 We've been finding that like It's almost almost fetishy kind of thing Like there's like a it's like these videos because Ellie just watches all these videos And she keeps touching the tablet and we're trying to get her to stop doing that But she fell on this one where it this this adult like guy As a capacifier and has his two daughters with past fires and they do like these weird. What like It's creepy One of his pretends to vomit Have you downloaded the YouTube kids app? Yes, okay, and we weren't using that when this happened. No Is it like Japanese or something no, it's American it's some guy either the Midwest or it's in his apartment Oh, I mean, it's an infinite Internet, right? Yes Banality mixed with infinite WTF in the infinite Text ignore by the way, she's the she's the one who will drink Order a drink when we go out cuz I'm usually driving. So I was like, what's your drinks? I couldn't remember what a drink is. I'm rid of sourced. She always she always orders. I'm rid of sourced I have amaretto you guys need to bring you door needs to come over I Know I have no idea how to make But we have everettos. Oh, there you go And know whatever drinks it if we've this amaretto I don't think liquor spoils, but this amaretto is from our wedding Okay, well, I don't know why unless you leave it open to the air. Yeah, we bought it We bought it we bought all our liquor for the bar for our wedding from Costco and Then returned anything that was unopened, but if it got opened you couldn't return it And of course somebody had an amaretto sour Nora wasn't at our wedding. I don't think but somebody Somebody had it. And so we had okay. Well, we got to keep the amaretto. I'm like, I'm sure we'll use it. 
Oh 14 years later a couple of couple years ago someone on Twitter Wanted this print that I found in my office of Peter Sagle that I drew and I'm like I'm like Does anybody want it, you know, and so someone from Ireland was like, I will send you whiskey for it So they sent me Irish whiskey. It's called writer's tears And and it's been sitting in our kitchen and Nora's like, can we open this? No, I got it. This is like this what paid like for this thing. It's kind of cool So so it's you know, so it's just kind of sitting there. I just like the name of it I like why you should open it and taste it. It's not gonna go bad. I know I'm kind of a wimp All right, so but but you know, I prop me out when I'm really down and yeah when I'm down I generate my own for you That's what I like about it. It's got no This assembled list of potentially affected sites Everybody in the chat room by the way If you guys go to tested calm listen to our latest creature geek podcast You can find out how to get free stickers and they're not up here But free creature gig sticks creature geek stickers that I created for the show So so check it out go to tested calm and download and listen to the latest episode of creature geek, which is up today So this is basically some guy in posters on github. Yeah It's the work in progress So basically it contains all the domains that use a cloud for a cloud flare DNS, right? I have that in the show notes, right? Yeah, yeah, that's what I'm just going. Oh, I thought you you were asking about it. That's right. No, I'm going through it. Oh, yeah No, I just said you said you were going through it. I'm like, oh the one from github. Oh, okay. Yeah. Oh, I'm sorry. I didn't hear that That's all right Len was plugged. That's I'm plugging. I'm sorry So you're gonna show every single website affected by cloud bleed, right? 
Do you want me to all five and a half million websites, you know what I'm gonna do is I'm just gonna put that one that What's that one that you've reached the end of the internet? Oh, yeah. Yeah, that's good That'd be great I see is that around still up Has to be oh man. We already got title suggestions kv87 how cloud lost its flare I Like that That's cute Thank you for the the the nice comment on my uh, my white rabbit project image. Oh my god. It was so good Thanks. It's a test. That's only a test. I'm Trying to work on when you said that was a test. I thought you better like Shannon had passed. It was a I was only testing you to see if you remember doing that No, the art was a test. I'm I'm trying a new style I'm trying to come up. I'm trying to expand my art. That's really cool I liked what it looked like. I liked your shading Thanks. Thanks. It's I'm really I'm really trying to try something a little bit different So it was nice because most people just go hey like but it's nice to get a comment. So yeah Yeah, same with me on my instagram. I've been posting a lot of photography and trying to learn more about how to take good photos Especially landscapes and like touristy spots and stuff like that and uh, yeah, I always get those like nice Yeah, beautiful. Thumbs up Like tell me why like what's good about it? One of the most important things I learned was I mean, this is something you pick up from graphic arts class But uh, this is the uh, the rule of golem thirds Is that it the rule of third? Yeah, yeah Have they taken something that works pretty they do the same thing in photography. Yeah rule of thirds I use that too It works really well rule of thirds is to do under thirds the way you would want thirds to do under you Yeah, I mean, it's it's something that was drilled into me in uh uh Production video production class. Hmm. Wait, uh, do you know if you ever get a book there's um What happened to shannon? I just have a black screen for you Can you hear me? 
Yeah, but like when you I see your little picture in the corner But when as soon as you speak the screen goes black Let me uh log back in. Okay I'll close and then log back in cool Yeah, the picture down on the bottom is still so that implies that it's cached Clouds flare Beautiful There's you know, that's fine hangouts. You could do that four minutes. Oh, yeah, you're back. Yep Oh, there's two of me. Yeah, one of you is not moving though and we'll eventually go away Okay I closed the window and just reopened a new one. Yeah. Now you now you now you see what we were seeing Yeah, that's weird. Yeah, so it's when it loses the picture. It keeps whatever the last still it had is which imposter shannon that actually is kind of bad because then I think I i'm tricked into thinking maybe your video is still working if i'm not paying attention Oh, yeah, yeah, that's fine foe shannon will leave imposter shannon Imposter shannon shannon no worse Ha ha ha walls There did you did you ever get your a seven shannon your sony a seven Oh, yes, I did. I got it. Uh before I went to japan last year Nice Oh, good. She dropped. That's right imposter shannon. Yeah, that's right get out of town No, that's your uh, what do they call it in the flash your uh time Yeah, I got the uh, I got the a seven right before I went to japan and it's amazing. I love it so much Oh Best camera ever I give a thumbs up and say beautiful Beautiful. Thanks. Thanks one. Thanks beautiful Real quickly On the latest episode of portlandia or episode of portlandia there was a guy Fred armson plays a guy that just is like commenting on instagram pictures. All he says is beautiful I'm gonna start doing that now beautiful Beautiful Beautiful I'm gonna go through all your pictures shannon and do that now control You'll know I'm gonna start right now actually all right you guys uh while len just marks beautiful on all of shannon's pictures Are you guys ready to start the show? 
Yes. Okay. Here we go.
The Daily Tech News Show is brought to you by its global listener base, not outside organizations. To find out how you can contribute, go to dailytechnewsshow.com/support.
