Katherine (12s): Hey everyone. Welcome back to Reality 2.0. I am Katherine Druckman. Joining me as always is Doc Searls, and we have our two favorite guests back again this week: Petros Koutoupis, who you know, and Kyle Rankin, who you also know. Before we get started, I wanted to remember to remind everyone to please go to our website at reality2cast.com, that is the number two, and sign up for our newsletter so we can stay in touch. I keep them short, and we just sort of update everyone on what we're thinking about that week, and that's it. But today we are talking about a couple of big things, and the first is SolarWinds, because we can't not talk about SolarWinds.
Katherine (53s): It's a huge, huge thing. The short version is some hackers have been in various government agencies all over the country for at least nine months that we know of. They piggybacked on a software update and it's really, really bad. So we'll go into that. And then later we have a little low-key outrage. We can talk a little bit about Facebook targeting Apple and Apple's privacy initiatives, and sort of hiding behind small businesses to do so. So let's get into it. I'm kind of hoping that Kyle can give us a little bit more of a deep dive on the significance, and also just the method of attack, with this SolarWinds thing.
Doc (1m 36s): That'd be perfect. Kyle starts. I just want to point out that it's interesting that you call this a SolarWinds thing, because a major hack has been named after the company that made it possible, which has to be one of the greatest branding fails of all time. But anyway, that's all I can contribute to that at this point, because there's much more to say, or much better.
Kyle: So, well, we'll start by just saying that it's not an exaggeration to say that this is the biggest security story of the year, maybe the decade, just in terms of scope of attack, degree of compromise.
Kyle (2m 23s): I mean, bigger than the Office of Personnel Management hack from a number of years ago, in terms of the same sort of things: scope, and just the degree of potential problems with this. Because, as I think you mentioned when you first were introducing this, we have reason to believe that some of these agencies who were compromised were compromised since March, which is an incredibly long time to be floating around a system undetected, capturing information. And so, among other things, I think it's useful to think of this in terms of espionage. There's a lot of words being thrown around in terms of attacks and that sort of thing.
Kyle (3m 5s): I think it's because, to our knowledge so far, there wasn't any damage done in terms of, like, there was no ransomware, there's no one deleting files, doing anything like that. It's just capturing information. It's just that gigantic espionage campaign capturing who knows how much data. But yeah, so again, this is still pretty early days. By the time this airs, there's probably going to be a lot more information out there on it. What everyone seems to know so far is that there were at least two different entry points.
Kyle (3m 45s): So SolarWinds, apparently as of yesterday, was only considered one of the possible entry points, and that entry point happened because there's a piece of software called Orion that SolarWinds has created that a lot of, I mean, like 18,000 companies use. And it's also important to note where SolarWinds sits in a network. They're a huge vendor in the enterprise for managing networking equipment.
I mean, they're just used all over the place for that. And if you think about what kind of access your network management software would have, you know, that's that kind of software.
Kyle (4m 32s): Typically, if you're going to use firewalls to grant access to a system, the system used to manage all of your networking equipment is probably going to have unfettered access to the network. So from what we understand, the attackers were able to compromise SolarWinds' systems themselves and use that to inject the binary. Apparently, as of today, it doesn't look like they modified the source code; instead, they compromised the binary that was then shipped as an update to everyone that uses SolarWinds. And that binary contained a backdoor, but it was signed with legitimate SolarWinds signing keys.
Kyle (5m 17s): So for everyone applying the updates, using the normal systems that are in place to check that the software's legit, everything looked legitimate because it was officially signed. A lot of organizations installed that update, and at that point there was a backdoor that allowed the attackers to get into the system. Right now, there hasn't been official attribution. A lot of people are pointing toward Russian state actors as being behind this, but that's not official yet, just a lot of speculation. But in any case, right now at least some of the organizations that seem to have been hacked include the Department of Treasury, Commerce, the Department of Energy, in particular the section of the Department of Energy that maintains nuclear preparedness.
Kyle (6m 12s): And the Department of Homeland Security.
And apparently there's also a number of private companies. Microsoft has gone on record saying that there's a number of private companies that appear to have also been backdoored, but there hasn't been an official list, and typically, unless they're in California or somewhere else that requires them to do so, a lot of companies aren't required to disclose that they've been attacked. Oh, also the city of Austin.
Katherine (6m 42s): Yeah, I read that one. Yeah.
Kyle (6m 47s): And what was interesting about it is that the attackers seemed to use some of the infrastructure they compromised in the US as their command and control. Because, for example, say you're a Russian hacker and you hack somebody, and then they see there's all this traffic going to Moscow, you might raise an eyebrow. So what happened instead is apparently the Austin infrastructure that was compromised was used as a launching-off point, because it looked less suspicious for the attackers.
