
Election hacks and what it means for 2018 (The 3:59, Ep. 441)

2018-08-13
The 3:59 is sponsored by USB technology. The USB Implementers Forum reminds consumers that USB-IF logos are displayed on certified USB products, so the next time you're shopping for a reliable USB charger, cable or device, look for the logos. Get the whole story at enablingusb.org.

Welcome to The 3:59. I'm Ben Fox Rubin. I'm Roger Cheng. I'm Alfred Ng. So Alfred, you just got back from Vegas, where you attended the Def Con and Black Hat cybersecurity conferences. First of all, what was it like? How did you like it? I mean, there was a ton of cybersecurity news that had come out of there. I think I wrote, like, nine stories in three days. All right. So I'm trying to... but yeah, I mean, I think the big headline there was most likely the election hacking village. This is the second year in a row that they've done it. This time around they wanted to prove all the naysayers wrong by basically saying, we're putting mostly machines that are already in use, because there was a criticism of last year's voter hacking village: oh, we don't even use that machine anymore. So about 70% of the machines that were brought this time are actually being used in this year's election. OK. Mmm. So, and how easy were they to hack? I mean, like, are we in a lot of trouble? I mean, so a lot of them were pretty simple to hack, but another criticism of this year's village is basically, you know, yeah, but they have unlimited access, so they can just go in and have as much time as they want with it. During an actual election, on Election Day, you know, you have all these volunteers watching you and making sure you don't go and put, like, a flash drive in it or anything like that. But I think there's still, you know, a lot of valid points being made from here, where basically the idea is, OK, but you're still using this machine, and, like, just because you have people watching for it doesn't mean that there can't be, you know, some issue with, like, physical security, where, like, your volunteer is not looking at it at this time
and then the idea is, like, if people lose their confidence in an election, in the voting machines, like, even if it's just one machine that's compromised, the point is, you know, I don't know if I can really trust who we elected anymore or anything like that.

Yeah. Let's go to Teddy Ruxpin. You just published this, like, earlier this morning, about hacking the new Teddy Ruxpin, and it seems kind of weird. Yeah, so this was more of a fun story. So parents out there who have a Teddy Ruxpin, I just want you to know that this isn't one of those hacks that, you know, your kid's information is lost or anything like that. Basically a cybersecurity researcher wanted to take a look and see if he could put anything that he wanted on it. Teddy Ruxpin has a complex file system that, like, only accepts files in a certain system, but he was able to do it, and he basically took a video clip from the movie Hackers, from, like, 1995, where a guy's yelling "hack the planet," and then he puts it on the Teddy Ruxpin, and its eyes are showing, like, the Def Con logo instead of its, like, cute, like, blue LED eyes. Yeah. But yeah, this guy that had done it is already an IoT security researcher, and anytime he gets, like, a smart toy for his kid or anything like that, he wants to see all the different ways that he can hack it. So this one was kind of safe, so he gave it to his kid, and now he can put any story that he wants on it. But also, was it easy to actually hack Teddy Ruxpin? Um, I mean, once he figured out what kind of, like, files that it needed and, like, how to convert, like, his images and audio into that file, then yes. But, you know, I think the whole process of figuring that out might have taken a bit longer. Nice.

Also, we wanted to talk about smart cities too. So this is something where more things are getting connected these days, and I guess that means there are more vulnerabilities and more ways to, like, hack into a smart city, right? Yeah, this is much more serious than the Teddy Ruxpin hack. So
these researchers basically took a look at smart city systems from three different companies that, you know, one does, like, controlling lighting, too, one does, like, flood warnings, and then another one does, like, road stuff, like, for smart cars and things like that. And they found, like, really simple vulnerabilities, like, some of them had, like, their password set on by default, some of them... yeah. So, like, one of the tips that they basically gave to these companies is, like, maybe you should, like, change your passwords if you're gonna, like, implement them. A tip for everybody. Yeah. When it comes to smart cities, though, I reached out to the three companies, all of them said they fixed it. One of them, behind the cars, basically said, you know, we don't test this on public roads, that they were being used by the Federal Highway Administration but it wasn't being used on any public roads, thankfully, so there's not that much of a danger there either. Nice. Well, luckily now I'm terrified about everything.

