Coming up on DTNS, TikTok leaves Hong Kong, Loon launches commercial service in Kenya, and Kirsten Brazier helps us understand the security that protects our industrial systems. Do we need to worry about hackers taking down the power grid? We'll ask her. This is the Daily Tech News Show for Tuesday, July 7th, 2020. In Los Angeles, I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. And from the somewhat dark forests of Finland, I'm Patrick Beja. I'm from a well-lit portion of Southern California. I'm the show's producer, Roger Chang. And Kirsten Brazier, security consultant, joining us as well. Kirsten, thanks so much for being with us today. Thank you for having me. We were just talking about using Amazon's voice assistant to help satisfy your children's curiosity on Good Day Internet. If you want to get that wider show, join us, patreon.com slash DTNS.

Let's start with a few tech things you should know. Google Assistant is like, excuse you. Recode reports Walmart will launch its Walmart Plus subscription online shopping service, which will offer same-day grocery delivery, fuel discounts and other perks for $98 per year. Walmart confirmed Walmart Plus back in February, but hadn't announced details until now. The OnePlus Nord mid-range smartphone will be officially revealed in a livestream July 21st. The announcement event will be shown in the OnePlus Nord augmented reality app, which is available now in the Google Play Store and coming to iOS as well. Motorola announced the Moto G 5G, available in Europe starting at 349 euros. A sub-$500 model is planned for release in the US in the autumn. Magic Leap hired Peggy Johnson as its new CEO. Johnson was a business development executive at Microsoft and had been with the company for about six years. Johnson told the New York Times that she had reached out to Rony Abovitz, Magic Leap's founder and CEO, in May after he announced he would step down. The All-Star team has a date.
The US House Judiciary Antitrust subcommittee announced its hearing that will star Amazon's Jeff Bezos, Apple's Tim Cook, Facebook's Mark Zuckerberg and Google's Sundar Pichai. The Avengers of Tech will assemble July 27th at 12 p.m. Eastern. The hearing will be live streamed through the House Judiciary Committee's YouTube channel. By the way, the House Judiciary Committee has a YouTube channel. I had no idea. Amazon Prime Video is rolling out user profiles, so multiple viewers on the same account can have their own recommendations, playlists and watch histories. Customers can create up to six profiles. Profiles will arrive first on Android, iOS, Fire Tablet and Fire TV. The profile feature first rolled out in India and Africa earlier this year. Google Fiber is announcing its first new market in four years. The city of West Des Moines, Iowa is building an open conduit network. Google Fiber will lease space in the network.

All right, let's talk a little more about what's going on in Hong Kong. We mentioned Monday that several app makers announced they had suspended processing requests for user data by Hong Kong law enforcement. Basically, Hong Kong would ask for user data, and in the past they would process those requests. The list of people who are now saying we're not processing the requests right at the moment are Facebook, Microsoft, Google, Twitter and Zoom, among others. Apple says it hasn't changed what it does because it has always required such requests be submitted through the U.S. Department of Justice under a legal assistance treaty. But it is also still reviewing that. Also happening in Hong Kong, TikTok announced Monday that it will pull its app out of the Google and Apple app stores in Hong Kong within a few days. All of this, the security, the law enforcement request processing suspensions, TikTok pulling its app, are as a result of a security law imposed on Hong Kong by mainland China. Now, as of last September, TikTok had 150,000 users in Hong Kong.