Katherine (7m 21s): I mean, yeah.
Kyle (7m 24s): Every day or two this week, it seems like there's a couple more companies or organizations that have been compromised. Now there are certain tools and signatures in place that people can use to check whether they have been attacked. But as I mentioned before, the SolarWinds binary is only one of, apparently, two footholds that the attackers were able to use, and it hasn't been disclosed yet what that second one is. And the other thing is that that compromise just allowed them to get their foot in the door.
From that point, they apparently were able to take advantage of a lot of other vulnerabilities to both hide their tracks and extend their access, including getting, in some cases, complete access to any authentication credential they wanted, any SAML credential they wanted, which would then allow them to impersonate any user on the network in some cases.
Kyle (8m 25s): And if you read the mitigation recommendations that the US government has put out for this, in many cases it boils down to: you must recreate everything from scratch.
Katherine (8m 38s): Yeah, yeah. Blow it up, rebuild. Because at that point, what could you do, really? Unbelievable. It's very well thought out, frighteningly. Exactly. It sucks when the criminals are smarter than, you know...
Doc (8m 58s): Does this have to be a state actor? It's interesting to see. It must be the Russians; I kind of doubt that, or don't have much that says it would be those, but it might just be some other troublemakers, some criminals, whatever, somebody looking for leverage or for secrets or whatever.
Kyle (9m 20s): I mean, that's the problem with attribution: it's very difficult to a hundred percent pinpoint who's responsible for an attack like this. Some of the people who are experts in this field, who are considered knowledgeable in that, and who are able to do attribution relatively well and have a good track record of it, seem to think so due to some of the methods employed. And some of it's circumstantial. Like, for example, there were a lot of European, US, North American states involved, but there were no Russian companies or anyone in Russia, or a couple of other places, that seem to have been affected by this.
Kyle (10m 10s): So some of that's circumstantial. I don't think all of the evidence that would lead to the attribution has been published, so we don't really know. But yeah, to your point, I suppose it might be possible. But I'm expecting that, just due to the fact that there's a certain level of sophistication that state actors tend to have that just a really skilled hacker on the side often doesn't have, in terms of coordination, planning, the ability to hide in these networks for a long time, and overall good operational security, that sort of thing.
Doc (10m 50s): And I was thinking, what if I were one of the experts, maybe even somebody from Russia or China or some other place that has that kind of sophistication, but I'm on the market as a skilled person or team? I could sub out to anybody. I could work for anybody. It just strikes me that, as you just pretty much explained, there could be lots and lots of characters, maybe not with sufficient expertise, but maybe they have enough expertise that you could throw shade on somebody else, just to throw it off the track. The Russians are typically the ones behind this kind of thing, but somebody else could be behind it and using Russian behaviors as a smokescreen.
Kyle (11m 42s): Well, and the other thing to keep in mind, especially when we start hearing attribution from intelligence agencies in the US, is that a lot of times they're reluctant to dive into why they know what they know, just because it might reveal sources and methods and that sort of thing. Right. So in some cases it might be that, just because of how thoroughly we've compromised other things, we're able to see activity that we can't then talk about.
I'm not sure.
Doc (12m 12s): I wonder what hope there is now for SolarWinds. We just find them and look at their website, and it's like nothing happened. It was like, we're not saying anything. But maybe I missed it.
Kyle (12m 28s): I mean, what's interesting is that this all sort of seemed to start with FireEye last week, which announced that it had been hacked. But their response, because they were so transparent about what had happened, and explained things so thoroughly, and were open to the security community about what they knew, and then went further to try to analyze the attack that they suffered, I mean, that's what ultimately led to everyone else discovering this. And so, even though they're a security company that got hacked, most people, even a day or so later after that was announced, tend to give them a lot of benefit of the doubt, just because of how responsible their response was.
Kyle (13m 18s): Yeah.
Doc (13m 19s): I should say, by the way, I think I just misspoke, because I'm looking at their site now. It's SolarWinds, plural, and they have a security advisory. And they start out with one of those annoying things where the front page animates through a bunch of sales messages, basically. But the first one is a message from their CEO, I suppose, but it's a video, so I'm not looking at it.
Kyle (13m 42s): Yeah, they have a challenge, because they're one of those long-standing enterprise companies that have more recently pivoted over to security, just because of where they sit in the network. But for the longest time, it was just a traditional network enterprise software company.
So if you've managed a lot of routers and switches in your data center, you would potentially buy their software to help you manage everything. But these days, because so much of security is around capturing network traffic, analyzing network traffic, and trying to detect attacks like this, software like this has now started pivoting more towards security also. That's a more lucrative market these days. How big is the company, do we know?
