Tech Brew Ride Home - Fri. 06/11 – Now The Hackers Have Come For Our Hamburgers
Episode Date: June 11, 2021Moar… hacking news. McDonalds. Electronic Arts. Le sigh. Apple wants to do away with passwords too. Elon Musk unveils the Model S Plaid. An interesting Apple Car hire. And of course, the weekend lon...greads suggestions. Sponsors: TheLogic.co/subscribe promo code RIDE for 50% off Cybereason.com Links: McDonald’s Hit by Data Breach (Wall Street Journal) Hackers Steal Wealth of Data from Game Giant EA (Vice) Apple says its new logon tech is as easy as passwords but far more secure (Cnet) Tesla begins deliveries of its new Model S Plaid (CNBC) Apple Hires Former BMW Executive for Its Rebooted Car Project (Bloomberg) Weekend Longreads Suggestions: The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t near reached peak impact. (Double Pulsar) When ransomware strikes, this company helps victims make bitcoin payments (CNBC) APPLE ISN’T JUST A WALLED GARDEN, IT’S A CARRIER (The Verge) THE APP THAT MONETIZED DOING NOTHING (The Atlantic) Marcus Graham: Looking back on 10 years of Twitch’s experiment with livestreaming (Venture Beat) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco.
Hey, who did this to you?
What happened next turned the story into a political firestorm.
Reports have identified the victim as Bob Lee, the founder of Cash App.
From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16.
Welcome to the Tech meme right home for Friday, June 11th, 2021. I'm Brian McCullough. Today, more hacking news. McDonald's, Electronic Arts, Lacei. Apple wants to do away with passwords. Elon Musk unveils the Model S Plaid, an interesting Apple car hire, and of course the weekend long read suggestions. Here's what you missed today in the world of tech. Well, what do you want for me? More high-profile hacks to tell you about, though, these seem to be.
just run-of-the-mill data breaches, not ransomware attacks, as if that makes it better.
McDonald's says hackers breached its operations in some markets, exposing some U.S.
business info and delivery customer data in South Korea and Taiwan, quoting CNBC.
The Burger Chain said Friday that it recently hired external consultants to investigate unauthorized
activity on an internal security system prompted by a specific incident in which the
unauthorized access cut off a week after it was identified, McDonald's said. The investigators discovered
that company data had been breached in markets, including the U.S., South Korea, and Taiwan, the company
said. In a message to U.S. employees, McDonald's said the breach disclosed some business contact
information for U.S. employees and franchisees, along with some information about restaurants such as
seating capacity and the square footage of play areas. The company said no customer data was breached
in the U.S. and that the employee data exposed wasn't sensitive or personal. The company advised
employees and franchisees to watch for phishing emails and to use discretion when asked for
information. McDonald's said attackers stole customer emails, phone numbers, and addresses for delivery
customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including
names and contact information, McDonald's said. The company said the number of files exposed
was small without disclosing the number of people affected.
The breach didn't include customer payment information, McDonald's said, end quote.
Meanwhile, EA, what I still think of as electronic arts, the video game maker,
confirms that it has suffered a data breach after hackers claim they have 780 gigabytes of data,
including the source code for FIFA 21, and the Frostbite Engine, quoting motherboard.
You have full capability of exploiting on all EA services.
The hackers claimed in various posts on underground hacking forums viewed by motherboard,
a source with access to the forum, some of which are locked from private view,
provided motherboard with screenshots of the messages.
In those forum posts, the hackers said they had taken the source code for FIFA 21,
as well as code for its matchmaking servers.
The hackers also said they obtained source code and tools for the Frostbite engine,
which powers a number of EA games, including Battlefield.
field. Other stolen information includes proprietary EA frameworks and software development kits,
bundles of code that can make game development more streamlined. In all, the hackers said they have
780 gigabytes of data and are advertising it for sale in various underground hacking forum posts
viewed by motherboard, end quote. Not only that, these hackers seem to be bragging about their
coup, claiming they used stolen cookies, bought online for as little as 10 bucks, to gain access to
EA's internal Slack and then tricked IT support into giving them login tokens for EA's network.
