This week on the podcast, we discuss the US government's push to investigate the risks that TP-Link network devices introduce to national security. Before that, we give an update on the NPD data breach from last week as well as the threat actor behind it. We also discuss an ongoing cyber incident at the Port of Seattle.
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 security simplified. I'm your host, Marc Laliberte, and joining me today is Corey
Corey Nachreiner 0:07
Grady secured, Nachreiner. Grade A trust. Mark your
Marc Laliberte 0:13
trust. Mark of cyber. On today's episode, we will be discussing why we may need the US Cyber Trust Mark labeling sooner rather than later, or risk having an entire manufacturer's range of devices banned. Before that, we'll cover a security incident back home. Well, I still call it home for Corey and me, in Seattle. We'll give an update on the NPD data breach from last week, and we'll give an update on the threat actor behind that breach. With that, let's go ahead and trust our way in, not stupid mark, our way in a label, our way in, whatever. Let's just start.
So let's start this week with an update to one of last week's stories. If you remember, last week, we chatted about the National Public Data breach, which caused hundreds of millions of social security numbers to become national public data, freely available for anyone,
Corey Nachreiner 1:20
billions of records so that we talked about how most of them are probably duplicate with additional information or something. Yeah.
Marc Laliberte 1:27
So shortly after recording that episode, cybersecurity journalist Brian Krebs published a blog post with some more information about the breach and some details about another breach involving a sister site called recordscheck.net. So first off, a couple tidbits from Krebs. He pointed out that, despite the 2.whatever billion records, there were, in fact, 272 million individuals affected with their social security numbers being leaked, including quite a few deceased people. That doesn't mean 272 million currently living folks, but still a massive number.
Corey Nachreiner 2:04
Listen, before, kind of, we did a little bit of math: 333 million, approximately, people in the US. I think the Equifax thing said it lost 146 or 147 million social security numbers. This one's obviously bigger. I think it's mostly because of deceased. I assume the only thing missing of the 333 million Americans is they probably don't have, you know, I assume 40% of those are kids under 18 in the US population. And not that they don't have social security numbers, but they don't have credit history that might leak them. Yeah.
Marc Laliberte 2:41
And in theory, this is anyone that's ever had a well, even more than just had a background check. Is, in theory, this is their database of information they use to do the background checks too, potentially, yeah. So
Corey Nachreiner 2:50
it could even be maybe not even loan or credit, but going in for significant healthcare or something. I think unfortunately, healthcare is one of the organizations that repeatedly ask you for your social security number. Yeah, but yeah, I think that's the one other place you might get extra people that are not credit or money related. But
Marc Laliberte 3:13
so he also shed some light on what I think might be a it's not exactly how the breach occurred, but there's some additional info in here that gives them, gives us some ideas about how it could have potentially occurred. So yeah, the second breach and
Corey Nachreiner 3:28
show how great the security was of the company assuming these, these theories work out. So the second
Marc Laliberte 3:38
exactly, involving a sister site called recordscheck.net, which he noted is basically like a mirror. It looks just the same, and the login is almost identical as well. They found an archive on that site at an undisclosed location called members.zip, which included the source code and plain text administrative credentials for the website. The source code indicates a few interesting things. So RecordsCheck users are all initially assigned the same six character password, and they are not forced to change it, though they do have the option to. The admin credentials were identical to credentials exposed in a previous data breach involving NPD's founder Sal Verini, and the source code also indicated that this website was developed by a contractor in Lahore, Pakistan called creationnext.com, whose website has a prominent testimonial from Sal themselves. So a couple things to unpack in there. First off, all users being initialized with the same six character password is Bad News Bears. Yeah, that's insane in my mind. Like,
Corey Nachreiner 4:55
I don't think you should ever do it, but if you are going to do it, it shouldn't be that you're given the same password as everyone and asked to change it. The only time I think it would be okay to have a hard coded first password is if the user is required, like programmatically required, to change it on the first login, and even then, it's a dumb idea, because if someone gets the account before you, they can change your password knowing this. So it'd definitely be ideal if it wasn't the same six characters for every user to start, but at least force the change.
