 Daily Tech News show is made possible by its listeners. Thanks to all of you including Chris Benito, Steve Aderola, and Jeffery Zilx. Coming up on DTNS, Twitter's former security chief lays into its security practices an example of the downside of a false positive when detecting CSAM. And Chris Ashley tells us how he doesn't have a garage or a driveway, but still got an EV charger installed. This is the Daily Tech News for Tuesday, August 23, 2022 in Los Angeles. I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. And coming from the DMV, your boy, Chris Ashley. And I'm the show's producer, Roger Chan. And for people in California, that's not the Department of Motor Resources. Chris, can you help me with my... Yes. Registration. If you know, you know. Yes, get an EV, all problems are solved. All right, speaking of solving your problems, let's start with a few tech things you should know. Sony posted on Twitter and Instagram that the PlayStation VR2 headset is coming in early 2023. Now, the company still hasn't announced a price, but says that the VR2 will feature displays that add up to 4K resolution and can run at 90 or 100 Hertz and have a 110 degree field of view and use foveated rendering, which if you're not familiar, renders the parts of the image that you're looking at more sharply, which is easier on a processor. The PS VR2 will still connect to your console with a USB cable, probably. Yeah, USB-C, USB-C cable. USB-C. RW Nash posted a bleeping computer article to our subreddit describing the discovery by Arseny Sharaglaza at Positive Technologies that a password protected zip file can have two correct passwords, even though you only set up one. A Twitter user going by unbeliever1 noted that zip files use the PBKDF2 algorithm. And if you're not familiar, you don't need to be. You just need to know that that hashes a password if it's longer than 64 characters. And that's what Arseny did. He made a password that was longer than 64 characters. When it gets hashed, the hash is then stored as the actual password to save memory. So if you know the hash of your password, you could use the hash instead of the actual password because passwords shorter than 64 characters are not hashed. It is not necessarily less secure to do it this way, though it would seem to me that it removes the benefits of a long password. Usually a long password makes brute force attacks more difficult. This would keep it at 64 characters for everything. There are lots of other quirks of this finding. If you're interested, go read the bleeping computer article by Axe Sharma. We'll have a link in the show notes. Apple will start production of the next iPhone in India two months after it begins in China. Earlier this year, Bloomberg reported that Apple could begin production in India simultaneously. Now Apple officials have noted the supply chain in India not as developed as the one in China. And secrecy measures need to be replicated there as well. iPhone production in India is expected to begin in late October. CNBC reports that former Apple employee Xiaolong Zhang has pleaded guilty to a 2018 felony charge for theft of trade secrets in San Jose federal court. Zhang was accused of transferring a 25-page document that included engineering schematics of a self-driving car circuit board, as well as Apple's prototype descriptions put all of those on his wife's laptop. Sounds like a plot from the flight attendant on HBO Max. The charges also included stealing circuit boards and a Linux server from a development lab. Just off took the whole server. Plea agreement is under seal with sentencing scheduled for November 14th, and charges could result in up to 10 years of prison or a fine of up to $250,000. Engadget confirmed what reverse engineer Alessandro Paluzzi posted on Twitter that Instagram is internally testing a new feature called Candid Challenges. The feature notifies users at a new time each day to snap a candid photo, activating both the front and rear cameras. Users will have two minutes to take the photo. If you say, wait a second, that sounds so much like be real. That's because it's almost exactly what be real does. So be real's made it. Instagram is ripping it off. It's true. It's true. You've made it. You've arrived, be real. Congratulations, be real. All right, let's talk about these Twitter allegations. In November 2020, Twitter then run by Jack Dorsey hired a new security chief, renowned hacker and security expert Peter Zotko, a.k.a. Mudge. We'll refer to him as Mudge from here on out, but you might also know him as the guy who led a program to detect espionage for DARPA, a talented guy, knows his security. Twitter had just suffered that huge breach in July 2020 when an attacker took over accounts of public figures, member Bill Gates, Kanye West, a bunch of people had their accounts compromised. So they brought in Zacko, they brought in Mudge to help lock things down. In January of this year, 2022, Twitter at this point now run by CEO Parag Agrawal fired Mudge. They got rid of a lot