Coming up on DTNS: a vulnerability in the Trusted Platform Module, Spotify trials a cheaper plan, and Seth Rosenblatt is here to talk about the effects on security of right to repair. DTNS starts now. This is the Daily Tech News for Tuesday, August 3 2021. In Los Angeles, I'm Tom Merritt, and from Studio Redwood, I'm Sarah Lane. And I'm Roger Chang, the show's producer. Editor in chief and founder of The Parallax, Seth Rosenblatt, is with us again. Welcome back, Seth. Hello. How's everyone doing? We're doing lovely. Thank you for asking. We were, we were just talking about pneumatic tubes and a half on pneumatic tubes with Seth. We were also talking about big box electronic stores. We miss all of that. It's on Good Day Internet. Get that by becoming a member at patreon.com slash DTNS like our top level patrons like Paul Boyer, Brad and Kevin. Thank you for supporting the show. Let's start with a few tech things you should know. Realme officially launched MagDart, an Apple MagSafe-esque system for the iPhone 12 range of phones. The company says that the 50 watt MagDart charger will fill a 4500 milliamp hour phone battery up to 100% in 54 minutes and is also working on a 15 watt MagDart charger that will charge a 4500 milliamp hour battery in 90 minutes. YouTube's hundred million dollar fund to pay creators using its Shorts format, which rolled out to 100 countries last month, is now live. You can get that money. YouTube says it'll invite thousands of eligible creators waiting to be one or to be paid from the program through 2022. It's offering $100 to $10,000 depending on your engagement metrics. Anyone posting Shorts is eligible for payment, though creators who participate in the YouTube Partner Program are exempt because you're already getting paid other ways. Apple has made the Magic Keyboard with Touch ID available for purchase separately for $149 or $179 if you want that number pad as well.
Previously, the keyboard was only available with the purchase of a 24 inch iMac. And in potential future Apple product news, the Eurasian Economic Commission database has six new Apple Watch identifiers, not too surprising as an Apple Watch Series 7 is expected this fall. There were also two new Mac identifiers added, which are likely new MacBook Pros with Apple's M Series chips. After being named in a lawsuit filed by the Department of Fair Employment and Housing, the DFEH, alleging sexual discrimination and harassment, Blizzard Studio President J. Allen Brack has stepped down from the company and will be replaced by Executive Development VP Jen Oneal and GM Mike Ybarra as co-leaders. In a statement, Blizzard indicated a desire to change its company culture. Twitter announced a partnership with the Associated Press and Reuters to add context to trending topics, starting with English language topics. This will be in addition to Twitter's crowdsourced fact-checking system Birdwatch already in place. Twitter also introduced support for account creation and login using Google or Apple accounts. Google login works on Android, iOS and the web, and Apple login works on iOS with web support coming soon. So it's Black Hat week, which means you can expect your feeds to be filled with set-your-hair-on-fire, scary security stories, and we will try to help you sort out the truly scary ones from the other ones. This one isn't great, but at least it got caught by researchers. Security researchers at Dolos Group published the results of a pen test, penetration test, of a client's network, in which they compromised the Trusted Platform Module, the TPM chip. Researchers were given a Lenovo laptop with full disk encryption using Microsoft's BitLocker, a TPM, of course, UEFI Secure Boot, password-protected BIOS, and other recommended security implementations based on NIST standards. The encryption key for unlocking the drive was stored in the TPM.
