 This 10th year of Daily Tech News Show is made possible by its listeners, thanks to all of you, including Chris Smith, Mark Gibson, and Reed Fishler. Coming up on DTNS, what is Nothing's next move? Plus, we'll discuss the latest in generative AI, and if you miss your old calculator, well, we've got good news. This is the Daily Tech News for Monday, January 30th, 2023. From Studio Redmond, I'm Sarah Lane. From lovely Cleveland, Ohio, I'm Rich Stroffolino. And the show's producer, Roger Chang. And we are joined by David Spark, producer at the CISO series. Hi, David. Welcome back. David, we can't hear you. The amount of incestuous that is going on in the show is astounding because I have worked with Sarah and Roger before, and Rich and I work currently together over at the CISO series as well. So it is awesome that we're all together. Well, I agree. And we're so happy to have you back to talk about all the things. But first, let's start with the quick hits. TikTok CEO, Shou Zi Chew, voluntarily agreed to testify before the U.S. House Energy and Commerce Committee on March 23rd. Representative Cathy McMorris Rodgers, the committee chair, said the hearing will focus on how TikTok handles U.S. users' privacy and data security, as well as how it keeps minors safe on the platform. Earlier this month, Chew met with European Union officials to discuss how TikTok would comply with the EU's Digital Services Act. Bloomberg sources say that the Apple supplier Jabil begins shipping AirPods enclosures from India to China and Vietnam for assembly. This marks an expansion of Apple's Indian manufacturing footprint, which previously only included iPhones. Bloomberg sources are always saying something now. They're saying Baidu plans to release a chatbot service similar to ChatGPT in March. This will initially integrate with its main search services, providing a conversation-style search result. 
The service will be based on its Ernie machine learning model in development for several years, spent a lot of money on it, and finally getting a front-end for it at least. Also sounds like what Google's working on. Last week, Mercedes confirmed its DrivePilot automated driver assist system achieved the requirements of Level 3 autonomy in Nevada. That's the first system in the U.S. to achieve that level of automation. The National Highway Transportation Safety Administration defines Level 3 as enabling the vehicle to handle all aspects of driving up to 40 miles per hour. So maybe not on the freeway, but it's going to take you some places. Drivers need to be attentive in the event that they must take control with their face visible, but they don't need to keep their hands on the wheel. That is interesting because my Volvo does the latter. The DrivePilot system is available on 2024 S-Class and EQS sedans. And begun the EV pricing wars have. Ford announced price cuts for its Mustang Mach-E electric vehicle. Top-end GT model with extended range saw a 9% reduction. That's the biggest reduction that announced its price down to $63,995 while the base model saw a more modest $900 price cut to $45,995. Customers on waitlist will see the price cut on delivery while current owners will receive personal offers to refund the difference. This comes of course as Tesla cut prices on its Model 3 and Model Y EVs from between 6 to 20% earlier this month. Alright, that was the quick hit. Let's talk a little bit more about Nothing, Rich. Yeah, so last summer, Carl Pei's Nothing company made a big splash with its Nothing Phone 1. It's obviously, as the name would indicate, its first handset. In a world of increasingly similar looking Android slabs, it kind of found a way to stand out with a transparent back and an interesting take on notification lights all wrapped in this cyberpunk aesthetic that they've been chasing after they did it with their earbuds as well. It wasn't perfect. 
