Are Android smartphones as safe as iPhones? (The 3:59, Ep. 370)

2018-03-15
Good morning. On Thursday, March 15th, it's episode 370 of The 3:59 podcast on BVG, and your hosts today are Alfred and Roger. Morning. Morning, everybody. We got a pretty stacked plate today, and I'm sure we're gonna get a lot of trolls in the chat for this one, more than usual. Or let's just say that the bait has been clicked. Music? Yeah. Alright, just checking the music always plays. What do we got? A complete cyber show today. We do have a complete, lots of cyber. Careful. Cyber, cyber. Anyway, look, it's gonna be a fully stacked show all about security. We've talked about Google making the case that its Android phones are just as secure as iPhones. I will be talking about the US leveling sanctions against Russia for tampering with the elections, NotPetya and more. Alfred has all the details. We'll talk a little bit about Intel fixing, or putting out, its Spectre fix, and a look at why IoT still scares us. It's scary, right? Right. Breaky, a lot of ghosts. Yes, ghost in the machine. There we go. Alright, as always, if you have any questions, leave them in the comment section, but I will pick up the best and we'll try to answer them in 3 minutes and 59 seconds. From three, two...

Welcome to The 3:59. I'm Roger Cheng. I'm Alfred Ng. Today's all about security. First up, Google is out with a new security report and claims that Android is just as secure as the iPhone. It says that there are fewer cases of malware and flaws, and the phones are getting better security updates. Alfred, you're the expert here. Like, do you buy this?

I'm inclined to believe them on several parts of it, where they talk about how they've improved security in the app store, so you won't be able to download something that actually has a virus from the official app store. They're enough how they're retrofitting security. So the biggest criticism against Android security has always been that only, what, like 3% of their phones are on the latest update, and then the rest of it, it's kind of like you're on your own. So they've tried
addressing that by only doing security updates. It's, before, your security updates would come if likely patches, all right? You would only get the latest security update if you got like Android or something after, and that would have to go through crazy approvals with carriers, with handset makers, in the long. So what they do now instead is like send updates that are just security only, which is similar to what Apple does with iOS updates. So that I'm also inclined to believe them on. But there are some other issues that they didn't really point out or kind of like deflected about. So one of the issues that I had: when they're talking about where we're getting better at app security, they're not, that's specifically only for the Google Play Store, and there are entire markets out there that don't have access to that store and have to sideload. Yeah, China for example does not have Google Play, so there are tons of third-party app stores out. Yeah, and even if, you know, they're getting these retrofitted security features, there are like other ways for you to breach into an Android device, like specifically through these apps or something like that. So I take them at their word for it for some of these points, but there are other points where I'm like, I know better about this and I don't really buy it. I will say they've done a good job of offering these security updates to more devices, although there are still plenty of millions of dollars that probably don't get these updates as quickly as they should.

All right, next up: the US Treasury Department just leveled sanctions against several Russian entities and individuals. This is pertaining to the U.S.
election, this is NotPetya, even though electrical grid. Alfred, you have most of the details yet. What's going on here?

So they announced this about an hour ago. This is specifically about the election tampering, so some of the entities include the Internet Research Agency, which a special counsel, Bob Mueller, found charges against in February, and also on the NotPetya attack, which they said the Russian military carried out. It was supposed to be the most destructive cyber attack in history. These are sanctions similar to sanctions that have been, you know, sent against Russia before, but these are specifically related to these cyber attacks that have been going on.

All right, so it's a big security, as I said. Intel's Allen says it has a fix for Spectre that's coming out new chips, and that is basically patched up existing devices with software updates. CEO is out with a blog post basically telling you to update your computer now.

And Alfred, lastly, you wrote this piece from the Kaspersky security summit. One of the themes there was the fact that, you know, IoT continues to be a big security issue, and specifically older devices, right? So should we just be afraid all the time?

I mean, you should look at your older IoT devices differently. So, you know, everyone talked about how they're improving IoT for the future. You know, politicians talk about these bills that they're putting out for things that we're gonna buy soon, and security companies have all these new solutions for IoT devices and manufacturers in the future. Keyword being the future. The idea is that there are still about eight billion IoT devices that are out now, and when I was at this conference they were basically looking at older IoT devices that people have generally forgotten about, and it's like, oh, here's this vulnerability and here's this vulnerability. And then when I reach out to the companies about it, the idea is, oh yeah, we can't really fix that, or like, that's so old that like we
don't really focus on that anymore, which, that is like the bigger problem here.

