Coming up on DTNS, Amazon and Apple launch new fitness products. Reddit goes head to head with TikTok and one of the biggest cyber attacks on government and corporations possibly ever. This is the Daily Tech News for Monday, December 14th, 2020 in Los Angeles. I'm Tom Merritt. And from Studio Redwood adjacent, I'm Sarah Lane. And I'm the show's producer, Roger Chang. Joining us today on the show, freelance tech journalist in Australia, Peter Wells. Welcome back. Thank you, Tom. And also principal, CTO Advisor LLC, Keith Townsend. Welcome back as well. Thanks for having me. We are going to have a good conversation about that cyber attack. Thank you both for joining us. We were just having a conversation about the new Amazon distribution center across the street from Keith, which might bring him faster deliveries and has brought him mice. If you want that conversation, you're going to have to get our wider conversation, Good Day Internet. Become a member at patreon.com/DTNS. Let's start with a few tech things you should know.

EA reached an agreement to acquire the UK-based racing game developer Codemasters in a deal worth $1.2 billion, the company's largest acquisition to date, even for EA. This comes after the game publisher Take-Two Interactive announced last month it had reached a deal and agreement to buy the developer, being Codemasters, for $971 million. So EA beat 'em out. Codemasters is mostly known for its Formula One and Dirt racing game franchises.

Amazon's autonomous vehicle startup, Zoox, spelled Z-O-O-X, unveiled a production robotaxi that can run for up to 16 hours and does not include a steering wheel. The vehicle has motors in both ends and can travel in either direction at up to 75 miles an hour. Zoox plans to eventually launch an app-based ride-hailing service with its vehicles sometime after 2021.
Apple launched a web-based version of its Shazam song identification service. Apple bought Shazam back in 2017. Approximately available, appropriately available rather, at shazam.com. Approximately, but also pretty on the nose. The web experience is considered a beta and currently compatible with Safari, Chrome and Firefox on macOS and Chrome OS.

Adult video site Pornhub removed all videos uploaded by unverified users after the site announced last Tuesday it was limiting uploads to verified users. Uploads are now limited to official content partners or members of its models program. The move comes after a December 4th New York Times investigation found the site hosted videos of people who are underage. Visa and Mastercard subsequently cut the site off from their payment services on December 10th. As of Monday morning, the site had removed almost 80 percent of videos previously available.

The U.S. Federal Trade Commission ordered Amazon, ByteDance, Discord, Facebook and its subsidiary WhatsApp, Reddit, Snap, Twitter and YouTube to disclose how they each collect and use data from users, how they choose which ads to display to users and what personal information is used in ad selection. The platforms have 45 days to respond. The FTC used its authority under Section 6(b) of the FTC Act to compel responses, which gives the agency the power to pursue broad studies separate from law enforcement.

All right, let's get fit. Let's. Yeah, we got, we got some stuff. Got some stuff. Got some hardware. We got some subscriptions. Amazon's new Halos, a Halo fitness tracker is now widely available for $99.99, so hundred bucks. And you get a unique twist because Halo uses a 3D scan of a wearer's body fat and then monitors their voice throughout the day for tone. Like are you stressed? Are you tired? Are you excited? That sort of thing to try to get a sense of what your personal body is doing.
The first six months of services are free once you buy the band; afterwards it costs $4 per month. If you don't have a subscription or you don't stick with it, the Halo is still a thing, but it'll track sleep time, heart rate and step tracking. It's just a sort of pared down fitness tracker.

And also we got Apple's Fitness Plus, which launched Monday. Early reviews are out. Some people had a chance to give it a whirl before the public did. And the reviews somewhat mixed, mostly positive. The Wall Street Journal's Nicole Nguyen said that for $10 a month, which is kind of the going rate for a lot of fitness services, but that's what Fitness Plus is marked at. You know, it varies a tiny bit depending on where you live, but let's say $10 a month. She says it's a good deal compared to other fitness services, but to need an Apple Watch just to make work at all is going to put some people off. Some people are just in other fitness ecosystems. She says, if you forget to charge your watch or maybe you leave it behind, you're traveling and that sort of thing, you can still access videos and do workouts, but you need that Apple Watch to sign up initially. So you can't just be like, oh, I don't need an Apple Watch. You kind of do.

