
Transcription of the twelfth episode of the podcast "Procurator"

Once upon a time, on our favorite resource (that is, right here), there was a type of publication called "podcast". A lot of water has flowed since then; podcasts disappeared from Habr, but ours survived the take-off, the fall and the new take-off, bringing us to the present day. We thought for a long time about whether it was worth experimenting with transcribing a podcast episode into text, but sometime after the third request to "read" rather than "listen", we realized that this would have to be done.

Quick Reference:
Sasha Kozlov : Hello everyone! You are listening to Procurator, episode number 12, it seems; what name we will come up with for it in our numbering system is a good question, and we will discuss it a little later, I think, with our colleagues.
Meanwhile, with you here today is the full line-up of the podcast Procurator, including Sasha Kozlov, also known as shapelez, that's me, and everything is clear with me; Kostya kpp Ignatov; Artyom janatem Shvorin; Sasha user318; and Artem ximaera Gavrichenkov.
We continue our interesting experiment of working without a shared document: each of us now consciously brings to the podcast the topics that interest them. Well, I will begin, probably: I won't call it a tradition, we just need to start somewhere!

Legal point of view


Sasha Kozlov : I brought with me a wonderful story about Oracle's lawsuit against Google regarding the use of Java in the Android mobile operating system, which has been dragging on since 2010. Yes, Artem?
Artem Gavrichenkov : Yes, I was just hesitating whether to comment about a whale and an elephant or about a toad and a viper. But while I'm confused about the zoology, Sasha, go ahead.
Sasha Kozlov : Well, let's recall the historical background of all this, because I'm not sure that everyone has been following this since 2010, when the first lawsuit between the two companies began.

In fact, the whole story, of course, began much earlier, at the start of the creation of the Android mobile operating system under the auspices of an organization that at one time was called the Open Handset Alliance; that is, if you didn't know, it was this alliance that created the operating system, run by Andy Rubin, where Google at that point in time stood on an equal footing with many other companies, including Samsung. In general, everyone was there!

In 2009, it seems, or at the end of 2008, a corporation called Oracle absorbed another company, which by then was already in a rather pitiful state: Sun Microsystems. Java was the intellectual property of Sun Microsystems, and of course that intellectual property passed to Oracle. Everything would have been fine, but 8 months later, in a US court (now we will not go into details of which state they were tried in, since this is a big question)...

Artem Gavrichenkov : Not in Texas, by any chance?

Sasha Kozlov : I think that one of these lawsuits was definitely taking place in Texas, but which of the three rounds of claims and appeals is a big question. Because, in fact, from 2010 onwards they went through 3 full circles: a lawsuit was filed, there was a hearing on it, a decision was made, after that an appeal was filed, and then a decision was made again. So Google lost the last 2 appeals.

Actually, this is the whole complexity of their current situation, because from the legislative point of view ...
Kostya Ignatov : What?
Sasha Kozlov : Legislative point of view ...
Kostya Ignatov : Did you just translate the English word into Russian by transliteration, or what?
Sasha Kozlov : Yes.
Artem Gavrichenkov : There is such a word!
Sasha Zubkov : But someone has already translated it before.
Sasha Kozlov : From this very point of view, the following story emerges: in order to escalate the proceedings further, Google now has no other option than to go to the Supreme Court of the United States, i.e. the Supreme Court, as I understand it.

Artyom Shvorin : Stop, but before that, it was about exactly which state it happened in, and this is important, because one of the states is a nest of patent trolls. Is it Texas?
Artem Gavrichenkov : Yes, it is Texas! Eastern District.
Sasha Kozlov : It seems so! And by the way, there is another interesting story: on one of the previous podcasts, remember, I told you about the judge to whom all the complicated cases flow, the ones where the code has to be understood during the court session? So, that is a Texas judge.
Artem Shvorin : Right at the beginning of this story, there really was a judge who wanted to learn the basics of Java in order to understand whether "Hello, world" was unique property.

Sasha Kozlov : Well! And at the last hearing on this appeal, which Google lost, they in fact also tried to make ... That is, one of Google's positions in its defense was that the Java code was written to be executed on the desktop, whereas here we are talking about applications in a mobile OS, which expands the scope of application of this code, and the question is where intellectual rights to some developments that have already been bought and resold up to the present moment begin and end, well, and they pull all this legacy behind them.

So, the intrigue: will Google go to the Supreme Court or pay almost 9 billion dollars? Or agree in some way to reduce this amount? This, I think, is what we will see soon in the news. Yesterday a very large number of people wrote about this, Bloomberg released a huge piece, and the stock prices are falling for both companies, so Oracle won nothing here, because killing Android means killing Android. What do you think?

Artem Gavrichenkov : Why kill?
Kostya Ignatov : Killing the project won't work. And Google, of course, will go to the Supreme Court with this, but it seems to me that they will refuse to accept the application, as, in my opinion, has already happened. Here is another interesting thing: if you look at this story, it turns out that Oracle in fact wanted to go after the desktop extension, i.e. Chrome is already running not only on mobile systems, but Chrome OS also exists, which runs on desktops, and Oracle really wanted to go after that.

Artem Shvorin : So there is no Java in Chrome.
Kostya Ignatov : No, not in Chrome, but in Chrome OS; this is not the same as the browser, this is a fully-fledged OS which lives on the same principles and has the same API. And, in general, the attack does not even target the code, not even the JVM, but the API, i.e. just all the things that lead to the fact that you can call a function that has some name and does some thing. As far as I understand, the attack targets exactly the list of names and what they do.

By the way, the restriction written in Oracle's official position applies not only to mobile, but also to cloud platforms. That is, the desktop is the only platform on which you can use Java or any other implementation of it and not be afraid that you ...

Sasha Kozlov : And Oracle does not mind. Artem, tell us: you are a long-time Android user, you had a lot of Android phones. Are you worried?
Artem Gavrichenkov : Am I a long-time user? It depends on the definition of the word "a lot", because I have been using it for less than a year, so if 0.9 is a lot, then yes it is. In fact, there is no talk of any "killing the platform"; rather, it is someone's attempt to bite off someone else's piece of the cake, since they didn't get there in time for the distribution.