Kyle (14m 30s): I'm not sure. Pretty big, huge. Although, because of this pivot, my understanding is they didn't have an incredibly large security side of their company. They apparently have a job opening for a VP of security right now, and I don't believe that's because the old one quit. I think it's because they didn't necessarily invest in that side of the house. I mean, that's true for a lot of enterprise companies that have pivoted over to security, or pivoted their products over to security: they don't necessarily reflect that change in their staffing by hiring top-notch security people to have the CEO's ear.
Doc (15m 15s): Well, their stock has crashed, I see here. They're traded on the stock exchange. Their valuation is 4.6 billion. They raised 375 million in an IPO. Their IPO date was October 2018, so about two years ago. And their stock was generally going up since March. They had a big drop in March, and I don't know why, but it may have just been COVID in general. And then it reached a high of, I don't know what it was, I can't tell, but it was well over 20, and they're below 15.
Doc (15m 56s): So there they are.
Kyle (15m 56s): Yeah. Big sell-off by some of their major shareholders or executives a few days before the announcement of this breach, which is quite interesting timing.
Doc (16m 6s): Oh boy. Yeah.
$14.19 is current, down 19.43%, but they're probably a good buy right now. That's what I was thinking. If I were the kind of person to trade in this kind of stuff, I think it's the old "sell on trumpets, buy on cannons." When things look like hell and the company is basically viable, it's probably a good time to buy.
Kyle (16m 36s): I mean, yeah. You saw a similar thing with Target a number of years back, when Target had that massive hack, right? They discovered the value of having someone at a C-level position, an executive that was responsible for security, because they didn't have one. And as a result of how bad that hack was, the CEO had to step down. And I think that sends a signal to everyone else in large companies that if you don't have someone that you can feed to the wolves when you're hacked, you need to hire some sort of C-level or VP-level executive to take that...
Doc (17m 12s): Bullet. To stand on the trap door. You stand on a trap door, that's your job: chief blame-sink officer.
Kyle (17m 25s): No, but the scale on this one, it's pretty terrifying.
Doc (17m 30s): The consequences of it. I mean, what are the consequences? Is somebody going to set off a nuke in Canada just for the heck of it, for fun, because they got into something? You kind of wonder.
Kyle (17m 44s): The real consequences are, one...
Doc (17m 47s): That there's untold amounts of information...
Kyle (17m 50s): On these networks. Apparently classified networks were unaffected, to my understanding, but these unclassified networks that were shared around, you can assume, are compromised. The other consequence is all of these departments now have to go through and rebuild everything from scratch, which is the big nightmare.
I mean, any of these departments, and any company that had this kind of deep-level access, the only way to make sure that it's gone is to nuke it from orbit, which is always okay.
Katherine (18m 23s): And having been in that position, I don't wish that on anyone. On a much smaller and recoverable scale, but I had to do that once. I had to rebuild two of our, like, one external microsite back in the day. Am I even allowed to talk about that? Yeah, who cares.
Kyle (18m 41s): That's fine. I mean, it's not an unusual thing either.
Katherine (18m 45s): I gave up. I was like, I can't. I didn't do the update in time, in retrospect, and I just decided that it was easier to completely rebuild. They were very small, it wasn't a huge thing, but it was probably a couple of weeks of work to recreate some things that I thought were better to just destroy and rebuild.
Kyle (19m 7s): So my wife said to me, where we live, where we get in the pool, so we were in our pool, she said, "The universe runs on maintenance." And I thought, that's actually true. If you don't maintain something, it goes to hell, whether it's a house or something else. It's a constant thing. And when something completely gets trashed like this, you have to kind of rebuild everything.
Katherine (19m 34s): Yeah, especially when you don't realize the damage, how long you've been living in a damaged structure, so to speak.
Kyle (19m 41s): Well, and there will be ripple effects in the security industry, just due to the fact that this was a software supply chain attack, that at least one of the initial attacks was caused by a backdoor being inserted into a binary that was legitimately signed and that everyone applied as an update. This is not the first time this has been conceived of as a problem.
This is something that people in security have been talking about for a long time. But the problem is so much of our security architecture is based around the idea of trusted signatures on things. And so you take for granted that a vendor's signature is all you need to be secure, and so much trust in the industry hinges on the strength, or the security, of those signing keys, even though there's a history of those signing keys being compromised.
Kyle (20m 38s): In some cases in the past. This isn't the first case of that, either. The Stuxnet virus famously had used a Microsoft signing key so that it would be legitimately trusted when it was installed in those centrifuges.
