Coming up on DTNS, Microsoft has new accessories for your Teams life, Roku makes a voice-activated remote, and why someone wants to steal your chest x-ray. Seth Rosenblatt is here to talk about the need for better safety around medical. This is the Daily Tech News for Tuesday, April 13th, 2021 in Los Angeles. I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. I'm Mr. Producer Roger Chang. And joining us, the editor-in-chief of The Parallax, Seth Rosenblatt. Welcome back to the show. Good to have you, man. Hello, everybody. We were just talking about the mystery of French tacos and trying to track down what the appropriate definite article in French would be for that. If you want that expanded conversation, become a patron. Good day, internet. Patreon.com slash DTNS. Let's start with a few tech things you should know. Spotify launched a dedicated voice control car accessory called Car Thing, only available to invited Spotify Premium subscribers in the U.S., currently being sent for free outside of shipping. The device features a touchscreen and two knobs, connects to a phone over Bluetooth, and essentially serves as a dedicated car remote for the Spotify app. Apple sent out invites for a special event streaming online April 20th, at 1 p.m. Eastern, 10 a.m. Pacific. The invite started with the title Spring Loaded, and an Apple logo that was also drawn a bit like a spring. So, obviously, this means Apple pogo sticks or beds will be announced, although some people believe it will instead be an announcement of a new iPad Pro with a mini LED display and Apple AirTags. But we'll see. We'll find out April 20th. I could live with a new iPad Pro. Just saying. Just saying. Yeah. A WhatsApp loophole lets an attacker lock you out of the app and essentially deactivate your account. 
So, what an attacker needs to do is log in through your number by requesting authentication codes, then wait for WhatsApp to block sending codes after you do enough attempts because that's what WhatsApp does, then set up a new email address to send a lost/stolen phone request, and then repeat that cycle two more times to successfully lock you out. So, it's a bit complicated. The method does work, though, even if you've set up 2FA. But WhatsApp says in response, quote, providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. Man, never call a problem unlikely to a bunch of hackers. Dell announced a new XPS 13 laptop option with an OLED touchscreen available now, starting at $1,000 up to $2,200 for an 11th gen Intel Core i7, 32 gigs of RAM, two terabytes of PCIe solid state storage. Dell is also releasing the 16-inch 3K display Inspiron 16 Plus, along with updated versions of the Inspiron 13, 14, 15, and the Inspiron 14 2-in-1 mid-range laptops. The 16 Plus touchpad is 30% larger than the last gen, has 11th generation Intel H-Series processors, and NVIDIA GTX or RTX graphics card options. Starts at $950, coming June 3rd. Discord is blocking its iOS app users from accessing servers tagged as NSFW, or not safe for work. You can still access those servers through the browser on iOS or on other devices. Discord announced the change, but did not mention why the change was made. I'm gonna suspect an Apple App Store rule, but that's just a guess. All right, let's talk a little bit about Microsoft announcing all that stuff. A lot of things. Microsoft made several hardware announcements with a new Surface Laptop and a variety of accessories. So let's start with Microsoft's Surface Laptop 4. 
Similar in design and port selection to the Surface Laptop 3, so it doesn't have Thunderbolt, but it is available in 13.5 and 15-inch models, with a choice of Intel's latest 11th gen processors or AMD's Ryzen 4000 Zen 2 series. Microsoft claims up to 70% better performance than the Surface Laptop 3, and the battery life claim rises from 11.5 hours to 16.5 to 19 hours, depending on the model. You can max out the Intel models at 32 gigs of RAM and 1 terabyte of SSD now. Pricing for the 13.5-inch starts at $999 for AMD, $1,299 for the Intel version, with the 15-inch starting at $1,299 for AMD and $1,799 for Intel, shipping in Japan, Canada, and the U.S. on April 15th. On to the accessories. Microsoft's Modern Webcam will be available in June for $69.99, offering 1080p resolution with HDR, a 78-degree field of view, and a privacy shutter, although no Windows Hello support. The company also announced the Modern USB-C Speaker, available in June for $99.99, with omnidirectional microphones and background noise cancellation, as well as a dedicated button to launch a control panel for Microsoft Teams. The Surface Headphones 2+ for Business includes a USB dongle and on-ear Teams controls, costs $300, shipping in April, and Microsoft's Modern headsets, both with dedicated Teams buttons, $50 for wired and $100 for wireless, coming in June. Yeah, so it's the modern age. We got all these new things called Modern, and all this stuff is really Teams-oriented. This is for folks using Microsoft Teams. But that webcam, I saw a couple people refer to it, and Sarah, you and I were talking about this earlier, very competitive to the Logitech C920, which has kind of been the workhorse of webcams for years now. Yeah, I mean, I'm using the C920 now. Sometimes, people say, you need a better camera. Oh my gosh, there's a spider on my monitor. Okay, I'll just keep going. But yeah, it's sort of the, oh, you want to get into video podcasting, start with that. 
