Here are the stories we're covering this week in the Category5 TV Newsroom. As if we needed another reason not to trust Kaspersky, it was discovered that their antivirus injected a unique ID that allowed sites to track users, even in incognito mode. Ubuntu 19.10 will offer an experimental ZFS file system option. There's a new attack exploiting a serious Bluetooth weakness that is capable of intercepting sensitive data. And If This Then That warns against migrating Nest devices to Google accounts. These stories are coming right up. Don't go anywhere.

This is the Category5.TV Newsroom, covering the week's top tech stories with a slight Linux bias. I'm Sasha Rickman, and here are the top stories we're following this week.

As if incognito mode... Antivirus software is something that can help people be safer and more private on the internet, but its protections can cut both ways. A case in point: for almost four years, AV products from Kaspersky Lab injected a unique identifier into every website a user visited, making it possible for sites to identify people even when using incognito mode, or even when they switch to a different browser. The identifier was part of a blob of JavaScript Kaspersky products injected into every page a user visited. The JavaScript was designed to, among other things, present a green icon that corresponds to safe links returned in search results.

Ronald Eikenberg, a reporter for c't magazine who broke the story, found something unsettling about the JavaScript injected by the Kaspersky product installed on his test computer: a big long tag that looked like a serial number. He investigated and found it was unique to his machine, and it was injected into every single page he visited. It didn't matter if he used Chrome, Firefox, Edge or Opera, or whether he turned on incognito browsing. The identifier acted as a unique identification number that website operators could use to track him. Kaspersky stopped sending the identifier in June, after Eikenberg privately
reported the behavior to the AV company. The identifier was introduced in 2015. That meant for close to four years, all consumer versions of Kaspersky software for Windows, including the free version, Kaspersky Internet Security and Kaspersky Total Security, silently branded users with a unique ID.

Dear, if... Well, but that's the thing, is that they were providing a means for attackers to track users. They weren't necessarily tracking the users. They could have been, but they were injecting a unique identifier into every website that someone visited. So if a malicious party figured that out... Yeah. Which I'm sure they did. We're not hearing about that aspect. We're hearing about it now that it's been made public knowledge and fixed, four years later. But I guarantee you it was exploited. Sure.

I think the intention was probably not malicious. It was just an oversight. Not that, as a programmer... innocent... As a programmer, I would say that that was an intern who made a real bonehead move and is no longer with the company. That's, like, my programmer standpoint: that was a bonehead move. Right. Stupid. But companies make those kinds of stupid decisions sometimes.

It makes me wonder if there's even the possibility somebody started to put that in there as part of maybe an analytics, to be able to track how it... usage data. Sure. That kind of stuff, so that they can, you know, fix the program when it goes wrong. But it's just, it's like, come on. Like, are people still using Kaspersky? Unfortunately, the unknown... the unknowing public do tend to still use whatever is presented to them. Somebody please share this. Share it, all your friends. Yeah. Stop.

Just, that kind of programming mistake from a security company is not acceptable. No, it's... okay, so that's the thing, because it's a security company, right? So if it's just the regular blunder from... a regular blunder from some other company... But it's a security company. Like, you really... I mean, we take for granted that these products are out there to protect us, but should
there not be an absolute evaluation and auditing process for any feature that's added to a security product that could potentially exploit the user? Right.

See, and I guess this is just kind of the tangent that my brain goes off, but I look at stuff like this and I go: if it was that easy for one company to inject this ID... Yeah. It opens up the door to go, how many other people are gonna go, "Oh, that was easy to do." Mm-hmm. "So I'm gonna do that." Yeah. "Here's, like, a free add-on for your computer that gives you whatever."

Well, yeah. I mean, you think of people who are like, "Oh, the government's tracking you." Literally all they've got to do is done lucky hit ever, you know, everything about everybody. Yeah. Yeah, else is tracking you. Yeah. And that becomes personally identifiable.

