Coming up on DTNS: how a wonky European privacy decision affects US companies and you, cloud gaming services are loss leaders, and what that big attack on Twitter Wednesday means.

This is the Daily Tech News for Thursday, July 16th, 2020. In Los Angeles, I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. From Lake Merritt, I'm Justin Robert Young. That's Roger Chang, the show's producer. We were just talking about the NBA bubble, we were talking about saving a goose, and we're talking a little bit about this Twitter story. Get the wider conversation on our expanded show, Good Day Internet. Become a member at patreon.com/DTNS.

Let's start with a few tech things you should know.

Facebook began rolling out Instagram Shop in the US, a place to shop from the Instagram Explore tab. Instagram Shop features personalized products from brands and creators as well as curated collections from Instagram's @shop account. The company plans to eventually replace the Activity tab with the Shop tab, and users can check out using Facebook Pay.

Facebook also announced that it will add a label to all posts from US presidential candidates and federally elected officials that mention voting or ballots. These labels do not indicate the accuracy of the post's information, and will provide links to official government websites on voting for the most up-to-date information. When in doubt, label everything.

Xiaomi announced an international version of its low-cost Mi Band wearable, the first time the device will be officially sold outside China. The Mi Smart Band 5 supports activity tracking for 11 exercise modes, with heart rate, sleep and stress monitoring and menstrual cycle tracking. It offers magnetic charging, a claimed 14-day battery life and water resistance up to 50 meters. Compared to the China-exclusive Mi Band 5, the international version does not include NFC or the XiaoAI virtual assistant. Pricing and release dates were not announced.

Scener, makers of a video co-watching Chrome plugin, announced that
Scener now supports Amazon Prime Video, Disney Plus, the premium version of Hulu, Vimeo and Funimation. The plugin launched with support for Netflix and HBO Max. The company is also working with San Diego Comic-Con to host streams of films and anime during the event with a live community chat.

Amazon added 38 live TV channels to Amazon Prime Video in Germany. This includes 28 HD channels and access to public broadcasters ARD and ZDF. The channels are part of the standard Prime Video package at no additional cost to you, the good German subscriber. That's what they were up to.

Google confirmed what we saw in leaked slides: a deeper integration of Gmail, Chat, Meet and Rooms, coming to web and mobile. The update will first roll out to customers in the G Suite early adopter program.

The chipmaker TSMC confirmed that as of May 15th it suspended new orders from Huawei to comply with US export regulations, and will ship out any existing wafers ordered by September 14th. TSMC chairman Mark Liu said that the company is working closely with other clients to fill up its unused capacity and anticipates that TSMC will still achieve 20% revenue growth this year based on demand for 5G smartphones, infrastructure and high-performance computing applications.
Oh, it might have been a nice day for Twitter today if not for the devastating social engineering attack we will talk about later. Twitter announced a new pop-up, messenger-box-style interface for DMs on Tuesday, and on Wednesday it announced that the Twitter API v2, the first rebuild of the API since 2012, will add missing features like conversation threading, poll results, pinned tweets and spam filtering, and is designed to let Twitter add new functionality to the API so much faster. Platform access will also be revised into new pricing and access tiers.

And you got a little breaking news right before the show, because today Netflix announced that it has named chief content officer Ted Sarandos co-CEO. Sarandos will continue to head content. CEO Reed Hastings said, quote, "This change makes formal what was already informal, that Ted and I share the leadership of Netflix," end quote. Netflix also named its chief product officer as chief operating officer. The company also announced it added 10 million net new global subscribers, beating expectations.

Co-CEOs never go wrong. Ask BlackBerry.

All right, let's talk a little more about what would probably have been the main story today on any other day. The EU and the US have had a back-and-forth on agreements to make it easy to let US companies transfer data from the EU to their US operations while still following EU privacy rules. We're talking about companies like Facebook storing EU user data in US data centers, for instance. This is not about keeping EU data separate from any US jurisdiction, or it is, rather.
It's not about sending emails and stuff. This is Facebook saying, hey, we have a data center over in the US, so we want to store some EU data there, and the EU had this agreement that allowed that to happen. Well, a previous agreement was struck down in 2015 and replaced with a new one called the EU-US Privacy Shield. So back in 2015 we talked about that; we talked about the Privacy Shield on DTNS going into place and how that just made things a lot easier, lowered costs, lowered compliance issues.

