 Daily Tech News show is made possible by its listeners. Thanks to all of you, including Matt Zaglin, Scott Hepburn, and Bjorn Andre. Coming up on DTNS, David Spark is here to tell us the security trends coming out of the RSA conference, plus the Insteon smart home server mystery, and how much you should worry about the Apple M1 chip vulnerability. DTNS starts now. This is the Daily Tech News for Friday, June 10th, 2022 in Los Angeles. I'm Tom Merrant. I'm from Studio Redwood. I'm Sarah Lane. And I'm the show's producer, Roger Schmidt. And joining us today is David. Yes, David. I'm sorry. I almost left you to introduce yourself. Go host and producer at the CISO series, David Spark. Welcome back. It's good to have you back, man. I'm thrilled to be back. Let's start right in with a few tech things you should know. Netflix announced several new game titles that are tied into its TV shows. For example, the Queen's Gambit chess game is, as you might assume, a chess game. It's coming sometime later this year. Shadow and Bone Destinies is a single-player RPG set in the world of the show too hot to handle. If you're not familiar, it's designed to mimic the reality show where singles are on an island competing for shockingly very little money. And Casa de Papel is a heist game. There are also several other games not directly tied to Netflix franchises. All right. That's what I thought they'd be doing right from the beginning, but interesting. Truckers in South Korea increased a strike action on Friday. This is a story worth keeping an eye on because it could reduce delivery of material needed for semiconductor manufacturing. Container traffic at the port of Busan was down by a third. Port activity at Incheon was down to 20 percent. And port activity at Ilsan was suspended as of Tuesday. It also has cut Hyundai's factory production by half an affected steel maker, Posco. The truckers are protesting the effect of rising fuel costs. And President Yoon Suk-yul is taking a neutral stance, which means an agreement may take longer. And if this drags out, that's going to affect the supply chain. If you might recall, Seth Green, the actor and producer, built a TV show around a board Ape NFT that he owned. Board Ape NFTs carry intellectual property rights with them, unlike many other NFTs, but that's what they do. You also might recall that his board Ape was stolen and then sold to somebody who went by the alias Darkwing84 and Mr. Cheese. Well, we've got some good news. Board Ape 8398, AKA Fred Simeon, has been transferred back to Seth Green as of Tuesday. They're long global nightmares over everybody. A wallet controlled by Green transferred 165 Ether to a wallet controlled by Mr. Cheese. So it looks like Mr. Green paid about 100,000 more than Mr. Cheese had paid for it. So that's where we land on this one. I love that it's green and cheese and a story about money. At its Financial Analyst Day, AMD announced that Zen 4 CPUs will arrive later this year offering 8 to 10% faster instructions per clock than Zen 3. Single threaded performance gains greater than 15% and more than 25% improved performance per watt. Company will also introduce Zen 5 in 2024 with all new micro architecture and integrating AI and ML optimizations. On the graphics side, AMD said its RDNA 3 GPU architecture will be built on a 5-nanometer process and offer at least 50% improved performance per watt and be built on a chiplet design for efficient scaling. Two government regulatory stories worth keeping track of today, the UK's Competition and Markets Authority plans to launch an investigation into Apple and Google's market power and mobile browsers, as well as into Apple's cloud gaming restrictions. The CMA also launched a separate investigation into the Google Play billing requirements in the Play Store and the US National Highway Traffic Safety Administration posted documents saying it's upgraded its investigation into incidents with Tesla's autopilot to an engineering analysis that's its second and final phase before it could determine a recall. Could get a recall there, that's worth keeping an eye on too. Alright, let's talk about Instion. Back around April 16th, Smart Labs apparently shut down, the company just shut down and Instion's smart home servers went down with it because Smart Labs owns Instion. Now Instion light switches, outlets, and sensors all still worked over RF, but users couldn't access their hub remotely and cloud integrations with Google and Amazon stopped working because they relied on those servers. A few days after that shutdown, Smart Labs said it had failed in attempts to sell Instion and had therefore handed over the intellectual property to a third party for sale. That's all we heard until this week, Tuesday, Stacy on IOT, Stacy Higginbotham's newsletter reported that some of her users as well as folks on a Reddit thread reported that their hub just started working again. No warning, which I mean, that's a good thing, but nobody told him it was going to happen. It just happened. It seemed that Instion servers had come back on, Sarah. We