I did the sketches. I did the- Wait, did you or did you not create them? I did, I did not do the sculpting on them. What I did was, that was Frank Ippolito and his crew. What I did was do the concept sketches that were given over to Blizzard for approval. So you could, you know, what they were gonna look like, what they were gonna wear, how the actual suit would work. It was pretty cool. And then the best part though was that there was like a little sound chip in it that makes the Murloc sound, which was great. I love the Murloc sound. Oh, oh, oh, oh, oh, oh, oh. What if they just had a very dry, hacky voice? Hi! Yeah. Like in reality, that's what a real Murloc sounds like. Breathing in all that- Hi, wait. Swamp water every day. What are you, how do you come to sound like? Yeah, that was pretty cool. I mean, it was cool to actually see it come to life because I had done a couple different drawings. I wish I would have seen them in person. And I was there so briefly. Yeah, me too, I would have loved to have seen them. They were just kind of walking around. A lot of people thought that they were just fans who were dressed up as Murlocs. That's how good cosplayers are these days. Yeah, well, apparently a lot of these effects companies are being asked to create things that are cosplay friendly for that very reason so that they can see their brand out there at the show. It's almost like going into building a character for an entertainment medium. You have to have cosplay in mind, similar to how Disney has to think about the potential ride before they make the movie, right? Right, which explains why. Darren, Mr. Pineapple would be like your first. Oh, geez, I'd love to be able to do that. I'll create Mr. Pineapple for you, Darren. You should have Mr. Link to that. You know what a Dole Whip is, right, Darren? Oh, I know what a, I am a fan of the Magic Kingdom. Let me tell you, I can't go, I can't not go to the tiki, tiki, tiki, tiki, tiki room.
And you have a Dole Whip. You just make a Mr. Pineapple, but it's like, you know, that's a Dole Whip inside. You pop the top off. It's funny that you should mention that the original Wi-Fi Pineapple came in a plastic pineapple case with the antenna sticking out the straw hole. Nice. Yeah. Hence the name. Hence the, actually, Jim Louderback named the Wi-Fi Pineapple, but that's after-show material. Did he really? He actually did it. I was going to call it the grenade, but he alluded to it in a blog post when Hak5 was joining Rev3 and called it, tune into Hak5. I hear it has something to do with the pineapple. Last minute, 11th hour, I go, oh, that sounds way better than the Wi-Fi grenade. Yeah, yeah. Very nice. Which is interesting, because grenade is the French word. Yeah. Yeah. Well, hence the, hence the Louderbackian. I love J. Lowe. I wonder what he's up to now. J. Lowe. Jim Louderback. He loves being called back. I understand. He's a mover and a shaker in the conference scene these days. All right, let's get rolling here. You guys ready to rock? Let's do a podcast. Yeah. I'm feeling chipper. I'm going to give a SarcMark warning for you. Oh, no, no, no, no, no, no, no, no, no. I, I, I calm down around line 15. Okay, good. Reel it back in. Here we go. This is the Daily Tech News for Friday, November 18th, 2016. I'm Tom Merritt. Joining me today, Darren Kitchen is back alongside. How you doing, DK? So happy to be here, Tom. That's good. I'm glad. No. We missed you. Yeah. We've got some good news. We've got some bad news. We've got, we've got some. We've got some things you can use. Good news, bad news and things you can use. There you go. What's up, bro? All coming up. And of course, Len Peralta is back as well. We missed you last week. Yes, the. The eminently illustratable, or not last week, but two weeks ago, the, we had a, had a, like, a Lego Dimensions story on a Friday. I know. I know. I feel so bad I couldn't do that.
Today we've given you fake data breaches to illustrate. That's awesome. Well, I'm, I'm up for it. You know, the last time I was here was at the end of October, which since then it's like the world has completely imploded and changed. Yeah. Microsoft joined the Linux Foundation. Yeah. The Cubs won the World Series. He knows. Yeah. Cats and dogs are now just openly taking naps with each other. They're canoodling. I heard there was canoodling. I, yeah, I mean, I've heard of the reports. I haven't seen any verification though. What it, what it comes down to. Episode about identifying fake news. What it comes down to is that I've got to come back here to bring balance to DTNS. Oh, I'm so glad. I'm so glad that you're here to do that. We've got a lot of good stuff to talk about today. AT&T will announce details about its DirecTV Now internet TV service on Monday, November 28th in New York City. So a week from Monday. DirecTV has been doing the, we've got an announcement about an announcement, about an announcement for a while. So November 28th, we finally get to the end of that trail. They're going to give us the details. Do you use any of the PlayStation Vue or Sling TV, either one of you guys? I can't find myself. I can't find the time to enjoy media. This is, this is it, Tom. This is the show I get to experience. That is fun. This is and Hak5. But if I, if I weren't, if I were to, I would probably pick up one of these new. Newfangled things. Yeah. Looks like we had a little pause on all of the videos here. Hi, I'm here. But Len's here. Maybe it's just Darren then. And that's hard to tell if you're paused, Len, because you're not. I should probably do something and move, right? Yeah, exactly. So hopefully, hopefully Darren unlocks. Well, we're hoping maybe we just need to score enough points to unlock Darren. Roger's here. He's waiting. So it is just Darren. We'll get him back. Roger's going to work on getting him back. Let's start with some top stories.
Apple has introduced the iPhone 6 Plus multi-touch repair program for models that have the so-called touch disease that results in a flickering screen, a gray bar over the top sometimes, generally unresponsive. Now, Apple's not calling it the touch disease. Apple's calling it the multi-touch repair program. They've reduced the repair fee too. They're not doing it for free. If you have an iPhone 6 Plus, not an iPhone 6, an iPhone 6 Plus, not an iPhone 7 Plus, iPhone 6 Plus, it'll cost you $149 to fix the problem instead of I think it's usually $300. If you've already paid for the repair, Apple will let you contact them and give you reimbursement for the difference between $149 and whatever you paid. iFixit, as well as several others, believe that it could be related to a design flaw in the touchscreen controller chips that cause the problem, but Apple maintains it only happens after stress on the device such as multiple drops on hard surfaces. Oh, so in other words, you're, what do they call it? Holding it wrong, or by holding it wrong, I mean dropping it. Okay, okay, but seriously, like if I drop my phone on hard surfaces a lot, which many people do, I shouldn't be surprised if something like this happens. So that is not unreasonable to say, hey, we just think, you know, people drop their phones, when they drop them a few times too many, it knocks this thing off, but I start to get skeptical when like, but why does it seem to happen to this model in particular? Right, and previously when Apple gets called out for design flaws, it brings on innovation in the way of rubber bumpers. So this time, I feel like Apple could actually introduce the smartphone equivalent of a toddler's sippy cup. Oh, or a leash, the new iLeash that'll stop it from hitting the ground when you drop it. I don't know what form this is going to take, but I just know Jony Ive needs to get on this because it's going to be hip in short order. It's one single fiber machined from purest nylon.
We call it, we call it the item. In statements following the vote to approve the merger of SolarCity and Tesla, CEO Elon Musk said that SolarCity's new roofing material should cost less than traditional rooftop shingles to make and install. He said in his best information commercial, infomercial voice, you'd be crazy not to buy our solar roofs. The savings is expected because the solar shingles could be cheaper to ship because they weigh less than your typical shingle and they're sturdier, they risk less breakage. Shingles would reportedly feature tempered glass made by Tesla, a new solar film from 3M specifically designed for the project, as well as solar power technology jointly developed by Tesla, SolarCity and Panasonic. So new roof coming, you'd be crazy, Darren, not to make it SolarCity. I don't know, I don't know, Tom, between the touch disease and the solar shingles, I'm not sure what any of these. These just sound like horrible things you'd find in a doctor's office where that guy's got solar shingles, this guy's got the touch disease. Yeah, now what I'm sad about is, because I'm just wondering, does this mean that your traditional blue monocrystalline solar panels are suddenly gonna become like the equivalent of a Casio calculator watch or a flip phone? No, you gotta take a look at these if you haven't already. I know I have, but I've already got six hundred watts' worth of the old stuff on my van, so I'm wondering how long until that's retro cool again. Yeah, you're gonna have to hang in there for a few years, my friend. I can't put shingles on the van roof. Anyway, yes, the technology is awesome and I'm skeptical as always, but hopeful. Yeah, I checked in with Big Jim. You've probably heard us mention him before. He works in logistics and he likes to weigh in. He's the guy who does the Tech and Trade podcast and he said he'd have to dig in to be sure, but on the face of it, this isn't an outlandish claim.
He's like, yeah, they might be able to save enough money in the overall production and shipping of these to bring it down. They certainly are gonna be at a premium at the start, though. Yeah, definitely. I mean, it seems like the Apple version of a solar panel. Nice, Enth Mike just said, touch disease, solar shingles, the flu screen of death. I love it. All of it, this is something you want to avoid. The Canadian CRTC and the US FCC have signed a memorandum of understanding to allow the two organizations to team up and fight robocalls. The two will share knowledge and expertise through training programs, staff exchanges, as well as informing each other of legal developments in their respective jurisdictions. I, okay, I'm gonna make myself really unpopular, Darren. I don't really get bothered by robocalls. I just don't answer them. Wait, Tom, don't stop the podcast. I have an important announcement regarding your online search. Your home warranty is under review. It's a request to connect to our SEO specialist. Okay, I'm not gonna say I've never picked up the phone and gotten a robocall, but then I just hang up. Like, yeah, I would hate this if it were happening six times a day and I've heard some horror stories from people where that's happening and I get it. You know, it's like, oh yeah, I need to do my call list if that's the case. That said, I'm not criticizing Canada and the US for teaming up on this. Sure, why not? Yeah, I was actually just being asked about that this morning because I'd get a phone call from my home area code and I just don't pick it up because to save money, they obviously route through whatever your local exchange is and so that's kind of like a dead giveaway that it's a robocall. I get six a day at least and it's made my phone pretty much worthless. So I'm signed up for the do not call lists. And they're still getting you. Yeah, so it's, you know. All right, so I'll back off. Well, it's just frustrating because it's like email.