Lastly, we wanted to give a shout-out to Claire Reilly's story on Coober Pedy, an opal mining town in Australia where people live in underground mining holes. Definitely check out the story. If you want to read more about these stories, check us out on CNET. Thanks for listening, everybody. I'm Ben Fox Rubin. Roger Cheng. I'm Alfred.

And thanks, everybody, for joining us for the recording of the audio podcast. Now, as always, I'm gonna jump into the chat and try to pull out any good questions and comments you guys have about the topics at hand. Alfred, you've had a really busy week, I want to hear... I'm honestly mostly surprised to find out that the Teddy Ruxpin has a complex file system. You would think that something like a toy may be a little more easy to access. Could you expand on that? I would understand why it has a complex file system, like, mostly because, so the only way you can get stories for your Teddy Ruxpin is through the app itself that, like, they
provide, and it, like, transfers over Bluetooth. So the way that he did it, because he couldn't infiltrate the app, he, like, plugged a mini... like, he plugged it into the USB port in the back and uploaded it that way. And even when he does that, he can't create a new story that you can access from the app. You basically have to replace the files from another story. So, like, you can open up, like, I don't know what stories Teddy Ruxpin has, but let's say it has, like, the Three Little Pigs. You would, like, open that up, and then you would put, like, the stuff that you want it to play in that file. So you would basically, on the app, play Three Little Pigs? Yeah, but it'd play, like, what you want instead. But yeah, let me look through this, but, like, it's very, I guess, like, new, it's very specific. So, like, for the images... So you wouldn't do it to somebody else's remotely, or you wouldn't be able to do it to, like, thousands of the set? For the images on the eyes, they have to be 128 by 128 pixels, because the eyes are only, like, 1.25 inches, and then the audio itself has to be, like, a specific type of WAV file, and then even beyond that you have to put it through a, what's it called, a formatter to make it a custom SNX ROM format. I have no idea what it is. The SNX really just, like, a custom format? Yeah, for Teddy Ruxpin. Yeah, yeah. Sounds like more like a hobbyist project. Yeah, I mean, definitely. I think this is one of those things you see at Black Hat, Def Con, right? Like, these random hacks that, yeah, they're not practical, but they're interesting. Yeah, I thought it was really interesting to see, you know, the Teddy Ruxpin yelling out "hack the planet." Mhm. Hey, let's go to that videotape, shall we? Yeah, let's do it. Where am I supposed to look? There you go. Sorry, we just had to get a little taste of that, right? Oh, totally. Hey, I kind of want to do audio stuff. Yeah, excellent line, Ben. Dude, do we think this is gonna open up a whole new market for, like, not Build-A-Bear but
like, hack-a-bear kind of thing? Custom toys for your kids? Yeah, so I asked him about that, and, like, if he's put any, like, specific stories that he's done for his own kid. It turns out there's a lot of work that goes into, like, the stories that Teddy Ruxpin has on its own, because, like, if it tells you a story, it's, oh, sunny out, and then, like, the arms are supposed to move too, and then, like, it shows, like, a sunny sky. So, like, you would have to have the videos in the eyes timed to the story as well. So, you know, he did this project in a way that was, like, this is fun for, like, Def Con, and, like, look at this, like, really novelty thing, whereas, like, if you wanted, like, a whole video thing, like, synchronized like that, that's a lot of work, which, like, they do at, you know, Wicked Toys, the company behind Teddy Ruxpin. But, like, for a hacker, or, like, I don't really... like, you can put in the effort for it, but I don't know if I'd be war... you know, I really love your kid if you would do the custom story. Yeah. Or to, like, freak out your younger sister, I suppose, that would be one reason. You're the hacker doing it, though, for, like, on your sibling? Yes. Oh, then I feel like there's a story behind you and your siblings. Oh, there's a very long story.

