
    SN 957: The Protected Audience API - Hacked Washing Machine, Quantum Crypto Troubles

    January 16, 2024

    Podcast Summary

    • Ensuring secure access to Okta-protected apps through device security checks. Kolide secures access to Okta-protected apps by checking device trust before granting access, including for unmanaged and untrusted devices such as Linux fleets, contractor devices, and BYOD phones and laptops.

      The security of your organization's data is only as strong as the devices accessing it. While many companies focus on user authentication, they often overlook the security of the devices themselves. Unmanaged and untrusted devices can bypass security checks and put your organization at risk. Kolide, a new solution, ensures that only devices that pass your security checks can access Okta-protected apps, including devices without MDM such as Linux fleets, contractor devices, and BYOD phones and laptops. By addressing the device trust problem, Kolide helps protect your organization from potential threats. Separately, Google's recent developments in advertising technology are changing the way web browser users receive targeted ads, and these changes could have significant implications for privacy and security. Stay tuned for more insights on these topics from Steve Gibson on Security Now.

    • Google's Browser Shift: From HTML Renderer to Ad Auctioning Server. Google's browser now operates as an ad auctioning server, with significant implications for the digital world, browser monoculture, and privacy.

      Google has made a significant shift in how its browser operates, turning it from an HTML renderer into an ad auctioning server. This change, which has been active since July 2022, is astonishingly huge and has major implications for the digital world. Google's move is the only way for the company to deliver what it wants and what users demand, but it also raises concerns about monoculture and privacy. Despite these concerns, Tim Berners-Lee is actively working on the new Wide Web Consortium. This seminal podcast will help listeners understand the full impact of this change and why it matters. If you're concerned about data security and the challenges of hybrid work, consider using Lookout to gain complete visibility into all your data and minimize risks from external and internal threats. By seamlessly securing hybrid work, Lookout allows your organization to maintain productivity, employee happiness, and security.

    • Cybersecurity in the Age of IoT: Balancing Innovation and Security. Cybersecurity is essential in today's interconnected world, where neglecting it can lead to unexpected consequences. IoT devices, including seemingly innocuous appliances, can pose significant risks if not properly secured. Understanding context and network traffic data is crucial in identifying potential threats.

      Cybersecurity is crucial in today's interconnected world, and neglecting it can lead to unexpected consequences. Lookout's unified platform can help simplify IT complexity and safeguard data, allowing organizations to focus on innovation rather than constant security concerns. An intriguing example of irony was shared during the discussion – a "Please do not touch" sign in braille. This seemingly contradictory message highlights the importance of considering all perspectives and potential users in our designs. IoT devices, including appliances like washing machines, can also fall victim to cyberattacks. In one instance, a listener's LG washing machine was found to be using excessive data, suggesting it had been taken over and was being used to upload large amounts of data. This serves as a reminder that even seemingly innocuous devices can pose significant risks if not properly secured. When interpreting network traffic data, it's essential to understand the context and direction of the traffic. In the case of the washing machine, the labels on the traffic flow suggested that it was uploading large amounts of data, potentially making it part of a botnet. Overall, these examples underscore the importance of maintaining a strong cybersecurity posture and being aware of the potential risks, especially in the era of IoT and hybrid work environments.

    • IoT devices like washing machines pose security risks. Be aware of the potential risks from IoT devices, and consider segregating them on a separate network or disconnecting them entirely to minimize security vulnerabilities.

      The Internet of Things (IoT) devices, like a compromised LG washing machine, can pose significant security risks to consumers. The washing machine, connected to the Internet for convenience, was found to have been compromised, potentially leading to unwanted Internet traffic and even access to the residential network. However, most consumers are not monitoring their local network's traffic and may not be aware of such intrusions. The only solution could be to disconnect the device from the Internet, but the question remains, is it necessary for washing machines to be connected in the first place? The convenience of remote control and notifications might come at a high price, including potential security vulnerabilities. Therefore, it's recommended to consider sequestering IoT devices on a separate guest LAN or not connecting them at all. Additionally, even seemingly secure services can still be vulnerable to DDoS attacks. Ultimately, it's crucial for consumers to be aware of the potential risks and take necessary precautions to protect their networks.

    • Severe DDoS attack causes widespread downtime. Reliable services can be affected by large-scale DDoS attacks, and proper emergency planning and account management during mergers and acquisitions are crucial.

      Even the most reliable services can be brought down by unexpected and powerful attacks. SourceHut, a service known for its reliability, experienced a severe and prolonged outage due to a distributed denial of service (DDoS) attack. The attack was unusual in its scale and resources, which exceeded SourceHut's ability to mitigate on its own. The primary data center was affected, and SourceHut was unable to reach its servers because of an oversight in account migration during a supplier acquisition. The incident caused collateral damage, including downtime for Hacker News and for Codeberg, a nonprofit free software forge. This incident highlights the importance of thorough emergency planning and the potential consequences of oversights in account management during mergers and acquisitions.

    • Unexpected sources of DDoS attacks. DDoS attacks can originate from unexpected sources, causing disruptions and potential harm. Major carriers respond by blocking traffic, but careful monitoring is necessary to lift the block once the attack subsides. Quantum crypto faces significant challenges, but solutions like Bitwarden exist for secure password storage.

      DDoS attacks are a serious threat on the internet, and they can originate from unexpected sources like an LG smart washing machine. These attacks can cause significant consequences for individuals and organizations, leading to disrupted services and potential harm. Major carriers like Cogent respond to these attacks by null routing, which means discarding any packets attempting to enter their network bound for the IP under attack. However, this action also blocks all traffic to that service, making it essential for service providers to carefully monitor and lift the block once the attack subsides. The challenge of creating and maintaining a truly secure networking device continues to grow as more features are added. Quantum crypto, on the other hand, faces a major problem. Despite these issues, there are solutions like Bitwarden, a password manager that offers secure and open-source password storage. Stay tuned to learn more about this and the significant quantum crypto issue.

    • Bitwarden adds new features for password security. Bitwarden, a free, open-source password manager, enhances security with support for passkeys and Argon2, addressing the growing importance of password managers.

      Bitwarden, an open-source password manager, continues to make password security more accessible by adding new features such as support for passkeys and the memory-hard key derivation function Argon2, all while keeping its personal edition free forever. This ease of use and affordability matters as the importance of using a password manager grows. However, even with advances such as post-quantum encryption, there are still challenges to overcome. For instance, the Kyber algorithm, which provides quantum resistance, was recently found to be vulnerable to timing attacks in some of its implementations. The issue lies in the code of those implementations rather than in the algorithm itself, and the community is working to address it. Overall, Bitwarden's commitment to making password security accessible and its ongoing efforts to improve and adapt to new challenges make it a standout password manager.

    • A vulnerability in a post-quantum encryption algorithm highlights the importance of security updates and theoretical considerations in coding. A vulnerability in a post-quantum encryption algorithm could lead to sensitive information being leaked, emphasizing the need for continuous updates and theoretical considerations in coding. Chrome dominates the global web browser market, while other browsers like Firefox and Opera have become less significant.

      The security of software and technology, no matter how well-established or widely used, can never be taken for granted. A vulnerability was found in a post-quantum encryption algorithm, which could have led to sensitive information being leaked through a timing side channel. This incident serves as a reminder of the importance of both theoretical and practical considerations in coding, and the need for continuous updates and improvements to ensure security. Another interesting observation from the discussion was the dominance of Chrome in the global web browser market, with other browsers such as Firefox and Opera becoming less significant. This trend was highlighted through a comparison of browser usage statistics from 2012 and 2022. Furthermore, there were listener responses to the previous episode's discussion about the Apple backdoor, raising questions about the possibility of a supply chain hack and the long lead times for new silicon designs to reach physical devices. Despite the uncertainties surrounding the incident, it underscores the need for vigilance and transparency in the tech industry.

    • Is it too late to start a career in infosec in your forties? Experience and effective communication are valuable assets in infosec, making age no barrier to entry. Consider Proton Drive for secure cloud storage, as Sync's issues may not be addressed promptly.

      Age should not be a barrier for entering the information security field, as there is a high demand for professionals and experience can be an asset. A listener, who is in their forties and considering a career change to infosec, asked for advice on whether it's too late to get started. The speaker reassured the listener that there's always a need for skilled IT professionals, and having life experience and the ability to communicate effectively can be valuable assets. The listener also asked about Proton Drive as a replacement for Sync for secure cloud storage, as they've had issues with Sync's iOS app. The speaker expressed disappointment with Sync's slow response to fixing the issue and suggested considering Proton Drive due to its reputation and association with ProtonMail. Overall, the speaker emphasized the importance of staying informed and adaptable in the ever-evolving tech industry.

    • Listening to user feedback can lead to unexpected solutions. Investigating user feedback can uncover hidden bugs and limitations, leading to an improved user experience and solutions for affected users.

      Even when faced with unexpected challenges, it's worth listening to user feedback and investigating further before making a definitive decision. This was evident in the development of SpinRite, a data recovery tool, where a limitation was imposed due to a bug in certain USB BIOS codes. However, after receiving user feedback and further investigation, the developer was able to create a solution that lifted the restriction for non-affected BIOSes and patched the buggy code for the affected ones, allowing access to larger drives. This not only improved the user experience but also showcased the importance of being open to feedback and continuous improvement. Additionally, the collaboration between the developer and the community played a significant role in the resolution of the issue.

    • Google's privacy-focused approach and individual data protection. Google is developing new privacy technologies; individuals and companies should safeguard personal information; DeleteMe helps remove data from brokers; protecting sensitive information benefits all; the research aligns with GDPR.

      Google is working on new technologies under the name "privacy sandbox" to protect user privacy while still enabling effective advertising. Meanwhile, it's essential for individuals and companies to safeguard their personal information from data brokers to prevent security breaches and identity theft. A service like DeleteMe can help remove and regularly scan for personal information across hundreds of data brokers, offering valuable support and advice tailored to each user's unique situation. This not only benefits individuals but also companies, as protecting sensitive information is crucial for maintaining security and avoiding phishing scams. The academic's research suggests that Google's privacy-focused approach could be in line with EU and UK laws like GDPR, signaling a positive future for privacy in the digital world.

    • Google's Privacy Sandbox: A Step Forward for Web Advertising and User Privacy. Google's new Privacy Sandbox initiative includes the Protected Audience API, aimed at financing the web through advertising without compromising user privacy, addressing the privacy concerns and chaotic system caused by the current reliance on cookies.

      Google's new Privacy Sandbox initiative, which includes the Protected Audience API and other technologies, represents a significant step forward in web browser technology and standards. This initiative aims to allow the web to finance its own existence through advertising without compromising user privacy. The web's current reliance on cookies for tracking and advertising has led to privacy concerns and a chaotic system. Google recognized this issue three years ago and began working on a solution. The Protected Audience API is part of this effort, and it's designed to protect user privacy while still allowing advertisers to optimize their ad buys. This new technology is a major improvement over the simple web technology of the past and is necessary to address the privacy issues that have arisen from the web's evolution. It's a sign that Google is taking user privacy seriously and is using its technological expertise to find a solution to this complex problem.

    • New APIs for privacy sandbox in web browsers expand their role. Web browsers now learn about users' interests and select ads autonomously, keeping data within the browser, using new APIs such as Topics and the Protected Audience API.

      The introduction of new APIs for privacy sandbox in web browsers, such as Topics and Protected Audience API, which became available in Q3 of 2023, has significantly expanded the role of web browsers. These APIs allow the browser to learn about users' interests and select ads autonomously, keeping user data within the browser. The operation of these APIs is complex and interconnected, with the Protected Audience API being originally named Fledge, then Turtledove, before being renamed to its current name. Although these names may be confusing, they all serve the purpose of enhancing privacy and control for users in the digital advertising ecosystem. The simple solutions of the past are no longer sufficient for the complex demands of modern web usage, and understanding these new APIs requires a nuanced perspective.

    • Google's New Targeted Advertising Method: On-Device Ad Auctions. Google's on-device ad auctions use the Protected Audience API for targeted ads based on user interests without cross-site tracking. The user's browser records interest group memberships, runs a browser-side ad auction with isolated JavaScript worklets, and preserves privacy.

      Google is introducing a new method for targeted advertising called on-device ad auctions, which uses the Protected Audience API. This API allows websites to display relevant ads to users based on their interests without the need for cross-site third-party tracking. When a user visits a site, the browser records the user's interest group memberships. Later, when the user visits a site with available ad space, the site can use the Protected Audience API to run a browser-side ad auction. Each interest group, or buyer, provides bidding code that generates a bid based on real-time data. The bid with the highest score wins the auction, and the winning ad is displayed in a fenced frame. All code from the seller and buyers is run in isolated JavaScript worklets to preserve privacy. The key point is that the user's browser visits a site, and the user implicitly expresses their interest in the topic of the site. Advertisers can then ask the user's browser to collect and retain information for future use, but they learn nothing about the visitor to the site. This new method allows for targeted advertising while maintaining user privacy.
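      The flow the summary describes (interest groups recorded by the browser, buyer bidding code, seller scoring, a winner shown in a fenced frame) as an added example in the form of a single-process JavaScript model; it is not code from the podcast or from Chrome. The worklet entry points generateBid() and scoreAd() carry the names the real API uses; the joinAdInterestGroup/runAdAuction stand-ins, the buyer and seller domains, and the bid values are constructed for illustration. The model also makes two guards concrete that the summary only implies: a buyer may render only a creative it registered, and the page receives nothing but an opaque URN.

```javascript
'use strict';
// Added example, not code from the podcast or from Chrome: a single-process model of the
// Protected Audience API's on-device ad auction. The worklet entry points generateBid() and
// scoreAd() carry the names used by the real API; all data shapes and the "browser" are simplified.

// --- State that exists only inside the (simulated) browser --------------------------------
const interestGroups = new Map();      // "owner/name" -> interest group recorded on earlier visits
const fencedFrameConfigs = new Map();  // opaque URN -> render URL; the page never sees this map

// Stands in for navigator.joinAdInterestGroup(): an advertiser's page asks the browser to
// remember the visitor's interest; the membership is stored locally and shared with nobody.
function joinAdInterestGroup(group) {
  interestGroups.set(`${group.owner}/${group.name}`, group);
}

// Runs buyer or seller worklet code on frozen copies of its inputs and nothing else, standing in
// for the network-less, DOM-less isolation of a real worklet. A throwing worklet drops out.
function runInWorklet(fn, ...args) {
  try {
    return fn(...args.map((a) => Object.freeze(JSON.parse(JSON.stringify(a)))));
  } catch (e) {
    return undefined;
  }
}

// Stands in for navigator.runAdAuction(): the publisher page calls it and gets back only an
// opaque URN for a fenced frame, never the bids, the bidders, or the losing ads.
function runAdAuction(auctionConfig) {
  const configView = { seller: auctionConfig.seller, auctionSignals: auctionConfig.auctionSignals };
  const browserSignals = { topWindowHostname: auctionConfig.topWindowHostname };
  let best = null;
  for (const group of interestGroups.values()) {
    if (!auctionConfig.interestGroupBuyers.includes(group.owner)) continue;  // seller chose its buyers
    const groupView = { owner: group.owner, name: group.name, ads: group.ads };
    const bid = runInWorklet(group.generateBid, groupView, auctionConfig.auctionSignals, browserSignals);
    if (!bid || !(bid.bid > 0)) continue;                                       // no usable bid
    // The browser enforces that a buyer can only render a creative it registered with the group.
    if (!group.ads.some((ad) => ad.renderUrl === bid.render)) continue;
    const desirability = runInWorklet(auctionConfig.scoreAd, bid.ad, bid.bid, configView);
    if (!(desirability > 0)) continue;                                          // seller rejected it
    if (!best || desirability > best.desirability) best = { desirability, render: bid.render };
  }
  if (!best) return null;
  const urn = `urn:uuid:constructed-${fencedFrameConfigs.size + 1}`;  // stand-in for a random URN
  fencedFrameConfigs.set(urn, best.render);
  return { urn };
}

// The fenced frame resolves the URN inside the browser; the embedding page cannot read the URL.
function renderFencedFrame(urn) {
  return fencedFrameConfigs.get(urn);
}

// --- Constructed sample data: three buyers the browser saw on earlier visits -----------------
joinAdInterestGroup({
  owner: 'https://dsp-shoes.example', name: 'trail-runners',
  ads: [{ renderUrl: 'https://dsp-shoes.example/ads/trail-runner', metadata: { category: 'sports', cpm: 2.5 } }],
  generateBid(group, auctionSignals) {
    const ad = group.ads[0];
    const boost = auctionSignals.pageCategory === 'sports' ? 1.4 : 1.0;  // only seller-supplied context
    return { ad: ad.metadata, bid: ad.metadata.cpm * boost, render: ad.renderUrl };
  },
});
joinAdInterestGroup({
  owner: 'https://dsp-casino.example', name: 'high-rollers',
  ads: [{ renderUrl: 'https://dsp-casino.example/ads/jackpot', metadata: { category: 'gambling', cpm: 9.0 } }],
  generateBid(group) {
    const ad = group.ads[0];
    return { ad: ad.metadata, bid: ad.metadata.cpm, render: ad.renderUrl };
  },
});
joinAdInterestGroup({
  owner: 'https://dsp-rogue.example', name: 'spoofer',
  ads: [{ renderUrl: 'https://dsp-rogue.example/ads/real', metadata: { category: 'sports', cpm: 1.0 } }],
  generateBid(group) {
    // Outbids everyone but names a creative it never registered; the browser must refuse it.
    return { ad: group.ads[0].metadata, bid: 50, render: 'https://dsp-rogue.example/ads/unregistered' };
  },
});

// Seller-side config for a publisher page: scoreAd() applies the publisher's blocked categories,
// then ranks the survivors by bid.
function publisherAuctionConfig(pageCategory, buyers = [
  'https://dsp-shoes.example', 'https://dsp-casino.example', 'https://dsp-rogue.example']) {
  return {
    seller: 'https://ssp.example',
    topWindowHostname: 'news.example',
    interestGroupBuyers: buyers,
    auctionSignals: { pageCategory },
    scoreAd(adMetadata, bid) {
      if (adMetadata.category === 'gambling') return 0;  // brand safety: reject, do not rank
      return bid;
    },
  };
}

const result = runAdAuction(publisherAuctionConfig('sports'));
console.log('page receives:', result, '| browser renders:', renderFencedFrame(result.urn));
```

      The rogue buyer's 50-unit bid and the casino's 9-unit bid both lose to the 3.5-unit shoe bid, one because its render URL was never registered and the other because the seller scored it zero; the publisher page sees only the URN.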

    • Google's Privacy Sandbox: A New Era of Web Browsing. Google's Privacy Sandbox is a browser technology that protects user privacy while enabling targeted ads through interest-based advertising and auctioning processes within the browser.

      Google's Privacy Sandbox is a radical transformation of web browsers from passive displays of web content to proactive advertising management engines. This new technology, which includes interest-based advertising and auctioning processes within the browser itself, aims to protect user privacy while providing websites with necessary ad revenue. The complexity of this system is necessary to deliver targeted ads without revealing user information to advertisers. Google has already implemented this technology in Chrome and is gradually phasing out older tracking methods. Although this may cause challenges for the advertising industry, it is a necessary step towards a more private web browsing experience.

    • Google's Privacy Sandbox: A New Era for Digital Advertising. Google's Privacy Sandbox introduces a new system for digital advertising, allowing browsers to collect user data and auction off ad opportunities, preserving user privacy and maintaining revenue.

      Google's Privacy Sandbox marks a significant shift in the digital advertising landscape. Instead of individual advertisers collecting user data for targeted ads, it's now the user's browser that collects and auctions off advertising opportunities based on users' interests. This system, which has been in place for six months, aims to preserve user privacy while maintaining advertising revenue. Although Google dominates the market, other browsers like Safari and Firefox may adopt similar solutions. The end of third-party cookies and fingerprinting is imminent, and the elimination of cookie permission pop-ups is a promising development. This new system, which is opt-out and easy to block, offers a win-win situation for users, websites, and advertisers. However, it remains to be seen how governments will respond to this development, with potential legislation on user profiling and history aggregation.

    • Google's New Protected Audience API for Controlling Data and Monetization. Google experiments with a new API for users to control their data and lease it out, aligning with Tim Berners-Lee's vision. With third-party cookies being phased out, the Protected Audience API might be the answer to monetizing without invasive tracking.

      Google is experimenting with a new API called "Protected Audience API" which could be a potential solution for users to control their own data and lease it out for sharing on their own terms. This concept aligns with Tim Berners-Lee's vision of users controlling their own data. Google is phasing out third-party cookies due to widespread ad blocking and GDPR requirements, leading advertisers to adapt. The Protected Audience API might be the answer to monetizing without relying on cookies or invasive tracking. The browser is the key player in this new approach, and although the name is not appealing, the concept is interesting. Security Now encourages listeners to support TWiT and its shows by joining the club for $7 a month, which offers ad-free versions of shows, access to Discord, and exclusive content.

    • Annual twitter.tv/survey24 for accurate show representation and customized podcast options. Participate in the twitter.tv/survey24 for accurate representation of show preferences, and subscribe to customized podcast versions for convenient access.

      It's crucial for everyone to participate in the annual twitter.tv/survey24 to ensure accurate representation of various show preferences. This survey is quick, easy, and helps determine individual interests. Steve Gibson's website, grc.com, offers various versions of his Security Now podcast, including smaller file sizes and text versions, catering to those with limited bandwidth. Subscribing to the podcast via a favorite player is the best way to never miss an episode. Additionally, Rod Pyle's This Week in Space brings the latest space news, featuring interviews with experts and covering space books and TV. O'Reilly VeriScan is a free tool to help diagnose check engine lights.

    Recent Episodes from Security Now (Audio)

    SN 974: Microsoft's Head in the Clouds - 4-Digit Pins, Long Range Navigation, Microsoft
    • Picture of the Week.
    • Most to least common 4-digit PINs.
    • Enhanced LORAN.
    • Passkeys.
    • Microsoft's Head in the Clouds.

    Show Notes - https://www.grc.com/sn/SN-974-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte

    Download or subscribe to this show at https://twit.tv/shows/security-now.

    Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

    You can submit a question to Security Now at the GRC Feedback Page.

    For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

    Sponsors:

    SN 973: Not So Fast - GPS Vulnerabilities, VPN Flaw
    • The vulnerability of GPS
    • Is the sky falling on all VPN systems?
    • Multi-user Passkeys, YubiKeys?
    • The iCloud Keychain
    • The UK and Google's Topics

    Show Notes - https://www.grc.com/sn/SN-973-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 972: Passkeys: A Shattered Dream? - IoT Default Passwords, Passkeys
    • GCHQ: No more default passwords for consumer IoT devices!
    • What happened with Chrome and 3rd-party cookies?
    • Race conditions and multi-threading
    • GM "accidentally" enrolled millions into "OnStar Smart Driver +" program
    • Steve recommends Ryk Brown's "Frontiers Saga"
    • SpinRite update
    • Passkeys: A Shattered Dream?

    Show Notes - https://www.grc.com/sn/SN-972-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 971: Chat (out of) Control - Fuxnet, Android Quarantine, Gentoo
    • What do you call "Stuxnet on steroids"??
    • Voyager 1 update
    • Android 15 to quarantine apps
    • Thunderbird & Microsoft Exchange
    • China bans Western encrypted messaging apps
    • Gentoo says "no" to AI
    • Cars collecting driving data
    • Freezing your credit
    • Investopedia
    • Computer Science Abstractions
    • Lazy People vs. Secure Systems
    • Actalis issues free S/MIME certificates
    • PIN Encryption
    • DRAM and GhostRace
    • AT&T Phishing Scam
    • Race Conditions and Multi-core processors
    • An Alternative to the Current Credit System
    • SpinRite Updates
    • Chat (out of) Control

    Show Notes - https://www.grc.com/sn/SN-971-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 970: GhostRace - AT&T Breach Update, Cookie Notices, Router Buttons
    • An update on the AT&T data breach
    • 340,000 social security numbers leaked
    • Cookie Notice Compliance
    • The GDPR does enforce some transparency
    • Physical router buttons
    • Wifi enabled button pressers
    • Netsecfish disclosure of D-Link NAS vulnerability
    • Chrome bloat
    • SpinRite update
    • GhostRace

    Show Notes - https://www.grc.com/sn/SN-970-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 969: Minimum Viable Secure Product - D-Link NAS Backdoor, Privnote, Crowdfense
    • Out-of-support D-Link NAS devices contain hard-coded backdoor credentials
    • Privnote is not so "Priv"
    • Crowdfense is willing to pay millions
    • Engineers Pinpoint Cause of Voyager 1 Issue, Are Working on Solution
    • SpinRite Update
    • Minimum Viable Secure Product

    Show Notes - https://www.grc.com/sn/SN-969-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 968: A Cautionary Tale - XZ Outbreak, AT&T Data Breach
    • A near-Universal (Local) Linux Elevation of Privilege vulnerability
    • TechCrunch informed AT&T of a 5 year old data breach
    • Signal to get very useful cloud backups
    • Telegram to allow restricted incoming
    • HP exits Russia ahead of schedule
    • Advertisers are heavier users of Ad Blockers than average Americans!
    • The Google Incognito Mode Lawsuit
    • Canonical fights malicious Ubuntu store apps
    • SpinRite update
    • A Cautionary Tale

    Show Notes - https://www.grc.com/sn/SN-968-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 967: GoFetch - Apple vs. DOJ, ".INTERNAL" TLD
    • Apple vs U.S. DOJ
    • G.M.'s Unbelievably Horrible Driver Data Sharing Ends
    • Super Sushi Samurai
    • Apple has effectively abandoned HomeKit Secure Routers
    • The forthcoming ".INTERNAL" TLD
    • The United Nations vs AI.
    • Telegram now blocked throughout Spain
    • Vancouver Pwn2Own 2024
    • China warns of incoming hacks
    • Annual Tax Season Phishing Deluge
    • SpinRite update
    • Authentication without a phone
    • Are Passkeys quantum safe?
    • GoFetch: The Unpatchable vulnerability in Apple chips

    Show Notes - https://www.grc.com/sn/SN-967-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 966: Morris The Second - Voyager 1, The Web Turns 35
    • Voyager 1 update
    • The Web turned 35 and Dad is disappointed
    • Automakers sharing driving data with insurance companies
    • A flaw in Passkey thinking
    • Passkeys vs 2FA
    • Sharing accounts with Passkeys
    • Passkeys vs. Passwords/MFA
    • Workaround to sites that block anonymous email addresses
    • Open Bounty programs on HackerOne
    • Steve on Twitter
    • Ways to disclose bugs publicly
    • Security by obscurity
    • Something you have/know/are vs Passkeys
    • Passkeys vs TOTP
    • Inspecting Chrome extensions
    • Passkey transportability
    • Morris the Second

    Show Notes - https://www.grc.com/sn/SN-966-Notes.pdf

    Hosts: Steve Gibson and Mikah Sargent


    SN 965: Passkeys vs. 2FA - Unhelpful CERT, VMware patch, Signal 7.0 Beta
    • VMware needs immediate patching
    • Midnight Blizzard still on the offensive
    • China is quietly "de-American'ing" their networks
    • Signal Version 7.0, now in beta
    • Meta, WhatsApp, and Messenger -meets- the EU's DMA
    • The Change Healthcare cyberattack
    • SpinRite update
    • Telegram's end-to-end encryption
    • KeePassXC now supports passkeys
    • Login accelerators
    • Sites start rejecting @duck.com emails
    • Tool to detect when Chrome extensions change owners
    • Shortest SN title
    • Passkeys vs 2FA

    Show Notes - https://www.grc.com/sn/SN-965-Notes.pdf

    Hosts: Steve Gibson and Mikah Sargent

    Related Episodes

    SN 957: The Protected Audience API - Hacked Washing Machine, Quantum Crypto Troubles
    • What would an IoT device look like that HAD been taken over?
    • And speaking of DDoS attacks
    • Trouble in the Quantum Crypto world
    • The Browser Monoculture
    • Question about the Apple backdoor
    • Getting into infosec
    • Proton Drive vs Sync
    • SpinRite update
    • The Protected Audience API

    Show Notes - https://www.grc.com/sn/SN-957-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte

    SN 961: Bitlocker: Chipped or Cracked? - Honeypots, Toothbrush Botnet, Bitlocker Cracked
    • Toothbrush Botnet
    • "There are too many damn Honeypots!"
    • Remotely accessing your home network securely
    • Going passwordless as an ecommerce site
    • Facebook "old password" reminders
    • Browsers on iOS
    • More UPnP Issues
    • A password for every website?
    • "Free" accounts
    • Keeping phones plugged in
    • Running your own email server in 2024
    • iOS app sizes
    • SpinRite 6.1 running on an iMac
    • SpinRite update
    • Bitlocker's encryption cracked in minutes

    Show Notes - https://www.grc.com/sn/SN-961-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte
