🧱⛓️🔐💦

Recorded: June 6, 2023 Duration: 0:32:07

Yeah, yeah, yeah, what up? Good morning
I'm all stuffy, just I don't know where all of a sudden I was totally fucked.
until like right before I had to start this. So I'll go drink some more water and work through it. Anyway, happy Tuesday. Happy, I think that's the first Tuesday of June.
That's exciting. Pretty much going to be halfway through the year. The end of this month. That's crazy. Time moves too fast. It needs to slow down. Anyway.
Got some interesting things to talk about today. Wait for the rest of the gang to get here. I'm gonna go ahead and get myself some water real quick. If you're listening in the future that applies to you because there's nobody in this room right now, aside from myself.
Yo yo yo, what up, homie? GM.
- I'll be doing all right today.
I'm getting my weed together. I got some really exciting things to talk about.
Yeah, yeah.
You got that thing yet? You got that thing on you? Get your ass up here. Okay, you're good enough.
A-A-G-M-G-N
Yeah, we're just five in I'm just five in until fucking Ramy and bandit get in here. Oh, yeah, how you boy is always Joe's base. Look right now. I feel like no one ever stars this base.
What they want to talk about, we always spend time chillin' and vibing because honestly, security is stressful. I'm just calling out. We don't want to talk about security, but it's a job. It's like a calling to save a
world at least for me it is. It's like this is your hero moment, dog. You want to be a superhero? Give behind the keyboard and don't piss nobody off. That's what's up, aren't we? That's fucking what's up. What's up, bandit? GF?
I got some fucking things pulled up to see that I posted a little thing. There's a new Chrome zero-day that just got dropped this morning. There's still, there's not even a CVSS score on it yet, but Google's internal threat analysis
team already identified it and patched it. They didn't really go into a lot of extra stuff, but there's that. There's a few other little tidbits and news that I was able to snag that I find rather interesting and wanted to discuss with the boys.
So yeah, I saw that Google one I definitely had to figure that out. Yeah, it's just a quick update. It's just a, you know, so but this is the third one this year. I'll tell you what Apple. I feel like it's more than that. No, it's been three for Google Chrome. That's a good place.
Three zero-days for Google Chrome since 2000, since the beginning of the year. They were all memory-related. Yeah, they're fresh as fuck. I mean, it's very, you know, still so early in the year, it's only five months and we just got through the fifth month, right? So like we're just, we're still like not even all the way through the year
year yet, but again, it was wild just because like Linux is getting more ransomware and malware now, same with Apple and stuff like wait and that I think is actually kind of really interesting. I think that's something we could like talk about, but like it's funny because like Apple and
and Linux in particular really have that air about them that they're not insecure, they're the least educated people would go about being like, "My Apple will never get a virus."
It's just good like that. They don't get viruses. I remember people saying that. And I was like, "It's a fucking computer. It could get infected. It doesn't matter if it's fucking what it is." You know what I mean? Threats exist in a bunch of different forms.
It just turns out that oh yeah, they've been fucking incredibly susceptible to a bunch of different threats But you know up until recently the pool was so small like compared to At least this is what a lot of security research says like the reason you see more You know exponentially more
threats on Windows devices and Android devices because of the ubiquity of those versus the other operating systems and other platforms in terms of general use in the population. More people in the world use Windows and Android.
the Nifel and Linux and the people that use Linux and Apple tend to be they kind of like subgroup themselves even more Linux users are incredibly tech savvy so like the pool of
potential people to take advantage of using ransomware, malware on Linux is dependent on getting people who are unfamiliar with it to install stuff. There's education, there's a curve there, but yeah, a lot of Apple users, they
like zero security understanding and at the same time though it's being leveraged heavily now by threat actors because we've seen multiple zero days and zero clicks just since the beginning of this year on Apple devices which is just like bonkers.
Now that's more interesting than zero clickings. I was trying to keep people mindful of those. The last one that really like fucked me up was the iMessage one. Did you see that one just like six weeks ago? Yeah, it just said but my thing is that's worse than the emotion.
