 Coming up on DTNS, AI that lets you talk to Jane Austen, while the U.K. may be changing its mind about using Huawei equipment in telecom networks. And Stephanie is here to tell us how not to get socially engineered. Didn't your mom have an unusual maiden name? This is the Daily Tech News for Monday, July 6th, 2020 in Los Angeles. I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. Yeah. That was Roger Chang, the show's producer. You can't really hear him, but he's definitely here. Sorry. And also joining us, Stephanie Ihezukwu, Infosec engineer. Thank you for joining us, Stephanie. We really appreciate it. Thank you for having me. We were just talking about hot dogs and what we ate on July 4th on Good Day Internet. You can get that expanded conversation. Become a member at patreon.com slash DTNS. Let's start with a few tech things you should know. On Friday, Foxconn announced the customs clearing procedures in India have been resolved and shipments stuck at the border have now passed through. Last week, Reuters reported over 150 Foxconn shipments were being held in the port of Chennai due to heightened customs checks. Tencent launched Lightspeed LA, a AAA game development studio in Los Angeles. Lightspeed will be led by Steve Martin, who was the studio manager for Rockstar Games since 2011. The search engine DuckDuckGo announced that ISPs in India were blocking the service through DNS servers starting on July 1st. Users were still able to access the search engine through third-party DNS resolvers. As of July 4th, many ISPs had removed the blocks. A DuckDuckGo spokesperson speaking to The Verge said they've contacted the Indian government, but still don't know why they were blocked. Facebook announced a partnership with India's Central Board of Secondary Education, which oversees education in private and public schools in the country, to launch a certified curriculum on digital safety and online well-being. 
The goal is to help students develop skills to safely browse the internet, make well-informed choices and consider the effects on mental health, as well as train on things like augmented reality with Spark AR Studio. First phase of the partnership will start with training 10,000 teachers who will then coach 30,000 students in phase two. Instagram confirmed a report by Business Insider India that it's testing its Reels feature in India. Reels lets you record a 15-second video set to music or other audio and is currently available in Brazil, Germany and France. An Instagram spokesperson told TechCrunch it plans to test an updated version of Reels in more countries soon. Perhaps not coincidentally, last week India banned TikTok and 58 other Chinese apps. The app analysts at Apptopia estimate the Disney Plus app installs in the United States rose 72.4 percent to 266,084 this weekend compared to the average for the last three weekends in June. Worldwide installs increased 46.6 percent, excluding India and Japan, where Disney Plus is streamed through partners. Looks like Disney Plus did not throw away its shot to get installs on the release of Hamilton. The US Supreme Court struck down a 2015 amendment to the Telephone Consumer Protection Act, which allowed robocalls to be made to cell phones by debt collectors on a debt owed or guaranteed by the United States. Robocalls to cell phones violate the First Amendment in favoring debt collection speech over other types. And the court found that the government couldn't differentiate government debt collection speech from other categories. The court found that the TCPA can be enforced while severing off the debt collector exemption. Listen, Sarah, I just want to tip of the hat to your professionalism. I know how enjoyable this story must have been for you, but you could not hear the wide smile. Doing a little dance in the chair. Robocalls, you can all, you know where to go. Do a thing. 
All right, let's talk a little more about what's happening in Hong Kong. WhatsApp, Twitter and Telegram have all stopped processing Hong Kong law enforcement requests for user data. So if a Hong Kong law enforcement agency asks WhatsApp, Twitter and Telegram for user data, those companies are saying, hold off, we're not processing requests right now. They're not denying the request. They're just not processing them at the moment. This is because mainland China imposed a national security law in Hong Kong that went into effect July 1st, removing the requirement of a court order to request user data. So the security agency can just request the data without having to go to a court. And that security agency is now set up under Chinese mainland jurisdiction, not under local Hong Kong control. WhatsApp said it paused processing to review the impact of the new law and consult with human rights experts. Telegram said it would not process requests, quote, until an international consensus is reached in relation to the ongoing political changes in the city. And Twitter said it is reviewing the implications of the law as some of the terms of the law are vague and without clear definition, in the words of Twitter. So this, of course, relates to that new Hong Kong security law. There are other podcasts out there that can go deep and explain what that law is. But essentially it's mainland China saying we are now, for security purposes, terrorism, colluding with foreign agents, fostering secession, we are going to impose a law that is controlled from China, which many see as a violation of the two countries, one system agreement that was put in place when Britain handed over Hong Kong to Chinese administration back in the 90s. Now, as far as technology goes, that means these companies now have to make a decision of whether this changes conditions in Hong Kong enough for them to be comfortable to operate. 
