
Security Now 1014 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here. We're going to talk about Apple, I don't know, giving in on the UK request for a backdoor. Maybe they were playing 3D chess. Steve has some opinions. We'll also talk about why it might be illegal to pay that ransomware, how the Spanish soccer league is blocking Cloudflare and causing quite a bit of a mess, and then why your apartment building access control system might not be all that secure. It's all coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, Episode 1014, recorded Tuesday, February 25th 2025: Freedom Administration Login. It's time for Security Now, the show where we protect you and your privacy and your security online. Did I say we? Pardon me. He protects you, Mr. Steve Gibson, the man of the hour.

01:14 - Steve Gibson (Host)
You are inseparable from the podcast, from the network, from you know yeah, but in this case it will not go on without you I am a member of the audience in this case.

01:23 - Leo Laporte (Host)
Stick around. I listen to Steve and I hope you all do what's coming up this week.

01:29 - Steve Gibson (Host)
So I stumbled upon a. It started off as just a regular sort of like security announcement, but the more I looked into it, the more astonishingly. Wow, too much caffeine the more.

01:50
I was astonished that anybody could be producing a system like this, and it is something that our listeners are going to be able to experience for themselves the astonishing insecurity of almost ironically an access control system whose own access control just fails just miserably. Anyway, the title of the podcast is that Freedom Administration Login, which we're going to have a lot of fun with when we get to it. But first we've got the news that actually we sort of did a preview of it last week. In this case it's Apple disabling the advanced data protection for new users in the UK and eventually all users, although they're not saying when and they're not saying why they're not doing it yet.

02:48
Anyway, my take on it is a little bit different than everybody else's. It looks like I'm probably going to be wrong, but I'll share it nonetheless. We also have the news that we've been talking a lot recently about paying ransoms, like, oh, we've got these groups and those groups and we've got attorneys and we've got people who specialize in all this. Turns out paying a ransom, we should remember, is often illegal. So, oh, interesting, there's that. Yeah, um, also just a random piece about, uh, X blocking Signal.me links.

03:22
Um, Spain's soccer league has blocked an IP of Cloudflare. Unfortunately, they got much more than they bargained for when they did that, causing a big mess. We have two new and exceedingly rare vulnerabilities in OpenSSH, which is widely regarded as one of the most well-designed and most secure, thank goodness, open source projects that exist. But whoops, a problem was found, not end of the world, but worth looking at. Also, the US seems unable to evict Chinese attackers from its telecom systems. We've had a senator recently suggest what we should do in response, because, as if saying we can't. It's like what? What do you mean, we can't? And, you know, speaking of that, what are they doing to get in? What is Salt Typhoon? Is it some, you know, some mastermind strategy? Turns out not so much, and our listeners will not be surprised to discover how China is getting into our networks. We have, oh, Lisa, Leo.

04:36 - Leo Laporte (Host)
You call me Lisa.

04:37 - Steve Gibson (Host)
Hello, by far, I'm not confusing you, by far the largest cryptocurrency heist in history, which occurred just four days ago, on Friday. We have an ex-NSA, well, the ex-NSA head suggesting that the US is actually falling behind on the cybersecurity front lines. We have, last week I put it out to our listeners to come up with an alternative term for backdoor. The replacement term is a good one, suggested by many of our listeners. It does exactly what I was hoping it would do. It is both accurate and clear. We'll touch on that and then, as I said, we're going to look at a pathetic access control system that just begs to be hacked, and it will be, maybe even by some of our own listeners, although not maliciously, maybe to help the poor schlubs who have purchased this thing and have just everything wide open.

05:51
Yeah, you poor schlubs, you schlubs. And we've got a great, great picture of the week. A common theme, but a variation on that theme, a new entry into the ever popular Where There's a Will, There's a Way contest.

06:06 - Leo Laporte (Host)
Oh, that sounds like fun. That's the ones where you should be careful not to electrocute yourself, yeah, yeah, or fall off. Or I've had some great feedback about this.

06:17 - Steve Gibson (Host)
I did the mailing to 16,363 of our listeners last afternoon and a bunch came back and said, now this one is what I would not have thought of. Nice.

06:30 - Leo Laporte (Host)
You have more subscribers than we have Club TWiT members. That's actually shifted. For a while we had more Club TWiT members. You've had so many subscribers. And if you are a subscriber to this show and you're not a Club TWiT member, I must ask, ask, why not? Don't you want to support the wonderful Steve Gibson? twit.tv/clubtwit. It should, they should, there should be rough parity between those numbers. I think you care enough to subscribe to the, you know, or?

07:00 - Steve Gibson (Host)
Email Steve. Anyway, my email list subscription is free. So there's that. Steve, how much is a venti triple quadruple? I let the secret out last week: nine dollars and fifty cents. Okay, so we're less for one of my quinti venti lattes.

07:18 - Leo Laporte (Host)
We're less than a quinti venti latte at Starbucks once a month. That's all. That seems like a fair deal. You could keep the $2 and buy a cup of regular coffee. How about that? Our show today, brought to you by, I'm just teasing, brought to you by Zscaler. We love Zscaler.

07:36
They're doing something we've talked about a lot on this show, zero trust. That's made them a leader in cloud security. You know, the problem is clear. I mean, we all see it. Enterprises have spent billions of dollars on firewalls, you know, perimeter defenses and VPNs, but has it helped? No, breaches are going up like crazy, an 18% year over year increase in ransomware attacks, a $75 million record payout in 2024. Although, since Steve says it's illegal to pay ransomware, I think that number is secretly probably an awful lot higher than $75 million. I mean, we don't have to debate that. It's clear.

08:16
The traditional security tools most people use don't help. In fact, they are expanding your attack surface. Those VPNs have public-facing IPs that are exploited by bad actors and now, more easily than ever, they're using AI to generate their malware tools. And, of course, what happens if a hacker penetrates your extra strong perimeter defenses, often using a VPN? In fact, we just had a story last week about that breach we talked about last week. They used a VPN to get inside the perimeter defenses and once they're in there, there's nothing to stop them from going everywhere, looking at every nook and cranny, exfiltrating privileged customer information, your emails, things like that. It's a nightmare because VPNs and firewalls don't stop lateral movement. They assume that if a user is connected to the network, hey, they have carte blanche. And then, of course, they exfiltrate all that stuff encrypted, and the firewalls have trouble inspecting that encrypted traffic. And well, you can see, it's not a good situation. Hackers are exploiting traditional security infrastructure like that, using AI to outpace your defenses. But there is a better idea. There's a better way. It's time to rethink your security. We can't let these bad actors win.

09:34
You need Zscaler Zero Trust Plus AI. It stops hackers by hiding your attack surface. There's no public IP address anymore, so apps and IPs are invisible. There's nothing for them to hang their hat on. Also, even if they do get in, it eliminates lateral movement because users are only connected to specific apps, never the entire network. It doesn't assume just because you're in the network, you can do anything you want, and Zscaler continuously verifies every request based on identity and context. It's like a watchdog. You know that junkyard dog watching your stuff, making sure nobody gets access to it unless you say it's okay. Zscaler simplifies security management. It has AI-powered automation and they use AI to analyze over half a trillion daily transactions, most of them fine, but looking for those needles in the haystack, the malicious attempts, detecting them and stopping them

10:32
cold. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust Plus AI. You can learn more at zscaler.com/security. That's zscaler.com/security. We thank them so much for their support of Security Now, and you support us, of course, when you use that address. That way, they know you saw it here. zscaler.com/security. Steve, I have not looked ahead. I have not seen the picture of the week. Should I scroll up now?

11:03 - Steve Gibson (Host)
It's a good one, as I said a new entry into the ever popular oh dear.

11:10 - Leo Laporte (Host)
This does not look like a good idea at all. Holy moly. I like the way he's managed ground. I guess that's what he's doing with his screwdriver.

11:20 - Steve Gibson (Host)
Yep, that's exactly right.

11:48 - Leo Laporte (Host)
He doesn't have one. That, yes, yeah, so.

11:55 - Steve Gibson (Host)
So we've seen before in similar pictures where, you know, somebody used fingernail clippers to jury rig connecting an American outlet or American plug to European outlets or, thank God, laptops.

12:11 - Leo Laporte (Host)
Now all use USB-C, and you can tell this is a vintage picture. Look at the cell phone in the corner.

12:18 - Steve Gibson (Host)
This is a different era, thank God. So this person was determined to, you know. The battery ran down on his laptop. It's like, okay, I gotta plug this in, gotta work. But the adapter he has is the right voltage, but it's the wrong connector. I hope it's the right voltage. Oh yeah, that you want, you definitely want to make sure of that. But those various connectors, there are some standards, but they're weak standards, and they have different numbers of millimeters of, like, inner and outer diameter.

12:48 - Leo Laporte (Host)
I used to have a kit with all the different tips. Right, remember that Right.

12:52 - Steve Gibson (Host)
Exactly so. It looks like we have a situation here where he does. He's got the wrong tip for his laptop, but he's like that's not deterring him. So he's got a screwdriver stuck into the VGA output, wedged in there in the case, in order to obtain system ground. He's got the power adapter outer barrel, which is chrome, pulling against the screwdriver. So the ground of the AC adapter is connected to the shaft of the screwdriver, which then goes to the VGA shell to get ground. Then a paper clip has been opened up and stuck into the center of the coax of the power adapter and then he's got a white piece looks like a piece of insulation because he needs somehow to get the. He needs the opened up paper clip to go into and connect to the center pin of the power connector in the laptop without touching the edges, which of course is ground I bet he thought he was really smart doing that.

14:10 - Leo Laporte (Host)
I bet he I would.

14:11 - Steve Gibson (Host)
I would argue that this guy gets an award, leo, because the laptop is powered up against all odds of of this just, it is you can tell it's working.

14:24
Well, yeah, I mean, here it is. He took a picture. He was so proud. It's like look what I did, look what I did, mom, it works, it works. Yeah. And I can tell, looking at it as an engineer, yes, this would work. It's you know, it's not going to survive an earthquake of any significance, but, yeah, I would. I. I think this is great, this is very clever.

14:43 - Leo Laporte (Host)
Don't do this at home. Where there's a will, there's a way. Yeah that's awesome by the way, they're telling me in the chat that's not a cell phone, that is a cordless landline.

14:53 - Steve Gibson (Host)
Yeah, that looks although still the laptop's got some. It looks like that weighs.

14:58 - Leo Laporte (Host)
It's got some, oh, yeah, to it. So you don't see VGA. I'm thinking it's a ThinkPad. You don't see VGA.

15:03 - Steve Gibson (Host)
You're not seeing a VGA output on there, like natively on the laptop. Yeah, this is, you don't see ports like this anymore at all, and there is microphone and headphone jacks there in the foreground, so it does sort of date it. Yeah, oh, this is good. Nice, nice picture. Thank you.

15:21 - Leo Laporte (Host)
Nice piece of work, great picture. Thank you, Steve.

15:24 - Steve Gibson (Host)
Okay, so I took Apple's decision as good news. Now, better news would have been for the UK to have decided to back off from their demand that Apple arrange to provide access to the encrypted, stored iCloud backup data of anyone anywhere, for whatever purpose they might have, but that hasn't happened, at least not so far. Apple took the next step in what I'm hoping is a bit of a dance, and that had to happen one way or another. I feel that this is the issue we've been perched on here for several years now. One way or the other, the world needs to work out this issue about governments believing that they have the right to breach the privacy of anyone they choose, when they choose. The question is, do they or don't they? This has been brought to the fore because the technology we have now prevents that. We have the technology, and Apple has implemented it, where there's just no way for Apple or a government to access data which has the, as Apple puts it, advanced data protection. You know, all of the possible protections turned on.

16:58
BBC News reported that ADP stopped being an option for new users starting at 3 pm UK time last Friday. Other outlets have subsequently confirmed that ADP is no longer an option for new users in the United Kingdom. In response to the news, our Johns Hopkins cryptography professor, Matthew Green, posted on X. He said, quote, If you're not in the UK, you should turn on ADP now. The more people who use it, the harder it will be to shut it off this way.

17:26 - Leo Laporte (Host)
I was about to turn ADP on Then I thought well, that just puts a big target on my back right.

17:31 - Steve Gibson (Host)
That just announces Maybe it means that you're being counted as somebody who like you're exactly.

17:39
It is a vote. Okay, so no one in the UK can now activate advanced data protection, and existing users will be disabled at a later date. Now that's the thing that I sort of found interesting. My own opinion is that this is Apple intentionally not yet dropping the other shoe. It's an incremental move which allows them to wait to see what the UK chooses to do next. There's little doubt that this move has been forced upon Apple and is not going to be widely embraced with great joy, I would think, among the UK's voting citizenry. You and I, Leo, were talking about this before we began recording. Your take is, you know, are people really going to care that much? And, you know, I mean, as evidenced by the fact that most people don't have it turned on. No, it's kind of hard to turn it on and you lose some features.

