Podcasts about ssl tls

One of the biggest issues holding back usage of retro computing platforms -- including Classic MacOS - is the lack of modern SSL/ TLS. That is getting fixed. Oh, and we're getting SDL too. More from The Lunduke Journal: https://lunduke.com/ This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit lunduke.substack.com/subscribe

Has the self-sovereign identity (SSI) movement strayed from its original values? Are we witnessing the centralization of digital identity under the guise of decentralization? In this compelling episode of The SSI Orbit Podcast, host Mathieu Glaude sits down with Christopher Allen, a pioneering figure in cryptography, decentralized identity, and internet security. Together, they unpack the troubling trends that suggest SSI ecosystems may be drifting away from foundational principles and towards models that ultimately serve governments and corporations rather than individuals. Christopher shares his deep industry experience, from co-authoring SSL/TLS, which secures the internet today, to leading the development of decentralized identity standards. He discusses how the early promises of user empowerment in digital identity have been eroded by the realities of commercialization, government control, and the re-centralization of power. He also reflects on lessons from history—how identity systems have been weaponized in past regimes—and warns of similar risks emerging in today's digital landscape. If you care about privacy, autonomy, and the future of digital identity, this episode is a must-listen. Tune in to hear a thought-provoking discussion on whether SSI is still on the right path—or if it's time to course-correct before it's too late.

Forecast: Breach storms surge with Chinese actors, Ivanti spreads wider, and malware disguises itself—stay alert and patched! ‍ This episode of Storm⚡️Watch features exciting developments in security tooling and concerning breaches in critical infrastructure. We're thrilled to finally talk about Censeye on the pod! It's Censys's powerful new automated hunting platform that's revolutionizing how security teams conduct threat hunting. This innovative tool combines automation with Censys's comprehensive internet scanning capabilities, complete with new gadgets that enhance threat detection and analysis capabilities. In major security news, a significant breach at the US Treasury's Committee on Foreign Investment (CFIUS) has been attributed to Chinese state-sponsored actors. This concerning development potentially exposed sensitive data about national security reviews of foreign investments in American companies. The Ivanti vulnerability situation continues to evolve, with UK domain registry giant Nominet now confirming they've been impacted by the recent Ivanti VPN exploits. This development highlights the expanding blast radius of this critical security issue. 2025 has already seen sophisticated threat actors weaponizing exploits, with researchers uncovering an information stealer disguised as a proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113). We'll explore how Censys Search is strengthening phishing prevention through advanced SSL/TLS certificate monitoring, providing organizations with crucial tools to identify and prevent potential phishing campaigns. The episode concludes with an in-depth look at GreyNoise classifications, particularly focusing on suspicious activity patterns identified in the last 24 hours. We'll break down what these classifications mean for security teams and how to leverage this intelligence effectively. Storm Watch Homepage >> Learn more about GreyNoise >>  

In this episode of the SANS Internet Storm Center's Stormcast, we cover the latest cybersecurity threats and defenses, including Python-delivered malware, goodware hash sets, SSL/TLS protocol updates, and critical vulnerabilities in ASUS routers and Paessler PRTG. Stay informed and secure your systems! Full details and links to all stories: SwaetRAT via Python: https://isc.sans.edu/diary/SwaetRAT%20Delivery%20Through%20Python/31554 Goodware Hash Sets: https://isc.sans.edu/diary/Goodware%20Hash%20Sets/31556 SSL/TLS Updates: https://isc.sans.edu/diary/Changes%20in%20SSL%20and%20TLS%20support%20in%202024/31550 Cyberhaven Extension Compromise: https://secureannex.com/blog/cyberhaven-extension-compromise/ PRTG Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-24-1736/ ASUS Router Vulnerabilities: https://cybersecuritynews.com/asus-router-vulnerabilities/

Brought to you by TogetherLetters & Edgewise!In this episode: Prisons in England and Wales record rapid rise in drones delivering drugsSpace debris weighing over 1,000 pounds reportedly crashes into village in KenyaCloudflare using lava lamps for secure SSL/TLS encryption US appeals court blocks Biden administration effort to restore net-neutrality rulesBill requiring US agencies to share custom source code with each other becomes law1-800-ChatGPT - Calling and Messaging ChatGPT with your phoneCFPB sues JPMorgan Chase, Bank of America and Wells Fargo over Zelle payment fraud (episodes 239 and 224)NHTSA finally releases new rules for self-driving cars — but there's a twistMullenweg Pauses WordPress Services - Hopes To Reopen Next Year (episode 361)Weird and Wacky: The Great Exhibition unveils the world's only office roller coaster in StockholmScientists Developed a Questionnaire to Identify if Your Cat Is a PsychopathThe Race to Translate Animal Sounds Into Human LanguageScientists Demonstrate 'Negative Time' In Groundbreaking Quantum ExperimentTech Rec:Sanjay - Orbit by Mozilla Adam - Kensington SlimBlade™ Pro Wireless TrackballFind us here:sanjayparekh.com &

Forecast = Expect severe disruptions in transit security, with a chance of clearer skies as the White House pushes for smoother collaboration with cybersecurity researchers. Transport for London's Cybersecurity Crisis Transport for London (TfL) has found itself in a cybersecurity “trainwreck,” facing a range of vulnerabilities and management issues that have exposed its infrastructure to significant risk. An investigation reveals a series of failures, from outdated systems to neglected security protocols, painting a chaotic picture of public infrastructure's readiness against cyber threats. With passengers' data and critical operations potentially at stake, this story highlights the growing urgency for improved cybersecurity measures in public sector systems. White House Endorsement of Cybersecurity Researcher Collaboration In a significant policy shift, the White House has endorsed a more collaborative approach with cybersecurity researchers, aiming to bolster national defenses against growing cyber threats. This endorsement includes support for responsible disclosure practices and partnerships that could help expedite vulnerability identification and mitigation across industries. By actively promoting collaboration, the administration signals a move toward a more unified and proactive stance on national cybersecurity, recognizing the essential role of researchers in safeguarding critical infrastructure and public safety. CVE's 25th Anniversary Report Celebrating 25 years, the Common Vulnerabilities and Exposures (CVE) program reflects on its progress in tracking and cataloging cybersecurity threats, becoming a cornerstone in the fight against vulnerabilities. The anniversary report not only emphasizes milestones in vulnerability identification and mitigation but also considers how the program must evolve to meet emerging challenges as cyber threats grow more sophisticated. With an eye on improving its database and keeping pace with the expanding threat landscape, CVE aims to continue being an essential resource for the cybersecurity community. CVE-2024-47575 Vulnerability as Flagged by Censys Censys has flagged CVE-2024-47575 as a serious vulnerability affecting systems reliant on outdated cryptographic protocols, specifically impacting certain SSL/TLS implementations. This vulnerability poses a risk to data integrity and confidentiality, enabling potential attackers to intercept or alter sensitive information in transit. The case of CVE-2024-47575 underscores the need for organizations to update and secure their cryptographic practices to avoid exposure to similar vulnerabilities.   Storm Watch Homepage >> Learn more about GreyNoise >>  

In this episode, host Jim Love delves into sophisticated phishing attacks, cybersecurity initiatives, and significant changes in data security protocols. Listeners will learn about a national survey revealing that 53% of Canadians would switch banks after a data breach and hear insights on Apple's proposal to shorten SSL/TLS certificate lifespans. The episode also covers 23andMe's data breach and settlement, and introduces the FIDO Alliance's new protocol designed to enhance passkey portability across platforms. Emphasizing the importance of robust cybersecurity measures and user education, the discussion highlights advancements in passwordless authentication, as demonstrated by major implementations from companies like Amazon. This episode offers an in-depth look at current cybersecurity challenges and forward-thinking solutions in the realm of user authentication. 00:00 Introduction and Show Format Update 00:48 Canadian Banking Cybersecurity Concerns 01:14 Survey Insights and Financial Sector Responses 03:25 Customer Concerns and Communication Gaps 04:17 Financial Impact of Data Breaches 05:13 Apple's SSL/TLS Certificate Lifespan Proposal 06:20 Google's Push for Shorter Certificate Lifespans 07:24 23andMe Data Breach Settlement 09:55 FIDO Alliance and Passwordless Authentication 12:38 Conclusion and Show Notes

In the latest episode of Storm⚡️Watch, we delve into the pressing issue of ransomware payments, which are on a notable decline as victims increasingly choose not to pay. The conversation then turns to the alarming frequency of cyberattacks that often go unnoticed by the public, and highlights one recent breach in the municipality where a major U.S. court case is occurring. We highlight several incidents at organizations across the globe, emphasizing the pervasive nature of these security breaches. We also dissect the sobering findings from the Dragos Industrial Ransomware Report for Q4, which reveals the increasing number of groups involved in ransomware attacks. This report underscores the challenges faced by industries in safeguarding their operations against such threats. A surprising revelation comes from Germany, where a job posting for a Windows 3.11 administrator for a rail line brings to light the outdated and insecure systems still in use, which pose significant security risks. The episode doesn't shy away from discussing major breaches, including the recent attacks on HPE and Microsoft, and the potential spillover effects these could have on the broader tech ecosystem. We also explore Cert Spotter, a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains. The team covers two recent blogs by Censys researchers, and takes a look at GreyNoise tags that are linked to ransomware gang activity. Lastly, we briefly note CISA's new Water and Wastewater Sector Incident Response Guid,e and touch upon the latest trends and active campaigns in the cybersecurity landscape, as well as a roundup of known exploited vulnerabilities, providing listeners with a comprehensive overview of the current state of cyber threats. Episode Slides >> Join our Community Slack >> Learn more about GreyNoise >>  

Blog: https://medium.com/asecuritysite-when-bob-met-alice/the-art-of-the-backdoor-e39f001ea8b9 Do you ever worry that your locksmith may take a copy of your key when they fit a new lock? Or that your locksmith has defined a lock which they know they have a skeleton key for? Or that your locksmith modifies the lock so that they can compromise it? And so we trust those that create locks to design them so that they cannot be broken easily, and that lock standard agencies around the world to set standards that promote good lock design, and, most of all, that locksmiths can be trusted to fit them without compromising them (and in giving us good advice). Introduction Well, let's look at software backdoors. Overall it's not an easy thing to put in a backdoor in a piece of software. Well, let me re-phrase that … “it is not an easy thing to put in a backdoor in a piece of software and for it not to be seen”. Computer security is a serious business, but you must smile a little when you see the lengths that some intruders will go to in order to compromise systems. Organisations such as the NSA have long been accused of applying backdoors into cryptography software, but the recent Apple login hack shows that there are lots of opportunities for others to get in on the act. The addition of a backdoor in the Apple compiler showcased the opportunity for large-scale compromises. Overall there are a number of ways that a backdoor can be added to a piece of software: Escrow. In encrypted communications, one method is to keep of copy of the encryption key that could be used at some time in the future. Details [here]. Defining a standard that you know you can crack. The NSA and law enforcement agencies around the world have been accused of helping to define a standard and setting various parameters, and they know they have the methods to crack them. Source code addition backdoor. This is the typical way that an intruder would add a backdoor, and where the additional code is added which will perform a task that allows the source code writer back into the system. Normally the code is added by the writer, but then an intruder finds out the backdoor and can exploit it. Injected code backdoor. With these, packages such as Metasploit insert some additional code into the application, which allows it to work the same, but creates a backdoor connection. Normally this is a call-out method, where the program calls out to the malware writer. Compiler backdoor. This is the best method for going undetected, and where the compiler, itself, adds the additional code to every program which uses the compiler. In terms of a mass exploit, the compiler backdoor will have the greatest scope as it will exploit a wide range of applications. The executable will also be signed to verify that it is a valid application. Vulnerability and XSS exploit. This involves compromising a system in order to create a backdoor, typically injecting code into a running application which causes the system to open up a backdoor connection. The open-up of a network connection will obviously be detected on the system, but code writers have implemented a number of smart ways to cover this up, including passing secret passphrases for passwords, or with port knocking, where network packets are sent to a well-known open port, which then causes another port to open. A. Defining a standard you know you can crack A key focus for law enforcement is the cracking of cryptography, especially for tunnels and VPN connections. Devices created by Juniper were found to have a flaw which allows agencies to decrypt VPNs traffic. The company may have also used Dual EC (Elliptic Curve) DRBG (Deterministic Random Bit Generator) for generating the random numbers required to create VPN tunnels. This method, which was promoted by the NSA, has a known weakness and can be cracked. The possible backdoor in Dual EC DRBG has been known about since 2004, and the team who worked on it had the chance to plug the gap but failed too. It thus allows law enforcement agencies to crack SSL/TLS encrypted traffic which used the method for random number generation. It was thus assumed that no one would use the method, but, in Juniper's case, it has been found in some of their devices. In 2013, Edward Snowden showed NSA memos which indicated that the NSA had been the sole editor of the standard, whereas NIST responded that it did not deliberately weaken any cryptography standard. The following year, NIST recommended that companies stop using it, and withdrew it from its draft guidance on random number generation. In 2013, also, OpenSSL was found to be implementing the method, which allowed TLS/SSL connections to be decrypted. The back door in the standard for Elliptic Curve method for Dual_EC_DRBY caused a great deal of suspicion on the definition of NIST's P curve standards, and that they had selected them so they could have an advantage in breaking the public keys. Most of the industry has moved away from the P standards (such as P-256) and towards Curve25519 (which is shown in the graphic on the right-hand side and which was created by Daniel J Bernstein), and now used by Tor, Signal, What's App, Facebook, OpenSSH, and many other standards. In 2013, Bruce Scheiner stated that he didn't trust the values selected: I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry I have plotted some of the standard Elliptic Curve parameters [here]. B. Source code additional back door It has long been the case where code writers have added additional code which allows them back into the code whenever required. They will often add debug functions which can be remotely enabled, but where they forget to switch-off. This backdoor method works well until the source code is read, and the additional code is revealed. With the rise of Git hub repositories, it can become obvious as to when the backdoor has been added. The following outlines a few backdoors: A classic backdoor was added to an FTP server (vsftp), which has an intentional backdoor within the version running on it. The back door is exploited with the username ending with: “:)” and then the server listens on port 6200 and awaits a connection: root@ubuntu:~# telnet 1.2.3.4 21Trying https://www.linkedin.com/redir/invalid-link-page?url=192%2e168%2e99%2e131...Connected to https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1.Escape character is '^]'.220 (vsFTPd 2.3.4)user mybackdoor:)331 Please specify the password.pass none ^]telnet> quitConnection closed.telnet 1.2.3.4 6200Trying https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1...Connected to https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1.Escape character is '^]'.id;uid=0(root) gid=0(root) The UnrealRCD IRC daemon runs on port 6667. The version on Metasploitable has a backdoor where the user sends “AB”, and then follows it with a system command on a listening port (see demo above). Intentional backdoors Cryptography cracking is often one of the most challenging areas for investigators to crack, so there have been many allegations of companies tampering with source code in order to create backdoors. While these are not necessarily network connections, the software is modified in a way which changes the functionality of the encryption function. One company — Crypto AG, a Swiss cryptography company who make encryption machines — has been accused of modifying their software in collusion with intelligence agencies from Germany (BND), the UK (GCHQ) and US (NSA). This was highlighted, in 1986, when Ronald Regan announced that the US had intercepted encrypted diplomatic communications between Tripoli and the Libyan embassy in East Berlin, related to a bombing in Berlin. In 1992, the Iranian government even arrested Hans Buehler, a salesman for the company, but was released in 1993 without revealing any flaws in the machines (and after $1 million bail money was paid). Crypto AG soon after dismissed Hans and requested he pay back the $1m. Since then Der Spiegel has interviewed former employees and concluded that the machine was indeed rigged. Even after several other investigations, there is still no conclusive proof of the rigging, but some suspect that the relationship with defence agencies goes back to 1954. Juniper backdoor Juniper recently announced that there were two backdoors on their devices, and which allowed intruders to gain administrator access and also decrypt the encrypted content. It was the kind of shock that has not been seen since the asleep script was released, and which could crack most Cisco Wi-fi access points which used the LEAP authentication method. With backdoors in cryptography being a hot topic, Juniper revealed that it had traced “unauthorized” code within its ScreenOS operating system on some of its firewalls, and which allowed an intruder to take complete control of Juniper's NetScreen firewalls using a hard-wired password. This would allow them to decrypt all the encrypted traffic for VPN connections. There is a patch for this, but intruders can now determine the required password — which has been hard-wired into the code — by examining the ARM code used in the backdoor: The strange thing is that the password is “

In this podcast, Jen Racine, Director of Sales Consulting at Entrust, and Andrew Sheedy, Enterprise Sales Director at Entrust, discuss the importance of managing SSL/TLS certificates and how agencies can maintain TLS encryption with Entrust Certificate Services (ECS). Listen to the podcast to discover how Entrust ECS can support your organization with SSL/TLS management to secure online communication, meet compliance requirements, advance Zero Trust initiatives and much more.

AWS Puts Up a New VPC Lattice to Ease the Growth of Your Connectivity AKA Welcome to April (how is it April already?) This week, Justin, Jonathan, and Matt are your guides through all the latest and greatest in Cloud news; including VPC Lattice from AWS, the one and only time we'll talk about Service Catalog, and an ultra premium DDoS experience. All this week on The Cloud Pod.  This week's alternate title(s): AWS Finally makes service catalogs good with Terraform Amazon continues to believe retailers with supply chain will give all their data to them Azure copies your data from S3… AWS copies your data from Azure Blobs… or how I set money on fire with data egress charges

Certbot is an important part of the ACME standard. This open source tool makes it easier for many IT administrators to use ACME to automate provisioning and installation of SSL / TLS certificates.

As the industry explores the expected consequences of 90-day maximum term for SSL / TLS certificates, some are wondering if the allowed validation data reuse period stands to go down also. We explain today's data reuse rules and what the evidence indicates will be required for both domain control validation (DCV) and organization information validation.

On this episode of The Cloud Pod, the team sits to talk about AWS's new patching policies, the general availability of Azure OpenAI, and the role of addressing IM or access management challenges in ensuring the seamless transition to the Cloud. A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights

On this week's episode of the podcast, I cover a whole lot of news, much of it not good news for Microsoft as a data breach of a service they maintained was disclosed, MFA suffered performance issues in Europe and an out-of-band patch had to be issues for an SSL/TLS issue. There is also news about Citrix SD-WAN, Windows 10 22H2 and more! Reference Links: https://www.rorymon.com/blog/microsoft-data-breach-citrix-sd-wan-end-of-life-send-messages-from-intune/

On The Cloud Pod this week, the team discusses why Ryan's yelling all day (hint: he's learning). Plus: Peter misses the all-important cloud earnings, AWS Skill Builder subscriptions are now available, and Google Eventarc connects SaaS platforms.  A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights

Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have. You can register here: https://cloudposse.com/office-hoursJoin the conversation: https://slack.cloudposse.com/Find out how we can help your company:https://cloudposse.com/quizhttps://cloudposse.com/accelerate/Learn more about Cloud Posse:https://cloudposse.comhttps://github.com/cloudpossehttps://sweetops.com/https://newsletter.cloudposse.comhttps://podcast.cloudposse.com/[00:00:00] Intro[00:01:36] Exploiting GitHub Actions on open source projectshttps://medium.com/tinder/exploiting-github-actions-on-open-source-projects-5d93936d189f[00:04:38] Search Engine for Developershttps://beta.sayhello.so/[00:06:16] GitHub Actions: Remove offline self-hosted runnershttps://github.blog/changelog/2022-08-03-github-actions-remove-offline-self-hosted-runners/[00:07:29] Atlantis Adds /plan and /apply endpointshttps://github.com/runatlantis/atlantis/pull/997[00:09:08] Amazon RDS for MySQL now supports enforcing SSL/TLS connectionshttps://aws.amazon.com/about-aws/whats-new/2022/08/amazon-rds-mysql-supports-ssl-tls-connections/[00:09:46] Performance of AWS Cloud Watch increased[00:10:28] Is there a way to get the running version of Terraform in HCL (without data external)? [00:13:36] How to Name AWS Accounts by Workload, Stage, etc?[00:20:05] How to enable customer devices (e.g. IoT) to send metrics to cloudwatch and upload files to S3 “at scale”?[00:28:57] #114 Adding missing EFS Terraform resourceshttps://github.com/cloudposse/terraform-aws-efs/issues/114[00:30:29] GitOps: We have a rad GitHub Actions workflow, why do we still need ArgoCD/Flux/etc. [00:38:46] user-agent for some providers should include the version?[00:40:56] How mature is the Terraform Oracle Cloud Infrastructure Provider?[00:44:25] Outro #officehours,#cloudposse,#sweetops,#devops,#sre,#terraform,#kubernetes,#awsSupport the show

Shownotes: Episode 00046!!111elf Yes! It is happening! :D Erstmal die NEEEEEWS zu E-Mobilität, der Arbeitswelt, der Chipkrise, Infrastruktur, Gaming, Weltraum und so weiter Dann kommen die Themen! Im ersten Thema bringt Chris Verschlüsselung - Teil 2 mit einem Überblick über SSL / TLS. Wie funktionieren private/öffentliche Schlüsselpaare? Was ist ein Zertifikat? Und wer signiert diese? Und wie kommt am Ende (auch OHNE VPN!!! :D) eine sichere Verbindung dabei herum? Im zweiten Thema bringt Pati dann einen Einblick in Hackbacks mit und wie sie sich in der Realität doch sehr von Hollywood unterscheiden. Die Rechner der Angreifer zum Explodieren bringen? Wohl kaum! Eher: "Wenn man Glück hat noch etwas aus dem Angriff lernen". Im Dummgeschnack geht es dann wie so oft noch etwas ums Zocken. ;) Neue Adventures. Alte Shooter. Alles dabei! Und wie immer: Schreibt uns! Wünsche, Themen, News, Grüße! Alles sehr gerne gesehen! :) Auf Insta oder Facebook, ne Mail unter jasiapodcast@gmail.com oder kommt uns mal auf unserem Discord unter discord.ja-sia.de besuchen! Bis demnächst! ;) Unsere Links: Unser Discord-Server: http://discord.ja-sia.de Instagram: https://www.instagram.com/jasiapodcast/ Facebook: https://www.facebook.com/jasiapodcast/ Mail: jasiapodcast@gmail.com Kapitel: 00:00:00 Intro 00:02:53 Vorgeplänkel und News 00:54:10 Themenvorstellung 00:55:22 Thema 1: Verschlüsselung - Teil 2: SSL / TLS Überblick 01:41:03 Thema 2: Hackbacks in der Realität 02:15:08 Dummschnack 02:36:59 Zusammenfassung Links zur Sendung: 99 Percent Done https://www.youtube.com/shorts/VU3i0zOJeg8 Folge direkt herunterladen

