Download: Episode 74.
This episode we talk about Chinese spy chips, new sophisticated voice phishing schemes, and Facebook’s huge security breach.
Community Event Planning pre-order. Still time to get in on the book previews.
Survey for event organizers. Please fill it out!
Issue 10 – Science! It’s shipping. Back-order sale: use code READER18 to buy 2 and get the 3rd 1/2 off!
China planted spy chips in computers from Portland-based Elemental, Bloomberg reports | OregonLive.com
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg
The Big Hack: Amazon, Apple, Supermicro, and Beijing Respond – Bloomberg
Chinese Hackers Have Allegedly Compromised the Supply Chain to Spy on Amazon and Apple
Voice Phishing Scams Are Getting More Clever — Krebs on Security
Facebook says nearly 50m users compromised in huge security breach | Technology | The Guardian
Kim Zetter on Twitter: “The Facebook breach gets even worse – it’s not just that an attacker who has your Facebook token can access other accounts you’ve used your Facebook account to access, he/she can access accounts you haven’t even used Facebook to access… https://t.co/BCCpuPG9XI”
jason polakis on Twitter: “Given the scale and severity of the @facebook breach, I’ll share some thoughts based on our recent @USENIXSecurity paper with @m0eb1t, amrutha, @kaytwo, @stevecheckoway, where we explored the ramifications of your Facebook account being compromised. https://t.co/6gS2ERrGvO (1/n)”
Facebook Security Bug Affects 90M Users — Krebs on Security
O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web
Can Mark Zuckerberg Fix Facebook Before It Breaks Democracy? | The New Yorker
Burgerville Notifies Guests of Data Breach
The Wild Inner Workings of a Billion-Dollar Hacking Group
Episode 69: We’ll just make a pickle grid – The Recompiler
Willamette River presents stunning lidar image on poster from Department of Geology | OregonLive.com
Now Broadcasting LIVE most Fridays
We broadcast our episode recordings LIVE on most Fridays at 12pm PT. Mark your calendars and visit recompilermag.live to tune in.
We love hearing from you! Feedback, comments, questions…
We’d love to hear from you, so get in touch!
CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.
AUDREY: Hi, Christie.
CHRISTIE: Long time no chat.
AUDREY: Yeah, at least for our live broadcast.
CHRISTIE: We are doing our live recording of Episode 74 of The Recompiler podcast. It is 5th of October, 2018. A little after noon, Pacific time. It’s Fall. Fall is here.
AUDREY: Very definitely.
CHRISTIE: There is pumpkin spice in the air and rain.
AUDREY: It was raining when I woke up today.
CHRISTIE: And apparently, rain likes to drive spiders into dry places like my vehicle. I almost didn’t make it on time for the podcast because there was a big hairy spider holding my car hostage and I had to ask a stranger to get it out of my car.
AUDREY: I’m glad that somebody was able to step up and help.
CHRISTIE: It was not fun. I was like, “What do I do? Do I call AAA?” Anyway, it worked out. I’m here. This week, we’re talking about some Chinese spy chips, hardware supply-chain issues, a new set of sophisticated voice phishing schemes we’ve been hearing a lot about, and Facebook’s huge security breach. This one’s a doozy. But first, we got some announcements.
AUDREY: Yeah, we do. We are working on our Community Event Planning book, The Second Edition. And there is still a little time to do a pre-order if you’d like to see the book as it’s being worked on and various chapters as we start getting new content put together. And so, you can go to our pre-order shop and buy that. There’s also some sticker kits available and the pre-order shop is going to close once we start sending those preview chapters out. So, if you are interested in that, you should go ahead and make your purchase.
CHRISTIE: We’ll add that link in the show notes. It’s community-events-2.backerkit.com. And then we also got a survey to go along with this, don’t we?
AUDREY: Yeah, we’re talking to different event organizers to get a breadth of knowledge about how people’s events, like what their focus is, how they work, what they’ve learned from them. And so, we have a survey that we’re asking people to fill out to give us some ideas about what they’re doing. And we’re going to be doing some follow up interviews with that information.
CHRISTIE: So, we’ll have that link in the show notes.
AUDREY: I also have one more announcement.
CHRISTIE: Oh, a 3rd announcement.
AUDREY: Which is that Issue 10 – Science is shipping. I am reserving copies for new subscribers. So, if you haven’t subscribed yet, you can absolutely do that. You can also order individual copies. And there’s some really great stuff in there. I really enjoyed the range of perspectives that we were able to bring to it and the different ways that we were able to get science as a practice and what it means for our work in technology. So you can definitely get in on that. And we also are doing a little bit of a back-order sale right now where if you buy two copies, you can get the third one half off, that’s so that I can clear out space on my shelf, for all of the other issues that we’re doing this year. And there’s a discount code to use: READER18.