Let's go to the chat and take some questions. From Fujian: do you think that blockchain can help with the election hacks? They go on... wait, wait, wait, they go on to say: I think that I read several governments are testing blockchain with their elections to try and prevent these. What are your thoughts on that? OK, so West Virginia rolled this out last week. They're doing a blockchain-based mobile election, like, voting thing. They're doing it from their phone. Here's the thing about that, though: even if, like, the app itself is working on blockchain, your phone can be compromised. So it's like the service... like, think about, like, when people's Bitcoin wallets get, like, robbed, right? Bitcoin is secured, like, they're not gonna just straight-up steal that, but they can hack
your computers to take that, and that's why it's a terrible idea. Well, it's a limited pilot right now, right? It's specifically meant for armed services, people that are serving overseas, so they are gonna test it out. And I obviously understand that blockchain is very much a buzzword these days, but the idea of providing more capabilities, more technological capabilities for people to vote, I think is a good idea, instead of just doing paper balloting and showing up at the voting booth. Ah, let's... I think it's important to, like, test it on things, on votes that are inconsequential and, like, don't matter before, like, putting it out on an election thing. Like, maybe try blockchain voting for American Idol, or, like, naming a boat. Yeah, but, oh yeah, that worked out really well. At first, and then if that works out, then maybe let's talk about doing that for elections. But, like, because, like, this is not a place to, like, test something out, and in that sense, you know, like, oh, we'll see if it works, and then somehow an elected official is, like, considered illegitimate because, like, it might have had security issues. But yeah, that's a no, no, no to blockchain and election security.

Do you think, from your perspective at Black Hat and Def Con, do you think that because there's so much more attention to election hacking now than in 2016 that, like, they're more prepared, there's more awareness, there's a little bit more urgency in actually preparing for the midterms? It depends on what state and what county. So, like, the Department of Homeland Security does a lot, like, they helped secure, like, funding for a lot of states to get it, but at the same time, not every state has basically said, like, we need this, and they can't basically say, like, you can't use this machine in your county, because it's run by state and local officials, you know. And a speech from, like, you know, Vice President Mike Pence about the week before, uh, Def Con, he mentioned there are 14 states currently that are still underfunded, not
underfunded but underprepared for Election Day. And the problem... I'm surprised, I would have... it's just 14? Yeah. But the problem with this village, at least from my perspective, was basically that, like, yes, they're doing a lot of great research, yes, they're finding a lot of vulnerabilities, but it is not going to make it to election officials in time. Like, they're gonna put the report out in September, that's two months from Election Day, and at that point that's already... yeah. Even if there is a massive vulnerability with, like, all the voting machines in your county from this report, what are you gonna do? Like, you're not gonna, like, just order a whole ton of them within two months. I mean, go back to paper ballots? I mean, the good thing, I guess, is that, you know, they can use that knowledge for the 2019 election, but, like, there's basically, like, not much that they can do at this point, which is hilariously sad. But I guess the hope is that they are prepared already, which DHS has done a lot of work from 2016 onwards to make sure that happens. Like, it's not like they've waited until now to tell everybody. Like, the question is whether it's filtered down to the state level or... Yes, yeah, and that is a pretty big problem. Also, a lot of, like, local states have issues with, like, contract stuff. So it's like, oh, we want to switch voting machines because, you know, when you sold this to us, like, we didn't really consider security vulnerabilities or anything like that, now, like, we don't want to use your machines anyway. Well, you're in a contract with us till, like, 2022. Yeah, yeah, yeah, give us more money. Um, and I think that was another factor that, like, is not considered that much, is, like, vendors. So, like, people, when they look at election security, they point the fingers at, like, elected election officials, the DHS, you know, state and local counties, but it's also up to the vendors. You know, they should be the ones fixing these vulnerabilities, not, like, asking people,
like, oh, just buy different stuff or switch to a different thing. I agree with you. Yeah, they're generally not on the hot seat. I mean, like, you mentioned Diebold in yes Ori, I think there's probably a couple of other vendors out there. It's like there's just less awareness, yeah, for that, and it's much easier to, you know... That's also on them, yeah. It's not... I agree, I agree. I think, to Ben's point, they're like, no one's getting angry at a table door Diebold, yeah, they're getting angry at the elected officials, the state, yeah, because there's just an easier target. Yes, my point is that they should be getting angry at the vendors. Yeah. And somebody in the chat, tell me how to pronounce d-ball, Diebold, Bible, is it dible, and whatever. I vote as a Christmas movie. All right, starring Bruce Willis. All right, that's gonna be like that. I feel like that's a good name for a Die Hard sequel. Or the off-brand that you got, like, at Walmart. Nice.

