Security Now 1015 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. We'll talk about Firefox's new privacy policy and why Steve is not concerned. Signal threatens to leave Sweden. Yeah, it's coming. I'm telling you. Mozilla's commitment to Manifest V2 and uBlock Origin. This week, Chrome is pushing out V3. And then we'll talk about a new way to jam radio signals, very specifically, an individual signal in a sea of signals. It's actually a very cool technology. That and more coming up next on Security Now, podcasts you love.
0:00:38 - Steve Gibson
From people you trust.
0:00:40 - Leo Laporte
This is TWiT. This is Security Now with Steve Gibson, episode 1015, recorded Tuesday March 4th 2025. Spatial domain wireless jamming. It's time for Security Now. Aren't you glad you... I don't know what you downloaded it. You waited, you're watching, aren't you glad? You're glad? We wait, all of us, till Tuesday comes around. Every week I see stories I go, I can't wait to hear what Steve thinks about this. Here he is, the man of the hour, Steve Gibson.
0:01:18 - Steve Gibson
Aren't you glad you're out on your multi-mile run and you have something that will, you could... They'll take your mind off the boredom of putting one foot in front of the other.
0:01:31 - Leo Laporte
I have a different way of saying it. It will exercise your brain as you are exercising your legs.
0:01:36 - Steve Gibson
Sometimes you need to be careful about, you know, gripping the wheel tightly, not going off the road. You used to sit on a ball, Leo, and we'd have to make sure you were centered over the ball.
0:01:46 - Leo Laporte
That was dangerous. I now sit in a very comfortable chair, no more balls for me.
0:01:49 - Steve Gibson
But I have to say, then you had that strange harness you were sitting on for a while. I was worried about you.
0:01:54 - Leo Laporte
Oh, that thing, yeah, that's gone.
0:01:58 - Steve Gibson
So we're at 15 episodes past the big Y1K event. We survived. Everybody survived. Episode 1015, our first for March. Oh, and this is titled Spatial Domain Wireless Jamming. What? And it's not what you think. Oh, when I heard that, I thought, okay, cool. So spatial domain means, you know, that, aiming something, uh, and jamming stuff, like by blasting something with a signal. Oh, like a portable dog killer, that would be.
Yes, that would be wrong. This is an astonishing new technology. Oh how fun. But we'll get there. First, we're going to look at Firefox's amending their privacy policy, followed by the world melting down. Yes, it did.
0:02:58 - Leo Laporte
Oh my Lord.
0:03:00 - Steve Gibson
I have a few things to say about that. Also, Signal is now threatening to leave Sweden. What? Oh yeah. We have some aftermath of the massive, we talked about it last week, 1.5, 1.45, 1.4, depending upon when, and you know, how the Ethereum is trading versus the dollar, on the order of $1.5 billion Bybit Ethereum heist. We now know more. It turns out there's a view that suggests it wasn't actually Bybit's fault. I'll explain how. Also, we have the Lazarus bounty monitoring and management site. You want to create a site if you're going to be managing a 10% commission on the recovery of that $1.5 billion. We've got.
I'm going to talk about, in the wake of, you were just talking about you were not wanting to restart Chrome because it was going to want to update and do to you what it just did to Andy, as he talked about on MacBreak Weekly. Mozilla has reasserted their commitment to Manifest V2, which allows all of us who are still using Mozilla's Firefox to stay with the full-strength uBlock Origin. We're going to talk about what the ACM's plea for memory safe languages means for developers. There's a takeaway for anyone who's wondering what language they should focus on. And we're going to also look at what exactly are memory safe languages.
Were it not for this spatial domain wireless jamming piece, you know I'm a sucker for research, uh, like the actual research articles, uh, this would be today's main topic, so we're going to give it some time. Also, Australia has joined the Kaspersky ban. Uh, Gmail announced that they're planning to switch from SMS to QR code authentication, and again the world melted down with all kinds of, I don't want to call them idiots, but I did say the word. Everyone's screaming about how that's worse than SMS, because people can't read QR codes. My take is a little different. It's like, how can that work? Anyway, we'll get there. I do have a listener, actually I think he's the guy who I'm thinking of who is out running right now. While he's listening to this, he'll hear his name mentioned while he's running. Reported a really interesting SpinRite success. We've got a bunch of feedback, which we haven't had lately because I just haven't had enough time. And then we're going to look at an astonishing new technology for targeted radio jamming, targeted Wi-Fi jamming, and Leo, you're not going to believe this picture of the week.
This is one that takes a minute to understand, a lifetime to appreciate. No, actually, people out there who, how many times have I said, you know, most people really don't have any idea how any of this stuff works.
0:06:14 - Leo Laporte
They're just I mean, and I feel sorry for them, it's just like you know, they, just they, just it must.
0:06:22 - Steve Gibson
We've heard that human lifetimes are being shortened. Right, it's like it's no longer. It's because of the anxiety that the techies have created with all this stuff that nobody understands. They know they need it, they have to have their phone charged, but, as we're going to see here, how to get that to happen remains an elusive goal.
0:06:48 - Leo Laporte
Oh, this is interesting. This is interesting. All right, I can't wait. Another wonderful episode of Security Now just around the corner with Mr Steve Gibson. But before we get into the meat and before I look at this picture of the week, which will take a minute to understand and a lifetime to appreciate, we want to talk about our sponsor for this segment of the show, Legato Security. I love that name.
Let me talk about what Legato does. I was so. Of course, we're really careful, we vet our sponsors, and I had a nice conversation with the folks at Legato. I was very impressed with what they do. Actually, I suggested an analogy.
If you're a homeowner and you put in a burglar alarm, or you're a business and you put in a burglar alarm, it's no good if you don't have somebody monitoring it. Right, if the burglar alarm goes off in the middle of the night and you're at home, or if you're on vacation and you're a burglar, it's useless. You have monitoring. Well, the same applies to cybersecurity. Now, a giant business, I'm sure, has its own security, 24-7 security monitoring, but no business, small or mid-sized, could afford such a thing. That's why you need Legato Security. They provide the same standard of security controls that those big enterprises depend on, but you don't have to build your own internal security operations center. They call it a SOC and Legato has one. In fact, if you go to the website, it is sweet, it is nice, it's like NASA, baby. They're monitoring your security. One of the things I love about Legato, you don't have to change the tools you use. They work with your existing security infrastructure to give you the monitoring you need. As a recognized leader by CRN and MSSP Alert in 2024, Legato Security transforms how businesses think about their cybersecurity, because Legato Security is, as I said, technology agnostic. They will work with your existing tools. They're an MSSP, a Managed Security Service Provider platform. They provide your business with a custom suite of security solutions tailored to your needs. But remember, they integrate seamlessly with your existing tools. Legato Security eliminates the need for a costly infrastructure overhaul. You don't have to start over. They have, though, on top of what you've got, their proprietary security operations platform. It's called Ensemble. It actually is a great front end to all of the tools you've got, because you've got consolidated, prioritized, actionable alerts in real time on a single pane of glass. So it takes all the signals you're getting from your various security tools and puts them in one place.
Look, we were talking, Steve, about the Google Chrome extension hacks that happened last year. And when did they happen? They happened Christmas Eve, because the bad guys knew everybody would be home and so they would have free rein to hack at least through Christmas Day, if not for the next two weeks. Hackers don't take holidays. In fact, they like you to take holidays. Hackers start working when you clock out. Legato Security's 100% US-based team provides proactive threat detection and triage. They'll help you with remediation. They're there for that, too, 24-7, 365 days a year. They have a purpose-built SOC. By the way, I think sometimes people say, oh, I don't want to lose my job. No, they work with your security team. You still need that security team, but they can focus on the stuff that really matters and they can go home when it's time to clock out. I think this is really a great idea.
From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer said, quote, Legato Security is the only supplier that has delivered everything they said they would, and we didn't have to drive them. They just get it done. I was totally impressed with the Legato guys, Legato Security. I thought, they won't call you to tell you you have a problem. When you get a call from them, they'll be calling to say, hey, we found a problem, we fixed it. IT and security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals you want on your team. The pros from Dover will help you, will back up your cybersecurity forces and fortify your defenses proactively, 24-7, 365 days a year.
It's not enough just to have security tools. You need the expertise to back it up. Oh, they have a great thing. See if your defenses are as strong as you think. Go right now to the website and you can try their free risk assessment tool that will let you know where the gaps are. Visit legatosecurity.com, okay. Discover how they can help you regain control. And, yeah, enjoy your weekends like you used to. legatosecurity.com, and don't forget that assessment tool. I think you'll find it very, very useful. Thank you, Legato Security. Great to have you on Security Now, because they're kind of doing the same thing we try to do here. All right, I'm ready to scroll up. This is the moment I wait for all week. I gave.
0:12:15 - Steve Gibson
I gave this picture the caption: during the phone not charging tech support call, the customer asked, what do you mean, USB charger?
0:12:28 - Leo Laporte
My phone. I plugged it into the USB charger but it's not charging. That's not good that it fits so nicely, is it no?
0:12:38 - Steve Gibson
It's not good. In fact, it gave me an appreciation of the fact that we're, you know, the techies who, as I have said, are pretty much responsible for creating the anxiety that everyone experiences. Now, we've been pretty good about making sure that the plugs and sockets only fit where they're supposed to fit. Yeah, you know. So you can't stick an Ethernet, you know, RJ45 plug in anything where it's really not supposed to go. What? For those who are not seeing this picture, what we have is a USB-C charging cable plugged into an AC outlet. Oh boy. And again, this sort of says people just don't really understand this technology, but it fits the hole. But Steve, it fits the hole. Now you would.
You probably wouldn't get electrocuted from that, I hope. I'm hoping that the outer metal ground sleeve of the USB-C does not go far enough, that it would not penetrate far enough in to come into contact with the copper spring on either side.
0:13:59 - Leo Laporte
Let's not try this at home, shall we? Do not. I wonder?
0:14:03 - Steve Gibson
If it does, let me just see. Oh, oh, dear. Yeah, because you're potentially connecting yourself to one side of the AC line, which could have, let's just say, very negative consequences, especially if you're one of the other clowns we saw recently who was in a swimming pool while barbecuing hot dogs on the electric thing. He might do. Very funny, Steve, I love it. Thank you. Okay.
So, uh, by far the biggest brouhaha of the past week, at least among the circles this podcast and its faithful Firefox-using listeners move through, has been the concerns raised by Mozilla's change to Firefox's privacy policy. Ars Technica's headline covering this, and believe me, they were one of every tech outlet, Ars' headline read, quote, Firefox deletes promise to never sell personal data, asks users not to panic. With the follow-up: Mozilla says it deleted promise because, and they have quoted, sale of data is defined broadly. Okay, so just first to set the background here, Ars wrote, Firefox maker
Mozilla deleted a promise to never sell its users' personal data and is trying to assure worried users that its approach to privacy has not fundamentally changed. Until recently, a Firefox FAQ promised that the browser maker never has and never will sell its users' personal data. An archived version from January 30th, right, so just a month and a half ago, literally says that. In the FAQ, Mozilla asked themselves, does Firefox sell your personal data? Question mark. I mean, it couldn't be any clearer than that. Answer: nope, never have, never will, period. And then they go on: and we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy, period. That's a promise, period. So, you know, maybe part of the problem is that they got a little carried away with what they were saying before. On the other hand, it's the warm and fuzziness that everybody who would choose Firefox instead of Chrome would want from Mozilla. So Ars said that promise is removed from the current version.
There's also a notable change in a data privacy FAQ that used to say, quote, Mozilla doesn't sell data about you and we don't buy data about you, period. The data privacy FAQ now explains that Mozilla is no longer making blanket promises about not selling data, because some legal jurisdictions define sale in a very broad way, meaning, like, overly broad. And so Mozilla is just, you know, some, I mean, they have attorneys too, and you have to do what your attorney tells you or you could get in trouble. So it says now: Mozilla doesn't sell data about you (parens) in the way that most people think about selling data, and we don't buy data about you. Since we strive for transparency and the legal definition of sale of data is extremely broad in some places, we've had to step back from making the definitive statements you know and love. We still put a lot of work into making sure that the data that we share with our partners, which we need to do to make Firefox commercially viable, is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy-preserving technologies like OHTTP. Okay, then Ars says Mozilla didn't say which legal jurisdictions have these broad definitions.
Users criticized Mozilla in discussions on GitHub and Reddit. One area of concern is over new terms of use that say, quote, when you upload or input information through Firefox, you hereby grant us a non-exclusive, royalty-free, worldwide license to use that information to help you navigate, experience and interact with online content as you indicate with your use of Firefox. Okay, now, I'm not an alarmist by nature, as our listeners know, and I'm committed to Firefox, but Firefox is our UI portal to the Internet and to the world, so, by definition, everything goes through it. Therefore, language that reads, when you upload or input information through Firefox, you hereby grant us a non-exclusive, royalty-free, worldwide license to use that information to help you navigate, experience and interact with the online content as you indicate with your use of Firefox, even though I might want to, you know, that one is a little bit difficult to rationalize. I don't believe that I want any web browser, you know, to be examining any of the information I input through it in any way for any purpose. Ars published the first edition of their report at 9:44 am Eastern Time last Friday, the 28th, the last day of February. They then updated it less than an hour later at 10:20 am, writing:
Quote. Mozilla has since announced a change to the license language to address user complaints. It now says you give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox privacy notice. It also includes a non-exclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content. Unquote. Okay, now I had to reread that slowly several times. I think they're saying that in order to serve as a conduit for the information we input through Firefox, they need to say something about their legal position and obligations as our information conduit. Ars continues writing.