This is the default configuration. Now, Microsoft does advise using a PIN or password to unlock the drive instead of letting the TPM just do it. But only if the user believes they're at risk of someone gaining physical access to their machine with enough time to open it and solder a little bit inside. However, the Dolos Group researchers figured out a way to get the decryption key out of the TPM in 30 minutes without needing to use a soldering iron. The TPM communicates with the CPU using a Serial Peripheral Interface, or SPI. The SPI itself doesn't offer any encryption, so the TPM has to rely on the device it's communicating with to encrypt the connection. And it was communicating in this case with Microsoft's BitLocker, which does not use any of the latest TPM encryption standards. So there's a possibility of eavesdropping. To eavesdrop on the SPI communication, though, they had to attach leads to pins. They didn't have to solder, they just had to attach leads to pins. But those pins on the SPI are 0.25 millimeters wide and spaced a half millimeter apart. So not really possible without soldering, but the SPI chip shared a bus with the CMOS chip, which had larger pins. So the bus handled the communication for both the CMOS chip and the SPI chip. Any information coming from the TPM to the SPI chip came through that shared bus, so they attached their leads to the big pins of the CMOS bus. They used a Saleae logic analyzer to sniff the bytes moving through the shared bus. They used the BitLocker SPI toolkit written by Henri Nurmi to isolate the decryption key, and Bob's your uncle. They could decrypt the hard drive from there. It was a fishing expedition on the drive that led to them finding a way into the company's VPN. Multiple security researchers are offering ideas for mitigations here. It's a sophisticated attack, Seth. So I don't think most people in the world have to worry too much about it, but how much should we be concerned?
It's the kind of attack that the average consumer, even us on this call, probably don't have to worry about at all. I would even venture to say that activists or journalists reporting on sensitive topics probably don't have to worry about it unless their organization is sending them a brand new laptop that has the latest and greatest built in. It is, however, a concern, I think, for employees of organizations that are engaging in very sensitive data transfer. If you are, say, an engineer at a company that's got some very protected IP, this might be something you'd have to worry about then. But it's a very interesting hack, the way that they got around this. It's vulnerable to the housekeeper attack if you leave your laptop in the hotel room, or at the border if they take your laptop away for more than 30 minutes, you know, but yeah, I think you're right, I'm with you. It's more of interest how they were able to do it. And also, I think good news in that it's like, hey, Microsoft, A, you might want to support those TPM standards. And also, B, even if you don't think someone has time to solder, if you want to mitigate this, maybe turn on that password protection for the decryption, right? Absolutely, yeah. Good stuff. Well, on yesterday's show, we told you about YouTube's new cheaper ad free tier that doesn't include YouTube Music. But what if you really like music, but also would like to not have ads? Spotify might have a solution for you. It has a new cheaper paid tier. It's not free, but it's a cheaper tier with ads called Spotify Plus, with at least one user saying that they saw it offered for 99 cents per month. It's in testing, so not everybody may get the same price. Currently, for $9.99 per month, the premium tier gives you all the bells and whistles of Spotify. Apple Music, same price. But Spotify limits you to six song skips per hour, and only lets you shuffle albums and playlists when you're on the free tier, the absolutely free tier.
So this is something that's, you know, it's a buck a month, right, or thereabouts, but it might give you what you're looking for. Spotify Plus will still have ads, but it will let you skip as many songs as you want and select specific songs on an album or playlist to also listen to. Spotify is testing different price points with select listeners, but that 99 cents per month seems to be one of the ways that they're testing things out. I, so $9.99 a month seems decent. That's, that's the premium price, but I get why some people wouldn't want to pay it. They're like, you know what, I don't need that much expense. I also see that Spotify is like, yeah, but if we can, you know, boil the frog, get you to pay 99 cents a month just to skip, after a while, maybe you'll be like, oh gosh, not skipping, being able to skip is nice. But I really would like to create my own playlists or, or all, you know, the other features that are in premium. Maybe the fact that they got you to pay a little gets you to pay a little more later, right? Yeah, I actually, I'm lucky enough to, so I'm not a Spotify customer. I am an Apple Music customer and the two services, at least for that $10 premium tier, are more or less the same. I get it with my Verizon mobile subscription. It's just something that's, that's, that's bundled in. So it's not actually $10 that I pay for every month. I feel like I still would, but, but if for some reason Verizon was like, eh, no longer offered, I might think about some of these things. You know, how often am I really skipping between songs more than six times per hour? Not often. In fact, I mean, if there's like a new album that I'm interested in, I might be, I might be listening to some music, and there are other months that my activity is pretty low. So, yeah, I think, I think it makes a lot of sense for Spotify to say, will you give us just a dollar a month? Maybe 10 is a little bit too much for what you're looking to do.