This is the Daily Tech News for February 24th, 2017. I'm Tom Merritt. Shannon Morse in the house today. How are you doing, Shannon? I'm doing awesome. How are you doing, Mr. Merritt? I am doing good. Shannon, of course, uh, from TekThing and Hak5. And, uh, luckily enough we have a hacking, well, it's not really, actually it's not really a hacking, is more of a security topic to talk about. It is a zero day, well, not really a zero day, because buffer overflows. It's a six-day-later vulnerability disclosure discussion. Yeah, we are going to talk about the Cloudflare vulnerability. If you've heard a little bit about that, or you heard it called Cloudbleed. We are, we're going to talk about, basically the upshot is don't panic. You're probably not affected. But if you want to be safe, you might want to change some passwords. And we're going to talk about that some more. Uh, and that's what Len Peralta is going to try to draw. How's it going, Len? Oh, it's, uh, going very, very well. I, I'm excited about this, actually. I think it's going to be a, it's an interesting topic. Uh, mr. Dear, would you guys have to say about it, and, uh, I am more than ready to, uh, to do a really awesome image. Well, when we did Heartbleed, uh, a few years back, you know that you did, you did a knockout job with that. So I'm confident. I'm, I, well, I hope, uh, I hope I can, I can live up to that. So we'll see what happens.
Uh, also, uh, we should mention before we get in the top stories, Google apologized for yesterday, for, or I guess they apologized today for an issue yesterday with its Google Accounts engine, which accidentally logged everybody out of their Google Wifi and OnHub devices. Those are the routers that Google sells. And then triggered a factory reset. So everybody had to re-set up their routers from scratch. That's fun.
Good. Good Thursday evening project. Poor Google, more poor Wi-Fi and auto. Somebody made a bork. Yep. Unrelated to Cloudflare, just so you know. Uh, Tavis Ormandy confirmed that, actually, in one of his threads. Oh, that's funny. Yeah, he, people were like, hey, is this have anything to do? He's like, no, no, it doesn't. Separate problem. I don't know anything about it being on your way people now. Here are some more top stories.
Alphabet's all over the news today. Uh, Alphabet's Waymo, that's their autonomous car company, filed suit against Uber's Otto autonomous truck company over misappropriated trade secrets. Waymo alleges that back in December 2015, while Otto's founder Anthony Levandowski was a Waymo employee, this was back when Waymo was not called Waymo, it was just part of Google as Google X, back then Levandowski downloaded 14,000 highly confidential and proprietary files, including Waymo's lidar circuit board design. Lidar is the laser-based, kind of radar-like detection. He then went on to start Otto, and they say he even met with Uber before he was done being a Google employee. Waymo discovered this when a supplier accidentally copied a Waymo employee on emails containing Otto's designs. And they said, huh, those look very familiar. The suit alleges other former Waymo employees also took data when they left Google and went to Otto.
How do you think that employee feels right now about accidentally emailing something? Oh. Oh, the supplier. Yeah. Like, I, I mean, how many, always my hand, how many of us have accidentally sent an email to the wrong person and then, and then immediately felt the embarrassment of that person going, hey, I think you meant Roger Chang. Oh, yes, it happens. It seems very obvious what's going on here. I think they have a pretty good case. Yeah, I mean, any, the, the reason you go to court is to find out if you do have a good case or anything. But I will say that Alphabet in general isn't highly litigative, right?
Like if this was a patent holding company or something, if this was Samsung even, you'd wonder, like, oh, are they trying to get away with something? This isn't ZeniMax, this is, this is Alphabet, and they probably would not have filed this if they don't feel absolutely certain that their design has been compromised. And Uber is staking a lot of its future on autonomous cars. And if Alphabet was part of the reason for that, then they want some restitution, I'm sure. Yeah, absolutely. And of course, this is an ongoing story. So I'm sure you'll follow it too, right? Yeah, yeah, we'll keep, we'll keep an eye on it for sure.
Google has renamed its default Android text messaging app. This is the one that used to be called Messenger. Uh, and a lot of times people would replace it with their own proprietary messenger. So the idea here is, hey guys, don't give us a crappy text message app when, in your Android implementations, use the new Android Messages. That's the new name, and the app gets some updates as well. It supports Rich Communication Services, or RCS. That's a Google-backed protocol that brings multimedia, read receipts, other chat-app-type features to a standard SMS-like service. So it's like WhatsApp, it's like iMessage, but it can be used across multiple apps as long as you're in a device that supports RCS. Just like SMS, you don't have to all have the same SMS app. But Android Messages is the first one to support RCS. Multiple hardware makers and service providers are on board to support RCS. So they've got some pretty good uptake. However, they don't have the big names. They don't have Apple. They don't have Samsung. And in the U.S.
they don't have Verizon, AT&T or T-Mobile. So if you're using the new Android Messages and you're sending an RCS message, it will fail back to MMS or SMS. Kind of like, if you remember, before MMS was widespread, if you send a link to somebody, if you send an image to somebody who didn't have MMS, it would just fall back to sending them a link to the image on SMS.
Given I currently use Signal, I'm gonna have to check and make sure that Signal is RCS. I would assume that it does do RCS, but I'm not sure. So I'm wondering how this is going to affect my conversations with other people who have yet to download Signal, who currently, like, use Hangouts, for example. Yeah, so you use, use Signal for SMS, huh? Yeah, exactly. Yeah, I'm curious if Signal is supporting RCS. Let me know if you, if you find that out, because I'm curious how many of these are going to do it. Yeah. But yeah, it's, it's, uh, it, I think RCS is a cool thing. I know it's Google-pushed, but it is a standard, and I'm kind of hoping Apple and Samsung and AT&T and T-Mobile and all of them do support it, and it just becomes a standard that we no longer think of Google as promoting, because it, it seems like a great way to bust out a little bit of that, oh well, you'll have to message me on WhatsApp because that's the app I use.
Generally I've found with a new standard, standardization, especially with, like, protocols and things in the security field, what'll happen is it'll be slow moving to get popular, but at some point when the media picks it up everybody starts implementing it. So now that we're starting to see RCS in the media and they're starting to explain, like, hey, this is like a new implementation, it's gonna take over for MMS and SMS, I'm assuming that we'll probably see a lot more of it, and hopefully a lot more in the US too. kv87 in our chat room just took a quick look at the GitHub and says it, it said it doesn't support RCS at the moment. Cool. Good to know.
Thank you.
