Security Now 1017 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Leo Laporte
It's time for security now.

Steve Gibson is here. Some really interesting topics. We've always wondered about the cryptography used in Telegram's Messenger. Well, now we know what we thought it's not very good. We'll also talk about did Ukraine really attack xcom? Why your Firefox might have said, hey, you've got to update us, and then we'll take a look at testing your PC for one of the worst flaws ever Rowhammer and how you can do it as a way of kind of giving back. Plus, we're going to get you some great listener feedback and some sci-fi recommendations as well from the great Steve Gibson.

Next on Security Now Podcasts you love, from people you trust. This is Twit. This is Security Now with Steve Gibson, episode 1017, recorded Tuesday, march 18th 2025. Is your system vulnerable to Rowhammer? It's time for security now. Yes, the show you wait all week for. Our man of the hour, steve Gibson, is here to fill us in on everything that's going on. What are you covering your mouth for? So I don't talk over you while you're doing your intro. You know, talk over me all you want. People are not here for me, they're here for you, mr g so they're gonna get a lot of that.

0:01:30 - Steve Gibson
Um, we got a, uh, I think, a really interesting episode. Um, some researchers I forgot where they are, the german, I don't know. Well, we'll find out, it's a mystery right now. But there's three, three of them, I'm sure of that, and they decided.

0:01:48 - Leo Laporte
Well, at least we know that much.

0:01:50 - Steve Gibson
Oh, it's the Chaos Computer Group, oh, it is Germany. Then yeah, of the prevalence of rohammer. Rohammer hasn't gone away. It's still dogging us, they, the idea being that, if you read, if you, if you hammer on a given region of dram, you can upset the neighbors, which is true if you just hammer on your house, too, you.

0:02:22 - Leo Laporte
Yes, different kind of neighbor, but yes, yeah yeah, and so what we have now?

0:02:30 - Steve Gibson
it's over on GitHub. It's downloadable natively. You can install it on a USB thumb drive and run it and get a report on your specific system's susceptibility to Rowmer attacks and as part of this, you optionally upload anonymously your data to their cloud. You're able, if you don't like to do that or if you want to look at what's being sent, first it writes it to the USB stick and you're able to peruse it and go oh yeah, there's nothing here that I care about, and off it goes. To peruse it and go oh yeah, there's nothing here that I care about and off it goes. You get a brownie point from them.

If you do that, it's a chance to win some lottery, but I think it's like two chicken sticks or something. I mean it's nothing that you really care about, but they were trying to encourage this because they would like to get a much larger sample size. What they realized was that, while, yes, you can demonstrate this bit flipping problem on random systems, we really don't know how big a problem it is. So, anyway, everybody who's listening and hopefully lots more who will find out about this can run this test, submit their data, generate a much better sense for the prevalence of this, but that's not happening yet. First, we're going to talk about the long-needed and awaited and oh, it's just poetic, leo analysis of Telegram Messenger's crypto.

0:04:05 - Leo Laporte
Only you would think it's poetic. But okay, it's a work of art. We're going to have to pause and just steep in this for a while. I thought we knew how they did it. I thought this was widely known.

0:04:17 - Steve Gibson
We always knew it was crap.

0:04:20 - Leo Laporte
Oh Telegram, oh Telegram. Ah yes, they rolled their own, didn't they?

0:04:25 - Steve Gibson
They did. They're not using NSCL. It stinks.

0:04:30 - Leo Laporte
Oh boy.

0:04:32 - Steve Gibson
Yeah, but the best thing of this whole part is and these are like a team of five crypto guys, several from ETH, Zurich, and we got a guy from Amazon but he said I'm not affiliated with Amazon for this, I'm just a crypto guy but they produced the most eloquent statement of why modern crypto is modern, and it may even you may get a little wet in the eyes.

0:04:59 - Leo Laporte
Oh, a little teary. It's really good.

0:05:02 - Steve Gibson
Also, we're going to look at the truth behind Twitter's recent outage trouble. There was a lot. I got a lot of feedback from our listeners about this expiring embedded Firefox root certificate, and the question is, who was surprised by that? Well, it turns out, not so many people. Also, we got AI-generated GitHub repos, voice cloning, patch Tuesday and an Apple Zero Day. The FBI has warned of another novel attack vector that's seeing a lot of sudden action, and it's one that had never occurred to me, so I was like, oh, let's talk about this. Google is weighed in on age verification and all of that mess, and in a vacuum of age verification of all people, kazakhstan has decided to come up with their own solution.

0:05:57 - Leo Laporte
It's not wonderful. Also, isn't that where Borat's from? Yeah, I think it was his idea in fact.

0:06:01 - Steve Gibson
Yeah, I think it was his idea in fact yeah, probably. Also Google. Was Google served with an order from the UK, as Apple was? They wouldn't be able to say, would they? That's what people want to know. Yeah, can they say. Also, we've got a serious PHP vulnerability that everybody needs to make sure that they don't have.

0:06:24 - Leo Laporte
Or don't have PHP.

0:06:26 - Steve Gibson
So I'm glad to say. Well, lots of servers have PHP on their back end serving their pages. I mean I do.

0:06:36 - Leo Laporte
Your forums, right, are in PHP, aren't they? Yeah, yeah, yeah.

0:06:39 - Steve Gibson
But the good news is I wasn't vulnerable because of the way I set things up, but, for example, that the default uh xampp stack is vulnerable yikes, and that's what lots of people use. So I've got to make sure you don't have that. I did take the trouble to update my my php because the version I was running was vulnerable, but the way I was invoking it wasn't. So anyway, we got a bunch of great listener feedback, some sci-fi content reviews, and then we're going to look at how you can find out about your own system's row hammer of vulnerability. So you know, just your average, just your everyday.

Security now Typical I come home after one of these and I say to my wife you know, I think maybe this one was a good one everyone is a good one okay honey, and I might tell you my story, the story of hairpin that.

0:07:32 - Leo Laporte
Do you know what hairpin that is?

0:07:34 - Steve Gibson
oh yeah, in fact it's a it's a way of solving the problem of not being able to access your iot devices from an isolated network well, it turns out, I have a comcast business account that's what we use to stream and they disable hairpin that in their router.

0:07:50 - Leo Laporte
And I for the longest for literally eight months now since we closed the studio have been wondering why I can't get to my self-hosted wiki by its name, only by its number. Well, I now know they don't support hairpin that. Whatever, you're a thunk, who'd a thunk?

0:08:09 - Steve Gibson
you know who does is the uh ubiquity routers yes, I.

0:08:13 - Leo Laporte
If so, I'm using ubiquity behind the comcast router. Comcast, because I have a static ip address, says no, you have to use our router. Um, I might figure out a way around that, because that's they say, and actually this was going to be my question to you we could save it. They say it's for security reasons, they don't support it.

0:08:33 - Steve Gibson
I find that hard to believe now it's for support reasons. They don't support it. They don't want to try to explain to martha or, you know, jeffrey, or whomever, that. Well, look here's. I mean, because it's tricky to understand, that the data goes out essentially on the other side of the router and then is able to do a quick U-turn and come back in as something else. It's like what?

0:08:58 - Leo Laporte
It's a good description it is a hairpin, just so you know. The symptom is I'm running a server, a wiki server, internally inside my network on this comcast router. It's using its static ip address because I that's the best way to do it, uh, but I can't reach it from here by name. Dns doesn't work. I can only reach it by number. But if I go outside or I turn off my, uh, it works fine, works great, yeah, and I I never heard of this and so for the longest time I thought my server was broken. Anyway. You, of course, I should have asked you. Russell found it, our wonderful it guy. He did a little digging. He said I think that they turned off hairpin, that you know what? You should never turn off your backups. Let me tell you, uh-uh.

This episode of security now is brought to you by vanta v-a-n-t-a. You know, in business, trust isn't earned. It's not just earned, it's demanded right. Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security, has never been more critical or more complex. In fact, in many cases it's a requirement. That's where Vanta comes in. Businesses use Vanta to establish trust by automating compliance needs, and they can do it across 35 different frameworks SOC 2, of course, iso 27001, all of them really.

Vanta will help you centralize security workflows. You can complete your questionnaires up to five times faster. Proactively manage vendor risk too this is a must-have. Vanta can help you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus with automation and ai throughout the platform. Vanta gives you time back so you can focus on the more important things, like building your company. Join over 9,000 companies. You want some examples? Atlassian, quora Factory and 8,997 others. Use Vanta to manage risk and prove security in real time.

For a limited time, our audience gets $1,000 off. $1,000 off Vanta. Go to vantacom slash security now V-A-N-T-A. Vantacom slash security now $1,000 off. You see, because we're in Silicon Valley or we're near Silicon Valley. Whenever I drive through the Silicon Valley area, you see Vanta's billboards everywhere and I always have to laugh. They have a cute little alpaca as their mascot. You can see it right here on the lower third if you're watching the video. But my favorite part of their billboards is the tagline compliance. That doesn't sock too much. I don't know why. I'm a geek. Thank you, vanta, for supporting the show. You support us by going to vannacom slash security now for $1,000 off. Now, steve, as always, I have sealed myself into a soundproof room before the show so that I cannot see the picture of the day. But are you ready? Shall I roll up?

0:12:24 - Steve Gibson
I need to tell you first yes, that they the caption that I gave this photo. This is one of those that will take a little minute or two to sort of absorb yeah that the caption is the nature of legacy technology. Oh, all, right, I'm gonna roll, I'm like technology, we're never able to quite get rid of much we might want to, don't?

0:12:46 - Leo Laporte
we know? This is microsoft's sad song. Oh my god, oh, that is hysterical. Uh, oh my well, look at that, kids. Okay, you better, you better tell people that is legacy boy. Yes, isn't?

0:13:05 - Steve Gibson
that wonderful wow, there's nothing below it wow, once upon a time there was a phone pole and it went from the ground up into the air. Yeah, as phone poles do they do and people began stringing wires. Sure.

0:13:23 - Leo Laporte
Isn't it wonderful?

0:13:24 - Steve Gibson
Oh, it's just wonderful, and so wherever this foam pole was located, it was a very busy region, yeah, and over time it accreted more and more wires, largely running north, south, east and west. You know, sort of in the you can see them coming and going. And then something happened. We don't know what happened, but the phone pole, you know lost its footing.

Actually, you're exactly right, leo. There were so many wires hooked to the top of this phone pole that some industrious person said you know, I bet we really don't need the foam pole to go all the way to the ground anymore.

0:14:10 - Leo Laporte
That's tensegrity, that's what that is right there in a nutshell.

0:14:14 - Steve Gibson
So some brilliant person or an accident or we don't know what, but it was very clearly cleanly sawed off below all of this transactional wiring happening at the top of the phone pole, so that there's just no more pole below the phone Unbelievable. Yeah, that's just wonderful and the nature of legacy technology. You know you can't get rid of it, right, I mean you need it, but apparently they had to run a bypass or or an underpass or something right, or a pedestrian walkway I don't know what's.

0:14:50 - Leo Laporte
They don't show what's below it. I'm just curious. But that's hysterical and it obviously it's working. It looks like all those wires have a nice tight. Uh, they're taut, they're good.

0:14:59 - Steve Gibson
Yeah, it didn't droop at all when, when they cut the pole out from under it, nope, still there. Wow, anyway, that's just one of our goodies. That's a good one, okay. So our listeners possessing long memories may recall how well repulsed I was by telegram's design. The first time I looked at it and we talked about it on this podcast it was just a pile of made-up nonsense. I mean, it just didn't obey any of the rules of cryptography, and since that was the general impression of it, which was shared by the informed crypto community this was 11 years ago back in 2014. Pavel durov, who we talked about a lot back then, his response to the community's shunning of his solution was to say okay, fine, you don't like what I just came up with on the kit in the kitchen table I think it was his brother who wrote it.

as I remember, I think you're right, yep, and so it was his fault. Pavel said, okay, fine, I'll put up a prize of $200,000. And this was in 2014, when that was more money To anyone who can decipher an encrypted message sent between two Telegram end users. You know you don't like my crypto. Fine, here's 200 grand Again.

The crypto community was unimpressed because that was beside the point. It's about elegance and it's about rule following, which is what you do if you want solid crypto, not someone dangling a carrot. So by 2014, and this was the point we already knew how to solve these problems correctly, and Telegram wasn't it Okay. So for this reason, I was very interested and I knew our listeners would be when I saw that a team of actual cryptographers had finally and boy, this was not easy, I think. I think it's like one hundred and seven pages or something of crap that they had to go wade through actual hard long. Look at what can best be described as the ad hoc cryptography which was invented out of whole cloth by Telegram. And I use the phrase actual cryptographers because the first thing that becomes clear to anyone looking at Telegram is that its designers were not Five cryptographers one from King's College, two from ETH Zurich, one from Tel Aviv University and the fifth, as I mentioned, from Amazon, last Monday published a paper containing their findings, which was just presented during the Eurocrypt 2025 cryptography conference.

I've got a link to the paper here in the show notes for anyone who doesn't mind scrolling, because it is a tour de force. Their paper's title was Analysis of the Telegram Key Exchange, and its abstract reads we describe, formally, model and prove the security of Telegram's key exchange protocols for client server communications. To achieve this, we develop a suitable multi-stage key exchange security model, along with pseudocode descriptions of the Telegram protocols that are based on analysis of telegrams, specifications and client source code. We carefully document how our descriptions differ from reality and justify our modeling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks.

That's all proper, of course, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis, which is a really nice way, a polite way of saying you know, we did the best we could because we were just handed spaghetti. Anyway, they continue Along the way. We provide a proof of the security for the variant of RSA optimal asymmetric encryption padding used in Telegram and identify a hypothetical attack exploiting current Telegram server behavior. They said, parens, which is not captured in our protocol descriptions. They said, finally, we reflect on the broader lessons about protocol design that can be taken from our work, and that's where the poetry comes in, anyway. So, 104 pages later, remember most of the beautiful research stuff that we do here.