Quoting motherboard again. A representative for the hackers told motherboard in an online chat
that the process started by purchasing stolen cookies being sold online for $10 and using those to gain
access to a Slack channel used by EA. Cookies can save the login details of particular users
and potentially let hackers log into services as that person. In this case, the hackers were
able to get into EA's Slack using the stolen cookie.
Once inside the chat, we messaged IT support members. We explained to them we lost our phone
at a party last night, the representative said. The hackers then requested a multi-factor authentication
token from EA IT support to gain access to EA's corporate network. The representative said this
was successful two times. Once inside EA's network, the hackers found a service for EA developers
for compiling games. They successfully logged in and created a virtual machine, giving them more
visibility into the network and then accessed one more service and downloaded game source code,
end quote.
Somewhat related to that.
At WWDC this week, Apple has demoed pass keys which would allow users to set up accounts
with just face ID or touch ID, thereby joining Microsoft and Google in advocating for
a passwordless future, quoting CNET.
To set up an account on a website or app using a pass key, you first choose a username for
the new account, then use face ID or touch ID to confirm that it's really you who's using the
device. You don't ever pick a password. Your device handles generation and storage of the pass key,
which ICloud keychain synchronizes across all your Apple devices. To use the pass key for
authentication later, you'll be prompted to confirm your username and verify yourself with
face ID or touch ID. Developers must update their login procedures to support pass keys,
but it's an adaptation of the existing web-awthon technology.
Because it's just a single tap to sign in, it's simultaneously easier, faster, and more secure
than almost all common forms of authentication today.
Garrett Davidson and Apple Authentication Experience Engineer said Wednesday at the company's
annual WWDC Developer Conference.
Pass keys are the latest example of growing interest in passwordless login technology.
That's designed to be more secure than the list of passwords you've taped to the side of
your monitor.
Conventional passwords are plagued with security shortcomings, chiefly our inability to create
and remember unique ones. That's why Apple, along with Microsoft, Google and other companies are working
to come up with alternatives. The single most common security vulnerability today is still bad passwords,
Jen Fitzpatrick, Senior Vice President of Core Systems at Google said at the Google I.O.
Developer Conference in May, quote, ultimately we're on a mission to create a password-free future,
end quote. The new Tesla Model S. Plaid is here, unveiled by Elon Musk at an event last night.
This is the high-performance version of Tesla's flagship sedan, and Musk hails it as the quickest production car ever made.
Quoting CNBC, Musk made his entrance on Thursday by driving a Model S-plad around the Tesla test track and onto the stage before stepping out to cheers of select customers and fans invited to the event.
Previously, Musk had promised the long-anticipated Tesla Model S-plad would deliver acceleration from zero to 60 miles per hour in under two seconds, and he crowed about breaking.
the two-second barrier repeatedly on Thursday. Musk said the new Model S would be, quote,
faster than Porsche, but safer than Volvo. But he also caveated some of his own sweeping
safety claims by noting that the NHTSA has not yet rated the Model S plaid for safety. We're in production
and going to deliver the first 25 cars now and then basically should be at several hundred cars
per week soon and 1,000 cars per week next quarter, Musk said. According to Tesla's website,
the Trimotor All-Wield Drive Model S Plaid produces 1,020 horsepower, features a battery with an
estimated EPA-rated range of up to 390 miles and can hit a top speed of 200 miles per hour
if equipped with the proper wheels and tires. Those won't be available until the fall,
according to the fine print on the site. The four-door sedan includes a steering yoke rather than a
traditional steering wheel, a 17-inch center touchscreen display, and separate 8-inch display in
the rear for passengers' entertainment, charging ports in the front and rear that can charge
laptops and other mobile devices, and processing power that the company says puts its systems
on par with modern gaming consoles like the PlayStation 5, end quote.
And again, somewhat related to that, just leaving this here, Apple has hired Ulrich Krantz,
who ran the development teams for the BMW I.M.W.