Well, that one's gone now. The European Court of Justice found that the primacy of US national security, public interest and law enforcement in Privacy Shield, in other words, Privacy Shield said, well, the US still has those as their prime factors, interfered with the ability to protect EU citizens' privacy rights, and the process to handle EU citizen complaints was not sufficient. This was a lawsuit brought by Max Schrems, and he won, partly because the data capture powers allowed by Section 702 of the US's Foreign Intelligence Surveillance Act and US Executive Order 12333 sanctioned bulk collection that's specifically just not allowed under EU law, and the court said, look, this agreement can't work if those FISA act and executive orders are in place.

So the ruling means companies now no longer have blanket coverage and will have to rely on something called a standard contractual clause. Businesses in non-US countries already use these SCCs, as they're called. Some US companies like Microsoft already use them as well, just to give themselves a little redundant coverage. The court has previously chosen not to abolish SCCs, and in this decision
they said we're not getting rid of SCCs. But the court warned that data protection agencies in European countries could suspend the SCC protection if they are found not to protect EU data. So the court said, look, we don't think US law can protect EU data. We don't think we have the jurisdiction to overturn these SCCs; that's the data protection agencies. But they essentially said go complain to your data protection agency in your local country about this, and you'll probably get a result. So this isn't over yet, because US law could be seen to override the protections in the SCCs, which would mean companies who use them would be in breach of European law by relying on them.

The upshot here is either the US would have to change its law to make it easier to have an agreement with the EU, or US companies would have to start keeping EU user data in the EU.

Big and small companies, right? So not all companies are gonna find that easy to do.

Yeah, and these are part of what you have to deal with when you play in the EU. They are going to make these kinds of rules, and on the US side you've got to figure out a way to make things compatible, and it shows you exactly how difficult that is.

Well, sticking with the EU for a minute, the European Commission announced the launch of an antitrust probe into voice assistants and the Internet of Things. According to EU competition commissioner Margrethe Vestager, voice assistants, quote, "collect a vast amount of data about our habits, and there's a risk that big companies could misuse the data collected through such devices to cement their position in the market against the challenges of competition," end quote. The probe would also look at fitness trackers, connected fridges, washing machines, smart TVs and lighting. A preliminary report is planned for spring 2021, with final conclusions by summer of 2022.

You know, one of the things that strikes me about this is it's a little bit of a preemptive strike. They're not saying
that it is an anti-competitive market. They want to stop it from becoming an anti-competitive market. So they're trying to get ahead of this one.

Yeah, and it's interesting because the Internet of Things and the voice assistant market has apparently become enough of an established player, enough of a consumer category, that they feel that they need to do it, because before it was kind of a curiosity and a hobby, really, you know, up until this point.

Yeah, it's the entry into the smart home. So looking at the Internet of Things in conjunction with it makes sense. And it is a way for Europe to say, look, we don't want walled gardens that cause Amazon or Google to become predominant in this market the way we let them, in their opinion, become predominant in browsers and search.

Yeah, there we go, the wandering EU policeman allowing for such horrors to be unleashed upon the world. How dare we question the burden on their shoulders?

Hey, instead of talking about the EU, Justin?
Let's talk about the UK. Let's do it. Finally, a non-European country.

A warning published by the UK's National Cyber Security Centre, Canada's Communications Security Establishment, the US Department of Homeland Security and Cybersecurity and Infrastructure Security Agency, enough security for you? Wait, we have one more: the US National Security Agency, boom, says attackers have been targeting organizations working on a COVID-19 vaccine in the UK, US and Canada. The statement says the attacks may originate with a Russian organization, but that is not certain. The warning also says access to networks was gained through phishing attacks, and then the WellMess and WellMail malware was installed. Vaccine research itself is not secret and is published in scientific journals; attackers could benefit, however, from gaining access to details of manufacturing and supply agreements. The report did not identify which organizations were targeted or what, if any, information was accessed. It did say research has not been hindered.