had a mystery. We did. So the mystery cleared a little bit on Thursday when somebody named Ken Fairbanks, that CEO of Instion Technologies, posted that a small group of passionate Instion users that have successfully inquired Instion, so they explained that their first priority was getting the servers back online. And then they did that before they had access to the Instion website or email or social accounts, hence the lack of communication. It was a clandestine move. That makes sense, but it'd be interesting to find out how Fairbanks's group was able to purchase the company when others could not. Stacy Higginbotham, as you mentioned, Tom, reported that Universal Devices CEO Mike Cohnenem said in June that his company, which makes a popular hub that works with the Instion system, made a bid but was rebuffed. All right. But I've got a clue on why Fairbanks may have succeeded where Michael Cohnenem didn't. In his LinkedIn profile, he has a history of business development and investing as you might expect somebody leaving an investor group that bought Instion, but it includes a stint with Smart Labs as VP and general manager from 2004 to 2007, where he was, quote, responsible for the development, marketing and business development of the Instion home control networking technology and products. So he kind of helped bring Instion about in the earlier days. Obviously he says he's part of a passionate group that wants to restore it and he's got a stake in that, but he probably had some connections that he could pull to get this deal to happen. Good too, right? Because Instion users get their service restored. However, I don't know, David, does this give you confidence that, you know, if you buy smart home material? Too much hot potato here, or is it just kind of, you know, business as usual? You know, this was the thing with all these smart home networks, whether, you know, you had to choose one, whether Zigbee was one and was he a direct competitor to Zigbee? I'm trying to remember. Z-Wave. Z-Wave. Thank you. I remember at CES, this goes back a number of years, the two of them were kind of fighting tooth and nail and their booths were like right next to each other. And it was all of like, you've got to choose one environment, another. And, you know, it's of the, you know, the beta VHS days too. Pick a team and hope you picked the right one. The Instion people picked the wrong one, but luckily not all is lost. Yeah. And even when matter comes, which I'm cheering for you, it's going to come. Yeah. It's going to come later this year. No, it's going to come there. I believe in it. When matter comes, it'll end that war. It'll end that HD DVD Blu-ray war for that part of the battle. But something like this could still happen because even if you're using matter, you still might have servers that are providing at least integration with cloud, right? In which case, if you're a smaller company and your servers go away, you could have this kind of disruption. So it, it's, it is a weakness in the system. If you've got cloud based service for stuff, which you kind of have to have. Have you ever had a service that you love that got shut down because the business shut down and you were really bummed? That's a good question. I'm sure I have. I've had services that I canceled and then later they shut down and I was glad that I wasn't, no, I was no longer a customer. You were essentially setting a trend. Yeah. Yeah. But I don't know if I ever had something go away while I was, oh, you know what? Google reader. That's the closest I can think of. Yeah. Okay. All right. All right. I guess that would apply to me as well. And many other Google services, but that was one I was relying on quite a bit for, for my daily, my daily driver. All right. Well, let's talk some chips. Shall we? Apple's M1 chips like some ARM chips implement something called PAC or PAC, which stands for pointer authentication code. PAC checks are used to protect the CPU against attackers with memory access. PAC was introduced in ARM 8.3. It adds a cryptographic signature to pointers in memory. So if an attacker tries to replace the pointer, like with a buffer flow attack, for example, it won't have that signature and will be rejected and the attack will fail or it should fail if all things go well. It's a last line of defense though. If an attack has succeeded against the operating system and it's compromising memory pointers to execute its attack, PAC can still stop it unless you do this attack method that folks at MIT discovered. Tom, I know you looked into this a bit. Yeah. Yeah. This is, this is both very interesting, bad for people in certain situations, but for most of us, a curiosity and good that they, they found it, not somebody else. A scientist at MIT seesail developed what they call a PACMAN attack on Apple M1 systems on chip that can find correct values to pass the check. So first there would need to be a successful vulnerability on the software side that would otherwise be stopped by PAC. If you don't have that, this attack doesn't work. You've got to