It used an off-the-shelf version of Android. The camera was just okay according to reviews and it featured a mid-range processor. But one of the biggest limits to its appeal, it didn't ship to the US. Nothing did open up a beta membership to provide the phone to US customers just to give them a channel officially to get one. But it only supported a subset of T-Mobile's 5G bands. They didn't change out the radios. They were just like the European radios and good luck. Well now, that is changing. Might be good news to some folks. CEO Carl Pei told Inverse's Raymond Wong that Nothing's next handset, the Phone 2, will come to the US in 2023 describing the market as its top priority. We still don't know a ton about the Phone 2, however, although Pei said it would be more premium than the Phone 1 with a version of Android completely made in-house. He also said its hardware differentiation is the major reason it's seen iPhone customers come to its brand and he wants its software experience to live up to that. In this interview, Pei reiterated what he said when the Phone 1 launched that the company is resource constrained and it kind of has to choose its markets and its battles carefully. 2022 saw the company expand significantly, however, it increased its revenue almost 10 times on the year to over $200 million and it doubled the size of the company to 400 people. That being said, Nothing may launch the phone into a shrinking market. IDC reported the overall smartphone shipments fell 11.3% in 2022 and just looking at Q4, it saw shipments down 18.3% on the year. So David, I'm curious, we have a declining smartphone market. Is that an opportunity for Nothing or maybe bad headwinds that they're launching into? To tell you the truth, I'm kind of confused as to why they're doing this because there's kind of so many things fighting against them, but obviously they may know something that we don't know. 
I mean, the things that are fighting against them is getting people to switch off of the platform they're in. People get pretty attached to their platforms. Second, they're kind of first to manufacturing. You're up against people or companies that have been manufacturing phones for a very long time and the first of anything rarely does very, very well. And honestly, the real money is never just hardware, it's software, so it's unclear if they even have a software play here at all. Yeah, I'm kind of with you on this one, David. The declining smartphone market in general is just bad for everybody. If you're a boutique, I was about to say iPhone maker, phone maker, like Nothing is, at least at this point, not even being in the US, kind of saying, hey, we're trying to be nimble as we roll out our variations of phones. We've got the Nothing 2 coming out. Don't really have much to say about it, but it's going to be way better. And we're going to be able to enter new markets that we weren't quite ready for. That all sounds fine, but not when you hear these stories about the smartphone market shrinking as much as it does. If you really want this phone, you're going to get it. And this might really speak to a lot of folks, but in a very crowded market, I think that's a tough sell. Here is where I think their strategy lies because I do agree. It is a tough market, but part of this interview also talked about Nothing's initial success. They opened a retail store in London. It's right next to a Supreme store in a very posh area. I'm told that's what the kids say over there. But the idea being that like, okay, we're linking, we're putting ourselves in cool areas. We're putting ourselves next to cool brands where people that might be more inclined to something that speaks aesthetically versus this has the latest Qualcomm Snapdragon 8 Gen Plus Gen 5, you know, SoC or whatever like that. 
People that are going to be attracted by that look and be like, okay, I'm, if I'm spending money on Supreme shirts or whatever, I might also spend money on electronics that speak to me more on a design level. I don't know how big that market is, right? But they talked about, Carl Pei was talking about expanding their retail presence, kind of with a similar strategy. And when we've been talking on this show about, you know, increasingly seeing phones as almost like retro fashion, right? We're talking about flip phones coming back because part of that is like the 90s millennial aesthetic. I think we can increasingly, or I think what Nothing is thinking about is that increasingly this is all within the milieu of fashion. Everyone has to have a phone, the same way you have to have a pair of shoes. And they're saying, why not? Why don't we just be the trendy one? David, to your point, I think Carl Pei would like nothing more to bundle in a bunch of software and services and make a whole bunch of money on that. But they have 400 people and their revenue is like what Apple sneezes out in the day and like an afternoon or something like that. But again, you know, when these marginal players come out and if they can differentiate themselves as being a, quote, luxury phone, I don't know, then possibly. But, you know, the big thing is the guts is Android, although it's going to be an alternative Android and the question is, does anyone believe them? It's going to be better than the current Android? I have no idea. Yeah. So, sadly, and I hate to give this response because we say it to our own guests. It's a total wait and see. Well, this is the total Nothing playbook. This is their hype playbook to every extent. They've done those every product where they dribble out some details. They get you excited talking about this. The particular thing that's interesting is the smartphone market is pretty cold right now. 
