Episode: 3828
Title: HPR3828: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3828/hpr3828.mp3
Transcribed: 2025-10-25 06:09:43
---
This is Hacker Public Radio Episode 3,828 for Wednesday, 5 April 2023. Today's show is entitled The Oh No! News. It is hosted by Some Guy on the Internet, and is about 18 minutes long. It carries a clean flag. The summary is: Oh No! News is Good News. Hello and welcome to another episode of HPR. I'm your host, Some Guy on the Internet. Let's begin the Oh No! News. We're going to start off with Threat Analysis, Your Attack Surface. The first story we're going to cover under Threat Analysis is going to be the Plex and LastPass story. In the last episode of The Oh No! News, I covered LastPass and their vulnerability history, or I should say their recent vulnerability history. I did not want to include the name Plex back then; I wanted to read some more on it, so that when I reported using the name Plex, I would have a little bit more detail, and I felt like that was a more responsible approach. Now I just want to be clear: currently it is pure speculation that Plex Media Server was involved in the LastPass data breach. A Plex vulnerability dubbed CVE-2020-5741 was patched in May of 2020, but a BleepingComputer article states, quote, close quote. Later in that same BleepingComputer article, which you can find in the show notes (all articles mentioned here will be in the show notes), I just wanted to state that BleepingComputer linked to an Ars Technica article. The Ars Technica article states, quote, according to a person briefed on a private report from LastPass, who spoke on condition of anonymity, the media software package that was exploited on the employee's home computer was Plex, close quote. Ars Technica also mentioned in this article, quote, interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced.
Close quote. The second incident being the second LastPass incident. Just keep in mind, we're not saying the two are linked, but it's very interesting that right after LastPass had their incident, suddenly Plex has a data breach of their own. We're going to move on over to Plex and the security announcement that they've made regarding CVE-2020-5741. Now, let's go ahead and read a message from the Plex security team from May 2020, quote, we have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator's Plex account to upload a malicious file via the camera upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which the camera upload was enabled. This issue could not be exploited without first gaining access to the server's Plex account. Close quote. Plex also mentioned that they're going to start mitigation in version 1.19.3 of the Plex Media Server. So there's one thing that I'm going to point out here: the attacker has to first have admin access on the system to the Plex Media Server. Most people already, you know, we give a pass to anyone or anyone's software when an attacker has root access on the machine. Kind of hard to just only blame Plex there, you know what I mean? What makes this bug a little more dangerous is, like they mentioned earlier, once the attacker has root access they exploit this vulnerability within Plex and use Plex to then execute code without the user knowing it. Plex is being used as a link in the attack chain. Then after the latest LastPass incident in August of 2022, don't worry, I'm not going to cover all of the details that were mentioned in the last Oh No! News, but shortly after LastPass's data breach in August of 2022, approximately 12 days later, Plex also had a data breach in August of 2022.
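The advisory quoted above describes a configuration condition rather than a code bug: a library with camera upload enabled whose content location overlaps the server data directory. As an added example (not Plex's code and not from the episode), here is a defender-side configuration audit that flags exactly that condition; the `Library` structure and the sample configuration are constructed for illustration and are not Plex's real settings format.

```python
import os
from dataclasses import dataclass
from typing import List


@dataclass
class Library:
    """Hypothetical view of one media library's settings (constructed, not Plex's schema)."""
    name: str
    content_path: str
    camera_upload: bool


def _norm(path: str) -> str:
    # Normalise so "/srv/plex/../plex/data/" and "/srv/plex/data" compare equal.
    return os.path.normpath(os.path.abspath(path))


def paths_overlap(a: str, b: str) -> bool:
    """True when one directory is the other or lies inside it.

    Uses commonpath rather than str.startswith so that "/a/bc" is NOT
    treated as living inside "/a/b".
    """
    a, b = _norm(a), _norm(b)
    return os.path.commonpath([a, b]) in (a, b)


def risky_libraries(data_dir: str, libraries: List[Library]) -> List[str]:
    """Names of libraries matching the advisory's precondition:
    camera upload enabled AND content location overlapping the data directory.
    Overlap alone (camera upload off) is not flagged, mirroring the advisory.
    """
    return [lib.name for lib in libraries
            if lib.camera_upload and paths_overlap(data_dir, lib.content_path)]


# Constructed sample configuration (paths are illustrative, not real defaults).
SAMPLE_DATA_DIR = "/var/lib/plexmediaserver/Library"
SAMPLE_LIBRARIES = [
    Library("Photos", "/var/lib/plexmediaserver/Library/Application Support/Uploads", True),
    Library("Movies", "/srv/media/movies", True),            # separate tree: fine
    Library("Misc", "/var/lib/plexmediaserver", False),      # overlaps, but no camera upload
    Library("Backups", "/var/lib/plexmediaserver", True),    # data dir sits inside this library
]

if __name__ == "__main__":
    for name in risky_libraries(SAMPLE_DATA_DIR, SAMPLE_LIBRARIES):
        print(f"WARNING: library '{name}' overlaps the data directory with camera upload on")
```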
The Plex data breach was just as bad. I mean, LastPass is worse because, again, it's the keys to everyone's kingdom. However, in the Plex data breach, the attacker had access to passwords, user names and emails of over 30 million customers. Plex of course went through the usual methods of requiring all of its customers to reset their passwords and other security measures. They also snuck in a little message at the bottom saying no payment data was leaked. Like that's going to do anybody any good, especially when it's tied to LastPass, right? I don't mean to laugh, because this is a terrible thing that has happened, but I can just imagine trying to recover your reputation when something like this gets out, after having Ars Technica mention that a confidential informant from LastPass stated that it was Plex's fault this whole thing happened. Which is kind of funny, right? It does feel like pointing the finger here. You know, LastPass with all their terrible policies, now trying to go, no, no, it wasn't us, you know, Plex and their software is why this whole thing occurred. Plex did not respond in the way that we're used to within the online slash Linux community. Thank you for calling Lesbos. How may I help you? How dare you try to drag Plex into your nonsense? You and your buggy half-baked beta software. We didn't. Now, we didn't get that. Instead, Plex gave us something a little bit more classy and professional. Quote. We have not been contacted by LastPass, so we cannot speak to the specifics of their incident. We take security issues very seriously and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported, following responsible disclosure, we address them swiftly and thoroughly, and we've never had a critical vulnerability published for which there wasn't already a patched version released. Close quote.
So there you have it, folks. That's what I have so far on this whole Plex and LastPass debacle. LastPass attempting a graceful landing. Only problem is they're moving at about 400 kilometers per hour, so I don't know how graceful it's going to be. They attempted to pull the Plex parachute at the last second, and the evidence that came from it all does kind of suggest Plex may have had a part in it. However, I cannot state enough, this is like circumstantial evidence, right? These are things that are just happening around the same time period, and currently LastPass has not released any sort of actual data that they've gathered from the employee's home computer that would suggest that yes, indeed, Plex did play a part in this. So this is all just mere speculation. So let's move on from here. If there's more details in the future, I'll bring you back in on it. Our next story: KeePass, not to be confused with KeePassXC, vulnerability allows attackers with write access to the XML config to export cleartext passwords. This story was brought to us by NIST, the National Institute of Standards and Technology. All right, I'm going to boil this one down. This is a vulnerability with the KeePass database file, but in order for it to be exploited, the attacker would need to have physical access to the machine with the user that controls the password database file already logged in. So, like, if you were to walk away from your PC and just left it logged in and someone walked up to that PC and found your KeePass database, they can then exploit this vulnerability. So either that, or an attacker with root access to your machine. In other words, your PC was already owned, so this vulnerability is just sort of a side effect of your PC being owned. Now with that said, it's still pretty rough, because you expect your password vault to keep your passwords secure.
KeePass has patched this, by the way, and I have some supporting articles down in the show notes that will take you to the different articles showing the patched versions, which I believe is 2.53, or 2.53.3, something like that. I just wanted to report this in what I feel to be a more responsible manner before it gets out there that, oh no! KeePassXC is super vulnerable and you're going to lose all your passwords, because of other stories with LastPass and everything else that's happening out there. So you know now: if you're using KeePass, just make sure you keep it up to date. Don't let anybody you don't know access your computer, right? And you'll be just fine. All right, let's go ahead and pivot on over to the User Space section of the show. First article: How to delete yourself from the internet. Bye bye! I'm going to go ahead and spoil it for you here, folks. You cannot actually delete yourself from the internet. Yeah, once you've uploaded something to someone else's computer, just because you made a request for them not to display it to you anymore doesn't mean it's not there anymore. But the article goes on telling you different methods about sending requests over to Google to remove information because it reveals very private information like your phone number, your home address or things like that. And Google will remove it from the search results. They also go on to show you how to, you know, delete social media accounts and other chat service accounts. One of the good things about the article: they talked about Firefox Relay a little bit, you know, just for a teeny bit, which, yay, Firefox, right? They mention some information about using VPNs, which is good information, but it doesn't, you know, it keeps you private on the internet. It won't actually delete you. These are just preemptive measures for remaining anonymous on the internet.
And understand that's still very limited, depending on who's coming after you or who's looking for you. If they have enough time and resources, they'll find you. But I thought it was still a nice little article to mention for User Space. If you were looking to clean up your trail just a little bit and you wanted a nice method to go about that, I thought this article was decent, especially if you can find your personal information in a Google search, like right on the search page your phone number or something just pops up and you don't know why. Yeah, you might want to take care of that. And our next article: Mark Zuckerberg's Meta exploring plans to launch Twitter rival. Yeah, I included this one in User Space because I thought it was funny. Facebook's basically, from what it sounds like, Facebook's basically playing around with a Mastodon-like instance. So there's the idea written in the story that Meta, aka Facebook, is going to be launching a Twitter alternative, something like Mastodon, but of course it's going to be centralized instead of decentralized. And it's just plans for now. There's no real evidence of it. Apparently he's nervous about how TikTok's taking over, drawing a bunch of his Instagram models and things away from the platform. So he's got to come up with something fresh and hip and, you know, all the other cliche nonsense. My throat's starting to give out here and I'm drinking a ton of water, but we're going to push on, folks. We're going to keep going. Let's go ahead and change over to the next segment, which is Toys for Techs. All right, like the last time we did this, it's kind of hard to find cool toys for techs, but the first one I found was a nice little E Ink display, which is mounted to a Raspberry Pi Pico W wireless board. And it's called the Inky Frame 4. It has Wi-Fi connectivity. You can mount extra storage using an SD card. Very low power usage.
Now for some details on that E Ink display: it is the E Ink Gallery Palette 4000 ePaper. I don't know if that makes sense to you or not, but I got some links in the description if it doesn't. It's an ACeP, which stands for Advanced Color ePaper, 7 color, with black, white, red, green, blue, yellow, and orange. And it looks pretty cool. It looks like a nice little wall mount system or whatever if you wanted, like just a little E display somewhere. So you can imagine this thing is going to be super low power because of that E Ink technology. And it's colored. They have some little images displaying the color palette, and they show things like the Pillars of Creation and a few other really cool images that look fairly nice. But, you know, just take a look at it. I didn't see any availability on it, like they're out of stock at the moment. So yes, might be supply chain issues or who knows, but it looks really cool and I thought I'd show it off here. Oh, and I almost forgot. Phil King, the author of the article, gave it a wonderful review, quote, a classy color E Ink display whose Wi-Fi connectivity greatly extends the possible uses, including as a digital photo art frame, life organizer, or a low-powered smart dashboard, close quote. Now, because I don't know anything about C or C++ or MicroPython, I can't give you a ton of detail on that, but I have included links in the description for the libraries. I think it links to GitHub and shows you some code examples and stuff like that. I was just poking around and obviously I can't really make sense of what I'm looking at, but it's there. If you can, you can look at it, and they have the schematic. So it's pretty nice. I think that's a nice little Toys for Techs. I think the whole device, with the Pi Pico and everything, comes in at about 70 US dollars, I think it was. So if that's something you're interested in, that whole E Ink thing, I remember that was big a little while ago.
Yeah, take a look at that. All right, last but not least, our last toy and story for today. We're looking at the Yubico YubiHSM 2, which is like one of their really, really small form factor YubiKeys. This one was created specifically for the public sector, and they go into detail about all the different changes that they're making for this device. It's not a very podcast-friendly story, and I'll just give you an example of why: it's got a lot of alphabet soup. So here's a quick little line from the story here: support for Advanced Encryption Standard (AES) in Electronic Codebook (ECB) and Cipher Block Chaining (CBC) modes, right? So then when you want to read further into that, you go with: AES is one of the most widely used symmetric cryptographic algorithms and can be used in several modes such as ECB, CBC, CCM and GCM. All right, I'm going to stop there because, you know, like I mentioned, this isn't a very podcast-friendly thing to read, but it's Yubico, it's more security, and they talk some about the different threats that are out there. It's all the usual ones: zero-day exploits, other types of malware that's out there. It's not going to help you against something like ransomware, but still, you know, somebody's trying to break in and get credentials. Yeah, this device is super low profile. For me personally, I'd have to keep it on a lanyard here because I got, you know, fat fingers. I can't really pinch down to pull such a small device out of the USB slot once it's inserted. So, like, if you take a look at it in the show notes down there, it's quite the form factor. All right, ladies and gentlemen, now my closing thoughts here before we end the show. I just wanted to mention that I reconfigured the way the show notes are so that it is more accessible to listeners who want to go through the show notes. I had some help from HPR members; I want to give a shout-out to Mike Ray for assisting me via email.
Now, I must have been annoying the crap out of him. Just blasting him. You know, hey, Mike, would you take a look at this? You know, just constantly sending emails back and forth trying to get him to look at stuff as I'm making changes. So I thank him for assisting me with that. And Dave as well. Dave gave me some help. He pointed me in a direction that would allow me to, you know, learn other features using Pandoc. And yeah, I mean, I believe we got the show notes looking pretty good. And I included an additional information section at the bottom of the notes. You can go through that to learn more if you're new to HPR and all of the security and technology. I've got some standardized notes I'd like to continue including with future shows, future Oh No! News shows. So that's about it. Thank you guys for listening. And I'll see you guys in the next episode. Goodbye! You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, you can click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International