Yeah, I mean, I think we can probably guess who it was. As we mentioned yesterday, Oxford University, working with AstraZeneca in the UK, and the UK made this announcement on behalf of the other security agencies. So, you know, you connect the dots. They're pointing the finger at Russia, but they're only saying they're almost certain, not that they are certain. This could be China, could be North Korea, could be Iran, could be somebody else. But they are definitely sure, and this is what I want people to take away from this: they're definitely sure that social engineering happened, phishing attacks happened, malware was installed and data was accessed. They said it did not hinder the research, but again, the research is all public data. What they don't say is whether they got those details of manufacturing and supply agreements, which could be incredibly lucrative as corporate espionage for whoever accessed them.

And let's also understand where we are right now with a vaccine. You have many countries up,
including the United States, that are spending a lot of money out of government coffers to work with a lot of these private companies that are literally producing vaccines that are still in trial right now. If you've heard about the government's Operation Warp Speed, effectively what that means is that by phase 2, if it looks promising, you're producing it, so that by the time phase 3 is done and it seems safe, you're not starting the months-long lead time to produce a vaccine, because obviously COVID-19 has affected the world so tremendously. So this is not something that is a down-the-road thing. This is a massive, likely multibillion-dollar business that is going to come with straight checks from the richest countries in the world.

Yeah. So these were cyber attacks meant to make money, to be able to figure out how to get in on some of that cash. They were not meant to stop the vaccines. In fact, quite the opposite: they want those vaccines to get out there so they can use that manufacturing and data that they found to cash in.

Yeah, this is a once-in-a-generation train heist in terms of corporate espionage, because it is rolling now and nobody knows how long it's going to continue to be a target.

Sarah, let's talk about something that doesn't involve any of this. Gaming.

Okay. Microsoft's Project xCloud game streaming service will arrive in September as a free add-on for people who pay for Xbox Game Pass Ultimate. Microsoft's Xbox chief Phil Spencer says that Project xCloud will eventually be available separately from Xbox Game Pass Ultimate. Protocol's Janko Roettgers passes along the salient observation from Moor Insights & Strategy analyst Anshel Sag that most of these cloud services can be seen as loss leaders. Nvidia's GeForce Now encourages cloud gaming as an industry; it sells more GPUs to cloud services. Stadia shows off technology that can be sold to the video game industry through Google Cloud, and the same goes for Microsoft, which can
sell xCloud functionality through Azure.

Yeah, I thought this was a really good piece by Janko over at Protocol, and of course passing along insights from Anshel Sag, which are really good too. This explains a lot. If people are like, they'll get rid of Stadia. No, they won't. Stadia is their demo car. It's their model home. It's the thing that they're using. It doesn't matter if people even use it as long as it works. Then they can use it to show other companies who want to create their own video game streaming services. Of course Microsoft, I think it's well known, doesn't do anything if it doesn't make money through Azure these days. That's not exactly true, but it's almost true. So it makes perfect sense that xCloud would be part of that, and that's why they feel comfortable just bundling it in with Ultimate. Like Phil Spencer said, eventually they'll sell it on its own too, and they would like to make money off of it, but it is just as valuable as a demonstration of what Azure can do for Microsoft, the way Stadia is valuable as a demonstration of what Google Cloud can do, the way GeForce Now is a way to encourage people to tune their games for ray tracing and other things that will allow Nvidia to go sell more GPUs.

Imagine when we all get 6G what this life would look like, you know.

I'll tell you, I would only push back on one thing. I think the name Stadia could go away. Sure, but the concept of...

How do you hate Stadia? Oh, no, no, no, I'm not saying I hate Stadia. I'm saying that the name.
Oh, who knows, because Google might want to rebrand it, or somebody else. They might have a partner come in that wants to buy the bones of it or license the bones of it and call it something else. Google wants to sell server space, Azure wants to sell server space, AWS wants to sell server space. This is the concrete of our modern age, and they want to show you all the amazing things you can do with it.

