Podcasts about security holes

  • 29 podcasts
  • 33 episodes
  • 35m average duration
  • Infrequent episodes
  • Latest episode: Jan 31, 2024

Popularity chart (2017 to 2024)


Best podcasts about security holes

Latest podcast episodes about security holes

Sales and Marketing Built Freedom
Plugging the Security Holes in Your AI Pipeline with Chris "Tito" Sestito, CEO and Co-Founder of Hidden Layer
Jan 31, 2024, 38:41

Ryan interviews Chris "Tito" Sestito, co-founder and CEO of Hidden Layer, a company providing security solutions for AI models. Tito outlines Hidden Layer's full platform to secure AI, including scanning models for malware, monitoring model behaviour to catch attacks, and proxying API calls to block abuse. Tito then discusses various impressive enterprise use cases he's seen and talks about the common mistake businesses are making.

Join 2,500+ readers getting weekly practical guidance to scale themselves and their companies using Artificial Intelligence and Revenue Cheat Codes. Explore becoming Superhuman here: https://superhumanrevenue.beehiiv.com/

KEY TAKEAWAYS
  • Pre-trained open-source models often get reused internally but may contain backdoors if not scanned thoroughly first.
  • Current cybersecurity tools don't inspect model code, so they can't catch malware hidden in models; specialized AI security tooling is desperately needed.
  • Tito stresses that while AI promises much value, it requires thoughtful implementation with appropriate safeguards.
  • Models deployed into production pipelines are vulnerable to surrogate attacks and theft. Safeguards are needed for both internally hosted models and external API-based ones.
  • Diverse, specialized use cases are extracting tremendous value from AI across industries. However, many teams lack the skills or processes to properly evaluate or fine-tune models.
  • Generative AI is increasingly being used for fraud, deception and reputation attacks.
  • The talent shortage, especially in adversarial ML, poses scaling challenges for AI security start-ups.

BEST MOMENTS
"We have found thousands of examples of models that have been loaded with malware where we've malware hiding in weights of models."
"Current cybersecurity stack is not even parsing models. It's like trying to point a windows product at a Mac file."
"If you have the inputs to the model and you have the outputs to the model, you basically have the training set and the labels."
"Every time we talk to a customer, we find a new [AI use case]. The world is getting really creative."
"There's just an enormous shortage of adversarial machine learning talent out there."

Ryan Staley, Founder and CEO, Whale Boss
ryan@whalesellingsystem.com
www.ryanstaley.io
https://www.whalesellingsystem.com/closingsecrets

AppleInsider Daily
09/07/2023: AirPods turn 7, updates patch security holes, iPhone 15 cameras leak, Entrepreneur camp opens, China being weird again, and Apple TV speaks German
Sep 8, 2023, 7:10

Contact your host with questions, suggestions, or requests about sponsoring the AppleInsider Daily: charles_martin@appleinsider.com

Chapters:
  • (00:00) 01 - Intro
  • (00:13) 02 - AirPods turn 7
  • (02:05) 03 - Upgrades day!
  • (02:58) 04 - iPhone 15 camera gossip
  • (04:10) 05 - Camp Iwannabuildabizness
  • (05:00) 06 - Y U so mad, China?
  • (05:54) 07 - German-language Apple TV+
  • (06:34) 08 - Outro

Links from the show:
  • Apple launched AirPods seven years ago, and changed the world again
  • Apple fixes exploited security flaws with iPadOS & iOS 16.6.1, watchOS 9.6.2, macOS Ventura 13.5.2 updates
  • Exploit patched in iOS 16.6.1 update delivered Pegasus spyware
  • Entire iPhone 15 lineup's camera specs detailed in last-minute leak
  • Apple's Entrepreneur Camp application window is now open
  • China's iPhones ban seen as effort to restrict Apple's access to market
  • China widens ban on officials using iPhones but isn't enforcing it
  • China government iPhone ban will have almost no effect on sales, says analyst
  • Apple TV+ unveils its first German-language show
  • (Link to the Entrepreneur Camp registration site)

Subscribe to the AppleInsider podcast on: Apple Podcasts, Overcast, Pocket Casts, Spotify
Subscribe to the HomeKit Insider podcast on: Apple Podcasts, Overcast, Pocket Casts, Spotify

MacVoices Video
MacVoices #23189: MacVoices Live! - Reddit Conflict, A Scam Warning, The Apple Tax That Isn't (2)
Jul 10, 2023, 39:12

This MacVoices Live! session continues as we explore the conflicts within Reddit, risks of mailing checks, and a security breach with Western Digital's My Cloud service. Chuck Joiner, Jim Rea, David Ginsburg, Ben Roethig, Brian Flanigan-Arthurs, Web Bixby, Mark Fuccio and Eric Bolden challenge the concept of the "Apple tax" and talk about Google's exit from domain name registration. (Part 2)

This MacVoices is supported by Notion. Do your most efficient work with Notion Projects. You can try it for free today at notion.com/macvoices.

Show Notes

Chapters:
  • 0:03:14 Reddit's Server Costs and Financial Troubles
  • 0:04:57 Reddit's Poor Communication and Business Decision
  • 0:05:23 Lessons Not Learned: Alienating Users and Potential Blowback
  • 0:06:43 Volunteer Moderators: The Backbone of the Platform
  • 0:07:02 Reddit's popularity due to previous service, Digg
  • 0:08:51 Concerns about Reddit's future as a profit-generating company
  • 0:10:45 The Strengths and Weaknesses of Reddit
  • 0:11:51 Communities seeking alternate information storage options
  • 0:14:23 Risks of check interception and electronic payment alternatives
  • 0:17:40 Payment methods and concerns about giving direct account access
  • 0:19:42 Safety tip: Use separate checking accounts for different purposes
  • 0:22:14 Western Digital's MyCloud security breach and data protection concerns
  • 0:27:09 Concerns about Security Holes and Dubious Services
  • 0:29:25 Apple Value vs. Apple Tax
  • 0:31:03 Oculus devices vs. Meta's Quest: Quality and Cost Comparison

Links:
  • Reddit hackers demand $4.5 million and API changes in threat to leak 80GB of data: https://www.engadget.com/reddit-hackers-demand-45-million-and-api-changes-in-threat-to-leak-80gb-of-data-114041164.html
  • Why You Should Stop Sending Checks in the Mail, Especially Now: https://lifehacker.com/why-you-should-stop-sending-checks-in-the-mail-especia-1850543113
  • Western Digital's cloud storage service went down for days due to breach: https://www.itbrew.com/stories/2023/04/21/western-digital-s-cloud-storage-service-went-down-for-days-due-to-breach
  • Meta will lower the Quest headset's recommended age from 13 to 10: https://www.engadget.com/meta-will-lower-the-quest-headsets-recommended-age-from-13-to-10-211153535.html
  • Google Domains shutting down, assets sold and being migrated to Squarespace: https://9to5google.com/2023/06/15/google-domains-squarespace/

Guests:

Web Bixby has been in the insurance business for 40 years and has been an Apple user for longer than that. You can catch up with him on Facebook, Twitter, and LinkedIn.