Mozilla also took heat from users after a Mozilla employee solicited feedback in a connect.mozilla.org discussion forum. Quote, this isn't a question of messaging or clarifying, one person wrote. You cannot ask your users to give you these broad rights to their data. Mozilla announced the new terms of use and an updated privacy policy in a blog post on Wednesday. That is, you know, earlier than all this.
After seeing criticism, Mozilla added a clarification that said the company needs, quote, a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn't use information typed into Firefox, for example. It does not give us ownership of your data or a right to use it for anything other than what is described in the privacy notice. Unquote. Ars said one of the uses described in the privacy notice has to do with users' location data. Mozilla says it takes steps to anonymize the data and that users can turn the functionality off entirely. And, quoting Mozilla, Mozilla said: Mozilla may also receive location-related keywords from your search, such as when you search for Boston, and share this with our partners to provide recommended and sponsored content. Where this occurs, Mozilla cannot associate the keyword search with an individual user once the search suggestion has been served, and partners are never able to associate search suggestions with an individual user. You can remove this functionality at any time by turning off sponsored suggestions. More information on how to do this is available in the relevant Firefox support page. And they finish:
Some users were not convinced by Mozilla's statements about needing a license to use data to provide basic functionality. One person wrote in response to Mozilla's request for feedback, quote that's a load of crap and you know it. Basic functionality is to download, and rendering web pages is no longer all that our web browsers do for us. A perfect example of this is this sentence I'm reading right now. It's in the PDF of the show notes that was originally entered into my Firefox browser courtesy of Google Docs, an astonishing word processing system that runs in our web browsers. So it's patent nonsense to suggest that the job of today's browsers is only to download and render static web pages. Those days are long past.
I think this brings us back to the free lunch dilemma and the reality that there's really no such thing. No one pays for or purchases the use of any web browser with their own cash. So far as I know, every web browser is free and I have that in quotes to use, and free is in air quotes, because are our web browsers truly free? Is it reasonable for us to expect to take and take and take from them while giving nothing in return? We want security. We want browser extension add-on stores without malware and abuse. We want absolute cross-browser compatibility and secure password storage and cross-platform operation. And and and and. Who's paying for all this?
We absolutely know that maintaining a contemporary web browser is incredibly expensive. Microsoft itself was unable to do it. They gave up their independence, and the industry refuses to leave things alone. The World Wide Web Consortium, the W3C, refuses to stop moving forward with the introduction of successive advances. They want to evolve the web browser into a fully featured operating system environment. And I'm not saying that's a bad idea, because, after all, I'm editing these show notes in an astonishingly full-featured word processor, which we would not have if it were not for the W3C pushing forward on features and strong standards.
A state-of-the-art web browser is not only a matter of finding and fixing bugs, but it also means serious, never-ending development to support the continually evolving standards. The result of all this has been the creation of an incredibly capable, complex and expensive-to-maintain application platform that is so easy to take for granted. Mozilla's updated statement reads: we still put a lot of work into making sure that the data that we share with our partners, which we need to do to make Firefox commercially viable, is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy-preserving technologies. I, for one, believe them. These are the people who said they would never sell our data. I believe that their heart is in the right place. So if, as a Firefox user, anonymity is all we can obtain from Mozilla in return for their providing us with this amazing tool for free, then I'm fine with that. That's more than we get from Google and Microsoft. What's more, I'm very appreciative and I dearly hope we never lose this alternative to being swallowed by the Chromium monster.
0:27:52 - Leo Laporte
So you're going to keep using Firefox?
0:27:53 - Steve Gibson
Absolutely, and I hope they stay solvent.
0:27:58 - Leo Laporte
Well, that's the main thing. I'm willing to put up with all of this just because I don't want them to go away, right. I mean, they're increasingly under pressure. Their market share is shrinking dramatically, they're at about 6% now, and the way they make money, frankly, is Google. Google basically gives them more than $100 million a year.
0:28:23 - Steve Gibson
Yep, and I have my home page left. The home page shows all of that sponsored stuff, and I have no problem having my, you know, when I hit my home button or open Firefox and it comes up, some of those things are interesting. I'll, like, scan. I have it turned on, yeah, yeah. And it's like, if that's sending some money back to them, I have no problem.
0:28:44 - Leo Laporte
Honestly, I feel like we should start paying for more stuff. I know this is a controversial thing to say. We got spoiled when the web started.
0:28:54 - Steve Gibson
Everything was free, and remember, no one understood how everything was free.
0:29:00 - Leo Laporte
How is it free? How is Facebook free? What's going on?
0:29:03 - Steve Gibson
And, frankly, Twitter never made money and look what we got. Yeah, so pay for the stuff we care about.
0:29:10 - Leo Laporte
You know, I think that that's not a bad thing, and I understand, uh, it's expensive, but we've been basically hiding the true cost of these things and paying for them with surveillance capitalism. So maybe it's time to not hide the true cost and face it. Yeah.
0:29:27 - Steve Gibson
I think what we need and we don't have is we need better control of incremental purchase stuff.
I mean, like right now I have some micropayment system where we actually can see what's going on. You know, Roku dings me and I get charged from Hulu and I've got, you know, I've got like charges coming in all different directions. There's no central management of that. And the other thing I dislike is the idea of, like, paying if I open a web page. I don't want to pay, like, on a per-use basis. I want to say I'm willing to pay this much a month, and as long as I do, I get as much use of that as I want. That's the model, and then I can choose if I say, okay, I want to turn that off now. But we're just not there yet. One of the things that I think about when I think about this, Leo, is I think about the astonishing amount of money that our government spends, which comes from tax, from us paying taxes, which says that if you have a large aggregate... That too, because I just paid my taxes and it was a hell of a lot of money.
Yes. If you have a large aggregate of people who are all contributing, it ends up generating a huge amount of revenue. Yeah, now the argument is, and no one disagrees, that our government is not always doing the right thing with all that money.
Not super efficient with that largesse that they have, doing the right thing with all that money. But to me it suggests that if everybody using Firefox were to contribute something, then maybe that makes it viable. And it doesn't have to be, you know, that much. I don't know. The other thing we see is that an advertising-supported model does work. You know, TWiT generates a significant amount of revenue from its sponsors, and thank goodness for that.
0:31:33 - Leo Laporte
Yeah, we remember when we started Security Now, we didn't have any sponsors. No, and I don't know what I was thinking. I thought, oh, I didn't think, we'll do it for free. We paid you, we paid me, I had to pay rent, uh, but we thought, well, we could do it with contributions, but it was never enough to do more than it was. At most, maybe ninety thousand dollars a year, not enough to pay you and me and pay rent, let alone do all the shows that we do. So, and the club has been very good to us, uh, but it's only about five percent of our revenue. We have to have advertising, and look at Google.
0:32:05 - Steve Gibson
I mean, there's the model of advertising-supported Internet presence, right? So anyway, so my feeling is... you get great, as you point out.
0:32:16 - Leo Laporte
I'm really glad you said that. That's a hell of a free word processor. It's unbelievable. Yeah, I mean, it's amazing what we've got for free, but it ain't free, and that's important.
0:32:29 - Steve Gibson
Yes, you gotta understand, and we have Google Sheets and all the other stuff. I mean, it is incredible. And, uh, so I just sort of wanted to put everyone's outrage over Mozilla, having to make sure that they're not overstating what they're doing in order to cover their legal backside, in perspective, and that we know their heart is in the right place. What they originally said is what they wish they could still say, but the attorneys got in there and said, you know, that's really not correct.
0:33:07 - Leo Laporte
Somebody posted on Reddit a diff of the old and the new terms of service, and there's this big blank spot where there used to be "we won't sell your data," so I can see why people were upset, but you got to put it in context. I think you're doing a great job. And again, if they want to sell it anonymously.
0:33:26 - Steve Gibson
If they anonymize it and say here, in general, are the people who are using our browser, how would you like to give them an ad? I have no problem with that at all.
0:33:35 - Leo Laporte
That's basically what we do. You know, we don't tell people anything about our listeners, we don't even know it. Yes, but we do, because of the survey once a year, tell them in aggregate they're very smart, very good people and you want to advertise to them, and it works. Anyway, thank you. Time for a break, and then we're going to talk about Signal's.
0:33:59 - Steve Gibson
Latest threat. This one's another example: how is Signal free, right?
0:34:01 - Leo Laporte
I would sure like to know that. How is Signal free? It's amazing. Anyway, we'll be back with more of the wonderful Steve Gibson in just a little bit. He's free, but he's brought to you by some very.
That's the other thing we do, and I think that that's really important. Not only do we not tell people anything about you personally, we, everybody, so the sponsors we have are people we use, we know, we trust. I talk to them all. I make sure that they're doing what they say they're doing.
Bitwarden's a great example. Uh, Bitwarden is an amazing password manager. It's the trusted leader in passwords, not just passwords but secrets. Like, I keep all my secrets in Bitwarden because it's a strong, encrypted vault. Passkey management. You know, when passkeys first came out, you know, they were tied to the device, but I didn't have my iPhone to use passkeys on the desktop and all that kind of stuff. Now I have it all in Bitwarden. So everywhere I have Bitwarden, I've got my passkeys.
With over 10 million users across 180 countries, over 50,000 business customers worldwide, that's, wow, 50,000. Bitwarden has entered this year, 2025, as the essential security solution for organizations of all sizes. Consistently ranked number one in user satisfaction by G2 and recognized as a leader in Software Reviews' Data Quadrant, Bitwarden continues to protect businesses worldwide. I bet you didn't know. I mean, everybody knows how great Bitwarden is for individuals. It's great for business too.
Recently they announced the general availability of Bitwarden's native mobile applications. I've been using the Bitwarden app forever. I didn't realize it wasn't native. It's now native on iOS and Android. That means you get faster load times, improved functionality. You get platform-specific UI, which makes it more intuitive to use. Deeper hardware integration. That's a big deal for security, including biometric authentication and multi-device support. That enhances usability as well as security.
Plus, Bitwarden has strengthened its password manager, and I love this, with SSH. So I never use a password to log into my SSH servers. I always use keys, but it's a long multi-step process to generate the keys, upload them to the server, all this stuff. Now you can do it inside Bitwarden. This addresses a critical security challenge where up to 90% of authorized SSH keys in large organizations just go unused, because probably it's just too complicated. By centralizing cryptographic key management inside Bitwarden, you enable secure storage. No longer will there be a risk of uploading your private key to GitHub. It makes it easy to import existing keys so you don't have to generate new ones, and, this is amazing, you can generate SSH keys now directly within the Bitwarden vault. So it's safer, it's more secure and it's easier for developers and IT professionals.
But that's just one of hundreds of great features that set Bitwarden apart. That, and, frankly, they prioritize simplicity. This is a better way to do SSH, a better way to do passwords, a better way to do passkeys. Setup only takes a few minutes. They support your business. They'll support importing from existing password management solutions directly and, if you're curious, this is really important to me, Bitwarden is open source, GPL licensed.
You can inspect the source code. Anyone can, and they are regularly audited by third-party experts and they publish the results of those audits. Look, your business deserves a cost-effective solution for enhanced online security. Your business deserves Bitwarden. See for yourself. Get started today with Bitwarden's free trial of a Teams or Enterprise plan and, as always, it's open source, which means it is free for individual users, all devices, unlimited passwords, passkeys and hardware keys too. If you're an individual, it's a no-brainer. bitwarden.com/twit. I'm pitching the businesses too. It should be a no-brainer for you too. It's a great solution. bitwarden.com/twit. We thank them so much for supporting Security Now and supporting your security now. Now back to Steve with more security. Clearly the ones to use.
Oh yeah, you use it right.
0:38:28 - Steve Gibson
Every argument in favor of it, exactly. Thank you, Steve. Okay, so we have. I don't know if it's bad news, because I really do want this fight, but we have, so I won't say it's bad news. It's news.
On the governments versus enforceable privacy saga. Now Sweden's government has scheduled discussions next month of legislation to require communication providers to allow police and security services access to their message content. Not surprisingly, our friend Meredith Whittaker, Signal Foundation's president, immediately responded to this news, saying that Signal will pull out of Sweden if the government there passes such a surveillance bill. In an interview on Swedish national public television, SVT, she added that such a backdoor would undermine its entire network and users across the world, not just in Sweden, and, as we know, this is the second time Meredith has indicated that Signal would leave a country over its backdoor demands. In 2023, she threatened to leave the UK if the government mandated backdoors in its Online Safety Act, and we all know that these matters are far from settled and they need to be. That's, you know, it's one of the big things happening in cybersecurity today.