Yeah, yeah, you don't sell concrete by rolling up a concrete truck. You build stuff with concrete and show what you can do with it. Yeah.

Hey folks, if you want to get all the tech headlines each day in about five minutes, be sure to subscribe to dailytechheadlines.com.

All right, let's talk about the Twitter stuff. It started during yesterday's Daily Tech News Show, and high-profile accounts like Elon Musk, Bill Gates, Uber, Apple, President Obama, among many others, all posted a weird encouragement to send them Bitcoin. At first I thought, okay, this is just some hacks, some clever hacks into high-profile accounts. It happens. Well, it was bigger than that. The posts were removed but kept popping back, sometimes on the same account, sometimes on other accounts, to the point that Twitter eventually took the scorched-earth policy of stopping the ability for all verified accounts to post, in order to make sure that the attackers wouldn't be able to post to the most high-profile accounts.
They just shut them all down. Twitter says it has no evidence the attackers accessed passwords. It did not believe that you need to reset your password, necessarily. However, out of an abundance of caution, Twitter did lock accounts that had attempted to change the account's password during the past 30 days, and it's working to help people with locked accounts regain access. But they're being very careful about who they give that access to, rightly so. Twitter says it believes this was a, quote, "coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

Yeah, so, right, not an inside job, according to Twitter, and they're implying that this was social engineering. It wasn't done on purpose. They think somebody tricked an employee into granting the access. That's the way it reads to me. See last Monday's episode on social engineering. It can happen to anybody. Scoff at your risk.

A source, however, told Motherboard, quote, "We used a rep that literally done all the work for us," and a second source claimed the attackers paid a Twitter insider for the access. Now, that raised a lot of eyebrows. We don't have confirmation. It could just be the attackers spouting off to cause controversy.
We don't know. Motherboard also showed redacted screenshots of a Twitter admin panel which showed account details, the ability to add an email and phone number to an account, as well as whether the account was suspended or protected. That ability to add an email and phone number is probably how this attack was carried out. Twitter said the access was used to take control of accounts. That implies it was not using an internal tool to post to Twitter accounts, that Twitter employees didn't have that, but that the tool was used to grant access, likely by resetting passwords and email addresses. That's also backed up by what the sources told Motherboard, and that can be automated. That can be done rapidly when properly scripted, especially if you have access to the tools used to do account recovery and resets.

Now, hacker Lucky225 has legitimate control of deceased hacker Adrian Lamo's account. He did an interview with Ars Technica that I found very interesting. He received a password reset code 90 minutes before the first public signs of the breach. He did not enter it, but shortly after got an app notification of a new device logging into the account. Lucky225 then regained control using the phone number, so he pulled it away from the attackers, but later that evening got a notification that his two-factor authentication had been turned off, which could be related to Twitter managing compromised accounts and turning off passwords and access.

Twitter's still investigating how long the attackers had access. We know they had it at least 90 minutes before the attack showed up at 1 p.m. Pacific yesterday. They could have had it longer. What other information did they obtain, and what else might they have done while they had access to the dashboard?
Were they just having fun posting to high-profile accounts about Bitcoin, trying to make some money? That's what the FBI says. Or were they gathering information from direct messages?

Now, yeah, Twitter says it has taken significant steps to limit access to internal systems.

Well, so, like, today they said that, yes. So in other words, here's how I imagine it: there's a team of, let's say, six on the community team that has access to this, to look at suspended accounts, help recover if somebody's like, hey, I got locked out, somebody hacked my account. They can reset passwords for somebody or change email addresses in this tool, and today Twitter said there's one person who has access to that tool. We locked everybody else out so that we know how to control access. That's probably what that means.