Eric Bolden is into macOS, plants, sci-fi, food, and is a rural internet supporter. You can connect with him on Twitter, by email at embolden@mac.com, on Mastodon at @eabolden@techhub.social, and on his blog, Trending At Work.

Brian Flanigan-Arthurs is an educator with a passion for providing results-driven, innovative learning strategies for all students, but particularly those who are at-risk. He is also a tech enthusiast who has had a particular affinity for Apple since he first used the Apple IIGS as a student. You can contact Brian on Twitter as @brian8944. He also recently opened a Mastodon account at @brian8944@mastodon.cloud.

Mark Fuccio is actively involved in high tech startup companies, both as a principal at piqsure.com and as a marketing advisor through his consulting practice Tactics Sells High Tech, Inc. Mark was a proud investor in Microsoft from the mid-1990s, selling in mid 2000, and hopes one day that MSFT will again be an attractive investment. You can contact Mark through Twitter, LinkedIn, or on Mastodon.

David Ginsburg is the host of the weekly podcast In Touch With iOS where he discusses all things iOS, iPhone, iPad, Apple TV, Apple Watch, and related technologies. He is an IT professional supporting Mac, iOS and Windows users. Visit his YouTube channel at https://youtube.com/daveg65 and find and follow him on Twitter @daveg65 and on Mastodon at @daveg65@mastodon.cloud.

Jim Rea has been an independent Mac developer continuously since 1984. He is the founder of ProVUE Development, and the author of Panorama X, ProVUE's ultra fast RAM based database software for the macOS platform. Follow Jim at provue.com and via @provuejim on Twitter.

Ben Roethig has been in the Apple Ecosystem since the System 7 days. He is a former Associate Editor with Geek Beat, Co-Founder of The Tech Hangout and Deconstruct, and currently shares his thoughts on RoethigTech. Contact him on Twitter and Mastodon.

Support:
  • Become a MacVoices Patron on Patreon: http://patreon.com/macvoices
  • Enjoy this episode? Make a one-time donation with PayPal

Connect:
  • Web: http://macvoices.com
  • Twitter: http://www.twitter.com/chuckjoiner and http://www.twitter.com/macvoices
  • Mastodon: https://mastodon.cloud/@chuckjoiner
  • Facebook: http://www.facebook.com/chuck.joiner
  • MacVoices Page on Facebook: http://www.facebook.com/macvoices/
  • MacVoices Group on Facebook: http://www.facebook.com/groups/macvoice
  • LinkedIn: https://www.linkedin.com/in/chuckjoiner/
  • Instagram: https://www.instagram.com/chuckjoiner/

Subscribe:
  • Audio in iTunes
  • Video in iTunes
  • Subscribe manually via iTunes or any podcatcher: Audio: http://www.macvoices.com/rss/macvoicesrss, Video: http://www.macvoices.com/rss/macvoicesvideorss

MacVoices Audio
MacVoices #23189: MacVoices Live! - Reddit Conflict, A Scam Warning, The Apple Tax That Isn't (2)
Jul 7, 2023, 39:13


Smart Software with SmartLogic
Michael Lubas on the Future of Elixir Security
Apr 6, 2023, 40:30

In today's episode of Elixir Wizards, Michael Lubas, founder of Paraxial.io, joins hosts Owen Bickford and Bilal Hankins to discuss security in the Elixir and Phoenix ecosystem. Lubas shares his insights on the most common security risks developers face, recent threats, and how Elixir developers can prepare for the future.

Topics covered:
  • Common security risks, including SQL injection and cross-site scripting, and how to mitigate these threats
  • The importance of rate limiting and bot detection to prevent spam SMS messages
  • Continuous security testing to maintain a secure application and avoid breaches
  • Tools and resources available in the Elixir and Phoenix ecosystem to enhance security
  • The Guardian library for authentication and authorization
  • Take a drink every time someone says "bot"
  • The difference between "bots" and AI language models
  • The potential for evolving authentication, such as Passkeys over WebSocket
  • How Elixir compares to other languages due to its immutability and the ability to trace user input
  • Potion Shop, a vulnerable Phoenix application designed to test security
  • Talking Tom, Sneaker Bots, and teenage hackers!
  • The importance of security awareness and early planning in application development
  • The impact of open-source software on application security
  • How to address vulnerabilities in third-party libraries
  • Conducting security audits and implementing security measures

Links in this episode:
  • Michael Lubas: email michael@paraxial.io, LinkedIn https://www.linkedin.com/in/michaellubas/
  • Paraxial.io: https://paraxial.io/
  • Blog/Mailing List: https://paraxial.io/blog/index
  • Potion Shop: https://paraxial.io/blog/potion-shop
  • Elixir/Phoenix Security Live Coding: Preventing SQL Injection in Ecto
  • Twitter: https://twitter.com/paraxialio
  • LinkedIn: https://www.linkedin.com/company/paraxial-io/
  • GenServer Social: https://genserver.social/paraxial
  • YouTube: https://www.youtube.com/@paraxial5874
  • Griffin Byatt on Sobelow: ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application (https://www.youtube.com/watch?v=w3lKmFsmlvQ)
  • Erlang Ecosystem Foundation: Security Working Group - https://erlef.org/wg/security
  • Article by Bram - Client-Side Enforcement of LiveView Security (https://blog.voltone.net/post/31)

Special Guest: Michael Lubas.

Sophos Podcasts
S3 Ep125: When security hardware has security holes
Mar 9, 2023, 20:47

Memories of Michelangelo (the virus, not the artist). Data leakage bugs in TPM 2.0. Ransomware bust, ransomware warning, and anti-ransomware advice.

Original music by Edith Mudge. Got questions/suggestions/stories to share? Email tips@sophos.com or find us on Twitter at @NakedSecurity.

Bitcoin Audible
Guy's Take #62 - Dear Peter Zeihan...
Jan 10, 2023, 84:54

How much economic ignorance can you fit into 1 minute and 54 seconds? Well, apparently it's quite a lot. Peter Zeihan confidently embarrassed himself on Joe Rogan's podcast recently by going on a short rip regarding Bitcoin's negative value and how a reliable, fixed money causes economic disaster but the inflated, debt-drowned political currency is more valuable. And how counterfeiters have rightfully earned the wealth they steal, but savers gaining some purchasing power as the economy grows is "unviable." We dive into a short clip of Peter Zeihan and take it apart, piece by ignorant piece, in today's Guy's Take episode. Strap in.