Remember, you don't have Twitter and WhatsApp in mainland China for many reasons, but they just don't operate there. They can operate in Hong Kong, though, because there were these two different systems. Sarah, is this, you know, where do you think this is going? I'm curious. Oh, man. Well, you know, the Hong Kong situation and again, you know, I'm very much an outlier and I know a lot of people know more, you know, especially from the front lines of what's going on here on a variety of levels. Yeah, I think that companies need to make a choice. I mean, is the user base in this region worth kind of fighting for? Or does it make sense for the company to say, you know, this is getting too messy and we can't change things based on regional laws on this level and pull out of Hong Kong? Stephanie, I'm curious if you have thoughts on this, especially given that, you know, WhatsApp is limited in what can hand over anyway, because it's end to end secured, but they could certainly be handing over metadata. These things come up. I'm going to say, like, you know, there's a soapbox somewhere, but I'm not getting on it today. I just say, you know, sometimes it's confusing when businesses or companies have to then make political decisions or decisions based off of political leaning. So it can be messy. It can be messy. I'm not even going to say that I would enjoy making a decision either way. Everybody feels like they're on the right side. And it's one of those things where you just have to prove your point. You just have to prove which side you're willing to be on, like Sarah said. So I'm always curious to see what happens with these. I think this is a really interesting one, too, because usually what companies can say is we will follow local laws. And one of the exceptions to that is China. Where companies have sometimes said, we don't want to follow local laws. So we're not going to operate there. Hong Kong is sort of changing the rules of the game as it goes along. 
So it's a much more complicated situation. Well, this was rumored last week and today it's true. Uber has agreed to acquire Postmates and plans to keep the Postmates app running separately from Uber Eats. That's Uber's own food line, but supported by a more efficient combined merchant and delivery network. According to the analysts at Second Measure, with the acquisition, Uber would hold roughly 30% of the U.S. food delivery market. That's behind DoorDash's 45%, but ahead of Grubhub's 23%. On a conference call discussing the announcement, Uber says that the combined business will be able to significantly cut costs. Yeah, Uber, as we've mentioned before, is looking at food delivery as a way to make up the lost business that they have from ride hailing as people aren't taking rides right now and doesn't look like they're going to in any great numbers anytime soon and are ordering food to be delivered to their house. I think it makes sense for Uber to take its logistics software, which, that's the thing that it's best at, is software that matches drivers up with things, and say, we've developed this for food delivery on Uber Eats. Let's let Postmates take advantage of that and integrate it with Postmates. Be curious to see what Postmates thinks about that. They may think that their platform is pretty good, but it would also allow them to expand Postmates into other markets. I'm curious how they differentiate the two since they're going to keep them both going. Yeah, it's funny. I did not realize that Postmates alone, pre-acquisition, had such a small market share in the US because I lived in San Francisco for years. That's where Postmates is headquartered. And you know, it just was like, that was the thing before Uber Eats even came along or at least caught on. And of course there are other delivery services, but for a while it was like, Oh, Postmates. It's the way that I get food delivered to my house. And then there spawned a lot of apps. 
