 be like some new planet that we've never seen before or whatever. But what's unfortunate is that it's at Disneyland and not, um, and not California adventure because the difference is California adventure, you can get liquor and Disneyland has no booze whatsoever. The, the missed opportunity is if it was that California adventure and they could have, you know, the bar, if they can, but yeah, the cantina, you would be able to go and be like, uh, can I get an utini? Oh, I've served by a Java. It would come in a special Java cup with red eyes. Oh, and you have to say it like that to get it, to actually get the order to be completed. Yeah. I feel like it's like in a mug with like red eyes and then there's a little button on the side that goes, oh, TV. Just say, uh, it's, it's got, it's like a stein. So you have to, you have to pull the lever to open up the top of the Java hood to drink it. Yeah. And, and yeah, that's, and it comes in the signature glass. You can pay to keep it. Oh yeah. Absolutely. You know, speaking of, uh, I have a freaking butter beer mug from, from, uh, Universal Studios. I don't know. So, and to be clear, it's not, I'm not, it's not that the reason I have never been to Disneyland is not because I don't like theme parks or anything. I love Terry Potter. Yeah. That's maybe why I thought you were always went because I see, you know, your snaps. Sometimes you'll go to Universal and stuff like that. I grew up going to Six Flags over mid America. I feel like between the, uh, the suction cup story and the allowance money story, I know you guys on a, on a level that I didn't know you before. Yeah. That's why we do these pre shows. Now, you know, the ones that aren't live. All right. Uh, let's get rolling here. Oh, we're going to podcast. Well, yeah, we are. We're going to podcast like there's no tomorrow. Well, there is no. It's 1999. There is. There's actually a day to actually, we are hot. 
Funnily enough, given the subject matter, we are going to podcast like it's 1999. A little bit. A little bit at the very latest 2005. Well, it was pretty dead by then, but yes. Yeah. All right. Here we do. Daily Tech News Show is powered by its audience, not outside organizations. To find out more, head to dailytechnewsshow.com slash support. This is the Daily Tech News for Friday, December 16th, 2016. I'm Tom Merritt, Darren Kitchen in the house today. Darren just found out there's a new Star Wars movie. Are you excited? I am. Way to throw me under a bus. But no, I, um, wow, not under a bus, under a rock, that rock is supposed to pull you out from under a rock, right? I need to, I need to tweak my rock filters because it's really just supposed to keep like, you know, police brutality out of my life. And it's, and it's unfortunately caught, uh, something significant. Yeah. Well, everyone's thought you got to fine-tune those filters. This is how you learn. For sure. Machine learn. Well, hey, speaking of which is that the machine learning is a very difficult thing to curate because you need humans to be in the mix. So if you're not, if the human isn't seeing the input and output, then it can't tweak what that end result will be. You can't let machines teach machines because they're not going to come out with anything good. I mean, really, I just, that is the perfect setup for our first top story, but we have to introduce Len Peralta. Yeah. Len Peralta is like a machine. I am like a machine. I am a nonstop drawing machine on Fridays, at least. Uh, Len, have you seen the new Star Wars yet? I have not. You know, I think I was, I was going to see it this weekend, but I might actually wait till after Christmas when my other son gets home so we can all go as a family. Oh wow. So you're not even going to see it. I would love to see it before you. It sounds like you probably will. A lot of people are going to see it before me, but we'll see how this weekend goes. 
I might, I might, you know, I saw it last night and I very much enjoyed it. Good. Well, good. Because today's drawing is going to have a little bit of maybe have some Rogue Rogue one in it. So we're going to, we're going to be talking about why any company would be using MD5 to hash their passwords. I mean, August 2013 is when Yahoo was still using it, which we talked about yesterday. Darren's going to, Darren's going to try to explain this to us, but let's start with our top stories. All right. So say it again, Darren. What was it about humans and machines? Machines aren't very good at teaching machines. You need a human that to kind of chaperone them and yes, sure that they don't get off track. Evernote felt the same way. We told you about this yesterday. They announced a change to the privacy policy was going to come in January that would allow limited employees who go through background checks to have limited access to anonymized users, private unencrypted notes, if you encrypted them, they couldn't see them. And the only reason they were going to do it is to monitor machine learning features of Evernote. And everyone hated them. Like people started looking for alternatives to Evernote, canceled subscriptions, said this is awful. So Evernote has decided not to implement the changes to the privacy policy and will instead revise its privacy policy to reinforce privacy protections and stated, no employees will be reading note content as part of this process unless users opt in, which is exactly what I suggested yesterday. If you want to be able to have humans review things to see how the machine learning is going, ask users if they will opt in to help you with it. I'm guessing they're not going to get a lot of participation at this point after this snafu, but at least it's the right thing to do. Don't you think, Darren? 
Yeah, I mean, and there's there's good reason that humans would need to be able to kind of see that data to be able to tweak the machines, especially with machine learning to, you know, get the best desired results. I feel like as consumers, as humans, we don't seem to have too much of a problem when it comes to a bot serving up ads based on the context, content of our message. And we understand that those bots don't understand the context of said messages either because they're just they're dumb machines. But in order to get machines to be a little smarter about it, it would be really helpful if we got some humans to kind of coach them and understand what those messages are. And it is a delicate balance because you don't want to completely turn off your entire customer base by giving them the the idea that somehow suddenly you're reading everything, which would be impossible given the vast size of the Evernote user base, you know, no one could read all of that material. So I feel like an opt in approach is probably a good solution. And we've seen this, you know, with with technology, well, for the longest time, I remember seeing this in the 90s with direct access test units, which would allow linemen to, you know, do basically test do it's a kind of a test equipment thing that will allow you to to do things on different film lines. And one of the functions that I needed was the ability to check to see whether somebody was talking on the phone at the given time. Now the phone company doesn't want to give all the linemen a dial-in number where they can just, you know, snoop in and listen to any line. So it would come out completely garbled. So you could tell there was a boy over is what it would sound like. So you could tell that it was human, but you couldn't tell what that message is. So this is something that will continue to go on as we develop that relationship between the man and machine. 