of executives at the time, not just Mudge. However, in July, Mudge filed a 200 page complaint with the Securities and Exchange Commission accusing Twitter of deceiving shareholders and violating its agreement with the FTC on security standards. And that brings us to now CNN and Washington Post have received copies of the filing, published redacted versions of it and interviewed Mudge. There are some allegations in this document that we can discuss in a half hour program, but here are some of the main ones. Okay, yes, here are some of the main ones. So Mudge says around 5,000 full-time employees have access to sensitive user data and software that can change how the service works. If that's true, this is a security risk, both because it's a high number of targets for phishing attacks and because of possible actions by those employees themselves. For example, during the January 6 riots in the U.S. last year, Mudge says he wanted to lock down internal access to prevent employees from attacking the platform from within. He alleges this was impossible since all engineers had access and the access was not logged. That might be enough for you, but here's more. He also alleges that Twitter hired an agent of India's government, like hired them as an employee who was then given access to sensitive Twitter user data because apparently all employees get that. He says the Twitter's method of measuring the percentage of bots on the service is misleading. Has a lot of details about that. He notes that there are bonuses tied to increasing daily active users, but no bonuses tied to reducing spam and bots. Hang in there because still a bit more to this story. Finally, remember that Twitter reached an agreement with the U.S. FTC in 2010 to safeguard users' personal info. Mudge alleges that Twitter makes false and misleading statements to users and the FTC that violate that very agreement. Particularly, he said servers are running out of date software. So what does Twitter say? Well, as Tom mentioned earlier, Twitter says Mudge was fired and the company cites for poor performance and an effective leadership and while it hasn't seen the full filing from what it has seen, it says seems inconsistent and accurate and lacking important context. So you might say, okay, a lot of different stories here. What happens next? Yeah, it's another example of he said 200 pages of things, he said they're false. So the FTC, the Federal Trade Commission here in the U.S., is reviewing the complaint. It could possibly lead to fines if they find out that these allegations are true. Mudge has also been subpoenaed. If you heard that bot allegation, you might have thought Elon Musk, because Elon Musk been out there saying that Twitter overestimates or underestimates how bad the bot problem is. So Mudge has been subpoenaed in that lawsuit between Twitter and Musk. Though what he put in the SEC filing will not bear directly on that case. They'll basically have to depose him and get all the information again. And of course, like some kind of personal injury lawyer perking up at the sound of a siren, the U.S. Congress has roused itself and begun preparing to chat with Mudge as well so we can expect a hearing or two, possibly in the Senate and the House, calling Mudge out to talk about all this stuff. We should start this conversation by saying there are allegations from Mudge. He is a credible source, but they're not proven. But if they're proven, Chris, these are not good. This is one of the scariest stories I've read in a long time, and I tried just to read one aspect of it, and I was like, oh, got to read the next part. Got to read the next part. And I just could, as a guy that works in the software and talk to many organizations that the first thing you try to do is secure your environment and reduce the keys to the kingdom. And the fact that Twitter got hacked because they did something as incompetent as leaving passwords out on, you know, where somebody could find them. To me, this kind of rings true, even though we don't know for sure, but 5,000 people have some type of high level access to the environment. That is nuts to me. I will believe that this isn't as bad as Mudge makes it sound. I will believe Mudge has got a little bit of an axe to grind. But I would guess, and I'm just guessing, that the facts themselves, when you boil out some of the, you know, consequential, circumstantial stuff, are probably true. Maybe not quite as bad as it sounds, but it, because if it's as bad as it sounds, I don't understand why Twitter is a breach more often. So that's what makes me go, well, maybe it's not quite that bad, but there's got to be some fire to go with the smoke, I would guess. Well, bit of a heavy story day on DTNS today. The New York Times reports that in February of 2021, a man named Mark noticed that his son's growing rather was swollen. COVID was still in full swing. People were worried about all sorts of things. So his wife called and scheduled a video consultation for the next day. A nurse asked them to send