Transcripts

Security Now 1000 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

 

0:00:00 - Leo Laporte
It's time for security now. Yes, our 1,000th episode. We're going to look back a little bit as to how this show got started. We also have the latest news, including good news for our sponsor, Bitwarden they are still open source. How Microsoft is fixing user access control and Synology's very serious zero-click RCE flaw Synology's very serious zero-click RCE flaw. All that and a lot more coming up next on our 1,000th episode of Security Now Podcasts you love From people you trust. This is Twit. This is Security Now with Steve Gibson, Episode 1000, recorded Tuesday, November 12th 2024. 1000. It's time for Security Now episode. They said it would never happen. 1000,. Ladies and gentlemen.

0:01:03 - Steve Gibson
Actually, some people did say it would never happen. That would be me. I said it would never happen.

0:01:09 - Leo Laporte
We've convinced Steve to go to four digits as we continue on in what is now almost our 20th year of talking about security flaws, privacy breaches, how to stay safe online and, just as important, how things actually work. Steve's a master of that. Ladies and gentlemen, I give you Steve Gibson.

0:01:30 - Steve Gibson
Nice to see you, steve, coming to you from my alternative location because the roof is being changed on my normal location, and it sounded like they were like walking right on top of my head this morning and I thought, well, you know that's not going to fly.

0:01:44 - Leo Laporte
I would say, though that episode 1,000 blew the roof, thought, well, you know that's not. You can say, though, that episode thousand one thousand blew the roof off it.

0:01:49 - Steve Gibson
Uh, oh, that's true.

Fortunately, literally we have mild weather in southern california it's a good time to do it, yeah so, uh, yes, uh and I was just saying to you before we started recording, leo, that that 999 was you. You would have thought that would have been like the one that I focused on, but it was when I was putting this together and I put in 1000 that I thought, wow, that really is cool. So, yes, we got a lot to talk about For the last several weeks. I have been frustrated that there's been so much going on, so much happening, but there just wasn't any need to spend a lot of time as we often do sometimes really drilling down into anything. So we've got a bunch of listener feedback that we're going to end the show with, but we're going to look at whether Bitwarden, a sponsor of the Twit Network, went closed source. There was some odd rumblings about that over the last few weeks.

The rights of German security researchers have been clarified thanks to some legislation in Germany. Australia is preparing to impose lower age limits on access to social media for children, which is going to be interesting. Also, it appears that people got free copies of Windows Server 2025 without asking for it, to their chagrin often. We're going to talk about that. Also, uac wasn't in the way enough, so Microsoft's going to fix that. So Microsoft's going to fix that. Also, we've got from Russia with fines or obey, or else. Also South Korea has fined Meta over some serious user privacy violations we'll take a look at. Synology is recovering from a very critical zero-click remote code execution flaw that affected their photo sharing stuff. A really interesting story about malicious Python packages which are being invoked by typos in an interesting supply chain typoquatting attack. Also, google has said that they're going to enforce full multi-factor authentication for cloud service users. Mozilla Foundation just laid off 30% of its workforce, so should we worry about Firefox?

Also, I've got some feedback from Dave's Garage who took a look at Spinrite. Thank you, dave Plummer. And, as I said, we'll wrap up with a bunch of Dave's Garage who took a look at Spinrite. Thank you, dave Plummer. And, as I said, we'll wrap up with a bunch of really thought-provoking closing-the-loop feedback from our terrific listeners. And, of course, we've got one of our Pictures of the Week for Episode 1000. So I think another great episode for our listeners.

0:04:59 - Leo Laporte
I feel like I've seen this. Maybe it's because somebody sent it to me first or something.

0:05:02 - Steve Gibson
Anyway, it's been around but we hadn't put it on the podcast. Good, I like it and it's just, uh, it's another one.

0:05:10 - Leo Laporte
It's another one of those pesky people. Those pesky people. Well, congratulations on the episode 1000.

0:05:17 - Steve Gibson
Well, to us, to you, this would this uh, I wrap up with a little retrospective. Look back at your original invitation.

0:05:27 - Leo Laporte
I do have to say that, while I have not been here for all 1,000 episodes you have, there is no security now without Steve Gibson. So really, the kudos go to you. I've only done maybe 950 of them. Well, you do take vacations, and that keeps you fresh, but do not, which is odd, but I don't know why. Yeah, anyway, uh, we're so glad that you don't and we really appreciate everything you do, steve and congratulations on well.

0:05:58 - Steve Gibson
So, uh, let's see. It took us 20 years to get here. I I don't think we're going to make 2,000, but we'll keep going until we can't.

0:06:08 - Leo Laporte
Well, we'll be like in our late 80s, early 90s. It would be interesting, let's say that Toward the end.

0:06:17 - Steve Gibson
Jerry Pornel, who I think of when I think of pushing the limits, he was something.

0:06:23 - Leo Laporte
A little crotchety, but you know what? He was perfectly sharp, sharp upstairs.

0:06:29 - Steve Gibson
there was never any question about that, me not so much I'll say what is this about, honey monkeys?

0:06:34 - Leo Laporte
if you can say, leo, that was 40 years ago, that's right story. Wow, it would have been anyway. I do want to say our show today, brought to you by Bitwarden, and I want to reassure you. Bitwarden is the open source password manager, GPL open source password manager trusted by, I mean, thousands of businesses. It is the best way to keep yourself safe online, and I'm a big fan. I've used it for years, as has steve bit warden's 2024 cyber security pulse survey results are in. We did this last year and it was kind of almost depressing. Well, it's not much better. 92 of it, and cyber professionals agree 92 that's virtually unanimous. The password managers are critical for protecting business operations.

Now, as more employees seek support from generative AI tools, a big number 63% of security professionals are facing significant challenges in maintaining proper approvals for devices and applications. It's getting harder, isn't it? You know that If you work in IT. You know that 89% of respondents expressed concern over the security risks these behaviors introduced to their organization's security posture. It is a big and, I think it's safe to say, a growing problem. Well, let's talk about it.

Bitwarden might be the cure, right? The holidays are quickly approaching Peak. Security is a must-have. Social engineering tactics are getting much smarter. Bitwarden is a great choice for business in really locking down security Security. You get unparalleled SSO integration and flexibility. Yes, it works with your SSO solutions. You get inline autofill capabilities, including cards, identities and pass keys. As we pointed out, this prevents people from using spoofed sites to enter important private data like cards and identities. That's really a big help. Your business deserves a cost-effective solution that can dramatically improve its chances and your employees' chances of staying safe online. That's why we love Bitwarden. It takes a few minutes to set up. Bitwarden supports importing from almost all the existing password management solutions and, as I mentioned, will integrate perfectly well into your SSO solutions.

And I do want to underscore this and Steve's going to address this a little later on but if you're curious, the Bitwarden source code is open source. It's on GitHub, it can be inspected by anyone and, of course, they regularly have it audited by third-party experts and always this is really important. Not everybody does this they always publish the results of those third-party audits and if there's any question, it's GPL. That means it is really truly open source. Michael Crandall, who's the CEO of Bitwarden, sums it up like this. We don't need to overcomplicate security. Let's get back to basics, Empower employees with the right tools, enforce strong password habits and create a culture where security becomes second nature. That's Bitwarden baby.

Get started today with Bitwarden's free trial of a Teams or Enterprise plan and I'm really aiming this at businesses right now, but I should assure you as an individual. In fact, even the business plan starts with the individual vault. As an individual, because Bitwarden's open source. It's free to individuals. That means every device iOS, Mac, Android, Linux, Windows For individual users, you can host your own vault. If you don't want to trust Bitwarden, I personally trust them implicitly. But it's strong security, unlimited passwords, unlimited devices and the free plan even supports pass keys and hardware keys like the YubiKey, and that's free forever. So if you have friends and family who are saying I'm not going to use a password manager, I don't know who wants to spend money on that, you tell them Bitwarden's free, it's easy to use and it really works. Bitwardencom slash twit. Make sure they use that address so we get credit. And if you're a business and you want to really lock your systems down, Bitwardencom slash twit. We thank them so much for their support.

0:11:09 - Steve Gibson
We thank you for your support. Bitwardencom slash Twitter. Actually, I think our first story. Well, let's do the picture of the week first and then we'll do the story. Okay, so imagine that you have a beautiful green park space yes, and along one side of it is sort of a paved roadway meant for pedestrians. We can see in the distance a concrete pole sticking up in the back. So you know, cars are not able to have any throughway here, it's just people.

0:11:35 - Leo Laporte
Plus, this would stop bicycles and motorcycles and other rolling vehicles. Well, not initially.

0:11:41 - Steve Gibson
Presumably, this all was green, everything was fine.

But somebody was annoyed that bicycles or scooters, or something other than pedestrians, were using this, presumably at some sort of high speed.

So the genius here figured okay, we're going to slow these people down, we're going to prevent them from zooming along on their scooters or their bicycles or whatever newfangled contraption they might be using, by basically putting an obstacle course in this road way, in in what used to be an idyllic little you know asphalt path for people bordering this beautiful green lawn parkway. And so what, what? What we have here are some, essentially some, you know gates, that that you have, that you have to weave yourself through overlapping blockages. So somebody on foot has to go forward and then move sideways in order to skirt the first one and then slide over in order to get past the. In order to move a skirt the first one and then slide over in order to get around the second one. Then they have, they can, you know, catch their breath and walk down, you know, another 20 feet when they hit another one of these things. But boy, is that going to stop those guys on those, on those, you know, scooters or bicycles or whatever the hell that they're using.

Well, unfortunately, I gave this the caption. What they intended was not what happened. No, because the beautiful green parkway is beautiful and green, not so much any longer. There is a as a consequence of the fact that they basically put an obstacle course in the middle of the road, all the people who were riding something bicycles, scooters, whatever just rode over on the grass. They rode around it, kids, that's right. That's right. They didn't slow down.

0:14:05 - Leo Laporte
No, you can see the ruts. Yeah, right, they didn't slow down.

0:14:06 - Steve Gibson
No, they probably the ruts. They did. Yeah, they, they didn't signal, they just now. Of course, the first person who did that had very little effect on the grass. Probably the second person also, but after about 5 000 people did this, well, that took its toll, and so now the grass has given up it's, it's made its own path and it's very clear now you don't even have if you are a person who hasn't yet approached this area you know which way to go, you know exactly what to do. You're not getting off your scooter and having to go through this little obstacle course. No, the path has been paved for you at this point.

0:14:45 - Leo Laporte
That's hysterical.

0:14:50 - Steve Gibson
Yes, One of our listeners wrote back this morning because I got the show notes out in the late morning, so he had time to write back and he was speaking to a police officer I can't remember now what the term was, but there is a term for this like people finding the path of least resistance sort of effect, and that's certainly what happened here.

0:15:14 - Leo Laporte
Yeah, no kidding.