Apple says a fix in iOS 10.2.1 has reduced unexpected shutdowns of iPhone 6 and 6s devices by 70 to 80 percent. So it hasn't eliminated all of them, but if you were having them happen a lot, this should reduce the number of times it happens. It's different than an unexpected shutdown bug caused by batteries. Those were recalled, where they just took the battery out. The problem was that the battery... This problem has been caused by a sudden spike of activity. As your battery got older, the battery would deliver power unevenly if a bunch of stuff started to happen at once. I've actually seen this happen with my own old iPhone 6. And so it would go into an emergency shutdown and just reboot, or sometimes it would turn itself off and you'd have to manually turn it back on. Two things in this update. One is better power management, so when the, that spike in activity happens, it doesn't immediately cause a power problem. And if it does shut down, it now is more likely to reboot, which is at least better than having it just go black and giving you the frights that you've killed your phone.
I had one friend who had to take her old, older iPhone, I think it was an iPhone 6 as well, back to the Apple Store, and they just replaced it. I believe it's because it was one of those battery issues, so not this one. Um, is this one very widespread? Because I, I haven't heard much about it. No, and it isn't very widespread. And it kind of goes with what we're going to be talking about with Cloudflare. You have to have an older phone. So it's not all iPhone 6 and 6s. It's one that you've used for a long time, the battery has to have been cycled a lot, and it's starting to get older, and, and it has to be a situation where you're sending a lot of things happening at once. Uh, and, and, and a lot of people don't use their phones that way. So they may never trigger that state of affairs.
What, you guys don't do that? I know, Pokemon Go, on checking my email and Twitters and all the things. Every time it happened to me on my iPhone 6, I'm like, oh, I did too many things at once. Like, I just felt that, like, I knew that. I'm like, oh, I pushed you too far. I'm so sorry. So sorry. Yeah.
The US FCC voted two to one Thursday, upon, along party lines, to remove transparency requirements for ISPs with fewer than 250,000 subscribers. Now that means that small ISPs don't need to disclose things like their network performance, their fees, their data caps, except to customers. But, but this was going to be a filing with the FCC. The initial rule exempted ISPs with fewer than 100,000 subscribers, and it was always the intention to reevaluate it and say, do we need to increase or lower that? So this reassessment is not unexpected. The exemption is now locked in for five years. However, on Monday something a little different is going to happen. The US FCC is expected to put a hold on a data security requirement that is part of a broader privacy requirement. The data security requirement is set to go into effect March 2nd. That would require broadband companies to adopt reasonable security measures protecting things like your location, your web browsing history, sensitive information, other, other sensitive information, social security numbers, you know, things like that, and medical information. And so the FCC wants to put that on hold. Uh, they would like to have a, a vote. So chairman Ajit Pai is trying to call for an emergency vote, because they won't meet again till March 23rd, which would be after this would go into place. If he can't get an emergency vote, though, he has the latitude to just unilaterally issue, as, as commissioner, a stay on this, right?
So I'm all for security, obviously, so I'd be the one saying, uh, yeah, this needs to go into effect. And on another note, speaking on the, um, uh, including the information about your network for 250,000 or less, uh, customers, I was not very surprised about that FCC passing, because we had heard about it previously, and knowing that Ajit Pai just, um, just because it came, like, the FCC, you know, the big boss, the head of the FCC. Yeah. So I wasn't super surprised that they passed that, and I, I feel like they should not have, because I think no matter how big your ISP is, your customer should be allowed to see network data like that on their account, because in some places you just don't have a choice, and that's the only ISP that you have available.
Yeah, there's a couple things. The, the transparency requirement, I understand that it's expensive enough to run, to try to run an ISP, and if you want to encourage competition, you want to make it easy to get into the market, so making it so smaller ISPs have fewer hurdles is good. I don't think this is the definitive hurdle that keeps anyone out of the market, but I get the idea behind it. Uh, and, and so I support it in as much as what I would like to see the FCC do, that none of them have done as far as I know, ever, whether they were Republican or Democrats, is take concrete steps to encourage new entrants into markets. Yeah. To encourage competition, make pole access easier, make infrastructure will allow easier. This ain't the, the silver bullet for it, but I'll support it in, in so much as it is a move towards that direction. Yeah.
One about privacy. The argument against having this, because all of us are like, well, yeah, I don't want the ISPs to, you know, have handled my sensitive data badly. What the ISPs are saying is, this holds us to a higher standard than, say, Google or Facebook. Of course. And so in that respect, it's worth looking at it and saying, okay, do we actually need to have the policy be stronger than that?
Or is there enough market pressure to keep privacy? Or should we increase the privacy requirements of Google and Facebook? Yeah. That, that's not a new conversation, though. But then again, if, if you do that, if you make Google and Facebook and, like, Twitter or whoever else have those same kind of privacy protocols, it's kind of like a trickle-down effect. You start with the ISPs, you go to the search engines, and then who's after that? It's, it seems like you would have to create that kind of law for everybody in, in the stream, going to all the way to the consumer. So at some point it feels like that would be a wasted effort. But at the same time, I'm, I'm all about that security. So maybe it would just take, you know, voting with our wallet to make that happen. And honestly, I am much, I am, I'm much more in favor of maybe a little bit overdoing it in protection of people's sensitive information. Yeah, same. If you have to lean one way or another. Yep.
The International Telecommunications Union published its draft report on technical requirements for 5G radio interfaces on Thursday. A single 5G cell is going to need to have capacity of at least 20 gigabits per second. That doesn't mean you'll get 20 gigabits per second. Unfortunately, that means everybody using that cell gets to split up 20 gigabits per second. Maximum latency of 4 milliseconds. So quite a bit of an improvement. By the way, LTE modems are required to have 1 gigabit per second capacity right now.
So this is, this is big. Support for up to 1 million connected devices per square kilometer, which sounds like a huge amount. But consider Internet of Things. You're gonna have a lot more sensors out there, so you need a big number like that. And have at least 100 megahertz of free spectrum, scaling up to a gigahertz. Users are going to be required to see a minimum of 100 megabit per second down and 50 up. So this is the part to pay attention to. It says in the worst possible scenario, when the node is overloaded and to capacity, you should still get 100 megabits per second down and 50 up. So that's pretty good. The draft is expected to be finalized and approved in November, and at that point the technical specs become practical. Then you start having to decide, okay, what spectrum is this going to operate in? What devices are we going to settle on? And we're already seeing moves towards that.