Marc Laliberte 5:30
six characters. First off is just like, that's stupid. Yeah.
Corey Nachreiner 5:35
And then brute forced in, uh, less than an hour,
Marc Laliberte 5:39
less than a minute, I imagine, and second, like I recognize, this site probably wasn't made in 2024 but it is 2024 and we have mechanisms to randomly generate passwords now, and like any library under the sun that you would need, so
Corey Nachreiner 5:56
starting with reset mechanisms that don't even require an initial password, that you can start right into a password reset that gives the user a way to make a unique password immediately, or,
Marc Laliberte 6:07
I don't know, here's a wild thought. Maybe for the account creation form, it's got a field that says, enter in a password for your account. Wouldn't that be interesting? So that's item number one. I'll turn the sass down a little bit for the second one, but I like the, the admin credentials that were exposed in a previous breach, meaning they were likely reused with other accounts too, and this being associated with the owner, who also is the owner of the website that lost 272 million social security numbers. I'm willing to guess there's at least a high probability that they were reusing admin credentials all over the place, and they got breached several years ago, ended up on the dark web, and Mr. USDoD was able to just log straight in and download everything off the site like that. Sounds like the, the, what I would have done if I were in the attacker's shoes.
Corey Nachreiner 6:59
Yep. So I'm curious what, how many characters was that? It'd be nice to know how many characters the admin's reused password was. Hopefully that at least is more than six. Probably somehow it
Marc Laliberte 7:14
went for high security on that one. It's a I'm gonna hop back up on the soapbox again. So despite the fact that we should not be using social security numbers as a like authenticator in order to sign up for credit or go to the hospital or whatever, we do currently use that, and it really feels like we need some like nothing's gonna happen to this guy, like he might get they're getting sued by their customers, but there's not going to be any like regulatory action against them for leaking hundreds of millions of social security numbers. Doesn't we really need some sort of, like privacy protection and, like data safeguarding protections in the United States,
Corey Nachreiner 7:55
GDPR that's federal? Yeah, yeah. We definitely need a GDPR that's federal. I mean, as much as we're a company that I will have to say it's sometimes a pain in the butt when you're in another country than Europe, having to follow GDPR in certain ways, because they don't necessarily make it easy even to do the right thing. But I You can see it's definitely working for Europe to help regulate and put teeth behind making companies protect this information for you. And other than the CCPA, you know the California one, which, at least we do have enough cross business across US states that many people have to pay attention to that, I agree with you. We predicted a federal version of GDPR many years ago, and I'm surprised they still don't have it, by the way. I did want to follow up. I mean, this was in the last thing. So we won't spend more than a minute, but just for practical tips for users, you can find out at various sites you might see on the screen if you're watching YouTube, whether or not your data is in this it very likely is, if you're an adult in the United States. In fact, I almost guarantee it. I don't think it's much change from the Equifax situation. But if you followed that long ago, and you're like me and Marc, you'll remember that we freeze our credit all the time. You know all you unfortunately, you really mostly just need addresses, phone numbers, emails and a social security number to create identity in some places, so and potentially open up a line of credit if it's not in person. So be sure to have a credit freeze if you're worried about it. It's the best way to protect yourself against this until the government gets its head out of its place. It shouldn't be and actually passes a federal privacy law that puts some teeth into people that make things too easy and lose all our data
Marc Laliberte 9:48
the sites that Corey was showing, it's npdbreach.com and npd.pentester.com. I will say the first one weirds me out a little bit, that one of the ways to check if your information was leaked is to enter in your social security number,
Corey Nachreiner 10:03
yeah, the social, the email. I'm bad enough with the email, although that's at least public and leaked to you, but I always feel weird even sharing Have I Been Pwned, because I'm telling people to enter something like their name, and sometimes they want even, even the NPD Pentester one, they're trying to at least make sure they're only giving the information to that real person. So besides your name, they do ask for your birth date. But I just think that's not the last, for the last four of the social too. Not the full thing, though. Yeah.