0:15:15 - Steve Gibson
Okay. So on the topic of Bitwarden, for the past few weeks our listeners have been sending me notes regarding their concerns that Bitwarden's licensing might have been changing to make it less open. I mean, this actually got some traction out on the Internet. It turned out that it was a good thing that I had not found the chance then to dig into whatever was going on, because it has since resolved itself completely. Now the register weighing in with an explanation, and you know their particular brand of snarkiness. I edited it a little bit for podcast clarity. They said fear, not FOSS fans. You know FOSS F-O-S-S free, open source software. Bidwarden is not going proprietary after all. The company has changed its license terms once again, but this time it has switched the license of its SDK from its own homegrown license to V3 of the GPL.

0:16:22 - Leo Laporte
Just as you were saying Leo.

0:16:23 - Steve Gibson
Yep, they wrote. The move comes just weeks after we reported that it wasn't strictly FOSS anymore. At the time, the company claimed this was just a mistake in how it packaged its software. Writing on Twitter they said, quote this is Bitwarden quoted. It seems that a packaging bug was misunderstood as something more and the team plans to resolve it.

Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users. Yay, yep, the register said. Now it's followed through on this. Yep, the register said now it's followed through on this. The GitHub commit entitled improve licensing language unquote changes the licensing on the company's SDK from its own license to the unmodified GPL3. That's good. That's really good. They said previously, if you removed the internal SDK, it was no longer possible to build the publicly available source code without errors. Now the publicly available SDK is GPL3, and you611 on GitHub where that bug was titled, desktop Version 2024.10.0 is no longer free software. Of course that's the comment that set off this firestorm. Of course that's the comment that set off this firestorm. So to that their CTO, kyle, wrote the SDK internal package.

References in the clients now come from a new SDK internal repository which follows the licensing model we've historically used for all of our clients, and I said cfaqmd for more info. The SDK internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden license code in the future we will provide a way to produce multiple build variants of the client, similar to what we do with WebVault client builds. He finished. The original SDK repository will be renamed to SDK secrets and retains its existing Bitwarden SDK license structure for our Secrets Manager business products. The SDK Secrets repository and packages will no longer be referenced from the client apps since that code is not used there. So you know they cleaned things up and fixed what was essentially just sort of a trip in this and fixed what was essentially just sort of a trip in this. You know what has obviously become a rather complex build process with multiple overlapping licenses and things. So the register finished, saying this is generally good news for the program's more fervently FOSS-focused fans it's all open source and it's possible to build the whole thing, including the SDK, from freely available code. It seems to us that Bitwarden has responded to its users' unhappiness with the changes to the licensing around its password manager and has not merely undone the changes, but gone further toward making it all free software, even if it continues to maintain that it was all just an error. The change is commendable and we're glad to see it. It does, however, look as if the company is leaving itself room to build more non-FOSS tools in the future. You know fine. So what, anyway? So I think the whole thing here, everything that we've just seen, is that I mean, it's it's what free and open source software is about. It's a terrific example of community action, which helped to bring some clarification to some initial confusion over Bitwarden's licensing terms and, to their credit, as the register reported, bitwarden really stepped up and did the right thing. So props In some good news for German security researchers.

The German government has drafted legislation to protect security researchers who discover and report vulnerabilities. There was some ambiguity before, so this proposed law would eliminate the risk of criminal liability from cybersecurity research, as long as the bugs are responsibly disclosed to the vendors. At the same time, the law does also introduce harsh prison sentences, ranging from three months to five years, for any researchers who abuse the process of vulnerability research for their own criminal acts. These include incidents when researchers cause substantial financial damage during their research, try to do some extortion or acts that damage critical infrastructure. In other words, if you're a true researcher in Germany, any previous gray area has now been eliminated, so yay. But if you're hoping to abuse, you know the but I'm a security researcher claim. Your inability to get away with that, you know, has also been clarified too. So it's good that we're seeing this because, you know, we've seen instances that we've talked about a lot on the podcast, where you know a well-meaning researcher reaches out to a company and says you know, I was poking around at your web page and I noticed that you know, whatever blah, blah, blah, you know, and I was able to log on to your servers and suddenly you know, like, rather than taking this as someone trying to help them, they immediately sick their legal staff on them and start threatening them. So, anyway, it's good that Germany's made this clear.

Australia this is going to be interesting. I think they're preparing legislation that would introduce a minimum age of 16 years for social media accounts, that is, for access to social media accounts. Under this new legislation which is not yet law, just to be clear, but it's on its way to being law access to social media platforms in Australia would be legally restricted to only those 16 years of age or older, and this legislation would hold online platforms accountable. Online platforms would be accountable for enforcing the ban. Presumably, it would also incur meaningful fines for failure to do so under this new law or this forthcoming law. Australia's government plans to introduce the bill in Parliament this week, so something's going to happen soon, and presumably it'll have some period before it has to take effect, because you need to give the social media platforms some means of responding to this in a reasonable way. Government officials explained that they're introducing the bill due to the harm social media is causing for Australian children.

Now, we've talked about this a lot in the past from the standpoint of the technological challenges, practical challenges, associated with filtering access to online services by their accessor's age. How is this done exactly, and will the legislation somehow put parents in charge? Can parents, for example, choose to opt their children out of such filtering? You know, and there's a slippery slope there because if that's possible, that creates the problem of one's kids saying, hey, but mom and dad, all the other kids' parents let them watch TikTok. You know, regardless of the degree of the truth of that itself should be robustly providing this information to any application through some sort of platform-specific API. You know, for example, at this time, 12 and above, or 17 and above, but there's no 16 and above. So that's kind of a mess.

And none of this is automatic. You know it's up to mom and dad to lock down their children's phones. Nor does this lockdown setting change automatically, like on their birthday. The device's apps that have previously declared their own minimum age usage will then be restricted by the phone, which none of this is the way it should work, and I'm not sure how we got to where we are now, but it doesn't seem like it was well thought out.

It seems to me that a superior solution would be to allow the parent to set and lock in the date of birth of the phone's user, based upon their feelings, their parental feelings about the maturity of their child and or their feelings about, you know, the perceived dangers of unrestricted access to social media. They could choose to fudge their child's declared be used in which locale in the world, and at some point it will become accepted that on such and such a birthday, access to this or that social media service becomes available. So this is certainly another interesting aspect of today's Internet the ubiquity of smartphones among minors and of the platform's willingness to treat them like everyone else? I don't know. Leo, we're tightening down access based on birthday, but we really don't have the mechanisms in place yet.

0:27:54 - Leo Laporte
That's the problem is, how do you do age verification without impeding on the privacy of adults, let alone? Kids impeding on the privacy of adults, let alone kids. And they have all these companies that say well, we just look at them and we could tell by their faces we use AI and blah, blah, blah. That seems ripe for misuse and failure. So, yeah, I can understand the desire to do it, but it's one of those things where, if you don't have the means to do it, in a safe way?

0:28:30 - Steve Gibson
you've not improved things, and here's the legislators in australia saying you know, thou shall this figure it out? And it's like, uh, how exactly right. Oh well, that's not our problem, you're techie people, you'll.

0:28:39 - Leo Laporte
You know, you'll work it out I mean, I think your solution is the only way to do it. I think that the mistake is government. Government says oh, we'll do it for parents. No, Parents. Give parents the capability and let them decide. Only they know what their kid should and shouldn't do.

0:28:55 - Steve Gibson
Yep, exactly. And if the parent puts in their birthday and again they could fudge it, you know, plus or minus a year or two, depending upon you know their own perceptions of the risks and and so forth then, once that's there, an api in the platform can be queried by any social media application, or anything else for that matter, uh, to determine the age of the of the. Now, ok, maybe the reason Apple did this is that having a birth date is considered itself a loss of privacy. So they're like well, we're just going to create these big brackets of 4, 12, and 17, and 9, and that way we're not divulging much. But I don't think you can have it both ways. You're saying that the platform must enforce an age-based restriction. Well then, you have to know the person's age. So, yeah, okay, so, yeah, okay.

Last Wednesday, the Register posted another interesting piece that I don't recall seeing anywhere else, although I did hear about it from a number of our listeners. The Register's headline was SysAdmin Shock as Windows Server 2025 Installs itself after update, labeling error and then, of course, being the register. Their tagline on the article was screens sprayed with coffee after techies find Microsoft's latest OS in unexpected places. So, with that tease. You know we need to find out what happened. So the register writes administrators are reporting unexpected appearances of Windows Server 2025 after what was published as a security update turned out to be a complete operating system upgrade Whoopsie, okay. So the problem was flagged by a customer. They wrote of the web app security company Heimdall. Arriving at the office on the morning of November 5th, they found to their horror that every Windows Server 2022 system had either upgraded itself to Windows Server 2025 or was getting ready to. Sysadmins are cautious by nature, they wrote, so an unplanned operating system upgrade could easily result in morning coffee being sprayed over a keyboard coffee being sprayed over a keyboard. Heimdall's services include patch management and it relies on Microsoft to label patches accurately to ensure the correct update is applied to the correct software at the correct time. In this instance, what should have been a security update turned out to be Windows Server 2025.

It took Heimdall a while to trace the problem. According to a post on Reddit quote, due to the limited initial footprint, identifying the root cause took some time, by 1805 UTC. We traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284. Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft's knowledge-based repository, we confirmed that the knowledge-based number indeed references Windows 11, not Windows Server 2025. Okay, so, whatever they said, the register has contacted Heimdall for more information and will update this piece should the security organization respond. We also asked Microsoft to comment almost a day ago.

Since then crickets, as of last night, heimdall estimated that the unexpected upgrade had affected around 7% of their customers. It said it had blocked KB5044284 across all server group policies. However, this is a little comfort to administrators finding themselves receiving an unexpected upgrade. They finished, since rolling back to the previous configuration will present a challenge. Affected users will be faced with finding out just how effective their backup strategy is oh dear or paying for the required license and dealing with all the changes that come with Windows Server 2025. Wow, what a mess. So I cannot speak for other admins, but I would be desperately checking everything that everything was still working after such a jump if it were my servers.

Uh, you know, and if it were, I'd probably choose to remain on that platform if it hadn't like irrevocably broken things which you know it could easily do, you know, after such a jump like that had been made, you know, since microsoft would eventually be forcing the move anyway right, I mean anybody who's on 2022, they've got 2025 in their future. So, wow, I can definitely empathize with the panic that that would ensue.

0:34:55 - Leo Laporte
To be more clear on this did this happen to anybody who wasn't a Heimdall customer? It's a good question, Because if it didn't, then it's Heimdall's fault, not Microsoft's.

0:35:06 - Steve Gibson
Yes, I did hear from some of our listeners already who experienced this themselves, but they didn't specify whether they were Heimdall customer or not. There were some. I believe it was third party upgrade, upgrade management right. That was.