18:37
I would like to have it turned on. I can't. As I've said, I've got too many legacy Apple things around here that I'm still wanting to use, and you have to have more modern hardware in order to be able to turn it on, because it has to be on universally on every device logged into that account or no one gets to play.

18:56 - Leo Laporte (Host)
Yeah, Right now my son has a laptop that he hasn't updated and I can't get rid of it because it needs his password to remove it. So I'm kind of stuck.

19:07 - Steve Gibson (Host)
So the UK's parliament now realizes that if Apple is also forced to take the next step which they haven't yet of disabling all existing ADP enabled encryption across the UK, that's going to have a far greater negative impact, with the UK's politicians being directly blamed for forcing Apple to take away privacy guarantees that those citizens of the UK previously enjoyed.

19:40
And right. They're going to be singled out. Other people at world you know the world over get to have this, not people in the UK. So since enabling ADP is something that one needs to do deliberately and, as we said, it can be a little, you know you have to work at it in some cases it will be those who most want it who will be having it removed. Now I'm sure Apple is holding out hope that that won't be necessary. If this first move by Apple is sufficient to have called the UK's bluff, you know to very clearly demonstrate that it's not joking about this and that it will proceed with removing all remaining iCloud ADP encryption, and only then for disadvantaged UK citizens, then Apple can avoid backtracking on existing encryption and can simply resume allowing those who want to turn it on to do so. I don't know what's going to happen, but I'm sure it's quite clear to everyone now that Apple holds all the cards here. I mean they can be forced to turn it off, but then they're just going to disadvantage UK citizens. The BBC's reporting said. They wrote it is not known how many people have signed up for ADP since it became available to British Apple customers in December 2022.

21:09
Professor Alan Woodward, a cybersecurity expert at Surrey University, said it was, quote, a very disappointing development, unquote, which amounted to, quote, an act of self-harm by the government. He told the BBC, quote, all the UK government has achieved is to weaken online security and privacy for UK-based users, and that it was naive, he said, of the UK to think they could tell a US technology company what to do globally. Now, opinions on this are mixed. However, the BBC reported that online privacy expert Carol Robson said she believed it was, quote, unprecedented. Well, she's right. For a company, quote, simply to withdraw a product rather than cooperate with a government, unquote. And, of course, we know it's unprecedented, which is precisely why the world has desperately needed this precedent to be set. We don't know which way it's going to go. Robson told the BBC, quote, it would be a very, very worrying precedent if other communications operators felt they could simply withdraw products and not be held accountable by governments. So of course, that's a different take than we have. I don't think there's anything worrying about it. This is precisely what Apple needed to do, and we already know that

22:38
Signal and others have said they would follow in Apple's footsteps. Yeah, I don't know. What can Signal do? They can't. There's nothing they can do except to leave, if the UK says you must build, you know, a means of monitoring your users into your product. The BBC said, meanwhile, Bruce Daisley, a former senior executive at X, then known as Twitter, they wrote, told BBC Radio 4's PM program, quote, Apple saw this as a point of principle.

23:12
If they were going to concede this to the UK, then every other government around the world would want this too, and that's a really good point. My feeling is we could not ask for a better test case setup than what we have. New users are being told they can't have something that they may want. Existing users are at risk of losing it. So your move, uk.

23:44
Now, of course, there is a downside and dark side to this which tempers my enthusiasm. What if the democratically elected politicians within the UK decide that they know better than their own citizens? What if they shrug off this first step toward Apple's removal of ADP, forcing Apple to take the next step of requiring all existing UK users who have ADP enabled to disable it? What then?

24:15
So some other reporting on this quoted Mike Chappell, an IT professor at the University of Notre Dame's Mendoza College of Business and a former computer scientist at NSA. He noted that this episode illustrates quote one of the fundamental flaws in government efforts to undermine encryption. Faced with having to choose between security and complying with government regulations, companies like Apple tend to remove security features entirely. And here's the worry Chappell noted that quote the net effect is reduced security for everyone. If other governments follow the UK's lead, we risk a future where strong encryption is functionally outlawed, which puts all of us at risk of not just government surveillance but also to eavesdropping by other bad actors.

25:12
So, in other words, I've been assuming, hoping, that the UK's elected parliament would lose this fight with Apple and their own citizens, and that the rest of the world would take note of that. As I said last week, France is getting ready to push some of their own legislation forward to the same end. But maybe I'm the one who's being naive. We learned that people don't really care all that much about encryption so long as they're able to check out how many likes they've received, and that they're fine with trusting their government to do the right thing. I know obviously on this podcast we're focused on these issues. Maybe most people aren't. We need to accept that this Apple UK standoff might very well break in that direction, and that other governments would then learn exactly the wrong lesson and immediately make similar guarantees or make similar demands, thus forcing a general global retreat on all encryption privacy guarantees.

26:20 - Leo Laporte (Host)
So this is like glasses half full, half empty, I guess. Right, because I have a completely different take. In my view, Apple capitulated and the UK government got most of, they didn't get all what they wanted, but they got most of what they want, which is there's no end-to-end encryption available from Apple in the UK. So how is that a win for Apple or anybody else? You can no longer do end-to-end encryption in the UK, right? That seems.

26:49
That strikes me as a capitulation on Apple's part, and this is probably just the first shoe to drop on the UK's part.

26:57
Well, you're assuming there's going to be some from everybody else. Yeah, you're assuming that the British citizens are going to stand up, say, no, I want my ADP, but they're not going to do that. They're not going to do that because, as you point out, people aren't even aware of the issue. Uh, and I think what this is going to give is a license to every other government to do this, exactly the same thing. Oh good, Apple was glad to back down on this. Apple will turn off ADP. It's as simple as sending them a secret letter saying we want a back door. They don't need a back door anymore in the UK. They don't need a, they have, they've always had a back door into iCloud. Right, right, I mean it's.

27:34 - Steve Gibson (Host)
It's a legal back door. They have to subpoena it, but right, as long as you don't have ADP turned on, there is a means by which Apple is able to comply with the demand from the UK courts, whereas with it turned on, Apple is unable to comply. I mean, they're able to honestly say, you know, on the stand, we're unable to give you what you want.

27:57 - Leo Laporte (Host)
This is what scares me. This is what I thought would happen, which is that governments are eventually going to tell people, no, you cannot provide end-to-end encryption to your customers. And when Apple says okay, fine, that sounds like a capitulation. So what could they have done? Or nothing, I mean, what is this? Inevitable? They have to withdraw from the UK is the only thing they can do? Encryption or their product? Yeah, they can't completely withdraw and, by the way, that's not unprecedented.

28:23 - Steve Gibson (Host)
Google withdrew from China and Apple has mostly withdrawn is the only thing they can do.

28:25 - Leo Laporte (Host)
Google withdrew from China and Apple has mostly withdrawn from Russia for similar reasons. Wow, but yes, you're right. I mean, look, we know Apple's not going to withdraw from the UK.

28:40 - Steve Gibson (Host)
That's not going to happen. No, no. And the other thing is that this is sort of a fuzzy line. So is it a phone registered by a UK citizen? What about them traveling out of the UK? What about a US citizen? This is why I said Apple partly capitulated.

28:57 - Leo Laporte (Host)
The request from the federal, from the UK government, of course, and again, this has never been published, is everybody globally, not just citizens.

29:06 - Steve Gibson (Host)
We want a backdoor to all ADP accounts globally, including for US citizens. Well, all iCloud backup storage, you know. Yeah, yeah, yeah, they want you to, they want it. Oh, very good point.

29:20 - Leo Laporte (Host)
So, so Apple didn't comply fully. Apple only did it in the UK. Yes, in the UK.

29:23 - Steve Gibson (Host)
Yes, they can't get yours. Well, they can get yours and mine, because we don't have ADP turned on, but they can't get any non-UK person.

29:33 - Leo Laporte (Host)
Well, truthfully, we don't need it. But what I worry about is the dissidents, the political opposition, political leaders, intelligence agencies, all of these people, if they want to use an iPhone, and they want to use iCloud should be using ADP Strong encryption.

29:51
Right. Now, we talked about this on MacBreak Weekly, and it is possible to use an iPhone without iCloud, and that's what you have to do if you want to be private at this point, is you turn off iCloud backup. You just don't use iCloud, because Apple has the keys, just as Google has the keys to Google Drive and Microsoft has the keys to Microsoft's, uh. And I think we did learn that when you turn off iCloud backup, within a short period of time, it's a hell out of you, Apple.

30:17 - Steve Gibson (Host)
Well, yeah, there is. What do you mean? You're not back in it? Wait, I took a picture with this and it's not over here.

30:24 - Leo Laporte (Host)
It's like me. No, Apple will delete.

30:27 - Steve Gibson (Host)
You were going to say I think Apple will delete it. They will scrub your data from the cloud.

30:30 - Leo Laporte (Host)
It's going to be a while, though, and we have to trust that they're going to do that. That's another thing. They might not. How would we know? Oh, it's Apple, though they want to. Yeah, I don't think they want to store it.

30:47 - Steve Gibson (Host)
No, that's why ADP exists, because they wanted a way to say to governments no. Yes, and that works. And, essentially, it brings them to parity. Remember that Android has had this. Android has end-to-end encrypted cloud backup for a while now. Yeah, and it's on by default. What we don't know.

31:03 - Leo Laporte (Host)
This leaked out through I've, and I wish I could.

31:06 - Steve Gibson (Host)
I've forgotten which was it. Bloomberg? It was the Washington Post that first. Was the Post? Yes, so the Post found it.

31:12 - Leo Laporte (Host)
It was then confirmed by several other sources. But this is, uh, the equivalent of our national security letter in the US, right. The government can request this, and the rules are, you can't say that the government's asked for this. So Apple never said, oh yeah, we got.

31:27 - Steve Gibson (Host)
They just turned off ADP. Thus the existence of the warrant canary. It's a warrant canary in effect, where, you know, if we stop telling you we've never received a warrant, then, uh, draw your own conclusions.

31:41 - Leo Laporte (Host)
So the question is did, and why wouldn't they, the UK government, also send this to everybody else, Google and Microsoft, and so Signal? And why haven't we heard from those parties? They're, by the way, enjoined from saying anything about it as well. Yeah, you know, if you're going to obey the law, you can't say a word about it. And again.

32:01 - Steve Gibson (Host)
This is why, regardless of what happens, I'm, you know, this is what we've, this is, everything has been building to this for the last several years. I just fear it's not going in the right direction.

32:12 - Leo Laporte (Host)
It's now. See, I changed your mind.

32:18 - Steve Gibson (Host)
It's half empty, Steve. I'm an optimist. I want, I want the good guys to win.

32:25 - Leo Laporte (Host)
I, uh, yeah, well, you better, darn well, make sure you get some, uh, end-to-end encryption, uh, on your stuff and, um, and start thinking about this, if you want to. Well, and if Apple is just the first target, then we're, then the other chips are going to fall, right.

32:41 - Steve Gibson (Host)
I mean, and by the way I look.

32:43 - Leo Laporte (Host)
I don't want to get political on this, but do you think Kash Patel will hold back in any way?

32:53 - Steve Gibson (Host)
Uh, the new director of the CIA, he's, I mean of the FBI. Yeah, uh, or Bongino, whatever. Hold back in complying with the UK? Or no, the FBI is going to go full speed ahead.

33:07 - Leo Laporte (Host)
And do you want the FBI?

33:09 - Steve Gibson (Host)
And demand the same thing from Apple. This is a weapon.

33:11 - Leo Laporte (Host)
We now have a weaponized law enforcement in the United States. This is the time to download some secure encryption and start paying attention to your privacy, because law enforcement's going to go after their enemies and, frankly, I'm probably, if they knew about me, I would be one of them. Not Steve Steve's no, steve's a good guy. He would never. I'm going to shut up right now. Go ahead.

33:37 - Steve Gibson (Host)
I'm just glad I'm not a teenager now. Leo, what?

33:40 - Leo Laporte (Host)
A world to grow up in. The history would be written differently, because I got myself into some trouble with.

33:47 - Steve Gibson (Host)
You know, escapades, but boy, I didn't have the internet to tempt me, so I'm glad for that. Uh, let's talk about our sponsor who's going to tempt our listeners. Oh, and I'm going to sip on that nine dollar and fifty cent latte now. There are other ways you could spend that money.

34:05 - Leo Laporte (Host)
Steve, I'm just saying you're, you're automatically a member of the club. Uh, is that what's in there? By the way, is it quinti venti?

34:14 - Steve Gibson (Host)
No, this is a smaller cup. It's only got three shots and I didn't, and I. You made it yourself? I made it here before the podcast, yes. So it cost you much less.