That's not a lot. So this may be a fairly easy decision for them to make. But the reason they're making it is because TikTok is owned by Chinese company ByteDance, and it is seen as a Chinese company. However, TikTok, even though it's owned by ByteDance, has its own CEO, a former Disney executive named Kevin Mayer. It has headquarters here in the United States. And TikTok is not available in China. It does not comply with Chinese government requests. It says it's never received one. So TikTok is out there trying to do a lot to separate itself from its parent company because it continues to receive a lot of flak and a lot of accusations that it does cooperate with the Chinese government. So, Sarah, essentially what's going on is we're seeing TikTok say we want to move out of Hong Kong to distance ourselves from the Chinese government, which is asserting more control over Hong Kong. Yeah, well, they've got the Chinese version of the app. So this could be something where it was already in the works. And because of some government restrictions and a little bit of brouhaha, they're like, all right, well, let's have TikTok in the rest of the world, or at least in the markets where we don't have these sorts of issues. And we can continue to grow our presence in China because, yeah, TikTok is a separate company, but it is all ByteDance at the end of the day in a certain sense. So I don't know why TikTok would have really fought this. Otherwise, this seems like the best course of action for the company. Is it the best course for consumers? That remains to be seen. They are definitely trying so hard, so hard to say, we're OK, guys, we have nothing to do with China, which I mean, I'll leave it to everyone's appreciation to decide if they do or don't. But this has definitely become something very hard for that company to deal with.
It's also worth, I guess, wondering, would all of these companies (I'm talking about American companies now) have been so quick to distance themselves, or to decide or to announce that they will not be complying with this new law, essentially, if things hadn't been the way they have been for the past couple of weeks in the US already? I wonder if that would have... it's possible that they are thinking we already have a lot on our plate about everything, essentially. So maybe let's not add that as well. Interesting to note as well, Facebook is not present in China, whereas all of those other companies are. Well, maybe Google, yeah, Google and Facebook are not present, and neither is Twitter, but Zoom and Microsoft are. Yeah, and Apple. Kirsten, do you have any thoughts on what's going on with Hong Kong? I can't say. So my biggest concern at the moment with them is how this affects their ability to communicate about what is happening to them in their country, right? Social media is one of the ways that, particularly, protesters are able to get an unfiltered message out to the world to tell their own truth. So that is my biggest concern. But the app being limited, the other side of that is from a security perspective. The security community doesn't like TikTok, right? There's plenty of risks. It's very popular among children. And I know for us, our children, their friends are all on TikTok. And we have to have uncomfortable conversations with them that we otherwise would prefer not to have to have, especially at a really young age, about predators being on there, about people masquerading as someone else, about all the information that a person can pull from the app. We just saw here recently, I forget the Twitter user, where he did some reverse engineering on the app and found out that the restrictions were very, very permissive.
And so it allows people to pull lots of information that people may not even be aware of. And yes, you know, with any app that you use, there's going to be a risk, especially if it's free; you are the customer, if that app is free. But it's still, that's my biggest concern around it. It's the, you know, limiting people's ability to communicate where they may not otherwise have a way to, especially in light of the fact that a lot of other social media companies are banned from there. But then the other side of that is, you know, you still have personal risk to yourself and your family by someone in your... especially kids. It's more popular with kids, with them using the app. So yeah, yeah, I mean, it's a good point. TikTok doesn't even have to have a connection to the Chinese government to be problematic from a security perspective.

All right, Patrick, tell us about what's going on in Kenya. Indeed, Alphabet's Loon launched its first large-scale commercial service Tuesday in collaboration with Telkom Kenya, Kenya's third largest mobile carrier. Loon balloons hover about 12 miles above the earth and provide 4G LTE service to the ground; think floating cell towers. The new project covers central and western Kenya, including the capital Nairobi, about 50,000 square kilometers, about twice the size of New Hampshire. Loon uses around 35 balloons in constant motion to maintain coverage. Speeds are about 18.9 megabits per second down and 4.74 megabits per second up with 19 millisecond latency. That's not too bad. About 35,000 customers connected to the balloons during the testing earlier this year without noticing. Yeah, because they're just floating cell towers, like you don't have to do anything on the ground, right? That's really the strength of this system, I think. You just add them and you don't have to have a new type of connection. You don't have to have a new subscription, new hardware.