have that vulnerability. Then the attack uses a speculative execution attack. These are pretty common now. If you've heard of Spectre and Meltdown attacks on the x86 instruction set, this is a similar type of attack on ARM. Speculative execution tries to anticipate tasks before they're called for in order to speed up processing. So speculative execution is a good thing. That's what the processor is using to speed up its work. Speculative execution attacks can read patterns in how the processor anticipates those tasks and then deduce data from that through a side channel. The MIT scientists conducted a speculative execution attack and then judged whether they had guessed the correct PAC value or not through the side channel because there are so many possible, only so many possibilities for a PAC value. They just kept guessing until they got the right one and then they were able to get past the PAC defense and let the vulnerability happen. So the PACMAN attack requires physical access to the machine. You're not going to be able to do that speculative execution attack over software, not remotely anyway. That's the good news and the bad news. On the one hand, it's harder to pull off. On the other hand, it also means it cannot be patched. So the question you're probably asking is, how bad is this? Should I throw away my Apple laptop, Sarah? No, I mean, unless you have some other beef with it, don't throw away your laptop or don't get angry at Apple in the same situation because the attacks work against any ARM chip that is implemented PAC, including chips from Qualcomm and Samsung. So it's not just an Apple issue. The attack wouldn't be necessary against chips that don't implement PAC as those chips don't have that protection. But PAC also doesn't bypass all security on the M1. Only bugs that otherwise would only be stopped by PAC checks. Because of that, Apple told TechCrunch that it had concluded this issue does not pose any immediate risk to our users and is insufficient to bypass operating system security protections on its own. The forthcoming M2 has not been tested for the flaw. I'm sure it will be, but as of right now, still juries out. The scientists who discovered the attack will present findings on June 18th at the International Symposium on Computer Architecture. Yeah, and we'll probably get a few more details about this. David, you're right there in the security space these days. How does this make you feel? Honestly, I'm not a Mac user, so I'm not as concerned. But you might be a Qualcomm user. You might be a Samsung user, right? Yes, it was. I, you know, look, vulnerabilities, they're, if you just got to calculate what, how it's attacking your environment. I mean, speaking of vulnerabilities in general, one of the, from Kenneth Security, their big vulnerability security company, and they'd calculated like 60% of all vulnerabilities flat out ignore. So I mean, every company is dealing with thousands. You really need to understand how this impacts your environment. So for me, it's not really impacting my environment, but for someone else, it could be a monstrous. And so the answer to how do you feel is, how is this connecting to your environment? Yeah, right. If you are a high value target, and you might be in a situation where you'd have to hand your laptop over to somebody, or your laptop might be out of your control, or maybe you leave it in a hotel room or something, you might need to think about this. You might need to think about the fact, and you'll be very curious on June 18th to find out, okay, physical access, but how long do they have to have physical access? Does it require soldering? That sort of thing. And most of us are not going to be in that situation. And the other thing that Apple's saying is, we're also trying to protect you from these vulnerabilities in the operating system. It's not like the M1 was the main defense against these vulnerabilities. We're hoping to shut down all these kinds of memory attacks that you would need in the first place before they ever get to the processor. This was just the safety of last resort. So it essentially sets the security on an Apple back to where it was before PAC was implemented in the ARM chip set, which it isn't always implemented on a lot of chips already. So yes, it's a good thing they discovered it. Hopefully they get it fixed in the M2. I don't think it's devastating for 99% of M1 users. What you should be more concerned about in talking about physical access is when you hand your phone over to one of those fix-it companies to put a new screen on. Mm-hmm. Yeah, you make sure that you're super trustworthy that they're not going to go in and do something. But there's all kinds of other things they could do in that situation more than this. This might not be the one that they try to use. Yes, I know what I'm just saying. You didn't need this for them to come. Yeah, exactly. If someone's having physical access to your machine, that's a whole different ballgame. That's a whole different ballgame. That's concern one. If you have other thoughts on this, if