Are You Ready For Data Wiping Attacks? Yet another warning coming out from the federal government about cyber security. And this one is based on what's been happening in Ukraine. So we're going to talk about that situation, the whole cyber security over there and why it's coming here. [Automated transcript follows] CISA is the cybersecurity and infrastructure security agency. How's that for a name it's not as bad as what does that shield right over from the Marvel universe, but the cybersecurity and infrastructure security agency is the agency that was created to not just protect federal government systems, although they are providing information for. [00:00:41] People who protect those systems, but also for businesses and you and me and our homes. So they keep an eye on what's happening, what the various companies out there are finding, because most of the cybersecurity information that we get is from private companies and they. But it altogether, put it in a nice little wrapping paper. [00:01:05] In fact, you can go onto their website anytime that you'd like to, and find all kinds of stuff that is going to help you out. They've got a ton of documents that you can download for free little steps that you can take. It's at csun.gov, C I S a.gov. And they've got the known exploited vulnerabilities catalog. [00:01:30] That's something that we keep up to date on to help make sure our clients are staying ahead of the game. They've also got their review board securing public gatherings. They also run the stop ransomware.gov site that you might want to check out. And we'll be talking a little bit more about ransomware and the ways to protect yourself a little later today. [00:01:52] Now Seesaw is interesting too, because when they are releasing information, most Americans really aren't aware that they even exist. They do. And they've got a big warning for us this week. There's a site that I follow called bleeping computer that you might want to keep an eye on and they have. [00:02:15] I'll report just out this week that you, crane government agencies and corporate entities were being attacked. This was a coordinated cyber attack last Friday, a week ago, where websites were defaced data wiping malware was deployed and causing all of these systems to become not just a corrupt, but some of these windows devices to be completely. [00:02:45] Operable now that is a bad thing. The reason for this, this is speculation, but it isn't a whole lot of speculation. Right? Am I getting out of, on a limb here particularly, but the whole idea behind this is a cyber war, that Russia's got, what is it now? 130,000 troops, whatever it is over a hundred thousand. [00:03:08] On the border of Ukraine, they invaded Ukraine a few years ago. Russians shot down a passenger airline in Ukrainian air space. This that was a few years back. They've been doing all kinds of nastiness to those poor Ukrainians. They also had a massive ransomware attack in Ukraine. That was aimed at their tax software. [00:03:35] Some countries do the electronic filing thing a lot differently than the us does. A couple of examples are Ukraine. France is another one that comes to mind. We have clients in France that we've had to help with cyber safety. And we're always getting popups about major security problems in the tax software, because they have to use this software that's provided by the French government. [00:04:03] Ukraine's kind of the same way. The biggest. Company providing and the tax filing software for Ukraine was hacked and they use that hack to then get into the tech software and make it so that when that software was run by these Ukrainian companies, they would get ransomware. It was really rather nasty. [00:04:30] So the Russians had been playing games over in Ukraine for quite a while. But what's apparently happened now, is that a thing? Those things, same things are coming our way now. It's not just because of the fact that a Ukraine is being threatened, maybe they're going to encroach even more, take more than Crimea, which they did last time. [00:04:56] We're in the U S and what are we doing? President? Biden's been sending troops to Europe, troops to Poland, Germany, and also advisors to the Ukraine. He's removed the embassy staff, at least the vast majority of it from Ukraine. And I just I think. To what happened with his completely unplanned withdrawal that we did in Afghanistan and how things just got really bad there. [00:05:28] And I'm not worried about what's going to happen in Ukraine because the Russians aren't particularly fond of the idea that we are sending aid and support to. Yeah, it's a bad thing. President Obama sent them blankets, but Biden is sending them military weapons and ordinance, which is what they'd need to fight. [00:05:53] So Russia has shown that they will attack a country via electronic means cyber means, right? Cyber attacks. And so what's happening now is the bad guys from. That have been the facing websites and who have been doing more than that, wiping computers and making them completely unusable could well come after us because they're really going to be upset with what's happening now. [00:06:27] And that was CNN has reported the Ukrainian it services company that helped develop many of these sites was also a big. And of course that means bottom line, that this is what's called a supply chain attack. What I mentioned earlier with the Ukrainian tax software, that's a supply chain attack where you are buying that software, or you're mandated to use the software to file your taxes by the government. [00:06:57] And what happens while it turns out that software is contaminated, that's called a supply chain attack. Now crane issued a press release about a week ago, saying that the entities were hit by both attacks, leading them to believe that they were coordinated. This is a quote here. Thus, it can be argued with high probability that the interface. [00:07:24] Of websites have attacked government agencies and destruction of data by Viper are part of a cyber attacking, but causing as much damage to the infrastructure of state electronic resource that's from the Ukrainian government, not the best English, but their English is much better than my Ukrainian or Russian. [00:07:44] So you, crane is blaming these attacks on Russia, incomes, CS. So you says now urgent. Business people in the us and other organizations to take some specific steps. So quote, here from the Seesaw insights bulletin, the CSO insights is intended to ensure that senior leaders at the top of every organizational where the cyber risks and take urgent near term steps to reduce the likelihood and impact of a potentially damaging compromise. [00:08:19] All organizations, regardless of the sector or side should immediately implement the steps outlined below. So here's the steps and there are a lot of them. One I'm going to do these, you should find in your newsletter today. Hopefully that all made it in. But three basic things. One reduce the likelihood of a damaging cyber intrusion. [00:08:46] And we're going to talk about the best way to do backups here a little later on today. Make sure your software is up to date. Make sure your organization's it personnel disabled, all ports and protocols, not essential for business purposes. This is all basic stuff, but I got to say. I bet you, 98% of businesses and organizations, haven't done these things. [00:09:07] The next major category here, take steps to quickly detect a potential intrusion, and then ultimately maximize the organizations resilient to destructive. Incident. So that means doing things like testing your backup procedure, make sure your data can be restored rapidly, or you have a way to get your business back online quickly. [00:09:31] What we tend to do is in our backup strategy, depending on how much the company can afford, to be down. To be out of business if they lose all of their stock versus what it costs to do this, but we will put a server on site at the company and that server then does some of the backups, right? It does all of the initial backups. [00:09:55] And then what happens is it gets relayed to us. It gets pushed to tape and tape is really good. We'll talk about that in just a few minutes, but the other big thing is. The backup that we have local to their business also has what's called a virtual machine infrastructure built on it. So if a machine goes down, If it gets wiped or if it just crashes and can't be recovered easily, we can spin up that machine. [00:10:27] A copy of it in our little virtual environment in just a matter of minutes. So these are all things you should be considering. If you're interested, you can send an email to me@craigpeterson.com. I can send you a checklist that a little more extensive than this, or I can help you with any other questions you have. [00:10:47] I get lots of questions every week from everything for on retirees, wondering what they should do all the way through businesses that we help government contractors and others. This isn't good. Russia is likely coming after us. Based on this. Visit me online. Craig peterson.com or email me@craigpeterson.com with your questions. [00:11:14] With all of this talk about hackers, ransomware data, wiping systems. What's the best way to protect yourself, but what do you do to really protect against ransomware? I can tell you, it's not just plugging another hard disk into do backup. [00:11:31] We've got so many hackers out there. We're talking about a multi-billion dollar industry to go after us. [00:11:39] It's just depressing. Really. When you think about it, I think about the old days where security, wasn't a huge concern, right? Physical security. I had one of my first jobs was at a bank and I was, this was back way back in the a G it would have been the mid seventies and I was one of the operators of the main. [00:12:05] And so as a mainframe operator, we'd load up the tapes and we would ship them places. We'd also go ahead and put them in the vault so that they were in a fireproof vault, and we could recover anything we needed to recover. It worked out pretty darn well, and it was a fun job, but most of the time it was cleaning the tape drive heads and taking those tapes, those big round tapes, you might remember those. [00:12:33] Nine track tapes and maybe the fancy stuff, 52 50 BPI or 800 BPI of one end or the other, or the spectrum. And we just had to make sure they were physically safe nowadays of course, mainframes are still around and are still absolutely fantastic. They're just phenomenal. Some of the technology IBM has in their mainframes. [00:12:59] Most of us, aren't using those. Most of us are using a regular computer or I'm sitting in front of a Mac right now that I use for the radio show. We have windows, computers, Linux machines, right? All of those things that we have in our business and that we maintain securely for our clients. But what do you do when we're talking about random? [00:13:23] You can cross your fingers and hope that you'd hope you don't get ransomed. That sort of a practice doesn't usually work out too well for people, but you can do backups and many people do. So let's talk about the backups. Let's say that you have your computer and you're doing a backup and you have one or two generations worth of backups for your company. [00:13:47] Ransomware nowadays does not just typically destroy your whole disk. Usually what it does is it encrypts files like doc files, doc X, right? Excel files, all kinds of files that thinks might be useful to you. And then of course, the rest, it pops up says, pay me. And off you go. The reason for that is so your computer still works so that you can enter in the decryption code. [00:14:18] Once you've paid the ransom, hopefully it works for you give or take 50% of the time. You will get your data back. If you pay the ransom much of the time. But let's go back to that one or two generations of backup. You're using a cloud service, let's say, and your computer gets ransomware. That cloud service backup software will still work. [00:14:43] What if it's working? So you're now backing up your encrypted files to the backup site in the cloud. Do you see where I'm going with this? Your backups? No. Same thing is true. If you're backing up to a local hard disk, many people do it and it's handy. I recommend that you do that, but it's not all you should do. [00:15:08] So that disc is attached. We had a. Boy, who was it here? Yeah, we have a client in Maine and they have a really smart system administrator and he designed these disk drives that would physically disconnect themselves from a machine when the backup was not running and would physically connect themselves when the backup. [00:15:34] Was running. So the idea there was okay, great. We've got a local backup on a local disk and if the bad guys managed to get a hold of the machine, they're not going to be able to encrypt the. And, as long as the backup isn't running, I thought that was a brilliant solution. Doesn't solve some problems, but it certainly takes care of some others. [00:15:58] So if you are doing a backup, you've got to make sure you've got multi generations. I tend to keep a year's worth. Now there's other considerations. There's the federal rules of. Procedures that say you have to have bad cops. They have to go back years. And there are also other things the payment card industry requires certain types of backups. [00:16:25] If you are a government contract, We have them as clients and they have certain data retention policies based on the length of the contract. They have keep it for some years afterwards. It goes on and on. So if your data is lost or stolen or encrypted, and your backup is encrypted or deleted, You are in real trouble depending on the type of business you're in. [00:16:56] So what's the right answer to this. I've talked about 3, 2, 1 backup for a long time, and it's still a very good methodology for doing backups, but nowadays they're talking about 3, 2, 1, 1 backup, which is again, that's a bit of a different methodology. In doing backups, but the idea is you've got multiple copies of your data on multiple types of media in multiple places. [00:17:29] That's the bottom line. What is the gold standard for this? I it's something that gets to be a little expensive. Again, we have another client that we've had for years, and they are looking for a replacement for the backup system. Now. And so we proposed something that's based on what's called LTO technology, which is a type of a tape drive. [00:17:55] It's a small cassette, right? It's not those big 12 inch reels of tape that we used to lug around and it's amazingly dance. The new LTO tape drives have space on them for as much as 45. Terabytes of information. It's also great because it's encrypted by hardware, government level encryption automatically, and those tapes can be taken offline. [00:18:25] You can take the tape. Now we picked up a client who had been doing backups and they were using little USB drives and every day he'd take the drive home and bring in the next drive. So he had five drives, right? So he had the drive for Monday, Tuesday, Wednesday, Thursday, Friday. And he was taking them home, but he missed one of the key things to check the back. [00:18:53] He hadn't checked the backup and their backup had not been running for more than a year and a half. So that's the other thing you have to do? The LTO tapes are really the gold standard. It goes back to that for one of the first jobs of mine, right? The job I mentioned, where I was mounting tapes and filing them and moving them around and mountain disc packs and pulling them out and everything. [00:19:19] It still makes sense. They'll last for decades, they cannot be hacked because they are literally offline. You can ship them to places to have them stored. I have a course on backups and if you're really interested, send me a an email to me@craigpeterson.com. And I'll go ahead and. Send you a link to the course, you can watch it. [00:19:48] But yeah, I think this is really important. Of course, I'm not going to charge you for that, but magnetic tape it's established. It's understood. It's proven it's been around for many decades and LTO tape is unique. It needs all five best practices for addressing ransomware. Even be able to recover. [00:20:12] If you want more information, just email me@craigpeterson.com or sign up for my free newsletter. Craig peterson.com. [00:20:22] Switching from gasoline powered engines to these new electric cars is no environmental panacea. At least that's what West Virginia university is saying. And the E. Just changed its mind as well. [00:20:38] Ford of course, about a year ago, unveiled its new electric. [00:20:43] F-150 the lightning and Ford has stopped taking orders for them because they are going to have to make double what they thought they would have to make. Ford also has a similar problem with yet another electric vehicle. The Mustang GM is doing a few different electric. Coles. And so is everybody else, frankly, Porsche even now has an electric car out. [00:21:11] That is all well and good. Isn't it. And there's certainly problems, particularly with manufacturing nowadays, trying to get the CPU's and other electronic components you need. They're even having trouble getting electric motors for electric windows in vehicles. Now they're coming. Crank window with a little coupon saying later on, we'll convert it to electric for you all kinds of problems, but there's one that I haven't heard anybody but myself talk about. [00:21:44] And so I was online looking around, doing some searches, seeing if I was, like the only one there's no way right now, I'm not the smartest person in the world. I don't pay the most attention to everything. And I found that. Virginia university is in total agreement with that with me, it's just amazing. [00:22:06] They looked at recent trends and they're cautioning as I have been for years, at least a decade. Now they're cautioning about what seems to be a race to put more electric vehicles. On the road. And the problem is that these electric vehicles in their demand for electricity may well out, run what's needed to keep the vehicles on the road. [00:22:35] So here's a quote from them. The electric grid will struggle to handle the quick charging of very many electric vehicles at the same time. Okay yeah, by the way, like hardly any quick charging is generally what everyone thinks about, like going to the gas station, getting a full charge in 10 to 15 minutes, which would be a tremendous instantaneous load on the local distribution center. [00:23:03] My concern is the huge power dumps required at quick charging stations along the interstate. It sounds good, but it'll require a lot of new infrastructure to get the power to the charging stations, as well as building those charging stations. So where does the power come from? Power storage is going to be required if we're going to also move towards fixing. [00:23:28] Power sources such as solar and wind. We do not have power storage capability yet in large enough quantities to do this on a large scale. Solar does not work at night. The wind doesn't blow all the time. Also, we do not have the distribution on the streets to move fast charging into residential neighborhoods on mass. [00:23:52] Electric vehicles are great, but we have not fully considered the impact it'll have on our electrical grid infrastructure. It will require a lot of expansion of our electrical distribution and charging facilities. Remember, electric power comes from the power company. I heard an interview with a lady the other day, and they asked her, where does the electricity come? [00:24:15] She said, From the plugin, the wall, right? We must consider this when considering wide-scale electric vehicle adoption, much as there is to gain from electric vehicles. I don't believe we're ready yet as a society for completely electrical vehicle transportation system. With time and infrastructure development, we can be. [00:24:37] I totally agree. This is Rory Nutter, professor lane, department of computer science, electrical engineering, Benjamin M. Slater, college of engineering and mineral resources. I totally agree with that. We don't have the ability to generate the electricity. We don't have the ability to store the excess electricity. [00:25:01] So in other words, if we're using solar at nighttime, we don't have the sun, we can't run solar. So we got to store the solar. And in fact, we have to make about twice as much electricity as we need during the day so that if we can store it, we can then use it in. The same thing with wind, right? It's fickle. [00:25:24] It just doesn't work that well. So what do we need? Basically right now, we need to stop turning off our coal powered plants, our natural gas plans and our nuclear plant. Because we need to still have electricity. Look at what's happened last year. And this year over in Europe with the crazy cutbacks that they've been doing on some of these plants, coal nowadays with the scrubbers that are on our cold powered, flat plant is clean energy. [00:25:58] It's not like the old days where you lived on the south side of the tracks and you got all of the wind blowing towards you that had all of that nasty cold ass. You ever seen any of those pictures? It was just terrible. All of that nasty sitcom. It's not something we need to worry about nowadays. [00:26:16] The other big thing that ties into all of this is so how do we generate our electricity cleanly? A hundred percent cleanly? Nothing. Per cent, but just a couple of weeks ago, the European commission presented their 27 members states with new draft rules that classified natural gas and nuclear power as green fuels for electricity generation. [00:26:47] Listen, if we want electric cars, which as we've talked about before are highly polluting. Yes. Because of the materials in them, because of the materials that go into the batteries, having to mine it, having to ship it, having to process it and then having to change out those battery packs after 80,000 or a hundred thousand miles. [00:27:09] Did you see this guy? There was a meme in the video about this online a few weeks ago. How to test. His Tesla needed a battery replacement. It would cost him, I can't remember what it was. 20, $30,000. A lot of money. So he decided to just blow up the car. That's all it took. I saw another Tesla that had water damage. [00:27:33] From, being down in new Orleans or somewhere, the flooding occurred. And the guy bought that Tesla because Tesla won't sell the parts to fix the car after the water damage. And so he ripped out the batteries, ripped out the electric motors and he bought a high power engine. And gasoline and put it into the Tesla and made really, quite a very cool car. [00:28:00] You can find it online if you want to look for that, it's quite cool. What they ended up doing. It took us quite a while to do it, but they did it. So now that we're seeing. That nuclear is green. Let's talk about why we've been so afraid of nuclear. One of the biggest problems of course is so what do you do with all of the waste? [00:28:20] And that's a legitimate question, but what you're really talking about when you ask that question are the reactors that went online 50 years ago, or that were approved 50 years ago because of the regulations. There are. These nuclear plants that have been provisioned in the last 20 years that are still using that old technology. [00:28:43] So when we get back, we're going to talk about this more. What about the waste? What our fourth generation nuclear power plants, how safe are they when they say they're intrinsically safe? What does that mean? And how and why? Because I'm predicting to this point that we're going to have to switch back to nuclear and even the European union, if you can believe it agrees with. [00:29:13] Hey, make sure you take a minute. Go online. Craig peterson.com. Subscribe to my free newsletter. You can get it right there. I send you out stuff every week. And this week is no exception. We've got a bunch of bullet points that if you are in a business position, you got to protect yourself immediately. So I tell you how Craig peterson.com. [00:29:38] So what are these new rules for nuclear energy? And why is it absolutely necessary that we do something like this? Get fourth generation nuclear online. If we can even consider electric vehicles on our roads. [00:29:55] Things have changed in the European union. They've been trying to figure out how they're gonna handle all of these electric vehicles, how they're going to properly handle all of the solar cells and the wind turbines. [00:30:09] And there's even some work over in the EU. To get the tide to generate electricity, some very cool stuff. Actually, that's been done, I love tech and I'm into all of this stuff, frankly. I think we should be doing a lot of it. What I don't think we should be doing. Is getting ahead of ourselves. And unfortunately that's really what's being going on. [00:30:35] We don't have a grid that can really use the electricity that we can generate from our windmills, from our solar cells, from anything, frankly. And we cannot. All of that electricity that we might be generating and somehow have that electricity be stored and used distributed appropriately to our charging station. [00:31:03] And our grid was built and designed to have a few central point where the electricity is made, where it's generated and then distributed to some pretty specific types of things like housing, development, businesses, et cetera. You can't just go ahead and open a big business man. in a residential area. [00:31:25] And part of the reason for that is the grid isn't set up for it. You don't have three phase power going into residential areas or even more than that, you don't have the high voltage, the high current, et cetera. So how are you going to be able to quick charge electric cars in the regular residential neighborhoods? [00:31:47] I w how about at a hotel? Yeah. Okay. A hotel is probably. Multiple phases and has a fair amount of power there, but the amount of strain that's put on the grid by trying to just rapid charge a single car is huge. So how can we deal with that as well? The quickest and easiest way to deal with it is just put more large power plants online. [00:32:13] Some people don't like that. Don't like that idea at all, frankly, but we're not ready. What are we going to do? Look at what happened in Texas with a fairly minor reliability or re reliance, I should say, on these windmills last winter and things with this winter, as cold as it's been, that could really cause some just incredible problems. [00:32:40] Nuclear is being reconsidered, particularly fourth generation nuclear power plants. The greenhouse gas emissions from nuclear power are one 700th of those of coal. The nuclear power plants produce one, 400th greenhouse gas emissions of a gas plant, and they produce a quarter of the greenhouse gas emissions from solar. [00:33:09] Now you're saying, Hey Craig, come on, I get it. Wait a minute, solar, how can solar produce greenhouse gas? It does. And it produces greenhouse gases because of the manufacturing processes, as well as of course it off gases. So how do we make all of this stuff work? We all saw the China syndrome and we heard from experts like Jane Fonda, how we would all die. [00:33:34] If we put a nuclear power plant. These are intrinsically safe, power plants much different than they used to be. Nuclear power frankly is a much safer business than most people think it is. They no longer these new plants produce. The the nastiest what's called high level nuclear waste. [00:34:00] They can reprocess it right there in the plant. They can start in fact where some of the nuclear waste though has been generated from the older nuclear plants and get rid of that. It's amazing. So people are asking okay. Plutonium might have a half-life of 24,000 years, but it doesn't emit much radiation. [00:34:23] We get that. How about the higher levels of radiation? Because some of it can last for hundreds of thousands of years. According to the U S radiation expert, Robert Gale for every terawatt hour of electricity produced nuclear energy is 10. To 100 times safer than coal or gas. What it does emit are alpha particles, which do not even penetrate human skin. [00:34:54] They've done all kinds of risk assessments and tried to figure out what's going to happen. What can we do? And I'm not going get into all the details here, but it is intrinsically safe because. What really happens is that the, these new plants he's fourth generation, a newer plant are instead of using water, for instance, that can do reactors out of Canada, use heavy water in order to cool those rods. [00:35:25] It was same sort of thing we've had in the meltdowns before they're using a liquid silica inside. They're set up in such a way that they do not need to have pumps running. So the Fukushima reactor that you might remember in Japan that failed because of the tsunami and the fact that one fact, this is what was their killer that their electrical generation from the diesel generators went offline. [00:35:56] Why did it go offline? Oh, I can see the grid going offline, but how about a diesel generator? If you have a below sealer, And the water comes in. You're in big trouble now. They didn't have it like below, permanently below sea level and Fukushima. But when that tsunami wave came in, it was below sea level. [00:36:16] They just, man, we could talk for a long time about the problems that they had over there. The nepotism, the line on the forums. They fact they did not do the upgrades that the manufacturer has suggested on and on. So these new reactors can lose all power and you won't have a China store. They won't go through a meltdown and they're even designed in such a way, the way using physics things called the law of gravity, who would have thought, right? [00:36:51] So that what happens in the worst case scenario is no one gets hurt. It just eats in on itself and then stops runs out of. So we've got to remember all of this stuff. Okay. The nuclear power of yesteryear is not the nuclear power of today. And the nuclear power of today is so green and so safe that even the European commission presented new draft rules that said to the natural gas, nuclear power, our agreement. [00:37:29] Fuels for electricity generation. So assuming the rules are approved and Francis in favor, Germany isn't as into nuclear power. In fact, they plan on having all of their plants shut off by the end of 2025, which is crazy because they're already having serious problems with their solar and wind. [00:37:53] And that's why they're buying so much natural gas now for. Yeah, American influence dropping over there. Thank you again, president Biden for allowing that pipeline to go through. All right. Anyhow. They're assuming they're approved Germany. Apparently isn't likely to try and block these rules. It means that nuclear, the new nuclear force generation or newer is going to be right there alongside renewables, like wind and solar on the list of the EUS technology that are approved for financial support. [00:38:30] Now, this is very good news because as I mentioned earlier, What happens when it comes to solar at nighttime doesn't work solar. When it's raining, doesn't work solar. When it's snowing, doesn't work solar. When it's cloudy, doesn't work. Ryan, how about the windmills? When the wind is. They don't work when they break down, which happens a lot due to mechanical failures, they don't work. [00:39:02] So having the. New nuclear plants that are intrinsically safe, that don't generate this really nasty radiation, and stuff that we have to store for a thousand years, et cetera. The high level nuclear waste makes a lot of sense because unlike the. Solar plants or other things that might be on someone's house that cannot be easily controlled by the central grid. [00:39:32] In other words, Hey, stop generating electricity because I got enough right now. And what Germany has been doing is putting it into heat sinks, heating up lakes and other things, to get rid of that extra solar energy people are generating on their homes and businesses. What you can do is, Hey, we are at the point where we don't have enough sun. [00:39:54] It's really cold. People are trying to heat their homes, or it's really hot. People are trying to cool to their homes. And yet it's raining heavily or there's a lot of clouds. So all you have to do at that point is turn off. That nuclear power plant or multiple plants. You see the way it's going. [00:40:12] You're not going to have some massive plant with a bunch of reactors. No. Where they're going with this is to have community reactors in the multi megawatt range that can be put into communities and the power distributed directly. Into the community and these power plants are good for 20 years and these new ones, they are typically going to be buried in the. [00:40:41] And then every 20 years they get dug up, put onto a truck, shipped off, they get recharged, brought back and you're off and running again, a whole different concept. And I love it. We're starting to do this in the United States. We've got some early approvals for some of these, and I was shocked and amazed and happy that the Biden administration has decided. [00:41:06] To approve the new nuclear here in the United States. So there'll be some test plants going online relatively soon. That just makes so much sense. These 50 year old nuclear red regulations and plants, they just don't work. Make sure you visit me online. Craig peterson.com. I'm going to have a lot of stuff for you every week. [00:41:32] Craig peterson.com. [00:41:37] The hacker world got turned upside down this past week as Russian president Putin decided to crack down on the hackers. Now, this is a very big change for Russia. We're going to talk about my theories. Why did this happen? [00:41:54] As we keep you up to date, russian hackers have long been known to go after basically whoever they want. They have really gone after the United States and other Western company countries. [00:42:10] And as part of what they've been doing, they have been making a lot of money and keeping Vladimir Putin pretty darn happy. He's been a happy because they're bringing more. Into mother Russia, he's happy because they are causing confusion amongst Russia's competitors out there, particularly the United States. [00:42:35] But there's one thing that Putin has been absolutely steadfast. And that is not allowing any of the hackers to go and hack any of the countries that are part of their little pact over there. Think of the old Warsaw pack they got that band back together. So as long as they didn't harm any Russian or, a affiliated country, They could do basically whatever they wanted and they did. [00:43:09] And they have caused a lot of trouble all over the world. So Friday Russia. As security agency announced that it had arrested members of the cyber gang called reveal. Now we have talked about them for a long time. They have come and gone. The FBI and other countries have shut down their servers. [00:43:37] So reveal disappears for awhile. Then pops his head up again. And Russia said that they arrested members of revival who were responsible for massive ransomware crimes against us companies the last year. So why would they do that? I'm looking right now at the Russian website here, that's part of the FSB. [00:44:06] And it's saying that the Russian federal security service in cooperation, the investigation department of the ministry of internal affairs of Russia in the cities of Moscow St. Petersburg, Leningrad lips. As, I guess it is regions. They stop the illegal activities, a members of an organized criminal community and the basis for the search activities was the appeal of competent U S authorities who reported on the leader of the criminal community and his involvement in an encroachment on the information, sir, resources of foreign high tech companies by drusen militia software, encrypting information and extorting money for its decreased. [00:44:52] Now that all sounds like the stuff that Vlad has been just a happy about in years past. So why did this happen? What brought this about nowadays in this day and age? What is he doing? I've got a little bit of a theory on that one because there have been some interesting development. One of them is this hacker. [00:45:19] In Belarus. Now, Belarus is one of those countries that's closely affiliated with Russia friend of Russia, right? Part of the old Warsaw pact. And you might remember that Bella ruse is right there by you. And of course, we've got this whole issue with Ukraine and whether or not Russia is going to invade president and Biden said something incredibly stupid where he said, yeah a moral response is going to depend upon what Russia does, if it's just a minor invasion. [00:45:57] You're you remember? The president Biden's saying that just absolutely ridiculous. And then of course, the white house press secretary and various Democrat operatives tried to walk the whole thing back, but it's a problem because Russia has, what is it now like 120,000 troops on the border. [00:46:17] Now, if you know anything about history, you know that the military army. March on their stomachs, right? Isn't that the expression you've got to feed them. You have to have a lot of logistics in place. In fact, that's what really got a lot of the German military in world war two. Very nervous because they saw how good our logistics were, how good our supply chain was. [00:46:43] We were even sending them. They cakes to men in the field that they discovered these cakes in great shape. And some of the German armies, particularly later in the war, didn't even have adequate food to eat. What do you think is happening with the Russian troops that are sitting there? [00:47:01] They need food. They need supplies, including things like tanks, heavy artillery, ammunition. All of that sort of stuff. So how do they do that? They're moving it on rail, which they have done in Russia for a very long time. You might remember as well in world war II, the problems with the in compatibility between the German rail gauge and the Russian rail gauge as Germany tried to move their supplies on Russian rails and Soviet rails, ultimately, but on Russian rails and just wasn't able to do. [00:47:37] So hacktivists in Bella ruse right there next to Ukraine said that they had infected the network of Bella Russa's state run railroad system with ransomware and would provide the decryption key. Only if Bella Reuss president stopped. Russian troops ahead of a possible invasion of Ukraine. So this group, they call themselves cyber partisans wrote on telegram. [00:48:11] Now I got to warn everybody. Telegram is one of the worst places to post something. If you want some privacy, excuse me, some privacy, some security it's really bad. Okay. No two questions. So they have, apparently this is according to what they wrote on telegram. They have destroyed the backups as part of the pec low cyber campaign. [00:48:36] They've encrypted the bulk of the servers, databases and work station. Of the Belarus railroad, dozens of databases have been attacked, including, and they name a bunch of the databases. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations. [00:49:00] They also said in a direct message that this campaign is targeting specific entities and government run companies with the goal of pressuring the Belarus government to release political prisoners. And stop Russian troops from entering Bellaruse to use its ground for the attacks on Ukraine. Now, this is frankly fascinating from a number of different angles. [00:49:26] One is, it is very easy nowadays to become a cyber hacker. And in fact, it's so easy. You don't even have to do anything other than send N E. And it's been done, frankly. It's been done people who are upset with a, an ax, for instance upset with a particular company, you can go onto the dark web and you can find companies. [00:49:53] And this revival company was one. That will provide you with the ransomware and they will do everything for you except get that ransomware onto a computer. So you could bring it in to an employer. You can send it by email to the ax. As I mentioned, you can do a lot of stuff. And then the. Ms. Cyber hacker guys, the bad guys will go ahead now and they will collect the ransom. [00:50:24] They'll even do tech support to help the people buy Bitcoin or whatever currency they want to have used. And then they take a percentage. So they might take 30% of it. There's a whole lot. We can talk about here too, including trust among thieves and everything else. It is easy to do this. So to see an organization like these cyber partisans, which I'm assuming is an organization, it could be as little as one person taking ransomware, going into specific computer systems breaking in. [00:50:58] Because again, even here in the U S how many of us have actually got their computer systems all patched up to date? The answer to that is pretty close to zero. And they can now go after a government, they can protect their friends. It's really something. When you start thinking about it, right? No longer do you have to be North Korea or China or Russia in order to hack someone to the point where they commit. [00:51:31] And in this case, they're not even after the money, they just want these political prisoners freed and they want Russia to stop shipping in troops supplies, into the area in Belarus next to or close to. Very fascinating. There, there is a whole lot of information about this online. If you're interested, you can read more about it. [00:51:55] It's in my newsletter, my show notes. I have links to some articles in there, but it really is a tool for the under. We've never really seen this before. It's quite an interesting turn in the whole ransomware narrative. It's just in crazy. That's a quote from a guy over at Sentinel one. Alright. [00:52:21] Lots to consider and lots to know and do, and you can find out about all of the. One way, subscribe right now@craigpeterson.com. I promise. I'm not going to her Hess. You stick around. [00:52:38] We've heard a lot about automated cars. And of course we talked about them a lot here too, but that original vision of what we would have, it's gone now. It's fascinating. We're going to talk about that journey of automated car. [00:52:55] To date on technology for years, automakers have been telling this story about how these automated cars are going to drive themselves around and do just wonderful things for us. [00:53:10] And as part of that, they've decided that. The way it's going to work. And I remember talking about this, cause I think it's a cool idea is that there will be fleet of these vehicles think about maybe an Uber or Lyft where you get on the phone and you order up a card and it says, Hey that driver will be here. [00:53:30] Here's the license plate, the driver's name and picture. It's really cool, but general motors and Lyft haven't gotten there. They signed in agreement. To have electric autonomous cars as part of Lyft's fleet of drivers. They did a back in 2016, a long time ago. Ford promised what it called robo taxis and that they would debut by 2021 Dimeler of course, the company that makes Mercedes-Benz said it would work with Uber to deploy fleets of their car. [00:54:12] And the logic was really financial and it made a lot of sense to me, which is why I was so excited. I have car outside. You know about my Mercedes, you. How often do I drive that 40 year old car? Most of the time it's sitting there parked, most of the time, because I don't go very many places very often. [00:54:35] What would it be like then to just be able to have an Uber or Lyft type app on my phone that says, okay, tomorrow I have a 10 o'clock meeting in Boston and I want a car to take me there. So the. Checks with the servers and figures out. Okay. At 10 o'clock meaning, that means you're going to have to leave at eight 30 in order to get around the traffic that's normally happening. [00:55:03] And so we'll have a car there for you. So all I have to do is walk out the apple, probably remind me, my butt out of bed and get outside. Cause the car is about to arrive. So the car pulls into my driveway or maybe just stops on the road and the app reminds me, Hey, the car's there I go out. I get in. [00:55:22] And on the way down, I can work on getting ready for the meeting, getting some things done, just really kicking back, maybe having a nap as we go. And I'm there on time for my 10 o'clock. Just phenomenal. And from a financial standpoint, nowadays, how much is a car costing you? Have you ever done the math on that? [00:55:44] How much does a typical car loan run you per month? And I also want to put in how about these leases? How many of us are leasing cars? My daughter leaves to Gargan believe she did that. Didn't leave to me. It didn't make financial sense, but maybe that's just because I've been around a while. But looking right now at some statistics from credit karma, they're saying us auto loans, new cars, your average monthly payment is $568. [00:56:17] For an average loan term of 71 months. Good grief used cars, about $400. A month payment and average loan term, 65 months. I can't believe that I've never had a car loan for more than three years. Wow. That's incredible. So we're talking about six year notes on a new car. Wow. I guess that's because people buy cars based on the monthly payment, right? [00:56:49] So figure that out. If you're paying $500 a month, how about just paying a subscription service? $500. You can get so many rides a month and you don't have to maintain the car. You don't have to buy insurance. You don't have to make any fixes. You don't have to do anything. And the car will just show up. [00:57:08] That's what I was excited about. And it had some just amazing implications. If you think about it, it city dwell over dwellers and people who were directly in the suburbs, it'd be just phenomenal. And you could also have the robo taxis for longer trips. You can abandon that personal car. Really alternate. [00:57:31] So now it's been about a decade into this self-driving car thing that was started. And, we were promised all of these cars, it reminds me of the fifties, we're all going to be driving, flying cars by. George Jetson one, when was he flying around the cities, but that's not happening. [00:57:52] Okay. The progress on these automated vehicles has really slowed automakers and tech companies have missed all kinds of self-imposed deadlines for the autonomy. Look at what Elon Musk has promised again and again, it's. Basically in 2020, late 2020, it was going to have fully autonomous cars even calls itself dry. [00:58:15] When it isn't really self-driving, it certainly isn't fully autonomous it more or less drives. It stays in the lane as it's driving down the highway. But the tech companies are looking for other ways to make money off of self-driving tech. Some of them have completely abandoned. There's self-driving cars, the sensors like the LIDAR, and I've had the LIDAR people on my show before they've all gotten cheaper. [00:58:40] It doesn't cost you $50,000. Now just for one LIDAR sensor, think about what that means to these cars. So some of these manufacturers of these future autonomous cars are shifting to a new business strategy. And that is selling automated features directly to customers. In other words, you're going to buy a car, but that car isn't going to do much. [00:59:09] Think about the golden key that the tech companies have used for years, right? IBM well-known for that, you buy a mainframe or from IBM or a mini computer from digital equipment corporation, and you have the same computer as someone that has this massive computer. But in fact the difference is that they turn off features and we're seeing that right now. [00:59:34] I'm, I've mentioned that Subaru before where they are charging people for upgrades, but some of the companies are charging you monthly to use a remote start feature for instance, and many others. So what's happening is a major change. We have the consumer electronic show, right? January 20, 20 and general motors CEO, Mary Barra said that they would quote, aim to deliver our first personal autonomous vehicles as soon as the middle of this decade. [01:00:07] So again, it slipped, right? I'm looking at it, a picture of what they're considering to be. The new Cadillac car that should be out next year. Maybe thereafter. It is gorgeous. Absolutely gorgeous. But this announcement, right? Yeah. We're going to have autonomous vehicles, middle of the 2020s. She had no specific details at all. [01:00:33] And apparently this personal robo car project is completely separate from this robo taxi fleet that's been developed by GM's cruise subsidiary. And cruise said it has plans to launch a commercial service in San Francisco this year. So they're going after multiple paths. The logic here is financial. [01:00:56] The reasoning has changed and they're offering autonomy as a feature for the consumer market. Tesla, Elon Musk, they've been charging $10,000 now for the autopilot driver assistance feature. They're planning on raising it to $12,000 here early 2022 Tesla technology. Can't drive a car by itself. [01:01:22] But he's going to charge you if you want it. And I expect that's going to be true of all of the major manufacturer that's out there. And by the way, they're also looking at customization, like color changing cars and things. They're going to charge them as features. Hey, stick around. Visit me online. [01:01:43] Craig peterson.com. [01:01:46] Just how secure are our smartphones. We've got the iPhones, we've got Android out there. We've talked a little bit about this before, but new research is showing something I didn't really expect, frankly.  [01:02:02] We've got some new research that wired had a great article about last week that is talking about the openings that iOS and Android security provide for anyone with the right tools. You're probably familiar at least vaguely with some cases where the FBI or other law enforcement agencies have gone to apple and tried to have. [01:02:29] Old break into iPhones. Apples, refuse to do that one in particular, down in Southern California, where they tried to get apple to open up this I phone and tell them who was this person talking to after a shooting of foul of fellow employees at a. It was really something, there was a lot of tense times and we've seen for decades now, the federal government trying to gain access to our devices. [01:03:04] They wanted a back door. And whenever you have a back door, there's a potential that someone's going to get in. So let's say you've got a. And your house has a front door. It has a backdoor, probably has some windows, but we'll ignore those for now. Okay. And you have guards posted at that front. All in someone needs to do is figure out to how to get into that back door. [01:03:31] If they want to get into your house, it might be easy. It might be difficult, but they know there's a back door and they're going to figure out a way to get in. And maybe what they're going to do is find a friend that works for that security company, that post of the guards out front. And see if that friend can get a copy of the. [01:03:51] That'll let them in the back door. And that's where we've had some real concerns over the year years here, a decades, frankly, our first, I remember this coming up during the Clinton administration, very big deal with the. That they were pushing. This was a cryptographic chip that they wanted every manufacturer to use if they wanted to have encryption and the white house and every gov federal government agency, and probably ultimately every local agency had the ability to break any encryption that was created by the clipper. [01:04:30] In fact, we were able to track Saddam Hussein and his sons and his inner circle. Because he was using some encrypted phones that were being made by a company in England. And that company in England did have a back door into those encrypted phones. And so we were able to track them and we could listen in, on all of their communications back and forth. [01:04:56] And it's really frankly, oppressed. When that sort of thing happens. So what do you do? What are you supposed to do? How can you make it so that your devices are safe? There are some ways to be relatively safe, but these cryptographers over Johns Hopkins university, Use some publicly available documentation that was available from apple and Google, as well as their own analysis. [01:05:26] And they looked into Android and iOS encryption and they founded lacking. So they studied more than a decades worth of reports. How about which mobile security features had been bypassed had been a hack. I had been used by law enforcement and criminals in order to get into these phones. They got some of these hacking tools off of the dark web and other places, and they tried to figure. [01:05:59] So we've got a quote here from Johns Hopkins, cryptographer, Matthew Green, who oversaw the research. It just really shocked me because I came into this project thinking that these phones are really protecting user data. Now I've come out of the project, thinking almost nothing is protected as much as it could be. [01:06:22] So why do we need a backdoor for law enforcement? When the protections that these phones actually offer are so bad. Now there's some real interesting details of if you like this stuff, I followed cryptography for many decades. Now I've always found it. Fascinating. There are some lightweight things I'm going to touch on here. [01:06:46] We won't get too deep in this, but here's another quote. Again, Johns Hopkins university on Android. You can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways. Another quote here on iOS in particular, the infrastructure is in place for hierarchal encrypted. [01:07:10] Now higher are hierarchical. Encryption is various layers of encryption. If you have an iPhone or an iPad, or if you have most Android phones nowadays, if you use a passcode in order to unlock the phone or even a fingerprint or a face. Your method of authentication is used to encrypt everything on the phone, but in reality, everything on the phone is only fully encrypted when the phone is powered off. [01:07:49] Now that's a real, interesting thing to think about because obviously the phone can't work. If everything's encrypted. It needs access to the programs. It needs access to your data. So what they found bottom line was the only way to have a truly safe machine or a smartphone in this case is to turn it off because when you turn it on and it boots up on first boot, now it gets. [01:08:20] Either by bio medical information, like your fingerprint or your face sprint or your passcode, it then has a key that it can use to decrypt things. So apple has on the iPhone, something, they call complete protection and that's again, when the iPhone has been turned off on boots up because the user has to unlock the device before anything can happen on the phone. [01:08:45] And the is protections are very. Now you could be forced to unlock the phone by a bad guy, for instance, or in some cases, a warrant or an order from a judge, but forensic tools that, that they are using the police and the criminals really would have almost no luck at pulling information off of your phone. [01:09:11] That would be useful at all because it would all be encrypted, right? If they could. So once you've unlocked your phone after that first reboot molt, after that reboot, right? You unlocked it after power up. A lot of the data moves into a different mode that apple calls protected until first user authentication. [01:09:32] But it's what I call after first unlock. So when you think about it, your phone is almost always in the after first unlocks. Because how often do you reboot your phone? No, it's pretty rare that your phone might do on. And this is particularly true for I-phones might do updates and boot and reboot. And then of course you have to unlock that phone, but it doesn't go much further. [01:10:01] The net and that's, what's interesting. That's how law enforcement and the bad guys, these Israeli companies and others have been able to get into iPhones and get into Android devices because ultimately if that computer is turned on and you've logged in, there's a lot of data. That's no longer encrypted. [01:10:22] Oh. And by the way, that's also how some of these attacks occur on our laptops. Particularly if you traveled to. In the memory on that laptop that you close the lid on, you have to re log into is the key to UNHCR, unencrypt, everything, right? Because you logged in once. So all they have to do is freeze the memory, duplicate the memory and put it back in part of the reason, by the way that apple laptops have their memory soldered in you can't do that kind of attack. [01:10:56] Stick around. We'll be right back. [01:11:00] VPNs are good and they are bad. It depends on the type of VPN. Many of these commercial VPNs of people are using are actually very bad for you when it comes to your security. [01:11:17] VPNs are Trump problematic. I did a couple of boot camps on VPNs. Probably I think it was about last year. [01:11:26] Yeah, it was last spring. And I went through and explained and showed exactly why commercial VPNs are one of the worst things you could possibly do if you want. To stay secure. Now I lemme just give you the high level here. I have given people copies of this, if you're interested in a link to that VPN webinar that I did, I'd be glad to send it to you. [01:11:57] Just email me Emmy at Craig Peterson, doc. And ask me for the VPN information and I'll send that all off to you. I also wrote something up that I've been sending out to people that have asked about VPNs. Cause it's one of the most common questions we have Franklin, but here's your problem with commercial VPNs? [01:12:18] Most all of them say, oh, your information safe at zero logging, et cetera. And yet we have found again and again that's not. In fact, it can't possibly be true in almost every case because most of these VPN services are running out of other people's data centers. So they might be in an Amazon data center or IBM or Microsoft. [01:12:45] And inside that data center, your data is coming in and then it's going to. So let's say you're using a VPN and you're connecting to a website. I don't care. Go to google.com via a VPN. So you're using one of these services. That's advertised all over creation. And what happens now is. Your web request to get to Google passes over that encrypted VPN and comes to an exit point because at some point it has to get onto the regular internet. [01:13:20] How else are you going to get to that website? On the other side? You can't, unless you get to the regular internet. So at the other side, now the server is that's receiving the end point of view. VPN is going to send the request to Google. Google is going to respond to that VPN server. It's going to be encrypted and sent back to you. [01:13:43] So what's the problem with that? There's multiple problems. One is the data center can see. That there is the request going up to Google. Now he might not be able to tell who it was. But if that VPN server has been hacked. And let me tell you, it is a big target for hackers, government hackers, as well as bad guys. [01:14:06] Then they do know who went out there and depending on how it was hacked and how the VPN was set up, they may even be able to see all of the data that you're sending back and forth. It's called a man in the middle of. And some of these VPN services do it by having you install some software on your computer. [01:14:28] And as part of that installation, they provide you with a master key that they then use to spoon. The keys for the websites. You're going to some, explain that what happens is if you were to go right now on your web browser, go to Craig peterson.com as an example. So Craig peterson.com. I'm typing it in right now in the browser. [01:14:55] That's directly in front of me. Now you'll see a little lock up in the URL. What does that mean? If you click on that lock, it says something about the connection being secure. Are you familiar with that? What's actually happening is it's using SSL TLS keys, but it's using encryption now to send the data from your computer. [01:15:24] To my server, that's hosting Craig peterson.com. And then my server is sending all of the webpage back to you. Encrypted. Any fact, a VPN has been established between your web browser and my web server. So why use a third-party VB? Because your data is encrypted already, right? Could it be more simple than that? [01:15:59] Now, remember again, that the server on the VPM service that you're using is a prime attack target for everybody else. As I said from government agencies through hackers. So your data is likely less safe because if they get a hold of it, they can do all kinds of things to your data and to. And then on top of it, all the VPN service may well be selling your data in order to make money, to support the VPN service because free VPNs, inexpensive VPN sees the ones that are charging you five or 10 bucks a month cannot possibly afford to provide you with that service. [01:16:51] And in the bootcamp, I go through all of the numbers here, the costs involved. With a VPN service it's not possible to do. They can't make any money off of it. So it is a very big problem for you to use one of these public VPN services. Now, I want to talk about an arc article that was on Z. [01:17:19] Apparently your old pole, which is of course the police over there in the European nations has seized servers. What servers, VPN servers in Europe. Now they seized the servers because they were used by who was it? Grandma looking at pictures of the grandkids. Was it people watching cat videos who was using the VPN server? [01:17:45] The paid VPN service. Wow. It was criminals. And when they seized these VPN servers that were also being used by criminals, they found more than a hundred businesses that had fallen victims to attacks. So who uses VPN services? People who want to hide something as well as people who just want to have their data secure. [01:18:14] Another reason not to use VPN services. So as a part of the joint action by Europol Germany's police Hanover police department, the FBI, UK national crime agency, and others seized 15 servers used by VPN lab dot. Okay. So VPN lab.net net, obviously no longer usable. And they started looking at all of the records that were being kept in these servers and use that to find the criminal. [01:18:48] Does that make sense to you? So VPN lab.net was according to these charges, facilitating illicit activities, such as malware distribution. Other cases showed the services use in setting up infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. You like that. [01:19:12] Now they were using open VPN technology, which is actually very good. As part of that VPN information, I can send you if you're interested, just email me M e@craigpeterson.com. Let me know what you're interested in, and I'll whoop you off an email. Give me a few days I can get behind sometimes, but you can set up your own private VPN server if that's what you want to do. [01:19:38] And I've gotten instructions on how to do that in that little special report in that email, but They were providing what they called online anonymity, this VPN lab.net service for as little as $60 a year. Okay. You like that? So they provided what they call double VPN servers and a lot of different countries and made it a popular choice for cyber criminals. [01:20:04] Very big deal. Okay. So be very careful with VPNs. Also be careful of the VPN you might be using for your business. Let's say you've got something that isn't terribly secure or not secure at all as your firewall, right? So you buy a nice little firewall or this is so great. It's not expensive. And I got it online from a big box retailer. [01:20:27] Most of them out there do not meet. The minimum standards you really need in order to keep your business. And there's only two companies that do one of them, Cisco, and one of them's Juniper, that's it? None of the other firewalls with VPNs meet the minimal standards you need to have, but those be glad to sell it to you. [01:20:49] They'll be glad to tell you that it's perfectly secure, but it is not okay. Just went through that again with a company this week an engineering firm and at least they understand some of the stuff, but they were trying to do the right thing and they were being misled by these various vendors. So this action against VPN lab took place in January involved with authorities from Germany. [01:21:15] The Netherlands Canada,