It is especially funny that the dead man (Sun Microsystems) did not have time to divide the cake, which makes this story even more fun. I'm still inclined to believe that it is not an elephant and a whale, but a giant mutant toad and a no less mutated snake. I saw something similar in some Japanese films.
Sasha Kozlov : It is quite possible. If, of course, anime can be called Japanese films, although why not.
Artem Gavrichenkov : No-no-no!
Sasha Kozlov : Do you mean actual films?
Artem Gavrichenkov : There was something with Godzilla, and there was some big worm ... Mothra, or something like that.

Privacy


Sasha K : Artem, since we started on phones, I know that you wanted to tell us something about Phantom Secure, a company to which an interesting story happened.

Artem G : Yes. This is a wonderful story. For those who do not know (and few, probably, know): on the tenth of March the FBI detained the head of a company which was engaged in the production of secure mobile phones. And really protected Androids: with the GPS physically removed, with the standard browser removed, with built-in PGP and an encrypted messenger; not Telegram, I mean, but a really secure messenger. And the FBI has arrested the people who produced such phones and is now preparing a case for trial.

At this point, if you have not heard about this news before, you probably think that the bloody American secret police oppresses freedom of speech and so on. But the fact is that the main market for such phones was Latin American drug cartels. The company was called, or is called, Phantom Secure ("phantom security"), and they actually had such a market positioning.

Their owner was caught when, in the best tradition, test purchases were made. Canadian police officers called, naturally presented themselves as drug dealers, and asked the employee if his phone was safe for discussing the delivery of methamphetamine to Montreal. To which the representative of the company happily replied that it is absolutely safe for that, you can use it. On the one hand, it's so fun to get caught out like that.

Sasha Z : Did they post a portfolio?

Artem G : Whoa! Yes, yes. I mean, when I read it, my first reaction was "shut up and take my money." Where can I buy this phone? But really.

You know, there is such a car, the Toyota Hilux; it is very well known ... Not quite. It is very popular because it is known for its indestructibility. The Toyota Hilux is the car Clarkson and May from Top Gear drove to the North Pole; they had slightly different tires, but, in principle, the same Hilux. This is the same car that Top Gear put on the roof of a multistory building before the building was blown up, and this car started up and drove off after that. But the Hilux gained fame when it was suddenly discovered that all the ... How can I put it? Arab groups?

Sasha K : Firstly, because of our wonderful Roskomnadzor, we are immediately forced to make the following reservation: "organizations that are prohibited in the Russian Federation".
Artem G : Yes, and also organizations that are apparently allowed, because there is Hezbollah, but I am not aware of its status. In general, organizations, including those banned in the Russian Federation, used these Toyotas for everything. As a result, people had a question: why aren't they delivered with turrets right away?

If anyone wants to google it at their leisure, read the fun Wikipedia articles: there is such a thing as the Toyota War. This is a weekly conflict in the Middle East where two groups clashed, most likely banned in the Russian Federation, and both groups used these Toyota Hilux for transportation.
Sasha K : It's really very cool there, i.e. they turn them into tanks, armor them, and so on.
Sasha Z : Now they can add more phones there.
Sasha K : Smart car (laughs).
Artem G : And now look.

"Phantom Secure Phone. Approved by drug cartels."

Gorgeous!
Sasha K : The best advertising, not only in the southern hemisphere, for anyone ...
Artem G : Any Blackphone can simply be shut down after that.

Kostya I : An interesting point, by the way, about a secure connection: an instant messenger of the type you just mentioned, Telegram. It's just that listeners may find it interesting that we are recording from two different points in the world, and we are now communicating with each other via Telegram.

I also wanted to tell you about one fact I discovered on the topic of Android. Perhaps you know that officially only a completely specific OS can be called Android: it should be certified by Google, it should contain not only what Google publishes as open source, but also part of their libraries and Google Play Services in particular. It is believed that if this is not on the phone, then this is not Android, i.e. you cannot use this trademark to call it that. Therefore, what is produced in large quantities in China, generally speaking, is not considered Android.
Artem Sh : It is considered so, but not called so.
Sasha Z : Who will stop them?
Kostya I : For the same reason, Lineage and what used to be called CyanogenMod are also not called Android.

An interesting nuance is that such a well-known brand as Xiaomi does not release many of its phones for sale anywhere except in China. Accordingly, if you buy a phone that was purchased in China and was somehow imported here, then most likely Google Play Services should not be on it, or if they are there, then the people who brought this phone must have unlocked the bootloader, installed some other firmware, or maybe just shoved in Google Play Services, locked the bootloader back and sold it to you. This applies to almost all Chinese manufacturers; that is, if you buy a Chinese phone, you need to check to which territory it is officially distributed.

It was an interesting discovery that I made while studying one forum. I found that people began to face this problem: they run a newly installed Lineage with Google Play Services stuffed in, and Google does not allow them to register. Users enter their usual e-mail, everything is as it should be, the password is there, and then Google answers that your device is not certified. That is, from this month, Google does not allow logging in from devices that it did not certify or did not sign with its own kind of scary signatures.

Artem Sh : The question is: “what the fuck?” Or what?
Kostya I : There is some workaround there, of course, but by and large, yes, "what the fuck"? The workaround is that you can manually find out your phone's identifier with some manipulations and register it on the Google server so that the system will link it to you, and everything will seem to work; but the point is that even those people who have already configured and connected devices to Google may soon face the problem that Google will give them a message that the device is not certified and the system will refuse to work on it: send a complaint to the manufacturer.

Artem G : And now I will tell you why this is good news, at least from what I understood. I even have a modest suspicion that I know where this comes from, why Google suddenly thought about it 10 years after grey-market phones came into existence. It's unlikely that the company began to lose market share? The point, perhaps, is different.

For quite a long time already, developers of Android applications have been getting ... from users sitting on Chinese phones produced by some company with an unpronounceable name, with 256 megabytes of memory, some kind of MediaTek processor, etc. The fact is that people install, not even a game, an audio player!, which this phone just can't handle, and they give the application a rating of 1 out of 5. As a result, evaluating applications on Google Play is quite a useless thing.

