Synopsis
Jon and Eric have worked in the security space as developers, architects and leaders for more years than they care to count. At some point Jon said, "we should do a podcast", and here we are. From commentary on current events to random musings, they chat (mostly) about security and technology topics. However, life is more than just the day job. From beekeeping adventures to hiking mountains to shows on Netflix, there's always something fun to wrap up the show.
Episodes
-
172: Where Have All The Containers Gone
26/03/2021 Duration: 43min
Eric's on another road trip, and Jon's just back from camping (and plumbing). Exchange followup with 'indiscriminate' deployment of Black Kingdom ransomware, Hobby Lobby's exposed S3 bucket, Revenge Plot has real world consequences, more zero days used by an advanced group, and a walk through a TikTok RCE. For fun we have Space Probes, a Container Shortage, and no shortage of (bald) eagles.
0:00 - Intro 10:59 - Black Kingdom 12:45 - Hobby Lobby Exposed 14:04 - Revenge Plot 17:57 - "Expert" Hackers 23:04 - TikTok Android RCE 30:32 - Space Probes 34:02 - Container Shortage 39:51 - Eagles!
-
171: I Liked The Segue
19/03/2021 Duration: 50min
Jon is swimming in eggs and Eric is learning German. CryptoKitties are back in the form of NFTs and SMS hijacking just got easier. Using unregistered domain names in your code isn't awesome and more SolarWinds/Exchange disclosures. Eric watches a show in German while Jon discovers a Greek Computer.
0:00 - Intro 10:47 - Not Nifty NFTs 16:02 - Easy SIM Hijacking 20:59 - Default Values go Ooops 27:40 - Mimecast Incident Report 35:10 - Hackerville 39:10 - Pi Day (or Tau Day?) 41:53 - Antikythera
-
170: Dark Spin
13/03/2021 Duration: 48min
Jon fertilizes and Eric's got (more) water problems. The Exchange zero day has been seriously exploited. A vulnerability in a WiFi mouse app, a novel bitsquatting technique, and a new WebKit remote code execution. For fun you can get a job in Remote, Oregon, watch an amazing drone-in-a-bowling-alley video, and learn just what IS inside a proton?
0:00 - Intro 17:26 - Hafnium Timeline 24:26 - Krebs 30k Article 26:18 - WiFi Mouse 29:12 - Squatting Bits 33:55 - WebKit RCE 38:11 - Remote, Oregon 41:08 - Bowling for Drones 42:31 - What's In A Proton
-
169: Space Hurricane...
05/03/2021 Duration: 51min
Eric finds a drone and stinky garbage. Jon orders pizza and builds garden beds. Logos, Space and Spectre followup. People can't get into their cars without keys and Exchange can't deliver mail without a 0 day. SpaceX SN10 lands upright-ish until it doesn't and Eric suggests Talking to Strangers. Jon notes a cat identifier and SPACE HURRICANES.
0:00 - Intro 16:44 - Logos! 19:39 - Arecibo Cleanup 20:38 - Meet NASA Flight Director: Diana Trujillo 22:23 - Weaponized Spectre 25:08 - Key Fob Failures 30:36 - Exchange 0-day 35:58 - Microsoft Note 38:06 - SN10 Goes Boom 41:02 - Talking to Strangers 44:34 - Cat Detector 47:40 - Space Hurricane
-
168: Dare Mighty Things
26/02/2021 Duration: 48min
Jon talks too much bees (and hornets) and Eric plans deck changes and lockpicking. For followup the Nursery Cam "loophole" is disclosed and the Jamaica story gets worse. California DMV users exposed in data breach, a Washington State audit of unemployment fraud results in a huge breach, and Apple releases their platform security guide. For fun we have the Perseverance parachute message, hope for net neutrality, and accurate magnetic reversal calculations thanks to well preserved trees in New Zealand.