And that's a billion. That is a staggering number. All right, all the time we have. For more of these stories, just cuz I was seen it. I'm Roger Cheng. I'm Alfred Ng. Thanks for listening.

Ah yes, he's good vodka everything. I mean, sorry. Hey, BJ back here at 3:59. I'm not a Russian spy. I was trying to Russianize your name, but I couldn't, like, I can't figure what it would be. We G, PG, VG-ski. Alright, so thanks everybody for joining us. I'm gonna go ahead and start jumping through your comments and questions in the chat, pulling out some good stuff to keep the conversation going. In the meantime you guys can talk amongst yourselves.

So, I mean, from the Kaspersky conference, what was for you the most, I guess, shocking or surprising hack?

Definitely, definitely the robot one. Okay. Only, so yes, only because of the response that I got from the companies when I reached out to them. What was the response? I reached out to some people that wrote the software behind it, and they basically said, usually when you reach out to a company, like, oh, here are these security issues that we found, are you fixing this or anything, they usually say we're working on a fix, bla bla bla. This response was basically: we built this without security in mind. Alright, so they admitted that they built a theory. And it was like, the idea was, it's not up to us to implement the security, it's up to the people that put this software in their robots. They basically said, like, we kind of wipe their hands of this. Yeah, their argument was like, if a carpenter builds a home and then the person that lives in that home doesn't use a lock on it, like, how is the carpenter at fault here? Well, kind of thing. Wow. I mean, you know what, it's shocking but it's probably true for a lot of companies. They're probably not thinking about security in mind when they give you that sort of canned response of, like, we're working on a
Security's party. Yeah, that's probably the case. They're probably like, what this company's thinking: we didn't think about this in the first place, now we're scrambling. Yeah, but the thing is, they weren't scrambling though. They were just like, yeah, this wasn't, there was some weird line in where it was just basically like, we didn't build security in it because we'd rather not mess, it's worse to mess up security than it is to like try it at haul it ourselves. The idea that they're so bad at security they were afraid that if they tried to add it, they would mess up the whole robot system itself, which, it's just like, well, then maybe you should make a robot add response. And the problem with the robot one too was that, this is a robot, it's Pepper, which they show at CES. Yeah, the time course, cuz it's like, oh, it's cool and I can talk to you. I mean, it's at malls, it's at, like, ours, yes, all this stuff, airports. And it could be secure if it was on its own Wi-Fi network. What the thing is, because it's always in these public places, they're not gonna set up its own one just for that robot. So yeah, that was like the most surprising one.

We also did see a smart cam one that used to be owned by Samsung, right? They demonstrated that one in front of us, where they had these two smart cameras that were both connected to the cloud, and then it was basically, okay, we're gonna take footage from this camera and make you see it from, like, yeah, even though this camera that's right in front of me. Just like the movies. What movies? I don't know, you know, when they switch the camera feeds, the security. That did happen in Black Panther. I mean, that happened to, like, yeah. So yeah, it was weird to see that actually happen realized. Yeah.

All right, what questions do we got? Let's start things off with the almighty, ever-present sir enjoy enjoy man: Google has tightened its Play Store or malware's for sure, but why aren't
they promoting the Android Privacy Guard, which is only open source and available mainly in custom ROMs?

That's a great question. I don't know why they're not promoting. Yeah, they promoted it so little that I actually don't know what that is. Yeah, I mean, I have heard of it, but I don't know much about it because, as just said, talk about it too much. They probably don't promote it that much because it's only available in custom ROMs. It doesn't sound like something that's coming through that. Yeah, so if anything they're probably trying to discourage from custom ROMs, because that's half of what malware comes from. And, you know, something like that where it calls itself, I need to know more about Privacy Guard, but that is how a lot of malware spreads through devices, where they promote it as this antivirus kind of thing and it turns out to actually be the virus. That was in my mobile security story I wrote last week. This is the worst season of Black Mirror yet. So there was a massive mobile malware campaign that hit like hundreds of thousands of phones across like 20 countries, and it did it by spoofing Android apps for Signal and WhatsApp, which are supposed to be secure communications apps. What they did was they would go to these activist groups on Facebook and make a post like, don't use Signal, it's been compromised, use this, this is our updated secure version of it that you can't get from the app store. Well, and it got like thousands of people that way. So that's my point: something that promotes itself as being secure, it can also be malware.