It's relatively cheap and does a good job. And this seems like for $70, it seems to be right in that wheelhouse. Is it a problem that it doesn't work with Windows Hello? That seems to be not great planning on their part. I mean, I suppose there are other ways to use Hello. Certainly, you don't have to use a camera for Windows Hello. You can use fingerprint, and maybe you've got a new Surface Laptop 4 that has a camera built in, but it's odd to me. Why wouldn't you have it work with Windows Hello when you made the camera? I guess unless you want to keep the price down? I don't know. Yeah, I would think it would all be software, but I don't know. I would think so too, right? But maybe there's a chip that you need in there that they didn't want to upgrade to. Yeah, I don't know why that wouldn't work with Hello. But I might be willing to try it just to see how it compares to the C920, because nothing wrong with the C920. It still works great, but I've been curious about some kind of alternative to it for a long time. So yeah, good stuff. Good stuff from Microsoft. Nothing earth-shattering here. Surface Laptop 4, just a spec upgrade. I think the biggest news there is that you've got the AMD and the Intel options going on. Sure, sure. And maybe a spider option as well. Yeah, if there's a spider removal option on maybe the new Dell monitor or Microsoft has something for Sarah, that might help out there. Thank you for both of you talking for the last minute or so while I took care of the issue. Good. We're back in business, everybody. You're now spider-free. We got product announcements today. Roku began rolling out Roku OS 10. That adds AirPlay 2 and HomeKit compatibility to all the supported Rokus. Previously, AirPlay 2 was only supported on select 4K players and a few of the TVs. Now, any Roku device that can run Roku OS 10 will be able to support AirPlay 2 and HomeKit. That means Siri voice control. Roku OS 10 also features Instant Resume. 
That's a feature that takes you back to the last thing you were watching, if the channel supports it. Right now there are 15 supported channels. There probably will be more. The U.S. live channel guide now lets you hide channels and add some to a favorites list. And connected game consoles can now be auto-detected on TVs running Roku OS 10. That'll configure you for all the top gaming settings. Roku OS 10 also includes HDR10+, plus a virtual surround setting that will work with Roku soundbars, all coming to Roku devices over the next several weeks. Some of the higher-end devices will get it first, and it will eventually roll out to everybody. Roku also announced the Roku Express 4K Plus for $40, coming in mid-May. It has a faster processor than the Roku Premiere, which it replaces, includes dual-band Wi-Fi, and works with micro USB adapters. If you want to have a wired connection, you can do a micro USB Ethernet adapter. The company also announced, I think the one that's getting the most attention, the Roku Voice Remote Pro. That's the first rechargeable remote that Roku has put out. You can recharge over micro USB, it lasts up to two months on a charge, shipping this week. It's got a mid-field microphone that can detect when you say, hey Roku, without even having to pick up the remote, so you don't have to touch a microphone button. You can just talk to it, leave it on the coffee table. It has preset buttons for Netflix, Hulu, Disney Plus, and Apple TV Plus. Your Roku remote will come with an Apple logo on it, available now online and in stores in May for $30. Finally, the Roku Smart Soundbar is being renamed the Roku Streambar Pro. Mostly it's staying the same. It'll ship with a voice remote like the Roku Ultra does, and it supports virtual surround, which is coming to Roku OS 10. The Roku Streambar Pro is coming in May for $180. Who's going to snap up a Roku next? Seth, do you use any Roku stuff? I do not. I have a Chromecast dongle, and that's about it. And I use Plex. 