0:35:26 - Leo Laporte
That was right source so microsoft's getting all the blame for this, but it's not microsoft's fault no, I, I, I believe it was somebody who's who.

0:35:35 - Steve Gibson
so systems that were under patch management by a third party were updated not by microsoft, but by their, by their patch manager. Yes, and so I'm glad you brought that up, leo, because that is the case. And the other thing that is the case is it's a time for me to take a sip of coffee. Oh, I just took a bite of sandwich.

0:35:57 - Leo Laporte
so, okay, you take that sip and I'll try to chew fast.

0:36:03 - Steve Gibson
Take that sip and I'll try to chew fast. I have my eye on the clock and we're 34 minutes in, so it's a good time Before we talk about what it is that Microsoft has decided they're going to do to Windows 11 to further protect people from user account control. Turns out it's not in your face enough, yeah well, that's true, Everybody.

0:36:31 - Leo Laporte
Just you get the prompt to elevate and you go okay, yeah, fine, I have mine turned off. You don't use UAC?

0:36:40 - Steve Gibson
No, and I understand completely why I bring it down to minimum, minimum and then I go into the registry and I disable it completely because it's just, you know, I, I'm a mother hen over this, over my machine you don't need two mother hens, one's enough no. And the fact is, I mean, the problem is people are saying, oh, there's that annoyance again, and they just click yes, yeah. And so it's like, okay, what protection is that? Well, microsoft's going to fix that.

0:37:13 - Leo Laporte
Let's not make this easy. Our show today brought to you by actually, this is a very appropriate company to talk about right now. Threatlocker company to talk about right now ThreatLocker. Threatlocker makes zero trust easy, affordable and it's really effective. If zero-day exploits and supply chain attacks are keeping you up at night and if you listen to this show, they probably are worry no more because you can harden your security. The best way to do it with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data to keep their business operations flying high.

The key is a proactive and I want to underscore this. I don't know how you do that in audio. Underscore this Deny by default approach A proactive, deny by default approach to cybersecurity. That means by default, you block every action, every process, every user. They just know, unless explicitly authorized by your team, and this is zero trust. This is how Zero Trust works and it works so well and Threat Locker does it so well. They make it easy to do and this is equally important they provide a full audit of every action. So if somebody is authorized, some process is authorized. You know exactly how, who, et cetera. That's great for not only risk management, but also really important for compliance. Threat Locker's 24-7 US-based support team fully supports you getting on board and beyond and, by the way, very easy to implement. Thanks to them, threatlocker stops the exploitation of trusted applications within your organization. It keeps your business secure. Yes, it protects you from ransomware All unknown zero-day threats.

This is the problem. This threat's never been seen before. How do you prevent it? Well, you just don't let anything in across your border. Organizations across any industry can benefit from. They call it ring fencing, threat lockers, ring fencing they isolate critical and trusted applications. They put it inside the ring fence right From unintended uses, from weaponization, limit attackers' lateral movement within their network. They're there, but they can't get there right. Threatlocker's ring fencing is so effective it was able to foil a number of attacks the traditional EDR just couldn't stop, like the 2020 cyber attack on SolarWinds Orion, effectively foiled by ring fencing. Threatlocker's customers are really happy about that. I can tell you. Threatlocker works for Macs too. So your whole network. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively. Threatlocker's Zero Trust Endpoint Protection Platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities.

I think this is so cool and if you look at reviews, look at ThreatLocker customers you'll see. I'm not alone in this and it's very affordable. Get a free 30-day trial. At least try it. Learn more how ThreatLocker can help mitigate unknown threats and ensure compliance. Visit threatlockercom. That's threatlockercom. We thank them so much for supporting security now and our friend mr steve gibson, you support us when you, if they ask you, if you say oh yeah, steve gibson told me all about threatlockercom. I Now I want a cup of coffee. It's my turn for your time, your turn?

0:40:48 - Steve Gibson
A cup of coffee, okay so we all know, uac, user account control. This is Windows' clever and workable solution to the age-old dilemma of users running root privileges on a system, just so they're not constantly being told that they can't do what they want to do with their own system. The problem with doing this, with running as root, is that it's their logon that has the root privileges. This means that anything they might do inadvertently, like innocently run some malicious software by mistake, inherence their accounts root privileges and allows their system to be easily and potentially irreversibly compromised. So the solution Microsoft evolved and we talked about this when it first appeared in Windows and I said then I think this was very clever. I mean, I think it's like the best solution we've had so far. What they did was they split credentials where an administrative user even though they're an administrative as opposed to a standard Windows user An administrative user effectively logs on with both standard user and elevated credentials, or tokens as Microsoft calls them, while always running as a standard user with reduced privileges. This way they're protected from anything that might inadvertently happen when they're not intending to have anything happen, when they're not like intending to have anything happen, when they're not looking, then when they try to do something that their lesser privileges doesn't permit, such as installing a new application into the system or disabling some system protections. Windows will pop up, you know, the user account control, the UAC prompt, which essentially serves as an. Are you sure you want to do this? Required confirmation, and when the user sighs and clicks yes, I'm sure I want to do what I just asked for, windows briefly switches over to their elevated permission token credentials to allow that requested action to be performed. Ok, so that's the way it's been now for many years, but we learned last week that it will be possible to optionally add another layer of security to this existing mechanism. Microsoft wrote this Administrator protection, which is what they're calling it.

Admin protection is an upcoming platform security feature in Windows 11, which aims to protect free-floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges. With just-in-time admin privileges, this features off by default, meaning okay. Just for clarity, when this is part of Windows 11, it will not be enabled by default, so UAC will continue working the way it has, but it can be enabled via group policy, so systems that are being administrated remotely over the network and enterprises can can cause this to be on for all of their Windows client machines. Microsoft said we plan to share more details about this feature at Microsoft Ignite. Now the Hacker News dug into this a bit and did some reporting. Now the Hacker News dug into this a bit and did some reporting. They said Microsoft will add a new security system to Windows 11 that will protect admin accounts when they perform highly privileged and sensitive actions, named admin protection. The system is currently being tested in Windows 11 Canary builds. The new feature works by taking all the elevated privileges and admin needs and putting them into a separate super admin account that's most of the time disabled and locked away inside the core of the operating system.

Okay, now just note. We don't know how they're implementing this yet. I mean, this sounds like more than UAC with more protection. So maybe it is, I don't know. No, like maybe. Maybe their intention is to make this super duper bulletproof. Anyway, the Hacker News says, with a password, a PIN or some other form of authentication before they're able to go forward, they said.

But a change in prompting authentication is not the only major change. According to technical and non-technical write-ups from Microsoft MVP Rudy Alms, who first spotted this feature, admin protection is a lot more powerful and innovative than you might expect. It changes how the entire Windows OS assigns admin privileges. Okay, so that answered my question. This is not just adding additional authentication to UAC. You know this. Bury it down somewhere in the bowels of Windows and whatever that means that's, you know. That's apparently what's going on. Changes the entire Windows, the way the entire Windows OS assigns admin privileges. In past versions they wrote Windows created two tokens for an admin account Right One to use for normal operations and one for when the admin needed to do admin things, with the user switching between the two. They finished saying unfortunately, this allows threat actors to develop UAC bypass techniques and abuse admin accounts for malicious purposes. Okay, so you know? Stated in another way, uac, even as intrusive and potentially annoying as it was, was still too easy to use, so it was being abused also. So Microsoft is going to give it another go and even more robustly lock up these privileges which are too powerful to allow bad guys and bad wear to get their hands on.

The Hacker News said the new admin protection basically locks away all those highly privileged actions into a separate system managed account. The threat actor would not be able to switch to that super admin account unless they could now bypass all the extra authentication options. The way this will exactly work in detail, they said, is unknown. Microsoft is set to provide more details about the new admin protection feature at its Ignite developer conference later this month and we hope, writes the Hacker News, that these extra authentication prompts will be able to support some form of MFA. If they do, threat actors that compromise admin accounts will have a much harder time exploiting those accounts for high privileged actions.

So you know, I suspect, that the operational profile of a developer such as myself is probably very different from the typical office worker. Even having UAC constantly popping up drives me nuts, as I said earlier, since I'm extremely careful with what I do with my system and I maintain somewhat obsessive management over my machines and I maintain somewhat obsessive management over my machines, so I've never felt that I really needed Microsoft to protect me from myself. Now, at the other end of the Windows user spectrum, you know, we have someone sitting behind a desk at a large enterprise. They are probably running a fixed set of pre-approved software and logging into a standard rather than an admin account. So they would already need to provide complete administrative credentials if they wanted to change anything in the system. This still sounds like the admin privileges that the system will have somewhere. You know, because there is an account defined on a system that has admin privileges, even when the user who's currently logged in is a standard user. So Microsoft is going to, you know, much more deeply lock this down.

So all this suggests that the forthcoming Windows 11 admin protection feature, you know, is intended to better protect everyone else. You know all of those who've been logging in with admin accounts, but for you know for whom? The? Are you sure? Yes, no, uac pop-up has not been providing sufficient protection. So, again, I can't fault Microsoft for providing options and for also, first of all, making it optional Thank goodness, although I don't tend to be under Windows 11 control anytime soon but also providing an option to more thoroughly lock down this security security and I'm just gonna say, and given that, like a biometric multi-factor authentication might be available, then that would make it tolerable you wouldn't have windows.

0:50:38 - Leo Laporte
Low is very secure.

0:50:40 - Steve Gibson
I think yes you wouldn't have to constantly going over and you know to to your smartphone and getting a one-time password in order to to continue doing things you want to do.

0:50:49 - Leo Laporte
Do you run as an administrator? Yeah, yeah, of course you do. Yeah, but I mean that was always the advice is don't run as an administrator, and UAC solved that by kind of having these different levels.

0:51:03 - Steve Gibson
Right, right, I mean Windows has become such a nanny OS that I have to try. I mean I'm creating brand new code, right? That's what I do, right, every time inherently dangerous, yeah, you know, yeah, and I hit. Well it it's, it's not dangerous. No, but it looks that way to the operating system. Yes, yeah, so. So I have to completely shut down windows defender right, or it deletes my xc the moment it gets created that's terrible.

0:51:34 - Leo Laporte
What's this?

0:51:35 - Steve Gibson
boom, it's gone. Get rid of that quarantine. It get it out of here we never saw this before. Get the oven mitts gone no, it's, that's so.