CHRISTIE: READER18. Well, that’s a good way to get caught up. It’s a great way to support what we’re doing here both on the podcast and just with everything we do with The Recompiler. Holiday season is about to start. So this could make some great stocking stuffers or White Elephant gifts. Are White Elephant gifts always supposed to be crap?
AUDREY: I think that they’re supposed to be bad things. I mean, if you need one of those, I’ll give you one of the copies that came out torn. We have a couple of discards from the binding process. I’m probably not going to do another reprint of any of the previous issues before the end of the year. So if there were some things that you were thinking about picking up from someone, this is definitely a good time to do it.
CHRISTIE: And shop.recompilermag.com for that.
CHRISTIE: My favorite White Elephant story is, do you remember when Angry Birds first came out and it was super popular? Someone had an Angry Birds plushy in the White Elephant. And I ended up with it. But this is December so we had just gotten Dora, our Dachshund [inaudible]. And I made the mistake of announcing out loud that I was going to give the Angry Birds plushy to my dog. And there was like a collective gasp from the rest of my company. Like, “How dare you!” Because like everyone with kids, they wanted it for their kids. Anyway, I ended up feeling guilty enough, I traded it with someone else. I would argue that Dora would probably have enjoyed it, at least as much as anyone’s child.
AUDREY: But she might not have been able to tell the difference between an Angry Birds doll and a Pokemon.
CHRISTIE: This is true, yes. And we subsequently learned that she is an expert seam ripper. So any toy like that, in about 15 minutes, she will actually have it unstitched. And if you buy her the same toy again, she will do it in a fraction of the time afterwards. She remembers. It’s astonishing.
AUDREY: She’s so efficient.
CHRISTIE: She is very, very efficient. Audrey, I did a lot of reading on this story yesterday and I honestly still haven’t made sense of it. Have you?
AUDREY: Well, I will say I have some feelings about it.
CHRISTIE: This big story came out in Bloomberg BusinessWeek.
AUDREY: It was their cover story.
CHRISTIE: It was their cover story. The print edition may not even be out yet. They’re basically saying that a bunch of companies who purchased Supermicro, I guess mostly, motherboards – or the equivalent of motherboards – potentially have equipment that has a spy chip, a little tiny chip on it that enables exfiltration of network information, network packets. And that some really big companies have been affected by this. Amazon through Elemental was the big one named, but also Apple. They say up to 30 different companies. They weren’t super specific about the details of the hardware or the exfiltration method and all of the sourcing except for the denials but the companies seemed to be anonymous. I read through it again to see if that was true and I don’t think anyone, any other source is mentioned by name.
AUDREY: The only people named are security researchers who have not had access to any of the particulars, the details of anything that would back this up.
CHRISTIE: And they also say that the government is involved in investigating this. I haven’t yet found, I mean this just broke yesterday. Yesterday, I couldn’t find any independent verification. I looked at a number of the sort of security researchers we tend to go to when we’re talking about security stuff or getting information on it and I didn’t see anyone outright refuting it. I saw a lot of people saying this is weird and the way the companies are denying this is weird, like usually you don’t see this outright denial if there’s something going on behind the scenes or if companies have been subject to a gag order. But I also saw people saying that this sort of thing is entirely plausible.
AUDREY: I have to start with something that you know but listeners might not, which is that I worked at Elemental from 2013 to 2015. And I specifically worked on the platform team which was responsible for the operating system and software installer, the application installer, that was on these server appliances that are being talked about. So in some ways, what I was doing was the closest to the level of what they’re talking about that could happen on those motherboards. There’s a lot about this that just seems really sketchy, a lot about the story, and the reporting that seems really sketchy to me. I don’t have insider knowledge, like I have not talked to a current employee about it, not having worked there since 2015. I left a few months before the acquisition, so I can’t say for sure that nobody inside of Elemental is going, “Wow! We really got caught up by this. This is really a big problem.” But I am just really skeptical of everything that they’re claiming. I agree that that kind of supply-chain being compromised is possible and it would be really bad and I can buy into the idea that maybe there is some tiny chip that might do some of the things that they’re talking about. Although one person I asked about that said, “You know, that would be newsworthy on its own if they’d miniaturized things this far.” But just the way that they’re talking about how things were found out doesn’t make sense to me. And it doesn’t make sense to me that the motherboards purchased by Elemental would be targeted.
CHRISTIE: Because that’s like too specific?