But we can at least strip out those ads because that is, you know, well, that doesn't strip out the ads. The 99 cents leaves ads in, right? Yes, yes. Yeah. Yeah. So you're going to put up with that still. Yeah. Yeah. Well, and then, and then maybe there's, I don't know, a $5 tier at some point where they figured out something even, even more. Right. So how many tiers are they going to have? They still don't want to pay the 10. Yeah. Every, I have a price point for every feature. I don't know, Seth, I don't even know what kind of music service you pay attention to. Is this interest to you at all? I pay for Spotify. I've gone back and forth on quitting and going to pay YouTube premium. And my, my, I mean, I've got like, I don't know, 12,000, 15,000 songs or something. You know, that I've liked on Spotify. So when they finally, you know, bumped us up, that was a big deal. I, it really bothers me that they still don't have a lot of the music that I want. You know, or they'll have, you know, every album by a, by a specific artist, except for one or two. So when they, they try to nickel and dime, you know, free users into paying for just a slightly larger subscription than free, but not the full $10, I don't, I don't know. Is it going to, I don't know that it's going to work for them. I don't know that people care enough. I think it's frustrating for people who, you know, may not be able to afford a full time, you know, a full $10 month service or multiple services. And ultimately, I think it's going to wind up driving people away. There's just, there's too many different services. There's, you know, too many different ways of slicing and dicing it. But I'm also very skeptical about these things to begin with. I think they end up, people who want to use Spotify will continue to use the free, whether they'll pay a little bit just to skip songs. I mean, that's why Spotify is testing it. Yeah, yeah, yeah, yeah, yeah. China's crackdown on tech platforms continues. 
Here's the latest. China's Economic Information Daily published an article condemning online game addiction, specifically mentioning Tencent's Honor of Kings, one of the most popular games in China. Hours later, Tencent, which makes Honor of Kings, announced that children younger than 12 may not spend money in the game. And they took the time restriction for those children from one and a half hours per day down to an hour. After they did that, the article disappeared. The State Administration for Market Regulation said it would investigate mainland China's automotive chip makers for evidence of hoarding, price gouging and collusion. China's car sales fell 5.1 percent in June, ending an 11 month streak of growth that may have prompted this investigation. And I'm going to take a deep breath here. The Central Propaganda Department of the Communist Party, the Ministry of Culture and Tourism, the State Administration of Radio and Television, the China Federation of Literary and Art Circles and the Chinese Writers Association issued joint policy guidelines to encourage better culture and art reviews by, in part, limiting the role of algorithms in content distribution. The policy advises Chinese content creators to, quote, strengthen Marxist literary theory and criticism, and, quote, not to contribute to the spread of low, vulgar and pandering content or quasi-entertainment content. Too much celebrity gossip, not enough Marxist literary theory, basically is what they're saying. The ongoing crackdown has impacted companies in different ways. Tencent ended the day with its stock price down 6.1 percent. Gaming and online community company NetEase fell 7.8 percent. Video sharing site Bilibili fell 3.4 percent. Ant Group Financial announced profits dropped 37 percent from the previous quarter following its canceled IPO. Meanwhile, Alibaba has been weathering things a little better.
