here are the stories were covering this
week in the category 5 TV newsroom as if
we needed another reason not to trust
Kaspersky it was discovered that their
antivirus injected a unique ID that
allowed sites to track users even in
incognito mode Ubuntu 19 point 10 will
offer it an experimental data fest file
system option there's a new attack
exploiting serious Bluetooth weakness
that is capable of intercepting
sensitive data and if this then that
warns against migrating nest devices to
Google accounts these stories are coming
right up don't go anywhere this is the
category 5 dot TV newsroom covering the
week's top tech stories with the safe
Linux bias
I'm Sasha Rickman in here the top
stories we're following this week as if
incognito mode antivirus software is
something that can help people be safer
and more private on the internet but
it's protections I can cut both ways a
case in point for almost four years
AV products from Kaspersky Lab injected
a unique identifier into every website a
user visited making it possible for
sites to identify people even when using
incognito mode or even when they switch
to a different browser the identifier
was part of a blob of JavaScript
Kaspersky products injected into every
page a user visited the JavaScript was
designed to among other things present a
green icon that corresponds to safe
links returned in search results ronald
Eichenberg a reporter for a CT magazine
who broke the story found something
unsettling about the javascript injected
by the Kaspersky product installed on
his test computer a big long tag that
looked like a serial number he
investigated and found it was unique to
his machine and it was injected into
every single page he visited it didn't
matter if he used Chrome Firefox edge or
opera or whether he turned on it
incognito browsing
David the fire acted as a unique
identification number that website
operators could use to track him first
he stopped sending the identifier in
June after ikan burg privately reported
the behavior to the AV company the
identifier was introduced in 2015 that
meant for close to four years all
consumer versions of Kaspersky software
for Windows including the free version
Kaspersky Internet Security and
Kaspersky total security silently
branded users with a unique ID dear if
well but that's the thing is that they
were providing a means for attackers to
track users they weren't necessarily
tracking the users they could have been
but they were injecting a unique
identifier into every website that
someone visited so if a malicious party
I figured that out yeah which I'm sure
they did we're not hearing about that
aspect we're hearing about it now that
it's been made public knowledge and
fixed four years later but I guarantee
you it was exploited sure I think the
intention was probably not malicious it
was just an oversight not that as a
programmer innocent as a programmer I
would say that that was an intern who
made a real bonehead move and is no
longer with the company that's like my
programmer standpoint is like that was a
bonehead move right stupid but companies
make those kinds of stupid decisions
sometimes it makes me wonder if there's
even the possibility somebody started to
put that in there as part of maybe an
analytics to be able to track how it
usage data sure that kind of stuff so
that they can you know fix the program
and it goes wrong but it just it's like
come on
like to our people still using Kaspersky
unfortunately the unknown the the
unknowing public do tend to still use
whatever is presented to them
somebody please share this share it all
your friends yeah stop just that that
kind of programming mistake from a
security company is not acceptable no
it's okay so that's the thing because
it's a security company right so if it's
just the regular blunder from a regular
blunder from some other company but it's
a security company like you really I
mean we take for granted that these
products are out there to protect us but
should there not be an absolute
evaluation and auditing process for any
feature that's added to a security
product that could potentially exploit
the user right see and I guess this is
just kind of the tangent that my brain
goes off but I look at stuff like this
and I go if it was that easy for one
company to inject this ID yeah it opens
up the door to go how many other people
are gonna go oh that was easy to do
mhm so I'm gonna do that yeah here's
like a free add-on for your computer
that gives you whatever well yeah I mean
you think of people who are like all the
government's tracking you literally all
they've got to do is done lucky hit ever
you know everything about everybody yeah
yeah else is tracking you yeah
and that becomes personally identifiable
it's like it's like and I don't mean to
take up so much time Sasha but it is
like that the mall surveillance system
that they said was not personally
identifying people right but at the same