0:00 - Intro 1:34 - Bee Talk 10:22 - Lockpick Kickstarter 14:23 - Nursery Cam "Loophole" 16:24 - Jamaica One More Thing 18:50 - California DMV 23:33 - Audit Oops 28:03 - Apple Security Guide 32:28 - Perseverance Parachute 38:32 - Net New-trality 41:43 - Adams Event
-
167: Old Man Smiles At Cloud
19/02/2021 Duration: 39min
Enjoying the cold... No snow day, but a "No Power Day". Space Helicopters, Nursery Cam Oopsies, Super Cookies, Jamaican Exposure and French Cyber Things. Eric shares a FIDO2 Kickstarter note and Jon reminisces about the origins of the Mozilla logo and Eric sneaks in a plug for folklore.org.
0:00 - Intro 11:27 - Space Helicopters 14:28 - Nursery Cam Oopsies 17:16 - Super Cookies 20:44 - Jamaican Exposure 23:53 - French Cyber Things 29:29 - Solo v2 FIDO2 Key 32:33 - Mozilla Logo 38:06 - Apple Folklore
-
166: Nano Chameleon
12/02/2021 Duration: 43min
Eric's latest app (Hash/Check) is officially released. Super Bowl was mostly watched and Jon can't gauge time. CISA releases malware analysis for Teardrop, a nifty bit of dependency research, cops playing music to take down live streams, Microsoft's TCP/IP patches, and a WordPress plugin vulnerability. For fun Eric brings a movie and short-shorts, and Jon brings the smallest known reptile and a prelude of next week's landing on Mars.
0:00 - Intro 4:07 - Hash/check 11:20 - CISA Teardrop MAR 12:32 - Dependency Confusion 18:35 - Dependency Confusion Pt. 2 20:52 - Beverly Hills Cops 25:11 - Microsoft TCP/IP Patches 28:26 - NextGen Gallery 32:02 - Along with the Gods: The Two Worlds 35:18 - Pixar Popcorn 37:05 - Nano Chameleon 39:32 - Perseverance Landing
-
165: They Are Teleporting...
05/02/2021 Duration: 41min
Eric whines about 3D printing tools. Jon puts bees in his fridge and gets graded on his pruning skills. Eric then whines about Big Sur and TouchID issues. Jon mentions a few notes on SUPERNOVA, sudo on macOS and AIX (of all things) and iCloud Passwords beyond Safari. Eric fails to whine about how iOS 14 Messages work under the covers and Jon does math on Zero Day Patch Success. Eric shifts to fawning over Bletchley Park and Jon introduces you to Lynn Conway.
0:00 - Pre Intro 0:11 - Intro 15:02 - Big Sur and TouchID 18:41 - CISA SUPERNOVA Notes 19:52 - Sudo Bug on macOS & AIX 23:14 - iCloud Passwords for Chrome 24:30 - iOS 14 Messages 28:32 - 25% of Zero Day Patches Failed 34:01 - Bletchley Park Online 37:23 - Lynn Conway
-
164: Ban Outsider Trading
29/01/2021 Duration: 53min
Eric fixes his leaky faucet and gains an electrical problem, Jon "repairs" his Jetta. New Crypto-miner for QNAP, more iOS zero days, a decade old Sudo vulnerability, and an international Emotet takedown. For fun we have a password shanty, a cookie monster rock, seesaws at the border, and the whole GameStop situation. Oh, and bonus: Eric's written an app!
0:00 - Intro 8:37 - Jetta P2015 Fix 14:22 - QNAP Crypto-miner 16:17 - More iOS Zero Days 20:12 - Stackoverflow Redux 24:47 - Sudo Elevation 31:39 - Emotet Takedown 36:05 - Password Shanty 37:00 - Cookie Monster Rock 38:00 - Border Seesaws 39:33 - Outsider Trading 49:16 - Hash/Check
-
163: Unusual Hyper-Spectral Properties
22/01/2021 Duration: 47min
Eric's got another side project and Jon has a cow. A little Sunburst followup, a few Chrome 88 notes and DNSpooq has a logo. Oregon State discovers the first new Blue in 200 years and Dire Wolf DNA derived from planes, trains and automobiles. Finally, go watch Amanda Gorman. Really.