I am so excited about this. This is so cool. I mean, um, I was just talking to a friend in Australia this morning who works at Telstra, and he was doing some tests of their wireless down there, their data. And he was getting somewhere around 960 megs. Was this on the, like, LTE, uh, the, uh, it's not LTE Advanced, the new one that they just, that they just announced recently. And he was getting these incredible speeds, and the whole time I was just like, oh, I'm so jelly. Yeah, so jelly right now. So yeah, I can't wait for this to happen. We saw a bit of information trickling out of CES about 5G. So it's going to happen. It's just when.
Well, and, and one of the reasons I put this in here, and didn't get a lot of attention in the press today, unfortunately, I think, because this is the real thing, right? You know, oh, a Verizon's going to test some pre fought pre-commercial 5G, and AT&T, and those are great. Yes, yes. Yeah, this is the actual technical specs being put forward and saying, okay, we pretty much are ready to approve these, everybody.
Take a look before November so that we can nail them down. And that, that's concrete progress. I'm looking forward to it.
Uh, finally, Valve released a free toolkit for developers called Steam Audio that adds physics-based sound propagation. In other words, sounds bounce off of things the way they would in the real world. So you can, you can, as, you can sort of, uh, mimic this, you can approximate this by having things get softer as you move away and having things get louder as you move forward. But it still doesn't sound the same as it would if you're coming around a corner in a room, right? And so that's what the demonstration of this shows, is you can have a sound source that, that mutes naturally the way it would when you round a corner or your block, it's blocked by a wall. Uh, it's, uh, it's going to be available on Windows, macOS, SteamOS, Linux and Android, and works with Unity. Uh, and eventually with the Unreal Engine, FMOD Studio and Wwise. The support for those last three is in the works. So they're trying to make it as cross-platform as possible.
The exciting thing that I find about this is that it's, it's going to be cross-platform, first of all, which is going to be amazing. But it's also going to immerse yourself even more into virtual reality. Once this becomes available for VR games, it's going to really feel like you're actually there, as opposed to just having sound, you know, slowly dissipate and then come back and be loud. So you'll actually hear things that make it sound like you're, you're really walking around a space, or you're really, like, hearing that rain drop off of your hand, or whatever it might be. So I'm so stoked. It's one of those subtle things that you might not think is that big of a deal. You're like, oh, well, my game does that now. I can hear if it's over behind me, right?
That's a little different than having that reverberation, makes it really feel real. That's when you're like, whoa, that, that, that sound, like, I looked over there and I heard, I heard something, but it didn't get louder when I turned, because it's happening behind the rock, and now I know it's happening behind the rock. You know, like, that's the way your brain works. So I, I feel like this will help too when you're in, like, a closed environment in a game. And I don't know if you've ever had this happen to you, but sometimes I run into walls in games. And I think that's a real walls. Yeah. I think this will give you a better idea of how large the environment is that you're in. And it might help you with gameplay, especially if you're in, like, a first-person shooter. So this is going to be really cool, especially for those FPS players. It's going to be great. Yeah, uh, I'm looking forward to it too.
Folks, if you want to get all the tech headlines of the day in less than 10 minutes, actually, I have around five minutes, you got to subscribe to our sister show, dailytechheadlines.com.
All right, Cloudflare. Uh, where do we start? I, I want to start by saying don't panic, okay? Uh, Cloudflare is a company, and this is where it gets problematic. They provide optimization and security services for five and a half million websites.
So think of a website. If it's not Google, Facebook, Amazon or Apple, think of a website and they're probably on Cloudflare. Um, they, they, they provide for Uber, they provide for OkCupid, they provide for last pad, or for, enough, for LastPass, for 1Password. So every site you can think of is potentially affected by this. But the chances of your data from using those sites showing up in this vulnerability is still fairly low. So as Shannon and I were talking before the show, it's that balance of, we don't want to overly excite people into thinking that they, their data is out there, but we don't want to minimize that it could be, and so you might want to take steps anyway.
Yeah, we, we don't want to scare you guys, because the chances are incredibly low, percentage-wise, of, uh, if any kind of data leaked specifically for your accounts. But it's still very, um, very good idea to change your passwords and do things like that, and we'll explain why in just a little bit. It's kind of a good idea anyway. So, you know, think of it as, oh, here's an opportunity to clean up my security act.
But let's go through what happened. So back on September 22nd, Cloudflare, uh, started updating an HTML parser that they, they use. The update accidentally caused a coding error in the older HTML parser to surface a vulnerability. So HTTP rewrites enabled the first of the new HTML parser uses, causing some requests for Cloudflare-backed sites to return information that was past the buffer. Now, this was a vulnerability that existed in the old parser, but the way the buffers were managed meant that it never showed up. It never actually spilled any data out of the buffer.
However, with this new parser the way that the buffers were managed changed, and it did. So some of the data from memory, which could be cookies, authentication tokens, POST bodies, other sensitive data, could show up. Doesn't mean it did, but it could. And then once it showed up, search engine crawlers might see this information and cache it as they just go around in their automatic way, crawling the internet. Now, Cloudflare customer SSL keys were not leaked. Cloudflare wants to make that certain. It was only things that were being transferred through Cloudflare from the client to the server, right?
On January 30th, Cloudflare added a second new feature called server-side excludes that migrated to this new parser. Now, at this point nobody had noticed, because neither one of these two, the, the automatic HTTP rewrite or the server-side excludes, were used very much. Most websites that were using Cloudflare weren't enabling these services, so it didn't show up a lot. However, on February 13th the email obfuscation feature from Cloudflare changed to using the new parser. And a lot of companies used that. It caused a spike in these memory leaks. And this is where it becomes problematic. This is when you start to notice it.
And that's on February 17th, four days later, when Google Project Zero researcher Tavis Ormandy discovered the leak, which optimized, it discovered the leak and said, I think I need to talk to Cloudflare about this. So he posted on Twitter, like, how do I get in touch with someone? Someone from Cloudflare got in touch with him right away. Within 47 minutes of Ormandy describing the problem to Cloudflare, Cloudflare turned off email obfuscation, and that stopped most of the memory leaks. Remember, we said most of the companies were not using the other two, so they turned off email obfuscation, that got rid of almost all of it. Then they turned off automatic HTTPS rewrites three hours and 52 minutes in. And they thought they were done, they thought they had got rid of it all, and, but they
kept looking to be sure. And that's when they noticed that the server-side excludes were also affecting this, although almost no one was using them, and the way it worked meant it didn't kick in all the time. And so they fixed that one after an additional three hours. So within seven hours Cloudflare fixed the underlying coding error, then worked with the search engines. And this is why it took from the weekend until now for them to actually announce it, is they wanted to see if they could clean up as many of these cached items as possible. So they worked with Google, they worked with Bing, they worked with Yahoo and others to try to identify any cached versions of Cloudflare sites that would have had the spilled data available. They thought they have gotten most of them. There's some people saying, hey, I think I saw one over here, I think I saw one over there, but that's why they went ahead and finally revealed it. Boom.