Now, not everyone, even in Sweden, is on the same page. The question is what happens with iMessage and Google Messenger? You know, Apple. As we know, Apple shutting down the enabling of new full end-to-end iCloud storage encryption by UK users is one thing, but what happens if Sweden mandates, as they apparently plan to, that all communications occurring within its borders be decryptable?
Just over a year ago, it was last February, when we covered Apple's announcement of their PQ3. That was, remember, post-quantum level 3. They created this kind of cockamamie leveling system where Signal they put at level two because level two didn't have perfect forward secrecy, and they were going to be enabling a dynamic rolling and rekeying of all messages, which gave them not only post-quantum technology but also so-called level three, which they just sort of created out of whole cloth. And thus they were claiming last February that it would be fully state-of-the-art encryption. Okay. So now Sweden says sorry about that, but we've just unilaterally enacted legislation to reverse, remove and restrict the privacy rights Swedish citizens have been enjoying with their use of iMessage.
You know, we're not going to allow anyone in Sweden to enjoy the benefit of that level of security, because, you know, it makes us nervous and it might be abused, even though everybody has it today and has always had it as long as iMessage has been around, right, because it's always been encrypted. So we know what Signal's going to do. They've made that very clear and they really have to follow through with the promise. Right, but what will Apple do? On this topic, I solicited some help from ChatGPT's o3-mini model.
0:43:13 - Leo Laporte
Okay, what will Apple do? Is that what you asked it?
0:43:15 - Steve Gibson
No, I worked with it to come up with a good acronym for this mess, and together we came up with one. Oh good. I present NOCRYPT, N-O-C-R-Y-P-T, which stands for Nationwide Outlawing of Cryptography, Restricting Your Privacy Too. Wow, that's a good acronym. Isn't that good?
0:43:41 - Leo Laporte
Wow, Congress should start using ChatGPT. That's very good.
0:43:47 - Steve Gibson
NOCRYPT, NOCRYPT.
Nationwide Outlawing of Cryptography, Restricting Your Privacy Too. So, Leo, I, you know, I hope Sweden goes forward with this. I want, you know, we need this resolved. We need, you know, because Apple, what are they going to do? They can't decrypt iMessage, I mean maybe. But wow, I mean that's bigger than saying, okay, well, we'll turn off, you know, full end-to-end encryption for iCloud so you can get, you know, if someone has got iCloud backup on, you'll be able to get into that. But saying we want all your communications decrypted, that's a direct strike, you know, at iMessage. What does Apple do? Wow, okay. Bybit
Aftermath, following up on last week's news of the largest ever cryptocurrency heist by North Korea. The short version is it looks like they're probably going to get away with it. I have an interconnection chart here in the show notes, here at the bottom of page five, which is from Chainalysis, which analyzes blockchains. It depicts the complexity of North Korea's laundering efforts so far. That's literally the movement of pieces of Ethereum between and among exchanges. As you know, taking, you know, every endpoint that is shown there is an intermediate address with token swaps and cross-chain movements that not only attempt to obscure the stolen funds, but also serve to demonstrate the far-reaching consequences of this exploit across the broader crypto ecosystem. Basically, everybody is feeling the effects of this as North Korea anonymously breaks this apart and tries to move it around. Chainalysis reports that a whopping 40 million of the 1.5 billion dollars have been recovered. So, you know, only another 1.46 billion dollars to go. Chainalysis wrote, is recorded on a public ledger, right? I mean, that's the whole concept of Bitcoin and blockchain and the various cryptocurrencies. Every transaction is recorded in a public ledger, which enables authorities, they wrote, and cybersecurity firms to trace and monitor the flow of illicit activities in real time.
Collaboration across the crypto ecosystem is paramount in combating these threats. The swift response from Bybit, including its assurance to cover customer losses and its engagement with blockchain forensic experts, exemplifies the industry's commitment to mutual support and resilience. By unifying resources and intelligence, the crypto community can strengthen its defenses against such sophisticated cyber attacks and work toward a more secure digital financial environment. And they finish: We're working with our global teams, customers and partners across both the public and private sectors to support multiple avenues for seizure and recovery in response to this attack. Already, we've worked with contacts in the industry to help freeze more than 42, actually it's 40. I wrote 40, later I saw it's 42 million. So freeze more than 42 million in funds stolen from Bybit and continue to collaborate with public and private sector organizations to seize as much as possible. We will continue to provide updates on this matter. So again, 40 million out of 1.4, 1.5 billion. Okay, that gives you a sense for how difficult it is, even though all of the transactions are public. Now, clearly, the North Koreans behind this were poised and ready, assuming they were going to get this windfall, to break it up in pieces and just scatter it to the four corners and then mix it up and move it around and break it down into pieces small enough that they wouldn't be individually obvious. So answers to the questions of how Bybit could have screwed up so much so as to lose that 1.4, 1.5 billion in Ethereum to North Korean hackers are beginning to trickle in.
What's been learned is that the intrusion into Bybit was less of their making than was originally reported. SafeWallet is a multi-sig wallet provider. So, first of all, who knew such a thing existed? Well, the Bybit guys did and they said, hey, there's this service that does multi-sig wallet provisions. We need that, let's use them. The new evidence reveals that the North Korean hackers initially hacked SafeWallet. The hackers injected, so it's one of those managed service provider sort of attacks where it's somebody you subcontracted some of your stuff to got hacked and that's what brought you down. Wow. Domain, which selectively targeted Bybit's smart contracts and multi-signature process. SafeWallet says it has now removed the code. One would hope. And also, in the meantime, the FBI has independently confirmed North Korea's involvement in the hack and linked it to a group that it tracks as TraderTraitor, which is also Lazarus.
Now, okay, this notion of a multi-sig wallet provider was news to me, so, being curious about this, I went over there. I went over to see what they were about and I got a kick out of this. You might do it, Leo, see if it's still up. I just Googled Safe Wallet and they've got curly braces around the name Wallet. I think it's probably just safewallet.com or something. Anyway, when I went to their homepage, I was greeted by an intercept which dimmed the entire screen and gave me a little pop-up which required that I click on "I understand". Yep, there it is. It says "Security notice". It said, due to recent security incidents, it is important to ALWAYS, in caps, verify transactions that you are approving on your signer wallet. If you can't verify it, don't sign it. And then it says more information on how to verify a Safe transaction can be found in the corresponding help center article, with an off-site link or off-page link, and then the big "I understand" button.
0:52:37 - Leo Laporte
So this wasn't there last week and you can't get through to the rest of the site until you understand.
0:52:43 - Steve Gibson
Yeah, that's right. So these guys are like, whoops, we got to do a little CYA here. So you click on that and then you're able to go through. Now, an abbreviated form of this message was repeated at the top of the page, behind that front page intercept.
Now, without digging into the weeds of all this, what we see is evidence of this newer trend. You know, broadly, this newer trend of assembling a working system from many various bits and pieces of services offered by others. You know, there's plenty of support for the concept of let's not reinvent the wheel, right. You know, the idea of allowing specialists to focus upon their specialty where they're able to add value. This is the modern-day equivalent of, you know, building apps from library components. And, of course, we've seen that this model can and has suffered from supply chain attacks. So it's not without a downside. In the same way that the managed service provider model caused a lot of cryptocurrency, I mean a lot of ransomware, to creep into the, I remember it was dental offices a few years ago that were across the board being hit with ransomware demands. Turns out they were all using the same dental services managed service provider, and that's how the bad guys got in. So now we've seen another example of a failure of the online service provider model. Given all the evidence we have now, I would tend to hold the Bybit guys less. I don't know if I would hold them completely harmless, but less responsible, because their network wasn't hacked. A service provider whose security they were relying on was hacked. They trusted in the security and integrity of a service whose entire job it was to provide exactly that trusted security, and that service let them down. You know, the very expensive breach more lies at the feet of the SafeWallet service provider whose network was infiltrated and then was used to perpetrate this one and a half billion dollar heist. So still, ouch.
Meanwhile, and this page you're going to want to look at, Leo, LazarusBounty.com. Actually it's a shortcut of the week, so it's easy to get to: grc.sc/0, I'm sorry, 1015. It's today's episode number, grc.sc/1015. This is a very cool page. As I noted last week, the Bybit guys know how to motivate the Internet's bounty hunters, not that it looks like it's actually going to make much difference, but, you know, as we said, they're offering them a 10% instant payout bounty for the recovery of any of the stolen coinage. They named this the Lazarus Bounty after the infamous North Korean gang who, as I noted, the United States FBI and others have independently confirmed was behind the theft. The Bybit guys quickly created a bounty leaderboard and payout tracking website to manage this bounty. That's, as I said, this week's shortcut of the week, so anybody can get to it by going to grc.sc/1015, which is today's episode number.
As of Sunday evening, the evening before last, when I was writing this page, the total available bounty is $140,000. So that's 10% of the estimated $1.4 billion that was stolen and, as I noted before, the range varies between $1.4 and $1.5 billion due to fluctuations in the price of Ethereum. The total aggregate awarded so far of that available $140,000 is $4,286. So, you know, 4.2k, a little over $4,000. And that's spread across 17 bounty recipients, but the largest of those is some guy who managed to find and lock down $42 million. So that's the 42 million that I mentioned earlier that the Chainalysis guys talked about.
So what's clear is that the 1.5 billion, 1.4, 1.5 billion, was almost too much value to launder in order to keep its subsequent laundering sub-transactions from being suspicious. I mean, it was a lot of money to hide in a public ledger system, which is what all of the cryptocurrencies are. That $1.5 billion needed to be broken into a huge number of much smaller transactions, much smaller amounts, and then spread out into many wallets and then rapidly moved, broken, reassembled and further mixed.
Last week I described the process as something of a shell game, and I think that's a pretty good analogy. And at this point, what are we, maybe 10 days downstream, and we only have one guy who has managed to, you know, snag 42 million of the 1.4 billion. As the detectives say, the trail is growing colder with each passing day, so it's looking like those proceeds, very few of them are going to find their way back home. So it'll be interesting, though. This Lazarus Bounty site, grc.sc/1015, it's got some animated graphics and it's kind of fun to create a leaderboard of the recovery effort, but it's looking.
0:59:33 - Leo Laporte
There's only one player, you're not really gonna have much of a leaderboard. Yeah, well, exactly. There are 17 bounty hunters that are listed there.
0:59:44 - Steve Gibson
Last time I checked, a couple of days ago, but still, most of them are just not finding much at all. So it's looking like the bad guys are going to largely get away with this, and we should talk about a good guy, Leo, who's our sponsor. What? Funny.
1:00:01 - Leo Laporte
You should mention that. You're so kind.
1:00:06 - Steve Gibson
Thank you, Steve. Then we're going to talk about Mozilla's commitment to manifest V2.
1:00:11 - Leo Laporte
Oh good, there's a lot of concern about it because Chrome just pushed out the update, the V3 update. No more uBlock Origin for Chrome. I'm going to try not using uBlock Origin and just using, I have NextDNS. It has most of the same filters available to it, so I think, like a Pi-hole or some other way of doing it, not on the machine but on the more centralized, might be sufficient. We'll see.
1:00:40 - Steve Gibson
It was interesting to hear Andy talk about it. He updated Chrome, uBlock Origin shut down and he said, oh my God, I can't surf the web. I mean, it was, you know, for him he experienced a night and day difference without uBlock Origin.
1:00:56 - Leo Laporte
If it isn't working right. So I'm going to set it up. I'm going to remove uBlock Origin and I have NextDNS filtering everything. Anyway, we'll see how well it does on all that garbage. Wow, not that ads are a terrible thing.
1:01:18 - Steve Gibson
Many of our advertisers and, as Andy said, it was the ads that cover up half the page.
1:01:25 - Leo Laporte
It's the intrusive, obnoxious, yes, the really obnoxious ads. No, sorry. Plus, there's security issues associated with all this stuff.
1:01:33 - Steve Gibson
We all get to run a script.
1:01:34 - Leo Laporte
Yeah, you will block a lot of those scripts and so forth. I've been using this for years. It's going to be interesting to see the web without it. I'll let you know.
Meanwhile, let's talk about Veeam, our sponsor for this segment of Security Now. V-E-E-A-M. You know, there are a lot of assets your business has, but I think the most valuable asset is your data, right, and that includes your emails. It includes your customer lists, it includes proprietary designs. That's all data. These days, that's the most important thing most companies have, and without your data, your customers' trust turns to digital dust. That's why you need Veeam.
Veeam's data protection and ransomware recovery, if those are two words that should get your ears perked up. Veeam's data protection and ransomware recovery ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. As we learned last week, in some cases it's illegal to pay ransomware gangs. You don't want to do that. Wouldn't it be better if you could restore your data and be done with it? That's what Veeam does. It's the number one global market leader in data resilience, trusted by over 77% of the Fortune 500. I should really emphasize that. More than three quarters of the Fortune 500 uses Veeam to keep their businesses running when digital disruptions like ransomware strike.