AUDREY: No, because one of the selling points of the product and one of the things that made my job challenging, is the boxes are meant to be run without access to the internet. That is actually how they are sold. That is the reason that it was very complicated to produce a custom Linux installation for them. So I mean, I thought maybe they were overstating some of the [inaudible] connections of the product anyhow but I wouldn’t necessarily know every sales contract. I just think that it wouldn’t really…like if there were 30 places being targeted, Elemental just doesn’t make sense. If you wanted to exfiltrate TV shows, then you might have a shot at that. But the idea that you’d be getting drone footage out of this just seemed really unlikely. I don’t know. There was just something about how they were leading with this as the evidence that didn’t make sense. Obviously, Amazon disputes that anything like this was found in their security review before the acquisition. I don’t know. I read through it, I was kind of strongly feeling like what if this happened, this would be really terrible but it doesn’t make sense to me.
CHRISTIE: One thing that stuck out to me and I can’t find the exact quote now but there is this kind of…it was kind of just sort of an off-hand aside where they said like this kind of intercepting equipment or whatever and adulterating it, that’s something the US government has been known to do. Did you catch that?
AUDREY: There was just a lot that’s not backed up here. I think the [inaudible] feels really fictional to me, the way that the article is framed around the idea that there are these server appliances that have been compromised in this way. I can’t speak to the discovery of it. Everything I know about the product says that would be a fairly pointless thing to do.
CHRISTIE: I think Bloomberg is known to be reasonably reputable.
AUDREY: I think so.
CHRISTIE: And I actually don’t know these two reporters, Jordan Robertson and Michael Riley. What do you think is going on here?
AUDREY: I think somebody in US intelligence sold them a story. I think somebody in our intelligence department sold them a story. I mean, not in the financial sense but like they pitched them something fraudulent.
CHRISTIE: Do you think that they also have sources from within companies?
AUDREY: They claim that they’ve got three senior Apple employees that were talking about this. That’s something that they repeat a couple of times in the story. I can’t imagine. I don’t know. If that was happening at Apple, they’d be fired really fast. Those kinds of anonymous leaks, they’re sanctioned. They’re either sanctioned or they’re firing offenses. I just remember reading a bunch of stuff awhile ago about how every anonymous government supposed leak that the New York Times was running was in some way sanctioned, was in some way a deliberate release of information. And without engineering confirmation, could this be implemented on a chip that small in the way that they’re talking about and without independent confirmation like a breakdown of the hardware. I just can’t find this believable. I could be wrong. Maybe if I was currently at Elemental, I’d hear everybody scrambling to figure out what they’re going to do here. But like I said, it just doesn’t make sense to me.
CHRISTIE: I think what I would want, I would want independent confirmation in the form of a security researcher that I trusted or had some prior knowledge and sort of had a good reputation, have physical access to the hardware and was able to inspect it and try to reverse engineer how a thing is working.
AUDREY: Sure, yeah. You would need at least somebody sitting down with one of these motherboards finding the chip for themselves and analyzing it. And there wasn’t even confirmation that they’d done that. The rebuttals that were coming from the companies made it sound like the story was at least a few months in progress. So, there potentially would be time to get your hands on the compromised hardware to have somebody analyze it.
CHRISTIE: It felt a lot of like, “Oh, we have some sort of dirty laundry or things that aren’t very favorable that we want to talk about with these companies.” Like there’s a lot of smoke to this article.
AUDREY: And if you were going to invent something, a company that’s been acquired by Amazon where you can say, “Oh, it happened before the acquisition,” there’s a lot of people who aren’t going to be able to say anything about it. The acquisition changes the communication process quite a bit.
CHRISTIE: And one of the founders has passed away even. So, there’s been turnover.
AUDREY: And that was a thing I thought about too that Sam, the founding CEO of Elemental, really valued corporate ethics in this way that I think is unusual at startups, like the idea that the company would always behave in an ethical manner was…I didn’t always agree with him about how we were doing that, but that was something that he valued really highly. And so, just the idea that any kind of shadiness would be happening in the background, it would go against character.
CHRISTIE: I was like, “Okay, I want to see what people are saying about this.” I looked at Bruce Schneier’s blog and I sort of appreciated this point of view. He didn’t really weigh in one way or the other about the veracity of the article. “Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over. We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”
AUDREY: And there’s a lot of financial incentives to…okay, there’s a lot of reasons that compromising the supply-chain could benefit somebody. But there are also so many parties that would be harmed by that. Anybody involved in another part of the supply-chain would not want to see that happen. And certainly China doesn’t want to develop a reputation for being a bad place to have motherboards manufactured.
