Daily Tech News Show is made possible by its listeners. Thanks to all of you, including Reid Fishler, Larry Bailey, and Michelle Serju.

Coming up on DTNS, Jack Rhysider talks to us about how he gets those excellent stories for Darknet Diaries. Plus, should we just accept that people think hacker is a negative word? And DARPA's plan to secure open source.

This is the Daily Tech News for Monday, July 18th, 2022. In Los Angeles, I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. I'm the show's producer, Roger Chang. And as I just mentioned, joining us, host of Darknet Diaries, Jack Rhysider. Thanks for joining us, Jack.

Glad to be here, thanks for having me.

I really appreciate you taking the time. We are huge fans, and when I say we, not just us on the show, but every single person in our audience, you were the number one person when we asked who should we get on the show this week. So we really appreciate it.

We'll have to do this more than once then.

Yeah, absolutely, I'm in. Let's start, however, with a few tech things you should know.

Snap announced Snapchat for Web, which lets users send snaps and chat through a desktop browser. The feature is limited to Snapchat+ subscribers in the US, the UK, Canada, Australia, and New Zealand at launch, eventually expanding to subscribers in other markets, and then to all users. And yes, the web app will also prevent users from taking screenshots. But remember, it can't stop anyone from taking a photo of a snap on the web with their phone.

Instagram added the option to shop through chat. The feature began rolling out to qualified small businesses in select countries, letting customers ask questions, get product details, and check out using Meta Pay in the chat interface. WhatsApp added chat-based shopping back in October.

Denmark's data protection agency ruled that data processing of student data using Google's Workspace suite does not meet the requirements of GDPR.
The agency found that Google's data processor agreement allows for data to be transferred to other countries to provide support, although ordinarily, student data is stored in an EU-based data center. The agency ruled that schools in the municipality of Helsingør must stop using Workspace and Chromebooks as a result, further saying that the ruling will probably apply to other municipalities and that it expects them to take relevant steps based on that decision.

If any of you missed the net neutrality debates, guess what, they're coming back. The Washington Post reports that US Senators Ed Markey and Ron Wyden are preparing to propose, so they've got a proposal and they'll propose it soon, the Net Neutrality and Broadband Justice Act. It's a small bill, two pages, which is nothing for Congress. It would reclassify broadband telecommunications as a Title II service or a common carrier as it was under the FCC during President Obama's administration. The internet was reclassified under President Trump as Title I, an information service, more like cable TV. This new bill would also give the FCC the power to set rules against throttling, blocking or paid prioritization. The Verge's sources say they could introduce the bill sometime in August. It's not clear if the bill would garner enough support to pass or not.

Speaking of things like that, FCC chairwoman Jessica Rosenworcel circulated a notice of inquiry to fellow commissioners seeking to increase the national broadband standard from 25 to 100 megabits per second and downloads from three to 20 megabits, I'm sorry, 25 to 100 megabits, up down three to 20 megabits up. Remember, the FCC is split to two right now, so she may not be able to get them to agree to that either.

Meta announced a plan to acquire Giphy back in May of 2020. The deal attracted regulatory scrutiny in the UK with the Competition and Markets Authority ultimately ordering Meta to unwind the deal in November of 2021.
Meta appealed the decision to the Competition Appeal Tribunal. That body largely sided with the CMA but found that the CMA failed to properly inform Meta of Snap's acquisition of Gfycat, thus undermining Meta's defense. As a result, the tribunal ordered the CMA to reconsider its ruling, giving Meta an opportunity to comment on its final report. Stay tuned.

All right, let's talk a little more about open source. Some people probably still think of open source software as a hobby. You imagine the individual tinkering around with their code, railing against proprietary systems, and that kind of thing absolutely still exists. But open source software is much larger than that. It underpins a large part of how the world operates. The dominance of Android and Linux-based servers means that pretty much most tech that boots up boots the Linux kernel at startup. And that's just Linux. MIT Technology Review notes that multiple open source projects are essential for the infrastructure of the internet as well as things like power grids, shipping, transportation and more.

The theory goes that open source software can be more secure because it has more eyes on it than a closed software situation. But there are so many projects now that inevitably a few are going to escape scrutiny. For example, in November of 2018, someone managed to push a back door into a widely used JavaScript module called event-stream after the volunteer who maintained it handed it over to somebody that they didn't know. These cases aren't common, they're rare, but as spam has taught us, at scale rare cases can cause problems.