Yeah, the best the best case scenario was Evernote and I believe this is what they wanted. They wanted to give a limited set of people working on this project legal protection to look at what the machine learning algorithm was looking at when it made a decision. If they're like, this is a weird decision. What did it see? What what what were the words that it was seeing? They didn't want to read people's notes, but to be able to see what the machine learning was seeing, they had to give those people the right to see those notes, which were otherwise private. And it just it is another testament to the ongoing lesson the companies refuse to learn. They think they can all get away with not having to learn it, which is opt in is not going to get you in trouble the way opt out will. You know, I'm just realizing there was a really good example of this. Google did a pretty good job of this with Google Voice initially when they started to introduce the the service where it would play your voicemail, but it would have a speech to text and it would, you know, you could read along and often hilarious. Yes. But if you hovered over on the mouse, it would give you this little button where it said, would you like to send this to Google so that we can help make it better? And you're like, well, it's just a message from Geico and it doesn't have my account number. Sure. Mercedes-Benz has launched a pilot of its car sharing platform called Croove, like Groove, but with a C. Maybe it sounds better in German. They're doing it in Munich. And anyone could put the car up for rent. All you have to do is have a good condition car. Pretty reasonable condition requirements and less than 15 years old. So I think I could use my car for one more year if I were in Munich. Renters can filter based on model and other options, as well as the time they'll need to rent the car, because you don't have to make your own car available all the time. 
The service is similar to Turo, which just launched in the UK and easyCar Club, which is available elsewhere in Europe. But the interesting thing is we see we have seen a lot of car companies getting into things like Zipcar because they like the idea of using their cars and getting people used to using their cars. And hey, maybe if they drive our Zipcar, they'll want to buy this car. And this is not that. This is platform agnostic. Mercedes-Benz is just running a literal car sharing program, which is you can put any car in it as long as it runs and anybody can rent it. And Mercedes isn't getting anything out of it, except for the profits of running the system. Yeah, it's really interesting. Personally, I would love to hear like Molly Wood's take on this from her old blog culture of ownership, because it is like a vast different kind of mindset of like what? Well, you know, looking at a manufacturer like they're used to selling you something that you own and that's how they make money. And now the whole context of what is ownership and in a sharing economy, how does that impact them? And so it's I applaud them. This does feel like a test and that's good. They should test the waters and kind of see where, you know, it leads them. But I would say that this is would be akin to say the RIAA opening up like an MP3 store online in 2000. And that's can you imagine? Can you imagine that like an un-DRM'd MP3 store for all member labels to participate in? I mean, it isn't that. It isn't exactly that because this isn't the car association. This is a particular car company. OK, so it would be like BMG or Sony, you know, yeah, but it is that it is somewhat contrary to their their own personal interests, but it gets them a lot of data about car use and car ownership and what kind of cars people like to drive and what features they like. 
And Darrell Etherington at TechCrunch points out they could use it in car sales to say, hey, you want to buy this new Mercedes today and maybe the price is a little much for you. But the monthly payments seem a little steep. Guess what? You could sign up for our Croove service and then you can rent out your car and that helps alleviate the cost of this car. Oh, man. Also, could you imagine you're like you're in the car and you're like, wow, I really like this. And then the thing pops up in your smartphone. It's like you want it? Just tap here and just keep driving it. Well, no, that's the Zipcar model. This Croove couldn't do that. Well, I guess it could. Yeah, no, you're right. If if it's a Mercedes. But the fact is this is not the best way to do that. The best way to do that is a Mercedes car sharing program, right? This is not going to guarantee that you're ever in a current model Mercedes. Unless, of course, they seed it. They seed their own platform with Mercedes, which they may have. Well, no, but that's the key. That's the key is they're not doing that. That is the whole point of the story. And it's hard to wrap your head around. It's like, yes, that's what they should do, but they're not. That's why I don't understand it, but I still think it's a good thing. Yeah, yeah. To Sony opening their own MP3 store in 2000, where it's like, hey, the sea is changing. Let's get ahead of that. No, that's it. It's Sony opening an un-DRM'd MP3 store that sells other labels' music as well as their own. Yeah. Right. Yes, exactly. Yeah. Source told MacRumors that Apple will sell AirPods in its retail stores starting Monday, December 19th. My guess is they'll be limited lines and limited availability. But if you ordered an AirPod that wasn't going to be delivered until January, this might be a chance for you to get it earlier. AppleInsider also noticed on Apple's servicing pricing page that a single lost earbud replacement. Remember, the AirPods aren't connected. 
They're separate will cost you 69 bucks. The full price of a pair is $159. So I was one of the people who have first said, oh, I'll just report two of them stolen and pay $140 because they're only $169 a piece to replace. Except that doesn't get you the charging case, which you have to buy separately. And that apparently is like $69 to get the charging case. OK, because I was about to say, you know, you just buy to get one pair half off. Yeah. But now they've thought of that. To be honest, Tom, I really feel like the story behind the delay is actually way more interesting than the product itself, just considering it's Apple. Yeah. Why is that? Because I just, well, maybe it's because I'm into, you know, manufacturing and e-commerce and all that nature. But but it's just like, dude, you're Apple. Like, how can you not, you know, make this work? Your CEO was the supply chain wizard. Yeah. But I. But you know what? He's the CEO. Now he can't spend all this time because the supply chain wizard. Well, it's I don't know. I just I would love to hear the backstory of that. I know. And it's sad because I know I never will. Oculus just Oculus just launched a feature for Gear VR called rooms. Friends can chat, interact with objects in the virtual room, watch videos from Facebook up on a virtual big screen, play games at a virtual table or even do some multiplayer Gear VR experiences together. Oculus also launched a simple voice chat called parties that will work in Gear VR. Avatars in the services appear as semi-translucent heads with circular photos pulled from Facebook below them. So you know, which semi-translucent head is whose lip and head movements are replicated by the floating heads. This isn't quite the talking avatars that we saw when they showed off things last fall. But it's it's an avatar chat room in VR. Hey, sounds cool. I wonder what it's like. Yeah, that's what I thought. Popped on your Gear VR. It's it's just chat roulette. Yeah. Oh, no. That's well. OK. 