Doc: Is this also a Windows thing? This is something where I noticed Microsoft is in this as well, or something would help if it was tied in with Microsoft there.
Kyle: Well, I mean, Microsoft is at the forefront of doing attribution and analyzing attacks like this these days. They've really shown a lot of expertise in helping to shut down botnets and shut down other sorts of malicious actors on the internet, in shutting down command and control servers, things like that.
Kyle (21m 23s): And so they've sort of dove into some of the research. It's unclear at this point. There were some reports that they also were compromised, but that hasn't... Reuters reported on that. Microsoft has not confirmed that yet, and so maybe they're still doing an investigation. So yeah, at least as of the date we're recording this, we don't know.
Katherine (21m 48s): Maybe we should share. When is today? Is it the 18th? I hope so, all day long. I thought it was the 18th. I think, actually, incidentally, we'll release this early next week, because next week is the week of Christmas, and I don't really think we should release on Christmas Day. So I think we'll release it early.
So it will be a little bit less stale, but who knows what we'll uncover by Monday.
Kyle (22m 13s): You know what this tells us is we need to revert back to the sneakernet. Just say the safer way. Well, I mean, there's a lot of soul-searching now about what to do to prevent this sort of thing. And I'm sure if we had in-person RSA conferences and things like that next year, you would see a lot of vendors that are now updating their marketing material to say that they somehow could have prevented this attack. In fact, some people, the day after this was announced, got marketing emails from competitors to SolarWinds saying, "Wow, did you see this hack? We wouldn't have been vulnerable to this," which of course is nonsense. But yeah, there's going to be a lot of talk about how do you stop such a wide-scale thing, and the challenge is there's not any one thing that can. It requires a lot of different things, among them the government itself putting security expertise at a top level within the government to make recommendations that aren't simply offensive.
Kyle (23m 21s): We have a very strong offensive capability, but we haven't put that same sort of investment into internet defense or computer defense in the government. And the same thing kind of extends over to private companies within the US. The NSA more recently, post-Snowden, has tried to pivot a little bit into being more open to sharing vulnerabilities with the wider community, maybe when they're no longer useful to them, to try to protect US companies from attack. So that's a bit of a defensive component, but for the most part they've also been focused more on offense in the past. So yeah, that's one recommendation.
Kyle (24m 3s): I mean, the other thing that's interesting is that this was a compromise of a binary, not source code, and it looked legitimate. And like I said, so much proprietary software hinges on, and even free software hinges on, the ability to trust a signature. So right now, even on a Linux system, if I install software, the way that my system knows that it's safe is that it checks a signature. And so if someone were to compromise a binary, but then sign it and package it, my system would trust it too. So in that case, whether you're using free software or proprietary software, you could still potentially get this kind of supply chain attack. But there's one fundamental difference, which is that with free software there's at least the possibility of detecting it after the fact, using what's called reproducible builds, which allows a third party to take the source code that the vendor, or the original author of the software, is providing, download that and build a binary out of it, and then compare that binary to the binary you got from the vendor and ensure they match.
Kyle (25m 14s): And if they don't match, then you might suspect that there's been some tampering. There's been a huge effort for the last couple of years in the Debian project, and I believe Fedora and a number of other free software projects, to make as much of the software that's in the system as possible able to be audited with reproducible builds. I think the Debian project, I forget what percentage they're at now, but it's a reasonably high percentage. There's still some challenges to doing it, but you can imagine that it's not that it would stop this problem from happening, but what it could help prevent is this backdoor being inserted in March and installed,
Kyle (25m 58s): and no one detecting it until December. Because an attacker could compromise the network and inject the binary, but if you have third parties that automatically download the latest source code, whatever it is, and then compare the binaries, then you would hope that you would at least detect it. But of course, with proprietary software, you're never going to do that, because they're not going to release the source code for a third party to audit.
Katherine (26m 26s): So you bring up something you've mentioned a couple of times, that it's believed to have begun in March. And I wonder if we think that's a coincidence, with somebody taking advantage of the chaos surrounding the COVID pandemic. So that's one. And then a second question: I feel like I want to mention, and I will link to this article in the description, but I feel like it's at least amusing, or maybe not at all, to mention that SolarWinds actually had a blog post in 2019 listing as a con of open source software that it is more risky from a security perspective.
Katherine (27m 10s): And I just thought I'd throw that out there. I've seen that circulating a bit online, and I just thought, oh my, that did not age well.
Petros (27m 21s): I used to work for a company years ago that had a similar mindset. I don't even want to call him IT personnel. He was just in charge of the computers for the small mom-and-pop tech shop. And he was super adamant, super against anything open source, and he and I kept butting heads for obvious reasons. I would install, let's say, Firefox; he would throw a fit. I would set up these automated workstations in the back warehouse to help streamline some of the stuff that the engineers back there were doing.