So I think we should take a back, take it back a little bit and kind of explain what some of those terms mean, because I, I know for myself personally it made a lot more sense when I went through each item and kind of parsed it myself. So first off, the HTML parser. What, what is that thing?
So you know when you say a whole sentence and your mind Takes word for word and tries to define what that word means and then what the whole sentence means together That's kind of like what an HTML parser does for a computer So it takes that HTML code of really really long thread of code and it parses it into little bits here and there Or there are little segments that the consumer or the computer software is going to like translate for itself So that it's understood by the server or by a website or by a search engine or whatever it means So that in this case Cloudflare is using it just like you said for things like adding Google Analytics tags For changing HTTP to HTTPS and you see these kind of things happen all the time If you're using like Google Chrome and you go to an HTTP website, it'll change it for for you over to HTTPS So those things generally work great and they work perfectly But in this case it did not and it created this buffer overflow So when you have a buffer overflow a buffer is Like a temporary Cup if you will where data is stored until it's ready to go to another place So I store it from my fridge in I don't know my tea in the fridge and then it ends up in my stomach So when you have the buffers working right all the tea ends up in your stomach Exactly and if a buffer overflow happens That's when you put too much data in your cup and then it overflows with that data And then everybody can see that data outside of your cup and that's not on your shirt I know that was a terrible explanation. No, I like that. I actually works for me. 
Yeah, that's how I think of a buffer overflow So in this case that overflow happens on their edge server Which is the server that's like, you know between their private network and the public web And it's supposed to be sending data through it just fine But when this buffer overflow happens you search for these queries on like Google or whatever it might be and you end up with web data that you're not necessarily supposed to see so You end up getting OAuth tokens or passwords or private private messages on a Dating website for example and things like that. So it's it is bad in nature Buffer overflows are very very common Um, and they should be taken very seriously But the chances are incredibly low that your personal accounts are going to be affected by this But that doesn't mean that you should not change your passwords even though this is happening Uh, you could look at this as a consumer and be like, oh, well, my chances are low Whatever nobody's going to target me But if somebody is randomly finding this information and randomly targeting people you could be randomly affected as well so you should take it seriously and You know use a password manager Turn on two factor authentication if that's available on the website on Cloudflare And you don't even have to know if it's on Cloudflare to be honest You could should just use 2FA everywhere and uh, yeah and use a different password on all the different websites And then you should be okay Yeah Just to give people an idea because we have a tech savvy audience right if the way I say it is If a friend of yours asks you if they should change passwords. The short answer is yes Yes But if you want to know, okay, I I want to I want to know what the risks are Even even knowing you should you should do this anyway knowing what the risks are at its peak When the email obfuscation was on and that's when it got noticeable. 
That's when Tavis Ormandy noticed it right There was only one in every 3.3 million HTTP requests that suffered from this vulnerability. So zero point zero zero zero three percent of request a tiny number of requests Were actually subject to this buffer overrun Then the buffer itself Actually had to finish with a malformed script or image tag and be less than 4k And come from a site that was using email obfuscation or HTTPS rewrites or the SSE With one other feature at Cloudflare So after all of that had to happen Then not everything you were requesting was in the the buffer overrun If you were filling out a form, maybe your password was in there. Maybe it wasn't it It wasn't like the whole page was in the buffer. So It that gives you an idea of this this tininess of the chance that your stuff is out there However, the other side of it Shannon of which is I'm sure what you're thinking right now is if it is out there Someone's going to find it. Yes, exactly And a lot of times what people will do if if they are an attacker they'll find data like this and cross compile it against other Vulnerabilities that have happened on other sites and if they find a similarity between a password They found through this Cloudbleed thing and then a the same password is used for a site that was hacked last year It's most likely the same person that's using that password unless it's a very common password And they will try to use it across multiple sites because they're going to assume that you're using that password across multiple sites as well And if you don't change it, then you're kind of screwed So, yeah, it's it's definitely important to do that Especially since this was this is human readable information that was being uh, out that was out there So it's it's not necessarily encrypted. 
It's it's you know, if you run across this from a Google search You're going to know what you're looking at if it's a private message or whatever it might be Yeah, and for instance if it wasn't Encrypted in transit it's going to be readable now 1Password has made a point of saying. Yes, we used Cloudflare Yes, we used these services But your 1Password password is encrypted in transit. So even if it showed up in the buffer It wouldn't be readable. It would be encrypted. So they aren't affected By this directly and that may be true for some other services as well um All of this is to say There is a very very small chance that because of the size of this Of the number of sites that use Cloudflare, there's a very good chance that you used a site that is affected by this There's a very small chance that while using it you were affected, right? Just because a site used Cloudflare doesn't mean it was being they affected by this vulnerability at the time you were using it But You don't know you don't know whether it was or not So if you want to be safe You know you you change your passwords And and that's why a lot of people are saying use a password manager because then it's easier to change all your passwords because you don't have to remember them Uh, you know with the LastPass you could just go in and say change all my passwords and it will do it Uh, and and that's that uh, so so then you just have to make sure that you practice safe security practices with your password manager's password and all all of that but Uh, I I'm telling people you should absolutely turn on two-factor authentication So I posted to the patrons today at patreon.com To say hey patreon.com use Cloudflare It's not likely that your password was in there But it might have been so you might want to change your password and you should Definitely turn on two-factor authentication. 