Revenue missing expectations, but still up 34 percent on the year, and earnings per share beating expectations. Cloud and commerce slowed, but global active consumers for Alibaba rose 45 million on the quarter. The bright spot for Alibaba was its worldwide expansion. Seth, I don't know if you've been following the ongoing China crackdown as it moves from food delivery to financial to chip makers, et cetera. But this is a march that China is making. And last Friday, we sort of talked about the fact that what they really want to do is get people to move off platforms talking about social media stuff and start doing serious technology. And I found that reflected here and they're saying, we don't want you gossiping about celebrities anymore. Right. Yeah, the, I haven't been following the latest in this very closely, but certainly China has the ability to influence how its people interact with technology and the Internet more so than almost any other country on earth. Certainly more so than any other widely active on the Internet or widely engaged with technology country. It's, it's, it's always fascinating from one perspective to watch what they do and what they're interested in. It's also kind of scary. Yeah, I think one of the things that I'm noting is they've gone from we'll let you be open up to a point, right, to that point is now narrower. And yeah, I'm not sure what effect that's going to have on the economic benefits they got from allowing up to a point in the past. It's, it's hard to, to, to see that, you know, as separate from what's going on in Hong Kong. They've, you know, been slowly tightening the vise on Hong Kong since 97, but just the most recent moves there plus this all feel connected in a way that the connections may be looser than, than tighter. But it's just, it, you know, it's very interesting there. Well, folks, we love patrons that stick with us. The patrons are the majority focus of who we serve and what we do and how we're funded.
And that's why we're happy to offer Patreon loyalty rewards. You can get a unique sticker, mug, a t-shirt or hoodie every three months as long as you stay a patron at the top four levels. Each one has unique art from Len Peralta featuring the DTNS seven year anniversary logo. Go check them out. Look at the tier descriptions at patreon.com slash DTNS. Right to repair is getting lots of momentum, even from the US federal government. But there are some security implications that go along with it. We talked about this, you know, a fair amount here on the show. So would finding a zero day vulnerability count as repair? For example, Seth, what are your thoughts? The right to repair movement is super interesting because it's, you know, the sort of the classic David versus Goliath, and the organizations, the corporate organizations that have lined up against the Davids in this, you know, are as big as Apple. They're organizations that build, you know, medical devices such as CT scanners. And the idea that you can't have a third party come in and fix something even after they've been trained is, I think, sort of anathema to how we've developed technology, certainly in the US. And then you add on to that the idea that it's part of the repair that they can't fix a security vulnerability in the device when they have the opportunity to do so is just sort of a remarkable step backwards, I think. There's, you know, one of, if you remember the Mirai botnet from a few years ago that infected all these video cameras around the world, one of the solutions proposed and I think implemented to some degree was to force out a firmware update that would patch the vulnerability and close the security hole that allowed the botnet to access that camera. Does that fall under right to repair?
You know, it's certainly not something that the vendors of those cameras and the manufacturers of those cameras had a hand in because they were these very small manufacturers from who knows where, you know, and otherwise did not include over the air updates. So I personally think that that, you know, given the the risks that security vulnerabilities can face, you know, being able to do so to fix them is hugely important. And we're starting to see, you know, California, Colorado, of course, Massachusetts are all working on or have passed recently right to repair bills. Massachusetts is is working its way to the courts. I know Pennsylvania is considering one, Hawaii is considering one. These I think this is going to be become a nationwide thing very shortly. Yeah, I think this is an interesting take because we've talked before at length on the show about the idea that you should have the right to fix something because, you know, if it's broken, it's a lot cheaper to fix it yourself than to pay someone else to fix it or to replace it. A lot of times companies don't even repair your thing. They just they just want to swap it out, which is wasteful. But there's this other aspect of it, which is, yes, companies generally work with security researchers. There are stories of security researchers getting in trouble for fixing a vulnerability, which is it has a chilling effect. Even if it doesn't happen all that often, it happens enough that some security researchers like, yeah, I'm not going to mess with that. So if you have right to repair, cover security vulnerabilities, you're going to encourage more people to look for vulnerabilities, which means you'll find more vulnerabilities, which means you'll patch more vulnerabilities, which I think is good for all of us, right? Right. And, you know, one thing I just want to quickly interject that is is also really important, especially on medical devices. 