0:00 - Intro 15:31 - Sunburst Followup 19:55 - Chrome 88 25:20 - DNSpooq 37:00 - New Blue 40:57 - Dire Wolf DNA 44:14 - Amanda Gorman
-
162: Stellar Routing
16/01/2021 Duration: 43min
Jon and Eric are both frustrated by water issues; Jon loses two bee colonies. Hope on the right-to-repair front from Europe, a side channel attack on hardware security keys, and evaluation of the Sunspot implant. For fun we have a Neal Stephenson novel 'Zodiac' and info about the James Webb Space Telescope that should launch in 2021.
0:00 - Intro 3:41 - Dead Bees 10:56 - Right To Repair 17:54 - Side channel on Security Keys 22:40 - Sunspot 30:41 - Zodiac 36:43 - James Webb Space Telescope
-
161: Are They Going Forward Or Backward?
09/01/2021 Duration: 38min
Eric gets new windows and watches a movie. Jon watches a show, fences some things and continues his flood watch. A look back 3 years at Spectre/Meltdown, Nissan leaks some code, Zyxel has backdoors and finally, SMB for your Browser! Jon pitches project pyodide and Eric mentions five axis printing and floating point video gaming.
0:00 - Ortni 11:01 - Spectre/Meltdown 3 years later 15:57 - Nissan Source Code Leak 21:05 - Zyxel Backdoor 25:01 - Web Assembly SMB 27:38 - Project Pyodide 30:35 - The Browser Will Be the OS 30:49 - Pitch and Yaw Printing? 34:10 - Floating Point Leviathan
-
160: Solarwinds Adjacent
02/01/2021 Duration: 42min
Final episode of 2020. Eric and Jon talk holidays. SolarWinds actors potentially using resellers as intrusion vector into cloud accounts. Physical security keys, ransomware against plastic surgeons, and taking down three bulletproof VPN providers. For fun we have dancing robots and an Alaskan Native rights activist.
0:00 - Intro 16:13 - Credential Abuse 22:21 - Physical Security Keys 27:02 - Plastic Surgery Dox 30:46 - VPN Takedown 34:19 - Do you Love me? 36:41 - Elizabeth Peratrovich
-
159: Not On Your Tractor
23/12/2020 Duration: 48min
Eric complains about Apple and Jon chimes in. More SolarWinds and Sunburst notes. Farmers get their own Cybersecurity talking to and Journalist Phone Security is discussed. Happy Virtual Holidays, all! If you like choral music, check out the Oregon Chorale. Jon mentions the Great Conjunction and Science Events to watch for in 2021.
0:00 - Intro 15:03 - More SolarWinds 17:38 - More Sunburst 20:43 - Cybersecurity for Farmers 25:33 - Journalist Phone Security 38:01 - Happy Virtual Holidays 40:53 - Oregon Chorale 42:00 - The Great Conjunction 44:29 - Science Events to Watch in 2021
-
158: When The AIs Agree
18/12/2020 Duration: 44min
Eric drives slow and safe, Jon is late for Christmas. CRISPR for sickle cell looks amazingly promising. A Trillion Dollar problem, exfil data by turning your memory into a wifi card, and the Big Hack. SolarWinds supply chain attack disclosed and fallout continues. For fun we have a grazing goat math problem, listening to a whale heart, and macroeconomics for sovereign nations.
0:00 - Intro 4:17 - In Colbert We Trust 11:01 - CRISPR Follow Up 14:05 - Hidden Costs of Cybercrime 15:16 - AIR-FI 20:03 - SolarWinds Supply Chain 25:12 - FireEye Sunburst 26:45 - Sneaky Injection 32:28 - Grazing Goats 36:13 - Whale Heart 39:05 - Spend then Tax
-
157: Blah blah blah blah blah bl-blah
11/12/2020 Duration: 47min
Tangents galore in the intro. Drone footage of Arecibo collapse. The Death of Flash (for realsies this time). The Next Apple Chips (already?) and some Public Transportation Ransomware, eh. Can you say "Socially Steganographic" with a straight face? Finish up with a glass of Quine Tweet and a stein of Kaggle Survey.
