Daily Tech News Show is made possible by its listeners, thanks to all of you, including Alexander Nisev, Hector Bones and Tim Ashman. Coming up on DTNS, Rod Simmons brings the insider perspective on company security. Why do so many employees need access to everything? Or do they? Plus, the EU makes USB-C the law, and the economy finally comes for the app store. This is the Daily Tech News for Tuesday, October 4th, 2022, in Los Angeles. I'm Tom Merritt. From Studio Redwood, I'm Sarah Lane. And the show's producer, Roger Chang. Joining us, the host of SMR Podcast, Barbecue and Tech, and so much more: Rod Simmons, welcome to the show. Thank you so much. It's been a long time coming. I'm super excited to be here. It's good to have you. Long-time listeners of DTNS will have last heard you on the electric car, the EV roundtable. Oh yeah, that's right. Yeah. So not too long, but too long, if you know what I mean. Something like that. We've missed you, Rod. Yeah, that's what I'm trying to say. All right, let's start with a few tech things you should know. The Connectivity Standards Alliance released the first version of the Matter smart home compatibility protocol on Tuesday. Matter lets smart home device makers certify that their product can work with any other device that also supports Matter. It uses Wi-Fi and Thread for data communications and Bluetooth Low Energy for provisioning. And it doesn't need the internet to continue working. Matter is supported by all the major smart home device makers: Samsung, Google, Amazon, and Apple. Device makers can now certify their products and put the Matter Compliant badge on their product so you also know. And if you want to know more, we highly recommend reading Stacey on IoT, staceyoniot.com. Yeah, that's Stacey Higginbotham. She does good stuff. The 2022 Nobel Prize for Physics was awarded to three people.
France's Alain Aspect, John Clauser of the United States, and Austria's Anton Zeilinger, for experiments that proved elements of the theory of quantum mechanics. Clauser showed in 1972 that light could be entangled, meaning that two photons could share properties no matter how far apart they are. Now, that doesn't allow you to do faster-than-light communication, I'm sorry to say. In fact, that's what Alain Aspect proved in his experiments, ruling out an alternative explanation for entanglement. And Zeilinger built on their work to show how entangled systems could be linked together in a secure network, since the measurement of quantum systems easily reveals the presence of an eavesdropper or man in the middle. Google launched new Nest hardware. The second-gen Nest wired doorbell eliminates fisheye distortion on its camera. It can record up to an hour of footage to internal memory and is available now in the U.S. for $180. The Nest Wifi Pro supports Wi-Fi 6E. It includes a built-in Thread border router and will support Matter. A one-pack costs $200, and you add $100 for each unit in two- and three-packs. It's available for pre-order now and ships October 27th. The new hardware will use Google's redesigned Home app, available in public preview in the next few weeks. This adds a new Favorites page, supports using sensors to trigger automated routines, and uses the camera interface from Google's Nest app. A web version will be available at home.google.com, with a Wear OS app coming as well. Later this week, we're going to have Congressional Dish's Jen Briney on the show to talk to us about the U.S. CHIPS Act, since she may be the only person in the country who's read all of it. One of the reasons the U.S. passed the CHIPS Act is that there's a move to diversify the chip supply chains away from mostly being in mainland China. And of course, every country wants to be the home for some of those new factories. Companies want to be the ones running those new factories.
Here are three cases in point out of today's news. Samsung announced it's going to triple advanced chip production capacity by 2027 and includes a plant outside Austin, Texas, in those plans. In a race against Taiwan's TSMC, Samsung also said it's going to mass-produce three-nanometer chips starting in June, targeting production of chips on a two-nanometer process by 2025 and a 1.4-nanometer process by 2027. Micron announced it'll invest $100 billion to build four separate chip fabs on a 1,300-acre site in Clay, New York, just north of Syracuse. It'll start construction on a $20 billion megafab in 2024, with production starting at that fab in 2025. And Apple released a suppliers list. The Wall Street Journal noticed that 48 of the 180 suppliers had at least some of their sites in the U.S. That's up from 25 last year. Still, almost all the suppliers on that list had operations elsewhere: Japan, South Korea, and 150 of the suppliers (and remember, they had them in multiple locations), but 150 suppliers had sites located in China. Bloomberg reports that Elon Musk sent a letter to Twitter on Tuesday offering to buy the company for $54.20 per share. Yes, you are listening to the October 4, 2022 edition of DTNS. You have not gone back in time. Yes, that is also exactly the same price as the original offer that Musk made back in April. No, we don't really know why yet either. Keeps us on our toes. CNBC says the deal could be completed as soon as Friday, and if that happens it would avoid this trial that was set to begin October 17. Yeah, it's Musk offering to buy Twitter and the EU requiring USB-C and the Digital Services Act. These are our April shows all over again. But let's talk about a couple of laws making progress in the EU. The European Council approved the Digital Services Act. So now it's law, or it's about to become law. The Digital Services Act is the one that applies to social platforms and search engines that have at least 45 million users in the EU.