It's like... and I don't mean to take up so much time, Sasha, but it is like the mall surveillance system that they said was not personally identifying people. Right. But at the same time, as soon as you see, "Oh yeah, that's Sasha Rickman right there," then as I see the surveillance video that's going through the mall, I know what she's with. Oh yeah. Even though I can't make out her face. You know, I'm better than AI. I can see that Sasha Rickman, right? So is it personally identifiable? "Oh no, it's just a UUID." Well, log in to your Gmail. Guess where that UUID is injected? Now it's associated with your Gmail account. It's associated with your email address and your contact list. It's associated with your Facebook and your Twitter profile. Exactly.

So, but now they're not doing it any longer, which means that it was probably in that way. Right. Right. They've hidden their tracks. Yeah. But we don't trust this person at this point. Yeah. The damage is done. People should really just back away.

Is there a way to stop that kind of tracking, though? Like, what... I mean, we've got all these, you know, protections. Yeah. It's like antivirus, malware, all that kind of stuff. Is there any way to create, like, a tracking ID suite that goes, "Oh, we found these trends, we're
wiping that out"? Like, how do you stop against that? I mean, the correct answer is Tor. Like, that's the... but, you know, is that legitimate for the average user? No, it's not. Not really. And can that be exploited? Well, we've heard stories that, yeah, there are ways that it has been exploited. We'll see. Right. I don't know that there's an easy answer. Off the grid, but that's just... why would you do that? In their walk of life, it's not an option.

Ubuntu 19.10 will offer an experimental ZFS file system option. The newly announced plan, which isn't set in stone, is to include a ZFS install option in Ubuntu 19.10, the next short-term release, due this October. The downside is that using ZFS on Linux distributions is a little tricky. The format is tangled up with all sorts of licensing issues. But those issues haven't put Canonical off. Canonical states that they have, quote, "spent time looking at the licensing which applies to the Linux kernel and to ZFS and concluded that we are acting within the rights granted and in compliance with the terms on both licenses," end quote. Feeling it's well within its rights to use ZFS fully, the company plowed away on bringing up ZFS filesystem support for Ubuntu across the cloud, server and containers for several years. Now it's coming to the desktop.

Okay, see, I can see it really working well on the server. Why such a need to bring it to the desktop? I guess we gotta be, you know, up and hop. But, I guess, doesn't ZFS require... but I... this is a question maybe for our community: doesn't it require, or doesn't it suggest the need for, like, higher-end hardware, like ECC RAM and that kind of stuff? Like, is that not an issue? And I ask that... it's like, I don't really know the answer to that. So is it not a little bit of a dangerous thing to be presenting it to the end users? And they'll call it experimental, right? So, you know, don't run this if you don't know what it is. But if you're running it on consumer hardware that you bought
at Walmart, is that a good idea? Why would somebody want to be using it? Well, because it has certain advantages to the server, and that's where... on the desktop, like, we're talking, like, redundant file storage, the ability to go back on file versioning and things like that. Stuff that ext3, ext4 is not that good at, because it's older. Right. Right. So this is a more streamlined, futuristic file system. Right. But tricky for the common person to use.

The Foo... yeah. Well, to deploy. But if they ease the deployment process, make it a part of the installer, well, then it's not so much of a big deal. The Foo said ZFS doesn't need anything extra unless you actually need that extra stuff. So I think what they're saying is you don't have to add those features that are gonna be problematic if you don't need them, which means the average user is probably not gonna add them. Right. It's not gonna be a problem. If you were going to be adding them, you would know what you were adding, and then you would know. Yeah, precisely. Yeah.

The Foo goes on to say ZFS still validates that what was sent to the disk actually got there, and that's important, for sure. How does it handle, like, power outages and things like that? That's the, you know... there are so many questions about file systems that I don't know the answers to, because that's, like, really low-level stuff. And yeah, The Foo says ECC is recommended but not necessary. But that's where I... maybe end users... like, if I don't know the answers, and maybe the community, others, know the answers, maybe it's best to stick with, like, ext4 for the desktop, or maybe butter FS at least. Stuff that's like... I don't know. I put butter on my bread. I love butter on my bread. And butter on my filesystem? I don't like it.