Marc Laliberte 10:39
I mean, the reality is, even
Corey Nachreiner 10:41
the thing is, it's late. It seems awkward, but the data, like you and I could go download this off a torrent right now, if we wanted to. It's, it's, it's too late for that piece of information. Anyways, if you think about it, it's already gone. So might as well enter it in one more site if they're going to check for you.
Marc Laliberte 10:59
Might as well. So moving on though to a related story. So if you remember, this breach was caused by an individual going by the name of USDoD. They've sometimes also been called EquationCorp. They were also the hacker behind the FBI InfraGard breach back in the 2022 timeframe. Well, on July 29 of this year, USDoD, the user, not the government agency, published a 53 megabyte file containing 103,000 lines of information they claimed was from CrowdStrike's internal threat intelligence platform. They claimed to have scraped the entire 250 million record collection from CrowdStrike's portal. CrowdStrike, by the way, did say this is not a breach. This is public intel data available to our tens of thousands of customers, blah, blah, blah. Well, it does seem to have ticked off CrowdStrike, because now they've turned around and doxxed USDoD, meaning they found their identity and gave it to local law enforcement. We know this because USDoD released a statement basically saying, hats off to CrowdStrike. They found me out, and he, like, it was this whole paragraph, which we'll show on the screen, but it's actually kind of interesting. Like, they seem to have at least a little bit of remorse. They don't have delusions that they were going to remain undetected for the rest of their life, and they're basically kind of giving up. Like he said, I won't run. I'm in Brazil, the same city where I was born. I am a huge valuable target, and maybe I will talk soon to whoever is in charge, but everyone knows that I'm behind USDoD. I'm human like anyone else. To be honest, I wanted this to happen. I can't live with multiple lives, and it's time to take responsibility for every action of mine and pay the price. Doesn't matter how much it'll cost me. It's interesting. I can't remember the last time I've seen a confession by, like, well, like a high profile hacker or data leaker like this.
Corey Nachreiner 13:03
It's hard to get it because I'm trying to find like he also ends, by the way, I'll see you around. Don't worry, Brazilian authorities, I'm coming to meet you. And he says something like, I'm not a threat. I'm I can do much for my country. It's almost like he wants to be caught so he can be turned to doing government work that he couldn't have just applied for. I don't know it's weird. I wonder. I mean, we all have our quirks and mental illness, but it's like, it's like he was doing it against his own will, type of thing. You can just not help himself. He didn't consider it malicious. I don't know, it's definitely unique Marc. You're right about that. I don't want to
Marc Laliberte 13:45
say it's a legitimate career path, but there is a career path some folks have taken where they do a crime, get thrown in prison with a sweetheart deal for three, four years, and then go found a cybersecurity company and make millions for sure or get
Corey Nachreiner 13:58
hired. I mean, Sabu. I forget his real name. I think he's a Floridian, but he is one of the people that was part of LulzSec, and he was the first person that the FBI caught, but then they basically turned into an informant, and he continued quote, unquote hacking, but really informing on people. It's definitely in reality and in movies, you see authorities catch criminals and sometimes use them for good instead to throw them straight in jail. But I don't know, it just seems it's definitely interesting and weird.
Marc Laliberte 14:33
Yeah, it was super interesting. So it is an individual in Brazil named Luang Ji. They redacted his last name, but I imagine because Brazil has extradition treaties with the US and this guy ticked off enough people, including the FBI themselves, this won't be the end of the story for them, and they most likely will be having a discussion with the authorities at some time soon. But I thought it was interesting that, like, in his little confession, he basically said CrowdStrike doxxed me, other people found out first. I think he pointed to Intel 471 as another organization
Corey Nachreiner 15:09
in regard something without the list, I think too he mentioned, but there
Marc Laliberte 15:14
seems to have been a trend lately of private organizations like CrowdStrike and others outing the identities of cyber criminals. There was a talk that I think you were there too, Corey, the very first talk at DEF CON this year, with Jon DiMaggio. Were you at that one? The Ransomware Diaries guy? Yeah, talking
Corey Nachreiner 15:35
about LockBit and his French, his friendship, slash whatever, with, over time, with the LockBit creator,
Marc Laliberte 15:43
if you guys aren't familiar with Jon DiMaggio, he's the author of The Ransomware Diaries, which is a fantastic read of basically him infiltrating LockBit and all of LockBit's affiliates to try and figure out the identity of this guy. And it's a story of him building an actual relationship with the person over time.