It affects targeting of users, so there are new rules about that, what you can and can't do. It has some rules against dark patterns, that idea of, you know, making the yes button a little easier to see and click than the no button, stuff like that. It requires transparency about how algorithms promote content, how they recommend content. Platforms are going to have to explain why they remove content and give users an ability to appeal takedowns. Companies must also disclose any steps they're taking to combat misinformation and propaganda. The regulation is going to be published in the Official Journal on October 13th, and then it goes into effect 20 days after that. So most of the measures will apply 15 months after it goes into effect. That's built into the law. The law goes into effect 20 days after the 13th, so October 33rd... no, it's November 2nd. And then the law says 15 months from then. You have 15 months to get ready for this. 15 months from that, in 2024, you have to start following these rules. Now, you may be wondering about the very similarly named Digital Markets Act, the DMA. That's the one that requires messaging apps from big companies to interact, among other things. That was enacted back in July, and that will go into operation early next year and go into full force in 2024. So Digital Services Act, Digital Markets Act, now both law in the EU. But there's another EU law making progress that's probably going to impact more of us, even those of us outside of the EU. Indeed. So the European Parliament voted 602 to 13, a pretty overwhelming victory, to approve legislation that will require phone, tablet, camera, and laptop makers to support USB-C charging. The aim is to reduce the number of chargers that people need to have and, in theory, will reduce waste. The law now heads to the European Council, where it's expected to get approved. Once it goes into force, each European country will have 12 months to put the law on its own books.
Then companies will have 12 months after that to comply. So we're looking at the end of 2024 to be when phones that are sold in Europe will have to support USB-C charging. Laptops wouldn't have to come into compliance until the spring of 2026. Now, a couple of things to note on this directive. Any product put on the market before the rule applies can continue to be sold. You don't have to yank everything off the shelves. So you may see some companies flood the market. The rule applies to a wide number of electronics. Phones, laptops, tablets, they get all the attention, but it also includes digital cameras, headphones and headsets, handheld video game consoles, portable speakers, e-readers, keyboards, mice, portable navigation systems, and earbuds even, like your AirPods and your Beats and all those. It only applies to devices that charge by a wired cable of up to 100 watts. So you may think, oh, they can get around the rules by going wireless. It does not apply to smaller electronics like smartwatches and fitness trackers, because they don't pull 100 watts, but there is going to be a standard for wireless in this law as well. The law doesn't name that standard. It requires the European Commission to come up with a plan for wireless charging interoperability by the end of 2024. So I just want to be sure on this one. You said it doesn't apply to wireless, at least it doesn't right now, but if I have a device like, I think if you take my Sony headsets, I can wireless and wire charge them. Yeah. If it's got the wired on there, then it has to support USB-C. So for this, I'm absolutely sick and tired. I travel a lot for my day job, and there is literally nothing worse when you're traveling than I have a cable for my Bose headsets, I have a different cable for my phone, I have a different cable for my... Yeah, sign me up. I'm fully with this one. You know, I am too. I feel your pain, right? Very much so.
In fact, it's the most stressful part of packing for any kind of trip, because I try to not forget something, but I often do. Some of this does seem like, okay, well, this seems more convenient. Like you mentioned, Tom, we might see some products getting on shelves before they have to change everything and provide USB-C interoperability, because they don't already. And if you obviously have a product that charges some other way, it's not just going to magically stop working or anything like that. We also see technology evolve. You know, by the end of 2024, we're probably still going to be on the USB-C train, but there's no doubt in my mind that it will continue to advance, and then you kind of have to go back to this rule all over again with what's available at the time. Yeah, I like the standardization. I'm not sure that I'm fully on board with this being the way to get it. It's sort of like, well, at least we got it. But I don't know that a law that extends out to 2026 is the best, because they have said we will continue to adapt to new standards as they come. But there's two things to that. One, okay, how? We haven't seen the details on that. That's not in the text of the law. I'm just taking your word for it, and I'm curious how that's going to work. And two, if companies are only required to do USB-C, they're less likely to develop those new standards. So, granted, the USB Implementers Forum will continue to develop, and there'll be a new standard coming from them. I'm certain of that, and the EU can work with them. But there may not be as much encouragement to develop an even better standard, if you know what I'm saying. Unintended consequences. You both brought up very good points. I'm still for it. Let me be very clear, because it's fewer cables I need to carry. Yeah, I'm for that too. Your points are absolutely valid. Well, perhaps also valid is the fact that app stores might not be making all the money that they used to be making.