Yes, because that will help mitigate against this as well Yeah, totally agree with you Tom And and you know what I had a guy, uh, I was talking with a guy on email he's like yeah, I don't use two-factor authentication because I don't always have good text messaging service And I was like, oh you should check out Authenticator or YubiKey that that is a way to use two-factor authentication That doesn't require a connection. Yeah, absolutely and um, if if I believe the newest YubiKey it doesn't work with Some of my apps that I have on mobile right now for example with Facebook you can now use a YubiKey But the new YubiKey 4C which allows for USB-C compatibility It won't work with the Facebook app because Facebook hasn't turned that on yet, but he would be able to do that Via mobile or via the web with a YubiKey and he wouldn't have to worry so much about SMS or text messages because it's hard coded into the YubiKey Platform the device that you purchase from them. He could also use One of the apps too like Authy or Google Authenticator or something like that Which are way more protected than SMS or MMS Which can be man in the middle like they can be intercepted So highly suggest switching up to either Google Authenticator or Authy or something like that or Getting a YubiKey because those are those are really great platforms Well, thanks to everybody who participates in our subreddit You can submit stories and vote on them and we pay attention to that when we pick our stories to talk about This was obviously near the top of our subreddit daily tech news show dot reddit dot com Okay back to blockchain just to lighten the mood Kevin Douglas said I feel like I have a good general understanding of blockchains But I'd really like to understand the corner cases How is a tie solved etc And I'd like to hear about actual and practical use cases outside of banking the two resources I use when explaining the blockchain are logs with rules at medium dot com And a simple demo from anders 
dot com slash blockchain We'll have both those links in the show notes as well So if you're like Kevin are interested in helping to understand blockchain and be able to understand and explain it to others You can check those out. We'll have the links in the show notes Send your pics to us folks feedback at daily tech news show dot com You can find more picks at daily tech news show dot com slash picks Now this was not an email to the show It's a post I noticed on Hacker News that was made by Peter Gutmann to the cryptography and cryptography policy mailing list And Shannon, I want your opinion on this this regards the collision of SHA-1, uh, that CWI and Google researchers Discovered we mentioned it on the show yesterday right Okay, he points out That the researchers to discover the collision required a very carefully crafted document And he states this does not affect all implementations of SHA-1 But situations where you need signatures to be valid for a long time So mostly long-term document signing and certificates because it takes so long to create the document to to be able to Cause a specific collision that you want to happen So he believes the risk of being exploited in practice is low For certificates and even for long-term document sign signing and finally to get to his actual post words He says finally with other stuff software updates ISOs and others Why were you still using SHA-1 and b? Now you have about six to twelve months to finally move to SHA-256 And this time we mean it for everything else you really do need to plan to move to SHA-256 Think of this as a practical application of Wright's principle Security won't get better until tools for practical exploration of the attack surfaces are made available Oh, that's so true. 
I love that quote And yeah, this is something that the infosec community has been touting for a very long time as SHA-256 Something better than SHA-1 because it's out there and it is available And these implementations are not very hard, especially if you've been trained as a Network administrator or whatever whatever you're doing with your day job. This is pretty easy to implement So why are people still doing this laziness? Um, a lack of funds lack of time just don't want to put in the time to do it There could be a lot of reasons, but it's something that needs to happen Because it is important your security and privacy is very important. It's just like what we were talking about With Cloudbleed is now I'm saying at Cloudbleed. I know it's just too easy It makes it easier to refer to I know Yeah, even though your chances are low you should still get better security so that your chances are Nil or at least as close to zero as you can be Yeah, and I like what Peter was saying. He was he was trying to calm You know the the people who are panicking again saying hey It's a lot harder to make this collision happen than the headlines make it sound like all the SHA-1 Encryption it has not fallen apart overnight Right, but like you say that doesn't mean you shouldn't start right now move into SHA-256. 
So exactly Uh eric From used to be sunny in south carolina now cold sometimes rainy and on the occasion bright and sunny germany That's that's a lot of weather He wrote it and said wanted to comment on your episode about whatsapp I use it every day here in europe in europe as a whole they tend to use whatsapp and preferred over text messaging And I think the part of that comes from the cell phone plan structure I have a new cell phone over here and I do a prepaid plan Or I have three gigabytes of data and 200 texts or minutes for calling for 25 bucks So it limits me on how many texts or minutes I can use But whatsapp data usage is so low I favor using it over any built-in phone features You're calling or text messaging. In fact, what's app my daughter's new school here in germany preferred is is my daughter's new school Preferred communications platform the german radio stations. I'll have whatsapp accounts. It's very popular here But it's more along the lines because I think most people are in the position I am with the minutes or text messages not to mention I don't have to worry about how I talk to people in the united states when I use whatsapp So coming from an expat definitely different over here and that explains most of it We have mostly unlimited text messaging plans now in the u.s So everybody still use text messaging if you didn't have that then yeah, you're going to use whatsapp or something else I saw the same thing happen in japan last year when I uh, I was over there And I was trying to get in contact with some people and they asked me if I used whatsapp And I was like why does it matter and they said oh everybody uses it and I was like Okay, if it makes you feel better So I downloaded it and I used it it while I was over there But it didn't make a difference to me because I was on an unlimited plan But it did to them because I guess it's because of the data She wasn't able to explain to me why There was that difference. 
She was just like everybody uses it. So it's the thing It's the thing to do in Japan but I was traveling with three other people in Japan and we used WhatsApp because Some of us had T-Mobile with the unlimited international text messaging But not all of us did and so instead of having to think well who has what we all had figured out data And so it's exactly like Eric is saying here We just decided to use WhatsApp because we knew we knew it worked for everybody. Yeah Makes sense. Yeah. Well. Thank you Shannon Morse uh for being on the show Let folks know what's going on. Where can they find more what you're doing? Oh, man We have some super exciting news this week. I can't wait for this New product in the HakShop at Hak5, which we have been working on for a while So you can go over to youtube.com slash h a k 5 and check out our teaser trailer And kind of see a glimpse into the back end of the warehouse too and see what we've been doing behind the scenes But I'm in there for like a split second too. Yay Yes, it's called the Bash Bunny and we're going to be having a big product release You can find information in the show notes if you're local in the San Francisco Bay Area You can come to our little release party and if you're not we'll be Explaining all the details about the Bash Bunny lack next week on Hak5 So youtube.com slash h a k 5 for all those details and we're super super excited about this I'm so excited that the pineapple and the rubber ducky have a new friend me too and it's a bunny. It's one of my funny Go check it out folks h a k 5 dot org Len Peralta Hey, what's going on? Oh, you know just a little bit of a Cloudbleed image Try to Yes, I know the last two weeks have been a little bit darker audio folks. It's exactly what it sounds like Probably, you know, yes, it's a A cloud bleeding all over a very upset person instead of the raindrops. It's ones and zeros obviously from what you were saying Take precaution. 