There is a new attack exploiting a serious Bluetooth weakness that is capable of intercepting sensitive data. Researchers have demonstrated a serious weakness in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address
books and other sensitive data sent from billions of devices. Dubbed Key Negotiation of Bluetooth, or KNOB for short, the attack forces two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection. Attackers within radio range can then use commodity hardware to quickly crack the key. From there, attackers can use the cracked key to decrypt data passing between the devices. The types of data susceptible could include keystrokes passing between a wireless keyboard and the computer, address books uploaded from a phone to a car dashboard, or photographs exchanged between phones.

KNOB doesn't require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating systems that they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that's compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips, including those from Broadcom, Apple and Qualcomm, and found them all to be vulnerable.

Okay, so... no longer trust your wireless devices. I don't mind turning off my Bluetooth, right? I was gonna say, I have my watch. I never turn my Bluetooth off. Yeah. Ever. So when I'm at a public coffeehouse, how do I know I can trust the individuals that are nearby? Right. How do you know you can trust the coffee at that coffee house? How can you afford coffee? Well, because it's a good coffee house. Jack loyalty program.

Okay, so Bluetooth: they can just tap on in to Bluetooth, but they couldn't, like, tap into it and then go everywhere? They can just tap into the one thing? Well, presumably it's the communication data. So what is being sent to your team or watch? My steps. Chances are your
location. My way. Yeah, actually. Yep. All that kind of stuff. A lot of those things don't concern me, but what about, like, email or phone calls or... Sure. Well, exactly. Okay, well, that's wise. Yeah. Well done. But the software itself still can access that by turning it on. So it's still possible if they can get to the phone. Oh, it's a software handle. Oh, I see. Yeah.

And we live in a society where we are plagued with phishing scams right now, right? So the moment that a compromising party can gain access to your contact list, right, or information about you, your contacts or people that you interact with, then they can spoof that. They can use specialized hardware, if they're good, to spoof an SMS sender and make it look like it's coming from a family member. Right. And, "Oh, click on this link," and it takes you to a thing that installs ransomware, which is a real thing on phones now, and certainly on computers. So, get a hold of your email address list and things like that.

People are way too trusting, because it came from... it came from a family member, it came from a friend. I've said, like, what if you got an email from me that said, "Open this attachment"? I would probably immediately... might open it. If you really firmly believed it was from me. Because the email has matched, the name matched. Even, these days, the signature matches. Yeah. Everything is... it's very, very clever.

I got an email a week ago from somebody that I trust dearly. Hmm. And the subject line was "check this out." Yeah. Something like... yeah. Okay. Mm-hmm. I open it up, it's just a link. Yeah. Oh. And I'm like, yeah, okay. So I texted the person. I'm like, "Yeah, you've been hacked." Like, "What are you talking about?" "I just got the seamless to check that s." Like, "No, I actually sent that." I'm like, "First, looks like a scam, dude. You really need to improve your email text." People, links to things... I always add, like, a description of what I'm writing. I'm still sophisticated.

I got one, yeah. It's like, "I don't know if you saw this is happening. You don't
want it to happen. I did some research on it. Here's what you need to know. This is where I found the research." Yeah. And it was something related to what the two of us are involved in. And I was like... I almost clicked, in a roll... wait a minute. Yeah. This guy knows nothing about technology. Yeah. Yeah. There's no way he would talk about this. Right.

So they get ahold of your contact list through this Bluetooth exploit, as an example, and now they find out that, oh, you interact with Robbie Ferguson. Okay, grab one of the emails from that Robbie Ferguson, because the Bluetooth connection gives them access to that as well. And now they can spoof my signature so it looks exactly like it's coming from me, spoof my email address, and send you a link that says "click here," and sign it "Robbie" to make it look completely legit. Right.

So what if it was flipped? What would you do if you got a message from me that said, like, "Oh my goodness, Robbie, I need your help. I don't know what I've done." Spend money? No. And then there's a link. Yeah, that sounds like me, actually. Something I would say. Would you click it, or would you call me and see whether or not I sent it?