AUDREY: I mean, that on its own could be devastating. I think it was one of the links that you grabbed, the Motherboard article, maybe had a quote from somebody who said one of two things is possible – either this hack exists and this is happening in the way that they say or somebody really wants us to think it is. Like I said, I went through, I read everything that I could find. I talked to a couple of my former co-workers and my feeling is just that somebody really wants us to think that this is the case. There are plenty of pieces of it that are possible but the fact that the article leads in with something that just doesn’t make sense to start off, something that is being refuted pretty strongly that this thing was discovered because Amazon found it in the acquisition security evaluation. If that’s wrong, then what else is wrong?
CHRISTIE: And there could be intersecting ulterior motives, too. I mean, if you wanted to make a bunch of money shorting Supermicro stock, this would be one way to do it.
AUDREY: Sure. And the companies had problems.
CHRISTIE: Yeah. I think their stock was down like 20% yesterday. It’s so weird because there’s like this sort of detailed infographic but it’s not actually…it’s just sort of telling you how something like this could happen, not specifically how it did happen in this case.
CHRISTIE: Like there’s levels of specificity but not where I want them, if that makes any sense.
AUDREY: Like you were saying about the level of specificity, the details aren’t there in the places that we want them to be and the things that people can say for certain don’t necessarily all stitch together into these particular claims. This morning, I was thinking about it and I thought about that sort of Twitter joke – “huge if true.” That’s what we’re seeing here. If this were happening, it would be really bad. It would have some very bad implications. It would be destructive to our current manufacturing processes. It would very negatively affect certain companies. But that’s if it’s true. If it’s not true, then again, somebody really wants us to think it is.
CHRISTIE: And with the sort of political stuff that’s going on between the Trump administration and China…
AUDREY: There’s a really obvious motive here.
CHRISTIE: Yeah. We’ll just have to sort of keep our ear to the ground and see what comes of this.
AUDREY: Yes. And hey, maybe we’ll be the first tech podcast to say, “Oh, I don’t know about this.”
CHRISTIE: Voice phishing or vishing.
AUDREY: You actually see that somewhere?
CHRISTIE: Yes. I did not make it up. It is in the Krebs on Security article.
CHRISTIE: I cannot take credit for that portmanteau. What’s the vishing article? Audrey, you’ve been a target of this.
AUDREY: Yeah. Actually, I was really looking forward to seeing this write up because Matt Haughey, who’s quoted in the article, and I were hit by the same scammers sometime in about the same week. And he kind of got all the way through the conversation, gave over information that allowed his bank account to be compromised. I got to a certain point and I thought I am going to look. I’d be so embarrassed on the podcast if I keep answering questions and it turns out this was a scam. Actually, I did fall for it.
CHRISTIE: That was going on in your mind as you were…
AUDREY: I was like, “If I don’t take my own advice, I lose all credibility.” But I didn’t really think I was being scammed. What I thought was happening was that because my credit union uses a card services company to administer things, I thought that the card services company needed to work on their training process or something. What they were doing was goofy but I thought it was like somebody going off-script or something with the card services company fraud department where they just needed to work on what they were doing and not, “Oh, there’s a scammer,” and they are trying to get my info. I thought it was really clever. It was really sophisticated. The other thing that kind of primed me to accept what they were doing is that I’ve had a Bank of America account for a long time and their actual fraud department often did things that seemed kind of scammy, and I started verifying what was going on a little bit differently as a result. The thing of calling three times in a row so that you pick up on the third one because if it’s three times, it must be urgent. And using a phone number associated with your bank.
CHRISTIE: Faking it.
AUDREY: Yeah. Although in my case, it turned out that I would do a quick web search, what is this phone number. It was something associated with my bank. It was not a number that they ever would have called out from. And it did not show up on my phone, like I’ve got their main phone number saved on my phone, on my contacts. It didn’t show up as my credit union when they called. It was only when I checked the number when I was calling back to see if the number I had saved was the same number that had called me that I noticed that. They just have like a really smooth deal and so I hope that people hearing the details of it will help a little bit because I think it’s probably been a very effective scam.
CHRISTIE: I still can’t find it but about a couple of weeks before this happened to you and to Matt, I saw someone talk about it on Twitter, and it was a very similar thing. And I think in this case, they had used recordings from the actual bank phone tree, in addition to a live person. There’s like different combinations of the scam but it involves just really looking like it’s coming from the bank. So, faking the caller ID, using recordings or scripts from the bank that you’re used to, having a bunch of your personal information all ready which to me is actually part of the thing that’s really disconcerting. We’re getting to a point where we just have to accept that basically all of our information is out there and being brokered and sold.