34:23 - Leo Laporte (Host)
Uh, our show today. Well, this is actually very timely. Uh, you might want to start thinking about getting some of the information that is already on the internet about you off. This show brought to you by DeleteMe. Have you ever searched for your name online? I don't recommend it. You will not like how much of your personal information is publicly available for anybody who's willing to search, and there's even more for anybody who's willing to pay a buck 50, less than that latte.

34:54
Maintaining privacy is not just a personal concern. It's a concern for your business. That's why we use DeleteMe, because we want to make sure that we don't get spear-phished. It's a concern for your family. DeleteMe has plans for individuals, businesses, families, many plans. Take a look. With DeleteMe's family plans, for example, you can ensure that everyone in the family feels safe online. DeleteMe for everybody reduces risk from identity theft, cybersecurity threats, harassment and more. We're very lucky.

35:26
We started using it with Lisa's data, and you may remember the Security Now where Steve and I searched the National Public Data breach database of hundreds of millions of Social Security numbers, found our Social Security number there, but then did not find Lisa's, because we've been using DeleteMe. See, DeleteMe's experts find and remove your information. I should have been using it, but I figured, hey, I got no secrets. I don't have any privacy, and no one is going to believe a spear-phishing mail from me, but they might from our CEO, and that's why it was so important to us to subscribe. DeleteMe's experts found and removed, and they'll do this for you, Lisa's information. They went through hundreds of data brokers. You can assign a unique data sheet to each family member, tailored to them, with easy-to-use controls. Account owners can manage privacy settings for the whole family.

36:21
DeleteMe does something that's really important, though. After that initial clean and scan, they will continue to scan and remove your information regularly, and that's important because every day there's another data broker. It's a very profitable business which, I might underline, is not illegal at all. It is legal in the United States to sell my Social Security number to anybody, the Chinese government, the FBI, marketers, it's legal. So this is why you need DeleteMe. They will delete addresses, phone numbers, emails, relatives' phone numbers, social media, property values, Social Security numbers and more. You need to protect yourself. We all do. Reclaim your privacy by going to joindeleteme.com/twit, and if you use the offer code TWIT while you're there, you'll save 20%. That's joindeleteme.com/twit, offer code TWIT, for 20% off. So an idea whose time has come, shall we say.

37:22 - Steve Gibson (Host)
I can tell you that people care who listen to this podcast. You know, I have the GRC.SC link shortener just to make it easy to refer people to things. The number one shortcut taken of all time was to the National Public Data breach. Just shy, eight shy of 13,000 clicks on that, so that was 12,992, that one. And to give you a sense, the second most popular is the credit freeze shortcut, and that's only got 3,630. Oh, so four times. Holy cow, the number of... I mean, people really did care about that National Public Data Group.

38:08 - Leo Laporte (Host)
Just because I don't. I'm like the canary in the coal mine. I'm the guy who's like take it all and let's see what happens. But that's just because I've been doing broadcasting for 50 years. I mean, how could I have anything to hide by this time? Nothing. On we go.

38:24 - Steve Gibson (Host)
So podcast 1012's topic was Hiding School Cyberattacks, two weeks ago, and last week we took a look at the latest rising ransomware-as-a-service startup. Well, they started last February, but still, they're now number one, and that's RansomHub. One thing we didn't touch on at all during either of those recent discussions was the question of the legality of all these ransomware payments that are being made. An editorial about this appeared in a recent Risky Business newsletter, which opened with a reminder regarding the legality of paying ransoms. The newsletter's author wrote: A recent CISA report and a series of tweets from Equinix's threat intel analyst, Will Thomas, clarified that quite a few InfoSec and adjacent cybersecurity experts are not fully aware that paying ransoms to a rising ransomware crew named RansomHub carries quite a high risk of breaking US sanctions.

39:33
The group, he reminds us, launched in February 2024 when it started advertising its ransomware-as-a-service offering in underground hacking forums. They got incredibly lucky because just three weeks later, law enforcement agencies across the globe dismantled LockBit, which was at the time the largest RaaS, you know, ransomware-as-a-service, platform on the market. Okay, now, just to interject here. What the editor meant about their being incredibly lucky was that RansomHub had established itself and its presence in the sector just as the current number one RaaS provider, LockBit, was being taken down. This left the RaaS affiliates without any base of operations. But, as luck would have it, the new kid on the block, RansomHub, just happened to be there to step in to fill LockBit's abandoned role. The editorial continues: Throughout the year, many of LockBit's affiliates slowly found their way to RansomHub. By the end of the year, the platform rose to become 2024's most active ransomware operation, with its leak site listing more than 530 victims. A CISA report published last August warned of the group's rise in popularity and increased operations.

41:04
But, as Will Thomas noticed, RansomHub also appears to have attracted some unsavory affiliates, namely the members of a cybercrime cartel known as Evil Corp. Evil Corp appears to have begun using RansomHub as a final payload around July of last year, dropping the ransomware onto systems previously infected via the FakeUpdates, which is SocGholish, botnet, per reports from both Microsoft and Google. Between late 2017 and 2018, Evil Corp previously developed and ran its own ransomware strains such as BitPaymer, WastedLocker, DoppelPaymer, Hades and PhoenixLocker. The group abandoned its own tools after it was sanctioned in the US in December of 2019, sanctions that forced companies to flat out refuse to pay ransom. They didn't have any choice, fearing that they would break sanctions and face the wrath of US authorities. Since then, Evil Corp has been jumping between different RaaS platforms as part of a clever strategy of hiding their tracks and as a way to avoid scaring their victims with the possibility of sanction violations. With a fresh new coat of both US and UK sanctions issued in October of last year, the risk of breaking sanctions in the case of a RansomHub infection is higher than ever. So they finish by saying: But still, the TL;DR here is that if you get hit by RansomHub, you better check with your legal team before even thinking of opening your wallet.

42:52
So, you know, we know that the rise of ransomware is entirely fueled by the prospect of the bad guys getting ransom payments. They don't care. The bad guys could not care less about any random enterprise's network insecurities, nor their databases full of proprietary customer crap. They couldn't care less. The only thing they care about is cash. And the realization that vulnerable enterprises do care absolutely about their own crap-filled databases and about them not being publicly exposed created today's modern ransomware nightmare. So the point being, if it was ever actually possible to pinch the cash flow,

43:46
the ransomware problem would slow down a lot. But, as we observed also last week, that just doesn't appear to be happening. I think what we're seeing is there are still enough companies that are able to avoid the problem of sanctions, for example, not in the US, where this is a problem, but are operating in countries either with loose regulations or not able to enforce sanctions and so forth, that are able to create this cash flow into the bad guys' wallets. This was kind of odd. I'm unsure why exactly the security and privacy industries are all up in arms over last week's news that X has started blocking its users from including links containing the signal.me domain. But I saw this like all over the place, and I don't even, you know.

44:47 - Leo Laporte (Host)
This is one of those things where, by the way, I just, to test it, just now posted my Signal address. Now I see it, uh, and I did get one person message me, but, so maybe they're shadow banning it, but I don't see them blocking this now. That doesn't mean they didn't. They may have changed. This is often the case, as with, like, Mark Zuckerberg, where you do stuff and they say, oh, never mind, that was my mistake. Okay, so it could already be gone. Yeah, anyway, I was able to post this without being... and do we know if?

45:17 - Steve Gibson (Host)
anybody has been able to click it? At least one person has messaged me on Signal. Yes, saying welcome, so maybe, yeah.

45:46
Okay. The messages shown when a signal.me domain was encountered were never clear. You might see "Sending direct message failed" without further explanation. Attempting to post publicly may result in "We can't complete this request because this link has been identified by X or our partners as being potentially harmful." Or you might see "This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later." So, you know. Oh, and at the time of this being reported, which was late last week, an attempt to add a signal.me link to a profile bio resulted in an error message saying "Account update failed: Description is considered malware." So, okay, anyway, maybe that's already gone.

46:45
Maybe that was, you know, as you said, it was like, oh sorry, we didn't really mean to do that, because of backlash that was created. You never know. You don't know. X is another, I think, interesting object lesson, you know, in the inertia we often observe throughout the tech sector and elsewhere. As we know, today there's been an explosion of alternate messaging platforms, you know, like Signal in the case of signal.me, but there's Mastodon, Bluesky, Discord, Meta's Threads, WhatsApp, Instagram, Signal, Telegram and more.

47:30
Unfortunately, what this has created is a dispersion from what was a valuable single-platform concentration which Twitter originally provided. Like, if you know, having everyone on different platforms is far less useful, obviously, for contacting everyone than having everyone in the same place, but that's the way things have evolved. Then, it was probably inevitable, right, that there would be alternatives and people would migrate off into their own areas. But for what it's worth, it's why I returned to email for my own purposes. As I mentioned at the top of the show, we have 16,326 subscribers at this point. I think now I actually got a few during the mailing. Some additional people signed up yesterday.

48:20 - Leo Laporte (Host)
Bravo, good for you, so anyway.

48:23 - Steve Gibson (Host)
I'm not surprised. It's gone, and we've seen Twitter flailing back and forth. It's not the first time that, I'm still calling them Twitter, you know, X has blocked something and then backed off of their blocking. Gosh.

48:36 - Leo Laporte (Host)
For a long time they blocked Mastodon links, you know. Right, so, right. It could easily be that they saw Signal as a competitor, as X gets into more and more things and becomes the everything app.

48:47 - Steve Gibson (Host)
That might also be, but yeah, and you know, we know Elon. He's prone to doing things and then, you know, changing his mind. So whatever. By the way, I have.

48:57 - Leo Laporte (Host)
I don't post on X, and I only did this for you, but I figured posting my Signal address, uh, is probably a good thing to do.

49:06 - Steve Gibson (Host)
Well, and actually, when I went to X, I'm signed out of it on my browser on my other desktop, and I tried on Sunday to log in. I logged in with my username and password. It prompted me for my six-digit one-time password. I put it in, and it said invalid. Oh, and so I'm unable to log in there. So yesterday...

49:33 - Leo Laporte (Host)
A lot of people have reported that. By the way, don't let your X account log itself out, because it's hard to get back in. Really? Yeah, that's nuts. Well, anyway, so I'm still logged in. I don't think it's intentional. I think it's broken.

49:45 - Steve Gibson (Host)
Okay, good, because I'm still logged in in my desktop, and when I came here yesterday morning after the weekend, I went to X to see whether I was going to be able to get back in, and I did discover that the previous two weeks I had forgotten to post my weekly show notes summary.

50:04 - Leo Laporte (Host)
It used to be only to X. Where I was, that's where I would get it. Yeah, so I apologize to everybody.

50:10 - Steve Gibson (Host)
I said I'm sorry, my bad. I will, and I'm posted there now for today's podcast already. So that was an account, a device that you hadn't been logged out of yet? Yeah, I never logged out of X on that other machine.

50:24 - Leo Laporte (Host)
I would not have done that deliberately. Well, it could have timed out, maybe I don't know.

50:29 - Steve Gibson (Host)
Yeah, that's a very good point, because I'm in it, on this workstation, more often than.

50:35
I am over there, so it could have been just so many months that I didn't go there that the cookie expired. Yeah, which... I would like to be able to log in there, so hopefully. I think if you keep trying, you'll get in eventually. Yeah. I first encountered a short, worrisome blurb which read Cloudflare blocked in Spain on the weekends, and it read: Spanish internet service providers have started blocking access to some Cloudflare IP addresses on the weekends. The blocks were put in place this month after Spain's soccer league won a lawsuit against Cloudflare for hosting pirate streaming sites. According to reports in local media, the blocks are indirectly blocking access to many legitimate websites, including GitHub, Reddit and many private Spanish businesses. So this news was accompanied by a tweet.

51:46
Some guy on Twitter, @Xc3ll, tweeted: If you are an APT using Cloudflare as CDN and you see your beacons disappearing weekend in Spain, it's because football. Period. ISPs are blocking Cloudflare during weekend to avoid ppl, you know, people, watching football from pirate streamings. As a side effect, you cannot use GitHub on weekend.

52:26 - Leo Laporte (Host)
Oh my God, so do you blame the?

52:34 - Steve Gibson (Host)
pirates, or do you maybe blame the Spanish authorities?

52:35 - Leo Laporte (Host)
Or ISPs? Before I go any further.

52:36 - Steve Gibson (Host)
Let me remind everyone that the reason using a crude packet-level firewall to perform IP-based blocking no longer works is SNI, Server Name Indication. What SNI enables in practice is IP sharing at scale. So, for example, GRC, my little company, has a handful of IPv4 IPs which I treasure, but I now have many more websites and services than I have IPs. I'm being saved by SNI, Server Name Indication, which allows the incoming connecting client, as part of its TLS negotiation, to specify which remote server the client intends to access at that IP. Is that like port forwarding, or...

