Tech Brew Ride Home - Fri. 05/28 – SolarWinds Back In The Headlines
Episode Date: May 28, 2021The SolarWinds hackers are back, and I’m starting to fear the escalation of a cyber cold war here. Mark Gurman thinks we’ll see redesigned AirPods this year. Have I Been Pwned goes open source. An...d come for the longreads suggestions as always, but stay for my rant about that insane Citizen app story. Sponsors: Netgear.com/bestwifi Promocode: Tech10 Cybereason.com Links: Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency (New York Times) Apple Plans Redesigned AirPods for 2021, New AirPods Pro in 2022 (Bloomberg) Have I been Pwned goes open source (ZDnet) Weekend Longreads Suggestions: 'FIND THIS FUCK:' Inside Citizen’s Dangerous Effort to Cash In On Vigilantism (Vice) Own the Internet (Not Boring) A New Crop in Pennsylvania: Warehouses (New York Times) The Mystery of Magic’s Greatest Card Trick (New York Times) Subscribe to the RideHome+ Feed at: tech.supercast.tech Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco.
Hey, who did this to you?
What happened next turned the story into a political firestorm.
Reports have identified the victim as Bob Lee, the founder of Cash App.
From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16.
Welcome to the Tech meme right home for Friday, May 28th, 2021. I'm Brian McCullough today. The Solar Winds
hackers are back, and I'm starting to fear the escalation of a cyber cold war here. Mark Garman
thinks we'll see redesigned AirPods this year. Have I been poned? Goes open source. And come for the
long read suggestions, as always, but stay for my rant about that insane citizen app story.
Microsoft is reporting that the Solar Winds hackers are back and that they've hacked email systems
used by the State Department's international aid agency in order to attack human rights groups
and other organizations critical of Russia's President Vladimir Putin. Remember, we don't know
how long the solar winds hackers were in the various systems. They penetrated last year,
and we don't know what sort of booby traps and hidey holes they installed for themselves for
later use. Perhaps this is that coming home to Roost, quoting the New York Times.
hackers linked to Russia's main intelligence agency surreptitiously seized an email system used by the State Department's
International Aid Agency to burrow into the computer networks of human rights groups and other organizations of the sort that have been critical of President Vladimir Putin.
Microsoft Corporation disclosed on Thursday. The newly disclosed attack was also particularly bold.
By breaching the systems of a supplier used by the federal government, the hackers sent out genuine-looking emails to more than 3,000 accounts across more than 150 organizations that regular.
received communications from the United States Agency for International Development. Those emails
went out as recently as this week, and Microsoft said it believes the attacks are ongoing. The email
was implanted with code that would give the hackers unlimited access to the computer systems of the
recipients from stealing data to infecting other computers on a network. Tom Burt, a Microsoft
Vice President, wrote on Thursday night. The original SolarWinds attack went undetected by the U.S.
government for nine months until it was discovered by a cybersecurity firm. In April, President
Biden said he could have responded far more strongly to the attack, but, quote, chose to be
proportionate because he did not want to, quote, kick off a cycle of escalation and conflict with
Russia, end quote. The Russian response nonetheless seems to have been escalation. The malicious
activity was underway as recently as the past week. That suggests that the sanctions and whatever
additional covert actions the White House carried out in response to the solar winds hack,
Part of a strategy of creating seen and unseen costs for Moscow has not choked off the Russian government's appetite for disruption. A spokesperson for the cybersecurity and infrastructure security agency at the Department of Homeland Security said late Thursday that the agency was, quote, aware of the potential compromise at the agency for international development and that it was working with the FBI and U.S. aid to better understand the extent of the compromise and assist potential victims, end quote. Microsoft identified the Russian group behind the attack,
as nobellium and said it was the same group responsible for the SolarWinds hack.
Last month, the American government explicitly said that SolarWinds was the work of the
SVR, one of the most successful spinoffs from the Soviet-era KGB.
The same agency was involved in the hacking of the Democratic National Committee in 2016,
and before that, in attacks on the Pentagon, the White House email system,
and the State Department's unclassified communications, end quote.
It's Mark German and Debbie Wu Apple Scoop Friday.
the pairs say that Apple is planning redesigned AirPods to come out this year and second-gen
AirPods Pro to come out in 2022, which will include updated motion sensors for fitness tracking.
The new base AirPods will mark the first update to the product since March 2019 and will
add a new design that mostly mirrors that of the AirPods Pro. The earbuds will come with a new case
and shorter stems poking out of the bottom of each one, but the AirPods Pro coming next year will
be the first change to that product since October 2019 and will include updated motion sensors
with a focus on fitness tracking, the people said, asking not to be named because the plans
are private. As part of its broader home audio and accessory strategy, Apple has also begun
early development of a home pod speaker with a built-in screen, as well as a device that
combines the features of a home pod, FaceTime camera, and Apple TV, Bloomberg News has reported.