So the United States Defense Advanced Research Project Association, US's DARPA, you know, the folks who brought you the internet, have launched SocialCyber, an 18 month long project designed to map, understand and protect open source code and communities.
They're gonna use automated tools to do code analysis, looking for potential bugs, and also things like sentiment analysis on social interactions. So for example, the Linux kernel mailing list, they would look to see, hey, do we detect any patterns that indicate somebody's maybe up to no good. DARPA contracted multiple teams of security researchers who are going to look at code contributions to critical open source projects like the Linux kernel. They also mentioned Python would be one of these as well. And they will identify areas of under investment where important parts of the open source ecosystem are run entirely by handfuls of volunteers. For example, New York's Margin Research is mapping out who works on the Linux kernel. Turns out the largest contributor is Huawei, but code is also written by Russia's Positive Technologies, which is currently sanctioned by the US, and also members of the US NSA. The point of the project seems to be getting a handle on where code is coming from, as well as how to safeguard that the code is indeed benign.

Jack, do you have any thoughts on whether this is a good idea, a good path forward?

Yeah, I think it's probably good for someone to have like a second set of eyes on some of this stuff. I mean, one of the early stories that really got me into why I make my show was the Heartbleed story. And this was a vulnerability in OpenSSL. And that was a big problem, right? It resulted in lots of stuff happening. And so there was some folks that were like, well, we're gonna make our own version of OpenSSL and we're going to fork it. And that was, I think, LibreSSL. And at the same time, OpenSSL was finally getting some funding. And so OpenSSL was getting all this extra bugs fixed and stuff and LibreSSL was like a fork of it and they were fixing bugs. And it was going in all these directions and it was like interesting to see what happened after Heartbleed, right?
And I wasn't seeing that and that's kind of why I was like, wait, I want this update of what happened after that. What were all the changes that happened? And did it get the funding it needed and the support it needed? So I think we've seen quite a bit of vulnerabilities happen in major open-source software that it would be nice to have, I don't know, some significant support on them to audit it or review it or maybe even give some sort of approval of like this is allowed to be used in government software or something like that. Cause we've got all sorts of standards that the government has to agree to before they can accept software and so there are systems and stuff too. So yeah, I think it's an important thing that's going on here is open-source is important to just the fabric of the internet and having some sort of support there because a lot of these projects are lacking support.

Yeah, I think having an organization that is independent that tries to keep track of things is necessary now because of the number of projects that are out there. It's just impossible for it to be done without a little bit of organization. Whether DARPA is the right ones to do that or not, I think is debatable, but I think they are the right ones to maybe point the way and maybe what comes out of this is the information you need to be able to set up some kind of independent effort that in the open-source tradition will allow people to like get on board and say, okay, we're gonna be the folks that we're gonna be the ombudsman, so to speak, that try to look over everything like this. I think it's a good start for sure.

Yeah, I think there's just like massive amounts of open-source projects out there. So it's gonna be interesting to see which ones they actually look at and do anything with because they'll probably be able to touch less than 1% of what's out there. But the important ones out there, what's the critical infrastructure that needs to have a good solid working framework to it?
It's gonna be fascinating to see what they deem critical, I suppose.

Totally. Well, in tech circles, the term hackathon has been part of the common parlance of our time. Getting together a group of engineers, programmers, working intensely on a project over a day or two, we are used to hackathons. Then you've got yourself one. The term even made it into the Oxford English Dictionary back in 2012, but Stacey Morford recently published a piece in The Conversation. She made the case that while the term is common in the tech industry, might be time for some alternative names to take root, especially in the health industry.

Yeah, so the marathon part of hackathon, the thon part of the portmanteau, isn't really the problem nor is the efficacy of hackathons themselves, but Morford points out that research shows the general public thinks of the word hack as negative. They associate it with malicious behavior. And while it may seem like an innocuous difference when you have organizations organizing hackathons around things like healthcare and other sensitive data sets, the term sometimes does these efforts no favors. There are alternative names. I mean, hackathon could be called a datathon, maybe a code fest, but Morford notes that these pale in comparison to the popularity of hackathon, which shows about 90 times more results in Google search compared to datathon and about 30 times more in scholarly publication.

Yeah, she's talking specifically about the healthcare industry in her Conversation column, but I think there's a wider topic here. For a long time on this show, we try to refer to malicious hackers as attackers or something else specific to what they're doing. And we try to reserve the use of the term hacker for its broader meaning of somebody who likes to mess around and try things. But I'm wondering now after, you know, 20 some years of doing that, whether that battle is over.
English is a living language and sometimes you just have to admit that the language has moved on. Is hacker one of those words? Is it generally a negative term now? Jack, I can't imagine you haven't given this some thought yourself.