I would probably, because of my experience, be able to determine from the URL that you've sent whether or not it's legit. Oh, really? You would send that through disco... But that's me. Yeah. But that's not always the case. So what I do in those cases, when I'm not entirely sure, is I wget it, and I watch the headers, and I see if... yeah. So I don't open it in a browser. I open it in a Linux terminal that allows me to follow the header flow, so that I can see: was it actually giving me a file? Oh, this actually redirected, and redirected, and redirected, until finally it gave me a JavaScript file. And then I opened that JavaScript file in a text editor to see what it was actually doing. And I find... So smart. And I find eval codes, and so I decode the eval codes and see the actual JavaScript that is being run. So what would I do? It's not average. Yeah.
Well, this is why I'm asking you what you... yeah. He's like... 14 seconds after I've done whatever I'm not supposed to, I feel like, "Oh, that was probably the wrong choice."

So I think, rather than "what would I do," let's think about what we wouldn't do. Yeah. So if you get an email... this is happening right now, this is being distributed: an email from a colleague or somebody that you know, that looks like it's legit. It's got their signature, it's got their email address and everything else. But it's got a zip file attached to it, and the zip file is encrypted, because presumably it's private, right? This is, "Oh, here's some private information, so I zipped it and I encrypted it. The password is blah blah blah blah blah."

One thing: nobody who has any brains to encrypt something is going to send the password in the same email as the encrypted file. Okay? So just think about that for a second. Hold on, back up. Whether you think you know them or not, that is a... nobody's gonna do that if they have the mindset to know that they need to encrypt the file.

Think about that for a second, though, right? Okay, so why would a malicious party then encrypt a file and create a zip file that is password-protected, and then give you the password? Because an antivirus product, be it on a server or your own computer, cannot read encrypted data. Okay. So that zip file coming in to your in... yeah, that zip file coming into your inbox, it's password-protected and encrypted, so without the password it can't be opened and therefore can't be scanned. It will scan the file, but it won't find anything wrong with it, because it's just a bunch of ones and zeros. It can't read the actual data. Right.

So then you open the zip file, especially on Microsoft Windows. Open that zip file, enter the password that was in the email, so cleverly, because your friend is so security-minded, and boom, it comes up and you're infected with ransomware, and the whole network is gone. You've lost all the files for the company, and you feel
pretty bad about that, I'm pretty sure. So what do you do? Okay, so you get that email. It's got a password-protected zip file. Regardless of whether you think you trust it or not, you call that person. You say, "Sasha, did you just send me a password-protected zip file?" What are you gonna say? "No. No, what are you talking about?" Yeah. Delete. Okay. From soft... it's just doing your due diligence.

I wish there was a way for email service companies to come up with a hidden "back" button, so when you get those cut emails, you hit them back. Oh yeah. "This is spam, this is malware." Hack them back. Exactly. Like, there are Russian servers that... it's all tapped in together. It's been shut down already.

IFTTT warns against migrating Nest devices to Google accounts. Google says it's moving Nest devices over to a unified Google ecosystem for the sake of simplicity, but simple can be complicated, as is certainly the case here. In May, after users fought the decision, the company announced that it would maintain Works with Nest connections for some third-party integration. If This Then That, or IFTTT, applets for the company's camera, smoke detector and thermostat are among those exceptions. That certainly bodes well for those users who took the time to integrate IFTTT functionality. However, users who opted to migrate a Nest account to a Google one will break their connections in the process.

IFTTT said in a statement, quote, "Do not migrate your Nest account to a Google account. Migrating your Nest account will cause IFTTT and other Works with Nest integrations to be disconnected. This process is not reversible." Further, they warn users, "Do not disconnect Nest from IFTTT after August 31st, as you will not be able to reconnect it. This affects users that do not migrate their Nest accounts to a Google one," end quote. For its part, Google says that it's looking to bring similar automation functionality to Nest that presently requires third-party integration from services like IFTTT.

