This 10th year of Daily Tech News Show is made possible by its listeners, thanks to all of you including Matt Zaglin, Kelly Cook, and Scott Hepburn. Coming up on DTNS, Reddit tries to go real-time again. David Spark is with us, fresh off the RSA conference and bringing the knowledge. And why do hacker groups get those silly names anyway? This is the Daily News for Friday, April 28, 2023. From Studio Redwood, I'm Sarah Lane. From lovely Cleveland, Ohio, I'm Rich Stroffolino. From Southern California on the shows, producer Roger Chang. And joining us is David Spark, producer of the CISO Series and frequent guest on DTNS. David, good to have you back. Also from Southern California. I've been good as well. Also from Southern California. Good distinction. Thank you. Thank you. By the way, we had a quick discussion of whether Southern California just means Los Angeles because I'm actually south in the San Diego area. People usually just say San Diego. Oh yeah, no, SoCal is SoCal. The LA people have their own thing. Well, you know, LA Plus. Alright, well, David, we're so glad to have you on the show to talk more about RSA this week. But first, let's start with some quick hits. Let's get started with an earnings season highlights because there have been a few of them over the last 24 hours. Amazon saw revenue up 9% on the year in its Q1 with Amazon Web Services revenue up 16% and advertising revenue up 23% to that effect. Pinterest also announced a multi-year ad partnership with Amazon where clicking on an Amazon ad from within a Pinterest feed would take you to Amazon to complete the purchase. Also in good news, Sony set an all-time record revenue and operating profit in its fiscal 2022, shipping 19.1 million PS5 units in 2022, up 65% on the year. But Snap saw Q1 revenue fall 7% on the year. That's the first time it's seen an annual revenue drop, so kind of significant there.
And Intel saw revenue fall 36% on the year with both its PC and server chip units seeing similar revenue drops. OpenAI reopened access to ChatGPT in Italy after the company met a variety of conditions from the country's data protection authority, Garante. OpenAI now provides further information on how it collects and uses data to train ChatGPT on its site. It's also added a form for EU users to object to having their data used. That was one of the big ones under GDPR, and added age verification tools to prevent minors from signing up. Garante urged OpenAI to meet its other demands for a more expansive age verification system and a publicity campaign to inform Italians about their right to opt out of data processing on the platform. But ChatGPT available again. The company Nothing confirmed that its Phone (1) will get the Android 14 beta one in the coming weeks, didn't say exactly when but said coming soon. This would put Nothing's Phone (1) as one of the first non-Google devices to get an independent preview phase. More partners will likely announce the same during Google I/O which takes place on May 10th. Earlier this week the UK's Competition and Markets Authority, you might know them as the CMA, blocked Microsoft's acquisition of Activision Blizzard. They were citing the deal would hinder competition in cloud gaming. Although Microsoft said it plans to appeal the decision, on Friday it also announced a 10-year deal with the Spanish cloud gaming platform Nware, a good faith measure to prove it can work nicely with others. Microsoft's no stranger to granting these kind of deals. It's previously signed similar cloud gaming deals with Valve, Nvidia and Boosteroid. Qualcomm announced a new game upscaling feature called Snapdragon Game Super Resolution. This uses a single rendering pass to upscale resolution on mobile devices. Other similar upscalers like Nvidia's DLSS use multiple passes.
Qualcomm claims no impact will be docked on battery life, so that's good. The company also says it will be compatible with most mobile GPUs but didn't offer a lot of specifics otherwise.