CNET's Vanessa Hand Orellana noted that Fitness Plus is easy to use, very beginner friendly, has 10 different workout types to choose from, but she says it's perhaps not the best option. If you're really feeling like you're a pro in any of these categories, she says it's geared for a broader audience, didn't quite replicate her existing routine. She said she did a lot of Pilates. It wasn't totally up to snuff. It didn't really replace what she would like to do when life gets back to normal. And Fast Company's Mark Sullivan noted that for most workout types, Fitness Plus works best if you got a big TV right in front of you. You can stream stuff on an iPad, on an iPhone.
He said it worked okay for certain activities like yoga or strength training on the iPad because you could kind of prop it up, but the iPhone just felt too small. So Peter, Keith, which one are you going to go first? I'll talk about Fitness Plus and I wish they would have released a free tier when they did this. You know, they've already got it built into the name. There's a plus there. They could have just had Apple Fitness where if you own an Apple Watch, then you get, you know, just a couple of really basic training videos to watch for free. I think that would have taken away so much of this criticism of what I need to spend money after I buy the Apple Watch. Like if you got a range of activities to do for free built into the Apple Watch, that completely flips that on its head. Yeah, and I'm a little bit disappointed in all of these Fitness trackers in general. I'm a pretty decent fitness nut. I'm 82, 83 days into running 5k every day for 100 days. Wow. One of the things that one of the things that I really love about my Apple Watch is the hardware, the software, great, but the social piece of it. None of these guys have gotten close to what I get with my Fitbit from a community perspective. And I don't know if I trust Amazon to do it and Apple just hasn't done it. Apple hasn't done anything social well and, you know, ever. Yeah. Yeah, I really wish back in the day that Fitbit had sold, had kind of pivoted towards software rather than continuing to go hard on the hardware. I even told the CEO that one time and they told me they're not interested in those ideas. But yeah, nothing has come close to that social map that Fitbit had. And that's such a used part of fitness. Yeah. I currently have a Fitbit premium subscription, which you get for 90 days when you get new hardware. And I just happened to have my Fitbit V2 crap out on me a couple of months ago. So I got to start over. I got a new 3 month subscription. 
I already have on my calendar to make sure to cancel, you know, before I start getting charged. And it's cool. I mean, there's a lot of stuff going on. Fitbit bought Fitstar some time ago. It is competitively priced to something like Fitness Plus. I haven't tried out Fitness Plus. I know for some of my VR exercise activities, it really matters who is guiding you through this. You know, even if you're not a total novice at yoga, for example, where you just like need the absolute basics, the instructor, the person who's, you know, pumping you up or whatever, Peloton people will say the same thing. That really matters. It does sound like across the board people said, Apple definitely got a lot of people who know what they're doing and are motivating and try to make all the stuff as fun as possible. But yeah, I don't have an Apple Watch. So, you know, this just isn't something that I can dip my toe into anytime soon.

