open source and cybersecurity news

April 24, 2023

RSA 2023, RSA Becomes Questionable?, AI Hype, Unmaintained Wordpress Plugin, Kubernetes Report

Episode Transcription:

[00:00:00] Pokie Huang: 

Hey, it’s 5:05 on April 24th, 2023. Happy Monday! Stories in today’s episode come from Trac Bannon in San Francisco, California, Katy Craig in San Diego, California, Edwin Kwan in Sydney, Australia, Shannon Lietz in San Diego, California and Marcel Brown in St. Louis, Missouri. We’ll begin our first segment today from our Executive Producer, Mark Miller from RSA Conference in San Francisco.

Let’s get to it.

[00:00:40] Mark Miller: 

This is Mark Miller recording on the streets of San Francisco this morning, walking over to the RSA Conference. You can probably hear the cable car in the background as I walk down Powell Street. This is a big day today. Alan Shimel and I have been producing DevSecOps Connect at RSA for the last eight years.

It was a hard time during Covid, but now we’re back in full force. This year the conference itself is gonna have 40,000 people. That’s an immense, huge increase from last year, where I think we had 20,000 people show up. If you haven’t been to RSA, it is the heart of the security community. As we go through the sessions today, we’ll be focusing on how DevSecOps plays into the security patterns overall.

We’ll be calling in periodically. We’ve got most of the 5:05 crew here, so check in! Pokie is back in New York, holding down the fort. We’ll get to you with the sessions that we watch, the things that we learned, and hopefully get you excited about coming next year. All right! Hope you have a good day. We’ll be at the conference. Hope to see you there.

[00:02:02] Trac Bannon: 

Has RSA become questionable? No, it’s just click bait so that you’ll listen. Hello, this is Trac Bannon reporting from San Francisco, California. I’m here at the RSA Conference and today is DevSecOps Connect. So why did I ask if it’s questionable? Well, because I intend to ask a lot of questions. Here are some of the things that I intend to sniff out and bring forward to you during the course of this week.

What is it about forgetting that security should start with design? We’re so focused on finding later flaws that we’re not identifying the issues upfront. The second thing: what is it about this new concept of going without passwords, a passwordless future? How could that be with all the cybersecurity issues? Another concept to bring forward will be SBOM and the changes in industry.

I’m also gonna be sniffing out what some of the new technologies, patterns and practices are that impact our digital world. A number of my fellow journalists are here from our 5:05 family, so be on the lookout for impactful content that will give you something to noodle on.

[00:03:10] Katy Craig: 

A recent 60 Minutes episode sheds light on the potential dangers of “AI hype” as both CBS and Google are providing misleading information to the public regarding the capabilities of Google’s latest AI technology.

This is Katy Craig in America’s Finest City.

In the video, James Manyika, Senior Vice President at Google, claimed that their new AI system, Bard, had learned to translate all of Bengali after being fed very few prompts in the language.

However, former Google researcher Margaret Mitchell has publicly refuted this claim, providing evidence that contradicts Manyika’s statement. Mitchell took to Twitter to point out that Google’s PaLM, the AI model that preceded Bard, had already been trained to understand Bengali. A quick examination of PaLM’s datasheet confirms that Bengali is indeed one of the languages it has been trained on.

This revelation highlights the potential dangers of “AI hype” and the importance of vigilance against misleading claims by major tech companies like Google. The role that media outlets such as CBS play in disseminating such claims further emphasizes the need for critical evaluation of information. As the AI industry continues to grow, it is essential to ensure accurate information is available to the public in order to foster trust and understanding of these advanced technologies.

I encourage all 5:05 listeners to approach AI advancements with a discerning eye and to remain wary of the pitfalls of “AI hype.”

This is Katy Craig. Stay safe out there.

[00:05:01] Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. Attackers are using the abandoned WordPress plugin, Eval PHP, to compromise websites by injecting stealthy backdoors. Eval PHP is an old legitimate WordPress plugin that allows site admins to embed executable PHP code on their webpages and posts. The plugin has not been updated in the past decade and is generally considered abandonware. Yet it is still available through the WordPress plugin repository.

In April 2023, the plugin is averaging around 4,000 installations per day. It is believed that attackers are using a compromised or newly created administrator account to install Eval PHP. They then use the plugin to gain backdoor access to the web server. The researchers at Sucuri, who reported on this attack, highlight the need to delist old and unmaintained plugins that attackers can easily abuse for malicious purposes. Until those responsible for managing the WordPress plugin repository take action, website owners are recommended to secure their websites, keep their WordPress up to date and use a web application firewall.

[00:07:03] Shannon Lietz: 

In the interest of radical transparency, NCC released the Kubernetes 1.24 security audit report last week.

This is Shannon Lietz reporting from San Francisco, California.

Last week, the NCC Group published a security audit report for Kubernetes. Kubernetes is a major platform in the industry, one that’s been open source for quite some time. So some thoughts… the report weighs in at a whopping 54 pages and begins with a summary that outlines the scope and critical findings. For those reading it, it’s a pretty good read. They even go so far as to break out their findings into accessible categories, with access controls, auditing and logging, authentication, configuration, cryptography, and data validation as summary categories for any of its readers.

The report is really thoughtful. It provides examples and outlines exactly what you need to know from a security perspective. Open source seems to be a front runner and a thought leader when it comes to these types of security audit reports. It’s incredible that we can see so much information and be able to make security decisions based on the transparency shared in this type of report.

It would be wonderful if we could see other types of software vendors out there, in particular commercial vendors, share this type of data so that people can actually make critical decisions when needed. Kudos.

[00:08:33] Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, bringing you your technology history for April 23rd and 24th.

April 23rd, 2005: the very first video uploaded to YouTube, called “Me at the zoo,” is posted by founder Jawed Karim. For now being a piece of history, the video is actually pretty dumb. Note to future entrepreneurs: what you do may be for posterity, so please choose wisely.

April 24th, 1984: on the same day, Apple introduces the Apple IIc computer, announces Mac sales numbers, and discontinues the Apple III line.

The Apple IIc was Apple’s first attempt at a portable computer. Dealers place orders for more than 52,000 units on the first day. Apple also announces that over 60,000 Macs have been sold since their introduction in January that year. In contrast, the Apple III line only sold an estimated 120,000 units in the four years since it was introduced, losing Apple about $60 million. That’s been your tech history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

[00:09:48] Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!” and please consider subscribing while you’re there.

Thank you to Mark Miller, Trac Bannon, Katy Craig, Edwin Kwan, Shannon Lietz and Marcel Brown for today’s contributions.

The Executive Producer is Mark Miller. The editor and the sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.
