Daily Tech News Show is made possible by you, the listener. Thanks to all of you, including Jeff Wilkes, Paley Glendale, Tim Deputy, and Stephen Radke. On this episode of DTNS, Apple users beware of MFA bombing, we'll explain. Hulu moves into Disney Plus, and it's a bigger deal than it seems. And why is Phil Spencer spilling the tea about the video game industry's problems? Well, Scott Johnson's going to explain. This is the Daily Tech News for Wednesday, March 27th, 2024. In Los Angeles, I'm Tom Merritt. And from Studio Redwood adjacent, I'm Sarah Lane. In Salt Lake City, I'm Scott Johnson. I'm the show's producer, Roger Chang. And we have assembled for you, the people to explain tech news in a way that nobody else really wants to, because they're either getting paid not to, or they don't have support. Who's getting paid not to work? Oh, no, getting paid not to explain. I'm working for a tech company, so I don't want to explain. I want to spin, right? Not us. We are independent of all of that. And we start as we do every episode with the quick hits. Zero-day exploits are on the rise. So say Google researchers, who observed 97 zero days (those are the types of exploits that work in the background without you knowing) exploited in the wild in 2023. That is a 50% increase from 62 that they found in 2022. Of those 97, researchers found threat actors were behind 58 of them. 48 of the vulnerabilities were attributed to espionage actors. And the other 10 showed financial motivation. Three of the zero days point to FIN11, which was also behind the 2021 zero-day Accellion attack, which affected dozens of financial institutions, among others. Ransomware gangs like Nokoyawa, Akira, LockBit, and Magniber reportedly exploited another four. Facebook launched Project Ghostbusters in 2016. And although it sounds fun with that name, I don't think you'll find it fun. The purpose of the project was to decode what was in encrypted network traffic between Snapchat's app and Facebook servers.
This is when Snapchat users would integrate with Facebook. It later tried the same thing for Amazon and YouTube, by the way, and it used the Onavo VPN team and the Onavo VPN tech to install kits in its Facebook apps that were able to capture the traffic before it was encrypted. That let it collect usage data to inform its analytics on how Facebook users were using YouTube and Amazon. Consent was obtained from Facebook users to do this. But in 2020, Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook claiming that the company lied about what data it was collecting and how when it sought that consent. 91mobiles reports that based on renders published earlier this year by OnLeaks, Google may release three different models of the upcoming Pixel 9 with a Pro model, but also a Pro XL. Now, you might recall that Google did away with the XL size when it launched the streamlined Pixel 5 some years ago, but started using the Pro name in 2021. So, if rumors of the Pro XL having a 6.5 inch display are true, there's a little shrinkage from the 6.7 inch Pixel 8 Pro display. Both Pro Pixel 9s are said to include triple camera systems on the back. A lot of talk about this online, but in any case, we should expect an official announcement in October. Elon Musk says a lot of things and we don't usually report on them because they don't always come true, but sometimes they do and maybe this one will. Tuesday, Musk wrote on X, later this week, Grok will be enabled for all premium subscribers, not just premium plus. If you missed it, Grok is X's chatbot, which was trained on X's data and has access to real time posts. Grok's model was posted without the training code as an open source package on GitHub, March 17th. Amazon said on Wednesday, it will invest another $2.75 billion backing Anthropic, said to add to its initial $1.25 billion investment that was announced last September. So, Amazon doubling down on Anthropic.
San Francisco-based Anthropic is working on generative artificial intelligence, as are many other companies, with its foundation model and chatbot, Claude, competing with something like ChatGPT. Amazon will maintain a minority stake in Anthropic and won't have a board seat at the company. People who use Apple products are reportedly being targets of a new wave of phishing attacks called MFA bombing and sometimes MFA fatigue or push bombing. This is, of course, when people with masters of fine arts just keep knocking on your door until you know it's not. Don't you want to play the violin? I have an MFA, I went to school for eight years. No, this MFA stands for multi-factor authentication, but it is that same idea of pestering you until you do something that's not in your best interest. It's partly based on, well, mostly based on user behavior and apparently happening because of a bug in Apple's password reset mechanism. Yeah, it's getting some buzz today from folks who have been reporting similar issues. Phishing attacks are often about tricking somebody to give access to their account. Maybe you pretend to be the IRS, call me on the phone type thing. It happens via email. It happens in many different ways. Text messages, they're on the rise. There are other strategies as well, but that's what phishing is. But Apple's password reset system appears to be the vector of a new phishing attack. So Krebs on Security reports, it revolves around a bug in the password reset feature. Now, victims are then inundated by reset password notifications, including a text that says something like, use this iPhone to reset your Apple ID password, and then the options to allow or reject the request just keep coming. You can say, reject a bunch of times, but maybe at some point you get confused or bored or just, you're doing something else and say, okay, fine, accept. And that's where you get into trouble.