Alright, Rich, let's talk about Reddit and the future of Reddit. Yeah, they are starting to test new persistent chat channels. This is a pretty small test right now, 25 volunteer subreddits right now. Think maybe a little Discord-y but within Reddit, so you know active communities can have more real-time feel to them, or at least that's the idea. The company didn't share a list of the test subreddits but did say there were communities with less than 100,000 members, so hopefully trying to keep those chats manageable at least to start. Reddit is also accepting applications for moderators of subreddits that want to try out chat channels as they start to roll this out. Yeah, so if you hang out on Reddit or are a mod and don't know about this already, the channels will be live on the community navigation bar. Subreddits will have a dedicated channel for moderators to chat amongst themselves. Again, this sounds a lot like Discord to me, although of course Reddit is saying no, it's our own thing. Mods will also have control over enabling chat at all; maybe that's just not what the subreddit is good for. They can also decide which users can participate, moderate, report messages, all the things that mods do. The company also says it plans to add threading and pinned messages and user mentions and message editing going forward, so the whole sort of live chat is just part of Reddit trying to expand. Now David, Reddit's tried stuff like this before, but that asynchronous commenting platform has been sort of the beauty of Reddit this whole time. The fact that Reddit hasn't changed all that much, so what do you think? Are we ready? You know, obviously there are enough users out there passionate about their specific communities, their subreddits, that they want to chat in any means possible.
More my concern would be how the moderators would be able to handle this. If you put an open chat out there, I'm sure it would be used. You know, we work a lot with the cybersecurity subreddit and have done AMAs with them, and I want to tell you, although the ones we've done have been the asynchronous ones, we turn those into events, and again they're not chats, but definitely within the first hour that we do these, and we often make these AMAs a week long, the first hour are incredibly explosive. So it's not a chat by any stretch, but you can do timed events through the normal Reddit as we see now that may have a little bit of that feeling, a little bit more lasting power as well. Yeah, what I think is interesting here, I know a lot of people are saying oh, this is them going after Discord. Discord has kind of rolled out forum kind of posts to kind of give the opposite, you know, go from a chat after having something with a little bit more permanent threading and that kind of stuff, and now Reddit kind of going after this. I feel like this is an attempt to go after, like whenever you have a subreddit that's like, you know, a super thread or something like that. I've used, for example, like the fantasy football subreddit, might seem pedestrian but whatever. Like every Sunday they'll have "we're going to be talking about the games in this thread right here." That thread is like useless the day after those games. It's only really useful when like football is being played. It's a real-time thread. Yeah, and what you want, what you really want, I think the experience would be much better if that was in a chat. That doesn't necessarily take away.
I'm still going to, it feels like I'm still going to use Reddit in the same way I have, where it's like these hyper-focused individual communities. This isn't going into the homepage, right? This is I have to navigate to the subreddit that I'm already passionate about to see this. If I'm seeing like my aggregate feed on the Reddit homepage, that experience is not changing and I can dive into that community when I want to. So while I can definitely see obviously there are some analogues to what an app like Discord is doing, I don't necessarily see this as like oh man, this is Reddit's Discord killer. Discord definitely sees this as competition, it may draw some usage away, but it feels fundamentally different, just how the communities kind of interact. Reddit also, it strikes me as a community who's like, we do what we do well and we don't want to be the modern version of Reddit. You might recall that Reddit has tried live interaction stuff, features like Reddit Talk that was a Clubhouse clone, live chat community chat rooms were deprecated back in 2020, Reddit saying at the time we listened to you, users and mods, and your experience was not up to our standards. So I feel like there is a place for this, but I wonder if Reddit is almost uniquely positioned to be a bit of a dinosaur, and everyone on the platform wants it to be that because that's how it works. Well, it's amazing, I mean, you know, all other technology programs would not keep this incredibly lean looking, not graphically attractive platform going given the immense amount of users that are on it, but that is again their brand, their charm, and why people stay on it. So, you know, again, live chat stays within that brand. It's, you know, they're not offering video and also stickers to put on it as well, so I think they're staying within their brand here.
And the other thing that's really notable about this, it seems like they're being very mod-focused with this rollout. I mean, they're doing it very small scale, they're like we want, my question. That was their mistake the last time they tried to do this, they shoved it on everybody and mods were like freaking out, like we can't, look, to David, to your point, we can't scale this. Right, that was my number one concern. I don't think it's a problem of users not adopting, it's whether mods can handle it. Yeah. And that's kind of what Reddit is all about.