Petros (28m 7s): The fact that it was running open source software, he refused to have it connected to his network. He had this mentality that open source was dangerous. It lives on, and I hate to say it, but you see it a lot out there, and I still don't get it.
Katherine (28m 28s): Yeah. I remember about 10 years ago, this is kind of funny, I was in a meeting with a couple of companies, one prominent hosting company and one large software company. And one of them said that they got pushback from a potential customer at the time, a major, major customer potentially, that said, "Well, I don't know about open source." And again, this is 2010, but, "I don't know, it feels like coding with your pants down." I love to tell that story because I think it's hilarious. And then I of course said, "Well, at least your pants are down," and then you have to keep it closed on that. I love that; it's my favorite story. But anyway, I would actually like to quickly read a passage from the aforementioned blog post, because it's kind of... oh gosh, I'm going to try not to giggle, try to put my serious voice on, but it says:
Katherine (29m 21s): This is in the list of cons of open source software. "Security becomes a major issue. Anyone can be hacked. However, the risk is far less when it comes to proprietary software. Due to the nature of open source software, allowing anyone to update the code, the risk of downloading malicious code is much higher. One source referred to using open source software as eating from a dirty fork. When you reach in the drawer for a clean fork, you could be pulling out a dirty utensil. That analogy is right on the money." They don't say which currency; I don't know what kind of money they're talking about. But yeah, I thought that was just bizarre. Anyway, eating from a dirty fork is going to be my new favorite joke.
Kyle (30m 3s): Well, it also shows sort of a lack of understanding of how free software is developed, because, on the contrary, obviously anyone on the internet can't simply merge something into a popular free software project and have it be distributed, right? It has at least as good of controls as your average proprietary software, in terms of having project maintainers that have merge access, as everyone else does, and that sort of thing. Right? And you would think that whenever this was published, 2018, 2019, they would understand that the way that you develop software, whatever license it has, is pretty similar, in terms of you have people that are allowed to change it,
Kyle (30m 44s): people that aren't and who are only allowed to submit patches, that sort of thing. Yeah. There will have to be a company called Dirty Fork Software now. This has to happen. I mean, if I were starting a new company right now that's open source, I would call it Dirty Fork Software. I just bought the domain. I'm kidding. The other thing is, if you've ever seen a company that does that, they're going to publish their previously proprietary source code and then make it public, it's often awful, isn't it? Well, you hear them say, well, we're going to need to spend some time cleaning everything up. Yeah.
Kyle (31m 24s): I know that when a company tells me, "we're going to open source it eventually," I almost always tell them, look, I know what's going to happen. You're going to look at it and say it looks like crap, and you're not going to ever do it. Do it now, do it now. But writing...
Katherine (31m 41s): So that you know other people are going to see...
Kyle (31m 43s): It. Exactly, exactly.
Petros (31m 47s): The article, this blog post, Katherine, that you were reading from, there's this one part under the cons section where he specifically states open source software might not stick around. And I find it entertaining, because with proprietary software, if the parent company is not around, that software is also not around. And how often have we seen in the open source world, when a project dies, more often than not it gets forked.
Kyle (32m 27s): Yeah. If it was still useful, somebody works with it, exactly. Think of it. Yeah.
Petros (32m 32s): I think a good example, you know, while CentOS didn't die, the traditional CentOS model was recently changed by Red Hat. Now they're taking a different approach with how they're releasing updates, how they're structuring the distribution, and what happened as a result? Now there's at least a few forks that have been created, including one by one of the original creators or maintainers of the CentOS project. So it just baffles me when someone mentions something like "open source doesn't stick around."
Kyle (33m 12s): Yeah, I don't get it either. It's one of the few things that guarantees longevity. For instance, on my phone right now, I wanted a local Twitter client, and there's one called Cawbird, which actually works pretty well. But when I was going through the history of it, apparently it was an example where there was a previous maintainer of the project under a different name. In 2018, Twitter changed their APIs, and the maintainer said, you know what, I can't deal with rewriting this to deal with the new APIs, I'm done, and just sort of hung the project up. And then someone else saw it and said, no, I like the software, I'm willing to put in the work to make it work with Twitter again. And they did.
And now it's a living project I'm using, you know, I use it today. To me, publishing that makes it more likely it might actually exist.