The idea is that the user will either accidentally select allow instead of don't allow. If given enough opportunities, sometimes people slip or just get sick of all of the notifications and then say allow to make them go away. Yeah, I think go ahead, Tom. Oh, sorry, I was just going to say based on the report so far, it seems like they're targeting startup founders. So you may not see this, but it doesn't mean somebody else might try to take advantage of it for another reason. Yeah, I mean, I think so yeah, this is as far as I know, knock on wood, everybody, not something that I have experienced or will, but I will say having, you know, moved recently and having many pieces of hardware in the Apple ecosystem, mostly on the same Wi-Fi network, but sometimes, you know, in transit type thing. I'm, you know, for example, at my mom's right now, I'm already on her Wi-Fi network, but I had to, you know, sort of remind Chrome, you know, that I'm logging in from a trusted device type thing. You do get that stuff. Now, not everybody is moving around all the time, but I could see where if you, you know, you're distracted, you're busy, you know, you're stressed, variety of reasons is why phishing attacks work on people who know better. You know, it's not about the fact that, oh, it only works on people who don't know how tech works. No, it works because people are vulnerable at times. Yeah, the irony here, I think, is that they're targeting a platform in particular, although others are vulnerable to this, obviously, but Apple users maybe getting targeted more is a little bit of a poke at Apple being a little hardcore on their authentication stuff. Like they, I think they do it because they think it's a selling point. They're big on security. They're always telling us that. And so, part of that is, oh, you're logging in somewhere, approve this, now take this number, now enter it, okay, hit okay. Did it go through? Uh-oh, second factor kicked in, blah, blah, blah. 
Like you had all this stuff and you're used to getting these messages kind of more frequently. And again, I think in good faith, it's meant to give you a more secure feeling. It's security first sort of thinking from Apple. And so, to take advantage of that in particular is a problem. I mean, I don't even know how you would have responded if you're Apple to this. Maybe you do nothing, but maybe you go, are we making people jump too many hoops? I can answer that. You fix your rate limiting. Because this is pretty simple. Like it's very targeted. And I don't think it's made to make Apple look bad. I think they found a vulnerability. What it's taking advantage of is any of us can go to a page and say, I need to reset my password and it'll say, great, what's the email address for your Apple account? Put that in. What's the last two digits of your phone number? Put that in. Okay, now we've verified that you're talking about the right account. We're going to send a password reset notification to your device. And then you're going to have that device and you press allow. That's all very secure. That's the way it should work, right? Even if somebody's able to go to that page and know my email address and the last two digits of my phone number, I should be able to say, Nope, don't want to do that. What they're taking advantage of is for some reason, the rate limiting is not working. It should have a rate limit. And I'm assuming it does have a rate limit that says after a certain number of times that the user has not responded to this or has said disallow to this, stop sending them, stop honoring them for a period of time. Whoever's doing this figured out how to get around that rate limiting. Maybe it's a SQL injection attack or something. And so all they do is they know the Apple account ID or they've guessed it for their target.