Well, a lot of times when we're talking, you know, about malicious actors online, talk about threat groups, talking about advanced persistent threats, those kinds of things, we're using the code names provided by security companies, and in coverage of these we see these names out here all the time. Sometimes that means we're talking about someone like APT29, sometimes we're talking about Cozy Bear, sometimes we're talking about Nobelium. Turns out those are all the same group. You wouldn't know it just by the various names that we have out there. Well, why, as Andy Greenberg recently wondered, we're talking about groups that are doing really serious stuff here, we're talking about groups that are threatening critical infrastructure, disrupting businesses, spying on people, you know, working hand in hand potentially with other nation states. Why are we using a glut of unstandardized and kind of sometimes cutesy sounding names like Cozy Bear, I want to give a hug to, and not, you know, be targeted by like, you know, Russian special forces or something like that? So David, why do we have kind of this, where do they come from? Yeah, I guess where are we pulling these from and what's the glut here that we're seeing? They're all coming from, but there is definitely an issue with the same organization having multiple names all together, because, you know, whether you have your defenses up for one, does it also appear that you have it for the other two?
What we definitely don't need in cybersecurity is more confusion, and more, I would say, unnecessary confusion. That would be a great sort of concern that I would have about that. It seems pedantic to be arguing about names of threat actors like this, just call them Jerk One, Jerk Two, Three, Four, whatever, but this is actually kind of critical also because where the threats are coming from sort of speaks to the intention and the type, and it will allow us to actually have a better conversation about it and also know what we're dealing with. No, question is, can we all get on the same page? Yeah, and in the piece, you know, Andy was talking about possibly bringing in the National Institute of Standards and Technology, NIST, to kind of standardize all of this. We've seen also calls for this from Mandiant CEO Kevin Mandia and others in the industry to kind of be like, I don't want to have to go to my board when we've been breached and say, it's Periwinkle Tempest. Yeah. Like they're at it again. These are legitimate names, and yes, obviously, like if your CISO or, you know, your CTO or whoever is coming to you and says we're having a major cyber event, at a certain point you block out the silly sounding name and you focus on the business urgency and the crisis. If Mint Sandstorm is attacking you with a massive ransomware attack, that could literally cripple your business. It is distressing to know that one of these silly names could be the end of your career or your whole organization. So that is a sort of an odd conundrum to be in. And I guess, you know, what are we going to decide here? I think what Microsoft is doing is interesting in terms of standardizing the naming convention. Can everyone get on board with it? Well, yeah, I mean, that's part of the problem, or I guess not part of the problem.
The industry feels like there are relatively few enough big players, and we're talking about like Microsoft, CrowdStrike, Mandiant, like these giant names, that if they can coordinate on that, they have the sway to pull those in. But it's really Microsoft that kind of sparked this conversation. They actually recently changed up how they are doing their naming convention, going from elements, so like Nobelium and elements then for threat groups, turns out there's more than 118 threat groups, who could have known, Microsoft, and they've switched it up to this different name. But it kind of has its own issues because it's two words, one of them is related to the suspected country of origin, and then the second is kind of like the mode of their operation. And one of the problems with that, I think, also is we are very cautious, and David, I know you are also on the CISO Series, of making sure that we're saying these are, you know, we don't know that these are state-affiliated actors, we see signs that they're state-affiliated actors. But like they don't come out and say like we're working for Russia or Iran or North Korea or anything like that. But by locking in a suspicion like that with kind of no visibility into the confidence in that assumption, I think that also might have some negative downstream effects when it's like, oh well, it says Sandstorm, so of course we know this is from country X or something like that, right? Yeah, I mean, you make a good point of it's what we think it's coming from. Because, yeah, people don't raise their hand and go, oh yeah, that's me. It's like they're not going to a Yelp site and say, qualify or, you know, claim four stars in this group. It would have been better with a better name, but they did everything else really well.
Yeah, what is interesting to me is we have seen a very concerted effort from CISA, from everyone from CISA all the way on down throughout the industry, that like information sharing, especially post-SolarWinds, is more important, right, as we're seeing threat actors increasingly target things like critical infrastructure, right. We need to be sharing threat intelligence, and it would seem like it could be a massive problem if, oh, I didn't update Nobelium to Periwinkle Tempest last week, so now all of my signals, like I'm not correlating that signals intelligence. That's not a problem for Microsoft or any of these big players, but it is a problem for a lot of the smaller companies that are depending on them. They might not. It's just the threat intelligence, like how do I, you know, like in that chart that Microsoft has, they have a whole list of "also known as," so if I'm coordinating threat intelligence and organizations get threat intelligence from multiple locations, you know, is this the same threat intelligence as I have from Microsoft as also this location? I mean, that's a lot of freaking confusion.