Competition for speakers with screens is already widespread. Apple released a HomePod mini
speaker last year and outlined a minor update to the Apple TV set-top box last month.
For the new AirPods Pro, Apple has also tested a smaller design that eliminates the stems.
That look will debut on new beats-branded wireless earbuds planned to be announced next month,
end quote.
Have I Been Poned?
Has, as promised, gone open source, starting with the Poned password code.
Also, the FBI is going to begin sharing compromised passwords discovered in investigations,
with the site, quoting ZDNet. Why is the FBI getting involved? Because Brian A. Vorndan,
the FBI's assistant director, Cyber Division, said, quote, we are excited to be partnering with
HIBP on this important project to protect victims of online credential theft. It's another
example of how important public-private partnerships are in the fight against cybercrime, end quote.
The FBI passwords will be provided in SHA1 and N-TLM hash pairs. HibP does
doesn't need them in plaintext. They'll be fed into the system as they're made available by the
bureau. To do that, have I been poned, is adding on a new open source program, poned passwords,
to let the data flow easily into HIPP. HIPP founder, Troy Hunt, security expert and Microsoft
Regional Director, explained he's open sourcing the code because, quote, the philosophy of
HIBP has always been to support the community. Now I want the community to help support
HIBP. HIBP is written in dot net and runs on Azure. People check the free HIBP site at a rate of
almost one billion requests per month. It collects data from all the many personal security breaches
that happen every week or two. Hunt says he could, quote, proverbially lift and shift
pone passwords into open source land in a pretty straightforward fashion, which makes it the obvious
place to start. It's also great timing because, as I said earlier, it's now an important part of
many online services, and this move ensures that anybody can run their own poned passwords
instances if they so choose. Hunt hopes, quote, that this encourages greater adoption of the
service, both due to the transparency that opening the codebase brings and the confidence that
people can always roll their own if they choose. Maybe they don't want the hosted API dependency,
maybe they just want a fallback position should I ever meet an early demise through an
unfortunate jet ski accident. This gives people choices, end quote. As M.O. Prodolinsky pointed out on
Twitter, sometimes one person's work really can make a significant difference in the world. How could
this project take off from here? Well, imagine just one scenario from Sean Scott on Twitter,
quote, if banks and fintech want to have trust front and center, why not leverage services like this one to
tell customers whether their passwords are compromised, end quote. Imagine that.
Imagine proactively alerting and protecting your own users.
Time for the weekend long read suggestions.
And look, just read this first one.
If you've never read any of my long read suggestions before, read this one,
because this is one of the worst, wildest things I've ever read in my 22 years in the tech industry.
It's from motherboard slash vice, and it involves that citizen app that we recently talked about,
you know, how they're hiring private security forces, vigilanteism on demand. Well, if possible,
if this story is true, it's even worse. Like, it seems that vigilanteism is an actual growth
hacking strategy that they're employing. Like, really, read the whole thing. They're flooding
users with notifications about crimes to make them anxious enough to pay up for the Citizen
Premium Service. It's gross. In fact, I'm just going to read the whole lead to the
piece so you can see how gross it actually is, quote.
Andrew Frame was excited. It was Saturday night two weeks ago, and Frame, the CEO of the
Crime and Neighborhood Watch app Citizen, was on Slack, whipping himself and his employees into what
he'd later call at an all-hands meeting a, quote, fury of passion about a wildfire that had broken
out earlier that afternoon in Los Angeles's Pacific Palisades neighborhood. Citizen had gotten a
tip that the wildfire was started by an arsonist, and Frame had decided earlier in the night that
the fire was a huge opportunity. Citizen, using a new live streaming service it had just launched
called On Air, would catch the suspect live on air with thousands of people watching. Frame decided
the citizen user who provided information that led to the suspect's arrest would get $10,000.
Frame wanted him before midnight. As the night were on, Citizen got more information about the
supposed suspect. They obtained a photo of a man, which they kept up on the live stream for
large portions of the night. More information trickled in through a tips line citizen had set up.
Citizen said the information about the person of interest came from an on-the-ground tip from an
LAPD sergeant, followed by emails from local residents who had been approached by LAPD officers.
First name? What is it? Publish all info, Framed told employees working in a citizen slack room who were
working on the case. Find this fuck, he told them. Let's get this guy before midnight. He's going down.
Breaking news, this guy is the devil, get him, Frame said. By midnight, we hate this guy, get him.