The Uber Eats and Postmates app, and trust me, I've used them both quite a few times when I lived in Los Angeles. You could get anything you wanted at any time. It was great. Where I live now, because it's much more rural, I have very limited options on Uber Eats and no Postmates options. So selfishly, I'm kind of like, this makes sense for the consumer, and if for some reason you just liked one company more than the other, I can see why it doesn't make sense at least at this point for the company to kill either of the apps because, you know, there's brand recognition there. Yeah, and Postmates does more than just food. Stephanie, I'm curious. Do you ever do any of these kinds of apps where you live? Yeah, I definitely am a Uber Eats person. I use it. It always has the best options and then I can piggyback off of people who are ordering stuff, which typically results in great choices. So I'm partial to Uber Eats, but I'm surprised that DoorDash even has 45% because no one I know uses DoorDash. Most of the people I use Postmates or Uber Eats. So it's very interesting that they carry majority of it. But I think it's a good idea to separate them. Like Sarah said, like some people like Postmates just because of usability and their experience with it. Some people hate Uber Eats for other reasons. So I think it makes sense. Yeah, I'm with you on DoorDash. I personally had some bad experiences with them. I'm sure that there was just me, but I kind of stopped using them. I don't know anybody else that uses them, but apparently there are a lot of people. I just don't know who they are. The UK's official position on using Huawei network gear in building networks is that it could account for up to 35% of 5G network equipment in the country, but could not be used for core network infrastructure. They came up with that principle in January. 
However, Britain's digital minister Oliver Dowden says that that decision is, quote, not fixed in stone and an update will be given to Parliament before July 22nd. There are multiple reports out there. Sources telling Bloomberg, the Telegraph and others that the UK's National Cyber Security Centre reexamined its January recommendations after the US put in new restrictions on using US company software, equipment and designs for chip fabrication for Huawei. Remember, we covered that on DTNS, where it's like, it's not just that you can't sell to Huawei as a US company. You can't use stuff from US companies to build chips for Huawei now, and that would mean Huawei would have to source its chips from other manufacturers, which the UK's Cyber Security Centre says we may not be able to properly vet, so we may not want to allow those on our network since we could vet the stuff that was made by, say, a TSMC and we don't know if we can vet whatever companies Huawei decides to use in the future. Well, it's a pretty bad situation for Huawei if that's the case, where, you know, you're forced to partner with the company in order to get around some restrictions, but then the UK is saying, you know, well, but then we can't vet those companies either. So that would also be a problem. Yes, Stephanie. It's another one that mixes politics in with security and technology, right? Yeah, that's why it's very interesting on this scale. Obviously as a major like a leader of any of these companies or even just a leader in politics, you have to make these decisions, but it's just interesting how something happens in the US and the US makes a change and then it trickles over to another person's or another country's or government's problem and they have to figure out what they're going to do from there. It's one of those things that I think is beautiful in a weird way about politics and what it can do and the impact it can have. 
So I'm definitely curious to see how this goes moving forward, if they would completely stop. Stop dealing with them and stop using their equipment or not. Yeah, and China's ambassador has protested this idea, saying that the UK would be, you know, hurting itself by not getting the, by having to spend too much on its network and everything, which kind of implies that this is hurting if you get the ambassador out there saying it, right, instead of just representatives from Huawei. A new feature in the Canary build of Chrome 86 called intensive wake-up throttling will extend the limit on JavaScript browser timers from one second to one per minute, one per second to one per minute, in a page that's been hidden for five minutes. You got a tab open. You haven't been there in a while. That's what we're talking about. Websites use JavaScript timers to check things like whether scroll positions are changed, logs are updated, analyze ad interactions, stuff like that. Chromium researchers found that in a test with numerous background tabs on a 2018 15-inch MacBook Pro, throttling the timers extended battery life by 28 percent, which is almost two hours, to 8.2 hours total. In that same test, Safari use resulted in 9.3 hours of battery life. Yeah, so what was not surprising here is Chrome is a battery hog, no matter what you do. But it is nice that they got back some of that battery life by reducing this. I mean, this is one of those situations where the engineers of these pages and these JavaScripts, they don't care about your battery life. So they set that thing to happen multiple times a second, or I guess once a second was the limit on Chrome, because why not? You know, if they can catch that scroll position change faster that way, then that's good for them. So I'm glad that Chromium is putting in a longer limit because it has some significant effect on your battery life. Stephanie, I see you nodding over there. 