photos of the area in question. Mark's wife took pictures with Mark's Android phone and texted them to her iPhone in order to upload them to the secure health website for the doctor to review. If anyone's familiar with these secure websites, sometimes, you know, you have to do it in a certain way. The doctor diagnosed it as an infection, prescribed antibiotics, and they cleared it up, right, Tom? Yeah, so COVID, that's why they didn't go into the doctor with the son. That's why they had to send the photos. Wife probably was logged in on the iPhone, which is why she used her husband's phone to take the picture fast and then realized, oh, you know, I'll just text him to me. This would not be a particularly newsworthy story outside of Mark's own family if he didn't have automatic backup to Google turned on. Google's system identified the photo as it was uploaded from Mark's Android phone as child sexual abuse material, or CSAM, because of the picture that was being taken. The picture had to be taken in that area because that was the area that needed to be treated. Within two days, Mark received a message that harmful content had been found on his account and his account was then locked, shedding him out of not only email and all his Google accounts, but his phone, because he used Google Fi for his cell service. Mark is a software engineer. He understood what might have happened, knew it was a mistake, and so requested a review of the decision explaining what happened, but Google denied his request without explanation. Google's Content Safety AI had flagged the medical picture and another video on his camera and reported it to the San Francisco Police Department, which opened an investigation. Okay, so Google's being extra careful here. However, the police department, when they concluded the investigation, couldn't get a hold of Mark because Mark didn't have access to his email. So it took until December 2021 for Mark to receive an envelope detailing the investigation into his account. In that report, investigator Nicholas Hilliard wrote, quote, the incident did not meet the elements of a crime and that no crime occurred. So Mark's saying, all right, I've been clear to the police, appealed to Google again, including the police report, Google did not change its decision. Yeah, so you might say, well, what's going on with Google? Google told the Verge, quote, we follow US law in defining what constitutes CSAM and use a combination of hash matching technology and artificial intelligence to identify it and remove it from our platforms. Additionally, our team of child safety experts reviews flagged content for accuracy and consults with pediatricians to help ensure we're able to identify instances where users may be seeking medical advice, end quote. Google's head of child safety operations, Claire Lilly, told the New York Times that reviewers had not detected rashes or redness in the photo and subsequent reviews found video of a young child laying in bed with an unclothed woman. Google says it therefore stands by a decision despite law enforcement clearing Mark. The police have a copy of the contents of Mark's account on a thumb drive and the department says it's eager to help him get a copy. Yeah, there's probably some paperwork that has to be done, but it sounds like he might at least get the copy of his account back. It doesn't sound like Google's going to change its mind. And if you're sitting here throwing up your hand saying why he's been cleared by the police, the argument goes that Google doesn't want to go down a slippery slope of making it easy for bad actors. And therefore, when they decide that a piece of evidence is worth reporting, they don't change their decision. Once they've handed it over, they don't change their decision because they want to keep that line as far out as possible so that people don't try to take advantage of the system and get around it. The argument runs that, yes, the police may have cleared them, but maybe they cleared them on a technicality. You know, maybe it was CSAM, but there was some other aspect of the law that allowed them not to bring charges. Now, it seems clear from the outside that that's not the case here, but Google's holding a strict line of we're not going to start making exceptions for anyone. Our policy is when our reviewers say it meets the criteria, we don't change our mind on that. And I think this outlines one of the biggest problems that the average person has with companies, with our own government, with just the way our entire system is set up, because it seems more and more these situations lack common sense. And to me, 100% if you scan and you detect something, report it, that's your job. Of course. But once there seems to be some clearing up there, and honestly, it would take a final say from the doctor to say, you know what, yeah, we definitely requested this. This is the image that was sent to us. There's nothing else here, you know what I mean? Then it should be over with. So, you know, I guess there's always