you're a high-value target and you're like, yeah, this affects me, give us an email. Our email address is feedback at dailytechnewshow.com. Send us a long note. WWDC was not the only tech conference going on this week. The IT security-focused RSA conference ended Thursday. David attended the event and has become tradition on Daily Tech News Show, has showed up to talk to us about some of the trends you noticed. Honestly, I think this was my tenth RSA. This might be actually close to ten appearances with you. It could be. I think you've done it pretty much every year we've done the show. Yeah. Yeah, I've come many, many, many times. So I will always precursor this with the show is enormous. There's no conceivable way I can see all of it. So this is Dave's review from what I saw, what my eyeballs and ears could see and hear. By the way, these are just views of the show floor, which was plenty packed. It wasn't the volume of people. I think the volume was probably half, about 20,000 people. They've had like 42,000. I think it was back in 2020 at the beginning of 2020. But I will say that in terms of booth sponsors, it was completely packed. They sold essentially every spot on the floor to cybersecurity companies. And the thing that's amazing for those of you not in the world, that world only is growing with new competitors, essentially new players in the marketplace. And that, again, these are just numbers I've heard. In the early days, I had heard 3,000, 4,000. Then I was hearing 5,000 companies. Now I've heard as high as 6,000. Who the friggin? Real quick, this happens in San Francisco, correct? Every year. What did the venue look like this year? Well, the venue is enormous now. So for those who've ever been to the Moscone Conference Center, there used to be a North Hall and a South Hall for all the booths. But there's been such a demand that the Moscone Center actually did a major conversion. And there is no North and South Hall. It's just one giant hall because they connected the two. And so there's like pretty much now they added another 50% more space, if not even more, for a booth. So it's just, it's overwhelming. It's just an enormous marketplace period, cybersecurity. And most consumers don't know it because they're not selling to consumers. They're just vendors selling to other businesses to secure their environments. All right. So obviously one of the trends is you keep hearing about all these vulnerabilities, folks. Guess what? That means security is booming. There's more companies needed than ever. Does it feel like companies are taking it seriously? There's more vectors to come in. This is the thing is that, you know, there were days like, you know, you only needed like firewall and some like identity management type thing. But now there's all these new vectors. Oh, no, there's, you know, there's IoT, Internet of Things that we need to secure that environment too. And oh, now we also have cloud. We now have to secure that environment. Oh, but there's many vectors of cloud. And there's the issue of how are you configuring your cloud? Well, you need a security program to handle that as well. And are you multi-cloud? Well, you need to have security and manager multi-cloud. Like the number of vectors, it's endless. And then Gartner, the research firm keeps coming up with a new category. There was one called, that came out a while ago. I don't know if Gartner didn't coin it, but called XDR. Actually, I think it was Palo Alto Networks that coined it. And nobody was really glomming on, but at this year, the show XDR, which is the next generation of what EDR, which stands for Endpoint Detection. CrowdStrike probably the biggest player in that space. XDR is kind of the next level of how do I detect on the endpoint, but how do I connect it to all the other knowledge I have in my environment to tell the story of what the heck's going on. And it also includes my cloud endpoints as well. So it's more, there's more acronyms to learn, more categories, more confusion. It's overwhelming. What's the messaging around security? What was the tone that you felt? The tone, I think the tone is a lot less negative, even though it's such a horrible situation we're all kind of dealing with, and nobody's wrapped their arms around it by any stretch. There is a need to be more positive about cybersecurity in that we can win, we can beat. It is a manageable thing to a degree. There is no such thing as 100% security for that matter. But mostly the reason for the positive messaging is actually to get more staff in the industry. If you keep talking about it being scary, people are not going to work in this industry. And the good news is it's a very lucrative industry if you can get into it. The demand is high. Every single CISO, essentially chief information security offer that I speak to is hiring. Everyone's hiring. It's the big joke we have on our show. I always ask, are you hiring? And rarely does someone say no. You talked last time you were here about the hiring practice gap between the people who want the jobs and the experience