Yeah, I think hacker has become such a common day parlance term. I mean, I'm thinking immediately lifehacker.com, Hackaday. There's a book called Parenting Hacks. I mean, I've got an aunt who's not into computers much at all. Yet when I go with her to the smoothie shop, she's like, I've got a hack on how to get, you know, a certain kind of smoothie that they can't make on the menu or something, like check it out. And I'm like, that's not a hack. And, but I love how everyone thinks that they're a hacker just because they can navigate a food menu properly. So I think that term, I mean, if my aunt is using it and she doesn't have that, you know, hacking mentality, like we imagine what a hacker sounds like, what is hack anymore, right? And so I think it definitely doesn't have a negative connotation just in the sense of like, yeah, I've got a travel hack or I've got a parenting hack. Like that's totally not negative at all. That's a great thing. Ooh, I want to hear about that. Tell me about your parenting hack. So yeah, I take, you know, I disagree with the idea that hack has such a negative term. I think it's used very commonly now.

I feel like you have given me new hope, Jack. Cause you're right. Like we have, we go to the bubble tea place and people talk about like, you know, like, oh, I've got a hack for getting more, you know, regular user things on the frequent bubble tea card. And we never think of that as negative. You're absolutely right. So we just need to wait it out maybe and continue to use like, you know, these are attackers or these are sophisticated actors or whatever it is for the people doing malicious things. Because I think it's only in terms of stories about computer attacks that hacker has that negative connotation.
Yeah. And I think, go ahead.

Oh, okay. I was just going to say, I love you bringing up life hacks, Lifehacker, you know, one of my favorite websites, but life hacks in general, I use that term all the time. And I don't even realize it. And people know what I mean. They don't think I'm breaking into someone's computer when I say something like, oh, I've got a good life hack for you.

They're breaking into their life.

You're right. And I think also there, you mentioned the bubble tea place, Tom, I subscribe to a newsletter that's all about flight travel hacks, basically how to save yourself money, as much money as possible. You know, when you're traveling somewhere, maybe when you get to the hotel, there's a hack to get upgraded to a better room type of thing. No, nobody doesn't think, you either read the newsletter or you don't, but if you're interested in that sort of thing, it's like, this can save me money and time. These hacks are good. I think that probably everyone in the audience knows better, but people who say, oh, computer hacker, well, that means, you know, they're going to take down a, you know, the Department of Energy, you know, if we don't stop them first, that's a scary kind of hack because a lot of people don't understand that.

Yeah, I think everyone wants to be a hacker secretly. And that's why we use things like, oh, I got a travel hack and stuff. But I do kind of want to unveil like what this hacker thing is, and that's kind of why I do my podcast. Like, ooh, is this person in the basement with a hoodie on or whatever? And, you know, oftentimes my show talks about like, no, this kid was in fifth period class and he just found a post-it note on the teacher's desk and grabbed it. Like that's not like the hacker you imagine. And he's doing it on a tablet in the back of class. Like, it's a different, like gives you a whole different view set of what, you know, criminal hacker might be. And I agree with you.
Instead of using the term hacker on my show, I often use attacker or extorter or criminal or a thief or something like more specific.

Yeah, yeah. Now, there's a mischievousness to hacking that is apparent in these life hack travel hack examples, right? Which is like, you're not, maybe you're skating along the line of the rules or the law, but you're not up to no good. You're just, you know, trying to see how the system works. And I'm glad that you pointed out that that ethos is still preserved in those arenas. So yeah, like I said, you've given me new hope for this. I'm gonna keep it up.

Folks, as you may realize, it's special guest week here on DTNS all this week. If you like what you're hearing, please tell others and thank our guests for coming on. Tell your friends to watch or listen to Daily Tech News Show all this week.

Darknet Diaries is an investigative podcast that focuses on various aspects of cyber crime, but also online security, hosted by Jack here. It is, as I said, hugely popular amongst the folks in our audience and the staff here. Jack, explain Darknet Diaries. Why did you start this?