In the Russian Google Play, these ratings make no sense at all, because, if I'm not mistaken, the only application that has very few low ratings is Wi-Fi in Metro, because it is simple, works everywhere, solves the problem and helps fight the evil power in the face of the company Maxima Telecom. And all the others have a set of one-star ratings of the "slow / buggy / crashing" format, and there, as a rule, either the phone is not indicated or something is indicated in hieroglyphs.

What I'm getting at: perhaps Google heard the developers who, I can believe, got fed up with it. And, again, if it helps to bring the rating structure on Google Play to some kind of understandable state in which it can be used, it will be very good.

I really don't feel very sorry for those who are sitting on ... On the other hand, what kind of phones are not certified by Google? In my view, this is, say, something like the Kindle Fire, but Amazon has its own app store. That is, in my opinion, this is Chinese noname.
Sasha K : Yes.

Kostya I : Even if you just install custom firmware, your phone will simply change this identifier on factory reset and the device ceases to be certified in Google's terms.
Artem G : No, it's not like that. I looked: Google has a whitelist of firmware which you can enroll in. True, I don't know what the process is, and I'm not sure that this process is so simple, but Lineage seems to be on the whitelist.
Sasha Z : Well, at least I have not experienced such problems.
Kostya I : Well, first of all, this is a completely new thing. It's literally a matter of days. And secondly, it is not enough to be the firmware, i.e. there is a combination of firmware and phone.

Sasha K : That is, the hardware itself matters?
Kostya I : As far as I understand, that's just what they are doing. But I, in fact, raised this topic to lead to another conversation about some other heavy applications. The fact is that since somewhere around the beginning of this year I have been conducting an experiment on uninstalling Google applications, and in principle Google Play Services, on my phone. That is, it turns out that I have the phone which we call rooted Android, which formally, as such, is not Android.
Sasha K : Rooted pseudo-Android.
Kostya I : Rooted Lineage OS.
Sasha Z : Android Open Source Platform.
Kostya I : But this is still not Android; that is, yes, this is an open source platform, it provides you with source code from which you can build, for example, Lineage OS or something else if you wish.

So, I am a Facebook user, but I'm not subscribed to Mark Zuckerberg; however, in the last 3 weeks, being a user who opens the application every 2-3 days, I have seen the face of this person very often.
Sasha K : Because you open it very rarely. You need to open it more often.
Kostya I : Probably, but the problem is this: everyone has just learned that Facebook is collecting data. For whom was that a discovery?

That is, with these rooted Androids on some Lineage and other Privacy Advisors, people have noticed for many years now that Facebook applications climb into everything that can be done on the phone.
Sasha K : Wait, let's take a small step back and, in order to formalize it as a topic, mention the facts that made all this information appear in the Internet space, and made Konstantin Ignatov, who opens Facebook once every two days, begin to see Mark Zuckerberg everywhere.

Seven and a half gigabytes per dead man's chest


Sasha K : This story is related to Cambridge Analytica, and now we will not go into details; if you have not heard about it, then most likely you are not listening to our podcast, which means that you do not exist.
Therefore, we will not focus on the Cambridge Analytica story now, but I would really like to recall 2 points:

1. In 2010, BusinessInsider published a very interesting screenshot of Mark Zuckerberg's correspondence with one of the early co-founders of Facebook after they released the very first version (not Hot or Not, but Facebook, for Cambridge users, when it was possible to register there only with a university e-mail). The screenshot shows a dialogue where Mark writes to his friend:
- Can you imagine? Thousands of people came and gave me everything: e-mails, names, surnames, family ties, everything!
- How so? How did you ask them?
- I did nothing at all.
And then there was a wonderful expression in English, which seems to sound like "dumb fucks", i.e. Mark effectively called all those who came and registered "stupid idiots".

Artem Sh : In soft translation.
Sasha K : Yes, in a soft translation. Now, of course, as soon as the Cambridge Analytica stories began to flare up, people remembered it right away. This was the reason for the appearance of the Quit Facebook movement: Jim Carrey drew an interesting caricature, which became super popular on Twitter in one day and blew everything up, and so on.

The Cambridge Analytica story made people go and once again look at the settings of their Facebook accounts; it encouraged some to go further and leave, and some went to dig through those logs that Facebook allows you to export, from which you can find out everything that happens with your information and actions.
We have all reacted to this in different ways.
Artem Sh : Do not care.
Sasha K : No, nothing so apocalyptic is happening yet.
Sasha Z : It seems to me that Facebook is even behaving well in this situation, because it provides this information.
Sasha K : Yes, at least it does not hide it.

2. Well, in general, one researcher who had the Facebook Messenger application on his Android phone, which synchronizes contacts with the phone's address book, found that it collects metadata about calls and SMS: to whom, when, duration, etc. I think that this was the very cherry on top of this multi-story cake associated with Facebook, privacy, and the use of our data.

And, of course, the situation when Mark was silent for several days, and then bought newspaper pages in the largest American publications for one day and wrote that "you entrusted us with your data; if we don't cope, then this is bad" ... Well, yes, bad. And what will you do about it, Mark?
Of course, we all know that any company sells user data, and this is obvious, because at the moment when we use something for free, we are the product. It is very important to realize this. Those who forget about it later fall into unpleasant stories.

Kostya I : The main trick is that we are losing a simple thread. Maybe some company, maybe some people bought options against Facebook, but nothing new happened. All these topics have been discussed many times.

When I had a phone with one gigabyte of RAM a few years ago and a very small amount of storage on the phone itself, I constantly had problems because I wanted to install the Facebook application. On the then Android, version five or so, it took about 200 MB, eating about 30-40% of the free space on the phone. Even then, I thought about what permissions the program was requesting and how to remove it, which I eventually did, for that very reason. Since then, I open Facebook only in the browser. But even those iOS users who believe that they are more protected: well, yes, Facebook will not climb into your stuff, but do you think that Apple is protecting you?
Sasha K : No, of course not. Artem?

Artem G : First of all, I would like to say that, if I understand the situation correctly, you should not have praised Facebook for making it clear how much data it collects. I understand that it is the European Commission that is worth praising, for its GDPR, in which a person has the right to have information about how much data is collected about them, as well as the right to be forgotten.
In particular, Google also has such an export; you can see the links in the description of the podcast. Of course, I went through all these links. So, all of Facebook knows 55 MB of data about me in compressed form, but Google knows 7.5 GB about me in compressed form.