Actually, speaking of parties, Oculus parties could be chat roulette if you're not careful, although you can only talk to friends. So it's not like chat roulette where you get random people. Oculus rooms, on the other hand, is only going to show you the semi-transparent floating head. Got it. Well, you know, I was speaking of predictions to feel like Patrick Beja was just a year too early on his prediction because I think it just came true. I mean, that'll be the fun prediction results argument next year. Stay tuned for our prediction show on December 30th. We already have recorded it, obviously. And Patrick predicted something about avatars. Listen closely and write in when you when you listen and tell us if you think the rooms service actually fits his prediction, because it kind of does. But it also isn't kind of. I mean, they're avatars, but they're not avatars. Like, they don't really look like you. Time to edit the MP3 and just, you know, throw in a little filler anyway. I know Patrick Beja emailed me today asking if he could add another prediction because he's all excited about Super Mario Run. OK, so here's here's the thing that I'm feeling, though, this whole Facebook live streaming thing, integrating with it. That's the part that I'm like, OK, well, that's really interesting because the way the Gear VR works with your phone is that your your camera's on the outside. If you're wearing a Gear VR, you can actually pass through your phone's camera to the VR so that you can kind of fumble around the room very awkwardly. But the thing that I'm not feeling like a little iffy on is like, while Facebook Live awesome, I know some of the people behind it, they're rad, but bringing that to VR don't bring meat space into my VR. Yeah, like there's a reason it doesn't have to be live videos. It could be uploaded videos to like clips and trailers and things. And I'm just going to say it one more time, chat roulette. No, no, it's not live. 
You could there are there have been whole television shows like from Amazon premiered on Facebook. You can watch those instead. But in VR, no, no. Well, on a big screen, it's bigger than the screen. Most people have their house. I don't I don't want my meat space in my VR. But then you and I could watch a show together without having to be in the same city. That sounds terrible. All right, I'm not convincing you. The Pew Research Center asked people in the US about fake news in a recent survey. This is the first effort to find out like what the actual perception of it is. Is this a real Pew study or is this a fake Pew study? This is a real Pew Research Center study as far as we can tell. Cultural relativism aside, it found around seventy six percent of people did not admit to ever sharing fake news. So most of us don't share these things. Thirty two percent said they often come across completely made up political stories. Well, twenty six percent said they hardly ever or never did. So most of us come across them every so often. There's a third of us come across them all the time. And a third of us or quarter of us that say we never do around 64 percent of the people surveyed say that it causes a great deal of confusion. So most people think that it's confusing that there's all these fake stories out there. But eighty four percent were somewhat or very confident in their own ability to recognize made up news. So they say, well, it causes a confusion, but it causes confusion for other people, not for me. People generally think that the public, the government and websites are sort of equally responsible for fake news that it's it's not one particular thing. So nobody could really agree on who's responsible. 
We just need bots that churn out fake news at a rate of 100,000 times more than the existing amount so that the signal to the noise is such that only credible sources can ever be trusted or no credible sources can ever be seen because they're just drowned out by all of it. Yeah, there you go. I what one of the reasons I want to talk this talk about this is I think I can easily misunderstood by people on all sides of this issue because I want to see evidence about what is happening with this. Is it actually having an effect? Do people believe it? And this is the first attempt I've seen for anyone to actually find out what's going on in people's heads. This is short of saying what effect the stuff has. This doesn't tell me did it sway your opinion? It doesn't attempt to do any kind of double blind, which would be difficult. But it is at least getting people to say, OK, this is my perception, and it is not the same as a lot of people think there. There's a quite the questions here are, OK, most people say that they're not bothered by it because they can tell. So let's test that. Let's find out if they do get fooled and let's try to figure out to find out if it actually had an effect or not. Well, the problem, the study is that you don't get the people that are like, oh, no, I've never seen fake news and yet everything they've ever seen is fake news. Right. Right. Because they think they're confident that they have it. Let's test and find out if that's a common occurrence or not. Oh, my God. I'm just imagining. Could you imagine like a documentary of the life of a person who can't tell the difference between spam and real email, fake news and real news? Yeah. Well, another J. Martin says almost a quarter of Americans have admitted to sharing fake news. How many of you have shared an onion article? Oh, my gosh. You shared fake news. 
Every now and then Shannon will show me because I'm not on Facebook, but she'll show me like, you know, oh, that's that story about the Abortionplex just popped up again and everybody is freaking out and losing their minds and the other thing is sharing it not because you believe it, but to point it out and go, they're doing this again, they're trying to push this again. So yeah, there's there's a lot of data that needs to be collected. At least The Onion does it with style and Pew Research Center. I trust they have good vetted procedures. So I think these numbers are fairly solid. Thanks to all those who participate in our subreddit, you can submit stories and vote on them at dailytechnewsshow.reddit.com. All right. Yesterday and the day before we talked about Yahoo announcing that a billion accounts had been compromised in August 2013. Names, email addresses, et cetera, were accessed. No financial information was accessed. But the one thing that caught my eye and the whole thing is otherwise it I mean, it's a large hack but it's not a particularly unusual hack in most respects. Usually when accounts are compromised, which they're compromised all the time at lots of different companies, they get names and email addresses, et cetera. They don't always get passwords. When they do get passwords, they're usually hashed, which is all when you see that you're like, oh, OK, good. So at least there's a speed bump to them getting into them. They are not usually hashed these modern times in MD5. MD5 is a very insecure hash that has been broken many times. Back in the 90s, it was discovered that you could do some combination attacks against them. But then at least you could say, well, it's it's, you know, it would take a little bit of power to get into these. They're not particularly secure. But by 2006, it was simple to break an MD5 hash. So Darren, explain to me how any company could possibly be using MD5 to hash its passwords in August 2013? 