Hacking the TLS Handshake and decryption with Wireshark // SSL Deep Dive 50,157 views Mar 25, 2022 Warning! We go deep in this video to explain how the TLS handshake is completed. Warning! This is a technical deep dive and covers a lot of detail including SSL decryption and discusses RSA, Public and Private Keys, symmetric key exchange and lots more. // Wireshark pcap // https://davidbombal.wiki/tlsedpcap // Ed's TLS course // https://davidbombal.wiki/edtls49 Use coupon code: "BombalTLS" to get for $49 // MENU // 00:00 ▶️ Introduction 02:11 ▶️ How SSL/TLS is shown in a browser 02:40 ▶️ Pre-Requisites 05:15 ▶️ Data Integrity/Hashing 06:27 ▶️ Potential Problems with Hashing/man in-the-middle attack 07:32 ▶️ Message Authentication Code 10:09 ▶️ Prerequisites continued 11:51 ▶️ Symmetric Encryption 12:45 ▶️ Asymmetric Encryption 17:00 ▶️ Private and Public Keys 20:05 ▶️ Signatures 21:55 ▶️ Protocols 22:50 ▶️ SSL/TLS Handshake, Client Hello and Server Hello 28:35 ▶️ Client Hello and Server Hello in Wireshark 34:09 ▶️ Certificate 35:12 ▶️ Server Done 35:35 ▶️ Server Hello, Certificate, Server Hello Done in Wireshark 36:51 ▶️ Client Key Exchange 50:26 ▶️ Client Key Exchange in Wireshark 51:39 ▶️ Client Change Cipher Spec and Finished/Encrypted Verification 54:08 ▶️ Server Change Cipher Spec and Finished/Encrypted 56:10 ▶️ SSL/TLS Handshake in Wireshark 57:44 ▶️ Decrypting a PreMaster Key with a Private Key in Wireshark 1:03:15 ▶️ Where to get in contact with Ed to learn more // David's SOCIAL // Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal // Ed's SOCIAL // Twitter: https://twitter.com/ed_pracnet YouTube: https://www.youtube.com/channel/UCKmU... // Ed's TLS course // https://davidbombal.wiki/edtls49 Use coupon code: "BombalTLS" to get for $49 // More detail on Ed's YouTube channel and website // Asymmetric Encryption explained from a Practical Perspective: https://www.practicalnetworking.net/p... RSA Algorithm: https://www.youtube.com/watch?v=Pq8gN... DH Algorithm: https://www.youtube.com/watch?v=KXq06... Practical TLS - Crypto & SSL/TLS foundation: https://www.youtube.com/playlist?list... // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com tls tls decryption ssl crypto cryptography ssl decryption tls wireshark tls decryption wireshark tls tunnel tls handshake tlsp tls explained tls tunnel vpn tls protocol tls handshake explained tls 1.3 TLS Transport Layer Security Handshake TLS Handshake Crypto Cryptography security wireshark wireshark tutorial wireshark packet analysis tls decryption tls decryption wireshark tls 1.3 decryption tls decryption wireshark tls tunnel vpn free internet tls decryption palo alto Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! #tls #ssl #wireshark

Links Referenced: quietly updated the re:Inforce site: https://reinforce.awsevents.com remains disturbingly murky: https://www.theverge.com/2022/3/22/22990637/okta-breach-single-sign-on-lapsus-hacker-group far greater detail: https://kloudle.com/blog/aws-rds-does-not-force-clients-to-connect-using-a-secure-transport-layer AWS Lambda announces support for PrincipalOrgID in resource-based policies: https://aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-principalorgid-resource-policies/ Automated Incident Response and Forensics Framework: https://github.com/awslabs/aws-automated-incident-response-and-forensics CI/CDon't: https://hackingthe.cloud/aws/capture_the_flag/cicdont/ TranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They've also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That's S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.Corey: Last week AWS quietly updated the re:Inforce site to reflect that instead of Houston, their security conference, held ideally annually, would be taking place this July in Boston. Given that Texas's leadership has been doing what appears to be its level best to ensure that respectable businesses don't want to do business there, this is an incredible logistical, and frankly moral, feat that AWS has pulled off.Corey: That's the good news. The bad news of course is as this issue went to print, the news coming out of Okta about a breach remains disturbingly murky. I'm trying here to provide the best take rather than the first take, so I really hope someone's going to have better data for me by next week. Oof. Condolences to everyone who is affected.Yeah, other than that, from the security community, a while back I had a bit of a conniption fit about how RDS doesn't mandate SSL/TLS connections. For a company whose CTO's tagline and t-shirt both read “Encrypt Everything” this strikes me as… discordant. A blog post I stumbled over goes into far greater detail about what exactly is requiring encryption and what isn't. Make sure your stuff is being secure when you think it is, is the takeaway here. Verify these things or other people will be thrilled to do so for you, but you won't like it very much.Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price-performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.Corey: AWS had one notable security announcement that didn't come from their security blog. AWS Lambda announces support for PrincipalOrgID in resource-based policies. Now, that's a fancy way to say, “All of the resources within my AWS organization can talk to this Lambda Function,” which in common parlance is generally historically expressed as just granting access to the world and hoping people don't stumble across it. I like this new way significantly more; you should too.And from the world of tools, I found two of interest. Hopefully, folks aren't going to need this, but AWS Labs has an Automated Incident Response and Forensics Framework that helps you not do completely wrong things in the midst of a security incident. It's worth reviewing if for no other reason than the discussions it's likely to spark. Because security has always been more about people than tools. Occasionally it's about people who are tools, but that's just uncharitable, so let's be kinder.This CI/CDon't tool is awesome; it intentionally deploys vulnerable software or infrastructure to your AWS account so you can practice exploiting it. I'm a sucker for scenario-based learning tools like this one, so I have a sneaking suspicion maybe some of you might be, too. And that's what happened last week in AWS security. Thank you for listening. I'm Cloud Economist Corey Quinn. Ugh, this week is almost over.Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.Announcer: This has been a HumblePod production. Stay humble.

Do You Know How Hackers are Spoofing You? All About Email spoofing! We just got an email this week from a customer and they're saying, "Oh no, my email has been hacked." What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal. [Following is an automated transcript] [00:00:15] Email spoofing is being a problem for a long time, really? Since the 1970s. I remember when I got my first spoofed email back in the eighties and there was really a little bit of confusion. [00:00:30] I went into it more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on. Just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email, looks like it's from someone that it's not now, you've all seen examples of this. [00:00:55] Everybody has. And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business or family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person in order to. Frankly, fool you. [00:01:19] That's what spoofing really is. There were a lot of email accounts that were hacked over the last what, 30, 40 years. And you might remember these people sending out an email saying, oh, my account got hacked because you just got emails. Back in the day, what people were trying to do is break into people's email accounts and then the bad guys after having broken in now knew everybody that was in the contact list from the account that was just broken into. [00:01:54] Now they know, Hey, listen, this person sends an email. Maybe I can just pretend I'm them. Days it, the same thing still happens. But now typically what you're seeing is a more directed attack. So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay. [00:02:16] So this person's account is a purchasing manager at a big company. So then they take the next step or maybe this tab after that and try and figure out. Okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past with clients that we've picked up because the email was acting strangely where a bad guy went ahead, found. [00:02:49] Invoices that have been sent out by the purchasing person and the send the invoices out and changed the pay to information on the invoice. So they took the PDFs that they found on the file server of the invoices went in and changed them, change the account that they wanted, the funds ACH into. And once they had that happen, they just sent the invoice out again saying overdue. [00:03:18] Off goes in the email and the company receives it and says, oh okay, I need to pay this invoice. Now. Sometimes it marked them overdue. Sometimes they didn't mark them overdue. I've seen both cases and now the money gets sent off and that invoice gets paid and then gets paid to the wrong person. [00:03:38] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, Hey, our account has changed. Make sure you. Direct all future payments to this account. Instead. Now you might be thinking wait a second here. Now they send this email out. It's going to go into a bank account. [00:03:57] I can recover the money while no, you can't. Because what they're doing is they are using mules. Now you've heard of meals before. He might've even seen that recent Clint Eastwood movie. I think it was called. But typically when we think of mules, as people we're thinking about people who are running drugs well, in this case, the bad guys use mules in order to move money around. [00:04:24] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California, some of them cleaned. Yeah. I didn't know what was happening. It was just somebody, asked me to send money. It's like the Nigerian scam where the Nigeria in the Nigerian scam, they say, Hey I'm, I'm Nigerian prince, you've heard of these things before. And I need to get my money out of the country. I need to place to put them. And so if you have a us account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 and I'm going to wire in just as a fee. Thanks for doing this. I, this is so important and it's such a hurry and I'm going to send you the. [00:05:11] What they'll often do is send you a money order. It couldn't be a bank check, could be a lot of things, and then you go ahead and you cash it and oh, okay. Or cash just fine. And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off. Running in the meantime, your bank is trying to clear that bank check or that money order. [00:05:38] And they find out that there is no money there because frankly what might've happened? I, this is one I've seen, I'm telling you about a story w we helped to solve this problem, but I had taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it. [00:06:01] So people thought they were getting a legitimate money order. And in some cases, the banks where the money order was, you mean deposited, did conf confirm it? They called up the source bank. Oh yeah. Yeah. That's a legit money order and then they all hit within a week or two. And now the, you are left holding the bag. [00:06:22] So that's one thing that happens. But typically with these mules, the money comes to them in that account. They are supposed to then take that money and put it in their PayPal account and send it off to the next. And it might try jump to through two or three different people, and then it ends up overseas and the bad guys have gotten so good at this and have the cooperation of some small countries, sometimes bigger countries that they actually own. [00:06:54] The bank overseas of the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real. So with spoofing, they're trying to trick you into believing the emails from someone that you know, or someone that you can trust. Or as I said, maybe a business partner of some sort in most cases, it's some sort of a colleague, a vendor or a trusted brand. [00:07:22] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there's more complexity tax. Like the ones that I just explained here that are going after financial employees, there might be some, an accountant, a bookkeeper, or bill payer and receivables payables. [00:07:48] I've seen CFO attacks, but the really the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from. For instance, PayPal. Phishing attack. They have a spoofed email sender and typical email clients like you might be using for instance, on Microsoft outlook. [00:08:13] The sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before these forged email headers. Yeah, it gets to be a problem. Now we use some software from Cisco that we buy. [00:08:38] You have to buy. I think it's a thousand licenses at a time, but there were some others out there, Cisco again, by far the best and this, the software. Receives the email. So before it even ends up in the exchange server or somewhere else online, that email then goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including in real time emails that are. [00:09:06] Right now. And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header, Microsoft and outlook calls, it view source. But if you look at the email header, you'll see received. Headers that are in there. So say, receive colon from, and they'll give a name of a domain and then you'll see another received header and give another name of a machine. [00:09:33] And it'll include the IP address might be IVF IPV four of your six, and you can then follow it all the way through. So what'll happen is partway through. You'll see, it took a hop that is. Not legitimate. That's where it comes in. Nowadays, if you have an email address for your business, man, a domain, you need to be publishing what are called SPF records. [00:10:01] And those SPF records are looked at there compared to make sure that the email is properly signed and is from. The correct sender. There's a SPF records. There's a mother's too, that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated. [00:10:24] The SPF, which is the sender policy framework is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called domain based message, authentication, reporting, and conformance. Heather's D mark headers to stop malware and phishing attacks. And they are very good if you use them properly, but unfortunately when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing and protection. [00:11:00] So have a look at that and I can send you a couple articles on it. If you're in trusted Craig Peterson.com. [00:11:07] So we've established that email spoofing happens. What are the stats to this? And how can you further protect yourself from email spoofing? Particularly if you're not the technical type controlling DNS records, that's what's up right now. [00:11:24] There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago where we weren't worried about a lot of this stuff, spoofing, et cetera. [00:11:38] But what we're talking about right now is 3.1 billion domain spoof. Emails sent every day. That's a huge thing. More than 90% of cyber attacks. Start with an email message. Email spoofing and phishing have had a worldwide impact costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019. [00:12:09] Reported that about a house. A million cyber attacks were successful. 24% of them were email-based and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email and whether or not those pieces of email are really a problem for them. And then anybody else. [00:12:36] So a common attack that uses spoofing is CEO fraud, also known as business, email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not they're impersonating an executive or owner, maybe of a business. And it targets. People in the financial accounting or accounts payable departments or even the engineering department. [00:13:03] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked the Canadian city treasurer. Tricked into transferring a hundred grand from taxpayer funds, Mattel tricked into sending 3 million to an accountant, China, a bank in Belgium, tricked into sending the attackers 70 million Euro. [00:13:33] It happens and I have seen it personally with many businesses out there. So how do you protect yourself from email? Spoofing now, even with email security in place, there's some malicious email messages that are still going to get through to the inboxes. Now we're able to stop better than 96% of them just based on our stats. [00:13:56] In fact, it's very rare that one gets through, but here are some things you can do and watch out for whether you're an employee responsible for financial decisions, or maybe you're someone who is. Personal email at work. Here's some tricks here. So get your pencil ready. Number one, never click links to access a web. [00:14:20] Where you're asked to log in, always type in the official URL into your browser and authenticate on the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, Hey oh man, here's some real problems. You got to respond right away. [00:14:44] Don't do that go to paypal.com or your bank or your vendor's site, just type it into your browser, even though you can hover over the email link and see what it is. Sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to that right there on Craig peterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails. [00:15:24] So I use a service and the services taking those links, modifying them somewhat in fact dramatically. And using that to make sure the delivery happened, people are opening it and that I'm not bothering you. So you can unsubscribe next step. You can, if you want to dig in more, look at the email headers. [00:15:47] Now they're different for every email client. If you're using outlook, you have to select the email, basically in the left-hand side. Okay. You're going to control, click on that email and we'll come up and you'll see something that says view source. So in the outlook world, they hide it from you. [00:16:07] If you're using a Mac and Mac mail, all you have to do is go to up in the menu bar email and view, header and cut off. There it is. I have many times in the past just left that turned on. So I'm always seeing the headers that reminds me to keep a look at those headers. So if you look in the header, And if the email sender is let me put it this way. [00:16:33] If the person who is supposed to have sent it to you is doing headers proper, properly. You're going to see. A received SPF section of the headers and right in there, you can look for a pass or fail and response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example, PayPal has these records that it publishes that say all of our emails are going to come from this server or that server of. [00:17:06] And I do the same thing for my domains and we do the same thing for our clients domains. So it's something that you can really count on if you're doing it right, that this section of the headers. And that's why I was talking about earlier. If you have an email that your sending out from your domain and you don't have those proper headers in it, there's no way. [00:17:33] To truly authenticate it. Now I go a step further and I use GPG in order to sign most of my emails. Now I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed. So you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email into a search engine. [00:18:05] Of course I recommend duck go in most cases. And the chances are that frankly they've sent it to multiple people. That's why I was saying our Cisco based email filter. That's what it does, it looks for common portions of the body for emails that are known to be bad, be suspicious of email from official sources like the IRS, they're not going to be sending you email out of the blue most places. Aren't obviously don't open attachments from people that you don't. Special suspicious ones, particularly people we'll send PDFs that are infected. It's been a real problem. They'll send of course word docs, Excel docs, et cetera, as well. [00:18:56] And the more. I have a sense of urgency or danger. That's a part of the email should really get your suspicions up, frankly, because suggesting something bad is going to happen. If you don't act quickly, that kind of gets around part of your brain and it's the fight or flight, right? Hey, I gotta take care of this. [00:19:19] I gotta take care of this right away. Ah, and maybe you. So those are the main things that you can pay attention to. In the emails, if you are a tech person, and you're trying to figure this out, how can I make the emails safer for our company? You can always drop me an email as well. Me, M e@craigpeterson.com. [00:19:45] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this, but as individually. At least from my standpoint, a lot of this is common sense and unfortunately the bad guys have made it. So email is something we can no longer completely trust. Spoofing is a problem. [00:20:07] As I said, we just saw it again this week. Thank goodness. It was all caught and stopped. The account was not. It was just a spoofed email from an account outside the organization that was act Craig peterson.com. Stick around. [00:20:26]  [00:20:26] The value of crypto coins has been going down lately quite a bit across the board, not just Bitcoin, but the amount of crypto mining and crypto jacking going on. That hasn't gone down much at all. [00:20:50] hi, I'm Craig Peter Sohn, your cyber security strategist. And you're listening to news radio, w G a N a M five 60 and FM nine. Point five, you can join me on the morning drive every Wednesday morning at 7 34, Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right? [00:21:18] These are the things like Bitcoin and others that are obstensively private, but in reality, aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend that, the crypto currencies, why even bother getting it in the first place. One of the big drivers behind the price of these crypto currencies has been criminal activity. [00:21:50] We've talked about that before. Here's the problem we're seeing more and more nowadays, even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before. It does not mean that the bad guys don't want more of it. And what better way to mine, cryptocurrency then to not have to pay for. [00:22:18] So the bad guys have been doing something called crypto jacking. This is where criminals are using really ransomware like tactics and poisoned website to get your computer, even your smartphone to mine, cryptocurrencies for. No mining, a Bitcoin can cost as much in electric bills that are in fact more in electric bills. [00:22:45] Then you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore because they're using so much electricity here in the U S we've even got crypto mining companies that are buying. Old power plant coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively so that they can make some profit from it. [00:23:20] It's really quite the world out there. Some people have complained about their smartphone getting really hot. Their battery only lasts maybe an hour and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been crypto jacked. So your smartphone, they're not designed to sit there and do heavy computing all day long. [00:23:47] Like a workstation is even your regular desktop computer. Probably isn't. To be able to handle day long mining that has to happen. In fact, the most efficient way to do crypto mining of course is using specialized hardware, but that costs them money. So why not just crypto Jack? All right. There are two primary ways. [00:24:11] Hackers have been getting victims, computers to secretly mine. Cryptocurrencies one is to trick them into loading. Crypto mining code onto their computers. So that's done through various types of fishing, light tactics. They get a legitimate looking email that tricks people into clicking on a link and the link runs code. [00:24:32] Now what's interesting is you don't, even for cryptocurrency crypto jacket, you don't even have to download a program in. To have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script. And it runs in the background. As you work right, using up electricity, using up the CPU on your computer. [00:25:00] They also will put it into ads. They'll put it on a website and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of crypto jacking what's been particularly bad lately has been the hackers breaking into cloud account. And then using those accounts to mine cryptocurrency, one of the trainings that I had on my Wednesday wisdoms has to do with password stuffing and my Wednesday wisdoms, you can get by just subscribing to my email over there@craigpeterson.com. [00:25:46] But what happens here is they find your email address. They find. Password on one of these hacks that is occurred on the dark web. You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM also has cloud services can be sitting there running along very well, having fun. [00:26:19] Life's good. And. Then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody use a good password manager and this week I actually changed my opinion on password managers. So you know, that I really like the password manager that you can get from one password.com. [00:26:46] It really is fantastic. Particularly for businesses, various types of enterprises, one password.com. However, where I have changed is that some of these browsers nowadays, particularly thinking about Firefox Google Chrome safari, if you're particularly, if you're on a Mac, all have built in password managers that are actually. [00:27:12] Good. Now they check. Have I been poned, which is a site I've talked to you guys about for years. To make sure that your accounts are reasonably safe than not being found on the dark web, the new password that it came up with or that you want to use. They check that as well. Make sure it's not in use. So here's an example here. [00:27:34] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, new year's day, he got an alert from Amazon web services. Now Amazon web services, of course, cloud service. They've got some really nice stuff, starting with light ship and going up from there, I've used various services from them for well, since they started offering the services over very many years and. [00:28:06] They allow you to have a computer and you can get whatever size computer you want to, or fraction of a computer. You want to, he got this alert because it said that he owed more than $53,000 for a month's worth of hosts. Now his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bell is now 50 to maybe $80 a month. [00:28:36] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from insider that you can find a business insider.com. They were able to confirm that, yes, indeed. He got this $53,000 bill from Amazon and yes, indeed. [00:29:02] It looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power. They need to produce some of these digital cryptocurrencies, like Bitcoin there's many others out there. But this isn't new. This is happening all of the time. [00:29:26] Google reported late last year, that 86% of account breaches on its Google cloud platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for. [00:29:50] My email, my weekly email newsletter@craigpeterson.com and it tells you what to do, how to do it. What is a good password? What the thinking is because it's changed on passwords, but do that and use two factor authentication. Multi-factor authentication as well. And I talk about that in that special report too. [00:30:13] And visit me online. Sign up right now. Craig Peterson.com. [00:30:18] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars. [00:30:34] Connected cars are coming our way in a very big way. [00:30:40] We just talked about the shutdown of two G and 3g in our cars. We, it wasn't really our cars, right? Two G 3g. That was for our cell phones. That was. Years ago course now for four GLTE 5g, even 10 G is being used in the labs. Right now. It's hard to think about some of those older technologies, but they were being used and they were being used by cars, primarily for the navigation features. [00:31:15] Some cars use these data links, if you will, that are really on the cell phone network in order to do remote things like remote start. For instance, I have a friend who's Subaru. Of course was using that. And now she's got to do an upgrade on her car because that 3g technology is going away depending on the carrier, by the way, some of it's going away sooner. [00:31:43] Some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at? As we look into the future, I'm really concerned. I don't want to buy one of these new cars at the same time as I do, because they are cool, but I don't want to buy one of those because of the real problem that we could have of what well of having that car. [00:32:09] I need an upgrade and not been able to do it. I watched a video of a guy who took a Tesla that hadn't been damaged badly in a flood, and it was able to buy it for cheap. Why? Because Tesla will not sell you new motors and a new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine. [00:32:39] He ripped everything out of the Tesla and went ahead after that, cause you got to clean that out, and water damage. You spray wash all to the inside. He got right down to the aluminum, everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that, that screen that you have upfront that does the temperature control, cruise maps, everything out. [00:33:11] He kept that it was able to work. The, automated stuff, cruise control type stuff. And now he had a very hot car that looked like a Tesla. He took it out to SEMA, which is pretty cool. I'd love to see that, but it was a Tesla with a big V8 gasoline engine in it. He's done a, quite a good job on it. [00:33:35] It was quite amazing to see it took them months. It was him and some of his buddies. These new cars are even more connected than my friend Subaru is they get downloads from the. Some of them are using Wi-Fi and 5g. Really one of the big promises of 5g is, Hey, our cars can talk to each other because now you can get a millisecond delay in going from one car to another versus what you have today, which can be a half a second or more, which can be the difference between having a rear end collision and being able to stop in time when it comes to these automated system. [00:34:17] So they are more connected. They connect to the wifi in your homes. They connect to obviously the 5g network, which is where things are going right now. But what's happening with the hackers because really what we're talking about, isn't a computer on wheels. Oh no. Dozens of computers inside that car and your car has a network inside of it and has had for many years, this can bus network and even fancier ones nowadays that connect all of your systems together. [00:34:52] So your entertainment system, for instance, is connected to this network. And that was used. You might remember a couple of years ago on a Chrysler product where the bad guy installed. Or using the thumb drive onto that entertainment system and had a reporter drive that car down the road. This is all known. [00:35:16] It was all controlled. And was able to the bad guy right there, the demonstration in this case, I guess you'd call them a white hat hacker. He drove that car right off the road while the reporter was trying to steer otherwise because cars nowadays don't have a direct linkage between anything in any. [00:35:38] That's why I love my 1980 Mercedes TESOL. You turn the steering wheel. It isn't actually connected to the wheels to that front end of the car. All it's doing is telling the computer you want to turn and how much you want to turn that brake pedal. Doesn't actually. Compress hydraulics and cause the brakes to engage that fuel pedal doesn't actually move the throttle on the car. [00:36:03] The throttle is really being controlled and moved by the computers. So the car is completely electronic. It feels like a regular car, right? We're not talking about the Tesla's of today or tomorrow. We're talking about Volvos that have been sold for more than a decade. We're talking about a lot of different cars. [00:36:24] So now you have a platform on wheels that can be dangerous because it can be, in some cases, remotely controlled, it can have software that may be crashes. We know that part of the infrastructure quote, unquote bill, which contains almost no infrastructure. It's amazing how they named these things. Isn't it. [00:36:45] And what is it like 6% it actual infrastructure and the infrastructure bill? One of the things in there that is not infrastru. Is a demand, a law that says the car manufacturers have to include a remote. Button, if you will, so that a police officer could go ahead and say, okay, I'm pursuing this car and they're not stomping. [00:37:11] I don't want to risk people's lives. As this bad guy tries to elude me here in backstreets. Kids can get hit, et cetera. So they push the button and the car stops that all sounds great. The problem is that you could potentially be opening some security problems by having this remote stop button that can be used by anybody really right. [00:37:40] Since when is it going to be limited to just law enforcement? Isn't that a problem? According to Caren driver, I'm looking at their magazine right now. They're saying that there were at least 150 automotive cybersecurity incidents in twenty nineteen, a hundred and fifty incidents, part of a 94% year over year increase since 2016. [00:38:05] In other words, every year. The number of automotive, cybersecurity and incidences has doubled. And that's according to report from a company called upstream security. So we're lost. So looking at what w maybe ransomware for a car. So that your car gets hacked. You can't hack my 1980 Mercedes diesel. [00:38:28] It is impossible to hack into an unconnected car, but if you are driving a vehicle it's likely at risk from some sort of digital true. We've even seen from some of the bugs. We've seen cars from Japan that have decided to drive into the Jersey barrier because it misunderstands exactly what it is. We've seen cars from Tesla. [00:38:57] Drive right into the back of a parked fire truck mentioned doing that at speed, right? And cause a fire truck full of water, et cetera. I've actually seen that one happened personally. So the more sophisticated the system is, the more connected your vehicle is. The more exposed you are in Detroit free press has a great little article on that right now. [00:39:23] And in there he's saying we have taken. Whatever model car you think of. And we hack them through various places. I can control your steering. I can shut down and start your engine. Control your brakes, your doors, your wipers, open and close your. There's a lot of people who are trying to break into these cars. [00:39:46] And there's a lot of people who are trying to protect them. That hacker duo back in 2015, who took control of that Jeep Cherokee, just think about that sort of. There's an Israeli based automotive cybersecurity company who told the free press that he expects the current trend of hackers, holding digital data on computers for ransom to also move to cars. [00:40:12] So when this happens, the driver will not be able to start the vehicle until they pay off the rant. Or suffer the consequences, which could be wiping the cars systems operating systems could be Kenning the car to catch on fire. Think of what can happen with each generation with those batteries. [00:40:32] There's no way around it. You're going to have to get it towed and get all of the software reloaded in the company. And now this week, it comes out that in 19 year old kid said that he was able to hack into over 25 Teslas that he tried via a bug in a popular. It's an open source tool that people are using to link into their Teslas to do various types of remote control. [00:41:01] And he posted a tweet on this guy's name's David Colombo. You'll find them on Twitter, went viral and he reported the vulnerability to the people who are maintaining the software and they fixed it. In fact, the very same day and Tesla also pushed updates to their vehicle. That invalidated the signatures and the key exchanges that we're having. [00:41:28] So this is a 19 year old researcher. He's able to hack into cars in 13 countries, 38, 13 countries. Yeah. Worth of Teslas without the owner's knowledge. No, he says I, I can not. Doors, I can turn off the security system. I can open windows. I keyless start and things turn on the stereo, honk the horn view, the cars location, and if the driver was present, but he doesn't think he could actually move the vehicle remotely, but that's a 19 year old. [00:42:02] What's going to happen when we implement the law that was just passed that says our cars have to be remotely controllable by anybody basically. Yeah. It's scary. Hey, I want to invite you guys to take a minute, go to Craig peterson.com. Make sure you sign up for my newsletter there, and I'll keep you up to date on all of this stuff and you'll even get my show notes. [00:42:28] Craig peterson.com. [00:42:30] The hacker world got turned upside down this past week as Russian president Putin decided to crack down on the hackers. Now, this is a very big change for Russia. We're going to talk about my theories. Why did this happen? [00:42:56] hi, I'm Craig Peterson, your cyber security expert. And you're listening to news radio, w G a N a M five 60 and FM 98.5. Hey, you can join me. Wednesday morning, did 7 34 on the morning drive. As we keep you up to date, russian hackers have long been known to go after basically whoever they want. They have really gone after the United States and other Western company countries. [00:43:30] And as part of what they've been doing, they have been making a lot of money and keeping Vladimir Putin pretty darn happy. He's been a happy because they're bringing more. Into mother Russia, he's happy because they are causing confusion amongst Russia's competitors out there, particularly the United States. [00:43:55] But there's one thing that Putin has been absolutely steadfast. And that is not allowing any of the hackers to go and hack any of the countries that are part of their little pact over there. Think of the old Warsaw pack they got that band back together. So as long as they didn't harm any Russian or, a affiliated country, They could do basically whatever they wanted and they did. [00:44:29] And they have caused a lot of trouble all over the world. So Friday Russia. As security agency announced that it had arrested members of the cyber gang called reveal. Now we have talked about them for a long time. They have come and gone. The FBI and other countries have shut down their servers. [00:44:56] So reveal disappears for awhile. Then pops his head up again. And Russia said that they arrested members of revival who were responsible for massive ransomware crimes against us companies the last year. So why would they do that? I'm looking right now at the Russian website here, that's part of the FSB. [00:45:26] And it's saying that the Russian federal security service in cooperation, the investigation department of the ministry of internal affairs of Russia in the cities of Moscow St. Petersburg, Leningrad lips. As, I guess it is regions. They stop the illegal activities, a members of an organized criminal community and the basis for the search activities was the appeal of competent U S authorities who reported on the leader of the criminal community and his involvement in an encroachment on the information, sir, resources of foreign high tech companies by drusen militia software, encrypting information and extorting money for its decreased. [00:46:11] Now that all sounds like the stuff that Vlad has been just a happy about in years past. So why did this happen? What brought this about nowadays in this day and age? What is he doing? I've got a little bit of a theory on that one because there have been some interesting development. One of them is this hacker. [00:46:38] In Belarus. Now, Belarus is one of those countries that's closely affiliated with Russia friend of Russia, right? Part of the old Warsaw pact. And you might remember that Bella ruse is right there by you. And of course, we've got this whole issue with Ukraine and whether or not Russia is going to invade president and Biden said something incredibly stupid where he said, yeah a moral response is going to depend upon what Russia does, if it's just a minor invasion. [00:47:17] You're you remember? The president Biden's saying that just absolutely ridiculous. And then of course, the white house press secretary and various Democrat operatives tried to walk the whole thing back, but it's a problem because Russia has, what is it now like 120,000 troops on the border. [00:47:37] Now, if you know anything about history, you know that the military army. March on their stomachs, right? Isn't that the expression you've got to feed them. You have to have a lot of logistics in place. In fact, that's what really got a lot of the German military in world war two. Very nervous because they saw how good our logistics were, how good our supply chain was. [00:48:03] We were even sending them. They cakes to men in the field that they discovered these cakes in great shape. And some of the German armies, particularly later in the war, didn't even have adequate food to eat. What do you think is happening with the Russian troops that are sitting there? [00:48:20] They need food. They need supplies, including things like tanks, heavy artillery, ammunition. All of that sort of stuff. So how do they do that? They're moving it on rail, which they have done in Russia for a very long time. You might remember as well in world war II, the problems with the in compatibility between the German rail gauge and the Russian rail gauge as Germany tried to move their supplies on Russian rails and Soviet rails, ultimately, but on Russian rails and just wasn't able to do. [00:48:57] So hacktivists in Bella ruse right there next to Ukraine said that they had infected the network of Bella Russa's state run railroad system with ransomware and would provide the decryption key. Only if Bella Reuss president stopped. Russian troops ahead of a possible invasion of Ukraine. So this group, they call themselves cyber partisans wrote on telegram. [00:49:30] Now I got to warn everybody. Telegram is one of the worst places to post something. If you want some privacy, excuse me, some privacy, some security it's really bad. Okay. No two questions. So they have, apparently this is according to what they wrote on telegram. They have destroyed the backups as part of the pec low cyber campaign. [00:49:55] They've encrypted the bulk of the servers, databases and work station. Of the Belarus railroad, dozens of databases have been attacked, including, and they name a bunch of the databases. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations. [00:50:20] They also said in a direct message that this campaign is targeting specific entities and government run companies with the goal of pressuring the Belarus government to release political prisoners. And stop Russian troops from entering Bellaruse to use its ground for the attacks on Ukraine. Now, this is frankly fascinating from a number of different angles. [00:50:46] One is, it is very easy nowadays to become a cyber hacker. And in fact, it's so easy. You don't even have to do anything other than send N E. And it's been done, frankly. It's been done people who are upset with a, an ax, for instance upset with a particular company, you can go onto the dark web and you can find companies. [00:51:13] And this revival company was one. That will provide you with the ransomware and they will do everything for you except get that ransomware onto a computer. So you could bring it in to an employer. You can send it by email to the ax. As I mentioned, you can do a lot of stuff. And then the. Ms. Cyber hacker guys, the bad guys will go ahead now and they will collect the ransom. [00:51:43] They'll even do tech support to help the people buy Bitcoin or whatever currency they want to have used. And then they take a percentage. So they might take 30% of it. There's a whole lot. We can talk about here too, including trust among thieves and everything else. It is easy to do this. So to see an organization like these cyber partisans, which I'm assuming is an organization, it could be as little as one person taking ransomware, going into specific computer systems breaking in. [00:52:18] Because again, even here in the U S how many of us have actually got their computer systems all patched up to date? The answer to that is pretty close to zero. And they can now go after a government, they can protect their friends. It's really something. When you start thinking about it, right? No longer do you have to be North Korea or China or Russia in order to hack someone to the point where they commit. [00:52:51] And in this case, they're not even after the money, they just want these political prisoners freed and they want Russia to stop shipping in troops supplies, into the area in Belarus next to or close to. Very fascinating. There, there is a whole lot of information about this online. If you're interested, you can read more about it. [00:53:15] It's in my newsletter, my show notes. I have links to some articles in there, but it really is a tool for the under. We've never really seen this before. It's quite an interesting turn in the whole ransomware narrative. It's just in crazy. That's a quote from a guy over at Sentinel one. Alright. [00:53:40] Lots to consider and lots to know and do, and you can find out about all of the. One way, subscribe right now@craigpeterson.com. I promise. I'm not going to her Hess. You stick around. [00:53:55] We've heard a lot about automated cars. And of course we talked about them a lot here too, but that original vision of what we would have, it's gone now. It's fascinating. We're going to talk about that journey of automated cars. [00:54:12] For years, automakers have been telling this story about how these automated cars are going to drive themselves around and do just wonderful things for us. [00:54:24] And as part of that, they've decided that. The way it's going to work. And I remember talking about this, cause I think it's a cool idea is that there will be fleet of these vehicles think about maybe an Uber or Lyft where you get on the phone and you order up a card and it says, Hey that driver will be here. [00:54:45] Here's the license plate, the driver's name and picture. It's really cool, but general motors and Lyft haven't gotten there. They signed in agreement. To have electric autonomous cars as part of Lyft's fleet of drivers. They did a back in 2016, a long time ago. Ford promised what it called robo taxis and that they would debut by 2021 Dimeler of course, the company that makes Mercedes-Benz said it would work with Uber to deploy fleets of their car. [00:55:27] And the logic was really financial and it made a lot of sense to me, which is why I was so excited. I have car outside. You know about my Mercedes, you. How often do I drive that 40 year old car? Most of the time it's sitting there parked, most of the time, because I don't go very many places very often. [00:55:50] What would it be like then to just be able to have an Uber or Lyft type app on my phone that says, okay, tomorrow I have a 10 o'clock meeting in Boston and I want a car to take me there. So the. Checks with the servers and figures out. Okay. At 10 o'clock meaning, that means you're going to have to leave at eight 30 in order to get around the traffic that's normally happening. [00:56:18] And so we'll have a car there for you. So all I have to do is walk out the apple, probably remind me, my butt out of bed and get outside. Cause the car is about to arrive. So the car pulls into my driveway or maybe just stops on the road and the app reminds me, Hey, the car's there I go out. I get in. [00:56:37] And on the way down, I can work on getting ready for the meeting, getting some things done, just really kicking back, maybe having a nap as we go. And I'm there on time for my 10 o'clock. Just phenomenal. And from a financial standpoint, nowadays, how much is a car costing you? Have you ever done the math on that? [00:56:59] How much does a typical car loan run you per month? And I also want to put in how about these leases? How many of us are leasing cars? My daughter leaves to Gargan believe she did that. Didn't leave to me. It didn't make financial sense, but maybe that's just because I've been around a while. But looking right now at some statistics from credit karma, they're saying us auto loans, new cars, your average monthly payment is $568. [00:57:32] For an average loan term of 71 months. Good grief used cars, about $400. A month payment and average loan term, 65 months. I can't believe that I've never had a car loan for more than three years. Wow. That's incredible. So we're talking about six year notes on a new car. Wow. I guess that's because people buy cars based on the monthly payment, right? [00:58:04] So figure that out. If you're paying $500 a month, how about just paying a subscription service? $500. You can get so many rides a month and you don't have to maintain the car. You don't have to buy insurance. You don't have to make any fixes. You don't have to do anything. And the car will just show up. [00:58:23] That's what I was excited about. And it had some just amazing implications. If you think about it, it city dwell over dwellers and people who were directly in the suburbs, it'd be just phenomenal. And you could also have the robo taxis for longer trips. You can abandon that personal car. Really alternate. [00:58:46] So now it's been about a decade into this self-driving car thing that was started. And, we were promised all of these cars, it reminds me of the fifties, we're all going to be driving, flying cars by. George Jetson one, when was he flying around the cities, but that's not happening. [00:59:07] Okay. The progress on these automated vehicles has really slowed automakers and tech companies have missed all kinds of self-imposed deadlines for the autonomy. Look at what Elon Musk has promised again and again, it's. Basically in 2020, late 2020, it was going to have fully autonomous cars even calls itself dry. [00:59:30] When it isn't really self-driving, it certainly isn't fully autonomous it more or less drives. It stays in the lane as it's driving down the highway. But the tech companies are looking for other ways to make money off of self-driving tech. Some of them have completely abandoned. There's self-driving cars, the sensors like the LIDAR, and I've had the LIDAR people on my show before they've all gotten cheaper. [00:59:55] It doesn't cost you $50,000. Now just for one LIDAR sensor, think about what that means to these cars. So some of these manufacturers of these future autonomous cars are shifting to a new business strategy. And that is selling automated features directly to customers. In other words, you're going to buy a car, but that car isn't going to do much. [01:00:24] Think about the golden key that the tech companies have used for years, right? IBM well-known for that, you buy a mainframe or from IBM or a mini computer from digital equipment corporation, and you have the same computer as someone that has this massive computer. But in fact the difference is that they turn off features and we're seeing that right now. [01:00:49] I'm, I've mentioned that Subaru before where they are charging people for upgrades, but some of the companies are charging you monthly to use a remote start feature for instance, and many others. So what's happening is a major change. We have the consumer electronic show, right? January 20, 20 and general motors CEO, Mary Barra said that they would quote, aim to deliver our first personal autonomous vehicles as soon as the middle of this decade. [01:01:22] So again, it slipped, right? I'm looking at it, a picture of what they're considering to be. The new Cadillac car that should be out next year. Maybe thereafter. It is gorgeous. Absolutely gorgeous. But this announcement, right? Yeah. We're going to have autonomous vehicles, middle of the 2020s. She had no specific details at all. [01:01:48] And apparently this personal robo car project is completely separate from this robo taxi fleet that's been developed by GM's cruise subsidiary. And cruise said it has plans to launch a commercial service in San Francisco this year. So they're going after multiple paths. The logic here is financial. [01:02:11] The reasoning has changed and they're offering autonomy as a feature for the consumer market. Tesla, Elon Musk, they've been charging $10,000 now for the autopilot driver assistance feature. They're planning on raising it to $12,000 here early 2022 Tesla technology. Can't drive a car by itself. [01:02:37] But he's going to charge you if you want it. And I expect that's going to be true of all of the major manufacturer that's out there. And by the way, they're also looking at customization, like color changing cars and things. They're going to charge them as features. Hey, stick around. Visit me online. [01:02:58] Craig peterson.com. [01:03:01] Ju [01:03:01] st  [01:03:01] how secure are our smartphones. We've got the iPhones, we've got Android out there. We've talked a little bit about this before, but new research is showing something I didn't really expect, frankly. [01:03:23] hi, I'm Craig Peter sawn, your cybersecurity strategist. And you're listening to news radio w G a. A M five 60 and FM 98.5, like to invite you to join me on the morning, drive Wednesday mornings at 7 34, Matt and I always discussing the latest in cybersecurity technology. And, Matt always keeps you up to date. [01:03:50] We've got some new research that wired had a great article about last week that is talking about the openings that iOS and Android security provide for anyone with the right tools. You're probably familiar at least vaguely with some cases where the FBI or other law enforcement agencies have gone to apple and tried to have. [01:04:17] Old break into iPhones. Apples, refuse to do that one in particular, down in Southern California, where they tried to get apple to open up this I phone and tell them who was this person talking to after a shooting of foul of fellow employees at a. It was really something, there was a lot of tense times and we've seen for decades now, the federal government trying to gain access to our devices. [01:04:51] They wanted a back door. And whenever you have a back door, there's a potential that someone's going to get in. So let's say you've got a. And your house has a front door. It has a backdoor, probably has some windows, but we'll ignore those for now. Okay. And you have guards posted at that front. All in someone needs to do is figure out to how to get into that back door. [01:05:18] If they want to get into your house, it might be easy. It might be difficult, but they know there's a back door and they're going to figure out a way to get in. And maybe what they're going to do is find a friend that works for that security company, that post of the guards out front. And see if that friend can get a copy of the. [01:05:39] That'll let them in the back door. And that's where we've had some real concerns over the year years here, a decades, frankly, our first, I remember this coming up during the Clinton administration, very big deal with the. That they were pushing. This was a cryptographic chip that they wanted every manufacturer to use if they wanted to have encryption and the white house and every gov federal government agency, and probably ultimately every local agency had the ability to break any encryption that was created by the clipper. [01:06:17] In fact, we were able to track Saddam Hussein and his sons and his inner circle. Because he was using some encrypted phones that were being made by a company in England. And that company in England did have a back door into those encrypted phones. And so we were able to track them and we could listen in, on all of their communications back and forth. [01:06:44] And it's really frankly, oppressed. When that sort of thing happens. So what do you do? What are you supposed to do? How can you make it so that your devices are safe? There are some ways to be relatively safe, but these cryptographers over Johns Hopkins university, Use some publicly available documentation that was available from apple and Google, as well as their own analysis. [01:07:14] And they looked into Android and iOS encryption and they founded lacking. So they studied more than a decades worth of reports. How about which mobile security features had been bypassed had been a hack. I had been used by law enforcement and criminals in order to get into these phones. They got some of these hacking tools off of the dark web and other places, and they tried to figure. [01:07:46] So we've got a quote here from Johns Hopkins, cryptographer, Matthew Green, who oversaw the research. It just really shocked me because I came into this project thinking that these phones are really protecting user data. Now I've come out of the project, thinking almost nothing is protected as much as it could be. [01:08:10] So why do we need a backdoor for law enforcement? When the protections that these phones actually offer are so bad. Now there's some real interesting details of if you like this stuff, I followed cryptography for many decades. Now I've always found it. Fascinating. There are some lightweight things I'm going to touch on here. [01:08:33] We won't get too deep in this, but here's another quote. Again, Johns Hopkins university on Android. You can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways. Another quote here on iOS in particular, the infrastructure is in place for hierarchal encrypted. [01:08:57] Now higher are hierarchical. Encryption is various layers of encryption. If you have an iPhone or an iPad, or if you have most Android phones nowadays, if you use a passcode in order to unlock the phone or even a fingerprint or a face. Your method of authentication is used to encrypt everything on the phone, but in reality, everything on the phone is only fully encrypted when the phone is powered off. [01:09:36] Now that's a real, interesting thing to think about because obviously the phone can't work. If everything's encrypted. It needs access to the programs. It needs access to your data. So what they found bottom line was the only way to have a truly safe machine or a smartphone in this case is to turn it off because when you turn it on and it boots up on first boot, now it gets. [01:10:08] Either by bio medical information, like your fingerprint or your face sprint or your passcode, it then has a key that it can use to decrypt things. So apple has on the iPhone, something, they call complete protection and that's again, when the iPhone has been turned off on boots up because the user has to unlock the device before anything can happen on the phone. [01:10:33] And the is protections are very. Now you could be forced to unlock the phone by a bad guy, for instance, or in some cases, a warrant or an order from a judge, but forensic tools that, that they are using the police and the criminals really would have almost no luck at pulling information off of your phone. [01:10:59] That would be useful at all because it would all be encrypted, right? If they could. So once you've unlocked your phone after that first reboot molt, after that reboot, right? You unlocked it after power up. A lot of the data moves into a different mode that apple calls protected until first user authentication. [01:11:20] But it's what I call after first unlock. So when you think about it, your phone is almost always in the after first unlocks. Because how often do you reboot your phone? No, it's pretty rare that your phone might do on. And this is particularly true for I-phones might do updates and boot and reboot. And then of course you have to unlock that phone, but it doesn't go much further. [01:11:49] The net and that's, what's interesting. That's how law enforcement and the bad guys, these Israeli companies and others have been able to get into iPhones and get into Android devices because ultimately if that computer is turned on and you've logged in, there's a lot of data. That's no longer encrypted. [01:12:10] Oh. And by the way, that's also how some of these attacks occur on our laptops. Particularly if you traveled to. In the memory on that laptop that you close the lid on, you have to re log into is the key to UNHCR, unencrypt, everything, right? Because you logged in once. So all they have to do is freeze the memory, duplicate the memory and put it back in part of the reason, by the way that apple laptops have their memory soldered in you can't do that kind of attack. [01:12:44] Stick around. We'll be right back. [01:12:48] VPNs are good and they are bad. It depends on the type of VPN. Many of these commercial VPNs of people are using are actually very bad for you when it comes to your security. [01:13:04] VPNs are problematic. I did a couple of boot camps on VPNs. Probably I think it was about last year. [01:13:13] Yeah, it was last spring. And I went through and explained and showed exactly why commercial VPNs are one of the worst things you could possibly do if you want. To stay secure. Now I lemme just give you the high level here. I have given people copies of this, if you're interested in a link to that VPN webinar that I did, I'd be glad to send it to you. [01:13:45] Just email me Emmy at Craig Peterson, doc. And ask me for the VPN information and I'll send that all off to you. I also wrote something up that I've been sending out to people that have asked about VPNs. Cause it's one of the most common questions we have Franklin, but here's your problem with commercial VPNs? [01:14:05] Most all of them say, oh, your information safe at zero logging, et cetera. And yet we have found again and again that's not. In fact, it can't possibly be true in almost every case because most of these VPN services are running out of other people's data centers. So they might be in an Amazon data center or IBM or Microsoft. [01:14:32] And inside that data center, your data is coming in and then it's going to. So let's say you're using a VPN and you're connecting to a website. I don't care. Go to google.com via a VPN. So you're using one of these services. That's advertised all over creation. And what happens now is. Your web request to get to Google passes over that encrypted VPN and comes to an exit point because at some point it has to get onto the regular internet. [01:15:07] How else are you going to get to that website? On the other side? You can't, unless you get to the regular internet. So at the other side, now the server is that's receiving the end point of view. VPN is going to send the request to Google. Google is going to respond to that VPN server. It's going to be encrypted and sent back to you. [01:15:30] So what's the problem with that? There's multiple problems. One is the data center can see. That there is the request going up to Google. Now he might not be able to tell who it was. But if that VPN server has been hacked. And let me tell you, it is a big target for hackers, government hackers, as well as bad guys. [01:15:54] Then they do know who went out there and depending on how it was hacked and how the VPN was set up, they may even be able to see all of the data that you're sending back and forth. It's called a man in the middle of. And some of these VPN services do it by having you install some software on your computer. [01:16:15] And as part of that installation, they provide you with a master key that they then use to spoon. The keys for the websites. You're going to some, explain that what happens is if you were to go right now on your web browser, go to Craig peterson.com as an example. So Craig peterson.com. I'm typing it in right now in the browser. [01:16:43] That's directly in front of me. Now you'll see a little lock up in the URL. What does that mean? If you click on that lock, it says something about the connection being secure. Are you familiar with that? What's actually happening is it's using SSL TLS keys, but it's using encryption now to send the data from your computer. [01:17:11] To my server, that's hosting Craig peterson.com. And then my server is sending all of the webpage back to you. Encrypted. Any fact, a VPN has been established between your web browser and my web server. So why use a third-party VB? Because your data is encrypted already, right? Could it be more simple than that? [01:17:46] Now, remember again, that the server on the VPM service that you're using is a prime attack target for everybody else. As I said from government agencies through hackers. So your data is likely less safe because if they get a hold of it, they can do all kinds of things to your data and to. And then on top of it, all the VPN service may well be selling your data in order to make money, to support the VPN service because free VPNs, inexpensive VPN sees the ones that are charging you five or 10 bucks a month cannot possibly afford to provide you with that service. [01:18:38] And in the bootcamp, I go through all of the numbers here, the costs involved. With a VPN service it's not possible to do. They can't make any money off of it. So it is a very big problem for you to use one of these public VPN services. Now, I want to talk about an arc article that was on Z. [01:19:06] Apparently your old pole, which is of course the police over there in the European nations has seized servers. What servers, VPN servers in Europe. Now they seized the servers because they were used by who was it? Grandma looking at pictures of the grandkids. Was it people watching cat videos who was using the VPN server? [01:19:33] The paid VPN service. Wow. It was criminals. And when they seized these VPN servers that were also being used by criminals, they found more than a hundred businesses that had fallen victims to attacks. So who uses VPN services? People who want to hide something as well as people who just want to have their data secure. [01:20:01] Another reason not to use VPN services. So as a part of the joint action by Europol Germany's police Hanover police department, the FBI, UK national crime agency, and others seized 15 servers used by VPN lab dot. Okay. So VPN lab.net net, obviously no longer usable. And they started looking at all of the records that were being kept in these servers and use that to find the criminal. [01:20:36] Does that make sense to you? So VPN lab.net was according to these charges, facilitating illicit activities, such as malware distribution. Other cases showed the services use in setting up infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. You like that. [01:20:59] Now they were using open VPN technology, which is actually very good. As part of that VPN information, I can send you if you're interested, just email me M e@craigpeterson.com. Let me know what you're interested in, and I'll whoop you off an email. Give me a few days I can get behind sometimes, but you can set up your own private VPN server if that's what you want to do. [01:21:25] And I've gotten instruc