All right, there you go. And like Lakshmi's comment: Android is safe too, everyone stops downloading dumb stuff. Yeah, the beautiful utopia that we hope does. Well, no, I mean, there's still flaws in Android that are exploited. To Google's defense, I think that bad gotten a lot better. Yeah, I would say, their argument here is that
we're just as safe if you, like the comments I'd like, if you stop downloading stupid things. Like, if you just play by our rules completely and don't try anything stupid, then yeah, we're like pretty safe. And that's just security hygiene 101. That's right. You know, like don't sideload apps or anything like that. I mean, look, Android being less secure than iPhone is inherent because it's not a closed system. Like, yeah, Apple doesn't have, or Google doesn't have, full control of anything you could do with the phone and where you get your apps. Yeah, that's the thing with iOS: they're not saying, hey, please don't do anything dumb, it's like, you can't do anything like that. But I think what Google was trying to say with this announcement was more so that we have the same amount of zero days as our competitors, right? In the sense that there's no massive hack against it, not related to apps or anything like that, specifically zero days. Because their biggest proof was: we haven't paid out a large bug bounty in like years. And that's the idea, that no hackers have been able to come to us with these vulnerabilities or anything like that. My argument against that is, if it was really a vulnerability that was worth it, what makes you think that somebody's gonna come to you and, like, hey, right, as opposed to just exploit it? Yeah. To be fair though, they pay a lot for it. That's the whole idea of bug bounties, where I pay you more than what you would get for this if you use it criminally.

Back into the chat. Coming in from Servan: should I install any kind of antivirus app to make my Android more secure? And I think this is actually a good, relevant question in lieu of these updated security measures. So I was, it redundant?

I think if you have good hygiene about it then you don't really have to worry that much, but I understand that, you know, if you want an extra level of security
just to make sure, you know, because you don't know what everything is going on on your phone. Lookout has actually done a very good job at preventing mobile malware attacks. I used to be very skeptical of it, but I've dug through their research alone, I've spoken with their researchers, I spoke time for that mobile malware story too. Sure. They scan your phone regularly, they check for man-in-the-middle attacks if you're on Wi-Fi, like public Wi-Fi or anything like that. Yeah, Lookout has actually done a fairly decent job at it. I haven't looked into other mobile security apps. Lookout is definitely up there though. But as you said, really the big thing is having good security practices. Yeah, downloading off with third-party apps, be mindful of what you down. Yeah, be mindful what permissions you give to specific apps, even if they're apps you download from Google. I would equate it to like going to the dentist though, where they would also tell you, oh, if you just practice good dental hygiene you don't need to worry about anything, but you would still go to your dentist to check. Yeah, if there's anything you might not know. Good analogy. Yeah, I never would have thought about it like that. So we have to floss my phone now. Yeah, my biggest advice is always to practice the best, you know, security hygiene that you can, but there are some things that you might not be able to see, right?

Here comes a question from Karl: what about Bluetooth vulnerability?

Ooh, those are pretty rare, and the issue with that is that you, first of all, if you have Bluetooth on all the time, I don't know why you... I do. Oh yeah? I don't. I don't, that's more like, security aside, that's like a battery thing for me. Right. Yeah, I mean, look, I have it because I have my headphones on and I just forget them, turn them off. Yeah. Not like I mean to have them on all the time, I just forget. I also use my phone to
remote-control a lot of the stuff around here in the studio. Well, yeah, but there's been Bluetooth vulnerabilities named in the past, but I always go back to the idea that it's mostly targeted attacks, in the sense they have to be close, they'd have to be in your Bluetooth range to do it. But there is an idea that, you know, they might not be targeting you, because both of you now told me you both leave your Bluetooth on all the time. I saw, I've turned them off now. Just like I assumed the majority of people do. So like, I'm tired all day would worry about if I... Yeah, but think about how many people would have their phones with Bluetooth on at like a Starbucks or something like that, right? I could walk in and scan for any open networks. Like, I really do. Yeah, true.

Here comes a question from BVG in the room. So what, this is another DVD here? No, I looked at the screen, there's BVG. So okay: being a previous iPhone user and having recently jumped over to the Samsung train, what's up, and experiencing both the App Store and the Play Store in pretty thorough detail, do you think there's ever a chance that Google will try to restrict the Play Store in the same fashion that iPhone has? That's one thing to say, is the App Store is much more policed, let's call it. As far as, I think that's a Pandora's box that might be going down a dangerous road that would start to be too exclusive for the Android ecosystem.

