, I'm very happy with that. I'm an Nvidia fanboy. I'm talking to you guys on a computer with a 1080 Ti, and the 2080 Ti replacement is in a box right next to me. I'll be building out the new rig this weekend. I'm a huge fan of Nvidia, and it's for a lot of reasons. But I'll tell you right now, one of them that's timely and really relevant for me is I'm using Folding at Home right now, leveraging that Nvidia processor to actually try to map out COVID-19. The Folding at Home guys have come up with a COVID-19 to help research for the vaccine. So I've got an Nvidia GPU chugging away on COVID right now as we speak. Yeah. Team DTNS is number 367 in the Folding at Home project right now. So I'm glad to hear you're part of that wider effort, too. I think this is great news for Nvidia. It's not great news for Intel, because I think what it shows is Nvidia up until now has been doing the right things and staying ahead of the next piece, which was knowing that AI chips and data centers were the places of growth. And Intel just hasn't navigated that as well. Mike, do you agree? Totally agree.
Intel has tried. They've tried to make some AI chips. They've tried to get involved with some of the autonomous vehicle work. It just hasn't caught on the way that Nvidia has. And a lot of Nvidia's business is now in these large cloud providers, with the custom GPU capabilities that Nvidia is providing. And Intel is mostly just, let's build a faster CPU. And that's really all we hear about. And it's really the market saying, hey, we think the future of Nvidia is stronger than the future of Intel. Yeah. And that is the takeaway here. It's not that Nvidia is bigger, as Sarah pointed out. It's that Nvidia's arrows are pointed in the direction that investors like and they feel confident about. And Intel is caught between a rock and a hard place here, the rock being Nvidia and the hard place being ARM, as ARM starts to make more inroads into markets that traditionally have been Intel's as well. And you've seen Apple switching to ARM away from Intel as a great for-instance of that.

Well, Google open sourced its enterprise vulnerability scanner called Tsunami, which is designed to operate at extremely large scales. We're talking about enterprises with millions of internet-connected devices. Tsunami comes in two components. The first is a reconnaissance module that scans the network for open ports, then tests to see what protocols and services are running on them. Google says this is essentially Nmap with some custom code. A second component takes that list of ports and services and actually runs benign exploits against them to look for weak points. The second module supports plugins so that organizations can add new attack vectors and vulnerabilities to test over time as they discover new ones. Current plugins for UIs and weak credentials come with Tsunami when you get it from GitHub. New plugins will be developed by Google and released through a second GitHub repository as well. And Tsunami will not be a Google-branded product.
It will be maintained by the open source community. It's similar to Kubernetes in that way. The goal for the project is zero false positives. I mean, obviously they know they're not going to achieve zero false positives, but they're focused on reducing false positives because they feel like in an enterprise situation that is as large as what Tsunami is for, that's where a lot of the problems can come in. Alan, what do you think of this? I'm lit up. This is huge. This is a fantastic tool that I'm going to be downloading as soon as this podcast is over. I'll be looking at this. Obviously a robust Nmap is a good thing, but this second module is really, really, really interesting to me. I had not heard about this becoming available. I'm very eager to get ahold of it. Mike, what about you? It's really interesting how they split up the two modules, from the discovery side to the actual vulnerability analysis side. The second part is what always takes so long. If you're scanning millions of endpoints and you're having to wait for even a minute per endpoint to analyze all of those vulnerabilities, it takes forever. By the time your scan is done, your environment has changed. Being able to have, this is how we're going to look at discovery and asset inventory as a concept, and do that quickly, and then come back and do the scanning on top of that, it's really going to make this available and more real-time scanning available to enterprises who had no chance in the past. I think a lot of people wonder why Google does this sort of thing. Obviously, Google creates Tsunami for themselves because they have these same problems. Why do you think they decide to open source Tsunami and not something else? The plug-ins is really the key portion of that. The idea is get other people contributing plug-ins back to Google. Google is now able to embrace the larger community, have them do some of Google's work for them, and take advantage of that.
At the same time, getting bug fixes. Google has one environment they keep growing. They're going to buy other companies that are going to look different to what Google is used to. Having some diversity of thought of what these tools look like is going to just help them going forward as Google continues to grow. Alan, do you think this ends up having a halo effect where people love Tsunami and so think a little favorably about Google Enterprise Services? Yeah, Google's play, to Mike's point, is an enterprise play or an ecosystem play. I'm sorry, they're trying to create an ecosystem. If it catches, if the community buys in, it's a win-win for everybody. It's a matter of whether or not they buy in. I think it's going to depend on how easy the framework is to author plug-ins for, how robust it already is in the first place, what plug-ins are required. There's a lot of ifs there. Folks, if you want to get all the tech headlines each day in about five minutes, be sure to subscribe to DailyTechHeadlines.com.