Talk about share is I don't know, 7, 17 pages, not 104. I think there's 107. Anyway, this was not a short paper. They conclude under the poetic heading the brittle monolith that is telegram. But it's not just their heading that's poetic. Listen carefully here to how beautifully they describe the way cryptographic protocols should be designed versus what they found lurking in the heart of Telegram. So here's, on page 104, they conclude In theory, the design of a cryptographic protocol has the sole purpose of achieving the protocol's security goals efficiently.

In actuality, however, to achieve this goal, it must also achieve the goal of allowing at least a sufficiently motivated expert to convince themselves that the protocol achieves these goals. Oh, this is so pretty. In other words, the central insight of what is commonly referred to as modern cryptography is that a cryptographic design is also tasked with being easy to reason about. A fundamental paradigm of achieving this goal is modularity, where different components of the design can be reasoned about in isolation and then generically composed to establish overall security guarantees. It's just beautiful. This modularity is typically achieved by relying on building blocks that provide strong security guarantees on their own, as opposed to only, and potentially in, specific compositions, and by breaking the dependency between different components of a protocol by avoiding reuse of secret material. Okay, I'll interrupt here just to say that, obviously, reading between the lines, what they found was that just a bunch of goo was just kind of like thrown in a big pile and scrambled around and connected to itself and it's like here you go. I mean, remember that's what we saw back then. Anyway, they said Telegram's failure to achieve this design goal is the root cause for the limitations and complexity of our proofs and our seeming need to reach for unstudied assumptions on cryptographic building blocks than would otherwise be necessary.

We will now discuss these issues and highlight several of the main telegram design choices and their effect on our proofs of security. We begin with mere complications, then move on to limitations and seemingly necessary ad hoc assumptions. We finish by briefly recapping our hypothetical attack. We also discuss this is after 104 pages of leading up to this. We also discuss design choices that led to these issues and note that the same design choice often led to several different difficulties for arguing for the security of telegram, leading to necessary repetitions in what follows. In other words, they're trying to do the best they can when given a mess, they're trying to do the best they can when given a mess, and we're trying to agree that this thing was secure, but it wasn't easy. And several pages after that, under the heading Reliance on Unstudied Assumptions, they added In Appendix C we describe several unstudied ad hoc and new assumptions that we used in our proofs.

These assumptions could have been avoided if, for example, collision-resistant hash functions like SHA-256 or SHA-3 had been used instead of SHA-1, meaning that's what Telegram is using meaning it's not collision-resistant today and if proper key derivation functions had been used, meaning it doesn't. So, in other words, the cryptographic design of Telegram is a mess at a time when a mess can and, for very good reason, should, be avoided. Telegram is likely secure enough for everything and everyone who's using it and relying upon it. No one is saying it isn't, but its design actively fights against that actually ever being proven. So I suspect that Pavel's $200,000 reward, at least for the foreseeable future, is secure, as is Telegram. But there was no reason to just do it this way, because by the time they were designing crypto, it was already well established how to solve all these problems, and they just didn't. You know Pavel's brother, as you remind us, leo just said you know, I'm just going to, we're going to do our own thing, because who will ever be able to prove it isn't? And he's right, no one can.

Those of us who watched the early rise of Twitter will recall the frequently seen fail whale. Its appearance usually indicated that the service, which was struggling to grow fast enough to keep up with its exploding demand back in the early days days, was temporarily unable to do so. That is, I mean, there was just too much desire for it. But the good news is those days are now long past. However, last week, twitter was on the receiving end and someone wrote back and said Steve, why are you still calling it Twitter? Well, because I started with a retrospective, I suppose. But the only problem I have with X is that it's so unspecific. I mean, for what it's worth, the tech press is still saying Twitter, and when you say X, you're almost compelled to say that service that was formerly known as Twitter, as if you're talking about Prince. That's now a strange glyph.

Anyway, twitter was on the receiving end of a widespread, high bandwidth DDoS attack and, as we know, widely sourced, very high bandwidth attacks are now what's required to take major sites and services down. What's required to take major sites and services down. In the case of last week's attacks, those who track such things and there are a bunch of different groups who do saw massive traffic originating from IP addresses in the United States, in Vietnam and Brazil as the top three, and Brazil as the top three among many other countries. So I was annoyed when Elon Musk later told Larry Kudlow during an interview on Fox Business Network that the attack came from Ukrainian IP addresses. What actually happened was that a group which offers DDoS attacks for hire, named Dark Storm Team, took credit for X's Monday outages.

I don't have any problem when someone has a differing opinion, but Elon could have either said nothing or said he didn't know where the attack originated or why it was launched, or said he didn't know where the attack originated or why it was launched. You know, it would have been even better and accurate to say that, like most modern attacks, they come from all over the globe. And I get it that he's very busy and I would imagine he probably didn't have any actual information at all and he shouldn't be expected to know everything. Like I said, he's busy, but singling out and naming ukraine as the source of the attack first of all was not true, at least from a bandwidth standpoint, which is knowable and, of course, doing so appears to serve a current political agenda.

0:29:41 - Leo Laporte
Yeah, but it was propaganda. He he probably knowingly lied. I I don't, I don't, I can't understand how he could not know that. It's not true? I just think he's busy.

0:29:51 - Steve Gibson
I mean, you know well, he's busy. You know, larry said hey, your twitter was down, what about that? And he should have said I I haven't been brought up to speed yet, I don't know anyway, but for what it's worth, we do know that it wasn't ip addresses in ukraine, so I just wanted to clear that up.

0:30:09 - Leo Laporte
In fact, there, really weren't many coming out of ukraine? No, exactly it's not where you would go if you wanted to do a ddos.

0:30:18 - Steve Gibson
No, and and frankly I don't think you can ddos anyone through starlink because it doesn't have that much bandwidth. You need landlines that get warm with all the packets that are moving through them. So, interestingly, last Friday, a critical Firefox root certificate expired Earlier last week and this is what generated so much feedback from our listeners because everyone knows I'm a Firefox fanboy. Mozilla wrote on March 14th 2025, a root certificate used to verify signed content and various add-ons for various Mozilla projects, including Firefox, will expire. Mozilla projects, including Firefox, will expire without updating to Firefox version 128 or higher or the ESR. You know the extended service release 115.13 or later for ESR users, including Windows 7, 8, 8.1 and Mac OS 10.12 through 10.14 users. This expiration, that is, the expiration of this root cert, may cause significant issues with add-ons, content signing and DRM-protected media playback. Now, just to be clear this is a root certificate not the way we normally think of it, not like a public root. This was a private root embedded in the Firefox XE, so that's why it was necessary to have an up-to-date version of Firefox. Mozilla said if you don't update Firefox, features that rely on remote updates will stop working and your installed add-ons will be disabled. Drm protected content, such as streaming services, may stop playing due to failed updates. Additionally, systems dependent on content verification could stop functioning properly. In other words, lots of bad stuff.

They said this update is necessary for all Firefox users running versions earlier than, as I said, 128 or ESR 115.13, including those Firefox for desktop on Windows, macos and Linux, as well as Firefox for Android. If you were sent to this article through an in-app message in Firefox, it means your browser version is outdated and needs to be updated. Okay now, since I'm still using actually, I'm sitting in front of it right now Firefox on a Windows 7 machine, I was initially concerned, but I just checked and my ESR edition had already updated itself past well, past that point. It's currently at 115.21.0 ESR.

And in researching this further, it became clear that, unlike those sites which you know, we often we sometimes see I won't say often where their TLS certificate expirations clearly are catching them by surprise because their site suddenly went offline and it's like, oops, we fired the guy that normally updates that every year. In this case, mozilla said would be needed that 115.13, were both first made available on July 9th of last year, 2024. So, like nine months ago, you know, anyone who hasn't updated their Firefox even once since then, would have no one to blame other than themselves if something were to go wonky with their client. Was just reminding everyone for the sake of doing so, a few days before that certificate's expiration, which was formally retired nine months before nine months ago that if, for any reason, somebody might still be running a Firefox from from last summer, then various important things might stop working so this could happen to me, though, because firefox is not my primary browser anymore, but I have it on my machine.

0:34:55 - Leo Laporte
If you never launch it, it never gets updated right, so it's not inconceivable that you could, you know, have it sit there for a year I think it launched.

0:35:03 - Steve Gibson
Actually, I think it updates at launch. You know, that's the thing it would. It would update for a year.

0:35:05 - Leo Laporte
I think it launched. Actually, I think it updates at launch. You know that's the thing it would. It would update as soon as I launched it, right? Or does it say, hey, restart to update, because I see that on chrome I don't get.

0:35:13 - Steve Gibson
We don't get that with firefox unless you go to the about box but normally it says you know you're updated. I think that where someone would get caught out would be if they had some version of Firefox or I mean some running instance that was never restarted Like. Someone actually sent me a picture of a Firefox error message on a like Wendy's fast food drive-through kiosk and it was, you know, like Firefox was unhappy about something and it was like Firefox was unhappy about something. But so there might be an instance where it would just been running for months on end and never restarted. A kiosk would be exactly that Right, right, yeah, yeah.

And you know also would be exactly this, leo.

0:36:01 - Leo Laporte
Oh, I know you know you want to do a little. I don don't know you want to like meet one of our sponsors one of our fine sponsors. We're more than a half hour in so that's the time to do you know these guys pretty well.

I'm talking about who? Bit warden? Oh yeah, I do. Bit warden, of course, is our favorite password manager, the trusted leader, and not just passwords, but secrets and pass keys as well. In fact, I just saw that I think it was wired magazine picked it as its favorite password manager, and one of the reasons they liked it is the exact reason I like it it's open source. You know you can't verify telegrams, crypto, except kind of like by poking at it. Um, because it's not open source. But that's why you want, anytime you're using crypto, you want to look at the source code, right, because then you can verify. It does what it says it does, and no more and no less. Bitwarden has more than 10 million users now. I'm so happy to say that I think we might have contributed a little bit to that across 180 countries. But I think what a lot of people forget is Bitwarden is great for business too over 50,000 business customers worldwide. In fact, bitwarden has entered the year as the essential security solution for organizations of all sizes, consistently ranked number one in user satisfaction. That's by g2. Recognized as a leader in software reviews data quadrant, bitwarden continues to protect businesses worldwide.

Tax season is here. This is a kind of a nightmare time for security professionals. For years, my tax preparer would email me my return and or or they would say, okay, send us your documents and stuff. And I'd say, encrypted, right? And they'd say, well, no, just email them, that's fine, nobody else. Well, tell your financial uh you know preparer, your accountant or your tax reporter to pair about Bitwarden send. In fact, if you're a Bitwarden customer, you can use it right now Securely send those financial documents to your tax preparer with Bitwarden Send. It does end-to-end encryption, so your tax forms remain protected. And here's the thing the recipient doesn't need an account to access them, so you don't even have to set your preparer up ahead of time. Don't use risky email attachments. Share anything confidential, like tax documents, with password protection, expiration dates. There's even view limits giving you full control over who can see the sensitive information.

Now's the time, this is the month, to use Bitwarden sensitive information. Now's the time. This is the month to use bitwarden. By the way, uh, bitwarden commissioned some research from 451, research that, uh, that, among other things, showed that, despite the rise of multi-factor authentication this was a shocker to me 65 of enterprises don't use it. They rely solely on passwords, uh, which really reinforces the need for, at the very least, strong password management and security and compliance strategies. In fact, the survey also showed with password management, even though it was cited as the number one IAM challenge for 35% of the organizations, only 21% implemented passwordless authentication, pass keys or single sign-on, which means those enterprises are facing ongoing credential security risks.

If you're not using a password manager, you know your employees are writing the password on a Post-it note and put it on the monitor. I mean, it's just, it's not good. Bitwarden is the way to go. It offers enterprises essential tools to strengthen their security posture. With end-to-end encryption you get MFA enforcement, secure password sharing which addresses both current password dependencies and future authentication needs. That's one of the things I like about open source. Bitwarden is up to date because its users contribute. They do a pull request and they will add features to Bitwarden, and Bitwarden invents them, looks at the source code and incorporates them in. So Bitwarden is nimble. They are fast at implementing anything that you need for security.

But despite all of this, what sets Bitwarden apart is its simplicity. Bitwarden's setup only takes a few minutes. They import from most password management solutions, so if you're moving over. It's an easy thing to do and, as I said, it's open source. That means their source code. It's on GitHub, it can be inspected by anyone, is regularly audited by third-party experts. That's the only real, ironclad guarantee that you're getting something that is totally reliable, totally secure, done right. Your business deserves an effective solution for enhanced online security. See for yourself.

Go to bitwardencom slash twit. You get a free trial of the Teams or Enterprise plan and, of course, as always, bitwarden is free. Unlimited passwords, pass keys, hardware keys for individual users Free forever for individual users. Bitwardencom slash twit. Bitwardencom slash twit, and we thank them so much for their support of security. Bitwardencom slash twit, and we thank them so much for their support of security. Now, bit wardencom slash twit. I have to show you Steve. Uh, somebody in our club, a twit, just showed us. He's watching security now in the barber shop. Oh, put away the playboys guys. We've got Steve Gibson. Isn't that awesome? Wow, that'sve gibson isn't that awesome.

Wow, that's some crazy isn't that awesome that is uh, this is a club twit member who I think is the barber.

0:41:54 - Steve Gibson
His his name is sirio barber okay, well, that would explain it then so I think it's his shop. Anyway, thank you, you know for most people getting their haircut. If you can fall asleep during that, that's good.

0:42:08 - Leo Laporte
I get sleepy anyway, getting a haircut. No, this will keep you awake, steve, keep you awake. Uh-huh, uh-huh, uh-huh.