53:35
It's just, you could think of it as multi-domain hosting at a single IP. So there might be hundreds or thousands of domain names whose DNS all resolves to that same single IP. So that means that access to hundreds or thousands of individual websites and services would be erroneously blocked if some court were to order the blocking of an IP that some copyright infringers share with all the other legitimate sites. So this is a mess. Cloudflare's own headline read: La Liga understood dangers, went ahead anyway. Oh boy. And Cloudflare wrote: Cloudflare provides security and reliability services to millions of websites, helping to prevent cyber attacks and make the internet safer. Like virtually all major cloud service providers, Cloudflare uses shared IP addresses to manage its network, meaning that thousands of domains can be accessed with a single IP address. You know, of course, this is how we've solved the IPv4 depletion problem too, right? It's like we could have lots of domains all sharing a single IPv4 address.

55:16 - Leo Laporte (Host)
I get the difference. It's like port forwarding, except you don't, since all websites use the same port. You can't just do port forwarding, so you have to forward by name.

55:26 - Steve Gibson (Host)
Exactly, yeah, exactly, and that's what's exchanged during the TLS handshake. During the TLS handshake, the browser says I'm hoping to hook up to, to connect to this website at this IP, and so then the proper server responds with a certificate for that domain. Cloudflare has repeatedly warned about the consequences of IP blocking that fundamentally ignore the way the internet works. Indeed, other governments in Europe have acknowledged these concerns and concluded that IP blocking violates net neutrality. Although La Liga clearly understood that blocking shared IP addresses would affect the rights of millions of consumers to access hundreds of thousands of websites that do not break the law, La Liga went ahead with the blocking. This appears to reflect a mistaken belief that its commercial interests should take precedence over the rights of millions of consumers to access the open Internet. At the same time, Cloudflare regularly speaks with rights holders and policymakers about better ways to combat illegal piracy and online abuse. While Cloudflare cannot remove content from the Internet that it does not host, we have well-developed abuse processes in place to help by connecting rights holders with service providers who can take effective action. We will continue to push for rational solutions to combat illegal piracy that do not impact the rights of millions of Europeans to browse the Internet. In other words, they're saying we're not hosting this content, we're just part of the Internet's infrastructure, so don't blame us. We're not the problem. We're offering a solution. So some reporting on this explained.

57:42
Cloudflare's statement needs no explanation, but two issues deserve highlighting. According to La Liga's statement, its target behind Cloudflare was a web page with instructions, get this, Leo, on how to download an Android app. Not even the content, not even pirated content: instructions on how to download an app, if that app was the means of accessing the content. That raises an important question. When Cloudflare's IP address was blocked, did that deactivate both the app and the pirated content available through it? If not, blocking many innocent websites appears to have been weighted against the benefit of blocking an instructional webpage. They also wrote: Cloudflare's suggestion that this was done deliberately could make this a matter for the European Commission at minimum.

58:43
Perhaps even more remarkable was the unwillingness of the ISPs to do anything, despite having the power to do so. The complication, of course, is that Telefonica and Movistar have licenses to distribute La Liga content and very little incentive to step in. Ultimately, customers of Movistar have suffered the most as individuals. This means that a decision was made to block Cloudflare in the knowledge that Movistar subscribers would face the most disruption, and that Movistar was instructed to carry out the blocking against its own customers, as the court envisioned, apparently. Okay. So again, just to be clear, it's the customers of the Spanish ISPs that have taken to blocking websites by IP address that are being impacted, because these customers are behind their ISPs' IP-based firewalls.

59:49
After all of this, Spain's La Liga soccer league replied. They wrote: Over the last few days, multiple websites across Spain have experienced disruptions, an issue linked to the blocking of a few IP addresses by Internet service providers. Now, just to note, under the court order that La Liga got from some judge somewhere... combat illegal access to its content, which Cloudflare has facilitated by knowingly protecting criminal organizations for profit. Through this conduct, Cloudflare is actively enabling illegal activities such as human trafficking, prostitution, pornography, counterfeiting, fraud and scams, among other things. In fact, La Liga identified two IP addresses covered by Cloudflare which provided access to child pornography. This evidence has been fully documented and submitted as part of a formal police report. Okay, now remember, what La Liga is objecting to is a webpage that provides instructions for downloading an Android app which, in turn, allows streaming of live soccer matches, and Cloudflare made clear that it has mechanisms in place for dealing with illegal content.

01:01:24
La Liga's statement says Cloudflare is actively enabling illegal activities such as human trafficking, prostitution, pornography, counterfeiting, blah, blah, blah. But it would be more accurate to say the internet is actively enabling illegal activities such as human trafficking, prostitution, pornography, counterfeiting, fraud and scams, among other things. Because, yes, the internet as a whole does passively enable these things, right alongside all the positive things it also enables. The internet also enables... and this is, of course, the net neutrality issue at the heart of Cloudflare's argument: they're functioning as part of the Internet's content conduit, and they are determined to remain as neutral as possible.

01:02:31
This action specifically targets IP addresses used to illegally access La Liga content, which were shielded by Cloudflare. Just like other major US tech corporations, so now they've broadened this, right, other major US tech corporations, Cloudflare enables criminal organizations to digitally launder stolen illegal content, making them a complicit party in intellectual property crimes, as defined in Article 270.2 of the Spanish penal code. Wow. Okay, now, you know, there's really a simple solution to this.

01:03:12
La Liga could simply decide not to stream their soccer matches to the internet at all, just like in the old days. Have fans attend their games. Then there's no problem. But no, they of course want all the benefits of this magical technology without any of the technologically enabled downside. They continue. It's important, they wrote, to emphasize that this is not a broad or indiscriminate block. Right. All evidence to the contrary. You can't get to GitHub on the weekends, and, despite the need to issue this explanation in the first place, they said La Liga is absolutely certain and has proof that these IPs are being used to distribute illegal content alongside legitimate material. So they know they're also blocking legitimate content. They said legal businesses affected by these blocks are those that Cloudflare has deliberately used as a digital shield.

01:04:20 - Leo Laporte (Host)
Oh, please.

01:04:23 - Steve Gibson (Host)
to obscure illegal activity without their knowledge and while profiting from it. Wow. They said more than 50% of pirate IPs illegally distributing La Liga content are protected by Cloudflare. Despite multiple formal requests from La Liga for Cloudflare to cease its collaboration with pirate sites, the company has refused to cooperate, instead continuing to profit from the criminal activity it helps to conceal. La Liga has repeatedly reached out to Cloudflare, requesting voluntary cooperation. However, on Friday, February 7th, the US tech company responded in a surprising manner, defending its actions as implausible and incoherent technical excuses. Oh, I'm sorry: defending its actions with implausible and incoherent technical excuses. This is probably just the fact that it's doing IP sharing. Yes, exactly. This left La Liga with no other option but to take direct action. This issue is not unique to Spain. Similar measures have been taken in other countries to combat piracy of sports content. La Liga fulfilled its due diligence obligations before resorting to this step. And then they said Google, Cloudflare, VPN providers and other entities facilitating piracy are responsible for the illegal activities they enable and profit from. La Liga, backed by the justice system, will not relent in its efforts to protect football and the interests of its clubs against criminal action related to audiovisual fraud and digital laundering. Unquote. So, you know, don't shoot the messenger is a long-understood principle.

01:06:30
To call out Google, Cloudflare, VPN providers and other entities is to say the internet. La Liga wants to have all the benefits that derive from having the internet, which they did not create, carrying their content for effectively no cost, while also wishing to somehow prevent that no-cost carriage from being used in ways they disapprove of. It's understandable that, when served with an IP blocking court order, those ISPs within the court's reach had no choice other than to block access to that IP for all of their customers, and, given La Liga's feelings, it's also understandable that they would have made such an appeal to the court. What's missing from the equation is the legal precedent that would prevent the court from producing the ruling that they did. As Cloudflare said in their statement,

01:07:29
Cloudflare has repeatedly warned about the consequences of IP blocking that fundamentally ignore the way the internet works. Indeed, other governments in Europe have acknowledged these concerns and concluded that IP blocking violates net neutrality. So hopefully this issue will escalate and have this lower court ruling overturned by a higher Spanish court, so the precedent will be created in Spain. La Liga's and all others' current and future appeals will then be thwarted, and the principles of net neutrality, which is clearly the only way a sane internet can function and thrive, will prevail in the end. So I guess we chalk this up to growing pains, another one of these problems which technology has created and hasn't yet... the legal system hasn't yet decided how it's going to completely settle on this. We just need more... we need more legal precedent and a better understanding about how technology works.

01:08:35
Yes, exactly. Clearly we need another, uh, break. You want some help here?

01:08:42 - Leo Laporte (Host)
You want a little help from me? I need some coffee. I'm glad to offer it. Our show today brought to you by, I love this sponsor, US Cloud. I was a little confused when they came on board, so we talked to them. I called them. I said, tell me more about your business. They said, US Cloud, we are, what do you think their business would be? The number one Microsoft Unified Support replacement. I said, oh, okay, that's pretty cool. Now, that was months ago, because we've been talking about them for some time ever since. In fact, they are the global leader in third-party Microsoft support for enterprises. As I get to know their business better, I understand why they support 50 of the Fortune 500 companies.

01:09:26
The three big reasons, in my opinion, that people like US Cloud and prefer it. For one thing, you could save your business 30 to 50% switching to US Cloud over Microsoft's Unified and Premier support. Let me say that again: 30 to 50% less than Microsoft Unified and Premier Support. But less wouldn't be any good if it weren't better. It is. It's faster: twice as fast average time to resolution versus Microsoft. So half as much, twice as fast, okay. And they're there to save you money in ways Microsoft probably never will. For instance, US Cloud is excited to tell you about a new offering. This is, I think, something Microsoft's probably not going to offer: Azure cost optimization. So, you know, I mean, if you think about it, Azure, it's incredibly useful, right? But what happens is, you know, there's a little Azure sprawl, a little creep going on. If you don't evaluate your Azure usage pretty regularly, you might find you're spending more than you need to. Now, from Microsoft's point of view, that's a good thing. Maybe not so much from your point of view. Well, good news, saving on Azure is easier than you think, thanks to US Cloud.

01:10:41
They offer an eight-week Azure engagement. It's powered by VBox that identifies key opportunities to reduce costs across your entire Azure environment. You're not on this trip alone. You're going to get expert guidance. Oh, by the way, this is the third reason people love US Cloud. US Cloud's senior engineers have an average of over 16 years with Microsoft products. They know their stuff. They'll be there to work you through this, and at the end of the eight weeks, your interactive dashboard will identify rebuild and downscale opportunities and unused resources. Now, these are just recommendations. You don't have to do any of them, but if you see some savings there, you can implement them and then reallocate those precious IT dollars towards things you might need. May I suggest perhaps investing your Azure savings in US Cloud's Microsoft support and save even more, right? That's what a few US Cloud customers have done with this Azure engagement. They've completely eliminated their Unified spend, saved money on Azure and Unified.

01:11:47
Sam, the technical operations manager at Bede Gaming, B-E-D-E, says, and this is his review, we got this right off the site. He gave US Cloud five stars. Sam said, quote, we found some things, and you might be in this situation, see if this rings a bell. We found some things that had been running for three years which no one was checking. These VMs were, I don't know, 10 grand a month, he said, but not a massive chunk in the grand scheme of how much we spend on Azure. But once you get to $40,000 or $50,000 a month, it really starts to add up. When's the last time you looked at your Azure spend, right? So it's simple. You can stop overpaying for Azure. You can identify and eliminate Azure creep and boost your performance, and you can do it all in eight weeks with US Cloud. Just one of many reasons people love US Cloud.

01:12:44
Book a call today with US Cloud and find out how much your team can save. uscloud.com: faster, better, less expensive support than Microsoft. uscloud.com. Call to book a call today. Get faster Microsoft support for less. They're really an impressive bunch. I had a great time talking to them. You will too. uscloud.com. Steve is now fully caffeinated, hydrated and ready to continue the program.

01:13:18 - Steve Gibson (Host)
So indeed, through the years, we've noted that vulnerabilities discovered in OpenSSH are vanishingly rare, and this project as a whole is widely regarded as one of the most secure of any open source project. And this is, of course, a good thing, and it's crucial, since OpenSSH's role is to be positioned on the front line, exposing itself to the internet while warding off all attackers. So when Qualys announces the discovery of two new and potentially weaponizable vulnerabilities in this crucially important remote access technology, it gets everybody's attention. Last Wednesday, Qualys disclosed, they said, the Qualys Threat Research Unit, TRU, has identified two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465, allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, affects both the OpenSSH client and server, enabling a pre-authentication... well, okay, it's a denial-of-service attack, so it's not access. The first attack, the 26465, succeeds regardless of whether the VerifyHostKeyDNS option is set to yes or ask. Its default is no. This attack requires no user interaction and does not depend on the existence of an SSHFP resource record. That option lets an SSH client, you know, the one connecting to an SSH server, look up and verify a server's host key using DNS records, which, that's very cool, another example of DNS being so useful, just as an internet-addressable database. So here you can ask for a given domain's SSH host fingerprint.