All right, folks, tech companies are on the move in the United States. Oracle has changed its corporate headquarters from Redwood City, California to Austin, Texas. Somewhat symbolic as Oracle will keep its offices in California and already had a campus in Austin, but it does follow HP Enterprise moving its headquarters from California to Houston, Texas and Palantir leaving California for Colorado. Meanwhile, TechCrunch has a story today noting that Tencent, ByteDance and Alibaba, all Chinese companies, are opening regional hubs in Singapore. Singapore is a hub for a lot of companies. Google, Facebook, Amazon, Stripe, Salesforce and Grab all there as well. Now, this is partly to avoid some of the pressure of the U.S.-China trade conflicts, but it's also because of the need for access to the Southeast Asian market. Singapore also has made it easy to incorporate and set up shop there. So, I don't know if these trends are related, but it's interesting to see tech companies on the move, moving from places you would be accustomed to seeing them to somewhere new.
Keith, I know the moves into Texas certainly are notable in the enterprise space. Yeah, they are notable. There's a huge problem. I know we've talked about it a lot, but the firstly, inclusion is a big problem in enterprise IT and tech in general. So, I'm excited about this, but my peers in the Valley are pretty, they're spazzing out a little bit. Their HPE is one of those born in the Valley in the garage companies. Oracle has been there forever in Redwood. It's kind of the thing in Redwood. But Houston, Austin, these areas have been growing a lot. My son is moving to Austin for a tech job. So, this is more than just a trend. Yeah, back in 1999, I moved from Austin to San Francisco to get a job in technology. So, we're kind of reversing that trend now. And Peter Wells, I mean Southeast Asia, you're right there next door to that, right? Yeah, look, I mean, I will head on up to Singapore as soon as I'm allowed to again, because it's such a wonderful city-state. Yeah, it makes a lot of sense. So, I've been seeing quite a few larger corporations also moving their production out of some areas of China into Vietnam and India and things like that. So, yeah, I think this year has shown that, you know, people need kind of a diversity in all aspects of production. You can't just have all of your stuff, all of the things you manufacture coming out of one tiny little pocket in the world. Indeed.

All right, Sarah, tell us what Reddit's up to. I will, Tom. Reddit announced it acquired the short-form video social platform, Dubsmash. The company plans to integrate Dubsmash's video creation tools into Reddit itself. App Annie ranks Dubsmash number two behind TikTok in the US's short-form video market. It's pretty popular. Dubsmash has been downloaded more than 350 million times. Reddit also cited the app's diverse user base as a major factor. 70% of Dubsmash's users are female and it claims, quote, about 25% of all black teens in the US use the service.
Dubsmash will operate as its own entity and brand within Reddit with its entire team and three co-founders staying on board, but it will integrate Dubsmash video creation tools into Reddit. Reddit introduced native video on its platform back in 2017 and says that video posts doubled in 2020. I get Reddit wanting to get video creation tools and buying technology. I don't know why they buy Dubsmash, which because Reddit is trying to do the right thing, they will leave it as an independent entity. Yeah, it's not like Reddit makes those kinds of acquisitions. Usually that part can that part I'm a little less clear on. I remember back in 2017 when native video was introduced, I was like, is Reddit really? I mean, is this going to become a whole different platform than what we're all used to? I know the answer is mostly no. Reddit has, you know, it's nothing if not consistent in certain ways. You know, you got your subreddits, you got your memes, you got, you know, you kind of know what you're getting depending on where you want to hang out on Reddit. But this, it felt like I was a little, it felt a little left field to me. Like, what are we doing? Like competing with TikTok on Reddit? And like you said, Tom, it sounds like the technology is something that the company is interested in and hopefully it'll be used in some sort of way while not taking away from what Dubsmash is already doing really well. So, yeah, I don't know. Peter, Keith, what are your thoughts? This feels like one of those moments where I realized just how old I am. It was the same when Twitter bought Squad the other day and I was like, what is Squad? You know, yeah, I just feel like there used to be a time years ago when I'd be on the show where I had the beta invites for all of these kind of things and now I'm just like, oh, never heard of that before. Interesting. Yeah, I have it on my list of follow-ups to ask my 12-year-old what is Dubsmash? Because she is in that 25% black.
You would think she might have heard of it. So, you know what? It's an action item. I've stayed away from Reddit just as a user. This is curious. Yeah, report back. Let us know what you find out about Dubsmash. What do the young people say? Yeah. All right, folks. Listen, we appreciate you being here. If you are like, no, I could have told you about Dubsmash weeks ago. Well, get in our Discord and tell us stuff like that. You can join by linking to a Patreon account at patreon.com/DTNS.