That should tell you something. It's because Veeam lets you back up and recover your data instantly, and it's across your entire cloud ecosystem, wherever that data lives. In fact, in many cases, you won't even have to worry, because Veeam will proactively detect malicious activity. And then it also helps you do something you probably should be doing anyway, which is automating your recovery plans and policies. You are prepared. You do have a recovery plan, right? Get real-time support from ransomware recovery experts should the worst happen. You are not alone with Veeam. Veeam. Data is the lifeblood of your business. Get data resilient with Veeam. V-E-E-A-M. Go to Veeam.com to learn more. Honestly, Veeam, why aren't you using Veeam? That's really the question. Veeam.com. We thank them for supporting Steve and the great work he v2, which forced the full-strength uBlock Origin to finally and fully leave the Chrome Web Store.
1:04:40 - Steve Gibson
And of course we knew that. Gorhill, you know, he said I'm not going to screw around with this anymore, I'm not going to try to, you know, keep uBlock Origin here. I'm just saying no. Mozilla took the opportunity to reaffirm, yay, their commitment to remaining V2 compatible with their blog posting titled "Mozilla's Approach to Manifest V3: What's different and why it matters for extension users". After some prologue about the role and importance of browser extensions, they explained, right now, all major browsers, including Firefox, Chrome and Safari, are implementing the latest version of this platform, Manifest V3. But different browsers are taking different approaches and those differences affect which extensions you can use.
Principle 5 of the Mozilla Manifesto states, quote, individuals must have the ability to shape the internet and their own experiences on it. That philosophy drives our approach to Manifest V3, they said. First, more creative possibilities for developers. We've introduced a broader range of APIs, including new API functionality that allows extensions to run offline machine learning tasks directly in the browser. Second, support for both Manifest V2 and V3. They said, while some browsers are phasing out Manifest V2 entirely, Firefox is keeping it alongside Manifest V3. More tools for developers means more choice and innovation for users. I'll just note that, you know, Mozilla adding some functionality for running offline machine learning tasks, nobody cares. No, nobody cares about Firefox spinning off some API that Chrome doesn't also support. So good luck with that. But, you know, we need Firefox to remain Chromium compatible so that it can display all the web pages that Chrome can. Anyway, they said, Mozilla said, giving people choice and control on the Internet has always been core to Mozilla. It's all about making sure users have the freedom to shape their own experiences online.
Google began phasing out Manifest V2 last year and plans to end support for extensions built on it by mid-2025. That came a little early, but that's, you know, that's now. That change has real consequences. Chrome users are already losing access to uBlock Origin, which I thought was interesting. Mozilla called it out by name. That is, you know, there are many extensions that are dependent upon Manifest V2 features. uBlock Origin is famous. They said, uBlock Origin, one of the most popular ad blockers, because it relies on a Manifest V2 feature called blockingWebRequest. Google's approach replaces blockingWebRequest with declarativeNetRequest, which limits how extensions can filter content. And, for anyone who is interested, we've gone into this in detail in the past, looking at exactly what these two APIs do and how they differ, and why V3 support without V2 is a problem too. Mozilla said, since APIs define what extensions can and cannot do inside a browser, restricting certain APIs can limit what types of extensions are possible. Firefox will continue supporting both blockingWebRequest and declarativeNetRequest, giving developers more flexibility and keeping powerful privacy tools available to users. In other words, a superset of either of those, of either of the manifests. So we pretty much knew this was what Mozilla had planned, but it's nice to have their intent made very clear, and with the internet becoming ever more important and websites, unfortunately, ever more insistent upon monetizing our presence there, it's increasingly important to have a tool like uBlock Origin that's able to return to us some modicum of control.
Okay, now, as I said, we're going to talk about memory-safe languages, and this would have been our main topic were it not for me stumbling upon this incredibly cool technology that we will get to at the end. So let's talk about this.
The ACM is the Association for Computing Machinery. Its founding in, get this, 1947, when, you know, computing machinery was an abacus, makes it not only the world's largest scientific and educational computing society, but also the oldest. It's a nonprofit professional membership group with nearly 110,000 student and professional members, based in New York City. It publishes over 50 journals, including the prestigious Journal of the ACM, and two general magazines for computer professionals, the Communications of the ACM, also known as just Communications or CACM. The ACM's motto is Advancing Computing as a Science and Profession.
The February issue of the Communications of the ACM, in its Security and Privacy section, contained an article titled "It is time to standardize principles and practices for software memory safety". The article was co-authored by 21 professionals spanning academia and industry, and I mean Google and Microsoft and, like, everybody. It was a who's who of contributing authors, everybody having expertise in memory safety research, deployment and policy. In it they argue that standardization is an essential next step to achieving universal strong memory safety. Okay, and I'm just going to share the introduction of this very long, detailed and well-thought-out editorial they wrote.
For many decades, endemic memory safety vulnerabilities in software trusted computing bases (TCBs is an acronym they use, Trusted Computing Bases) have enabled the spread of malware and devastating targeted attacks on critical infrastructure, national security targets, companies and individuals around the world. Again, endemic memory safety vulnerabilities in software. During the last two years, the information technology industry has seen increasing calls for the adoption of memory safety technologies. These have been framed as part of a broader initiative for secure by design from government, academia and within the industry itself. These calls are grounded in extensive evidence that memory safety vulnerabilities have persistently made up the majority of critical security vulnerabilities over multiple decades and have affected all mainstream software ecosystems and products, and also the growing awareness that these problems are mostly entirely avoidable by using recent advances in strong and scalable memory safety technology.
In this Inside Risks column, we explore memory safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry and, in turn, to ensure access to more secure software for all. During the last two decades, a set of research technologies for strong memory safety, memory-safe languages, hardware and software protection, formal approaches and software compartmentalization, have reached sufficient maturity to see early deployment in security-critical use cases. However, there remains no shared technology-neutral terminology or framework with which to specify memory safety requirements. This is needed to enable reliable specification, design, implementation, auditing and procurement of strongly memory-safe systems. Failure to speak in a common language makes it difficult to understand the possibilities or communicate accurately with each other, limiting perceived benefits and hence actual demand. The lack of such a framework also acts as an impediment to potential future policy interventions and to stating requirements to address observed market failures preventing adoption of these technologies. Standardization will also play a critical role in improving industrial best practice, another key aspect of adoption. Finally, this Inside Risks column is derived from a longer technical report published by the same authors, which includes further case studies and applications, as well as considering the potential implications of various events and interventions on potential candidate adoption timelines.
Okay, now, whoa, you know, like bureaucratic overload, but it's also easy to read between the lines here, what's being said, and understand, like, these are the common and universally agreed upon framework and terminology, like, and that the government and private commercial sector purchasers of next generation network and security technology will have some actionable means for specifying in their requests for quotes, bids and purchasing contracts that every component of the system has been developed in and is using only memory-safe language technologies. In other words, this is coming. The writing is on the wall, and what that writing says is that the time is now for anyone who may have ambitions to sell their future products to government or large enterprises to begin the process of rewriting those products from scratch in approved memory-safe languages. I can 100% guarantee that future purchasing requirements documents will be specifying that only appliances that have been written in pure memory-safe languages will be considered for purchase, and that if any problem should later occur and it turn out that the proximate cause of the trouble was the use of non-memory-safe languages, the supplier will be held responsible for the damages due to their having made substantial fraudulent misrepresentations. Wow, that's what's going to happen. This is the responsibility pipeline. So there is a great website, memorysafety.org, created by the ISRG, the Internet Safety Research Group.
They explained. They said, our first goal is to move the Internet's security-sensitive software infrastructure to memory-safe code. Many of the most critical software vulnerabilities are memory safety issues and, Leo, this is your favorite term, buffer overflow. Oh yeah, baby. Memory safety issues in C and C++ code, including fuzzing and static analysis. Such mitigations do not eliminate the risk and they consume a lot of resources on an ongoing basis. Using memory-safe languages eliminates the entire class of issues. We recognize the amount of work it will take to move significant portions of the Internet's C and C++ software infrastructure to memory-safe code, which, in other words, is rewriting what we already have. They said, but the Internet will be around for a long time. There is time for ambitious efforts to pay off. By being smart about our initial investments, focusing on the most critical components, we can start seeing significant returns within one to two years.
Our second goal is to change the way people think about memory safety. Today, it's considered perfectly normal and acceptable to deploy software written in languages that are not memory safe, like C and C++, on a network edge, despite the overwhelming evidence for how dangerous this is. Our hope is that we can get people to fully recognize the risk and view memory safety as a requirement for software in security-sensitive roles. Okay, now, this effort is called PROSSIMO, P-R-O-S-S-I-M-O, and it's being funded by contributions from Google, AWS, Cisco, the Sovereign Tech Fund, Craig Newmark Philanthropies, philanthropies, there we go, that's the word, Philanthropies.
1:20:50 - Leo Laporte
Yes, Chainguard, Cloudflare, Shopify and others, all the good guys. This is good.
1:20:56 - Steve Gibson
Yes, it is really, really good. Their current initiatives include, get this, an implementation of TLS, that is, you know, the transport layer security, the security we all rely on, an implementation of TLS in Rust, the Rust language, where they say let's get the Rust TLS library ready to replace OpenSSL in as many projects as possible. Of the Linux project they write, let's make it possible to write memory-safe drivers for the Linux kernel. There's a project called Hickory which will be a memory-safe, high-performance, fully recursive DNS resolver, and that one is nearly ready for prime time. There is an AV1 project to create a fully memory-safe AV1 decoder to deliver great performance. There's a project to develop a high-performance, memory-safe zlib compression library. Of their sudo project they say, let's make the utilities that mediate privileges safer. So they're literally going to rewrite sudo in a memory-safe language. And they have similar initiatives for NTP, Apache, curl and various other tools.
1:22:25 - Leo Laporte
So if the future, is it always Rust, though? No, okay, no.
1:22:31 - Steve Gibson
In fact, that's exactly where I'm heading here, Leo. Good, okay. If the future is memory-safe languages, which ones are those?
Yeah, the memorysafety.org site has a page asking and answering, what is memory safety? What I appreciated was that they perfectly summarized this in just two sentences. They wrote, Memory safety is a property of some programming languages that prevents programmers from introducing certain types of bugs related to how memory is used. That's the first sentence. Second sentence: Since memory safety bugs are often security issues, memory safe languages are more secure than languages that are not memory safe. That's it, plain and simple. Memory safe languages are more secure, and so why wouldn't industry begin saying, oh well, then, that's what we want? That's what's going to happen. Could not be more clearly and succinctly stated: memory safe languages are more secure. Okay, so what languages? That page continues with their answer and explanation, writing, memory-safe languages include Rust, Go, C#, Java, Swift, Python and JavaScript. Python memory-safe?
Is it really? Yeah.
1:24:06 - Leo Laporte
Okay, because you don't get pointers, that's right. Yeah, no, that's right.
1:24:12 - Steve Gibson
No pointers means yeah, okay, that's fair.
1:24:14 - Leo Laporte
Yeah, they said languages that are not memory safe include C, C++ and assembly. Yeah, because you can do anything you want in assembly. Oh baby, no guardrails, no guardrails. If you're writing assembly, it's on you, man.
1:24:30 - Steve Gibson
So they said, to begin understanding memory safety bugs, we'll consider the example of an application that maintains to-do lists for many users. We'll look at a couple of the most common types of memory safety errors that can occur in programs that are not memory safe. So the first is out-of-bounds reads and writes, also known as, Leo? Memory buffer overflows. Yes sir, yes sir. They said, if we have a to-do list with 10 items and we ask for the 11th item, what should happen? Clearly, we should receive an error of some sort.
We should also get an error if we ask for the negative first item. Under these circumstances, a language that is not memory safe may allow a programmer to read whatever memory contents happen to exist before or after the valid contents of the list. This is called an out-of-bounds read. The memory before the first item of a list might be the last item of someone else's list. The memory after the last item of a list might be the first item of someone else's list. Accessing this memory would be a severe security vulnerability. Programmers can prevent out-of-bounds reads by diligently checking the index of the item they're asking for against the length of the list. But programmers make mistakes. It's better to use a memory-safe language that protects you and your users from this class of bugs by default. Yes, in a memory-safe language we will get an error at compile time or a crash at runtime. Crashing the program may be severe, but it's better than letting users steal each other's data. A closely related vulnerability is an out-of-bounds write. In this case, imagine we tried to change the 11th or negative first item in our to-do list. Now we'd be changing someone else's to-do list. And then the second class is use after free. Imagine we delete a to-do list and then later request the first item of that list. Clearly we should receive an error, as we should not be able to get items from a deleted list. Languages that are not memory safe allow programs to fetch memory that they've said they are done with and that may now be used for something else. The location in memory may now contain someone else's to-do list. This is called a use-after-free vulnerability.
And finally, how common are memory safety vulnerabilities? Okay, they said, in a word, extremely. They said a recent study found that 60 to 70% of vulnerabilities in iOS and macOS are memory safety vulnerabilities. Microsoft estimates that 70% of all vulnerabilities in their products over the last decade have been memory safety issues. Google estimated that 90% of Android vulnerabilities are memory safety issues.