time as soon as you see oh yeah that's
Sasha Rickman right there then as I see
the surveillance video that's going
through the mall I know what she's with
oh yeah even though I can't make out her
face you know I'm better than AI I can
see that Sasha Rickman right so is it
personally identifiable oh no it's just
a UUID well login to your Gmail guess
where that UUID is injected now it's
associated with your gmail account
it's associated with your email address
in your contact list it's associated
with your Facebook and your Twitter
profile exactly so but now they're not
doing it any longer
which means that it was probably in that
way right right they've hidden their
tracks yeah but we don't trust this
person at this point yeah
the damage is done people should really
just back away is there a way to stop
that kind of tracking though like what I
mean we've got all these you know
protections yeah it's like anti virus
malware all the kind of stuff is there
any way to create like a tracking ID
suite that goes oh we found these trends
we're wiping that out like how do you
stop against that I mean the the correct
answer is tor like that's the that's but
you know is that legitimate for the
average user no it's not not really and
can that be exploited well we've heard
stories that yeah there are ways that it
has been exploited we'll see right I
don't know there's an easy answer off
the grid but that's just why would you
do that in their walk of life it's not
an option boon to in nineteen point ten
will offer an experimental ZFS file
system option the newly announced plan
which isn't set in stone is to include a
ZFS install option in a boon to nineteen
point ten the next short-term release do
this October the downside is that using
Santa FS on Linux distributions is a
little tricky the format is tangled up
with all sorts of licensing issues but
those issues haven't put canonical off
canonical states that they have quotes
spent time looking at the licensing
which applies to the Linux kernel and to
ZFS and concluded that we are acting
within the rights granted and in
compliance with the terms on both
licenses end quote feeling it's well
worth its rights to use the zetas fest
fully the company plowed away on
bringing up ZFS filesystem support for
boon to across the cloud server and
containers for several years
now it's coming to the desktop okay see
I can see it really working well on the
server why such a need to bring it to
the desktop I guess we gotta be you know
up and hop but guess doesn't set FS
require but I this is a question maybe
for our community doesn't it require or
doesn't it suggests the need for like
higher-end hardware like ECC Ram and
that kind of stuff like is that not an
issue and I asked that it's like I don't
really know the answer to that so is it
not a little bit of a dangerous thing to
be presenting it to the end-users and
their they'll call it experimental right
so you know don't run this if if you
don't know what it is but if you're
running it on consumer hardware that you
bought at Walmart is that a good idea
why would somebody want to be using it
well because it has certain advantages
to the server and that's where on the
desktop like we're talking like like
redundant file storage the ability to go
back on file versioning and things like
that stuff that ext3 ext4 is not that
good at because it's older right right
so this is a more streamlined futuristic
file system right but tricky for the
common person to use the food yeah well
to deploy but if they if they ease the
deployment process make it a part of the
Installer well then it's not so much of
a big deal the Foo Set ZFS doesn't need
anything extra unless you actually need
that extra stuff so I think what they're
saying is you don't have to add those
features that are gonna be problematic
if you don't need them which means the
average user is probably not gonna add
them right it's not gonna be a problem
if you were going to be adding them you
would know what you were adding and then
you would know yeah precisely yeah the
food goes on to say ZFS still validates
that what was sent to the disk actually
got there and that's important for sure
how does it handle like power outages
and things like that that's the you know
the there there are so many questions
about file systems that I don't know the
answers to because that's like hah like
really low level stuff
and yeah the foo says he see see is
recommended but not necessary but that's
where I may be end-users like if I don't
know the answers and maybe the community
others know the answers maybe it's best
to stick with like ext4 for the desktop
or maybe butter FS at least stuff that's
like I don't know I put butter on my
breath I love butter on my bread and
butter on my filesystem I don't like it
there is a new attack exploiting serious
Bluetooth weakness that is capable of
intercepting sensitive data researchers