Well, we will talk a little bit more about, you know, how to make us all a little bit safer coming up after the break, but first, Rich, where can they keep up with the latest episode of Tom's Top Five? All right, yeah, well, Tom's Top Five, you got to check it out, youtube.com/dailytechnewsshow. Tom is covering celebrities who know how to code. That's right, celebrities. They're more than just good hair and a smile, of course they have that, but some of them write code in their spare time, and you can catch the other episode where Tom breaks down the top five things you need to know about technology. You can check it out, like I said, youtube.com/dailytechnewsshow.

All right, the RSA Conference is an annual trade show where cybersecurity professionals gather to discuss emerging threats, current issues, and ways to deal with both.
This year's conference happened this week in San Francisco, and David, you were there as usual at RSA, so let's talk first, any major new trends in cybersecurity that stood out to you? Well, let me just start with it was no surprise that application security and cloud security were the two big issues, because most of the breaches we are hearing about now are often happening through those avenues, and also happening because of identity issues, which is, you know, people getting the credentials to access both cloud and applications. So that is pretty darn high. I would say, though, given the rise of generative AI and ChatGPT just in the past like four months, that was an enormous level of discussion as well, and it's just sort of, AI has been a big issue, but it's a very different discussion this year than it was last year. Well, and what do you think, you know, for people who understand, you know, how it works and where it's going, that's one thing, but did you feel like there was a lot of FUD going on from people who aren't quite sure yet? Well, in this crowd, the RSA crowd, we don't, fortunately. The desire to not get sold FUD is pretty high, and I think most vendors know not to push that fear. FUD stands for fear, uncertainty and doubt, and that was a very common tactic. In fact, when we started the CISO Series, we were very much battling that sales technique, and we very much sold that. So I feel, again, this is just anecdotally, that I hear way less of that now than I've ever heard before. I think it's just this issue of you have many, many vendors often doing the same exact thing, and it's very confusing for the buyers to understand what, how is this one different than the next one. The quick story I tell is I would roam the floor with CISOs, chief information security officers, who are extraordinarily knowledgeable, and I just say, you know, look at all those names out in front of you that you see.
What percentage would you say you actually know what they're doing? And the highest number I ever got was about 20%, which is distressing that the smartest people in the industry have a 20% clue of what's going on. So that gives you an idea of how tough and confusing selling and buying is in the industry of cybersecurity. Reading the kind of the show floor, for lack of a better term, when it comes to generative AI as, I guess, both a potential threat and tool, like what, on balance, were you seeing more like, hey, we're excited because we have tools like Microsoft's Security Copilot and stuff like that that are going to enable us to do more things efficiently and free up more time for security analysts, or was it, there is going to be, like, where was I guess, where was it on that spectrum, or this is a threat that you need to prepare for? So it's interesting to bring that up, because ChatGPT introduces value and a threat simultaneously, and that's kind of odd and unique about it. I would say there was definitely a more glass half full attitude towards ChatGPT, in that most were very excited about it from many different angles about what you can do to simplify rather mundane tasks. There was, I remember having a discussion about, would you let ChatGPT code for you? And because that is what's being done by a lot, that they say write some code for me that does this task. Now many, you know, the security people I spoke to go, well, I, you know, if I had to just have it do a repetitive task, I'd say write the script that will, you know, repeatedly find this information and copy and paste it into a document, kind of a thing. And they're like, yeah, yeah, I'm cool with that, but ChatGPT doesn't write, they feel, secure code, so having it do something real was distressing from the glass half empty side.
