1
00:00:00,000 --> 00:00:03,520
Hello, I put one foot in front of the other.

2
00:00:04,400 --> 00:00:06,840
But stuff still happened.

3
00:00:06,960 --> 00:00:07,880
So what's up?

4
00:00:07,880 --> 00:00:10,160
Polyamory is all the rage these days.

5
00:00:10,160 --> 00:00:12,680
But what if your data was polyamorous?

6
00:00:12,680 --> 00:00:14,960
Dating app Feeld is trying to be something different.

7
00:00:14,960 --> 00:00:18,480
They want to give you more options to like dial in exactly what you're looking for.

8
00:00:18,960 --> 00:00:22,960
And they also exposed all of your information to everybody, like all of them.

9
00:00:22,960 --> 00:00:26,480
Like every like it's like, whoa, I want to preface this by saying

10
00:00:26,480 --> 00:00:29,720
that Feeld now claims they have already solved all of these problems.

11
00:00:30,560 --> 00:00:32,040
But let's talk about what happened.

12
00:00:32,040 --> 00:00:36,720
Internet security firm Fortbridge did a test of Feeld's services

13
00:00:37,120 --> 00:00:41,880
and alerted Feeld that, hey, dog, anyone can basically do anything

14
00:00:42,000 --> 00:00:44,200
without even needing to hack your account.

15
00:00:44,200 --> 00:00:47,560
These are the things that they were able to do just by poking and prodding.

16
00:00:47,880 --> 00:00:51,080
They were able to view photos that they weren't supposed to be able to see.

17
00:00:51,200 --> 00:00:54,600
They could read, edit and delete other people's messages.

18
00:00:54,600 --> 00:00:58,160
They could send messages in other users' chats.

19
00:00:58,240 --> 00:01:00,320
They could edit other people's profiles

20
00:01:00,320 --> 00:01:02,600
and they could also view other people's matches.

21
00:01:02,600 --> 00:01:04,520
And that's not the exhaustive list.

22
00:01:04,520 --> 00:01:05,320
So how do they do this?

23
00:01:05,320 --> 00:01:06,960
Do they hack into the mainframe?

24
00:01:06,960 --> 00:01:12,360
Did they like steal the CEO's thumbprint to get past biometric security?

25
00:01:12,560 --> 00:01:14,200
No, they just kind of looked at the data.

26
00:01:14,200 --> 00:01:15,880
Buckle up, boyos.

27
00:01:15,880 --> 00:01:17,600
We're going to get nerdy with it.

28
00:01:17,600 --> 00:01:19,400
It's time for an education.

29
00:01:19,400 --> 00:01:23,320
When an app interfaces with a server, it uses a thing called an API.

30
00:01:23,320 --> 00:01:25,920
Basically, Feeld's API was hella fucked.

31
00:01:25,920 --> 00:01:29,040
The researchers looked at the data that was being sent to their app

32
00:01:29,040 --> 00:01:33,720
and found that their app was loading data that they weren't supposed to have access to

33
00:01:33,720 --> 00:01:37,840
for the purposes of showing them that they don't have access to the data.

34
00:01:37,840 --> 00:01:39,600
Like, here's a person's picture.

35
00:01:39,600 --> 00:01:40,720
They're blurred.

36
00:01:40,720 --> 00:01:44,080
You're supposed to have to, like, match with them or subscribe or whatever

37
00:01:44,080 --> 00:01:46,040
before you can actually see the photo,

38
00:01:46,480 --> 00:01:50,040
but they sent the photo to your phone and then blurred it on your phone

39
00:01:50,040 --> 00:01:51,800
so you actually have that data.

40
00:01:51,800 --> 00:01:54,800
Now, the average user isn't going to just randomly stumble upon this,

41
00:01:54,800 --> 00:01:59,240
but a bad actor wouldn't have to do a whole lot to get that information.

42
00:01:59,240 --> 00:02:02,680
But what's worse is they started then pushing back on the API,

43
00:02:02,680 --> 00:02:06,560
saying, hey, API, I swear I'm this other user.

44
00:02:06,560 --> 00:02:07,800
What can you do for me?

45
00:02:07,800 --> 00:02:11,320
And the API was like, oh, baby, oh, baby, I do it all.

46
00:02:11,320 --> 00:02:14,880
So, yeah, they were able to pretend that they were the app and say, hey, server,

47
00:02:14,880 --> 00:02:16,680
I'm that person.

48
00:02:16,680 --> 00:02:18,280
Let me edit their profile.

49
00:02:18,280 --> 00:02:20,280
And the server was like, yeah, sure, that makes sense to me.

50
00:02:20,280 --> 00:02:23,040
Yeah, you absolutely are them.

51
00:02:23,040 --> 00:02:24,160
Consider this metaphor.

52
00:02:24,160 --> 00:02:27,000
You walk into a doctor's office and walk straight to the front desk

53
00:02:27,000 --> 00:02:30,320
and say, I'm John Wanmin.

54
00:02:30,320 --> 00:02:31,760
I want my medical records.