Well, just to clarify so that everybody's on the same page here, we're talking about a one way math function, something where you can typically, you know, password or really any data, you can run it through this and you get what they call a hash, which is just, you know, a bunch of gobbledygook, right? And that gobbledygook, you'll always get that same way. So every time you type in your password, you're always going to get the same gobbledygook, right? But turning that gobbledygook back into the password, really difficult to do, which is why what happens is you'd go to log into the site, you type in a password, it would run your password through this function and then check the gobbledygook that you get that resulted in to see if it equals the same one that it has in its database. And if they're the same, because there can only be one outcome for any given input data, then these can say, Oh, OK, well, those are the two, the same password and they never actually saw your password, never actually stored your password. They just stored the one way hash functioning of it. Yeah. So if I could if I can just interject real quick, one way to think about this, if this is still confusing you is let's say your password is 13, the hash function is 135. If you multiply 13 by 135, you get a thousand seven hundred fifty five. And if you store that and people see a thousand seven hundred fifty five, it will be very difficult for anyone to figure out that that represents the number 13. Unless you know that 135 was the number that 13 was multiplied by. Yes. 
And so what unfortunately will happen with any given cryptographic hashing function is that over time, weaknesses will be found at what they're called collisions and other weaknesses, whereby an attacker can either turn that gobbledygook back into its original source or they can come up with a different source material that will result in the same gobbledygook and that's that's scary because it renders the encryption completely useless and that's what happened with MD5. MD5 is is the the result of a rework of an older function called MD4, which, hey, there were bugs found in that in the early 90s and so MD5 came to replace it. And then, you know, there were bugs found in MD5 in the early 2000s. But at that time, at the same time, those those bugs were like theoretical and you and they required supercomputer. So in the early 2000s, MD5 was a popular hashing function for storing passwords because it was built into a lot of different web programming frameworks. This was the same time that, well, Web 2.0 was coming about. So, you know, programmers using Perl and Python and Ruby and PHP could very easily write together a login system and just, hey, just use MD5 because it's built in. Right. So that's why it gained popularity. It wasn't until about, you know, 2005 that it became absolutely trivial to break. And the more time goes on that the more kind of ridiculous it becomes. It was just catastrophically broken. Like any home computer can crack this stuff. So it went out of, you know, went out of style. Better hashing functions have replaced it. Stuff like bcrypt and scrypt. But MD5 is still kicking around in some really weird ways. It really made a name for itself as a checksum function. Basically, something that you used to verify that what you downloaded is the same thing that was served up. It's just to check the integrity of a file, make sure it was corrupted in transit. It's not supposed to be used in this day and age for storing passwords. 
That's not to say that it's inherently bad, but it's just not today's best. So why would it be used in 2013? Either laziness, blatant disregard for security best practices, laziness. Inertia. Good reason. There are no there are no good reasons. Yeah, inertia is another word for laziness, I suppose. But yeah. So so it wasn't that they were just trying to use it as a checksum on passwords, and which would pretty much imply that they just weren't encrypting the passwords. Yeah, at this point, like encrypting something with MD5 is equivalent to having password as your password. It's right. I mean, encrypting something with MD5 in 2000 was not the most secure way to do something, but you needed you needed some resources to be able to crack it. So that's why it was built into everything is like, well, this is, you know, this is this isn't going to put too much overhead and it's fairly secure. Those those are that's always the definition of the currently most used hash, right, which is like there's an attack against it, but it's a really hard attack. And so it's easier to use this because it doesn't add a lot of resources to the decryption process. But at some point, like you say, 2005, we got to the point where it's like, oh, no, this is just like, you can break this on on my ThinkPad T42 sitting down there like that it was trivial. At that point, you have to move on to something else. You have to. And here's the thing. That's I really want to emphasize that this isn't like, oh, MD5 is bad. It's not a matter of like good hash functions and bad hash functions. It's really just a matter of keeping up with the times because cryptographic hash functions come and go. And what's secure today is trivial to break tomorrow. As an example, DES, it's it's still actually part of SSL, right? And it's what your browser negotiates with the web server when it creates an SSL certificate. 
It'll say like or when it creates an HTTPS connection, it'll say like, hey, what ciphers do you speak? Here are the ciphers I speak. And let's choose the best one. And, you know, modern browsers rip those out because they're like, well, let's not use DES, but it's still available in the same way, in the same way that a dot matrix printer is available today and in the same way that you may see the DMV still using them, you know, it's not that old technology ever dies. Sometimes they have some like staying power and they just kick around even though they're not the best tool for the job. Think about that the next think about the fact that the fax machine was patented in 1905. Next time you're asked to fax a document, you know, technology has a way of sticking around. But today's best, you know, scrypt and bcrypt and PBKDF2 will be trivial in a decade, two decades, whatever have you. So it's always the matter of using the best of the time and then upgrading as time goes on. To oversimplify, going back to my 13 times 135. At some point, you get a computer, all of our computers could do this that could go through a bunch of different hashes and say, hey, guess what? If we divide all of these by 135, we get a working password. So the encryption must be 135. And at that point, you've figured out, okay, this is a division thing. Now we're gonna take 13 and multiply it by 1,265 and multiply it again by 7 million. And that'll be harder to crack. And then eventually computers get to where they can just run through all the possibilities and figure out, oh, well, what they're doing is multiplying it by two numbers. I mean, that is way, way simpler than these hashes are, but that's essentially what's happening is they're figuring out, oh, we can use the computer to figure out the math that is causing MD5 to happen and reduce it. And then that doesn't take into account things like collisions that Darren was talking about, which are other ways to divine it. 