I haven't downloaded them yet. And this, of course, is only the main account. There, however, 5.56 GB of them are obviously mail, but, again, on the other hand, it will be 5.56 in its unzipped form ... Well, in general, I have yet to study it. But, apparently, Google knows a staggering amount about me, and about all of you, most likely, too.

This is me pointing out that Facebook is not alone. And just on this subject I have one joke from life.

I went to Brussels for the weekend. Naturally, I looked at all 3 pissing sights of Brussels: the boy, the girl, the dog. And there are only 5 sights there more or less known to the layman, in my opinion, of which 3 are pissing and 2 are not. In general, I looked at them all, and I still had a lot of time.

I decided to go somewhere. Someone from Moscow told me that there was one craft bar there; naturally I didn't go there, because if someone from Moscow knows about it, then it's obviously a tourist trap. So I found three local dudes of an alternative type and hung out with them. They turned out to be very proper European alternatives, vegans, of course, and so on, but the fact that they drank beer suited me perfectly.

During the conversation, I asked them in passing: if you are on Facebook, let me add you, we will keep in touch. To which they replied in chorus, indignantly, that no, what are you, we are not on Facebook, because Facebook sells data to the Russians (my Moscow accent did not embarrass anyone, naturally), Facebook sells data to the Americans! We only use Twitter.

I mean, all this hype around Facebook looks just like a hot topic at the moment, because, well, I don't know, probably Zuckerberg was apparently blamed for the Democratic party losing the elections. I do not see any other explanation for this hype.

Kostya I : And didn't you read the very interesting articles? From the series: he was preparing tools on his Facebook in order to run for the presidency himself ...
Sasha K : Whoa-whoa-whoa, this, of course, is speculation ...
Kostya I : Well, of course, speculation ...
Sasha K : ... there was just a very funny moment when Mark Zuckerberg started acting like a presidential candidate. It was really funny!
Artem G : He started driving around to some factories, yes, it was fun.
Sasha K : Let's move on, we still have topics on which we really would like to talk.

Buy High, Sell Low


Sasha K : I would like to give the floor to our colleagues, who so far have not been particularly involved in the conversation, and I know that Artyom read something old and wanted to tell us about stock-exchange spammers. The topic is interesting and rich; a short on Facebook just happened, didn't you mean to say that?

Artem Sh : It's still not really related to the stock exchange. The point is that MIT students conducted a study that was reported at a conference last year. They were interested in spam which offered to buy various stocks. So one wonders: what is behind this? They do not just send spam emails; perhaps they want to extract some profit from this.

It was not difficult to guess that the pump and dump strategy was implemented this way: first pump up the market, and then let it drop. The meaning is simple: there are stocks, rather small, cheap ones, which ...
Sasha K : I think, most likely you mean a small amount, yes?
Artem Sh : Yes, I mean the volume, because the word “cheap stock” is meaningless, as it seems to me.
Sasha Z : Low liquidity.
Artem Sh : Here, take them and, by mailing, raise their price; well, and before that buy, naturally, and then when their price rises, sell. The guys wondered whether this mechanism could be saddled. Does anyone do this, and is it possible for them ... to parasitize on the parasites.

The study turned out quite large, there are a lot of things in it. It turned out that although it is difficult to do, in principle it is possible. First, it is necessary to understand who exactly is pumping, i.e. which stocks are worth buying, and, secondly, to understand the moment when to sell.
After several attempts, they managed to ride the wave. The waves there, of course, are small, and very often it does not work, and very often the spammers themselves lose out, i.e. they buy shares for 100 thousand, and then sell for about the same price, but they still incur expenses for spam.

Sasha Z : They then figured out who else makes a profit from all this, and who does not.
Sasha K : Wait, and the guys who conducted the study themselves, did they end up in the black, according to the results, or not?
Artem Shvorin : Well, I don't know that, they don't talk about it, although they said that it is, in principle, possible, although very difficult.
Sasha K : Yes, I understood, they confirmed the concept, conditionally.
Artem Sh : Their main result is not to earn money, but to conduct research and get some information.

Sasha K : Actually, I also wanted to add to this that many people say something similar, i.e. they say that information can command the price of some assets and is quite active. It is clear that it has an impact on them, but when information alone can greatly influence the value of assets, this is something that exists only in the current, 21st century, probably. Previously, this was not so.
Artem Sh : No, this is still information in a general sense; it influences strongly, and it always has. Here we are talking about spammers, and that is quite surprising ... That's the thing for which I sometimes feel a sense of shame for the human race: the fact that people who believe this kind of advertising exist in such macro quantities that you can build a whole ecosystem on them.
Sasha K : And then it is also to be pursued and ...
Sasha Z : It all originated not only with spam; there are also the boiler rooms, which are all about this, even some movies have it all ... It's the same thing, spamming is just another tool.

Sasha K : I just wanted to say that in fact there has been a lot of information manipulation lately. In particular, I recall a study of AMD CPU vulnerabilities, which was released by a completely remarkable research company, Israeli perhaps, with very few details, describing everything in general terms. The most important thing is that for the exploitation of each of these vulnerabilities, admin rights are needed ...
Kostya I : That is at best, if not more.
Sasha K : Well, yes, that is, specifically local access to the machine; in my opinion, they were all of this order. However, AMD dropped almost 20% in a day.
Sasha Z : And the names there are more beautiful than the substance.
Sasha K : Yes, very beautiful names, and one can well say that the AMD short went extremely successfully.

Artem Sh : At least here there is a rather complicated mechanism with complex information, where it was not clear in advance how people would behave and so on. But when, from the same spam letters, they say "buy such and such stocks!", the hamsters rush to buy ...
Sasha K : Spammers have longer cycles. This happens much faster and more intensely.
Sasha Z : I still think that those comrades had more chances of success than those spammers.
Sasha K : Yes, I'm talking about the same thing, that the effectiveness of such actions is still a priori higher in the current society.
Artem Sh : Yes, but the mechanism is much more complicated; it is still hacking of human souls.
Sasha K : Here, too, some kind of research is needed.