I am totally fine with somebody figuring out a way to send me some malware and an emoji, at least I have to read your text. But from my understanding you don't have to read the text, just like with Windows you did not have to open the ISO file or
when you type a file extension, your Windows Explorer has something automatic that it will do to load that file and somebody inserted the malicious code at that point. Not opening, not downloading, no UAC bypass, you open your Documents folder
And that's essentially the same thing kind of that happens in that zero click sense. That fucking last one though, with the iMessage where it just automatically boop, it's installed. I think it was also like a, they utilized like a sandwich
thing in the title, like what that's what it was, it was like people were like writing, putting code, essentially injecting code into like the title of the post-dated event, and then just sending it to targets, and then it would automatically post that
event to the pass dates in the calendar without notifying the user and then execute whatever code was hidden in that. I don't know. And I haven't thought about it. Abuse the, abuse the calendar notification system, abuse the reminders.
the words they tell you all the time do not just click on random alerts million dollar you know honey pot available don't click on that shit you know why swipe that should open open your app and see what type of notification you have sitting in the app because
I don't even like advertise me from apps like yeah I turn off my notifications off I got only the I turn off all my I tried to film all my notifications and shit to their just watch me like I'll just get paralyzed reading shit that I don't need to read I got a question
What do you think the security risks are that exist or will exist for the new Apple fucking VR headsets? I like your blinker. It's like a metronome. I would have to see
What they're actually using what their specs are but offhand if there's data being collected it's not a monkey vulnerability I don't know what they're gonna collect about you But I think the biggest vulnerability is whatever they're collecting outside I'm wondering how vulnerable that device will be or if they actually hard to
But I also feel like they made it to be profitable. That's a 35 on it. If I'm thinking about the right one. Yeah, throw a $500 device, right? Yeah. Yeah. That costs more than your phone, more than your computer, more than that. That actually costs more than your desktop. So I'm wondering how
much process and power this thing is about to be carrying around. I think that's probably where the one is going to be like I'm going to give wherever going to end up with somebody's VR headset mining crypto. Yeah, but like so the price doesn't have shit to do with the capabilities because the price is
It's just the marketing. For Apple at least, not for all businesses. For most businesses, the price is just a natural reflection of the sustainable business model. But for Apple, it's literally part of their marketing because they want to appeal to the higher-inners,
people where money is not an issue, they want to get this as a status symbol. Maybe money is not an issue, maybe their credit isn't an issue. Right, maybe they could just give whatever they want. Regardless of the person that's going to buy this at the end of the day, this is going to be a high end one. But that's smart. Look at it. Look at it. Look at it. Look at it. Look at it.
3500 or 350 I want to look at it is the 3500 yeah right no no no no no but I'm saying like but to your point I want to say it to your point look at it like this. It could be 3500 or 350 the part of it that I was looking at was who's using it and
And like you said, what's the security vulnerability? No matter how much money they put into it, what's going to be the risk to the user potential? And I think that's what I was looking at more than, you know, are they trying to market to reach people or are they trying to market to poor people? Because like I said, it costs more than a phone. But like you said, some people are going to get it
And at some point it will be more affordable, I think. So look at some of the board. That's the reason I think like you said, they're targeting a higher echelon and I think that's definitely a factor. But I wanted to take it a step further. What happened?
is when I can afford to go get this thing. Facts. Yeah. No. And then we're looking at, okay, well, now Apple is in marketing to $3,500 marketing more. They want my little rope to be able to get it for, you know, for half an ETH, right? So they
They're looking at it look at that when they drop it and they start making more of them. Okay. Cool. Are they going to change their procedure? I think that's what I wanted you to look at right now. They're charging 3500 because that's what's going to get them their marketing and quotas and whatever their reasoning is, right? But if we change that and say now it's available for a hundred dollars,
Well, are they did the packaging change did the quality change did the security vulnerabilities increase 1000 x Yo no you ain't lying fucking I think part of the reason that they're doing it to you know the upper echelon is
It's just a smart kind of fucking business move in the sense that they're giving it to people who are gonna be happy with fit no matter what. Like the person that's gonna spend every 500 bucks on that is gonna be super fucking excited to have it even if it fucking doesn't work. And it's just because it's a conversation piece and something
to look at something to say, you know, you're part of that, you know, cultural zeitgeist in the moment and you have, you know, artifact from it. So yeah, so that's where like, I don't think that they're necessarily making security probably
like it's Apple so they probably have it top of mind all the time from like a business level but like from a product level they're probably just like you put it together, ship it and we'll figure it out as we go.