0:42:15 - Steve Gibson
All right on we go. So we knew it was going to happen, and it's also probably little surprise that it happened not long after AI became the big buzzword, that it happened not long after AI became the big buzzword. An unknown threat actor has deployed a large number of malicious GitHub repositories which infect users with malware. That's not such news. Trend Micro says descriptions for the repositories have been generated using AI tools, so we're beginning to accelerate the rate at which bogus GitHub malware is. You know, repos areploys the Luma Stealer malware to exfiltrate users' credentials Because they're looking to get developers' credentials in order to launch supply chain attacks to infect their own actual valid repos and get their stuff widely distributed and get their stuff widely distributed. So beware of repos that actually they don't look like they're written by some Russian national trying to write English anymore.

0:43:35 - Leo Laporte
Oh no, they're good. Now they're grammatically perfect.

0:43:39 - Steve Gibson
Oh boy.

0:43:41 - Leo Laporte
They sound that way too.

0:43:42 - Steve Gibson
A Consumer Reports study found that Speechify, lovo, playht and Descript made no efforts to ensure that users had consent to reproduce another person's voice. So those are four out of the top six. Voice cloning apps don't have any problem if you reproduce someone's voice without their permission. They are, as I said, they are the top four out of those. Four out of the top six have no protections against abuse. They allow threat actors to easily clone anyone's voice. Given a sample. Consumer report study also found that voice cloning scams are seeing a wider adoption across the fraud landscape.

0:44:32 - Leo Laporte
You know where it sounds like your grandma is calling and you know, and asking for some money it's so funny because my mom's stock brokerage I won't say the name keeps pushing me to use voice identification it is.

0:44:46 - Steve Gibson
So yesterday, I mean it is it's a bad idea. Yeah, wow, like I mean, first of all, it was never good right, I mean, that's my thought.

0:44:56 - Leo Laporte
It's convenient, I guess, but yeah, no.

0:45:01 - Steve Gibson
Maybe it just puts people off, like, oh you know if some Russian is trying to scam you.

0:45:08 - Leo Laporte
Then it's like, okay, I'll go somewhere else?

0:45:12 - Steve Gibson
No. Last Tuesday, microsoft patched a modest 58 vulnerabilities, among which six were actively exploited zero days. You know that's only a third of what they've done recently, leo. So that's like oh OK, we'll, we'll wake up FastFat File System Driver Remote Code Execution Vulnerability, ntfs Information Disclosure another one of those and an NTFS Remote Code Execution Vulnerability and Microsoft Management Console Security Feature Bypass. So those were all being exploited as zero days among 52 others. So you know, update when you can.

Apple also patched a zero day in their WebKit, affecting both iOS and Mac OS, and Apple did describe it as an extremely sophisticated attack. So not easy to do. But you know they they fixed it. Now. This bit of news was interesting to me. This bit of news was interesting to me. It never occurred to me. The FBI is warning that their agents are increasingly seeing scams involving free online document converter tools, and they posted a note saying that we want to encourage victims to report instances of this scam. They said in this scenario, criminals use free online document conversion tools to load malware onto victims' computers, leading to incidents including ransomware. Fbi denver special agent in charge. I wonder, leo, do they have any non-special agents? Or are all their agents special?

0:47:11 - Leo Laporte
because I think they are all special agents. Come to think of it, they're all special agents. You would want to be like not the special agent, but you don't want to get that one.

0:47:20 - Steve Gibson
They're may not always be special agent in charge, but you can be special agent.

I think they're all special. Anyway, this guy's name is Mark Michalak and he said, quote the best way to thwart these fraudsters is to educate people so they don't fall victim in the first place. Amen to that. If you or someone you know has been affected by this scheme, we encourage you to make a report and take actions to protect your assets. Every day, we are working to hold these scammers accountable and provide victims with the resources they need. Unquote, so the FBI said.

To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a doc, into a PDF. It might also claim to combine files, such as joining multiple JPEG files into one multi-page PDF. The suspect program might claim to be an MP3 or MP4 downloading tool. They said these converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim's computer.

The tools can also scrape the submitted files for personally identifying information, such as I don't know who would have a social security number in such a file, but okay Dates of birth, phone numbers, etc. Banking information, cryptocurrency information, seed phrases, wallet addresses and so forth, email addresses and passwords. And they finish saying unfortunately, many victims don't realize they've been infected by malware until it's too late and their computer is infected with ransomware or their identity's been stolen. The FBI Denver field office encourages victims or attempted victims of this type of scheme to report it to the FBI Internet Crime Compliance Center at wwwic numeral threegov by the way, I did a search, not all fbi agents are special agents oh special agents are the criminal investigators or detectives who, in other words, you might have a.

0:49:41 - Leo Laporte
You know, the t lady is just an agent, not a special agent.

0:49:43 - Steve Gibson
So does it say like FBI generic agent?

0:49:46 - Leo Laporte
Yeah, there are agents. Other employees of the FBI who handle administrative tasks, paperwork or phone calls may be broadly referred to as agents, but are not special agents.

0:49:56 - Steve Gibson
So I guess everybody is an agent. That's what you are. You're not an employee, you're an agent. Well, I wouldn't go that far either.

0:50:07 - Leo Laporte
You think there are non-agent employees. You can't be arrested by a, by anybody but a special agent ah they're senior to the agents, but there may also be other jobs. I I'm sure the person who empties the trash in the offices is not an agent. That's a good point. I would think. I don't know. I just I asked ai. Ai told me that that's good. Well, we're gonna believe it until we learn otherwise until we learn, until it was a hallucination, it was all a dream uh, anyway, I just wanted to point this out.

0:50:36 - Steve Gibson
I had it never occurred to me should have that downloading like using an icon uh, it's occurred to me only because how often do you do a google search?

0:50:46 - Leo Laporte
you've got a doc and you want to turn it into a pdf, or you've got you know a word, perfect document, yep, and. And how often does that happen? And in the old days I used to go out on the internet and look for tools, not anymore.

0:51:01 - Steve Gibson
It comes right up in a search is how do I convert this? And it says, oh, just click this link for a free document conversion. And you think, oh good, I don't have to install another one of those stinky programs. I just want to get it done, because I only have this one thing to do. What's interesting?

0:51:16 - Leo Laporte
to me is that they still work. So it sounds like they're taking existing programs and and modifying them. Yeah, they still do the job. So I guess that way you go. Oh good, I got the PDF, you don't think about it.

0:51:36 - Steve Gibson
When.

0:51:36 - Leo Laporte
Boris asks to purchase your document conversion domain name. Big bucks, we got some Bitcoin here, just include your PHP code, please.

0:51:42 - Steve Gibson
That's right. Yes, the top court in South Korea rejected Meta's final attempt to dismiss a $4.6 million fine five years ago South Korea's privacy watchdog we talked about this back then. This was back in 2020 for sharing the data of 3.3 million South Koreans with third parties without their permission or authorization. They lost that battle. Then they appealed. They've now lost the appeal. The final highest court in South Korea said we need some money, so they've got to pay.

0:52:23 - Leo Laporte
Was it a breach or did they actually?

0:52:25 - Steve Gibson
sell it. It was actually sold. They were just saying here's who's using us in South Korea.

0:52:35 - Leo Laporte
See. So for a long time I've said, oh, you don't have to worry, because Meta's never going to sell your information. They sell, that's their secret sauce. They sell ads against that information. So they say, well, you want 35 year old men in south korea, we can deliver that.

0:52:53 - Steve Gibson
But to learn that they're actually selling that well, actually the article says sharing, so maybe not monetizing overtly, but but you know, like with their advertising partners right there, they want their advertisers to know as much about you as they can, because we know that makes it a more valuable ad.

0:53:11 - Leo Laporte
Yeah, but they don't so for them to say here's steve gibson's personal information is different than saying I will sell you an ad that will reach steve gibson and people like him, because if you give steve gibson's personal information, well, who knows what meta is up to? Yeah, anyway what apparently the, the I have to adjust. What I've been telling people is what I'm thinking the.

0:53:33 - Steve Gibson
The search into this said that meta without permission five years ago selling sharing the data of 3.3 million South Koreans, enough so that they have just lost all of their appeals and are going to have to pay a $4.6 million fine, which of course, is a drop in the bucket for Meta. I mean, they have that in the petty cash drawer for the delivery guy when he comes up.

0:53:59 - Leo Laporte
But at least we now know they do that. That's the key to that. Yeah exactly Wow.

0:54:12 - Steve Gibson
Okay. So Google has weighed in on their side of the age verification requirements. Google is and speaking of Meta, google is reportedly to be extremely upset over Meta's sponsorship. Is the way Google phrased provider the store, essentially offloading it, offloading the responsibility from individual apps, which is, of course, why Meta thinks that's a good idea. Last week we looked at what Apple was doing and last Wednesday Google posted their position about this under the title Google's Legislative Proposal for Keeping Kids Safe Online. So they're calling it a legislative proposal, meaning we're offering this to the legislators as what we suggest people do. And in an indication of Google's annoyance with Meta, the tagline under that read legislation pushed by Meta would share kids' information with millions of developers without parental consent or rules on how it's used. We have a better way. So here's what Google said they wrote.

Everyone wants to protect kids and teens online and make sure they engage with age-appropriate content, but how it's done matters. There are a variety of fast-moving legislative proposals being pushed by Meta and other companies in an effort to offload their own responsibilities to keep kids safe to app stores. These proposals introduce new risks to the privacy of minors without actually addressing the harms that are inspiring lawmakers to act. Google is proposing a more comprehensive legislative framework that shares responsibility between app stores and developers and protects children's privacy and the decision rights of parents. One example of concerning legislation is Utah's App Store Accountability Act. The bill requires app stores to share if a user is a kid or teenager with all app developers. They said. Effectively millions of individual companies close parens without parental consent or rules on how the information is used. That raises real privacy and safety risks, like the potential for bad actors to sell the data or use it for other nefarious purposes. This level of data sharing is not necessary. A weather app doesn't need to know if a user is a kid I'm still annoyed by the use of the term kid, but okay. By contrast, a social media app does need to make significant decisions about age-appropriate content and features. As written. However, the bill helps social media companies avoid that responsibility, despite the fact that apps are just one of many ways that kids can access these platforms, and by requiring app stores to obtain parental consent for every single app download, it dictates how parents supervise their kids and potentially cuts teens off from digital services like educational or navigation apps. Okay, I don't quite get that, but okay. By contrast, we are focused on solutions we Google that require appropriate user consent and minimize data exposure.

Our legislator framework, which we'll share with lawmakers as we continue to engage on this issue, has app stores securely provide excuse me industry standard age assurances only to developers who actually need them and ensures that information is used responsibly. Here are more details and we have a few bullet points. First, under privacy preserving age signal shared only with consent, they write. Some legislation, including the Utah bill, require app stores to send age information to all developers without permission from the user or their parents. In our proposal, only developers who create apps that may be risky for minors would request industry standard age signals from app stores and the information is only then shared with permission from a user or their parent. By just sharing with developers who need the information to deliver age-appropriate experiences, and only sharing the minimum amount of data needed to provide an age signal, it reduces the risk of sensitive information being shared broadly. 100% agree Appropriate safety measures within apps, they wrote. Under our proposal, an age signal helps a developer understand whether a user is an agent or a minor. The developer is then responsible themselves for applying the appropriate safety and privacy protections. For example, an app developer might filter out certain types of content, introduce take-a-break reminders or offer different privacy settings when they know a user might be a minor. Because developers know their apps best, they're best positioned to determine when and where an age gate might be beneficial to their users, and that may evolve over time, which is another reason why a one size fits all approach won't adequately protect kids Under responsible use of age signals. They wrote.

Some legislative proposals create new child safety risks because they establish no guardrails against developers misusing an age signal. Our proposal helps to ensure that age signals are used responsibly, with clear consequences for developers who violate users' trust. For example, it protects against a developer improperly accessing or sharing the age signal. Alongside with any age assurance proposal, we support banning personalized advertisements targeting users under age 18 as an industry standard At Google. This is a practice we've long disallowed. It's time for other companies to follow suit.

And finally, under centralized parental controls. They write. Recognizing that parents sometimes feel overwhelmed by parental controls across different apps. Our proposal would provide for a centralized dashboard for parents to manage their children's online activities across different apps in one place and for developers to easily integrate with period. So they finish. Google has demonstrated our commitment to doing our part to keep kids safe online. We're ready to build on this work and we'll continue engaging with lawmakers and developers on how to move this legislative framework for age assurance forward.

So, yes, if that sounds like a lot of what Apple was saying last week, that's it.

Yes, I mean, with Apple and Google being the two gorillas in the market, they appear to be converging onto the same solution. Essentially, parents are able to group the phones of their family members and indicate which phones belong to their minor children. Once this is done, children wishing to download applications with mature ratings will require parental consent. Developers of restricted apps have no need to know anything about those who are downloading and installing their apps. The fact that they're able to do so means that they have permission, either by using an adult's phone or because a parent or guardian gave a child permission. So essentially, providing control only where it's necessary, which is very much like what Apple suggested and we talked about last week. So it feels like that's where we're going, and it also feels like Google is rolling up their sleeves, calling this legislative proposal, so they're going to respond to legislation like what we just saw happening in Utah and say no, no, no, let's do it this way. This is the way it should be. Unfortunately, our current administration seems upset with Google. I guess actually Biden's was too.

1:03:32 - Leo Laporte
Yeah, it was actually Biden's FTC that brought the complaint that began the whole antitrust work.

1:03:37 - Steve Gibson
Yeah, I got a kick out of this because I mentioned at the top of the show I got a kick out of this because I mentioned at the top of the show, kazakhstan has a different approach. The Kazakhstan government has get this introduced SIM cards specifically designed for use of and by children In Kazakhstan. All parents will be required to buy and deploy the new SIM cards for use in their children's devices. The cards come with built-in filters to restrict access to dangerous websites and social media. The cards also report a child's location to parents through a special app. So, overall, it feels as though things are rapidly becoming a mess, with random and uncoordinated legislation being created left and right, and frankly, I lay this at the feet of Apple and Google, who both resisted taking the action they could and should have taken on this many years ago. They were like no, no, no, no. We don't want any responsibility, we don't want any part of this, you know, and it's only when bad legislation and bad solutions are finally being created that now they're saying oh well, okay, yeah, what you're doing is wrong, here's how we'll do it. So you know, I guess you know, better late than never.