A breach in the Orion Network Management Platform. It's a network management platform called Orion from a company called SolarWinds, has led to attacks on FireEye (the FireEye attack we talked about last week), Microsoft and several U.S. government agencies. SolarWinds said Sunday that updates to its Orion platform that happened between March and June may have carried malware as a result of a sophisticated nation-state supply chain attack. SolarWinds says Microsoft notified it of a compromise to SolarWinds' Office 365 accounts. It's not sure if that's how the supply chain attack was carried out, but it's investigating. SolarWinds did call for all Orion customers to update to its latest version immediately. That'll partially mitigate this and it plans an additional patch for Tuesday to fully defend against it. SolarWinds has 300,000 customers worldwide, including most of the Fortune 500 companies in the U.S., Lockheed Martin, Booz Allen Hamilton, PricewaterhouseCoopers, the Federal Reserve, the Defense Department, the State Department, the U.S. Secret Service, the National Security Administration. 33,000 of those customers use the Orion platform. So not all 300,000, but a large number. And SolarWinds believes that 18,000 of them installed the malware-infected versions. Now, not all 18,000 were targeted, but even a small percentage, that's a lot of targets.
ZDNet reports that IT administrators are finding signs of the malware on their Orion systems, but few are reporting the second-stage payload that would be used to elevate access. So it's believed the attackers targeted specific customers around the world. FireEye, for example, announced the intrusion in its network, reported last week, was caused by the SolarWinds breach. It has published detection rules on GitHub that you can access if you need them. Microsoft confirmed the SolarWinds compromise in a security alert to its customers and provided countermeasures, including detection rules added to Defender. The U.S. Cybersecurity and Infrastructure Agency, or CISA, issued an emergency directive with instructions on how all federal civilian agencies can detect and analyze compromised systems and advised them to shut down Orion. CISA advises all hosts monitored by Orion to be treated as compromised until you're certain otherwise.

FireEye calls the malware Sunburst. If you're out there looking around, you see Sunburst. That's what that refers to, although Microsoft has dubbed it Solorigate. So we have a couple of different ways to refer to it. The attack worked by entering the network through the Orion vulnerability, however it got in there, and then gaining elevated credentials once it was in your network. That let attackers forge single sign-on tokens, which would let them impersonate privileged accounts, which allowed them to grant new credentials to themselves and gain high-level access. The attackers were able to track authentication controls and access Office 365 at the National Telecommunications and Information Administration, where it definitely monitored emails. It probably did that in other places as well. FireEye says that each attempted intrusion needed what they called meticulous planning and manual interaction. This wasn't a set-it-and-forget-it blast. This was done intentionally to the targets it affected.
FireEye says the victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. So it's not just the US government. "We anticipate there are additional victims in other countries and verticals," says FireEye. And yeah, the US government appears to be one of them, Reuters sources saying that network intruders accessed internal email traffic at the US Departments of Treasury and Commerce and possibly other agencies. The US Commerce Department confirmed a breach and said that CISA and the FBI are investigating and the US National Security Council reportedly met on Saturday to discuss this issue. So this is big. It affects a lot of companies. It affects a lot of governments. It affects highly sensitive information. It seems to be meant to gather intelligence by going after email communications.

But let's start with the way it got there, the supply chain attack. Keith, can you explain to us what a supply chain attack is? So this is one of these attacks that, you know, as the US government has been screaming China, China, China for the past few years. The fear has been that the Chinese government could infiltrate one of our manufacturers or suppliers based in the US. I mean, sorry, based in China, via the supply chain so they can slipstream or put software or hardware, compromised hardware, into the unit before or during the manufacturing or shipping of it. If we remember the whole Supermicro theme from a couple of years ago, this would be equivalent to that. But just on a much more massive scale, this was done via software. So the things that we inherently trust and not just enterprise IT but consumer IT, the update process, that automated process to say, you know what, my program says it's time to be updated. I'm going to hit the update button and I trust from the point that SolarWinds is distributing the update to the point that my PC gets it, that I trust that update.
It is equivalent to Apple or Microsoft or any other trusted enterprise company or consumer company asking for an update and getting malware instead. And I assume that SolarWinds, like any other company, has methods in place to try to prevent this from happening. What are the possibilities that it failed? This is quite frankly scary. SolarWinds is a proper enterprise IT company. 300,000 customers, 425 of the top 500. They're government customers so their code is getting audited. They go through all the rigors of this place. So much so that I've read that one of the reasons why it wasn't detected was because SolarWinds specifically requested that you not scan its directories for malware or viruses because it's so trusted. So what's scary about the hack? I've worked enterprise IT for over 20 years and one of the things that we do in enterprise IT for a product like SolarWinds Orion, which basically checks other systems, is the email server up, is the database server up, is the services running on that up? If it's not up, we'll alert the administrator. They're so trusted that we get exceptions for that security scan and we're confident that SolarWinds from a security perspective can be kind of absorbed from security scans. So this is about as bad as it gets.