Miguel Angel Colls es el CTO de Dominion Commercial y nos viene a contar como su compañía está encarando la transformación digital y que papel jugó un ataque de ransomware que sufrieron. Como hicieron una evaluación de la situación, como empezaron a actuar y como tomaron la decisión de acelerar su migración a AWS recreando la infraestructura desde cero con seguridad como prioridad uno para poder dar servicio nuevamente al negocio de manera exitosa. Nos cuenta como inicialmente movieron las aplicaciones al cloud (Lift & Shift) y como eso les abrió las puertas para poder modernizarlas de manera mas fácil. Esta modernización va de la mano de la atracción de nuevo talento para que trabajen con tecnologías de punta. Miguel Colls Miguel Coll es CTO de Dominion Commercial holding perteneciente al grupo empresarial Dominion Global y que integra, entre otras, las marcas Phonehouse, Alterna y Luzdostres. Bajo su función se ubican las áreas de desarrollo de productos, arquitectura, análisis del dato y agilidad. Rodrigo Asensio - @rasensioBasado en Barcelona, España, Rodrigo es responsable de un equipo de Solution Architecture del segmento Enterprise que ayuda a grandes clientes en su estrategia y migración al cloud con una experiencia de mas de 20 años en IT.Secciones00:00 Intro00:50 Global Dominion y Dominion Commercial02:40 Carrera de Miguel05:48 Los planes de Dominion Commercial09:02 Ataque de Ransomware12:10 Como afrontaron la situación15:05 Que es Ransomware16:21 Vector de ataque17:50 Nueva estrategia21:29 Desafíos en la recuperación28:00 Los desafíos que nadie esperaba30:15 Seguridad en AWS34:37 Servicios gestionados38:52 Costos de operación42:00 Servicios de AWS en Dominion Commercial45:35 Planes hacia el futuro48:58 Talento digital52:25 Desarrollo de carrera53:43 Servicio de AWS favorito55:16 CierreLinksKMS para crear y gestionar claves criptográficas: https://aws.amazon.com/kms/ AWS Certificate Manager para provsionar y gestionar certificados SSL/TLS: https://aws.amazon.com/certificate-manager/ VPN para establecer conexiones entre oficinas remotas y el cloud de AWS: https://aws.amazon.com/vpn/ VPN client para conectarse a la VPN de AWS: https://aws.amazon.com/vpn/client-vpn-download/ Amazon S3 almacenamiento de objetos: https://aws.amazon.com/s3/ Dominion Commercial: https://www.dominion-global.com Quieres ver o escuchar otros episodios ? https://go.aws/3GvrSF8

Watch the live stream: Watch on YouTube About the show Sponsored by us: Check out the courses over at Talk Python And Brian's book too! Special guest: Jay Miller Michael #1: Autosync all branches of a fork Use GitHub actions to keep your fork in sync Step 1: make changes in a separate branch (a branch other than main) to keep the working tree clean and avoiding conflicts with upstream Step 2: Add a new workflow under the “actions” section. We are going to follow the Fork-Sync-With-Upstream-action from the Actions Marketplace. Copy the YAML in the article being careful to use the right repo/branch names Step 3: click on Start Commit and Commit new file and that's it! See your running workflow in the actions tab Brain #2: Measuring memory usage in Python: it's tricky! Itamar Turner-Trauring Nice, easy to follow discussion of memory Cool example to allocate 3 GB arr = np.ones((1024, 1024, 1024, 3), dtype=np.uint8) that's a 4 dimensional array of bytes, 1k x 1k x 1k x 3 “Resident Memory” measured with psutil.Process().memory_info().rss rss = “Resident Set Size”, or “non-swapped physical memory” returns bytes, so / (1024 * 1024) gives MB Shows a little more than 3 GB Doing nothing to process, but opening a few tabs in a browser and re-running rss shows a reduction due to some memory being saved to disk. Fil profiler can show peak allocated memory. Memory Resident Memory : RAM usage Allocated Memory : what we asked for, not really measurable Peak Allocated Memory : kinda the same, but not, and it's measurable Tradeoffs between measuring the two Jay #3: Python f-strings can do more than you thought. f'{val=}', f'{val!r}', f'{dt:%Y-%m-%d}' Caution! Just because you can doesn't mean you should but sometimes you will be looking for a way to do something Michael #4: 10 Tips and Tools You Can Adopt in 15 minutes or Less To Level Up Your Dev Productivity Upgrade your shell (ohmyzsh or ohmyposh) + Windows Terminal with PS 7 Secure.py (or NWebSec for ASP.NET or …) Use a UI for git (SourceTree, GitHub Desktop, PyCharm, VS Code, etc) Sync your github forks Use a good logging framework: Logbook, Loguru, even Sentry SSL/TLS with Let's Encrypt 80/20 testing with sitemaps PageSpeed insights (e.g for Python Bytes) Use an OS package manager: Homebrew, Chocolaty, or Linux's built in) Manage your dependencies with dependabot or even pip-compile requirements.in --upgrade Full conference video Brian #5: How to Start a Production-Ready Django Project Vitor Freitas Some great points for really any project, not just Django projects Make sure different environments work with the project, in this priority: local, so clone and run is easy and new people can onboard fast test, also local, so devs actually test with no issues production, can be more complicated since only experienced people will need it, or it will get run by your CI/CD chain production is also used in staging Configure git and venv from the beginning. Cool requirements files example with a requirements directory containing base.txt test.txt : base.txt + test stuff local.txt : test.txt + dev stuff production.txt : base.txt + any production only stuff Settings setup, also with switched implementation for local, test, prod Shared editor configuration, interesting addition Shared linting and styling tools, isort, black, flake8, … There are some Django specifics also, like app structure. Jay #6: Bunch macOS application that allows you to create starting and finishing workflows How Jay sets up and tears down the newsletter video Extras Jay Monodraw - Make diagrams or outlines using ascii art Joke

Julie Fryer joins David Blank-Edelman to discuss how to achieve better app token security by utilizing Application Roles and what the most effective security measures are to protect your applications.✅ Resources:Configure the role claim More Security best practices: Well-Architected Security Documentation [00:00] Introduction[01:08] What are tokens? Why is too much information in it problematic?[02:01] Why is security a problem, if all my systems are locked down with SSL/TLS?[03:09] Will simply encrypting the token data provide me with greater security?[04:15] What is the most effective, scalable security measure that protects all my applications?[05:23] Why are role-based security measures better than placing a UID in my tokens?[06:07] How do I get started using Applications Roles?

The Azure co-hosts had Gino Filicetti and Peter Laudati back after two years to talk about their latest development of the What The Hack initiative that has now grown to over 30 hacks. They also talk about ways to get involve and how everyone can leverage these hack guides and learn with any group one likes.          Media File: https://azpodcast.blob.core.windows.net/episodes/Episode370.mp3 YouTube Video Resources: Homepage: https://aka.ms/wthhome Repository: https://aka.ms/wthrepo How To Host a WTH: https://aka.ms/wthhost How To Author a WTH: https://aka.ms/wthauthor MSFT Employees: Propose a new hack: https://aka.ms/wthproposal External Folks: Send an empty PR with your idea! Other Updates: Testing device registration health You can use a PowerShell script to test the Internet connectivity to the following Microsoft resources under the system context to validate the connection status between the device that needs to be connected to Azure AD as hybrid Azure AD joined device and Microsoft resources that are used during device registration process. It also, checks for SSL/TLS handshake and report as failure if any. · https://login.microsoftonline.com · https://device.login.microsoftonline.com · https://enterpriseregistration.windows.net For more information, please see… Test Device Registration Connectivity - Code Samples | Microsoft Docs   Perform at-scale, agentless SQL server discovery and assessment with Azure Migrate Learn about the latest innovations: Inside Azure Datacenter Architecture    

Descripción:Dejadnos hablar un momento sobre #MarketingDigital, su importancia en el negocio, ventajas e inconvenientes, herramientas ligadas, #RRSS y buenas prácticas de la disciplina con un espacio también a la #SeguridadInformática. Herramientas recomendadas para... - Gestión y organización: Trello - Email Marketing: Mail Chimp, WhatsHash e Intercom - Gestión RRSS: Metricool y Hootsuite - Conectividad entre herramientas: Automate.io y Zapier - Análisis: Hootsuite y Google Analytics - Posicionamiento: SEMrush Términos asociados a mantener una página segura: - URL (dominio de la página de extensión www.) - VPN (red privada virtual) - HTTPS (extensión principal en una página web segura) - SSL/TLS (protocolo de seguridad asociado a los certificados de seguridad) - IPSec (protocolo de seguridad de red relacionado normalmente con VPN y cifrado de comunicación) Por último, recordad que nos tenéis a total disposición para dudas de informática en nuestro #Consultorio en alttab.clmactiva@gmail.com

In this video I go through the new most exciting features in HAProxy, one of my favorite proxies. HAProxy 2.3 adds exciting features such as forwarding, prioritizing, and translating of messages sent over the Syslog Protocol on both UDP and TCP, and OpenTracing SPOA, Stats Contexts, SSL/TLS enhancements, an improved cache, and changes in the connection layer that lay the foundation for support for HTTP/3 / QUIC. Resources https://www.haproxy.com/blog/announcing-haproxy-2-3/ 0:00 Intro 2:00 Connection Improvements 5:40 Load Balancing 11:36 Cache 15:00 TLS Enhancements --- Send in a voice message: https://anchor.fm/hnasr/message

This Podcast Is Episode Number 0392, And It's About The Benefits Of Adapting To Technology For Your Construction Business If you have a task that you don't like to do, there's an app or software program to take care of it for you. It might take a few moments of your time to learn and understand how the software or app works, but doing so will save you valuable time and precious energy. It will also free you up to spend time on the tasks you love to do, not on all the paperwork and record-keeping that go along with running a business. When you run your own contracting or trade business, your life involves many long days being on job sites while managing projects, staff, and clients. There probably are not enough hours in the week for you to deal with all the issues that arise while keeping your clients happy and taking time out of your schedule to manage your business is probably the last thing you want to do. Thanks to a variety of online software companies, running your business is now a lot easier. You can efficiently manage your projects, employees, finances, and records all through your computer or tablet, freeing you up to focus on your clients.   Here at Fast Easy Accounting, we are thankful for technology tools such as the ones we are using for our current clients. QuickBooks Desktop In The Cloud How much of your time do you spend hunting down financial documents, poring over spreadsheets, and tracking expenses? Searching for and trying to integrate scattered data makes it nearly impossible to close out the monthly books quickly and efficiently. Manage your business finances faster and more accurately by moving them to the cloud. QuickBooks Desktop In The Cloud has several benefits, including: Integration with all your other construction operational systems for the quick retrieval of the most current data; Automation of daily financial processes so you can step away from spreadsheets; Efficient expense tracking that improves accuracy and reduces revenue leakage; and Secure collaboration with team members and stakeholders. Xero Like many construction business owners, you probably didn't dream of owning your own business so that you could manage a paper trail and oversee cash flow. You likely have very little interest in following up on unpaid invoices or spending time paying bills. That's where Xero comes in. Xero takes care of accounting for your small construction business. You can create and track invoices and purchase orders, manage sales and purchases, and set up scheduled bill payments. You can even reconcile bank transactions any time from a computer, tablet, or smartphone and have up-to-date financial information about your business. If you have employees, you can track payroll and manage time and money spent on projects. Xero offers easier business financial management without headaches.  Receipt Bank If you hate taking time away from your clients and work projects so you can manage your paperwork, Receipt Bank has what you need. Receipt Bank is a technology platform that construction business owners can use to manage their vital business documents. Anything necessary to your business - such as receipts, invoices, and other documents - you capture on your mobile phone, through email, or scan on your computer, and upload it to the platform. Receipt Bank then takes the information and displays it for you to download it or send it to connected accounting software. It can also categorize your expenses for you. It requires some time to set up manually, but Receipt Bank will save you vast amounts of time once your account is set up. Hubdoc Hubdoc takes care of data entry, such as entering all your bills, invoices, and other paperwork for you. Hubdoc allows you to take pictures of your paperwork, link it to your account, and develop usable data. It automatically fetches your bills and syncs with your accounting programs. You can even give your accountant access to the program so they can stay on top of your finances as well. If you love the idea of simplifying your home maintenance and repair service business and avoiding masses of paper everywhere, Hubdoc can help you. Hubdoc automatically pulls your bills and statements into one secure hub. This means you have one login to view and manage the documents from all of your accounts. No more logging into ten different sites each month to gather your recurring bills. Three ways to collect paperwork to Hubdoc: 1. Snap a Photo with the App Simply take a photo of your receipt, invoice or bill with the mobile app. Hubdoc scans, extracts, and stores your documents, ready to be published. 2. Forward your Email Paperwork When you become a client, Hubdoc automatically creates a personalized email address just for you. Email in your documents, and we'll do the rest. 3. Scan/Upload your Documents If you've already scanned your receipts, invoices, statements or bills, you can upload them directly to Hubdoc and the software will extract the key data for you. Safe and Secure! Hubdoc uses bank-level security to ensure your data is safe. This includes 256-bit encryption, SSL/TLS, and a Premium Extended Validation certificate -- as well as monitoring and verification from McAfee & TRUSTe, the trusted industry standards in data security. Simplify and Go Paperless! Your important financial records are organized automatically for you, backed up forever and available on any device. Hubdoc is your digital filing cabinet in the cloud. TSheets Getting timecards into QuickBooks and processing payroll can be a big hassle for your construction company. Timecards come in late, causing payment to be under enormous pressure to meet direct deposit deadlines is a tremendous feat on its own. Tracking employee bonuses, reimbursements, and garnishments take time and money and can cost your company some severe fines, penalties, and lost productivity if you couldn't handle it correctly. Manual time cards are painful, and we have found the best time card calculator using TSheets. Final thoughts There's no question that these apps and software platforms can make business owners' lives easier. Most business owners didn't start their business to be surrounded by paperwork and endless record-keeping tasks. Choosing a platform that meets your company's needs will free up time and energy to focus on the things you love to do. Set aside a week or two to look at any processes that can be automated within your business.  Automating repetitive and tedious tasks can help you uncover hidden cost-savers and potential sales opportunities. We use hundreds more in our company - whether it's for Marketing, Accounting, or Production. We have been where you are now and understand how confusing it is to identify which tools are right for your construction company. Please reach out if you need help. About The Author: Sharie DeHart, QPA is the co-founder of Business Consulting And Accounting in Lynnwood, Washington. She is the leading expert in managing outsourced construction bookkeeping and accounting services companies and cash management accounting for small construction companies across the USA. She encourages Contractors and Construction Company Owners to stay current on their tax obligations and offers insights on how to manage the remaining cash flow to operate and grow their construction company sales and profits so they can put more money in the bank. Call 1-800-361-1770 or sharie@fasteasyaccounting.com

Facebook threatens to block sharing of news stories in Australia Maximum lifespan of SSL/TLS certificates is now 398 days Elections offices across the U.S. using faulty electronic technology Thanks to our sponsor, Trusona. Trusona enables enterprises to provide enhanced security and usability to the workforce by removing passwords from the Windows 10 login experience. The solution works with your existing infrastructure without requiring any software or hardware upgrades like Windows Hello, cameras, biometric readers or on-premises servers — making it the most cost-effective and user-friendly to deploy. For more, head to CISOSeries.com