Yesterday we talked with Seth Rosenblatt about what you can do to keep yourself secure at home. Today, we want to talk about what your business can do to keep itself secure. We were just talking about the most recent example, Google Tsunami. But there's a lot to defend with a business's tech. Let's start with what needs to be protected. How do you understand that? I think that's really, that is the basis. You have to understand what business you're in. You have to understand what is important, because you can't defend every enterprise, every company the same way. Even Google and Facebook, massive tech companies, they protect their environments very differently from each other because what is important to them is different in each one of those places.
Going around and just talking to your business leaders, talking to the product teams, the engineering teams, your founders, depending on the size of the company, you can really get a good idea of what's important. That's really where you need to start: what's important. Figure out from there what you need to focus on, where the business impact of each one of those sections of information or data stores or factories or whatnot lies. That tells you, hey, this is now what I need to protect. Alan, how do you go about that, do you think? Full agreement. I think the first thing is a BIA, a business impact analysis, where you literally rope the business together. You get everybody. To Mike's point, I'll even add and say you bring in HR, you bring in legal, you bring in payroll, you bring in accounts payable. Absolutely every organization in the business needs representation. You sit down collectively and you say, what is the most important to us as a business? Obviously, a lot of players are going to immediately try to push their agenda forward and say, we're the most important, we're the most important. I'm a big believer in having an objective scoring system and doing a real business impact analysis. Collectively, you should get to a point where you start to realize, oh, actually, yeah, these are probably the top three most important things that we have as a company. Now the CISO, or whoever's in charge of security, knows, okay, these are where I'm going to focus my efforts. So once you figure out what needs to be protected, you've got to figure out what you're protecting it against, I guess, right? Risk is the next phase of that. Start with what's most important and then figure out what are the risks against whatever it is we've decided is most important.
And you've got to go through and look at, we've got a tool in the business called threat modeling where, basically, let's say that what you've determined is important is your company's source code. You're a high tech company, you produce software products, your company's source code is the highest value target that you're most concerned about protecting. You have to look: where does that code reside? Who else can see it? Can the internet touch it? Can somebody compromise a local desktop and get to it that way? And you start to map out all the possible ways that the bad guys can get to this one thing you're trying to protect. And that's called threat modeling. And from there, you can begin to address the individual and specific risks and say, okay, if we invest a million dollars, we can stop all of this. If we invest $800,000, we can stop all but these really weird corner cases. And if we invest $500,000, we can stop the most likely. And you start to map out the budget physics versus the realities of how tricky it is for the bad guys to do what they're doing. And at some point, you draw your line in the sand and you declare we're mitigating this much risk and no more. And that's called risk appetite. Mike, how do you assess all that stuff? So a way of doing that is bring in outside, bring in, you can bring in a consultant, you can bring in any number of these companies that specialize in it, that have people who day in, day out, what they're doing is trying to understand the weaknesses of companies. And one of the reasons to bring people in from the outside is so you're not so focused on your own view. It's very easy. You're in your comfort zone, you assume that you know everything, but by bringing in an outside party to take a look, they're able to then bring a new set of eyes. For more advanced companies, they actually have these teams in-house. They've got people who think adversarially, they think offensively.
What are the ways that I can break into a company? What are the ways that I can bypass security controls? And they take an "I'm going to just break in and get to the goods, whatever those goods are" view on everything. And then they just keep doing those tests over and over again, and you learn from them. You take those findings back, and you use those to feed back into your risk analysis to say, hey, this is actually a bigger risk than I thought. Our source code is actually sitting in an open GitHub repository, and we didn't know. We didn't even know we used GitHub. And having that external perspective helps you find those kinds of things, helps you understand what your current state is. So you've got to figure out what you're protecting, you've got to figure out what the threats are, and then you've got to assess all of that like you're describing. If you're a big company with a lot of money, I guess it might seem easy to do that, but if you're a small company without a lot of money, you're still going to be looking at the budget. In all of those cases, you've got to convince the people that write the checks to pay for it. How do you do that? So that's security performance management, which is sort of the area where that comes into play. And the whole idea there is you've outlined these risks, you've addressed them in business terms, you've put this whole package together, you should be able to present to the board or to the C-suite or whoever you're having to report to upstairs a good map of where you stand. You've looked at individual risk, you've also hopefully conducted a maturity assessment where you can actually truly look at your entire organization and say, on a scale of one to five, five being the most secure company in the world, zero being horrible, we're a 1.8 in this area and we're a 2.0 in that area and we're a 3.5 in that area, and you dissect your business and actually compare yourself to a maturity curve.