Basically, everyone is seeing shipments decline, even Apple with 50% market share. Even they are having to think about stuff right here when you're talking about a company that is going to have to fight for manufacturing space is going to have to fight, you know, for chip supply even and stuff like that. I also think the life cycle and phones are extending now like we saw with computers. You remember there was a period of time where you really had to get a new computer sometimes as early as every two years just because the chip processing power just became that much more that you could run software that you couldn't on your older machine. You're not seeing that the case with phones today being that, you know, the proliferation of 5G phones is huge. The processing power is off the charts. So it's really until you destroy the thing, do you need a new one? I think people are holding on to them longer. Well, I think to your point, Rich, about putting a store next to a Supreme Store, for example, anybody who's not familiar with that, it's like kind of a sneakerhead type thing like, oh, if you can afford it, you know, for like a cool sweatshirt or whatever, very cool. If Nothing can be that very cool niche market, they probably have some play here because I think for a lot of folks, myself included, it's like, well, that's the iPhone. It's super expensive. If you don't want to be in the Apple universe, then you're going to go somewhere else. But that's kind of the very expensive phone that you don't necessarily need. You could get by without, but you want it because there's some cachet there. Yeah. And let's not forget, Carl Pei has experience with OnePlus threading that needle of what specs matter to consumers, what specs don't. I feel like he can put together a convincing package, whether that design speaks long term to move them from a niche to anything bigger. Again, we'll have to see the phone till we can come in further. Alright, moving on to some machine learning. 
We've talked a lot about generative AI systems on the show as of late, but they've been mostly centered around text or image generation. Well, there's another medium that's seen a lot of investment and that is text to music generation. These systems aren't new. You might say, yeah, I've heard of them before and you wouldn't be wrong. Back in October, we talked about Harmonai's Dance Diffusion, OpenAI's Jukebox for example. And while technically they're impressive, neither seem to have achieved that human replacement level performance we're starting to see from systems like ChatGPT or Midjourney that get a lot of press. Yeah. And back in October, we kind of talked about Google's AI system called MusicLM. There hadn't been a lot out there, just some like samples of output, not any details about how it works. But, you know, we hadn't really seen a lot out of it, but Google researchers have released a longer paper now about MusicLM and samples of what the system is capable of, much more extensive. And it's kind of, I'm not going to lie, it's pretty impressive. Google trained it on 280,000 hours of music, where MusicLM stands out is its ability to generate longer cohesive works from a text prompt. Something like Dance Diffusion stitches together, generated music a few seconds in length at a time and it sounds like that. There's a lack of structure, even as you can pull out kind of distinct elements there. MusicLM can output several minutes of the time. Of course, that doesn't matter if it doesn't sound good, right? So, Joe, let's hear a little bit about what, or let's hear a little bit from MusicLM right now. That's the video game theme, I believe, that they put out there. I mean, these are impressive. It's better than what I could generate at home by myself, even though I have lots of tools. So Google published 30 second samples from complex text captions, such as the main soundtrack of an arcade game, fast paced beat, catchy electric guitar riff. 
The music is repetitive and easy to remember with unexpected sounds like cymbal crashes or drum rolls. Okay, I mean, AI can do this, right? The audio mostly fits the bill. It sounds mostly complete. I mean, unless you're some sort of music genius, which I am not. It also shared longer five minute generations based on short prompts like melodic techno that also seem to hold together. The audio can still sound a little compressed. Vocals are a little more of an idea than an actual voice, but I think we're getting somewhere. Yeah. However, don't expect to see MusicLM integrated into your favorite audio workstation any time soon. The researchers don't plan to release the model citing the, quote, risk of potential misappropriation of creative content associated to the use case, aka we talk to our lawyers. Part of this may be due to intellectual property concerns. The researchers found that about 1% of music generated directly replicated content from its training set. But Sarah, based on what you've heard, I mean, like if you could play with it, I mean, would you have some uses for this? 100%. In fact, it definitely depends on the song, but I am always in the morning, for example, if I'm trying to get ready for a DTNS. Sometimes I like music, but I don't need lyrics. Lyrics just, it makes it hard for me to write. You know, it's distracting. So something that I could kind of put together like, this is what I'm in the mood for. Here's some keywords. Just give me something, you know, for the next five to 10 minutes, or maybe a playlist or whatever. I'm down with that. I can see where artists, especially artists who say, huh, that sounds curiously like my latest effort would have a huge problem with this. And that just, I don't know, falls in line with writers saying, well, I, you know, I don't want ChatGPT to, you know, take over my job. And, and visual artists saying, well, you know, I don't want something like Midjourney to take over my job either. 