I use Plex TV. So I can throw things from my media server to the Chromecast. Actually, one of the neat things about my new apartment setup is that there's no room for a TV. So we have to get rid of the 10-year-old or so TV and get a projector and a screen. And that's been sort of an exciting research project, for varying definitions of exciting. That'll make Robert Heron very excited. You should call him up. Yeah, it's kind of a cool excuse to get into projectors, right? Well, one of the neat things is that while the apartment itself is a little smallish, the yard is huge, and it abuts the neighbor's building. And they have a giant wall with no windows, which means that I can play movies outside on their wall. I might have to invite them over, but other than that, it should be fine. So looking at projectors, I discovered there's no such thing as an outdoor projector. You can build a little hutch for it and protect it, or you can lug it inside and out when you need it, but there's no waterproofing for them. So that was sort of an interesting discovery. I'm not a Roku user either. It's just because I have an Apple TV and I'm a Plex user as well. And it's just, I don't really need both, even though I do have a Roku that I used to use before HBO came to Apple TV, I think was when I switched over entirely. But I am constantly amazed by the amount of products that Roku rolls out every year. And a lot of them are super affordable and do cool things. And, you know, they really keep us on our toes. I have a Roku. Eileen has a Roku TV, a TCL, in her room, in her office over there. So I might try out the Roku Voice Remote Pro. I love today that there are two products that I want to try out, and they're both like, you know, within around 50 bucks, one of them 70, the Microsoft camera and the other's the $30 Roku Voice Remote Pro. I might give it a whirl. We'll see. Cool. 
Researchers at Forescout, ARMS, and JSOF reported a set of vulnerabilities that they're calling NAME:WRECK in hundreds of millions of IoT devices. The way some devices parse domain names breaks DNS message compression implementations in the TCP/IP stack, which can lead to denial of service or remote code execution by attackers. That means that some devices could be knocked offline, causing problems and service outages. That alone could be a critical problem in medical or industrial settings, but remote code execution could let attackers access data or pivot elsewhere into a network. The researchers found nine vulnerabilities in seven popular TCP/IP stacks, including Nucleus NET, FreeBSD, and NetX. Security patches are available, and in cases where patches cannot be applied, segmentation and network traffic monitoring are recommended. Seth, what do you make of this? Is it a big one? Yeah, I mean anything that allows a hacker to go after the, you know, DNS and the TCP/IP stack is not going to be good news. You know, these kinds of vulnerabilities, I think, are also really tricky because there are a lot of situations where devices can't be upgraded. Either, you know, especially in medical contexts, maybe they have a service agreement and the device is no longer being upgraded, and these devices will last a decade, sometimes longer. And while it's great to say, well, sure, monitor the network and do segmentation, a lot of, especially at like smaller hospitals or clinics, that's very difficult for them to do. They don't, you know, a lot of them don't even have a single dedicated cybersecurity person on their IT staff. Sometimes they have a one-person IT staff. So this can wind up being very bad, depending on which devices are actually affected. And it's kind of a problem that we just continually see a lot of, you know, unfortunately. I generally look at these stories as good news because it's researchers found a thing and now we can fix it, right? 
It's what's troubling is what you're talking about. When you're talking about IoT, the fact it's not as simple as like, oh, I just got to push the patch, right? Because, right, while more recent IoT devices have gotten better at being able to handle that, a lot of that legacy stuff, even if it is updateable, sometimes it's not clear how you update it, or it's not easy. You might have to take it down and hardwire it in some cases. And like you say, if you're in a resource constrained thing, whether it's at a hospital or some other industrial site, that's a lot of stuff and a lot of time that needs to be done, but it's not easy to do. And what if, you know, just as an example, what if one of these devices is on the segmented network, which sounds great, that happens to be, you know, what the operating room is using. So suddenly you have this potentially vulnerable device connected to the operating room network, which means it potentially can connect to other devices in the operating theater. There's a lot of bad scenarios that can come out of this. It is certainly good that this has been reported by researchers and that patching is available and, you know, that those concerns are somewhat mitigated by that. But it's, you know, in talking with all the health IT professionals that I have been conversing with over the past few months, it's clear that in a lot of cases, their IT experts are just overwhelmed with the world that they're facing today. Well, folks, we're going to talk a little more about security in healthcare situations. But first, if you want an ad-free version of DTNS, support us on Patreon. You get your own personal RSS feed supported directly by you. You can find out more at DailyTechNewsShow.com. I got treated for something called a frozen shoulder a few years back, and I was fascinated that I could get online access to the MRI. There were slices of my shoulder, black and white, looking disturbingly like ham for me to look at on my phone. 