0:00 - Intro 17:04 - Arecibo collapse 17:56 - Flash EOL 19:10 - Next Apple Chips 21:40 - Public Transportation Ransomware 23:10 - The Ransom Note 25:07 - FireEye 29:49 - Socially Steganographic 36:02 - Quine Tweet 38:54 - Kaggle Survey
-
156: Sadness On A Stick
04/12/2020 Duration: 54min
Post Thanksgiving Link Extravaganza. Donate to Wikipedia! Monolith, LoRa (sidewalk??), and iOS followup; Ransomware Days instead of snow days, M1 shines with Windows and Tensorflow, and AWS announces a Mac service. And an enormous iOS radio proximity zero click attack. For fun the Star Wars scroll creator, the Arecibo collapse (not fun), ice age paintings in Colombia, and Human Nature on Netflix.
0:00 - Intro 11:27 - Monolith Follow Up 12:44 - Donate To Wikipedia 14:06 - Sidewalk and LoRa 16:59 - iOS Zero Day 20:01 - Ransomware Days 23:52 - Windows on M1 24:48 - Tensorflow on M1 26:31 - Amazon EC2 Macs 28:06 - iOS Proximity Zero Click 45:08 - Star Wars Scroll Creator 47:58 - Arecibo Collapse 50:56 - Chapel of the Ancients 53:53 - Human Nature
-
155: Deliciousness Per Unit Effort
27/11/2020 Duration: 49min
Jon and Eric talk about a book and forget to mention the name (Rhythm of War, btw). Running Office on Apple Silicon times 3. More Ragnar Locker followup just so we can say Ragnarlok again. cPanel 2FA oops and a MobileIron RCE (along with a Password Manager Detour). Finally, booting from vinyl, a mysterious obelisk in the middle of Southern Utah, and a look at Bees and LoRa.
0:00 - Intro 7:02 - The book! 16:13 - Office on the Apple M1 x3 19:37 - Ragnarlok followup 21:41 - cPanel 2FA oops 25:53 - Password Manager Detour 28:50 - MobileIron RCE 35:26 - Booting From A Vinyl Record 38:53 - Utah Monolith 41:25 - LoRa and Bees
-
154: Galaxy Awesome
20/11/2020 Duration: 57min
Covid continues, "winter" has arrived; MA passes right to repair law, how to turn off web site notifications, Microsoft announces their security co-processor, and Cisco fixes the ghost(s) in the machines. For fun we have the M1, how to install any iPhone/iPad app, Bill Gates and Rashida Jones' new podcast, and Mars' water loss.
0:00 - Intro 6:58 - Loss Of Bee Tree 15:44 - Right To Repair Initiative 20:32 - Web Site Notifications (Just ... don't) 24:28 - Pluton Processor 30:17 - Webex Ghosts 40:35 - M1 46:04 - Install any iPhone App 51:55 - Bill Gates and Rashida Jones Ask Big Questions 53:45 - Water On Mars
-
153: Call it Ragnarlok
13/11/2020 Duration: 47min
Eric doesn't hike Mt St Helens, instead finds mold growing in the bathroom. Jon goes to the coast and puts a wifi switch in his shop. Honest Criminals, Play Store "Malware", Liquor Ransomware, and 3 little iOS 0days. Eric throws a Jeopardy tribute and Jon does XSS and bioconductive ink.
0:00 - Intro 12:25 - Mt St Helens Hike 2020 13:28 - Honest Criminals 15:39 - Play Store "Malware" 27:05 - Liquor Ransomware 31:42 - iOS 0days 35:48 - Jeopardy! 38:51 - COVID Vaccine? 40:46 - XSS Company Name 43:17 - Bioconductive Ink