He was growing impatient. He increased the bounty to $20,000. Thousands of people were watching citizens
live stream, but the man still hadn't been caught. Frame asked his staff to send out another
notification, one that would hit all citizen users in Los Angeles. The bounty had to go higher.
Close in on him. 30K. Let's get him. No escape. Let's increase. 30K, frame said. Notify all of L.A.
blast to all of LA. Citizen is on air. Arsonist pursuit continues the notification, which went out to
848,000 citizen users in Los Angeles said, we are now offering a $30,000 reward for any information
directly leading to his arrest tonight. Tap to join the live search, end quote. In the Slack room with
Frame 1 staffer brought up a loophole pointing out that Citizen was violating its own terms of
service that prohibit, quote, posting of specific information that could identify parties involved in
an incident, end quote. The staffer who brought up the terms of service violation was ignored in that
specific Slack room, and the broadcast continued to specifically name the person and share his
photo for hours. Earlier in the night, soon after the news of a fire broke, frame said he saw the fire
as a chance to catch a suspected arsonist live on the internet, therefore proving citizens' utility
to users and helping the app grow. Quote, the more courage we have, the more signups we will
have. Go after bad guys, signups will skyrocket. Period.
We should catch a new bad guy every day, Frame said.
At one point, Frame said, quote, these metrics will be great, and they were.
At one point, 40,000 people were watching the live feed according to the Slack messages.
Citizens saw a sharp spike in signups as the live stream spread.
Frame said at a later All-Hands meeting that 1.4 million people engaged with the content
according to other Slack messages.
Well after midnight, Los Angeles police made an arrest.
In a separate slackroom, employees cautiously began to celebrate.
Cop said it's an ongoing investigation. This looks like our guy, one employee wrote.
It wasn't citizens guy. Frame and the entirety of the citizen apparatus had spent a whole night
putting a bounty on the head of an innocent man, end quote.
I was really tempted to do a much longer rant on this, but I'll settle for this take.
people ask a lot about my biases and point of view when I do this show. I'm a multi-time founder. I'm
still an angel investor. So do I have the founder perspective, the investor perspective? Do I have
the journalist perspective? I would never call myself a journalist, not because I'm one of those
knee-jerk Silicon Valley types who hates journalists, but because I actually respect journalism
as a craft. I respect all crafts. Even though I do something on the show that is journalism
adjacent, I didn't go to school to learn how to do it properly, so I would never deign to be a
practitioner of a craft that I didn't properly train for. My editorial stance on this show is that I love
tech. It's the only industry I've ever worked in. It's all I've ever really known since before I was
an adult even. But because I love tech so much, I desperately want it to be better. I'm one of those
people who drank the Kool-Aid and really believes tech can change humanity for the better. So when I see
tech used for evil, venal, lazy shit, I get pissed. Growth hacking has always had a mixed connotation.
Moving fast and breaking things includes the breaking things part. It's right there in the name.
And I'm not naive or moralistic about this. My third startup got to 200,000 users,
basically because we spam the hell out of Live Journal back in 2005. But your growth hacking
does not get to destroy the fabric of the society that my kids live in.
Your quest for engagement does not give you the right to create a running man-style dystopia.
This is not hyperbole. This is exactly what they're doing here.
Oh, designing for virality, for engagement by creating the environment for doom scrolling,
for showing people things that enrage them. That's bad enough. That's bad enough for people.
That's bad enough for society.
Designing your product to scare people, though. So much so that you're literally creating actual
mob behavior is beyond morally reprehensible. I'd even say,
say it's borderline illegal and actionable. Anyone involved in this, if this story ends up being true,
has lost their moral compass full stop. Next, lots of folks have been sharing Paki McCormick's
bull case for Ethereum piece this week, and I'm sharing it because I think that this has rapidly,
over the last few months or so, sort of become the consensus opinion, at least among folks
in Silicon Valley who I talk to who are deeply into crypto. And it boils down to this, really,
quote, Ethereum is so many things at once, all of which feed off each other. Ethereum, the
blockchain, is a world computer, the backbone of a decentralized internet, Web 3, and the settlement
layer for Web 3. Bitcoin is easy. It's digital gold. It's a store of value. It just kind of
sits there. Ethereum is so much more than a cryptocurrency. It's a world computer and the value
layer of the internet. It lets people build apps and products with money baked into the code.
If you believe that Web3 is going to continue to grow, then you likely believe that over time
Ethereum will become the settlement layer of a new internet. All sorts of transactions, whether they happen on Ethereum, another blockchain or even Visa, will turn to Ethereum to exchange funds and keep secure immutable records. A year ago, I wouldn't have said that. But I'm increasingly convinced that ETH will become one of the best assets to own over the next five years. Here's the bullcase in a nutshell. Oaning ETH is like owning shares in the internet.