Artem G : I imagine this: there is quite a criminal offense called "using insider information", yes? And I'm trying to imagine what the stock regulator will in future call searching for and publishing vulnerabilities in this way in order to influence the stock market: "outsider information"?
Artem Sh : Well, this pump and dump mechanism, even without insider information, is also ...
Sasha K : Pump and dump has existed, conditionally, for a very long time, of course.
Artem Sh : Yes, but there are also some regulations about this, including criminal restrictions, but even in the simplest case, this is not insider information.
Sasha K : That's just what Artem is saying, that it is, of course, difficult to call it that.
Artem Sh : Even in the simplest case, it is very difficult to prove something to someone ...
Sasha Z : There, most likely, the charge is not about insider trading, but some other points. That they force people to buy, cheat, relatively speaking.

Artem G : I just have some idea. Look: this is obvious manipulation of the stock market, right? Regardless of whether these vulnerabilities really exist ... well, they really do exist, by the way, because AMD has already announced that they will release firmware patches; that is, there are vulnerabilities, the issue is in the presentation.

Since it quite obviously looks like market manipulation, naturally, once - well, but for this, which has been repeated many times, the market regulator on the head is no longer stroking. I mean, there are many companies - both vendors and individual companies - that people constantly send information about bugs, based on bug bounty and all that, and then these people are subject to criminal prosecution, but, as a rule, this is nothing is ending. Or, let's say they, without receiving any answer, after 3 months they publish it in open posts and then the companies are also judged with them, also to no avail.

So, I’m wondering, here’s a company that didn’t respond to bugs, and then suffered due to this, if it comes from the point of view of exchange manipulations, will it have a greater effect or not? Because it seems to me that there will be.

Sasha K : I think it will, I agree with you, because by and large AMD can speak here primarily about the loss of profits due to the release of this report.
Sasha Z : But this is not a stock exchange manipulation.
Artem G : Just in the States ... Security is safety, and this is finance, this is the most ... This is blood.
Sasha K : In the case when the company is present on the public market, this is exchange manipulation.
Sasha Z : No, I mean lost profits.
Sasha K : Loss of profits means damage.
Sasha Z : You see, because they lost their quotes, they did not suffer any damage from this.
Sasha K : Well, this is the value of the company, as it were, it still affects some of its future. Okay, God bless her, with AMD ...

Kostya I : By the way, it’s interesting here that it seems to me that it will not be like this anymore, it will just cease to influence the stock market, well, people are just ...
Sasha K : Well, wolves and wolves wolves
Artem Sh : Well, it's been done for a long time, constantly.
Artem G : Like, 13 vulnerabilities were found in processors, right? And the market is like this: “Oh, who has none!”.
Sasha Z : And, most importantly, such a wave can now go that they will manipulate the market, throwing out some empty vulnerabilities. And it may turn out that people will relate to this more simply.
Sasha K : Nichetacogopocalypse.
Sasha Z : And when the next Specter comes out ...

Kostya I : Well, actually, yes, because, apart from Specter and Meltdown, nothing more serious has happened yet, has it? However, when Specter and Meltdown come out, primarily affecting Intel processors, the stock moves a bit lower. But a month later, Intel is in the black, i.e. the stock has gone up ...
Sasha K : No, Intel has been very cool about the whole story related to Specter and Meltdown.
Kostya I : Well, yes ... and what have they done since then?
Artem Sh : This is not Intel, it happened, probably.
Sasha K : Well, I think that there is a lot of Intel contribution to this.
Sasha Z : Yeah, so half a year they sold processors ...
Kostya I : The same ones. So what? They stopped selling these processors, or what?
Sasha K : Of course not.
Kostya I : And the new processors, which, like, are not susceptible to these vulnerabilities - they have just been announced. Microsoft, meanwhile, announces bounty, $ 250 thousand, in my opinion, to someone who finds a similar vulnerability. Just to warn in advance, and not ...
Sasha Z : I found a vulnerability, you manipulate the market.
Sasha K : Microsoft, with the purchase, I think, and so there were no problems.
Kostya I : I just think that the market will not have much influence, just people are really used to it.

PKN-Tyan


Sasha K : Well, of course. Let's move on: Sasha Zubkov, I know, wanted to tell us a funny story about how a provider such as Transtelecom experienced problems about a week ago in Russia.
Sasha Z : Specifically, he experienced.
Sasha K : Yes, and this is a topic, naturally connected with our wonderful warriors, who exist in Telegram as a wonderful anime character named PKN-Tyan.

I'm right here dragged. There are people who draw new stickers about each info page. It is very nice. They really love their work.

Sasha Z : Well, yes, once again came the incident with locks. This time TTK - Transtelecom - suffered, that is, what happened: a bunch of addresses were added to the DNS records ...
Kostya I : In the DNS records of blocked resources.
Sasha Z : Yes, blocked resources.
Sasha K : And these, with smoking mixtures.
Sasha Z : Yes, well, it does not matter, anyone could do it. There may even be something that was previously discussed: people no longer need blocked domains, they throw them out, the next one comes, sees that he is already on the list, picks it up and can do anything with it.

Many providers block these sites by turning traffic to some of their filtering systems, and do this by embedding the route into the routing table at this particular address. For routers, the route table is limited in memory by the number of entries it can contain. That day there were about one million entries.

Kostya I : And these guys recorded in one DNS record for many, many IP addresses.
Sasha Z : Accordingly, the provider Transtelecom's routers could not stand it. As a result, the provider Transtelecom just lay down for 4 or 5 hours.
Artem G : This is attached to the Greek choir of people who looked at the list of addresses recorded there, and said: “pff, Transtelecom - fuckers. It was possible to aggregate to /17, it seems.”
Sasha Z : Well, yes, perhaps on this basis, and there was a desire to ban Amazon.

Sasha K : Ah, i.e. finish Zello just with a shovel ?!
Sasha Z : Well, yes, they may have thought that it’s really, and there’s a million records to unload - you need blocks!
Artem G : There was a tradition on one legendary non-existent site, when syrani came there - and, naturally, the first post, which was a complete horror, came - they started to merge it, and syrani liked to be discouraged by the fact that “you don’t understand anything. It was an ISCPIRIMENT, and you are all victims of IKSPIRIMENT”.

