Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
193
hpr_transcripts/hpr3828.txt
Normal file
@@ -0,0 +1,193 @@
Episode: 3828
Title: HPR3828: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3828/hpr3828.mp3
Transcribed: 2025-10-25 06:09:43

---

This is Hacker Public Radio Episode 3,828 for Wednesday, 5 April 2023.
Today's show is entitled, The Oh No, News.
It is hosted by some guy on the internet, and is about 18 minutes long.
It carries a clean flag.
The summary is, Oh No, News is Good News.
Hello and welcome to another episode of HPR.
I'm your host, some guy on the internet.
Let's begin the Oh No News.
We're going to start off with Threat Analysis, Your Attack Surface.
The first story we're going to cover under Threat Analysis is going to be the Plex and
Last Pass story.
In the last episode of The Oh No News, I covered Last Pass in their vulnerability history,
or I should say their recent vulnerability history.
I did not want to include the name Plex back then, I wanted to read some more on it,
so that way when I reported using the name Plex, I would have a little bit more
details and I felt like that was a more responsible approach.
Now I just want to be clear, currently it is pure speculation that Plex Media Server
was involved in the Last Pass data breach.
A Plex vulnerability dubbed CVE 2020 5741 was patched in May of 2020, but a bleeping computer
article states, quote, close quote, later in that same bleeping computer article, which
you can find in the show notes, all articles mentioned here will be in the show notes.
I just wanted to state that bleeping computer linked to an ARS Technica article, the
ARS Technica article states, quote, according to a person briefed on a private report from
Last Pass, who spoke on conditions of anonymity, the media software package that was exploited
on the employee's home computer was Plex, close quote, ARS Technica also mentioned in
this article, quote, interestingly, Plex reported its own network intrusion,
on August 24, just 12 days after the second incident commenced.
Close quote, the second incident being the second Last Pass incident, just keep in mind,
we're not saying the two are linked, but it's very interesting that right after Last Pass
had their incident suddenly Plex has a data breach of their own, we're going to move on over
to Plex and the security announcement that they've made regarding the CVE 2020 5741.
Now, let's go ahead and read a message from the Plex security team from May 2020, quote,
we have recently been made aware of a security vulnerability related to Plex media server.
This issue allowed an attacker with access to the server administrator Plex account to upload a
malicious file via the camera upload feature and have the media server executed.
This could be done by setting the server data directory to overlap with the content location
for a library on which the camera upload was enabled. This issue could not be exploited
without first gaining access to the server's Plex account.
Close quote, Plex also mentioned that they're going to start mitigation in version
1.19.3 of the Plex media server. So there's one thing that I'm going to point out here,
the attacker has to first have admin access on the system to the Plex media server.
Most people already, you know, we give a pass to anyone or anyone's software when an attacker
has rude access on the machine. Kind of hard to just only blame Plex there, you know what I mean?
What makes this bug a little more dangerous is, like they mentioned earlier, once the attacker
has rude access they exploit this vulnerability within Plex and use Plex to then execute code
without the user knowing it. Plex is being used as a link in the attack chain.
Then after the latest last pass incident in August of 2022, don't worry, I'm not going to cover
all of the details that were mentioned in the last oh no news, but shortly after last pass
is data breach in August of 2022. Approximately 12 days later Plex also had a data breach in August
of 2022. The Plex data breach was just as bad. I mean, last pass is worse because again,
it's the keys to everyone's kingdom. However, the Plex data breach, the attacker had access to
passwords, user names and emails of over 30 million customers. Plex of course went through the
usual methods of requiring all of its customers to reset their passwords and other security measures.
They also snuck in a little message at the bottom saying, no payment data was leaked. Like that's
going to do anybody any good, especially when it's tied to last pass, right? I don't mean to laugh
because this is a terrible thing that has happened, but I can just imagine trying to recover your
reputation when something like this gets out. After having ARS Technica mentioned that a
confidential informant from last pass stated that it was Plex's fault this whole thing happened.
Which is kind of funny, right? It does feel like pointing the finger here.
You know, last pass with all their terrible policies, now trying to go, no, no, it wouldn't us,
you know, Plex and their their software is why this whole thing occurred. Plex did not respond
in the way that we're used to within the online slash Linux community.
Thank you for calling Lesbos. How may I help you? How dare you try to drag Plex into your nonsense?
You and your buggy half big beta software. We didn't.
Now we didn't get that. Instead, Plex gave us something a little bit more classy and professional.
Quote. We have not been contacted by last pass, so we cannot speak to the specifics of their incident.
We take security issues very seriously and frequently work with external parties who report
issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported,
following responsible disclosure, we addressed them swiftly and thoroughly and we've never had a
critical vulnerability published for which there wasn't already a patched version released.
Close quote. So there you have it folks, that's what I have so far on this whole Plex and last pass
debacle. Last pass attempting a graceful landing. Only problem is they're moving at about
400 kilometers per hour, so I don't know how graceful it's going to be. They attempted to pull
the Plex parachute at the last second and eat the evidence that came from it all does kind of
suggest. Plex may have had a part in it, however, I cannot state enough. This is like circumstantial
evidence, right? These are things that are just happening around the same time period,
and currently last pass has not released any sort of actual data that they've gathered from
the employee's home computer that that would suggest that yes indeed Plex did play a part in this,
so this is all just mere speculation. So let's move on from here. If there's more details in the
future, I'll bring you back in on it. On next story, not to be confused with key pass XC
vulnerability allows attackers with right access to the XML config to export clear text passwords.
This door was brought to us by NIST, the National Institute of Standards and Technology. All right,
I'm going to boil this one down. This is vulnerability with the key pass database file,
but in order for it to be exploited, the attacker would need to have physical access to the machine
with the user that controls the password database file being already logged in,
so like if you were to walk away from your PC and just left it logged in and someone walked up to
that PC and found your key pass database, they can then exploit this vulnerability. So either that
or an attacker with root access to your machine. In other words, your PC was already owned,
so this vulnerability is just sort of side effect of your PC being owned. Now with that said,
it's still pretty rough because you expect your password to vault to keep your passwords secure.
Key pass has patched this by the way, and I have some supporting articles down in the show notes
that will take you to the different articles showing the patched versions, which I believe is 2.53
is the version that is patched or 2.53.3 something like that. I just wanted to report this and
what I feel to be a more responsible manner before it gets out there that, oh no!
Key pass XC is super vulnerable and you're going to lose all your passwords because other stories
with last pass and everything else that's happening out there. So you know now, if you're using
Key pass, just make sure you keep it up to date. Don't let anybody, you don't know access to your
computer, right? And you'll be just fine. All right, let's go ahead and pivot on over to the user
space version of the show. First article. How to delete yourself from the internet. Bye bye!
I'm going to go ahead and spoil it for you here folks. You cannot actually delete yourself from
the internet. Yeah, once you've uploaded something to someone else's computer, just because you made
a request for them not to display it to you anymore, does it mean it's not there anymore? But the
article goes on telling you different methods about sending requests over to Google to remove
information because it reveals very private information like your phone number, your home address
or things like that. And Google will remove it from the search results. They also go on to show
you how to, you know, delete social media accounts and other chat service accounts. One of the good
things about the articles, they talked about Firefox relay a little bit, you know, just for a teeny
bit, which yay, Firefox, right? Mention some information about using VPNs, which is good
information, but it doesn't, you know, it keeps you private on the internet. It won't actually
delete you. This is just preemptive measures and remaining anonymous on the internet. And understand
that's still very limited, depending on who's coming after you or who's looking for you. If they
have enough time and resources, they'll find you. But I thought it was still a nice little article
to mention for user space. If you were looking to clean up your trail just a little bit and you
wanted a nice method to go about that, I thought this article was, it was decent, especially if you
can find your personal information in a Google search, like right on the search page, your phone
number or something just pops up and you don't know why. Yeah, you might want to take care of that.
And our next article, Mark Zuckerberg's meta exploring plans to launch Twitter rival.
Yeah, I included this one in user space because I thought it was funny Facebook's basically
from what it sounds like. Facebook's basically playing around with a mastodon like
instance. So there's the idea written in the story that meta aka Facebook is going to be launching
a Twitter alternative, something like mastodon, but of course it's going to be centralized instead
of decentralized. And it's just plans for now. There's no real evidence of it. Apparently he's
nervous about how TikTok's taking over, drawing a bunch of his Instagram models and things
away from the platform. So got to come up with something fresh and hip and you know all the other
cliche nonsense. My throat's starting to give out here and drinking a ton of water, but I'm
going to we're going to push on folks. We're going to keep going. Let's go ahead and change over
to the next segment, which is toys for text. All right, we were the last time we did this. It's
kind of hard to find cool toys for text, but the first one I found was a nice little E ink
display, which is mounted to a Raspberry Pi P cool wireless board. And it's called the Inky
Frame 4. It has a Wi-Fi connectivity. You can mount extra storage using an SD card. Very low
power usage. Now for some details on that E ink display is the E ink gallery palette 4000 E paper.
I don't know if that makes sense to you or not, but I got some links in the description if it doesn't.
It's an ACEP, which stands for Advanced Color E Paper 7 color with black, white, red, green, blue,
yellow, and orange. And it looks pretty cool. It looks like a nice little wall mount system or whatever
if you wanted, like just a little E display somewhere. So you can imagine this thing is going to be
super low power because of that E ink technology. And it's colored. They have some of the
some little images displaying the color palette and they show things like the pillars of creation
and a few other really cool images that look fairly nice. But you know, just take a look at it.
I didn't see any availability on it like they're out of stock at the moment. So yes,
might be supplies, chain issues or who knows, but it looks really cool and I thought I'd show it
off here. Oh, and I almost forgot. Phil King, the author of the of the article, he gave it a
wonderful review quote. A classy color E ink display whose Wi-Fi connectivity greatly extends
the possible uses, including as a digital photo art frame, life organizer, a low powered smart
dashboard. Close quote. Now, because I don't know anything about C or C++ or micropython,
I can't give you a ton of detail on that, but I have included links in the description for the
the libraries. I think it links to GitHub and shows you some code examples and stuff like that.
I was just poking around and obviously I can't really make sense of what I'm looking at,
but it's there. If you can, you can look at it and have this schematic. So it's pretty nice.
I think that's a nice little toys for techs. I think it comes in the whole device with the pie
pico and everything comes in at about 70 US dollars, I think it was. So if that's something you're
interested in, that whole E ink thing, I remember that was big a little while ago. Yeah, take a look
at that. All right, last but not least, our last toy and story for today. We're looking at the
ubiquo UBS HM2, which is like one of their really, really small form factor ubiquies. This one was
created specifically for the public sector and they go into detail about all the different
changes that they're making for this device. It's not a very podcast friendly story and I'll just
give you an example of why it's got a lot of alphabet soup and it's so here's a quick little line
from the story here. Support for advanced encryption standards AES in electronic codebook ECB
and cypher block chaining CBC modes, right? So then when you want to read further into that
and you go with AS is one of the most widely used symmetric cryptograph algorithms and can be
used in several several modes such as ECB CBC CCM and GCM. All right, I'm going to stop there
because you know, like I mentioned, this isn't a very podcast friendly thing to read, but it's
it's ubiquo, it's more security and they go they talk some about the different threats that are
out there. It's all usual one zero day exploits other type of malware that's out there. It's not
going to help you against something like ransomware, but still, you know, somebody's trying to break
in and get credentials. Yeah, this low device super low profile. For me personally, I'd have to
keep it on the land here because I got kind of, you know, fat fingers. I can't really pinch down to
pull such a small device out of the USB slot once it's inserted. So like if you take a look at it
in the show notes down there, it is it's quite the the form factor. All right, ladies and gentlemen,
now my closing thoughts here before we end the show. I just wanted to mention that I reconfigured
the way the show notes are so that it is more accessible to to listeners who want to go through
the show notes. I had some help from HPR members want to give a shout out to Mike Ray for assisting me
via email. No, I must have been annoying the crap out of him. Just blasting him. You know,
hey, Mike, take Mike, would you take a look at this? You know, just constantly sending emails back
and forth trying to get him to look at stuff as I'm as I'm making changes. So I thank him for
for assisting me with that. And Dave as well, Dave, give me some help. He pointed me in direction
that would allow me to, you know, learn other features using a pan doc. And yeah, I mean,
I believe we got the show notes looking pretty good. And I included an additional information
section at the bottom of the notes. You can go through that to learn more if you're new to HPR
and all of the security and technology. I've got some some standardized notes I'd like to continue
including with future shows, future, all-no news shows. So that's about it. Thank you guys for listening.
And I'll see you guys in the next episode. Goodbye!
You have been listening to Hacker Public Radio at Hacker Public Radio does work. Today's show was
contributed by a HPR listener like yourself. If you ever thought of recording podcast,
you can click on our contribute link to find out how easy it really is. Hosting for HPR has been
kindly provided by an honesthost.com, the internet archive and our sings.net. On the Sadois
stages, today's show is released on their creative comments, attribution, 4.0 International
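Review bot: the added file ends mid-sentence at "stages, today's show is released on their creative comments, attribution, 4.0 International", so the transcript looks truncated; check the transcription step before the loader ingests it. The header block (Episode:, Title:, Source:, Transcribed:, then a `---` separator) is an ad hoc format the in-memory data loader will have to parse, and nothing documents it; describe the schema in the README or a loader docstring. The `Transcribed:` timestamp indicates machine transcription, and the text carries recognition errors such as "rude access" for root access, "key pass XC" and "Lesbos", which will degrade keyword search over transcripts; consider a header field flagging the text as automatically generated so search results can say so.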