an outside chance that maybe something nefarious happened, but it just doesn't seem to be the case at this point. But when companies take these hard lines in the name of I'm just doing this because we have to be strict as opposed to let's do some common sense, it just frustrates the heck out of everybody. But the one thing we should note is that folks, when you store your images on another person's system, they have access to it, period. Right. And these sorts of things, you know, can happen. I mean, to your point, you know, Google saying, well, you know, we just, we have to take a hard line against, you know, something like this that could have been a much worse situation, 100%. I don't think anybody would argue with the company for saying we should be, you know, airing on the side of caution at all times. But there are exceptions. And this case seems like a pretty clear exception. And, you know, I mean, maybe the family is inconvenienced more than anything. You know, it sounds like, you know, their child is, you know, on the mend. And so that's what's most important. But if it were my family, boy, would I be mad. Yeah. Yeah. I get that there's an attitude of, with so many horrible perpetrators doing bad things, if it means that a few people like Mark have to suffer in order to stop them, so be it. That is the attitude. But I am also sympathetic to Mark's side, which is like, hey, I got cleared by the police. Google's not the police. There should at least be some mechanism for me to say, I've got a doctor. I've got the police. I've got my wife. Like, what more would you need to have me presume, to have me prove myself innocent? Right. He's, he's presumed guilty and not guilty. At least of all the facts of this are correct. And the pediatrician said they didn't see any redness. But, you know, Pediatrician didn't say that a Google reviewer said, and I get that, which is like, we look at it. And if we're like, this doesn't look like a medical image to me. I understand why they then forwarded it to the police. But if the police then review that and reviewed that video, by the way, they looked at that video that was cited of a woman unclothed with a baby. They didn't find anything that that seems to me to overrule and say, yeah, we get why you didn't think it was medical, but we determined it was. Yeah. I thought they said they're a team of reviewers. They have pediatricians advise the reviewers. Right. There you go. Pediatricians don't do the reviewing. That's right. Got it. Yeah, yeah, yeah. Rashes and redness, but it's swelling. It doesn't, you know, you can have swelling without having a rash or redness. You're looking for the wrong thing. But yeah, this is annoying because we all know, you know, when something goes wrong within a on like a Google account or whatever, that your, your complaints and your requests go into never, never land. This is like you, you get the can responses. At least he got some type of response, but it still seems a bit far for the wrong reason. And beatmaster in our chat points out Google doesn't want to host anything even closely related to see Sam on their servers. You know, I get that. But again, there, there should be a process where if, if, if the police aren't even bringing you to trial, like they're like, there's not even enough evidence to, to charge you. I feel like there ought to be some mechanism to, to reverse an account ban like that. What do you think? Let us know. Get in touch with us. Feedback daily tech news show.com or on social media. We have a Twitter account, DTNS show and an Instagram account, DTNS pics, DTNS PIX. You can also find us on Tiktok as well. We're over there too. Chris has made no secret of his love for his new Ford F-150 Lightning, but true love must overcome all obstacles. And he had a major one in the installation of his EV charger. So listen up all you folks who think maybe you can't get an EV because you don't have a garage. Chris, you don't live in a house with a garage or a driveway, right? I don't have a garage. I don't have a driveway. But what I do have is a parking space. And so I figured after months and months of suffering, trying to get an EV charger installed, I could help other folks who might be in a similar situation. So I live in a townhouse if you haven't figured it out. And we have parking spaces in front of our house. And essentially what I had to figure out is who to talk to first, who to talk to next, and then try to get this process going. So obviously the first phone call was to actually find an installer that could install my, my charger. And you're saying I've got a dedicated space, but you're going to have to install it basically by a sidewalk. Well, actually I asked them because I was new to this. And I was like, what do you have you guys ever come across my situation before? And they said yes. And I said, oh, so what do you do? And they said, well, there's a couple of options. You can install it on directly in your house and you can stretch the charge cable across the sidewalk. You