I mean, I’m now in the affected area of the Federal Service for Supervision in the field of Communications, which decided to ban the entire Amazon, because Trello is hosted in Amazon. And Trello to Amazon IP addresses, which ...
Kostya I : Zello.
Artem G : Oh, Zello, yes.
Kostya I : Trello is a task tracker which.
Sasha Z : I think it will not be important soon.
Artem G : He will be there. All will be there. I mean, at the moment, there is some kind of preparation for a truly banned Amazon. Along with Amazon, Softlayer and someone else get there.

Creepy little. I think that in the near future we will find out what our critical infrastructure really is and who will be affected by this. It will be a lot of fun if it happens.

Sasha K : I understood. What is critical infrastructure and how critical it will be.
Artem G : I found the right expression. Critical days await Russian Internet infrastructure.

Serious talk about life and death


Sasha K : Well, okay. Kostya, you have been holding something for a long time there, a topic that you haven’t shown to anyone, some kind of research came out, no one saw them. More precisely, Kostya saw, we did not see. Kostya promised to tell us on a podcast about the chemical plant in Saudi Arabia and funny stories that he almost had with him.

Kostya I : Somewhere in early March, or in the middle of March, an article was published in the NY Times, where journalists asked several researchers about a single incident that occurred in August last year. Why is this topic interesting to me now?

Recently, we have become accustomed to treating security as something, like: if you have bad security, well, you will write off money from a card and this is the maximum that can happen to you. Then you will call the bank, block, then they will return them to you and that’s all security.

Now there are all sorts of IoT devices. People were blocked in the hotel remotely, as long as it is ... the maximum that was observed. But, nevertheless, situations where an attack occurs precisely on, once such a word has been used, critical infrastructures (and not necessarily critical) - they really take place.

It would seem that there is this story about a chemical plant in Saudi Arabia, even more likely its infrastructure, which was attacked in August and the whole rose. The plant turned off, the hard drives were rubbed, the recovery took several months. It would seem to us that? Apparently, well, these are some sort of clashes between Iran and Saudi Arabia, because no one could get any money from this, what could be the profit from the fact that the plant stopped, except for political influence.

And it’s a lot of money to make this attack, to do quite a lot of work, a lot of utilities - unique, as I understand from the report of the researchers. Naturally, it means that this is a state level. Well, Iran, what do we need?
So, the fact that, apparently, the utilities that made it possible, in general, were close to success.

The fact is that over the past few years there have been several major explosions at chemical plants, and there, of course, employees died, and a huge number of other employees suffered, and the poisoning of what was around, of course, had unpleasant, to put it mildly, effects. And the fact that this did not happen in August turned out to be the problem of just literally one bug in the code that was flooded, as I recall, into controllers from the Schindler company. So these controllers are used around the world.

Sasha K : Schindler is the world's largest supplier of electrical equipment for industrial enterprises.

Kostya I : Yes, well, it’s natural that there are certain security features on it and it seems there is a key-in security there, that is, you can change any settings of this equipment only physically: you come, physically insert the key and change something. It seems that it is so.

Details have not yet been disclosed, but apparently the guys who carried out this attack did manage to somehow get around this and practically provoke an explosion at this plant. And only thanks to their bug (I realized that almost a segfault happened there) in the end all the systems were turned off instead of an explosion.
But if this is the case and such utilities end up on the black market or in general free access, then security issues grow from the IT infrastructure and some, in the worst case, unclosed doors in an overly smart home, into questions about human lives. And the conversation about how Uber knocks a person on autopilot ...

Sasha K : Yes, we will discuss this a little further. I wanted to say that in a world that is becoming computerized, everything will merge, of course. Everything will be the same.
Artem Sh : Infrastructure is already understood as infrastructure in the most general sense, and not just the IT infrastructure.
Kostya I : Yes, yes, of course. In principle, we have already spoken about this in previous podcasts.
Sasha Z : By the way, with the same Amazon, I remembered, there was some case when they had some problems, and because of this, some hospitals even had problems that they just used ...
Kostya I : No, last year there was a direct attack on medical infrastructures.
Sasha K : No, wait, these are cryptographers. Artem?

Artem G : Yes. When I saw the word "chemical plant" in the podcast plan, for some reason I decided that now there would be something again about the poisoning of the Archduke Skripl.

In the subject, indeed, questions about the threat to human life, there was some news. At first there was news that the auto-piloted car Uber had knocked a man to death. It was perfectly clear that someday this will happen. And it is clear that nothing will stop at this now, because ... there is that anecdote about the Vyatka lumberjacks, to whom the Soviet government has given a chainsaw. The chainsaw bounces off the rails, but this is not a reason to chop wood with axes and keep people driving the car, huh? In the city of the future person behind the wheel, of course, will not, this is understandable.

Sasha K : I would like to add a bit to Uber, which in my opinion everything, of course, became obvious after the first death while driving a Tesla in autopilot mode. When Tesla's coolest fan, the guy who helped them write the firmware, who got permission from Musk to modify, within certain limits, his own car, which he had. He reflashed it himself, several times talked on this topic with the engineers and so on.

And he introduced light modifications to the autopilot, which allowed him to take a slightly lower class road than allowed by Tesla’s autopilot. Well, there was an accident when a timber truck at a difficult intersection, where part of the marking was missing, left it to the side, and he did not have time to react, and, accordingly, the person died.

Here we see not the death of the driver behind the wheel, but the direct hit in the car with the autopilot mode of another person.
Artem G : These are the lines of the code that handle the situation inside the Teslovsky car - I do not think at all that these are the first lines of the code written in blood. We have a lot of things that are already safe and have a positive effect on life and health.

There is another topic about this: we are now talking about the fact that the code can carry a potential threat. I wanted to talk about the code that carries a direct threat, that is, the goal of which is, in fact, the killing of humans. Because such code exists.

As many know, the armies of many countries around the world are armed with drones, in which there is no person physically. One way or another, the person still controls them, but sits far enough away from the drone itself, I mean, somewhere behind the console, and the drone is light and small, it flies and shoots some Afghan villages — with terrorists, presumably.

