That's the point, damn it. What is your point? I have points to make and I'm not gonna bury the lead. Welcome to Vlog Thursday. Yes. I'm actually gonna start with the things that are in the Vlog Thursday subtitles below or on the thumbnail or what it's titled. We're gonna talk about KRACK. Yes. Okay. Yes, so Wi-Fi is broken. And that KRACK. That KRACK. So, let me mute my phone. The record goes off. All right. That KRACK. Wi-Fi is broken. And what they're talking about is a new KRACK attack that came out. I posted about it, posted a video about it. And it's worth addressing again because I wanna make sure you understand the details and what you can do to be secure. You can turn off your phone. There's one way to be secure. Oddly, you can have an iPhone. And through a series of- Boop, boop, boop. Hello, Siri. Siri, thank you for not being- So, let's talk about how this attack worked for real quick. I have some more details and when I first posted the video, did some reading, found, talked more about, so we can talk a little bit more about the flaw. And what happened is, the people that write the standards for things like Wi-Fi, we have a standard. And companies are supposed to follow that standard. That way, when you follow the standard, everyone implements it the same way. And that way, this Wi-Fi works with that Wi-Fi device and they're all inter-compatible with each other. That's great. Unless the company that wrote the standard makes a flaw in the way they implement security. But don't worry. Security's really, really complicated and we understand that flaws are made and this is where things go awry. Thanks, iPhone. They misread the complicated security thing and go, huh, let's do it this way. And the good news is that the subtle wrongness that iPhone actually did is why it doesn't work. They're invulnerable to it because there's a part called the four-way handshake and they only do three parts and not the fourth part of it, essentially, if I understood correctly. 
So they didn't implement it properly as a bottom line. So iPhone, oops, their way into that. The Linux people, oops, their way into hell because they absolutely followed the standard to a T. And the standard was wrong, therefore, they had devices. Now, here's the thing. A lot of people are talking about updating and I did too, because it is important you update the access points because there's feature sets in the access point that can be slightly exploited. But that does not secure you. That secures that access point from the attack, but the attack is actually perpetrated against your device. And what it does is it can spoof your device in giving up what the traffic is between you and the network you thought was secure. Now, it's not that the world is coming to an end with this. It's one, it's a proximity attack. So there's one problem. They have to be within range of your device and they have to have a device powerful enough and if you're using proper security on that network, it only allows them to view the traffic. So it's not- They just see that things are going back and forth. Right. But because your traffic's encrypted, they don't see what VPNs definitely will save you from this. So if you have a VPN that starts at your phone, then they can't see anything because occasionally there's traffic that we refer to as leaks and it's traffic that passes. For example, the encryption between me and Facebook. You don't know what I'm posting on Facebook, but you can once see that I'm connecting to Facebook because what sites you're going to is not encrypted. The data between you and that site is encrypted. But there's occasionally times when data passes through unencrypted. So I still refer to it as an edge and it can get them further in. So the sky isn't falling, but yeah. It's still disconcerting. Really disconcerting. Definitely need more updates. It would be awesome if I actually didn't know what some people were posting on Facebook ever. Ever. 
When is somebody going to make that exploit? Yeah. I don't know. Sometimes I just think keep posting. I'm diagnosing. Right? There is that. Yeah, there is that. Keep posting. I'm diagnosing. It's all right. Yeah, you just keep posting and that way I know the people that I shouldn't talk to. So does Marvin know what CVE-2017-15361 is? I believe that was the combination to my high school locker. There is a chance of that. So this is kind of how fun security is. Is that your social security number? Yeah. Yeah. So CVEs are vulnerability IDs assigned to things and there's a series of CVEs for this wifi thing. And at the same time, in the same range roughly, is the CVE for RSA flaws. And this is real mathy and real nerdy, so to speak. Yeah, because it has to do with a factorization flaw on the TPM chips on the RSA private keys. And what they figured out was this company called Infineon, who makes TPM chips and are called trusted platform modules. And the concept is, because you need to take the way general security works right now, is we take prime numbers and we multiply them together to generate keys. This is kind of the basic overview of it. It turns out that this expensive little chip called TPM chip that's found in high-end servers and in higher-end laptops and other computing devices was producing bad keys. Matter of fact, they're producing predictable keys. Some security researchers, you know, when you got nothing to do, you go, I wonder if I can take all these Infineon chips and let's just spend all day creating keys on it. It uses a command, I send the key, I send the command to the chip, it creates a key, then the key gets kicked back out and goes, hey, here's the key for you. And they go, let's lay out all the keys. And they lay them out and it goes, there's a pattern. You know what there should never be when you're generating randomly generated keys? A pattern. 