Email's worthless to me now too because it's just like the signal to noise. I find really, I just FTP things directly. I literally tell people to tweet me now because it's like, anyway, but that's neither here nor there. Yeah, it's a frustrating thing. I hope that they can, you know, figure out some good stuff to thwart it. And you know, I think that interesting stuff actually comes out of DEF CON in this regard too. As far as like the social engineering village has a lot of fun with telemarketers in this regard. We'll be back to that. Keep it, yeah, keep your eyes out for that. We've got some good updates coming to the Windows 10 Creators Update builds. If you're on the fast track of the Insiders preview, build 14971 is arriving there for the fast ring. They call it fast ring insiders. A 3D version of Microsoft Paint, codename Beihai, has arrived. You can play around with that. PowerShell now replaces command prompt as the default in the File Explorer's File menu and the Win+X menu. Also, if you right click in blank space, you can change it back to the command prompt. They're not getting rid of the command prompt. So if you wanna live in the style to which you've become accustomed, you can go back to that. Microsoft Edge got the ability to read un-DRMed EPUB books, and an update to Get Office, which a lot of people call Office Hub, now helps you find and launch apps all in one place. It's not just the collection of links, although the links that were there are also still there. The Windows Holographic shell's not in there yet, but they did add the Windows Holographic first run app. It doesn't do a lot much yet, but it is a sign that they're starting to build the process of adding the Holographic shell. I find, Darren, the most disturbing thing is the indication that command, that cmd.exe, might be getting deprecated here. Well, you know, all of this has happened before and all of it will happen again. You know, command.com is dead, long live cmd.exe.
cmd.exe is dead, long live powershell.exe. What I say is as long as I can run tree, which is the best command of all, then bring it on, except it does still sadden me in the same way that I'm saddened when I see Trumpet Winsock going by the wayside. I am happy that there are certain mainstays in Windows that you can always rely on. cmd was one of them. At least it's being aliased to the new version of the prompt. And for the most part, a lot of the commands do transition over, but yeah, it means that I have to go back and redo a lot of USB Rubber Ducky payloads because they rely on opening cmd. And now they're gonna have to open PowerShell, which is, by the way, what they should be doing anyway. Yeah. And PowerShell, correct me if I'm wrong. Am I remembering this, bash is in PowerShell, right? No, it's kind of, I haven't gotten it. I'm really upset because I'm like, anyway, neither here nor there, but problems with my own system. But I would actually, PowerShell is 10 years old. I wish 10 years ago Microsoft said it's introducing PowerShell. I had just like adopted bash and this would be the default now and then we'd all be rejoicing. Well, that's what's gonna happen, I think. Yeah. Well, it took 10 years for PowerShell to become the new cmd. How long is it gonna take bash to become the new PowerShell? Bash is gonna take 10 years to eat PowerShell. And then by then, Linux will have moved on to a different system. People will go, man, Microsoft still stuck on bash. At least, look, at least unlike some operating systems, we're getting a built-in terminal emulator and a shell. So, I'm just gonna... Just to clarify our confusion, PowerShell has access to bash, but also cmd does too, cmd.exe. There are very few mainstays in Windows. And so I'm always sad to see some of them go. The Start, cmd, the Run dialog has been there since Windows 95. X in the top right has been there since Windows 95.
You know, I think the one that's, that goes back to Windows 3.1 that's still there is in the top left corner of a window when you have the icon for the actual program. You can double-click on it to close the program. That's still a mainstay from Windows 3.1 where there used to be a minus sign there. Yeah. Oh, right. Yeah, that was the way you... Yeah, that was the big deal with Windows 95. I think Windows 2.1 was the left to the right. Windows/286 with an add-on could do that too. I don't know if it was native. I don't go back to Windows/286, man. I'm a 80. That's where I got my teeth. According to Dan's Deals, Dan Seals is probably some kind of singer. DansDeals.com, Google has suspended more than 200 accounts from people who bought Google Pixel phones and had them shipped directly to a reseller in New Hampshire. The reseller has done this with several Google phones before in the past. It helps users take advantage of the fact that there's no sales tax in New Hampshire. So you buy it, you don't pay sales tax, it gets shipped to New Hampshire, he sells it, splits the profits with you. However, for the Pixel, Google requires purchasers, either through the Google Store or Project Fi, to agree that they are only going to buy the phone for personal use or as a gift. Google told Fortune that many of the accounts were created for the sole purpose of buying and reselling the phone commercially and therefore it disabled the accounts. However, it has restored access to accounts it considers from genuine people. So they're like, look, if you aren't just a business who is taking advantage of this, then we're going to restore your account. If you didn't just create an account that's done nothing but sell this phone, we're going to restore your access. Otherwise, we're keeping the bans in place. Yeah, I mean, it's up to them. They reserve the right to refuse service to anyone, like any other business. This is typical in e-commerce.
There's a lot of places, ourselves included, that will a lot of the time block places like freight forwarders because it can cause all sorts of trouble. Well, that's interesting because I think as a regular consumer, you look at this and say, hey, wait a minute, I should have the right to resell the things I buy. It's the right of first sale, right? I can sell anything I own. How can you stop me? But that's not exactly what's going on here. Google isn't saying you can't buy something and sell it yourself. What they object to is a commercial system that allows multiple items to be sold simply for commercial use. And is that close to right? Yeah, absolutely. And the thing is, in this case, you haven't bought it. You can't be upset because they just declined the transaction. They just declined the sale. And what is the problem? I think you're in a unique position to sort of shed some light on this for people. What is the problem with a freight forwarder or somebody coming in and just buying up? I mean, don't you just sell as many as you can? Yeah, if we were launching the new Hak5 Field Kit on Monday and then suddenly everybody goes and buys it through a reseller just to make a buck, I'd be upset because then there's all the people who would actually want it and not getting it because it's a limited amount of inventory, which is why you should be refreshing the HakShop on Monday. Anyway, point is, things like that would upset me because I want the right people to have it. And at the same time, freight forwarders, for example, what'll end up happening there is people in various places in the globe where they can't traditionally get shipping from the United States will go through a freight forwarder. It ultimately will get refused at their border and then it becomes our problem, even though it shouldn't be.
Right, you're not the one who bought it to ship to that country that you're not allowed to ship it to, but you're going to have to answer for it because it's your product getting shipped. No, well, technically, once the package has been received, the transaction is complete and you would think that you're off the hook, but not in the customer's mind. Yeah, yeah, exactly. It's your fault that it got. It's about customer support a lot of times. And even in New Hampshire, where you're not crossing a national border, there could be situations where people are buying these things and maybe they're damaged or something and then they complain to Google and Google's like, well, hey, we didn't ship it to you. We shipped it to this other place. They may have damaged it. You got to take it up with them. But like you say, customers. That's not the way that a customer thinks. Yeah. All right. Finally, this is going to lead us right into our main discussion today. UK's Three mobile service announced attackers have accessed a customer upgrade database using an employee login. So they probably phished it or socially engineered it. The Daily Telegraph has a source saying up to 6 million customer records could have been exposed. Three has said the data accessed includes names, phone numbers, addresses and dates of birth. Added that it did not include financial information. So far, so familiar. You're like, what's so different about this than any other data breach that you've mentioned on DTNS? The attackers have been upgrading customer accounts with new phones. It's actually similar to the story we just ran here. The attackers weren't going after your personal information. They just wanted to hijack accounts, order cheap phones with an upgrade on the plan, have them shipped to the attacker who then presumably would sell them because they're getting them at a subsidized price. The National Crime Agency says three people have been arrested and the investigation is ongoing. Yeah.