An analysis of zero-days that were discovered being exploited in the wild found that more than 80% of the exploited vulnerabilities were memory safety issues. The Slammer worm from 2003 was a buffer overflow, an out-of-bounds write. So was WannaCry, an out-of-bounds write. The Trident exploit against iPhones used three different memory safety vulnerabilities, two use-after-frees and an out-of-bounds read. Heartbleed was a memory safety problem, an out-of-bounds read. Stagefright on Android, two out-of-bounds writes. The GHOST vulnerability in glibc, you betcha, an out-of-bounds write. These vulnerabilities and exploits, and many others, are made possible because C and C++ are not memory safe. Organizations which write large amounts of C and C++ inevitably produce large numbers of vulnerabilities that can be directly attributed to a lack of memory safety. These vulnerabilities are exploited to the peril of hospitals, human rights dissidents and health policy experts. Using C and C++ is bad for society, bad for your reputation. It's bad for your customers.
1:29:48 - Leo Laporte
It's bad for your brain. In other words, it is bad.
1:29:52 - Steve Gibson
It's bad. Okay, now there's just a little more that I think is worth sharing. They asked, what other problems are associated with languages that are not memory safe? They said languages that are not memory safe also negatively impact stability, developer productivity and application performance. Because languages that are not memory safe tend to allow for more bugs and crashes, application stability can be greatly impacted. Even when crashes are not security sensitive, they are still a very poor experience for users. Worse, these bugs can be incredibly difficult for developers to track down.
Memory corruption can often cause crashes to occur very far from where the bug actually is. When multi-threading is involved, additional bugs can be triggered by slight differences in which thread runs, leading to even more difficult to reproduce bugs. The result is that developers often need to stare at crash reports for hours in order to ascertain the cause of a memory corruption bug. These bugs can remain unfixed for months, with developers absolutely convinced a bug exists but having no idea of how to make progress on uncovering its cause and fixing it. Finally, there's performance. In decades past, one could rely on CPUs getting significantly faster every year or two. This is no longer the case. Instead, CPUs now come with more cores. To take advantage of additional cores, developers are tasked with writing multi-threaded code. Unfortunately, multi-threading exacerbates the problems associated with a lack of memory safety. As a result, efforts to take advantage of multi-core CPUs are often intractable in C and C++.
For example, Mozilla had multiple failed attempts to introduce multi-threading into Firefox's C++ CSS subsystem before finally successfully rewriting the system in multi-threaded Rust. So what's the right path forward, they ask. Use memory-safe languages. There are lots of great ones to choose from. Writing an operating system or kernel or web browser? Consider Rust. Building for iOS and macOS? Swift's got you covered. Network server? Go is a fine choice, and those are just a few examples, they write. There are many other excellent memory safe languages to choose among and many other wonderful use case pairings.
1:32:55 - Leo Laporte
And I might mention Common Lisp is memory safe. Racket is memory safe. Most Schemes and Lisps, in fact all Schemes and Lisps to my knowledge, are memory safe.
1:33:02 - Steve Gibson
I just want to throw that in. Yes, and if you enjoy pounding your head against the wall?
1:33:07 - Leo Laporte
If you like parentheses, you'll love it, if you don't mind.
1:33:12 - Steve Gibson
You know, basically, um, if you like parentheses, you'll love it. If you don't mind basically updating the printing on the keycaps.
1:33:21 - Leo Laporte
It's not APL, it's not that bad.
1:33:24 - Steve Gibson
For shift nine and shift zero. You will wear out the legend on your open and close parentheses keys.
1:33:34 - Leo Laporte
Well, that's a good point, yeah.
1:33:35 - Steve Gibson
Yeah, anyway, I wanted to take some time to share this here because I know from the feedback I receive from our listeners that we've got listeners who are wondering about their own paths forward. The points about application stability mean that memory safe languages are not only more secure, they are clearly, I mean, no one could doubt that, they're also inherently more stable. They're easier to debug and easier to maintain when they're used to create solutions and products. We all know that my own native programming language is assembler, which is essentially the machine's native language, right, with absolutely no guardrails. No guardrails. It would be really interesting to talk to some other truly hardcore coders who are as fluent with assembler as I am, because my actual feeling is that C and C++ are dramatically more dangerous than raw assembler itself. This is because C's entire design goal, its original design goal, was to be as absolutely low level as possible and just barely enough above the actual machine so as to obtain machine independence. That was what its designers wanted. That's how they designed the language. The result is that the C compiler may not do what its programmer expects. In a way, I think this makes C far more dangerous than assembler, where there is no middleman to mess things up. You know, I am writing to the machine, it does exactly what I tell it to.
And, Leo, I did put a little cartoon here at the top of, appropriately, page 13 in the show notes. Uh, we have, uh, in this cartoon sort of a programmer, schlubby looking guy. He's at the pearly gates and St. Peter is looking at his laptop, and the cartoon shows St. Peter saying, says here you should be in hell, but since you coded in assembly, we'll count it as time served. Yeah, so, yeah, anyway, it would be interesting to see whether other assembly language tends to be far more bug-free than the code that other coders typically produce and that we encounter written in high-level languages. So I don't know. The significant takeaway here, however, should not be that you program in assembler. I'm not suggesting that.
1:36:50 - Leo Laporte
No, please don't.
1:36:52 - Steve Gibson
He's a trained professional, folks. Leo has Lisp and I have Assembler, and we don't recommend that anybody use either of those. I think it should be a recognition that the only thing that's keeping unsafe and net productivity ineffective languages like C and C++ going today is inertia. Every listener of this podcast is well aware of what a powerful force inertia can be. We might even label it the main governing force. I think it's like, I think inertia is the universal force, and you know I'm in its grip myself. Right, I am never dropping my use of assembly language, but I'll be 70 years old in about three weeks, so I am far closer to being done than I am to starting out.
My serious advice to anyone who is closer to starting out would be to seriously consider grabbing a development environment for Rust or Go or Swift or Python and spend some time becoming very comfortable with one or more of those next generation memory safe languages. Java is also very strong for internal enterprise development, and a huge amount of code that's written is not aimed out to the rest of the world, but it's used inside the enterprise. Those are very nice, safe jobs if you can land one. You know, there really has been a change here, so I think that you'll want to, you know, increase your possibilities. Add comfort in some of those languages to your resume. I think it would be a net boon.
1:38:52 - Leo Laporte
And, on that note, I agree a hundred percent. Yeah, yep, it's amazing that people are still using C and C++. I mean, look, I love C. C is a beautiful, fun language. It probably gives me the same thrill that using assembler does for you. Pointers and pointers to pointers and pointers to pointers to pointers.
Boy, can you get yourself tangled up. Yes, just malloc some memory and go. But uh, yeah, it's, you know, just the thing is, if somebody is really writing in assembly and writing serious assembler code, they are so deeply enmeshed in what's going on they're not going to put a pointer to a, to an empty buffer. They don't even have arrays, right? Yeah, so it's just not going to come up, because you know what you're doing. You're in there with the hardware.
1:39:42 - Steve Gibson
The problem is C makes it too easy. Frankly, yes, it allows somebody who should not be running with scissors.
1:39:50 - Leo Laporte
Right To run with scissors.
1:39:52 - Steve Gibson
To run with scissors, exactly.
1:39:55 - Leo Laporte
All right, we're going to take a break. Come back, more to come. I'm dying to know what the title of this show is and what it possibly could possibly mean. We will find out soon, folks, we will. But first a word from ThreatLocker. I love these guys. They just had their, uh, Zero Trust World conference. I wonder how it went. Um, who went there? Some, oh, the Untitled Linux Show. Jonathan Bennett went. I'm gonna have to ask Jonathan how it went. Fascinating stuff.
What is ThreatLocker? It's the easiest, simplest way to do zero trust affordably, to harden your security with ThreatLocker and never have to worry about zero-day exploits or supply chain attacks again. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. I'm really glad. Like memory-safe languages, the concept of zero trust has really spread now and people get it, and they know why it's such a good thing.
Imagine taking a proactive, here's the three key words now, deny by default approach to cybersecurity. Blocking every action, every process, every user unless authorized by your team. That's in a nutshell what zero trust is. Thing is, ThreatLocker is the most affordable, easiest way to implement it, and you'll like this. It gives you a full audit of every action, which gives you two things. First of all, risk management, because if something happened with an app, you know who was using it. You know exactly who was using it and who wasn't using it, right? It's also great for compliance, because you have an audit trail. You have a complete audit trail for every action taken. Plus, ThreatLocker has a very, very good, 24-7 US-based support team. They are there to get you on board, but also beyond. They're really, really smart, really useful. In fact, I would encourage you to take advantage of them.
This is all about stopping the exploitation of trusted applications within your organization. It's about keeping your business secure, protected from ransomware. Organizations across any industry can benefit from ThreatLocker's ring fencing. What it does is isolate critical and trusted applications from unintended users and uses or weaponization. It limits attackers' lateral movement within the network because they can't access what they're not authorized to access, which, for an attacker, is everything.
Oh, great, here. This is good news too. ThreatLocker works for Macs. So, on your heterogeneous network, you're golden. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively. I was blown away when I checked the prices. Very affordably, with ThreatLocker's Zero Trust Endpoint Protection Platform. Visit ThreatLocker.com. Get a free 30-day trial. Can't go lower than that, free, right? And learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at the same time. A really great solution. And when you get to the website, look at the people who use ThreatLocker. That'll give you some idea. ThreatLocker.com. We thank them so much for supporting Steve Gibson and for giving all of us an easy way to implement zero trust. Okay, Steve-arino, what is all of this stuff you're?
1:43:16 - Steve Gibson
talking about here. Just a quick note that the Australian government has now banned the use of Kaspersky products on government systems. Yep, all Australian government agencies must uninstall any existing Kaspersky software by April Fool's Day, April 1st. Government officials said that the software poses an unacceptable security risk to Australian government networks, opening it to foreign interference, espionage and sabotage. As we know, it's not fair. There's been no credible evidence shown of any wrongdoing on Kaspersky's part, and they remain valuable contributors to global security. But they're Russian, so they're being painted with the same broad brush, and while it may not be fair, it is understandable, and you know it. It could be that they get subverted or be made to do bad things, and you know, it's creepy, I understand, so, but it's still sad. Okay, so from reporting by Forbes that was picked up by ZDNet and pretty much everyone else, Google's Gmail will be dropping their historical use of less than super secure six-digit SMS-transmitted codes for being used as a multi-factor authentication factor, replacing them with QR codes. So, rather than asking a user to enter a code received via text message, users wishing to log in will be presented with a QR code which they'll be asked to scan with their phone. Okay, but it's unclear to me. I mean, that's all we were told, that's all we've heard, and it's unclear to me how this would work exactly. The original text messaging solution relied upon users having their phone number pre-registered with their account, so their ability to receive a random code at that phone number was meant to serve as proof of their control over that pre-registered phone number and, by extension, the handset that number is currently associated with.
In the parlance of multi-factor authentication, this would add an additional factor the something you have factor tocommunication systems are not secure in the face of outright hacking or various SIM swapping schemes that can and have been used to intercept text messages in the past. But, as I said, what's unclear to me is how presenting the user with a QR code solves the problem.
The reporting on this says that using a QR code prevents someone from being tricked into revealing the six-digit code they've just received, like some sort of a phishing attack. Okay, so that on-screen QR code, which nobody can read, presumably contains a web page link with a bunch of crypto crap in its URL. You know, that's very fancy, but it's unclear what prevents a bad guy who's trying to log in from receiving that QR code themselves and then scanning it with their phone. You know, what makes it any more secure? You know, thinking that I must be missing something, I checked around and I found that, A, this is such big news that everyone else is reporting it too. That, B, everyone is just repeating the same information from the one Forbes guy. And that, C, the very few people who have stopped to ask exactly how this would work have the same questions I have.
You know, just waving our arms around and saying QR codes instead of SMS codes does not a secure login protocol make? Many sites are screaming that having Gmail using QR codes makes the situation worse, since users cannot natively read QR codes so they could be used to get up to all manner of mischief. But stepping back from the hysteria over all this, for a user to authenticate securely with an additional physical factor, that physical factor must be something that an attacker cannot also have. This is what made secure physical tokens. You know the little dongles. You know the go-to solution when maximum security was required. But a generic smartphone doesn't fill that bill.
The only way I can see this working would be for future Gmail users to also have some sort of synchronized Gmail authentication app running in their smartphones. That application would receive the QR code to close the authentication loop. And yes, I know that does sound suspiciously like the technology I originally developed and documented and demonstrated in Sweden and in Ireland and here on TWiT many years ago. The SQRL technology essentially created a physical software token in its user's phone, using a QR code to close the loop. So it'll be interesting to see if Google follows in SQRL's footsteps in that regard too. And you know what they say about imitation and flattery. Well, there may be some flattery coming my way, who knows. I can't see how Google does this without adding an app in the user's phone, and you know, that's what I did with SQRL.
Listener of ours, Matthias DeWolf, is about to hear me share the experience he wrote to us about after purchasing his first copy of Spinrite. In desperation he gave his email the subject line, Success Story, Level 3, Dead Kingston SSD, and he started off writing, I own a portable Kingston XS2000 USB-C 4TB drive to store my backups. He included a link in the email, which I have in the show notes for anyone who may be interested, and I was surprised by the small size of the drive's package. It is a lovely little drive. It's like, if anybody remembers matchbooks, uh, or a matchbox, Matchbox cars, yes, matchboxes.