Then they go, this makes all keys predictable that are produced by this chip that has been produced since 2005 until, God, I think it's vulnerable all the way until 2017 models. They have it on their site, this is a big deal. Where that comes into factor is people use things like encryption on their hard drives and they trust it to use these keys. If that key was used, it costs roughly $1,000 of compute time on Amazon to crack it. Because it's so hard to crack, but because there's a predictable nature of the key, they're predicting for less than $1,000 of computer time, you can crack it. And if you use the higher inversion of the key, it's about $40,000 to crack it. But this is well within a reach of nation state actors and people with a lot of time on their hands. So this is a very fundamental security problem that protects things at the highest level. Matter of fact, there's some tools and things like that and I may find a link and throw it in there, but if you look at the CVE and how to check for it, if you care about encryption or all that, you probably already know about it and it's probably not everyone on YouTube, but it's a very serious vulnerability. Now, back to why you didn't know about it. So KRACK attack, got a cool logo, got a cool website. And we're all concerned about people snooping on our phones and things like that. This other CVE, the RSA tech, no cool website, no cool logo, hugely serious to the fundamentals of the way things are set up. Wow, well we should make a website and a logo then. I know they need a website and a logo because you never knew about it before this. Only if you're in the security research world, I didn't even see that many security people really posting about it, they were going nuts because I got messages Sunday because the way the KRACK attack got dropped was the security researchers were like, we're gonna drop a bombshell at about 5 a.m. heads up. 
They registered a website, they had everything ready, they just didn't make it go live to say what was going on and of course just send everyone into a flurry of who was guys falling. Almost as if the KRACK attack was released to take our attention from the CVE. Yeah. Oh, I'm just saying. Let's go deep conspiracy here. I'm just, I mean, I'm not saying, I'm just saying. I think that's what it is. I know this has been applied to other things but this problem with security in general is if you're on the side of securing things you have to be right all the time. When you're on the side of the hackers that want to break anything, they're gonna be here once. Oh, we gotta find that flaw one time in WAMO. Yeah. It's a numbers game. It's a big numbers game. You have to try a lot though. Oh yeah. And never underestimate a clever, time-rich young people. That's true. They got a lot of time in their hands sometimes and they're just like, I'm gonna poke away at things. You know, I'm gonna take a university person going, hey, let's just build random keys and see if there's a pattern all day long until we find something. Yeah, why not? Why not? Yeah, scary stuff. Yeah. It's like making a whole ring of keys and just walking around and trying them in every door. Eventually you're gonna find one that works. That actually, yeah. Speaking of which, I was at the MI sec watching a lockpicking demonstration just last Thursday. Okay. Yeah, it was fun. I've actually done a few and maybe I'll get into that. Like a lockpick? Like a lockpicking class. Yeah, classes on this. That's the only class that's a security meetup and we all just found there are some clever things out there for unlocking things. Interesting. There's one for our commercial door that I didn't know about and it's basically a U-shaped hook with a flat blade with two hooks in it and you can push it between doors, turn it and the end of it will turn a lock so it'll turn the knobby thing. That's what it's for. 