I mean, seems like a juicy target for someone to go after. It takes a very sophisticated attack to do it though, right? It takes a super sophisticated attack and then to jump off, FireEye, if you're not familiar with it. Basically, I had to implement this when I worked for Department of Housing and Urban Development as a federal contractor. Basically, it's the keys to the kingdom. It sits on the edge of the network and goes through all the traffic leaving these agencies. You cannot get an exception. If you have a network connection, it has FireEye on it. So for them to hop from SolarWinds and compromise FireEye is an advanced attack, this is not admin one, two, three. This is pretty serious.
Yeah, I wonder what the fallout is. We don't know exactly who was affected. We do know that it was after email and information and we don't know. There's some suspicions that it might be Russia behind this but we don't know for sure and we don't know what they were after. Were they just on a fishing expedition to see what they could get? Were they going after specific kinds of information and what did they want to do with it? Those are all questions waiting to be answered. And that was an awful lot of effort and you saw with 18,000 people being affected but not everyone being impacted. It was whatever they got, they probably, whatever they wanted, they probably got. Yeah, they were definitely going after certain targets, for sure. This wasn't just a random attack. So I doubt this will be the last we hear of Sunburst aka Solorigate. I'm going to call it Sunburst though. I think that one's the better name for me.

Well, another question you might be asking yourself is when do I get to get on another John Deere tractor? It's been so long. Virtual reality, been at CES for many years. In fact, where I tried out VR for the first time. But for CES 2021, John Deere plans to send Oculus Quest 2 headsets to reporters who might have otherwise come to their booth at CES and talk to them and maybe check some stuff out so that the reporters could get a virtual ride on the latest farm equipment during planting season, highlighting the company's use of AI and satellite imagery for precision agriculture. According to John Deere's public relations head, John Ebert, designing the experience and then sending out the headsets still end up being less expensive than booking floor space in Vegas for CES. John Deere isn't the first to try a virtual approach. LG and Samsung both used virtual demo rooms for IFA Berlin this year. You might remember that IFA scaled down considerably, but some people were still there in person. Who's the first?
Dave Peter, you're gonna try to get an Oculus Quest 2? We should get one to Sarah too. I don't want one of these, but yeah. No, I'm all for the virtualization of CES and the big tech shows. I'm really looking forward to waking up and putting on my pajamas and going and watching seven different announcements in a row rather than like joining those queues in Mandalay Bay at four in the morning to make sure you get a seat in time. I'm all for it, bring on virtual everything. And it's been so good. Oh, sorry, go on, Sarah. Oh, no, I was just, I was gonna say, like the virtual, you know, you said, no, I don't want an Oculus Quest. I have one, one of my favorite things to do is, you know, there's like a lot of drone footage where you kind of like get to fly over Italy and stuff, you know, and look around. And it definitely is, it feels like you're flying kind of, but I mean, it's not really the same as like having a jet pack on my back and flying over Italy. So I wonder how the reporters will either, you know, say like, this farm equipment seems really great because of the VR experience that we were gotten because we actually didn't get to do a lot of testing in person, but it sounds like it's probably just pretty good marketing. Yeah. Keith, you're looking forward to a virtual CES? I'm virtual, you've been it out of AWS re:Invent was literally three weeks, I think, and it's still going on today. I put on a virtual event earlier this year. I'm just, I'm ready to see people in real life. I never thought I'd say this. I miss Vegas. Yeah. Whoa. So now we know that, now we know the recovery period for missing Vegas. Yeah. Oh, man. Conversely, I was like, I don't have to go to Vegas in a couple of weeks. I know. This is like a very new world. Wow. It sounds like Keith's virtually exhausted. I'm sorry, man.