01:15:53
The vulnerability was introduced, they know exactly when this happened, in December of 2014, so 10 years ago, just before the release of OpenSSH 6.8p1. Although VerifyHostKeyDNS is disabled by default, that is normally set to no, so it's not a problem. It's only a problem if it's set to yes or ask. It was enabled by default in FreeBSD from September 2013 until March of 2023. Now, although I don't use the OpenSSH client on my own FreeBSD instances, when I saw that the date range included my most recent installation of FreeBSD, I checked and, sure enough, FreeBSD's default in a config file for the client is indeed set to yes. So for what it's worth, you know, it is the case that you want to make sure VerifyHostKeyDNS is, I mean, especially when you're not using DNS host key lookup, set to no. But okay, it's not a huge problem if it is. We'll get there in a second.

01:17:11
And the second vulnerability: both the OpenSSH client and server are vulnerable to this CVE-2025-26466. It's a pre-authentication denial-of-service attack. It is an asymmetric resource consumption of both memory and CPU, so it can be used to bring down the system that the OpenSSH server is sitting on, and that's not good. That was introduced in August of '23, so not that far back, shortly before the release of OpenSSH 9.5p1. On the server side, this attack can be mitigated by leveraging other existing mechanisms that OpenSSH provides, such as the LoginGraceTime, MaxStartups and the more recent PerSourcePenalties options. The recommended action for this is just to upgrade. OpenSSH 9.9p2 addresses all these vulnerabilities, and that's what everybody should do.

01:18:21
Qualys underscored OpenSSH's terrific security record. They wrote: despite these two vulnerabilities, which again, they're not the end of the world, but it'd be good to update, OpenSSH's overall track record in maintaining confidentiality and integrity has made it a benchmark in software security, ensuring secure communications for organizations worldwide. Okay, so what do these two things mean? Qualys writes: in the first instance, if an attacker can perform a man-in-the-middle attack via 26465, the client may accept the attacker's key instead of the legitimate server's key. This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it. SSH sessions, they wrote, can be a prime target for attackers aiming to intercept credentials or hijack sessions. If compromised, hackers could view or manipulate sensitive data, move laterally across multiple critical servers and exfiltrate valuable information such as database credentials and so on. Such breaches can lead to reputational damage, violate compliance mandates such as GDPR, HIPAA, PCI DSS, and potentially disrupt critical operations by forcing system downtime to contain the threat. In the second case, SSH is a critical service for remote system admin. If attackers can repeatedly exploit that second flaw, 26466, being a denial of service, they may cause prolonged outages or prevent administrators from managing servers effectively, locking legitimate users out. An enterprise facing this vulnerability could see critical servers become unreachable, interrupting routine operations and stalling essential maintenance tasks.

01:20:25
They said when the Qualys research team confirmed the vulnerability, qualys initiated a responsible disclosure process and worked with OpenSSH to coordinate its announcement and, of course, its remediation.

01:20:37
So bottom line is, anyone who's worried about this and who uses the OpenSSH client may wish to make sure that their client's config file has that VerifyHostKeyDNS set to no, and anyone who relies on OpenSSH should look for and install updates, which are now available. And I just need to mention that Qualys provided a truly beautiful write-up of the details of this bug. If this were a podcast that looked at the details of software vulnerabilities, then this would be the topic of the week. They show some small snippets of OpenSSH code directly from the source and carefully describe how they went about discovering the problem, which became a vulnerability after they were able to engineer its exploitation. So the reason I bring this up is, anyone who considers themselves to be a bit of a codesmith, I think, would be well served looking at that excellent page. I've got the link to it at the bottom of page 10 of the show notes, so I recommend it highly.

01:22:00
Okay, so some sobering news was made during last week's Munich Security Conference. As reported by Politico, who wrote: the state of Virginia's Senator Mark Warner is working to build support on the Hill, meaning, you know, in Congress, for major changes to America's offensive cyber policy, amid the government's continuing failure to fully evict China's Salt Typhoon hackers from US phone networks.

01:22:40
It's like, what? Like we know they're in there and this is like, this is a problem, somehow, what? Speaking to reporters on the sidelines of the Munich Security Conference last week, Warner said he now does not believe the US can fully oust the elite Beijing-backed hacking group Salt Typhoon from its telecommunications backbone, meaning the US's telecommunications backbone, like what, without unleashing US hackers inside China, or at least credibly threatening to.

01:23:27
In other words, our technology is so weak that we give up, and so we're simply going to threaten China to get out, or else scare them out.

01:23:39
You need a rat catcher. Wow, holy cow. Mark Warner, quote: your diplomatic pushback on the Chinese would be a hell of a lot stronger if the US could tell China, we're going to go into your networks the exact same way you go into ours. Unquote. The first Democrat, Politico wrote, to come out so clearly in support of punching back harder in cyberspace against China in the aftermath of the Salt Typhoon breaches, with congressional Republicans and members of Trump's new administration having already signaled their support for that shift. Warner said that replacing aging and vulnerable networking equipment could cost the telecom companies tens of billions. Just wait till you hear what the vulnerability is. Well, tens of billions. While evicting the Chinese from every nook and cranny inside the nation's sprawling phone system could take, quote, 50,000 people. Wait, don't we have a whole bunch of people out of work now, Leo? We could put, we could, maybe we could use them. 50,000 people and a complete shutdown of the network for 12 hours, because no phones at all. We're just that lame that we, we, we're just...

01:25:09
We give up, China, just, you know. Warner said that he has been in talks with the heads of the congressional intelligence committees and that, quote, consensus was already there, unquote, for a new, more hawkish hacking strategy. The next step, he said, was, quote, putting meat on the bones of that idea, something that might require the formation of a bipartisan expert commission, he said. He also emphasized that he believed working through the Hill and building support among Democrats was critical to a more robust cyber deterrence strategy. Warner argued that, quote, if it comes from Trump, you know, any Democrats will just say he's just going over the top. Unquote. Warner did say he felt part of the long-term solution was the promulgation of new cybersecurity regulations for the telecom sector. Yeah, that'd be good. That's something the Biden administration and several congressional Democrats have supported, but the Trump administration has, at least for now, pooh-poohed. Overall,

01:26:17
Warner said that he was apoplectic that so few people seem to be paying attention to Salt Typhoon. He said, quote, the fact that people's heads are not exploding still makes me crazy. Unquote. Wow, okay. Now, as we've often noted, we must assume that the, you know, NSA has just as much penetration into Chinese networks as they have into American networks. I just, you know, we're not going to hear that news, right, but you have to assume that. It strikes me as a sad state of affairs that our political leaders are now suggesting that we're incapable of securing our own networks and that the only way to get them out of ours is to credibly threaten to do more damage to them through theirs. Okay, so, speaking of Salt Typhoon, we've not gone in and dug any sort of a deep dig, so I decided to figure out, like, what the heck. Salt Typhoon has been on the radar of several cybersecurity threat tracking groups for some time.

01:27:47
The commonly known Salt Typhoon name is the one it received from Microsoft's threat intelligence group, but the same group, Salt Typhoon, is also known as RedMike by the Insikt Group, which is the Recorded Future Network Intelligence Group's name. Meanwhile, Kaspersky calls them GhostEmperor and ESET tracks them and their activities as FamousSparrow. Now, although Microsoft has not chosen to share their findings within the broader security community, others have. The news from Recorded Future's Network Intelligence Group is somewhat dispiriting, because it turns out that RedMike, as these guys call it, is exploiting, get this, Leo, two very well-known, long-since-patched, two-year-old vulnerabilities in Cisco's IOS XE web UI. Yes.

01:28:58
You heard that right. The infamous Salt Typhoon has been gaining entry into the world's telecom carriers using an exposed web management user interface. And not only that, they are a pair of privilege escalation vulnerabilities, CVE-2023-20198 and CVE-2023-20273. And yes, both dating back to 2023. The 20198 privilege escalation vulnerability was found in version 16 and earlier of Cisco's IOS XE web UI, and the patch for it was published by Cisco in October of 2023.

01:29:56
Attackers exploit this vulnerability to gain initial access to the device and issue a Cisco IOS privilege 15 command to enable them to then create a local user and password on the device.

01:30:15
Following this, the attacker uses the new local account on the device to access it. They then exploit the associated 20273 privilege escalation vulnerability to gain root user privileges, and once that's done, the group uses this new privileged user account to change the device's configuration and add a GRE tunnel, which is similar to an encrypted VPN link, which then gives them persistent access and data exfiltration. To update their Cisco IOS firmware to close, to fix this 18-month-old vulnerability, both of which were fixed in October of 2023, not to mention leaving a web management UI exposed to the internet. And that's the underlying cause of all of this mess: non-updated Cisco IOS gear for 18 months and an exposed web management user interface that allows the bad guys, these Chinese hackers, to get in, set up a persistent tunnel back out to them, and then they have unrestricted access to the network of the telecom provider. If we simply, I don't know how it takes 50,000 people to update the firmware on some Cisco devices that are still being supported, because this is only a year and a half ago.

01:32:05 - Leo Laporte (Host)
Government. It's mind-boggling. Government. Let's aim Elon at that.

01:32:10 - Steve Gibson (Host)
Elon, here. I mean, he would understand all of that. Elon, go fix this.

01:32:15 - Leo Laporte (Host)
Update the firmware on the Cisco routers. Just make it so. Yeah, you know, take all those DOGE kids and send them out updating firmware. I can get behind that. That's not a bad idea.

01:32:28 - Steve Gibson (Host)
Okay, now, Leo, for a while, I'm sure we were all somewhat intrigued by the news of this or that, never heard of them before, cryptocurrency exchange being hacked and losing millions of dollars worth of, never heard of it before, cryptocurrency or contracts or, I don't know, monkey icons or whatever.

01:32:57
But, as also eventually happened with the constant torrent of ransomware attacks, over time they turned out to just be so much background noise, you know, and for the sake of our own sanity we stopped talking about every one of these because it was just constant.

01:33:16 - Leo Laporte (Host)
Yeah, but this one's different.

01:33:17 - Steve Gibson (Host)
But this one is... Holy cow. Not this time, folks. The second largest major cryptocurrency exchange was, as they say, taken to the cleaners by a group of quite determined North Korean hackers to the tune of, is everybody sitting down? Grip your steering wheel firmly if you're listening to this during your morning commute. $1.5 billion worth of completely liquid Ethereum tokens. $1.5 billion. Wow. This makes it the largest crypto heist ever in history, probably the largest heist in history.

01:34:16 - Leo Laporte (Host)
Right, it is. How are you going to steal $1.5 billion from a, you know, armored car?

01:34:23 - Steve Gibson (Host)
I mean, yes, it is the largest heist of any time in the history of the world, and it's nearly two and a half times larger than their previous record, which was the theft of $625 million from the Ronin Network back in April of 2022. So I have a link in the show notes. You know, with decimal, ETH are being transferred. That transfer was fraudulent. Ethereum peaked at around $4,000 each in early December of last year and is currently trading around $2,800 US, which, if you multiply 2,800 by 401,346, you get around $1.5 billion of liquidity. The second largest group, which is BitPay, lost. Okay, so the hack took place just last Friday, February 21st, and, in addition to being the single largest crypto heist ever, it's also considered to be one of the most complex crypto heists ever. You know, parenthetically, kudos to Bybit, because we wouldn't know all these details if they hadn't been very transparent.

01:36:04
Yes, they were, and they have not been sunk. They said, we've got the liquidity to cover this. You know, this does not put us out of business, but they're not happy about it. But yes, they were very upfront. So not only the biggest but the most complex crypto heist. The blockchain analytics firm Arkham Intelligence, and, or firms, Arkham Intelligence and also the intelligence firm Elliptic, have independently claimed that they were able to track the hack to the Lazarus Group, which is a well-known North Korean advanced persistent group, an APT group. What we know is that Lazarus first infiltrated Bybit's network some time ago. They then quietly studied the company's internal procedures, identified and then infected with malware all of the multiple employees who are now required to mutually sign off on any major movement of the company's funds. This multi-sign-off requirement is obviously designed to solve the problem of any single employee being hacked or phished or scammed or whatever, but that didn't thwart the attack. This time, the hackers specifically targeted the process of replenishing the company's active wallets, known as hot wallets, where the company's daily operational funds are stored. When hot wallets run dry or low, crypto exchanges will move funds from their reserves, from the so-called cold wallets, to make sure there's enough liquidity to cover users' withdrawals and token inter-exchanges. The same goes for when hot wallets hold too much money. In those instances, crypto exchanges will move funds back to the offline cold reserves to safeguard those reserves from malicious actors and exploits and limit possible losses. So you know, that all makes sense, and actually that's what saved these guys, right, because they've got something like 10 billion in total reserve. Only one and a half, only, I'm saying.
But still not all of it, because they did have a bunch in cold storage and the bad guys didn't get that, but they did capture one massive transfer of 1.2 billion. Bybit's

01:38:50
CEO Ben Zhou says that when his staff wanted to replenish the hot wallets with new funds on Friday, the hackers altered the user interface of the crypto wallet software the company was using to move their funds. The modification appeared on the systems of every one of the multiple engineers who needed to simultaneously sign off in what is known as a multi-sig transaction. A tweet describing what happened reads, I have a tweet in the show notes from some random person who said, the attacker somehow, and then we've got four points: first, identified every multi-sig signer; second, infected each signer's device with malware; third, made the UI show a different transaction than what was actually being signed; fourth, got all signers to approve without suspicion. And then he finished saying, cold wallet security just got redefined.