It's really clever. Oh wow. Yeah. So we get to demo all the cool stuff and play with the locks and the guy that brings all the transparent locks and so you can see how to pick them up. Yeah. We've done these before and they're kind of fun, different hacker places and I've thought about doing it here. I'm pretty good at picking locks in Skyrim. No. Very similar, the concept is similar but it's physical and real. Say nothing I could handle one. So UniFi's had more updates and more updates to their systems. We had a client that only wanted a few cameras and then they decided they love the cameras so much they wanted a whole lot more cameras which then led me to spending two hours because it turns out that if you don't have exactly matched firmware, my mistake, you will have to match the firmware. So don't take a NVR that didn't have the absolute latest but then load the absolute latest and that's because the absolute latest just came out the other day which has firmware updates and then the absolute latest was out a couple of weeks and in between I changed service for a client and it cost me a couple hours of time but we did a build video, we didn't, well we shot the video and it didn't because we finished it yesterday and delivered it yesterday and now we're doing Vlog Thursday and I got busy delivering it so I didn't do the video but I did the video, just didn't publish a video. So we're gonna have to do the video. I know, so many details. Anyways. This is getting on into philosophy and stuff. Philosophy, but I'm gonna talk a little bit about that server and- If Tom makes a video but doesn't post it, did he still make the video? Did I make the video? I know. Part of what my problem is they use, this company is a, we do way more of these and I'd like to hybrid companies and I may wanna call them. 
Where we do the cameras or we do some aspect of the company, this one's even weirder because the only thing we don't do with this company is a firewall because the other IT guy doesn't wanna let it go. He's got some personal relationship with the owner of the company and I don't have the password of the firewall so everything's a request to this guy who travels between America and China a lot for whatever reason, I don't know the reason. So he is difficult to get a hold of. I don't think so. Yeah, and they're always seem to be agitated and I've given them quotes on firewalls and I asked them randomly if they wanna update and maybe soon, which there's a litany of problems with their current firewall. They have an old SonicWall that was probably put in in 2005. It's old, I can't remember that there's any specific vulnerabilities against it but it's antiquated. And I can't log into it so I don't remember exactly which firmware it is. But the other problem is it just doesn't like to DHCP some devices, here's a magical problem we have. It does not like to DHCP the commercial HP like $20,000 printers that they have because they do graphics printing like the large format stuff. It will not give DHCP address to that and it won't give a DHCP address to a UniFi camera. So we had to manually and statically set every camera which made my job that much more difficult because all they do to get the system working when the firmware mismatch, no problem. You just reset the camera's factory defaults and they rejoined right away. That sounds easy until you have 20 cameras that you have to statically assign all the addresses to. Oh, by the way, don't lose the name of the camera because I had to rename every camera back to what they were called because I didn't wanna go renaming them around the building. 
So yeah, these are some of the aggravating things and almost in retrospect, we thought about putting in our separate firewall just to create its own land just for the camera network. And we just assumed we can put it all in that network there and put it, it has its own switch and yeah, and he gave us an IP range for it but it just doesn't DHCP, it randomly does. If you keep resetting the cameras randomly, they'll get an address. Then they don't. I got nothing. Yeah, thanks, SonicWall. I never liked SonicWall. Not a fan. Matter of fact, you may have known that I'm a fan of pfSense. He is. Yes, and I'm excited because the new 2.4 is out so I gotta update to it. Then I'm going to be doing a speaking event at a BSD thing for the guy that wrote the book on it. Truly cool, he's gonna be there. I like him. His name's Michael Lucas. If you wanna read a book on file systems, he wrote two. He didn't write the book on file systems, he wrote two of them. Set aside the day because I'm sure it's a real page turner. It is. We reviewed his book on our podcast. Wow. All right. Fun note. So he probably, Marvin's in several writing circles and does Michael Lucas ring a bell a little? The name is familiar. He has probably showed up there. He's a fiction writer and writes all kinds of things. Matter of fact, his titles are almost always plays on tech terms. Like we have GitHub, so he has commit, git, murder, which in a commit and git is a programming and he's commit, git, murder. Yeah, he's got a technical spin but he's actually becoming a more famous author for some of his fiction stuff. Interesting. He's a super interesting guy. He looks more into him. Yeah, he's local here. So yeah, meet him. He's really an interesting, he's a lot of fun. I've actually been to his talks as well, so. Awesome. Yeah. I'll definitely look into him. Oh, we discovered a feature of this. Oh. We learned different skills. Whoa. Hey, that's neat. Here are a few of your enabled skills. First is box of cats. 