Also one last little bit. The Spanish government passed a bill last week to impose very stiff fines on companies that produce and dispense unlabeled AI-generated content. And when I say stiff fines, we're talking up to 35 million euros or yeah, wow, get your attention or 7% of a company's global annual revenue, which whichever is greater, whoa. The law intends to curb the spread of deep fakes and non-consensual adult content, such as producing fake celebrity videos. Spain is the first country in the EU bloc to incorporate provisions from the EU AI Act into its national legislation. So they're saying we're going to fine you if you do not clearly label content as AI generated. I think that's reasonable.

1:06:13 - Leo Laporte
The fine's not, but I think we need it. The fine will take your breath away. Yeah, yeah.

1:06:20 - Steve Gibson
Okay, we're going to talk about Google and the canary after another break, because we're now at an hour in the Google and the canary.

1:06:29 - Leo Laporte
Wow, google and the canary. I think it's a reverse canary? I'm not sure, if it's a reverse canary.

1:06:33 - Steve Gibson
We'll have to think about that.

1:06:35 - Leo Laporte
Oh, that's, a good point, no it's a canary. It's a canary. Okay, well, we could talk about what the difference is. Yeah, yeah, uh, yeah, well, we'll talk about it. Save, save.

1:06:46 - Steve Gibson
Put a pin in it as a canary is published, I'm thinking that a reverse canary is the absence of something that is the canary right.

1:06:54 - Leo Laporte
Right, so if you say in your legal disclaimers, and we have not an never received a warrant from the united states government, and then it disappears, that's a reverse canary right, because you've in without saying anything, you have said something. So what apple did a canary? I'm glad we get these things cleared up. You see, you don't just learn about security here, you learn about the use of the english language.

1:07:22 - Steve Gibson
But I do have this podcast is for the birds, literally.

1:07:26 - Leo Laporte
I do have a sponsor here you might want to know about. I love these guys. It's a company called threat locker. Uh, oh man, I had a. I spent an hour or two talking to him about what they do. I was not only impressed by what they do, but but how affordable it is.

So you know, if you listen to the show, ransomware is just crippling businesses all over the world Phishing emails that start it, you know. Or infected downloads, like Steve was just talking about. Malicious websites, rdp exploits. How do you defend yourself? You don't want to be the next victim. Well, you need Threat Locker's zero trust platform, the key on all of this. It takes a proactive here's the three words you need to hear deny by default approach. It blocks every unauthorized action, protecting you from both known and unknown threats, and it's trusted by global enterprises like jet blue, the, the port of vancouver. Think about this that you know. This is a terrifying thought for them to be shut down by ransomware. They rely on threat locker to shield them from zero-day exploits, supply chain attacks and providing complete audit trails, which really helps, not just for compliance, but for just figuring out what's going on, who's doing what. Threatlocker's innovative ring fencing technology isolates critical applications from weaponization. It stops ransomware cold. It limits lateral movement within your network so important Keep those bad guys from snooping around.

Threatlocker works across all industries. Yes, it supports Windows, but also Mac environments, and they have great 24-7 US-based support. You get comprehensive visibility and control with ThreatLocker. Mark Tolson, who's the IT director for the city of Champaign, illinois, it's really gratifying for me to hear city government, state government, schools, universities using ThreatLocker. He's an IT director for the city of Champaign, illinois. Mark said quote ThreatLocker provides that extra key to block anomalies that nothing else can do If bad actors got in and tried to execute something. I take comfort in knowing that ThreatLocker will stop that. Stop worrying about cyber threats. Get unprecedented protection quickly, easily and cost-effectively with ThreatLocker.

Go to the website. You won't believe how effective and how affordable it is. Actually, can you afford not to do it? That's the real question. Threatlockercom slash twit. They have a 30-day free trial. You'll see how easy it is to set up and implement and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. Perfect solution. Threatlockercom slash twit. We thank them so much for supporting Steve's good works here at Security. Now, threatlockercom slash twit. That's how you let them know when you go to that site threatlockercom. Slash twit. That's important that you heard it here. Okay, steve, I want to hear about Google's Canary.

1:10:33 - Steve Gibson
Okay. So last Friday the record ran a piece that caught my eye In the wake of what has become an extremely public withdrawal of enabling Apple's strongest privacy guarantees for iCloud backup in the UK, many have wondered including, it turns out, elected members of US legislation about Android and Google. What's their similar status relative to United Kingdom of you know their even larger Android ecosystem, which is designed and managed by Google.

1:11:11 - Leo Laporte
I wondered this too. I figured, if they went after Apple, I'm sure they must have gone after Microsoft and Google and everybody else right?

1:11:19 - Steve Gibson
Yes, the record gave their coverage of this question the headline. The record gave their coverage of this question the headline. Google refuses to deny it received encryption order from UK government and apparently they've been asked directly and rather pointedly receiving a secret legal order from the British government. According to a bipartisan group of members of Congress who are concerned, westminster may have demanded that several U S technology companies provide its security services with a mechanism to access encrypted messages. It follows the British government reportedly issuing such a secret legal demand, officially known as a technical capability notice, to Apple. Apple is believed to be contesting the demand at a closed court hearing on Friday, and I assume they meant last Friday.

1:12:20 - Leo Laporte
This most recent Friday, the 13th or 14th, yeah.

1:12:23 - Steve Gibson
This most recent Friday, the 13th, yeah, or the 14th, yeah. In a letter published Thursday. Last Thursday, the members of Congress US Congress complained about the secrecy of this court hearing, arguing quote it impedes Congress's power to conduct oversight, including by barring US companies from disclosing foreign orders that threaten Americans' privacy and cybersecurity. Unquote.

Despite widespread reporting of this TCN issued to Apple, the company Apple is prohibited from confirming whether it had received such an order under the UK's Investigatory Powers Act. In their letter, the members of Congress wrote that Apple had informed them quote that had it received a technical capabilities notice, it would be barred by UK law from telling Congress whether or not it received such a notice. Companies who have not received such a notice are obviously free to say so. The group wrote. Google also recently told Senator Ron Wyden's office that if it had received a technical capabilities notice, it would be prohibited from disclosing that fact. Experts, including from Britain's own intelligence community, have said that the government's attempts to access encrypted messaging platforms should be more transparent. Academics described the home office's ongoing refusal to either confirm or deny the legal demand as unsustainable and unjustifiable. Okay, so what does this?

1:14:19 - Leo Laporte
mean.

1:14:20 - Steve Gibson
Let everyone know who is listening to this podcast know that I have not. I am not in receipt of any such or similar demand from the UK government.

1:14:34 - Leo Laporte
And Leo, I am not either. Scout's honor I would imagine.

1:14:38 - Steve Gibson
You are equally free, yes, and now you have. You have said the same thing.

1:14:43 - Leo Laporte
So that's, conclusive.

1:14:45 - Steve Gibson
Not that the UK government has any interest in either of us or anything that we may have encrypted but we wouldn't be able to say anything had we received that, including denying it, I presume right. I could not, apparently, confirm or deny actually, I bet you could deny it.

1:15:00 - Leo Laporte
But if you said I cannot confirm or deny, that's the reverse canary, isn't it you?

1:15:08 - Steve Gibson
could say yeah, I mean you could be lying so doesn't google's refusal to simply say as I just have and as you just have right that they are not in receipt of an order which compels them to not disclose such an order automatically mean that they are in receipt of a similar order from the UK.

1:15:31 - Leo Laporte
A reasonable induction. I agree yes.

1:15:35 - Steve Gibson
And also, wouldn't that make sense? Wouldn't we also expect Google to be just as much a subject of this as Apple? Right? And if Google were, not think about that. If the UK only required Apple to comply, wouldn't that constitute unfair meddling in the direct commercial interests of these two commercial platforms? Like publicly be able to decrypt the confidential and private information of their users while not requiring exactly the same from others would put apple at a significant commercial disadvantage relative to its competitors.

So that's not copacetic. It seems clear that, whereas news of Apple's receipt of this leaked out, you know, the same may have happened within Google. That is the same receipt of this, but it hasn't leaked, you know. And of course, some have suggested that Apple's leakage may have originated from within Apple itself as a means of opening this issue to the disinfecting light of day. So interesting. I think we have to assume that Google is also in receipt of this. And they're just, you know, they're not. They're like you know, Sergeant Schultz, they don't know anything, they're not going to say anything, and I guess many of our listeners, our younger listeners, don't know what I'm talking about. But look up Hogan's Heroes and you'll find out.

And this brings us to another piece of related reporting from the record which they posted last Thursday, which was the day before this. They said their headline was Calls Grow for UK to Move Secret Apple Encryption Court Hearing to Public public session. The record wrote politicians and civil society groups in the United Kingdom are calling for a secret court hearing expected on Friday about the British government's encrypted encryption demands on Apple to be held in public. It follows warnings from experts, including from Britain's own intelligence community, that the government's attempts to access encrypted messaging platforms should be more transparent. Academics described the Home Office's ongoing refusal to either confirm or deny the legal demand as unsustainable and unjustifiable. The schedule for the investigatory powers tribunal, the only court in the country that can hear certain national security cases, includes a hearing set to take place behind closed doors on Friday, presumably last Friday, featuring the tribunal's president, Lord Justice Singh, alongside the senior high court judge, Justice Johnson.

It follows Apple disabling the option for its British users to protect their iCloud accounts with end-to-end encryption last month, in the wake of a reported legal order from the British government requiring Apple provide it with access to encrypted iCloud accounts. The hearing is purportedly the company's attempt to contest this order, although it is unknown on what legal grounds that attempt is being made. So, like you know, Britain has this law, they're saying. You know, commercial entities that we serve a secret order to must comply. So how does Apple say, no, Maybe it's this competitive disadvantage thing I talked about, I don't know. Anyway, the British government continues to say it neither confirms nor denies the existence of such legal demands. Apple has not confirmed the reason the encryption feature was turned off and would be prohibited from doing so.

1:19:33 - Leo Laporte
Yeah, they can't say anything.

1:19:35 - Steve Gibson
That's just nuts. This whole thing is nuts, this whole. You know we're giving you secret orders that you can't ever talk about. But it's going to, but it requires that your behavior be modified.

1:19:45 - Leo Laporte
But you remember, we've talked about it. We do the same thing. The patriot act sent. You can send it. They send out national security letters and you cannot say that we have received a national security letter and revealed all your information to the government.

1:19:58 - Steve Gibson
You can't tell anybody that I guess the the issue here is that apple cannot comply, and so they're. They're forced to comply, they're forced to change the rollback, their technology, and so that's a big deal is.

1:20:26 - Leo Laporte
Telsey gabbert or the dni has said we have a treaty with england that says we won't spy on their people if they don't spy on our people, and this investigatory powers act specifically said no encryption. We want to be able to read everything globally, not just for uk citizens. We want to read steve gibson's stuff, and that's, according to telsey gabbard, a violation of our own treaties with great britain right. So that may be where the argument goes in this seat. We'll never know, because it's a secret court as well.

1:20:54 - Steve Gibson
So in a.

In a joint letter that was sent thursday to the head of this, lord justice singh um, by a collection of British civil liberties groups, they asked him to use his discretion because he had discretion to open the hearing to the public, arguing that doing so would not prejudice national security.

The campaigners for this issue said they wrote there's significant public interest in knowing when and on what basis the UK government believes that it can compel a private company to undermine the privacy and security of its customers. They argued that there are no good reasons to keep this hearing entirely private. It's probably embarrassment right, given that the existence of the secret legal order has been publicly reported and effectively confirmed by Apple's decision to remove its end-to-end encrypted service for British iCloud users. Politicians from opposition parties, including the Conservative Party, liberal Democrats and Reform, have also called. I mean everybody wants more transparency from the home office. David Davis, a Conservative Party politician whose long campaign to limit state surveillance powers, told Sky News the government needed to explain its case to the public if it wants quote effectively unfettered access to private data.

1:22:28 - Leo Laporte
So this is all good Secrecy is the authoritarian's friend. That's really sad yeah.

1:22:35 - Steve Gibson
And all of this mess, all this noise is what we need. You know these decisions need to be made, so I'm glad this is all you know coming to a head. Yeah, me too. It's what we need to have happening, because all this needs to be decided one. So I'm glad this is all coming to a head. Yeah, me too, it's what we need to have happening, because all this needs to be decided one way or the other. And, importantly, since the delivery of privacy and confidentiality is a commercial, competitive attribute, whatever the rules finally turn out to be must be universally applicable to all parties, equally and evenly. You know, and at this point, nothing about this process of secret UK government compulsion, you know, can become or remain the status quo. It has to change.

1:23:20 - Leo Laporte
I agree.

1:23:22 - Steve Gibson
Okay. So everybody with PHP-based servers listen up. Before we get to some feedback from our listeners, I want to make absolutely certain that anyone who's responsible for any PHP-based Windows web servers so not those running Linux this is not a Linux issue. Running Linux, this is not a Linux issue. You know I'm running Windows-based PHP servers at GRC our web forums, our email system, the GRCsc, you know, shortcut link redirector all that's over on its own server Because these are PHP-based.

That server is sequestered. It is on an isolated network that has no access to the rest of GRC because it's PHP, for exactly the reason I'm about to be telling everybody about. You know I had the ability to do that and since it wasn't code that I wrote, it's going to have its own little home where you know if it melts down, well, it'll be unfortunate, but it's got backups and rolling backups and everything. Still, I did not want it to be able to reach over into GRCcom and everything else that's there. Um, the good news is that the several ways the PHP interpreter and there it is, like you know, interpreter right, we know what a danger interpreters are the several ways the PHP interpreter can be invoked only the oldest, original method of using the php-cgiexe executable gateway, or, frankly, the phpexe itself, if it were to be placed in the php-cgi directory, is vulnerable.