I wrote about this in May, just before I went on paternity leave, which is that a lot of device, a lot of medical devices are under contract and cannot be, cannot legally be repaired even by a licensed third party technician, even a third party technician who has training, who knows what they're doing, legally cannot come in and fix things, stuff like motorized wheelchairs. And there are numerous cases where people who depend on these devices for their lives have not been able to use them once they break down, because there is, you know, there's two technicians for serving the entire US and we're in the middle of a, you know, of a pandemic lockdown and so they, they can't get on a plane. They also may have a backlog of, you know, 500 cases or whatever the issue is. It's, it's really sort of shocking to see manufacturers, you know, spiting their own noses, you know, despite their face. It's really unfortunate because they could be doing their, their customers a service by encouraging this or at least setting up, setting up sane regulations and, and guide rails on how they want things done. But to just, you know, stamp down on it is, is, stomp down on it is really not, really not so. Stop eating your own nose for goodness sake, ridiculous. All right. In July, we talked about how vulnerabilities in software from a company called Kaseya let ransomware group REvil crack into 50 managed service providers, which in turn led to ransomware attacks on around 1500 client organizations of those MSPs. Reuters' Joseph Menn has a story out now noting that several security researchers say that attackers are now targeting MSPs because, man, they saw how effective REvil's attack was. And that looks real attractive to them. Head of the nonprofit Dutch Institute for Vulnerability Disclosure Victor Gevers said they have discovered vulnerabilities in more MSPs and are working with them to fix it.
And Bugcrowd chief executive Ashish Gupta says their vulnerability reporting platform has seen flaws as bad as Kaseya's being reported. The US Cybersecurity and Infrastructure Security Agency, or CISA, offers free risk assessments, penetration testing and analysis of network architecture. But Seth, basically the message of this report is they're coming. They're coming for you. Sure. I mean, and we saw this with SolarWinds last, you know, last winter. MSPs offer a really attractive target. Why spend all this energy and effort targeting one company, even if it's a high profile company like Apple, when you can get 50 smaller companies and get much more bang for your buck out of the same vulnerability? It's, it's, it's economics. And that's something that we, that we really see a lot of these days in, you know, in the cyber criminal space, which is the looking at economic incentive. They're looking where they can make money, whether it's espionage or ransomware or whatever. At the end of the day, it's what kind of value can they get for their efforts? So the fact that, you know, MSPs are really high up on the target list now should, should be a surprise to nobody. Yeah, there was, there was an interview kicking around today that was with a group saying, we're only targeting companies that, that are a hundred million dollars or more. Yeah, right, which they're trying to make it sound like they're doing the world a favor by only going after the fat cats. But of course, that's the companies where you can get more money out of them. Right. Right. And I mean, that reminds me of last year when one of these ransomware gangs announced that they would, because of the pandemic, they were putting a pause on targeting health care and hospitals. Yeah, so that didn't actually happen. They did not pause on targeting health care hospitals. They had some of the highest profile attacks against hospitals last, in the fall of last year.
I don't know that you can actually believe anything that a cyber criminal gang is going to tell you, because they have their own agenda, you know, so. Yeah. Yeah. There is honor amongst thieves, but not honor between thieves and the person they're robbing, usually. Yeah. Yeah. You know, yeah. Just, just be cool, robber. Come on, you know, we've got honor. Well, whether or not you're in a hospital, you probably care about washing your hands, and Amazon has a new smart soap dispenser that works with its voice assistant. So you tell the assistant and it helps you do what you want. The fifty five dollar gadget includes a set of 10 LED lights that count down as you're washing your hands for the 20 seconds that's currently recommended by the CDC. You can optionally pair the smart soap dispenser with a compatible Echo device to access a supporting routine that would, say, play your favorite song or tell you a joke or a fun fact or otherwise fill up those 20 seconds while you're washing your hands. The smart soap dispenser comes with 802.11n Wi-Fi, which is, you know, OK, and a micro USB port, also OK, for charging. But it has those things. Well, I don't understand what this does. It's a series of LEDs that blink at you, counting down the 20 seconds you're supposed to be washing your hands. And it's a progress bar and plays you music. And it can also play music if you have it paired to an Echo device. It actually doesn't even have a, like a speaker inside. It's a, it's a fifty five dollar Internet connected progress bar. Basically, yes. Jeez. So OK, so I'm really glad that, I'm glad that you said that's not me, because earlier, you know, I was like, oh, it's, it's kind of cool. And I was like, what isn't, I mean, listen, it's, it's important. We should all be washing our hands for 20 seconds. Like I'm not going to argue with you about that. But it does seem like overkill for something that is, you know, kind of all the rage.