But the point is, computers get more powerful. They can figure out these hashes. You come up with a more difficult hash because you have more powerful computers that can compute those more difficult hashes and the song goes on forever. It in fact does. And that's a good thing. You know, we wanna see that continue to happen. You know, throw it, in fact, your multiplication thing, Tom throwing some prime numbers and I think you nailed it. I think, you know, yeah. And then quantum computers come around and it's all completely irrelevant. So that's what we want. At some point, at some point, the technology changes so much, you have to change your whole approach, but the key here to bring it all back is everything we're talking about is fine. There's nothing wrong with MD5 being invented. There's nothing wrong with Bcrypt being really good right now and eventually becoming crap. The key part is that the company's securing things continually move to the most secure available option. Yeah. I mean, I'm not saying that your slide rule can't compute. Your slide rule still functions. It's just not the best tool for the job anymore for the most part. That's why it's on my mantle. Instead of securing my passwords. Yeah. All right. Well, thank you for that, Darren. I hope that helps people understand a little bit more. And if anybody out there actually knows, like, oh, one thing that you may not have realized is that Yahoo was doing this or whatever. Let us know. I would love to know more about this. One thing I'd like to just add to this discussion because I feel like it doesn't spread around this idea is that when you're signing up for a web service, you don't know what technology they're using to protect your data on the back end. It's not something that has become part of the culture of disclosing that kind of stuff. And I feel like we need to change that because if you were told ahead of time, hey, sign up for this new web service and you were interested in signing up. 
But then it had a little thing that says, by the way, we store your password in MD5. You'd be like, wow, OK. Time to really come up with a throwaway one here. When you say that, it makes me realize one of the things that Yahoo did do, which was very security advanced, was provide some alternatives to passwords being your protection, not only to factor authentication, but using devices to actually log you in so you didn't have to put in a password. It may be that the security team that eventually left because of cooperation by Yahoo with government requests may have been thinking, you know what? Why bother? Passwords are all broken anyway. We're going to move past that. And then they never got to the point to make that practical. I'm not saying that makes the decision absolutely right, but that could be some of the thinking. Yeah. I just feel like we just need to get to a point where it's like an independent body that issues like badges or something where sites can proudly disclaim that they're using whatever the latest and greatest is, and then continue to keep up with the times because you can actually rehash someone's password when they log in so that you're storing a better version of it in databases. And sometimes we'll see data breaches where there's MD5, but only on really old accounts where people haven't logged in in a long, long time, but all of the more current active users are using something more secure. And there's no reason why disclosing what algorithm you're using would make the service any less secure. If anything, I feel like it would increase the, you know, your user's loyalty and trust with you. Yeah, yeah, all of that. All right, let's get to our pick of the day from Lon, who recently upgraded his iPhone and needed to stock up on Lightning connectors. He says, my favorite item from the mono price order was a teeny tiny micro USB to Lightning adapter. Let's you adapt common micro USB cables to Apple's Lightning connector. 
Takes up no space in my bag. I just leave it on one of my short micro USB adapters and it only cost me eight bucks. So yeah, if you're a dual user, you're using iPhones and Android devices, this can come in pretty handy. Another dongle. Yeah, living that dongle life. Send your picks to feedback at dailytechnewshow.com. You can find more picks at dailytechnewshow.com slash picks. A few messages of the day, first of all, so we got an email and now I can't find out who I screwed up, the person's name in here, so I'll find it in a second. But it was about the FCC and we had talked yesterday about how they did not confirm, reconfirm one of the Democratic commissioners and Tom Wheeler is stepping down January 20th, leaving them with only three. And I said, well, could, I don't know if there's a rule that says they can't just fill with all from one party. Well, only three commissioners may be members of the same political party and none can have a financial interest in any commission related business. That's US code 154 of the Federal Communications Commission. So Mark, who is the person who mailed this to us, said, a president can't stack the FCC commissioners with all people from his own party, but he could appoint commissioners from third parties and independents. Just makes you wonder what the, just looking at it, not from a political perspective, but just from like a security, kind of like computer security side, it's like, well, what validates that somebody's political affiliation is true? Well, membership, basically, are you a member of the Republican Party? Right, but if you are, that's the way it works. It's actually very, no, it's very, but it's, what they're saying is, we only wanna appoint two people who are Democrats and two people are Republicans. 
So if you wanna be a commissioner, you gotta sign up for the party, and then, yes, okay, you could be ultra-conservative, sign up for the Democratic Party, and try to get named commissioner, but you won't get named because no one will put your name forward, and you won't get confirmed by the Congress. It would be my guess. Are you telling me that, no, Darren, no one's a double agent? That's- No, no, no, I'm saying it to be a difficult attack because of other safeguards around it. Okay, I hope that the, quote-unquote, other safeguards are off. I mean, if you have enough, you got me thinking, though, if you've got enough people in Congress who are willing to agree with that, I guess the Democratic Party could just kick you out of the party at that point, though. You just go as a sleeper until you're called to do your duty. I think that's a lot more effort than the benefit you will get from doing that. Yes, but it sounds so good under my tinfoil hat. All right, fair enough. That goes fairly well. Tyler wrote in and said, a few thoughts to add to the headline conversation regarding Uber using Volvo XC90s in its autonomous car hailing pilot program. I work as the new car delivery coordinator at a high volume Volvo dealership, and I can see a few reasons to choose the XC90. Volvo is known for safety. Scott mentioned that on the episode, but our CEO, Håkan Samuelsson, has made it our vision that by 2020, no one shall be killed or seriously injured while in a new Volvo. In pursuit of that safety, it has a bunch of semi-autonomous driving features already, so maybe that helps Uber along the way. And he says the Volvo XC90 was Motor Trend's truck of the year in 2016. So it's highly rated. There you go. That might be one of the reasons they wanted to pick a Volvo. And then another Jay Martin wrote in and said, hey, Len, Tom, Roger, and Darren, because he was confident I was gonna read this today. 
I am hoping that Facebook is taking the path of flagging sites instead of just stories. It would be better to start with a list of validated sites so all the stories posted from that site could be considered real news, and any report that a story might be fake is ignored, or those reports might be considered as gaming the system. Then if a news story comes from a new unverified site with no history, it could be passed to the checkers to see if the site should be considered as a spam site or be verified. I think this would alleviate Justin's worries about stories from established sites being marked as fake. It's a fair point. I do think, though, that we can have, I think you could say, okay, yes, the Wall Street Journal is verified. Anything that comes from the Wall Street Journal goes right through. We know it's not gonna be fake, because that's not what they're after. And maybe that's how they're gonna work it with those different signals that they accept. But what about Motherboard? What about the Daily Beast? This exact discussion has happened with many other technologies where you try to whitelist and blacklist what is good and bad. Look at email servers, for instance, you know? I mean, there's nothing to say that spam can't come from a Gmail address. Well, and another Jay Barton says, another Jay Barton says I work for an anti-spam company and we've accidentally blocked things that are not spam because we thought they were at the time. And the same attacks that hold true for spam hold true for fake news, which is you create a blog that has legitimate stories until you've accumulated credibility enough to put in fake stories. I mean, this is- False flag! It is best. Yeah, it is a difficult problem. Well, thank you, Darren Kitchen, for helping explain difficult problems to us, as always. If people wanna find more about these sorts of false flags and hashes and drones and all kinds of things, where would they go? 