that they require. Was that pretty much the same at RSA or did you see any improvement there? One of the big issues to solve the gap issue is training. And then you probably have heard the classic line of, well, I'm fearing if I train the people and they leave and I've wasted the money on this training, but it's kind of such a kind of an incestuous group that people do bounce from one to the next and they will come back and they will refer you. So actually the reverse is true. If you don't train them, they're going to leave because people coming into this industry want to move up. They want to be trained. And if training is not part of your organization's culture, then A, they don't want to join. And if they find out they're going to leave because everyone wants new skills and they want to move up. Nobody comes into this level, into this industry to stay at the green level and just stay there. I feel like as consumers, we often hear the story of this company didn't spend the time and resources it should have and then it got breached and now the damage is worse than if they had prepared. RSA is one of the places where these companies have the opportunity to strike the deals, to strike the deals, spend the money, get the resources. Do you get any sense that that's getting better? It's a fire hose of information. Often what forces companies to get there is actually not the stories of, oh, this company got breached, that company got breached. Yes, they do want to beef up their security, but it's honestly, it's regulations and now the Security and Exchange Commissions, the SEC, has proposed new rulings forcing public companies to disclose what their security posture is. Now again, it's just a proposal that's going through a lot of debate right now, but you realize this, the SEC has rules that you have to disclose your financials, you got to disclose other things. One of the things they don't have is disclosing what your security posture is. And this is quite important to, and also if you have insurance too. And we're talking about this a lot, cyber insurance is also a much bigger story now too. And more and more companies are getting rejected for cyber insurance. We're talking 30 to 40% of companies that apply for cyber insurance get rejected because they don't have the security controls in place. So they realize, well, if I want this, I have to get to this level. So it's often not the fear that's forcing the sort of the rapid movement, but rather if I don't do this, I can't get insurance. If I don't do this, I'm going to get fined. So there's an immediate, very visible danger in front of them that will for sure happen. And it's not an attack. Yeah, once you focus the CFO's mind, suddenly things start to happen. All right, let's check out the mailbag before we get out of here. Let's do it. Rob, who lives in Germany, writes, and this is in response to our FIDO conversation from the other day. Rob says, one issue I see with FIDO, at least in my smallest group of people, is what if you can't have your phone with you? I work for the U.S. military and there are many of us who work in areas where no personal wireless devices are allowed. Phones, wireless headphones, smartwatches, even air tags and tile devices are a no-go where I work. Maybe I'm missing something, but is there another alternative? Good news, Rob. While we usually use a phone as an example, since almost everyone has one, there are alternatives to using your phone with FIDO, too. One example, I pulled off of Army.mil, the U.S. Army's page, reading about multifactor authentication that a fast identity online or FIDO-certified cryptographic USB hardware token is an acceptable way to do logins on Army computers. So there are alternatives beyond the phone and then there are ways to use secure phones as your login instead of your personal phone, stuff like that, and sometimes those kinds of accommodations are made. But yes, FIDO is actually being taken up by military organizations as well as private organizations. I imagine FIDO is a big topic conversation at RSA, too, right, David? Yeah, well, password lists has been a hot... Like what you were describing, passwords are an antiquated element of the Internet. They were never... It's ironic. They were designed for some level of security, but they were never designed to be secure to start with, which is bizarre, I find. But there has been this long drive to get off the password or move to multifactor authentication where MFA is really, literally putting a bandaid on a bad process. But we talk about this all the time that if you're going to do one thing to beef up your security, or actually two things, one is always MFA, and that will greatly, greatly reduce the potential for account takeover. That's multifactor authentication, not a master in fine arts. Multifactor, yeah, not master fine arts. Why not both? Yeah, if you have both, it's great. It can be both. And then the second thing is getting a password manager. But if you don't have to use a password manager, it's great. But it's entering the last pass, one of