AUDREY: Right. And all of the ways that you might inherently assess trust are broken by that. This person was able to tell me my name, my home address, the last four digits of my card, a lot of pieces of information that off-hand you would think, “Well, if you have that, then you’re probably looking at my actual account.”
CHRISTIE: And some of the things I’ve also seen is that we’re more vulnerable to these things when we’re in the middle of other stuff, when we’re harried or when we’re stressed. In Matt Haughey’s case, he was about to travel and he was going to need his ATM card, so he’s like trying to expedite the process of getting a replacement or something like that.
AUDREY: And I had just sat down to start working. I don’t usually answer the phone when it’s a number I don’t recognize. But on that third callback, I started to think that maybe it was urgent. And also when I saw the calls, I thought, “Oh, it’s the fraud department.” Like there was just something about it that immediately made it seem that way. I think it was that it was an 800 number calling in repeatedly like that. And what I thought was, “Well, I could wait and have them leave a message and call the bank or I could just get it out of the way so I can do whatever else I have to do today.” Here, I thought I was being like a grownup for a minute there. I think it’s worth saying the point where I bailed on the call and I didn’t give them like my PIN or the back of the card number or anything like that. But the point where I bailed, they asked for my security question answers, and that was the point that I thought, “I’m going to be really embarrassed if I answer these.” And it turns out that there is a scam, even though I don’t think there is right now. I didn’t actually think I was being scammed until I called my credit union and talked to them for a few minutes.
CHRISTIE: Wow! So you think in your case, they were trying to get access to your online banking?
AUDREY: I think what they were trying to do was get the information that they would need to have the card reissued. So to call the bank, change the mailing address, basically say, “Hey, my card’s been stolen,” and get it canceled and reissued. I think that that’s the kind of information that they were after.
CHRISTIE: Man! I really hate scammers! There’s another scam I recently learned about where they target different kinds of care practitioners, therapists, yoga, pilates instructors, things like that, where they call and they pretend like they’re coming in from out of town and want to set up a special workshop or session. And then when they send in the advance payment or the deposit, they send a cashier’s check that is for way too much and then they ask you to send the difference. And this one I looked it up and this one’s kind of not new or anything.
AUDREY: It’s a variant of like an old eBay scam.
CHRISTIE: Yeah. Where you pay for things you purchased on eBay and you’d overpay. But it just pisses me off because most of the time, they’re going after individuals who don’t have a lot of threshold, that are really going to be hurt by this. It’s not like skimming a few bucks off something that a giant corporation is doing.
AUDREY: Right. This can affect people pretty directly. I mean, they can clear out your checking account.
CHRISTIE: I actually try not to constantly bombard my family with all the latest security stuff just because I don’t know, I can barely stand it. But this was one where I’m like…we sort of have a group SMS and I was like, “Hey, heads up. This is a thing that’s happening, so be on the lookout for it.”
AUDREY: I think I spent like half a day just making sure that there wasn’t anything actually wrong. And I got some tips from my bank about things that they would or wouldn’t say that would make it a little bit easier to spot this kind of thing in the future.
CHRISTIE: That’s good. Can you share some of those?
AUDREY: Yeah. I will say there were a couple of warning signs toward the end of the call that are worth calling out. One of them was that at a certain point, I could hear somebody else in the room speaking clearly on another very similar call. I’m still thinking like, “Hey credit services folks, you need to work on this because you shouldn’t be letting that happen.” But in retrospect, I’m like, “You knew they didn’t have very good soundproofing set up because they were just running this out of a closet.”
AUDREY: And what else? When I was about to hang up, the person I was talking to said that she could tell me my social security number. Like if I didn’t want to give her my security answers, she could tell me mine. And I was just like, “No. Why would you do that? No, don’t do that.” And she also wrapped up the call by saying that for best security online-making purchases, I should use PayPal which struck me as a really, really weird thing to say.
CHRISTIE: That is weird. I wonder where that was going.
AUDREY: It’s the kind of ad hoc like it was sort of trying to convince me still that this wasn’t scammy. The credit union said that they would tell me like a date and an amount, that they probably wouldn’t tell me the name of a charge. And I mean, that might vary a little bit. But they certainly wouldn’t tell me what was purchased. One of the things that I think they were using to try to overwhelm you with like, “Wow! No, not that,” was a certain level of specificity about the fraudulent charges. And my credit union said that they wouldn’t do that. They would just basically say, “Look at your receipts and your statement. Do you recognize a purchase on this date of this amount?”
CHRISTIE: All right. Those are all good tips.