I think there are a lot of like, cool implications here. And a lot of people saying, ooh, but we're scared. What about us? Yeah, David, are we going to be like re-litigating the same AI data set battles for forever now? Well, this, this is, you know, and I think Google's response to this is kind of what I was thinking originally when this all came about is that, you know, we've seen all these sort of litigations in the past where one lesser known musical act goes after a bigger musical act because they lifted some riff from a song of theirs. And you, you see the court case where they play their riff and then they play the better musical or the more well-known musical act's riff. And, you know, they're trying to get some money out of this company stealing from them. But it's very clear that this AI, that's what it's designed to do is pull samples from a lot of locations, which is what artists do without AI often. And so this is, this is just asking for trouble in the market. But to people who need music, the desire for royalty free music is sky high. And this would be desirable. I know. I mean, there's definitely demand for it. Well, while we're not seeing Music ML right now or LM, excuse me right now, Google did release the MusicCaps data set, which is a high quality music caption data set, basically to support for the research of one of the problems with doing music is captioning is really hard. Like when you have a two minute work, how do you caption that like succinctly as opposed to a static image? A lot easier to do that than it is to caption music. So while we might not see Google's product out there anytime soon, that might provide the data sets researchers need to, you know, use it in other fields as well. Well, if you have a thought about anything we talk about on the show, it could be about AI music, it could be about anything else. We would like to hear your thoughts. Email us at feedback at dailytechnewshow.com. 
You know, when you pop open the RSS reader and you click on your cybersecurity news, it's easy to think the situation only gets worse. It seems like we've been numb to seeing things like data leaks and breaches. You see like 10 million, you know, people's data leaked. You're just you don't even react to it anymore. But even in this jaded security landscape, the rise of ransomware as a major threat in recent years has been kind of hard to ignore. Yeah, over the past, let's say five years, we've seen the volume and the value of ransomware attacks explode. It might be conventional wisdom to just say, don't pay the ransom, because why would you that only encourages more ransomware? But the reality is a lot of companies do that because they want the problem to go away. Analysts data of cryptocurrency transactions show that ransomware payments increased from about 43 million back in 2018 to 766 million in 2021. These attacks seem to come from all sorts of actors, some ransomware as a service becoming a business model for organized cyber criminals. Which is why a recent report from Chainalysis caught our eye. It found that in 2022, ransomware payments decreased on the year. And not just like a little bit or it stayed, you know, kind of flat just down like technically down 40% to 457 million dollars. That's still about 10 times the ransoms paid in like 2017-2018, so up still historically, but you know, definitely down on the year in a big way. That was followed by news last week that the US FBI and Europol coordinated to take down infrastructure of the Hive ransomware organization infiltrating their organization and basically alerting victims, leaking decryption keys, that kind of stuff. So David, you know, are we figuring out ransomware? We have like two kind of good ransomware story news out there which, you know, you know, this seems pretty rare. Or should we maybe hold off on rolling out the mission accomplished banner? 