can install, you know, we can trench. To closer to the sidewalk. And then, you know, the run from the charger is shorter, but still across the sidewalk. But they said we don't typically do those installs, but what we will do is we will trench a line from your house across your front yard under your sidewalk and up into your parking space. And I was like, oh, all right. So they said, we have all the equipment for that. It's something we've done before. We'll install a post in your parking space and we will attach the charger to the post. So I was like, okay, cool. So once I knew that there was a method and pretty much three different options for me to do the install, I then contacted my homeowners and I said, hey, I have a charger. I want to install it. They're like, oh yeah, just submit the change request. And I was like, no, no, no, no, no, no. You guys aren't paying attention. Let's be clear. I'm not on the side of the street that has a driveway. I'm on the other side. So they're like, oh, okay. Well, submit the plan of what you want to do and then I'll submit it to the board and we'll review it. And that's what happened. So I had the company and folks, you know, we're new to this stuff. So definitely ask the company for as much help as possible. And what they did was they actually drew up a plan. I took a picture at the front of my house and then they, you know, drew a line on the picture where they're going to do the install, the measurements and what they were planning on doing. So that was really helpful to kind of visualize how the install was going to go. And then they, I took all of that and then, you know, the write up as well and submitted that as the change request. So what happened next was I got an initial approval after about a month and they were like, you know, but we have to, you know, get some paperwork drawn up with the lawyer to, you know, facilitate everything and, you know, make sure, you know, it was to be expected. They don't want to, you know, be responsible. Liability and all that sort of thing. Yeah. Yeah. Insurance, et cetera. Well, that's the key thing there, folks, because what they hit me with was what I like to call the Okie Doke. Because they said, I read the paperwork and they're like, yeah, you need a million dollars worth of coverage. I was like, what? My house isn't even worth a million dollars. What are you talking about? So after and I called two different insurance companies that I deal with and they were like, we have no idea what you're talking about. There is no such thing as charger insurance. In the end, I found out what they were asking for is what's called an umbrella policy. Okay. And in a nutshell, an umbrella policy kind of sits on top of your car policy and your house policy and it takes those policies up to the million dollars. Okay. So it doesn't have to be on its own. Right. Right. Right. And so what they do is they make you bump up whichever insurance is not where it needs to be. And then once you raise those up to where they need to be, then they'll allow you to do the umbrella policy. And honestly, I would suggest even if you're not getting any of these, call your insurance agent and check out umbrella policies because it was only $130 for the year. And imagine you're in a three-car accident. You could probably, depending on the cars you hit, you could easily exceed your insurance liability that you have. So anyway, just a little side note there. But once we got that figured out, I bumped the policies up, added that to the plan, submitted that back, got the paperwork, signed all the paperwork and had it notarized and sent that back to the, to the homeowners guys. Now, then they said, okay, we'll meet again in a month. So sit there and keep dragging your extension, 25-foot extension cord from your dryer out across the sidewalk, which is an actual hazard. Right. Yeah. And to your car to charge your car. So I was like, awesome. So, but I sat in on the homeowners meeting and what I found out, and this is something, another tip that I want to tell folks that, or might be in a situation, check your state laws because as it turns out, I live in Maryland, and Maryland is a right to charge state, which means that they cannot stop you from installing a charger at your house. And, and so, and this is kind of, if you think about it, it's the same thing happened with satellites early on, right? Before when satellites first came out, they were like, nope, no satellite dishes on the house, front of the house, back of the house, in your house, we don't, and then eventually they're like, no, no, no, you can't stop people from doing this. This is crazy. And everybody, you know, they change past the law where you have to allow it. Same thing happened with chargers. So it's not every state, but it will make your path a lot easier if you are right to charge state because then, you know, they can't stop you. They have to work with you. Yeah. Yeah. They can put conditions, but they have to give you a viable path, right? Exactly. And so