No, no, I mean, how many, pretty well for the App Store. I don't go has a step up there. They have stepped up, but it's still nowhere near as, no, bare bones. My argument against this whole open thing that Android does is just like, how many apps do you really use anyway that you would need this open network where millions of apps are flowing in? Like, you really only use, what, like 30 to 50 apps on your phone. It's that. Yeah, and it's just like, what do you need all these apps for? I think
it should be, everyone's not using the same 30 or 40. Yeah, right, that's the issue: there are people who are gonna use this app that you will never touch, and that's the issue. Yes, that's a selling point for Google's: because it's open, it'll cater to your very, very specific needs, right? Things like, I don't know, if you're mountain climbers, mountain climbing app. I'll never have a mountain climbing app on my phone, but someone's going to, a large number of people will. Yeah, but that app would be able to go through, like, it's a fairly innocuous example, but I mean, I'm not telling, like, don't ban niche, like, don't allow niche apps like that. I'm saying more like they should be a lot more careful of, like, curating them. Yeah, for sure.

What's up, the John Falcone out the window peeking in. We really need to make a compilation of Falcone look-ins. We should. I'll work on that supercut next week.

I have a hundred and fifty-three apps on my phone. Yes, how many do you use though? All of them. Really? Don't we all use our dietary devices? We have remote control cameras here at the studio. There's a lot of pizza places near my apartment. That's one app though. No, no, there are multiple apps to get the coupons, man. Oh wow, dude. Just putting that out there. All right, there you go.

All right, let's shift gears over into cybersecurity, from Mike Shaw. Shift gears? We've been, that's the whole show. Well, I know, but let's talk about IoT. Sorry. Your cybersecurity is only as strong as its weakest link. If you have an IoT device on your network, you have an unlocked door. Alfred, you've gone down this path many times, and we've seen so many devices act as what I've mentioned before, a Pandora's box.

Yeah, I wouldn't throw all IoT devices in that hole. Certainly, it's true that IoT devices are very bad at security, but I think Amazon and Google have worked very hard to, you know, make sure that their home assistants don't really have that many breaches or anything like
that. It's really more like the smart home gadgets that you'd get, like the third party. Yeah, I'm like, lesser-known. Yeah, the amazing deal that you got on that smart light, $7 light bulb, probably is not secure at all. And yeah, he does have that point about, you know, your security's about as strong as your weakest link, right? So it doesn't matter if the rest of your house is like very sick. So you've got Nest and you've got Amazon everything here, and then you've got like this one Chinese-made light bulb. Yeah, and like, vacant most likely access your network through that. No, yeah, it's a very good point. It's a poison, let's, what's the right analogy for it? Link. Yeah, all right, fine.

We are almost out of time. I'm trying to think of a good way to bring this down and close it out. We've kind of questioned conversation. Yeah, I mean, do you think, what's the right phrase I want to use on this, are we all screwed?

I've been on the show like three days now talking about another IoT security issue, and I think I've ended all of them with just like, everything sucks.

What is going to be the rhetorical event, theoretical event, that would end up just crumbling the entire foundation?

I don't know, because it kind of already happened with the Mirai botnet attack last like 16, when they shut down Netflix and Twitter and Spotify for, what, like two, three hours. And, you know, these issues are still here. So I don't know what it's gonna take for a change or something like that. But yeah, everything sucks.

What do you guys do, just on your day-to-day maintenance in your own IoT devices, in cybersecurity? What is your own personal protocol for trying to keep yourself safe, besides keeping your Bluetooth off?

I don't have IoT objects. I have, like, I mean, that's the same way. I've got, well, I have two smart switches that are fairly name-brand, I won't say what they are, and then I've got two Echos
and that's pretty much it. Yeah, I pretty much only have voice assistants. You guys don't have that, like, I love each dollar fridge in your home? No, I have the fridge my landlord gave me. Yeah, and will give me if this one breaks. I bought my own fridge. It's a nice fridge. It's not smart at all, it's completely dumb. Oh yeah. It does dispense water and ice, which was huge for me, living in most with in Manhattan apartments with small fridges, that was a big perk. But the whole idea of it being smart and connected and being able to send me recipes, I didn't care about that stuff, and then the vulnerability issue was definitely in my mind with thought about refrigerators, thought about appliances in general.

So make sure to brush your smart speaker, floss your phone daily, and always wipe front to back. Good site data. Wipe the data front of the back. There you go. The end of the show for the week. Week, wow, but quick week. I know, that's good and bad from breaking news every morning. Yeah, exhausted. Let's hope, not even supposed to be on right now. What, do you Dante from Clerks? Do you like David, you saw her hurt here.

Check us out on CNET. Our podcast is available on iTunes, TuneIn, Stitcher, FeedBurner, Google Play Music and the Amazon Echo. See y'all next week. Take care, everyone. See you Monday.