I-3 and I-8, and co-founded self-driving electric vehicle startup Canoe, quoting Bloomberg.
Krantz is one of Apple's most significant automotive hires, a clear sign that the iPhone maker is
determined to build a self-driving electric car to rival Tesla and other carmakers.
Krantz will report to Doug Field, who led development of Tesla's mass market Model 3,
and now runs Apple's car project, said the people who requested anonymity to discuss a private matter.
Following successful stints at BMW's mini-division and teams working on sports cars and SUVs,
Krantz was asked to run Project 1, a battery-powered vehicle skunkworks, started in 2008.
It yielded the all-electric I-3 compact and the plug-in hybrid I-8 sports car.
The former was panned by design critics and production was very limited on the latter.
Krantz left BMW in 2016 and soon became chief technology officer at Faraday Future,
an electric vehicle startup based in Los Angeles.
He stayed only three months before co-founding Canoe. Both firms have struggled with their technology and
ability to produce vehicles, while Canoe reportedly discussed selling itself to Apple and other companies.
Canoe went public in December after a reverse merger with a special purpose acquisition company or spec called Hennessy Capital Acquisition.
Canoe last month said it was being investigated by the U.S. Securities and Exchange Commission
becoming the third Clean Energy Auto Startup to disclose a federal probe in the last year.
Canoe plans to debut a minivan for less than $35,000 next year, end quote.
Time for the weekend long read suggestions.
First up, security expert Kevin Beaumont has a long piece up that basically makes this point
about our current situation with ransomware in double pulsar.
The point being, this ransomware threat is becoming overwhelming.
It is a battle with new rules, and it hasn't yet reached.
peak impact. Uh-oh. Quote, what we are seeing currently is a predictable crisis which hasn't yet
near peaked. I'm not sure people generally understand the situation yet. The turning circle to
taking action is large. With this post, I hope to lay out the reality and some harsh truths
people need to hear. I also want to state up front that I've seen some cybersecurity vendor
industry people beating themselves up about the situation. My take is this. Stop that. People have
done amazing work over the years on this subject. And,
incredible amounts of attacks are stopped due to said work. The reality is, however, the threat is
becoming overwhelming and, I believe, in existential crisis for the security industry, and so
their customers. We are stuck in a self-eating circle, and it's time to ask for help, end quote.
CNBC has another story about the entrepreneurial angle to all of this, even beyond the, you know,
actually becoming a hacker. Digital Mint is a full-service crypto broker that helps
victims pay ransoms to ransomware hackers. Quote, we're at the end of the process, says Mark
Grenz, co-founder and president of Digital Mint. We're the hired specialists after the forensic
consultants, the company, and stakeholders have all made the determination. They've exhausted all
their options and that paying the ransom from an economic perspective is the best way to move
forward. That's when they come to companies like us in order to help them acquire crypto at any
time of day or night, Grins told CNBC. In the space of 30 to 60 minutes from initial contact,
Digital Mint is able to make the ransomware payment for the victim. This includes vetting the hacker
to make sure they aren't tied to a U.S. sanctioned country and going on the open market,
order books, and exchanges to acquire the cryptocurrency needed to pay the ransom. The company says
that 90 to 95 percent of ransoms are paid in Bitcoin, but Monero is an increasingly popular option.
Minero is considered more of a privacy token and allows cybercriminals greater freedom from
some of the tracking tools and mechanisms that the Bitcoin blockchain brings.
Since January 2020, Digital Mint says it has facilitated more than $100 million in ransomware settlements
with a median payment of $800,000.
Last year, crypto ransomware payments overall more than quadrupled from 2019 levels to $350
million, according to chain analysis.
But Digital Mint told CNBC that figure is likely understated.
Grenz believes the true number is closer to $1 billion, end quote.
Next, if you listened to the debate Chris and I had on the Twitter space this week about
the historical context of putting apps on phones and how it was back in the days before the iPhone,
consider this piece by Dieter Bone in the Verge.