I think that's what I've looked at. Yeah, no exactly. What's the, what's the zero click for VR, right? Like I think that's the question. Yeah, I have no idea what I have no idea. And I think that's what scares me. I don't even know what I don't even know what the attack vectors
would look like for a VR headset outside of sniffing your data, packet crafting and getting something, getting it to do something that shouldn't do initially. Maybe it won't harm the person or maybe it won't steal the most sensitive data, but the more we poke, somebody's gonna figure out, somebody figured out.
But you just it's so funny. He said packet. I think I don't know what you're about to say, but you said packet. And you're gonna say, it's not like you're gonna say crash. Yeah, I did. Yep. This is that's what I was about to say. Packed crap. Yeah. And you fucking dropped out the moment you said that like your fucking data just disappeared. It just fucking evaporated like fucking Thanos snap
There's just about five seconds. It was funny as fuck though, it was perfect. It was very poetic. But no, I think, yeah, so sniffing, packing, crashing, what was the other thing you were going to say?
I think I said packet crafting and potentially it's just the start of getting the device to do things not supposed to do and responding in an intended way. I don't know if there'll be a zero click that makes sure it hits it crash on you or explode.
on you but I'm saying I don't know what the technology in the headset is yet so I did get a full handle on it so I can like explore it like it's time to be a security researcher with a VR headset I just don't have 30 pounds of security research money what's the I'd say like what's the
What are the risks that exist with existing headsets, like Oculus and stuff like that? And then differentiating what's happening that's different than what's already available. And I bet you it's going to come with its own ecosystem of applications. It's going to have its own processor. You know how they have different operating systems. They're probably going to
have a VR operating system. Because they got the iOS TV, they got the iOS for mobile, they've got macOS for desktop. I guarantee you they're going to come out with a specific plan. That's going to be part of their security protocol. Exactly. The iOS VR or whatever. And that's going to be for all of their
they're going to be doing it in perpetuity and creating a specific architecture just for the VR specific processing is not only going to be making more efficient for like graphics processing and whatnot, but it's also going to obviously offer unique security
and enhancements that maybe would not be available in other types of processors. Because again, what are we even talking about, like with this Chrome zero-day, all three of these Chrome zero-days have to do with misallocation and mismanagement of memory, right? So it's like when you look into how the threats that I have
actually exist when we're talking about people getting "hacked". It's more or less just making you go to a two-part thing. It's phishing you into going to a website you shouldn't be going to. And then once you're there, it's either doing nothing and having it be a zero-click interaction thing.
where you just go there and download something, that downloads something else. Next thing you know, you have a chain of events that leads to malware getting installed on your computer or the fuck my brain just dumped on itself. Oh, the heat management and the memory management. That works just straight up.
like you go to a fucking website that looks normal, but it's actually not. And just the interaction itself causes you to be like with the iOS stuff. And we're not just like literally this like a Chrome zero day we have right now. It goes that well, we don't know that actually. The last Chrome
zero day I think was the one where no the iOS browser it was a Safari zero day that allowed for a website to essentially write outside of the memory buffer and then in doing so leave the virtual environment that was created by the browser because iOS
create specific virtual environments for every application. As far as I'm aware and as far as I understand it, but by misallocating the memory, you can exit that fucking virtual machine and go to the root of the device itself. And so like that's again. So, so like, yeah, memory vulnerability
capabilities in these VR devices I can see maybe not maybe not Apple right but we're gonna see an uptake what's up Lerado um what's up fucking mine garden um we're gonna see an uptick over time no matter what of other devices coming out right I'm linked in their time
talking about it. He's like Apple's book and they're making the right moves. They're taking their second mover advantage. They watched Google fall on their face with their VR headsets, you know, essentially a decade ago. And they've seen Facebook come out and tinker with their own stuff. And now Apple's
ready to go full send. They're doing it probably the right way as much as possible. But again, it's a for profit company so they're not going to go further than they think they need to to satiate their shareholders and their consumers. But you're going to see an uptake in third party black market
knockoffs or just cheap or alternatives. And I think those are going to be where you're going to see smaller companies that are just jamming old processors and old graphics cards in there to make their thing work but be cheap as fuck. And that's going to be where we're going to see a huge
uptake insecurity, or rather insecurities, big vulnerabilities. Because I have no idea. I mean, I do like to an extent, like I fuck with, I've done AR filters and I do video editing and shit like that. Lots of fucking computer system resources go into
doing it just for a fucking computer screen. Right? So imagine having to project up, you know, imagining there's, you know, you have to account for both eyes. So there's constant like orientation that has to happen. There's sensors. There's so much information that has to go back and forth on top of the rendering of the data itself. And that all has to happen.