01:40:06
Now, not surprisingly, Bybit's loss of that one and a half billion dollars in Ethereum tokens did not go unnoticed. And since this makes many investors nervous about other potential weaknesses in and about Bybit's security, the company did say that news of the hack had led to a surge in withdrawal requests. CEO Zhou wrote that the company had received more than 350,000 requests from customers to withdraw their funds and that this surge of departing money could lead to delays in processing. In response, Bybit set up a bounty for the recovery of the stolen funds. Get this: offering to pay anyone who is able to recover the funds 10% of anything they're able to recover. I'll take it, uh-huh. This has, in turn, set off the biggest bounty hunt on the internet, with the winners being eligible to earn up to a whopping $150 million. Right, 10% of one and a half billion.

01:41:25
At the same time, not surprisingly, the perpetrators, who were naturally standing by and ready to deal with this massive windfall, quickly began laundering their funds in the hopes of hiding their tracks and diffusing the proceeds of their theft among the world's cryptocurrency exchanges. They're moving quickly because if they leave the funds in their normal wallets, they risk having them hacked back by multiple parties, including law enforcement, bounty hunters and other threat actors. Another tweet observed, and this was from VXDB, who tweeted: Lazarus has started laundering the 1.4 billion stolen ETH. And they said, Exchcx, a no-KYC exchange, has recorded an abnormal spike in ETH volume, 20K ETH in the past 24 hours versus its usual 800 ETH. Their Bitcoin reserves are also empty, but their ETH reserves have increased by 900%. To tuck it away in random corners of the internet, so that it's not all in one place and hopefully can't easily be tracked and recovered. And we know, since blockchain activity can be monitored and tracked, we now have a bit of a shell game underway.

01:43:14
So what's our takeaway from this? If we're wise, every event teaches a lesson that prevents its recurrence, and hopefully others are also able to learn and gain from seeing what has befallen others and take away the same lessons without needing to first fall off the same cliff. In this case, I think the lesson here is that the systems which manage these massive cryptocurrency reserves need to be far more isolated from everyday systems than they currently are. In other words, they need to be fully air-gapped, with nothing less being sufficient. These are lessons that the professional intelligence community and those practicing the highest security in the world learned decades ago, and nothing we've done since, with our computer and networking technology, has served to make air-gapping any less necessary. We could easily argue that, in fact, the reverse is true, and that air-gapping systems that absolutely and positively must never be compromised has grown more necessary today than ever before.

01:44:33
I would bet that Bybit has just learned the same painful lesson. They obviously felt that requiring a multi-person, multi-keyed funds transfer authorization process would be sufficient. It's certainly better than requiring just one person. They just learned a one and a half billion dollar lesson, though, that it wasn't enough. That's amazing. Wow, wow. Okay, we're going to talk about some sadness about us falling behind in cyberspace after another word from a sponsor, Leo. Very good.

01:45:14 - Leo Laporte (Host)
Thank you, Steve. Our show for this portion of Security Now brought to you by longtime sponsor, guys I really appreciate, Thinkst Canary. The guys and gals at Thinkst Canary have a lot of experience as pen testers. They've been teaching governments and businesses how to break into computers for more than a decade, and it was after that experience they came up with these incredible Thinkst Canaries.

01:45:41
These are honeypots. They are attractive to the bad guys. They will let you know the minute the bad guys just touch them, just tap on them a little bit, they can be easily deployed. That's the biggest thing, right? We know honeypots work, but normally they're technically a challenge.

01:46:02
You don't want to put something on your network that can make your network more vulnerable. These don't. These guys really know what they're doing. You want to put something on your network that looks so valuable a hacker cannot resist it, and that's what these Thinkst Canaries are. They can represent anything. They can look like a Windows server, a Linux server. You could be a Christmas tree of services, all the lights turned on, or just a few select services turned on. They can be SCADA devices. They can be NASs. That's what mine is, it's a Synology NAS. They can be, well, I mean, just the sky's the limit. An SSH server, an IIS server. They also could create all the, each of these things can create lure files, little individual files that look like Excel spreadsheets or Word documents or PDFs or whatever you want, and you can give them provocative names, like, I know, employee information.xls, that sort of thing.

01:46:56
The minute somebody gets into your network and tries to log into the Thinkst Canary or access those lure files or brute force that fake internal SSH server, you're going to get an alert immediately telling you you have a problem. No false alerts, just the alerts that matter. And, by the way, they'll alert you however you want. I mean text message, of course, beeper, email, API, they've got a very nice API, webhooks, Slack, I mean really any, syslog, of course. So if you've got a Thinkst Canary and you get an alert, you know we've got to do something about this. I've only gotten one alert once, and it was indeed a device in our offices that was probing every single other device in the office. We tracked it down quite quickly and got rid of it thanks to the Thinkst Canary.

01:47:48
So how does this work? You choose a profile for your Thinkst Canary. It's so easy that you could change it every day if you want. It's so much fun to play with it. And, by the way, the impersonation is excellent. They have the right MAC address. They have the login screen. For my Synology NAS, it's a DSM 7 login screen. It's indistinguishable from the real thing. That's the point. Hackers aren't dumb, but they're going to be fooled by this. Once you choose a profile for your Thinkst Canary and then you register it with the hosted console, they'll do the monitoring, the notifications, again, any way you want it. Then you just sit back till you need it to wake up. Attackers who've breached your network or malicious insiders, basically any adversary who's in your network, will make themselves known just by accessing the Thinkst Canary, trying to log in. You actually get valuable information. When you see the email and login they use, for instance, you know a little bit more about what they know.

01:48:49
How much does all this cost? It's really affordable. It depends on, of course, how many Thinkst Canaries you need. A big operation, a casino back end, might have hundreds. A bank might have hundreds. A small business like ours? A handful. Let's say you need five Thinkst Canaries. Well, go to canary.tools. For $7,500 a year, that's all, you get five Thinkst Canaries. You get your own hosted console.

01:49:14
All the upgrades and the support and the maintenance are built in, and if you use the code TWIT in the How'd you Hear About Us box, you're going to get 10% off for life. If you want to try before you buy, that's fine. They have a two-month money-back guarantee for a full refund 60 days to try it. Don't return it, though, because you don't hear anything, because that's good news, and if you want, you can stage an attack and see what you get back. It's actually. These are amazing.

01:49:42
Two months money back guarantee should reassure you, but I have to tell you, during the, I think it's eight years now that we've partnered with Thinkst Canary, they tell me their refund guarantee has not once, never, been claimed. When people install Thinkst Canaries, they not only are grateful, they're relieved. They go, I don't know how we did without it. Thank goodness we've got it now. Visit canary.tools/twit. Make sure you use that address so they know you saw it on Security Now. Enter the code TWIT in the "how did you hear about us" box and you'll get that 10% off. canary.tools/twit. We thank you.

01:50:20 - Steve Gibson (Host)
Thanks, Canary, and now back to Steve-arino. Okay, so we have North Korean-backed hackers stealing around one and a half billion dollars of cryptocurrency. By the way, that's not the first.

01:50:35 - Leo Laporte (Host)
They've stolen many billions of dollars over the years. That's how they get hard cash. Yeah, it is.

01:50:42 - Steve Gibson (Host)
Unfortunately, it's a profit center for North Korean hackers. They're good at it. Speaking at the, well, the, I was gonna say that the former head of the NSA, who's also the ex-Cyber Command head, said in a wide-ranging speech and subsequent interview just this past Saturday, three days ago, that the US is falling behind its enemies in cyberspace. Wonderful. Speaking at the DistrictCon cybersecurity conference in Washington, DC, retired General Paul Nakasone said that, quote, our adversaries are continuing to be able to broaden the spectrum of what they're able to do to us, unquote. And he said that the United States is, quote, falling increasingly behind its adversaries in cyberspace. Unfortunately, he would be in the position to know, having led the NSA and then been in charge of Cyber Command. So you know, that's the guy whose opinion you care about. Here's what CyberScoop wrote in their coverage of the event, and in fact they were the people who interviewed him. They said Nakasone said incidents like Chinese government-backed breaches of US telecommunications companies and other critical infrastructure, as well as a steady drumbeat of ransomware attacks against US targets, illustrate that, quote, the fact that we're unable to secure our networks, the fact that we're unable to leverage the software that's being provided today, the fact that we have adversaries that continue to maintain this capability.

01:52:24
Nakasone, who led NSA and Cybercom from 2018 until early last year and is now founding director of Vanderbilt University's Institute of National Security, said he fears the threats of the future are going to get more dangerous. One example is, quote, we're starting to see the beginnings of the bleed from non-kinetic to kinetic for cyber operations, he said, referring to actual physical damage. Nakasone said, quote, what's next is that we're going to see cyber attacks against a series of platforms, being able to actually down platforms with ones and zeros. A board member for OpenAI, Nakasone also talked about how artificial intelligence could make cyber offense more potent. Specifically, he mentioned the notion of generative targeting, such as the idea of physical drones choosing their targets powered by AI. Because, Leo, what could possibly go wrong? He should read some Daniel Suarez to see how he thinks about the wisdom of autonomous, AI-powered drones. CyberScoop continues writing and quoting him, quote, we're starting to challenge this idea of humans in the loop, and I also offer to you, as we think about artificial intelligence needs, think about cyber weaponry. He said, quote, how far are we talking to this idea of being able to create an agent that's going to move through your network, that's going to change based upon topology of the network, being able to evade the defenses that are there, choosing targets of the future, unquote.

01:54:27
Members of the Trump administration and some members from both parties in Congress have called for the United States to get more aggressive with offensive operations in cyberspace. In a separate conversation with reporters, Nakasone said he agreed with those sentiments. Nakasone's Cyber Command conducted operations dating back to at least 2018 to disrupt Iranian and Russian hackers, in conjunction with more defensive hunt-forward missions in other nations designed to fortify allies' defenses and detect future threats against the United States. He also advocated for a philosophy of persistent engagement, to be in constant contact with cyber enemies, proactively rather than reactively. Nakasone said of offensive operations, quote, we need to do more of that. Certainly, it's not just the only thing we need. He said that one of the points of persistent engagement was to ensure anyone who attacked US election infrastructure knew they would suffer consequences from the United States. He said, quote, can we be more forthcoming in terms of some of the things... Oh, can we be more forthcoming in terms of some of the things we did? Yeah, I think there's opportunity. Okay, so that's interesting. That suggests that we did something in response to foreign interference with our national elections, but that, whatever it was, was kept on the down low.

01:56:09
In his speech, Nakasone said the top priority for the United States should be hiring top talent. Under President Donald Trump, the government has been removing some of those who were in the cyber talent pipeline. Eventually, Nakasone said, quote, we're going to have to be able to engage folks again and say, hey, please come and work in government, unquote. It's an open question how long any damage to the trust of potential hires will last, he said. Another change under Trump is that Defense Secretary Pete Hegseth has reportedly sped up the implementation of a Cyber Command overhaul from 180 days, in other words half a year, six months, to 45 days, just a month and a half. In response to a question from CyberScoop, Nakasone said, how doable is it? It's really doable when you can get the direction from the secretary. Asked if he was worried about whether the tightened timeline would lead to that implementation suffering, Nakasone answered only that the concepts of Cyber Command 2.0 have been in the works for a while already. And, actually, that's true. I'll just add that the Cyber Command 2.0 initiative was started toward the end of Biden's administration, so that was already underway. And finally, they wrote, during a question and answer session with the DistrictCon audience,

01:57:40
Nakasone did not voice any criticisms of Trump's purge of top military officials, such as General Charles "CQ" Brown, chairman of the Joint Chiefs of Staff. While praising Brown's work, Nakasone said, at the end of the day, the president gets to choose his own principal military advisor. So, yikes, we're apparently not giving as well as we're getting, as I was assuming and hoping we were. You know, the NSA is as annoyed as we all are over our inability to secure our own networks, and the future planners are seriously considering AI-powered attack drones without any of those pesky slow humans in the loop, you know, having second thoughts and gumming up the works. And again, it's just so easy to pose our favorite rhetorical question: what could possibly go wrong?