Open up a box of cats. Who knows what you might find in it. Alexa, stop. Alexa, open up box of cats. Turns out there's not a box of dogs because who would put a dog in a box? That's true. Is there a dog in a yard? Is there, I don't know. We also learned, Alexa now does podcasts and yeah, it does a horrible job of podcasts. Kinda does them. All's idea was get mad at it. So I was like, trying to find it. What it does is even though we know that certain podcasts are in there, it just doesn't wanna play them. The only good note is it would play our podcast. It wouldn't play the right episode I want. I kept seeing the latest episode and I kept pulling the wrong episode. It pulled some old one. But it does play the Sunday Morning Literary Podcast which made me happy. So. That's cool. Yeah. Alexa got that much right. Shut up, Alexa. There. Ha, ha, ha, ha, ha, ha, ha, ha, ha, ha, ha, ha. Ah. Yeah, anyways. Shut up, Alexa. So among the other things is, we decided and the horrible idea that was that is the eating of that. Yes, we shook it. A lot of people said you didn't shake it. That's why it tastes like propellant. No, we didn't let the alcohol. It's talking about the pepper spray. The pepper spray. The pepper spray. Yeah, this is a video. We made a poor choice. Well, they made a poor choice. I chose Google. They chose pepper spray. And they said. I had to try it. Yeah. They were all curious because we had seen people do this. That's what I think the beauty of the internet is. Ha, ha, ha, ha, ha, ha. Like, I think it's funny. If I watch someone on a skateboard from the 70s and things like that, you're like that was considered a cool trick. Yeah. Watch this. People just do. I mean, there's this video of this guy who comes on a ramp on a, in standing inside of a garbage can on a skateboard doesn't jump, lands on another skateboard and continues. Like. Oh. Yeah. I've seen some impressive things. Yeah. And I think that's the beauty of the internet that some people overlook. 
While there's all these people arguing about politics and lots of BS on Facebook, there's the other people that are watching going, I can improve upon that trick. And then our person across the country goes, that's a cool trick. But if I combine it with this other trick that I know and I make a video about it. And the same thing happens when people put pepper spray on chips and pepper spray on chicken. You're like, they did it. They think it's hot. We don't think things are hot. We should try this. Let's find out. And it was not, it was hot. Not the hottest thing we've ever eaten. Not the hottest thing we've ever eaten. But it had hints of motor oil. This is the alcohol and peppermint. And peppermint. Which was weird. So it wasn't hot, but it tasted terrible. No, we understand it's not food. That's also why we did not. Steve's original idea, this is where I kind of say stop, but then not all the way, was let's put all of it on all of the chicken that we have. I'm like, no, no, no. Put some on a piece of chicken. Now, before this, Steve does a test. He goes outside and sprays them on his finger. But he waited for it to dry and then looked at it. He says, it tastes like spearmint and heat. It's kind of hot. Okay, so. But yeah, we did it like right away. They did it right away and didn't want to evaporate. So that's, yeah. In retrospect, we won't do that again. Not the smartest thing, but we'll come up with something else. Well, yeah, we will top ourselves and pursue, oh yes. We keep setting the bar higher and higher though, like next we're gonna, I don't know what we're gonna do next. Absolutely. I have no idea what we're gonna do next either. We've eaten pepper spray like that. Seen pepper spray. That's it. That's where it is. While they were eating pepper spray, I was finishing up and I'm gonna, I'm doing a whole series of videos. I'm gonna create a new playlist for them all on virtualization. 