on a device that's on your face. Yeah, like they're gonna be a lot of shortcuts that get taken. So even if Apple doesn't introduce the insecurities, I think other people will. And I don't know. Like in terms of like you were saying, what can be stolen?
I think it would probably be used. I think the insecurities that exist just doing like a little thought experiment would be like a network, vulnerabilities, getting access to parts of the network that you shouldn't be able to because of improperly permissioned.
programs and settings and shit like that, configurations in general on the devices. And then that's just depending on your network security in your house or your office, that could be it, that could be the thing. But I think I wonder also about spatial data.
I got wonder what, not biometrics, but maybe I don't know if they're scanning your fucking eyes and shit, but what kind of personally sensitive data that we don't consider to be like sensitive could be exfiltrated also, that we would typically wouldn't consider. But then again, it's probably nothing more, I'm over here just fucking
talking. Uh, it's probably not. It's that's a definitely legitimate potential and I think that's kind of why I was getting again. I don't know when those vectors are going to show themselves, but I noticed the possibility because people still are unaware. It's not their fault, but they are seriously unaware of the potentials at times.
Facts. I think, yeah, as long as you don't store your seed phrases in crypto, your private keys and shit on it, I think it should be good to go.
That's my recommendation. Okay, so like you guys were talking about something, were you guys even, Remy, you guys were talking about TrueBot?
Was that just Remy? You were going to be able to hurt your robot.
Yeah, yeah, yeah. You can hear me now. I actually do some research on that one to catch up because yeah, if I just see a one-hits and I see it. There's liable to be a
how much ChatGPT Dithagram he uses. I bet you I bet you like this guy's putting out content why he's a fucking paper boy. I mean I do I look at you. I use it to summarize shit all the time.
for me. I mean, the thing is I also have to go back and double check. I can't be confident in something by itself. So I'll have it summarize something for me, but also pretty much agree the entire fucking thing anyway, just to make sure. And if I really
want to know something that I don't know about, I'm also going to go and try to like find sources for it and not just rely on ChatGPT because that motherfucker hallucinates, especially when it comes to highly specific things. Like once you start getting in the nitty gritty and asking questions, it'll just make shit up that sounds good.
And if you're like, did you hear, I think there was a law. There was a, well, we, you guys heard probably about the professor that, um, graded his, he, he submitted his students' papers to ChatGPT and asked it if they used ChatGPT.
and it said that they did and that it did write those papers and then he failed them. Oh, Saiyan's gone. He rugs. So there's that guy and then there's another fucking funny ChatGPT thing.
Oh, a lawyer, a fucking lawyer used ChatGPT to summarize his arguments and cited a bunch of non-existent
cases and submitted it. Now the judge is fucking pissed off from what I understand and yeah. So interesting just side tangent about ChatGPT, but I found fucking hilarious.
It's the mad. Oh my god, that's just that's life is comedy, you know, the universe is hilarious. You back saying? Yeah, I don't know if I wrote out or if it was just getting bad on the signal, but yeah, here we are.
Did you hear what I said about ChatGPT? Nope. I think I miss and actually not I'm back on stage. It seemed like I'm riggin it. It seemed like you're riggin out again. I don't know why. Am I? I don't know. Is it my fucking network? I'm gonna have to call fucking. It's hard to do like I constantly.
You can hear me still? You're saying, "Can you hear me?"
[birds chirping]
Try to intercept the invite. There it is.
Can you hear me now? Are we good?
All right
Okay, there it goes.
Oh my god.
[Coughing]
Is there a different color of the day in the light?
There goes.
(coughing) (birds chirping)
You'll be able to hear me now.
No fucking way.
Can you not hear me?
[Coughing]