Corey Nachreiner 16:02
I think he even alluded to while he couldn't always get there for it, but he the type of boards and the type of places you have to go nowadays to get to that level of criminal. They don't just let you on anonymously or let you pay to join. They ask you to do some crimes. And I think even in one of his talks, he's like, you know, he tried to prove some hacks, but he wasn't able to actually, at some point, he realized he didn't want to actually do the ethical things he had. But it's, it was a very deep infiltration that actually required that he really act like a somewhat gray malicious person just to get accepted, and likely had to do a few things, maybe right on the edge of horrible. But
Marc Laliberte 16:47
spoiler alert, he was able to ultimately find the identity of the LockBit ransomware operator, the author, and it was around, excuse me, around the same time the FBI was able to get their identity, and basically the FBI released their indictment, and then Jon DiMaggio published, like, a 30 something page dox of everything about this dude online, like that.
Corey Nachreiner 17:09
Next, yeah, Jon, pretty much. I felt like he had everything, but he was trying to dot his i's and cross his t's. And when he learned about the FBI coming out, he just, he wanted to show that he had already done all the information. I figured it out too, so I had to rush, yeah.
Marc Laliberte 17:24
Anyways, crazy story. I think media.defcon.org should have the recording of it, and it was probably my favorite talk I went to at DEF CON, just because it was so engaging. He's a very good storyteller. He is a fun storyteller, for sure, but another example of a private citizen, in this case, doxing a threat actor. Is it like I always would have expected this to come from law enforcement, but it seems like private companies and private citizens may be better placed or have less like red tape preventing them from being able to find these identities. It's interesting. I
Corey Nachreiner 18:01
don't know. I feel like, at the very least, US needs some sort of case that's active before they start looking whereas people that are floating around on the underground can do whatever they want. I don't know you're befriend. It is interesting. I think the government and intelligence agencies are good at cybersecurity and are getting better. But I used to think I like all the new action and research actually comes from private business more than them. So not overly surprised. It's businesses and individuals red tape. There's less hands behind your back. You know, law enforcement has to have probable cause and all kinds of things to start, whereas a hobbyist or a company can just look into what they want to look into, as long as they're not breaking the law. Or some of them do
Marc Laliberte 18:50
what the FBI has been saying too, with they want to try and leverage their private partnerships as much as they can, because in some cases, companies like Microsoft and others are better positioned to take out just see
Corey Nachreiner 19:03
everything from all the endpoints. Yeah,
Marc Laliberte 19:05
exactly. The US government likes to pretend they aren't watching everything we do online, and so they work with private
Corey Nachreiner 19:13
companies they see, yeah. I'm definitely interested to see what happens and we hear more about what his motive was for originally doing this, because he doesn't, I don't know if he's made money from any of these leaks. Like LockBit, at least, was like, that guy was not a good guy. That was a, a criminal that knew what he was doing was crime, that was stealing, stealing tens, tens of millions from many companies and people, and I guess even Robin Hood-y. I mean, LockBit, part of the things that Jon hated about the LockBit guy was he went after children's hospitals and healthcare. So that was a true criminal. This guy has done leaks, but I can't, like, all of his stuff seems to be more attention getting than crime, so I would just love to figure out what his motive was, and if he just couldn't help himself. He's like back in the 80s, before there was much pursuing of the Computer Fraud and Abuse Act, like a lot of early hackers started out by exploring systems, not maliciously, but definitely getting into things they shouldn't. I wonder if that was, in part, his motivation, but he lives in a world where it's actually prosecuted now,
Marc Laliberte 20:26
yeah, I'm sure that will come out in the inevitable court case. So
Corey Nachreiner 20:31
although I did read one thing in the article, while you mentioned that Brazil does have partnership with the US to extradite, apparently, they don't extradite their own citizens. Very often they'll extradite, like, I don't know, Russian or other citizens that come to their country, to the US, but there was a little blurb about that. Sometimes they don't extradite their own citizens. So we'll see in that
Marc Laliberte 20:55
case, they do, at least still charge them locally. So even if it isn't the US DOJ leading it, maybe, I don't know. Would you rather go through the US as court systems or Brazil's court systems? Corey, I
Corey Nachreiner 21:04
honestly don't know in this case, I mean, Brazil seems pretty although Brazil's recovering from that craziness with their politicians, but yes, you make a good point. Part of me would say the US at least. I know it will try to follow rules, but lately that doesn't always seem to be the case.