They know the last two digits of their phone number, which implies they know the phone number and then they just start spamming it getting around this rate limit somehow. If people don't respond to that, a lot of these attackers have taken to then calling them, spoofing the Apple support ID and saying, Hi, we're calling from Apple. We noticed someone trying to get into your account. We can help with that and then try to trick them into giving them information that way. And just so you know, Apple doesn't do that. Apple does not initiate a phone call to you ever. Anytime someone calls you saying they're from Apple, they're not from Apple unless you asked for that call to happen. Right. And that's a fair, that's a fairly good thing to keep in mind with anybody. If it says expect a call, they don't, none of them do that. So yeah, good. I'm glad you mentioned that because that's just, I wish, I hope my mom's listening because she gets stuck by this a lot. It's like, no, mom, they don't call you. You call them, you know, I, I've been, you know, the IR, you know, I use the IRS as an example, like I actually almost got tricked once. I mean, it only lasted a couple of minutes where I was like, Oh, yeah, okay. I see what's going on here. But, but they got me at a time where I was sort of like worried about financial stuff. You know, did they know that? Did they not know that? Was it coincidental? You know, all this stuff is like, you know, throw a spaghetti at the wall and see who caves. Yeah. Yeah. I mean, there, there have been a couple of times where a company has called me and it was legitimate. And I was like, I'm going to call you back because that's how these things work. And they were like totally fine because if they're a legit company, they will be fine with that. Sure. Yeah, absolutely. 
So, so the point of the story mostly is like, hopefully Apple can figure out how to fix this rate limiting bug and get it back to where you can't spam people with this until they do. If you see this happen to you, which again, most of you probably won't. But if you do, you'll know like, Oh, this isn't just a weird bug. This is that attack, which I think helps you have a little more patience not to hit allow and just kind of wait it out and see what happens. Yeah. And if somebody sort of mentions like something really weird is happening, well, if this is it, then pass that along as well. Keep. We should mention the other thing you can do is that you can set a recovery code, a 28 character recovery code, and then that will stop the password reset mechanism from working unless you have the recovery code, but it won't stop the spamming. That also implies that there's there's a bug here. Because even if you set a 28 character recovery code, they can still somehow push those notifications to you, which they're not supposed to be able to do. But at least that would be a safety net to stop you from accidentally pressing allow. Yep. All right, let's talk about Hulu moving in on Disney Plus. The company had been testing this for a few months and has now made it official. The idea is that if you're a subscriber to Hulu and a subscriber to Disney Plus, maybe with the bundle, you can get all of the content from both in the Disney Plus app. The Hulu app will continue to exist separately. If you prefer to access the content that way, they're not taking it away. And in fact, Hulu already does a version of this, you can get ESPN plus content in the Hulu app right now. So it seems like only a matter of time before they just unite all three of these and give you ESPN stuff in Disney and I don't know, maybe give you Hulu and Disney stuff in the ESPN app. I don't know. 
The way this works, though, if you have the app, you will see a Hulu chiclet, Hulu slide, the way you see Pixar and Marvel and other stuff at the top. And when you click on that, if you're a subscriber, you'll get to see all your Hulu stuff. If you're not a subscriber, they'll say, Hey, would you like to subscribe? Here's how to do that. The Verge had a really good article on this, though, telling all the background, all of the behind the scenes stuff they did to make this happen. They could have very eaten, I don't want to say easily, but they could have the ease, the shortest route to making this happen could have been take all the Hulu content, which was encoded differently. Because remember, Hulu was a separate company for a long time and just convert it to the Disney plus format, convert it to the Disney plus metadata and art specs, bring it over to Disney plus, and you'd have to do that every time you moved something over. That's not what they did. They unified the backend for everything streaming. So Hulu, ESPN, Disney, the whole ball of wax, so that now when Marvel makes a movie and they deliver it for streaming, that movie will be encoded in a way that will allow it to work on Hulu. It'll allow it to work on Disney plus. And it gives them flexibility to have different types of streaming apps and different kinds of types of services in the future as well. It's very, very smart to do that, I think. And also just think of the headaches they're avoiding by doing that. We have enough experience in this streaming world to see where things have merged or come in together or changed or whatever. And you've seen problems glitches, whether it's stuff we see on this side or pure headaches for IT professionals in the back end, but unifying all of that makes really good sense to me. 