Podcast: The Secure Communications Podcast (LS 25 · TOP 10% what is this?)Episode: Ron Gula: The Future of Quantum CryptographyPub date: 2020-07-09Quantum computing isn't a reality yet, but most experts concede it is not far away. When that day comes, threat actors will have the ability to decrypt data they've stolen years before -- unless that data is protected by quantum-resistant cryptography. On this week's episode of The Secure Communications Podcast, we talk with cybersecurity investor and policy expert Ron Gula about the promises of and challenges associated with quantum cryptography. In this episode Ron is President at Gula Tech Adventures, which focuses on cybersecurity technology, strategy and policy. Since 2017, GTA has invested in dozens of cyber start-ups and supported multiple cyber funds. From 2002 to 2016, Ron was the co-founder and CEO of Tenable Network Security. He helped grow the company to 20,000 customers, raise $300m in venture capital and grow revenues to $100m, setting up the company for an IPO in 2018. Prior to Tenable, Ron was a cyber industry pioneer and developed one of the first commercial network intrusion detection systems called Dragon, ran risk mitigation for the first cloud company, was deploying network honeypots in the mid 90s for the DOD and was a penetration tester for the NSA where he got to participate in some of the nation's first cyber exercises. Ron is involved in a variety of cyber nonprofits and think tanks including Defending Digital Campaigns, the Cyber Moonshot, the National Security Institute and the Wilson Center.  Quick links Check out the Gula Tech Adventures website Follow Ron on LinkedIn  Read Kathleen (00:08): Thank you for joining today's episode of The Secure Communications Podcast. I'm your host Kathleen Booth. And today my guest is Ron Gula. Ron was the founder, cofounder, I should say, and CEO of Tenable. Today he is the president and cofounder of Gula Tech Adventures. Ron, you have an unbelievable bio. You know, you've been on the board of so many different cybersecurity companies. You're an active investor. You are, have served as a global fellow at the Wilson center, an advisory board member for George Mason University's National Security Institute. You have such a fascinating perspective on the cybersecurity industry, you know, too much to name. If I went through your whole bio, we could spend the entire podcast on that. But, but I'm really excited to have you here and, and get your perspective on a topic that I think is really interesting, which is quantum cryptography. Ron (01:00): Thank you very much for the the kind introduction and thank you very much for having me on the podcast today. So quantum cryptography, I, I it's, that's a topic that people should be very, very afraid of. But unfortunately we're really not doing a whole lot about it right now. So you know, assuming your users know a good bit about cryptography already, I kind of look at this problem as if somebody's collecting all of your encrypted traffic. Can they use a quantum computer at some point in the future to somehow break that traffic? And you would think that because of that threat, perhaps from quantum computers, you know, that there'd be more investment here and more awareness, but there really hasn't been. Kathleen (01:43): So let's start out by talking about the timeline, because I think this is something that, well, it's certainly something that I find fascinating. And I don't know if, if everybody understands it and maybe this is one of the reasons for a lack of investment in it, you know? We don't have quantum computing yet. What is, what is your opinion as far as when you think that it will actually be usable? Ron (02:07): So it's, it's interesting. I, I've, I've gotten a chance to spend some time with quantum computing companies and I ask them, so, you know, I ask them, so when can we break crypto? You know, when can we solve certain kinds of other problems and whatnot? And typically there's not a good answer there. And, and, and I said, well, do you think anybody else has done it? And they typically say no, because as soon as somebody has figured out how to do it, all these people are going to disappear and go work for the CIA or the NSA or a bank or, or, or, or something like that. So I think it's really difficult to put a number on, is this like a next year thing or next decade thing? And the problem kind of also overlooks the fact that you've got to collect all this traffic. Ron (02:48): Now, if you think about, if you imagine that the NSA and our adversaries have an infinite amount of storage and have infinite points to collect our data, then, then this is a problem. But, you know, the reality is that we live in a world based on physics, and, you know, a lot of these things need to be stored and kept in places. And I don't think the average person's having, they're, they're, they're having more stuff stored on them in social media, then perhaps an adversary is going to, you know, kind of come after them and collect on them Kathleen (03:17): Now, and, and, you know, I'm not a highly technical cybersecurity expert. And so my understanding of quantum the risk associated with quantum computing is that, you know, we don't have to worry right now that somebody could use it to, you know, crack, crack into some of the most protected information we have, but someday it's going to be a possibility. And I think, you know, the average person might think, well, who cares? So someday we'll deal with it then. But I guess my understanding is it's, it's more, you know, we can have that data stolen now and it can be held and eventually compromised in the future when that capability does come online. Is that right? Ron (03:57): It is a good, a good application of that is imagine you have something today that a crypt, cryptography that we all use - the TLS, SSL TLS you know, basically the, the S in your HTTPS. Technically you should be able to go and, you know, go to a coffee shop and go visit your favorite, you know, Facebook website, that's got, that's protected by that kind of, of crypto. And even if it was collected, it's going to be hard to break. But if at some point in the future, you know, somebody does come along and have an easy to use quantum computing, you might be able to do that. Now it starts getting a little far fetched. Is there a coffee shop somewhere, of course, pre COVID or whatever, you know, but it's some place that we're all using, you know, publicly collectible traffic that we could then say, well, the one day Ron Gula came in and happened to check his bank account. Ron (04:49): I have those packets that are in there and all, all set to go, you know? It's, it's just, it's when you think of all the things you have to do to protect yourself online, you know, patch, two factor authentication. This, it's just not the top of list for most people. And if they want to, they can just use their own, you know, a VPN, a product that you guys offer, right? Where I've done my key exchange ahead of time. You know, granted, you might be able to collect those packets and, and do it, but now you're, you're still a much harder target than people who are just relying on the cryptography from the web applications that they're using. Kathleen (05:26): Yeah. And it seems like for the average person, the notion that somebody could steal my data now, and, you know, 10 years from now, they could crack into it, I would think, so what? Like, my credit card numbers will have changed by that point. Who knows if I'll be at the same bank? Like, it almost, it doesn't seem like much of a risk to me, but where I think it gets really scary is when you think about data leakage from a place like the NSA, which, which has been compromised, you know, and there has been information stolen out of there, and maybe somebody can't process it and get into it right now. But, but if 10 from now, they're able to discover the identities of certain people or, you know, different programs that the U S government has, that then becomes a truly frightening prospect it seems. Ron (06:08): It is. And again, it's hard to be a, you know, a cybersecurity pro, cyber security person and say like, this is just not that big of a deal. But for me, I used to be like, Hey, look, this is a big problem, right? Computer's gonna be a lot faster, whether they're quantum or not. And, but at the coffee shop, you know, with using your quantum resistant cryptography, chances are the, the, the 20 dollar lock on your house that you bought from Home Depot, somebody can bust through that and put, you know, sniffers in your house you know, but little bugs that can get the same kind of information that you're trying to protect. So the question is really is, you know, when you bring that over to a large enterprise, it's, it gets, it gets interesting. It's just not the number one thing that people are working on. Kathleen (06:53): So given that the differences in the kind of, the level of risk and the implications of a compromise, do you think that, where, where do you see most of the work coming from on, on quantum resistant cryptography? Is it, do you see a lot of it coming out of the government or being funded by the government, or do you see more of it coming out of the private sector? Ron (07:15): So, so the biggest innovation I've seen in quantum resistant sort of security is, is this concept of, of multipath communications or shredding. So if I'm going to go from point A to point B, and you're assuming that your adversary is collecting on you between those things, if you can take a thousand different routes, every second, you're going to minimize the amount of data that they can collect on you. And of course, they're on your computer. Your computer is compromised. It's not going to help you, but neither will quantum resistant cryptography. And similarly, you know, if you're worried about data at rest, and you've got a one MB file, if you had a, like a hashing algorithm or a way to just physically separate that file into many, many different places - a little bit on Amazon, a little bit on Google, a little bit on your USB drive - you know, whatever, whatever that combination is, an adversary would then not only have to be able to break, your crypto, like get access to all of that, that data, that data. So the strange thing is, I've been pitched a bunch of companies like this, and there's pretty cool things. And I just, haven't seen a lot of people jump on this because they're on this mindset that the future is basically endpoint cryptography, or endpoint computing and cloud computing. You know, there'll be no CASBs in the middle. There's no, it's just about that secure access between where I need to go and where I need to go. And they're not worried about, you know, making sure that it's crypto or quantum resistant at that point. Okay. Kathleen (08:37): What do you think is, needs to happen to change that? Ron (08:42): There's gotta be a little bit more, I think, demonstration of this. And unfortunately, you know, the demonstrations we are getting is that when we break crypto, it's usually a software bug, right? Someone's figured out a way that they can see the CPU, change a crypto algorithm, extract keys, extract that, that type of stuff. But the problem is, is that, you know, just doing basic cryptography is so hard. You really have to understand who has access to your keys. You have to rotate keys, you have to do all those things. And I always like to point out that a lot of people got into cybersecurity came out of the military. They were key custodians, right? They were the people who would re-key the point to point bulk encrypters. They would, they would do things like change the codes for, you know, for duress, the duties got protocols for changing these different things. And the commercial world, private citizens, they have no concept of that. Ron (09:29): Right? I mean, I, I know people who have bad passwords to get into their password manager, you know? It's like, that's not the point, you know? So, so that's my concern is that, you know, we've really got to level up, a lot of basic hygiene things before we go tackle this. Now don't get me wrong. If, if tomorrow you know, Facebook or, or, or, or Amazon, or, you know, whoever has got more advanced, you know, ways for us to authenticate and, you know, encrypt as we, as we connect to them, you know, I'm, I'm, I'm happy with that. But in the meantime, you know, I still recommend people, like, if you're concerned about this, you should be buying products like Attila. You should be buying products that where you control your own infrastructure and then make use of what you control, because you can't just control everything else. Kathleen (10:17): So who's, who's doing really interesting work in the field of quantum cryptography? Who's out there kind of at the cutting edge? Ron (10:26): So there's, it's a little bit like the supercomputers, right? And so they, they every, every month or so you hear, Oh, the Japanese have got the world's largest supercomputer or the Russians do, or the Chinese do. Right? So the quantum folks are doing, doing interesting things. So the quantum computing folks, you've got here in Maryland, you've got that. Everybody's got a project because there's such interesting things. And, you know, I get to watch a lot of science fiction and, and play a lot of science fiction. You know, like World Builders. I'm playing Expanding Universe 2 right now. And it's kind of like Civilization, right? And quantum computing is usually one of the things you unlock that gives your, your race or your species, you know, magical powers. The problem is that the promise of what the quantum community just hasn't, it hasn't delivered yet. I think if anybody has broken it, you know, or they haven't done a lot of a lot of practical things with it just yet, that we've, that we've seen. Kathleen (11:19): So do you think it will be broken at the nation state level or in the private sector? Ron (11:22): Yeah. These are very, these are it's um, so without trying to sound too negative, so venture capital people talk to each other and you know, why would you invest in this company? Why would you not invest in this company? And it really tracks, the quantum computing, it's really tracking like healthcare research, where it takes a long time. There's a lot of PhDs in involved. A lot of universities involved. A lot of research. I mean, this is not true trivial stuff that you're going to do in your, or your, your garage. You're talking, moving atoms your, and then getting them to do things, things, and compute. And it sounded like wasn't that what a chip is? Like, Oh, the science is a lot different. Ron (12:07): I was very lucky. One day I got to visit one of these, these super computing, quantum computing companies. And there was another visiting fellow and, and this person had been to like nine other places. I got to hear about all the different kinds of, I'm dated because it's only two years ago. But at the same time, this could be a 20 year journey before we have a practical computer that you can buy in your, your you know, in your house. And it reminds me of when you, when you go and you see these, these quantum computers, you, you're like, where's the computer? They don't look like computers. It's telling you, there's a couple of these organizations. Ron (12:50): They show basic things like, show me how to code the traveling salesman problems. And I'll, I'll get the look like, no, we're not, you know, we're not really there yet. It's something I think is, is worthwhile to do. And if we're going to talk, talk a bit about quantum encryption and a bit about, there's this third area about quantum communications, where you can basically encode you know, the photons, the wave lengths in a certain way. Possibly you can, you can change a quantum object here. Maybe you can, you can stimulate it moving on the other side of the universe as a form of communications. I would love to see that. Everything I've seen has been snake oil. So, you know, I'm all for that kind of stuff, but it's, it's, it's not ready for commoditization in prime time just yet. Kathleen (13:37): Yeah. Now how accessible, if, if somebody is concerned about this and they do want to take steps now to try and protect their data, how accessible is quantum resistant cryptography now? Ron (13:51): Well, one of the reasons, so it's very accessible. You know, one of the reasons that the venture capital community has not jumped on this, it's because the cryptography becomes an OEM type of type of market. And before, you know, I get jumped on for, not from you, but know my business model. There's nothing fundamentally wrong with that. Ron (14:20): I have to do similar things. I probably have been pitched the last three, four years, probably about maybe 10 or 11 different quantum crypto library companies, where they actually don't sell anything to a direct customer. They sell it as a third party. Like a you know, w which is the believer that it's the right thing, because, you know, photography is hard. What you want is you want a team of really, really smart people who that's, all they've done. They focused on the cryptography has been vetted by the U S government. You know, that, that that sort of approach, the problem is that if they're out there selling well, licensing a library, it's not a huge, a huge thing. Back in the late nineties, early two thousands, I remember that you know, ISS, for the product that they were doing, they switched to elliptic curve cryptography to you know, communicate with their agents. And it was more resistant and that kind of stuff. Didn't really make a lot of difference I think for, for, for people that were like, okay, that's cool. That's, that's, that's better crypto, but, you know, does that really make you a better, a better security? And you would think it would be, especially since people do break into security products, but the market didn't, the market could have cared less. They want easier to use products. They don't really want, you know, that kind of stuff, but that's kind of where we're at right now. Kathleen (15:31): That's so fascinating. I mean, I think it's, it kind of applies to a lot of security, the sense that, you know, while we know there are risks out there, we just choose not to protect against them. It's, you know, it's like buying insurance, it's the same principle. It'll never happen to me. It's not going to happen anytime soon. That sort of thing. So I'm, I'm curious to see, what's going to take place that will prompt more of an interest in this. Ron (15:54): Yeah, what's going to happen, in the United States, it's NIST. N I S T is the group that does that. You've probably heard of it. DES encryption and triple DES, and then there was AES encryption and, and NIST does bake offs the same way that the air force does bakeoffs, like we have the F22 Raptor aircraft. But, but what do we really want? And this has got a lot of input from the NSA. They got a lot of very, very smart mathematicians and they're baking off these algorithms. And you know, I haven't gotten a recent update, but almost every pitch I get is like, Oh, we're part of the bake off for NIST. We were, we won this, this, this part of it. That's great. That's awesome. Kathleen (16:45): Yeah. Demand just needs to follow, I guess. Ron (16:49): It is. It's, it's one of those things where you, you know, like, let's say I got a tip from somebody who had a breakthrough in, in cryptography. You almost don't want to touch that because historically, that's where, you know, something's wrong and you, you miss a leak, you miss some sort of entropy sort of, sort of where you can actually decrypt it. And now crypto is the NSA because they have enough people to do the peer review and, and literally red team it and attack it. And I think that's very apt in these kinds of things. If you're a small company, a 10 person company, and you're coming up with the next generation, you know, quantum resistant, crypto, great prov it. You know? Go to NIST. Go to all that stuff. And, and then even after that, what's your business model? Like, why is your crypto going to be that much better than, than, than everybody else? Kathleen (17:44): Yeah. Well, it sounds like the U S government will lead the way, at least in creating demand if, you know, for it to protect itself. And then, and then it sounds as though that that could roll out a form of standards or regulations that would eventually bleed into the private sector. Is that accurate? Ron (18:00): Yeah. It's, it's, it's, it's very accurate. Ron (18:12): There's like satellites, if you've did right. It's, it's there. But when you're, when you're in space and when you're, you're there, know that's, that's weight on that device. So, so there's believe it or not, you know, there's a really a need for just encrypting in general. And it can even be bad encryption, but there's a lot of stuff that's, un-encrypted, that's, that's, that's still going on today. Actually, we have more encryption everywhere that you know, we have a lot of other things that were, that are in the clear now, that are not so much in the clear. Kathleen (18:42): Yeah, yeah. It's fascinating. I was talking to somebody the other day about IOT and it sounds like that's one area that, that is incredibly vulnerable for that same reason. Ron (18:52): So not only with IOT, do we have an issue where the device itself might have not been coded securely, but the protocols that'd be an inline when, if you look at something like SMB version three, which is very enterprise ready and has all sorts of which of levels of, of cryptography, you know, kind of built into it, you know, you just don't see that, you know, and, and talk to the cloud and we're going to give you a web interface, or a mobile app to talk to that cloud, you're hardly ever, so we need to reverse engineer it. With like one of your portfolio companies, you know, Refirm Labs from DataTribe there, you know, they find tons of stuff in IOT devices, all, all the day. Encrypt, you know, can, can you encrypt that better? Can you keep it, what's being collected half the time? So, so that's kinda where I'm seeing that market at right now. Kathleen (19:53): Yeah. Now, switching gears, you are an investor, you, as you mentioned, you get pitched by a lot of companies. You see a lot of technology. Is there a particular cybersecurity technology that you're really excited about right now? Ron (20:12): My friend's at DataTribe have some of my favorite companies. So way, the way I like to talk about it, is that, you know, I've done two companies. I've done Network Security Wizards, which was a network intrusion detection company. We did Tenable Network Security, which is cyber, you know? Ron (20:36): And swim lane. And after I left Tenable as an investor, I really got to explore. There's Huntress Labs. Huntress Labs is really focused on the SMB and finding malware, or finding back doors, finding, you know, phishing, phishing targets, you know? I find that very exciting. It's not about just their detection is it better than, you know, a Crowdstrike or a Sentinel One. It does it. Cause when, when you're dealing with a dentist office, it's a such a different mindset than, you know, dealing with like a bank, you know? Where we're, where they've got, you know, so I'm enjoying stuff like that. I'm, I'm really enjoying a lot of the different ways we can solve some of these problems. Some of the things that, that we've invested in is like cyber education. So if you look at the work that we're doing with Cybrary and you extend that to people like Catalyte, you know, that's, that's really interesting. The ability to use AI and, and, and create, you know, developers and IT teams, or in Cybrary's case, you know, the development or the ability to really, you know, pull people either from you know, inner city, retiring veterans, just anybody who's got a, access to the, to the internet, you know, into the cyber you know, career is, is just, is just really, really fun stuff. Ron (22:05): So it's, I think my biggest frustration sometimes is I'll, we'll invest in a certain category and somebody will solve it a certain way. And then another company will come along and solve it almost completely differently. Then we're sort of like, okay, well, do we want to invest in both of these companies, because they're going after the same dollars. Kathleen (22:27): Yeah. Ron (22:34): On the cloud, like Cloud Flare, or are you going to be in like a contrast, you know, and those two completely different businesses, well, security, it gets, it gets in there. That's the world I get to live in. And I really enjoy helping people think through that. And you know, hopefully we're making a difference and invest in the second and third tier here. Kathleen (23:02): Well, I love that you're involved in so many different education organizations and, and trying to kind of bring up the next, the next generation of cybersecurity professionals. I also love that you've been in business with your wife for so many years. Fun fact, I owned a company for 11 years with my husband. And so I feel like we could have an entirely separate podcast episode just on, just on working with your spouse, but I think that's, that's fantastic. And I love that story about what you guys are doing. Ron (23:30): So it's, it's funny you know, a lot of people know our story. You know, Cindy didn't get sort of the cofounder or on the web sort of, sort of u, you know, I had it explained to me, if you look at the, just for example, the divorce rate, you know, that kind of stuff, there's just, there's a, there's a 50% chance one of you is going to get divorced and leave the company and it, and that's a real risk. I get it. I get it. Having said that though, now that we've been a lot more public about it, I'm finding like you, you, you did business with your husband. I'll find a, to a brother's team, you know, that, that, that are working together. Now, brothers don't get divorced, but you can have fallings out with your families and stuff like that. I find that if you can make it work, it can be a very, very strong thing. But whenever we do sort of like off the cuff marriage counseling or anything like that, it's not like, Hey, why don't you, you guys go start a business. That'll solve all your, you know, all your things. But, but yeah, no, glad that, glad you brought that up. Kathleen (24:35): Yeah. I think going into business with anyone is kind of like getting married. Like, you have to be a phenomenal communicator and you've got to talk about everything to make it work. I always say that my greatest accomplishment in life is that I'm still married after 11 years of business partnership. So you're right. It's, it's, it's great. You have a level of trust you can't get with somebody you know, somebody else, who's not your family, so fantastic. Well, I really appreciate you joining me for this episode. It was, it was fascinating. If somebody wants to learn more about you and some of the work you're doing, where should they look online? Ron (25:12): So we maintain a webpage at gula.tech. We have a list of all the portfolio companies, including the DataTribe companies like you guys. And you know, we blog a good bit about podcasts. I'll be putting this on our blog eventually. And then you know, if they want, I do, I do post pretty pro, a good bit on LinkedIn, a little bit, you know, business. You gotta keep it on LinkedIn, but I appreciate anybody that wants to look us up. So let us know. Kathleen (25:48): Fantastic. Well, I'll put those links in the show notes. And if you're listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. And we want to hear from you. If you have an idea for a future episode, tweet us at @Attilasecurity. Thanks for listening. And thank you, Ron. Ron (26:06): Thank you.The podcast and artwork embedded on this page are from Attila Security, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

This episode is brought to you by me. If you like this show and want to support it, please visit my courses on Pluralsight and buy my new book "200 Things Developers Should Know", which is about Programming, Career, Troubleshooting, Dealing with Managers, Health, and much more. You can find my Pluralsight courses and the book at www.developerweeklypodcast.com/About Tim is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management who is based in Nashville, TN in the United States. His professional specialties include Microsoft Azure, cross-platform PowerShell, and all things Windows Server-related. You can reach Tim via Twitter (@TechTrainerTim), LinkedIn or his website, TechTrainerTim.comShow resources:Twitter @TechTrainerTimLinkedInwww.TechTrainerTim.comTim's YouTube channelTim's Pluralsight coursesAzure FridayAzure LearnLinux AcademyAzure Status UpdatesPluralsight course: Microsoft Azure - What to Use When?Microsoft Azure certificationsFull transcript:Welcome to another episode of developer weekly. This week I'm talking with Tim Warner about keeping up with Azure. Tim is a Microsoft most valuable professional MVP in cloud and data center management based in Nashville, Tennessee in the United States. His professional speciality includes Microsoft Azure cross platform PowerShell, and all things Windows Server related. You can reach them via Twitter, at Tech tamer at Tech trainer, Tim, LinkedIn or his website, tech trainer tim.com. Thanks for being on the show Tim. Tim Warner  1:37  You're very welcome. Very, thanks for having me. It's a pleasure. Barry Luijbregts  1:40  So you are very active with Microsoft Azure. And amongst other things, you create videos about Azure and Azure certifications and even released a new Pluralsight Azure course on Pluralsight today. Tim Warner  1:53  Yeah, that's right. I've been an IT generalist since 1998. And I've always because I'm excited In so many different aspects of it, I've kind of intentionally avoided specialization. But it just happened over the last five or six years that I got involved in Azure. And it's been a perfect fit for me professionally, because I guess, well, more than I guess I know that as your is my professional specialization, but within Azure, given that the ecosystem is so broad, I can be a generalist within Azure. And to your point, the course that we released today is actually a complete redo of a course that I recorded Originally, I think, last summer summer of 2019. It's called something along the lines of developing batch processing solutions in Azure. And originally, I centered it around as your SQL Data Warehouse. But of course, in ignite 2019 as your synapse analytics was introduced, and as your Data Explorer is now in the forefront, so I just decided to scrap the old course and redo it from scratch. Barry Luijbregts  2:58  So you came from From an infrastructure, specialty, right? Tim Warner  3:03  That's correct. As far as the DevOps continuum, I skew more towards the operations side. However, I've always, I consider myself a hobbyist programmer. I guess I'm a professional scripter. I'm proficient with PowerShell. And to an extent Python, but more in an infrastructure scenario, like you said, Barry, but I mean, I remember my first exposure to computer programming this when my dad bought one of those tiny Timex Sinclair t 1000s. It was the $99 computer and Europe. It was called the ZX Spectrum, I think. Right. And basic programming is how I originally got into the field. Barry Luijbregts  3:45  Oh, that's, that's incredible. And now it's all into clouds. You know? Tim Warner  3:48  Isn't that something? It's funny how things turn around. I remember also, just before when I was in college, before I got into it as a career I had a summer position feed These, they look like old fashioned eight track tapes into these IBM tape drives because the company was a mainframe shop. And it's funny how things are circular now with the cloud in some ways, that's almost like a return to mainframe computing, isn't it? Barry Luijbregts  4:16  Yeah, definitely. So you've then been working with the cloud for quite a long time. And you say that you're a generalist and in the cloud, but still because Microsoft Azure is so extremely broad, as in there are developer services, but there is also infrastructure services and everything in between, right? And what do you focus on within Azure? And how do you choose what to focus on? Tim Warner  4:38  Well, in my job at Pluralsight, I'm a full time author. So I have I used to have more flexibility in the subjects that I chose, but I'm more I consider my biggest benefit to the company is that as a generalist, I can kind of pitch in and help if there's a course that maybe nobody wants to cover because it's so knew, I'm happy to jump on those subject. Those subjects. That's kind of how batch processing came onto my workbench. And I've taught a course on messaging services. And those are products that tend to skew out of my infrastructure home. So it was a good opportunity to stretch. I think in general, regardless of whether you're an author or a trainer, if you're looking at Azure as a career, you really have to be committed to always learning. I can't imagine somebody who wants to go into it primarily for financial reasons. And for job security reasons. I would really warn them against unless they really enjoy what they're doing. Because with Azure, you're going to fall behind too quickly. If you're not always actively learning new stuff. Barry Luijbregts  5:47  Yeah, it goes extremely quickly. new services are added all the time and existing services change and new features are added or they get deprecated. So So how do you do that? How do you precisely keep up to date with all those changes. Tim Warner  6:02  You and I have both shared with the community on that subject of staying current with Microsoft Azure. So the first thing I'd recommend your listeners to do is to do a good old Google or Bing search for how to stay current. And they'll find your piece I've presented at some user groups over the last year on that subject. And I'm looking at my browser right now in the Azure architecture center in the cloud adoption framework section. Microsoft itself has a nice article on staying current. Some go to like most important sites that I would recommend that people have bookmarks, or the Azure updates site, which is where I don't know if I guess all the product teams are supposed to post there. I don't know if they all actually do I'd say most. The Azure updates is where you're going to see features that are in private development and then as they come into private preview, public preview in general availability and if you're all dog like myself, In your RSS, you can subscribe to the Azure updates as a feed. There's the Azure service health dashboard within the portal. If anything on Microsoft side is going to affect your services, you can see a personalized view directly on the portal by looking up service health. Let's see I think as your has a top level blog, yeah, Azure dot Microsoft comm forward slash blog. And again, it's up to each product team, how often they post there, but you can keep up to date. And honestly, lastly, as you're working, especially in the Azure portal, pay attention when you're looking through the different blades when you see preview after something Oh, that wasn't here before. I mean, I'm surprised every day and I've, I've talked to enough Microsoft employees and team members that they get surprised too, so don't feel bad as an Azure customer. If sometimes you feel blindsided because I can attest to that I've talked to plenty of full time as your engineer And team members who are also surprised. It's just that fast moving of an ecosystem. Barry Luijbregts  8:06  Right. Yeah, it's, it's crazy. And then you can also use the preview portal right? So preview? Yes. portal.azure.com. Tim Warner  8:14  Very good. Yep, definitely, of course, there's the provision or previz or warning, whatever you want to say that, depending as a general rule, features that are in public preview don't have a support service level agreement attached to them. Sometimes Microsoft will make an exception for that. But generally speaking,  when you see preview after a service, consider that to be dev test and not prod. Barry Luijbregts  8:41  Yeah, right. So when do you consider a service for learning a deeper as in, they might be in private preview or in public preview and generally available? Do you only dive in when they are generally available or already when they might be in preview? Tim Warner  8:57  When I work with customers, I really am pretty concerned. About that, because of the first of all, I'll dig with them to make sure that a team is not offering a service level agreement or any kind of support when a feature is in public preview. An exception to that is Azure migrate, they were doing production support even when the server migration pieces were in public preview, as a plural site, and author, as a policy Pluralsight. And our agreement with Microsoft, we do not cover public preview features simply due to their volatility. I mean, we're already on a six month review cycle, we revisit our training courses every six months and make any changes as appropriate. It would just be too much management overhead if we included public preview features. So I tend to get into public preview features just personally as a professional development thing more than anything else. So I have a leg up to be helpful when the feature gets closer to general available. Barry Luijbregts  10:01  Yeah, yeah, the same same for me as well. Plus, I, after a couple of years of doing this, then you get kind of a sense of where things are going and if a public preview feature is going to stick, or that it might just be something fun to, to experiment with. Tim Warner  10:18  Isn't that something? Yeah, I mean, Asher blueprints is a service that I like quite a bit. It's been in preview public preview, seemingly forever. It's been in preview so long that Microsoft worldwide learning actually includes blueprints on many of the Azure certification exams so that we were joking about that just yesterday when I was chatting with them about that. Supposedly blueprints is gone is gonna go generally available someday. And then other features like as your Bastion and this is just my own personal opinion, I think they went ga on that too quickly. They announced it as a generally available service at Ignite last year. And it still is nice as Bastion, as it has some very significant limitations that I know for a fact are preventing many businesses from adopting it. Barry Luijbregts  11:05  Yeah, I guess many of these things are dependent on marketing efforts, whatever, internal goals and targets to companies. Sure. Tim Warner  11:15  Yeah. I mean, it's human, you know, human, these companies are run by fallible human beings. And when you've got a company as enormous as Microsoft, like you said, You've got all these different groups, it's a wonder that they can ship any software. Barry Luijbregts  11:32  Yeah, absolutely. So when you then go through the lists of updates and new services and things that changed, how do you do that? Do you do that once a day or every week? Or do you do you develop healthy habits around that? Tim Warner  11:50  I don't have a habit of for instance, looking in the Azure updates, but I do have a habit of reading the tech news each day. I just use Google News is my news reader and I have alerts on Azure and Microsoft and this kind of thing. And I have my Twitter feed I checked that several times a day and because I'm connected to a lot of Azure people yourself absolutely included I'm able to get a heads up on on things probably that way more directly than anything else. And once I get a heads up on on a feature service, then I'm inspired to check the documentation and see if there's anything in there look up on the Azure updates page see like you said, the preview portal dot Azure calm if it's surfaced in there, etc, etc. Barry Luijbregts  12:39  Yeah, I do. I do the same thing as well. I create my little internet bubble of like minded people that talk about Azure, for instance, in Twitter and put them on a list and then I can can just keep up to date. Yeah. So once you've selected something like you know about a new surface that you might need to make a course for Pluralsight about how do you go about learning something new like that?  Tim Warner  13:04  That's a fun question. Because I'm really I consider myself a born learner, which means that I'm extra happy and Azure. And also the fact that I am one of those folks who has multiple learning preferences. I mean, some people are more visual, some people are more listening and conversational. I'm grateful that I can adapt to all of it pretty much. If it's a brand new thing for me. Then I'm going to start by just drinking from the fire hose in as many different ways as I can. I'm going to use computer based training, and listen and pay attention to what the instructors are saying. I'm going to see if Scott hanselman talk to any engineering team members on Azure Friday. I'm going to look for blog posts. I'm going to just try to like I said drink from the fire hose to get over That initial hump, that initial learning curve, that's the toughest to get over. I'm also going to be reaching out to colleagues, professional colleagues and friends who are already expert in that technology. And I know I've reached a good point when I'm able to talk intelligently and discuss the subject with people who do it for a living, then I know I've reached that point where I'm over that initial hump, and I'm ready to go to the next level. It's Um, okay, I hope that was helpful. Barry Luijbregts  14:32  Yeah, definitely. And then, do you then also use it in a real world scenario? Tim Warner  14:39  Not everything. But mostly, what's cool about Azure is that it kind of reminds me of a magnet that's picking up metal shavings. It starts collect door a snowball rolling downhill, as my skill set with Azure expands and expands then yes, in my consulting real world life that I Have, I'm able to add those in matter of fact, I've picked up some AI some Azure AI skills over the last year. So I'm going to finally have a chance to flex my muscles on that and a consulting engagement pretty soon. So yeah, definitely as, as I pick up these skills, it's important that I actually apply them in the real world. I don't have a lot of time for consulting. But it's crucial. Like you said, Barry, because there's theory. And there's practice. And the real world practice is quite a bit messier than what you see in a typical Pluralsight lesson. Barry Luijbregts  15:38  Yeah, absolutely. You know, I also create PluralSight courses and they get the chance to edit everything out and things look a bit smoother than they are in the real world. And also, when you actually start working with something, then you get to find out what all the bugs and hurdles and little things are that you don't read about in the documentation. Tim Warner  16:01  Yeah, exactly. There's nothing like feedback expand, it doesn't have to even be me working necessarily. A large part of my professional development is talking shop with people who do this work full time in the field. And by I can capitalize and really leverage their experience and add it to my own. I'm grateful for this as your thing because I remember I've struggled over the entire time I've been in the industry, between the practical hands on experience and then being a credible instructor. And it used to be a lot harder before the cloud to the point where literally, I would work full time as an instructor for a few years, then I'd go out into the industry for a few years, then I'd go back and forth. It's kind of jarring. Now with the cloud, I'm actually able to do both I'm able to do what I love teaching and writing and transferring now But I still from the comfort of the same office that I teach from, I can do real Azure work with customers. It's a beautiful thing to be able to do both of those things simultaneously. Barry Luijbregts  17:13  I have to say my same experience. Absolutely. Yeah. And, you know, there are people that are, let's say, full time authors, they create books and PluralSight courses and other things online. But I do think that you, you need to keep consulting and working in the real world. Otherwise, you don't know if what you're teaching actually works in the real world and how we write and how it affects real customers and real solutions. Tim Warner  17:38  Oh, it's invaluable to the point where, and I think this conversation is really spring, a lot of gratitude in me that I have that because I'm thinking about when I'm teaching and how I'm always thinking of use cases and real practical scenarios and I'm grateful that I can rattle those off because I do have that side. To my skill set. Barry Luijbregts  18:02  So you also have a YouTube channel with a lot of videos on there and also a lot of videos about Azure certifications on there. What do you think of as your certification? And should people take those? Tim Warner  18:18  So long story short, I'd say is Yeah, yes. And some reasons for Azure certifications are number one, it's going to be a differentiator for you in the job market. I've heard some people make the counter argument app. certs are a waste of time all they're good for us to get you past the first step of an interview process the human resources. And I'm like, yeah, that's legitimate. Right? And if you have the cert, you may get past that first step, whereas several other people who don't have the cert don't get past that first step. Another thing is, especially nowadays, the way that these badges work, they're validated very much like SSL TLS certificate. Tickets are. So instead of just claiming that you have this certification, you can actually share it in a way that's validated directly by Microsoft. And third, if nothing else, studying for these certs is a great excuse for making sure that you're current with modern Azure practices because all of these role based certifications, the skills in there are the fruit of job task analysis, or JTA. Is that Microsoft conducted with practitioners. So it's not just speaks to what we were talking about earlier, Barry, how is Asher actually used in the world not just some ivory tower theoretical thing? Barry Luijbregts  19:42  And what would you say to the argument that there might be a lot of people that cheat on these certifications as they download the answers from from the internet or pirate sites and just cheat and then they have the certification and can get into jobs relatively easily? Tim Warner  19:59  Yeah. The brain dump problem has been a problem since the very beginning. The words of the great William Shakespeare come to mind to thine own self be true, really, by using these short circuits. Ultimately you have to do the job, you'd either know how to do the job or you're not. And again, I think of Shakespeare, the truth will out, in my experience, people who rely upon the brain dumps as a way to short circuit certification and get into a job. Eventually, if they're out if they are actually weak in the skills, it's evident. And you know, what typically happens in that scenario? Not always, but I would say most of the time. Above all else, what I find most concerning about the brain dump situation is how normalized they seem to be to the point where many people I've observed. I don't I think that they genuinely don't understand that using these is a breach of the non disclosure agreement. You sign with Microsoft, there are people that believe that they're just these brain dumps, which are thefts of the actual intellectual property of the exams are just as legitimate as, say, a measure up practice tests. So I want to Yeah, educate to the point that no these brain dumps are actually stolen exam content. And by using them, you are in fact, violating your NDA with Microsoft and I have seen people permanently decertified from the program, if Microsoft learns that you've used them. So I would suggest strongly go with legitimate practice exam exam software. Barry Luijbregts  21:39  Oh, that's great. Actually, that that happens. I didn't know that Microsoft penalize people that found that out. Oh, yeah. That's great. Yeah. Because, you know, I know that a lot of people use these brain dumps and then that negates the value of the certifications. Tim Warner  21:57  Yeah, you know, I mean, I understand Your point because if somebody cheats to get in a position, and I don't get the position because of that person, I mean, there's I understand that grievance for sure. I just need to make sure that I'm doing the right thing, because the only person I have control over is myself. And I want to make sure I have a clean conscience as I go forward. Barry Luijbregts  22:20  So what is a good certification to get started with? Like, if you're going to get started in Azure as an infrastructure person or a developer? What would you start with? Tim Warner  22:31  Yeah, I get asked that question a lot. In fact, somebody sent me a DM on Twitter just last night saying, I'm a dotnet developer. And for whatever reason, he or she didn't say why, but they need to get certified. And my answer was, well, I don't know you. But top of my head, if you're a full time developer, the most closely aligned certification would be the Azure. So as your developer role, the library of these certifications is aligned to job roles. It used to be that there was just one One certification for all of Asher, which now is kind of laughable when you think about it. But now we've got this entire portfolio of certifications that aligned to roles. So if you are an infrastructure professional, there's the Azure administrator. There's one, there's a associate cert for security engineer. There's AI data platform, Microsoft 365. There's the introduction as your fundamentals, which is, I think, a great skill set. The what's neat about the Azure fundamentals or the az 900, is that it's not intended wholly for protect people. It's intended for even non technical people like sales or marketing people who may work for a company that's in the cloud, and they need to know the vocabulary, so don't discount as your fundamentals. Barry Luijbregts  23:53  Oh, right. I didn't know that. That was also a target audience. That's good to know. So how are we And prepare for one of these things. It's been ages since I've taken an exam. And when I did it, I used these very big Microsoft press books, exam prep things. I don't know, 500 pages or something. Yeah, I just crammed that way. How do people do it nowadays? Tim Warner  24:17  Those books, Microsoft press still makes the exam rafts, and those are good because they are aligned exactly to the exam objectives. But the the issue with any print book seems to me is that it's almost impossible to keep pace because as your changes so often, and Microsoft worldwide learning revisits the exams every two months, and revisits each certification program every year. So, in terms of prep, you're going to have to go with a more agile approach. Microsoft learn is an excellent place especially for Azure fundamentals. They have a learning path, it's totally free. That covers all of the objectives of course, At Pluralsight what's cool about the Pluralsight Microsoft partnership is that you don't even have to be a Pluralsight subscriber, a paying subscriber to take advantage of a whole bunch of courses Barry or any of your Azure courses in the free partnership. Do you know? Barry Luijbregts  25:16  Yes, a couple of them. I'm not sure which one I think the as your what to use when is one? Oh, yeah. Tim Warner  25:24  Yeah, I mean, a lot of this, like we were talking about earlier depends upon what your preferred learning style is. If you're more of a book reader, instead of looking for a print book, I would suggest you go certainly to the Azure docs but also Microsoft learn, because there you're going to get the most current readable material on Azure computer based training. Obviously, there's Pluralsight. And there's other computer based vendors that I personally like a lot. I like Linux Academy and cloud Academy behind that. Let me see experientially hands on is definitely important. What's Cool about Microsoft learn as well as that they have a whole bunch of hands on labs that give you free access to the Azure portal and Microsoft subscription. So you can do development administrator data, work, whatever, all without using any of your own money or subscription credits. Pluralsight also eventually will have cloud labs for both Azure and AWS. They're currently under development now. Oh, sorry, beget Barry. Last part. There's the theory. There's the hands on but then don't forget about practice exams. Like you said, Barry, especially people who have never taken a Microsoft exam before it's been years. I've seen students get blindsided because they're coming in with lots of knowledge, lots of practical experience, but because they're not accustomed to going through case studies, and different types of interactive items where you're using your mouse. This is the real value of the practice exam to give you confidence and how many Microsoft will evaluate your knowledge. Barry Luijbregts  27:03   So are these Practice Exams exactly what the exam are like?. Tim Warner  27:11  In the case of measure up, it's pretty close measure up is Microsoft's official practice test provider. And those Practice Exams are very similar in length, content and format to the live exam. Of course, you can't use Word for word, but it's pretty close. Then up besides measure up the other company I personally recommend is called whiz labs. And their practice exams are close in content, but not really for format. They don't have all of the different item types that measure up does. And that's kind of a weakness maybe with labs will evolve that over time, but either of those companies in my experience will do a good job of getting you into the frame of mind to clear the live exam when you're ready to take it. Barry Luijbregts  27:57  Alright, that's good. So Becca I took the exams and by the way, I don't take any of these exams currently because it just doesn't fit with my business model anymore as I don't need them at the moment. Yeah, but back when I did it, I needed to go physically to an office of fingers Pearson VUE and then sit behind a computer which was monitored and with cameras and everything should it could make sure that I didn't cheat and then take the exam. Is that still the case? Or can people do it differently especially in these times? Tim Warner  28:33  Pearson VUE is still Microsoft's exam provider. Until the COVID pandemic. Yes, the Pearson VUE testing centers were the way to go. I'm not sure. I guess it depends where you are in on Earth, whether Pearson VUE have begun opening their doors, but I'm really grateful to report that the online testing has evolved to be a really great solution over the last few months since this pandemic Started, I've taken probably a dozen Azure exams using the Pearson VUE online testing format. And it's so good and so reliable and so resilient that I don't plan ever again to go to a testing center. It's so convenient to be able to take these exams from your home or office. Barry Luijbregts  29:19  And then how do they check the cheating, Tim Warner  29:21  the Pearson VUE testing software runs on Windows and Mac, it's called on view. And it's a secure application that has to be the only foreground app running on your system. So the app itself is really resilient and has a lot of security built into it directly. For example, I've used the Pearson VUE software to test on both Mac OS and Windows and it on my Mac, it wouldn't let me go into the exam until I stopped a background process I was using a keyboard shortcut utility. So it does this system this check of all the processes that are running On your system to make sure that only it and the bare OS processes are alive, really impressive. The other aspects of exam security are that you have to be on a computer that's equipped with a webcam I find and I suggest you use a laptop. And a microphone has to be enabled on the webcam as well because that's how you interact with a live Proctor. The live Proctor comes over your speakers. And one time the proctor asked me to swivel my laptop 360 degrees so he could see my room. You do take as part of the preliminary check. You use your cell phone to take pictures of your work environment. You take four pictures, one facing your computer one away, one to the left and one to the right. You have to take a picture of yourself. You take a picture of your ID front and back. So it's pretty nice. It doesn't take that long. To do the check period, I would estimate takes about five minutes total. And if you're in a room that's already pretty distraction free that is, I like to do it almost in a closet, take my laptop into a small closet. You can do it on your office desk, but you want to turn off any additional monitors besides your primary, and you'll want to make sure that your desk is cleared of everything except your keyboard and your mouse. Like I said, the proctor will come online and ask for clarification if there's any situation. So, and then lastly, I'll say that the exam experience is really resilient. I haven't had any crashes this year. A few years ago, when I used the Pearson VUE, I did have a crash during the exam session. But I was able to restart the application I got connected to another Proctor and they were able to bring back my session just like it was before so I don't know exactly what kind of checkpointing they put in but it's pretty good. Good. I've never heard of anybody losing an exam session yet. Fingers crossed. Barry Luijbregts  32:05  Wow. That's very impressive. That's that's come a long way since I've used it. Tim Warner  32:08  They really have. I give Pearson VUE, lots of props. They obviously put a lot of engineering effort into that on view client. It's great. Barry Luijbregts  32:19  All right, that's great. So we've discussed a lot of things that you can use to keep up with Azure and to learn as in there is blogs, there is Twitter, there is videos, there are also certifications that you can take that help you to keep up because then requires you to learn. And then you can also show that you actually know what you're talking about. And then as a final point, I sometimes also go to conferences and local meetups to keep up. And I believe that you're also a user group organizer, is that right? Tim Warner  32:52  That's right. I'm an organizer of the Nashville Microsoft Azure Users Group here in Nashville, Tennessee. Barry Luijbregts  33:00  So people can come to your user group as well to learn and keep up to date. Tim Warner  33:05  Yeah, exactly. It's I admire every single person who participates in a user group, because by definition, they're willing to learn. And that's always near and dear to me. I'm glad that we're closing on this human factor because it is crucial. I mean, as much as these online resources can be helpful, there's nothing like hearing about something from another human being, like you say, conference, a user group. And I would say to your listeners, if they're not already plugged into meetup calm that's, in my experience, the central place to look for Microsoft Azure user groups. And one nice thing I guess about this pandemic is that most user groups have converted to an online format, which means that you're not limited by geographic area. You can present or just participate at an Azure user group anywhere on Earth. Those are great opportunities for learning new stuff, not just from the presenter, but from other people who pipe in with their own experience. And these user groups are a great place to get hooked up with technical recruiters. Obviously, technical recruiters are going to be swarming around user groups to look for job candidates. It's really a win win situation. Barry Luijbregts  34:25  Yeah, absolutely. And I think the same now goes for conferences, as well as most conferences have moved online. Some are even free now. So you can just log on to them and just learn. Tim Warner  34:38  Isn't that something? It's amazing how the world is shifting as a result of the pandemic technical conferences. Look what Microsoft did with build recently. Barry Luijbregts  34:47  Oh, yeah, yeah, absolutely. Tim Warner  34:50  And my wife told me last night that AMC which is a major movie, movie theater chain here in the states is going To a rental model, where instead of going to a physical movie theater, you can stream movies from their website or from their app. I'm like, good for them for shifting. Barry Luijbregts  35:11  Really? That is amazing. Tim Warner  35:13  Isn't that something? Barry Luijbregts  35:15  Yeah, you know, some good came out of this. Yeah. So horrible thing, obviously. But, you know, some good came out of this as in companies need to transform their business models and set and they're doing it is incredible. Tim Warner  35:28  Yeah. And look at you in this podcast, you're transforming as well. Congratulations. Barry Luijbregts  35:35  Isn't it funny, you know, you just record something, put it out there and people can listen wherever they are. Tim Warner  35:40  Yeah, it is. It's wonderful. Barry Luijbregts  35:42  All right. So what are you working on currently and what can we expect from you next? Tim Warner  35:49  Okay, um, let me see. I've got four courses in the Azure Pluralsight partnership right now that I'm updating. Yeah, we're on the it seems like once we finish a six month review cycle, it's time for the next one. But you know, it's a good thing. I'm happy. So I've finished patching a bunch of courses. I don't even remember what they were on. It's kind of a blur. But that that's been my full time stuff. And I've been enjoying posting to my YouTube channel. You mentioned my YouTube channel, I've been posting these little nugget videos about 10 minutes each covering each objective from the Azure fundamentals, az 900 blueprint that's been a lot of fun. That skill sets a lot of fun to talk about and to teach. And it's gotten good reception from people Barry Luijbregts  36:34  That is great content. We will link to that in the show notes. Great, and to all the other things as well that we talked about today. Thank you very much, Tim, for being on, and we'll see you next week.