Here are the links to so many other reads for diving further into these economic ideas if you want a deeper understanding. All highly recommended:
  • No Bitcoin Has No Intrinsic Value, and that's great!: https://open.spotify.com/episode/0EyuzhpYZRR5TimBl28Ngw?si=f5223cb0872545f9
  • Another Way to Think About Bitcoin's Value: https://open.spotify.com/episode/5d8O5XztARIi0eI7lYMmSN?si=8c89c2cf2c4a4f0a
  • World Hyperinflations: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2130109
  • When Money Dies: https://www.amazon.com/When-Money-Dies-Adam-Fergusson-audiobook/dp/B004FU1028
  • Trusted Third Parties are Security Holes: https://open.spotify.com/episode/21iWPjbJrRfZb3sBUb6zkD?si=c5946f4f85984745
  • The Dawn of Trustworthy Computing: https://open.spotify.com/episode/4AkUNUNGFeCibaPyQWtHSY?si=c351d269b0ee4cf6
  • The Whitepaper: https://open.spotify.com/episode/1mxIgLMRVzsuYj964ZiLa9?si=3e386d6c5ae14864
  • The Use of Knowledge in Society: https://open.spotify.com/episode/6itH5T3tXPlLfJil5jcuU4?si=82d1e0deb1da4725
  • The Yield From Money Held, Reconsidered: https://open.spotify.com/episode/67dqOHWLX9NRmAs4S0G9XQ?si=9f8fa16e335e4dc6

Don't forget to check out our amazing sponsors:
  • Dive into the Bitcoin-only wallet, the cypherpunk calculator, and a company that has built secure Bitcoin products for nearly a decade. Code BITCOINAUDIBLE gets 10% off everything in the store until Christmas! (https://guyswann.com/coldcard)
  • Get sats back every time you dump fiat at a store or pay your bills; everything in your fiat life pays you sats with the Fold Debit Card and FoldApp. 5,000 FREE SATS at https://guyswann.com/fold
  • The best place to onboard a true Bitcoiner: stack sats automatically, withdraw automatically, and learn or get help from the best team of Bitcoiners out there with Swan Bitcoin. (https://swanbitcoin.com/guy)

"The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust." – Satoshi Nakamoto

Learn more about your ad choices. Visit megaphone.fm/adchoices
Send in a voice message: https://podcasters.spotify.com/pod/show/bitcoinaudible/message

Bitcoin Audible (previously the cryptoconomy)
Guy's Take #62 - Dear Peter Zeihan...
Jan 10, 2023, 85:29


Thinking Elixir Podcast
131: Start Securing Elixir and Phoenix
Dec 27, 2022, 38:12

Securing our apps is our responsibility as developers. We are the custodians and the guardians of our users' data. We met up again with Michael Lubas to discuss some lesser-known community security resources and helpful tips to get us started with securing our Elixir and Phoenix applications!

Show Notes online: http://podcast.thinkingelixir.com/131

Elixir Community News
  • https://erlangforums.com/t/otp-25-2-released/2166 – Erlang/OTP 25.2 is the second maintenance patch package for OTP 25, with mostly bug fixes as well as improvements.
  • https://twitter.com/livebookdev/status/1603787699458113539 – HuggingFace announced "spaces", a feature that lets people run Docker images on HuggingFace.
  • https://huggingface.co/spaces/livebook-dev/single_file_phx_bumblebee_ml – Elixir Phoenix was specifically shown as a Docker example on HuggingFace.
  • https://twitter.com/sean_moriarity/status/1602817446875992066 – Sean Moriarity added a "negative prompts" feature to Nx's Stable Diffusion support.
  • https://github.com/elixir-nx/bumblebee/pull/109 – PR adding "negative prompt" support.
  • https://twitter.com/miruoss/status/1604849993130676225 – Michael Ruoss has a new Kino plugin for working with Kubernetes pods.
  • https://github.com/mruoss/kino_k8s_term – KinoK8sTerm
  • https://twitter.com/livebookdev/status/1603391808209391617 – Livebook added two new neural network tasks to Bumblebee integration.
  • https://twitter.com/hanrelan/status/1603470678081929216 – Customized Livebook Stable Diffusion shows intermediate steps when generating images.
  • https://blog.ftes.de/elixir-dijkstras-algorithm-with-priority-queue-f6022d710877 – Fredrik Teschke wrote a blog post using Livebook to visualize Dijkstra's algorithm for finding the shortest path between nodes in a graph.
  • https://notes.club/ – Notesclub is a website by Hec Perez that makes it easy to share and discover Livebook notebooks online.
  • https://twitter.com/louispilfold/status/1602740866602631170 – Louis Pilfold announced his last full day at Nomio. He is now working full time on Gleam.
  • https://twitter.com/louispilfold/status/1600960290455113728 – Louis Pilfold shared that Bumblebee, Nx and Axon work in Gleam thanks to Gleam's new Elixir support.
  • https://twitter.com/kipcole9/status/1604929772253229057 – Kip Cole has a library called Image. He added Image.Classification.classify(image) using Bumblebee.
  • https://sessionize.com/code-beam-lite-stockholm-2023 – Code BEAM Lite Stockholm 2023, 12 May 2023, Stockholm, Sweden. Call for speakers is open until Feb 5th 2023.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email show@thinkingelixir.com.

Discussion Resources
  • https://paraxial.io
  • https://paraxial.io/blog/securing-elixir – Securing Elixir/Phoenix Applications - 5 Tips to Get Started
  • https://paraxial.io/blog/xss-phoenix – Cross Site Scripting (XSS) Patterns in Phoenix
  • https://podcast.thinkingelixir.com/93 – Previous interview with Michael
  • https://www.youtube.com/watch?v=w3lKmFsmlvQ – ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application - Griffin Byatt
  • https://felt.com/blog/rate-limiting – Rate Limiting Algorithms for Client-Facing Web Apps by Tyler Young
  • https://github.com/podium/elixir-secure-coding – Elixir Secure Coding Training (ESCT) that runs in Livebook
  • https://github.com/rrrene/html_sanitize_ex
  • https://fly.io/phoenix-files/github-actions-for-elixir-ci/ – Blog post about Elixir CI/CD checks
  • https://github.com/mirego/mix_audit – mix_audit
  • https://hexdocs.pm/mix/Mix.Tasks.Deps.Unlock.html – mix hex.audit
  • https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ – Erlang Ecosystem Foundation resource - Secure Coding and Deployment Hardening Guidelines
  • https://github.com/slab/safeurl-elixir – SafeURL hex package by Slab
  • https://slab.com/

Guest Information
  • https://twitter.com/paraxialio – on Twitter
  • https://github.com/paraxialio/ – on GitHub
  • https://paraxial.io/ – Blog
  • michael@paraxial.io
  • https://genserver.social/paraxial – on Mastodon