So you know, being a developer really requires you to just say calm down, down, windows, it's all right, it's me sitting here, so yeah, but again, I'm glad that they're able to allow enterprise admins to really crank the security up, and clearly they're not doing this because they don't have anything better to do. They're doing it because they've seen problems with not having enough, you know, the ability to lock things down as much as they are Okay. So under the category of who cares, last week we noted that fine happy Russian courts had levied such insanely large fines against Google for refusing to allow YouTube to spew Russian media anti-Ukraine propaganda, that not only did their own spokespeople have no idea how to pronounce the number of Russian rubles levied, but the fine far exceeds the total amount of money in the known universe. Moreover, you know the Google branch of Russia. You know the local Google entity Russia has fined went belly up and bankrupt about a year and a half ago. So there's no assets there either. So good luck squeezing some rubles out of Google. I don't think that's going to happen, but it seems that Russia has not been deterred.

In the fining department. They apparently decided that levying a reasonable fine against a going concern might actually produce some cash, you know, if not any change in that entity's behavior. So, to that end, a Moscow court has fined Apple, mozilla and TikTok for failing to remove content the Russian government deems as being illegal. Apple was fined for not removing two podcasts, mozilla for failing to remove some add-ons from its store, and TikTok for failing to remove videos related to the war in Ukraine. The fines range from $35,000 to $S dollar equivalents in Russian rubles. Now, since fines on that scale probably fall into the petty cash category for those three companies, at least there's something for them to discuss about going forward. It's not some ridiculous number with 30 zeros that no one knows how to pronounce. That you know Google's been hit with.

And while we're on the topic of fines, south Korea has fined Meta 21.62 billion won. Now, although it takes around 1400 won to equal one US dollar, when the fine is 21.62 billion won, that still equals around 15.67 million US dollars for a fine. So that's an attention getting amount, unlike Russia's fine, for you know Google, south Korea actually expects Meta to pay. Okay, so what did Meta do to upset South Korea's privacy watchdog?

The fine is for illegally collecting sensitive personal information from South Korea's Facebook users, including data about their political views and their sexual orientation, and wait for it, sharing that data with Meta's advertisers without their users' consent. The organization is called the Personal Information Protection Commission PIPC, so the PIPC in South Korea says that Meta gathered information such as religious affiliations, political views and same-sex marital status of about 980,000 domestic South Korean Facebook users so just shy of a million and then shared it with 4,000 advertisers on Meta, the PIP said in a press statement. Quote specifically, it was found that behavioral information, such as the pages the users liked on Facebook and the ads they clicked on, was analyzed to create and operate advertising topics related to sensitive information. Ok, actually that sort of sounds like a level or two removed, but still a breach of privacy, because you know Facebook is analyzing their users' behavior and then drawing conclusions about who they are based on what they do and then making the who they are information available to their advertisers. The PIPC added that these topics categorize users as following a certain religion, identifying them as gay or a transgender person, or being a defector from North Korea.

The agency accused Meta of processing such sensitive information without a proper legal basis and that it did not seek users' consent before doing so. It also called out the tech giant for failing to enact safety measures to secure inactive accounts, thereby allowing malicious actors to request password resets for those accounts by submitting fake identification information. Meta approved such requests without sufficient verification of the fake IDs, resulting in the leak of the personal information of 10 South Korean users. So just sloppy and not caring on Meta's part and users. So just sloppy and not caring on Meta's part, pipc said.

Going forward, the Personal Information Protection Commission will continue to monitor whether Meta is complying with its corrective order and will do its best to protect the personal information of our citizens by applying the protection law without discrimination to global companies that provide services to domestic users unquote.

So, for their part, in a statement shared with the Associated Press, meta said that it will quote carefully, review, unquote the commission's decision, after which it will probably get out its checkbook and to pay the fine, I would imagine. So you know, the good news is, everywhere we turn, it appears that you. If this profiling is gradually being squeezed and reduced out of the population of services, that suggests that the economics of online advertising will eventually be changing too. The advertisers don't want anything to change. They want all the information they can get about everybody all the time and governments are beginning to say, eh, not so fast there, we don't want you to have that. And of course, governments are able to make the laws that they want to. Our favorite NAS supplier, leo Synology, just patched a critical zero zero authentication flaw that would have created chaos had it been discovered first by bad guys. The fault, the flaw, affected Synology disk station and be photos and could be used for full remote code execution.

0:59:53 - Leo Laporte
It's being tracked.

0:59:54 - Steve Gibson
Yeah, it's being tracked as CVE-2024-10-443 and has been dubbed Risk Station by security researcher Rick DeJager of Midnight Blue. He successfully demonstrated and exploited the vulnerability at the recent Pwn2Own Ireland 2024 hacking contest. And this one is as bad as they get. Riskstation is a quote unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the Synology disk station and B station NAS devices, which would affect millions of devices. Now, as we know, zero-click means full remote takeover without any action required on the part of the owner of the device. We also know that the only way this could be possible would be if Synology photos for disk station or B photos for B station have open and exposed ports to the Internet. So I'll say it again, so I'll say it again it doesn't matter how tempting and cool it might be, to no safe way to do that using today's technology, no matter how much we wish it were otherwise. Now, the good news here is that this was disclosed during a pwn-to-own competition, so the bad guys have no idea how this was done and, in keeping with the responsible disclosure that's inherent in Pwn2Own, no technical details about the vulnerability have been released, nor will they be soon. They're currently being withheld to give Synology's customers sufficient time to apply the patches.

Midnight Blue said there are between one and two million Synology devices that are currently simultaneously affected and exposed to the Internet. So you know, easy to do, right, you just ask Census or any of the online scanning services like Shodan give me a list of all the IPs that are listening on this particular port and bang, you get the list. So, as it happens, I just updated my two Synology NASs. They notified me that there was new firmware available and that presumably fixes this and other lesser problems. But I would never expose my NAS to the Internet. It's sitting behind the NAT services of a PFSense firewall that has UPnP disabled, pfsense firewall that has UPnP disabled. My NASes were never in danger and I hope and trust that that's true for all of our listeners. But, you know, certainly it's not true for those one to two million Synology NAS users who said oh hey, cool, I can publish photos for my friends and you. What could possibly go wrong?

1:03:31 - Leo Laporte
somehow I doubt you use synology's photos app, but no, I you don't see the type, I don't do that either never, neither do I yeah, no, so you know it is.

1:03:43 - Steve Gibson
It is definitely more of a hassle not to simply be able to open ports and expose services to the Internet. I get it, but that's exactly what between one and two million Synology NAS users have apparently done. There are ways to safely obtain remote access, for example. I'm a huge fan of port knocking, which has never taken be the last one ever, so we don't need more security. This is what needs to change. Okay, this is really interesting, really interesting.

Over on the supply side of attacks, we learn that cybersecurity researchers have discovered a nefarious, malicious package in the Python package index. You know PyPy code repository and get this. This particular Python package is called Fabrice. It's been downloaded tens of thousands of times over the past three years of its availability, while going undetected for those three years as it stealthily exfiltrated developers' Amazon Web Services. You know AWS credentials. Now the package's name is Fabrice, which you know sounds like some sort of an air freshener or something. Yeah, it does, and it would be a believable package name on its own. It's actually derived from a typo of a very popular Python library called Fabric. Oh, so it's an E added to the end of Fabric. The legitimate Python Fabric library is used to execute shell commands remotely over SSH, but any developer who too hastily types fabric into their code might instead wind up with Fabrice, and that's where things begin to go very wrong for them. Whereas the legitimate fabric package has over 202 million downloads, its malicious typosquatting counterpart has been downloaded more than 37,100 times. Since developers trust the well-deserved reputation of the Fabric library, that's what they assume they're getting, even when they mistype the name and enter Fabrice. Unfortunately, fabrice is then able to exploit the trust that's associated with Fabric to incorporate payloads that steal credentials, create backdoors and execute platform-specific scripts.

Fabrice carries out various malicious actions depending upon which operating system it finds itself running in. If it's executed on a Linux machine, it will download, decode and execute four different shell scripts from an external server located at the IP address 89.44.9.227. When the same script runs on Windows, two different payloads a Visual Basic script named pvbs and a Python script named dpy will be extracted and executed. The pvbs script runs the hidden Python script, dpy, which resides in the downloads folder. This dpy script downloads another malicious executable, which it saves as chromeexe, then sets up a scheduled task to run that Chromeexe every 15 minutes. Once that's been done, the Dpy file is deleted.

In any case, regardless of the operating system and the path taken, the common goal is credential theft. Aws access and secrets keys are gathered and exfiltrated to that server at that address. By collecting these AWS Access keys, the opportunistic attacker gains access to potentially sensitive cloud resources. Now who knows what developer will run this and what resources might be obtained?

Since 2021, when this malicious Fabrice library was first dropped into the PyPy repository, 37,100 developers have downloaded it by mistake, thinking they were getting fabric. The first time they ran it, their machines were compromised. When they later corrected their typo, it was too late. Their development systems were already infected with a Trojan designed to seek out and send any AWS credentials they might have. So at this point, from time to time, the attacker's server at 89.44.9.227 simply receives unsolicited AWS credentials.

Every time someone new shows up, the attackers probably head over to AWS to see what their trap might have snarred. So we have a sophisticated typosquatting attack, crafted to impersonate a trusted library, which exploits unsuspecting developers who enter the wrong library name. Just once, this thing sat undetected for three years, collecting more than well. We don't know how many AWS credentials were collected, but it was installed in more than 37,000 systems and then began looking for AWS credentials before it was finally spotted and removed from the library. Of course, this begs the question what other similar typo traps are still sitting out there, salted out among the thousands of legitimate repository packages? This is why we've got researchers scouring the repositories looking for these kinds of nefarious baddies.

1:10:53 - Leo Laporte
And this is a continual problem in these repositories. I wish there was some easy way to fix this.

1:11:00 - Steve Gibson
Yeah, pypy has been particularly notorious right. Yep and NPM, of course also.

1:11:07 - Leo Laporte
Yeah, the Node Package Manager.

1:11:09 - Steve Gibson
It's a problem because we want public software, right? I mean, the whole idea is to create a community of people working together, publishing software packages and libraries like this, intending to share it. Well, how do you keep the bad guys out? You really can't. And leo speaking of good guys.

1:11:33 - Leo Laporte
I bet you I have a product that can get the bad guys out. Let me check. We continue on episode 1000. Steve gets his cup. I already had my mug. I'm wishing now that I had the quad venti latte that you always order. I only made a, a double, and it went quick.

Our show today brought to you by flashpoint. You know, and and information is power. Right, it's, it's absolutely key. It's's critical to being effective in the world in a whole lot of different ways. If you're a security leader, you know this has been a year to remember, shall we say.

Cyber threats and physical security concerns on the upswing Now geopolitical instability, adding a new layer of risk and uncertainty. I'll give you one stat to illustrate it. Last year, there was a staggering 84 percent rise in ransomware attacks 84 percent rise. There was a 34 percent jump in data breaches, neither of which would be good for your company, right? And of course, the result is trillions of dollars in financial losses, but not just financial losses threats to safety worldwide. I've got a great solution for you, and it comes down to information. That's where Flashpoint comes in.