Kyle (33m 59s): For instance, you can compile and run the Mosaic browser on Linux today. I did it years ago. I just sought it out. Yeah. The original Mosaic. Yeah, the original Mosaic, 1994, on Linux. Now, most websites won't load anymore because it doesn't support JavaScript. So the moment my website loads, great. It looks great too. But yeah, there are smaller and smaller sections of the web. What's fun is to take the original Mosaic and then load the websites from companies that were around at the same time, like go to yahoo.com or go to any of the internet companies that existed at the same time and see which ones load and render and which ones don't.
Kyle (34m 42s): Yeah. Yeah. That's interesting. I'd like to grab that and play with it. It's kind of an interesting test to see what's still out there. That's a bit like Craigslist to load. I mean, Craigslist loads in a second everywhere, it seems. You know, it's nice and simple, no graphics, no anything. And, you know, it works really simply and well. Okay.
Katherine (35m 5s): So before we move on to our minor outrage, I did want to revisit my question that I sort of overwrote myself, and that is, do we think that this attack was pandemic related? Not directly, but the timing of it. Do you think that, at the time? Yeah.
Kyle (35m 24s): Yeah. I mean, we haven't received any official evidence of that yet. But to me, what the timing says is that there were a lot of companies that were switching to work from home for the first time. And we know that, unrelated to this attack, there was this rapid increase in phishing attacks against people who were now working from home for the first time, and a lot of companies did not have their security infrastructure set up to handle people working from home.
And so there were a lot of cases where it was scrambling to try to allow people to log into some office computer or server or system from home when before they couldn't, and a lot of attackers took advantage of this. And I'm sure that the confusion and the scramble in March opened up a lot of companies to where, even without the SolarWinds attack, I imagine a number of companies might've been exploited through some other means, through phishing attacks.
Kyle (36m 19s): Yeah.
Petros (36m 20s): I never thought of that. I never thought of it that way. I mean, I work remote, you know, I've been working remote for many years, and the company that I work for now, I mean, they obviously were properly set up, but I never even gave that much thought.
Katherine (36m 37s): Well, especially considering government agencies. They didn't work remotely. I mean, to an extent, but a lot of
Kyle (36m 46s): A lot of organizations just sort of have perimeter security. If you're inside, it's trusted and everything's great. And if you're outside, everything's bad and it's untrusted. And a lot of times that perimeter is, are you physically inside the office? You know, are you plugged into an office switch, that sort of thing. And so if all of your security is on that, and then all the employees are now at home, then you have to deal with how do I allow someone on the internet inside my trusted network. So, you know, that's the only thing; everything from the outside's bad. And so, you know, VPNs maybe, but yeah, a lot of places were not set up for this. And also you have a lot of cases where, if you have a problem, you then walk over to the IT desk and ask for help.
Kyle (37m 29s): Right. I need my password reset, that sort of thing. Well, now the IT person is at home as well and answering their cell phone or emails or that sort of thing.
So they're also ripe for, I need my password reset, I'm locked out of this new remote system you set up, et cetera, et cetera.
Katherine (37m 47s): Hmm. Well, I wonder what sort of long-term impact this is going to have on that type of security in various types of organizations. I mean, right.
Kyle (37m 57s): Some of the biggest things are ones we'll never hear. Yeah.
Katherine (38m 1s): Yeah. Well, that's early. Yeah. I won't, maybe Kyle will. Yeah. So anyway, I think we're maybe at a point where we could pivot to talking about, maybe outrageous is a strong word, but I like it. Doc, what are your thoughts on this Facebook thing? Just explain what we're talking about.
Kyle (38m 26s): So Apple said that they announced that they were going to make some updates to their next iOS, iOS 14, which is already out, but they've not
Doc (38m 36s): made all of the changes to the right of the decimal point on it yet, and to require that websites and services and apps ask to track you before they do that. And Facebook split a gut because, you know, they don't want to have to ask that. And, you know, they have this sort of total smokescreen: it's all about small business, you know? Well, there are several topics here to go over. One is that I don't think most people know that Apple even has something called IDFA, which is ID for Advertisers.
Doc (39m 19s): It's buried. It is a global opt-out. You can opt out of this, but the first thing is they actually have an ID just for advertisers, for you. It's not your name, but it is something that allows companies to track you. My position on that is they never should have had that in the first place. It's a wrong thing. No phone user ever wanted an ID for advertisers on their phone. It's to make direct marketing especially easy. It's a little hook there.