have demonstrated a serious weakness in
the Bluetooth wireless standard that
could allow hackers to intercept
keystrokes address books and other
sensitive data sent from billions of
devices dubbed key negotiation of
Bluetooth or Knob for short the attack
forces two or more devices to choose an
encryption key just a single byte in
length before establishing a Bluetooth
connection attackers within radio range
can then use commodity Hardware to
quickly crack the key from there
attackers can use the cracked key to
decrypt data passing between the devices
the type types of data susceptible could
include keystrokes passing between a
wireless keyboard in the computer
address books uploaded from a phone to a
car dashboard or photographs exchanged
between phones knob doesn't require an
attacker to have any previously shared
secret material or to observe the
pairing process of the targeted devices
the exploit is invisible to Bluetooth
apps and the operating systems that they
run on making the attack almost
impossible to detect without being
highly without highly specialized
equipment knob also exploits a weakness
in the Bluetooth standard itself that
means in all likelihood that the
vulnerability affects just about every
device that's compliant with the
specification the researchers have
simulated the attack on 14 different
Bluetooth chips including those from
Broadcom apple and qualcomm and found
them all to be vulnerable
okay so trot no longer trust your
wireless devices
I don't mind turning off my Bluetooth
rights I was gonna say I have my watch I
never turn my Bluetooth off yeah ever so
when I'm in a at a public coffeehouse
how do I know I can trust the
individuals that are nearby right how do
you know you can trust the coffee at
that coffee house how can you afford
coffee well because this it's a good
coffee house jack loyalty program okay
so Bluetooth they can just tap on in to
bluetooth but they couldn't like tap
into it and then go everywhere they can
just tap into the one thing well
presumably it's the communication data
so what is being sent to your team or
watch my steps chances are your location
my way yeah actually yep all that kind
of stuff a lot of those things don't
concern me but what about like email or
phone calls or sure well exactly
okay well that's wise yeah well done but
but not but but the the software itself
silts can still access that by turning
it on so it's it's still possible if
they can get to the phone oh it's a
software handle it oh I see yeah and we
live in a society where we are plagued
with phishing scams right now right so
the moment that a compromising party can
gain access to your contact list right
or information about you your contacts
or people that you interact with then
they can spoof that they can use
specialized hardware if they're good to
spoof an SMS sender and make it look
like it's coming from a family member
right and oh click on this link and it
takes you to a thing that installs
ransomware which is a real thing on
phones now and certainly on computers so
get a hold of your email address list
and things like that people are way too
trusting because Ella came from it came
from a family member it came from a
friend I've said like what if you got an
email from me that said open this
attachment I would
probably immediately might open it if
you really firmly believed it was for me
because the email has matched the name
matched even these days the signature
matches yeah everything is it's a very
very clever I got an email a week ago
from somebody that I trust dearly hmm
and the subject line was check this out
yeah something like yeah okay mhm I open
it up it's just a link yeah oh and I'm
like yeah okay so I texted them the
person I'm like yeah you've been hacked
like what are you talking about I just
got the seamless to check that s like no
I actually sent that I'm like first look
like a scam dude you really need to
improve your email text people links to
things I always add like a description
of what I'm writing I'm still
sophisticated I got one yeah it's like I
don't know if you saw this is happening
you don't want it to happen I did some
research on it here's what you need to
know this is where I found the research
yeah and it was something related to
what the two of us are involved in and I
was like I almost clicked in a roll wait
a minute yeah this guy knows nothing
about technology yeah yeah there's no
way you would talk about this right so
they get ahold of your contact list
through this Bluetooth exploit as an
example and now they find out that oh
you interact with Robbie Ferguson okay
grab one of the emails from that Robbie
Ferguson because of the Bluetooth
connection gives them access to that as
well and now they can spoof my signature
so it looks exactly like it's coming
from me spoof my email address and send
you a link that says click here and
signs it by Robbie to make it look