55
00:02:31,760 --> 00:02:33,960
And they're like, OK, John Wanmin, here you go.

56
00:02:33,960 --> 00:02:35,160
Here's your medical records.

57
00:02:35,160 --> 00:02:40,600
And then without breaking eye contact, you're like, I'm Lisa, Lisa Min.

58
00:02:40,600 --> 00:02:42,960
Also, give me my medical records.

59
00:02:42,960 --> 00:02:45,160
And they're like, absolutely, Lisa, Lisa Min, here you go.

60
00:02:45,160 --> 00:02:46,160
Here's your medical records.

61
00:02:46,160 --> 00:02:47,720
You're like, OK, cool.

62
00:02:47,720 --> 00:02:48,840
Neat.

63
00:02:48,840 --> 00:02:51,280
Feeld was alerted to these vulnerabilities back in March,

64
00:02:51,280 --> 00:02:55,080
and they didn't fully tackle all of them until August, apparently.

65
00:02:55,080 --> 00:02:57,120
The blog post came out just last week.

66
00:02:57,120 --> 00:03:00,320
So, hey, it's really easy to hear stories like this and be like, oh, well,

67
00:03:00,320 --> 00:03:01,080
it's the internet.

68
00:03:01,080 --> 00:03:02,080
My data's everywhere.

69
00:03:02,080 --> 00:03:03,720
It's not worth even bothering.

70
00:03:03,720 --> 00:03:06,960
I really encourage you to push back on that sentiment.

71
00:03:06,960 --> 00:03:10,520
General privacy, personal security, it's an ongoing battle,

72
00:03:10,520 --> 00:03:12,800
but it's not a lost cause on the internet.

73
00:03:12,800 --> 00:03:16,280
It's hard, but it's possible.

74
00:03:16,280 --> 00:03:19,280
And while in this case, it was literally a matter of people trusting

75
00:03:19,280 --> 00:03:23,480
a third party entity that didn't properly implement security protocols

76
00:03:23,480 --> 00:03:29,080
that are basic, still, you can do some simple stuff like use a password manager.

77
00:03:29,080 --> 00:03:32,080
I highly recommend Bitwarden as a password manager

78
00:03:32,080 --> 00:03:34,680
if you're looking for a place to start, not sponsored.

79
00:03:34,680 --> 00:03:35,560
Lightning round.

80
00:03:35,560 --> 00:03:37,240
Boeing workers have gone on strike.

81
00:03:37,240 --> 00:03:40,680
They might be on strike for quite some time because Boeing was like,

82
00:03:40,680 --> 00:03:43,000
hey, we're going to give you that raise that you wanted.

83
00:03:43,000 --> 00:03:44,600
It is garbage.

84
00:03:44,600 --> 00:03:48,400
And the workers voted almost unanimously to go on strike.

85
00:03:48,400 --> 00:03:50,520
So they're, they're holding out.

86
00:03:50,520 --> 00:03:55,000
USPS is rolling out new delivery trucks and they are adorable.

87
00:03:55,000 --> 00:03:56,560
Stubby little dudes.

88
00:03:56,560 --> 00:03:59,840
An update on a story from a while back, an NYPD cop who learned

89
00:03:59,840 --> 00:04:03,280
that the department had these like get out of jail free cards that were kind of

90
00:04:03,280 --> 00:04:05,520
hush hush and passed out to friends and family.

91
00:04:05,520 --> 00:04:08,160
He pushed back on that and got reprimanded for it.

92
00:04:08,160 --> 00:04:12,280
But just recently he ended up winning a big old settlement out of the deal.

93
00:04:12,280 --> 00:04:16,080
Notably, the NYPD has no intention to stop using these cards.

94
00:04:16,080 --> 00:04:20,280
In fact, Eric Adams, former head cop and now mayor of New York City,

95
00:04:20,280 --> 00:04:23,760
acknowledged the settlement but didn't say anything else.

96
00:04:23,760 --> 00:04:26,280
He declined to comment.

97
00:04:26,280 --> 00:04:30,280
And finally for today, the entire team of Annapurna Interactive,

98
00:04:30,280 --> 00:04:35,040
a video game publishing company that published Stray and Outer Wilds.

99
00:04:35,040 --> 00:04:35,560
Quit.

100
00:04:35,560 --> 00:04:39,040
They are a subsidiary of Annapurna just in general.

101
00:04:39,040 --> 00:04:40,520
There's also Annapurna Pictures,

102
00:04:40,520 --> 00:04:44,560
but they wanted to spin off into their own company and Annapurna was like, no.

103
00:04:44,560 --> 00:04:46,240
So they were like, all right, bye.

104
00:04:46,240 --> 00:04:47,480
That's all I have for you today.

105
00:04:47,480 --> 00:04:49,320
Thank you so much for joining me.

106
00:04:49,320 --> 00:04:52,280
Head to SKH.News for sources and more.

107
00:04:52,280 --> 00:04:53,760
My name is Endeavorance.

108
00:04:53,760 --> 00:04:55,200
I will see you again soon.

109
00:04:55,200 --> 00:05:11,240
Take care and be well.