Morgan Stanley analyst Erik Woodring noted that data from Sensor Tower indicates that revenue from Apple's App Store dipped 5% on the year in September, and Google Play revenue fell 8% on the year. Revenue in China, Taiwan and South Korea bucked that trend. They stayed even or even grew a little bit, but other markets dipped. Revenue from gaming took the biggest hit, dropping 14%. And if you're saying, well, the bad economy is probably the reason, well, you could go apply for a job at Morgan Stanley, because that's what they said as well. Bad economy. So these things tend to dip. The numbers could bounce back in Q4. We got an extra week. Exchange rates may end up being favorable by then. Apple also raised their App Store prices in many markets, probably to make up some of that money. But yeah, I'm wondering, Rod, do you feel like it's just a bad economy? Do people just want to game less? No, it's totally a bad economy. I mean, if you think about gaming as disposable income, when you have less disposable income, you're probably going to make some sacrifices. I think in our daily lives, people are... oh, I don't go to a gas pump because I drive electric, but people who do go to a gas pump are saying gas is more expensive, what I'm dealing with. All the services, what I'm dealing with, are more expensive. So whether it be energy costs, if you're dealing with the EU and the whole war that's going on with Russia and Ukraine, all of those things sort of factor into: I have less disposable income to work with, therefore I choose to make cuts in certain areas, and that starts with app store purchases. And I think you see that sort of moving down to other services, like Netflix and Hulu, where people will start to make the decision that maybe I don't need commercial-free. So I'll save myself a couple bucks a month and deal with commercials on some of those platforms. Yeah.
I feel like this is a potential sea change, because app stores have been a cash cow for Apple, and they haven't been bad for Google either, pretty much since day one. They are just money-printing machines. And I know a lot of Apple's future first-party ad revenue plans are predicated on selling ads within the App Store to direct you to other apps. If this starts to be less of a cash cow for them, certainly Apple and Google aren't going to hurt too much. But it is going to have to shift their strategy, and it is going to affect especially Apple's plans for making money off services, if they had expected this much to come from app stores and suddenly that is declining instead of growing. So I guess the way I kind of look at it is there is always the new normal. So I think when gas prices were close to, let's say, $5 a gallon, people were making decisions not to go certain places because they don't feel like paying $5 a gallon. But eventually it becomes a new normal. So the new lower gas price is higher than the old gas price, and we just kind of adjust. So while I think this is a temporary impact, I think that over time we'll get used to that's just what apps cost, and I haven't had those for a while, so people will start to come back in droves. So I think Apple and Google are probably looking at this: this is temporary. It's not a long-term impact for their businesses. Yeah, that makes sense. Especially when there's that one Chevron that's still charging $6 over there. Oh, that's $6 where I am. I don't know if that's a positive deal. Wow. Yeah, for a long time I've reviewed lots of apps for work, so I think I've been... I am not totally a normal example of how much somebody wants to pay for an app, because I would download just pretty much any app no matter what it cost for a while, and I still do that to a certain point.