Today we talk about AWS Route 53, AWS Certificate Manager, $ Amazon CloudFront. We talk about how these service work together. We talk about Domain registration, Requesting a public SSL/TLS cert and then deploy that cert using CloudFront distributions. Stay updated by subscribing to our podcast at www.CloudSeshapp.com

+ Atacan al Departamento de Salud de los Estados Unidos para alentar su funcionamiento + Los efectos del coronavirus en el mundo digital + Coronavirus, es un virus humano pero también digital… el spam relacionado con este tema se multiplica abismalmente + Safari ya no admitirá certificados SSL/TLS de más de 1 año

This week, we welcome Dan Petit, to discuss his upcoming 2-day workshop at InfoSec World 2020! The workshop is a "deep survey" into all things DevSecOps. In the Application Security News, CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple s Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020!   Show Notes: https://wiki.securityweekly.com/ASWEpisode98 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Dan Petit, to discuss his upcoming 2-day workshop at InfoSec World 2020! The workshop is a "deep survey" into all things DevSecOps. In the Application Security News, CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple s Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020!   Show Notes: https://wiki.securityweekly.com/ASWEpisode98 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol. IMP4GT: IMPersonation Attacks in 4G NeTworks demonstrates a proven insecurity on a layer above provably secure protocol, Boeing implementing more rigorous testing of Starliner after software problems shows how problems in cloud computing will be just the same in star systems, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple’s Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode98

CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol. IMP4GT: IMPersonation Attacks in 4G NeTworks demonstrates a proven insecurity on a layer above provably secure protocol, Boeing implementing more rigorous testing of Starliner after software problems shows how problems in cloud computing will be just the same in star systems, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple’s Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode98

Your hosts are joined again by Ryan Lucas (@ryron01) who is filling in for Peter as we recap the week in cloud. A big thanks to this week's sponsors: Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. Blue Medora, which offers pioneering IT monitoring integration as a service to address today's IT challenges by easily connecting system health and performance data —  no matter its source — with the world's leading monitoring and analytics platforms.  This week's highlights It's earnings season as the top dogs show their growth. Azure gets back in the headlines with a bold but contested study. Google fulfills an old TCP prediction with reports of a unified service. Certificates of Doom Update Amazon has given customers an extension until March 5, 2020 to rotate their SSL/TLS certificates. Previously, rebooting or manually changing a relational database service (RDS) instance would automatically switch to the new certificate authority, even if the customer didn't have th

스탠다드아웃 67번째 로그에서는 RDS 인증서 업데이트, 파이썬 2.7 지원 종료, TIOBE 프로그래밍 언어 순위, 스톡옵션 등에 대해 이야기를 나눴습니다. 참가자: @nacyo_t, @raccoonyy, @seapy 정기 후원 - stdout.fm are creating 프로그래머들의 팟캐스트 | Patreon 주제별 바로 듣기 00:00:00 67번째 에피소드 시작 00:00:58 RDS 인증서 갱신 00:09:30 파이썬 2.7 지원 종료 00:16:00 TIOBE 프로그래밍 언어 순위 00:22:38 스톡옵션 아마존 RDS 인증서 교체 SSL/TLS 인증서 교체 - Amazon Relational Database Service 데이터 베이스 관리 시스템 | MySQL | Amazon Web Services AWS Certificate Manager - Amazon Web Services (AWS) 도메인 검증 작업 방법 - AWS Certificate Manager 파이썬 2.7 지원 종료 파이썬(Python) 2.7 공식 지원 종료 | 44bits.io 프로그래밍 언어 루비(Ruby) 2.7 릴리스 및 주요 변경 사항: 패턴 매칭 문법, REPL 개선, 위치 인자와 키워드 인자 분리, 번호 파라미터 등 | 44bits.io TIOBE 프로그래밍 언어 순위 index | TIOBE - The Software Quality Company Programming Languages Definition | TIOBE - The Software Quality Company C | TIOBE - The Software Quality Company The State of the Octoverse | The State of the Octoverse celebrates a year of building across teams, time zones, and millions of merged pull requests. Ruby | TIOBE - The Software Quality Company 스톡옵션 민주당 ‘7호 영입인재’ 이용우 카카오뱅크 대표, 누구? : 국회·정당 : 정치 : 뉴스 : 한겨레 Who Is ? - 이용우 카카오뱅크 공동대표이사 ‘분기 연속 흑자’ 카카오뱅크, 내년 증시 상장 순항 로켓펀치 - 비즈니스 네트워크 상법 - 제340조의2(주식매수선택권) 사내벤처로 시작해 ‘성공 신화’ 쓴 기업들 상법 - 제542조의3 (주식매수선택권) 조세특례제한법 - 제16조(중소기업창업투자조합 출자 등에 대한 소득공제), 2, 3 ,4

Show Highlights What is an SSL? “SSL” is short for Secure Sockets Layer and it allows you to send encrypted and secure data from the website visitor’s browser to the web server where your site is hosted. They have been around since 1995. It has a few iterations. Why do I need one? Security - You need to protect you visitors’ data, whether it is collecting emails or account information or even credit card into. Credibility - It never helps anyone's site to have the browser complain that it is not secure. People may think that your site is malicious. An SSL builds trust with your customers and makes it a lot harder for someone to impersonate your site to steal information or clients. SEO - You will rank higher on search engines. Google is now rewarding HTTPS served websites with higher rankings than HTTP served websites. In October 2017, Google rolled out even more aggressive notifications. Starting with Chrome 62 (released October 17, 2017), Google added the Not secure warning. How can I tell if a site is secure? You see the little green lock. Where do I get one? Many hosting companies make it easy to install a free SSL/TLS certificate via a service called Let’s Encrypt. Let’s Encrypt offers free unlimited SSL/TLS certificates. Here is a link of hosting companies that support Let’s Encrypt. https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920 You can also purchase them from 3rd party vendors. First you should decide what type of SSL you need and what warranty coverage best suits your business. Types of SSL Extended Validation Certificates (EV SSL) The highest-ranking and most expensive SSL certificate type is an Extended Validation Certificate. This type of SSL certificate, when installed, displays the padlock, HTTPS, name of the business, and the country on the browser address bar. Organization Validated Certificates (OV SSL) The Organization Validation SSL certificate’s primary purpose is to encrypt the user’s sensitive information during transactions. This version of SSL certificate has a high assurance similar to the EV SSL certificate, which is used to validate a business’ creditably. Domain Validated Certificates (DV SSL) Domain Validation SSL Certificate has a low assurance and minimal encryption, typically for blogs or informational websites.  Let’s Encryp provides a Domain Validation SSL Certificate. Wildcard SSL Certificates Wildcard SSL certificates are used to secure a base domain and unlimited subdomains. Purchasing a wildcard SSL certificate is cheaper than purchasing several single-domain SSL certificates Multi-Domain SSL Certificates Multi-Domain certificates can secure up to 100 different domain names and subdomains using a single certificate which helps save time and money Here are a couple of sites that list a number of SSL Certificate Providers, what types of SSL Certificates they provide, their warranties and yearly cost. https://digital.com/ssl-certificates/ https://www.buildthis.io/buy-ssl-certificate/ Is that all? You may need a plugin to make it all work, I recommend Really Simple SSL. Add the HTTPS version of your site in Google Webmaster tools and any other tracking scripts you are using. Set up a redirect on your site so that anytime someone tries to access the http:// link, they will be redirected automatically to the new one.

Dé derde episode van de True podcast!⚡ - Hosts: Kilian Drewel (Content Marketeer bij True), Daniël Koopmans (Innovation Engineer bij True) - Gast: Jona Koudijs (Infrastructure Engineer bij True) In deze episode bespreken we: - De Kubernetes Community Days - De nieuwe naam van de podcast onthuld! By the way, the list of SSL/TLS certificates issued to you (including subdomains) is public! blog.usejournal.com/by-the-way-the-…ic-5537ef1f11f5 - Ruim 30% van encrypted websites draait op Let’s Encrypt. www.reddit.com/r/netsec/comments…almost_30_of_web/ - Een nieuwe Service Mesh voor Kubernetes blog.containo.us/announcing-maesh…eam-cb866edc6f29 AWS Data Outage www.bleepingcomputer.com/news/technol…always-safe/ Ansible Collections netapp.io/2019/09/17/itss-all-…ing-together-nicely/ Heb je feedback vragen of tips voor een volgende episode? Laat het ons weten via de comments of stuur een mail naar podcast@true.nl.

Joshua Davies, author of Implementing SSL / TLS Using Cryptography and PKI discussed SSL/TLS, public-key infrastructure, certificate authorities, and vulnerabilities in the security infrastructure.  Robert Blumen spoke with Davies about the history of SSL/TLS; TLS 1.3; symmetric and asymmetric cryptography; the TLS handshake; the Diffie-Helman key exchange; the HTTPS protocol; verification of domain ownership; man-in-the-middle […]

This is a brief introduction to cryptography and encryption. I cover the concepts that allow us to achieve confidentiality, data integrity and authentication. This episode is intended to be background for future episodes on blockchain and various IT security technologies (VPN, SSL/TLS, etc). Notes for FSP0018 - Cryptography and Encryption

Welcome to the History of Computing Podcast, where we explore the history of information technology. Because understanding the past prepares us for the innovations of the future! Todays episode is scraping the surface of cryptography. Cryptography is derived from the Greek words kryptos, which stands for hidden and grafein, which stands for to write. Through history, cryptography has meant the process of concealing the contents of a message from all except those who know the key. Dating back to 1900 BC in Egypt and Julius Caesar using substitution cyphers, encryption used similar techniques for thousands of years, until a little before World War II. Vigenere designed the first known cipher thatused an encryption key in the 16th century. Since then with most encryption, you convert the contents, known as plaintext, into encrypted information that's otherwise unintelligible, known as cipher text. The cypher is a pair of algorithms - one to encrypt, the other to decrypt. Those processes are done by use of a key. Encryption has been used throughout the ages to hide messages. Thomas Jefferson built a wheel cypher. The order of the disks you put in the wheel was the key and you would provide a message, line the wheels up and it would convert the message into cypher text. You would tell the key to the person on the other end, they would put in the cypher text and out would pop the message. That was 1795 era encryption and is synonymous with what we call symmetrical key cryptography, which was independently invented by Etienne Bazeries and used well into the 1900s by the US Army. The Hebern rotor machine in the 19th century gave us an electro-mechanical version of the wheel cypher and then everything changed in encryption with the introduction of the Enigma Machine, which used different rotors placed into a machine and turned at different speeds based on the settings of those rotors. The innovations that came out of breaking that code and hiding the messages being sent by the Allies kickstarted the modern age of encryption. Most cryptographic techniques rely heavily on the exchange of cryptographic keys. Symmetric-key cryptography refers to encryption methods where both senders and receivers of data share the same key and data is encrypted and decrypted with algorithms based on those keys. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied. Block ciphers take a block of plaintext and a key, then output a block of ciphertext of the same size. DES and AES are block ciphers. AES, also called Rijndael, is a designated cryptographic standard by the US government. AES usually uses a key size of 128, 192 or 256 bits. DES is no longer an approved method of encryption triple-DES, its variant, remains popular. Triple-DES uses three 56-bit DES keys and is used across a wide range of applications from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality. Stream ciphers create an arbitrarily long stream of key material, which is combined with a plaintext bit by bit or character by character, somewhat like the one-time pad encryption technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state's change is controlled by the key, and, in some stream ciphers, by the plaintext stream as well. RC4 is an example of a well-known stream cipher. Cryptographic hash functions do not use keys but take data and output a short, fixed length hash in a one-way function. For good hashing algorithms, collisions (two plaintexts which produce the same hash) are extremely difficult to find, although they do happen. Symmetric-key cryptosystems typically use the same key for encryption and decryption. A disadvantage of symmetric ciphers is that a complicated key management system is necessary to use them securely. Each distinct pair of communicating parties must share a different key. The number of keys required increases with the number of network members. This requires very complex key management schemes in large networks. It is also difficult to establish a secret key exchange between two communicating parties when a secure channel doesn't already exist between them. You can think of modern cryptography in computers as beginning with DES, or the Data Encryption Standard, us a 56-bit symmetric-key algorithm developed by IBM and published in 1975, with some tweaks here and there from the US National Security Agency. In 1977, Whitfield Diffie and Martin Hellman claimed they could build a machine for $20 million dollars that could find a DES key in one day. As computers get faster, the price goes down as does the time to crack the key. Diffie and Hellman are considered the inventors of public-key cryptography, or asymmetric key cryptography, which they proposed in 1976. With public key encryption, two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. The next year, Ron Rivest, Adi Shamir and Leonard Adleman developed the RSA encryption algorithm at MIT and founded RSA Data Security a few years later in 1982. Later, it became publicly known that asymmetric cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization and that both the Diffie-Hellman and RSA algorithms had been previously developed in 1970 and were initially called “non-secret encryption.” Apparently Ellis got the idea reading a bell labs paper about encrypting voice communication from World War II. Just to connect some dots here, Alan Turing, who broke the Enigma encryption, visited the proposed author of that paper, Shannon, in 1943. This shouldn't take anything away from Shannon, who was a brilliant mathematical genius in his own right, and got to see Gödel, Einstein, and others at Princeton. Random note: he invented wearables to help people cheat at roulette. Computer nerds have been trying leverage their mad skills to cheat at gambling for a long time. By the way, he also tried to cheat at, er, I mean, program chess very early on, noting that 10 to the 120th power was the game-tree complexity of chess and wrote a paper on it. Of course someone who does those things as a hobby would be widely recognized as the father of informational theory. RSA grew throughout the 80s and 90s and in 1995, they spun off a company called VeriSign, who handled patent agreements for the RSA technology until the patents wore out, er, I mean expired. RSA Security was acquired by EMC Corporation in 2006 for $2.1 billion and was a division of EMC until EMC was acquired by Dell in 2016. They also served as a CA - that business unit was sold in 2010 to Symantec for $1.28B. RSA has made a number of acquisitions and spun other businesses off over the years, helping them get into more biometric encryption options and other businesses. Over time the 56 bit key size of DES was too small and it was followed up by Triple-DES in 1998. And Advanced Encryption Standard, or AES, also in 1998. Diffie-Hellman and RSA, in addition to being the first public examples of high quality public-key cryptosystems have been amongst the most widely used. In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is somewhat like an ordinary signature; they have the characteristic that they are easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed as they cannot be moved from one document to another as any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and to many network security schemes (SSL/TLS, many VPNs, etc). Digital signatures provide users with the ability to verify the integrity of the message, thus allowing for non-repudiation of the communication. Public-key algorithms are most often based on the computational complexity of hard problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly hybrid systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed. OpenSSL is a software library that most applications use to access the various encryption mechanisms supported by the operating systems. OpenSSL supports Diffie-Hellman and various versions of RSA, MD5, AES, Base, sha, DES, cast and rc. OpenSSL allows you to create ciphers, decrypt information and set the various parameters required to encrypt and decrypt data. There are so many of these algorithms because people break them and then a new person has to come along and invent one and then version it, then add more bits to it, etc. At this point, I personally assume that all encryption systems can be broken. This might mean that the system is broken while encrypting, or the algorithm itself is broken once encrypted. A great example would be an accidental programming mistake allowing a password to be put into the password hint rather than in the password. Most flaws aren't as simple as that. Although Kerckhoffs's principle teaches us that the secrecy of your message should depend on the secrecy of the key, and not on the secrecy of the system used to encrypt the message. Some flaws are with the algorithms themselves, though. At this point most of those are public and security without a password or private key they just take too long to decrypt to be worth anything once decrypted. This doesn't mean we don't encrypt things, it just means that in addition to encryption we now add another factor to that security. But we'll leave the history of two-factor security to another episode. Finally, RSA made a lot of money because they used ciphers that were publicly reviewed and established as a standard. Public review of various technological innovations allows for commentary and making it better. Today, you can trust most encryption systems because due to that process, it costs more to decrypt what you're sending over the wire than what is being sent is worth. In other words, collaboration trumps secrecy.

Robyn Weisman has released her first Take Control book, Take Control of Your Browser, to help us get the most out of one of the most-used applications on your devices, no matter which one you prefer. In her first time on MacVoices, Robyn explains why she wanted to author this book, discusses what browsers she uses, and then digs in to some specific topics. Bookmarks, tabs, extensions are all options that you may not be using to their fullest. Robyn will help you surf faster, better, and more efficiently. This edition of MacVoices is supported by Linode, high performance cloud hosting and virtual servers for everyone. To take $20 off your first order, visit Linode.com/macvoices. Show Notes: Chuck Joiner is the producer and host of MacVoices. You can catch up with what he's doing on Twitter, Facebook, Google+ and LinkedIn. Subscribe to the show: iTunes: - Audio in iTunes - Video in iTunes - HD Video in iTunes Subscribe manually via iTunes or any podcatcher: - Audio: http://www.macvoices.com/rss/macvoicesrss  - Video: http://www.macvoices.com/rss/macvoicesvideorss Donate to MacVoices via Paypal or become a MacVoices Patron. Guests: Robyn Weisman is a longtime technology writer, mostly focused on the enterprise IT space. A second-generation Los Angeles native and current resident, Robyn earned a BA in American Studies from Stanford University and then an MFA in Screenwriting from USC. She fell into technology writing as a way to support herself after graduating from film school and discovered that it was something she liked doing for its own sake. After covering the commerce angle as a reporter for several years, she turned her focus to the enterprise IT side of the industry. Her move to content copywriting happened organically, after receiving several inquiries from companies she had covered over the years. After working as a freelance copywriter for general IT and cybersecurity companies, Robyn is now senior content writer at Venafi, a cybersecurity company focused on managing and protecting machine identities such as SSL/TLS certificates and SSH keys. When Robyn isn't working, you can find her hiking local canyons, driving her 1964 Ford Falcon Squire station wagon around town or obsessing about the L.A. Dodgers. She is also the earliest known photobomber, according to several sources. You can reach Robyn via Twitter or via email. Links: OneTab for Google Chrome

Robyn Weisman has released her first Take Control book, Take Control of Your Browser, to help us get the most out of one of the most-used applications on your devices, no matter which one you prefer. In her first time on MacVoices, Robyn explains why she wanted to author this book, discusses what browsers she uses, and then digs in to some specific topics. Bookmarks, tabs, extensions are all options that you may not be using to their fullest. Robyn will help you surf faster, better, and more efficiently. This edition of MacVoices is supported by Linode, high performance cloud hosting and virtual servers for everyone. To take $20 off your first order, visit Linode.com/macvoices. Show Notes: Chuck Joiner is the producer and host of MacVoices. You can catch up with what he's doing on Twitter, Facebook, Google+ and LinkedIn. Subscribe to the show: iTunes: - Audio in iTunes - Video in iTunes - HD Video in iTunes Subscribe manually via iTunes or any podcatcher: - Audio: http://www.macvoices.com/rss/macvoicesrss  - Video: http://www.macvoices.com/rss/macvoicesvideorss Donate to MacVoices via Paypal or become a MacVoices Patron. Guests: Robyn Weisman is a longtime technology writer, mostly focused on the enterprise IT space. A second-generation Los Angeles native and current resident, Robyn earned a BA in American Studies from Stanford University and then an MFA in Screenwriting from USC. She fell into technology writing as a way to support herself after graduating from film school and discovered that it was something she liked doing for its own sake. After covering the commerce angle as a reporter for several years, she turned her focus to the enterprise IT side of the industry. Her move to content copywriting happened organically, after receiving several inquiries from companies she had covered over the years. After working as a freelance copywriter for general IT and cybersecurity companies, Robyn is now senior content writer at Venafi, a cybersecurity company focused on managing and protecting machine identities such as SSL/TLS certificates and SSH keys. When Robyn isn't working, you can find her hiking local canyons, driving her 1964 Ford Falcon Squire station wagon around town or obsessing about the L.A. Dodgers. She is also the earliest known photobomber, according to several sources. You can reach Robyn via Twitter or via email. Links: OneTab for Google Chrome