Find us online
  • Message the show - @ThinkingElixir (https://twitter.com/ThinkingElixir)
  • Message the show on Mastodon - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
  • Email the show - show@thinkingelixir.com
  • Mark Ericksen - @brainlid (https://twitter.com/brainlid)
  • Mark Ericksen on Mastodon - @brainlid@genserver.social (https://genserver.social/brainlid)
  • David Bernheisel - @bernheisel (https://twitter.com/bernheisel)
  • David Bernheisel on Mastodon - @dbern@genserver.social (https://genserver.social/dbern)
  • Cade Ward - @cadebward (https://twitter.com/cadebward)
  • Cade Ward on Mastodon - @cadebward@genserver.social (https://genserver.social/cadebward)

FLOSS Weekly (Video HD)
FLOSS Weekly 687: Open Source Roundtable - Discussing Open Source Security Holes
Jun 29, 2022, 59:36

Security with open source, the new OSSF, what Substack is doing to newsletters and newsletters are doing to blogging (and both are doing to the growing subscription economy), plus a call for open source tools that help subscribers manage their oversubscribed lives. All those and more are subjects of a roundtable discussion among Doc Searls, Katherine Druckman, Shawn Powers and Jonathan Bennett on this episode of FLOSS Weekly.

Hosts: Doc Searls, Jonathan Bennett, Shawn Powers, and Katherine Druckman
Download or subscribe to this show at https://twit.tv/shows/floss-weekly
Think your open source project should be on FLOSS Weekly? Email floss@twit.tv.
Thanks to Lullabot's Jeff Robbins, web designer and musician, for our theme music.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsors: kolide.com/floss, bitwarden.com/twit

FLOSS Weekly (MP3)
FLOSS Weekly 687: Open Source Roundtable - Discussing Open Source Security Holes
Jun 29, 2022, 59:19

Security with open source, the new OSSF, what Substack is doing to newsletters and newsletters are doing to blogging (and both are doing to the growing subscription economy), plus a call for open source tools that help subscribers manage their oversubscribed lives. All those and more are subjects of a roundtable discussion among Doc Searls, Katherine Druckman, Shawn Powers and Jonathan Bennett on this episode of FLOSS Weekly. Hosts: Doc Searls, Jonathan Bennett, Shawn Powers, and Katherine Druckman Download or subscribe to this show at https://twit.tv/shows/floss-weekly Think your open source project should be on FLOSS Weekly? Email floss@twit.tv. Thanks to Lullabot's Jeff Robbins, web designer and musician, for our theme music. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: kolide.com/floss bitwarden.com/twit

Cloud Security Podcast
Finding Security Holes in Azure Services

Cloud Security Podcast

Play Episode Listen Later May 15, 2022 34:42


In this episode of the Virtual Coffee with Ashish edition, we spoke with Yoav Alon, CTO, Orca Security Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Yoav Alon (@yoavalon) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy

Self-Driving Cars: Dr. Lance Eliot
Backdoor Security Holes In Self-Driving Cars

Self-Driving Cars: Dr. Lance Eliot "Podcast Series"

Play Episode Listen Later Dec 9, 2021 18:08


AI Insider and self-driving car industry guru, Dr. Lance Eliot explains backdoor security holes in self-driving cars. See his website www.ai-selfdriving-cars.guru for further information.

Crucial Tech
Episode 4.17 - Modern vehicles, especially EVs, are rife with security holes

Crucial Tech

Play Episode Listen Later Sep 17, 2021 29:01


A few weeks ago I was mercilessly cajoled by a PR firm to talk to the chief marketing officer of Sepio Systems, Bentsi ben Atar, about their products and services. I don't do product announcements, but I do talk about the problems the products were created to solve. So Bentsi and I talked for a while about how prevalent the potential for hacking modern vehicles is. And, apparently, public EV charging stations are a slam dunk for hackers. I hope this doesn't ruin your weekend. --- Send in a voice message: https://anchor.fm/crucialtech/message Support this podcast: https://anchor.fm/crucialtech/support

GlobalCryptoPress.com - Cryptocurrency News Live
US Anti-Encryption Bill Forces Companies To Build Security Holes In Apps/Hardware and Some Effects Will Spill Over To The Crypto World...

GlobalCryptoPress.com - Cryptocurrency News Live

Play Episode Listen Later Oct 12, 2020 1:48


Crypto's home for live, breaking real time cryptocurrency news. Covering Bitcoin, Ethereum, ICO's and Blockchain Technology along with current prices. https://www.globalcryptopress.com/2020/10/us-anti-encryption-bill-forces.html
Related: Facebook And Instagram Removed More Than 12 Million Pieces Of Child Porn - Ross Davis (Ross@GlobalCryptoPress.com), Breaking Crypto News

Security In Five Podcast
Episode 715 - Zoom Freezing New Updates To Fix Security Holes

Security In Five Podcast

Play Episode Listen Later Apr 2, 2020 7:14


Zoom has become very popular over the last month with an increase of users from 10 million to over 200 million. That put Zoom's privacy and security issues front and center. This episode talks about what Zoom is doing to address these issues. Be aware, be safe. Become A Patron! Patreon Page *** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five —————— Where you can find Security In Five —————— Security In Five Reddit Channel r/SecurityInFive Binary Blogger Website Security In Five Website Security In Five Podcast Page - Podcast RSS Twitter @securityinfive iTunes, YouTube, TuneIn, iHeartRadio,

American Banker Podcast
The gaping security holes plaguing real-time payments

American Banker Podcast

Play Episode Listen Later Dec 1, 2019 30:49


Stephen Lange Ranzini, CEO of University Bank in Ann Arbor, Mich., says The Clearing House's RTP and Early Warning's Zelle fail to meet basic requirements for enrollment, encryption of data in transit, and authentication.

This Week in Health IT
Bill Russell on UGM 2019, Google Exposes Apple Security Holes

This Week in Health IT

Play Episode Listen Later Sep 3, 2019 26:25


It's Tuesday News and here are some of the stories we covered.
- Judy Faulkner reflects on what a long, strange trip it's been for Epic Systems Corp. (Erik Lorenzsonn, Madison.com)
- 32M Patient Records Breached in First Half of 2019, 88% Caused by Hacking (Jessica Davis, Health IT Security)
- Phishing Attack Breaches Data of 183,000 Presbyterian Health Patients (Jessica Davis, Health IT Security)
- MGH reports data breach that exposed information of nearly 10,000 people (The Boston Globe)
- Close to one-third of healthcare employees have never received cybersecurity training, report shows (Jeff Lagasse, Healthcare Finance News)
- Apple Just Gave 1.4 Billion Users A Reason To Quit Their iPads, iPhones (Forbes)
- Bar is rising for consumerism in healthcare, but providers are still playing catch-up (Jeff Lagasse, Healthcare Finance Weekly)
- Opinion: It's Your Right To See Your Medical Records. It Shouldn't Be This Hard To Do (Harlan Krumholz, NPR)
- Google wants to reduce lifespan for HTTPS certificates to one year (ZDNet)
- CDSS Could Replace EHRs as Clinician Interface, says Frost & Sullivan (Fred Donovan, HITInfrastructure.com)
- Two-thirds of consumers say they're interested in telehealth, but far fewer have given it a try (Dave Muoio, Mobihealthnews.com)
- IBM's 'Dr. Watson' may have been misguided from the start