It's just 4G, and it's much easier to use than other, like, satellite-based systems and things like that. I think a lot of people too are like, now we have these balloons in the air. Doesn't that seem problematic for birds and helicopters? It's like, 12 miles above Earth is way above flight patterns for any aircraft. So it's pretty remarkable how, and that Project Loon has been in testing in the area before this rollout, so they were obviously pretty confident that this was going to work well, but how large of an area, including a very large capital city, is now covered. Yes, they have a telecom partner. But what this means for other areas, where you can launch some balloons up there and everybody gets better access? Yeah, it doesn't mean as much for Nairobi. They have good connectivity in Nairobi. But in those areas around, in the rural areas, that's huge. And good for Telkom Kenya, trying to take down Safaricom, who's like the predominant provider there. They're famous for M-Pesa, for instance. So I wonder if Loon is going to get more partners on board for this to provide a little more competitive space, because that could be a big boost for Telkom Kenya.

Last month, under seal, a US federal court granted Microsoft control of web domains being used to target victims in 62 countries. Attackers used the domains to send COVID-19 themed emails. So you want to get people to panic, like Stephanie was talking about on yesterday's show, so they're not thinking straight. They were designed to look like they came from a trusted source, like your own employer in a lot of cases. The emails then, if you clicked on them, opened a legitimate Microsoft login page. This is the genius. They took you to an actual HTTPS, for real, Microsoft login page, but would then redirect to a web app that was malicious, asking for account access. So they never needed to get your username or password.
That malicious web app would get you the access token set by Microsoft, because you would tell it that it could have it. And then they would use that token access to fish sensitive information out of others or carry out fraud or any of the bad things you can do once you get that kind of access. Microsoft took control of the domain names, disabling key parts of the attacker's infrastructure, and a spokesperson told TechCrunch it was not a nation-state backed operation. So this was likely a money-making operation. Kirsten, I don't know about you, but the methods of these malicious actors were impressive, if not horrifying, but also impressive. I'd love to see, and I haven't dug into this enough to know, I see that they're saying it's not a nation-state actor. So I'm guessing that the security community tends to shy away from attribution, but I'd be curious to, I'd be looking into this more after the show to learn more about it, because it definitely was something that was really sophisticated. Yeah, definitely. And a really good reminder that parts of the attack can look legit, and in fact, even be legit. So you really need to be aware. Yeah.

Uber launched a grocery delivery service in 19 cities in partnership with, and in advance of Uber's acquisition of, Chile's Cornershop, which is still pending regulatory approval. The service is available in Montreal, Toronto, Lima, Bogota, 11 Brazilian cities, including Rio de Janeiro and Sao Paulo, and four Chilean cities. Uber expects to expand to Miami and Dallas later in July, and other cities worldwide in the coming months. So it's a pretty significant rollout. The grocery delivery option is available in the Uber and Uber Eats apps and sources groceries from local stores like Walmart and Metro in Canada. It's available with a per-delivery fee or included in Ride Pass and Eats Pass subscriptions. So this is Uber once again. Yeah, the Uber trying to reach scale.
Like we talked about the Postmates acquisition yesterday, and the reason they want to do this is they want to get enough scale that instead of losing money on every one of these rides, they're able to make money because they have a big, wide platform that's monetized. And that seems to be what they're after here by buying Cornershop, by rolling out grocery delivery. So they get more deliveries, groceries, including food. It's really all about chasing that margin, which right now all of these, DoorDash, Postmates, all of them, operate at a loss per delivery. They need to build up enough deliveries before they can finally hit profitability. I think it's interesting too, because if you look at... So this is just my personal opinion. I think market trends are going to shift more towards this, right? This COVID, the pandemic that we're in, we don't know how long this is going to last. Here in Texas, we are one of the states that's leading in infections. And so your question earlier about us ordering, are we doing more online ordering? We are. And so I see, if Uber is following these trends, and if we're going to be in this long term, and if you also think about consumer habits overall, I think they are going to be shifted permanently. So I think it's a good move for them. And I think other companies, they have to be looking at the entire ecosystem and figuring out the same thing, like, okay, if we're operating at a loss on these things, then how do we scale and make sure that we are following where consumer demand is going? Yeah, that's a really good point. Go ahead, Patrick. Oh, sorry. No, please, please. I was just going to say, yeah, I think to your point, Kirsten, the whole let's reach profitability somehow, some way, we have a really popular service, that would be Uber and Lyft and lots of other competitors in various markets. The idea of, okay, well, we've been trying really hard to figure that out. Autonomous vehicles, that'll help. We'll get there eventually.