It is just a cute little thing. It's available in 500 gig, two and four terabyte capacities, and, as might be expected, the four terabyte version is a little pricey. It can be purchased online for less than this. I would imagine that it could be purchased for less than the suggested retail, but Kingston's site lists the four terabyte drive at £272.88, which is about 350 US dollars at the moment.
1:51:19 - Leo Laporte
Oh, that's a little pricey yeah.
1:51:20 - Steve Gibson
You know. So my point is, when a little drive like this dies, for $350, it's not something you want to give up on, and die it had. Oh boy. He explained, he said, I configured the drive with two partitions, two terabytes for Linux, and he says LUKS encrypted ext4, and two terabytes for Windows NTFS and BitLocker To Go. So this is a techie listener of ours.
He said the drive recently started throwing nasty errors when trying to read files from it. I first noticed issues when I was working on the Linux partition. While copying a file, the copy operation stalled and the drive completely disappeared from the operating system. And he said, parens, HP Omen laptop running Ubuntu 24.04 Cinnamon. And then he said, see messages output at the bottom of the email.
He said, at first I thought it was perhaps a USB bus error or a bad cable, but the issue persisted and I started seeing file copy errors with Explorer hangs and USB disconnects on my Windows 11 OS while working on the Windows partition. I got really worried and started investigating. I could reproduce the errors on several laptops and different USB cables and ports, he said, one by one, keeping track of the ones that killed the drive. He said, I knew of the existence of GRC.com, ShieldsUP and Spinrite since somewhere in the 90s, and I started listening to the Security Now podcast about a year ago because I started running and got really bored while running for hours.
1:53:31 - Leo Laporte
By the way, $150 on Amazon so much better.
1:53:35 - Steve Gibson
Wait, wait, wait, wait For the four terabyte one, oh four.
1:53:37 - Leo Laporte
That's for two terabytes. I don't see the four on this, so maybe they don't offer that in the US. But two for $150 is not bad. Who needs four, yeah?
1:53:46 - Steve Gibson
And it's a beautiful little thing, it's cute, yeah. Yeah, he said, and during the long runs I also heard your stories about the positive effect of Spinrite level three runs on the consequences of the read disturb problem that affects SSDs. I put one and one together and suspected this drive might contain a controller that handles the tough, slow reads badly and dies. And it turns out he was exactly right. And he said, side note, I never had the need for Spinrite. I was always able to recover my data using open source Linux tools, and believe me, I've done a lot of recovery.
1:54:29 - Leo Laporte
Here's the four terabyte, $269. So it's a little more expensive. Yeah, okay, sorry, didn't mean that.
1:54:36 - Steve Gibson
He said I've done a lot of recovery. Don't tell anyone that you know a thing or two about computers.
They will find you, they will find you with their unreadable disks or NAS appliances. Oh boy. And he said, but as I lost access to the disk with other tools, I bought a copy of Spinrite, he said. I figured it was also a way to support your work. So I went ahead and ran Spinrite against the Kingston drive. Level two reads also killed the disk and made it go offline. Repeated runs killed it every time at the same percentage and more or less the same sector.
And he actually took a picture of his screen, which I have in the show notes just for anyone who's curious. It's a screen I am well familiar with, as are many of our early testers of Spinrite. It says, this drive has just taken itself offline. The drive is now returning device fault status. It must be power cycled, shut down and restarted, to clear this condition and perhaps resume operation. Device fault occurs when a drive encounters an exceptional condition from which it cannot recover. This could be transient or permanent, and it might only occur when Spinrite is working on a specific sector or region of the drive. It may be possible to resume Spinrite past this sector or region. Unfortunately, Spinrite cannot do this on its own, since when this occurs, power cycling is required. And this shows the location where this trouble occurred was at 1.8198 percent, right at the beginning, 81800167.
So yeah, right at the, you know, at the start of the drive, he said. He said, so I moved on and tested a partial level three. I interrupted it at one percent to see if the level two read would make it further on the disk afterwards. And behold, it did. It did. This time the level two read died right after the one percent of data I rewrote using the level three scan, meaning that it used to die sooner. But he ran level three up to one percent, and now level two was able to read up to the point where he stopped level three, meaning up to the point where level three stopped repairing the drive. He said, so I let it run for three days across the full four terabyte disk. The drive was rewritten completely and no errors were found during the level three scan. I was able to read all my files afterwards, both on Linux and Windows. I am amazed and still trying to understand what your tool is doing differently. I suspect it might be something in the read-a-sector, write-the-same-sector logic and the lower speed it does it at. He said,
I'm also starting to hate SSD technology more and more. Its only advantage is speed, but the industry has done so many bad things and compromised to try to reduce the cost. I had my fair share of troubling SSD issues. The most memorable one is probably my bug report to Kingston about their SV100S2 drives. It took me six months to convince them. Their SSD died after 126 days of uptime after a cold boot. It took them a long time to believe me and then discover a 32-bit overflow in the SSD controller firmware. His email provided a link to a Kingston release notes PDF, where he quotes it saying, quote, resolves an issue where the drive becomes unresponsive after continuous usage for 2,982 hours and 37 minutes without power cycle. They said, issue does not occur if drive is power cycled prior to the 2,982 hour limit. And his note concludes, in any case,
He said, I owe you a beer or two. Kind regards, Matthias. Very nice. So I have a couple of thoughts. First of all, Matthias, I consider our books completely balanced here. You owe me nothing, though I'd be glad to share a beer. You purchased a copy of Spinrite, which does indeed allow me to afford to keep GRC on the air and to keep various GRC products alive and moving forward. The revenue from the sales of my software also serves to remind my wonderful wife that I'm not completely insane to be spending the majority of my time working on software. You know, that was the deal we made when we met. She knew what she was in for, but a bit of positive reinforcement goes a long way. How?
2:00:05 - Leo Laporte
did you bring that up? So say, honey, I may disappear four hours at a time from time to time, but I'm just writing software, I'm not nuts and when I come back my eyes may be a little glazed. I may be kind of walking into walls. That's because my mind is elsewhere.
2:00:27 - Steve Gibson
And I'll be more open to you wanting to reupholster everything because I will have made some money. Oh, good, okay.
2:00:34 - Leo Laporte
Is she reupholstering everything? No, oh good, just as an example. Yes, sorry, I didn't mean to interrupt. Continue on.
2:00:50 - Steve Gibson
So, Matthias, you have offered a textbook, perfect use case for Spinrite, and I should say that the only part of your story, Matthias, that made me grimace was that three days were required for a full rewrite of a four terabyte USB-connected drive. I'm sure this was largely due to Spinrite still being hosted by DOS. The performance improvement for USB-connected drives will be one of the biggest benefits offered by Spinrite 7, because it will run natively under Windows or Wine, and occasionally rewriting entire SSD drives is so beneficial for their health that I'm eagerly looking forward to the day when doing so will be more practical. Even better will be Spinrite's ability to surgically locate and rewrite only the slow spots of SSDs that have become troublesome, but one step at a time. The other comment that I had was that I have come to feel exactly as Matthias has about SSDs. They are screamingly fast, but they cannot be relied upon.
I have switched every one of GRC's servers, which were initially all SSD, back to using spinning drives exclusively. Every one of the SSDs I was using eventually died, and I had purchased the highest quality, modest size, most reliable single-level cell SSDs available. Didn't matter. Now, no data has ever been lost, since even the SSDs were running in a RAID 6 configuration with full two-drive redundancy. I would never run any mission critical drive solo. The non-RAIDed SSDs that I use are automatically backed up to Synology NAS boxes, which all have spinning disks with a maximum two-drive redundancy, and the working directories where I spend my days are being continuously backed up with Syncthing to the same NASs. So these days, and I know this is what you preach too, Leo, mass storage is just too inexpensive to not plan for its failure. But when something does eventually die, as happened with Matthias's cute little four terabyte backup drive, as long as I'm alive I expect that Spinrite will be there to save the day and will only be getting better at doing so.
2:03:33 - Leo Laporte
I am shocked to hear you say you do not purchase SSDs anymore. Nope. I have found them to be more reliable than physically spinning drives. You find them maybe less. All I know is that every one of them that I have used, uh, in a production environment died. I mean, my Synology is spinning drives, but that's more because it's too expensive to put SSDs in there, but every computer I buy, it's... You'd be hard pressed to buy a PC or a laptop these days with a spinning drive.
2:04:09 - Steve Gibson
I don't think they make them anymore. Yeah, and I mean I'm happy for the speed, but believe me, they're backed up.
2:04:18 - Leo Laporte
Well, I mean, I'm backed up anyway, but I've never had an SSD drive. I've had plenty of these little thumb drives die, but those are crappy. I've never had an SSD or an NVMe M.2 drive die, ever. But I'm not. You say production environment, you mean on your servers. Yes, yeah, that maybe makes sense.
2:04:37 - Steve Gibson
I'm not running a server anywhere except for this, although Matthias just had it happen to that little Kingston 4TB. It's a little backup drive.
2:04:46 - Leo Laporte
Well, that doesn't really surprise me. I'm talking about nice internal SSDs. I mean, God knows what kind of heat profile that little doohickey has, and so forth. Yeah, I mean, it doesn't look vented at all. Anyway, I'm surprised. Okay, I find SSDs extremely reliable. Huh, okay. You know Backblaze does that annual report. I should go look. They just published it again because they buy more drives than most people, um, and they may.
2:05:19 - Steve Gibson
I mean, let me see what they say, because that's interesting. I think everybody in the cloud is using spinning drives. Really? They're so much more affordable.
2:05:28 - Leo Laporte
I mean they're way less expensive, cheaper, yeah, per gigabyte, but I don't know if it's way less expensive anymore. Huh, I think that that's gotten...
2:05:38 - Steve Gibson
Uh, that's narrowed, that difference. Okay, so a little bit of feedback from listeners. Josh Fenton said: Hi, Steve. In the latest episode you mentioned that Apple will, after some date, disable ADP for Apple users in the UK. How would this actually be possible? If the only thing that Apple's servers possess is an encrypted blob of data without the key to decrypt it, then wouldn't it be impossible for Apple to unilaterally revert users' encrypted data back to plain text? I can see how they could simply delete the blob, but with syncing across devices enabled, this would result in massive data loss for users. Thanks, Josh Fenton.
So I was sure of the answer, but I went over to Apple support to check. Under the topic "How to turn off Advanced Data Protection for iCloud", Apple writes: You can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers and your account will once again use standard data protection. So your device will securely upload the required encryption keys to Apple servers, and otherwise it unblinds Apple to how to decrypt your blob. So what's unique about Advanced Data Protection is that Apple never gets that key, which they normally do. So this is something that can be done by the user. This also suggests that a future update to iOS and macOS, if it comes to pass, will enable the OS to inform its user that Apple's Advanced Data Protection feature is being withdrawn from the UK and that, after acknowledging this notice, ADP will be disabled globally for their account. At that point, every one of the user's logged in devices will disable its local ADP setting and revert to traditional non-end-to-end iCloud storage, or, in other words, Apple just gets a copy of the key from the device which disables it, and then they are then in compliance with what the UK requires. So it seems like it's going to be possible.
A listener requesting anonymity said: Viscount Systems Freedom Access Control, you know, that's that ridiculous, unbelievably poorly designed access control system we talked about last week. Viscount Systems Freedom Access Control now secures the US Department of Homeland Security. What could possibly go wrong?
Which uses the physical security system in dozens of field offices of Citizenship and Immigration Services, the department's largest agency. So that's just great. As we'll recall from last week, this is the ridiculously insecure system that publishes its default username and password in its notes and tells the user, you know, you really should change that, but 43% of the people don't. Billy Sherratt said: What was that company you talked about on SN within the last couple of years with a subscription service offering really slick Windows patching in memory? OK, that would be 0patch.com, the numeral zero, p-a-t-c-h dot com, and I'm glad that Billy brought them up again. Just remember, everybody, Windows 10 will be going out of update service in October, and we don't yet know what Microsoft is going to charge end users to continue receiving the patches into the future, but the 0patch guys have said they plan to offer updates for the next five years and on, at their $27 per year. So again, to my way of thinking, a lot is still up in the air. Is Microsoft really going to charge end users for updates that they're making available to enterprise customers? Are they going to force people to Windows 11, which won't run on the hardware that it could run on, just because, I don't know. We'll see.
David Thompson said: I had a question. What network monitoring software are you using? He said: I've just seen in the past, during the DDoS on GRC, you look up at the top left corner to see the status. Just curious if you had any to share.
2:10:45 - Leo Laporte
Somebody paying a little bit of attention?
2:10:47 - Steve Gibson
He's being, yes, very observant. You know, I would have done that. And okay. So because my primary servers are running Windows, I've taken to just using the built-in Perfmon app which, you know, Performance Monitor, which monitors the server's performance counters, and Windows allows this to be done remotely. But doing that is definitely not safe. This would normally mean exposing Windows' infamous port 445 to the public internet, which would be begging for a visit from a hostile foreign power. You know, this might be abbreviated OMDB, which in this case would stand for Over My Dead Body. So I've arranged to have secure access to the Windows performance counters of my remote servers without ever exposing any ports to the internet.