I feel like I wanted a slow news version of cybersecurity stories, right? So if you listen to the news, it's like, well, here's the breaking news and this site is down or this place got hacked, but you don't know what happened. You don't know who did it or what. So I was like, okay, let's wait until four, five, six years later and let's cover that whole story. Now I know it all. Now I know who did it. I know they were arrested and I know they were caught and all this sort of thing. So we can finally go back to the beginning and tell the whole story soup to nuts. And I think that's a proper way to tell a cybersecurity story. And I was lacking that in the world. I couldn't find that. So I decided to make it myself. Like what's that whole story like? Give me the full story now, not just a current version.
When we were asking people, okay, we're gonna have Jack on, what kind of things would you like to hear him talk about? Universally, people wanted to know how do you find these stories? How do you get these people to talk to you?

I've kind of got three, maybe four different ways of finding stories. Number one is I just keep my head in the game, right? I'm on Twitter. I'm watching the news. I'm all this kind of stuff. So I kind of know what's happening and what are the big stories. And the big stories I let simmer for quite a while before I do anything about it. People are like, hey, there's stuff happening, coronavirus hacks are happening or something like, okay, four years from now I might cover that. But thanks for telling me now because I've got a pin in it and I'll come back to that. So just like knowing what's out there. But I've got some Google alerts, like "hacker sentenced". I think it's a good Google alert because when they're sentenced, now I know they were arrested. And if they're arrested, that means they've done a crime and if they've done a crime, now I know what they've done. And I can go all the way back and figure out from the start. So there's a bunch of Google alerts that I have that just look for stories. Some other Google alerts are like "biggest hack ever", "biggest data breach ever", "hack that reads like a movie", just these strange things that people might write about. But then I also have people at this stage, I've gotten so popular that people are bringing me stories. And so people are coming out of prison and like, I don't know who you are, but my friend says I should talk to you to tell my story. And I'm like, okay. And they're like in a halfway house calling me on a borrowed phone or something. And it's amazing. Some of those stories are really incredible. So yeah, I'm lucky to have stories brought to me at this point.

I'm curious. Oh, go ahead, sir.
I was gonna say, we certainly, we cover some of what you cover, but we're a daily tech news show, right? So we cover things and then we cover them again when we find out more information. And often stories can go years and years and years. And we've gone back to them several times and even had to correct information as information has changed. Do you ever, I know that you like to play the long game when it comes to your diaries themselves because you wanna have all the information and be able to tell the full story, especially when people are coming to you with stories that would be and could be very compelling. Do you ever feel the need to rush anything out to revisit later?

Yeah, there's sometimes like very rarely there's, I get lucky where there's like a, you know, a hacking story in the news or whatever. And the person who did it comes to me and says, I'm the one, I'm the one on these headlines. And I'm like, okay, well, I guess I could tell your story before you get arrested or something like that. It'd be interesting to hear what from your perspective. So that doesn't happen too often. I usually do wait, like if somebody comes to me and says I'm actively doing criminal stuff, I'm like, okay, I'm not going to like publish that because I have some sort of, I don't know, responsibility that I don't wanna glamorize some of the criminal behavior that people are doing. And so I really kind of like, I prefer if they, if somebody comes to me and says I've done some criminal stuff in the past, I'd like to tell you my story. I'm like, were you arrested? That's my first question. Like show me your indictments, show me the court documents because that'll help me understand that there's kind of a narrative there as well. Like, yeah, you've done all this terrible stuff, but then you were caught and you've received some sort of punishment for it because like I said, there's some sort of responsibility I have of not glamorizing it too bad.
You've mentioned several times about people coming to you and that partially answers my question, but why do you think people want to talk to you? You would think it would be the opposite, that people don't want to make their crimes known, especially if they haven't been arrested yet.

Yeah, and to top it off, I think it was very difficult for me to ask people, hey, do you feel like telling me about that worst day of your life at a time where you were hacked or you did this like horrible crime or whatever? And like I was really nervous and not even wanting to talk about it, but as I got in, as I asked those really hard questions in some of those early interviews, those people were telling me like, wow, I've never actually spoke about this in such detail with you, with anyone. Nobody's asked me how I felt the moment I pushed enter. You know, like that's like a whole new question that nobody's ever asked. So it was, it's almost cathartic for some of these people to just express it all and get it off their chest and say, yeah, that's what happened. And some of the news stories get it wrong. And so now they want to come on and say, I want to set the record straight. This is not the kind of person I am. Here's more clearly like why I did things and stuff. So they don't like how the media portrays them sometimes and they want to get that cleared up. But I mean, I think a lot of criminals kind of like, you know, having that sort of feather in their head of like, look at the cool thing I did or something, you know, even though they were arrested and served prison time and stuff like that.

