This 10th year of Daily Tech News Show is made possible by its listeners, thanks to all of you, including Eric Holm, Carmine Bailey, and Vince Power. Coming up on DTNS, Rod Simmons is here to talk about LastPass and what you need to know if you want to switch. Plus, Microsoft brings Bing AI to Windows and Signal threatens to Brexit over an anti-encryption law. This is the Daily Tech News Show for Tuesday, February 28th, 2023 in Los Angeles. I'm Tom Merritt. And from Studio Redward, I'm Sarah Lane. And I'm the show's producer, Roger Chang.

Joining us, the host of the SMR and BBQ and Tech podcasts, and what I would say is a security professional as well, Rod Simmons. Welcome back to the show. Thanks for having me back. Do you describe yourself as a security professional? You know, most security professionals don't describe themselves that way. But yes, I work in security all day, every day, and have for a number of years. You sound like a professional to me. Sounds like you professionally do security things. So yeah, there we go. Well, good. You're the man we need to talk to then.

Also, folks, Mobile World Congress is still going on. OnePlus is saying it's going to launch a foldable phone later this year. That's all there is to that story because they didn't tell us any other things.

So let's get to the quick hits. When Google launched the Pixel Watch back in October, it promised it would also add a fall detection feature. That feature is now available in the Personal Safety app on Android. So on a detected hard fall, the Pixel Watch will wait 30 seconds. If it doesn't detect movement afterwards, it'll vibrate, sound an alarm, and ask the user, do you need assistance? And if there's no response after a minute, it will automatically call emergency services.

The European Commission sent Apple an updated preliminary statement of objections. This is part of its antitrust investigation into the company's relationship with music apps.
The new statement dropped a previous objection that Apple requires music apps to use its app payment system. It will no longer object to Apple requiring apps to use its in-app payment system, kind of a big deal there. The objections, however, will focus on Apple's anti-steering rules. Those are the rules that prohibit app makers from telling users about other ways that they could pay for a service, like, hey, go to our website to subscribe.

Meta CEO Mark Zuckerberg said that the company formed a new top-level product group focused on generative AI. The group will initially work on building creative and expressive tools and eventually focus on developing AI personas. Zuckerberg said it's exploring experiences across WhatsApp, Messenger and Instagram, of course all Meta companies, including text, images like creative Instagram filters and ad formats, video and multimodal experiences.

On Tuesday, Nvidia released RTX Video Super Resolution. This is an upscaling technology that works inside the Chrome and Edge browsers to improve any web video by sharpening the edges of objects and reducing video artifacts. So videos anywhere from 360p, pretty low res, and up to 1440p can up-res to 144 hertz frame rate and upscale to 4K resolution. Nvidia Shield TV already had this. You feel like, hey, don't I have that? If you have a Shield? Yeah, you do. But updates to the Chromium engine have now let Nvidia expand it to the RTX 30 and 40 series cards. Man, I know it's probably lower res, but I've got some VHS videos from high school that I would love to clean up now. Yeah, give it a shot. I know, right?

Qualcomm and Thales announced certification of the first user-ready integrated SIM, or iSIM. It offers card-free digital signups and security like an eSIM, but it's built into a phone's main processor, so there's no dedicated chip that needs to be added. Might save space, maybe a larger battery, maybe even possibly save you some money, or at least save the carrier some money.
No word on which phones will use iSIMs first, but since they support the same remote provisioning standard as eSIMs, providers don't necessarily need to update their systems. They could just kind of roll it out. So as soon as a handset comes out with the hardware, it should work. All right, that is a look at quick hits.

We have quite a bit of Microsoft news to look over today. The company has been busy. So first, Phone Link is coming to iPhones. Phone Link mirrors a lot of your phone's functions on the desktop, so you don't have to pick up your phone to use them. Say you're already cranking on your desktop; they will be mirrored there. Things like text messages, notifications, phone calls, stuff like that. So starting now, some Windows Insiders can use the Phone Link app with iPhone to send and receive iMessage messages and also make and receive phone calls and also view notifications that would otherwise just be on iOS. However, there are more limits on what the iOS version of Phone Link can do if you want to compare it to the Android version. For example, you can't send pictures in messages, you can't participate in group chats from the desktop, and you also won't see any message history that wasn't sent through Phone Link itself.

In addition to that, a Windows 11 update has come along, only for Windows 11 though, which adds screen recordings within the Snipping Tool, tab support for Notepad, and updated Braille display support. The headline-grabbing one though is the Bing icon is now showing up in the taskbar's search box. You can already search Bing in the taskbar; this lets you do the chat thing. If you are in the access group that can chat with Bing, you can hit that Bing icon in the taskbar and start chatting with Bing in Edge. You can manually install the update now or wait until the automatic one on March 14th. That's when the monthly security update will begin to roll out to everybody else.
Rod, do any of these get you excited to fire up the old Windows machine as soon as you get the update? Yeah, all of them actually, both of them actually. So I'll start with the first. What excites me about that is, typically for some people who are Windows users and iPhone users, the only thing keeping them using a Mac is, I can get my text messages on my phone because I can type faster on a full-size keyboard. It's super nice. Now you can do that on Windows. I think it's fantastic. But you just get, with ChatGPT with Bing, what I love about them most is, and I think if you haven't played around with it, if you're not, I'll say, the perfect writer, like I always will write something up and I'm like, I don't like the way it sounds. I'll say, Rob, or I'll send it to a marketing person, clean this up. Now I can just say, reword this, and it's, oh my gosh, this is great. I did that and I sent it to a marketing guy. He's like, this sounds great. I was like, yeah, I know it does. So I think both of those are going to be like huge values for people at work because they can write really great content, or at least write okay content, and have someone do the cleanup for them.

I love the idea of the marketing person saying, perfect, no notes. Wait a second. Shoot. They probably sent it to the same place and it came back with the same thing. Yeah, yeah.

I do wonder if this is a little early to have this concern, but if people start using this Bing engine a lot more and it's now tied into your taskbar, do we start to have little rumblings, little murmurings, little complaints about Microsoft and its 82% desktop domination tying in a search engine? I don't think so. You wouldn't, you'd hope not. I mean, because if you think about like Google's dominance that they have, I'd say in the classroom with Chromebooks, like my kids all use Chromebooks.
And it's interesting if you talk to the kids. What they like is, on some Chromebooks, specifically the Google ones, there's a quick button to access Google search and it bypasses search history. So if the kids are in class and they're searching up answers, if they click those buttons, they don't go into the school search history. So they don't realize the kids are searching for answers. So you still get that same level of capability on Chromebooks, which are very dominant and popular, and Google's baking their heavily dominant search engine into heavily dominant phones, heavily dominant Chromebooks that are at the educational level, like K through 12.

So I think what you're saying is Microsoft baking its search engine into Windows, Google baking its search engine into Chrome OS, Apple needs to start a search engine. Yeah, or just keep the relationship. I mean, the relationship they have with Google right now, which is they pay Google a king's ransom for some search, and they pay Bing for search that comes from Siri. Yeah. So they're like splitting the difference. Yeah. I don't think Apple, well, they probably eventually will need to get there, but probably not just yet. Yeah. No, I'm curious about that.

But yeah, the Phone Link stuff is obviously limited because of iOS's own limitations. But great is, I know Wild West Dan was saying he uses messages.google.com all day long. I'm with him 100%. It is a tab that I have open all day long. I have one open right now. My wife was texting me as we started. Do I need to pick up your son? No, he's already home. So messages.google.com is a killer if you're an Android user. Yeah, I have a few friends who are iPhone users, but also use Windows for work. So that's like a primary computer that they're going to be sitting in front of most of the day. I said, check it out. And then we're like, really? Wow. Seriously? Oh my gosh, this is going to improve everything.
I think if you're a WhatsApp user, I mean, 90% of us use either, you know, you scan the QR code, so you have either the WhatsApp app or WhatsApp Web. Everybody, if you have a full keyboard in front of you, you'd rather type on that. And I can say, I think for me, this is huge. I wish Apple long ago would have just put iMessage on every single platform, because things like WhatsApp would have never really gained steam, because everybody could do iMessage. So I think it was a miss for them on that one. They could have left you green if you weren't on an Apple device and still had their little blue bubble situation if they wanted to. I would have been totally fine with it as long as I could have used iMessage. And yeah, I'm on Android now, so it's not a big deal for me anymore.

One last Microsoft thing. They expanded the PC Game Pass service to more markets. Preview is now available for 40 new countries. It includes countries across Europe, North Africa, and the Middle East. Users can get access through the Xbox Insider Hub app. Broader launch is coming in the next few months. The service is now available in 86 countries. So if you've been waiting for it to come to your country, go check it out. We have a link to the Engadget article that lists all the countries it's coming to.

All right. Let's move on to some encryption talk. In fact, we're going to be talking about it a lot on the show today. Let's start with this. The UK Parliament has riled up providers of encrypted services yet again in an effort to combat child sexual abuse material, also known as CSAM. The UK Online Safety Bill would require such providers not to encrypt information in a way that would stop regulators from being able to see what's in it if they need to. If they think something really bad is going on, we need to help. That's the idea.
The government's impact assessment of the bill goes further though, saying that companies must take steps to mitigate the risk that using end-to-end encryption would stop regulators from being able to identify CSAM. This is an old story. We have talked about it multiple times. The government can say that it's not banning end-to-end encryption, but also we know that end-to-end encryption means only the user and the intended recipient can read those messages. If you require the government, or anybody, to be able to read that information, by definition there are not ways you can then implement end-to-end encryption. It breaks down at that point. But don't let that stop you. You can use end-to-end encryption as long as you can figure out a way to do that and then also let the government peek somehow, just to get rid of the bad guys. The bill even funds five organizations to find ways CSAM can be detected and addressed within end-to-end encrypted environments while still ensuring user privacy is respected. To that I say, good luck. To that, Signal said goodbye.

Encrypted messaging app Signal said in no uncertain terms it will not operate in the U.K. if it has to weaken end-to-end encryption in any way. Signal CEO Meredith Whittaker told Ars Technica, "We would absolutely exit any country if the choice were between remaining in the country and undermining the strict privacy promises we make to the people who rely on us." And just today, a German encrypted email provider, or at least I noticed it today, called Tutanota took its own approach, writing on its website that if U.K. Prime Minister Rishi Sunak's government wants, quote, "to stop people in the U.K. to use strong encryption, he must block access to Tutanota just like Russia and Iran already doing." So basically saying, Russia and Iran already block us. U.K., you want to be next? Listen, I don't know much about Tutanota, but it certainly reflects the rhetoric out there, and Signal is used by the British government.
So if they were to just pull themselves out of the U.K., it would cause quite a stir. Rod, is there any compromise on issues like this? Is there a way for the government to be able to stop the bad stuff, but not, you know, transgress your privacy? God, I wish there were, but there's not. And I think it was the Signal CEO who probably said it best: the same mechanism you'd use to weaken the encryption can be exploited either within the company, by whoever has access to those keys; by law enforcement, through overreach; or by attackers who gain access to that backdoor mechanism meant for law enforcement. So any mechanism you use to try to reduce encryption, no matter what, it's a bad idea. And the idea that, well, you could do an on-device scan beforehand, which I think Apple had looked at doing with CSAM, they backed away from that idea because it was just too invasive an analysis of devices. So unfortunately, the genie's out of the bottle with end-to-end encryption, and if you force certain apps to do that, there'll just be other ones that'll pop up that people will just go over to. And as a Signal user, I'm super happy that Signal is taking such a strong stance on protecting user privacy.

Yeah, I mean, I actually thought people maybe overreacted a little to Apple's on-device scanning, because if you remember, what they were doing was saying, hey, you're about to send an image, it kind of looks like it might be, you know, an offensive image that maybe you shouldn't send, are you sure you want to send it? That's something you can do entirely on the device, and no one but the device holder would know about it. There were other parts of that method that involved notifying parents and everything that also caused people to object.
If you are looking at this bill, if you were to tell people, hey, what you're about to send looks like CSAM, maybe you don't want to send it, you're only helping the perpetrators at that point, right? You're actually not catching them. What the UK wants to do is say, we want to be able to look at a message after it's been sent and say, oh, that person sent an offending message. There's just no way to do that without breaking encryption. At least nothing I could think of.

Yeah, so I like the intention. I do get the intention. I think the problem is, as soon as people start talking about child pornography, everybody wants to kind of jump in and we want to try to figure out a solution, and it's a horrific thing that happens. But what if you could catch someone, I don't know, trying to manufacture bombs or trying to share information about how to do things with bombs, or if you're human trafficking in general? There's all types of freeches, and the problem we'll have is it'll just be, well, we just want to go an inch further, we just want to go an inch further, until at what point in time they just want to inspect and look at every single thing that people are communicating. And the intention is great, but privacy is privacy. If you need to inspect what someone is doing, get authorization to get onto their devices. Having the person sitting in the middle is probably not the right point, because then at some point, should we go to everybody who sells email encryption keys and say, hey, you can no longer have clients that support end-to-end encryption, and if the emails are sent to your servers, you have to find a way to decrypt the emails, where I'm using my public key to send an email and we're trafficking back and forth? Yeah, you can do that. Just make sure the government has a key that they can use too, right? That's exactly what they want. The government is like, let's just try triangulation.
We want you to be encrypted from sender to end user, but we also want to make sure you're not doing anything super bad. So maybe just make sure that we're also part of the conversation. And we promise not to look unless we have a really good reason. Yeah, you have to give us a really good reason, or we just have to come up with one. Yeah. Did you say just BCC the government on everything? Yeah, make it easy. Why not? There was a movie, a book. Gosh, what was it? I think it was Dan Brown. He did a book where the CIA was gathering all different communications and it was just such massive volumes of data. I cannot remember. It'll come to me later, and essentially it took down one of their servers trying to decrypt a constant stream and volume of data. It was definitely a Dan Brown book, but I can't remember that. That sounds very Dan Brown. And encryption is math. So you can't really outlaw it. You can just make using it illegal. But like you said before, people who want to encrypt their things are going to find a way to do it.

Folks, what do you want to hear us talk about on the show? If you haven't checked out our subreddit, there's a great community in there submitting stories, voting on those stories, talking about the stories. Let us know in our subreddit, dailytechnewshow.reddit.com.

LastPass disclosed more details about how the attackers were able to access customer encrypted password vaults. One of the criticisms when they announced this in December is they didn't give details. They have now finished their investigations and published a lot of details. I'm going to give them credit for the transparency, at least in this particular case. The attackers used information stolen in other breaches to take advantage of a remote code execution vulnerability in a third-party media software package. Ars Technica has sources that say it was a vulnerability in Plex, and there was a vulnerability in Plex around that time.
They then were able to install a keylogger on a senior DevOps engineer's home computer that let them grab the employee's master password to their corporate vault, which then gave them access to the encryption keys and all kinds of other stuff, including the encryption keys needed to access the AWS S3 production backups. The valid credentials made the access difficult to detect because it was legitimate, and it wasn't until a couple of months later that AWS GuardDuty alerts finally detected the intruder, when they tried to use cloud identity and access management to perform an unauthorized activity. So as best they can tell, they were in the system from August 12, 2022 to October 26, 2022. A lot of people were wondering how far back they had access to the vaults, and it only goes back to August.

So in light of these more complete findings, LastPass recommends that users make sure they are using a strong and unique password on their vault; change the default PBKDF2 iterations to at least 600,000; review all the passwords in their vault for uniqueness and strength; turn on dark web monitoring to look for matches; and enable multi-factor authentication. Here's the clincher. If you're already using multi-factor authentication, LastPass also recommends regenerating your shared secrets, because part of the things that they got out of AWS were MFA seeds.

Rod, these are things most people are not going to do, especially regenerating MFA secrets, checking PBKDF2 iterations. You and I will do them. Sarah will do them. But there's a lot of people out there whose eyes will glaze over and they just won't get around to it. A lot of people in our audience just want to know who to switch to. They just want to get off LastPass. Before we get to that though, I want to know your take as someone who works in security. How do you feel about how LastPass handled this? So I'll start with, I've been a LastPass user, well, was a LastPass user for about 12 to 15 years.
So I've, and mind you, I love that product. I've recommended it to so many friends. For me, the issue with LastPass isn't that they got breached. It was the speed at which they disclosed information, and I felt like it was trickled out too slow. Because if we had found out very early on of a breach and they said, hey, we lost vaults, go change your passwords, I'd have changed my passwords on LastPass and moved on with life and never given it a consideration. The fact that a developer was hacked, I can live with that. Those things happen. They happen to, I mean, I'm a Marriott user and Marriott's been hacked. So okay there. The bigger challenge is, as I was reading through this article as to what's happening, I'm like, how did you guys not detect this for two months? I mean, just the abnormal behavior, and mind you, it's the credentials that the user needed to do their normal job. But were they doing it at that same volume? Like if someone was downloading all the vaults, wouldn't you find it abnormal that this admin is moving vaults off in that mass? Like that should have triggered something. So that's where I'm a little concerned that probably their security wasn't as tight as one would desire it to be. But for me, it was 99% disclosure. I lost trust in the organization, which is what forced me to move elsewhere.

I would add to that, like the fact that they lost vaults and it involved a home computer means there probably weren't some best practices being followed there as well. Absolutely.

Should people rely on password managers? I've heard a lot of people say, well, this proves that password managers are a bad idea. Password managers are still better than not using one. I mean, I've made the joke before that someone could come up to me and say, tell me the first character in your Gmail password. And if you had a gun to my head, I couldn't tell it. I could guess, but I really, I legitimately don't know.
And for 99.9% of my passwords, I couldn't tell you the first character in them. So password managers are still great things to lean on, because it does get users having better passwords, and less things that, I mean, if you've ever looked at Have I Been Pwned and looked at the number one breached, the top 50 breached passwords, they're all horrendously awful and easy to crack. And what we're trying to get is users to kind of be more knowledgeable. And then with most of the platforms, like LastPass with the Security Challenge, or 1Password with, I think they call it, Watchtower, they all can let you know of reuse of passwords, which most people don't catch. They were reusing passwords if they were manually typing them in. But more importantly, if they're known breached passwords, you can also pick up on those, or on the dark web. So all of those types of things are so valuable with a password manager that you don't get by putting it in, you know, some type of encrypted vault you're managing on your own.

I mean, the LastPass story has unfolded over time and we know more now today than we have in the past. And like you said, there are other options. You can say, yeah, you know what, that was just too little too late. I'm moving on to something else. However, this could happen to a lot of companies. And because of this, one would think that LastPass goes, we've learned a lot from our mistakes, we are stronger than ever, keep trusting us. There's some merit to that too, right? Yeah, I think some merit. I'm right here. Get on it, Tom. I mean, just in the sense that, you know, we hear about breaches all the time and companies saying, here's what we now know. Here's what we will not allow to happen again, hopefully, in a perfect world. How much credit do you give LastPass for that? I think, is that what you're asking, sir? For just disclosing? I think just disclosing, it's fantastic.
Again, it's not, first you have to disclose quickly. That's the most important. And that's where we've seen most security companies fall down in the past; it's been either lack of disclosure or too slow to disclose. And that's where, like, I think there were a lot of SSL companies, companies that were providing encryption and doing encryption, that got kicked out of browsers because of just either poor management or poor disclosure, from Google, Microsoft and those. So I think that's the first, most important. It is great that they're becoming transparent, but I think it's after massive backlash and users deciding that they're not going to use it. I mean, when you start looking at users who've been around with you for a decade or more, who are now no longer logging into their vaults, deleting all their credentials out of their vault, that's problematic. And I think they know, and not to mention LastPass, they were getting very large in the enterprise market, and knowing that companies are actually having to re-look at their security policy and posture and might have to make moves off of LastPass and go elsewhere, that's a pretty big hit for them. So I think the disclosures are fantastic. And I think they're doing the right thing now, but they should have done the right thing a while ago. And it's okay that the story is evolving as they learn more; I'm totally fine with that. But I should have known about the breach as early as possible so I could take the most evasive action as possible.

Last question. Do you have a recommendation for people moving off of LastPass yet? Is there an alternative that you like to recommend? So it all depends on the type of user. If I were talking to you, Tom, I'd probably say go with Bitwarden. You probably would be very happy there. For me, I went with 1Password, and you probably think, well, why the heck would you recommend Bitwarden if you went with 1Password?
So with Bitwarden, I thought it was a fantastic password manager. It's definitely a little rough around the edges. There are certain things that I felt I was stumbling across getting done. However, with 1Password, the reason why I went that route for myself is I wanted a family plan. I wanted family sharing. So I wanted all of my kids, my wife, I wanted us all to be able to easily share credentials, be on a single password manager, pay one price throughout. I'd say if you were debating on the switch, start with Bitwarden and verify it won't work for you, because it's free to get started. So there's a really good run rate where you can trial it out. With 1Password, you're kind of getting into, you don't have a lot of run rate for trying out the solution before you're into a paid model. So for me, I went 1Password. There's a lot of things that are not LastPass and it frustrates me, but I'm learning to use 1Password for what it is. Excellent.

All right, before we get out of here, let's check the mailbag. Let's do it. Mike in Dubai wanted to add to Chris Christensen's travel tip from our Friday show on February 24th. Mike writes, on that show, Chris Christensen mentioned TripMode on macOS and asked if there's an equivalent on Windows, because he didn't know, because he's a Mac user. Mike says if a user goes onto any Wi-Fi connection, they can toggle between metered and unmetered connections. I don't know all the details about what downloads happen automatically in metered mode, but it minimizes Windows software updates until you return to an unmetered connection, which is the default. I set up my phone hotspot as a metered connection while traveling. Oh, nice tip. Thank you, Mike in Dubai. Good stuff. Indeed. And thanks to everybody who emails us cool tips like this. Feedback at dailytechnewshow.com is where to send those. We welcome them and thank you in advance. Also, thanks to you, Rod Simmons, for being with us today.
Could not have done the show without you, and we mean that. Let folks know where else they can keep up with your work. Yeah, so I hang out with a couple of clowns. I know Rob and Chris come over here often, on the SMR podcast, but also Chris and I run a podcast called Barbecue and Tech. And I do appreciate someone in the chat said Bitwarden does have a family plan. And I did know that, but there was something about their family plan that I didn't like versus 1Password, but I'll have to look that up. And I know I talked about this on the SMR podcast before. So yeah, you did a nice, good deep review on SMR. Folks should absolutely go check that out. I also, unrelated to LastPass, really enjoyed the Barbecue and Tech episode you just did about the cutting boards, because I have a cutting board that you made that I bought from y'all. And I was like, oh yeah, I need to clean it, and your cleaning tips and everything were really good in there too. So thank you for that. Yeah, no problem. I don't even want to talk about how my cutting boards probably should be cleaned better. You should listen to this episode. That's a story for GDI at another time.

We do want to thank our brand new boss, Les. Les just started backing us on Patreon. Thank you, Les, and welcome. We're so glad to have you. All right, keeps the streak alive. Thank you, Les. Who will pick up Les's baton tomorrow? patreon.com. Yeah, patrons like Les get to stick around for the extended show, Good Day Internet. We're going to talk to Rod some more about how to do the move, what you should do when you want to move off LastPass on to another password manager. But just a reminder, we do the show live. You might be listening to us after the fact, and that's fine. But if you can catch the show live Monday through Friday at 4pm Eastern, 2100 UTC, we'd love to have you. You can find out more at dailytechnewshow.com slash live. We're back doing it all again tomorrow with Scott Johnson joining us.
Talk to you then.
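Editor's added example (not part of the show, and not LastPass's code): the two LastPass recommendations in the segment above that most listeners skip are raising the PBKDF2 iteration count to 600,000 and regenerating MFA shared secrets after the seeds were taken. The block below shows why both matter. The vault key derivation is a deliberately simplified model (PBKDF2-HMAC-SHA256 over the master password with a per-user salt; an assumption for illustration, not LastPass's exact construction), so the iteration-count check and the linear cost scaling can be seen directly. The TOTP part follows RFC 4226 and RFC 6238 and uses the RFC's published reference seed as constructed sample input: whoever holds a copy of the seed computes the same six-digit codes, which is exactly why a leaked seed has to be rotated rather than "protected" by changing the password.

```python
import hashlib
import hmac
import secrets
import struct

# Iteration count LastPass now recommends for PBKDF2 on the master password
# (it also matches OWASP's 2023 guidance for PBKDF2-HMAC-SHA256).
RECOMMENDED_PBKDF2_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Simplified model of a vault key derivation: PBKDF2-HMAC-SHA256 over the
    master password. Illustrative assumption only; not LastPass's exact scheme."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def iterations_are_adequate(iterations: int) -> bool:
    """Check a vault's configured iteration count against the recommended minimum."""
    return iterations >= RECOMMENDED_PBKDF2_ITERATIONS


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count, so an attacker cracking a
    stolen vault offline must do this many times more HMAC work per guess."""
    return new_iterations / old_iterations


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift,
    comparing in constant time."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


def new_totp_seed(nbytes: int = 20) -> bytes:
    """Fresh 160-bit seed; this is what 'regenerate your shared secret' produces."""
    return secrets.token_bytes(nbytes)


def stolen_seed_still_works(seed: bytes, unix_time: int) -> bool:
    """The point of the rotation advice: a copy of the seed is the whole second factor."""
    attacker_copy = bytes(seed)  # the attacker exfiltrated the seed bytes
    return verify_totp(seed, totp(attacker_copy, unix_time), unix_time)


def demo() -> dict:
    # Constructed sample inputs: the RFC 6238 reference seed and a weak iteration count.
    seed = b"12345678901234567890"
    t = 59
    rotated = new_totp_seed()
    return {
        "old_iterations_ok": iterations_are_adequate(100_100),
        "new_iterations_ok": iterations_are_adequate(600_000),
        "cost_multiplier": relative_guess_cost(100_100, 600_000),
        "code_at_t59": totp(seed, t),
        "stolen_seed_valid": stolen_seed_still_works(seed, t),
        "stolen_code_valid_after_rotation": verify_totp(rotated, totp(seed, t), t),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints that 100,100 iterations fails the check while 600,000 passes, that the change makes each offline guess roughly six times more expensive (a real slowdown, but no substitute for a strong unique master password), that the reference seed yields code 287082 at t=59 for the legitimate holder and for anyone holding a copy alike, and that once the seed is rotated the attacker's code no longer verifies.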