Elixir Mix
EMx 056: Sobelow and Security with Griffin Byatt

Elixir Mix

Play Episode Listen Later Jun 18, 2019 46:51


Sponsors Sentry use the code “devchat” for 2 months free on Sentry small plan Triplebyte offers a $1000 signing bonus CacheFly Panel Mark Ericksen Josh Adams Joined by Special Guest: Griffin Byatt Summary Griffin Byatt shares his background and what he is doing now as a security consultant for NCC Group. The panel discusses his security library, Sobelow, and their experiences using it. Griffin explains how it works, how it came into being and the goal of Sobelow. The panel wonders who contributes to Sobelow and Griffin invites anyone to contribute. Vulnerabilities that are commonly seen across all frameworks and those specific to Elixir are discussed. Elixir’s security features are considered and Griffin shares his experiences working to improve the ecosystem. Griffin gives advice and recommends resources to developers. Links Substitute Teacher - Key & Peele https://www.nccgroup.trust/us/ https://brakemanscanner.org/ https://github.com/nccgroup/sobelow https://github.com/nccgroup/sobelow/blob/master/lib/sobelow/traversal/file_module.ex https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application - Griffin Byatt https://github.com/ueberauth/guardian https://oauth.net/ https://github.com/riverrun/phauxth https://github.com/riverrun/comeonin https://www.owasp.org/ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws https://griffinbyatt.com/ https://twitter.com/griffinbyatt https://twitter.com/elixir_mix https://www.facebook.com/Elixir-Mix Picks Mark Ericksen: https://stedolan.github.io/jq https://github.com/elixir-lang/elixir/releases Josh Adams: https://librem.one/ https://puri.sm/products/librem-5/ Griffin Byatt: https://www.freehaven.net/anonbib/ https://www.nccgroup.trust/us/our-research/assessing-unikernel-security/?research=Whitepapers  

Devchat.tv Master Feed
EMx 056: Sobelow and Security with Griffin Byatt

Devchat.tv Master Feed

Play Episode Listen Later Jun 18, 2019 46:51


Sponsors Sentry use the code “devchat” for 2 months free on Sentry small plan Triplebyte offers a $1000 signing bonus CacheFly Panel Mark Ericksen Josh Adams Joined by Special Guest: Griffin Byatt Summary Griffin Byatt shares his background and what he is doing now as a security consultant for NCC Group. The panel discusses his security library, Sobelow, and their experiences using it. Griffin explains how it works, how it came into being and the goal of Sobelow. The panel wonders who contributes to Sobelow and Griffin invites anyone to contribute. Vulnerabilities that are commonly seen across all frameworks and those specific to Elixir are discussed. Elixir’s security features are considered and Griffin shares his experiences working to improve the ecosystem. Griffin gives advice and recommends resources to developers. Links Substitute Teacher - Key & Peele https://www.nccgroup.trust/us/ https://brakemanscanner.org/ https://github.com/nccgroup/sobelow https://github.com/nccgroup/sobelow/blob/master/lib/sobelow/traversal/file_module.ex https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application - Griffin Byatt https://github.com/ueberauth/guardian https://oauth.net/ https://github.com/riverrun/phauxth https://github.com/riverrun/comeonin https://www.owasp.org/ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws https://griffinbyatt.com/ https://twitter.com/griffinbyatt https://twitter.com/elixir_mix https://www.facebook.com/Elixir-Mix Picks Mark Ericksen: https://stedolan.github.io/jq https://github.com/elixir-lang/elixir/releases Josh Adams: https://librem.one/ https://puri.sm/products/librem-5/ Griffin Byatt: https://www.freehaven.net/anonbib/ https://www.nccgroup.trust/us/our-research/assessing-unikernel-security/?research=Whitepapers  

TechtalkRadio
Episode 239 - My Motherboard is a Truck

TechtalkRadio

Play Episode Listen Later Apr 7, 2019 55:29


John Broadway returns and joins Andy Taylor to converse about the latest in technology. Computer systems, both desktop and laptop, have continued to perform well years after they were built or purchased. Andy's Asus K55 has begun to show a slowdown in performance, which he believes could be from a system fan beginning to fail. Asus has been in the news recently with a security hole found in its motherboard update feature; the company has since patched the problem, which some believe affected over a million users. Broadway and Andy nonetheless share their view of the consistent quality of Asus motherboards over the years. John gives us an analogy of the computer system with comparisons to the auto world. John Broadway talks about the auto-update features on systems and why they are a great solution for patching security holes. Looking for a plan on how to roll out a new desktop computer? John shares some good tips. A story about a problem which arose with a Lenovo system, where the company's customer service took care of the situation. Once again, Broadway calls in the best NASCAR reference for explaining RAID. The guys disagree on the need for third-party anti-virus programs for consumers. Over the years the AV programs have changed, with results that became bloated over time. Andy swears by the latest version of Norton; John calls on the Windows Defender program as a good choice, but reminds us that it is about user education to not be click-happy! The computer professionals hired to work on your computer systems should be checked out for references. John feels that background certification should be required as a way to protect end users. Listener comments for Broadway thanking him for his military service, and also praise for his support for Ubiquiti products. Why are smartphones so pricey? Are they offering better features? The guys talk about the streaming service said to be coming from Apple. Is Apple coming in too late in the game? John shares why he doesn't think they are. John shares a website, MXToolbox.com, to see if your webmail may be on a blacklist. Connect with us on our social media sites. Facebook @techtalkers Twitter @TechtalkRadio Instagram techtalkradio Web: TechtalkRadio.Com

WIRED Security: News, Advice, and More
Online Stock Trading Has Serious Security Holes

WIRED Security: News, Advice, and More

Play Episode Listen Later Aug 9, 2018 6:44


It's never been easier to trade stocks; just a few taps or clicks will do the trick. But most of the platforms that millions of market participants rely on to move their money suffer from cybersecurity shortcomings, new research warns. As if stocks weren't risky enough already. A new report from Alejandro Hernández, a security consultant at IOActive, found that nearly all of the 40 major online trading platforms he investigated had at least some form of vulnerability.

Talk Python To Me - Python conversations for passionate developers
#168: 10 Python security holes and how to plug them

Talk Python To Me - Python conversations for passionate developers

Play Episode Listen Later Jul 6, 2018 60:00


See the full show notes for this episode on the website at talkpython.fm/168.