I think we definitely have to hold off on rolling out the mission accomplished banner. That's for sure. No, you know, the reason we're seeing a decrease is I think mostly because this is on high alert for most businesses, ransomware, and on top of it, the number of cybersecurity vendors that are out there that are helping deal with this problem has exploded in the last few years. So you have companies paying greater attention and addressing the problem front end. The story of though taking down Hive or essentially hacking the hackers is really quite impressive in that the essentially the law enforcement did what we've always wanted them to do, and that is essentially cut off the ransomware companies at their knees. The thing about with ransomware that is astonishing to me is it is extremely low risk to get caught, unbelievably low risk to get caught, and the payout is enormous. I can't speak to any other crime that has those two extremes, which is what a criminal wants, something low risk of getting caught and enormous return, and ransomware has it. That's why it's been so damn popular and we see so much of it. And with ransomware as a service, which is what Hive is, technically anyone with zero skill whatsoever, just low morals, can issue ransomware. And the other aspect of this that's interesting with kind of the takedown stuff is I feel like we're also beginning to understand, kind of like understanding how the mob works or the organization of the mob works. Like we've seen with leaks from like the Conti ransomware group where there was the split between the, you know, kind of pro Russian and pro Ukrainian aspects of that ransomware group. We got so much internal detail about how these organizations work and really, you know, we call them ransomware gangs or organizations and stuff like that. 
They're really it really seems like business operations like when you're digging into the emails of these organizations, and I feel like that as we increase that knowledge base, it becomes easier. I mean, again, hacking back the shoe is on the other foot of, they're an organization, they have the same kind of weak points that any other organizations where it comes to phishing when it comes to, you know, humans being you know, kind of your least reliable chain in your security protocols. So I feel like as we come to understand these organizations more as organizations, it may be more common to see this. The bigger question though is security you know always has the saying it's a cat and mouse game as soon as you adapt to one thing, they're going to change how they operate they're going to become more dispersed or they're going to start using more anonymous messaging or something like that to defeat this. Is this just a temporary blip of we figured out at this moment how to successfully, you know, stop one. It could very well be just that, but I think what's interesting is from this event the FBI and the DOJ has a playbook on how to do this so at this very moment, while similar attacks are going on and ransomware is pretty standard and how it's dealt with. They could be talking to other agencies and give them the current playbook to show what exactly they did which hopefully this what we'd love to see is copycat examples of what just happened where their formula actually works for others as well. Now, to your point of cat and mouse. Yes, they are always looking for something different and because of ransomware and being so lucrative and so it's a low risk that I don't think it's going away anytime soon. Yeah, and I remember Nvidia made some headlines, maybe a year or two ago that they were trying to hack back some people that had stolen some stuff. And I don't think we're going to see private companies doing that. That's a dangerous. 
That's an extremely dangerous game. This was a law enforcement agency that did it. And we talked about this. The big reason you don't want to hack back one is it's illegal. But to the other issue because I mean breaking into other people's systems, but to the issue is you do not know the can of worms you may be unloading here. You don't know who's backing these attackers. It could be a nation state. You could be getting yourself into something that you have no capability to deal with and that is those are the two big reasons you don't do it. Well, something that many of us do have capabilities with are calculators. They have changed over time, but the Internet Archive has a new collection called the Calculator Drawer with 14 calculators to choose from. This includes the HP 48GX, the TI-82, TI-83 Plus, even the Electronic Number Muncher. And if you're like, what is that one? It was a toy calculator. Some people might remember back from the 1980s. However, Internet Archive is going a step past emulation by incorporating each calculator's physical design and also buttons. So using one feels as it's kind of almost the real thing, even though it's really an emulator. The Internet Archive used the MAME artwork system, which is a branch of the open source framework that recreates classic games, classic arcade games on various systems. It can render an emulated device a couple different ways. If it needs additional drawing to, for example, augment the part of itself that's reflecting the screen or lights of the device. If this sounds cool, but you say, oh gosh, I need a refresher on some of these machines. Well, the Internet Archive has thought about you and uploaded a collection of original user manuals as well. I definitely needed the refresher. I was trying to like graph a parabola and I couldn't land on like my TI-86 or 89, I remember. And I couldn't. I was just like, I'm totally lost. 