Oh, you know, if you wanna learn how to crack these hashes, we've got fantastic episodes on Hak5. Just go to hak5.org and just type in hash or cracking or things of that nature because we have 11 years worth of weekly episodes with Shannon and I. I remember one that was shot in the Outer Banks of North Carolina called Salty Hashes with Margaritas and we explained hash salting. Right, we didn't even get into the salting of hashes. So you gotta go check out that episode now. Yeah, I mean, grab a margarita and watch away hak5.org. Darren, let's look over to what Len has been drawing because it is Star Wars related, but also related to Yahoo in some strange way. Yeah, in some strange way it does. I wanted to do something because today is, of course, the release of Rogue One, so I couldn't let anything go without referencing Star Wars. But this is the way that the name of this print is actually called How the Death Star Was Pwned. And, you know, the idiots in the back, those troopers made the password. Password, honest to be blown up, is what Darth Vader is asking. And of course, he's using the word Uttini as a swear word. That's my password, Len. Oh, I'm sorry. Cursing in Jawa. I thought using Jawa was gonna be more secure. It's not in a dictionary. Unless you're using a Jawa dictionary attack then you're screwed. There you go, there you go. And of course, the new female lead of Rogue One, I have not seen the movie, so I haven't really, I don't know your name. Jyn Erso. Jyn Erso. She is in the corner stealing the Death Star plans for what we inevitably will be. Which apparently are printed on legal paper. Exactly. Or, you know, that's how bad it was over there, tech-wise, for the Empire. Legal paper, bad passwords. Tech never dies. Yeah, old tech never dies. Listen, you do not want to be without this print, folks. Go to LenPeraltaStore.com and check it out. You can get a digital version or a version printed out and sent to you. 
You may notice if you're watching the video that I have a version of the link that he drew. Oh yeah. Len's art is good. You wanna get it, LenPeraltaStore.com. Right on the front page. Thanks to everybody who supports this show. DailyTechnewshow.com slash support explains all the different ways you can do it. Big thanks to all our patrons, including Philip Carr, Mark LaVialette, and Daniel Gall. Props to Doug Thompson who raised his pledge. If you're not supporting the show through Patreon.com slash DTNS, you need to give these people your thanks because they're the ones paying to make sure we're able to do it. Thank you, thank you, thank you. Our email address is feedback at DailyTechnewshow.com. We're live Monday through Friday 4.30 p.m. Eastern at AlphaGeekRadio.com and DiamondClub.tv. And our website is DailyTechnewshow.com. Back on Monday with Veronica Belmont. Talk to you then. Show is part of the Frog Pants Network. Get more at FrogPants.com. Props you have enjoyed this program. Nice, good show. Yeah, it was really fun. Thanks for doing that, Darren. Yeah, you're welcome. And anytime we try to like explain cryptography, I'm just like, oh, this could go awry, but that didn't go awry. No, I think it went really well. We'll see if anybody writes in with their head spinning, but I think we did a good job. We did not make a hash of it. Hey, sorry if that was a little salty for you. Look what's trending on showbot. Oh, Tini! All right, so at the top of the list, we've got MD5, Don't Jive. A room with a virtual view. You've got your meat space in my VR. Then there's another variation of the same thing. Keep your meat space out of my VR. Yeah, basically variations on a theme here. I like my news, like I like my reality, fake. The game is secure today, gone tomorrow. Evernote's controls ease. Don't ever, ever note, do that again. Got a crewv on. The onion is fake news with style. Hashing out cryptography. Mercedes crew. The hash for password is utanini baby pack. 
How about MD5, Don't Jive? It looks like it's the top one. What do you think, Darren? It's utini! I figured you might make a plea for that. No, it's okay. MD5, Don't Jive is good. My only problem with naming the show that is does it give away the joke? What, MD5, Don't Jive? No, it's utini. Oh, no, no, no. Also, they didn't even spell utini right. All right, MD5, Don't Jive, it is. No, I think that's spelled right. Yeah, but anyway, yeah. Yeah, but then we're going to get into, people are going to be like, no, that's spelled right. Yes, it is. Let's check the original script. Whoa, what if it's not in the original script? What if that was like... I think it's an ad lib. That's an ad lib, actually. An ad lib by the Jawa. Whoa, what if it was ADR ad lib? Dude. Yeah, you know, the Jawas speak, I don't know what language that is, what it's based on. What if it's referring to Francesco Uttini, the Italian composer and conductor, who is mostly active in Sweden? Ewoks speak of a mishmash of Tibetan, I think. That's what the Ewoks speak is Tibetan. Oh, really? Yeah, it's based on Tibetan. Yeah, it's Tibetan. So I don't know what the Jawas speak, but... Let me see. Movie Clips has posted up a live, this is Facebook live, poll of Rogue One versus the Force Awakens. Rogue One wins. No, no, no. So basically on the live stream, you either thumbs up for Rogue One or heart for Force Awakens and it automatically updates in the live stream what the count is. So the new Star Wars, the next one's coming out this summer, correct? No, I think eight is supposed to come out in December. Next December. Yeah, I think they've just shifted to December at this point because yeah, they were supposed to have Force Awakens was going to be in May and then they shifted it. Rogue One was going to be in May and then they shifted it. So is it like every other year is going to be a proper movie and then on the odd years we're going to get this Ewok jazz? 