Yeah, because I'm like, I myself have had struggles with Chrome. It's my preferred browser, but you know, nothing gets rid of that annoying resource intensive type of experience. So I'm glad as well, but what you said was brilliant about engineers not necessarily thinking about your experience and mostly thinking about getting that end or getting this resolving the issue and they're got in their eyes. So this is a great thing for me as a consumer. Yeah, sometimes you need the folks who are consumer focused like the browser maker to do this, even if it isn't necessarily in Google's best interest because it might hurt an advertiser who's using this on the other end. Yeah, it's good. I'm glad to see this and I can't wait for it to roll out to my own Chrome. Not, I always have my thing plugged in, but you know, one day I'll start traveling again and I'll want that battery life. Well, and it shed some light on, you know, it's not just Chrome that people complain about, you know, it hogging the battery life on their system, but Chrome does get that a lot because it does happen to a lot of people, and just getting a little bit more background information on, oh, here's what's actually happening or what might be happening in your case and why it might be better in the future. It just, you know, gives people a little bit more information than just this is the worst browser ever. Yeah, because I'm using Firefox right now, but I can't tell you how many tabs I have open. There's too many to count. On June 11th OpenAI released its first API in public beta, which leverages OpenAI's latest GPT-3 model, letting you train the model on any text. Keep that in mind. You can put anything in here, train the model and then use that model along with the API's general English training set for any natural language task. Now already there's some cool stuff happening. 
Janelle Shane of AI Weirdness used it to simulate We Rate Dogs, a commendable project. Thank you, Janelle Shane. And friend of the show Andrew Mayne created a project called AI Writer, which uses the API to simulate conversations with historical and fictional figures. So real people like Marie Curie or Isaac Newton, but also fictional people like the Hulk. In other words, you can talk to them and it will use their writings to inform how it responds. For example, you could ask a virtual Jane Austen how her characters would use social media, because remember it's also got that English training set so it can draw on some modern knowledge. And Jane Austen, the AI, would reply: I'd have Emma update her status with a lament about the deplorable state of the publishing industry in a desperate attempt to get her Facebook friends to buy her book. Jane Austen, as wise in 2020 as she was when she was alive. Andrew Mayne says the characters can be, quote, quite erratic with matters of opinion and, quote, rarely reply to the same question in the same way. So they're not spot on quite yet, but they do well with historical facts, and Mayne says he's been using this for a little bit of creative inspiration in his own writings. There's a waiting list. If you want to get access to AI Writer, go apply at AI writer app. I love this. I mean, it clearly has a long way to go and there are, you know, some inconsistencies as the researchers have found, but just kind of the idea of, let's say I was, I don't know, I was in college and I was writing a paper on a historical figure. The ability to gain more information about who that person was, you know, what they had said, how they would interact when prompted with a variety of questions is just a really neat way to get information about somebody that differs from reading a Wikipedia page, say, right? 
And I think that it would be really interesting to see Hulk do something like what is the take on affirmations are holistic wellness because I think that's what the people need in the world. Did you say Andrew asked Hulk why Hulk smash and Hulk responded: Hulk likes to smash. Why? Hulk not know why. Please help. I mean, that's consistent with what I know of the Incredible Hulk. Yeah, exactly. Hey, folks, if you want to get all the tech headlines each day in about five minutes, be sure to subscribe to dailytechheadlines.com. Now, as we've said many times on the show, we humans are the weak point in security. Even if you have everything patched and secure on your computer, attackers could still gain access to your stuff if you give it to them. Social engineering is one of the ways that can happen. And even the smartest of us can get tricked if we're tired or distracted or just facing someone who's really good at social engineering. One of the ways you can fend off this risk, however, is being aware of what it is. And Stephanie is going to help us strengthen that firewall in our brains. Stephanie, let's start by telling people what social engineering is. So social engineering is basically, you know, your knowledge of human behavior, taking that and using that and trying to get a person to do something they wouldn't ordinarily do. So the definition itself is pretty neutral. There's no bad or good connotation to it, but a lot of people have associated it with bad behavior because they've lost money or they've been tricked into giving credentials or things like that. But when you think about it on the level of your six-year-old, which is an example I use all the time, your six-year-old that wants to go out and play and you're like, okay, well, do your homework and or clean your room, and they just stuff all their clothes in their closets, like, my room's clean. And then they get to go out and play. And then you find out that they didn't actually do the cleaning. 