All right. Let's check out the mail bag. Let's do it. This one comes from Daniel. Daniel has a question that I think probably a lot of other people are also asking.
He says, Disney plus going up $1 per month, not all that bad for all that we're going to get. One thing that has always bothered me though, that's I wonder about the effect of all the people who share passwords. I have coworkers. I have customers where Daniel works that share with many family members. A coworker on Netflix, for example, has a coworker that he works with, has Netflix, Hulu, Amazon prime, Disney plus, HBO Max pays for none of them. And they're shared with eight other family households, siblings, parents, in-laws, cousins. It seems very wrong to Daniel. He says, I can't help but wonder if more people paid for what they should have paid, then it would help avoid price increases. I have no idea how the services could control this though, but it makes me wonder, am I wrong? Well, the thing to remember with sharing passwords or piracy or any kind of hacks around the system like that is they're usually less convenient than paying for the thing. And they aren't lost money. People who share a password aren't guaranteed to have paid for the subscription if they didn't get the password. And in fact, Netflix has found that password sharing can work like marketing, which will cause viewers to eventually want to pay for the service themselves so they don't have to share a password and they don't have to worry about, oh man, I forgot that they changed the password on me. Like people, when they can afford it, do like to be in control. It does have an effect. I'm not starting to say it has zero effect, but it is not a one-to-one of like every person who shared a password would have been a paid subscriber. Yeah, I remember back in the day, Netflix, this was at least five years ago admitting that part of their marketing push was allowing, when they would see all of these family account sharing coming from university dormitories that they were like, we can stop that. We could stop that if we wanted to, but we realized we were creating lifelong customers there. 
And look, if I'm honest, I shared Disney Plus with another friend of mine. We both have kids. We never watched Disney Plus, but we share a four screen pass because I only have one screen in my house and he has two, so it balances out. I think it's fine. And plus on the whole, would it be cheaper? Just keep in mind Comcast put a 1.2 terabyte limit on our data caps during a pandemic. So I don't have much faith that if these guys made more money, they'd pass those savings on to us. Yeah, that's not how prices get set. That's a really good point.

Well, if you have feedback like Daniel's, questions, comments, anything you'd like us to discuss, we'd love to hear it. Feedback at dailytechnewshow.com. We also love to shout out our patrons that are master and grandmaster levels today. They include Hi Tech Oki, Johnny Hernandez and Dr. X17. Thanks to Peter Wells for being with us this fine Monday or Tuesday. Peter, where can folks keep up with your work? Just head on over to Twitter slash Peter Wells and I do a daily tech podcast. I know that's an original thought. It's at thehelpdesk.com.au. Go check it out, folks. Excellent. Also thanks to Keith Townsend for being with us today, helping us understand a little bit more about security. Keith, where can people keep up with your work? You can find me on Twitter at CTOadvisor and the blog is thectoadvisor.com.

Hey, folks, we love patrons and that's why we're happy to offer Patreon loyalty rewards. If you like the show, you like some perks, you can get bonus episodes, you can get longer episodes and you can get some merchandise sent to you as a thank you for supporting us. A unique sticker, mug, t-shirt or hoodie comes every three months to our patrons as long as you stay a patron. Each one has unique art from Len Peralta featuring the DTS 7-year anniversary logo, then Roger, then Sarah, then me. Get the details at patreon.com. Hey, folks, we're live Monday through Friday, 4:30 p.m. Eastern, 21:30 UTC. Find out more.
Tell a friend, dailytechnewshow.com. We'll be back tomorrow with Patrick Beja. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com.