Episode: 4005 Title: HPR4005: Sgoti's reply to multiple shows. Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4005/hpr4005.mp3 Transcribed: 2025-10-25 18:31:32

---

This is Hacker Public Radio Episode 4005 for Friday the 8th of December 2023. Today's show is entitled "Sgoti's Reply to Multiple Shows". It is hosted by Some Guy on the Internet, and is about 15 minutes long. It carries a clean flag. The summary is: Sgoti's reply to a few HPR shows.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy on the Internet. Alright, this is actually round two of recording this show. I didn't like the way the first one came out. I rambled a bit too much, got into laughing and talking about all sorts of nonsense, and I had a good time making it, but it was way, way off topic. So, one more time. Alright, the first show that I want to talk about. This is a reply show, I don't know if I mentioned that or not. So the first show I'm replying to is Operator's show on Beeper.com, which is HPR 3988. He did a great job. I think that Beeper is a wonderful project; I just don't think it's for me. It's a great solution, just not my solution. I want fewer notifications, less interaction in that way. You know, don't get me wrong, we all have multiple chat programs that we use, and the idea of tying them all together into one sounds great, but it also sounds super complicated and bound to fail. How many of you have ever seen The Three Stooges? They did a gag where one of the Stooges was supposed to be fixing the plumbing downstairs, and there was a pipe leaking water.
Basically, it was just dumping free-flowing water in the house, so he would just keep getting a new elbow and dumping it on, you know, tying it on, and another one and another one, just over and over again, and eventually he'd encased himself in this webbing of pipes, and above his head was like a Y pipe or a T pipe just spewing water all over him and all over the house, and it was just a mess. That's what I think about when I think of this type, not Beeper itself, but this type of operation, right, because Matrix bridges are already finicky and require a lot of time and effort to maintain, or so I've heard; I've never actually maintained one. The idea that a company is building a product, building a service off of this, it just sounds way too complicated, but I wish you the best of luck. It sounds cool; definitely give us more updates in the future. I'm also interested in how the iOS iMessage thing works with that, you know, very curious as to how that works.

Number two that I want to reply to, anyway, is HPR 3989, which is Ahuka's LastPass security update. Great stuff. I mean, while we're at it, let me also make sure that we talk about Operator's response to Ahuka as well. Let me add this in here; I need to make sure I update my notes, because I listened to that show earlier today, which is HPR 3994, the LastPass response by Operator to Ahuka, talking about LastPass's hack. I already discussed it in the past as well. I do not fault any company for getting attacked, especially a company like LastPass, whose business model means they hold the keys to everyone's kingdom. You're going to get attacked. If you're on the internet, you're already being attacked; it's just whether or not you know about it, and/or whether or not you can stop it.
Yeah, no fault for getting attacked. However, I think that LastPass, at least back when the attack occurred, had very bad internal policy. It was reported by an anonymous source, believed to be a LastPass employee, and I think Ars Technica did the reporting, didn't they? That's where I covered it, anyway. They reported that the developer who was like ground zero for the attack was basically using his work laptop as his personal laptop, so he was just running everything on one machine. So it's not the fact that you were attacked, it's just that you allowed such terrible policy, that that was allowed to happen. And it's one thing where, okay, a guy tried something crazy, you know, he's skirting the rules, and I get it, you can't keep an eye on everybody, you've got to have some trust, and some people are going to kind of get away with some things. But there are also environments where this cannot happen, right? You've got one of the guys who has the keys to the kingdom, and his keys give access to everyone else's keys, and you're trying to tell me this was allowed to fly? Yeah, I don't blame you for being attacked, but the reasons why you were attacked, bad policy and that kind of thing, yeah, that's where I would not recommend a company like LastPass.

I think Trey also left a comment on this on Ahuka's show about changing your passwords. Yes, indeed. For every one of those people that used LastPass and did not change every single one of the account credentials that were stored in that vault, they're asking for trouble, right? I don't blame them because they were attacked; however, now that you know you were attacked, your credentials are now in the hands of people who are rushing to crack them, and I'm pretty sure you know you're using a bonehead password, right? My dog's name plus, you know, the year I got them, that kind of thing. You know that vault's going to go down sooner or later, and when it does, everything goes with it. So what do you do?
Well, you're smart enough: you get out there and you start changing all your credentials, because here's another thing: when LastPass is forced to admit to the breach, it could be months after it actually happened, so the attackers have had this data and been cracking it, you know, working on it, for all this time. When you hear about it, get on it. And yes, I know a lot of us, like me, I have about, you know, 300-plus accounts online, so that would mean a lot of work that needs to be done. However, I'd like to get into my accounts in the future, right? I'd like for my bank to maintain its secure status and not wake up the next day and find my account empty, so I'd better get on that, right?