And it actually, the side of this we haven't really talked about actually makes me excited because if I'm to pick the two codecs, like which looks better to me when I throw it up on a big screen and want a big movie experience, Disney plus is one of the best looking. I was talking to Robert Herron about this once. He says, yeah, their stuff's kind of like top notch is the best thing. So I assume that's the direction they went with that and moved it to the Hulu and the ESPN content. They did the highest quality encoding. So I don't know, they may have even improved on the Disney plus one, but yeah, they did the highest quality encoding for everybody. Yeah. And that's great news for people that want, you know, the fidelity that you can, at least maximum fidelity, you can get out of a streaming service, which is never going to be quite, you know, one to one 4k Blu-ray or something. I mean, doesn't all of this also and, you know, I'm looking ahead. I realize this, but if Hulu content is available on Disney plus and if you're, you know, you don't have to subscribe to Hulu content to, you know, enjoy the Disney plus that you already have, you know, unless you buy the bundle, you, you know, you might be able to, you know, find something and it's like, oh, it's a Hulu show, want to subscribe, you can say no. But doesn't that kind of mean that we're getting a unified app and some of these independent apps might go away? That would probably, that would probably save some jobs if you're people at this company. I don't know if it saves any jobs, to be honest, because you still need the same kind of number of people to, to handle a lot of the stuff, whether it's in one app or another, because of all the work they just did. Basically, what they said was we made it so we can decide whether to combine apps or spin apps out or spin up new apps and not have to worry about the technological infrastructure. Before, they didn't bring Hulu over into Disney plus because it was a pain. 
It was not the same content, not the same metadata. Now they've made one single platform, they can make those decisions based on what's best for the consumer, because you've got the same infrastructure working behind. I mean, I guess if they canceled the Hulu app, there's probably maybe less copywriting to do a little less app maintenance to do. So, so arguably it might, it might save them some money, but, but that's kind of not the point. The point is, they did a lot of work that they didn't have to do so that down the road it's easier and they don't have to make harder decisions like that. Yeah. What's nice too is you basically I was just gonna say where we, sorry, Sarah, we're clearly across things, but I'll just say this real quick. It mirrors the 80s. It's like they had Hollywood Pictures and they had Touchstone as a way of doing content that wasn't pure Disney content, meaning family-friendly content. This is like that over again, except now you're going to get to go into the same movie theater in a way and choose, you know, if you want to be in the adult section and watch some, you know, I don't know, Fargo, or do you want to be over here and watching, you know, Mickey Mouse do stuff and you'll get both. So make sense. Yeah. Yeah. Kind of similar point. I mean, as somebody who has a few streaming apps that I use over and over, I mean, you know, I have a dozen of them, I guess that I use, but really only three that I use on a daily basis to consolidate is not a bad thing to me. Long as I have my content and as long as, you know, what I'm paying for doesn't, you know, sound crazy. I like that. I like that solution. And you know, if anybody out there is like, I don't like the solution or I agree with you, tell us why. feedback@dailytechnewsshow.com. Yeah. And keep an eye on Hulu Live, which is their live television service.
If you see that merge into Disney Plus, that could be an indicator they're going to get rid of Hulu and do an HBO, where Warner Brothers brought HBO into HBO Max and then eventually called it Max. And now it's a sub brand of Max that could be doing that with Hulu. Keep an eye on that. As long as they've got Hulu Live separate and only available in the Hulu app, it seems to me that they're going to maintain those independent brands. Yeah. We hope you like green logos, by the way. Just a little side. Oh yeah. What do you think of that new Disney Plus logo? I think it's fine. It's not full. It's not full Hulu green yet, but it's a tint toward it. And it's also they thickened up the plus and the Disney name just a little bit. It's a little more readable, maybe. So I'll tell you, you know, you know, shout out to YouTube for staying red because everybody else is green or blue. Folks, if you want a recap of the week's tech headlines with insights into how technology affects and disaffects communities of color, then you want The Tech Jawn in your life, J A W N. The Tech Jawn with hosts Rob Dunwood, Stephanie Humphrey and Terrence Gaines dives into the top tech stories of the week delivered from their points of view. Those are points of view you don't always hear in the mainstream media. New episodes land Tuesday afternoons. Find it wherever you get your podcasts or visit thetechjawn.com. Polygon's Chris Plant talked to Microsoft CEO of gaming Phil Spencer about the state of the video game business at GDC last week and why it feels like video games are in trouble. And maybe how they could get out of it. Scott, you follow this industry closely. You have your own ideas of what's going on. What did Spencer say? And how do you think it matches up with what you were thinking? Well, it actually matches up pretty well.