I think many folks, perhaps over a period of time, if you have a finite amount of money and you say, okay, well, this much money can go to fun stuff in app stores that I'm willing to pay for, or in-app purchases, even if you get tired of a game, let's just use games as an example, you might say, I don't want to pay for this anymore, but I like the time that I spend on this game, and I'm gonna now spend that money towards this new game. But when you have a bad economy overall, that's not necessarily the decision that people come to. They say, well, I just have to do this less. I need the money. I'm gonna cut back my spending. Yeah, and it may not be like, with a game, it's like I'm just not gonna do the in-app purchases. I'll grind my way through the capabilities in the game and earn it, versus paying my way out of frustration. That would be an interesting metric, to find out if time spent with the games goes up as they spend less on the games because they're grinding more, you know, you might see that. Well, folks, if you have a thought on that, you have some data on that, maybe you just want to find out where Rod can get gas for five dollars a gallon, email us: feedback@dailytechnewshow.com. A few weeks back, Peiter Zatko, aka Mudge, the former security leader of Twitter, alleged in an SEC filing and to the US Senate Judiciary Committee that somewhere around the number of 4,000 employees or so at Twitter had pretty much unfettered access to data on the network, including data associated with Twitter accounts. It's been exaggerated what data was available, and at the same time, that's a lot of people having a lot of access. Zatko also said it was very difficult to identify if specific data was taken, because the company didn't monitor or log all the employee access. Rod, you've got a lot of experience in network security, in strategy, in compliance. In your experience, let's just focus first on that number: is it common to have that many people in a company with access?
Well, okay, so no, let's start with that. However, depending upon the function that you're within, you might, like, let's say, let's take Twitter, since this is a use case example. You might have people who specialize on Twitter with just profile management, another group of people who specialize on Twitter with things such as verified users, and then some people who handle tweets, takedowns and all those. So you might have thousands of people who have very specific specialties within Twitter, but carte blanche access across the entirety of the platform, yeah, that's very abnormal. But in most companies and organizations, it's not abnormal, if you're talking Fortune 500 companies, that they have a team of database developers, and there might be 500 to a thousand database developers who all have some level of access to the database platform to make modifications and changes, because the application is just so large and they work in groups and teams to sort of deliver a solution. Go ahead, sir. Okay, I was going to say, okay, so Rod, you're saying 4,000 employees sounds like a pretty high number. What are the implications of the data? It seems it is still quite unclear how many of those people had what kind of data. What kind of data would having so many folks having this access to, even if it's unusual, then what are the implications? What's the worst that can happen? So I think if you take a step back, I think the first place you start is: do they have access, or do they have persisted access? And two things. So for most organizations, they're leveraging credential vaults. I think you guys are familiar with something like a LastPass, but in the enterprise you're using solutions like CyberArk, Thycotic, BeyondTrust, and then there's a hash... there's hundreds of others in that kind of model. Those are really designed for either highly privileged accounts, so my administrative account would be locked into the vault. I have the ability to check it out at any point in time, but I don't
operate that account on an ongoing basis. And then you have shared accounts that would sort of exist inside of that vault, where if I needed access to a shared account to deploy it, while I may not know the credential at any point in time, I can check it out, use it, and then when I check it back in, the credential is scrambled. Therefore you have full accountability of: I was the only one who knew the credential at that time, and I had to be the one to make the change. So it's all about that accountability side and, more importantly, the integrity to your users. But yes, 4,000 is high if it were system-wide access, but compartmentalized, for someone the size of Twitter, I don't... and also if we consider, like, the follow-the-sun approach for managing the corporate platform, it probably isn't abnormal that there might be that many people who have very specialized access throughout the platform. It's whether or not it's persistent that is the more concerning part. And that may be the case with Twitter. Maybe it was 4,000 people with unfettered access to everything. It may be lots of compartmentalized access that could access various parts that were sensitive, but not each person had access to all of it. But it sounded like Mudge was also saying, but we don't really know who had access to what, like there wasn't a way to track it. That almost seems like the bigger problem, right? And I don't know if that's just a symptom of a company that grew quickly over, you know, 10-plus years, but if the company doesn't log employee access and the former security lead of Twitter is like, we don't really know how bad it was because we don't have any evidence that it was bad, but it might have been bad, now what do you do?