completely legit right so what if it was
flipped what would you do if you got a
message for me that's had like oh my
goodness Robbie I need your help I don't
know what I've done spend money no and
then there's a link yeah that sounds
like me actually something I would say
would you click it or would you call me
and see whether or not I sent it I would
probably because of my experience be
able to determine from the URL that
you've sent whether or not it's legit oh
really
you would send that through disco but
that's me yeah but there's not that's
not always the case
so what I do in those cases when I'm not
entirely sure is iw get it and I watch
the headers and I see if yeah so I don't
open it in a browser I open an OL in
Linux terminal that allows me to follow
the header flow so that I so that I can
see it was it actually giving me a file
oh this actually redirected and
redirected and redirected until finally
it gave me a JavaScript file and then I
opened that javascript file in a text
editor to see what it was actually doing
and I find so smart and I find eval
codes and so I decode the avowal codes
and see the actual JavaScript that is
being run so what would I do it's not
average yeah well this is why I'm asking
you what you yeah he's like 14 seconds
after I've done whatever I'm not
supposed to show feel like oh that was
probably the wrong choice so I think we
rather than what what would I do
let's let's think about what we wouldn't
do yeah so if you get an email this is
happening right now this is a being
distributed an email from a colleague or
somebody that you know that looks like
it's legit it's got their signature it's
got their email address and everything
else but it's got a zip file attached to
it and the zip file is encrypted because
presumably it's private right this is oh
here's some private information so I
zipped it and I encrypted it the
password is blah blah blah blah blah one
thing nobody who has any brains to
encrypt something is going to send the
password in the same email as the
encrypted file okay so just think about
that for a second hold on backup whether
you think you know them or not that is a
that nobody's gonna do that if they have
the mindset to know that they need to
encrypt the file think about that for a
second though right
if you okay so why would a malicious
party then encrypt a file and create a
zip file that is password protected and
then give you the the password because
an anti-virus product
be it on a server or your own computer
cannot read encrypted data okay so
that's it file coming in to your in-laws
yeah that zip file coming into your
inbox it's password protected and
encrypted so without the password it
can't be opened and therefore can't be
scanned it will scan the file but it
won't find anything wrong with it
because it's just a bunch of ones and
zeros it can't read the actual data
right so then you open the zip file
especially on Microsoft Windows open
that zip file enter the password that
was in the email so cleverly because
your friend is so security minded and
boom it comes up and you're infected
with ransomware and the whole network is
gone you've lost all the files for the
company and you feel pretty bad about
that I'm pretty sure so what do you do
okay so you get that email it's got a
password-protected zip file regardless
of whether you think you trust it or not
you call that person you say Sascha did
you just send me a password-protected
zip file what are you gonna say no no
what are you talking about yeah delete
okay from soft it's just doing your due
diligence I I wish there was a way for
email service companies to come up with
a hidden back button so when you get
those cut emails you hit them back oh
yeah this is spam this is malware hack
them back exactly like it like like
there are Russian servers that it's all
tapped in together it's been shut down
already Jeff warns against migrating
nest devices to Google accounts google
says it's moving nest devices over to a
unified Google ecosystem for the sake of
simplicity but simple can be complicated
as is certainly the case here in May
after users fought the decision the
company announced that it would maintain
works with nest connections for some
third-party integration if this than
that or IFFT applets for the company's
camera smoke detector and thermostat are
among those exceptions that certainly
bodes well for those users who took the
time to in great if functionality
however users who opted to migrate a
nest account to a Google one will break
their connections in the process if said
in a statement a quote do not migrate
your nest account to a Google account
migrating at your nest account will
cause if and other works with nest
integrations to be disconnected this
process is not reversible further they
warn users do not disconnect nest from
IFFT after August 31st as you will not
be able to reconnect it this affects
users that do not migrate their nest