1:25:20 - Leo Laporte
Well, we've known this for years, right? I mean, this is not a revelation.

1:25:23 - Steve Gibson
Well, we've known this for years, right, I mean, this is not a revelation. Well, cgi is not safe, but the XAMPP system still uses it by default. That's what it's using.

1:25:35 - Leo Laporte
I remember putting an open file share on my server. This was many years ago and what I didn't think. I thought people were going to upload files. They, somebody did. They uploaded a php file and executed it because I was running cgi, php, cgi and any file in any folder can be executed if it's php, yep, it's a big flaw, I learned. I learned a lesson then it's it's really bad.

1:26:01 - Steve Gibson
Yeah, so none of the newer approaches, including mod PHP, fast CGI which is what I'm using or PHP FPM, are vulnerable. However, as I said on Windows, the common use of the so-called XAMPP stack is vulnerable in its default configuration because it uses the PHP CGI executable to invoke the PHP interpreter and XAMPP refers to the Apache web server, the MariaDB database and both the PHP and Perl interpreters. So I breathed a personal sigh of relief at this, since all of GRC's many web servers have always been configured to use the fast CGI method of invoking PHP of a supported PHP, which means if you're on the 8.1 track, be 8.1.29 or later. If you're using 8.2, be at 8.2.20 or later. I'm at 8.2.28. As of yesterday, because of this news, I brought my servers up to speed because I was back on a vulnerable version, and it's easy to be. That was last summer and the good news is I have fast CGI, so in this case I wasn't vulnerable. But it's like yikes. And if you're on PHP 8.3, be at 8.3.8 or later. And unfortunately, this still leaves a massive population of publicly exposed PHP servers vulnerable to complete system takeover, that is. I saw the command line. I'm not keeping a secret, but it wasn't worth putting the show notes a command line that, when received by any of these vulnerable PHP systems, causes the system to reach out and download from an external server the content that they then want to execute on the vulnerable host. So I mean it's really bad. It's as bad as it could be. Okay, so here's the backstory. The news that put me onto this was just published by the Record. They wrote.

Researchers said Friday and this is the point, because, as I said, this is about nine months old, but it's just ramping up Researchers said Friday that a vulnerability initially exploited mostly in cyber attacks against Japanese organizations is now a potential problem worldwide, said exploitation of the bug, tracked as CVE-2024-4577, extends far beyond initial reports, referencing, in particular, a blog post published Thursday by Cisco Talos. The Talos team had said an unknown attacker was predominantly targeting organizations in Japan in January through the vulnerability which affects a setup called PHP CGI that runs scripts on web servers. A patch was issued last summer. Cisco Talos said the attacker's apparent goal was to steal access credentials and potentially establish persistence in a system, indicating the likelihood of future attacks. Granawi said it observed similar activity beyond Japan, revealing a far wider exploitation pattern demanding immediate action from defenders globally. That is this thing has just recently exploded, thing has just it's recently exploded. Get this there are 79 known ways to exploit the vulnerability and remotely execute code on a compromised system, and I think we need paul simon for this.

1:30:17 - Leo Laporte
79 ways to expect yourself.

1:30:20 - Steve Gibson
That's right yes, and not only remotely execute code, but remotely execute code which you've induced your server to download for you. Wow, I mean, it is really awful.

It's really bad. The PHP scripting language they wrote is decades old and is widely used in web deployment. Widely used in web deployment. Quote. Attack attempts have been observed across multiple regions, with notable spikes in the US, singapore, japan and other countries throughout January 2025. Cisco Talos said Thursday that the attacker it studied used a command and control server that deploys a full suite of adversarial tools and frameworks. Why not download them all? I mean, this thing will let them download anything they want into a vulnerable server and then run them.

1:31:14 - Leo Laporte
Yeah, get them all. It is just awful. Put all 79 exploits on there.

1:31:19 - Steve Gibson
The researchers said they believed the attacker's motive was to move beyond just stealing credentials. Researchers at Symantec had reported exploitation of this CVE last August against a university in Taiwan, not long after the patch was issued. The discovery of this is credited, now, leo, to an old friend of ours whom we have not heard much from recently, good old Orange Tsai. Oh yeah, at DevCorp, mr Pwned-Own Uh-huh. In just the previous four years, orange Tsai has won in 2021, 28th of Top 100 Microsoft Most Valuable Security Researchers Award.

In 2021, the champion of Pwn2Own Vancouver, also in that year, the third of top 10 web hacking techniques for exchange server remote code executions server remote code executions. He also won the Pony Award in 2021 for the best server-side bug for Exchange server remote code executions. The next year, in 22, he was the champion of Pwn2Own Toronto In 2024, last year, first of top 10 web hacking techniques for research of confusion attacks and the fourth of top 10 web hacking techniques for research of worst fit attack. So we know the guy. I mean, this guy is a super hacker and a responsible researcher.

1:33:02 - Leo Laporte
He probably makes a lot of money doing this, I imagine yeah.

1:33:07 - Steve Gibson
Last June 6th, when DevCorp published their security alert titled CVE-2024-4577, php CGI Argument Injection Vulnerability. It drew the security industry's attention they opened with. During DevCore's continuous offensive research, our team discovered a remote code execution vulnerability in PHP due to the widespread use of the programming language in the web ecosystem and the ease of exploitability. I mean, this thing is drop-dead, simple to exploit and that's one of the big concerns. This is script kitty heaven. Devcore they wrote classified its severity as critical and promptly reported it to the PHP official team. The official team released a patch on 6.6. Please refer to the timeline for disclosure details and I'll interrupt here just to say in their published timeline we see the way this is all supposed to go. For one thing, the PHP developers well understood the nature of critical bugs. You know, can you say interpreter? I mean, they've had their hands full for decades dealing with PHP interpretation bugs. And secondly, they all know Oren, sy and DevCore. So when you get a universal scope bug report marked critical from these guys, your plans for the next several days, if not weeks, just changed. So the timeline says on May 7th, devcorp reported the issue through the official PHP vulnerability disclosure page. That same day PHP vulnerability disclosure page. That same day, php developers confirmed the vulnerability and emphasized the need for a prompt fix. Nine days later, on May 15th, php developers released the first version of the fix and asked for their feedback. Two days later, on the 18th, the developers released the second version of the fix and asked for additional feedback. Two days later, on the 18th, the developers released the second version of the fix and asked for additional feedback. Another two days later, php entered the preparation phase for the new release version. That was May 20th.2.20, and 8.1.29.

Under description the DevCore people. So we're back to the DevCore disclosure now. Under their description, they explained while implementing PHP, the team meaning the PHP team did not notice the best fit feature. Get this, leo, you're going to love this bug. Oh my God. The best fit feature of encoding conversion within the Windows operating system allows unauthenticated attackers to bypass the previous protection of CVE-2012, number 1823, by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack. In other words, this PHP bug was originally found and fixed 13 years ago Wow, back in 2012. But Windows employs its own best-fit Unicode character conversion feature best-fit Unicode character conversion feature and OrangeSci discovered that many apparently 79, other deliberately crafted Unicode character sequences would be transliterated by Windows on the fly and used to bypass the fix from 2012. So this vulnerability had been there since 2012, never repaired, as it was believed to have been, and was under Linux, because Windows just changes characters as it wants to.

1:37:44 - Leo Laporte
To whatever the best fit would be.

1:37:46 - Steve Gibson
That's right. You didn't really mean that you meant this.

1:37:51 - Leo Laporte
It's a better fit.

1:37:52 - Steve Gibson
Yes, and, oh whoops, it bypassed a fix that we put in to prevent that from happening 12 years ago Wow.

1:38:02 - Leo Laporte
Yeah.

1:38:03 - Steve Gibson
Wow. This thing is so bad, for example, that a single query issued to any vulnerable Windows web server can cause, as I mentioned it, to fetch any remote file named in the query and then execute that file, no matter what it might be on the vulnerable machine file, no matter what it might be on the vulnerable machine. That's not anything that anybody wants to have happen on their server. Under the impact section of their disclosure they were very clear. They wrote this vulnerability affects all versions of PHP installed on the Windows operating system, installed on the Windows operating system Period. All of them, they also noted, since the branch of PHP 8.0, php 7, and PHP 5 are end-of-life and are no longer maintained anymore. Server admins can refer to the Am I Vulnerable section and the answer just is yes to find temporary patch recommendations in the Mitigation Measure section and in that Am I Vulnerable section they wrote for the usual case of combinations like Apache, http server and PHP server, administrators can use the two methods listed in this article to determine whether their servers are vulnerable or not. It's notable to address that scenario. Two is also the default configuration for XAMPP for Windows. So all versions of XAMPP installations on Windows are vulnerable by default as of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server, and so they showed traditional Chinese using code page 950,. Simplified Chinese using code page 936, and Japanese using code page 932. For Windows running in other locales, such as English, korean and Western European.

Due to the wide range of PDP usage scenarios in other words, it was just too much for them to check it's currently not possible to completely enumerate and eliminate all potential exploitation scenarios. There are just too many to fix. Therefore, it is recommended that users conduct a comprehensive assessment, verify their usage scenarios and update PHP to the latest version to ensure security. And even though I was using a non-vulnerable, fast CGI implementation, I'm not taking any chances, so I did move to the latest version yesterday that was written last June. Since then, it's been widely confirmed that this vulnerability can be exploited anywhere and on any vulnerable server, regardless of local language configuration.

Therefore, by far the safest and most recommended mitigation is to update to a version of PHP that once again fixes this problem, assuming that you have 8.1.2.3,. It's just a sub version update, so it should be as simple as just dropping new binaries into the, the P, the existing PHP, directly uh, directory, uh, and and then you're, you're good to go. So you know it should be a simple fix, but I just I wanted to absolutely be sure, because this thing is so bad and it is so likely that that many default configurations will be vulnerable and the, the exploitation of this is ramping up, you know, very, very quickly. So I want to make sure all of our listeners know, and anybody that they know that may be running PHP on a Windows server, it's only Windows that is the problem, because of Windows, unicode, it's Unicode that is doing this best fit character translation nonsense, which essentially created a workaround on behalf of the attackers for the fix that had been implemented back in 2012 when this was first found amazing.

Okay, I need to take a cat. Please catch my breath and sip some coffee and we're going to talk. We're going to look at listener feedback next. I think we all need to catch our breath after that actually geez.

1:42:42 - Leo Laporte
I'll never forget that. I thought I was. I can't. It must have been the very early days of the show. I think I was giving people a place they could upload something to the server, so I had an open file share. What I didn't understand is that somebody could upload plain text php file that could then execute yep. Fortunately I think we I caught it before it got I think I remember you talking about it on the show too.

It was like that was quite an eye-opener. I guess you know PHP can be executed from if you're using the CGI, from any folder anywhere, unless you specifically lock it down. We learn right. That's the whole point of the show. That's the whole point of being human we make mistakes and we learn. I hope we've learned now that we better back up our data and make sure we have copies of it.

This episode of security, now this portion of the episode brought to you by veem v-e-e-a-m, the data resilience experts without your customers' trust turns to digital dust. That's why Veeam's data protection and ransomware recovery ensures you could secure and restore your enterprise data wherever and whenever you need it, no matter what happens. I don't know why every company in the world isn't running Veeam. To be honest, it's close as the number one global market leader in data resilience. Veeam is trusted by over three quarters of the Fortune 500, 77%, to be exact to keep their businesses running when digital disruptions like ransomware strikes. This is no accident. Ransomware strikes. This is no accident. These companies understand they cannot take time out to fix ransomware or pay the ransom or get the reputation damage. That's why they use Veeam. Veeam lets you back up and recover your data instantly, and I didn't realize this. But one of the hard things I should have known about ransomware is data now lives all over the place.

With veem, you can recover, backup and recover your data across your entire cloud ecosystem. Every bit of it you may not even get bit in the first place being proactively detects malicious activity, so you can stop it cold. You can also remove the guesswork by automating your recovery plans and policies. You do have a recovery plan and policy in place, right? Well, vim will help you. If you don't get real-time support from ransomware recovery experts, should the worst happen, you're not alone. You got vim. Data is the lifeblood of your business. Get data resilient with vim v-e-e-E-A-M. Go to Veeamcom to learn more. You'd be crazy not to Veeamcom to learn more. It's the only way. It's the only way, my friends. All right, steve, I hope you are thoroughly refreshed.

Ready to go Next phase. What do they call it the back quarter of the show? Or Next phase? What do they call it the back quarter of the show? Or I don't know what they call it.

1:45:49 - Steve Gibson
So our listener, sam Miarelli, wrote hey, steve, on the applications thing, meaning employees from North Korea, he said. I run an industrial cyber security business. Last year, before we all knew about these things, we got an applicant who we hired to work in person who was incredible on the CV, lots of certs, including for FortiGate and video interview. We foolishly ignored warning signs when the in-person manager first met him post-offer and pre-start and things seemed a bit off.

After he started it was immediately clear the CV didn't reflect his actual skills. You know he was Googling how to apply firewall rules on modern GUI firewall admin interfaces. When I endorsed him, I chalked up his strange conversation style during the video interview to be from his accent and cultural, as he's from India, and he had all the right answers and wow again, what a great CV. In hindsight I'm convinced he was using an AI interview helper tool like at final round underscore AI, which I hadn't heard of before. At finalround underscore AI, sam said of course it's impossible to prove these things, so we're having to think harder about how we screen applicants in the future. Lots of phonies out there, not just the North Koreans.

1:47:28 - Leo Laporte
So a little bit of feedback from one of our listeners and a tip on the AI you might want to use for your next job. That's right If you happen to be interviewing.

1:47:38 - Steve Gibson
Want to sound a little more polished.

1:47:40 - Leo Laporte
Yes.