I would say the fear is really as to what general users are putting into ChatGPT's sort of knowledge base, and the fact that a lot of personally identifiable information was being put in there and now it is searchable by others. So that was a great concern, and also just, I think, the use of ChatGPT to do social engineering as well, to get sort of good dialogue going. But in general, the threats that are out there are the ones that are being used in ChatGPT, so the CISOs I was talking about, it's like, well, it's just regurgitating current threats. It's not creating zero days, so I'm not as worried about that aspect. Yet is the keyword there. But David, the other aspect I was really interested in was seeing like kind of a lot of confusion coming out around cyber insurance, just like getting it, pricing it. I know this has kind of been a contentious topic within the security community, especially when it comes to ransomware, like what were you, and I think a lot of people don't even know that cyber insurance exists. Yes, and it's definitely a very growing field and desperately needed. So it's interesting with cyber insurance. You need to apply to get it, and it is not like just getting auto insurance. In fact, many, many people get rejected for cyber insurance, and you need a lot to be able to have it. You need to qualify: endpoint detection and response, or EDR. You need to prove that you have an incident response plan, that you have backup, you have 2FA, and you've got email security. And by the way, there's nuances to all of that. But I spoke to one cyber insurance guy and he said, like, we see companies of all sizes not having any of that, which is very scary. The other issue is, you know, they'll get a cyber insurance plan for a certain amount of money, and sometimes these ransomware attacks are so intense that, because it's not just the money you have to pay out to the ransomware company.
It's also the net result of your information getting out there, because a ransomware attack has multiple levels here. It's not just the money I have to pay them, but oh no, now they have this information, and now I've got legal issues because the PII, personally identifiable information, and personal health information is out there. So I even heard in many cases they don't even do an audit. They just say, you know, you've got a max amount of X million dollars, we'll just pay you that out. Like they don't even think, it's like, let's not even bother looking into it, because it's definitely going to be more than that, so let's pay you the full amount. Wow. I'm just, a ton of, again, like an area that we don't get a lot of visibility into, so I appreciate you kind of breaking down some of the issues with that. And I know we've seen even like, Nash, like certain countries and other areas where we're seeing legislation about, you know, what are the benefits of cyber insurance and stuff like that. I know you guys are talking about that on the CISO Series. Cyber insurance is there for one reason. CISOs, security professionals, their job is to reduce risk. What controls can I put in? How can I train my staff to reduce risk? At some point, you just can't reduce risk anymore, or there's no cost benefit of it. We've gotten to the point where we've reduced the risk to the level that we can handle it. At that point, there's a percentage of risk that you can't control, and that's where cyber insurance comes in. And that's why cyber insurance requires that you have sort of basic security controls, because they only want to be dealing with the risk that is not controllable. And so understand that that's where cyber insurance comes into play. It's for the risks that you can't control, that's out of your reach. All right.
Well, if you need a data plan the next time you're traveling abroad and have a smartphone with eSIM capability, then Chris Christensen just might have the answer for you. This is Chris Christensen from Amateur Traveler with another Tech in Travel Minute. By the time you hear this, I'll be in Greece on a sailing boat, and hopefully I'll have with me a data plan that I can upload all those great photos that I'll be taking while I'm in Greece. And if you're looking for a data plan, one thing to remember is that most modern smartphones have eSIM capability so they can have multiple lines. And you can get a data-only plan or a data plan plus calling in addition to your regular number. And it's surprising how cheap they can be right now. And if you're looking for different plans, esims.io is one good resource for finding different data plans. I'm finding for Greece I can find something as cheap as $8 for three gigabytes of data for a month-long plan. But you can also find what works for you. This is Chris Christensen from Amateur Traveler. I'm going to try to put aside my jealousy that Chris is going to Greece and say this is actually a really good tip. $8 for three gigs for a month? Oh man, that is better than what I used to get from AT&T. Makes you want to get in the boat and just head on over to Greece. Really does. Really does.

Alright, Sarah, what do we have in the mailbag today? Oh, Rich, I'm glad you asked. So Ulrike wrote in about why we might be ascribing personality to things like language models. As of late, we've been talking a lot about this. Why do people want robots to act like people when all they're doing is pulling information from people? Ulrike says there's a scene in Jerome K. Jerome's 1889 novel called Three Men in a Boat (To Say Nothing of the Dog) in which the characters all engage in a loud conversation about how they don't want any tea, I don't even like tea, et cetera, in order to trick a recalcitrant kettle into boiling.