Let's take another question, from k-19: how does one get involved with Def Con? I always wonder if the convention is open to the public. Yeah, it's open to the public. It's every summer, and it's much less expensive than Black Hat. But yeah, you can just go check it on their website and find out when it is. If they tell you that Def Con is canceled, that's not true. That is a long-running joke with Def Con, where it's basically anybody that's, like, new to it will ask, like, oh, when is Def Con, or anything like that, it was like, it's know what sometimes canceled. So most of the times it's not canceled. There's been a few cases where it's come close to being canceled, from what I've heard. Yeah, it's also a joke. Yeah, so just check it on their website. It's open to the public. You can come as press, you can come as just a normal person, you can go as, like, a contestant, like, at all these different contests and stuff. If you're a security researcher, I'm sure you know that you can go as a speaker. Yeah, they have all these, like, different things that you
can go there for. And what about Black Hat? Same thing, it's open to the public, but it's also much more expensive, because Black Hat is more for, like, corporate, like, cybersecurity compromise. Which one's the more fun? I mean, I guess it depends on what you like. Like, they have a show floor for Black Hat where, like, they have, like, oh, check out this stuff from, like, Symantec. They also do all these, like, weak, like, kind of gimmicks to get you to, like, stop at their booth. Oh yeah, normal trade... Yeah, so if you like swag, like, if you like free stuff, Black Hat is for you. There's some free stuff there. I got a blockchain necklace there. Um, it's literally, like, a cinder... like, it's like a 3D-printed cinder block on, like, a chain. That's kind of cool. And you're not wearing it now, why? It's at my desk. I can go get it, but I don't want to walk off set.

So, OK, thank you to Mark Fitzpatrick and Matthew dat you for clearing it up: it's pronounced Diebold. Let's take one from our old friend, friend Roy: why aren't the IT giants jumping into EVM development? Dubious elections are a worldwide problem. Any corporation can make huge money by getting national contracts. Well, you can't get a national contract for it, that's... well, regardless, like, is this a minefield that, like, a company like Google... yeah, that's also, yeah, I don't think they want to be a part of it. Regulated, there's a lot of scrutiny there if it fails, that's... yeah, that's fine. Then their work with the military has already been, like, seriously, yeah, scrutinized, for sure. So yeah, they may want to stay in their lane on this one. Yeah, it would take, like, an extreme amount of money for them to jump into this dumpster fire. Yeah, and yeah, to Alfred's point, it's not a national contract, you'd have to win them state by state, which I don't think is worth it. It's a lot of work. You've got to have basically lobbyists or a sales team in all 50 states, sometimes different counties within states, and that's just...
it's a lot of trouble.