So it used to be that, you know, if you wanted to steal a bunch of phones, you just, you know, smash a few bricks through the Radio Shack window and just grab them from behind the register and off you go. And now it's so much more complicated and interesting. Yeah. I almost said I like this story. I don't like this story at all. But I was, it's an interesting story because it's not the typical like, we accessed the database and now we're going to sell the information online, which happens all too often. It's a different, it's a different use for a database. There's a lot of economic incentive to breaching data out of companies. And there's lots of ways that you can make money off of data breaches and the information that they provide. And this is a difficulty for all organizations because ultimately you do have to trust certain individuals within your organization with the information to, you know, be able to get their jobs done. Systems administrators notoriously end up having like access to way more than is, you know, typically necessary, but just to get their jobs done they do, which is why penetration testers will always go after the administrators first. So this is an example of like, yeah, those people with access have their credentials stolen and then it's a new, novel way of having that data abused. Yeah. Well, thanks to all those who participate in our subreddit and help us find these kinds of stories, submit your own, vote on them at dailytechnewshow.reddit.com. All right. Darren found a couple of posts from Troy Hunt, security researcher of great renown. One of them looking into a supposed data breach of GitHub accounts. Turns out this is another one where GitHub has not been breached, but there is a data leak and I'll explain this. A company called GeekedIn promises to recruit developers. They took advantage of GitHub's policy that allows site scraping for research or archival purposes, or at least that's the best explanation for how this happened.
They definitely got a whole treasure trove of publicly available information, but information that isn't aggregated, and if they're doing this for a commercial purpose, it would violate GitHub policy. So if that's what they did, they would have violated policy. Whatever they did, however they got the information, it leaked out from a MongoDB with no password and is now being bandied about as a GitHub data breach. Public data from GitHub had been aggregated including email address, location, name, skills, username, years of pro experience. Now there are 8.2 million unique email addresses in this leak, 7.1 million of them are dummy addresses. They ended in .xyxp.wzf because those are accounts at GitHub that didn't have public facing email addresses. So Darren, this brings up the question of when is a breach a breach? This is definitely not a breach of GitHub, but it's gonna make GitHub look bad if people see that this breach is out here, and it's not an 8.2 million email address database anyway. It's a couple million. Right, and here's the thing about this is this is only one source. So this information only came from GitHub, which, this is why it can potentially hurt GitHub, because people are gonna say, hey, I've got the latest GitHub breach, right? And it's like GitHub wasn't breached, you just took the information off of publicly accessible pages. What's interesting in this case with what Troy Hunt typically does is he operates this awesome site called haveibeenpwned.com where you can type in your email address and see if you've been listed in any of these data breaches. What he doesn't do is actually give you the breached information. He just tells you what the exposure is. So whether it was your email address and your name and what other kinds of information were exposed. What he's taking as a different approach in this regard is he's actually providing you, if you signed up for his notification service, which is where he actually authenticates your email address.
He will allow you to see what data was actually breached in your instance if you were part of this. I went ahead and did this because I'm part of this data breach because I have a GitHub account and oh no they scraped off GitHub, my username and my first and last name and my email address. But for other people it had also other information about their programming abilities and things of that nature. It's really interesting in this regard because it brings up the question of like, well what is a breach and if it's just public information does that count as a breach? However I would say in this case we're only talking about one source. If I were to just imagine what if some nefarious entity used Maltego-like tools to go ahead and crawl the internet and put together a phone book that didn't only have your name and phone number but also your address and every piece of public record about you held by states and counties and then also held all of the public information from all of your social media sources, everything that's still publicly available but what if that was then indexed and then you could just search anybody and then see basically everything that they've ever done publicly in life or online? Some would say, hey that's a data breach because you've compiled the information in such a way. So yeah, it's, I don't know it brings up some really interesting questions. Yeah, because my initial feeling on this is if this is public information then I should be aware it's out there and perhaps if someone collected all of our public information it would raise awareness for us about how much information is out there but then there's that other side of it which is like, yeah, it's one thing to have information public. It's another thing to have it all conveniently aggregated so that you can draw more conclusions about someone than you ever could if it was just public in the way it's public. 
It's the difference between someone seeing your license plate when you drive down the street and someone going up to your car and taking a picture of it and then keeping it on file and saying, I know your license plate number now, right? That creeps people out and it's a whole different conversation about that. So I, you know, in some ways I, you know, GeekedIn definitely took advantage of GitHub's policy in a way that shouldn't, so it shouldn't be allowed to do this. If they didn't use GitHub to aggregate this public information, if let's say they did it by hand, sounds probably impossible, but just for the sake of argument let's say they did, then, well, okay, that's publicly available information that you put up there and you should be aware of that. But man, I wish GeekedIn would have protected it a little better than putting it in a MongoDB with no password. Right. And, you know, it just calls up the question of like, is this a breach? Do you call it a breach? Because by saying data breach there's certain implications that it has that can smear the reputation of the entity. And in this case GitHub's reputation doesn't need to be smeared because it wasn't actually anything quote unquote private. And here's the thing, like there's for instance it's kind of public that like, okay, so like all of these data breaches have happened and there's sites like, you know, haveibeenpwned.com that will list those and I can for instance type in your email address, Tom, and I can see that you have been exposed in the Patreon data breach and in the Tumblr data breach, but I can't actually see what that information is. That's what a responsible site like haveibeenpwned.com actually does.
That's not to say that there aren't irresponsible sites out there where, for a fee of course, you can unauthenticatedly obtain the hashes or even plain text of those breaches, and that's like, okay, well, that was public knowledge, but that doesn't mean that it's responsible to spread that, which is why there's an entire economy of selling and trading these data breaches. Well, and some people, because there is an economy of that, want to build a name for themselves and purport to have breach files that aren't even breach files. That's another post from Troy Hunt about him investigating a breach of a German soccer site, dfb.de. He said he couldn't verify the breach. He found emails in the breach, emailed some of those folks, and they said, no, I don't remember ever having an account there. He found people who said, yeah, I definitely had an account at DFB, I'll help you out, Troy, this is the email address I used; he couldn't find it in the so-called breach. So he said, look, you know, this is a problem. People are out there saying there are breaches, some outlets, you know, going back to Tuesday's fake news, we'll just pick up with that and run it. Like, oh, I heard there's a Twitter breach, and it turns out that it's not verified. So if you hear of a breach, it's bad enough to think, oh, my data got compromised again, what do I need to do? How do you make sure you're hearing about an actual breach? Exactly, it's really difficult considering the fact that journalists don't typically have the tools to verify this sort of information, which is why it's good that there are certain security researchers out there actually doing the legwork to make sure that this is legit, because it's just like any other accusation, just being accused can smear your reputation. I mean, you know, I heard that Julian Assange was a pedophile, right? And then therefore pick it up and roll with it.
You know, there's certain reasons why any entity might want to do that. If I had a competitor, I could say, oh, my competitor's had a data breach, shop with us because we haven't, or whatever have you. I mean, you can see where you can go with that, and then on top of that there's an entire economic incentive within the underground to create names for themselves and saying, hey, we have the most, the biggest library of data breaches, come and get them from us, we'll sell you those, and maybe even make a few bucks off of a fake one because it's very difficult to verify. A fake breach looks just like a real breach until you actually go ahead and go through the process of authenticating it, which is why, you know, certain researchers put out things like canary accounts where you can tell, like, oh, okay, well, I have a fake account at every website and when it gets breached I'll be able to look up this particular username and password, or the password hash, and see if it exists in there, and if it does you can say, oh, well, this probably is legit, and if it isn't, well, hey. So wait until the company itself, in this case dfb.de, Beatmaster tells me in the chat room, is the Deutscher Fußball-Bund, it's the, the, the German Football Association. They're going to make an announcement if they got breached eventually, maybe they do it faster or slower, but they will, they will definitely let folks know. And if you're waiting for them to, like, well, wait a minute, maybe they're just being slow about it, wait for a trusted third party like, like a Troy Hunt or another security researcher to say, yeah, I vetted this, I've looked through it, seems verified, before you say, okay, I'm certain that that's a breach. Yeah, that's, that's really good practical advice, because a lot of times companies will drag their feet because they don't want to acknowledge the fact that there's been a breach, and maybe they'll, like, you know, acknowledge it in some sort of vague way and then not actually allude to the, the actual scope of it. LinkedIn. And so
that's... so don't wait just for, you know... If you want to be proactive, definitely sign up for a service like Troy Hunt's haveibeenpwned.com. He's a good friend of mine and he, you know, runs a responsible service. There are other services like that where you can sign up to be notified when your email address appears in a breach, and that way you can be a little proactive about it and then log into your account and disable it or change the password, whatever have you, to just stay ahead of the curve there.