Flashpoint empowers organizations to make mission-critical decisions that will keep their people and their assets safe by combining cutting-edge technology with the expertise of world-class analyst teams. You know governments have intelligence agencies, but why should it only be governments? Shouldn't businesses also have people working to give them the intelligence they need to succeed? Well, with Ignite Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, you get alerts, you get analytics and you get it all in one place. You can use it to maximize your existing security investments, of course, because you know where the threats are coming from right.

Some Flashpoint customers have avoided half a billion dollars in fraud loss annually. Half a let me say that again half a billion dollars saved from fraud loss annually thanks to flashpoint 480. That's a 482 percent roi in six months. Flashpoint earned frosted sullivan's 2024 global product leadership award for unrivaled Threat Data and Intelligence. An SVP of cyber operations at a big company you would know a big US financial institution said, and I'll quote Flashpoint saves us over $80 million in fraud losses every year. Their proactive approach and sharp insights are crucial in keeping our financial institution secure. They're not just a solution, they are a strategic partner helping us stay ahead of cyber threats.

Don't you want to stay ahead of cyber threats? No wonder Flashpoint is trusted by both mission-critical businesses and, yes, governments worldwide To access the industry's best threat data and intelligence. Very simple Just go to the website flashpointio. Do it right now. You owe it to yourself and your company, Flashpointio. I mean you listen to the show for that kind of intelligence. Right, Get even more Flashpointio. Thank you so much for supporting the intelligent Steve Gibson. On we go.

1:15:11 - Steve Gibson
Okay, so we've seen this one coming for a while, and we're nearing the year 2025, which is the year during which Google has said they're going to be requiring, with no excuses, all of their cloud services users, which includes all Gmail users, to be authenticating with some form of multi-factor authentication. Good, good, Yep, it's like it's time right. So, more than just their username and password, which will no longer cut it. Google still hasn't provided explicit deadlines, but anyone who doesn't already have MFA set up can expect to start being pushed to do so near the beginning of next year. So there's not much more amnesty for people who haven't done that yet.

Okay, so I don't know how to read between the lines of some recent worrying news from the Mozilla Foundation. Just to be clear, that's not the same as Mozilla. The Mozilla Foundation is the nonprofit arm of Mozilla, but the foundation has just laid off 30 percent of its employees. Even though it's not Mozilla, it still makes me nervous, since I depend upon Firefox for the web and Thunderbird for email. The official statements from the foundation. Well, to me they sound like gobbledygook. Get a load of this Quote the Mozilla Foundation is reorganizing teams to.

While I'm reading this, think about the turboencabulator and the reverse trunnions that it uses because similar language. The Mozilla Foundation is reorganizing teams to increase agility and impact as we accelerate our work to ensure a more open and equitable technical future for us all. For us all, that unfortunately means ending some of the work we've historically pursued and eliminating associated roles to bring more focus going forward. Our mission at Mozilla is more high stakes than ever. We find ourselves in a relentless onslaught of change in the technology and broader world, and the idea of putting people before profit feels increasingly radical. Navigating this topsy-turvy, distracting time requires laser focus and sometimes saying goodbye to the excellent work that has gotten us this far, because it won't get us to the next peak. Lofty goals demand hard choices.

1:17:49 - Leo Laporte
What the hell. Does that mean they fired whoever was on their pr team who spoke sense? Yeah, wow, that's just bad pr. That's a bunch of utter nonsense. Here's, here's the good news. The mozilla foundation had more than doubled its staffing in the last two years. Ah, okay, so 30% cut still puts them ahead of where they were. It's also not the browser, it's their, you know, as you said, it's their nonprofit arm, right, right, okay, good, so don't worry. Do you use Mozilla or no? You use a Chrome browser?

1:18:25 - Steve Gibson
No, I'm a Firefox 100%.

1:18:27 - Leo Laporte
Oh good, yeah, yeah, yeah. No, I'm a Firefox 100%. Oh good, yeah, yeah, yeah, yeah, yeah, yeah, me too, yeah, yeah, we need diversity. It's the last man standing that Safari are the only two mainstream browsers that don't use Chromium. I?

1:18:38 - Steve Gibson
know, and for me, my computers run cooler and quieter when I'm not running Chrome.

1:18:47 - Leo Laporte
Yeah, Chrome is a pig.

1:18:48 - Steve Gibson
The reason I left chrome was that, like my fans, were spinning up it's like what the heck?

1:18:53 - Leo Laporte
it's just, it's just sitting here. To be fair, mozilla's had its problems in the past with resources, but I think right now it's pretty.

1:19:01 - Steve Gibson
It's a pretty darn good browser well, and it is getting heavy donation from from google oh yeah, 200 million a year, I think from google, not donation they spent.

1:19:12 - Leo Laporte
It's the same reason google gives 20 billion to apple.

1:19:15 - Steve Gibson
It's too right, yeah oh, right, in order to feature the default search engine. Yes, yes, and I, and I do use firefox's, whatever that the home page that comes up with sponsored stuff? Yeah, I, I do.

1:19:29 - Leo Laporte
I want to let them support them. Yeah, good for you.

1:19:32 - Steve Gibson
Yeah, I have no problem seeing that, and every so often there's something kind of interesting. It's like oh, what's that about? Yeah, okay, so that covers the most interesting news of the week. Today is Patch Tuesday, so we don't have any results from that yet, but count on it next week, absolutely. We don't have any results from that yet, but count on it next week, absolutely. We're not sure that the number of things fixed will be two digits or three digits but it'll be one of those two.

Yeah, it'll be in there. I was glad that there was not a torrent of news for today's 1,000th episode of security now, since you know, there's been so much news recently that I've been unable to share, as I said at the top, some of the truly great listener feedback we've been receiving. So we're going to do that today, but I've got a couple things. First, um, dave plumber was an early microsoft engineer. Among other things, dave is credited with creating the original task manager for windows he wrote it and also the space cadet pinball ports for windows nt. He was also the developer who added native zip file support to windows.

1:20:43 - Leo Laporte
Thank, you dave hard to pick just one of those as his most important. Yeah, he really is. I like the pinball a lot.

1:20:50 - Steve Gibson
Yes, space cadet pinball. So today Dave's best known for his two very popular YouTube channels. He has Dave's Garage and Dave's Attic. I'm mentioning this today first because Dave puts a lot of effort and energy into the videos he posts to his channel and our listeners might find a lot there to enjoy. So I created one of GRC's shortcut links to make finding Dave's garage easy. It's just GRCSC, slash Dave, so you know SC as, in shortcut, grcscdave.

But the main reason I'm mentioning this is that one week ago today, dave posted his look at Spinrite 6.1. His subhead was Optimize your hard drive and extend data life, including SSDs with Spinrite. Including SSDs with Spinrite. And his review of Spinrite was so positive that in the metadata info about this video he made his motivation clear by explicitly stating by the way, this is not all caps, a sponsored episode. I'm just a 30-plus year customer and fan of the app Exclamation point. So anyway, everyone who has been following this podcast already knows everything Dave talks about. We all know that SSDs are prone to slowing down over time when their data is only ever being read and never written, such as the file system's metadata and most of the operating system files and drivers and so forth, and early in the work on Spinrite 6.1, we discovered that running a Spinrite level 3 pass over SSDs that had slowed down over time would restore their original factory performance. Time would restore their original factory performance. So I'm mentioning this due to two viewer comments that were posted to Dave's Spinrite video last week. Brent Smithline said have used Spinrite since the early 80s. After talking with the head of support at Compaq, he stated that they used Spinrite to test hard drives before they were installed in Compaq devices. The bad ones were weeded out and sent back to the manufacturer so they did not become a support issue at the very start for Compaq. Now I've mentioned this anecdotally several times through the years, but it was fun to see it independently restated and it brought to mind a useful strategy that may still be useful today.

One of the things I've noticed while running drives on Spinrite is that the drive's self-reported smart health parameters will often be pushed downward while SpinRite is running. This is one of the biggest mistakes made by all of the various although they really don't have a choice smart drive health reporting tools. A drive that's just sitting there idle and doing nothing is always going to be relatively happy because it's not being asked to do any work and it's not the drive's fault for not reporting anything, since it has nothing to report. It's only when the drive is under load by being asked to read or write data that it's able to gauge its own ability to actually do that. For the past 35 years, this has been one of the fundamental tenets of Spinrite's value. A drive can only determine that it has a problem when it's asked to go out into its media and attempt to read or write those regions. Read or write those regions. The fact that in a sense, it owns that media doesn't automatically mean that it knows everything about what's going on out there. It needs to be asked to go, take a look, and it turns out today's Spinrite can still be used the same way that Compaq once used it to help qualify the relative integrity of spinning hard drives and SSDs.

Another interesting comment that was posted there, among 756 others since last Tuesday, was by Seagate's ex-chief technologist, robert Thibodeau. Thibodeau, yeah. In addition to being chief technologist at Seagate for years, robert is also one of the six founding directors of Carnegie Mellon University's Robotics Institute, from which he resigned in order to guide Seagate's development of, among other things, self-encrypting drives. In response to Dave's Spinrite video, last Tuesday Robert posted, he said as a chief technologist for Seagate for years, spinrite is generally done right. There are some errors in Daveave's presentation but they're minor. The biggest thing that needs to be said is that if you wish to retain digital data and leo, you're going to love this plan to keep essential data on multiple drives that do not depend on each other. Very good, he said. Raid is not a solution except for transactional data management or in disk. Very good, he said. I think he means full mirroring.

1:26:37 - Leo Laporte
RAID 1.

1:26:38 - Steve Gibson
He says, and always keep a full dated copy or two air gapped, meaning not connected to anything electrical, he said, meaning not connected to anything electrical. He said safe deposit boxes are useful for this and plan to make new copies on new drives every few years. He said digital storage devices can fail in more ways than you can count, and the ones that can preserve data for decades are really not commercially available and often give a false sense of security, leading to catastrophic data loss. The design life of storage devices is generally five years, although it's not unexpected that a given device will preserve storage for 10 plus a few years, will preserve storage for 10 plus a few years. Knowing what I know, I buy new drives every year or so and make new full copies, as well as keeping at least a couple of copies air-gapped all the time. Lightning can and does strike Fire, he says per endsens, heat demagnetizes and it is not true that solid-state drives are non-magnetic and susceptible to failures associated with magnetic field losses. So anyway, I want to share those two.

Well, I mean, you'd have to stick it in an MRI machine.

1:28:06 - Leo Laporte
Yeah, I mean you can't like degauss an ssd with a magnet or anything no, no, they are electrostatic as opposed to electromagnetic but they're still sensitive to changes, you'd have to hit them with a serious pulse.