I've done three now on Citrix XenServer because we migrated our stuff over to there. And Xen. And I did on networking and I called the network Tom's Land of Zen. Ha ha ha ha ha ha. Awesome. It's still named that and it's gonna continue. I like it, I like it. Yeah, we're gonna change the wifi names too. We just been, we're going to do it but then I have to change all the things that are connected to it. But that's gonna happen too. Gonna make a public and private one. Okay. This land is my land. This land is your land. Is that your idea, Kiles? Well, I mean, Kyle. Okay, yeah. I knew he had to be involved somehow. Yes. We're like, this is a wonderful idea to name it this. This land is your land. I love it. Oh, that is great. This land is my land. But seeing as WPA2 is broken and, you know, apparently they're all your land now if you've got the time and patience. Indeed. Indeed. Yes. So, yeah. Oh, man. The last thing we were talking about, we didn't even talk about broadband yet, did we? No, we haven't yet. All right. Thanks, Michigan. We'll make this quick. Yeah, we'll make this quick. I'm gonna do a separate video on this because I'm gonna get ranty about it. And this is a big problem. So there's a bill that has been proposed here in Michigan. Now, this is not something that's not held up anywhere, but, you know, this is near and dear to my heart because I live here. There's a bill that they want to stop municipal involvement in broadband. Now, I am normally a person who maybe, you know, I'll say, okay, I don't really want the government to overly involve the internet. I understand that sentiment. But because the government is where they are and has allowed the monopolies, they've encouraged the monopolies and granted the monopolies through other deals, there's a lot of broadband plans that have been changing because one of the big problems is they've heard to the last mile. So what happens is government gets involved and go, hey, you know what Ternus wrote up? 
Why don't we lay some fiber while the road starts? Because putting fiber after the road in and directional boring with lots of things in a way, very expensive, very time consuming. So there's a few different places around America where the government has started laying the fiber and then they, after they lay it, just like they're laying the road, they dig the road up, they lay the fiber, do it all at the same time. It's actually very minimal in my expense because you already have all the construction crew and everything there. And then they lease that fiber to internet providers. And that's what they're actually trying to stop. And the bill is laughable because the senator made a claim on Twitter that there are 37 providers available. There's plenty of competition. And people in Europe are going, yeah, we have lots of providers. And then people in America are going, yeah, I can get Comcast or I can get Comcast. And occasionally I can get Wide Open West. Now, the thing I'm against about government being involved. And our neighboring city is Wyandotte. They do not let other cable companies and other internet providers come in because the municipal runs the internet. Well, they do allow one competitor, AT&T. And AT&T is doing such a horrifically awful job there. No one wants AT&T, except for the people that are absolutely fed up with the Wyandotte internet because they have managed to make internet in the city that they charge more than Comcast for. They have data caps on it. So don't use too much data. You're in trouble. And their service is terrifically good. Incredibly unreliable. Very unreliable. And I literally have clients who moved their business out of the city because the internet was a huge factor for them. Because when the internet goes down, they can't do their business and they're like, look, we need the internet and you guys can't provide it. And we already know AT&T can't provide it. 
Not to mention AT&T and Wyandotte only provides like 10 or 20 meg DSL at the max. Simply not suitable for business. So there's no options because of the way the city runs it. One of the first questions we ask, if somebody calls and says, our internet isn't working, is where are you? Yeah, you happen to be in Wyandotte. Yeah, because like everyone in Wyandotte has called us today and said the internet wasn't working. My favorite one was our salon that opened up that they use VoIP phones. So they notice right away when the internet goes down and of course can't run their credit cards. They are adjacent to the building that the internet comes from. There's a road between them. There is a side street, not really a road. So there is about a 60, 70 feet between where the internet comes from and their building. And it goes down a lot. They have joked and the owner of the salon is friends with the mayor. And he I think was a Facebook comment, something along the lines of, can you just run a network cable between the buildings? Because we really hate this being down. The other thing too is they literally, like we've been on DOCSIS 3 for a while. Their infrastructure was so old, like it took them, like two years after everyone else said it, they finally got around to it. They don't, and I've talked to them, they're just underfunded, which is absurd because they're charging more money. I don't know the internals of it. Someone told me is I'm not involved too much in that city's politics, but they've had to borrow money, they're losing money on it, even as much as they're charging, they're losing money out, had to borrow from funds. To keep it afloat and try to do infrastructure upgrade. This is where government is completely gone nuts because they've, they've barred the competition and they're doing an absolutely horrible job and no service to people. Literally when you start losing businesses because businesses need the internet, you should think about your strategy. 