Yeah, so let's go from that. That's kind of a good step one. Before a data breach even happens, what are the best practices to make sure that I minimize any damage if somebody's data does get breached? I don't want to have to not use any services on the internet; I want to continue to use things like LinkedIn, etc., perhaps. What do I do? One thing is sign up for something like haveibeenpwned.com; we'll have the link in the show notes. I would say don't replicate your passwords. I mean, that's just good advice anyway, but definitely do not use the same password in multiple locations. That way, if somebody does get your password out of one database, they can't use it on your accounts in other databases. Use two-factor authentication if it's available. Make sure you make it hard, so that if somebody did somehow get your password and username, it won't be easy for them to get into the account. Anything else, Darren?

Yeah, I would say, unfortunately, we don't live in a world where web services disclose what sort of encryption technologies they use on the back end to protect your information, whether it's something weak like SHA-1 or MD5 or something newer like bcrypt. It's unfortunate that you don't know when you sign up for a service if it's going to be protected at all, so you have to go into signing up for a service assuming that the eventual data breach will happen, and when it does, it could be worst case that
it's a really weak algorithm protecting your password. Which is why what you want to do is not be the low-hanging fruit. The simple things to crack are the, you know, short seven- or eight-character passwords, and the hard stuff to crack are those 16-, 20-something-character passwords. So if you're currently using a 10-character password that you can already remember, you can turn that into a 20-character password right now by just typing it in twice.