In early March, there was news that Google - in the words of The Intercept journalist, "surreptitiously" - signed a contract in order to work on a new initiative of the American Department of Defense to use artificial intelligence in piloting drones. That is, Google, naturally, signed up for a military contract, according to which it will explore and develop deep learning technologies that allow you to better manage the drone and better target the weapons that it has on board, as well as automate the swarm of these drones etc. This I mean, firstly, Skynet is actively writing ...
Sasha K : “Don't be evil” no longer exists.
Artem G : Yes, absolutely natural. Apparently, as I understand it, this development process will include field tests, that is, in the same Afghanistan, or I don’t know where the American troops will be at that time.

Remember that wonderful moment from “Three Billboards Outside Ebbing, Missouri”, when, they say, “the person has a supervisor, and he recently came from another country. I will give you a hint, there is a lot of sand in this country. ” And the answer is that it didn’t really narrow the circle.

In general, in some country it will happen. I mean, I just like the wording: “Starting this month, Google, also “Don't Be Evil”, officially started working on killing people.”

Sasha K : And I would also like to add such a thing here: Intel, if it hasn’t signed anything yet, it will definitely do it very soon, because Intel, in fact, is the company with the biggest results and achievements in the field of drone control today. Have you watched the performance with drones from the last Olympiad that took place in Korea? Not?

In general, the fact is that Intel now carries an awesome visual show around the world, which, of course, is created entirely by drones. Hundreds of drones that are synchronized with each other, different light bulbs hang on them, they sit down depending on the level of the battery, a replacement arrives. This is really cool!

But if you think that each of these drones will hang explosives or, conditionally, some kind of firearm, then, seriously, it looks wildly scary.
Artem G : But this is not the same drone, this, as I understand it, is a quadcopter, right?
Sasha K : Yes, here it is quadrocopters.
Artem Sh : The point is that they are not intended for design.
Sasha Z : The thing is how they are coordinated and work in managing ...
Sasha K : Yes, but the point is that we come to the fact that they say that current drones are inferior in efficiency to a swarm of drones, because a swarm of drones is cheaper than anyone else there ... I don’t remember how American drones are called, they have all sorts of cool interesting names. Because, for example, it is very difficult to blow up a landing craft with a UAV. And we dig drones - easy. That is, let's see what will come of it all, it will all translate into some kind of new military doctrines, and so on.



Artem Sh : Pelevin already wrote about this, and it is possible that the method of dealing with drones described there will be suitable.
Artem G : I have a continuation of the topic, but not about the drones, but the one with which we started, one more small news, which also passed around the 22nd. Forbes wrote that the American police ...

Yes. I need to - we discussed how people would be killed, now let's discuss why .

Forbes wrote that the police in the states now officially, without embarrassment, use the fingers of dead people, for example, suspected criminals, to unlock their phones and other wearable equipment. It turns out that the police do it without blushing, because from a formal point of view it is absolutely legal, because the person who died loses the right to privacy.
Sasha K : Well, his rights are not violated, in short.
Artem G : Yes.
Sasha Z : And if he did not die, but lost his hand?
Artem G : Yes, and this just makes the whole story a little more scary.

After all, indeed, if a person just sawed his hand, it turns out that it’s not very legal to unlock the phone with this hand. But if I’d like to solve a problem ... I’m sure: if earlier suspects or accused people were trying to detain them alive to interrogate ...

Artem Sh : Now this is not necessary.
Sasha Z : Now it is even unprofitable!
Artem G : ... taking into account the information that the phone collects, and all other data, and which only needs to be accessed, but if a person survives, you won’t get it, then it turns out to be unprofitable to take them alive now.
Sasha K : I now realized that from all the phones you need to take a receipt for article 51 of the Constitution of the Russian Federation, which allows you not to testify against yourself, relatives, relatives and everyone else.
Artem G : And the phone.

Artem Sh : Actually, returning to our previous topics about biometric identification and everything else, you can repeat the thesis that “biometrics are not suitable for cryptography,” everything.
Sasha K : Ok
Sasha Z : Or do you suggest adopting a phone?

Demand creates supply


Sasha K : We, in fact, started talking about phones, and I now remembered this story, which we haven’t discussed at all once, but in March a competition began between two companies, the main essence of whose product is unlocking iPhones, it seems.

That is, at first there was a story that there is an Israeli company, whose products, in particular, the FBI buys. And with their help unlocks locked phones without a PIN. It has a competitor which, I think, for only 15 thousand bucks sells a box that unlocks everything except the iPhone 10, which is on the latest version of iOS, conditionally.
Artem Sh : What did not have time to patch.
Sasha K : I think that the patches will be released, but here it is the price, here it is, the cost, in fact, of all those personal data that your phone collected about you and he knows. And naturally, having bought such a box for 15, you can, of course, work with more phones.

IETF 101


Sasha K : Artem, I think that, probably, you will tell us about your world tour and, in particular, about the last IETF conference held in London as the final topic, and our twelfth procurator will probably end with this, so you word!

Artem G : Well, look, in March there were two major events that I was at. This was, firstly, the ICANN Community Forum in Puerto Rico, in which I participated at the invitation of the ICANN Corporation in Fellow status, I will write a detailed report about this, I will publish it.

The ICANN meeting is such a stormy, complex event. For those who are not in the know, ICANN is a non-profit organization that is responsible for managing domain name systems and supporting everything associated with it, that is, including supporting a common platform for communication between root DNS server operators, and so on.

On the topic of "noncommercialness" there was a funny story. So, it all happened, firstly, in Puerto Rico, on an island that in the middle of last year was wiped out by two hurricanes in a row in two successions. And part of the reports was devoted to the restoration of Puerto Rico, as a civilization. I posted a photo of a slide on Facebook on which there are two photos of Puerto Rico with the ISS. One is before the hurricanes, and the second is at the end of February of this year 5 days before the ICANN meeting (or early March). And it’s obvious that - despite the fact that in the city as such it’s already incomprehensible that everything was bad there - but in fact in Puerto Rico there are still 100 thousand people sitting without light, and well and with the ISS, it is clear that the island became much duller.

So, during the opening and during the entire meeting, the most popular and most discussed topics were 2, by and large, one was the GDPR, and the second was the ICANN budget cut. Accordingly, one of the speakers at the opening invented such an aphorism, he said that "Yes, we are not-for-profit organization, but we are also not for loss." And I liked the wording “not-for-loss organization” so much, I will now apply it.
Sasha K : It's elegant.
Artem G : Yes, but Facebook will still report on this, I will not stop.