But this is a good opportunity for me to mention my very favorite LAN monitoring tool. I use and depend upon it at both of my locations. It is so handy for keeping track of the WAN side of my internet connections. The tool is called NetWorx, N-E-T-W-O-R-X. It's from a company called softperfect.com, S-O-F-T-P-E-R-F-E-C-T dot com, and I've talked about it before. I just took a snapshot of its perfect little network monitoring window which I always have up. The red trace is incoming traffic, so if I or anyone in the household is downloading something, that line will jump up, and the green is outgoing traffic. If I do something, for example, like save a large file that's being mirrored to my local NAS, that will happen. A few seconds later, Syncthing will detect the local change and reach out to the other NAS to clone this changed file there. So I'll notice a jump in the green outgoing bandwidth line while the file is being sent.
The author of this tool also knows that a logarithmic scale is what's needed to make this sort of chart useful, so that's an option which I'm using. You can see in the chart that Leo has up, and that I have in the show notes, that the bottom line is at 10 Kbits, then the next line up is 100 Kbits, then 1.0 megabits, 10 megabits, 100 megabits and 1.0 gigabits. So the dynamic range of this is what you would want, as opposed to a linear chart. That's just not nearly as useful. But the coolest thing about this tool, which, by the way, has a bazillion other features, most of which I have no use for, but it can do all kinds of different things, the coolest thing is that it's monitoring my router rather than this PC. So I am able to see the NAS that is elsewhere on my network using my network's outgoing bandwidth. This is the chart of my aggregate LAN traffic at the LAN interface, which is the same as the WAN traffic on the other side of the router. I really love it. I don't know. It's just comfortable to be able to keep an eye on what's going on, to see the traffic coming in and out of your network. You can grab it and try it free for 30 days before deciding whether it's worth 15 bucks to own it forever.
You know the decision I made. And while you're over there at softperfect.com, look around. The company was founded in the year 2000. They're based in Brisbane, Australia, and from what I've seen, they are doing great work. Something else that might be of interest is a free web browser cache relocator, which they offer. You can do this manually, but this little freebie makes it very easy. In their description of the app they write: Internet browsers intensively use a folder on your hard disk for temporary data, the browser cache. There are various reasons why some users want to relocate this folder. For example, moving the cache to a RAM disk can speed up browsing, offload the hard drive or reduce the wear and tear on the SSD. This utility is intended to be used in conjunction with SoftPerfect's RAM Disk, which offers all the benefits of creating disks in RAM: increasing computer performance, mitigation of the physical disk's wear and tear and reduction of file system fragmentation.
2:16:09 - Leo Laporte
It also is a menu item on the Mac, which is really great, with all these different reports. This is a really very cool app. This is Mac, Windows and Linux. Uh, which app, that? The NetWorx app? Oh, the performance monitor that you were talking
2:16:20 - Steve Gibson
about? It is so cool. Yeah, I can't, I cannot tell you. It is, it is. And for people who use a larger tray, like, like Windows 10 has a tray at the bottom, it's able to actually run the little chart in the tray.
2:16:36 - Leo Laporte
Well, that's what it's doing here on the Mac, you see. Oh the chart itself, you mean.
2:16:40 - Steve Gibson
Wow, yeah, you're able. I'm not sure. It looks like that line would be too thin to have a chart on it.
2:16:45 - Leo Laporte
Yeah, I think it's not going to be able to do that. Yeah, this is great. Oh, 15 bucks. I know, 15 bucks. I'm using Fring right now. I think this is as good, if not better. Switch it to...
2:16:58 - Steve Gibson
Logarithmic, logarithmic, yeah, and you get a much better... There ought to be an option.
2:17:05 - Leo Laporte
Yeah, I'm sure there is somewhere. This is all new.
2:17:08 - Steve Gibson
I just downloaded it on your recommendation. Yeah, yeah, I didn't realize it was available for the Mac. Yeah, isn't that great. Yeah, these guys, they really know their business.
2:17:16 - Leo Laporte
It does a netstat window. I mean, this is fantastic.
2:17:21 - Steve Gibson
Yeah, there's a bunch of really cool stuff. Look at that. And as I said, also take a look at the other things they offer. There are things that would be of use for, like, you're able to monitor which applications are using, uh, uh, which of your bandwidth, and more. So my guess is this is one guy, right, who's just, you know... I think, yeah, it feels like a one guy, some Aussie who says, I've been writing this for 20 years and I know how to do it.
2:17:48 - Leo Laporte
He's probably doing it in assembly. Yep, there are settings. Yeah, let's see: volume, volume unit, uh, graph. We'll go to the graph settings, probably logarithmic. Be there.
2:17:58 - Steve Gibson
Very cool, yeah, it is, uh, it is a beautiful piece of work. I just love having it. So, oh yeah, big difference. Much prefer the logarithmic scale. You're right, yeah, it's because that way, when a... you'll know it.
2:18:10 - Leo Laporte
Yeah, yes, yes.
2:18:14 - Steve Gibson
Because you want to be able to see useful information when something's not going on and not have it be just pinned to the top of the chart when something big is happening.
2:18:25 - Leo Laporte
Right, this is great.
2:18:27 - Steve Gibson
Very nice.
2:18:29 - Leo Laporte
Very nice, let's see.
2:18:32 - Steve Gibson
Do we have anything else? Uh, uh, Alfred, uh, Dessinger, he said: Hi, Steve, I just received this notice. After 31 years, Entrust is out of the CA business. Oh yay, and that doesn't surprise anyone, you know, as we know. They flagrantly, you know, ignored the CA/Browser Forum. We talked about this extensively last summer when Chrome finally decided they were going to have to pull them out of their root store. No certificates issued by them after Halloween, October 31st of last year, would be honored by Chrome. And bye, bye. You cannot survive if Chrome is not going to like your certificates. And so, basically, they sold their existing customer base to Sectigo. And of course Sectigo is not the greatest of CAs either. They renamed themselves from Comodo after they ruined the Comodo name.
2:19:38 - Leo Laporte
Yes, we know Comodo.
2:19:40 - Steve Gibson
Oh, yes, so okay, one last break and we're going to talk about spatial domain wireless jamming, and, well, it's about time. Amazing, amazing technology.
2:19:56 - Leo Laporte
The only Backblaze report I could find on SSDs... They use hundreds of thousands of hard drives. They say they install a new hard drive... 20 hard drives every minute. But the only report I could find was from three years ago, unfortunately. But they did say that SSDs were marginally more reliable than the hard drives that they have. But they only have a few thousand SSDs. So that's probably, I mean, it's more than an anecdote, but it's less than a reliable statistic.
Less than a billy goat. Yeah, I mean, of course you should use what you want. I just, uh, you scared me because I'm very happy using SSDs everywhere. We want you to be happy.
2:20:41 - Steve Gibson
Um, I mean, we have solid state storage in our phones and our laptops and in our tablets. Uh, it is the thing to use, but you know, they're not perfect, and engineers have squeezed the crap out of them, and essentially that's why they slow down, is because they are struggling to read.
2:21:06 - Leo Laporte
They still do, but their performance gets hurt, and that may be more telling than failure rate, is performance degradation. Yep. But thank God there's Spinrite, that's all.
Thank you very much. In fact, I'm getting new servers arriving today with a four terabyte SSD, uh, and a, uh, and a 500 gigabyte or a terabyte boot drive, and I will probably want to run Spinrite on those before I set it up, won't I? Yes, I, yes, I will, Steve. Nothing much, no ad block here, but this would be an awesome time for me to mention our club. As I mentioned, I'd say only about 5%... Well, let's put it a different way. Advertisers only cover about 95% of our costs. That leaves 5% uncovered. Without that 5%, well, I might not have lights today, or Steve might not be here, or our other hosts.
We want to keep operating at full capacity. Frankly, we'd love to increase that number, because the more members in our club, the more we can do. So this is a blatant begging moment for you. I would love for you to join the club. There are benefits. We're not asking for your $7 without giving you something. No, by the way, that's all it costs, $7 a month, less than one venti latte at Starbucks, my friends. Did you say it was nine dollars? That's ridiculous. $9.50, that's, that's absurd for a cup of coffee. Um, well, I think seven dollars is fair, considering all the content that we deliver, all the fun too. You get ad free versions of all the shows because, if you're giving us money, we don't need to play ads for you. You wouldn't even be here in this plug if you were a Club Twit member. Now I have to point out a lot of club members say, yeah, I still get the ad feed because I like to hear your ads. So, okay, that's fine. It doesn't mean you can't listen to ads. Just you have the option.
What you do get also is the Club Twit Discord. And again, not everybody goes into the Club Twit Discord, but when you're there it's a great place to hang out, not only during a show to talk about the shows, but also, uh, everything else geeks are interested in. All of our shows have forums there. There's a software development group in here. You could talk about what Steve just mentioned about memory safe coding languages, uh, everything's going on. We even have a let's play segment where they're, uh, where they're playing Minecraft and other games, uh, together. We do have a Minecraft server, thank you, that's back up and running, thanks to lion admiral 1981, who has kindly volunteered to keep that running. So you get the Discord, you get the, uh, the ad free shows.
You also get some events. For instance, Thursday Photo Time with Chris Marquardt. We do that every month. Micah does his Crafting Corner, that's coming up in a couple of weeks. Uh, every quarter, Stacey's Book Club and other great events going on. I'll do some... I'll turn on the cameras every once in a while just for fun to say hello. When you socialize, you inform. That's right, Newman. It's a great place to hang. If you're not yet a member of Club Twit, I would very much love to ask you to join, and the Discord really is full of fun, a little gifs and so forth. twit.tv/clubtwit. Enough said. I don't want to belabor it, but thank you in advance. We really appreciate our club members. It's great to have you in Club Twit. All right, Steve, you've got to tell me what the hell this is that you're talking about here.
2:25:01 - Steve Gibson
This is mind-boggling. Everyone who's been following the podcast for a while knows that the way to my heart is through technical research papers. Nothing beats going to the source and hearing from the researchers who actually did the work. So when I saw this work from a team of German academics, which was presented during last week's Network and Distributed System Security, the NDSS Symposium 2025, which was held in San Diego, California, I knew that I needed to at least put it on everyone's radar. Now, there's no action item takeaway from this, but, you know, I think it was probably the paper's catchy title, Spatial Domain Wireless Jamming with Reconfigurable Intelligent Surfaces, which, you know...
2:25:51 - Leo Laporte
Well, that got my attention, that's right.
2:25:54 - Steve Gibson
That is a crowd stopper. Okay, so listen to what these guys explain in their paper's abstract. They said: Wireless communication infrastructure is a cornerstone of modern digital society, yet it remains vulnerable to the persistent threat of wireless jamming. Attackers can easily create radio interference to overshadow legitimate signals, leading to denial of service. The broadcast nature of radio signal propagation makes such attacks possible in the first place, but at the same time poses a challenge for the attacker. The jamming signal does not only reach the victim device but also other neighboring devices, preventing precise attack targeting. In this work we solve this challenge by leveraging the emerging reconfigurable intelligent surface (RIS) technology for the first time for precisely targeted delivery of jamming signals.
2:27:07 - Leo Laporte
Boy, this is bad. Yeah, this is bad.
2:27:09 - Steve Gibson
Yeah. In particular, we propose a novel approach that allows for environment adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks. We explore this novel method with extensive experimentation and demonstrate that our approach can disable the wireless communication of one or multiple victim devices while leaving neighboring devices unaffected. Wow. As close as five millimeters, okay, that's one-fifth of an inch, remains unaffected, sustaining wireless communication at a data rate of 25 megabits per second. Lastly, we conclude by proposing potential countermeasures to thwart RIS-based spatial domain wireless jamming attacks. Okay, now I have a picture in the show notes from their paper. It shows a grid of antennas. Now, this immediately suggests that they've created a 2D steerable beam jamming transmitter using a phased grid array. Now, that would be an entirely reasonable conclusion, and it would be wrong. If that's what these guys had done, it would be a nice piece of work, but by now it could hardly be novel. What is novel here is that this panel, Leo, does not itself transmit anything. It is entirely passive. It is reflective. It is selectively reflective, and can arrange to selectively target and deny an active Wi-Fi device, located some significant distance away (like nine meters, like 27 feet away, in their setup), from functioning. This is the sort of cool, I mean uber cool, next generation cyber spy tech that the NSA and CIA will want to immediately set up in a lab somewhere to fully explore. It is just so cool.
So here's what the inventors of this explain. They said: Wireless communication systems are ubiquitous and seamlessly provide connectivity to the smart and interconnected devices that permanently surround us. In our modern daily lives we frequently use instant messaging, media streaming, health monitoring and home automation, all of which rely on wireless systems and their constant availability. However, wireless systems utilize a broadcast medium, meaning the air, the ether, a broadcast medium that is open to everyone, inherently exposing a large attack surface. One particular critical threat is wireless jamming, which allows malicious actors to perform denial-of-service attacks with minimal effort. In a classical jamming attack, the adversary transmits an interfering signal that overshadows the desired signal, preventing a victim receiver from correctly decoding it. Crucially, loss of connectivity impacts the functionality of wireless devices and can thus have potentially far-reaching consequences, such as in smart grids, smart transportation and healthcare systems. Recent media reports underscore the real-world threat potential of jamming attacks, for example, criminals disabling smart home security systems and preventing cars from locking. This basic attack principle has previously been studied by a large body of research, and can leverage various jamming waveforms, such as noise or replayed victim signals, and vary the attack timing, jamming constantly or only at certain times.