It was interesting to me and also meant that when the doctor went over the results with me, I was already kind of familiar with the images, so his explanation was even more useful. But there was something gnawing at the back of my mind, which was, I didn't need multifactor authentication to log in and get these images. So who else was going to be able to get at them? Seth, you have a story out on The Parallax about a study published by CybelAngel's senior cybersecurity analyst David Sygula about medical image security. What did he find? He accidentally, it sounds like, started looking at whether or not he could find medical images available on the internet. And he spent about six months researching this, published a study last December, and discovered that, yes, he can find medical images available on the internet, and not just a couple of them or not just a couple thousand of them. He wound up finding more than 45 million medical images available on the internet. And one of the complications of medical images when it comes to security issues is that while they are mostly recorded in a format called DICOM, D-I-C-O-M, it's another compressed image format, similar to JPEG or PNG. It contains far more metadata fields than a simple, more standard compressed image. And so where you may at most have a couple dozen fields, if that, in a JPEG, you can have up to 240 metadata fields in a DICOM. And there's good reason for that. You want your medical information to be associated with the image. You don't want to have a clinician have to go scrambling through a complicated electronic health record system or something similar to try and find out who you are and which shoulder you're looking at or whatever the issue is. But that also means that the information is attached to those images. And so he found in some cases even social security numbers attached to them. 
And this can be really bad when you consider that the value of medical information on the dark web is far, far higher than any other kind of PII, or personally identifiable information. Medical records go for 10x, sometimes 50x depending. And the reason they go for so much is why? Because you can do more with them? Sure. You can do more with them. They can be used also in a lot of different cases. They can be used for blackmail. They can be used, you know, extortion ransomware is another potential outcome of a hacker getting hold of this information, especially if they are able to create a phishing attack using the information that looks incredibly authentic. Exactly. So then they can get access to a network. But the other thing that can happen is that medical identity fraud is a serious concern as well. And that's a, I think it's a $110 billion a year problem, at least as of 2018. So there are serious consequences. And according to a 2015 study that I found, which was unfortunately the most recent, it costs each person who is a victim of medical identity fraud somewhere in the ballpark of $13,500 to remedy it. So the consequences are pretty steep, whether the information is being used for ransomware, for attacking a clinic network, for attacking the individual patient. It's bad news all around. Yeah, one of the things that I hadn't thought of until I read your article was the idea of using someone's medical information. Let's say you get that metadata out and you go get a fraudulent prescription or you perform an insurance scam. That's bad enough, but you may think, well, that doesn't really harm me, until that shows up in your medical records and your doctor's like, oh, I see you had a prescription for OxyContin recently. And you're like, no, I didn't. Why is that there? Yeah. And it's also not just malicious individuals who are going about committing medical fraud, but there are medical clinics, there are pharmacies. 
There's all kinds of people and organizations who can use this data in illicit ways. And it's really kind of unfortunate and disturbing at the same time. I had never even considered this until I read the report. And I thought, oh my gosh, this is not a trivial thing. And one of the consequences of this kind of research is good researchers will reach out to the organizations affected. And I asked him if he did that. And he said, well, no, because one, how do I know who they are? The data could be stored on a home server backup. It could be stored on a drive that somebody's forgotten about. And he said, these are thousands of organizations. I'm supposed to reach out to each one individually and let them know that they've got images floating around and connected to the internet. Right, because he was just scanning the internet and finding the images. He wasn't going into a network of a particular company. Yeah, that's a lot of entities. Yeah. In many cases, he said he was using Shodan, which is the IoT search engine. But he said in some cases, he was just using Google search and just performing very finely tuned searches. But this stuff is out there and it's available. Ultimately, it's another window into the precarious state of healthcare cyber security. Well, good stuff. And hopefully writing articles like that and talking about it here gets the word out. And organizations realize that they need to update their policies on image handling and proper procedures and encryption and all of that. Sure, sure. Yeah. It's challenging as well, I think, because, as I said earlier, organizations are so overwhelmed with what they're dealing with at the moment. They're dealing with phishing attacks based on first COVID and now COVID vaccines. There's a lot of unfortunate nuance in the situation and it's very tricky for them. So I have a lot of empathy for where they're at and I have a lot of empathy for people like us who are on the patient side. Yeah, me too. 