If you speak to the specific risk, you've done your business impact analysis, you have your maturity curve scoring, you should be able to bundle all that up into a pretty tidy package. Take that upstairs and start having that conversation. And again, security performance management says that you want to outline dollars versus that as well. So you can sit down and have the conversation to say, we're a 1.5 today and we want to be a 4.0. That's going to cost us X dollars. Oh, X is too much? Well, okay, give me Y dollars and I can give you a 3.5 on the maturity score. And start having that conversation where you're sort of dynamically moving around these targets and having the conversation about the dollars associated with them. At any given point, if you've done it right on that first stage we talked about, the business should know what it cares about, and you're not coming to them scaring them, you're coming to them saying, these things you say you care about, here's how we're going to address them. And I assume you want to make the argument that it's going to cost money not to address it too. Yes, clearly. And the cost of that has to be outlined and measured as well. So how do you get all that done? So part of it is, once you actually have that money, you need a team. There's no way that a single person can, in any reasonable size environment, make a dent in security. There are not enough hours in the day. There are a lot of people in the security field, and we're more and more becoming a popular profession, but we actually still have negative unemployment and have for quite some time. There are more jobs than there are people. And finding the right people, finding these good people who can come in, have an impact to help move that bar, to help protect the environment such that you're not going to have a breach, your customers are going to be able to trust you. A lot of it just comes back to hiring good people, giving them a plan, giving them a strategy, and hey, go do.
Yeah. I mean, it's easier said than done to find those people, but have you got any tips for them before we finish this up? Finding good people, a lot of it is meeting them where they are. So pre-pandemic, it was going to security conferences. Now it's really paying attention to online participation, how people are sharing and presenting research that they might be doing, how they are, frankly, even interacting with others. Are they being helpful, or are they being a negative influence? Are they the kind of people that you want to work with? So you go and find those environments where people are being active today, you pay attention, you listen, you learn, you then decide to have some discussions, and that can really help you build a nucleus around which to find more people and more people and more people. Find that initial core. Yeah, and that's like Kirsten Brazier, who was on the show earlier this week, talks about just reaching out to others in the community, in the infosec community, and that seems like that's a big part of it. Yeah, I like what she had to say about mentoring others. That's the kind of person that you want to work with, someone who's actively trying to help others. Yeah, absolutely. Well, everybody in our subreddit actively helps each other by submitting stories and also voting on others to make sure we all know what's important to the rest of us. You can do the same at dailytechnewshow.reddit.com.

All right, let's take a look at the mailbag, shall we? Oh, let's. Gautamon wrote in and said, it was so great listening to Seth. Seth Rosenblatt was our guest yesterday. Thanks for an excellent Security Week thus far. Thank you, Gautamon. It says, since Seth brought up the topic of insecure Wi-Fi routers, I thought I would share a recent study from the Fraunhofer Institute where they tested 127 home routers from various popular brands and every single one of them had known security flaws.
He links us to a ZDNet article about this study, which will be in our show notes. Gautamon says, I'm starting to feel like we should all be treating our routers the same way we do phones and laptops and upgrade them every three to four years on average. Yeah, we should probably keep the phones longer. At this point, spend more time upgrading the routers. Who smells a router subscription service?

Hey, shout out to patrons at our master and grandmaster levels, including Jeff Wilkes, Sonya Vining and Ruchan Brantley. Also, thanks so much to our guests today, Mike Johnson and Alan Alfred. Mike, let folks know where they can keep up with what you do. LinkedIn is actually where I tend to hang out. So find me on LinkedIn. I'm reasonably prolific. That was where Alan and I met way back in the day, just chattering at each other on LinkedIn. So just look for Mike Johnson security on LinkedIn and you'll find me. Very cool. Alan Alfred, let folks know where they can keep up with your work. Same story, LinkedIn it is. As my friends say, I'm very promiscuous on LinkedIn. Better than me. I check it like once every six months and I miss things all the time. So, good tips. Thanks to Justin Robert Young as well. He is our Thursday regular. It's been a fun Security Week. Good to have you on today. Justin, what are you doing off of the show? Well, of course, my political podcast, Politics Politics Politics, is here for you. Thank you to everybody from the DTNS family that joined in on our Patreon at TakePoliticsSeriously.com. Just crossed the thousand-patron milestone. That was very, very, very cool. And I appreciate everybody here who has followed me there. And I did a little bit of a tech-overlapping-with-politics story on the episode that was released yesterday, July 8th, about how the political platforms, which are normally a contentious part of a convention, are now going to be held online, and why I believe that might create the largest dumpster fire in internet history.
Go check it out, folks, PoliticsPoliticsPolitics.com. And if you're enjoying Security Week, but maybe you wondered, like, why are you doing this? What gave you the idea? What do you get out of it? I talked about that on the Editor's Desk. It's an audio update that I post on our Patreon every week. Go check it out. You can get it at Patreon.com slash DTNS at the associate producer level and above. Our email address is feedback at dailytechnewshow.com. You got something on your mind? Send it on over. We're also live Monday through Friday at 4:30 p.m. Eastern. That's 2030 UTC. And you can find out more at dailytechnewshow.com slash live. Security Week finishes up tomorrow with Alyssa Miller here to talk about deepfakes. Len Peralta and Shannon Morse will be with us as well. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com. The Diamond Club hopes you have enjoyed this program.