There were a lot of questions yesterday. I mean, this all kind of broke at the end of yesterday's DTNS, and, you know, the whole sort of, like, oh, if you have a blue check mark and you're verified you can't tweet anymore. I tweeted, but I also use a third-party app, and I immediately deleted the tweet because it was just a test kind of thing. But there were a lot of other people in my timeline doing the same thing, like, what is happening right now? Are we out? Are we in? What's going on? The whole idea of, you know, somebody gaining access and then two-factor being turned off for somebody who had legitimate control of someone's account is interesting. The situation as of now seems like it's under control. But yeah, what was the social engineering, the thing that got somebody to give over credentials to have a hack of this magnitude? Because, as you mentioned, Tom, we talked about this in our security week last week. This happens all the time, and very smart people sometimes are fooled, and that's what this sounds like. Well, all right.
So let's just, real quick, reset for everybody. If you're thinking about this from the way that we normally think about exploited accounts, where somebody gets a password, or like a phishing to the user, this is not that. This was something where the call was coming from the inside. Somebody got access to Twitter's internal panel. So a lot of the conversation of, well, how did they bypass two-factor authentication? This is how: they write the rules inside of Twitter.

And so the scenario would go: someone got access to this internal admin tool that lets you change passwords, reset passwords and change email addresses. Yes. You go in, once you have access to that tool, you add an email address, and that's under your control. You say reset the password. You never have to see the password, but now you get the password reset email at the email you added, and now you can get into that. You own that account. You can do whatever you want to it, and you can see all the data there.

So I think that is a big question here, but Tom, let's get into the who, how and why of it all, right?
So this happened to Twitter in January 2009. That time it was unforgivable. It was a brute-force attack on an admin password that was "happiness". The password was "happiness". It was a dictionary attack that allowed posts from President-elect Obama's account and Fox News. So it was just as bad in its effectiveness as today. This is not the first time it's happened, and it hasn't caused mass controversy. It happened again in April 2009, a mere three months later. That time it was by accessing an employee's email account, where they had stored their admin password in plain text. It was a more secure password, but once they were in the employee's email account they were able to get the plain text. Well, Twitter has improved its security since then. It settled an FTC case for those breaches in 2010. There is, of course, the case of the US Department of Justice saying that in 2015 Twitter employees were talked into looking up personal information and passing it to the government of Saudi Arabia, but that wasn't giving access to a tool; that was passing along information. And in 2017 a Twitter employee inadvertently deleted the account of President Trump for 11 minutes. That's definitely user error, not a breach.

So what we're talking about here is something where I believe if someone had gone in yesterday morning and said, please look at our admin panel security, we have two-factor authentication, we have strong passwords, what do you think they would have said? These seem to be reasonable protections.
That's the thing with social engineering. Social engineering is very difficult to protect against, because you have to put the firewall in someone's mind. They have to not be susceptible to accidentally giving access, either by some kind of phishing attack where they click on something, or being fooled into telling someone some information that lets them get into the account, or being taken to a website. We talked about the website from Microsoft last week, where it looked like you were logging into Microsoft, because you were, but you had got there in a way that could take the token that was set when you logged into Microsoft and be able to use that to log in later. That is absolutely a way this could have been done. You trick someone into logging into their admin panel through a particular link that looked like it was coming from inside Twitter, you get their token, and then you're able to log in, bypassing 2FA and everything. It's a hard attack. It's not easy. That's why you don't see it all the time.

So you don't seem to buy much into the idea that this could be a bribe or a payoff or an inside man?

It would be easier to do that attack if you could get somebody to do it. It's harder to get someone to risk that to get that kind of payment. I don't know. These guys were obviously trying to collect money on Bitcoin. Maybe they thought they could use that, you know, give them a cut of that. It's not impossible. It seems less likely than just social engineering, which is more common in relative terms. It's more common for someone to get tricked into giving access than to agree to be paid. It is harder to find that kind of confederate on the inside.

Yeah, that being said, I will say this. There was an open letter from Senator Josh Hawley, who, by the way, the most dangerous place in
cyberspace is between Josh Hawley and a trending topic. He loves jumping on this kind of stuff, and indeed he did yesterday. I do think, though, that, number one, we probably have not seen the last of some of the possibly salacious elements of these leaks, of this breach, considering that these people likely had access to the DMs of very high-profile accounts. And I think that there is going to be a larger conversation, and possibly one that the government will look to lead on, knowing Congress's ability to find limelight, about who exactly has access to this and why they needed to severely restrict it, as they said today, compared to yesterday.