Demand for ETH will go up with increased Web3 adoption, while upcoming changes will decrease the supply of ETH and let more value accrue to holders.
It's like a tech stock, a bond, a ticket to Web3, and money rolled into one, end quote.
Next, I've often said that if I could do it all over again, maybe I'd come back as an economist because I love stories like this one from the New York Times about the Lehigh Valley in Pennsylvania.
If you know of the Lehigh Valley, you might know the city's Allentown, Bethlehem. This was one of the places the Industrial Revolution happened in the U.S. in the 19th and 20th century. But it's also rural, lots of farmland, so cheap land. Add to that, the Lehigh Valley's proximity to the New York and Philadelphia metro areas and two major interstate highways that go through the valley. And that means that about 30 percent of all American consumers are just a
day's truck drive away from the Lehigh Valley. So now there is a gold rush for building,
you guessed it, warehouses and fulfillment centers in the Lehigh Valley. Quote,
there are now almost as many warehouse and transportation jobs in the region as manufacturing
positions, but it's not a milestone all celebrate, not in an area that hopes to keep alive its
higher-paying manufacturing sector, even though some of its biggest employers like Bethlehem Steel
closed down long ago. Manufacturing jobs in the Lehigh Valley pay
on average, $71,400 a year compared with $46,700 working in a warehouse or driving a truck.
The region is still home to large manufacturing plants that produce Crayola crayons and marshmallow peeps candies.
Don Cunningham, the chief executive of the Lehigh Valley Economic Development Corporation,
says the warehouse jobs are lifting employment and wages, particularly for unskilled workers.
If you were to turn away this economic opportunity for a whole sector of workers,
where do they go, Mr. Cunningham said.
they could end up on some sort of government assistance or end up caught up in the criminal justice system, end quote.
Mr. Cunningham, whose father worked in the local steel industry, said he recognized that distribution jobs were not ideal, quote, but to be able to make $16 an hour with a high school diploma, there aren't a lot of places in the U.S. where you can do that, he said.
This is a really nice sector for low-skilled workers. It at least gives them a fighting chance to carve out a livable wage, end quote.
And then finally, one more from the New York Times.
times. The magician David Burglis has perfected what magicians consider the greatest card trick
ever devised. But David Burglis is 94, and he swears he can't teach the trick to a next generation
of magicians. Quote, it's not a secret I can give to anyone because it's not a secret as such,
Mr. Bergliss, a formal and intense 94-year-old said at his home in North London. It's like asking a
musician who can improvise to teach you his improvisations, which of course he can't, end quote.
The trick is a version of a classic plot of magic called Any Card, Any Number. These tricks are called
A Can in the business. A Can has been around since the 1700s, and every iteration unfolds
in roughly the same way. A spectator is asked to name any card in a deck, let's say the nine of clubs.
Another is asked to name any number between one and 52, let's say 31. The cards are dealt
face up one by one, the 31st card is revealed, and of course it's the nine of clubs. Cue the gasps.
For all their differences, every A-Can has one feature in common. At some point, the magician
touches the cards. The touch might be imperceptible, it might appear entirely innocent, but the cards
are always touched, with one exception, David Burglis's version of A-Can. He would place the cards
on a table, and he didn't handle them again until after the revelation and during the applause. There
no sleight of hand, no hint of shenanigans. It was both effortless and boggling. Among
magicians around the world, his touchless acan is one of the most talked about and puzzled over
tricks in history. It was eventually labeled the Burgliss Effect and helped make its
creator's reputation in a career that spans six decades. Over the years, a number of
magicians have reported private one-on-one performances of the Burgliss Effect that left them
stupefied, end quote. And now the question is, will the secret to the
trick, die with Burgliss, something, something, the prestige part two. Okay, big programming
note for you. Monday is a bank holiday here in the U.S., so we will not have a normal weekday show
for you on Monday because I'm taking the day off, but I will have plenty of content for you
on Monday because on Monday we're going to release the Twitter space that we did this week,
talking about the streaming wars, talking about Tesla, but even better than that,
I'm going to give you several more hours of Twitter spaces because, well, you'll see.
Look for a special announcement episode on Monday explaining how we're going to do the
Twitter space episodes going forward, including giving you access to Twitter spaces and
clubhouse rooms from a bunch of other prominent tech voices all in one place.
Look for that on Monday and enjoy.
Also, Ride Home Plus subscribers.
An interesting raises episode drops mere hours after this episode goes live.
If you went in on that and you're not a right home plus subscriber as ever, subscribe at tech.comcast.com.
But seriously, everybody, watch your feeds on Monday for our big new announce.
I'm super excited about this.
Talk to you on Tuesday.