1:47:41 - Steve Gibson
Ian Beckett said actually these were a couple tweets at SGGRC regarding SN1012, our episode and Microsoft's SysInternal tools. He said these tools are so popular it's astonishing Microsoft's engineers don't securely recode these tools. The little sync toy tool he said download, now removed from Microsoft's sysinternal site, still provides just about the only way to simply do a regular Windows sync backup to external drives using a trusted tool. The pitiful inbuilt Windows 11 backup tools only purpose is seemingly to drive revenue to OneDrive subscriptions. He said I really despair of Microsoft nowadays. He said I really despair of Microsoft nowadays. Unless it generates online services revenue, they have little interest in user experience.

Then Ian is, of course, referring to the DLL injection vulnerabilities that were recently discovered to adversely impact the security of the use of sysinternals tools. Rather than loading the standard system DLLs from the system's well-known directories, the tools have retained Windows' once deliberate, though extremely insecure, design of first looking in the executable's own execution directory before looking elsewhere. This allows bad guys to drop their own malicious versions of these DLLs, perhaps even older versions of Microsoft's own signed Windows DLLs that contain long-since-patched vulnerabilities, allowing them to effectively turn back the clock to be exploited again. Microsoft reportedly said tough beans, we're not planning to fix them, they said, which seems irresponsible and, as we noted at the time, frankly, even if they were fixed, there's still a massive inventory of them already deployed out in the world and they never receive updates of any kind. So it's a mess. Tycoon Tom tweeted at SGGRC hi Steve, what's that networking app that shows you net traffic? The company was from Australia, he was just. You know. He heard me referring to it.

I got it running on my Mac right now. It's a win, isn't it? Yeah, it's networks N E T W O R X from a company called soft Perfect. I've got a link in the show notes for anyone. It's free for 30 days, after which I would be surprised if you don't want it forever for $15. As I noted, it will easily monitor the local machine, but my favorite feature is that from a local machine, it's also able to monitor the real-time usage of the entire network by watching the router's SNMP interface byte counters.

1:50:53 - Leo Laporte
Oh nice, oh, I forgot about that. Yeah, nice, oh, I forgot about that. Yeah, yeah, oh, I got to do that, that's great.

1:50:58 - Steve Gibson
Yes, you're able to set it up to monitor your entire family or local network land use.

1:51:04 - Leo Laporte
I need to do that. Yeah, very nice, very cool, very nice, good recommendation. Thank you, steve.

1:51:10 - Steve Gibson
John David Hicken wrote I'm not even sure it deserves a CVE. Oh, he's talking about the backdoor, the so-called backdoor from last week. I'm not even sure it deserves a CVE. This may well be similar to the case of the Win32 API and it's a DLL versus the at least one time undocumented API of NTdll. He said these ESP32 undocumented commands may not be guaranteed to survive the next chip redesign Device driver writers. Beware Cheers, john. Now, john's, of course, talking about last week's backdoor. That wasn't a backdoor. Hans, of course talking about last week's backdoor. That wasn't a backdoor.

As we said, there were some undocumented functions in the SOC the SOC, the system on a chip hardware and he's 100 percent correct that no one should be relying upon them for their own code, since, being unofficial and undocumented, the Chinese chipmaker Expressif should feel free to change their function or remove them entirely at any time. And I also agree that even assigning a CVE in retrospect was ridiculous. Though I understand the discoverer's motivation behind doing so, you know they were advertising this as a big, bad backdoor, which was the narrative that most of the tech press picked up on this. So yeah, you know you got to have a CVE to make it sound more real and scary. Mark Goldstein wrote thanks for sharing Roger Grimes' story on the North Korean hackers. You did an important public service. The recitation of the story was funny and compelling podcasting, he says I told Roger of your recitation.

1:53:07 - Leo Laporte
Oh, good Nice.

1:53:09 - Steve Gibson
And Mark said in 2009,. I wrote a business plan for my company, america Online, to acquire LastPass, he said. The CEO said we were not in the security business, meaning AOL was not, so my proposal was shut down, although one day I'd visited Joe and his team with dozens of ice cream sandwiches on a hot Washington DC day. Mark wrote after the first breach at LastPass, I searched for a new password manager. I read what cryptologists said. I read FAQs and everything on various password manager websites FAQs and everything on various password manager websites. Finally, I found that 1Password had written some technical papers, including their security model. It explained their various security choices. I could not evaluate all the crypto, but I understood their perspective of the vulnerabilities of password managers. I discovered that they knew users of 1Password could create easy-to-crack master passwords, so they used the master password along with a strong certificate to create the security for each instance of the password manager on a PC, mac, iphone, etc. When I create a new instance of 1Password, it copies the strong certificate to the new device. If someone cracks my 16-character password, they still must crack the 64-bit certificate. Good luck. He finished writing. This is why I chose 1Password.

He finished writing. This is why I chose 1Password. Subsequently, I use 1Password on my iPhone and Windows PC. Their cross-platform implementation of PassKeys works great for me. Passkeys on 1Password is my security solution. Regards Mark, and I should mention that 1Password is also a sponsor of the Twit Network and I wanted to thank him for sharing his note and experiences, and many of us agree that that's a great. You know that 1Password is doing a terrific job. I should note that I've always also been a fan of 1Password's additional user account entropy, which they introduce using a client-side blob. While it means that it must be duplicated and replicated across all of a user's devices, that's a one-time requirement. That then creates and provides very strong additional, enduring security forever, which makes sense to me.

1:55:53 - Leo Laporte
Yeah, we've talked about this before and I remember I asked you is it more secure? And you said well, if you use a good password, it's not, but just as Mark says, it's for people who use monkey123. But then it makes me wonder what do you need the password for? You've got the certificate.

1:56:10 - Steve Gibson
Yes, right, it's very much the way you and I also use.

1:56:13 - Leo Laporte
It's called the suspenders.

1:56:14 - Steve Gibson
You and I use certificates for SSH login. That's right. So it's both a password to say this is who we are and a certificate so that if somebody else tries to spoof who we are they can't get in.

1:56:29 - Leo Laporte
Actually, once I have the certificate set up, I don't use the password anymore. I just automatically log in because it's a key, strong exchange.

1:56:35 - Steve Gibson
Yeah yeah, uh. An anonymous listener said steve, please keep my night, my name confidential. He said I would like to explain to you what happened to last pass a few years ago. I work for a major cloud distributor and this occurred during a meeting with their CTO at the time, since LastPass was one of our vendors. I asked what happened and the CTO explained that the dev at home was using Plesk on his personal Mac, which was hacked due to a Plesk media server that had not been updated. That much we know, he said, but the primary issue was that he was logged into the LastPass network from his personal machine. I asked the CTO why he was able to log into LastPass's network from a personal machine, since they had policies in place to prevent that. The CPO confirmed that they did not enforce their own policies. Also, the secret AWS keys where they stored their customer vaults was kept in last-pass corporate secure notes, so it was readily accessible to anyone Wow, even those who didn't need access to them.

1:57:54 - Leo Laporte
And, of course, as everyone knows, plesk is written in PHP, so it's doubly secure.

1:57:58 - Steve Gibson
Oh, so your evaluation, he said, of the product wasn't wrong. It's a good password manager, but the we haven't had previously. Since we cannot know how and where crucial decisions were being made, there's really no way to assign specific blame. But one thing we do know is that LastPass really dropped the ball on the PBKDF iterations issue, kdf iterations issue, and there's really no excuse for that. They just didn't care. We know that because once this was brought to the glaring attention of the industry, then they went to the trouble of autonomously updating everyone's iteration counts later, you know, retroactively. This proves that they could have done so at any time but never had bothered to before. As we know, I always draw a sharp distinction between policy decisions and mistakes. The LastPass developer, whose machine was doubtless targeted and compromised, was not practicing good security hygiene and LastPass was not managing the connections to their corporate network securely. So the developer made a bad mistake, but not a priority decision to like to fix that, as it should have been, and that's unforgivable that they need to be held accountable for, and it's only those people whose, whose um last pass vaults are being cracked retrospectively, retroactively, essentially because they had zero iterations or some 500 low early iteration count. And that is all on LastPass.

Jeff wrote to us Steve Mandiant is reporting on an espionage campaign by China exploiting Juniper Big Iron routers and he provided a link to that from Mandiant, which is the Google-owned security firm, and he cites it saying, quote end of life hardware and software writing. Yeah, that's the thing I see all the time. He said you don't want to know what I found on the network of my Fortune 500 defense employer last week. It's a bit of a dog bites man story, but it's part of a pattern by China to infiltrate critical infrastructure and hold it at risk as part of their national strategy. Signed Jeff. He says PS Ha, I forgot to use my GRC registered email. I appreciate the instant bounce so I could fix that and resend in less than two minutes. Okay, so since Jeff referred to his Fortune 500 defense contractor employer, I left off his last name, though it's familiar to me since he's been an avid provider of feedback through the years. I was familiar with the news that he, linked to older Juniper routers, have problems that have been resolved in later devices and those older routers are no longer receiving up receiving updates, so they're stuck running older firmware that will never be repaired. Still, those routers are well built and running.

So it's difficult for any CIO to tell his CFO that you know we need some money and a bunch of money to replace some aging network infrastructure equipment. You know. The CFO replies okay, what's wrong with it? Isn't it still working? And our responsible CIO says well, yeah, but it's old and it's no longer being maintained by its manufacturer so it could have some security weaknesses that could possibly be remotely exploited by foreign hostiles. And the CFO says so, you're saying that, as far as you know, there's nothing wrong with it and it's still working just fine. But there might or might not be something wrong with it and we wouldn't know. And our CIO, feeling that he's losing this one, says yes, that's exactly right, we could be in danger. And the CIO or I'm sorry, the CFO ends the discussion saying, okay, I get what you're saying here, I really do.

But you know we have some very, very pressing needs and they're not what ifs, they're real. It only makes sense for those to take priority. So I don't know how this changes over time. Certainly every one of the C-suite executives appreciates the need for proactive security. That CFO would not blink at the need for an industrial strength firewall appliance to keep the bad guys out, if they didn't have one and I'm sure there was one from the get go, and I'm sure that intellectually, everyone also appreciates the need for security updates and patches. Everything around them is constantly being updated and patched and fixed their phones and their PC and now even probably the cars they drive and we're all being told that these measures keep problems from ever occurring. But we never actually see any of these supposed problems right, so they remain intangible and it makes it a little difficult to sell. It feels like this is going to require a cultural change and that's just going to take time.

And while I intensely dislike the rental model, as we know, you know that the world is moving toward in the case of keeping older gear secure, there's real value being offered. Where I believe that, for example, juniper has missed a trick is in choosing to allow their appliance, their older appliances, to fall out of maintenance and to not tie its continued operation into an annual paid maintenance agreement. They're leaving money on the table by not offering to keep their older devices alive and maintained in return for some cash. The very many companies with older and still working Juniper gear. They're not updating to newer devices because the older devices their customers already have are still working. But those customers do truly need security maintenance for those devices going forward and they would probably pay for it if they were allowed to. But they're not. They're being told oh, you got to. You know it's obsolete, it's old, it's no longer being maintained. You got to buy new stuff and it's not cheap. It's a lot more expensive than it was when they bought the first stuff. So why abandon a customer and their ongoing need for security? To me it makes no sense. But that's the way the business is happening.

Bruce Olson said I wanted to make sure you knew about this claim being made by users on Reddit. It seems that the organization behind Zima boards and that company is called Ice Whale. He said, maybe selling user information, as some folks have started receiving marketing targeted at email accounts given to Zima board. And he's finished. That's all I had to say Thanks for all the great work and always looking forward to the next episode. Bruce from Michigan. So that's disappointing, right, it's certainly a reason for using an email aliasing service so that this abuse can be controlled by the email's recipient and, in the case of Ice Whale, the Zemo board creators.

I guess I can't say that I'm surprised. I receive a great deal of promotional email with all manner of special offers and come-ons from them, like directly from them. And I just went over to their site and the top of the page has a bright orange scrolling banner saying sign up now and unlock up to $50 for new members. So they're very promo. Happy over there at Ice Whale. And if this concerns you, this argues for purchasing their boards through Amazon, which you can do. But I suppose I would just chalk it up to you know the cost associated with obtaining a perfect little single board PC having two network interfaces, two SATA ports, a PCIe expansion slot and Linux preloaded. All for 90 bucks, 90 US dollars, and you've got this perfect little machine. It's still the best deal around, even if one does need to give them a temporary throwing throw away email address.

And what was freaky is that I did not plan this. Freaky is that I did not plan this as I was moving through my email feedback. The next note that popped up after Bruce's note about the ice whale selling our contact data, was this note from Bill Allen with the subject loving my Zima board, and I've got two pictures that Bill included with his email in the show notes. He wrote Steve, I got started with a ZimaBoard specifically to run Spinrite more easily on hard drives in my office, which it does very, very well. But of course it would, because that's what I use to develop Spinrite 6.1. And it's got a SATA port, so you just connect it right and it can run three dots.

2:08:33 - Leo Laporte
It's got a sata port, so you just connect it right and it can run free.

2:08:36 - Steve Gibson
Does, yeah, a pair of sata ports?

2:08:38 - Leo Laporte
yeah, I was gonna say. I mean, I'm not sure it's had better than the raspberry pi which is 35 bucks, but that is how it's better. It's got a sata port yeah well, and it'll run.

2:08:45 - Steve Gibson
Spinrite and the raspberry pi won't, won't right exactly right.

2:08:49 - Leo Laporte
Yeah, is it an x? It's a x86 architecture. It must be be. The Xima board is yes.