Everybody in the marketing business will tell you, oh, do we really need that? Because we really have the need to address these things personally. No, you don't, you know. Nobody getting a newspaper or magazine would like it to come with a little tracking beacon on it
Doc (40m 3s): so people would know what you've read on every page. You know, that's ridiculous. But anyway, so that's the first thing, and probably I'm alone in that. I'm alone in saying that ID for Advertisers never should have been in there in the first place. But look at the small business case that Facebook makes. There are actually two parts to this. One is that I have heard from multiple people at Facebook in the past that a non-dirty secret about Facebook is that a great deal, if not even a majority, of their income is actually from small business. It's the gift shop on Main Street, it's the bait and tackle company, you know, it's the campground, it's the nail salon.
Doc (40m 51s): It's these small operators that want to reach people in a neighborhood. They want to reach people with common interests, things like that. And to Facebook's credit on this, not credit a bit, but just to explain a little better than most people know about them, they are not tracking you necessarily personally. I mean, they gather up a crapload of information about you, but it goes into a database where an advertiser could say, I'm looking for these characteristics, and you get hit with an ad that seems to be personalized because you happen to match a whole bunch of those characteristics they're looking for. It is kind of unique that way. There's not anything else quite like that.
Doc (41m 32s): So it's kind of hard to generalize from Facebook to every other company in the world. Also, if you're on Facebook, you kind of know that's what the deal is. I mean, you know that you're being followed.
There's not a secret here. So that's, you know, but by the way, of the people I have spoken to at Facebook, some have promised to come through with some actual numbers on how much of their business is actually small business and not big companies like Procter & Gamble trying to brand. And I suspect it's actually the lion's share. As for the idea of it hurting them, I'm not sure that they even need the IDFA to target their ads. I'm really not sure that they do, you know, but maybe they do.
Doc (42m 12s): I don't think it's a loss in any case. I don't think Facebook's hurt in the least by it. But, you know, the EFF has a nice piece on it. Look up the EFF and IDFA and Facebook. But an interesting thing here is that the IAB, the Interactive Advertising Bureau, did a similar thing when it really successfully stomped out Do Not Track a few years ago. They ran lots of ads because Mozilla was the first and only, at the time, browser maker to turn on Do Not Track by default in the browser; you had to kind of opt out of it on your browser. But Do Not Track was never anything more than a polite request, but the IAB ran a campaign which a prior guest on this podcast told me was actually $110 million.
Doc (43m 2s): They spent $110 million to just about flatten Mozilla on this thing. And Mozilla caved. They caved and they took that thing out, and then they didn't end up doing that. But the campaign was: Mozilla is hurting small business. It was exactly the same kind of thing that Facebook is saying now. And it worked. I mean, it actually worked. Apple is a much bigger target. Apple's not going to do a damn thing. If they want to continue being a privacy company, they need to stand up to Facebook on that one. I think they are, just by ignoring them, frankly. They did back off on when they would roll this thing out. But, you know, anyway, I think it's a bogus thing on Facebook's part.
Petros (43m 46s): Hey, listen, I don't mind the tracking. I mean, this is how I started to join all my whiskey clubs. You know, all of a sudden Facebook is like, hey, you like whiskey, here's a bunch of clubs for you to join. And I'd actually joined soccer.
Doc (44m 0s): Yeah, me, see, so, I mean, Facebook and Google are the biggest targets of editorial ire about advertising online. And both of them have what amount to really unique, not widely shared business models that they basically rely on. The one for Facebook is the one I just described, which is, you know, they're basically just matching a whole bunch of characteristics with populations that have those. You know, you're a whiskey drinker, you might be interested in this, right? And Google makes most of its money from search advertising. Search advertising is, you know, except to the degree it's based on tracking you, which is very little, I mean, if you want to know the height of Mount Everest, you know, the answers that they give you, or the ads for vacations in Nepal or whatever those are likely to be, are not a hell of a lot more informed by them having tracked you all over the web
Doc (44m 58s): before you asked that question. The ads are genuinely totally contextual. They're based on the actual search, they're based on the actual intent. And they could actually live without any tracking behind that at all. They can live totally without that. So, but where Google is actually, where the feds are going after them right now, is that they actually run the back end of these things too. They are part of the machinery by which the rest of the ad tech, I call it a fecosystem, because it's fecal, but the ad tech fecosystem is this four-dimensional shell game where nobody knows what the hell is going on. And Dr. Augustine Fou, who has been on the show already, has a wonderful thing called Page X-Ray.
Doc (45m 41s): So if you look up Page X-Ray, you'll find his thing that tells you how you're being tracked, and that Google is totally involved in all of that. And that's a different thing. It's a completely different thing than the way they make most of their money. So that's a different thing, right? So anyway, I'm not being as articulate as I'd like to be on this, but these are different species of advertising, you know. And the kind of advertising you got on TV, or you get from a billboard, is entirely different again. That's old-fashioned, non-tracking-based advertising, and that's what creates brands. Every brand in the world, other than maybe Trader Joe's and Zara, which don't advertise, you know, were made by traditional advertising. It's not tracking at all.