I'm looking forward to seeing this, comparing it to the Ewok movie. In fact, I'm going to re-watch the Ewok movie before I go and see this. So Ewok is based on largely based on Kalmyk, a Mongolian nomadic tribal dialect. Ewok is or Jawa is? Ewok is. Oh, we were talking about Jawa. Someone said Tibetan so I was just going through it. That's what I thought. He was saying Jawa was based on Tibetan, right? Oh, no, I was saying Ewok was based on Tibetan. Oh, you are. Oh, okay, I'm sorry. But was any Ewok is actually memorable? Like, can you say one word in Ewok? Yeah, yeah. He says, uh, gotcha. Ah, that's going on. Wamburi ku-cha. Chub-chub. Chub-chub. Yeah, there was, yeah. There is an Ewok phrase. Jawa is based on several African languages, particularly Zulu. Oh, Zulu. All right. What is Jabba the Hutt's language? What's that? Huttese. Yes. But what is it based on? It's based on Chuck E. Cheese. Huttese. I know. The only, uh, he can't translate the word solo. So he says something like, Bala solo. Calli rara. Well, mine, everything has a translation because that's a proper name. Right. That's like saying I can't translate Peralta. Calli rara. Like my name, Yahweh. I mean, if you were to translate it, literally it would just be one you expect great things from. It's just easier just to say my name than to translate to a proper name. I'm actually just going to call you the one who I expect great things from, from now on. That's fine. You might be disappointed. It's a quantifiable name. I like it. My parents, my parents were rudely awakened sometime around high school. Huttese. I know. So I guess the, Slug people. BioCa has an interesting question here. He says, if you have time, could you speak quickly on how knowing the hash of a password. And I think what he means is knowing that something is MD5 doesn't make it less secure. He was under the other impression. 
So it makes it less secure if I'm saying, so Hak5 uses SHA-1 to protect all your forum passwords, which by the way, we don't. Thank goodness. That's just inviting trouble because what I'm saying is, I'm using a really old algorithm that's hella broken, just like MD5. But by saying I use bcrypt, that's not hurting me anyway. In any way. It's not like, you know, I feel like, like the mindset that like, Oh, we shouldn't share what algorithm you're using. It stems from the whole idea of security through obscurity. It shouldn't matter if you're using a secure algorithm, then it's the algorithm that's that's securing you, not the not knowing of it and being able to. Is it possible to figure out what algorithm people are using very, very easily? Yeah, you can, you can profile it and see like, Oh, you know, there's, there's tools that will profile a hash and be able to tell you with, you know, varying percentages of accuracy, like, you know, what it thinks, what algorithm it thinks it is, you know, certain signatures. And it's just, it's like, it doesn't make my machine any less secure if I say like, Oh, I'm using BitLocker to, you know, encrypt the hard drive. It's, you know, that's just like, that's like, Oh, well, you don't know where the lock on my door is. It's like, well, you're eventually going to find the lock. It's the lock. I'm hoping. I'm not going to tell you whether I'm using Schlage or August. No, if anything, I really want to get us to a point where we're emphasizing that we're using the best and have it like just be part of, even if it's just buried in the privacy policy, because at least then if it's public, some website somewhere can catalog all of these. And then you can look them up and see, you know, if it's, even if it's done with like a five star rating, it's like, Oh, you know, that like, and I would like to see a big player get out there and say, like, Hey, we use XYZ. I would like to see a Google say, Hey, we use, you know, PBKDF2. 
Well, and a lot of them will. A lot of them will tell you, like they will have it listed somewhere or they'll, or they'll admit it. But it's not easy to find. Yeah. What scares me is if you go to a company and you're like, Hey, what are you, what hashing algorithm? A very specific question. What do you do to secure my data? And you get some canned response. But if you say what's, you know, hashing algorithm do you use for the passwords? If they can't tell you, then that scares me because that makes me think like, Oh, no, they either A, went with whatever the default in programming languages, which is a lot of times MD5, which is how we end up in this mess, or B, the worst, they rolled their own. Yeah. That's, that's scary. Well, and Biocast says, I guess that makes sense. As long as you were using the latest and greatest, then even if they know it doesn't matter. And the, and the opposite is true too. If you're not using the latest and greatest, not telling them won't, won't slow them down. Yeah. Yeah. If I, if you're not telling me, then I'm assuming for the, I'm going to assume the worst, but you're going to try MD5. You're going to try SHA-1. And then one of them is going to work. Yeah. You take a small sampling. You take like one hash and you just run it through the, all of the, you know, common weak ones. And then you see what spits out. And that takes no time. That's not a speedboat. No, that isn't. So you shouldn't just rely on, on that obscurity. And yet it's, it's like talking about what kind of underwear you wear, you know, it's, it's not something that people are like used to doing. You know, it's not. Yeah. But I feel like we need to change the conversation and get, you know, get, get the companies to kind of like, you know, you should let us know what's under the hood just a little. Be proud if you got your hands on now. Right. You should be. 
I got, I got, I was going to say before you went to the underwear, which is a much better metaphor because it will stick in people's heads. I was going to say it's like open source. Right. People used to have the same fear about open source. If I show my source code, they'll all be able to figure out how to crack into my software. Well, guess what? The source code for all of these encryption technologies is open. Yeah. If they were closed, then we wouldn't be using them because it wouldn't be. You couldn't. They're security. Yeah. You wouldn't have them be independently audited by, you know, cryptographers around the world. We use things like bcrypt and scrypt because they are open. Nobody wants a black box solution here, especially for this. But how Cass says he doesn't know what underwear is because his wife buys it. I don't know what underwear I wear because I buy different brands. I'm not brand loyal. What? Wait, you don't have uniformity across the entire underwear drawer? No. I mean, they're all uniform in style. Okay. They're boxers if you must say. So you say. But they're not all from the same maker. They're not all the same exact model of the same exact brand of the same. They're not the same color. The exact color. Yeah. What? I have to make decisions every morning. Am I going to go plaid or solid? Low dude. That's just crazy pants right there. Crazy underpants. I'm sorry. I'm just going to like, you know, put it out there like all one brand, all one color, all one model exactly the same like uniform. It's like, get this. Here's the reasoning behind it. If your socks, if every pair of your socks is exactly identical. Yeah. Then when you reach into your sock drawer, you grab two socks independently. You never have to mate them when you're doing laundry and you will have assurance that I follow that sock rule. All my socks are the same brand. Oh, my silly. Oh, I can't remember. And they're all black. But underpants. I don't, I don't care. 