So I think these are great shows. And also, if I remember correctly, I've been listening to so many shows and things, Operator threw out an invitation to doing shows, collaborating. I'm always looking to collaborate. I'd like to, you know, try to sync up sometime where we can get together and cut a show. I think email is a good topic we can discuss. I'd like to, you know, spitball my ideas at you about email, or whatever, maybe even browser security. As a matter of fact, in that show, I think it was the LastPass response show, or one of the shows that he's done, I can't recall right now, he was talking about different ways to secure applications by creating different users and having those users run the applications. That way, if an attacker does breach it, they would have to, you know, escalate permissions, or try to, because that user doesn't have permissions; they would have to hop to another user, and then, you know, that kind of thing.
I have never thought to do that on a desktop environment. I have done that on a server, when I ran a Minecraft server. You know, you have your user that you normally operate and manage things with, and then for the services that you're running, you create different users for those services, and you don't grant them any sudo or anything like that, so that way they only manage their services, and you kind of build isolation between things that way. But I've never thought to do that on a desktop. I don't even know how, or I guess the process would be similar, but when you're calling the application, yeah, it just sounds different, and that could be a point of conversation between us, right? We could actually discuss that. That sounds like a great idea. I wouldn't mind testing it at all; sounds like a fun test. I wonder how long I could keep something like that up, because I don't know what the interaction is.

One of the things about security that I've learned, anyway, is that there are a hundred different ways for you to be secure, there's actually more, or whatever, but how many of them are you actually going to keep up with? Because each step has just a little bit more inconvenience. How many of them are you actually going to stick with? Because, taking it back to password managers for just a second again, I mean, why not, this is my show, I can bring us back there all day long if I need to, right, so long as I'm making great points. We talk about best practices where you would have one password manager that's going to have, like, your username and login, and then there's going to be a second password manager that's going to contain TOTP keys, so it's going to be generating the TOTP codes. You'd have to authenticate with one manager just to get the basic credentials, and then authenticate with a second, entirely different manager to then be able to perform the two-factor using TOTP. This sounds great as a best practice, but in reality, you're introducing so much friction, no one's ever going to do that and keep up with it, right? You might be able to test it out for a month or two and think, okay, well, you know, it was nice, and then, you know, let's put it all in one manager now, because the manager is either secure or it isn't. You're going to have loss somewhere. It's like, I'm going to make an analogy here and probably ruin the entire thing, right? Like, you know, there's no perpetual energy, energy that just constantly goes on forever and ever, whatever, and I think about that with every process that we create: there's loss in every process.

Now, right now we're trying to process maximum security for the user. We're already asking them not to use that thing they can easily remember, because it's insecure, right? Don't use your daughter's name and the day she was born. Okay, so they're not using that, and you've got to also tell them don't use your house address or any phone numbers you previously had or any of that, right? It has to be something completely unrelated to you. In fact, we can't even trust you to generate it, because you're subconsciously going to generate something that is related to you anyway. So just use this manager that is designed to provide you with random information; it will give you something that you can use. And hey, don't even use a password, use a passphrase, because it will give you more complexity, a better string, and it'll be easier to remember, because these are dictionary words rather than just non-stop gobbledygook. And then, while you're at that, make sure you set up two-factor authentication, and not just two-factor, not just any two-factor, let's say multi-factor, because we have to include biometrics. Sure, your face is the only face like yours, but it's going to be easy to break into your device using your face, so your fingerprint will be a little bit more secure. However, laws allow us to sort of compel that away from you.
So if you were relying on that to keep your data safe, yeah, that's kind of tough. Not only that, your fingerprints, you know, I'm just going to put this out there, super paranoid mode here: your fingerprints are out in the open. Think about all the places right now where your fingerprints exist. So I would not want to use that as a second factor. I'd much rather use a bit of data that only I and this manager that I used to create it know; that is the cone of silence, right? The manager and me, that's where the information exists. Outside of that, you would have to steal it. So I have more trust in that. Now, then there's another best practice, right? You can secure your manager with its own set of credentials and multi-factor, except instead of using a TOTP code for your manager, or biometrics for your manager, you use a hardware device like a YubiKey. Do you understand? We have already added so many layers of security on top. You're far from low-hanging fruit already, and you're far enough away from it to where you could actually be flirting with paranoia, you know what I mean? And that's where I am. That's where I'm comfortable being.

Now, the thing with security as well is, it is an exercise and it is a lifestyle, I'll say. Because sure, you can exercise security, right? When you're at work, you have this super serious, super secure environment that you have to live within while you're there. That's just an exercise, because when you leave work, you no longer have to maintain that. However, what you do on a daily basis to keep yourself secured, that is the lifestyle. That is what you need to be able to maintain long term and build on top of, because as security and technology, all of it, evolves, so does the threat. The threat always exists, and you need to be able to keep up with it. So you have to be able to build layers on top of it. And as long as you can live it, I mean, it'll work for you. So I'm all up for exploring better ways to live security.
Not to mention this will also give us a good chance to take the pictures out of it. Start talking about air-gapped machines and everything else, just to be able to, like, watch YouTube. Alright, I covered a couple of shows here. I'm going to go ahead and pick another few and do another show on those. Thank you guys for listening. If you do have a show response of your own, hit on over to Hacker Public Radio. Don't just leave a comment, guys. Do a show response. Let us know what you think about these shows that we've got, right? Aren't they great? Round of applause for Ahuka, Trey, even though Trey didn't do a show. You know, he left a comment, but we still love him anyway. He's great. And Operator, huh? By the way, where's DNT? Has he been hiding somewhere? I have to put an APB out on DNT. You know what? I think I found out what happened to DNT. After that last show we did, we mentioned Black Kernel. And I think Black Kernel got to him. We sent a bunch of confused and angry users over to Black Kernel's inbox. Or at least, not me, I didn't do it. I think DNT did it. But either way. Alright, alright. I'm out of here for real this time. Take it easy.

You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.