Yeah, and granted, some cracking methods will then start doubling passwords to look for that sort of thing, but it's better than having just the 10-character password. Right, it's always an automation point in between the two, or something like that. Something, yeah. A long password is going to make you exponentially harder to crack, and therefore you're not the low-hanging fruit. So when the, I want to say, when the crackers throw the data breach file into hashcat, or whatever, you know, trendy cracking service of the day is, and say "crack them all," you know, the first ones that are going to get spit out are the really easy ones, and you don't want to be one of the easy ones.

Don't be one of the easy ones, folks. And I know Darren has concerns about using password managers, but certainly using a password manager is better than using the same password everywhere, and there are things like KeePass if you want to keep control of that sort.

I use the password manager; it's just in my noggin, that's all. But it's susceptible to the rubber hose problem. So, yeah.

Yeah, that's always... All right, let's finish up with a pick of the day from mox, "mawcs." It's short for his actual name; I don't know if he goes by mawcs or mox, though I like mox. I'm gonna call you mox until you tell me otherwise. Since the recent call for VPNs (remember a while back we talked about virtual private networks; we had a listener saying, "Hey, what's the best one?" and we're like, there is a best one, but
we've gotten a lot of people telling us the ones that they enjoy), mox wanted to chime in for PIA at privateinternetaccess.com: lots of servers, even international servers, no logging, great encryption, lots of devices on a single plan, integrates with his router, and more. He said really the only downside is it's based in the USA, so some people won't want to use it because they're worried about surveillance or that sort of thing. He's also been using meet.jit.si as an alternative to Hangouts and Skype.

Ooh, Jitsi is so good. It's actually easier to use than both Hangouts and Skype, as long as you're using Chrome or Firefox, and it's free and open source.