01:58:49
Wow. I wanted to announce the achievement of another of my own milestones for the work that I'm doing on the DNS Benchmark. Friday evening I dropped the fifth pre-release of the DNS Benchmark and, just to be clear, these are not betas or even alphas. They are incremental works in progress. You know, for example, the first of the pre-releases was the day after Christmas, where the benchmark was first able to query and benchmark remote DNS name servers over IPv6. Until then, it was only IPv4. So December 26th it got IPv6 capability. Last Friday evening's fifth pre-release published its new ability to also query name servers using DNS over HTTPS and DNS over TLS, so the two encrypted protocols that it will be supporting once it reaches its final version two completion. All of that is now working and, as always, this is the reason this wide-spectrum testing is so valuable.

02:00:09
You know, even though everything appeared to be working perfectly for me, the result of that fifth release has been the discovery of a bunch of things that I had missed, a handful of bugs. So that's what I want. I could not be happier that the benchmark's final release will be as completely bug-free as version one of the benchmark was when I released it 16 years ago. So onward. And finally, the great backdoor replacement. Leo, last week's call for a replacement for the term backdoor produced the expected massive wave of replies. So first, thank you everyone. As I mentioned earlier, we now have 16,350, I think it's actually 16,353, subscribers to the weekly podcast emails, so I'm receiving all the feedback I could ever ask for from all of these listeners. Among the suggestions for backdoor's replacement were many fun ideas, but the one that I saw multiple times from multiple suggestions from our listeners, and the one that feels best, is simply master key. Oh, the idea, yeah.

02:01:38
The idea that Apple or any other similar provider, when put in this position, would arrange their technology so as to have a master key that, implicitly, only they would know. I think that term, you know, it's well understood, it's immediately understood, it's clear and it offers precisely the concept that I was looking for. You know, since, while the key itself is a secret, the designed-in existence of such a key and such a capability is not. So as we know, Apple may decline to ever support any form of master key. They just may say no, we never want that. But that's the right term. I like it way better than backdoor. Again, backdoor just doesn't sound right, it doesn't have the right meaning and connotation, whereas Apple holding a master key, that's exactly the right thing. And we know they don't want to, right, they don't want the responsibility. And all of the crypto people will argue, if you have a master key, then somebody can pick the lock.

02:03:01 - Leo Laporte (Host)
Didn't we used to call it like key escrow?

02:03:04 - Steve Gibson (Host)
Yeah, and you could arrange a key escrow.

02:03:09 - Leo Laporte (Host)
You can take a big key and break it up in pieces in order to, like, you know... Although you don't have to do escrow, you just have to give it to somebody, you just have to hide it somehow, protect it somehow. Yeah, so maybe the key escrow is the key that is given to the... Okay, we are going to talk about the most egregious access to an access control system imaginable after our final break.

02:03:37 - Steve Gibson (Host)
Great. And this is just going to... Everybody, in fact, everyone's going to be able to play along with this. You will too, Leo. Just wait for this.

02:03:46 - Leo Laporte (Host)
This is unbelievable. Well, we're not going to take long. It's just going to be a quick reminder that, yes, we have sponsors, that's wonderful, but they don't provide the full wherewithal to do this show and all the other shows we do. We've tightened our belt as much as we can, but we need to rely on our listeners, our audience, for the rest, and that's why we created Club Twit almost three years ago now, as a way for you to support the work Steve and all of our other hosts do here. It doesn't, by the way, it doesn't go to me. It goes to paying the bills, frankly.

02:04:21
So if you are not yet a club member, may I make a pitch? There are some real benefits. You get all the shows ad-free because you're paying a mere seven bucks a month, the cost of that venti latte, plus or minus two bucks. You also get all of the special events we do and so forth and so on, and really, you also get the warm and fuzzy feeling to know that you're supporting the shows that we do here. If you want to keep listening to TWiT shows, the best way to do it is twit.tv/clubtwit. That's all. Enough said, don't need to belabor the point. Steve, let's find out what Freedom is, and I want to know more about this. Okay, so?

02:05:06 - Steve Gibson (Host)
I assume you have a browser in front of you. Yes. Open it and search the Internet for the phrase which is the title of today's podcast, Freedom Administration Login. I did that a couple of days ago and I got a full page of search results.

02:05:26 - Leo Laporte (Host)
That's not a good sign.

02:05:28 - Steve Gibson (Host)
I happened to click on the one that began. It was an IP address 98.174.254.140. Do you see that there?

02:05:38 - Leo Laporte (Host)
Well, let me... I was actually using my AI search engine, which was giving me instructions, so let me just go to Google, because that's probably the better place to just get the raw results. Yep, Freedom.

02:05:53 - Steve Gibson (Host)
What I did?

02:05:54 - Leo Laporte (Host)
Administration. Freedom Administration Login. Okay, oh look, it's been asked for so many times.

02:06:02 - Steve Gibson (Host)
Okay, oh yeah, look at there, there's the IP addresses. Wait a minute, these are actual... page after page. I clicked on the 98.174.254.140. Do you see, is that one there?

02:06:16 - Leo Laporte (Host)
Well, probably, it's hard to find it. It's a needle in a freaking haystack. There's 98.191. Is that one? Oh, try it, I don't know. Let's see what we get. So this is a login. Okay, now I don't want you to go any further, because I don't want to be... You don't want to break the law, be prosecuted under the Computer Fraud Act.

02:06:41 - Steve Gibson (Host)
Today's main story just makes you shake your head.

02:06:45
But the underlying lesson is too important to ignore. Even so, if it weren't already so public, I would not be shining any brighter light on it. This is that bad. It's that bad, but I guess I'm glad others have, even if I would have probably passed. The first sign of something having gone very wrong was the following short news blurb, which read, quote: Default password in Hirsch building entry systems. Hirsch Enterphone is the name. Hirsch Enterphone building entry systems contain a hard-coded username and password for their web admin panel that can allow threat actors to unlock doors via the Internet.

02:07:35 - Leo Laporte (Host)
See, this is a little suspicious. This page I pulled up, because the copyright ends 2013, so this is one of those, it's just been left there for, that one probably is, the 12 years. I found 98.174.254.140.

02:07:50 - Steve Gibson (Host)
It was prettier looking than that one.

02:07:53 - Leo Laporte (Host)
I did, yeah. There's different... this.

02:07:55 - Steve Gibson (Host)
This is the more modern look, right, yeah. A really nice big blue screen with a 3D cube on it is the one that I ended up seeing.

02:08:03 - Leo Laporte (Host)
They all look a little different depending, I guess, on the... So again, it's been around for a long time, which again is sad.

02:08:11 - Steve Gibson (Host)
Okay, so the hard-coded username and password for their web admin panel, reads this news, can allow threat actors to unlock doors via the Internet. The default creds are for the admin account named Freedom that uses the password Viscount.

02:08:31 - Leo Laporte (Host)
Which is the company that makes this?

02:08:32 - Steve Gibson (Host)
Yes, yes. According to security researcher Eric Daigle, there are more than 700 Hirsch Enterphone systems available over the Internet, with most used by apartment blocks across the US and Canada.

02:08:57 - Leo Laporte (Host)
Hirsch says customers did not follow their instructions to change the default passwords. However, who reads the manual these days anyway? Really?

02:09:03 - Steve Gibson (Host)
That pesky manual. Hey look, it works, Martha, we're done.

02:09:07 - Leo Laporte (Host)
Oh my God, Fire it up.

02:09:08 - Steve Gibson (Host)
Okay, what is Freedom used for? It unlocks all the doors of all these apartment buildings. Oh no. And it manages all the entries and all the key fobs and logs everything.

02:09:21
Just wait, just wait, Leo. Oh, that's not good. Hirsch says customers did not follow their instructions to change the default passwords. However, the misconfiguration's discoverer, Eric Daigle, says customers are never prompted to change the password during the setup process. Tracked as CVE-2025-26793, the vulnerability has a 10 out of 10 severity score and, well, okay, the news says, is very likely to be exploited. I'll be surprised if listeners to this podcast haven't already thought, well, I'm in a coffee shop. Anyway, this is likely the understatement of the year. Eric gave his blog posting the title "Breaking into Dozens of Apartment Buildings in Five Minutes on my Phone" and the subhead is "What a place to use default credentials."

02:10:28
In his posting, Eric shared his entire process of discovery, which is so fun that it bears sharing here. He explained: A few months ago I was on my way to catch the SeaBus when I walked by an apartment building with an interesting-looking access control panel. I wrote down the Mesh, M-E-S-H, Mesh by Viscount brand name and made a note to look into it when I had a chance. I ended up just missing my ferry, he says, parens, the 30-minute Sunday headways are brutal, he said, so I decided to see if I could find anything promising on my phone while waiting at Waterfront for the next boat. Brings up a sales page advertising TCP/IP compatibility to remotely program and maintain the system. He says, that sounds promising. So let's try to find a manual. "Mesh by Viscount filetype:pdf", that's a search, gets us an installation guide.

02:11:34
Page four explains how to log into the system's web UI. Eric attached the screenshot he took of his Android mobile phone, from which we learn, among other things, that his location has very good 5G coverage, but that he's also in rather desperate need of recharging his phone's dying battery. On that page we see the statement: The default logon information for the Freedom Web application, as well as the underlying Linux operating system, are listed in the table below. Both are case sensitive. You know, and you want to be sure to point that out to the hackers. These should be changed from the default during the software configuration process. And below that is a table showing that the Freedom login has the username freedom, all lowercase, and the password viscount, all lowercase, and that the underlying Linux system has the username, guess, yes, administrator, and the password is blank. So no need to bother with that pesky Linux password. Eric's blog posting notes: default credentials that should be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they'd surely have no reason to expose this thing to the Internet, right? Right?

02:13:13
The screenshot from the manual tells us the web UI login page's title is Freedom Administration Login, which gives us something to search for. The page has the title Freedom Administration Login, which means that Google will have discovered and happily indexed all of them sitting there wide open on the Internet. Now, I was hoping that the server might have used some non-standard port. Silly me. And everyone can do this right now from home or from your mobile phone, just like Eric did while he was waiting for the ferry and desperately hoping that his phone's battery would last. Just search the Internet for the phrase Freedom Administration Login and you'll be rewarded with countless hits.

02:14:14
I clicked on one. The web server is using port 80, not 443. So it's HTTP and not HTTPS, which, you know, makes it cheesy for an application like this, but, you know. So I told Firefox that, yes, I wanted to go to this old-school HTTP site, and I have the link in the show notes for anyone who cares, and sure enough, I was greeted with a beautiful big login page for Viscount Systems Freedom, and there in the upper left was the prompt for the system's administrative login username and password. Naturally, that's as far as I took it, but Eric went in. Here's what he shared under part one of his blog posting, "Personally identifiable information galore." He wrote: Exposing the panel to the Internet is dumb. Yeah, that's one word for it. That's a four-letter word, that's good.

02:15:15
Dumb, but fortunately none of these systems were accessible using the default. And then he says, just kidding, of course they were. The very first result happily lets me in with the freedom:viscount login. That's the old-school way of putting a username and password in the URL, he says, where you put freedom colon viscount. He said, the first interesting thing here is the Users section. Eric shares another screenshot, from which we learn that he's now on Wi-Fi and his phone's battery is much happier. The screenshot he shares has blanked out the site's URL for the sake of his blog posting, the building's physical address and the full building residents' names. But they're all there in their full glory alongside each resident's unit number, so anyone can see exactly who lives where. Eric notes: This maps residents' full names to their unit numbers. The building address is also used as the site title. That's already not great, but it's worse in conjunction with the Events section. This is a multi-year log of every time a fob associated with a certain suite number accessed an entrance or an elevator. So we can now easily determine that, say, John Snow of Unit 999 at 123 Bear Street in Vancouver, BC, comes home every day at 6 pm. Oh, for good measure, there's also a Users section which exposes every resident's phone number.

02:17:16
Then we get to part two, "Breaking in," where Eric writes: The personally identifiable information leaks are pretty wild, but the most interesting thing we have access to is the Controlled Areas section. In here I can apparently register new access fobs, disable existing ones and change the doors they're authorized for. The system for this is somewhat convoluted. Fortunately I don't need to understand it at all, because I can just unlock any entrance I want through an override function. And there I have a screenshot of that page in the show notes showing main entrance door, main entrance access, and a dropdown list box with very pretty colorful icons, Leo, showing unlock, with a green open hasp, and then lock and then lockdown. And I suppose lockdown means that it will no longer unlock for individual users. But yes, you are able to simply choose the green unlocked icon. You'll hear a clunk at the front door and then you can just waltz right in. So an attacker has the ability to unlock any of the doors, any of the doors, elevators, everything controlled by this otherwise rather high-end building access control system. And Eric notes: So I can break into this building in about five minutes without attracting any attention whatsoever.