If people aren't going anywhere, that becomes a really hard business model, and perhaps one that's a little DOA. So yeah, you really have to pivot in a big way, and people still want food delivered. Yeah. Yeah, I think the... Go ahead. The autonomous vehicles definitely help in those areas as well, and they have to be thinking it's a few years away now, whether a few is four or eight. They have to get market share now, maybe, and they can lose money. God knows they have a lot of it. They can lose money for a number of years, and if they manage to hold on until autonomous vehicles are good enough for these kinds of things, and it seems like it might probably be easier to put in place for item delivery than for passengers, that might cut their costs enough that they do reach profitability earlier. Yeah, especially with contactless delivery. I don't think that consumers are going to go back. I know for us, we have been rethinking everything that we've done and the habits that we had, and even now, so we've all gotten accustomed to contactless delivery. Well, the self-driving cars, that makes it even more contactless, right? And so I think they're going in the right direction. It's unfortunate because there are people who were depending on those jobs, especially retirees, who were driving Uber as something easy that they could do, and then even other people who, if this was the only thing they could do was be a delivery driver, then that income, that entire model of income and supporting themselves, is taken away from them. But on the other hand, it sure does reduce the risk of transmitting any types of airborne diseases like what we have now.

All right, let's finish up with Germany's digital media compression pioneer Fraunhofer. You may know them as the people who brought you MPEG-3 audio. They announced a new video compression standard called H.266, also called VVC, which stands for Versatile Video Coding.
VVC promises increased efficiency and reduced data requirements by around 50%. So in other words, a 10 gigabyte 4K video could be encoded using 5 gigabytes of data instead. VVC supports HDR, resolutions up to 8K, and also has adaptive resolution changes and tile-based streaming, which could support even wider color gamuts than HDR and resolutions higher than 8K in the future. Apple, Ericsson, Intel, Huawei, Microsoft, Qualcomm and Sony are all industry partners with Fraunhofer, so widespread adoption of VVC is expected. It will be licensed under FRAND, the fair, reasonable, and non-discriminatory principles, which makes it a lot easier for people to adopt. It will be licensed through the Media Coding Industry Forum, MC-IF. The first H.266 encoder and decoder software is expected in the autumn. So if you're looking at ways of saving hard drive space or getting high quality video under your data cap, this could be hope for you. Yeah, I had a friend this morning say H.264 is still the standard for most people. H.265 took so long to be adopted on device for so many of these companies. What does this all mean? We're a decade out, and I'm like, I don't know. With all the companies that are on board and the fact that using much higher resolution video for stuff like AR and VR efforts, it leads me to believe that we will see this widely adopted sooner than we think. The thing is, everyone wants to reduce file size because it equates to cost on the internet. I'm not seeing Google on that list, though, so YouTube is a big concern for that, but it might go quicker than H.265. Yeah, Google being part of that would be a very, very important piece. That is a very good point. Hey folks, if you want to get all the tech headlines each day in about five minutes, be sure to subscribe to DailyTechHeadlines.com.