1:28:20 - Steve Gibson
But I appreciated robert's reminder about the inherent volatility of mass storage. You know, back when I first designed and wrote Spinrite, you, leo and I, had 10, 20, or 30 megabytes of spinning hard drive storage.

1:28:37 - Leo Laporte
Oh, and we thought we were fat. Oh, we were.

1:28:40 - Steve Gibson
Well, because nothing was big back then, so 30 megabytes, that was. You know I'm never going to fill that up.

I take single photos that are bigger than that now Exactly, and those drives cost us thousands of dollars. That's right. That price dropped rapidly, but it was still uncommon for anyone to own more than their system's primary mass storage drive. That's why Spinrite's data recovery was designed to work in place, because back then there was nowhere else for recovered data to go. That's one of the many things I am very excited to be changing as Spinrite continues to evolve. In the future, and thanks to the ongoing support from this podcast's listeners and the greater Spinrite community, as well as independent influencers and reviewers like Dave Plummer, it appears that Spinrite will have a bright future. Nothing, truly nothing, could make me happier, because there's nothing I will enjoy more than continuing to work on Spinrite to move its code forward.

But I just wanted to mention that I'm always made a bit nervous when I get the sense that people are carrying around single copies of important data on today's thumb drives or external drives, you know, in their laptops or desktops, wherever where you know there may not be another copy of that data. Drives are certainly becoming more reliable as time goes on, but there's also a danger in that since, as Robert reminds us, lightning does still strike. So the fact that drives are generally not dying left and right can lull us into a false sense of security of believing they never will. With today's data storage being so economical, it might pay off to take some time to make backups automatic and transparent, and that's really where I'm headed here. Automatic is the key. It's's really where I'm headed here. Automatic is the key. It's the main point. I wanted to make Everybody's busy.

We get distracted. We naturally forget to do things that don't call for our attention. That's why it really makes sense to find some time, if you haven't already, to arrange to have the data you care about kept safe for you without you needing to remember to do anything at all. These days, with storage being so inexpensive, that doesn't have to be expensive. I mean almost free, in fact. The best case is that nothing bad will ever happen and that your backup system will never be needed. But even then, the peace of mind that buys of knowing that the system you put in place will have your back, I think is worth the time and trouble. So I just sort of wanted to take a moment to say really, don't have a catastrophe. There's just no reason.

Good reason there's no reason to have a catastrophe any longer.

1:31:53 - Leo Laporte
I think some things have changed since Dave was working at Seagate, for instance. Cloud storage is very, very common. Almost everybody I would imagine listening has at least one copy of their data in a cloud somewhere. It's so cheap, it's so ubiquitous.

1:32:08 - Steve Gibson
Oh my God, and nowrosoft is like dunning you. Yeah, one drive just comes with.

1:32:13 - Leo Laporte
Yeah, yeah, yeah. So that's a little annoying, to be honest, but yeah, but. But apple does the same thing with iCloud. I, I think that most people probably have their most important stuff in the cloud. Uh, and and, uh, you know you, you mentioned the sync thing, which I think is a great solution. I just have everything synchronized everywhere.

1:32:32 - Steve Gibson
Yes, yeah, yeah, okay. One last bit before we get to our listener feedback. I mentioned last week that my mailing system's instant unsubscribe feature had turned out to be a bit too instant, since many of our listeners were being repeatedly silently unsubscribed from the SecurityNow mailing list. The trouble was caused by some email providers, and this is a known issue I had never encountered, but I had heard of it. They attempt to protect their listeners from malicious links in email by following those links, pulling up the content they point to and then checking it for any sort of malice. So it's not a bad idea, though it certainly does make email a lot more trackable, since many savvy users will deliberately not click anything in spam they receive as a means of remaining invisible, because they don't want to give any indication that they got a live one here on the end. So the issue of trackability must have been a trade-off that these providers decided was worthwhile. In any event, the system I had in place until a few hours ago last week, a few hours after last week's podcast, when I said I was going to fix it the system I had in place would assume that requesting the content behind the instant unsubscribe link was the user clicking it so it would do as requested and instantly unsubscribe them. So I wanted to affirm that I did in fact change the way the system functions so that links now display an unsubscribe confirmation page. That's actually very pretty and you can click on it and then just to see what it looks like if you're curious, and then just don't proceed to give it the additional click of yes, I'm sure, because that's now what's required. So henceforth, everyone should now remain properly subscribed.

If you were not among the 12,656 listeners who received today's podcast topic summary, you know the picture of the week, the show notes link and everything in an early morning email. You may now resubscribe to GRC's security now mailing list. You know GRC dot com slash mail and you know subscribe. From now on. If you do that, all subscriptions should be sticky and remain in place until and unless you choose to later unsubscribe. So I'm done with the email system. I, as I mentioned last week, it's now very easy to change your email address anytime you want. Users can do that. This last glitch is gone. This mailing to 12,656 of our subscribers went out beautifully this morning. So I am now I actually already have turned my attention to my next project, which is to create this next DNS benchmark. So I'm very excited to get that, to get going on it deeply and get it done as quickly as I can. And, leo, let's take our last break and then we're going to look at some listener feedback for the final half hour of our podcast.

1:36:10 - Leo Laporte
Excellent, excellent, 1,000 episodes, kids. It's amazing, wow. And, by the way, I wish we had a list of all of the sponsors we've had over the years. It all started with Astaro, you remember way back.

1:36:27 - Steve Gibson
And Alex is still listening.

1:36:28 - Leo Laporte
Alex Niehaus is still a. Alex kneehouse is still a listener. Thank you, alex. We get regular emails from him. Uh, you, probably it's. It's not a thousand sponsors, but it's been quite a few. We're very grateful to all of them because it makes the show possible. We are, like the mozilla foundation, dependent on uh, on your support, uh, with club twit and, of course, on our advertiser support.

This segment of Security Now brought to you by a company you probably know and have heard of, with a really interesting product that's somewhat new. I'm talking about Lookout. Today, every company is in the business of managing data. That means every company is at increased risk of data exposure and loss. We're just talking about it, right.

Not just hard drive failure, but cyber threats, breaches, leaks. Cyber criminals are getting smarter every day and modern breaches now happen instantly. It doesn't take days or months anymore. It happens in minutes. At a time when the majority of sensitive corporate data has moved to the cloud, traditional boundaries no longer exist. The strategies for securing that data have fundamentally changed. That's why you need Lookout.

From the first phishing text to the final data grab, lookout stops modern breaches as swiftly as they unfold, whether on a device in the cloud, across networks, working remotely at the local coffee shop with your venti latte. Lookout gives you clear visibility into all your data, wherever it is, at rest and in motion. You will monitor, you'll assess and you'll protect, without sacrificing productivity for security, and you'll like this, or at least the IT department will. With a single unified cloud platform, lookout really simplifies and strengthens your posture, reimagining security for the world that will be today. Visit lookoutcom right now to learn how to safeguard data, secure hybrid work and, yeah, reduce IT complexity. Lookoutcom. Thank Lookout so much for supporting the show and we thank you for supporting us by mentioning you heard it on security now, because that's how we keep those sponsors happy, right.

1:38:45 - Steve Gibson
Yes, they think wow, this really makes sense to advertise on this podcast.

1:38:50 - Leo Laporte
It does I mean who else? What better place to tell the world about your security product?

1:38:55 - Steve Gibson
OK. So Paul Walker asked hey, steve, just listening to Episode 999 and your piece about AI to find, fix, prevent security vulnerabilities, I'm sure you're right. It'll be a great tool for developers, but I wonder if it'll just become the next arms race in the field. Couldn't bad actors deploy AI similarly to find vulnerabilities? And all we're going to end up with doing is raising the bar of complexity, picking off more of the loweranging fruit as the vulnerabilities just become more obscure and harder to find by humans. Is there even a danger that a bad actor wielding AI might have an advantage for a while as they turn this new generation of powerful bug-hunting tools loose on all the old current software that's already out there? Don't get me wrong. It should be a good thing, assuming the overall balance of power between good and bad doesn't shift too far the wrong way. But I fear your hope for a world of no vulnerabilities still isn't much closer. Congratulations on reaching 999 and thank you for going past it. Here's to the next thousand episodes, thanks, paul. So yes, paul, I've had the same thought. I agree that AI could just as easily be used to design exploits for the vulnerabilities that already exist or that will exist, and I also agree that the inertial lag and upgrade friction we keep seeing throughout our industry is likely to mean that malicious AI will initially find itself in a target-rich environment. So, yes, I agree 100% that things may get rough during the phase where AI is still newly being deployed by both sides deployed by both sides, but there is an important lack of symmetry here. The good guys will have an advantage in the long run because no malicious AI, no matter how good it is, will be able to create vulnerabilities out of thin air. All a malicious ai can do is find problems that exist. It cannot create new ones. So once the good guys have their ais working to starve the bad ais of any new vulnerabilities to discover and exploit, the game will no longer be an arms race. There will be a winner and that winner will be the good guys. So, but certainly an interesting point, and we are in for some interesting times. And also, speaking of AIs, matthew from Montreal, canada. He said Hi, steve, I might not be the first person to share this snippet of code with you, but I thought you'd find it useful. I asked ChatGPT how to remove YouTube shorts. Initially it suggested plugins, but since I have security concerns about plugins. I asked it again, this time specifying that I wanted a solution using only uBlock Origin. Here's the solution it provided and it works great. Okay, so now I've got it in the show notes. Basically, chatgpt, to its credit, created a three-rule filter, which you know. You go to you block origin, open the dashboard, click the my filters tab and then paste it's actually six lines because it's got comments for each of the lines Paste those in, click apply changes. Anyway, he said it worked. He said this approach has worked perfectly for me. And he said and I thought you might find it handy too, let me know if you try it out. Best regards, matthew from Montreal.

Okay, so, as I said and as he wrote, matthew from Montreal found that this worked for him. But a listener named Daryl, a man of few words, sent just a link to a GitHub page and it's GitHub dot. And then I have the link in the show notes. It looks like G-I-J-S dev slash ublock Origin filter list to hide all traces of YouTube shorts videos. He said this filter list might work with other content blockers, but I haven't looked into that yet. He says copy the link below, go to Ublock dashboard filters and paste the link underneath the import heading. So that's very cool. Under uBlock Origin there is an import dot dot dot. You can give it a link and it will suck the list in for you. So anyway, I used wget to grab the listtxt file referred to in that link. It's an extremely comprehensive, well-commented 71-line filter. Although that includes blank spaces and comments, lots would be quite surprised if anything resembling a YouTube short was able to squeak through that gauntlet.