Marc Laliberte 21:23
That is correct. All right. Moving on, there's a pretty topical story that hits a bit close to
Corey Nachreiner 21:30
home for us. Yeah, they may not be for all of our listeners, but this is a local one for us, and still evolving,
Marc Laliberte 21:36
where, over the weekend, the Port of Seattle, which is responsible for like maritime operations in Seattle, as well as the SeaTac International Airport suffered a cyber attack which disrupted nearly all of their services. Their baggage sorting was basically non existent. Arrival and departure screens were totally blank. The shared check in kiosks were down. The airport's mobile app was down, and the maritime phone lines and emails were all down as well, too. I saw a tweet from like Alaska Airlines over the weekend, basically saying, do not check a bag in Seattle or you won't get it. It adds as the time of this recording, early Monday morning, the systems are still down. They had a press conference on Sunday saying they detected unauthorized activity on their system Saturday morning and are working with outside experts to investigate and respond. This all sounds like they got nailed with a ransomware attack, or they saw something else and then yanked the plug in response or both.
Corey Nachreiner 22:36
Yeah, unfortunately, they're still in the investigate state, even, I guess this would be the third day later, considering it happened at like 9am Sunday, or, I'm sorry, Saturday, but they haven't said what. But, I mean, the immediate assumption is ransomware. It could be wrong, but, I mean, why else would many, many systems go down? That said, it feels targeted. Like, I don't know enough about airports to know this, but even though there's different airlines, does the airport itself have its own systems that take care of internal baggage handling? For instance, you know, the machines around it? Yes, Delta, United, all of them have different tags or whatever. But is it generally the same system for the airport? Because this isn't all airports, so it seems like it's not targeting a particular airline. This is just SeaTac, so it's interesting that it seems to be affecting systems that are SeaTac's, SeaTac's directly, and it's not affecting other airlines or other airports necessarily, just SeaTac. The
Marc Laliberte 23:44
baggage system is theirs, and apparently international flight check in is theirs as well, too. They were saying all airlines were having to manually enter information for international flights too. So that sounds like another shared system, like the reason, even though maritime
Corey Nachreiner 23:58
facility phone systems were down. So maybe this really, truly, well, I think the news on Saturday came out very SeaTac focused. Maybe it is actually Port of Seattle focused, because it happens that those SeaTac systems are part of the same network as some of the maritime stuff. If the phone systems for the maritime faculties are down as well facilities, I should say. But
Marc Laliberte 24:22
even though this is strictly Seattle, it's, I think, an interesting example of how disruptive a cyber attack against one of these, like central authorities in transportation, could be like, no doubt, you don't know what it is. Sounds like a ransomware attack, but imagine, you know, let's say next year, God forbid, like China decides they want to take over a tiny island off their coast, and it triggers a war, and all they would have to do is disrupt like airports to cause chaos in the United States. Like crazy. Yeah, I
Corey Nachreiner 24:53
could. I could get even more dystopian. Imagine some, you know, adversarial country literally sends a bomb our way that's going to affect tens of thousands. But meanwhile, there's a cyber attack on trains and gas stations. You know, they're thinking everyone in those cities will want to get out right before the bomb is launching intercontinentally. And then all those systems go, yeah, it's, it's funny. Normal day. It's bad enough on a normal day to just have three days of not being able to fly out very easily. I feel bad. I'm glad you weren't in Seattle this week, Marc. But imagine if they time it with other situations. It's, it's definitely scary stuff. It's stuff that we should pay attention to, and whoever is behind it, if it is a person, should, should pay for it. Well, good
Marc Laliberte 25:45
news that, you know, international relations around the world is are cooling down and not heating up, right?