2:08:55 - Steve Gibson
It is Intel-based. Interesting Anyway, so he said. But the Xima board has turned to a bit of an obsession and a really fun project platform. He said here's my Xima board system, and he showed us a picture of it all wired up and another picture of a screen. He says to its right is an outboard PCIe card carrier for the NVMe M.2 drive it's booting from. And he said, upper left is a mini travel wireless router in client mode, he said down, and to the left is an Adderlink IPKVM which is giving me keyboard, mouse and video access to it across my local network via its internal VNC server, currently running FreeDOS, as shown in the other photo. That FreeDOS install also has Spinrite 6.1 on it. Of course he says thanks for pointing us to the Xima board. Best regards, bill in Crowley, texas. So anyway, I've received many similar reports through the years since my discovery of this lovely little device. It's not super powerful. I always purchased the smallest of the three available models, since it was just going to be running FreeDOS, which, you know, uh, can be powered basically by a squirrel cage. But these little boards are the machines that built and tested spin right. So anyway, I just thought I would, you know, share that fun bit of feedback. Uh, it is a great little solution.

Mark Jones wrote a note that has some detailed lead in, but I loved his story, which is a bit of a head shaker. So the subject of his email feedback was AI and Microsoft Defender. Get this, mark wrote. Dear Steve, love the show. Loyal listener since episode one, club Twit member. I really appreciate you and Leo. I encountered something new that illuminates some of the comments you've made recently about AI.

I volunteer with an organization that has websites and a newsletter. About half our membership is employed by one of two big multinationals. Both are Microsoft shops. Both have lots of barbed wire wrapping their IT infrastructure. Microsoft Defender blocks questionable sites. The sieve is set pretty tight. At one point when I was still working there, grccom got blocked and I'll just insert a little note here.

For many years I was hosting known viral code for research purposes at GRCcom. The page contained, you know, the various archives and was very clearly marked. As you know, download at your own risk. Everything was red and flashing and you know it was very clear that this was, you know, old viruses that people might want to play with. But any search engine or trawling bot sees zip archives containing known dangerous viruses and freaks out. So since there's no interest in that really anymore, that's long since removed and some of those false positives that others were also reporting have ceased. Anyway, mark's note continues.

I moved 25 years worth of our organization's newsletters to its own site three years ago. The site is only three PHP files, some XML for SEO and a bunch of PDFs. I made the move after consultation with IT folks at the company I used to work for prior to retiring. They indicated that simpler was better at keeping out of the crosshairs of security sites. Sites that allow visitors to upload files are particularly troublesome to the corporate IT folks and our main site over my protests has WordPress plugins that accepts uploads. Has WordPress plugins that accepts uploads.

Just recently the site and he's talking about his site, midlandchemistorg started being blocked by the corporate Microsoft protection meaning of the company he used to work for, which is using Windows Defender. He said I went to an IT friend and asked how I could fix it. After three years of being okay, the site was suddenly being blocked. He was kind and connected me with someone responsible for the blocking. Here is where AI comes in. Get a load of this in. Get a load of this.

The filters, meaning Microsoft Defender filters, are now AI-based, not rules-based. He could not tell me why the site was being blocked. Because there was no rule being tripped. There are no rules anymore. Something about the site triggered the AI algorithms. No reason could be given. It was just AI, just as you described. Ai makes connections that may elude human interpretation. The good news is there is a way to whitelist sites, provided I can find an employee willing to take responsibility. Regards, mark. Wow, you gotta love that one. We turned all site blocking over to AI, so it just does whatever it does. We no longer know what or how.

2:14:53 - Leo Laporte
Welcome to the future so this is the defender that everybody has on their windows machine, right?

2:15:00 - Steve Gibson
yep, wow, yep, interesting a listener who just uses his initials, pv, said steve, I was recently casting a line out into the sea of Kindle Unlimited suggestions. Unfortunately I also ran into the Artifact book you talked about before, but I also found a winner. The series is called Dumb Luck and Dead Heroes by Skylar Ramirez. It starts out a bit rough in the first book. Both main characters are at very low point in their lives and there's a lot of wallowing in that. But it picks up really fast and there's a lot of crazy fun space adventure and just the right amount of humor. And I thought of this because I know that our listeners enjoy books that incorporate some humor. And he said, besides the main books, he has a lot of little side stories that are the strange but true details behind one of Brad's stories and there's also three books about his best friend who's also a King's Cross assassin, which are a bit of a different tone but fun as well. He said I generally am not a fan of side stories but I enjoyed all of these to 1100 and beyond signed PV. So anyway, I appreciate, uh, and I am forwarding PV's recommendation without any of my own review, so I can't vouch for and I'm not vouching for the dumb luck and dead heroes book or series by Skylar Ramirez, but it's got some humor in it and I just wanted to let our listeners know if they're looking for another one of our listeners' recommendations.

While we're on the topic of sci-fi reading, for my part I am remaining ever more deeply hooked on Neil Asher's novels. I'm now into the third of the first five novel Agent Cormac series and toward the end of the second one I realized that I was really having a good time. As I mentioned, I am super finicky about the quality of writing and these are fully satisfying for me in that regard, and he's building up some really interesting characters. You know it's still pulp. You know I'm not meaning to suggest otherwise and it's not free. Unlike PV's discovery of those dumb luck and dead heroes novels, which he found through Amazon's Kindle Unlimited, these Neil Asher novels are $7 each but, as we've said, with a five-shot Starbucks latte now at $9.50, I am easily obtaining more than $7 worth of entertainment from each of these. And given how much Asher has written and the comments online that they only get better and better with time and I'm going back to the beginning and starting from there I know I'm going to be stuck reading everything that he's written for quite a while. And lastly, before we get to today's main question of just how susceptible any of the PC-compatible machines you may have may be to Rowhammer attacks.

And while I'm reviewing sci-fi stuff, there's something Laurie and I watched and immensely enjoyed last Friday evening. Who knew I had a subscription to Apple TV and that I enjoyed science fiction themes? If some such person were to recommend the Gorge to me, having just watched it Friday night, I would have been appreciative of their recommendation. So, having seen and enjoyed the movie immensely, I am hereby making that recommendation to our listeners. As the movie unfolded, it had all the promise of being what I call a perfect movie, and there aren't many of them. They're rare, and this is not one. Um, they're rare, um, and this is not one. As the plot unfolded, the movie was perfectly paced. It was in no hurry to get where it was going. You had no idea. You could not guess what it was about. Even I mean, it was a mystery for the viewer. It unfolded gradually. Only necessary facts were revealed. Also, it happened to star that actress who played the chess prodigy in the Queen's Gambit.

2:20:08 - Leo Laporte
Anna Taylor-Joy Really like her Big eyes, very easy on the eyes.

2:20:31 - Steve Gibson
She is one of the two protagonists, okay, so I have to say that it got a bit ridiculous, like maybe they were trying to create a video game tie-in in the latter part of the movie. But having said that, I could easily watch the entire first portion of the movie again. I mean, it was so satisfying, and I imagine that a lot of our listeners may be a little less finicky about people who never die despite how many shots are fired at them, that kind of thing. But okay, still, you know, I'm no longer 14. I'm not a fan of implausibly ridiculous, over the top violence, but it's there on Apple TV. If you're a subscriber, you already have it waiting for you, and I do recommend it. It was, you know, don't? It's not? It's not, as I said, it's not an award winner. But it was, you know, don't, it's not?

it's not, as I said, it's not an award winner, but it was really enjoyable and the first half was it was perfect it was it was really good good, I'll have to check it out and leo, let's give our listeners a recommendation of something else, perfect, and then we're going to look at rohammer, in this case, club twit.

2:21:36 - Leo Laporte
Now I know those of you who are watching, uh in our discord know all about club twit and I apologize because if you were just if you had downloaded this, we would have cut this out, because that's one of the benefits of club twit people who pay less than a starbucks venti latte seven bucks a month get ad-free versions of this show and all the other shows.

So that is you know. I think some might say that's the chief benefit. You do get access to our Club Twit Discord, which I think is a significant benefit. That's the hangout for all the Club Twit members. A great bunch of people, people, great conversations going on and we have lots of events inside the clubhouse for club twit members coming up tomorrow at 6 pm. It's kind of a cozy evening of crafting. 6 pm pacific with micah, micah sergeant. He's doing. He's building miniature stuff, miniature houses, miniature rooms. But you could do. But you could do Lego, you could do needlepoint, you could code Whatever it is. Your craft is build boats, whatever. You could join Micah and a bunch of people for a chat and a get-together. We just started doing this. Anthony Nielsen said we need an AI user group. So every fourth Friday we get together and talk about AI.

Of course there's lots of special shows in the club, like the Untitled Linux Show, hands-on technology, hands-on Mac, hands-on Windows Photo Time's coming up April 3rd. Chris Marquardt I am going to do another coffee segment with Mark Prince. He emailed and said I've got a great guest. I said let's do it. So there's benefits there get action, access to the club, access to the discord ad, free versions of all the shows, but really the real benefit is you are supporting what we're doing. If you enjoy the programming, if you find yourself listening to one of our shows more than once a week, I think joining the club would be a great thing for you and for us. Seven bucks a month twittv, slash, club twit that's all it takes. Now, if you are already a member of the club or you don't want to be the member of the club but you want to do something to help us, of course and I hear from people a lot oh, I buy all the products, or many of the products you mentioned. That's a great way to help us support our sponsors.

You can even do something as simple as leaving us a review. We found that advertisers pay attention to the reviews. I don't how many stars we have on iTunes. I have no idea. I know it's a good show, so I don't pay a lot of attention, but advertisers, they're always looking for a shortcut. They do so another way you can help us go to your favorite podcast client iTunes is probably the most popular and leave us a five star review. Say why you listen to steve and what you like about the show. That's another way you can help us out. So we are really a user supported, a listener supported, network. Uh, we have advertisers, yes, but but we're nothing without you, and your support means the world to us. Let us know what you think. Join Club Twit. Twittv, slash, club Twit. We can't wait to welcome you into the little clubhouse there. Now back to Steve Arino, because I'm dying to find out what's going on here.

2:24:48 - Steve Gibson
It's rare that we're able to invite the listeners of this podcast to actively participate themselves in cutting-edge security research, but this week, a research team that has been looking into and questioning the actual dangers presented by Rohammer attacks is asking for as much breadth and depth of real-world participation from the field as they can get. This amounts to downloading an ISO file, writing it to a thumb drive, then booting and running the Arch Linux OS and Rowhammer data gathering tests that it contains. I immediately downloaded the 1GB ISO, used the latest for me, rufus version 4.6 for Windows, to transfer that ISO onto a 32GB thumb drive, booted it on my Zima board and let it run in the background while I worked on the podcast. Okay, but let's back up a bit. We've been talking about the many various aspects and versions of the original discovery known as Rowhammer since its first description back in 2014. It was 11 years ago that this was first found. In the inevitable quest to increase the density of main system dynamic RAM you know the RAM that's typically measured in tens of gigabytes engineers squeezed every last bit of noise margin out of their designs. The RAM still worked, systems booted and, for the most part, ran reliably. But then some clever researchers came along and asked a question no one else had before. They asked what if we were to hammer over and over and over on one row of ram or on the ram on either side of one row? Might that confuse the nearby bits? And we know the answer to that question. It turned out that yes indeed. Not only can neighboring bits be affected, but those effects can be powerfully weaponized to completely collapse and bypass the security boundaries and guarantees upon which all modern computing relies for its operational security.

During the decade that followed, since 2014, these surprisingly prevalent and successful attacks have been elaborated upon and expanded by many groups of researchers across the globe. The attacks have been strengthened. As Bruce Schneier reminds us, attacks never get worse, they only ever get stronger. They've been optimized, they've been sped up. Research has have even demonstrated Web based exploitation via JavaScript code and even using network packets. The receipt of network packets to induce Roehammer vulnerabilities. And after the industry reacted to the initial news of these exploitable weaknesses with improved designs like DDR3 was where we were then. Ddr4 was supposed to fix it, but didn't. Ddr5 was supposed to fix it, but still hasn't. The industry reacted, trying to fix this New designs, faster refresh, detection of row hammer attacks on the fly. Anyway, nearly four years ago, in May of 2021, google's security blog posted Introducing Half-Double New Hammering Technique for DRAM Row Hammering Bug. Google's summary of their discovery is worth a quick review, since it nicely lays out today's situation, they wrote. And so this was six years downstream from the original revolution or revelation of row hammer, they said. Today we're sharing details around our discovery of half double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.

Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses. Much like speculative execution vulnerabilities in CPUs, rowhammer is a breach of the security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system. Rowhammer was first discussed in a paper in 2014 for what was then the mainstream generation of DRAM DDR3. The following year, google's Project Zero released a working privilege escalation exploit. In response, dram manufacturers implemented proprietary logic inside their chips that attempted to track frequently accessed addresses and reactively mitigate when necessary. As DDR4 became widely adopted, it appeared as though Rowhammer had faded away, thanks in part to these built-in defense mechanisms. However, in 2020, the Trespass paper showed how to reverse, engineer and neutralize the defense by distributing accesses, demonstrating that row hammer techniques are still viable, and we did a podcast on. Trespass went one step further and demonstrated exploitation from JavaScript without invoking cache management primitives or system calls.

Traditionally, rowhammer was understood to operate at a distance of one row. When a DRAM row is accessed repeatedly, the aggressor bit flips were found only in the two adjacent rows. The victims on either side. However, with half double, we've observed row hammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, b and C we were able to attack C by directing a very large number of accesses to A, along with just a handful dozens of flips to B, have a nonlinear gating effect in which they appear to transport the row hammer effect of A over through B to C. Unlike trespass, which exploits the blind spots of manufacturer-dependent defenses, half-double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rohammer is a property of distance, which makes sense to me. The physics involved effectively becoming stronger and becoming stronger and longer ranged. As cell geometries continue to shrink, distances greater than two are conceivable.

Google has been working with JEDEC, an independent semiconductor engineering trade organization, along with other industry partners, in search of possible solutions for the Rowhammer phenomenon. Jedec has published two documents about DRAM and system-level mitigation techniques. We are disclosing this work because we believe that it significantly advances the understanding of the Rowhammer phenomenon and that it will help both researchers and industry partners to work together to develop lasting solutions. The challenge is substantial develop lasting solutions. The challenge is substantial and the ramifications are industry wide. We encourage all stakeholders server, client, mobile, automotive and IOT to join the effort to develop a practical and effective solution that benefits all our users.