AUDREY: But the biggest tip here is if you get a call from your bank, you should say, “Hey, thanks.” And then hang up. Call them back from a number that’s on the back of your card or from the website that you know is actually your bank web site or something reliable like that.
AUDREY: I’m just glad that the word’s getting out about this one.
CHRISTIE: Yeah, me too. Because when it happened to you, I think I was like, “Oh, I’ve heard of this.” It is definitely a thing that’s been kind of…there’s a wave of it that started this Summer.
AUDREY: Yeah, there were a few of us who all got hit in the same week. They did a really good job of just…there’s so many scams that are just really obvious or like spam and lot of robocalls. It’s really obvious what’s going on there. I haven’t encountered a whole lot where it was difficult to tell.
CHRISTIE: Okay. Well, in other awesome security news…
AUDREY: It’s just security week over here.
CHRISTIE: It really is. Yeah. And we haven’t recorded in a while, so we’ve got like…I don’t know. So, Facebook. Oh my God, this one’s bad. Millions, I think the original thing’s at 50 million but I’ve heard like up to 90 million.
AUDREY: And how many people use Facebook?
CHRISTIE: 2.2 billion, I think.
AUDREY: Oh, wow! I was just thinking like what percentage of the user base is that?
CHRISTIE: If you look at 2.2 billion…wait, I don’t know how to do math. What is that? How do I do it? 50 divided by 220 or 2000? How does this work?
AUDREY: It’s a little hard for me to follow.
CHRISTIE: I think it would be less than 1%, I think. I will have to do math when we’re not on the air and correct myself in the show notes if I’m wrong. Anyway, I think a lot of people have heard of this by now. But basically, once you have authenticated with Facebook [inaudible] services you have an authentication token that allows you to basically stay logged in across browser sessions and maybe even across devices, there was a vulnerability in Facebook code. And it sounds like in a couple of different spots which was a little confusing. They weren’t super specific, that allowed someone to have access to all those tokens and then basically be you logged in. And not just you logged in on Facebook but you logged in anywhere that supported Facebook log in.
AUDREY: Which is a lot of sites.
CHRISTIE: Yeah. I do not use Facebook log in on anything. I barely use Facebook. I haven’t logged in in six months. And I don’t use Facebook log in for anything, even if it’s the only thing you’re logging in. I’m just like, “No, I’m not going to use that thing.” But someone could still, if they had my tokens, they could still log in as me in those things which is awful.
AUDREY: I think some of the other details that you looked up when we were talking about it before, because of the way these single sign-on systems work even if you hadn’t created an account on a site before using your Facebook log in, somebody who had access to your tokens could still do that. And then if you did later create an account, you’d basically be merging with something they’d already set up.
CHRISTIE: Yep, which I think is an issue in and of itself. When this came up, these researchers who had presented a paper just in August, USENIX, called ‘O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web’ kind of go into what the ramifications are of single sign-on and if someone is able to hijack those sessions. I haven’t read through this paper yet but we’ll link to it on our show notes, for those who like. There’s a graphic in here. It’s Figure 6: Effect of cascading account compromise in the top 100K websites. It’ll take me a little more time to process this but you can just see visually this is a big deal. And I realize that…Krebs on Security just gateway timed out on me because I wanted to bring up that article again because it’s got the 90 million figure in it. They also really didn’t give a lot of information. And part of this is, Audrey, I don’t know if you’d thought about this already, but GDPR is now in effect. And so, part of the reason Facebook probably actually reported on this so quickly is because they were legally obligated to because of GDPR.
AUDREY: Yeah, I saw some commentary on Bruce Schneier’s blog, I think, about that and whether that was going to turn out to be helpful or detrimental in terms of actually investigating security breaches. That if they have to report it before they finally have the details that among other things they’re going to be encouraged to give the largest possible number of people affected.
CHRISTIE: Oh yeah, you’re referring to the effects of GDPR’s 72-hour notification rule.
AUDREY: Yeah, I just glanced at it.
CHRISTIE: Yeah. It sounds like Alex Stamos, the former security officer at Facebook, was sort of pointing out that companies end up announcing breaches before the investigations are complete. He says 1) Announce and cop to max possible impacted users; 2) Everybody is confused on actual impact, lots of rumors; 3) A month later truth is included in official filing. He says, “It’s a perennial problem. We can get information quickly or we can get accurate information. It’s hard to get both at the same time.”
AUDREY: This is a huge breach but because like you were saying a little bit ago, there are so many data breaches to the point that we all might start to feel like there is no secure information. Because of that, it just…I don’t know what that speedy announcement is actually getting us. Is it going to change your behavior? Is it going to allow us to be more secure? The only thing Facebook could tell people was that they had revoked all the tokens.