Yeah, and you can roll your own server. We did just that on a Hak5 episode last year, and it's a really cool package. It uses some awesome, you know, new HTML, all the cool trendy codecs and all that good stuff, and it's really something worth checking out. We ran a server for a while here at Hak5; it was a lot of fun.

Send your picks to us, folks: feedback at dailytechnewshow.com, and you can find more picks at dailytechnewshow.com/picks. All right, before we get to Len: Darren, what's been going on at Hak5? What do you get to tell folks about? I seem to remember earlier in the show you were saying some big announcement is coming on Monday.

Oh, yeah, that's right. You know, the Hak5 Field Kit has been, you know, much sought after for quite a while. There's the little version and the big version, and these are just chock-full of, like, all the tools, you know, in one place. And to accompany some of our best, come Monday we will be launching the Hak5 Field Kit book, the pocket guide of the essentials, which covers all the ins and outs of getting started with the USB Rubber Ducky or the WiFi Pineapple or the LAN Turtle, the tools that you've seen on shows like Mr. Robot and in video games, as I've just found out, like Watch Dogs 2. So that's pretty cool. The WiFi Pineapple is all over that video game.
I'm honored and tickled. Otherwise, hak5.org is the place to check out awesome shows like TekThing and Hak5 and Threat Wire. This week Shannon has an awesome review of the NES Classic, as well as 375-gigabyte Raspberry Pi servers. It's, I don't know, just cool stuff. And then on Hak5 we're covering ways to exfiltrate data using USB Rubber Duckies.

That's exfiltrating data. It's like involuntary backups. Back up the data, folks.

Yeah, or that'll be backed up for you. Thank you, hak5.org; check all that stuff out.

Len Peralta, poor guy, he's missing his breaches.

He is missing his breaches. This is actually my first sort of PSA for DTNS, which is basically saying "Beware the breach." You talked about some great ways of, you know, keeping your password safe, and those are kind of outlined here, including 2FA and doubling your characters, which I thought was a really good idea. Also, wear pants and other protective clothing, which is really important, which obviously this guy didn't do. So yes, it's a friendly message from your friends over at DTNS, and you can get this print right now at my online store. And what's kind of cool about it is that, for those looking at the video, it says "My password is password." It's someone who's, like, not really doing anything to protect themselves. If you get the digital version, which you can get right now, the digital version is blank and lets you write your password right there. So it's a little bit different than the actual physical version: the physical version says "My password is password," the digital version lets you write your own password in.

So turn it up. Yeah, you could actually use this if you're in a place that puts the Wi-Fi password up on the wall.

Yes, yes, that's the idea. You know, you can print it out. You can actually, if you have a laminator, laminate it and then just sort of write stuff on there. So it's kind of a fun little interactive thing, plus a nice little PSA for remembering how to
protect yourself and beware of the breach. So yeah, check it out.

Yeah, go check it out, as well as all the other stuff at my store. Of course we're coming on, you know, doing some cards, doing custom-drawn holiday cards, got the DTNS superfan poster as well. Go to lennproltstore.com and check it all out.

Thanks to everybody who supports the show, like Len with his art there, like our new patrons, including Brandon Spickard and Michael Jones. Huge thanks to Brian Chastain and Michael Honey Arcement, and I apologize, Michael, if I didn't pronounce that last name right. Those two folks just increased their support. We thank every single person who is continuing to support us. Thanks for hanging in there with us; you guys are the best. patreon.com/dtns. Our email address is feedback at dailytechnewshow.com. We're live Monday through Friday, 4:30 p.m. Eastern, at alphageekradio.com and diamondclub.tv, and our website is dailytechnewshow.com. Back on Monday with Veronica Belmont. Talk to you then. This show is part of the Frogpants Network; get more at frogpants.com. Diamond Club hopes you have enjoyed this bro...

Tight show. Good work. What should we call it? What should we call it, showbot? Let's not call it showbot. No, let's not call it showbot. Let's see what they got going on here. Oh, "Life's a Breach," that's a good one. "Life's a Breach," and then you lie. Yeah.

Can you hear me?

Yes, we hear you now, Roger. Good. Hey, Roger, I heard you for a second, I really did. Now I can hear you again. All right, that is a Roger. All right. I told "Life's a Breach." "Life's a Breach," yeah. "I Fixed, You Pay." I think we've used that before. Something... "Life's a Breach." No, "I Fix It, You Pay." Yeah, I feel like "Life's a Breach" might have been used before too, possibly. "Solar Shingles." "Double Your Password, Double Your Fun." Hey, that's solar shingle, Tom. No, I got to, yeah, Tom's right though, the crackers are just going to, you know, try it twice. So yeah, put a couple characters in between. Yeah, yeah, do a little mitigation. "Touch Disease." "Solar Shingles."
That seems kind of odd. "Breach Blanket Bingo." Oh, that's better, that's a good one. Yeah, I haven't used that one. I know we have it, pretty sure. I haven't, yeah. "Innovation Rubber Bumpers." "This Crazy Elon's Practically Giving It All." "Crazy Elon's, We're Practically Giving Them Away." "The Roof, the Roof, the Roof Our Power." Okay, it's good, good effort. "Command Shell Problems." "Mo' Shells, Mo' Problems." What's the spirit of that one? It just... "There's More Than One Way to Steal a Phone." "Fishing, I See You." He has a great pedigree of amazing titles. So, not down on here, you know. Oh, he's printing it out right now. It's hilarious. I am going to go with that. Yeah, nice. Let's call it "My Password Is E F Five Two Zero Four E Six A."

I like that you put it in like, you didn't write it on there, you just printed it, right?

Oh no, I totally shopped it, you know, Arial Bold.

Yeah, very cool. Oh, I love that. Thank you.

No problem. Great, I love you. I thought, yeah, you know, someone's looking at that right now going, "Wait, that is my password." Well, if you've been watching Hak5 for a while, you know e f five two four d six a, and I can't tell you why. So we need to just set up, like, some sort of Python server or something, or some IPP protocol, where Len's art can go directly to my printer. I want to set up the subscription service where I just get in on the Patreon and it just starts coming out of the printer, you know.