The answer to the question, why do humans attribute intelligent motivations to large language models, isn't that we've watched too much science fiction, nor that there's even something unique about LLMs. The answer is that humans anthropomorphize everything. We talk to our cars. We talk to our kitchen appliances. We attribute malice to the photocopier that jams every time we're on a time crunch. I've had coworkers ask me to print things for them because, quote, the printer doesn't like me. Ulrike says anthropomorphization is inevitable because we're humans. We see patterns. We say that pattern is intent on attacking me. I have a brain. Machine works like my brain, which is not always true, but sometimes also true. And I think that's where we're in kind of a limbo mode. David, any thoughts on the printer not loving you? I love that line. The printer doesn't like me, because, yes, first of all, everyone's had a printer not like them, and that is a reaction. Nobody says, oh, the printer's jammed, obviously it's broken in some way and I need to fix it. No, we don't talk like that. We all know printers are sociopaths, so that's clearly the case. 100% non-sociopath, though. David Spark, thank you so much for being on the show today, dropping the RSA knowledge, the security knowledge, keeping us up-to-date on the latest and greatest. Where can people find out more of what great stuff you're doing at the CISO Series? Well, I would say we do great stuff at the CISO Series, Mr. Rich Stroffolino, because you're also part of the CISO Series. If you want to hear more of Rich's voice, you should be tuning into Cyber Security Headlines. So this gives you the great tech news, and sometimes security news, as we've seen here. But if you just want your cybersecurity news and you want it short, like six, seven minutes, I would check out our Cyber Security Headlines. We are going to be going to New Orleans next week.
If any of your listeners are in New Orleans, there's a BSides, which is sort of these localized security meet-up events. There's a BSides New Orleans happening May 3rd next week. That's Wednesday. And we will be the closing entertainment. We're going to do a live recording of our podcast, the CISO Series Podcast. It's going to be a ton of fun. We'll have the corporate CISO for GE there on stage with me. So please, check out our site, CISOseries.com, and join our virtual or in-person events. We're going to have a lot more coming up. Well, David, always a pleasure to have you on the show. Thank you for being with us. Also, I'd like to thank our brand new bosses. And right before recording began today, Chuckie Chan, you slipped in. Chuckie Chan just started backing us on Patreon. Thank you, Chuckie. We're so glad to have you. Woo-woo. And Patrons, remember to stick around for our extended show, Good Day Internet, where David will be delighting us with a quiz called That Totally Socks. So, keep it under control. But just a reminder, DTNS is live Monday through Friday at 4 p.m. Eastern, at 2000 UTC. And you can find out more at dailytechnewsshow.com/live. We hope y'all have a wonderful weekend. We'll be back on Monday with Lamar Wilson joining us. Talk to you then.

This week's episodes of Daily Tech News Show were created by the following people: host, producer and writer, Tom Merritt; host, producer and writer, Sarah Lane; executive producer and booker, Roger Chang; producer, writer and host, Rich Stroffolino; video producer and Twitch producer, Joe Koons; technical producer, Anthony Lemos; Spanish language host, writer and producer, Dan Campos; news host, writer and producer, Jen Cutter; science correspondent, Dr. Nikki Ackermanns; social media producer and moderator, Zoe Detterding. Our mods: Beatmaster, W. Scottus1, BioCow, Captain Kipper, Steve Guadirama, Paul Rees, Matthew J. Stevens, a.k.a. Gadget Virtuoso, and J.D. Galloway.
Mod and video hosting by Dan Christensen. Music and art provided by Martin Bell, Dan Lueders, Mustafa A, Acast and Len Peralta. Acast support, ad support from Tatiana Matias. Contributors for this week's shows include Scott Johnson, Justin Robert Young, Molly Wood and Chris Christensen. Guests on this week's show included Brian Ibbott, Nate Lanxon and David Spark. And thank you to all the patrons who make this show possible.