Folks, there's a lot of fear and uncertainty and doubt out there about malicious attackers hacking the power grid, the water system, other industrial systems. Horror stories abound of nuclear power plants whose systems were protected with default passwords like one, two, three, four. Thankfully, Kirsten Brazier joined us today to help us assess the reality of the risks to industrial control systems, or ICS. Let's start with that. What kind of systems are we talking about? What is ICS, Kirsten? So we're talking about everything that controls the power grid, your postal system, your banking, your communications platforms, the internet, all the manufacturing systems that produce your food, produce your spirits, your beer. Basically, ICS controls everything that we depend on every day. And why is, I mean, I think I know the answer, but why is ICS security so important then? Well, if we don't have security around those things, then our entire way of being is put at risk, right? Those things that we take for granted, with just turning a faucet on, clean water, well, for the most part, comes out, right? When you turn on an electricity switch, it comes on. When you plug in your phone, it just starts charging. Your postal service, your mail, that stuff is delivered every day. If you call 911, someone answers. You usually don't have a problem with food shortages because of the systems that we have in place. Your banking, when you check your account, all that stuff is available to you, right? You have communities that are low-lying communities that depend on dams to keep them dry. Well, there are ICS systems that control all of that. And so if we don't have security around those things, all of that is put at risk. What does ICS security encompass? Is it similar to the security we're used to at home? It is partially that, but a little bit more.
And so one of the big differentiators between ICS security and regular security is, if you apply security patches in ICS production, for example, and something goes wrong, then you can have safety issues, like people can get hurt or people can die, versus in IT, if you patch a system, a server may go down, but it's more of a minor inconvenience than something that can affect health and human safety. And so that's really the biggest difference between ICS security and regular IT security. And I think that's a really important point, because I think a lot of folks say, well, why don't they just patch their systems? But there's a lot more riding on getting the patch right. Yeah. Yes, that is not how that works. And so you also, the public may not realize that, you know, for example, the lifecycle of an IT system may be, you know, three to five years, versus ICS, those are built, some of them were built to last 30 to 40 years. And so what happens when you built something, you know, 30, 40 years ago that was not intended... first of all, the threats, nobody was even thinking about that. It was built for service, for availability, versus everything we do now, it's mostly, it's more convenience, it's time to market, especially on the IT side. And so patches may not even exist for the ICS system. So you can't just go patch something. And then a lot of times, too, availability is of the utmost importance. And so we can, in regular IT, you can have a maintenance window. And it's normally, you know, it's something that's scheduled and it's not a problem. Well, in large ICS systems, you can't have a maintenance window, because you don't have the luxury of even having a few seconds of availability be interrupted. And so that's mostly the main difference between the two. Yeah, when they take down the Animal Crossing servers to patch it, it's a mild inconvenience. When they take down the power grid, it's a little more serious, right? Yes, exactly. How bad is it, though?
A lot of people are like, oh, these SCADA systems out there, they're not even password protected. What's the reality of that? Well, so I will say that, and I mentioned this earlier, ICS security is in its infancy, right? It's a baby. So you do have a lot of catching up to do, but it's not as simple as that. You have backwards compatibility issues to be concerned about. You have vendors where things were built 10, 20, 30 years ago, where the vendors are not even still in business to support any change you make. You have lots of systems that are controlling large parts of a grid and they cannot physically be patched, right? And so it's not as simple as what people may think it is. And yes, there are vulnerabilities, there's vulnerabilities in every system, but the people that we have, there are people that are increasingly working on it. And then I've also seen here, the trend that I've noticed in the last year or so, is that you now have companies that are, instead of having their security team working on enterprise security and OT security, which would cover your ICS systems, now the companies are having dedicated security teams that are specifically for OT to cover those areas and then other people looking at enterprise security. And so we're going to get there, but it's going to be, it took the regular security community, it took them years to get to a certain level of maturity. Well, ICS has to go through that same maturity cycle. And thankfully, it's as complex for the attackers as it is for the people fixing it, right? Yes, it is very complex. While the risk does exist, there are systems in place, there are safety systems in place, there's lots of places where we have resiliency built in, but we do know that the risk does exist and none of us are pretending that it doesn't, right? We saw in Ukraine in 2015 and 2016 where over 200,000 customers lost power because of an attack on the grid.