Then I discovered where Daryl found his GitHub link. He sent me another piece of email with a link to a piece on Medium where a software developer explains. He said as a software engineer, I typically spend 8 to 10 hours daily on my laptop. Following that, I frequently indulge in YouTube shorts, which, combined with my extensive screen time, has started to negatively impact my eyesight. Despite recognizing this, I found myself too addicted to simply stop. Hence I decided it would be better not to see any shorts on YouTube at all. That's when I discovered my savior uBlock Origin. Ublock Origin is a Chrome extension that not only blocks ads on YouTube but can also stop YouTube shorts, which I hope in turn, will save me more time. Here are the steps to follow. Okay, and then he provides a link. Actually, he copies a bunch of stuff into his Medium posting. At the bottom he provides a reference.

It turns out that this software engineer is also not the originator of this filter list. As I said, at the end of his medium posting he links to the YouTube video where he presumably learned about uBlock Origin and found this filter. So first of all, we've confirmed my suspicion from last week that uBlock Origin all by itself, which can obviously function as a Swiss army knife for web content filtering, could probably nip this YouTube shorts problem in the bud without the need for any sort of possibly sketchy additional web browser add-on, which is what brought this whole topic to the podcast. Right? Remember that somebody had a YouTube short blocker and it became owned by somebody who started using it to track all of its users around the Internet. So we were saying, hey, do you even need an add-on, why not just uBlock Origin? So sure enough. But I was still unclear about what all the hullabaloo was over this so-called YouTube Shorts problem. What's the problem exactly? Why are people creating web browser extensions to hide these? So I followed this software engineer's link to the YouTube video where Chris Titus Tech tells us how to do this. That had been posted to his explainer over the past 10 months since he posted his video, which has been viewed 1.6 million times, were quite illuminating. So here's a sampling.

For example, people said the fact that people want to disable shorts and there are developers that create these amazing tools really goes to show how crap shorts really are. Somebody else said what's wrong is YouTube themselves keep pushing shorts on people. It's a form of spam and should be something you can opt out of. Unfortunately, opting out doesn't work within the YouTube platform. I hate shorts and I hate the way YouTube is going. Someone else said thank you for the tip. It's a lifesaver. Youtube shorts are cancer. Somebody else said alternate title how to cure YouTube's cancer.

Somebody else wrote my child can't stop himself once he starts watching them. I have to step in. He even tells me he wants to stop watching shorts, but can't, which is terrifying. Knowing this will make a huge difference in our lives. Thank you Finally. Someone said dude, I literally cannot thank you enough for this. I'm currently trying to really focus on my studies, but shorts have been my downfall all caps, literally. He said I just get so addicted to it and I feel like I physically can't stop Once I realize how much I wasted doing nothing. I feel empty and dumb inside. So glad this is a thing and it works. Great, you're a lifesaver. Thank you so much.

And the last comment could you please make a shorter version of your video? Okay, I confess I made that last one up, but wow, whatever this is, it really appears to have people in its grasp. It's somewhat astonishing, but these reactions to the posting of Chris's extremely comprehensive YouTube shorts content you know, and how to block, how to block it using you block origin answers the question of why anyone would want to remove these from their browser. So you know, also apparently from their life, in addition to from their browser. So, anyway, we know you can use uBlock Origin.

The show notes have lots of links and one to a very comprehensive filter list for anyone who feels like a lot of these. You know 8,000 plus people who discovered Chris's's uh list do. Tom damon said steve, I ran into this on linkedin about last week's photo of the week. Just thought I would let you know. Quote here's how a bunch of firemen created a viral image that fooled the internet. Unquote that was the title from Business Insider. He said thanks, been listening since episode one, tom Damon. Okay, now Tom is actually referring to last two week before last photo for episode 998.

1:50:45 - Leo Laporte
Oh, this is the one where the train tracks Yep.

1:50:50 - Steve Gibson
The insane one showing the fire truck's hose crossing the train tracks while being protected by fire protectors or by tire protectors, you know, as if that would do what was intended, you know, for the wheels of a train, right? So Tom linked to an article in Business Insider. Unfortunately, it was behind a paywall which placed a firm pop-up covering the page in my face and which refused to allow me to proceed. But I was quite curious to see what Tom had seen. So once again, you block origin to the rescue. I simply disabled JavaScript for the site.

1:51:34 - Leo Laporte
Yeah, that site is really hard to get to. I'm glad to know I can do that.

1:51:39 - Steve Gibson
Yep, refresh the page and no more pop-up blocking the page's content. So I can tell you that Business Insider wrote. If you spend any time on the Internet over the past few months, there is a chance you saw a photo of firemen who had found a foolproof way to lay a hose over train tracks. The photo went viral, being shared all over Twitter and Facebook. Insane, right? Not quite. The photo was actually a joke. Firefighter Tom Bongoerts from Belgium took the photo at the beginning of April, posted it to Facebook. The caption says something like fire early this morning. Our hoses are still protected from the train exclamation point but that track was down that week for repairs.

Those in town presumably Tom's Facebook friends, knew that the photo was created and posted for laughs. There was no chance a train would be coming. And posted for laughs there was no chance a train would be coming. But soon hundreds of people were sharing the photo on Facebook, adding their own commentary. People who didn't know Tom or about the defunct train track began to see the photo and, in disbelief, share the photo themselves. After his picture was shared hundreds of times, it eventually became separated from its original source and from its sarcastic caption. People believed it was real Stories like the one about how a train was derailed began going viral as well.

Several days later, after tons of tweets, shares and email forwards in lots of languages, tom wrote a follow-up post explaining what happened. It says hey, this past week, our funny photo went viral throughout the whole world Thousands of shares and likes in many different countries once and for all. Once and for all. The picture was taken in Belgium, in a small village called Bornem. After a minor intervention, meaning some fireman-related activity. We had some time left near the railway to make this picture. Oh boy, since there were no trains running at all for a week due to maintenance works, we can state that our joke was a real success.

1:54:18 - Leo Laporte
Oh, and now, many years later, still fooling people on the Internet.

1:54:24 - Steve Gibson
So a big thank you to our own Tom, our listener, tom Damon, for resolving this mystery for us. It's good to know that those firefighters were aware that either their scheme would not actually survive a train or that any passing train might not survive their scheme. Opinions among our listeners who sent feedback about the photo differed widely about what might transpire if the integrity of that crossing hose solution were ever to be tested. Paul Northrup wrote Dear Steve, in regards to the new DNS benchmark offering, will there be versions for other operating systems Apple, linux, bsd, bsd? Thanks, okay. 15 years ago when I first wrote the DNS benchmark, I took great pains to make sure it would run perfectly under wine, and it does beautifully. So I'll definitely be preserving that functionality anywhere wine can be used with a DNS benchmark. As it turns out, all three of those non-Windows OSs that Paul mentioned Apple, linux and BSD are POSIX compliant and can and do run Wine. So while it won't run natively, it will be possible to run it on any of those platforms in addition to Windows. So got that covered.

Jim Riley poses an interesting question. He writes Hi Steve, thank you for being here for Security Now. Every week you and Leo make a great podcast. I have a question about AI which is a bit philosophical. A comparison of answers between Gemini, chatgpt and Copilot shows the systems can disagree on basic facts such as who won the 2020 presidential election.

1:56:25 - Leo Laporte
Well, there is disagreement in general.

1:56:29 - Steve Gibson
And that is exactly to my point, leo. He says Gemini refuses to answer the question. This sounds like Big Brother, and Google has anointed itself the Ministry of Truth deciding what facts it will suppress or reveal. Having our access to knowledge regulated by corporate overseers is disturbing. How can AI be trusted if it withholds facts? Do you think a control system should be installed in AI that will prohibit AI from withholding the truth? Regards Jim. Okay, this is an aspect of AI that I suspect is going to be a real issue.

My wife and I have grown to know the neighboring couples within our little community enclave quite well. Lori enjoys socializing and since she lets me work every other minute of the day, I'm happy to join in. What I know, because I've grown to know our neighbors, is that I could ask each couple the same question and obtain a different answer from each, sometimes radically different answers, and their intelligence is not artificial, though in some cases it may be questionable. So I suspect we may be asking a lot of AI for it to be some sort of absolute oracle and truth teller and, moreover, the truest answer may not be a simple binary yes or no, true or false. I believe in the fundamental rationality of the universe.

So I believe there is an absolute truth, but I've also observed that such absolute truth is often extremely complex and colored by subtlety. Many people just want a simple answer, even when no simple answer can also be completely true. In other words, they will choose simplicity over truth. Having come to know our neighbors, I have also come to understand their various perspectives, so when they share what they believe, I'm able to filter that through who I know them to be. I know we would like things to be easier and more straightforward with AI, but I see no reason why it might be so. Whether we like it or not, what we're going to get from AI will just be another opinion.

1:59:13 - Leo Laporte
A couple of things I would add to that. First of all, the AI didn't bumpers put in to keep it from answering controversial questions. That's just a human saying no, no, no. If it says this, don't answer it. The AI would give you an answer. I don't know what the answer would be, but it would give you an answer. The other thing I would say is this is exactly what Timnit Gebru, margaret Mitchell and others who were working in Google's ethics department at the time until they were fired for this, said in a paper called Stochastic Parrots, where they talked about the problem with AI is because it's coming from a computer.

People give it more weight. They assume oh, computer, so it's smart, so it's going to be right, and that's, of course, a mistake, right? And? And really, if you ask the same ia, this ai, the same question several times, it will give you different answers each time. It's designed to do that. So, uh, yeah, it's more a question of us understanding, and I think the term artificial intelligence is part of the problem understanding what it is we're playing with. Yeah, and it's more a question of us understanding, and I think the term artificial intelligence is part of the problem understanding what it is we're playing with.

2:00:33 - Steve Gibson
Yeah, and it's not intelligent at all well and we've been using the term forever.

2:00:39 - Leo Laporte
You know, I, when I was in high school, I was at the ai lab at stanford university well, it wasn't you know, yeah and so like, okay, that's nothing like what we have today so, although you know it's really interesting, I just read an article, a really good article, about feifei li, who was one of the early researchers who believed in neural networks, and this was 20 years ago and the entire ai community had said now you know, you know what, we've tried them, they don't work. And she persisted, spent two years inputting something like 20,000 or 30,000 images into it and created an image recognition program that worked. I remember we interviewed the people at the University of Toronto when I was up at Call for Help in Toronto about this image recognizer. This was what inspired Jeffrey Hinton and others later to continue on with the AI, in fact using neural networks and other techniques that we see today.

So even this AI winner, there were people out there who had ideas that made sense and worked but, for a variety of reasons, didn't get a chance to try it out. It's been an up and down thing. There are people who say today, a lot of people seem to know what they're talking about. Agi is close, like within a few years.

2:01:57 - Steve Gibson
Yeah, actually I think that's our topic for next week, Is it? Oh good, yeah, because Sam Altman has just gone on record he's a hype master. I know, but there was enough meat in the discussion that I thought it would be interesting to share that.

2:02:14 - Leo Laporte
I've been dying to hear what you have to say about this. Oh, I can't wait.