You have more empty buildings now. Yeah. Yeah. So this bill is going to outlaw these things. Yes. So I understand the argument of arguing against Wyandotte. I disagree with the argument of where this is more targeted is places that are laying fiber and then leasing it back out because they say eliminates competition. Yeah. So I'm going to dig more into this and see as I have some political friends and see what's going on and raise awareness because this needs to be shot down. If the government wants to run some of these fiber, great. Once you get outside some of these areas, the competition is nil and it's really tough. We have in downtown Detroit, we've got several fiber companies that are competing with each other, but it's literally regulations that they're fighting with. So we need more cooperation, not more regulation. That's kind of my opinion for a lot of this. And these bills are just a trip it up to, you know, keep whoever's there without losing any of their. I mean, the internet really has become a utility in the water or your or your electricity. So I mean, the city comes through and puts in your new sewer line when you need a new sewer line. Right. I mean, it's it's one of those things where like it. Yeah, you need the internet is a necessity anymore. So and you can have the larger philosophical argument that the government should be making roads and the government should be doing series. You can have that go, OK, you know, let's all be probably funded or some methodology to do that. That's great. That's not that is a pie in the sky. Academic discussion. Let's deal with the real world sometimes. I mean, I've had great philosophical suggestion that how things could be done better if you could start over. But then the other side of it sometimes is I have work to do. And there's this is a direct effect. This is a real world thing we're dealing with right now. There's not an easy way to hit the reset button on it. 
So we kind of have to deal with things as they are, not just as we want them to be on a large scale. So hurricanes, wildfires, maybe there is a reset button. I don't know. I'm just saying. I'm just saying. Oh, side note. I didn't read a lot about this, but I was talked about on one of the other podcasts that the guys in California. And one of the problems with California wildfire is they people lack TVs anymore. You know, they don't watch over the air TV. They rely on internet. Well, apparently the wildfires as they kept through broke the internet and the internet is what services the cell towers. So the cell towers went down. This is actually why a lot of people did not get the forewarning that they needed to get out before it's too late because they're like, I don't know, your phone work. No, okay. Well, we can't turn on TV. We literally have no communication. Something bad must be happening. Do I leave? Which way do I go? Right? My navigation doesn't work now. I don't know how to go. Wow. So apparently that was a factor there that when the wildfires come through. So he was really thought about, you know, you have this high reliance on technology and you're like, wow, we lose service to an internet. And all of a sudden, nobody knows what to do. But you said it's a necessity now. Yeah, it really is. It really is. And we just kind of don't have it. We just bump into each other. We just keep wandering around, bumping it. Yeah. Humans do need to have some devices organized. Yeah. If you if you go, no, humans will self organize and you have faith in humanity. One, you don't work in tech clearly. So second, watch a traffic light go out. Yeah. Humans are lost. Yeah, that's it. Traffic lights out, gridlock, nobody's going anywhere. So that was Vlog Thursday. Thanks for watching. We rambled on long enough, Daniel. I'm sure we can ramble on more, but I actually got to work today. I got to reply to a lot of emails today. I've been avoiding doing that. 
There was still another new star we didn't get to, but we will maybe sometime. The New York. Which one? Oh, the New York. Yeah. I may ramble about that later. The thing that could be solved with a select star SQL statement, but whatever. I know. Yeah, I want to rant in general about municipal use of technology. Yeah. It's messed up. It's broken. Thanks. But that's a rant for another time. We'll see you next week. All right. Oh, if you like the content here, like and subscribe. Clickety click. Also, should I leave my hair down? I always didn't put it in ponytail.