Hmm. A couple of sides of this. I mean, you want to jump
on them and say Google is trying to cut out the little guy. That was my first reaction. Then I realized, okay, well, there have been exploits on Nest, there have been hacks on Nest, and so what's the best way to protect Nest users? It's to control the ecosystem, to stop the API that allows third-party integrations. That's a tough situation when you've created something that supports that from the get-go.

See, and my thought was, by, you know, removing that and kind of bringing it back into the centralized process, what happens if there's a data breach? Well, presumably Google knows about encryption by now, right? You would think. But how many times have we seen big name... home can you pump giant pumpkins, folks, October is coming... but how many times have we seen big-name companies go "oops"? Right. Like, yeah. Because, I mean, is my shirt... I could never think that Mike... that Google has that. Okay. Yeah. Anybody's... Now, if one thing goes wrong and it's linked back to Google, centralizing it and taking the third party out, and the middleman out, then people are gonna go, "Your problem, not ours." Hmm. Yeah. We'll have to... maybe that's not a big deal for them.

But so I guess what it boils down to is the user. Like, are you using IFTTT? And if you are, for your Nest devices, so that is your Nest thermostat, your... I have a Nest thermostat. Do you use the If This Then That? I don't use If This Then That with Nest. However, I do use my Amazon Echo. See how I stopped myself? And you use that... is that an If This Then That situation? No, the Echo is a third-party integration, however. Okay. I would imagine, unless it's, like, a Google official skill, right? I guess that's something that I'll discover.

But I can understand why they'd want to lock down their ecosystem in such a way that they are in control. Right. But at the same time, it really hurts someone like IFTTT. Sure. But... and what we learned there in your story is that now Google is saying they're going to create their own IFTTT. Right. They buy out the real IFTTT and give them a whole whack
of money. Oh yeah, that won't happen. That won't happen, no. But it would be... "I'll just forgive them, give them a bunch of free money just to say thank you for supporting the ecosystem." Maybe do that. Yeah. Because people don't want... people don't want to have to switch to Google. Shareholders don't want that, though. No, but come on, play nice in this World Wide Web. Exactly. You're gonna be the big dog, play nice with the little guys. Those kind of... I mean, it would be nice. What do you think? Please comment below.

Oh, and this is me. I wanted you to take over, but no, this is actually my turn to talk about the CoinGecko crypto report. As of August 21st, 2019, Bitcoin has dropped a little bit, but it's still doing quite well at $10,081.90 fiat USD. Facebook Libra is still not trading. Litecoin is now... Litecoin is an interesting case this week. Oh, last week it skyrocketed. Like, almost doubled in its value in US dollars value. That's... why? I don't know. I don't know why. Follow the trends. But it's 'cause we covered it in the news. Yeah. So it went up. So if you bought, like, four weeks ago, you did really, really well last week, and I hope you sold, because then it cut down again. So it actually... Wow. So is it lower than it was two weeks ago? Last week it was at $188.37, doing quite well, and this week it lost $115.13. It's now down at $73.24. So I hope you bought after last week's show.

Monero is staying pretty static at $80.23 fiat, up 1.34 from last week. Torque, previously known as Stellite, it's been doing well for a small coin, sitting now at 1.01 ten-thousandths of a cent, whereas TurtleCoin is about half that at 0.53.

Remember, the cryptocurrency market never closes. It's always volatile, it's always changing, and because it's 24/7, you never know. Like Jeff says, "Well, what caused it to go up and what caused it to come down?" You don't know.
You can take a guess, but it's not like... it's not like oil. Like, you can't point at one particular thing and say, "That's what caused it." No, it doesn't work that way. It's cryptocurrency. It's madness. So anything you invest, make sure you're ready to lose it. Lose it, yeah, exactly. Please.

Big thanks to Roy W Nash in our community of viewers for submitting stories to us this week. Thanks for watching the Category5 TV Newsroom. Don't forget to like and subscribe for all your tech news with a slight Linux bias, and for more free content, be sure to check out our website. From the Category5 TV Newsroom, I'm Sasha Rickman. And I'm Robbie Ferguson. I'm Jeff Weston.

[Music]