the biggest password managers is the one who's pushing the password list model. And then in response to... Justin and I kind of discussing whether Xbox cloud gaming is the mushy middle, which Justin thought, or I thought like a pretty advantageous thing for a lot of folks who just don't want to have to use a console or a PC. Josh Grisdale wrote us a night's note saying that he loves living in the mushy middle. And Andrew wrote, I am the exact target demographic for all these cloud gaming advances. I'm a lifetime gamer, even scrimping and saving for new consoles in college. But as marriage, career, vacations, etc. have taken priority, $300 plus gaming consoles that I get to use for less than 10 hours a week have dropped off the budget priority list. But a monthly Xbox Game Pass subscription fits in nicely now that my PC can't run wow anymore. I imagine there are a good number of folks like me who used to game more frequently and would like the option to check out modern titles without needing to outlay so much money. The all you can play model also works well for the times that you learn quickly that a certain type of game isn't for you. Well said. Andrew, thank you for that. Yeah. And thanks to everybody who sends us feedback, questions, comments, feedback at dailytechnewshow.com keep them coming. I want good stuff over this weekend. I'm going to plug for the two of you because we love feedback and I don't think the audience knows how much you like how much your show is based on it because ours is like that. So I'm plugging for them. Give them more feedback. Yeah. Don't be if you're like, oh, they don't want to hear from me. You're wrong. We do. Yes, we do. You do want to hear from them. Yeah. Also, we wanted to hear from Len Peralta, but he couldn't refuse his son being in a rap competition. So he had to go do that instead of being on the show, which I almost would rather be there myself. If this show wasn't so fun, I'd be like, I know. Is it a Twitch stream? I mean, what are we all doing right now? But Len, being the consummate professional that he is still drew us something for today's show. It's called Pac-Man Attack. And of course, as you might imagine, it's Pac-Man going after the M1 ship to eat it up. We're talking, of course, about the video game Pac-Man in this case. If you'd like that print, Len has it available at LenPeraltaStore.com. And if you're a patron of his, you might have it already. Patreon.com slash Len. David Spark, always good to have you on the show. Great stuff as always. Hope you had fun at RSA this week. Let folks know where they can keep up with your wrap ups from the show and everything else that you do. Yeah, just go to CISOseries.com C-I-S-O-Series.com And actually, if you look right there at the top of the page right there, there's that little black icon that says the finals of the Caption CISO right there, where your cursor is. Yeah, that. If you click on that, we have a new show and our finals are coming up a week from today. So please join us. This will actually be before the show. 10 a.m. Pacific 1 p.m. Eastern. So join us for that before a good day. Perfect. Perfect lead in. Thank you for that. Exactly. I like that. We also have three new bosses to thank. Going into the weekend, strong. We got Paul. We got Matt and we got Mark. All just started backing us on Patreon. Thank you to our new bosses, Paul, Matt and Mark. Ah, the Gospel of Patreon. Thank you to all three. Gotta love it. Yeah, it's a strong Friday. Let's keep it going on Monday, everybody. Don't let us down. Just a reminder. There is a longer version of the show called Good Day Internet. Rolls right after DTNS wraps up. patreon.com slash DTNS is where you can find out more about that. Just a reminder. We do the show live Monday through Friday, 4 p.m. Eastern. 20 hundred UTC. You can find out more at dailytechnewshow.com slash live. Hope you all have a great weekend. We'll be back on Monday with Lamar Wilson joining us. This week's episodes of Daily Tech News Show were created by the following people, host producer and writer Tom Merritt, producer and writer Sarah Lane, executive producer and booker Roger Chang, producer, writer and host Rich Strathilino, video producer and Twitch producer Joe Coontz, technical producer Anthony Lemos, Spanish language host, writer and producer Dan Campos, news host, writer and producer Jen Cutter. Science correspondent Dr. Nicky Ackermanns, social media producer and moderator Zoe Deterding. Our mods, Beatmaster, W.S. Goddus 1, BioCow, Captain Kipper, Gadget Virtuoso, Steve Baderama, Paul Reese, Steven's and J.D. Galloway, modded video hosting by Dan Christensen, video feed by Sean Wei, music and art provided by Martin Bell, Dan Looters, Mustafa A, ACAST and Len Peralta, live art performed by Len Peralta. ACAST adds support from Tatiana Matias, Patreon support from Dylan Harari. Contributors for this week's show included Nika Monford, Terence Gaines, Scott Johnson and Justin Robert Young. Our guest this week was David Spark and thanks to all the patrons who helped make the show possible.