I needed the manual, but it did make me want to load up some of my favorite side loaded games on those, play some illicit substance wars once again. David, do you have nostalgia for old calculators? You know, I did have one of those. I can't remember the model number, but I did have one of those HPs where you didn't type one number plus another, then type equals. It was some like reverse logic that you had to do to actually get the thing to calculate basic math. But I remember I did need it because I remember taking certain finance and stats classes in college that I did need the calculator. But that calculator is long gone now. Who knows where it is? Well, Internet Archive has made, you know, your new life possible. All right. In the mailbag, Michael wrote in about our coverage of the LastPass breach from December, which we talked about in December, what we've talked about it since, as we've known more information. Michael says, learning that LastPass was storing anything at all in plain text, like the URLs for password entries. That is the most incredibly damning thing for a company that was selling security and making all these claims about how zero knowledge they are. They should not be technically capable of getting unencrypted data from our vault entries in the first place. That is the 100% unforgivable thing here. Michael says, well, so I bailed. I took a week changing all my passwords, storing the new ones in something called KeePass, that's K-E-E Pass. And now I'm using Syncthing to keep all my devices in sync without making use of cloud storage for my password file. After three weeks of the setup, I can say that KeePassDX on Android actually works better than the LastPass app. So the fact that I'm having a better user experience and at the same time avoiding a subscription fee and increasing my security, is an absolute win-win. Yeah. I mean, that's a good arrangement for Michael. 
It makes me sad because I know I've recommended LastPass to people before, and I can't ask them to do all that. That's not what my mom's doing. I mean, I'm still using LastPass, even though I understand that changing passwords, especially for the accounts that I care most about and I feel would be the most vulnerable, so that is time consuming, but not difficult, but time consuming. The problem is, many of these programs are forcing you to save it in their cloud. There is actually a way, and I've done it before, is that you don't actually subscribe to the service if it allows you on the one, but you save your own backup of the thing. So there is a sync, but your own private backup, not to their cloud backup, because your private backup, all they have, what they would have to do is specifically target you versus if they target the whole organization and they get everybody. So that's more valid, and that's the concern of these large password management things. But again, if they're all hashed, it shouldn't be a major issue, but we did have a guest who went through the process of changing all his hundreds of passwords, and it was a multi-hour project. Indeed. Yeah. I am not done with mine. That's for sure. Especially when it's like, you have a compromised password, and I'm like, really? I feel like I changed this, like, somewhat recently. Okay. Change it again. I'll do what I have to do. Always getting pwned. Always getting pwned. Well, you know who isn't getting pwned? That's David Spark. Thanks for being with us today, David. Don't put a target on my back. No, you're never going to get pwned, because you're good at what you do. Never. Internet. You've heard it before. All right. Knock on wood, everybody. Knock on wood. But David, always a pleasure. Let folks know where they can keep up with what your latest is. Yeah. 
If you're a security professional, want to be a security professional, love to learn about security, and you want to hear more of Rich Stroffolino and myself for that matter, then you should head over to CISOseries.com. That's CISOseries.com. We have five shows on our network. Rich hosts one of them, the headline show, and he also does our Week in Review as well. And then we have a super fun show on Fridays called Super Cyber Friday. Just go to the events page on there, and you can find all of our live shows, including the one with Rich on it as well. Well, we're so happy to have you with us, because you're obviously a very busy person. So thank you again. Also thanks to our brand new bosses. We got some over the weekend. We have Michael and Adam just started backing us on Patreon. Thank you, Michael. Thank you, Adam. And thank you to whoever is our next patron tomorrow. You refer to your Patreon members as your bosses. So did they push you around? Yeah. I mean, we're doing the show for them, right? I'm wearing all this flair for them. Come on. We are merely cogs in the machine. The best bosses, we should say. The best bosses. Indeed. More bosses, more better. Speaking of patrons, do stick around for our extended show, Good Day Internet, which rolls right in if you're listening to the live version or if you're a patron of DTNS. You can also catch this show. This show here, Monday through Friday at 4pm Eastern. That's 2100 UTC. It is live Monday through Friday. If you need more information, check out dailytechnewshow.com slash live. We're back tomorrow talking about the Haikubox. That's the bird song ID tool. Do you know about it? If not, Dr. Niki Ackermans is going to tell you more. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com.