I remember everyone's ignoring the major function of this, which is it just dispenses when it, it senses your hand and dispenses. You don't have to push down on it. It's touchless. Right. I could get a touchless dispenser for much cheaper. To me, that's the compelling feature. Yeah, I really need the LED lights, and then why, I mean, I remember years ago reading an article about how the biggest cause of bacterial infection in operating rooms was that doctors weren't washing their, not just doctors, nurses, everyone in there wasn't, weren't washing their hands before, you know, before, before starting surgery. They were literally not scrubbing in, which we all know that they should do. I mean, I don't know. Like, I think what they wound up doing was just creating better messaging for washing their hands and not creating a freaking fifty five dollar internet connected progress bar. Crazy. You're, you go to someone else's house. It's a dinner party. You go in their bathroom and you're like, well, that's fancy. You know, it's like a fun gift, maybe, to give somebody. It's all right. It's not that it doesn't, you know, it serves some sort of a purpose for the person who has everything, but also has dirty hands. There you go. It's like, do you guys remember from a few years ago at, at CES, the, the internet connected fork? Right. Remember this? And it would like, it would like monitor your meals for you or something. How much you ate based on something. This is like this, but for soap. I mean, we're still on that kick. We're trying to monitor just about everything. But I don't need, here's the way I look at it. Honestly, I don't need my soap dispenser to be hackable. Motion sensing, great. Wi-Fi, no, I don't. Yeah. Yeah. Yeah. All right, let's check out the mailbag. All right, let's do it. This one comes in from Thor. This is in response to Chris Christensen's tip yesterday about the Cable Car Museum in San Francisco.
Thor says, I love technical museums and I'd like to share another that I visited while interrailing around Europe: the Nikola Tesla Museum in Belgrade, Serbia. Loads of cool steampunky stuff. And of course, a big Tesla coil. Wishing you all great travels. Oh, that's very cool. If I ever get to Belgrade, I will go there. That looks great. I'm glad that he reminded us. I think maybe I'd heard of this before, but very cool. I feel like too. Yeah, I've never been there. And if we all should be so lucky to travel soon, let's go when Serbia will let us in. Oh, that's right. Yeah, let's all go to the Tesla Museum. If you have feedback on anything that we talk about on the show, we would love to hear it. Really, really enjoy questions, comments, all the feedback that you've got for us every day. Keep it coming. Feedback at dailytechnewshow.com. Also, a special thanks to Mark Allen Leanna Cio, who's our, one of our top lifetime supporters for DTNS. Mark, you've been a supporter for many years. We thank you wholeheartedly. Thank you. Also, thanks to Seth Rosenblatt for being with us today. A lot of security news to talk about, Seth. It's gonna get worse. Well, just with Black Hat and DEF CON coming, even though they're mostly virtual with some people in person, this week is gonna be really busy. So if you start seeing a whole bunch of scary headlines, just take a deep breath, drink some water, maybe some whiskey, and then dive in. Whatever you do. And where can people keep up with your work that might be debunking some things that might be too scary for other folks? Sure, on Twitter, I'm at SethR, that's S-E-T-H-R, and the Parallax View newsletter, which focuses on cybersecurity and healthcare, is at the-parallax.com. That's it. All good. Well, thanks a lot. This is the applause for Mark Allen Leonezio that I couldn't get to play earlier. Oh, I mean, I don't mind being applauded. You can have some applause, too, yeah. I feel like Seth deserves applause. Thank you.
Thank you. This goes right, this goes right. Folks, we're live on this show Monday through Friday. We do it every weekday, 4:30 p.m. Eastern, 2030 UTC. Find out more at dailytechnewshow.com slash live, and we will be back here doing it again tomorrow with Scott Johnson. Talk to you then. This show is part of the FrogPants Network. Get more at frogpants.com. The Diamond Club hopes you have enjoyed this program.