Yeah, that'd be actually cool to do.

Yeah, I come to the office and then I see, like, "Oh, what's on the tray?" You know, that's pretty cool. "Life's a Breach" is winning. I like that one. And by the way, on the screen is Dark Redeemer's... oh, nice, superfan poster. Oh, that's his, yeah, the one he ordered. Yeah, that's his personalized one. So that's great; you can get drawn right into it. That's fantastic. Like how Justin's tongue is stuck out that way. Who's the upside-down one at the top? That's Peter. Nice. Well, because he's from Australia.
Because he's from Australia. Right, that makes sense. Fun stuff, good work.

Yeah, I may not respect the vote here. The Electoral College is voting for "Breach Blanket Bingo." You know, "Life's a Breach" is winning the popular vote. Oh man, Ian just called me out that I invented the fax machine. You're right, it's kind of... let me... oh well, like a protocol to send something.

Yeah, yeah, there was a way. Right, you're right, this art could just show up on my print tray.

All right, that's good paper stock too. Yeah, well, okay, actually, so the only way to do faxes over the internet is with some kind of goofy thing like eFax.

I was about to say, no, you know, we were talking about, like, mainstays of Windows technology like cmd. I think WinFax is still in Windows 10, or WinFax, right? But you still have to use the phone system, right?

Yeah, I think... when... how has it... somebody come up with a faxing system? I mean, that was the... Are you about to do that, PDF attached to email?

No, no, something that would print, like, say, why can't I set up my printer to say...

You can. IPP, Internet Printing Protocol.

Yeah, you know, you're right, you're right, but nobody uses it. That's why we forget.

No, that's what I'm saying, is if there was a better protocol than... I think it's pretty terrible. It's not that we are saying there isn't one, right? I want a better one. I want a cryptographically sound one that will traverse NAT, that I can then authenticate different people to, so that I can be part of the Peralta list, so that when there's new art...

You're giving me more stuff to do, though. I got to figure out...

What I need is somebody to come in and figure that all out. Your end could be done in software, if Len could hover his finger over a giant print button that he knows, when he presses print, it's going to make 100,000 printers all over the world...

Yeah, I love it. I'm all for automation.

Yeah, all for automation, like people go to your store and they sign up, you know, that maybe they pay a little money, they sign up and
they get added to the print button.

I think there is a way to do subscriptions through Shopify, but direct to printers, I don't know about direct to printer. I mean, this is problematic in so many regards.

Yeah, it is. There's no ink in it. Yeah, I gotta get my, like, school paper. I mean, honestly, I'm not... a nightmare, because Len used it all. Yeah.

Oh, it looks like some... oh, wait a second, someone's buying... oh, I think someone just bought my digital comic. Thank you so much.

Look at that, real-time satisfaction.

Yes, that is... you can download that right now and you can read it. Yes, love it. Thank you so much, Michael. Oh, that's, no, that's Nth Mike. Thank you so much. Oh, hey, look at that, he said in chat: "Nth Mike buys Heel Cut number one." I know, pretty awesome.

I gotta get ready. I'm going to go see my son in a play tonight.

Oh, what's the play?

High Fidelity. Oh, he's the lead, he's singing it. I've never heard him sing before, so it should be an interesting night.

High Fidelity, is it... it's not based on the John Cusack film?

Yeah, yeah, so he's John Cusack.

Yeah, should be interesting. I've never heard him sing.

So you mean Jack Black?

I don't know, I don't know.

You don't know what his part is?

Well, he is, um, no, I don't know. I don't know anything. He's never said. All he told us is that it's kind of sweary, Mom and Dad. So I'm like, hey, I'm sorry, I'm sorry. When I showed my first book that I ever wrote to my dad and he read it, he's like, "I really liked it. I don't know why you had to swear so much." Yeah, it was so funny. He's in an improv troupe too, and someone knew that his parents were in the audience, and so they were giving him all these kind of, like, risqué things to improv, and he's like, "I'm sorry, I'm sorry, Mom." Of course they just wouldn't embarrass the crap out of him. It's very funny.

All right, well, we've got High Fidelity, and... tell you something, like a leg. Yes, thank you. We'll see how it goes. And everybody have a very happy
Thanksgiving.

Likewise. Yeah, my pro tip for everybody here in America is, if you're going to hurl anything at your family members, make sure it's cranberry, because that shows you still care for them.

Yeah, it's the way you show you care. Sweet, it's sweet. Inevitable Thanksgiving argument. Yeah, they will be. It'll be a great Thanksgiving for everybody here in the United States. All right, I'm sure that... take care, everybody. All right, thanks, Len. Bye.

Hey, Darren.

Yes.

So I got you down for Sunday, December 11th, for the 9 a.m. DTNS predictions results show.

Yes, I can do that, because it's in the morning.

Got it. Cool. I'm looking for... have you looked back at your predictions?

Yeah, and I was just too far ahead of the curve, you know.

Yeah, that's always... that's my problem, like, and I don't mean to give myself, like, "I'm always right, just too far ahead," like, but I'm always predicting things, and it's like, "Oh well, yeah, of course that wasn't going to happen this year."

If it is... I don't want to have to say, "Yeah, my prediction is still last year's." Can, like, do I still, like, when it happens, you know, in 2017 or 2018, that there is a lawsuit over intellectual property being used in VR, you know, somebody recreating It's a Small World and Disney having a problem with that, then do I, then, when it... then I mean, yeah.

Yes, about it on the results show. That's the problem. So actually, the further ahead that you can predict it, the better, because then I can be like, "I predicted that way back in..." Someday cars will fly.

So I should be predicting the Cylons. Although I say that, and then I go back and I look at my old predictions from, like, Buzz Out Loud days.

You still aren't that accurate, honestly.

Now, it's beautiful though, because it shows kind of the hopes and dreams of the time. Yeah, "neither HD DVD nor Blu-ray will win."