02:18:58
Neat. And then we get to Eric's part three, "How widespread is this?" Eric writes: Maybe I just got lucky that the default credentials worked on the first result and this is actually really rare. Let's get back to a desktop and scan more properly, he says, which he then does. He uses some semi-automated scripting to attempt logging into the 742 exposed instances that his quick search turned up. It might be that using a more robust scanner would find many more, but of those 742, Eric's script was able to successfully log in to the building's access control system of 43% of them, just shy of half, leaving them completely vulnerable and unprotected, while also disclosing information about the buildings' residents that many would find quite objectionable. So why is Eric sharing all this, despite the fact that this is significant and far from being merely a theoretical vulnerability? Presumably because he first tried to do the right thing, but the vendor who indirectly created this mess in the first place could not be bothered to address it.

02:20:32
Eric's responsible disclosure timeline shows that at the end of last year, on December 20th, he discovered this. So five days before Christmas he was looking, he was waiting for the ferry. A week later, on the 27th, he wrote: Current vendor of Mesh, identified as Hirsch, a subsidiary of Vitaprotech Group, contacted them. On January 9th, the CEO of Identiv, former vendor of Mesh, was contacted. Two days later, Hirsch Product Security responds requesting details and is asked if they intend to alert their clients. On the 29th, okay, so that was the 11th, so 18 days go by, Hirsch replies stating that these vulnerable systems are not following manufacturer's recommendations to change the default password. They're holding it wrong, that's right.

02:21:37
The next day. I know, I love that. The next day, on January 30th, Hirsch was asked for an update as to whether clients running vulnerable systems have been alerted. No response to that. On February 14th, CVE-2025-26793 was assigned, as a 10 out of 10. Yes, everyone knows why. And on the 15th this was published. So anyone who's been listening to this podcast for long will be well aware that there are several fundamental design flaws present here. Really.

02:22:19
First and foremost, as Eric briefly noted, there's almost certainly no need for an apartment building's access control system to be exposed to the public Internet. No. So while the Linux-based web server on the network would need to have its web server bound to the internal LAN interface to allow for administrative access by management on the LAN, it should never be bound to the WAN interface. Even Cisco is unable to do this correctly and exposes its web UI to the public Internet, so certainly these clowns can't. The second thing that's wrong with this picture is the entire concept of built-in, factory-supplied usernames and passwords. Those days must come to an end, and that should have happened long ago.

02:23:23
The lesson the industry has learned the hard way, over a span of decades of trying very hard not to learn it, is that usernames and passwords are a place where security must trump convenience and the associated annoyance of the "I cannot log into my management portal" tech support calls which will result. Deal with it. There must be no default username and password, and also no form of manufacturer-hidden backdoor username and password. As we know, any of those will be discovered the first time anyone goes looking. The system simply needs to generate a long, unique username and password the first time it is started. When it discovers they're blank, it needs to use whatever entropy it's been able to gather from the universe up to that point, which is trivial for any connected device, given unpredictable network packet timings, then use that entropy to initialize the username and password to pseudo-random gibberish. This cannot be left to chance or to someone reading "please change the username and password from their initial default" and then presumably thinking, yeah, I'll get back to that once everything else has settled down. You know, it is absolutely important for the system to enforce their being changed just once, or being set just once, to something completely random and unguessable. Given that the username and password will initially be gibberish, an administrator should be free to change them immediately if they wish. Or the gibberish can be written down, or the user's password manager can be used to record it, or the browser's automatic built-in offer to remember it for its user can be accepted. The point is, today's ubiquitous tools mean that gibberish is no longer the daunting problem it once was. So let's have gibberish.

02:25:42
We've learned that doing what these clowns have done, shipping their system with a publicly documented and thus publicly known username and password, while also allowing the system to be accessed from the Internet, is asking for exactly the sort of trouble that will now be visited upon every one of this system's owners. Guaranteed. And finally, adding insult to injury, the damn things all have the same web portal page title, meaning that a simple Google search brings up hundreds and hundreds of potential victims with, as Eric's login testing script discovered, a 43% chance of those publicly known usernames and passwords allowing any casual passerby to see who lives there, where exactly they live, to view detailed historical logs of their comings and goings, and to unlock any of the doors that are controlled by the system's so-called security. Lord only knows how many other similarly insecure systems exist in the world today. There's no way the owners of these systems, who are obviously not IT-trained and focused admins, will ever be made aware of this trouble until they begin suffering from mysteriously unlocked doors and mysterious thefts that cannot be explained because there's no sign of break-in.

02:27:23
At that point, who's ultimately responsible for the damage that results? Well, yes, the bad guys. You know, it's criminal to do this, but it's going to happen. The saddest thing is that all this is so avoidable by better system design. It would be tempting to conclude that the coders who are designing and implementing such security systems must have no security training. How could they? But who knows, perhaps the coders did have security training, but when they presented a secure system with a strong password policy built in and no public access, they were overridden by management demanding an easier-to-use system that would not burden them with tech support calls and would allow them to have remote access for easier support.

02:28:19 - Leo Laporte (Host)
That's the bingo right there. Yes, it's about support, reducing support expenses.

02:28:26 - Steve Gibson (Host)
Yes. That worrisome Log4j vulnerability that was discovered back in December of 2021, which kicked off our 2022 podcast year, turned out to be more worry than reality, for exactly one reason. It was difficult to do. Its fruit was not low-hanging. It was up at the top of a very tall tree, well out of reach for all but the most determined and capable hackers. We've learned that not all would-be hackers are rocket scientists. There is indeed an upper crust of elite hackers who can hack anything, but their numbers are blessedly few. The great mass of hackers are those who need to be following a script. My point here is that this Freedom Administration Login catastrophe doesn't even require a script. It's not low-hanging fruit. The fruit has fallen off the tree and is lying on the ground waiting to be picked up or kicked around. A governing rule of computer abuse: the easier it is to abuse, the more often and likely it is to happen. I came to full attention when I encountered this story this week, because it's been a long time since we've encountered anything that's been begging this loudly to be abused, and there's no doubt that it will be, especially when you add in the fact that the physical street address for the building being managed by these systems is loudly presented at the top of every logged-in page. Come on in, guys. It's unbelievable. There's no need to guess which buildings may as well have left all their doors permanently unlocked and the schedules of their tenants posted publicly, given that it's trivial to log in to these portals to determine their physical address, and that the majority of these facilities appear to be located in Canada. So said Eric. A good Samaritan among us might take it upon themselves to log in, determine the building's address and notify the building's management of this glaring security trouble. 
If anyone listening to this podcast wishes to do so, despite having the best intentions, I would advise taking some anonymizing precautions. Oh yeah. Since we've seen instances where white hat hackers are still being accused of wrongdoing, and technically using even publicly posted credentials to log in when you don't have permission, that's a crime. But it would make for a nice security project for anyone interested in doing some good. And it's somewhat astonishing that the publishers of this atrocity, this, you know, atrociously insecure access control system, replied to Eric that, well, you know, vulnerable systems are not following manufacturer's recommendations to change the default password. Of course it's their fault, rather than taking any proactive measures to cure these and any future recommendation failures. Well, that's a recommendation failure. For anyone who might be interested in pursuing this, I've included the link to Eric's blog posting on the last page of this week's show notes.

02:32:02
I haven't mentioned that, even if these systems' default username and password are changed, you know, we're still looking at the always questionable security presented by exposed Internet-facing web UI portals. Right, we know how challenging their security can be. It's some Java, some JSP, is the thing that answers this login, that generates this login page. So who knows, you know, where that came from and, you know, whether that could be bypassed. There well might be some, you know, albeit less trivial, means of bypassing these systems' login security. Having them exposed to the Internet at all and readily indexed by anyone who looks is just such a bad idea. In any event, no matter what happens from here, this did make a great case study for our 1014th Security Now podcast. Leo, you and I will see everyone back here next week for number 1015. Wow.

02:33:16 - Leo Laporte (Host)
Yes, we will. What a great story, and not at all surprising. There's so many like that, you know, and you don't even have to use Shodan, just Google. That's all it took, Google. Wow. I hope I don't get in trouble for showing those Google search results. How could you? I mean, that's it.

02:33:34 - Steve Gibson (Host)
It's Eric's blog posting. I found it referred to in a different news site, so it's out there. Otherwise I wouldn't have talked about it. But it's such a good object lesson. It is like, how bad, I mean just how bad it could be. Yeah, this is just egregious.

02:33:53 - Leo Laporte (Host)
And I think to some degree this happens again and again because companies want to save money on support, and so they know that somebody is going to forget the password that they set on their login screen to control all the locks in their apartment building. And they're going to call them and they say, oh well, good news, and they're bragging that you can access it over the Internet.

02:34:14 - Steve Gibson (Host)
You should not be able to access it over the Internet. Who needs

02:34:18 - Leo Laporte (Host)
to.

02:34:19 - Steve Gibson (Host)
You know, in the rare case that that's necessary, then enable it, but don't have it on by default.

02:34:27 - Leo Laporte (Host)
Yeah, yeah, I mean, I think in some cases that's probably something they want the manager's off-site or something, I don't know.

02:34:34 - Steve Gibson (Host)
And somebody paid a bunch of money for this. It's not like this is free, right? This was an expensive access control system, so it's got controls on the elevators and all the doors and it's logging people's fob use and, I mean, I'm sure it's tens of thousands of dollars. Well, if there's any justice, people will sit up and take notice, and the next time somebody needs a security system for their apartment complex, they may not buy Freedom. Talk about leaving the back door unlocked. Yeah. Steve Gibson.

02:35:03 - Leo Laporte (Host)
The front door to all the glories that is Steve Gibson is GRC.com. That's his website, the Gibson Research Corporation. There you'll find SpinRite, his bread and butter, the world's best mass storage maintenance, recovery and performance-enhancing utility. Soon, as you said, DNS Benchmark. I look forward to buying the pro version the minute it's available. While you're there, you can also check out this podcast.

02:35:31
He's got two unique forms, three. Well, really everything he's got is unique. He's got a 16-kilobit version of the audio, a 64-kilobit version of the audio. We don't actually do that anymore, we do 128 kilobit. I found out that's because Apple does some re-encoding to some weird, you know, 48-kilobit thing or whatever, and so we want to give them the best quality before they do the re-encoding. You also have transcripts written by Elaine Ferris, a real human being, not an NPC. So you can, you know, read along as you listen, or use it to search. It's great, it should be part of your collection, you know.

02:36:12
Print it out, put the podcast on CDs and put it on your bookshelf. Then you'll have it, your heirs will have it forever after. There is, what else do you have? I think that's it. Oh, no, show notes, those are there too, although you could get those emailed to you ahead of time. If you go to grc.com/email, give Steve your email address, and that's just so that you can email him, because he doesn't let anybody who's not been validated ahead of time email him, and he described that a few episodes back. But there are two checkboxes there where you can subscribe to the Security Now newsletter, which is weekly, and then, of course, the very infrequent newsletter that he sends out with other information. But that's your choice. Those are not checked by default. grc.com/email. We have 128-kilobit audio, it's twice as good, at our website, along with the video, which Steve does not have, wisely considering that anonymity is more important than showing his shining face to the world. That's at twit.tv/sn.

02:37:25
There's also a YouTube channel. You'll find a link there, a dedicated Security Now channel, great for sharing clips. So if you're going to share a clip, that's the easiest way to do it for you and for your recipient. You can make a clip of just a minute or two or whatever you want of the show and everybody can click on it and open YouTube. That's really transparent for them. They don't have to have a video... Remember the days when you had to have a video player on your computer and it was all so complicated? Much easier now, thanks to YouTube.

02:37:51
We also, of course, because it is a podcast, let you subscribe, want you to subscribe, encourage you to subscribe. It's free. All you have to do is get your favorite podcast client and search for Security Now. We do the show live. That's another way you can consume it. You can watch live every Tuesday right after MacBreak Weekly, which ends up around sometime between 1:30 and 2 pm Pacific, 5 pm Eastern, 2200 UTC. Have I said everything I need to say? I think so. We stream live on YouTube, Twitch, X.com, TikTok, Facebook, LinkedIn, Kick and, yes, Club Twit. Members get to watch in our Club Twit Discord. Steve, have a great week. I will see you back here next Tuesday.

02:38:39 - Steve Gibson (Host)
Thank you, my friend.

02:38:40 - Leo Laporte (Host)
Till then, bye. It'll be March, yay, excitement. Stay on top of tech trends without the time sink. twit.tv short-form podcasts are built for busy leaders like you, delivering essential insights in minutes. Hands-On Mac and Hands-On Windows provide quick tips for Mac and PC, while Hands-On Tech quickly addresses common tech challenges to keep your operations running smoothly. If your conference room needs an upgrade, Home Theater Geeks explores the best screen and sound systems. And if you like watching the shows, join Club Twit to get full video access, ad-free versions and more. Get tech knowledge that matters on your schedule. Download our short-format shows now at twit.tv or your favorite podcast player.