CHRISTIE: Yes. So people had to re-login basically.
AUDREY: But that was it. That was the extent of what any individual could do is just log back in.
CHRISTIE: And it’s hard, 72 hours is just such a short amount of time. I’d be curious what the reasoning was behind that in a roll. I’m torn because part of me is like, “If my information is out there, I have a right to know.” But also, the information has been out there. This vulnerability has been going on for more than a year.
AUDREY: Right. I don’t want them to be able to sit on it for a year.
AUDREY: I just wonder if any time in the next three months is going to be as appropriate as 72 hours.
CHRISTIE: Or seven days or 14 days. There’s a lot more you can do in 14 days than 72 hours, especially if that 72 hours is a long weekend where people are out of town or whatever.
AUDREY: I think one of the open questions that security researchers are having is how do we act as individuals? How do we act when our personal data could be compromised in so many different ways? What does that mean for us? Is it that we just have to accept that this is how things are? Is it that there are regulatory approaches that we should be petitioning our Congress people to take on? I just think that we don’t have a clear path for what actually happens next.
CHRISTIE: There’s sort of two related things that I wanted to mention in New Yorker from last month. There’s a big profile on sort of Facebook/Mark Zuckerberg. It’s really coming from the angle of Facebook as Mark Zuckerberg and to really understand that the decisions Facebook has made and continues to make, you have to understand Zuckerberg. And the writer of that was on Fresh Air yesterday. Depending upon how you…I think the article is really informational. If you like reading, you can check it out, the New Yorker. Or if you like radio or podcast, check out that episode of Fresh Air. I’m forgetting the name of the writer at the moment but it’ll be show notes. Audrey, I think you and I have talked around this but not specifically. I think you and I already kind of knew that Facebook as Mark Zuckerberg was kind of a one to one there.
AUDREY: The fact that he retains the kind of ownership stake that he does.
CHRISTIE: But specifically, he developed this mindset early on that if people were mad at Facebook, that meant they were doing the right thing. If they had vocal critical opponents, that meant they were innovating in the way they should be.
AUDREY: [Crosstalk] the original news feed as the origin of that?
CHRISTIE: No, just cites. It doesn’t cite specific things about Facebook, just that that is sort of a founding or a really strong guiding principle of Zuckerberg and that the idea is reinforced by their success. And they talk a little bit about one of the metrics they use, is they call it like six over seven something and it’s basically the number of people that have logged in six out of the last seven days. And that’s one of their key metrics. And that early on or rather quickly, they exhausted changes or features to add to the platform that were sort of about positive engagement. And then it became much more about sort of more draining negative engagement.
AUDREY: A little bit like we keep talking about with YouTube.
AUDREY: I wonder if it’s kind of worth going back to Kate Losse’s writing too on this about early Facebook and some of those kinds of cultural decisions.
CHRISTIE: Yeah. I’m not sure I know where people will find that.
AUDREY: She had a book which the name is kind of escaping me right now. But I’ll give it to you for the show notes. It’s basically about early Facebook and the sort of mentality and some of the lack of responsibility that was reflected in their early behavior, as somebody who worked there early on.
CHRISTIE: I haven’t finished reading the article but I listened to the Fresh Air episode and I find myself getting really frustrated because it’s like Mark Zuckerberg, how many goddamn times do you have to experience this where we’re like, “Hey Facebook, you’re having this effect,” and they go, “Oh, no. It couldn’t be.” And then they have to backpedal. It’s like dozens of times, I feel like it is. Russian interference and disinformation to Facebook. Remember? I think we talked about this. And then it reminded me again that they sent Facebook employees to the Trump campaign to teach them how to use Facebook better.
AUDREY: There’s like a neat audacity to this kind of thing.
CHRISTIE: To me like a shirking immoral duty, an abdication of that. Basically, I pretty much hate everything Facebook stands for. I guess it’s not surprising to anyone listening.
CHRISTIE: One quick follow up I wanted to mention. We talked about that FIN7 hacking group a couple of episodes ago that compromised a bunch of retail and sort of restaurant consumer-focused point-of-sale systems. And we just got word that Burgerville, which is a local burger chain, was part of that and actually didn’t know it until they were notified by the FBI. And then for some reason, still had the malware on the systems like a month later. So if you’re local to the Portland area, they’re up in Washington and they’re kind of around. Anytime in the last year you used your debit or credit card, then your information is out there. I think I may just start using cash for a lot of these things.