The Open Source midlife crisis, Donald Knuth The Yoda of Silicon Valley, Certbot For OpenBSD's httpd, how to upgrade FreeBSD from 11 to 12, level up your nmap game, NetBSD desktop, and more. ##Headlines Open Source Confronts its midlife crisis Midlife is tough: the idealism of youth has faded, as has inevitably some of its fitness and vigor. At the same time, the responsibilities of adulthood have grown. Making things more challenging, while you are navigating the turbulence of teenagers, your own parents are likely entering life’s twilight, needing help in new ways from their adult children. By midlife, in addition to the singular joys of life, you have also likely experienced its terrible sorrows: death, heartbreak, betrayal. Taken together, the fading of youth, the growth in responsibility and the endurance of misfortune can lead to cynicism or (worse) drastic and poorly thought-out choices. Add in a little fear of mortality and some existential dread, and you have the stuff of which midlife crises are made… I raise this not because of my own adventures at midlife, but because it is clear to me that open source — now several decades old and fully adult — is going through its own midlife crisis. This has long been in the making: for years, I (and others) have been critical of service providers’ parasitic relationship with open source, as cloud service providers turn open source software into a service offering without giving back to the communities upon which they implicitly depend. At the same time, open source has been (rightfully) entirely unsympathetic to the proprietary software models that have been burned to the ground — but also seemingly oblivious as to the larger economic waves that have buoyed them. So it seemed like only a matter of time before the companies built around open source software would have to confront their own crisis of confidence: open source business models are really tough, selling software-as-a-service is one of the most natural of them, the cloud service providers are really good at it — and their commercial appetites seem boundless. And, like a new cherry red two-seater sports car next to a minivan in a suburban driveway, some open source companies are dealing with this crisis exceptionally poorly: they are trying to restrict the way that their open source software can be used. These companies want it both ways: they want the advantages of open source — the community, the positivity, the energy, the adoption, the downloads — but they also want to enjoy the fruits of proprietary software companies in software lock-in and its monopolistic rents. If this were entirely transparent (that is, if some bits were merely being made explicitly proprietary), it would be fine: we could accept these companies as essentially proprietary software companies, albeit with an open source loss-leader. But instead, these companies are trying to license their way into this self-contradictory world: continuing to claim to be entirely open source, but perverting the license under which portions of that source are available. Most gallingly, they are doing this by hijacking open source nomenclature. Of these, the laughably named commons clause is the worst offender (it is plainly designed to be confused with the purely virtuous creative commons), but others (including CockroachDB’s Community License, MongoDB’s Server Side Public License, and Confluent’s Community License) are little better. And in particular, as it apparently needs to be said: no, “community” is not the opposite of “open source” — please stop sullying its good name by attaching it to licenses that are deliberately not open source! But even if they were more aptly named (e.g. “the restricted clause” or “the controlled use license” or — perhaps most honest of all — “the please-don’t-put-me-out-of-business-during-the-next-reInvent-keynote clause”), these licenses suffer from a serious problem: they are almost certainly asserting rights that the copyright holder doesn’t in fact have. If I sell you a book that I wrote, I can restrict your right to read it aloud for an audience, or sell a translation, or write a sequel; these restrictions are rights afforded the copyright holder. I cannot, however, tell you that you can’t put the book on the same bookshelf as that of my rival, or that you can’t read the book while flying a particular airline I dislike, or that you aren’t allowed to read the book and also work for a company that competes with mine. (Lest you think that last example absurd, that’s almost verbatim the language in the new Confluent Community (sic) License.) I personally think that none of these licenses would withstand a court challenge, but I also don’t think it will come to that: because the vendors behind these licenses will surely fear that they wouldn’t survive litigation, they will deliberately avoid inviting such challenges. In some ways, this netherworld is even worse, as the license becomes a vessel for unverifiable fear of arbitrary liability. let me put this to you as directly as possible: cloud services providers are emphatically not going to license your proprietary software. I mean, you knew that, right? The whole premise with your proprietary license is that you are finding that there is no way to compete with the operational dominance of the cloud services providers; did you really believe that those same dominant cloud services providers can’t simply reimplement your LDAP integration or whatever? The cloud services providers are currently reproprietarizing all of computing — they are making their own CPUs for crying out loud! — reimplementing the bits of your software that they need in the name of the service that their customers want (and will pay for!) won’t even move the needle in terms of their effort. Worse than all of this (and the reason why this madness needs to stop): licenses that are vague with respect to permitted use are corporate toxin. Any company that has been through an acquisition can speak of the peril of the due diligence license audit: the acquiring entity is almost always deep pocketed and (not unrelatedly) risk averse; the last thing that any company wants is for a deal to go sideways because of concern over unbounded liability to some third-party knuckle-head. So companies that engage in license tomfoolery are doing worse than merely not solving their own problem: they are potentially poisoning the wellspring of their own community. in the end, open source will survive its midlife questioning just as people in midlife get through theirs: by returning to its core values and by finding rejuvenation in its communities. Indeed, we can all find solace in the fact that while life is finite, our values and our communities survive us — and that our engagement with them is our most important legacy. See the article for the rest ###Donald Knuth - The Yoda of Silicon Valley For half a century, the Stanford computer scientist Donald Knuth, who bears a slight resemblance to Yoda — albeit standing 6-foot-4 and wearing glasses — has reigned as the spirit-guide of the algorithmic realm. He is the author of “The Art of Computer Programming,” a continuing four-volume opus that is his life’s work. The first volume debuted in 1968, and the collected volumes (sold as a boxed set for about $250) were included by American Scientist in 2013 on its list of books that shaped the last century of science — alongside a special edition of “The Autobiography of Charles Darwin,” Tom Wolfe’s “The Right Stuff,” Rachel Carson’s “Silent Spring” and monographs by Albert Einstein, John von Neumann and Richard Feynman. With more than one million copies in print, “The Art of Computer Programming” is the Bible of its field. “Like an actual bible, it is long and comprehensive; no other book is as comprehensive,” said Peter Norvig, a director of research at Google. After 652 pages, volume one closes with a blurb on the back cover from Bill Gates: “You should definitely send me a résumé if you can read the whole thing.” The volume opens with an excerpt from “McCall’s Cookbook”: Here is your book, the one your thousands of letters have asked us to publish. It has taken us years to do, checking and rechecking countless recipes to bring you only the best, only the interesting, only the perfect. Inside are algorithms, the recipes that feed the digital age — although, as Dr. Knuth likes to point out, algorithms can also be found on Babylonian tablets from 3,800 years ago. He is an esteemed algorithmist; his name is attached to some of the field’s most important specimens, such as the Knuth-Morris-Pratt string-searching algorithm. Devised in 1970, it finds all occurrences of a given word or pattern of letters in a text — for instance, when you hit Command+F to search for a keyword in a document. Now 80, Dr. Knuth usually dresses like the youthful geek he was when he embarked on this odyssey: long-sleeved T-shirt under a short-sleeved T-shirt, with jeans, at least at this time of year. In those early days, he worked close to the machine, writing “in the raw,” tinkering with the zeros and ones. See the article for the rest ##News Roundup Let’s Encrypt: Certbot For OpenBSD’s httpd Intro Let’s Encrypt is “a free, automated, and open Certificate Authority”. Certbot is “an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server”, well known as “the official Let’s Encrypt client”. I remember well how excited I felt when I read Let’s Encrypt’s “Our First Certificate Is Now Live” in 2015. How wonderful the goal of them is; it’s to “give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free” “to create a more secure and privacy-respecting Web”! Since this year, they have begun to support even ACME v2 and Wildcard Certificate! Well, in OpenBSD as well as other operating systems, it’s easy and comfortable to have their big help 😊 Environment OS: OpenBSD 6.4 amd64 Web Server: OpenBSD’s httpd Certification: Let’s Encrypt with Certbot 0.27 Reference: OpenBSD’s httpd ###FreeBSD 12 released: Here is how to upgrade FreeBSD 11 to 12 The FreeBSD project announces the availability of FreeBSD 12.0-RELEASE. It is the first release of the stable/12 branch. The new version comes with updated software and features for a wild variety of architectures. The latest release provides performance improvements and better support for FreeBSD jails and more. One can benefit greatly using an upgraded version of FreeBSD. FreeBSD 12.0 supports amd64, i386, powerpc, powerpc64, powerpcspe, sparc64, armv6, armv7, and aarch64 architectures. One can run it on a standalone server or desktop system. Another option is to run it on Raspberry PI computer. FreeBSD 12 also runs on popular cloud service providers such as AWS EC2/Lightsail or Google compute VM. New features and highlights: OpenSSL version 1.1.1a (LTS) OpenSSH server 7.8p1 Unbound server 1.8.1 Clang and co 6.0.1 The FreeBSD installer supports EFI+GELI as an installation option VIMAGE FreeBSD kernel configuration option has been enabled by default. VIMAGE was the main reason I custom compiled FreeBSD for the last few years. No more custom compile for me. Graphics drivers for modern ATI/AMD and Intel graphics cards are now available in the FreeBSD ports collection ZFS has been updated to include new sysctl(s), vfs.zfs.arcminprefetchms and vfs.zfs.arcminprescientprefetchms, which improve performance of the zpool scrub subcommand The pf packet filter is now usable within a jail using vnet KDE updated to version 5.12.5 The NFS version 4.1 includes pNFS server support Perl 5.26.2 The default PAGER now defaults to less for most commands The dd utility has been updated to add the status=progress option to match GNU/Linux dd command to show progress bar while running dd FreeBSD now supports ext4 for read/write operation Python 2.7 much more ###Six Ways to Level Up Your nmap Game nmap is a network exploration tool and security / port scanner. If you’ve heard of it, and you’re like me, you’ve most likely used it like this: ie, you’ve pointed it at an IP address and observed the output which tells you the open ports on a host. I used nmap like this for years, but only recently grokked the manual to see what else it could do. Here’s a quick look and some of the more useful things I found out. Scan a Network Scan All Ports Get service versions Use -A for more data Find out what nmap is up to Script your own scans with NSE ###[NetBSD Desktop] Part 1: Manual NetBSD installation on GPT/UEFI NetBSD desktop pt.2: Set up wireless networking on NetBSD with wpasupplicant and dhcpcd Part 3: Simple stateful firewall with NPF Part 4: 4: The X Display Manager (XDM) Part 5: automounting with Berkeley am-utils ##Beastie Bits Call For Testing: ZFS on FreeBSD Project DragonFlyBSD 5.4.1 release within a week You Can’t Opt Out of the Patent System. That’s Why Patent Pandas Was Created! Announcing Yggdrasil Network v0.3 OpenBSD Network Engineer Job listing FreeBSD 12.0 Stable Version Released! LibreSSL 2.9.0 released Live stream test: Sgi Octane light bar repair / soldering! Configure a FreeBSD Email Server Using Postfix, Dovecot, MySQL, DAVICAL and SpamAssassin Berkeley smorgasbord FOSDEM BSD Devroom schedule ##Feedback/Questions Warren - Ep.273: OpenZFS on OS X cogoman - tarsnap security and using SSDs in raid Andrew - Portland BSD Pizza Night Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

関連リンク Google、日本への「Pixel」投入認める iPhone XS 組み込み技術者向けTLS1.3基礎解説（前編）：まずはSSL/TLSについて知ろう ルノー・日産・三菱連合がGoogleとパートナーして車載システムをAndroidベースに BLE Ver5.0対応のSoC、600mの通信距離を実現 パナソニック、電柱広告の共同実証実験を開始 通信で表示変える電柱広告、駐車場の満空情報を表示 米中貿易摩擦は｢第３ラウンド｣に突入へ 韓国大統領が米国へ出発　南北会談の結果説明へ ZOZO前澤氏がアポロ以来の月旅行を｢買い占めた｣真意 —— イーロン・マスクと肩車

Vi snakker om viktigheten av digitale sertifikater, også kalt SSL/TLS. Hva må du som bedriftseier gjøre for å sørge for tillit til dine kunder. Hva må du som forbruker være bevisst på? Hvordan kan du vite at du er på ekte nettsider, og ikke såkalte phisingsider (falske sider) Vi deler gode råd og forteller deg hvordan du kan ha en trygg digital hverdag.

Hello from the Internet In this we count down the OWASP TOP 10 and explore the implications of each of the issues that we should be looking at in securing our applications. Enjoy the show! ## Show Notes - [OWASP](https://www.owasp.org/index.php/Main_Page) - [OWASP TOP 10 for 2017](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) ### 10. Logs - Insufficient Logging and Monitoring - https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring - Graylog - https://www.graylog.org/ - Logstash (ELK) - https://www.elastic.co/elk-stack ### 09. Components - https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities - Safety - Python - https://pyup.io/safety/ - Ruby - http://guides.rubygems.org/security/ - Node - Node Security - https://github.com/nodesecurity/nsp ### 08. Deserialization - https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization ### 07. XSS - https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS) ### 06. Security Misconfiguration - https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration - How to harden a Linux server: - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf - https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5 - https://www.cyberciti.biz/tips/linux-security.html ### 05. Broken Access Control - https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control - Firesheep - https://codebutler.com/projects/firesheep/ ### 04. XML External Entities - https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE) - Billion Laughs Attack - https://en.wikipedia.org/wiki/Billion_laughs_attack ### 03. Sensitive Data Exposure - https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure - PCI DSS - https://www.pcisecuritystandards.org/pci_security/ - GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - Password Hashing - https://crackstation.net/hashing-security.htm - Best practice for SSL + TLS - https://www.ssllabs.com/ssltest/ - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - Let's Encrypt - https://letsencrypt.org/ - CipherList - Strong config for Apache / Nginx https://cipherli.st/ ### 02. Broken Authentication - https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication - Horse staple - https://xkcd.com/936/ - NIST - https://www.passwordping.com/surprising-new-password-guidelines-nist/ - Rainbow tables - http://project-rainbowcrack.com/table.htm - Google 2FA - Authy - https://authy.com/ - Duo - https://duo.com/ ### 01. Injection - https://www.owasp.org/index.php/Top_10-2017_A1-Injection - Bobby Tables - https://xkcd.com/327/ - Misc - Nessus - https://www.tenable.com/products/nessus/nessus-professional - OpenVas - http://www.openvas.org/ - ZED Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project - zxcvbn: realistic password strength estimation - https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/ - Be afraid, be very afraid - https://attack.mitre.org/wiki/Main_Page

Komerční sdělení: Dalším hostem našich videorozhovorů je Jindřich Zechmeister, který řídí internetový obchod s digitálními certifikáty SSLmarket.cz, největšího českého distributora SSL/TLS certifikátů. Bavili jsme se o zabezpečení webu, jeho současnosti a budoucnosti. I pokud vám není problematika zabezpečení webu blízká, tak díky rozhovoru se dozvíte to nejpodstatnější. SSL/TLS certifikáty využíváme od 90. let dvacátého století a chráníme s nimi spojení prohlížeče a serveru před odposlechem. Spolu s internetem prochází rovněž certifikáty evolucí a míra jejich využití se za posledních několik let dramaticky zvýšila. Před dvěma lety byl dokončen protokol HTTP/2, který umožňuje prohlížení webových stránek. V nové verzi HTTP protokolu je šifrování pomocí TLS certifikátů již nutností. Certifikáty se tak staly z původně luxusního statku něčím, co musí mít každý web a o čem se už nerozhodujeme, zdali to máme či nemáme mít. Informace o fungování certifikátů nejsou jediné téma, které jsme ve videu probírali. Jelikož jsme server zaměřený na podnikání, tak se samozřejmě také dozvíte, jak tento úzce zaměřený byznys ve společnosti ZONER Software vznikl, jak se postupem let proměnil a jak se bude vyvíjet do budoucna. Řeč přišla i na to, jak certifikáty nasadit, jak je to náročné a jaké problémy řeší se zákazníky nejčastěji. Zeptám se i na to, jak se Zoneru daří prodávat digitální certifikáty běžným laikům, kteří se dříve s šifrováním nesetkali a nejsou IT technici. A nakonec zamyšlení – kvituje Zoner snahu Google a Chrome všude prosazovat HTTPS, jak byste zřejmě čekali, nebo je to složitější otázka? rostecky.cz www.rostecky.cz Veškerá doporučení, informace, data, služby, reklamy nebo jakékoliv jiné sdělení zveřejněné na našich stránkách je pouze nezávazného charakteru a nejedná se o odborné rady nebo doporučení z naší strany. Podrobnosti na odkazu https://mladypodnikatel.cz/upozorneni.

Komerční sdělení: Dalším hostem našich videorozhovorů je Jindřich Zechmeister, který řídí internetový obchod s digitálními certifikáty SSLmarket.cz, největšího českého distributora SSL/TLS certifikátů. Bavili jsme se o zabezpečení webu, jeho současnosti a budoucnosti. I pokud vám není problematika zabezpečení webu blízká, tak díky rozhovoru se dozvíte to nejpodstatnější. SSL/TLS certifikáty využíváme od 90. let dvacátého století a chráníme s nimi spojení prohlížeče a serveru před odposlechem. Spolu s internetem prochází rovněž certifikáty evolucí a míra jejich využití se za posledních několik let dramaticky zvýšila. Před dvěma lety byl dokončen protokol HTTP/2, který umožňuje prohlížení webových stránek. V nové verzi HTTP protokolu je šifrování pomocí TLS certifikátů již nutností. Certifikáty se tak staly z původně luxusního statku něčím, co musí mít každý web a o čem se už nerozhodujeme, zdali to máme či nemáme mít. Informace o fungování certifikátů nejsou jediné téma, které jsme ve videu probírali. Jelikož jsme server zaměřený na podnikání, tak se samozřejmě také dozvíte, jak tento úzce zaměřený byznys ve společnosti ZONER Software vznikl, jak se postupem let proměnil a jak se bude vyvíjet do budoucna. Řeč přišla i na to, jak certifikáty nasadit, jak je to náročné a jaké problémy řeší se zákazníky nejčastěji. Zeptám se i na to, jak se Zoneru daří prodávat digitální certifikáty běžným laikům, kteří se dříve s šifrováním nesetkali a nejsou IT technici. A nakonec zamyšlení – kvituje Zoner snahu Google a Chrome všude prosazovat HTTPS, jak byste zřejmě čekali, nebo je to složitější otázka? www.mladypodnikatel.cz www.rostecky.cz

Originally released Feb 24, 2014. The first of two episodes where the hosts talk about failures. 0:01:40 - Josh Force (http://forcedesignhouse.com/) is the graphic designer behind Laura's impending website. Note from the future Laura’s website is done and here: https://lauraforcescruggs.com/ Jake is very proud of the SSL/TLS certification. 0:02:15 - Laura Force: Porn star? 0:04:50 - What happened to Bryn and social media? 0:09:13 - Apparently Facebook is . Jake breaks it down courtesy of Veritasium https://www.youtube.com/watch?v=l9ZqXlHl65g 0:15:50 - The theme of this podcast is Failure. Nilsa goes first. 0:22:20 - Nilsa is a complete professional. 0:22:58 - Bryn talks about how getting laid off from Motorola was heralded by a spooky "subjectless meeting" with his boss appearing on his calendar. 0:27:20 - "Arsenic and Old Lace" may have gotten Bryn promoted. 0:30:00 - Nilsa married her college sweetheart - a division III basketball player. Oh yeah. 0:35:27 - An early mid-life crisis. 0:37:40 - It happened in tech. 0:39:55 - Now she has this theatre company 0:42:30 - Bryn's failings in relationships and jobs 0:46:30 - The School at Steppenwolf 0:50:30 - How did Bryn's marriage go from nice suburban house and wine parties to divorce? 0:54:40 - "You guys were awesome roommates." 0:59:30 - Bryn and relationship overlap 1:02:45 - Breaking the overlap cycle 1:11:40 - Laura is performing at "Loose Chicks" Follow us on Twitter or Facebook Intro Music: "Are You Famous, Yet?" - Laura Scruggs. Outro Music: "AYFY 1" - Christopher Kriz

Megan Ferrell of websites503.com joins me to discuss, How is your web host possibly failing you?   Security communication – security (awareness of vulnerabilities), transparency of security information. Notification of security changes in the industry that could affect you and your potential customers. This would include things like PCI, GDPR , SSL/TLS changes just to ... Read more How is your web host possibly failing you?

Since last year's ‘Taking DevOps to the Edge', and with the introduction of AWS Lambda@Edge, the tools available to apply DevOps practices to your application edge have broadened. In this updated session, we dive deep into how you can integrate Amazon CloudFront and related services into your application, be agile in developing and adapting the application, and follow best practices when configuring the services to improve security and performance, all while reducing costs. Attend this session and learn how to determine the best location (origin, edge, or client) to execute your code, avoid needless forwarding of headers and cookies, test your application when making changes, version your configuration changes, monitor usage and automate security, create templates for new distributions, configure SSL/TLS certificates, and more.

SSL/tls What is ssl and tls. – https://en.wikipedia.org/wiki/Transport_Layer_Security Auto ssl in cpanel – https://blog.cpanel.com/autossl/ Other free SSL sites – Lets encrypt https://letsencrypt.org/ Google will penalize page rankings if SSL is not used as well as mark pages without HTTPS as non-secure. Caching In episode one we discussed gzip compression and using cache control headers (expires ... Read more Free SSL/TLS for your web site, Caching options for your web site

ゲストのOSCAさんとしがないラジオとの出会い、WEBエンジニア勉強会、SIにおける業務理解、モバイルの新OS対応について話しました。 【Show Notes】 OSCA WEBエンジニア勉強会 フィーチャーフォンにおけるSSL/TLSについて AWS Device Farm 配信情報はtwitter ID @shiganaiRadio で確認することができます。 フィードバックは(#しがないラジオ)でつぶやいてください！ 感想、話して欲しい話題、改善して欲しいことなどつぶやいてもらえると、今後のポッドキャストをより良いものにしていけるので、ぜひたくさんのフィードバックをお待ちしています。 【パーソナリティ】 gami@jumpei_ikegami zuckey@zuckey_17 【ゲスト】 OSCA@engineer_osca 【機材】 Blue Micro Yeti USB 2.0マイク 15374

PHP Hybrid VM to Make Small PHP Benchmarks 1.5 Faster - 3 Minutes Lately in PHP podcast episode 84 By Manuel Lemos PHP evolution efforts in terms of performance optimization continues. Now there is an effort to implement a Hybrid VM that can provide great performance improvements for PHP 7.2 with the JIT engine or not. This was one of the main topics discussed by Manuel Lemos and Arturs Sosins on the episode 84 of the Lately in PHP podcast. In this episode they also talked about the Raspberry PI PHP extension, using NULL parameters in PDO queries, and the evolution of support of SSL/TLS connections from PHP code. They also talked about PHP tutorial articles on using a digital document signature platform, managing cloud servers automatically from PHP and how Hired is helping developers to get better jobs without waiting for you to go after them. This article also contains a podcast summary as a 3 minute video of the summary. Listen to the podcast, or watch the hangout video, or the summary video to learn more about these interesting PHP topics.

This Podcast Is Episode Number 0219, And It Will Be About Unique Proven Marketing Tips For Your Contracting Company  For Most Construction Contractors Your World Is “Hurry Up” And “Wait.” Hurry up and answer the Call from the Customer.   Wait to make the appointment.   Hurry up and get to the job.   Wait for the Customer to come home, to be available.   Hurry up and create the proposal.   Wait for a decision.   In some cases, the Customer says “Yes” and then it is Wait for the Job Deposit. Wait to Start The Job Contractors doing Insurance Work are expecting to wait for Approval from the Insurance Company Wait for the 1st Installment from Insurance Company Wait for Inspection By Insurance Company Wait to collect Homeowner’s Deductible Wait for Final Payment By Insurance Company All of this Hurry Up and Wait for activity makes it hard for The Contractor to schedule other jobs. Many contractors are only holding a place open for the customer once a job deposit has been received. There Is A Better Way - Fill The Funnel And Let Them Clamor To Get On Your Schedule! Unless your Construction Contracting Company has lots of work stacked up, there will be times when there is nothing to do, and that is the best time to think about Strategic Marketing and following the adage: "Dig Your Well Before You Are Thirsty" Everyone over a certain age remembers the Big Telephone Book with Lots of Yellow Pages The Telephone Books was so thick that it was the first thing used as a “Booster Seat” for little kids at Holiday Dinners. Those days are gone along with the Full Page – Triple Truck Ads. Today’s telephone book is small, thin and looks closer to an oversized paperback book. Remember the Thomas Guide Map Books. Everyone had them and bought a new copy every year. Today it is the world of internet marketing and phone apps. When in doubt – Google It, Bing, Safari, or search on Yahoo. There are other places, but these are the most common. While waiting for something to happen here are few companies that may help generate leads Here are a few of my favorite companies that provide services that are helpful to contractors Home Advisor – Marketing Nationwide - http://www.homeadvisor.com/ The best part is that you choose the areas you want to work and the types of projects you'll service. They have resources on the pricing your construction services HomeAdvisor is the place to be found - here's why: • Over 12 million project requests in the last 12 months • More than 5 million reviews submitted by homeowners • Nearly 140,000 service pros in their network Houzz.com - Marketing Nationwide - https://www.houzz.com The website for Contactors to Market to Homeowners and upload pictures of past project   Footwork Express – Marketing to Real Estate Agents - http://www.footworkflyers.com Real Estate Agents need the assistance of contractors to put their listing in the best light Footwork Express Provides Real Estate Marketing in King & Snohomish Counties They deliver flyers, postcards, counter card promotions to Real Estate Offices They work with Builders, Agents, Marketing Cos, & Companies with Services which Help Agents List & Sell Homes Deliveries are Posted on their Home Page with the link to our client's website if available They also post the Flyers on their Facebook, LinkedIn & Twitter Postcard Mania – Marketing Nationwide - http://www.postcardmania.com/ Business Cards and Matching Postcards that you can pass out or mail Business cards never go out of style – the just seem old fashioned When the internet goes down, or customers do not have Smart Phone that trusty business card comes in handy Your Construction Company Business Card Should Have: Your Company Name Your Company Address Your Contact Info Your Company Web Address Your Company Phone Number A business card is two sided – print something on both sides. Add a Flyer-like the one you used with Footwork Express and do a little “toe & heel work.” In other words Market, Market, Market. Pick a neighborhood that is profitable to you. Pick a neighborhood you know. Pick a neighborhood that is developed with sidewalks. Get in the Habit of passing out cards. Our Marketing Favorite is called “Six Pack Marketing.” Warning! Contractor Six Pack Marketing Can Put You In A Higher Tax Bracket! Because of all the money, it can make you if you do it right...which means if you do it at all! Contractor Six Pack Marketing is extremely powerful so be very careful with this one...several years ago in one of our construction companies we would send a crew to do a small two or three-day project, and they would wind up staying in the area for several months at a time. What a scheduling nightmare! We had to hire more workers, train them using our documented process and send them out to a new project in a new neighborhood and BANG! More often than not they would plant the flag and set up operations and be there for a very long time. Here is how it works: Your crew shows up to a house to do construction project and before things get really busy you go to three houses on each side of the place where you are working (six pack) and introduce yourself to the people living there by handing them a business card and in your own words say something like "Hello, my name is ----- and we are doing a construction project for your neighbor ------ and I just wanted to let you know that if any of our trucks or vans get parked in your way or if you have any concerns about what we are doing you can contact me personally and I will handle it." WOW! You will amaze and delight them! Now do the same for the six houses across the street and when you are finished if nobody has asked for you to "stop by and see about a construction project" at their house you re-visit them and ask if he or she were inconvenienced in any way. This works because most people are curious about what is going on their neighborhood. Numbers, Numbers, Numbers! In baseball, if somebody hit home runs 30% of the time they went up to bat they would earn a lot of money. Most of the time you will not find new work in the neighborhood; however, if it works just 10% of the time and one more person hires you then repeat the six pack again, and in most cases, human nature is "Me Too, Me Too!" Nobody wants to be left out, and very quickly you are getting a backache hauling all your money to the bank! Now for the big news Figure out how much money it costs to "Mobilize" get your vehicles, labor, material, tools and equipment to a job site and how much does it cost to "Demobilize" or reverse the process. Now add an increased efficiency of at least 1% to the bottom line because the crew is familiar with the people and the neighborhood. Every time your contractor six pack works you just put that "Mobilize and Demobilize" money and the 1% increase to the bottom line in your "vacation, retirement, kids college fund or whatever makes you smile fund." If you would like to try the contractor six pack but need someone to do it with you and if you are within 20 minutes driving distance from my office in Lynnwood Washington and offer to buy me breakfast ahead of time I could be persuaded to do it with you at no additional charge other than breakfast because I always enjoy a good meal with a contractor! Contact Sharie 206-361-3950 or by email sharie@fasteasyaccounting.com and let her know you are interested in Six Pack Marketing. Alternate Method For Six Pack Marketing If it is a nice friendly neighborhood, the neighbors will be watching your work and come over. Why they might want something done at their house. Neighborhood with sidewalks – walk the block. Years ago we made up packets that consisted of a Door hanger, Flyer, Free Marketing pieces from the supplier, business card and a coupon. Paper-clipped together and bundled in groups of ten: Hired High school kids to work in pairs put out door hangers One driver and one person to pass out They changed who drove and who walked or parked the vehicle Sometimes both of them walked depending on the neighborhood Gave them a street map, a highlighter to keep track of where they had been Usually worked 2-3 Hours productively several days a week Be sure your truck is lettered because it and mobile billboard advertising your contracting company Add a few Yard Signs for the job sites When you see a New Construction Project, there are signs everywhere on the project Why – The Contractors want to have a “Next Job” to go to before this one is finished Coolfront – Invoicing Software Nationwide - http://www.coolfront.com/ The World's Smartest Service Businesses Use Coolfront Mobile.Coolfront is a Mobile Flat Rate Pricing App for Plumbing, Electrical, HVAC. Has the ability to customize for additional services. Designed for especially the Mechanical Trades doing Service and Repair. Anyone who has had to build a Flat Rate Pricing Guide appreciates all the built-in features. Construction Document Collection and Management System We are always looking for a software to use internally, and you help you. Clients love the new Document Management System that links to their Bank Account, Credit Cards and can send other documents to it and they can view 24/7 previous documents sent.  Our system automatically pulls your bills and statements into one secure hub. This means you have one login to view and manage the documents from all of your accounts. No more logging into ten different sites each month to gather your recurring bills. Already A Client? Click The Logo Below To Login To Your our systeem Three ways to collect paperwork to our systeem: 1. Snap a Photo with the App Simply take a photo of your receipt, invoice or bill with the mobile app. our systeem scans, extracts, and stores your documents, ready to be published. 2. Forward your Email Paperwork When you become a client, our systeem automatically creates a personalized email address just for you. Email in your documents, and we'll do the rest. 3. Scan/Upload your Documents If you've already scanned your receipts, invoices, statements or bills, you can upload them directly to our systeem and the software will extract the key data for you. Safe and Secure! our systeem uses bank-level security to ensure your data is safe. This includes 256-bit encryption, SSL/TLS, and a Premium Extended Validation certificate -- as well as monitoring and verification from McAfee & TRUSTe, the trusted industry standards in data security. Simplify and Go Paperless! Your important financial records are organized automatically for you, backed up forever and available on any device. our systeem is your digital filing cabinet in the cloud.   TSheets – Time Cards Construction Contractors And Their Empolyees Love - http://www.tsheets.com/   Whenever possible, we try to use the services before recommending them so yes, We use T-Sheets. Coming Soon We are currently testing a Dispatch Software with built in estimates, invoices and merchant services. It is a game-changer in the world of dispatch software because IT ACTUALLY WORKS! This particular dispatch software works with QuickBooks Desktop on your desk or in our QuickBooks Desktop in the cloud, and it will be a help to all contractors and the technicians and customers. Fast Easy Accounting Store - QuickBooks Setup and QuickBooks Chart of Accounts For Construction Contractors We are adding content to  www.FastEasyAccountingStore.com to meet the needs of the Do-It-Yourself Contractor. This is helpful to our US, Canadian and other international contractor friends who want to purchase QuickBooks setup Templates and QuickBooks Chart of Accounts for their specific construction company. Short List Construction Contractors We Serve Short List Construction Contractors We Serve  Brand New Construction Company    Handyman Company Cabinet Installer    HVAC Contractor Carpentry Contractor    Insulation Contractor     Carpet And Tile Contractor    Interior Designer       Commercial Tenant Improvement Contractor   Land Development Company Concrete Contractor    Landscape Contractor     Construction Company   Masonry Contractor Construction Manager   Mold Remediation Company       Contracting Company    Moss Removal Company       Contractor   Painting Contractor       Custom Deck Builder    Plumbing Contractor       Custom Home Builder    Pressure Washing Company       Demolition Contractor    Remodel Construction Company       Drywall Contractor    Renovation Contractor       Electrical Contractor    Restoration Contractor       Emerging Contractor    Roofing Contractor       Excavation Contractor    Spec Home Builder       Finish Millwork Contractor    Specialty Contractor       Flipper House Contractor    Subcontractor Flooring Contractor    Trade Contractor       Framing Contractor    Underground Contractor       General Contractor    Utility Contractor       Glass Installation Contractor    Construction Employees     Gutter Installation Company    Construction Support Specialist   Additional QuickBooks Templates, Resources, And Services QuickBooks Set Up Templates   Solopreneur QuickBooks Chart Of Accounts     Free Stuff QuickBooks Item Lists Templates     Consulting   We Serve Over 100 Types Of Contractors So If Your Type Of Company Is Not Listed Please Do Not Be Concerned Because If You Are A Contractor There Is A Good Chance We Can Help You! Call Now: 206-361-3950 We Serve Over 100 Types Of Contractors So If Your Type Of Company Is Not Listed Please Do Not Be Concerned Because If You Are A Contractor There Is A Good Chance We Can Help You! Call Now: 206-361-3950 As summer is approaching here is wishing you a safe trip as you go about your adventures. Enjoy your day. Sharie About The Author: Sharie DeHart, QPA is the co-founder of Business Consulting And Accounting in Lynnwood Washington. She is the leading expert in managing outsourced construction bookkeeping and accounting services companies and cash management accounting for small construction companies across the USA. She encourages Contractors and Construction Company Owners to stay current on their tax obligations and offers insights on how to manage the remaining cash flow to operate and grow their construction company sales and profits so they can put more money in the bank. http://www.fasteasyaccounting.com/sharie-dehart/ 206-361-3950 or sharie@fasteasyaccounting.com   I trust this podcast helps you understand that outsourcing your contractor's bookkeeping services to us is about more than just “doing the bookkeeping”; it is about taking a holistic approach to your entire construction company and helping support you as a contractor and as a person. We Remove Contractor's Unique Paperwork Frustrations We understand the good, bad and the ugly about owning and operating construction companies because we have had several of them and we sincerely care about you and your construction company! That is all I have for now, and if you have listened to this far please do me the honor of commenting and rating podcast www.FastEasyAccounting.com/podcast Tell me what you liked, did not like, tell it as you see it because your feedback is crucial and I thank you in advance. You Deserve To Be Wealthy Because You Bring Value To Other People's Lives! I trust this will be of value to you and your feedback is always welcome at www.FastEasyAccounting.com/podcast One more example of how Fast Easy Accounting is helping construction company owners across the USA including Alaska and Hawaii put more money in the bank to operate and grow your construction company. Construction accounting is not rocket science; it is a lot harder than that, and a lot more valuable to construction contractors like you so stop missing out and call Sharie 206-361-3950 or email sharie@fasteasyaccounting.com Contractor Bookkeeping Done For You! Thinking About Outsourcing Your Contractors Bookkeeping Services? Click On The Link Below: www.FastEasyAccounting.com/hs This guide will help you learn what to look for in outsourced construction accounting. Need Help Now? Call Sharie 206-361-3950 sharie@fasteasyaccounting.com Thank you very much, and I hope you understand we do care about you and all contractors regardless of whether or not you ever hire our services. Bye for now until our next episode here on the Contractors Success MAP Podcast. Warm Regards, Randal DeHart | The Contractors Accountant Our Workflow Removes Your Paperwork Frustrations For Contractors Who Prefer To Do Your Bookkeeping Fast Easy Accounting Do-It-Yourself Construction Accounting Store Is Open Most Contractors Setup QuickBooks Desktop Version In One Of Three Ways: #1 EZ Step Interview inside QuickBooks Setup #2 Asked Their Tax Accountant To Setup QuickBooks #3 They Attended A How To Setup QuickBooks Class Or Seminar And QuickBooks Does Not Work The Way They Want It Too! The Answer: #1 Click Here To Buy An Entire QuickBooks Setup For Your Specific Contracting Company #2 Click Here To Buy Just The Chart Of Accounts For Your Specific Contracting Company Short List Construction Contractors We Serve  Brand New Construction Company    Handyman Company Cabinet Installer    HVAC Contractor Carpentry Contractor    Insulation Contractor     Carpet And Tile Contractor    Interior Designer       Commercial Tenant Improvement Contractor   Land Development Company Concrete Contractor    Landscape Contractor     Construction Company   Masonry Contractor Construction Manager   Mold Remediation Company       Contracting Company    Moss Removal Company       Contractor   Painting Contractor       Custom Deck Builder    Plumbing Contractor       Custom Home Builder    Pressure Washing Company       Demolition Contractor    Remodel Construction Company       Drywall Contractor    Renovation Contractor       Electrical Contractor    Restoration Contractor       Emerging Contractor    Roofing Contractor       Excavation Contractor    Spec Home Builder       Finish Millwork Contractor    Specialty Contractor       Flipper House Contractor    Subcontractor Flooring Contractor    Trade Contractor       Framing Contractor    Underground Contractor       General Contractor    Utility Contractor       Glass Installation Contractor    Construction Employees     Gutter Installation Company    Construction Support Specialist   Additional QuickBooks Templates, Resources, And Services QuickBooks Set Up Templates   Solopreneur QuickBooks Chart Of Accounts     Free Stuff QuickBooks Item Lists Templates     Consulting   We Serve Over 100 Types Of Contractors So If Your Type Of Company Is Not Listed Please Do Not Be Concerned Because If You Are A Contractor There Is A Good Chance We Can Help You! Call Now: 206-361-3950 If you are a blogger, who writes about construction we would like to hear from you. https://www.fasteasyaccounting.com/guestblogger                                                                   Contractors_Success_MAP, Contractors_Success_Marketing_Accounting_Production, Contractor_Bookkeeping_Services, QuickBooks_For_Contractors, QuickBooks_For_Contractors,Contractors_Success_Map_Unique_Proven_Marketing_Tips_For_Your_Contracting_Company