All right, real quickly, we have an update on Facebook. Yeah, we do. The Oversight Board has only been hearing appeals on decisions that ended up in content being removed, but will now also consider appeals to have content removed that previously was not. As in appeals on content removal, a user must exhaust all options within Facebook, and the Oversight Board is not obligated to hear every appeal. The Oversight Board is funded by an independent trust established by Facebook, and Facebook has agreed to abide by the board's decisions around whether or not content should be removed. Yeah, so if you're like, hey, I wanted that removed and it wasn't, now you can go to the Oversight Board. Good to know. Well, we've got some good news for satellites. Intelsat's IS-10-02 communication satellite has been in orbit since 2004 and, after exceeding its original mission lifespan by five years, was doing good work but was running low on fuel. And once you get to that point, you pretty much are done. Northrop Grumman's Mission Extension Vehicle 2, or MEV-2, which launched last August, reached the satellite in geosynchronous orbit on Monday to clamp on and fuel up and give that little satellite another five years of life instead of being decommissioned. And this was the first time a life extension service vehicle docked with an active satellite. You might recall, we talked about this on the show last year at some point, Northrop Grumman's MEV-1 clamped onto Intelsat's IS-901, but that satellite was already out of its original orbit. So we are making progress. Yeah, I remember MEV-1 was, we're going to keep this thing from causing problems by falling into orbit or falling into the atmosphere, running into something else. Whereas MEV-2 is giving a satellite five more years to operate. That's great. Better than being space trash. Yeah, exactly. 
And that was one of the problems with MEV-1, is that IS-901 could have broken up and then caused even more problems, because there's so much space trash out there already. Let's give it another 10 years. Yeah. We know how to do it. All right, let's check out the mailbag. This one comes from Kevin who says, I read Roger's article on NFTs. Thank you, Roger. And I did a bit of extra research and I was surprised to find I'm not buying the rights or the copyright to that item when I buy an NFT. I falsely assumed that's what I was buying. My main question I'm left with is, what is preventing an artist from just releasing a second copy of the digital art? My one of one is now one of two. Sad face. Since the digital print can just be copied, how do I know that there will only ever be a single version of this art piece? The artist still holds the raw file. They could just produce a second version, right? I kind of want to buy the raw file and then make them delete it. Yeah. That's not what's going on with NFTs. NFTs are about bragging rights. And yes, they could release, they could sell more series. You could always show that you were the one who bought the first one, but you're right. It's one of two then, not one of one. I suppose that if you could demonstrate that they promised this would be the only NFT that they would sell of that particular thing, you could then sue for fraud or some other kind of breach of promise. But yeah, there would be nothing technological preventing that. Nobody knows that. NFTs are not about copy protection. They're simply about bragging rights. Well, if you have any feedback on anything we talk about on the show or anything that we add to Patreon or anything else, you can always send those thoughts to feedback at dailytechnewshow.com. And thanks, Kevin. Those were good questions. Shout out to patrons at our master and grandmaster levels today. They include Martin James, Alexander Nasev, and Degracia A. Daniels. 
By the way, Degracia Daniels is in our top lifetime supporter list for DTNS. So Degracia, thank you for all the years of support. Also thanks to Seth Rosenblatt for being here with us today. Seth, good stuff from you. Where can people find the rest of your work? You can find The Parallax View, the newsletter that focuses on healthcare and cybersecurity, at the-parallax. That's P-A-R-A-L-L-A-X.com. And I'm on Twitter at SethR. Not to be confused with Seth Rogen. You probably get a few. No, which happens all the time. And people get angry at me. And I'm like, hey, hey, wrong, wrong SethR, wrong one. Well, thanks for being with us on the show. Please come back soon. Absolutely. We're live on the show Monday through Friday. We do it every day, 4:30 p.m. Eastern, 20:30 UTC. Find out more at dailytechnewshow.com slash live. And we are back tomorrow with Scott Johnson. See you then. This show is part of the Frog Pants Network. Get more at frogpants.com. I hope you have enjoyed this program.