accounts to a Google one end quote
for its part google says that it's
looking to bring similar automation
functionality to nest that presently
requires third party integration from
services like IFFT hmm couple of sides
of this I mean you want to jump on them
and say Google is trying to cut out the
little guy that was my first reaction
then I realize okay well there have been
exploits on nest there have been hacks
on nest and so what's the best way to
protect nest users is to control the
ecosystem to stop the API that allows
third party integrations
that's a tough situation when you've
created something that that supports
that from the get-go see and my thought
was by you know removing that and kind
of bringing it back into the centralized
process what happens if there's a data
breach well presumably Google knows
about encryption by now right you would
think but how many times have we seen
big name home can you pump
giant pumpkins folks October is coming
but how many times have we seen big name
companies go oops
right like yeah
because I mean is my shirt I could never
think that Mike that that Google has
that okay yeah anybody's now if one
thing goes wrong and it's linked back to
Google centralizing it and take taking
the third party out in the middle man
out then people are gonna go your
problem not ours
hmm yeah we'll have to maybe that's not
a big deal of them but so I guess what
it boils down to is the user like are
you using EFT and if you are for your
nest devices so that is your nest
thermostat your I have a nest thermostat
do you use the if this than that I don't
use if this then that with nest however
I do use my Amazon echo see how I
stopped myself and you use that is that
an if this than that situation no the
echo is a third-party integration
however okay I would imagine unless it's
like a Google official skill right I
guess that's something that I'll
discover but I can understand why they'd
want to lock down their ecosystem in
such a way that they are in control
right but at the same time it really
hurts someone like EFT sure but and what
what we learned there in your story is
that now Google is saying they're going
to create their own EFT rights they buy
out the real EFT and give them a whole
whack of money oh yeah
that won't happen that won't happen
no but it would be I'll just forgive
them give them a bunch of free money
just to say thank you for supporting the
ecosystem maybe do that yeah because
people don't want people don't want to
have to switch to Google shareholders
don't want that though no but come on
play nice in this World Wide Web
exactly you're gonna be the big dog play
nice with the little guys those kind of
I mean it would be nice what do you
think please comment below
oh and this is me I wanted you to take
over but no this is actually my turn to
talk about the coin gecko crypto report
as of August 21st 2019
bitcoin has dropped a little bit but
it's still doing quite well at ten
thousand eighty one dollars and ninety
cents Fiat USD Facebook Libre is still
not trading litecoin is now light coin
is an interesting case this week
Oh last week its skyrocketed we're like
almost doubled in its value in US
dollars value that's why I don't know I
don't know why follow the trends but
it's cuz we covered in the news yeah so
so it went up so if you bought like four
four weeks ago you did really really
well last week and I hope you sold
because then it cut down again so it
actually Wow so is it lower than it was
two weeks ago last week it was at 188
thirty-seven doing quite well and this
week it lost one hundred and fifteen
dollars and thirteen cents it's now down
at seventy three dollars and twenty four
cents so I hope you bought after last
week's show Manero is staying pretty
static at eighty dollars and 23 cents
Fiat up one thirty-four from last week
torque or previously known as stellite
it's been it's been doing well for a
small coin sitting now at one point oh
one ten thousandth of a cent whereas
turtle coin is about half that at 0.53
remember the cryptocurrency market never
closes it's always volatile it's always
changing and because it's 24/7 you never
know like jeff says well what caused it
to go up and what caused it to come down
you don't know you can take a guess but
it's not like it's not like oil like you
can't point it at one particular thing
and say that's what caused it no it
doesn't work that way
it's cryptocurrency it's madness so
anything you invest make sure you're
ready to lose it lose it
yeah exactly please big thanks to Roy W
Nash in our community of viewers for
submitting story to us this week thanks
for watching the category-five TV
newsroom don't forget to Like and
subscribe for all your tech news with a
slight linux bias and for more free
content be sure to check out our web
site from the category-five duty
newsroom I'm Sasha Rickman in on Robbie
Ferguson I'm Jeff Weston
[Music]