Guest: Shawn Hooper What He Does: Shawn has worked as a computer programmer for most of his life, and is currently the Director of IT for Actionable Books — His job entails developing all of the internal tools for their staff. He is also a WordPress core contributor. Ponderance: How do SSL certificates and HTTPS help to secure websites? Find him online: shawnhooper.ca In today’s episode, Shawn joins Avery to talk about issues of HTTPS and SSL Certification. During this discussion, Shawn explains some of the technicalities of these things, and puts them in a practical framework that listeners can apply to their own websites.   Key Takeaways: [2:50] SSL stands for Secure Sockets Layer — this is actually an old protocol, and the new one is called Transport Layer Security, or TLS. SSL/TLS are cryptographic protocols that ensure that the data between your computer, and the computer that you’re getting data from, is encrypted for both sources. [4:50] HTTPS is a secure version of the HTTP protocol. This protocol is the standard that defines how a web browser and a web server exchange data. This covers permissions to request a page, how the server responds to that request, and how it handles errors. It requires an additional layer of security, so it’s HTTP over SSL. [6:30] In your web browser, when you look at the address bar, if it is secure you will see a little padlock. This means you are using https and the connection between you and the site is secure. The URL will also start with https, rather than http. [7:55] Web browsers are starting to call the attention of website owners and the visitors to websites to being more aware of security and to enable https to the websites we visit. The “not secure notice” shows up on pages where there is a form that requires a password or perhaps credit card information that is not secured with HTTPS. [10:05] Another type of warning could come on a page that is HTTPS, but isn’t fully secure. This is a sign of a broken implementation — it might be represented by a broken padlock or an i with a circle around it. [11:54] In addition to security, the biggest benefit of switching to HTTPS and having a secure site will help increase the trust between your customers and you. If they trust you, they are more likely to interact with the site much more easily. In some cases, having a SSL/HTTPS encrypted website is a requirement. This is required if you accept credit card data. Google will also give a slight increase in ranking to sites that are HTTPS. [14:05] To implement SSL/HTTPS, you need buy a certificate that will act as a “handshake” between your computer and the web server. This certificate identifies your server as being you, and allows your visitors’ browsers to recognize your website. There are three different types of certificates available: 1) domain-validated certificate, 2) organization-validated certificate, and 3) extended-validation certificate. From a technical standpoint from what they do, they all encrypt the same way. It is from a trust standpoint where they differ. [18:23] In terms of cost, you could get a domain-validated certificate for free. An organization called Let’s Encrypt offers free SSL certificates. Many web-hosting companies are building Let’s Encrypt right into their web offerings. A certificate from Let’s Encrypt expires after 90 days, rather than a year like most other SSL certificates, but it can be auto-renewed. This option is a great solution for those who want a little boost of trust but don’t necessarily need the higher-end validation of who you are. [20:48] If your web host doesn’t support Let’s Encrypt, you can get domain-validated certificates from a certificate authority for a couple of dollars a year. The other two types of certificates are more expensive. [22:19] Some factors that might affect the cost of your certificates: A wildcard certificate will allow you to secure a domain name and all of its host names in a single certificate. There is usually a premium that may increase the price. Along with this, Shawn and Avery discuss the probability of websites not using the “www.” domains. [25:20] As a non-technical person, should you reach out for technical help or can you do this? Shawn recommends contacting tech support for your web host or your web developer and see what the process is to determine what’s the best way to proceed. [26:13] Shawn talks through the process of putting an SSL Certificate on your website. A CSR (certificate signing request) is created by the web server that identifies it as the web server. This is submitted to the certificate authority, and you get a certificate that matches the CSR. Then these have to be connected together. [27:51] Once you set up the certificate, your website should be encrypted. To make sure, you can go to your HTTP website and see if it’s being redirected to the secure HTTPS version. You may have to change a setting to ensure your website is running the HTTPS. If you are still getting warnings, an element on the page may not be being transmitting using HTTPS. To be considered fully secure, each element must be changed to HTTPS. Shawn and Avery discuss some different situations of what could be causing mixed content warning. [33:30] Practical tips: Get in touch with your hosting company and try and get them to put the SSL certificate on your website for you. If you still getting the mixed content warning, then you may need to bring in a web professional. [36:14] It is important to make sure that we are doing as much as we possibly can to be secure on our computers and on our websites, and this level of encryption is just one extra step for your protection. It is much easier now than it was in the past.   Episode Highlights: Term Definitions: SSL and TLS Term Definitions: HTTPS URLs in specific Web Browsers Notices of Security Pros of switching websites to HTTPS How to Implement SSL and https to your website Purchasing an SSL Certificate Three types of certificates Price of certificates Resources for Obtaining Certificates Process of putting a SSL certificate on your website Mixed Content Warnings   Resources: Camp Tech Podcast Episode 1 Actionable Books Let’s Encrypt SSLs.com Camp Tech Website

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, little attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use. In this talk, I will detail our efforts to bring trustworthy data provenance to computing systems. These efforts have led to the design and implementation of a provenance-aware operating system anchored in trusted hardware, and a mechanism that leverages the confinement properties provided by Mandatory Access Controls to perform efficient policy-based provenance collection. Using these architectures, I will demonstrate that provenance is an invaluable tool for combating critical security threats including data exfiltration, SQL injection, and even binary exploitation. By addressing key security and performance challenges, this work paves the way for the further proliferation of provenance capabilities. About the speaker: Adam Bates is an Assistant Professor in the Computer Science Department at the University of Illinois at Urbana-Champaign. He received his PhD from the University of Florida, where he was advised by Professor Kevin Butler in the study of computer systems and cyber security. Adam has conducted research on a variety of security topics, including SSL/TLS, cloud computing, USB attack vectors, financial services, and telephony infrastructure. He is best known for his work in the area of data provenance, particularly the construction of secure provenance-aware systems.

Applications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating.Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages with annotations, allowing the programmer to protect selected data types. The DCI compiler and runtime system prevent illegal reads (confidentiality) and writes (integrity) to instances of these types. The programmer selects types that contain security critical information such as passwords, cryptographic keys, or identification tokens. Protecting only this critical data greatly reduces performance overhead relative to complete memory safety.Our prototype implementation of DCI, DataShield, shows the applicability and efficiency of our approach. For SPEC CPU2006, the performance overhead is at most 16.34%. For our case studies, we instrumented mbedTLS, astar, and libquantum to show that our annotation approach is prac- tical. The overhead of our SSL/TLS server is 35.7% with critical data structures protected at all times. Our security evaluation shows DataShield mitigates a recently discovered vulnerability in mbedTLS. About the speaker: Scott A. Carr is a PhD Candidate in Computer Science at Purdue University, where he works with his advisor Mathias Payer in the HexHive research group. His research interests are security, programming languages, and program analysis. Scott's thesis topic is mitigating vulnerabilities in systems software written in C/C++ using compiler-based techniques. His work has appeared (or will soon appear) in ACM AsiaCCS, NDSS, IEEE TSE, and ACM CSUR.

In this session, we dive deep into how you can integrate Amazon CloudFront and related services into your application, be agile in developing and adapting the application, and follow best practices when configuring the services to improve security and performance, all while reducing costs. Attend this session and learn how to avoid needless forwarding of headers and cookies, test your application when making changes to the origin, version your configuration changes, monitor usage and automate security, create templates for new distributions, configure SSL/TLS certificates, and more.

Josh and special guest host Dave Sirrine talk about Halloween, passwords, hardware timing attacks, chip and pin, security economics, SSL/TLS, and Mozilla enabling TLS 1.3 by default.

Vi pratar Let's Encrypt, en tjänst från EFF och Mozilla m. fl. som ger ut gratis certifikat för SSL/TLS. Tidigare kostade det en del pengar att skaffa certifikat som webb-läsare känner igen, nu kan vi använda SSL/TLS för allt! Drupalsnack.se använder sedan en tid ett Let's Encrypt cert. Detta poddavsnitt sponsras av Websystem Det här poddavsnittet sponsras av Websystem. Dagens program: Let’s Encrypt Länkar till moduler, webbplatser och tjänster vi pratade om i detta avsnitt: Why HTTPS Matters | Web | Google Developers Let’s Encrypt - Free SSL/TLS Certificates Certbot Getting Started - Let’s Encrypt - Free SSL/TLS Certificates certbot/certbot: Certbot, previously the Let’s Encrypt Client, is EFF’s tool to obtain certs from Let’s Encrypt, and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol. Let’s Encrypt my servers with acme tiny | xdeb.org diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Let’s Encrypt ACME Client Implementations - Let’s Encrypt - Free SSL/TLS Certificates cPanel’s Official Let’s Encrypt Plugin | cPanel Blog WP Encrypt — WordPress Plugins Smooth LetsEncrypt Installation by adding line to .htaccess [#2645198] | Drupal.org Eftersnack Jiro Dreams of Sushi (2011) - IMDb Manner Mode: Things I love about Japan | Texan in Tokyo Composer Elysia Cron | Drupal.org Cache tags | Drupal.org Configuration Management Initiative | A new system in Drupal 8 for managing configuration Cato den äldre – Wikipedia

This week on BSDNow, Allan is currently at EuroBSDCon! However due to the magic of video (or time travel), you still get a new episode. (You're Welcome!). Stay tuned This episode was brought to you by Headlines Performance Improvements for FreeBSD Kernel Debugging (http://backtrace.io/blog/blog/2016/08/25/improving-freebsd-kernel-debugging/) “We previously explored FreeBSD userspace coredumps (http://backtrace.io/blog/blog/2015/10/03/whats-a-coredump). Backtrace's debugging platform supports FreeBSD kernel coredumps too, and their traces share many features. They are constructed somewhat differently, and in the process of adding support for them, we found a way to improve performance for automated programs accessing them.” “A kernel core is typically only generated in exceptional circumstances. Unlike userspace processes, kernel routines cannot fault without sacrificing the machine's availability. This means things like page faults and illegal instructions inside the kernel stop the machine, instead of just one process. At that point, in most cases, it is only usable enough to inspect its state in a debugger, or to generate a core file.” No one likes it when this happens. This is why backtrace.io is focused on being able to figure out why it is happening “A FreeBSD kernel core file can be formatted in several different ways. This depends on which type of dump was performed. Full core dumps are ELF files, similar in structure to userspace core files. However, as RAM size grew, this became more difficult to manage. In 2006, FreeBSD introduced minidumps, which are much smaller without making the core file useless. This has been the default dump type since FreeBSD 6.0.” The article goes into detail on the minidump format, and some basic debugging techniques “Libkvm will first determine whether the virtual address lies within the kernel or direct maps. If it lies in the kernel map, libkvm will consult the page table pages to discover the corresponding physical address. If it lies in the direct map, it can simply mask off the direct map base address. If neither of these applies, the address is illegal. This process is encapsulated by vatopa, or “virtual address to physical address”. Once the physical address is determined, libkvm consults the core file's bitmap to figure out where in the core file it is located.” “minidumps include a sparse bitmap indicating the pages that are included. These pages are dumped sequentially in the last section. Because they are sparse in a not entirely predictable way, figuring the offset into the dump for a particular physical address cannot be reduced to a trivial formula.” The article goes into detail about how lookups against this map are slow, and how they were improved “For typical manual debugger use, the impact of this change isn't noticeable, which is probably why the hash table implementation has been in use for 10 years. However, for any automated debugging process, the extra latency adds up quickly.” “On a sample 8GB kernel core file (generated on a 128GB server), crashinfo improves from 44 seconds to 9 seconds, and uses 30% less memory” “Backtrace began shipping a version of this performance improvement in ptrace in February 2016. This enables us to also offer significantly faster tracing of FreeBSD kernel cores to customers running current and older releases of FreeBSD. On July 17, 2016, our work improving libkvm scaling was committed to FreeBSD/head. It will ship with FreeBSD 12.0.” *** OpenBSD gunzip pipeline tightening (https://www.mail-archive.com/tech@openbsd.org/msg34035.html) OpenBSD has rethought the way they handle package signing Changing from: 1/ fetch data -> 2/ uncompress it -> 3/ check signature -> 4/ process data To: 1/ fetch data -> 2/ check signature -> 3/ uncompress -> 4/ process data “The solution is to move the signature outside of the gzip header” “Now, Since step 1/ is privsep, as long as step 2 is airtight, 3/ and 4/are no longer vulnerable” Guidelines: small, self-contained code to parse simple gzip headers signify-style signature in the gzip comment. Contains checksums of 64K blocks of the compressed archive don't even think about passing the original gzip header through use as a pipeline step: does not need to download full archive to use it, and never ever pass any data to the gunzip part before it's been verified. “Note that afaik we haven't had any hole in our gunzipping process. Well… waiting for an accident to happen is not how we do things. Hopefully, this should prevent future mishaps.” *** OpenVPN On FreeBSD 10.3 (http://ramsdenj.com/2016/07/25/openvpn-on-freebsd-10_3.html) “While trying to setup OpenVPN, I noticed there was no up-to-date information with correct instructions. OpenVPN uses EasyRSA to setup keys, it has recently been changed in version 3. As a result of this, the old steps to configure OpenVPN are no longer correct. I went through the process of setting up a VPN using OpenVPN on FreeBSD 10.3.” I know FreeBSD developer Adrian Chadd complained about this exact problem when he was trying to setup a VPN before attending DEFCON The tutorial walks through the basic steps: Install the needed software Configure EasyRSA Create a CA Generate keys and DH params OpenVPN Server Config OpenVPN Client Config Starting the daemon It even finishes off with bonus instructions on Port Forwarding, Firewalls, and Dynamic DNS *** lsop (https://github.com/606u/lsop) LSOP is the tool a bunch of users have been asking for “a FreeBSD utility to list all processes running with outdated binaries or shared libraries” How does it work? “lsop iterates over all running processes and looks through memory-mapped files with read + execute access; then it checks if those files are still available or have been modified/deleted.” How would you use it? After installing an system update (that doesn't require a reboot to update the kernel), or upgrade your packages, you still need to know which daemons need to be restarted to use the patched libraries and binaries This tool gives you that list Thanks to Bogdan Boyadzhiev for writing this much needed tool *** News Roundup OpenBSD 2016 Fundraising Campaign (http://www.openbsdfoundation.org/campaign2016.html) The OpenBSD fund-raising campaign has given us a status update on the state of 2016. They start by giving us a re-cap of previous years: “2015 was a good year for the foundation financially, with one platinum, one gold, four silver and 3 bronze donors providing half of our total donations. 680 individuals making smaller contributions provided the other half. While the total was down significantly after 2014's blockbuster year, we again exceeded our goal.” As of Sept 5th, they were at approx $115k out of a total goal of 250k. If you are an OpenBSD user, remember to contribute before the end of the year. Small amounts help, and the money of course goes to great causes such as hackathons and running the OpenBSD infrastructure. Update firewall Bad Countries (https://github.com/KaiLoi/update-fw-BC) Network and Systems admins know, sometimes when all else fails you need to break out the HUGE ban-hammer. In this case sometimes entire countries get put on the excrement list until the attacks stop. We have a handy GitHub project today, which will assist you in doing exactly that, enter update-fw-BC. (Update firewall by country) This perl script may be your savior when dealing with instances that require major brute force. It specifically works with IPFW, PF and IPTABLES, which will allow it to run across a variety of BSD's or even Linux. It will ingest a list of IP's that you feed it (perhaps from another tool such as sshguard) and determine what block the IP belongs to, and match according to country. Detailed setup instructions for the various firewalls are included, and some instructions for FreeBSD, although using it on OpenBSD or other $BSD should also be easy to adapt. *** More utilities via moreutils (https://distrowatch.com/weekly.php?issue=20160822#tips) In most BSDs, the “core” set of utilities and commands are just part of the base system, but on Linux, they are usually provided by the “coreutils” package. However, on Linux and now FreeBSD, there is a “moreutils” package, that provides a number of interesting additional basic utilities, including: chronic: Run a task via crontab, and only generate output if the task fails combine: binary AND two text files together, only displaying lines that are in both files errno: look up the text description of a specific error number ifdata: parse out specific information from ifconfig ifne: if-not-empty, only run a command if the output of the pipe is not blank isutf8: determine if a file or stdin contains utf8 lckdo: execute a command with a lock held, to prevent a second copy from spawning mispipe: return the exit code of the first command in a pipe chain, rather than the last parallel: run multiple jobs at once pee: tee standard input to multiple pipes sponge: write standard input to a file, allows you to overwrite a file in place: sort file | sponge file ts: add a timestamp to each line of standard input vidir: edit a directory in vi, great for bulk renames vipe: insert vi into a pipe, edit the content before it is passed to the next command zrun: uncompress the arguments before passing them. Like gzless and friends, but for any command Just goes to show the power of the original UNIX philosophy, chaining together a bunch of small useful tools to do really powerful things *** OpenBSD: SNI support added to libtls, httpd in –current (http://undeadly.org/cgi?action=article&sid=20160823100144) libtls, LibreSSL's improved API to replace the OpenSSL standard, now has a set of functions to implement SNI (Server Name Indication) Until a few years ago, each different SSL/TLS enabled website required a unique IP address, because typical HTTP Virtual Hosting (differentiating which content to serve based on the Host header in the HTTP request), didn't work because the request was encrypted. Finally the TLS standard was updated to include the hostname of the site the user is requesting in the TLS handshake, so the server can return the corresponding certificate, and multiple TLS enabled websites can be hosted on a single IP address The new API includes the ability to provide additional keypairs (via tlsconfigaddkeypair{file,mem}()) And allow the server to determine what servername the client requested viatlsconnservername() This is much easier to use, and therefore safer and less error prone, than the OpenSSL API The libtls API is used in a number of OpenBSD tools, including the httpd *** Beastie Bits Shawn Webb of HardenedBSD joins the OPNSense Core Team (https://opnsense.org/new-core-team-member/) How to install 2.11 BSD on a (simulated) PDP11 (http://vak.ru/doku.php/proj/pdp11/211bsd) OpenBSD Puffy needlepoint pixelart (https://nemessica.tintagel.pl/blog/OpenBSD-Puffy/) PulseAudio has been removed from dports (DragonFly BSD) (http://lists.dragonflybsd.org/pipermail/users/2016-August/313010.html) pfSense 2.4 pre-alpha available for testing, based on FreeBSD 11.0 (https://blog.pfsense.org/?p=2118) Call for Testing - Bhyve HDA Sound Emulation (https://lists.freebsd.org/pipermail/freebsd-virtualization/2016-September/004700.html) *** Feedback/Questions Matthew - ZFS Hole Birth (http://pastebin.com/CrZiDAF0) Hunter - systemd-mount (http://pastebin.com/GztjY4wz) Anonymous - Cool'n'quiet (http://pastebin.com/gG4j4RCi) Nathan - Datacenter (http://pastebin.com/9XgPzMM9) Chuck - OpenBSD w/DO (http://pastebin.com/FM2xYcxh) ***

Detta är det femtioåttonde avsnittet av Säkerhetspodcasten, i vilket panelen diskuterar nya SSL/TLS-problem, Satoshis vara eller icke vara, sårbarheter i 7zip och ImageMagick och mycket mer!

Here are some of my favorite stories and links for this week! Training opportunities NMAP course from Udemy - $24 for a limited time (I think) How to handle the the thoughtless compliance zombie hordes - by BHIS is coming up Tuesday February 16th from 2-3 ET. The price is free! Pivot Project touts itself as "a portfolio of interesting, practical, enlightening, and often challenging hands-on exercises for people who are trying to improve their mastery of important cybersecurity skills. News It is absurdly easy for attackers to destroy your Web site in 10 minutes. Secure your home network better using advice from the SANS Ouch! newsletter. Chromodo (part of Comodo's Internet Security)disables same-origin policy which basically disables Web security. Wha?! Virus total now looks at firmware images as well. We can soon wave goodbye to Java in the browser forever!. Kinda. Tools Here's a nice SSL/TLS-checking checklist for pentesters. Kali is moving to a rolling release configuration pretty soon. Update yours before April 15!

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Evilrob-Xaphan-TLS-Canary-Keeping-Your-Dick-Pics-Safer.pdf Canary: Keeping Your Dick Pics Safe(r) Rob Bathurst (evilrob) Security Engineer and Penetration Tester Jeff Thomas (xaphan) Senior Cyber Security Penetration Testing Specialist The security of SSL/TLS is built on a rickety scaffolding of trust. At the core of this system is an ever growing number of Certificate Authorities that most people (and software) take for granted. Recent attacks have exploited this inherent trust to covertly intercept, monitor and manipulate supposedly secure communications. These types of attack endanger everyone, especially when they remain undetected. Unfortunately, there are few tools that non-technical humans can use to verify that their HTTPS traffic is actually secure. We will present our research into the technical and political problems underlying SSL/TLS. We will also demonstrate a tool, currently called “Canary”, that will allow all types users to validate the digital certificates presented by services on the Internet. Evilrob is a Security Engineer and Penetration Tester with over 14 years of experience with large network architecture and engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He currently spends his days contemplating new and exciting ways to do terrible things to all manner of healthcare related systems in the name of safety. Twitter: @knomes xaphan is a "Senior Cyber Security Penetration Testing Specialist" for a happy, non-threatening US government agency. He has been a penetration tester for 17 years, but maintains his sanity with a variety of distractions. He is the author of several ancient and obsolete security tools and the creator of DEFCOIN. Twitter: @slugbait

Hi and welcome to the DevelopSec newscast for October 20th, 2015.  I am James Jardine and I wanted to take a few moments to talk about some recent news stories over the past week. Apple removes several apps that could spy on encrypted traffic - http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/ , http://www.theregister.co.uk/2015/10/09/apple_borks_adblocking_app_over_privacy_concerns/   Apps installed a root certificate on device. Could allow monitoring of data, even SSL/TLS traffic. Recommended to uninstall the apps, unfortunately it was not made clear which ones they are. com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/ Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website. Could hijack user sessions. Responsible/Coordinated disclosure allowed flaw to be resolved before publicly disclosed. Medicaid Data Breach, Security Issue at NC and CA Facilities - http://healthitsecurity.com/news/medicaid-data-breach-security-issue-at-nc-and-ca-facilities Spreadsheet sent via email unencrypted. Highlights importance of attention to detail. Sometimes the simplest mistakes create a potential risk. Difficult to prove if data was accessed by unauthorized users. What options could be used instead of emailing the attachment? Thumb drive stolen from employees home Data should be encrypted. Ensure policies exist that cover acceptable use of portal storage. Ensure that employees are trained on the policies.   Join the conversation on google+ (https://www.google.com/+Developsec) and Twitter (@DevelopSec)

Microsoft força a barra com Win 10; Fraudes com protocolos SSL/TLS; Marshmallow chegando para linha LG; Bug exibe audiência de posts no Facebook; Efeito placebo em games; 2016: o ano das telas dobráveis.

Vi snackar SSL - TLS om man ska vara nogräknad. Tobias berättar om Plex långa resa mot att kunna visa ett grönt lås i webbläsarens adressfält, och att göra det på ett så rätt sätt som möjligt. Ett stort tack till Cloudnet som sponsrar våra livesändningar och erbjuder finfina  VPS! Sist i avsnittet presenterar vi vinnarna i Informators Raspberry pi-tävling under Code night 2! Har du kommentarer, frågor eller tips? Vi är @kodsnack, @tobiashieta, @isallmaroon och @bjoreman på Twitter och epostas på info@kodsnack.se om du vill skriva längre. Vi läser allt som skickas. Länkar SSL Code night 2 Martin Videon av livesändningen är inte ute än Plex mediaserver Google och Firefox vill varna för osäkra anslutningar istället för att markera säkra Självsignerat certifikat Amazons molntjänster OpenSSL Digicert Rotcertifikatsutgivare Artikel om Plex utrullning och användning av Digicerts tjänst DNS-server Wildcard-certifikat UPNP - Universal plug and play Dyndns Opportunistic encryption Firefox implementerade men drog tillbaka HTTP2 - förslaget kring opportunistic encryption SHA-2 SHA-1 DNS rebinding protection/attack DNSSEC Linksys WRT-routrar cURL /etc/hosts NaCL IPv4 IPv6 OpenSSL-licensen GPL LGPL GnuTLS PolarSSL - numera mbed TLS BSD-licenser LibreSSL Stream-cipher Pipelining CA Let’s encrypt Informator Raspberry pi 2 Titlar Alla kryptonycklar på rätt ställe En kommitté med väldigt för mycket folk Ganska många lapptäcken ovanpå På olika kryptografiska vägar Den lilla gröna nyckeln Gröna, verifierade certifikat På ett skalbart och hållbart sätt Jag har ingen klar exploit i huvudet Vi ville göra allting superrätt Superrätt i det här fallet En pool som hela tiden fylls på Ta till silvertejpen När man väl har kommit över själva handskakningen Driven av väldigt många svärord

Viele Applikationen kommunizieren mit Servern und APIs. Dabei werden oft personenbezogene oder private Daten übertragen die geschützt werden sollen. Dazu kommt SSL/TLS zum Einsatz welches sehr viele Möglichkeiten zur Konfiguration bietet. Wie Du dabei die bestmögliche Sicherheit erreichst kannst Du in diesem Vortrag lernen. Session 2, Samstag, Terrassensaal, Macoun 2014

On this episode of The AIE Podcast... Alludra: AIE has a new IRC Tetsemi: Meetups, get your Meetups here! Mkallah: Noob Raids, COOPS, and more games Alludra: We have a new question of the week Tetsemi: Abovan and Kelseer are here to talk to us about AIE in Final Fantasy! All that and more coming up right now... Podcast Audio Raw Video http://youtu.be/yIJ_yv4XzlM Alludra: AIE Podcast News We will be moving to a new Internet Relay Chat (IRC) server for the live recording chat room. The new server was set up to support not only the podcast, but game divisions of AIE which need some open-access chat capability. The new channel can be accessed as #podcast on irc.aie-guild.org on port 6667 or on port 6697 for SSL/TLS encrypted sessions (which we recommend). You can also use our secure web client. If you are new to IRC, there are tutorials available. http://theaiepodcast.com/2015/03/13/a-new-irc-server/ Tetsemi: AIE In Real Life You want meetups? We have them! Retro Video Game Arcade Night in Pasadena, CA - April 4, 2015 7pm- $10.00 an hour buys you all the video games, pinball, and console games that you want- join your AIE guildmates to see who is the Master retro gamer! And maybe, just maybe, get Lanc drunk enough to give an encore of his Owl and the Pussycat performance! http://www.meetup.com/Alea-Iacta-Est/events/221049316/ The Central NJ Brewpub invasion is scheduled for Saturday, April 18 at 5 pm at the Harvest Moon Brewery and Cafe. Come join the AIE members and friends in New Brunswick for some pub 'n' grub. Open to all! And this event is being hosted our head robot himself, Stigg! http://www.meetup.com/Alea-Iacta-Est/events/221167568/ This week, Blizzard announced the dates for the mother of all events, Blizzcon- returning to the Anaheim convention center on November 6th and 7th.. Tickets are $199 US Dollars and go on sale April 15th and 18th through Eventbright. http://us.battle.net/blizzcon/en/blog/18291110/join-the-party-at-blizzcon%C2%AE-2015-november-6-and-7-3-12-2015 And, if you want to be in the middle of the action, but end up not having a ticket to the main event? AIE is planning our Guildhall at Blizzcon 2015. Please sign up on Meetup.com if you intend to come, to give Crazy Uncle Lanc and his organizers an idea of a headcount. http://www.meetup.com/Alea-Iacta-Est/events/221171579/ Mkallah: World of Warcraft Noob Raids First Anniversary is coming soon! http://forum.myextralife.com/topic/55947-noob-raids-first-anniversary/ Here is what Sparrow, the esteemed leader of Noob Raid has to say: It has been a fun year and a great time, I have made some amazing friends and had the opportunity to play with some of the greatest people in the game. How do we plan to celebrate this event? By going back where we started, but this time we are going Heroic !! ( was going to do mythic, but I dont want to limit the size of the group) . Saturday, March 21st at 11pm game time we will be setting off into Siege of Orgrimmar, If we end up with more than one full raid team, we will split off and make more. Come one, come all share your tales of Noobish valor and adventure! Spring Craft Faire CooP Grimcow has put up more information around the upcoming COOP craft faire. Gather at 8pm server on April 25th at the Goblin Death Blimp in Orgrimmar. COOP heads out at 9! The plan is to form as many groups as needed, and of course priority in the primary group is given to those without the War Bear. And we do need as many people as possible to run support, as those nasty Allaince leaders and friends hit HARD. Level 100 is prefered, but not required- and no PVP gear is needed. http://forum.myextralife.com/topic/55940-spring-craft-faire-coop/ WoW Game Token http://us.battle.net/wow/en/blog/18141101/introducing-the-wow-token-3-2-2015 Coming soon to an Azeroth near you: the WoW Token, a new in-game item that allows players to simply and securely exchange gold and game time between ea...

We're back from BSDCan! This week on the show we'll be chatting with Brian Callahan and Aaron Bieber about forming a local BSD users group. We'll get to hear their experiences of running one and maybe encourage some of you to start your own! After that, we've got a tutorial on the basics of NetBSD's package manager, pkgsrc. Answers to your emails and the latest headlines, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD 11 goals and discussion (http://blather.michaelwlucas.com/archives/2053) Something that actually happened at BSDCan this year... During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more There's also some notes from the devsummit virtualization session (http://blather.michaelwlucas.com/archives/2060), mostly talking about bhyve Lastly, he also provides some notes about ports and packages (http://blather.michaelwlucas.com/archives/2065) and where they're going *** An SSH honeypot with OpenBSD and Kippo (http://securit.se/2014/05/how-to-install-kippo-ssh-honeypot-on-openbsd-5-5-with-chroot/) Everyone loves messing with script kiddies, right? This blog post introduces Kippo (https://code.google.com/p/kippo/), an SSH honeypot tool, and how to use it in combination with OpenBSD It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely You can use this to get new 0day exploits or find weaknesses in your systems OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications *** NetBSD foundation financial report (https://www.netbsd.org/foundation/reports/financial/2013.html) The NetBSD foundation has posted their 2013 financial report It's a very "no nonsense" page, pretty much only the hard numbers In 2013, they got $26,000 of income in donations The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else Be sure to donate to whichever BSDs you like and use! *** Building a fully-encrypted NAS with OpenBSD (http://www.geektechnique.org/projectlab/796/how-to-build-a-fully-encrypted-nas-on-openbsd.html) Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing This article takes a look at the OpenBSD side and explains how (http://www.geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto.html) to build a NAS with security in mind The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! *** Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org (mailto:admin@lists.nycbug.org) & admin@cobug.org (mailto:admin@cobug.org) Forming a local BSD Users Group Tutorial The basics of pkgsrc (http://www.bsdnow.tv/tutorials/pkgsrc) News Roundup FreeBSD periodic mails vs. monitoring (http://deranfangvomende.wordpress.com/2014/05/11/freebsd-periodic-mails-vs-monitoring/) If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them From bad SSH logins to Zabbix alerts, it all adds up quickly It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers *** Doing cool stuff with OpenBSD routing domains (http://www.skogsrud.net/?p=44) A blog post from our viewer and regular emailer, Kjell-Aleksander! He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project This is where OpenBSD routing domains and pf come in to save the day The blog post goes through the process with all the network details you could ever dream of He even named his networking equipment... after us (http://i.imgur.com/penYQFP.jpg) *** LibreSSL, the good and the bad (http://insanecoding.blogspot.com/2014/04/libressl-good-and-bad.html) We're all probably familiar with OpenBSD's fork of OpenSSL at this point However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk" This article talks about some of the cryptographic development challenges involved with maintaining such a massive project You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility *** PCBSD weekly digest (http://blog.pcbsd.org/2014/05/weekly-feature-digest-28-photos-of-the-new-appcafe-re-design/) Lots going on in PCBSD land this week, AppCafe has been redesigned The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update In the more recent post (http://blog.pcbsd.org/2014/05/weekly-feature-digest-29-pbing/), there's some further explanation of the PBI system and the reason for the transition It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2UbEhgjce) Daniel writes in (http://slexy.org/view/s21XU0y3JP) Sean writes in (http://slexy.org/view/s2QQtuawFl) tsyn writes in (http://slexy.org/view/s20XrT5Q8U) Chris writes in (http://slexy.org/view/s2ayZ1nsdv) ***

舘野祐一さんをゲストに迎えて、Podcast クライアント、モバイルアプリ開発、TestFlight, WhatsApp, iOS セキュリティなどについて話しました。 Show Notes 坂本真綾 - ハチポチ Rebuild.fmクライアント(非公式)をリリースしました Podcast App Playback Speeds iOS Human Interface Guidelines: Designing for iOS 7 Design | Android Developers TestFlight Owner Burstly Acquired By Apple Acqui-hiring DeployGate Beta Facebook is buying WhatsApp for $16 billion WhatsApp: The inside story WhatsAppの買収から考える今後のスマートフォンビジネスの動き About the security content of iOS 7.0.6 Apple's SSL/TLS bug The WebKit Open Source Project - Writing New Tests

Ethan Robish is a researcher with Black Hills Information Security and is here to give us some of the background on a suite of tools for the Offensive Countermeasures class - Active Defense Harbinger Distribution. The Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu 12.04 LTS. It comes with many tools aimed at active defense preinstalled and configured. The purpose of this distribution is to aid defenders by giving them tools to "strike back" at the bad guys. A lean week in episode 319's Drunken security news, but at least the house was full with PDC staff. With Paul, Larry, Allison and Jack in-studio and John and Carlos via Skype to fill us in on all the fun. But first, make sure to not miss the other two segments from episode 319. First was 451 Research's Wendy Nather to talk with the team, and then Ethan Robish and John Strand came on to talk about a brand new distribution. If you like distributions like Samurai, Backtrack and others, you might be interested in this one. Titled ADHD (Active Defense Harbinger Distribution) this has been three years in the making and takes on offensive security with many of the tools you love. As for the stories of the week, Paul started off with a couple quick hits, including a joke about the Federal Reserve hack and bugs in hospital embedded devices. Then follow along as Jack goes a long way to make a joke about prime numbers, after one of the largest only-divisible-by-one-and-itselfs was discovered. The first story they dig into is one that Larry brought along, about SSL/TLS being broken. After some explanation on the Oracle padding issue and the use of the same key, John and Larry bring up Wright's Law (to be discussed in episode 320 on Tuesday). Larry wonders, who is working on fixing SSL and if there is someone with a fix today, it could take five years until it is fully implemented. Do you need anything more than six seconds? Apparently if you use Vine for Twitter, that's all you'll need. It's a new video sharing service, but all you get is six seconds of video. And what happens on Vine stays on Vine, right? Umm, no. What would you do if you were Adobe's CISO? Take the staff out to lunch? Quit? Or actually get things cleaned up. I guess at least they're not Sony. Congratulations to Allison who is Gold GCIA certified after her paper on digital watermarking to help prevent leaks. You can read the entire thing in the SANS Reading Room. Lastly, Larry drops an "I told you so" with regard to Universal Plug and Play (uPnP). As Larry wrote, now there is a single Packet UDP exploit for it, for almost every device - of which there are millions of devices connected to the internet based on HD Moore's scanning. Oh and if your company is looking for their next great employee (or if you get a referral bonus) contact Larry with the opportunity.