Maybe not as crazy as uh, is what I have depicted here in my image But hey, it's uh, it's still kind of a cool image anyway So you should definitely check it out over at lenperalta store.com I love the ones and zeros That's that's my little thing. I did that. Yeah It actually it actually makes it a little like you're starting to feel it's a little gory and they're like, oh, but it's ones and zeros It's ones and zeros It's what I would say it's it's beautiful. Isn't it? It's beautiful. Yeah, it really is Len Peralta store.com go take a look folks Our email address is feedback at daily tech news show.com. We're live monday through friday 4 30 p.m Eastern at alphageek radio.com and diamond club.tv and our website is daily tech news show.com back on monday with ms Veronica Belmont talk to you then Show is part of the frog pants network Get more at frog pants.com I just got the beautiful I just got that now I think I think s or uh, what's up as popular in japan for the same reason why line is at least in parts of uh, Asia is that to use SMS and not get charged you have to be on the same network Oh Oh, it used to be like that for me too I could text my sister because we were both on at&t at the time And it wouldn't count against my 200 text messages And then but if you do it with someone who's on a different network It's like well you make it charged So shannon, I got a quick question for you. Uh, is is uh, A mail from security at facebook mail.com. Is that legit or not? That's uh, I got an email during the show is saying that someone may have accessed my account And so I was curious if that is legit or not um I would say probably not it sounds like phishing um, but If you're concerned go to facebook.com like type it into your browser as opposed to clicking on the link in the email Don't click on any links in that email. Yeah, that sounds that sounds sketchy. I want to click on it. All right, very good Yeah, I would I would go we're recording. 
Yeah If I would go to my Website I would go to facebook.com like Shannon said type it in log in Go into my security option see if there's there's any alerts or anything. Oh, yeah, and you can see in Facebook Um, I believe you can see your Facebook browser history or something like that. Okay. Oh cool Okay, I will check but don't ever click on links at that kind of email. Yeah, okay. Very good Hey, I'm gonna log off guys. All right Good luck. Len. Enjoy your art opening. Oh, yes. Thank you. It'll be awesome. Will there be food? I have no idea. Uh, I'm gonna assume not I'm gonna assume it's like in Daredevil season one Dude All right. All right guys take care. Thank you. Bye. Bye uh titles number one is don't panic a uh allusion to uh Uh, um Hitchhiker's Guide and know where your towel is Cloudy with a chance of flare Clean up on aisle of Cloudflare How cloud lost its flare Sometimes I run into walls storing a password There's a glitch in the Cloudflare Cloudy bloody cloudy The clouds are falling Google says we are am sorry I that it would explain something eggs, uh experience yesterday 5G. We have all the best specs audio eval Keep calm and don't panic The security rescue poses cloudy To cloud fair is human Don't panic, but you better change on your passwords I don't know Cloudflare another reason to use distinct passwords I like cloudy with a chance of flare Yeah, I like that one too. Okay. It's my faith Yeah yesterday on my phone I got a uh, I got a couple of things for both of the accounts I have on there to uh Relog in my my credentials Maybe related to the Google Wi-Fi maybe not Well, I thought I thought it was a phishing attack and then but then it uh I tried putting putting in the wrong password and then I put in the wrong Google Authenticator number and all that stuff seem legit Well, um, you know w. Scott is one snubs is asking a good question. Uh, if you log into services with Facebook Yeah, like how does that affected by Cloudflare? 
So I'm not sure how Facebook implements it on um with their OAuth type implementation, but Usually what'll happen is when you change your password it automatically logs all those Accounts out and then you have to relog in And approve it through Facebook. Otherwise, um, if that's not how it works on Facebook Then you can go into Facebook and see um What connected apps you have set up and I know on Twitter it's under like connected apps So I'll have to look it up on Facebook because I'm not as familiar with Facebook's policies Well, the the thing to remember too is that Facebook doesn't use Cloudflare for I think I think I have that right Yeah, no, uh, and so Facebook itself wouldn't be subject to this vulnerability So if you're using Facebook to log in it's fine But what Shannon just mentioned is very important the Facebook OAuth token Might get passed along by a site that is subject to the Cloudbleed vulnerability So the key the thing to do there is to and I wish it would have mentioned this on the show sign out of your mobile apps for sure But sign out of your service and sign back in to create a new token that way if there is one of your tokens out there It's not it's not good anymore Oh crap, I was just looking through Facebook You can go to Facebook security and then recognize devices and you can log out any devices that you don't use Nice, uh, let me see if there's a thing about OAuth at passwords I have never used Facebook authenticate. No, actually I take that back. I used it for one thing But it wasn't something there's also where you are logged in and that shows you your current sessions and you can end activity Great. 
That's really good Oh my god I need to go through here and like deauthenticate everything I have like old review products in here crap It's kind of frightening sometimes when you go in and see those things I've done that at twitter before and been like, oh my gosh that service doesn't even exist anymore Like it probably isn't hurting anything, but I really need to revoke that Oh lord Wait, where are you going through? You go to your facebook profile and then click on the little drop-down carrot in the corner and you can go click on settings security And then there's recognized devices and right under that. It's where you are logged in And you can revoke access to the world Sergeant Buffett's like oh my apple newton is still on there Yeah, my old samsung galaxy s4 from two years ago is on there too Whoops Well, these are all me these are all me Facebook your ipad. Oh, yeah, I still have an ipad. Oh, yeah, was it recognized devices? That's what you said it was Yeah, recognize devices and then where you were under that is where you're logged in Where you are logged in Both of those are on the same menu Well, I apparently log in from the same two devices, so Oh, that's good. Yeah, I generally don't use I don't generally don't like authenticating with a service Yeah, I don't either it seems kind of odd to me Yeah, see I'm what I I just went and looked at it and none of these are are making me Like nervous Yeah, they're they're they're really old like if it's from 20 if it's from 2011 Say we're mine just get rid of it just to clear out the cruft They make cheese slices That was a good question. Thank you for yeah. Yeah. Thank you. Dennis got us one Because now I'm looking at my own security and I'm like, oh, I should update this I usually do that like once a year. I'll go through my different accounts and check passwords and stuff like that, but I'm seeing I'm seeing all the names of my old my old laptops Oh Astrid and Murray Oh, that's so cute. 
Wow yours goes back that far at this mine doesn't go back that far Then goes back as far as early last year Oh my god, that's so funny Len Peralta commented on my Facebook or on my Instagram picture from today beautiful Yeah, that does not surprise me. I'm gonna favorite his post Oh, no 2012. Oh This I can go I can go BlackBerry ah remember when I had a BlackBerry Oh, you had it forever too. I love that thing It would last like two days without a charge without having to re plug it in It's just didn't do all the cool fun API stuff Although Google Maps and Like all the big stuff was on it Twitter. Thanks, Tom Beautiful I feel like I know this is just psychological, but I feel like encoding always slows down right before the end It doesn't know you're waiting for it. Yeah The encoding on my video slowed down slows down at the end of it too I I know it's probably not true that it's probably just our brains playing tricks with us, but it really feels that way But it does I think it's because it's actually like saving There might be something to that. Yeah, it makes sense. That's my guess. It's not all in my head Like the rest of you We're all in your head I I've definitely had the fear throughout my life that I was going to find out that everything I was doing was actually just a hallucination No, it's locked away somewhere He he thinks he's doing a podcast So this is interesting. I'm running a poll on my Twitter account Uh, it says poll from my hacker friends TrueCrypt VeraCrypt. Ah, uh-huh. Yeah, and um, so far They've been pretty neck and neck right now true really at 46 and VeraCrypt at 54 Yeah, I find it pretty interesting. I would have thought VeraCrypt would be farther ahead by now That's interesting. That is really interesting. Some people like the TrueCrypt. Yeah Even even still I split it between things. I really don't care about as much like it's I mean It's nothing sensitive. 