As evident from the many existing attack strategies, wireless jamming has been incrementally refined and has become increasingly sophisticated. One particular example for this is the case of selective jamming attacks. To illustrate a potential attack scenario, consider an adversary attempting to sabotage a complex automated manufacturing process. Distributed actuators might take orders from several previous processing stages that have to be executed in a timely fashion, risking manufacturing failure otherwise. Here the adversary could use selective jamming to simulate local loss of connectivity on a single actuator but not the entire plant, which would likely trigger some emergency shutdown response. So far, the only means to realize such a selective jamming attack is via so-called reactive jamming, where the attacker analyzes all wireless traffic in real time to decide on the fly whether to send a jamming signal, relying on the existence of meaningful protocol level information not protected by cryptographic primitives. In our manufacturing plant example, selective disruption of the actuator would require the attacker to receive and identify every packet directed to the recipient before sending a jamming signal. This restricts the attacker to positioning rather close to the victim. Other downsides of this approach are that it can be mitigated by fully disguising packet destinations, and the attack realization being rather complex and cumbersome.
In light of those aspects, we are interested in novel attack strategies resolving the aforementioned shortcomings. Clearly, the ideal solution would be to physically inject a proactive jamming signal directly and only into the victim device. But this is not possible due to the wireless nature of jamming and the inevitable broadcast behavior of radio signal propagation to other non-target devices. Thus we aim to answer the following research question: How can we physically target and jam one device while keeping others operational? We solve this challenge by means of a reconfigurable intelligent surface (RIS) to devise the first selective jamming mechanism based on taming random wireless radio wave propagation effects, with control allowing to maximize and minimize wireless signals on specific locations. The attacker gains spatial control over their wireless jamming signals. This opens the door to precise jamming signal delivery towards a target device, disrupting any legitimate signal reception while leaving other non-target devices untouched. Other than reactive jamming, this is a true physical layer selection mechanism allowing realization independent of protocol level information. In other words, they don't have to decode what's coming and going. They just shut it all down. Moreover, the attacker only needs to detect signals from considered devices, removing the need for any real-time monitoring and reaction to ongoing transmissions.
In this work, we experimentally evaluate RIS-based, spatially selective jamming attacks against Wi-Fi communication, showing that it is possible to target one or multiple devices while keeping non-target devices operational. To accomplish this, we exploit that considered devices transmit signals, allowing the attacker to passively adapt to the scene. Apart from the attack's core mechanism, we study crucial real-world aspects, such as the attack's robustness against environmental factors. We additionally verify the effectiveness of our attack in real-world wireless networks where mechanisms that could counteract the attacker are at play, for example adaptive rate control of Wi-Fi networks. We show that RIS-based selective jamming even works despite extreme proximity of devices, for example 5 millimeters, and investigate the underlying physical mechanisms. Finally, we perform comparison experiments with a directional antenna, showing the significance of our RIS-based approach. In summary, our work makes the following key contributions: We propose the first true physical layer selective targeting mechanism for wireless jamming, enabling environment adaptive attacks in the spatial domain. Second, we present an attack realization based on RISs, using passive eavesdropping to determine an appropriate RIS configuration, which is the key to deliver jamming signals towards targeted devices while avoiding non-target devices. Third, we present a comprehensive experimental evaluation with commodity Wi-Fi devices, environmental changes and an in-depth analysis of the physical properties of our jamming attack.
Okay, and one last note about these new RIS, reconfigurable intelligent surfaces. They write: An RIS is an engineered surface to digitally control reflections of radio waves. Digitally control reflections of radio waves. Digitally control reflections. That's all they're doing, is reflecting radio waves, enabling smart radio environments. They said: It is worth noting that RISs are likely to become pervasive as they hold the potential to complement future wireless networks such as 6G. Here the propagation medium is considered as a degree of freedom to optimize wireless communication by redirecting radio waves in certain directions, for example to improve signal coverage and eliminate dead zones, to enhance energy efficiency and data throughput, and building low complexity base stations.
They said: An RIS does not generate... An RIS does not, and this is what's so... just, it's shocking to me. An RIS does not actively generate its own signals, but passively reflects existing ambient signals. For this it utilizes some number of identical unit cell reflector elements arranged on a planar surface. Importantly, the reflection coefficient of each reflector is separately tunable to shift the reflection phase. Typically, an RIS is realized as a printed circuit board with printed microstrip reflectors, enabling very low-cost implementation. To reduce complexity, many RISs use one-bit control, for example, to select between two reflection phases, 0 degrees and 180 degrees, corresponding to the reflection coefficients plus 1 and minus 1. This allows the control circuitry to directly interface with digital logic signals from a microcontroller. The technology is still under development, which is why RISs are currently not widely used in practice. At the time of writing, first implementations are being made commercially available and field trials are being carried out.
And then, after many pages of very cool detail, and, by the way, I've got the link to the whole PDF at the top of this in the show notes for anyone who wants to dig through it, and I know a couple of our radio experts are going to be curious, their paper concludes: In this paper we investigated the merits of the RIS technology in the spatial domain, enabling protocol-level agnostic selective jamming. For this, the attacker first determines a RIS configuration by eavesdropping wireless traffic from the victim devices. In other words, it listens using its antenna grid in order to locate, in a two-dimensional vector, the location of the device it wants to block. Then it switches into passive mode, and just by bouncing the radio off of itself that it is receiving ambiently in the environment, it's able to shut down that Wi-Fi device. They said: Then the attacker uses the RIS to reflect the environment's ambient radio signals, with the effect of jamming the wireless communication. This is alien technology. Jamming the wireless communication of targeted devices while leaving other devices operational.
We have demonstrated the effectiveness of the attack under real world conditions with extensive experimentation using commodity Wi-Fi devices. They used Pis and things and an open source RIS. Notably, we found that it is possible to differentiate between devices that are located only millimeters apart from each other. Overall, our work underscores the threat of wireless jamming attacks and recognizes the adversarial potential of RISs to enhance the landscape of wireless physical layer attacks. Wow. Now I know that our listeners enjoy being clued in, even if with only the broad strokes that I've been able to share here.
Just knowing that such capability exists is mind-blowing. What this means in practice is that very low power, undetectable, targeted jamming of specific radios is now possible. It's low power because the device is not itself needing to emit any strong, overwhelming radio signal. It's merely selectively inverting the reflected phase of what it receives across the elements of its two-dimensional surface. And this reflection property is also what makes it undetectable, again, because it's not emitting any flooding radio signal that any bug detector can detect. Nothing. It's also undetectable because the sum of these reflections can be focused onto the device, the device's exact antenna location, so that, even being half an inch away, no jamming effect would be detectable. As I said earlier, I'd be very surprised if researchers at the NSA and CIA didn't already have their sleeves rolled up, taking a close look at what this means for our on-the-ground defensive and offensive operations.
2:45:21 - Leo Laporte
This is just astonishing technology and very useful in a movie theater. So there's. That.
2:45:29 - Steve Gibson
Actually, for a while I had an illegal cell phone jammer, because I got so upset over people having loud cell phone conversations. You see, I knew that. And you could use this to target that phone. And how...
2:45:47 - Leo Laporte
...does it know, though? I mean, you're not aiming it.
2:45:51 - Steve Gibson
No, it actually is aimed. Oh, you aim it. Well, it listens across its surface. It listens to the device transmitting and is able to, by the timing of the received signal across this grid of 2D elements... Because, right, if the radio is off at an angle, then the signal will arrive slightly before on one edge of the array versus the other, and so it's able to use the phase of the received signal to determine in 2D space where the transmitter is.
Then it reverses the scenario, but it doesn't send anything. It simply reflects anything coming in back, and is able to shut that radio down. I mean, Leo, it's just freaky.
2:46:55 - Leo Laporte
Well, I'm sure that the folks, the screenwriters at The Recruit and Lioness and Taylor Sheridan, they're all taking note of this. This is now a new tool they can add to. Nobody will believe it.
2:47:06 - Steve Gibson
That's right. They might as well just use beam-me-up-Scotty technology, because, you know, who would think this would work? And here these guys have done it.
2:47:18 - Leo Laporte
You know who would love this is Steve Wozniak. He loved this kind of thing. I bet he's making one right now. Very interesting. It's funny. I had no idea what you were talking about with the title of the show, but now I still have no idea what you're talking about. Spatial domain wireless jamming. It's exactly what it says.
2:47:40 - Steve Gibson
Our listeners need to know that this is possible. Very cool.
2:47:43 - Leo Laporte
It's actually really cool. Yeah, thank you. My friend Steve Gibson is at GRC.com. That's his home on the internet; it stands for the Gibson Research Company, or Corporation. He's there 24/7 to offer you copies of SpinRite. If you should happen to have mass storage, you probably need a copy of SpinRite. I'm firing mine up as soon as my server comes; I'm gonna boot up into that. What, a FreeDOS? And whatever it is now you use, what is it called, the DOS that you bought?
2:48:13 - Steve Gibson
Oh, RTOS.
2:48:14 - Leo Laporte
RTOS. He bought his own operating system. He owns it, just so you can run SpinRite on any machine that'll boot up to it. Couldn't do it on a Mac, unfortunately, but any UEFI or EFI or BIOS machine it'll work on, right?
2:48:30 - Steve Gibson
Well, not on M-based. Right, not on the Apple Silicon. Yes, but not on the Apple Silicon; on the Intel device.
2:48:36 - Leo Laporte
Yeah. Well, this is going to be a Linux server, so before I put the Linux on there, I will SpinRite those drives. It's the world's finest mass storage maintenance, recovery, and (this is why I'm going to do it) performance-enhancing utility. How often do you recommend running that on your SSDs? Maybe yearly, or more often?
2:48:55 - Steve Gibson
I would say annually. I think that is a good tradeoff. The argument is that SSDs' lifetime is consumed by writing. Right.
2:49:05 - Leo Laporte
But we're only talking about... So you don't want to do it too often.
2:49:07 - Steve Gibson
You don't want to do it daily, right, but annually? Oh my goodness, when you consider the service life of the device, what, maybe 10 years, right?
2:49:15 - Leo Laporte
So, and boy, does it make a difference in performance. I mean, people are like... I guess, if you notice it's slowing down, they could also do it then.
2:49:22 - Steve Gibson
Right, yes, exactly. Yeah, and you're able to do a read test non-destructively. And if you see the performance is lagging, then it's like, well, now it's time to do a rewrite.
2:49:34 - Leo Laporte
So you can even do a little diagnostic. That's great. GRC.com. While you're there, of course, you can get... Well, first thing I would suggest is go to GRC.com/email and validate your email with the system so you can email Steve with questions, comments, suggestions. While you're there, you can also sign up to get the show notes emailed to you ahead of time, usually 24 to 48 hours ahead of time. You'll get a copy of the show notes so you can look at the picture of the week and laugh along with Steve. You can also get a second newsletter. That's a very infrequent emailing about important events. For instance, I bet you're going to let us know when DNS Benchmark is available. That will be the next email. Yep. GRC.com.
He has two unique (three, really, if you count the transcripts) copies of this show. He's got a 16-kilobit audio for the bandwidth impaired, and a 64-kilobit audio, which we don't do anymore. We used to, but we now do 128-kilobit audio. So if you want a smaller download (and, frankly, the 64-kilobit audio is full quality; you won't be losing anything), that's the place to go. He also has transcripts written by Elaine Farris, so they're very good. They're not AI transcripts; they're excellent quality transcripts. And show notes, all at GRC.com. We have our 128-kilobit audio and our video available at our website. That's twit.tv/sn for Security Now.
When you're there, you'll see a link to the YouTube channel. Great way to share clips. This show, above all others, I think people should be sharing clips with friends, family, people who are looking to jam drone signals, that kind of thing. This is the show to share. Just share that little clip there. It also helps us spread the word. And you can also subscribe in your favorite podcast player and get it automatically, audio or video, the minute it's available. We do stream live, so that you can watch it if you want the very absolute newest version of the show, the freshest version. We stream every Tuesday, right after MacBreak Weekly, sometime between 1:30 and 2 p.m. Pacific, that's 4:30 to 5 p.m. Eastern. Now, we are going to be heading into daylight saving time on Sunday. Steve, I hope you're ready already. Set the clock back or forward. Don't set it back; you'd really be two hours off.
Set it forward, spring forward. That means that the time that we will stream is going to change, at least from the point of view of UTC. So 2 p.m. Pacific, 5 p.m. Eastern, and now that would be 2100 UTC. So you can watch us live. Eight different places to watch. Club members get to watch on Discord, but there's also YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. So anywhere you want to watch at those hours, you can watch live. Thanks to our club members for making this show possible, and our great sponsors. Most importantly, thanks to you, Steve Gibson. I look forward to seeing you again in a week, next week. Bye.