They use the fact that you wanted their room clean as an excuse to, okay, what can I do to like make it seem as if I did that and trick them into letting me go outside or using my tablet or whatever. So in and of itself, we all do it on some minor level. But of course, people have used it as their profession to get, you know, to exploit people and get access to things that they wouldn't normally get access to. So it's a really fascinating thing. I love figuring out or checking or reading up on how people react to certain things. And so social engineering has been a really fun project for me in the last few years to like read up on stuff and kind of see what people do. So that's the long and short of that. Well, how do you know if you're getting socially engineered? What are some things to look for to notice? I mean, if you're dealing with a six-year-old, I think it's a little easier, maybe not, I don't know. There's a lot of different things. What I like to tell people is you're not going to catch the best, you know, liars, I guess you could say, or best manipulators. However, sometimes you just have to be careful with what information you share. A lot of people in security have different practices for how they secure their data and things like that. We're not expecting someone who is just a regular, you know, somebody who doesn't practice security to know those things, but stopping and thinking about, why is this person asking me this? Or, that's a very specific type of question. Just being a little bit more reflective or in the moment trying to think, okay, this question, is this some information I should share? Is it connected to anything that would give somebody access to something? Something as weird as like you're at the coffee shop, which doesn't make much sense now in the pandemic, but when you're pre-op the coffee shop and somebody is just saying, oh yeah, you know, I just took my dog on a walk and things like that. 
Sometimes sharing the name of your dog or how old your dog is or a specific information about your dog that somebody could use to answer questions, you might want to say, hmm, maybe even though my dog's name is Sparky, maybe I'm going to name him, I'm going to say that my dog's name is Spot instead. Maybe coming up with little things like that, but I don't want to make people paranoid about talking to people because human beings need to connect. It's just about what information do you share to a stranger and asking yourself the quick question of why do you think this person is asking this? Yeah, and I think that goes for online as well as in person, if you're in a Zoom call, you know, with people maybe you don't know, or in a cocktail hour on a Zoom call or in a chat room or anywhere, sort of being aware of what people are asking you and why is good, but sometimes we just get tired, right? Yeah, I think, I read a lot of psychology books as well and they talk about decision fatigue and basically how in the beginning of the day, your brain is primed and prepped to be able to make the best quality decisions, but as you're making decisions every day, and that can be from, am I going to go, where am I going to go for lunch, or am I going to answer this text right now or am I going to wait till later? As the day goes on, your brain is tired and it's like, what is the best, what seems like the best choice? That's why we tend to munch at night or we tend to skip the gym at night. Instead of the morning, we might be more able to go. So we kind of have to make sure that we are aware of those things and put things in place to be able to front that. So for instance, working out in the morning as opposed to working out at night is something that you would do on that level, but when it comes to answering important emails or things that seem urgent, maybe just having a mechanism of pausing. 
Like something we talk about at work, for instance, when we're training people on security things, is pausing to think, okay, this CEO is asking me for everyone's W2s, why? Why would they ask me an email? This is kind of important information. I'm not going to send this back. Instead, maybe I'll just call them or I'll talk to their assistant or someone else out of band to make sure that that request is what it is. So we need to make sure that we are aware that we're not always making the best decisions and kind of question ourselves in the moment. But again, it is a function of human beings to just make worse quality decisions as the day goes on anyway. Man, I love that idea of having a time at night when you kind of say, look, I shouldn't be filling in online forms. I shouldn't be adding in important information right now because it's late and I'm not paying as much attention. That's really good advice. You know, Stephanie, you mentioned the dog situation at the cafe. This actually happened to me not super recently, but somebody had called me and it was one of the IRS scams where a sheriff was coming to my house really soon if I didn't pay some money. And I had already heard about the scam. So I was like, ah, gotcha. Yeah, I know this isn't real. And for whatever reason, I was just kind of like curious. I wanted to find out where the call center was. And so we're kind of chatting for a few minutes and here I am like, I got one over on this guy, and I realized he was still doing it because he was asking me kind of, because now we're sort of chatting as friends, where he was like, he even asked me for a job. It was a whole weird thing, but it was like he was still trying to get personal information out of me because we had transcended to some other level. And finally I was like, this is just bad news. I'm not getting enough out of this, bye. 