Yeah, so let's distinguish two things. There's logging the access, logging that someone has done something. Most companies have that. The argument that they didn't, that's awful, because if you had a threat team coming in to try to figure out how something took place, they need logs. But then there's the governing of who has access. Many companies, I'd say a lot of companies, are very mature as it relates to governing who has access to what, but the reason why companies adopt governance solutions is specifically around this requirement, which is it also builds trust to your users. So what you're trying to do with governance is you're trying to say: we have an automated process that will grant people the access they need within the organization; we have a scheduled review process to ensure that people have the access they need or, more importantly, we remove the access they no longer need; and more than that, we also have a process to ensure that when someone leaves the organization, we deprovision all their access and their removed access. So if you think of it from end to end, if an auditor would come in and say we need to get access to this, and you can go back through a log and say Rod requested this access, it was approved by these three different people who have to go through the approval process, and that access was revoked on this date and time because he only requested it for a single day, then you have the full chain of that. You have actual control over access, versus someone just going into the system, adding a person to a group or to a role, and then they get all that access. Governance is demonstrating you have controls in place. So anybody who's listening to the show who works in security is probably thinking things like SOX or ISO 27001, all of those control frameworks to show that you've put the processes in place to govern and control access within your platforms. When I left TechTV in 2004, there was a third-party analytics tool that I was surprised to discover I still had access to,
even though I was no longer an employee there, and I quickly let somebody know, like, hey, I was able to get into this and I shouldn't. I am somebody who did that; a lot of people wouldn't do that. CNET, on the other hand, had such locked-down security that when we wanted to, you know, demonstrate certain products that weren't allowed on the network, we had to get an IT person to come up, turn on access to a particular port that we were using in the studio, do the product shoot, then they would turn that access off again. And it was on a dirty net anyway; it wasn't even on the corporate network. So obviously things evolved over time, is what I'm saying. How pervasive, how emblematic do you get a sense that this is? Unfortunately, it's more widespread than one would like to believe. However, when you, like, as you gave the example at CNET, the larger the organization, Fortune 500, 1,000, usually they have very good controls in place, and more importantly, they might be evolving those controls aggressively. It's when you start getting to the medium-size or smaller-size enterprises. They started off with automation, which is, we have scripts that do this, but it's not the perfect process. And then as you sort of mature, you realize that we need to implement products, and there's a spend for organizations. It's not like you can get a credential vault for free that scrambles credentials. It's not like you can implement a governance product for free. It's a big financial spend, and it actually does involve automation, and it touches all different tentacles within the organization. So it is more pervasive than we'd like to believe, but it tends to be within the medium to smaller size organizations who just don't have a mature practice in place, versus just malicious intent. Because I tell you, that time and money, it looks like a lot the first time you confront it, especially as a smaller or medium business, right? Absolutely. If you were on, like, a Microsoft platform, that would be a good example. Microsoft provides their
own, like, governance capabilities if you're, like, a Microsoft Azure customer, but it requires a certain, I think it's like a P2 or P3 license with Microsoft to use those capabilities. So you have to upgrade what you're paying with Microsoft, but you get that for the Microsoft platform. The problem when you start getting into large organizations is that they're very heterogeneous. So they say, well, yes, we use Zoom, we also use SAP, we also use Workday, and some compartmentalized, and we have all these homegrown applications. How do we tie all that together? And that's where you start getting into the bigger identity governance solutions that try to help you with the automation and tying all those little pieces together. But I should say the key part is not just automation, but it's the reporting to prove to your auditors that you actually have the right controls in place. And prove to yourself that your controls are working too, right? I think it's important for that too. Yeah, it's... no, no, go ahead. I was going to say, but it's also, it's like there's a lot of users. Right now, early on, it was you had to be, I think it was a celebrity, to get a verified status. If, as Sarah told you, well, I have a friend at Twitter and they can get you a verified status for 50 bucks, all of a sudden verified users goes away. So there's no integrity behind verified users if you can just pay to get verified. So, like, the controls that Twitter put in place for the process to become a verified user, it means that if I see that stamp, I know that that is Elon Musk who tweeted versus somebody else. That integrity is critical to the platform. The same core principles apply when it comes to governance. Everybody has a customer, and your customers want you to demonstrate that you have the controls in place so that if you're a third-party vendor and you get breached, it doesn't move over to their organization, or if they're trusting their data on your platform, like Azure, Google, that their data is actually secured. And it doesn't mean