I don't choose them. I just grabbed the one. I actually rotate them. I grabbed the one at the front. Well, I mean, I put them in the back. Yeah, that makes sense. Wait, what? Oh, anyway, that makes sense. There was a time in my life where I had two competing pairs of socks, where I wasn't sure if the crew cuts were going to make the cut, or if it was going to be the other ones. And so, but thankfully it was, you know, you reach in twice and you had a 50-50 shot of getting a matching pair. Right. And if you didn't get a matching pair, reach one more time and you have a 100% chance of getting a matching pair. Right. And you just have to reject one of the ones you have in your head. Yeah. You know, but with each additional style, you throw in the mix. Now you're just reaching forever. I have running socks, but I keep them separate from the regular socks, so they never get mixed up. But they're entirely different colors, too. If you just switch to Smartwool across the board, you wouldn't have this issue. I'm probably revealing way too much about my obsessive compulsiveness. But the other thing I do is I also rotate my shirts. When I pull them out of the laundry, I put the shirts that are clean at the back so that I always know which shirts aren't getting worn as much, because they're at the front. No, that's smart. Yeah. If you do it right, every shirt is identical, and then you just always close your clothes. I know. I don't go that far. I've thought about it. I've actually thought about doing that. I started, that was my 2016 New Year's resolution, and I stuck to it for the entire year. I've been wearing the same exact shirt for a year. You've had different shirts than that one. But the undershirt, this. Oh, the undershirt. Okay. Yeah. Who makes Patagonia? This Patagonia shirt. Patagonia makes Patagonia, I think. They do. And it's good stuff. So you just get eight of those. You always have the same exact shirt. 
Or you could just get shirts you like with similar designs. Just different enough so you do feel like you're wearing the same shirt. But you don't have to choose between them because you always like whatever is coming up. Yeah. It goes grey and it goes with everything. I'm not talking about the shirt that goes over. Not the button down. That's got a, you know, those are the new unique snowflakes in the wardrobe. But see, that's the Steve Jobs thing is he went with the turtleneck. All black turtlenecks all the time. He was a cartoon character. I mean, you never saw a dog who wears something different. It costs too much to animate a different outfit. Right. No, you can't animate a different. That's like Snoopy not wearing Snoopy outfit. He's a dog. He's naked. He wears a scarf when he's flying us off with camels. He doesn't wear anything. He's naked. He's naked. Sorry. That's the Red Baron who wears the scarf. Yeah. Don't confuse the two. Sometimes he wears sunglasses when he's joking. But that's a joke. Doesn't he wear a shirt on that too? No. Maybe a college sweatshirt possibly. Yeah. Archie. Archie wears the same thing in every comic. Does he not? I don't know. I haven't read Archie since grade school. Well, it's all rebooted and dark now. Yeah. Everything is rebooted. I'm not kidding. No. It's not a joke. I'm sorry. I really thought you were making social media. No, they really don't. And there's a TV show based on the rebooted dark Archie that's coming to... It's coming under Archibald. Wonder why I'm under a rock. Yeah. I don't want your dark reboots. They're going to call it the green Archie. It's called Riverdale. That's the TV series. I don't. I do not want your dark reboot. The dark... You know, the dark reboot of Hak5. Hacking in hoodies with ski masks and gloves. Or it just like, you guys are always like against hacking. That's the dark reboot of Hak5. No, no. I think it would just be like really kitschy. 
I think we would like have leet speak everywhere. It would... You would have to be in a basement. And you would have to be surrounded by a lot of con... Perhaps a converted warehouse. You'll be telling people how DRM is great. And you should close source everything. You mean Dr. M? By the way, my favorite character of Buzzland. I miss Dr. M. Dr. M strikes again. No, I kind of want to go see Rogue One. Yeah. Let's go. Do that strap. Draw Darth Vader all hour. Yeah. I get in the virtual living room with you right now. I don't know if I'm going to do. I'm, you know, I don't know if I'm going to do anything. I'm, you know... Oh my gosh. Would you watch a movie in VR? Yeah. No. Like go to the theater to put on some goggles and like... I wouldn't go to the theater. Just like Tom has never been to Disneyland, I've never tried true VR. Yeah, it's the same thing. Wow. I would never... I would never... Why? Why would I need virtual reality to look at a two-dimensional image? Because it wouldn't be two-dimensional anymore. The whole movie, you'd be immersed in the movie. Yeah, you'd be like in it. But you'd be sitting. You'd be walking around to you. Going, Oh, Tini! Yeah, but it would be it would be weird though because you'd be sitting and you know that... Well, no, you'd get a little office chair and everybody would be having to like sit four feet apart so you can spin around. They make you stand on a treadmill and then you would just have to walk everywhere. The only problem with that I could see is that it would have to be on rails because otherwise you could be lost somewhere in the movie and feel like the action's way to the Death Star and you're like still on Endor and you're like, where is everyone? That raises a good question. I mean that doesn't... Sorry, the fourth movie. It's still a movie at that point because you're not being led by the nose as it were based on the camera. Well, actually I would say the same thing holds true to many of these. 
Like I'm playing Watch Dogs 2 because the WiFi Pineapple was featured in a video game. And it is not for the apathetic gamer. The whole open-world gaming is great if you have the fortitude for it. But if you're apathetic like myself you'll find yourself just wandering around the virtual streets and just go, not at all because you're just like, I don't have to complete the objective. The storyline doesn't move forward if I don't do anything and so therefore I'm just driving around. You've basically found the space between life and death in that one moment that you can stretch out forever. Think Doctor Who before that concept. I'm gonna go figure out how to see Rogue One and see if one of my kids wants to go with me. I want a mutini for Christmas. Alright, we're all gonna go down to the bar and get some mutinis. Alright. See you later. Bye.