Yeah, well, you know, one can dream. That's one of those things we're like, well, Blu-ray certainly isn't as popular as DVD was at its height, but it didn't die. But streaming video is definitely more popular, so yeah.

Yeah, it's
still problematic. I want offline. I want digital delivery, but I want offline, you know, and I want to be able to store it.

Yeah, well, like Amazon, Amazon Prime, I can...

Nope.

Yeah, save it.

Yeah, you can save it, the box. Huh, not on a Windows box.

Oh, maybe not on Windows. On Android you can, though.

Yeah, on Android. See, on the closed platforms you can.

Where in Windows... closed platform? How is Android more closed than Windows?

There's no... actually, I'm up in there. The Windows main... because not Windows. Amazon, because it used to be able to save it, the box, you download...

Just say it, though, you're talking about DRM.

Yeah, yeah. You download Amazon Unbox and you could, like, download a, you know, encrypted version of the movie. So the problem that I have is I'm, like, living in the 90s again, where I've got a T1 at the office and I have crap for bandwidth at home. So I want to download the movie where I have the fast internet, and then when I go home tonight I want to be able to watch it on my big screen. There's no reason Amazon couldn't do that on Windows. I don't know why they don't. Well, you know, you look at, like, Google Play is the same way. Google Play, you can download the movie, you can cache it on Android and on Chrome OS, but not on Chrome the browser.

Yeah, there's no technical reason here other than, like, the studios don't want them to do it. They're like, "Oh, no, no." It's not even DRM, like, it's not like Windows doesn't support DRM. It's ridiculous.

Yeah, and who's going to copy it anyway?

I know, dude. We all just want to stream things. We don't really want to own things anymore.

Well, I know there's... it's not, anyway. But yeah, most people, though, the market pressure is not for, like, "I want to build a server of all the movies." People want Netflix. Mm-hmm.

I want... "Dear podcast provider, to improve your experience with podcasts, we've put together a few tips and reminders." Oh, okay, this is just the iTunes winter, so, like, if you want to submit something for promotion on the iTunes Store. Got it. I was like, uh-oh, what are they
changing. Is that still a thing? Is iTunes still a big... still pretty popular?

Yeah.

Really? I haven't looked at stats on Hak5 in, like, five years. I mean, it used to be, like, 98 percent.

It's not up there anymore, but it's still the dominant one.

Okay, cool. So people are still installing iTunes.

They should. Well, it's that plus the Podcasts app on iOS.

Got it. Oh, that makes sense. Yeah, okay. I'm really surprised that Google never did a first-party podcast aggregator.

Well, they... Google Play Music. Google Play Music does first-party podcast aggregation, but nobody remembers that. Nobody uses that.

That's... yeah. I would stop working this week, and one guy was like, "Hey, why aren't you in Google Play Music?"

Yeah, they're buried in there. They're not even, like... they're like, "Oh, they pop up randomly because our algorithm thought you might like this."

No, I'm talking about, like, a podcast listing, like something dedicated, first party, from, like, Android Froyo, you know. Right, a podcast app built in. In the end you would think, yeah, why not take what they built for Google Play Music and just create a lightweight app for people who are just like, "No, I just want the podcast part"?

Oh, are you implying that Google Play Music is lightweight? Because that beast...

Anyway, no, no, that was my point, was, like, build a lightweight app.

Lightweight, okay, just a podcast...

So I don't have to get the beast that is Google Play Music. So terrible.

Yeah, yeah, it's like they bought FeedBurner. Why didn't they turn that into something?

Oh, I know, right? That's just Google's way.

No, but it's like buying GeoCities and then just leaving it on a 486 in the closet.

Yeah, Yahoo had the sense, I don't know, yeah, the sense... they had the hood split of shutting GeoCities down, which I also thought was dumb. Like, why not just freeze it, hand it over to archive.org?

Well, archive.org ended up getting a copy of some of it, but not all of it.

No, no, they don't have my awesome text... but actually, no, mine either. Awesome text files. textfiles.com, or
.net. My Tripod site is on archive.org. Good luck finding it, because I'm not telling you where it is. But my GeoCities site is long gone.

Aww. I had two GeoCities sites. I had one for Boiling Point, and then I had one that was about returning the United States to England because we had illegally separated. We're, like, making fun of these, like, revolutionary sites.

Oh, Tom, trolling since '95. The original troll.

There was the American Monarchy site or something. I can't remember anymore. See, my two Tripod, or my two GeoCities, is just because you only got two megs, so I needed a second one to hotlink images from.

Oh, right. Yeah, two megabytes. Wow.

I remember. Well, that was the whole reason I got ace detect, was because Concentric gave me five megabytes of space for my website. AT&T didn't give me any. WorldNet, screw that.

Hey, you want to cut the streaming streams?

Yeah, I'm actually, like, right at the point where I'll do that. I just...

Okay, cool.

This link... that's usually what I do, is I wait until everything is uploaded.

Yeah, okay, makes sense.

And then I publish. And I think, well, in that case, I will read you an excerpt from my latest book. Chapter nine. This is copycraft5.org. Actually, let's skip to chapter 10, "The Ducking Workflow."

I didn't take it seriously, obviously. I don't know, it tells me what it says. You were talking about Rubber Ducky at this point?

Yeah, exactly. All right, thanks, everybody, for watching. I'm sorry, though, it just finally loaded. If everything's published...

Oh, okay. Do you want to give more?

No, no, no, no, no. I mean, you know, it's... yeah, anyway, this is actually kind of boring educational stuff.

Just read one line.

All right. "The Ducking Workflow. Whether you're auditing an ATM, esoteric cash register system, an electronic safe, specialized kiosk, or an ordinary Windows PC, the workflow will be the same." And it goes on to cover pre-engagement interactions, reconnaissance, targeting, research, writing payloads, encoding, testing, and optimizing them.

You just got
somebody really excited. I'm not even joking about that. So check that out, hak5.org, on Monday. We'll see you then.