Bitcoin Audible (previously the cryptoconomy)
CryptoQuikRead_083 - Trusted Third Parties are Security Holes

Bitcoin Audible (previously the cryptoconomy)

Play Episode Listen Later Jun 1, 2018 38:19


If you are curious of the foundations of thought that ultimately led to the creation of the Bitcoin system, Nick Szabo is absolutely the one to read.  Listen to Szabo’s “Trusted Third Parties and Security Holes” from 2001 @nakamotoinstitute Check out the full article and other works at the nakamoto institute as well as to explore the links to dig deeper into the discussion: https://nakamotoinstitute.org/trusted-third-parties/ --- Send in a voice message: https://anchor.fm/thecryptoconomy/message

Bitcoin Audible
CryptoQuikRead_083 - Trusted Third Parties are Security Holes

Bitcoin Audible

Play Episode Listen Later Jun 1, 2018 38:19


If you are curious of the foundations of thought that ultimately led to the creation of the Bitcoin system, Nick Szabo is absolutely the one to read.  Listen to Szabo's “Trusted Third Parties and Security Holes” from 2001 @nakamotoinstitute Check out the full article and other works at the nakamoto institute as well as to explore the links to dig deeper into the discussion: https://nakamotoinstitute.org/trusted-third-parties/ --- Send in a voice message: https://podcasters.spotify.com/pod/show/bitcoinaudible/message

Finding Genius Podcast
Chris Kitze of flashcoin.io discusses Flashcoin, Megacoin, and Blockchain Security Holes

Finding Genius Podcast

Play Episode Listen Later Jan 5, 2017 62:15


Chris Kitze is a man of vast experience, knowledge, and unique perspective when it comes to cryptocurrency, and especially security surrounding private keys, what's private vs. what is spied upon by various actors (hint: everything). What started out as a discussion of Flash Coin and how this upcoming, innovative token is set to change how people use the internet and various websites, became a fascinating and sobering look at the ability of various actors to steal bitcoin, infiltrate most online systems and communications, and what the future of cryptocurrencies, Bitcoin and Flashcoin hold. Listen, subscribe, review. Then, Satoshi-willing, help support Future Tech podcast with your Bitcoin donation to our public key, listed on the website.

Mac OS Ken
Mac OS Ken: 12.13.2016

Mac OS Ken

Play Episode Listen Later Dec 13, 2016 17:39


- Apple Releases iOS 10.2 - Mega Emoji Update in iOS 10.2 and watchOS 3.1.1 - Apple Plugs 11 Security Holes with iOS 10.2 - Apple Releases Updates for watchOS and Apple TVs - iTunes Store and App Stores Take Two-Hour Nap - Report: BeatsX Wireless Headphones May Be Delayed Three Months - Reports: AirPods May See Limited Release Ahead of Holidays - Fun with Numbers without Numbers: Microsoft Surface Edition - Apple Reportedly Rejects Samsung Pay Mini iOS App - The Worth of $1 Billion - Use promo code MOSK20 by 31 December to get 20% off a number of Drobos at - Power Mac OS Ken through Patreon at ! - Send me an email: or call (716)780-4080!

Inside Out Security
IoT Pen Tester Ken Munro: Security Holes (Part 1)

Inside Out Security

Play Episode Listen Later Oct 12, 2016 9:46


If you want to understand the ways of a pen tester, Ken Munro is a good person to listen to. An info security veteran for over 15 years and founder of UK-based Pen Test Partners, his work in hacking into consumer devices — particularly coffee makers — has earned lots of respect from vendors. He's also been featured on the BBC News. You quickly learn from Ken that pen testers, besides having amazing technical skills, are at heart excellent researchers. They thoroughly read the device documentation and examine firmware and coding like a good QA tester. You begin to wonder why tech companies, particularly the ones making IoT gadgets, don't run their devices past him first! There is a reason. According to Ken, when you're a small company under pressure to get product out, especially IoT things, you end up sacrificing security. It's just the current economics of startups. This approach may not have been a problem in the past, but in the age of hacker ecosystems, and public tools such as wigle.net, you're asking for trouble. The audio suffered a little from the delay in our UK-NYC connection, and let's just say my Skype conferencing skills need work. Anyway, we join Ken as he discusses how he found major security holes in wireless doorbells and coffee makers that allowed him to get the PSK (pre-shared keys) of the WiFi network that's connected to them.

Transcript

Inside Out Security: You've focused mostly on testing the IoT — coffee makers, doorbells, cameras — and it's kind of stunning that there's so much consumer stuff connected to the internet. The Ring Doorbell and iKettle were examples, I think, where you obtained the WiFi PSKs (pre-shared keys). Could you talk more about your work with these gadgets?

Ken: Yeah, so where they're interesting to us is that in the past, to get hold of decent research equipment to investigate, it used to be very expensive. But now that the Internet of Things has emerged, we're starting to see low-cost consumer goods with low-cost chip sets, with low-cost hardware, and low-cost software starting to emerge at a price point that the average Joe can go and buy and put into their house. A large company, if they buy technologies, has probably got the resources to think about assessing their security … and put some basic security measures around. But average Joe hasn't. So what we wanted to do was try and look to see how good the security of these devices was, and almost without exception, the devices we've been looking at have all had significant security flaws! The other side of it as well, actually, it kind of worries me. Why would one need a wireless tea kettle?

IOS: Right. I was going to ask you that. I was afraid to. Why do you think people are buying these things? The advantage is that you can, I guess, get your coffee while you're in the car and it'll be there when you get home?

Ken: No. It doesn't work like that … Yeah, that's the crazy bit. In the case of the WiFi kettle, it only works over WiFi. So you've got to be in your house!

IOS: Okay. It's even stranger.

Ken: Yeah, I don't know about you but my kitchen isn't very far away from the rest of my house. I'll just walk there, thanks.

IOS: Yeah. It seems that they were just so lacking in some basic security measures … they left some really key information unencrypted. What was the assumption? That it would be just used in your house and that it would be just impossible for someone to hack into it?

Ken: You're making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all. I think that's one of the biggest issues right now: there are a lot of manufacturers here and they're rushing new product to market, which is great. I love the innovation. I'm a geek. I like new tech. I like seeing the boundaries being pushed. But those companies are rushing technologies to market without really understanding the security risk. Otherwise, you're completely exposing people's homes, people's online lives by getting it wrong.

IOS: Right. I guess I was a little surprised. You mentioned in your blog something called wigle.net?

Ken: Yeah, wigle is … awesome and that's why WiFi's such a dangerous place to go.

IOS: Right.