that everybody in your IT infrastructure can look at all the documents we're saving on your platform. Well, we have quickly some breaking news here. Scott Johnson, who'll be on the show tomorrow, is a grandpa again. His new granddaughter is named Phoebe. She was just born during the recording of Daily Tech News Show, and he tweeted about it. So congrats to Taylor, Scott's daughter, and her family, and welcome, Phoebe. Phoebe, we want you to stay hydrated. You know, humans need hydration. It's true. And Gatorade is a company that knows a little bit about that. They want you to stay hydrated as well. The company has a smart water bottle called the Smart Gx to maintain your baseline hydration level and monitor recoveries after workouts, that sort of thing. Gatorade is not the only company to do this, but if you're interested in their product, LEDs along the bottle's cap, which comes off, can record daily hydration. You know, maybe you drink half a bottle, then you fill it back up, drink half again. You know, it's supposed to help you keep track so that you think about it less. Charging works over USB, and a Gatorade spokesperson told Engadget the bottle is dishwasher safe. The cap isn't, because you've got to have the LEDs working, but most of it can be cleaned regularly. Gatorade also has an app called Gx, which includes things like nutrition and training information. That's just on iOS, at least for now. The company does say a way to track what you drink from something other than the smart bottle is also on the roadmap for launch. Yeah, because this is only going to track what's in the Gatorade bottle. And if people are like, I have a bottle that does this, yeah, this isn't new. The technology itself isn't new. What's significant here is a brand like Gatorade getting into it and putting their name on it. That's going to expose it to a bunch more people. But yeah, it's kind of cool to be able to refill it and it keeps tracking. Yeah, yeah. And you don't have to have... maybe you love Gatorade, but it doesn't
have to be Gatorade that's inside the bottle either. Do either one of you see yourself getting a bottle like this to track your, I'll say your fluid intake, I won't say Gatorade, but whether it be water? Yeah, when I've been really militant about my water intake, which I have, you know, I don't know, really being militant about what I'm taking in in general, calories and water and stuff like that, I have found it to be kind of cumbersome. Like, I did have a glass of water, like, a few hours ago. Crap, okay, let me, you know, go back and reset my stats. This could be helpful for something like that, you know, or if I was training for a marathon and I was just like, hydration was the utmost concern, maybe more than it would be if I was just leading my normal sedentary lifestyle. Yeah, it's safe for me, I don't see myself going down the pathway of this, but it's often because I sit with a cup next to my desk all day, every day, and unfortunately it's usually half full by the time I walk from my kitchen in my basement and walk upstairs and realize I drank half of it. So usually now I have a thermos and my glass so that I can keep refilling it throughout the day. But I don't... for me, it's not about measuring what I intake, it's just about making sure that I keep on taking it in, and I don't see myself going this particular route. Yeah, there's been a few studies recently. McGill University had one that I'll throw in the show notes, that the whole thing about drinking 6 to 8 glasses of water is kind of a myth. Like, it's not a bad way, if you're not getting enough water, to sort of gauge whether you're getting enough water, but you get water from a lot of food. You don't really need to drink more than when you're thirsty unless there's something else going on, unless you have a disease or it's particularly hot or you're exerting yourself, like you're exercising, like the Gatorade audience, maybe. So yeah, I just use a pint glass of water. I just keep refilling it throughout the day. I'm not too concerned, and I don't work out
at the level that I would need to really track this hydration. But maybe you do. The timing of my water intake is actually the most important slash annoying thing, because if I drink too much right before bed, then I've got to get up instead of staying in bed all night. So that has to be factored in, which can be annoying. Not annoying is having Rod Simmons on the show. Rod, such a pleasure to have you today, and we hope you come back soon. Let folks know where they can keep up with you in the meantime. Yeah, so if you're looking at me from just a social standpoint, I do a Barbecue and Tech podcast with Chris. It was actually launched last year when you guys kicked off, like, kind of the, hey, contributor show, and see where it goes. So we launched Barbecue and Tech last year, but I also run another podcast called SMR Podcast, which I think we record usually Wednesday or Thursday each week, and we just get together, three of us, Rob, Chris and myself, and we just talk tech. So if you want to find me, those are probably the best places. On Twitter it's Rod Simmons. I'm not creative when it comes to that. And if you want to find me on Instagram, go figure, it's actually just Rod Simmons. Well, we have a thing, we have another thank you, and that's to a brand new boss named Joe Mon. Joe Mon just started backing us on Patreon. You are our new boss, and we thank you, Joe Mon. Welcome. Producer of today's show, Joe Mon. Welcome. Yes, indeed. Speaking of patrons, stick around for our extended show, Good Day Internet, which we like to call GDI, which rolls right after the show wraps up. You can catch this show, though, DTNS is live Monday through Friday at 4 p.m. Eastern, 2000 UTC, if you'd like to join us live, but if you need a little bit more information, go to dailytechnewshow.com/live and that's where you'll find it. We'll be back tomorrow with Grandpa Scott Johnson joining us. We'll talk to you then.
This show is part of the Frogpants Network. Get more at frogpants.com. Diamond Club hopes you have enjoyed this program.