Corey Nachreiner 25:52
Yeah, good thing. There's no wars that are just popping up out of nowhere, and that we all have our politics in order. There's no polarization in the world, and we all just get along.
Marc Laliberte 26:05
Well, how about instead of heading on a doom and
Corey Nachreiner 26:09
gloom one, we should do one more. Let's do
Marc Laliberte 26:12
truly hating on another, another country and their their IT equipment. How does that? Oh,
Corey Nachreiner 26:19
yeah, I guess this one is that direction now that we also killed Port of Seattle. What's next? The last story, so
Marc Laliberte 26:28
a couple weeks ago, the two ranking representatives on the US House Select Committee on the Strategic Competition between the US and the Chinese Communist Party. Pause, holy crap. That is quite a mouthful of a committee name. The US House,
Corey Nachreiner 26:46
the doc, anyway, that you got this from isn't any easier, Marc, too. It's quite a dense letter. But anyway, keep going.
Marc Laliberte 26:53
So the two ranking members on this committee wrote a letter to the Department of Commerce in the US pleading for an investigation into the Chinese network equipment manufacturer TP-Link. There are a few, like, hot takes in here that I want to read. So there's one quote, it says: open source information indicates that the company may represent a serious threat to US ICT security. An increasing number of outside researchers and analysts have identified specific concerns about the risks posed by TP-Link, and TP-Link's unusual degree of vulnerabilities and required compliance with the People's Republic of, what is it? PRC, Chinese communist
Corey Nachreiner 27:32
Republic of China, yeah,
Marc Laliberte 27:35
are in and of themselves disconcerting. Basically, they're saying huge amount of risks. These routers are being sold in, like, US military installations, under the exchanges, and they're pleading for the Department of Commerce to effectively investigate and most likely ban these devices. Well,
Corey Nachreiner 27:53
they're very popular. I mean, they're extremely popular. TP, I have, as I've pointed out, just to remind everyone, TP-Link has had some big vulnerabilities. It showed up in our news recently, and other vendors. But in our last Internet Security Report, we talked about a, not the Mirai, they spelled it miori, a variant of the Mirai bot called miori, and it was actually exploiting a previous TP-Link gaming vulnerability that was, I think it's a, it's of their wireless router, and has a CVSS of 10, so a very horrible flaw that was quite easy to exploit. And just like VPNFilter, Cyclops Blink, we've seen nation state actors start to leverage these, you know, router vulnerabilities to attack in botnets in other countries. In this case, that TP-Link router firmware, similar to what we found in our report, was being compromised and a backdoor was being put on it to create a botnet in the EU. Multiple other botnets were exploding because of this TP-Link issue, so we saw it in our own report data. So I'm not particularly surprised, and anyone with any router equipment should be worried about this. But I guess the meat of this we ought to talk about, Marc, is this. I think what makes it weird, and what made it weird for Huawei too, and even with all the bans, is, I think we worry about the People's Republic of China because we know their government owns businesses there. The government can go in at any time and do things. They don't have the same, you know, declaration of independence with, with freedom between state and business that we have. So the question is, is TP-Link just a crappy, inexpensive company that's not paying much attention to security, and these are just vulnerabilities that are popping up and being exploited, or, as what the senators seem to be worried about, is this the PRC purposely making these TP-Link devices vulnerable for use in situations like this, as Russian strangers have done too? Tinfoil
Marc Laliberte 30:16
hat territory for that, but that seems to be what they're trying to, what they're alluding
Corey Nachreiner 30:22