It's like family photos and things that I that I put in the Encrypted container versus like all my taxes and that's just because I have a lot of photos and to recreate A brand new volume for all that and then reupload is kind of a pain in the ass Versus because I hope sorry good. I've used both just for you know testing and reviewing and and Doing tutorials and stuff like that. Sure They work pretty much the same. It's just like do you want the one that was audited and Minor vulnerabilities were found but nothing major And it's never going to be updated again Or do you want the one that was audited and updated? But the new vulnerabilities were found and they updated it again But I don't know if they have any more vulnerabilities. Right. So And that one's also not as Uh, VeraCrypt is not as uh, what would it be? It doesn't have the the repertoire. I guess that TrueCrypt does right. It's it's sort of like Logically, you would think VeraCrypt should be ahead because it is the more actively developed one, right? Well, TrueCrypt died Yeah I mean it's being developed And but with TrueCrypt you actually know what you're getting exactly, right? It's like, well, I know what the vulnerabilities are so, yeah Yeah, it's interesting Yeah, well Unless you want to do something crazy like I used to do you just bury a a VeraCrypt volume inside a Uh, a TrueCrypt volume. I used to do that make your VeraCrypt volume the hidden volume on your tree Huh, even I don't do that you cray you cry. I stopped doing it because it's a pain in the ass. Yeah It's like whatever, you know, it's like, you know, you if you want to look at it. You already have my tax records besides Having known enough people who've worked in the in the credit card slash Financial district your private information that you submit for loans mortgages credit card applications. 
No, not secure Playing around on someone's desk Okay Granted that makes a good story and it is not technically secure But lying around on someone's desk these days is actually more secure than being stored online in some cases Some cases I just remember I still remember the tech tv Uh stolen, uh Was who did they steal? well, that was that was the finance person like That's not a security vulnerability that at some point you have to have a person handling information, right? And if that person is corrupt as that person was no, no that was even before then that was before then That was talking about that There was a time it might have been right after you Oh, no, I only got bit by that but I didn't there was a yeah, there was a there was a bridge though Yeah, but that's one. Yeah breaches happen. I know no, I know but that breach was someone went through the room It wasn't like it. It wasn't someone hacked into them. I just took it physically Yeah, but breaches happen online more often I know and then it happened to me. It's seen it and then they got they got sent the thing Sorry, we that was on I guess they outsourced their payroll and that place got got robbed or broken into I got hit by the CNET one myself Listen, there's no trust in it I guess what I'm saying is if if you if you want to say I want 100 security You're always going to find a problem because there is no such thing That's true And that's why I'm going to put all my important documents In a little block box in a cage of hungry lions Do you trust the lions though? I don't know. I trust them to be hungry, but I don't feed them kittens be snitching My kitty says hi Hello, who's that? This is starbucks. Hi starbucks. I had a laptop named starbucks Yeah, I think I did. Yeah Most likely she's been around for a while She's been so quiet today. I'm really proud of her She usually meows the entire time I'm in here Give me a touch. Give me a touch. 
It's so funny when when uh Sawyer was younger he'd always want to be down here and then he'd bark at the door And so I had to stop I'd be like no you can't be down here Now I leave the door open and he's older and he's like meh boring Because upstairs oh Then he'll he'll come down when I sit on the couch before the show for prep and he'll come down after the show Oh, check check out what's going on during the show. He's like, you're not gonna pay attention to me so I'm out He knows exactly when you're gonna be done and when you're yeah just starting It's like, oh, you're done giving me attention. Yeah, he knows exactly when you'll have a chance of getting petted Oh and played with that's cute You're being good Ooh, we're gonna meet a dog You're gonna meet a dog. Yeah possible adoption Really? Yeah. Yeah, but the dog has to select them from a from a number of entrants Sawyer can have a new friend. Yeah, have a new sister. Oh Are you planning to do like get a puppy or uh adult dog We're targeting like around a year because that's what Sawyer and Jango both were when we got them Sawyer was 10 months. Jango was nine. So somewhere around there. Yeah Make sure they're somewhat house trained Yeah, Jango was house trained Sawyer wasn't and we'd prefer it to be house trained, but yeah Oh My gosh So basically what this email is saying is that we're going to go do a meet and greet with with Sawyer To make sure that they get along. Oh, there she goes Um, and the goal is to have us bring her home if it all goes well That's awesome Yeah, that's so exciting Oh, good sign too the woman from the adopt from the rescue organization's last name is the same as my aunt Oh Yay, I'm like, oh nice There's a similarity there. Yeah. Yay Simularity the singularity. Mm-hmm. Mm-hmm. They're asking in the chat room. What breed she is a Actually, hold on. I want to say your aunt that is uh human I want to say human, but let me check No, my aunt was was uh, uh, total 100 percent. 
Yeah, mostly Where is she where she there she is she know a great is a husky mix Oh So she's kind of husky kind of looks like she might have some shepherd in her too. Oh Huskies are awesome I don't want to put the link in the chat room though because I don't want anyone to beat us to her Yeah, now hide her away. Don't let anybody see her It's what I did with starbucks. We already know what we're going to call our next dog too Thank you for the kisses Oh, she's like stop talking about dogs. Yeah, basically The walks all right Thanks shannon Yes, thank you shannon. Thank you everybody for watching. We'll be back on monday. Have a great weekend. Goodbye Hi everybody Oh, you know, oh that was good He's a good meow bye Yeah, bye Do you do you got my cat time? Yeah, we're gonna call her ray Ray yeah Like r a w r e y oh like in star wars. Mm-hmm cool Here i'll uh, i'll put it in the slack. This is joe her names. They call her josey right now Let me see let me see my cats are Starbucks and luna. Oh those are great names Was this the one that you uh said that would probably be snatched or picked up ready? No, that was violet and she was You can't like hold them or something