So everyone is worried about the possibility of what this would mean, but despite all the academic work that's been done, there have never been any reports of actual Rowhammer attacks in the wild. This is reminiscent of Spectre and Meltdown right, but it might also be more relevant to the Y2K worry here, where, despite the fact that the world did not end on Y2K, that may have been largely due to so much work going into making sure beforehand that it would not end beforehand that it would not end. But in the case of all the various Roehammer attacks, questions have been raised about the attack's true feasibility in real-world scenarios. This brings us to the December 2024 presentation at Germany's 38th Chaos Communication Congress, during which a trio of academic researchers observed that the actual practical impact of these various ram-hammering attacks remains unknown and is still therefore largely theoretical. They noted that past academic research always used small they considered them relatively microscopic sample sizes. They said the density of memory cells in modern DRAM is so high that disturbance errors like the Rohammer effect have become quite frequent.

An attacker can exploit Rowhammer to flip bits in inaccessible memory locations by reading the contents of nearby accessible memory rows. Since its discovery in 2014, we have seen cat and mouse security game, with a continuous stream of new attacks and new defenses. Stream of new attacks and new defenses. Now, in 2024, 10 years after Rowhammer was discovered, it's time to look back and reflect on the progress we've made and give an outlook on the future. Additionally, we will present an open source framework to determine whether your system is vulnerable to RoHammer.

In 2014, researchers reported a new disturbance effect in modern DRAM that they called RoHammer. The RoHammer effect flips bits in inaccessible memory locations just by reading the contents of nearby memory locations that are accessible contents of nearby memory locations that are attack accessible. They trigger the Rohammer effect by accessing memory locations at a high frequency using memory accesses and flushes. The root problem behind Rohammer is the continuous increase in cell density in modern DRAM. In early 2015, seaborn and Dullian were the first two to demonstrate the security impact of this new disturbance effect. In two different exploit variants, they demonstrated privilege escalation from the Google Chrome NACL sandbox to native code execution and from unprivileged native code execution to kernel privileges code execution, and from unprivileged native code execution to kernel privileges. Later in 2015, gruss et al demonstrated that this effect can even be triggered from JavaScript, which they presented in their talk RowHammerjs Root Privileges for Web Apps.

Now, in 2024, it is precisely 10 years after Rowhammer was observed. Thus, we believe it is time to look back and reflect on the progress we've made. We have seen a seemingly endless cat and mouse security game, with a constant stream of new attacks and new defenses. We will discuss the milestone works throughout the last 10 years, talking about the presentation they're about to give to the Chaos Congress, including various mitigations, making certain instructions illegal ECC, doubled refresh rate, trr, targeted row refresh and how they have been bypassed. We show that new Rowhammer attacks push the boundaries further with each defense and challenge. While initial attacks required native code on Intel x86 with DDR3 memory, subsequent attacks have also been demonstrated on DDR4 and more recently on DDR5. And more recently on DDR5. Attacks also have been demonstrated on mobile ARM processors and AMD x86 desktop processors. Furthermore, instead of native code, attacks from sandbox, javascript or even remote attacks via network have been demonstrated as well.

Furthermore, we will discuss how the Rowhammer effect can be used to leak memory directly, as well as related effects such as row press. We will discuss these research results and show how they're connected. We will even talk about the lessons learned and derive areas around the Rowhammer effect that have not received sufficient attention so far. We will outline what the future of DRAM disturbance effects may look like, covering more recent effects and trends in computer systems and DRAM technology. Finally, an important aspect of our talk is that we invite everyone to contribute to solving one of the biggest unanswered questions about Roehammer what is the real-world prevalence of the Roehammer effect? How many systems in their current configurations are vulnerable to Roehammer? As large-scale studies with hundreds to thousands of systems are not easy to perform. Such a study has not yet been performed. Therefore, we developed a new framework to check if your system is vulnerable to RoHammer, incorporating the state-of-the-art RoHammer techniques and tools. Thus, we invite everyone to participate in this unique opportunity at the 38th Chaos Communication Congress to join forces and close this research gap.

The site. They called their overall work Flippy Ram because it's flipping bits. So F-L-I-P-P-Y-R. Flippy Ram. But the site has the dot between the R and the M, so F-L-I-P-P-Y-R dot A-M. You know H-T-T-P-S. Colon slash, slash. F-l-i-p-p-y-r dot A-M. That's where all of this lives. That's where all of this lives. Anyone who's interested, should, you know, go to flippyram, grab a copy of the open source test tool. They say when you get there, welcome to our flippyram study.

We want to analyze the prevalence of Rowhammer in real-world systems. Everybody can participate in our study. The entire source code is open source and available via GitHub. You can either build the ISO yourself or run the entire study using Docker. However, we highly recommend using the ISO image. And the ISO is just flippy. You know, flippy ram. Slash hammer, isoiso.

They said simply follow these steps, download our ISO image and flash it to a USB thumb drive.

See the following links for instructions for Windows, mac and Linux. Boot the system you want to test using the thumb drive you created before, specify the time the experiment should run and confirm your participation in the study. They said when you do not want to participate in the study, you can still check if your system is vulnerable to Rowhammer without submitting any data. Step four wait for the experiment to finish. Step five you'll get a brief overview of the results. Additionally, the raw results will be stored on the thumb drive for you to inspect afterwards. And six the results will be uploaded to our server and you can access them using a URL shown at the end of the test, only if you confirm to participate before. Okay, so first of all, you should know you are asked afterward if you want to do the upload, so there's nothing happening behind your back. None of your data will sneak away. The default testing time is eight hours, so the idea being you know you run this overnight while you're not using your computer, and then it's done in the morning.

2:42:50 - Leo Laporte
It's a probabilistic attack. It doesn't work every time. Correct.

2:42:54 - Steve Gibson
Exactly, and so it requires some patience, and unfortunately they don't have anything cool like a running total on the screen of like row.

hammer strikes so you're not getting any results available on the way. It does take a while to get going. On my Zima board, I wasn't sure it was working because it has four stages and it went to 100% on the first stage, then it went to 55% on the second stage where it sat for a long time. The first stage is fetching info, but that's not from the network, it's just from the system, apparently. Then retrieving addressing functions that's stage two, and my Xima board sat there for a long time. But I have also since then run it on one of, actually on a next generation GRC server platform that I have not yet deployed. So I mean it's got I don't know how many cores this thing has 27 or something and I mean it is a screamer. It acted exactly the same way. It sat at a hundred percent for a while or took a while to get to a hundred percent. Then the second stage sat at 55 for a long time. Since I started it yesterday afternoon on the server and let it run until this morning, I let it run for 16 hours. I should have known nothing would show, because this is a server platform with error correcting. You know it's got ECC RAM, server RAM, which is unusual, and it came out. It came back completely clean, but on the other hand, it was nice to actually see that validated. So it will take some time.

Once it finishes, you get a summary on the screen. Summary on the screen it writes a long report in log files in text on another partition that it creates on your thumb drive which you are able to look at. And then this morning I got a big QR code that I took a picture of with my phone phone and the phone also wanted to open it, and so I haven't had a chance to look at it. But there you get a detailed report from their server which analyzes an incredible amount of information. I mean these log files. I don't know how many hundreds of log files I had that it had, that had it written out. So anyway, for what it's worth, I'll be uploading and I did all of my results and I would hope others would too to give them as large a cross-section. I think it'd be interesting, if you have older machines to see whether like old DDR3 or DDR4 machines, to see if they're actually vulnerable to Rowhammer attacks.

2:45:58 - Leo Laporte
Now they say Macintoshes, you can run this on a Mac. Yeah, okay, yeah, so it's not an x86.

2:46:06 - Steve Gibson
Yeah, I don't have any non-x86 hardware here, or I would have done that, but I imagine that it is multi-platform.

2:46:13 - Leo Laporte
So anything with ddr345 yeah is five immune no five's not immune attacks have surfaced for ddr5.

2:46:22 - Steve Gibson
Basically everything we have in the world now is still vulnerable to rohammer to some degree yeah interesting and they said I mean, this is dumb.

they said an incentive. The following two rewards can be won when you upload a valid data set, you'll receive a cryptographic token. This token is generated by hashing random data. And when you upload your data set, you will save this token separately in our database or, I'm sorry, we will save this token separately in our database. This means the token is not associated with your data set. This ensures that you can participate in the raffle without linking the token to your data set. Please make sure to bookmark or save the token. Then they said the first 10 valid tokens they receive via email will get a flippy RAM t-shirt. I'm sure those are long since gone. And then everyone who sends us an email with a valid token will participate in a raffle and have your chance to win a 10-euro Amazon gift card.

The more tokens you send us, the higher your chances are. So token away. Anyway, they've got two releases of the tool so far, version 1.0 and 1.0.1. They published the SHA-256 hashes of both the ISOs, if you want to make sure that they weren't tampered with, although I've never understood the logic of that, because if someone was going to tamper with the ISO, they would just tamper with the with the posted SHA-256 also.

Yeah, Anyway, fine. Anyway, at the bottom of the show notes I have a link to the the Chaos Communication Congress presentation. It's a multilingual soundtrack, so it's probably available in your language. If you want to listen to the whole presentation and I hope our listeners will, you know, have some fun Copy it to a thumb drive. So it's probably available in your language.

If you want to listen to the whole presentation, and I hope our listeners will have some fun Copy it to a thumb drive, run it on your machines overnight, see what you find out. Let me know via our SecurityNow feedback, because it'd be fun to share some of our listeners' results and also submit your data to them. It's all anonymous, no information that you care about. I mean you're booting from scratch, right, and they tell you if you're worried about any of your mass storage devices, disconnect them while you're running the test and then the machine knows nothing about you, has no ability. But you can also look at the source code and I'm sure these are good guys in any event. So a fun thing for our listeners to do.

2:48:58 - Leo Laporte
Yeah, kind of interesting While you're waiting for episode 1018. And it runs for eight hours. That's the fixed amount of time, or can it run for a different amount of time?

2:49:10 - Steve Gibson
It defaults to eight. It's got hours and minutes in a little field and you can change it. I changed it to 16 for my server.

2:49:18 - Leo Laporte
Well, why not?

2:49:19 - Steve Gibson
Because I had 16 hours I was going to be away from it, so what the heck?

2:49:22 - Leo Laporte
Yeah, and I mean honestly, it's conceivable that it wouldn't even get a hit in that amount of time. So right, I mean, there's no. Like I said, it's probabilistic, it's not.

2:49:33 - Steve Gibson
It's going to be interesting to see what our listeners find. I did not get much satisfaction from the Zima board. I think that its hardware you know it is sort of an embedded system, so it's not a full PC, and a number of the tests that they had the Zima board did not qualify for Right right.

2:50:00 - Leo Laporte
So it'll just be interesting to have it run on more systems. Very cool, yeah, yeah, you can find out why. You know, I meant to mention this when you read the message from the person who wanted to remember the name of the network speed tester. You do very complete show notes, notes which have links to all this stuff. So you don't have to write to steve to say what was the name of that thing you mentioned last week. Just go to grccom and get the show notes. It'll be undoubtedly in there.

Uh, the show notes are practically a transcript of the show, uh, and then, of course, there's the transcripts there as well, as well as two unique versions of the audio of the show. Steve does 16 and 64 kilobit MP3s of the show, so if you want a smaller version of it, you can get it there. That's at GRCcom. We have the 128 kilobit version and the video at our site, grccom, also the home of Spinrite. Uh, would run lovely on a zima board if you have one, or any time, anything you can. You, you have to have a machine that can boot into bios. Yes, correct, yeah, yeah, uh.

2:51:03 - Steve Gibson
That's why the zima board's a good idea, because then you could test the hard drive on something that does boot into bios yeah, and in fact, in order, in order to run this test, I had to enable uh uefi on the zima board, because I had it disabled because I wasn't using it. Right, you don't use it.

2:51:19 - Leo Laporte
GRCcom get the world's best mass storage, maintenance, recovery and performance utility. That's Steve's bread and butter. There's lots of free stuff there too, lots of information, and if you want to email Steve or if you want to get copies of the show notes mailed to you or as occasional, very occasional uh email blasts, you can go to grccom slash email and submit your email address. Uh, steve does leave those boxes unchecked. So if you want the newsletter, make sure you check those boxes for those two different emails, uh that steve sends one every week, one very rarely. Grccom slash email.

2:51:58 - Steve Gibson
That's also how you have to the other one only once, ever so far.

2:52:01 - Leo Laporte
That's very rare. You do have to do that if you want to email Steve, because he just rejects every email out of hand unless he knows your address. So validate your address GRCcom slash email. Our website for the show twittv slash SN. As in security, now you can get copies of the show there. There's a link to the YouTube channel. There are links to a couple of podcast clients that you could use to subscribe, but really any podcast client is going to have a security now on it and that's the best way to get the show, whether you want audio or video.

Of course, club twit members have their own special feeds that have no ads, so that's why you pay seven bucks a month for that. What else can I tell you? Join the club twittv slash, club twit. Leave a review for the show. That would be very much appreciated. Five stars, if possible. Don't mark us down a star, for I don't know for anything. It's five stars, that's it. Period, that's it. That's all there is to it. What else? We do the show every Tuesday, 11 am Pacific, 2 pm Eastern Time, 1800 UTC, and I mention that because you can watch us do it live Certainly not a requirement, but if you would like to see the very freshest first edition of this show. Uh, you can watch if you're in the club, on discord or youtube or twitch or tiktok or xcom it's these are all open to all. Uh, kick facebook and linkedin eight different ways to watch live. Uh, we will be back next tuesday with the dynamic, ever-loving Steve Gibson for more security news. Steve, have a wonderful week and I'll see you then.

2:53:38 - Steve Gibson
Right on my friend Bye.