to, for sure, and I'm, I, it's hard for me to go. I like, I want to have protection. I want to have some sort of government, even western, US, protection against systems that are overly vulnerable and prove negligence over and over again. But I don't know where you start this dangerous slippery slope of just banning entire devices from another country because, like, like the letter says, they do have information that it could be associated with the PRC. I wish we knew some of that information, because is this a DJI ban? Because there really is a threat from DJI that they're actually trying to map the world through their drones. I bring up DJI because that's a ban that affects me personally. Or is this, you know, just a company that doesn't care too much about security because it makes cheap devices that just happen to have a lot of vulnerabilities? It's hard to say,
Marc Laliberte 31:24
for better or worse, like, like you just pointed out, there is now recent precedent for all of us, like Kaspersky, DJI, Huawei, a few years ago, like the US, Department of Commerce and just the government in general, seems to be handing out these bans against technologies pretty rapidly now, way more than
Corey Nachreiner 31:43
TikTok. And that's why I, on one hand, if they know things and they really are trying to protect us from a known thing, with evidence, I can be understanding, but my, my slippery slope warning is, I feel like this just becomes a new cold war, where China and Russia are now going to ban Cisco and ban, I don't know how you ban Microsoft, but you know what I mean, we'll pick certain US companies. And honestly, is Facebook all that much better than TikTok? On one hand, I might argue that, yes, it takes a little more for the US government to get that data on citizens from Facebook, you would hope. On the flip side, there's still a corporation that's invading our privacy on purpose for their own best interests. So I, if, if the Chinese government is booby trapping products from their, their nation and sending it to us, we need to know and we need to protect against it. But it's hard to say without seeing the actual evidence, and most of the evidence we see could just as easily just be a, I've seen the same level of CVSS 10 vulnerability from US organizations that haven't put focus on security. So it's hard to say. I'm very pro US and anti China government.
Marc Laliberte 32:59
I think that's where I aligned. I align as well. Like, I firmly believe that the US government is probably doing exactly everything that it's accusing China of doing. Like, especially overseas, I bet we use a lot of our products and services as intelligence sources. I
Corey Nachreiner 33:17
feel like we, there's even this case where maybe Cisco wasn't doing it, but the CIA literally intercepted Cisco devices in transit and backdoored them before they reached a foreign country. So I, I know that was a one-time situation. It's not like all the products are backdoored. It was a, but, yeah, we, we've done similar things before, espionage.
Marc Laliberte 33:40
The NSA has an extremely high-profile backdoor in Microsoft Windows that's re-releasing in October, called Recall. Oh, yeah, so, exactly so. But you know, maybe this is just bordering on, like, I don't know, American exceptionalism, but I do at least somewhat trust my country, or at least I know, even if I disagree with my government, they are generally aligned with my own best interests. Yeah, that's the macro level.
Corey Nachreiner 34:09
I can't just, I can't just let it, like I can't just ignore this either, you know. I'm hoping they have something there to prove why they're doing this, but I, and like you say, I trust them more. We do actually have more freedoms, and we could actually speak out against our government without going to jail
Marc Laliberte 34:29
if they do end up banning TP-Link devices beyond network equipment too. I am personally screwed, because every single light switch in my house, and like 20 of my plugs, are TP-Link smart devices to control everything, and that's going to be a nightmare. They
Corey Nachreiner 34:47
make gaming routers pretty good,
Marc Laliberte 34:51
yeah, and they're cheap, which is why I got them. Yeah, who knows? Maybe I've allowed a, you know, caught. University party botnet into my house.