Let's take a couple more questions before we call it a day. Another one from Fujian: how does hacking into a phone prevent blockchain from providing appropriate election votes? Wouldn't people have to hack millions of phones? And if your vote is on blockchain, is it safe? I mean, in the same way that, like, so if you use Signal or you use WhatsApp or you've used iMessage, like, that's encrypted, like, messaging, like, that's supposed to be secure too. You can't, like, pick up, like, what I'm sending you through Signal through, like, Wi-Fi or anything like that. Like, the NSA can't really intercept that. But what they can do is, if they have access to my phone, they can just open the Signal app and see it that way. That's what I mean: like, encryption, yes, is, like, extremely secure, as is blockchain, but there are workarounds to it that, like, make it, like, inconsequential in some scenarios. Right, but to his point, hacking a bunch of phones individually, yes, it's not scalable. Yeah, but, like, this wouldn't be hacking phones in the sense of... like, you can also hack, like, accounts. Like, if you can log into, like, your Android phone with, like, you know, if I just have access to, like, your Gmail account or something like that, and then I can, like, set up my phone to log into your Gmail account, and then from there I can find out your login to your blockchain voting app that you have, like, that's like a pretty, like, good workaround for that. Like, your blockchain, the vote itself, like, is most likely secure, like, if you're using, like, a form of encryption on it, but, like, there are, like, several workarounds for that. I just hope the hackers have my same political leanings, so they're just gonna vote the same way I would anyway. You know, that's what I would be... I mean, I guess if you had access to the account information of, like, whatever, hundreds of thousands, yeah, of accounts, that would work, but I guess, I mean, that would be kind of tough to scale if you
didn't have that. Yes, yeah, scaling is always, like, the biggest challenge on these things. So yeah, I understand, but, like, the point that I mentioned on the podcast also, like, even if it's just one phone that's hacked and, like, one phone that's compromised, that still, like, really, like, shakes the core of, like, confidence in elections, right? And that's what, like, this whole hacking village thing really is about, for me at least, where, you know, the idea is, and they said this about the 2016 presidential election too, where they basically said, like, there's no proof that any votes were altered by, like, any of these Russian hackers, but they were successfully able to, like, shake the core of, like, trust and confidence in aural and it isn't even... Yeah, but that's a really good point: they didn't even change the votes, all they had to do was infiltrate certain systems and show that... Mostly voter records. Yeah, yeah. So, like, that's my point, though, that, like, another angle of this is to basically, like, have you not trust your vote, and they don't have to change the vote to do that. Mm-hmm. Yeah, the only thing you can do is just vote for Mickey Mouse and then call it a day.

All right, one more question on the way out the door, from Sir enjoy one more time: did the EVM defendant say that such a vulnerability exposure would reduce voter turnout among the young generations? I mean, is he asking, did the vendor say that, or, like, the folks in the hacking village? It just seems like generally anybody in the village, anybody who is a defender of the exposure, how would that sway young generation turnout? Um, I think that's a bigger question than, like, voter hacking content. I mean, I'm sure there's many other reasons why younger people are disillusioned with democracy and voting. This could contribute to it. I don't think it's the only reason, though, or main reason, really. Yeah, yeah, yeah. OK, I guess we're just gonna leave it there. I'm very green on this entire
topic, so I'm learning throughout this entire conversation today, as I do most days. Most days.

Closing thoughts before we wrap it up: let's go ahead and put our votes out for what we think the next best toy to hack is going to be. I'm putting my money on Tamagotchi. Is that back already? Oh, the Simon Says thing. Not connected. Now do one on this that's all fancy internet-connected. The color music thing? Yeah. So what, it's just gonna, like, do the wrong beat and destroy your self-esteem? Yes, exactly, exactly. So the Sony dog, what is it, the Aibo, Aibo? Yeah, yeah, just turn it into, like, an attack dog or something. Not sure what, an adorable attack dog? Yeah, that's a slogan worthy of a T-shirt. Doesn't even have know that things have knives, so... And, uh, well, what would you do to hack the Magic Leap? Just, again, disorient. I'd make it profitable.

Thanks, everybody, for joining us, that was fun. Tell us in your comments and questions and tweet at us, let us know what you think a good toy to hack would be besides Teddy Ruxpin, and what challenges could be at hand to do so. Until then, we'll see you guys tomorrow. Thanks again to USB for sponsoring the show. Ben, you're gonna take us out here? Sure. The 3:59 is available on iTunes, TuneIn, Stitcher, FeedBurner, Google Play Music, Google Podcasts, the Amazon Echo and, of course, cnet.com. Thanks, everybody, for your questions, and we'll see you again tomorrow. Bye-bye.