The thing that I don't hear much of at all, I mean, I get pitched every day. I'd like, you know, we have the CEO of our cybersecurity company that would like to come on your show and talk about, you know, being an expert in these emerging threats and stuff.
And I'm like, I want to hear the time when your company got breached or when you got inside a threat that just took you down and hit you and you were on your knees and you didn't have a plan and you had to figure out how to work through this and no CEO wants to come on my show to tell me this. And so we do have these kind of embarrassing moments of like, well, that was a horrible time. Why would I tell you that? It doesn't look good on my company at all. I want to come on your show to look good, not to look bad. And I think we are lacking that just kind of in the industry. And I want to bring that out of like here, let's expose ourselves in this vulnerable way of like just saying, this is where we suck. This is where we dropped the ball. This is how we could have done better. And this is how bad it was, but this is how we're fixing things in the future. I wish I could hear more of those stories honestly.

Yeah, I feel like it would be just as therapeutic for the industry, once that, if that were to become the norm for companies to feel like, oh, okay, we aren't risking everything by admitting that something happened. In fact, we're able to better defend in the future because we're sharing information more. At least it feels like it might be like that.

I mean, I go to conferences to try to find people who share the same pains as me, right? And so if we're sharing them publicly, then I think it could connect us in a better way.

Yeah, well, folks, you hear that? Get in touch with Jack, be the first. Be the one to brave the change.

Well, moving on to space. The first pictures from NASA's James Webb Space Telescope, this telescope, have been making the rounds, some really beautiful stuff. You've probably seen at least a few, but the new telescope has already had a few rough patches in short time in operation. Back in June, NASA disclosed that a micrometeoroid struck one of the telescope's 18 hexagonal mirrors between May 22nd and May 24th.
NASA have released a new report on the incident, detailing more about what the damage actually entailed. While the number of micrometeoroid strikes met pre-launch expectations, you're going to run into stuff in orbit. That's just how space works. And the magnitude of one of these caused a significant blemish in one area that NASA said caused significant uncorrectable change in the overall figure of that segment. NASA expects the overall impact of the telescope's mission to be small as the other mirrors remain unblemished and realigning the mirrors allows it to operate within performance limits. The next dust generating event that the telescope needs to look out for is flying through particles from Halley's Comet in 2023 and 2024.

Well, they had better luck than Hubble, I guess, which if you remember, they had to fly up and change stuff out. At least they could just sort of, you know, get around this problem. But yeah, I don't know, do they need more shields or something? Like, that's scary that that happened already. Thankfully, it did not affect the amazing pictures that we're getting out of it so far. And it seems like it won't, fingers crossed.

Yeah, no kidding. I mean, I've been very transfixed by some of the images. So James Webb Space Telescope, we believe in you. Just stay away from the micrometeoroids or even the bigger meteorites. Micrometeoroids, stay away from the JWST, please. Yeah, yeah. Go bother somebody else. We're doing good work here. Yeah. Come on, the humans need information.

Thank you so much, Jack Rhysider, for being with us today. Such a pleasure. Let folks know if they would like to DM you some cyber crime tips or follow your podcast or anything else that you do. Where should they go?

I'm most active on social media on Twitter. So my name there is Jack Rhysider. And you can follow my podcast on the website darknetdiaries.com.

Very cool. Very, very beautiful art on that website as well.

Thank you.
And I like your explanation of how you make art and then somebody who's really, really good at it makes it really, really cool.

Yeah, it's a combination of a little collaboration. I'll do the initial design and then give it to an artist to kind of clean it up.

Yeah, results are pretty cool. Thanks to our brand new bosses, Andrew and Eric came in over the weekend, just started backing us on Patreon. Thank you so much, Andrew. Thank you so much, Eric. One for each day on the weekend, right? Yeah. That's perfect. Y'all are the best, like a tag team. Yeah, and you know, tomorrow it could be you.

There's a longer version of the show called Good Day Internet. Sometimes we call it GDI. It's available at patreon.com slash DTNS and we roll into it right after DTNS wraps up. Just a reminder, we do the show live Monday through Friday at 4 p.m. Eastern, 200 UTC. Find out more at dailytechnewsshow.com slash live. We're back tomorrow with Scott Johnson joining us and special guest, Will Smith, on the democratization of broadcasting. Special guest week rolls on. Talk to you then.

This show is part of the Frog Pants Network. Get more at frogpants.com. Diamond Club hopes you have enjoyed this program. Ha, ha, ha, ha, ha.