they wanted the charger. They agreed that the charger install in the parking space is the best location for the charger because it's the cleanest location. And so, so after they voted, they approved the install. I was able to get the guys out, you know, they called Miss Utility to come out and mark all the lines that, you know, all the power lines, water lines, gas lines that go into the house, you know, make sure that gets done. And then they dug their trench and probably the coolest part watching them did the dig the trench was when they went under the sidewalk because they use the machine called the missile. And this thing looks like a missile and they drop it in the trench and it's air powered and it just starts ramming itself through the dirt under the sidewalk and the whole sidewalk was just lifting up and going down, lifting all down. And then it kind of shot itself through the other side right into the gap that they dug through. So they jack hammered out a hole on the other side. But, you know, and long story short folks, you can't don't panic if you have a situation like mine. There are options. And honestly, if I had to install the charger in my yard, I would have just got one of those little bumps that, you know, or cables run underneath it. Just, you know, you just have to step over it just to make sure nobody trips on or anything. But, you know, check with your home owners, check with installers because installers in your area may have already done this before and have a path for you to do this. But there is a way around this and, you know, there's a lot of folks that I've talked to over the last couple of months that are in my situation and completely rode off EVs just because they think they couldn't get the charger installed. And so you can get a charger installed. You just have to kind of, you know, work with the system. And, you know, after I've just given you the blueprint of how to kind of work that path. So don't don't let that be a means to stop you from getting an EV charger at your house. Now we'll talk a little bit more about this next extended show. But there's one last shoe you're going to drop because you've got the charger in. Yeah, it's working. Right. It's working. It's working great. But the city has now gone. But hold on a second. They're like, wait a minute. Do we own this spot? What? So yeah. So it's possible that the spot my charger is in, even though it was approved by the permitting folks, it was approved by the home owners that the city may have the rights to that spot. And so it may have to have an approval through them or they just won't allow approvals. So that's just a whole nother dynamic. We can go a little bit more detail. It's hopefully just going to be paperwork where the city goes. Oh, you have to get our approval first. But you're approved. I'm hoping so, yeah. Yeah, yeah. Hopefully. Well, if you have any thoughts on this, if you're sitting at home saying, oh, I wish I could talk to Chris about this feedback at dailytechnewshow.com is where to send feedback to us about anything that we talk about on the show or might talk about on a future show. Speaking of Chris, Ashley, thank you for bringing the knowledge today, Chris. Let folks know where they can keep up with everything else that you do. It's my pleasure. You, everybody else can always find me in the homies on the SMR podcast, you know, one of the funnest podcasts you'll ever listen to. And Rod and I are getting ready to launch barbecue and tech season three. We got some really cool stuff that we're already starting to do this season. If you don't know what barbecue and tech is, we're just, you know, talking, making great barbecue and the tech we use to facilitate it. So really cool. Two really cool shows that you can come check me out on. Well, always good to have you on this show. Also special thanks to Adrian Clark. Adrian Clark is one of our top lifetime supporters for DTNS. Thank you for all the years of support. Adrian, today is your day. Indeed. We appreciate Adrian sticking around because right now we're down 21 Patreon supporters on the month. That's not the end of the world for us, but you know, if that keeps up for a long time and we don't swing back around, you know, we might have to start cutting back on things. So if you like DTNS as it is, and maybe you'd even like a little more DTNS and you're not a patron already. Now's a good time because with financial uncertainty, with people getting back to work, not having as much time to listen to podcasts in the same routine, we're seeing a few more folks drop off. You can help keep us going on DTNS. Speaking of patrons, stick around for the extended show, Good Day Internet. If you know, you know. You can also catch our show, DTNS is live Monday through Friday at 4 p.m. Eastern 200 UTC. Find out more at dailytechnewshow.com slash live. We are back doing it all again tomorrow with Scott Johnson joining us. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com. The Diamond Club hopes you have enjoyed this program.