AUDREY: It’s not a bad option. I mean, assuming that you don’t take your cash out of an ATM with a skimmer attached.
CHRISTIE: A lot of people use the envelope budgeting system where you take out cash and put in an envelope for different categories. I don’t want to carry large amounts of cash for everything but I think for the occasional fast food order pickup…because you could also…if you didn’t want to always have to carry cash, you could buy $100 or a $50 or whatever Burgerville gift card. All these places have gift cards, and that gives you some level of protection too.
AUDREY: And budgeting. I wonder if I can get all my cards issued with shorter expiration dates? That would be kind of an interesting approach. This would be a pain for recurring billing but at the same time, a card couldn’t be indefinitely compromised.
CHRISTIE: I also thought about and you have to be really careful about the fees, like a prepaid Visa gift card. If you can find one that was reloadable and didn’t have absurd fees, that might be another way to spend retail point-of-sale without that worry of…
AUDREY: And limit your vulnerability.
AUDREY: I think there are some different ways to get those, through not your bank but Costco maybe, some ways to get lower fee options.
CHRISTIE: Yeah, I think they’re out there. It’s just a matter of a lot of them can be really scammy. And I have to do some work to look for a good one.
AUDREY: For sure.
CHRISTIE: Did you put this thing in from Wired about the FIN7?
AUDREY: I did because I wanted to pull up the background again.
CHRISTIE: Okay. We’ll put that in the show notes and I’ll dig up the episode we talked about that which may or may not be one I’ve edited and posted yet. We’ll link to that as well.
AUDREY: We could have a little time travel whip happening here where we reference things that have happened in the past but also in the future.
CHRISTIE: I think we’re to things we like on the internet this week.
AUDREY: Awesome because I have one.
CHRISTIE: I haven’t opened this yet and I don’t have one.
AUDREY: I took a little bit of downtime this week and just kind of left it open to do whatever. What I ended up doing was a little bit of music production stuff and learning some different tools. But at one point, I asked a couple of people like how do I learn more about certain kinds of things? And they said, “Oh well, go on YouTube. There’s these kinds of videos.” So in the course of that, I discovered this really great MIDI example of making decorative MIDI. And it’s a unicorn.
CHRISTIE: I don’t want to turn on the audio because it will drown you out. I can see that there are several, it looks like there are several different tracks or something?
AUDREY: It’s the notes.
AUDREY: MIDI sketches, what do you call them? Like when you’re looking at it, it’s a little bit like a player piano roll.
AUDREY: So basically, the views that you can see for it, they look like a little player piano roll type things where there’s a block everywhere that there’s a note.
AUDREY: So you’re seeing the Y axis is the notes on the keyboard and the X axis is time. And what this person has done is to put those dots where the notes are in the shape of a pattern and also turn it into something that plays and sounds good. The video actually gets into the details of that a little bit. How if you just draw something, it’s going to sound kind of weird and chaotic. So to get something that’s both musical and visually artistic, it’s a little bit of a challenge.
CHRISTIE: Okay, I’m just going to play a bit of it. You won’t be able to hear it but I’ll try to cut it into the podcast later. Oh, wow! This is like a baseline and everything. That’s pretty cool. Are you making MIDI music now, Audrey?
AUDREY: A little bit, yeah. I have a SoundCloud.
CHRISTIE: Oh! I use this one. Someone did a Lidar. Did you see this? A Lidar imaging/mapping of…and I don’t know what the source for this is because this is just the graphic. It’s on Oregon Live. But a Lidar imaging of the Willamette River. Let me send you this link so you can see it.
AUDREY: Ooh, that’s pretty.
CHRISTIE: I don’t know anything about the background of this. I’ll have to track that down. I just thought that was a really cool visualization.
AUDREY: Yeah, you can see all of the different river channels and the depth at different places, the texture of the riverbed it looks like.
CHRISTIE: And I think it must be like over time. This is old, but that’s okay. Willamette River presents stunning lidar image on poster from Department of Geology. It’s from 2013. Do you know that Lidar now has an acronym but it actually originated as a portmanteau of light and radar?
AUDREY: I think I did know that.
CHRISTIE: I thought that was interesting.
AUDREY: Backronym is not what you call it?
CHRISTIE: When you come up with an acronym after the fact?
AUDREY: Or you fill it in, yeah.
CHRISTIE: Yeah, I think that is called a back….how do you say it?
CHRISTIE: Backronym. Okay, I think that’s our show. Thanks, Audrey. Thanks everyone for tuning in. Happy Fall. Enjoy some pumpkin spice, whatever. We’ll talk to you all again soon.
CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to firstname.lastname@example.org or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.