I think that I think it's important to just put this out there that like a lot of other industries, certainly in tech, gaming experienced a boom with the pandemic. Many businesses suffered, but gaming did not. They sold more consoles. They were harder to get getting games was the thing people did because they had a lot of downtime or they were at home. They were staying away from each other. Perfect time to play online games. They benefited from that, that entire era. And they benefited to a degree that they got a little ahead of themselves, I think they over compensated or they over swung and figured that that growth would go was going to be somewhat permanent. And they tried to find ways to make it more permanent, but they along with Sony, Nintendo and everybody else under the sun has had to come to a fairly recent reckoning, which is maybe things aren't so rosy in the future in terms of, you know, the industry's fine. People this idea that the industry is going to fall apart is not even close. It's too big to do that. But there will be some retraction. I don't know if it's a full on recession of the industry, but it's something like that where people are pulling back and they already are all of these layoffs and and canceled projects and this sort of thing. These are all signs of a pullback. Not just by the way, the cynical view is just well, that's just to make shareholders happy next year when they show a profit. There's some of that going on, but this is also just a retraction, a pulling back and a necessity in a lot of ways for a business that was seeing nonstop growth for a very long time and then a big boost in in 2000, 2021 and forward. So anyway, he talks about the big issues facing the industry. He mentioned cost and that reduces risk taking mentioned the fact that it costs somewhere upwards to $300 million at times to make AAA games the way we perceive AAA games. And that's not as easy to deal with as before. 
You also have kind of a conflict happening where games come out with massive budgets like that and they sell extremely well in the many millions of copies and they still don't turn the profit they want because games have been pretty resistant to cost increases unlike other industries. And so if you sell a game for $70 and you do enough of them, it's still not a guarantee you're going to make enough. So if they sneak in like microtransactions and stuff at the end of the game that you're going to want to maybe pay for or not, players are starting to get increasingly tired of that sort of thing. And so I think that kind of all he's sort of speaking to all of those issues when he talks about the cost and the reduction of risk taking. Exclusivity he talked about limits the revenue potential reducing motivation for exclusives. I think that's very true. I think that is also reflected in some of their actions lately by bringing former exclusives to other platforms to help mitigate that. And also he talked of console stagnation. Console players are upgrading, but new console players aren't entering the market. In other words, some of my friends may get around this fall and the rumored PlayStation 5 Pro will come out and they'll go, Oh, cool. I'm getting the upgrade. But the worry is, at least on the Sony side is that people will get there and they'll do that. But new people will not be buying new consoles. They're either be happy with what they've got or they're not bothering at all. PC infiltration has made a big stamp on all of this. People are, you know, you work from home and you're playing from home and often you're doing that on the same device. I think that's cut into it as well. There's a whole other issue too of a new generation of up and coming players. And I think they're hard to peg. I mean, he referred to Gen Z not being this bound to traditional video game console models. They've got other ideas on how do they, how do they get their games? 
They get them on phones. They get them in other ways. They may get them in streaming. They may not be playing as much games at all because it's all sort of been done and they're feeling a little burned out. And I can tell you my youngest feels this way a little bit. So these are often, you know, blanket statements about blanket ideas that are hard to like narrow down and get exactly right. But my biggest overall take on this is not only is he right about the changes in the industry and where things are going and why people are pivoting the way they're pivoting, but also this is a new way of telling us this. Normally, you don't have a big player in the market get up in front of everybody, the head of Xbox slash gaming at Microsoft, the company that is, you know, one of the largest in the history of the planet and say to people, yeah, things kind of suck right now. And here's why they suck and what we're trying to do to address it. It didn't feel like marketing speak to me. It felt like, yeah, this is what we're facing. And I don't know if this will kick off a wave of like, oh, Sony's now going to start talking like this, the head of Sony of America or even Japan will start talking to us in this sort of straight language. You know, I won't go out on limb and say, well, I think this is just for us and Microsoft gets no self service by doing this. I think they do, especially as a second place player in the actual console hardware market, it helps them to be transparent. But I do think we are heading toward a model where if they don't be transparent about the challenges, gamers are not going to know about that stuff and just be mad that things are being canceled, delayed, riddled with, you know, transaction, microtransactions, and not quite delivering on the promises that they make about their hardware or their games. So that's my overall on it. I actually am positive about the long run, but we are going to see a kind of a weird next couple of years. 