Doc (46m 30s): It's not personal. It isn't supposed to be personal. It was just aimed at populations.
Katherine (46m 35s): And I think there's, you know, there's a definite trend. We talked offline about GitHub announcing that they're eliminating third-party tracking, but, you know, I think Facebook is either going to respond by, I think initially it's just going to be fighting back, but at some point the tide will wash over them, right? I mean, if you have somebody as big as Apple following, let's say, the rest of us, and Facebook sticking to their tracking guns, I don't know. I feel like the Apples of the world are going to win, but
Doc (47m 13s): Well, I think, well, the Apples of the world, I don't think there's a plural there. I think there's only one. But I think there are, I mean, if you include, say, DuckDuckGo and Ghostery and Disconnect and a few other companies that really, you know, are in the privacy business, as it were, and their position is privacy. Apple is taking the lead there, and I commend them for it.
I just think that they made a mistake by putting the IDFA in the phone in the first place. You know, you shouldn't be identifiable to anybody other than them, and maybe your phone carrier, you know? And then the rest of it's all up to you, how much you want to reveal of yourself to any company that you deal with.
Doc (47m 55s): But there should not be a tracking hook on your phone for advertisers any more than there should be one on your body. Your phone is an extension of your body right now. You've got it in your pocket everywhere. It's almost part of you. That should not have a hook for other parties you never were in touch with. An interesting thing in one of the pieces I read is that 30% of iPhone users have opted out. They have turned off IDFA anyway, and you have to dig down to find it. I'm not even sure it's called IDFA, but I think it's something that says, do you want to be tracked for advertising purposes, or something. And that 30% bothered to do that. That's a pretty substantial population when nobody has told you to do it.
Doc (48m 41s): And it's not easy to do.
Katherine (48m 44s): Well, on that note, I think we've covered it. Any final thoughts? I do have actually one, and that's something that I don't think I mentioned earlier, and if I did, forgive me for repeating myself, and that is, can we please stop trying to undermine the whole idea of encryption? And by we, I mean governments around the world. I mean, by we, I don't mean us. I mean, culturally, can we please stop fearing encryption?
Doc (49m 13s): So yeah, I think a good case for that is, do you think secrets are important for human beings? Do you think that it's important for people to be able to have secrets with other people and to share?
And as long as secrets are something desirable in society, we should have crypto in the digital part of our social fabric. We need crypto in order to have secrets with each other. It isn't so much having a secure channel as much as it is to have a private one, you know. People need to be able to communicate privately. And the fact that, you know, criminals can use that is too bad, you know. But I actually wonder to some degree, I'm reading a science fiction piece by somebody I'd love to have on the show.
Doc (49m 58s): There's a book called Shepherd's Drone by Brett Frischmann. And it's set in the future, it's a science fiction thing, where people coming and going are known to the buildings they go into by their bio-signature, as he calls it, as a matter of course. And I thought, is that really where we're going to end up, where we're just known by our bio-signature as we come and go from something? And it might be true. I don't know. I don't want that to be true, but it might be, you know. But that said, that's a separate thing. I think we do need crypto, and backdoors are a terrible idea. You know,
Katherine (50m 33s): I think my final wisdom on it, and we'll see if anybody has any others, but I think, you know, there's no such thing as a secure encryption backdoor. If you insist on having a backdoor, you're going to get backdoored. It boggles my mind that anybody thinks otherwise.
Doc (50m 51s): Yeah. Yeah. I used to have a house where I always left the back door of the garage open, and it was very handy, honestly, for me, but the house was not very well protected. But you know what, sometimes I forgot my keys. And I mean, I actually, I think that my point there is that I think we need a better door.
It's kind of like, you know, I don't know, there's probably a better metaphor that I can think of on the fly for something that's a vulnerability, rather than, I mean, look, if you look at it as, you need to build this vulnerability into your system to help us out. Hi, we're the police.
Doc (51m 31s): Can you please leave a vulnerability in your house so we can get in? Give us a, give us,
Katherine (51m 38s): No one else will find it. Nobody
Doc (51m 39s): will find it. Let us know. Trust us. We, you know, we'll know you've got it there. That's just fine. You know, that's, I mean, that's basically it, like let's have a vulnerability in our systems so the right people can find their way in. And the right people, of course, could get replaced.
Katherine (51m 57s): Yeah. There are no right people. Okay. Well, thanks everybody, if you've made it this far, and thank you to Kyle and thank you Petros for joining us.
Kyle (52m 6s): Thank you. Anytime. Anytime.