And there was really IETF 101, again, a lot of things happened there. IETF is generally 7 days of intoxication, there are first 2 days of hackathon, then there is also no time for anything. But that, in fact, is significant, and this was also discussed in the summer in one of the podcasts after the Prague IETF, this is again a story about TLS.

First, the TLS 1.3 standard has been released after many years of its preparation; we have now updated the newest TLS standard, which means that its implementation will begin to spread around the world.

For reference: no, Cloudflare does not support it, it supports it, I checked it in draft version 23, and the final draft is, um, 27, it seems, or 28, well, newer than 23. And there’s something has changed since then.

Separate applause to Eric Rescorla for TLS 1.3, separate applause for Alexey Melnikov from the Internet Engineering Steering Group, which ... In the TLS 1.3 standard, for reference, 155 pages, plus about 40 pages of DTLS 1.3 — which is the same, but on top of UDP — and plus 10 pages of the standard, which I will now say separately.

In general, Aleksey Melnikov from the Steering Group actually read all these 155 pages and really fooled about commas, for which he was very thankful for the community, because he found some cool bugs there.

And, actually, what I wanted to talk about was that ... It is clear that another attempt to make TLS visibility, to decrypt a TLS connection transparently in the middle of transport, again failed, this is not the question. Encrypted SNI, that is, Server Name Indication, was not included in TLS version 1.3 either: there was a discussion, and Guitema (fr. Huitema) stated that there is a consensus on the fact that this is something that needs to be worked on - so that even on top of encrypted traffic it was impossible to tell which hostname and which site is being accessed, which can now be done - there is a consensus in the working group that you need to work on this, just no one yet has definitely good ideas on how to do this. Well, the work will continue.

But the question is not that again! I realized that death to all out-of-band DPI solutions would come much earlier, because now a document called “draft-ietf-tls-exported-authenticator” comes out of Last Call, which is the following idea: if now in TLS we first authenticate the remote side, that is, send the request, including disclosing the host in cleartext, get the certificate (up to TLS 1.2) also in cleartext, verify the certificate and then encrypt the connection, then the exported authenticator works the opposite way: we first get the connection encrypted, we get an encrypted session, and then either inside it, or even through a different communication channel, make sure that the certificate and the keys that were used to sign the session ones really belong to what we once wanted to connect to.

This is a general idea, generally there are 10-12 pages of a draft, it is better to read them. It’s just the idea itself - it’s claimed by a lot of people, as it turns out, and, secondly, naturally, no out-of-band DPI can do anything with this case, because the connection was first encrypted, and then some data passed through it. I mean, what an interesting and evolving world we live in.

Epilogue


Sasha K : Well, thank you, Artem. Really interesting, well, it is worth saying that these are all our topics for today. Certainly, in March there were more various events, but why should we all of them, when there are key and especially those that we like.
Thanks for listening!

Kostya I : Give me a warning to our listeners so that those who like to use Firefox Nightly think carefully about whether they want to do it now, because Firefox has been doing some strange things for a long time. This time they decided to conduct research on their users ...
Sasha K : On developers. The point is that it is the developer version that sucks in a lot of information.
Kostya I : It is not that it sucks up a lot of information, but simply ... for example, in this version they launched an experiment on wrapping up DNS requests to an HTTP server, and this server is fixed there, this is an HTTP server — one of the servers ...
Sasha K : Mozilla ? Not?
Kostya I : No! Cloudflare. They signed, agreed, and everyone who installs Firefox nightly now ... and I do not agree that they are only developers, because you never know why people do it. Perhaps they want something to work faster for them, to feel that there will be tomorrow.
Artem G : Wait, it's about DNS-over-HTTPS, right? About DOH.
Kostya I : Yes.
Artem G : This is actually a pretty cool standard, it was written by Paul Hoffman - from ICANN just in time. It's pretty cool stuff.

The idea is that the DNS is not encrypted right now - once, and accessing the DNS from various JavaScript, including, but not limited to, browser extensions - you push it. Actually, DOH offers an extension for both tasks, i.e. it takes the DNS wire format and shoves it at POST.

Kostya I : This is understandable, no one argues with the fact that the standard is good. But the fact that they registered a fixed address and, in general, by default it turns on, and some companies that you did not subscribe to take and find out everything where you go there ...
Artem G : Well, I agree, merging all DNS queries to Cloudflare is a strange idea.
Kostya I : Yes, and therefore, it may be worthwhile for comrades who are interested in it to look, after all, at free builds of Firefox, since they exist; they exist for a mobile phone, perhaps you should look at Firefox Klar, for example.
Artem G : Yes, do not use nightly. I have this story: I was absent from the past podcast, was at that time in Kathmandu.

There I was not just like that, there was APRICOT - or rather, the forty-fifth APNIC community meeting and the APRICOT 2018 conference dedicated to this. One comrade spoke at the conference, who spoke about DNS resolving and mentioned 8.8.8.8 and 9.9.9.9, and said that these are resolvers that are open to everyone, and if you use them (and they are free), you should understand that if you use a free product, then, as stated in the podcast today, “if a product is free, then the product is you”.

So, in the hall were the guys from Quad9, who were so offended! The fact is that they provided some sonorous evidence that it is, to put it mildly, unfair to them, because Quad9 is a 501(c)(3) American nonprofit, that is, it is absolutely transparent, it is funded by IBM and PacketClearingHouse, and with technical support from PacketClearingHouse, which is also not particularly noticeable. And in itself it is nonprofit, transparent, it does not drain data to anyone and it cannot receive money from anyone, and if it does, everyone will know about it and can refuse to use it.

I mean, do not put nightly and use 9.9.9.9 instead of 8.8.8.8, because it will not be worse from this for sure.

Sasha K : Yes, thank you, now for sure thanks for listening to us. It was the twelfth procurator, and today he was literally full, and what he is full of is a separate question.
Artem G : This part makes me look fat.
Sasha K : Here and now they diverge: Sasha Kozlov is me, Artem Gavrichenkov, Kostya Ignatov, Sasha Zubkov and Artem Shvorin. Thank you for listening (ed. comment: and for reading), we will hear from you in a month.

Source: https://habr.com/ru/post/353398/