Ken: Well, there's other challenges. It's just the model of WiFi — which is great, don't get me wrong — when you go home with your cell phone, your phone connects to your WiFi network automatically, right? Now, the reason it can do that is by sending what are called client probe requests. And that's your phone going, "Hey, WiFi router, are you there? Are you there? Are you there?" Of course, when you're out and about and your WiFi's on, it doesn't see your home WiFi router. But when you get home, it goes, "Are you there?" "Yeah, I'm here," and it does the encryption and all your traffic's nice and safe. What wigle does — I think it stands for wireless integrated geographic location engine, which is crazy … security researchers have been out with wireless sniffers, scanners, and mapped all the GPS coordinates of all the wireless devices they see. And then they collate that onto wigle.net, which is a database of these which you can basically query a wireless network name … and work out where they are. So it's really easy. You can track people using the WiFi on their phones using wigle.net. You can find WiFi devices. A great example of that was how we find the iKettle: you can search wigle.net for kettles. It's crazy!

IOS: Yeah, I know. I was stunned. I had not seen this before. I suspect some of the manufacturers would be surprised if they saw this. We see the same thing in the enterprise space or IT. I'm just sort of surprised that there are so many tools and hacking tools out there. But in any case, I think you mentioned that some of these devices start up as an access point and that, in that case, you know the default access name of the iKettle or whatever the device is, and then you could spot it. Is this the way the hackers work?

Ken: No, that's right. The issue with an IoT WiFi device is that when you first put it up, you need to get through a process of connecting to it and connecting it to your home WiFi network. And that is usually a two-stage process. Usually. It depends. Some devices don't do this but most devices, say, the iKettle, will set itself up as an access point first or a client-to-client device, and then once you go in and configure it with your cell phone, it then switches into becoming a client on your WiFi network. And it's going through that set of processes where we also found issues and that's where you can have some real fun.

IOS: Right. I think you took the firmware of one of these devices and then were able to figure out, let's say, a default password.

Ken: Yeah. That's another way. It's a completely different attack. So that's not what we did with the iKettle. We didn't need to go near the firmware. But a real game changer with IoT devices is that the manufacturer is putting their hardware in the hands of their customers … Let's say you're a big online retailer. Usually you bring them in with an application and you buy stuff. With the Internet of Things, you're actually putting your technology — your kit, your hardware, your firmware, your software — into the hands of your consumers. If you know what you're doing, there's great things you can do to analyze the firmware. You can extract it off from devices, and going through that process, you can see lots of useful data. It's a real game changer, unlike a web application where you can protect it with a firewall … But with the Internet of Things, you put your chips into the hands of your customers and they can do stuff with that potentially, if they have got security right.

IOS: Right. Did you talk about how they should have encrypted the firmware or protected it in some way? Is that right?

Ken: Yeah. Again, that's good practice. In security, we talk about having layers of defense, what we call defense in depth, so that if any one layer of the security chain is broken, it doesn't compromise the whole device. And a great example of getting that right would be to make sure you protect the firmware. So you can digitally sign the code so that only valid code can be loaded onto your device. That's a very common problem in design where manufacturers haven't looked at code signing and therefore we can upload rogue code. A good example of that was the Ring doorbell. Something that's attached to the outside of your house. You can unscrew it. You can walk off with it. And we found one bug whereby you can easily extract the WiFi key from the doorbell! Again, the manufacturer fixed that really quickly, which is great, exactly what we want to see, but our next step is looking at it and seeing if we can take the doorbell, upload rogue code to it, and then put it back on your door. So we've actually got a back door on your network.

IOS: Right, I know. Very scary. Looking through your blog posts, there were a lot of consumer devices, but then there was one that was in, I think, more of a borderline area and it was ironically a camera. It could potentially be a security camera. Was that the one where you got the firmware?

Ken: Yeah, that was an interesting one. We've been looking at some consumer grade CCTV cameras, although we see these in businesses as well. And we've particularly been looking at the cameras themselves and also the digital video recorders, the DVRs where they record their content onto. So many times we find someone has accidentally put a CCTV camera on the public Internet. You've got a spy cam into somebody's organization! The DVR that records all the content, sometimes they put those on the Internet by mistake as well. Or you find the manufacturers built it so badly that … it goes on by itself, which is just crazy.

IOS: Yeah, there are some stunning implications, just having an outsider look into your security camera. But you showed you were able to, from looking at the … it was either the firmware or once you got into the device, you could then get into the network. Was that right?

Ken: Yeah, that's quite ironic really, isn't it? CCTV cams, you consider to be a security device. And what we found is not just the camera but also the DVR, if you put it on your network and … it can create a backdoor onto your network as well. So you put on a security device that makes you less secure.

IOS: One of the things you do in your assessments is wireless scanning and you use something, if I'm not mistaken, called Kismet?

Ken: Kismet's a bit old now … There are lots of tools around, but the Aircrack suite is probably where it's at right now. And that's a really good suite for wireless scanning and wireless cracking.

IOS: Right. So I was wondering if you could just describe how you do a risk assessment. What would be the procedure using that particular tool?

Ken: Sure. At its most basic, what you'd be looking to do, let's say you're looking at your home WiFi network. Basically, we need to make sure your WiFi is nice and safe. And the security of a WiFi key is how long and complex it is. It's very easy to grab an encrypted hash of your WiFi key by sitting outside with a WiFi antenna and a tool like Aircrack, which allows you to grab the key. What we then want to do is try and crack that offline. So once I've got your WiFi key, I'm on your network, and we find in a lot of cases that with ISP WiFi routers, the default passwords just aren't complicated enough. And we looked at some of the ISPs in the U.K. and discovered that some of the preset keys, we could crack them on relatively straightforward equipment in as little as a couple of days.

IOS: Okay. That is kind of mind-blowing because I was under the impression that those keys were encrypted in a way that would make it really difficult to crack.

Ken: Yeah, you hope so but, again, it comes down to the length and complexity of the key. If your WiFi network key is only, say — I don't know — eight characters long, it's not really going to stand up to a concerted attack for very long. So again, length and complexity is really important.

IOS: Yeah, actually we do see the same thing in the enterprise world and one of the first recommendations security pros make is the keys have to be longer and the passwords have to be longer than at least 8.

Ken: We've been looking at some … there's also the character set as well. We often find … the WiFi router often might only have lower case characters and maybe some numbers, and those numbers and characters are always in the same place in the key. And if you know where they are and you know they're always going to be lower case, you've reduced the complexity.

IOS: Right.

Ken: So I'd really like to be seeing 12-, 15-, 20-character passwords. It's not a difficult thing. Every time you get a new smartphone or a new tablet, you have to go and get it from the router, but really I think people can cope with longer passwords that they don't use very often, don't you think?

IOS: No, I absolutely agree. We sort of recommend, and we've written about this, that you can … as an easy way to remember longer passwords, you can make up a mnemonic where each letter becomes part of a story. I don't know if you've heard of that technique. You can get a 10-character password that's easy to remember and therefore becomes a lot harder to decrypt. We've also written a little bit about some of the decrypting tools that are just easily available, and I think you mentioned one of them. Was it John the Ripper?