Corey Nachreiner 35:02
I wish that the government was, I know they always have to protect sources. I wish there were some way they could share the evidence. Like, I think we all want to support our intelligence agencies and governments if they really are going after countries that are undemocratic, that, you know, that don't even give their own citizens freedom, and especially ones that seem to be using technology to target other countries. I think we want to know that, and we want to support, you know, the democratic countries around the world that are trying to protect freedom and privacy and your right against buying backdoored equipment. It's just, it's hard. I don't want to ever become, I'm not a fan of the Chinese government, but I'm a fan of China and Chinese people. And so we need to find a way to not just ban things because of a potential and because of mistrust, and maybe even as a weapon when we're trying to negotiate things. We need to, we need to have a little better proof that it really is because of a government connection of some sort. I don't know how they share that without sharing their sources, but I wish they could. Well, one
Marc Laliberte 36:14
last hot take, actually. So that was two years ago now, the White House released the National Cybersecurity Strategy. One of their stated goals is to improve overall security resilience across the United States. Yeah, maybe banning hyper devices like this is that?
Corey Nachreiner 36:30
Yeah, this helps that for sure, exactly. But another way to do it, if they're not, the ban, to me, feels like they're saying the government is doing something wrong. Another way you could do that is allow these devices to come out, but have some sort of, like we used to talk about, FDA security grade. I say Food and Drug Administration, like, instead of a calorie grade, you have a security grade. And I'd be much better with them letting DJI and TP-Link exist, but with F's, like a big, solid F on the packaging saying this thing is full of potential vulnerabilities, because then that at least talks about, you know, they're trying to do something to improve infrastructure. I don't know. I don't know. It's interesting. We'll see what happens
Marc Laliberte 37:15
the US Cyber Trust Mark is, I think, just finishing up, getting close to the, what do they call it? Like the notice of proposed rulemaking and comment period. And so that is coming soon. They even have a fancy little logo for it, where, sometime soon, your IoT devices may have a trust mark that you can scan the QR code and understand the security impact. That's it. My parents will never do that, and the average citizen will never do that. They won't pay attention like this. I don't think so. That's asking too much.
Corey Nachreiner 37:48
I'm a calorie counter now, so I look at them all the time on food, but I guess I am actually, when I talk to calorie counting to anyone else or like away. So you're probably right.
Marc Laliberte 37:59
You're a nerd, and so you are the target audience for this, but the everyday citizen is not, but it's coming. It is,
Corey Nachreiner 38:06
I don't know, there is, there is stuff that, remember when they showed pictures of lungs on cigarettes? It did. It didn't stop the people that were definitely going to do it, but it did have enough people notice that smoking did go down. So I don't know if you play something really big. I agree with you, if someone just went cheap and easy, they may still ignore it, but who knows. Who knows? What's the, see like, hopefully, but I don't
Marc Laliberte 38:31
what's the cyber equivalent of like an abscess and a lung that they put that picture on top of the cigarette carton?
Corey Nachreiner 38:39
I don't know, a hole into your, I don't, because I, maybe I get what you're saying. You have a living room with someone obviously spying through your TV or something,
Marc Laliberte 38:50
we're gonna require, like, all TP-Link devices to have, like, a wrapper with just some, like, grotesque security event on the front of it, like, yeah,
Corey Nachreiner 38:58
anyway, disgusting sextortion. People might be spying on you. Be careful, man, your bank account may be drained. Be careful.
Marc Laliberte 39:09
It definitely is if you are, if you don't have your credit frozen, thanks to Mr. USDoD leaking everything. All right, fun week on that happy mark, yeah, keep an eye out for the US Cyber Trust Mark for all the good it will do. Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, you can rate, please rate, review and subscribe. You can, you should absolutely do it now. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on Instagram. We're at WatchGuard underscore technologies. Also, if you have any recommendations for other social media platforms, please, because, has
Corey Nachreiner 39:49
anything taken off? Is anyone using threads? I don't think so. Mastodon, maybe
Marc Laliberte 39:55
we're now like 60 seconds, you can go
Corey Nachreiner 39:57
crawling back to X and beg for your blue verification check mark,
Marc Laliberte 40:02
I am on my phone. Yes. Anyways, is anyone even still listening at this point? If so, reach out to us on WatchGuard underscore technologies, and you will get a Chris pi five. Thanks again for listening, and you will hear from us next week.