I think it was a little self-serving in the fact that it said, you know what, the right strategy for this new marketplace where costs are a problem and distribution is complicated, cross-platform strategy. Like the one we're pursuing at Microsoft, right? Like I'm not saying that it's bad that they're doing that. I mean, obviously, if you're pursuing that strategy, you think it's for the right reason. And this is an excellent explanation of why the industry is pushing them to do that. I did, and I do think this was a really fair assessment of things. I still wonder, why does it cost so much to make the AAA titles? Like I get that exclusivity limits the revenue. I get that distribution is way more complicated now because there's so many platforms and streaming and subscriptions and all of that. But did they just get themselves into a situation where every game has to look so much better than the previous one that they have to spend $300 billion? Well, you've got your finger on the right pulse there. Basically, it comes down to this. If you want to make a big deal, you make a franchise that just kills it, let's say Halo or the Horizon Zero Dawn series or any of those kinds of games. What you've now done to yourself is you made a very expensive game that was successful. Now to capitalize on that, you must make sequels that are very expensive and more expensive and also have to top what you did last time. And the people who made the game say, you still want us to do that? We'd like a little bump up. They do like movies. They stay in the safe lane. You're going to make Marvel movies. You're going to make big popcorn movies to make your big money that year, your indies and your smaller films. Like the parallels are there in the film industry. They always have been. But this is as good a time as any to make those comparisons. And I think that what we're missing is a big chunk of the market that we used to call the B tier or the double A titles. 
The titles that didn't have to be groundbreaking, push every limit, change your life. But we're really fun games to play in the center of all that. And we're doing great on the indie side. Indies are going great. This is an amazing time for indie developers. No question. At the high end is where they're struggling. Let's get some of that middleware in there and not the kind of negative kind everyone's hearing in their head when I say middleware. I don't mean middling. I don't mean mid. I mean, like good games that are worth playing that don't have to crack every realistic goal. They don't have to have every hair on somebody's head be perfect. In fact, let's get a little more stylistic. Let's let some of those ideas happen there. It is risky complex distribution platform. You don't know if you're going to make the money back as easily when you're not banking on a previous title. So it is risky. Yeah, I think the good sign or the good thing for Microsoft is they because this is about them, they bought into a ton of potential middleware slash B tier slash double A. So these developers that are about to finally produce that they have been purchasing for the last five, six years, we're going to fill a lot of that space. And I think they're counting on that. So we'll see how what Sony's plan is moving forward. Nintendo's, you know, they've got new console possibly being announced this year. That's going to get weird. But as usual, it's super fun to watch. Yeah, let's get weird together. You know, what, what else are we doing here? I haven't heard a better offer all week. Well, Scott Johnson, thanks for for breaking that down for us and let folks know where they can keep more up with more of your gaming news. Well, good news. Gaming talk is all, I'm all about it. And we do it for about three and a half hours every Thursday for a show called Core. We do it live for people who kind of want to pop in and be there casually. 
If you want the podcast after a course, that's up at frogpants.com slash core. And it's a lot of this. We dig deep into big industry stuff, the small stuff, everything in between, including games we're playing right now. So if that sounds interesting to you, come have a great time at frogpants.com slash core. Patrons, stick around for the extended show, Good Day Internet. We're going to talk about Canva and Affinity again. We talked about yesterday that Canva is acquiring Affinity. And then today they made a promise. And we're going to ask longtime Affinity fan Scott Johnson how he feels about trusting that promise. Stick around. GDI is going to be good today. You can catch DTNS though Monday, live Monday to Friday at 4pm Eastern, 200 UTC. Find out more at dailytechnewsshow.com/live. We're back tomorrow talking about a nonprofit trying to stop the AI apocalypse with Justin Robert Young breaking it down for us. Talk to you then. The DTNS family of podcasts. Helping each other understand. Diamond Club hopes you have enjoyed this program.