Ken: John is a password brute force tool and that's really useful. That's great for certain types of passwords. There are other tools for doing different types of password hashes but John is great. Yeah, it's been around for years.

IOS: It's still free.

Ken: But there are lots of other different types of tools that crack different types of password.

IOS: Okay. Do you get the sense that, just going back to some of these vendors who are making these devices, I think you said that they just probably are not even thinking about it and perhaps just not even aware of what's out there?

Ken: Yeah, let's think about it. The majority of start-up entrepreneur organizations that are trying to bring a new IoT device to market, they've probably got some funding. And if they're building something, it's probably going to be going into production nine months ahead. Imagine you've got some funding from some investors, and just as you're about to start shipping, somebody finds a security bug in your product! What do you do? Do you stop shipping and your company goes bust? Or do you carry on and try to deal with the fallout? I do sympathize with these organizations, particularly if they had no one giving them any advice along the way to say, "Look, have you thought about security?" Because then they're backed into a corner. They've got no choice but to ship or their business goes bankrupt, and they've got no ability to fix the problem. And that's probably what happened with the guys who made the WiFi kettle. Some clever guys had a good idea, got themselves into a position where they were committed, and then someone finds a bug and there's no way of backing out of shipping.

IOS: Right, yeah. Absolutely all true. Although we like to preach something called Privacy by Design — at least it's getting a lot more press than it did a couple years ago — which is just that the people at the C-level suite should be aware that you have to start building some of these privacy and security ideas into the software. Although it's high-sounding language. And you're right, when it comes to it, a lot of companies, especially start-ups, are really going to be forced to push these products out and then send out an update later, I guess is the idea. Or not. I don't know.

Ken: That's the chance, isn't it? So if you look at someone like Tesla, they've had some security bugs found last year and they have the ability to do over-the-Internet updates. So the cars can connect over WiFi and all their security bugs were fixed over the air in a two-week period! I thought that was fantastic. So they can update in the field … if you figured out that, brilliant. But they don't have the ability to do updates once they're in the field. So then you end up in a real stick because you've got products you can only fix by recalling, which is a huge cost and terrible PR. So hats off to Tesla for doing it right. And the same goes for the Ring doorbell. The guys thought about it. They had a process whereby it got the updates really, really easy, it's easy to fix, and they updated the bug that we found within about two weeks. And that's the way it should be. They completely thought about security. They knew they couldn't be perfect from the beginning. "Let's put a cable in place, a mechanism, so we can fix anything that gets found in the field."

IOS: Yes. We're sort of on the same page. Varonis just sees the world where there will always be a way for someone to get into especially newer products and you have to have secondary defenses. And you've talked about some good remediations with longer passwords, and another one we like is two-factor authentication. Any thoughts on biometric authentication?

Ken: Yes. Given the majority of IoT devices are being controlled by a smartphone, I think it's really key for organizations to think about how they've authenticated the customer to a smart device or, if they have a web app, the web interface as well, how they authenticate the customer to that. I'm a big fan of two-factor authentication. People get their passwords stolen in breaches all the time. And because they will reuse their passwords across multiple different systems, passwords stolen from one place and you find another place gets compromised. There was a great example, I think, some of the big data breaches … they got a password stolen in one breach and then someone got their account hacked. It wasn't hacked. They just had reused the password!

IOS: Right.

Ken: So I'm a real fan of two-factor authentication to prevent that happening. Whether it's a one-time SMS to your phone or a different way of doing it, I think two-factor authentication is fantastic for helping Average Joe deal with security more easily. No one's going to have an issue with, "Look, you've sent me an SMS to my phone. That's another layer of authentication. Great. Fantastic." I'm not so much a fan of biometrics by themselves and the reason for that is my concern about revocation. Just in case the biometric data is actually breached, companies get breached all the time, we've not just lost passwords, because passwords we throw them away, we get new ones, but if we lose your biometric, we're in a bit more of a difficult position. But I do think biometrics work brilliantly when they're combined with things like passwords. Biometric plus password is fantastic as a secure authentication.

IOS: Thanks for listening to the podcast. If you're interested in following Ken on Twitter, his handle is TheKenMunroShow or you can follow his blog at PenTestPartners.com. Thanks again.

TruthIn7Minutes Podcast
Bulletproof the latest WordPress security holes in seconds

TruthIn7Minutes Podcast

Play Episode Listen Later Oct 4, 2015 7:44


This post reveals the best way to protect WordPress from hackers ...

Marsha Collier & Marc Cohen Techradio by Computer and Technology Radio / wsRadio
03/07/15 Twitter Verified & Klout scores; Apple Watch?; Rock Band is Back and Sim City is Gone; New Galaxy phones; Apple Pay Security Holes; Top Apps in February; New on Streaming TV

Marsha Collier & Marc Cohen Techradio by Computer and Technology Radio / wsRadio

Play Episode Listen Later Mar 7, 2015 26:33


Marsha Collier & Marc Cohen Techradio by Computer and Technology Radio / wsRadio
03/07/15 Twitter Verified & Klout scores; Apple Watch?; Rock Band is Back and Sim City is Gone; New Galaxy phones; Apple Pay Security Holes; Top Apps in February; New on Streaming TV

Marsha Collier & Marc Cohen Techradio by Computer and Technology Radio / wsRadio

Play Episode Listen Later Mar 7, 2015 28:26


Mac OS Ken
Mac OS Ken: 01.30.2015

Mac OS Ken

Play Episode Listen Later Jan 30, 2015 19:14


- NYT: New Regs in China Have Companies Crying Protectionism
- Report: Apple Top Luxury Goods Maker in China
- Western Union Adds Apple Pay as Payment Option
- Misconnections Force Short iTunes Connect Closure
- Apple Kicks Off Back-to-School Promotion in Australia and New Zealand
- Apple Updates Yosemite to v10.10.2
- Apple Updates iOS to v8.1.3
- Apple Updates iTunes to v12.1
- Apple TV Update Plugs 16 Security Holes
- 120 Sports Hits Late-Model Apple TVs
- Sony Killing Music Unlimited; Transferring Customers to Spotify
- Tangerine: Sundance Film Shot on iPhone 5S
- Cast Set for Steve Jobs Movie
- lynda.com: Learn Apple software, plus business and creative skills, from easy-to-follow video tutorials at .

SECTHIS.COM Security Podcast
Podcast 48 - Google, Apple, RIAA, SCADA

SECTHIS.COM Security Podcast

Play Episode Listen Later Jun 5, 2008


Richard Clarke: 'Government Failed You' on Security
Largest Public Power Grid at Cyber Risk, Feds Say
Minnesota Town Tells Google Maps: Keep out - We Mean It!
Apple Patches 40 Security Holes
Inside the Attack that Crippled Revision3
Intro music by Jessy Moss
Hosts: Gene Naftulyev, CISSP; Anatoly Elberg, CISSP