I fully expect that to happen. I fully expect Twitter to be able to answer all those sufficiently. I may be wrong. We may find out that Twitter dropped the ball in this. I wouldn't be shocked. But I expect Twitter will say, no, we went through industry-standard procedures. You have to have these kinds of functions to operate a website. We had them with limited people. We just, you know, poor Pat just got fooled, and Pat feels horrible about it. That's actually what I expect to happen here; that's going to be the outcome of this. The question is, what do you do with that? And I'm very curious what the method of social engineering was. I'm very curious what else they accessed, because I don't believe the Bitcoin thing was their main purpose here. I think it was an expedition to find information that is private information in the DMs of the people they were accessing. We don't know. All we know is there's an Instagram account from Anthony alias, aka and alias, claiming responsibility, saying there was a charity attack, etc. But that really doesn't tell us anything.
No. Well, you know who does tell us a lot of stuff? People who participate in our subreddit. You can submit stories and vote on them at dailytechnewsshow.reddit.com. Also, Nate Lanxon, in our Thing of the Day, shows how a five-dollar loot pack turned into a bit of a bonanza for him.

You guys, this week I was accidentally given about $20,000 worth of in-app credits in a free-to-play game made by Gameloft, after the company mistakenly put hundreds of times the amount of credits in a new loot box than it meant to. The five-dollar packs were only on sale for a matter of minutes before they were pulled, but I got lucky and managed to buy a few, and you can hear how this happened and what I learned about loot box economies as a result of this on my show, Tech's Message. You can go to uktechshow.com and look for episode 212, or search Tech's Message, that's T-E-C-H apostrophe S message, wherever you get your podcasts, as episode 212. Back to you, guys.

By the way, I'll throw in that if you are a patron of Tech's Message and you get their extra message, Nate goes on to explain later in the week how they reset his balance and now he owes coins because he took advantage of this. So, kind of an interesting solution to that. Go check it out.

Speaking of patrons, thank you to our patrons at our master and grandmaster levels, including Mark Gibson, Dr. Carmine and Bailey, and Mike McLaughlin. Also special thanks to Justin Robert Young for being with us today. How's your week been, man?

You want to know what? My week was made so much better because I got a text message from Tom Merritt on Saturday wherein he did a full segment of the Politics Politics Politics show, which I summarily ignored because I was doing other things and I forgot to look back at it. It got filed in my brain and then it got lost. Tom then texted me again 48 hours later to remind me that he had done my job for me, and I checked it out.
It was amazing. It's in this Wednesday's edition of Politics Politics Politics, but it is every bit of awesomeness that you get from Tom in terms of his research abilities on tech. This time it is about the history of universal basic income, and if all you've ever heard about it is from the mouth of Andrew Yang, obviously a very big contemporary advocate, then you might not know the story of how it almost came to be at the hands of Richard Nixon.

It was fun. I just went down a rabbit hole and I recorded this thing for Justin, and he used it in the show, which is nice of him. Thank you.

It is nice of you to do my job and do better than I can, so please go check it out. I thought it was great. I think the whole episode is actually really worth listening to, but yeah, go ahead and check it out. It is Wednesday's edition, the July 15th edition, of the Politics Politics Politics program.

Hey folks, we want to thank you for supporting us on Patreon, and in these times, man, I am more thankful for patrons than ever before. At the beginning of all of this lockdown stuff in March, I was fairly concerned about what was gonna happen to direct-supported stuff. I am very pleased to say that direct-supported stuff seems to be weathering this a lot better, because you all value it. You get value and you give value back, and I thank you for that, everybody who supports us at patreon.com/DTNS.

Our email address is feedback@dailytechnewsshow.com. If you'd like to join us live, we'd love to have you, Monday through Friday at 4:30 p.m. Eastern, 20:30 UTC. Find out more at dailytechnewsshow.com/live. Back tomorrow with Rob Dunewood. Len Peralta will be here drawing as well. Talk to you then.

This show is part of the Frogpants network. Get more at frogpants.com.

I'm in the club. Hope you have enjoyed this, bro.