He argues that Apple is now the equivalent of those carriers back in the bad old days of carriers
dictating what could be done on their hardware. It's the return of the angry god of annual revenue per
user, quoting Dieter. Lots of people hate taxes, but they are meant to pay for valuable shared
infrastructure. But then again, maybe Apple already covered those costs by selling iPhones.
So the Apple tax is egregiously high. Or if you prefer, a different metaphor with legal overtones,
maybe it's rent-seeking. Something about calling Apple's cut a tax strikes me as a little over the top,
the 2021 equivalent of spelling Microsoft with a dollar sign in place of the S.
Carriers have forced pre-installed crapware on phones since the beginning of apps on phones
well before the iPhone.
Examples are too numerous to count, but I'm talking about more than just pre-installed
Candy Crush-style games.
Users have always been encouraged by the design of a phone and the restrictions placed on
the networks themselves to do things that make the carriers more money.
I admit it's not fair to say Apple is as bad today as the carriers were back in the day
when it comes to squeezing dollars out of users or developers,
nor is it fair to argue that Apple's forays into content with TV Plus
are the equivalent of AT&T's flailing efforts at merging a TV network with a cellular network.
It's not fair, but the tune sounds familiar because the parallels strike a chord,
and the bitter harmony that I hear is the stifling of innovation to maximize profit, end quote.
The Atlantic has a profile of Calm, the meditation app that is seemingly the leader
in the mindfulness app space, quote, it is a very modern success story and a somewhat paradoxical
one. Calm is a young San Francisco company selling a centuries old spiritual practice,
a smartphone app that purports to undo the anxieties of the smartphone age, and a venture-funded
startup that has managed to monetize sitting and doing nothing. Getting people to chill the
fuck out amid the thousands of crises racking our modern world is apparently worth billions.
Acton Smith and two seem to wear these contradictions lately.
For them, calm is a service. It is a tool, a way to shepherd people who might be intimidated by
meditation into the practice. It's also a brand, one that may soon have a toehold in everyday corners
of our anxious modern lives. But really, how much can an app do, end quote? And finally today,
one of my favorite types of pieces, as you're well aware, Twitch is turning 10 years old,
so Venture Beat looks back at the company that not only created a genre,
but also led the way for modern creative economy things like tipping, getting creators paid.
Quote, at any given moment, two and a half million people are tuning in to Twitch.
On average, Twitch gets 30 million daily visitors up dramatically from 17.5 million at the start of 2020 before the pandemic.
It turns out that people needed social contact during lockdown and the Twitch community watched over one trillion minutes in 2020, up from 600 billion minutes in 2019.
Now more people are doing what Graham did for much of his career.
Over 7 million unique creators are streaming every month.
I talked to him about the past decade on how Twitch has grown beyond games,
how people have created brand new careers that never existed before,
and how we are on the road to creating the leisure economy,
where everybody will one day get paid to play games.
Twitch has grown massively.
2020 had more than 86 times the viewership of 2011,
and every month in 2021 thus far has surpassed
any months in 2020 or prior. Behind these hours watched is a massive community of creators with over
26 million channels going live in 2020 alone, end quote. So that's all for this week. No bonus content
of any kind on any feed this weekend, taking a summer weekend off to enjoy the start of the euros.
But we've got another Right Home Plus exclusive coming next weekend and another regular interview bonus episode
coming at some point this month. Speaking of the Euros in my reading and podcast listening this week
to prep and get hype for the tournament, really my favorite tournament, a little bit more than
even the World Cup. This morning I learned about iron brew, or I guess probably and forgive me
Scottish folks, iron brew, which is apparently an orange soft drink that has been popular in
Scotland for about a hundred years. As iconic as whiskey and as famous as haggis, Scotland's other
national drink, according to the Scotsman. How is it that I am today years old and I just learned
that iron brew exists? I've got a three-pack being delivered by Amazon tomorrow. We'll let you know
how it tastes. Talk to you on Monday.