But it was, I was kind of, I was almost duped in a couple of situations because I ended up sort of feeling sorry for him and wanting to chat for a while. And I mean, imagine how often that happens to people of all ages. Exactly. Even I have almost been, like, I wanna say like three, four years ago, somebody called in and they were like, oh, you know, there's an emergency. I lost my company materials or lost my company equipment and I really need to talk to this person in this department right away. And urgency is like one of the best tactics of like, okay, if I don't deliver this thing to this person, I could potentially have some sort of consequence that's negative. So then there's a rush to go. Exactly. So which is, but it's a person taking advantage of how human beings would naturally be helpful to somebody who's in need, you know, the whole Good Samaritan thing. They might say, okay, well, maybe if I just fly really quickly about this thing. But even the fact that you thought that, oh, I know what's going on here. You could see how a social engineer is still like, well, I'm gonna try anyway and see what I can get. Yeah. Using that sense of security that you had of like, I foiled him, you know, right? That's interesting. I mean, this example is probably more specific to phishing, but the one time that I caught myself almost giving away my eBay credentials was because I had just ordered something on eBay and an email came in saying, you know, log in and confirm your recent purchase. They didn't know that I had made a recent purchase, but because you can crank these things out on email and text message, right? They know that like 99% of them, people are gonna go, I didn't make an eBay purchase, but you just need to hit somebody that one time and then suddenly it feels real, you know? And you got to be looking out for that too. 
Yeah, I know with those, I just wanna say quickly, those, it's really best if you get a notification just to go to the browser and manually type the name and just go straight there to see. That will cut through a lot of stuff if you are just in the moment of decision fatigue. Yeah. Well, thank you so much. Now, you teach a course on this. Do you not? Yeah, I have a LinkedIn Learning course that I did in partnership with LinkedIn Learning. I released it in December of last year and so you can definitely, it's definitely a beginner level so anyone can come in and kind of get some tools from that. I tried to make it as funny as I possibly could with the constraints that I had. So I hope you enjoy it. I've heard good things. But yeah, if you have LinkedIn Learning, you can definitely go on there and search Social Engineering Security Awareness and it'll pop up. Great. Everyone can join in the conversation in our Discord, which you can join by linking to a Patreon account at patreon.com slash DTNS. Good group in there. Yeah, they're all gonna be asking each other their pets' names and their mother's maiden names, I have a feeling. Yeah, what was the name of your first elementary school? All right, let's check out the mailbag. Oh, we got a real nice one. We got a lot of nice stuff over the weekend but I wanted to highlight this one from Kevin, who says it's from "it's too hot to even swim" Milwaukee. I feel I owe you an apology you didn't even know you deserved. I used to think that I didn't have time for Good Day Internet and I was wrong, happily wrong. I enjoy the additional daily conversation and will try hard to make time for it. I've been a Patreon supporter for years now and I just decided to join the RSS feed and I'm glad I did. Very entertaining and an excellent use of my Patreon funds. Keep on, keep on on and Stacy. Oh, thank you, Kevin. You don't know how much that warms our hearts to hear when someone finally discovers the beauty that is Good Day Internet. 
And I love the sort of like, listen, I just thought it was kind of fluff, but it's really fun. It is kind of fluffy sometimes. We have fun too. So glad to have you along, Kevin. Also shout out to patrons that are master and grand master levels including Scott Hepburn, Dan Colbeck and Irwin Stur. Also thanks to Stephanie Ihezukwu. Hope I said that right. It's been so nice having you on the show, and let folks know where they can keep up with where you are online. I mostly tweet. I tweet all the time. I'm @StephandSec on Twitter. You know, Sec is short for security, Steph is short for Stephanie, and there's "and" in the middle. You can also visit my website at stephandsec.com. Excellent. Also, as we mentioned, you can support us on Patreon, dailytechnewsshow.com slash Patreon, and maybe not all of you need a mask. But if you do, we got some extra ones in the DTNS store, and who wouldn't want to walk around with the DTNS logo on their face. At least for me, it's much more interesting to have that. Go check it out, dailytechnewsshow.com slash store. Our email address is feedback at dailytechnewsshow.com. We love getting your feedback. We're also live Monday through Friday, 4:30 p.m. Eastern, 20:30 UTC, and you can find out more at dailytechnewsshow.com slash live. Back tomorrow as security week rolls on, Patrick Beja and Kirsten Broger are here to talk infrastructure security. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com. Hope you have enjoyed this program.