2:02:17 - Steve Gibson
I'll look forward to that so john torsi, or wait, tor tor, john torrisi torrisi, he said hi steve. As someone who's been in security for over 20 years, I have found myself constantly overthinking anything that would result in lowering security, which could lead to a breach or intrusion. As a keen home automation tinkerer, I have numerous devices he sounds like you, leo, probably over 100 at home for controlling everything from lights to fans, to monitoring solar, etc. Etc. He says, all partitioned off, of course, with VLANs, multiple firewalls, separate SSIDs, etc. One of my biggest conundrums, though, is how do I expose the controller, for example home Assistant, to the internet so I can access it when traveling around? I have a fixed IP, so that's fine, but I really don't like exposing this type of software directly to the internet. At the moment, I connect using OpenVPN. That's fine, but this means I need to turn it on and off every time I want to do something, which is a pain, but this means I need to turn it on and off every time I want to do something, which is a pain. I have also thought about an overlay network, but need to research a bit more on data usage, as it will be used primarily from a mobile device and hence limited data. Anyway, going back to the main thread, I know security by obscurity can be somewhat effective in a layered approach. So what are your thoughts on using an IPv6 address rather than IPv4 for inbound traffic in these scenarios, as it's much harder to do full network scans across IPv6 address space compared to IPv4?

Long-time listener and SpinRide owner from Australia. Keep all the great work, great work you, leo, and all the team do over there at twit. Thanks, john. Thank you, john. So the problem John has is, as we were talking about earlier with sonology is a problem Many people are having, you know. This is why those one to 2 million sonology photo sharing services were exposed or are currently exposed and vulnerable. Hopefully they're getting patched. No one appears to have created a solid solution for this because developers keep believing, as I noted before, that they've just found and fixed the last problem that they're ever going to encounter. So you know right, sure, go for that.

What we still need is a clean and efficient means for remotely accessing the devices within our networks at home when we're out roaming. So John's wondering about the security of hiding his devices within the larger 128-bit address space afforded by IPv6. He clearly understands that such a solution is only offering obscurity at best. So I suppose I'd say that doing that would be better than doing nothing. But that also requires IPv6 addressing support at both ends, and the trouble is that it's not as if he gets to pick any 128-bit address at random from all possible 128-bit addresses. Isps are allocated well-known blocks of IPv6 address space and they generously hand out smaller blocks of 64K 16 bits of IPv6 addresses per subscriber. So it would still be possible for bad guys to target any ISP's range of known addresses and scan across that space. Given the massive scanning power of today's botnets, discovering open ports located within an ISP's assigned IPv6 space would not be prohibitively difficult. Would not be prohibitively difficult.

John mentioned the use of an overlay network such as Tailscale, zerotier or Nebula. I think those solutions are about as close to the perfect user-friendly solution as exists today. They all support all major desktop and mobile platforms, as well as popular open source routing software such as PFSense, opnsense and others. So an instance could be installed in an edge router to provide extremely secure connectivity to any roaming devices. Secure connectivity to any roaming devices. Or, if you prefer, docker can be used to install, for example, zero tier on a Synology NAS. Once you have an instance of one of these terrific solutions running on something at home. You can have secure connectivity to that network from any roaming laptop or smartphone and there's no indication of excess network bandwidth consumption.

Since all of these solutions are economical in their overhead and the way they work is exactly what you want, you simply have that client running on your smartphone and when you, when, when an app you have wants to connect to for example, home assistant, presumably you you use a, a web browser, and and you give it your home ip, or maybe you you have um done, dine, dns set up so that your home ip has a public DNS. You go to that DNS, you know colon, and then the port number and the traffic that is routed to your home only goes over the overlay network. I mean, it is like it is the perfect solution. It's, you know, not everybody's going to use it, because you know it's the kind of thing that our listeners will use. It's not as simple as you know Synology saying oh look, now all your friends are able to browse your photos. You know that you stick in the public photo sharing folder or whatever you know using your home NAS, your home NAS. That'll never be safe, but it is definitely possible to use an overlay network like tail scale, zero tier or nebula to successfully get what what John wants, alan.

Our last bit of feedback says Steve, congratulations on 1000 episodes of security Now. He said on 1,000 episodes of Security Now. He said. I listened to the first episode during my first year of college for computer science while donating blood plasma for money to buy a second monitor.

2:09:23 - Leo Laporte
Wow, that's dedication.

2:09:25 - Steve Gibson
Now I am a senior software engineer at Google, where I have been for nine years, nice. I've listened to every episode within the week it came out. Your podcast was at least as useful to my understanding as my bachelor's degree and in many cases your early podcasts helped me understand that material in my classes much more deeply.

Thank you for all your years making security Now, alan that is so beautiful, and so to Alan and to all of our many listeners who have recently written something similar and I actually have something else that just came in this morning I'll share next week. That was really, really wonderful. No-transcript. This podcast has developed over the years. It has been one of the major features of my life, and I'm so glad that you, leo, thought to ask me 20 years ago whether I might be interested in spending around 20 minutes a week to discuss various topics of Internet security. Just look what happened. Oh, my goodness. So thank you, leo, for making this possible.

2:10:59 - Leo Laporte
Oh, thank you, Steve. Let's see where the next 1,000 will take us.

I just provided you with the platform and you took it from there. It's been really amazing platform and you took it from there. Uh, it's been really amazing. Our uh web engineer, patrick delahandy, posted some statistics, um about, uh, the show. He said, the shortest show we ever did. Do you remember this? We did like an extra thing that was three minutes. I think it was like an update of some kind. I can't remember why, but we had to do an update for some reason, so I guess that will always be the shortest show, or that there wasn't a whole lot in it. I'm trying to scroll back and see if I can find his post. And then he said the longest one we did, I think was close to three hours. It was two hours and 57 minutes. Wow, yeah.

2:11:46 - Steve Gibson
I didn't know that we actually actually I thought that week or two ago was that that was two and a half hours and I thought that one was the well there's always the outliers.

2:11:56 - Leo Laporte
You keep it to two hours. Pretty nice, I think that's a target.

2:12:00 - Steve Gibson
I think that's a reasonable uh time. Uh, we've got a couple listeners who complain I, I don't have two hours to spend.

2:12:08 - Leo Laporte
It's like well, okay, don't listen to the whole thing then yeah, nobody's making you. It's not like you have to. My attitude's always been give people usually you know you're supposed to give them less than they want and my attitude towards podcasting is as long as it's longer than your commute you don't want it to end halfway to work and we know how people feel about those YouTube shorts.

2:12:33 - Steve Gibson
We don't want to be accused. There you go.

2:12:34 - Leo Laporte
We don't want to be shorts. No, we're longs. Yeah, in the early days of Twit, I tried to keep everything under 70 minutes because people were burning the shows to CDs and that was the maximum length of a CD, right? Yep, I don't worry about that anymore. As you probably know, I think we are now on almost all of our shows. Two hours is the shortest that I do. Almost all of them are two and a half to three hours. So you, you actually, uh, have the honor of hosting our shirtish show.

2:13:13 - Steve Gibson
My shirt congratulations and, dare I say, most focused yeah, very focused and we love that.

2:13:20 - Leo Laporte
It is easily the geekiest show we do and I say that proudly. I think that we try to serve a broadish audience because I don't want people to say, oh, I don't understand anything he ever talks about. But at the same time we also want to serve the hardcore person who really gets this and really wants to know deeply what's going on.

2:13:49 - Steve Gibson
Well, and we do have listeners who write and say well, I think I understand about 15% of what you guys talk about, but I like it. I don't. I'm not sure what it is, but it, you know, it makes me feel good and I always get a little something it's like okay, great.

2:14:05 - Leo Laporte
Yeah, that's okay too. I mean, I've often thought of what we do is aspirational. Um, I was. There's a good documentary about martha stewart, uh, on netflix right now. It's actually fascinating. I would watch it, even if you're not interested in martha stewart. But people said about her and her magazine nobody can live that way, nobody can be that perfect. You're setting too high a bar. She says it's aspirational. Everybody might want beauty in their life and want to be able to have that. Everybody wants to understand what's going on in the world of technology, and if you don't understand it all, you will Just keep listening, right? Yep, steve, it has been my great honor to know you and work with you for more than 30 years. I can't believe it's been 30 years.

2:14:49 - Steve Gibson
It doesn't feel like that at all, and that's the good news, because you know, we're only at 1,000. Yeah.

2:14:57 - Leo Laporte
Look, we're going to keep doing this as long as we can, but I am so honored and thrilled that you were willing to do this way back then and continue to do it. I know it's a lot of work. I'm very aware of how much work you put in. It's a lot of work, but I'm happy to do it. Yeah, here's Patrick Delahanty's note. I found it. The shortest episode of Security Now was four minutes and 12 seconds. That's this one. Security Now 103 SE Vote for.

Steve, do you remember that that was? You were trying to win the podcast awards oh, right, right, the podcast awards. And I think you did didn't you?

2:15:36 - Steve Gibson
We won the first several years of podcast awards, yeah.

2:15:38 - Leo Laporte
Yeah, Well, and rightly so. And then the longest episode and I have the receipts to prove it three hours and 57 seconds. But it was a best of, so you don't have to take credit for that, ah thank goodness I can't imagine I would have participated in that I would have been on the floor. Yeah, well, the reason was there were so many good sections, segments, in 2018, we couldn't do less than three hours that's neat.

Yeah, so that's. That's good, that's fair. I think that's okay. Steve, thank you, uh from the bottom of my heart for continuing on. I would have been bereft sitting here uh on this tuesday afternoon without a security now, and I know I'm not alone on that. So well, thank you for all the work. You so much work every week. There's no end in sight.

2:16:26 - Steve Gibson
Uh, they used to be saying our listeners were saying to 999 and beyond. Now I think it's going to be to 1-9-9-9 beyond?

2:16:35 - Leo Laporte
how about 9-9-9-9? How long would that take?

2:16:39 - Steve Gibson
200 years, yeah, I don't know I'm feeling great, but uh all I, as I said, I I do believe in a rational universe.

2:16:51 - Leo Laporte
But wait, maybe we're laughing now, but somebody in the future will be listening to AI. Steve, that's true, and episode 10,000.

2:17:01 - Steve Gibson
I'm sure you could dump all the transcripts into an AI and say, ok, give me the last week's news, as Steve would present it Totally.

2:17:13 - Leo Laporte
You could probably do that now, probably could do that now, but certainly before we're done with the second 20 years. Steve bless you, thank you.

2:17:26 - Steve Gibson
Thank you, my friend.

2:17:26 - Leo Laporte
You're all eternally grateful and we will see you next week.

2:17:29 - Steve Gibson
On to 1001. Next you. Thank you, my friend, we are all eternally grateful and we will see you next week On to 1001. Next week, bye. 

All Transcripts posts