So what we're doing is learning from those places, and then we also, we've had in the United States, we have had attacks on the grid where sections of it have gone out. And so, but we're taking all of those things and learning from them to build more resilient systems and processes. Is there a way to check, obviously private companies are private, but for your local utilities, your government-run ICS organizations, is there a way to find out how well they're doing? So one of the ways, so all security, all companies, right, there, you'll get certain, hmm, you'll get nuggets of how they're doing, where you have to kind of draw conclusions about where they are. So one of the places where you can tell is, and especially for publicly traded companies, you can go to their 10-K filings. And their 10-K filings will mention fines or expected fines for regulatory violations. Well, those regulatory violations are related to NERC CIP. So the North American Reliability Corporation, that is the site, those are the cybersecurity standards that govern the private utilities companies. And so if you go to a company, this is one of the ways, go to a company's 10-K filings, if they're going to get regulatory fines related to this, then that means that their security was not sufficient. Another way to look at, like, historical information is to go to FERC.gov, that's f-e-r-c.gov. And they have a tab on their website that tells you what companies have, on their enforcement and legal tab. It'll tell you what companies have paid fines. And so that's also, and they also will, because it's public information, they'll also list companies that they've notified that they're going to be fined. And so that's also one of the ways that you can get kind of an idea of how they're doing. The other way is just industry, industry meetups, industry meetings. InfraGard is one of, they have a special interest group where you can have an opportunity to communicate with people who are in that specific sector.
And so that's also one of the ways that you can get information. And so obviously, it's very sensitive. And so they're not going to have it publicly plastered anywhere, but it's just, if you look in those different places, you can kind of get an idea of where they are. That's great information. Thank you so much, Kirsten.

All right. For everybody who wants to participate in our subreddit, guess what? I've got good news. You can submit stories and vote on them at dailytechnewsshow.reddit.com. Also, shout out to patrons at our Master and Grand Master levels, including Justin Zellers, Tim Deputy, and Kevin S. Morgan. Also, big, big thanks to Kirsten Brazier for being with us on the show for the very first time. Kirsten, it was so fun to have you. Thank you so much. And let folks know where they can keep up with everything that you do. I am most active on Twitter at Kirsten Brazier. I also have a blog, kirstenbrazier.tech. I'm also on LinkedIn. I'm not very good about checking LinkedIn, I'll be honest. But when I do go on there, if it's someone, if you send me a message, I'm more likely to accept your invitation. But otherwise, I just, I have no way of knowing why you're trying to connect with me. And so right now, I have 600 unread invitations, because I don't know, especially if I look at it and it's not someone that's in my industry or you're not connected to anyone that I'm connected with. I'm going to be suspicious, just because, as a security professional, by nature, I'm going to be suspicious of why you're trying to connect with me. So if you send me a LinkedIn request, please tell me why you're connecting with me. If you saw me on this show or if you saw me somewhere else, or if you read my blog content or if you read my book, or just say something other than just sending, I'd like to connect with you on LinkedIn. Excellent. Well, thanks again. And also thanks to Patrick Beja for being with us.
He's our Tuesday regular. Patrick, what has been going on since we saw you last? I guess if you want to take a little break from the stresses of security, you might enjoy a video game or two, and you might enjoy The Last of Us Part II. Thankfully, if you want to talk about this game after having finished it, I have two podcasts for which I did a full spoiler cast: Pixels in English and Le Rendez-vous Jeux in French. So actually, most people here will probably be interested in Pixels. So go check it out in your podcast app. It's Pixels. Folks, Sarah has picked her next Live With It. You can get her official announcement on the DTNS YouTube channel or at patreon.com slash DTNS. We also talked about it on Good Day Internet. You can always support the show at any level at patreon.com slash DTNS. Indeed. And if you have thoughts for us, you have questions, concerns, I don't know, cat photos, I say that once a quarter or so, our email address is feedback at dailytechnewsshow.com. We're live Monday through Friday at 4:30 p.m. Eastern, 20:30 UTC, and you can find out more at dailytechnewsshow.com slash live. Back tomorrow with Seth Rosenblatt on telecommuting security as security week rolls on. Talk to you then. This show is part of the Frogpants Network. Get more at frogpants.com.