
Security Now 898 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here with lots to talk about. Red Hat cryptographically signing its zips. How do you do such a thing? We'll talk about the FBI. Apparently they tried to use Pegasus. How legal is that? And then we're gonna talk about Wi-Peep, a new way to map Wi-Fi access points or, more threateningly, to track people using Wi-Fi devices. All that and more, coming up next on Security Now. Podcasts you love

... (00:00:32):
From people you trust. This is TWiT.

Leo Laporte / Steve Gibson (00:00:41):
This is Security Now with Steve Gibson, episode 898, recorded Tuesday, November 22nd, 2022: Wi-Peep.

(00:00:52):
Security Now is brought to you by Tanium. Tanium unites operations and security teams with a single platform that identifies where all your IT data is, patches every device you own in seconds and implements critical security controls all from a single pane of glass. Are you ready to protect your organization from cyber threats? Learn more at tanium.com/twit. And by Barracuda. Barracuda has identified 13 types of email threats and how cyber criminals use them every day. Phishing, conversation hacking, ransomware plus 10 more tricks cyber criminals use to steal money from your company or personal information from your employees and customers. Get your free ebook at barracuda.com/securitynow. And by SecureWorks. Are you ready for the inevitable cyber threats? SecureWorks detects evolving adversaries and defends against them with a combination of security analytics and threat intelligence directly from their own Counter Threat Unit. Visit secureworks.com/twit to get a free trial of Taegis Extended Detection and Response, also known as XDR.

(00:02:06):
It's time for security now to show where we cover your security, your privacy, your online exploits, your offline deploys with this guy right here, Mr. Steven Gibson. Hi, Steve. Leo, great to be with you again, as always. Good to see you. What is this? The pre Thanksgiving episode? It is of, yeah. Now. Yeah. And we're almost in the 900 s, which is a scary place to be. Actually, it was interesting because when I got Elaine's transcript last week, she said this was 897. Yeah. And she ex she reminded me, she said, okay, that means that we are 102 episodes from 9 99 and there are 51 episodes per year because we, we skip one for the holidays. She's paying attention, which means exactly, precisely. Two more years Wow. Of security. Now, I'll put that in my calendar. Oh, honey, I'm not gonna let you forget <laugh>. So by then you might say, oh, I'd like to keep doing this.

(00:03:14):
You know, Leo, I may have the hang of it by then, <laugh>. And so it'd be like, not not that big a deal. Well, as somebody who just quit the radio show after 19 years of doing that, I can kind of understand after a while you get to a point where it's like, you know, I've done everything I'm gonna do. And imagine now, I would say you could sleep in on Saturday, except that the show didn't start until 11. So if this really changes your, your sleeping habits, then we have a different problem. I get to do stuff on Saturday, which is, I mean, I've worked weekends for 19 years. That's a long time. Yes. In fact, what was happening was you were only working six hours on, you know, two days, Saturday and Sunday for three hours. Yeah. And then you and I were meeting once a month up in Toronto.

(00:04:02):
Yeah. You, you were spending four days up there to record 15, 15. I'm, I'm getting ptsd. I'm just hearing about it. That's just, and you crazy. And you had three unfilled weekday weeks. And so you said, you know, let's do some shows. I got a lot of time on my hands here. What was I thinking? Oh, let's, well, aren't you glad now that you have a podcast? I was, I've been telling people this is the first time I I've, I've, I've not been working for anybody in my whole working life. I'm working for myself for the first time ever. Something you know a lot about, but, well, except now you have a wife. So Well, as Patrick nor once told me, cause I said, I wanna work for the man. He said, Leo, there's always a man <laugh>. And in this case, the man is a woman.

(00:04:48):
But still, no, she we're partners. But, but it is kind of interesting that I've been a, you know, employee, a 1099 or a W-2 employee for my, since I was 16 years old. So that's a, that is a big change. I think the podcast thing might work out. That's all I'm saying. Eh, it might turn out to be something I don't need to keep this job anymore. Yeah, it might. So we're gonna note this week many things. We've got a new version of Firefox. Google recently reached a nearly 400 million user tracking settlement. We've got some interesting legislative things to talk about during these next couple hours. Red Hat has started cryptographically signing its zip distributions. Like, what, you can sign a zip? Well, not really, but. The FBI purchased, turns out, the nefarious Pegasus software or the spyware, they, that it's just to kind of see what it's about.

(00:05:46):
Uh-huh. Greece paid 7 million euros for a similar spyware called Predator. Passkeys has a directory listing the sites where they can be used. So that will be exciting. The OMB, the US Office of Management and Budget, has decreed a quantum decryption deadline. Oh, oh, yes. And of course, we're all gonna pay attention to that. Also, 33, speaking of paying attention to the FTC, 33 US state attorneys general have asked the FTC to get serious, my friends, about online privacy regulation. We'll see how that turns out. We've got some engaging listener feedback and SpinRite is finally, eh, a day or two away from its final testing. What begin? I'm, yeah, it's done's. I'll explain, I'll explain. I've got, I have a couple drives here. There's three, three drives, which are weird and you should not write to these drives.

(00:06:49):
So I'll, I'll explain about that. Oh, and then we're gonna wrap up by examining some chilling research, which allows the physical location in 3D space of every Wi-Fi device within its range, like within a, a multi-story building or whatever facility, to be accurately located within a meter or so by someone simply walking past or flying a tiny drone for about 20 bucks. So that's the Wi-Peep thing. So we're gonna talk about all this and we have a picture of the week that had you almost falling off your chair. It was pretty funny. It was, yeah. It's a pretty interesting, it was one, I liked it. I think a good podcast all coming up on this fine 898th edition of Security Now. That's kind of amazing, isn't it? 98 <laugh>.

(00:07:54):
Well, you know, it's funny cuz the last tech I show is December 18th. And it's gonna be, I think episode 1955. I'm one shy of my birth year, and I've thought if I could just do, or actually one, it'll be 1954, and then the best of will be 1955. If I could just do one more. That's okay. That's okay. Our show today, brought to you by Tanium. Love these guys. Their, their position about all this security stuff is that, get ready for this. The industry's approach to cybersecurity has a fundamental flaw. And I think you'll agree when I say what it is, it management security point tools really don't do it all. They only offer a small piece of the solution needed to protect your environment. Many of them promise they can stop all breaches. They just can't. The key to a, we've always talked about layered security, right?

(00:08:47):
The key to a successful security strategy is layered security, but it's also information. Knowing what's, what's out there, there, what's going on, what the threats are, what's happening in your network. Making decisions based on stale data, trying to defend your critical assets from cyber attacks with tools that, that don't even talk to each other. That's no way for IT teams to navigate today's attack surface. It's time for a different approach. Tanium, it's one of these disruptors that has come along, burst into the scene and has transformed everything. Tanium says. It's time for a convergence of tools, of endpoints and IT operations and security. Now they have solutions for every sector, government entities, education, financial services, retail, healthcare. You could trust their solutions for every workflow that relies on end point data. They've got asset discovery and inventory instantly very fast. Which means you could track down every asset in your entire IT space and, and, and know what you own instantaneously.

(00:09:50):
They'll help you with risk and compliance management. They'll let you find and fix vulnerabilities in seconds at scale. Notice there's a, there's a little theme here at scale, very fast, right? Their threat hunting is amazing. Hunt for sophisticated adversaries in real time. You can do client management, automate operations from discovery to management. Again, across your entire estate. You've got sensitive data monitoring, which is important, right? You gotta index and monitor your sensitive data. You could do it globally in seconds. You know where every bit of data is and who has access to it. Even maybe more importantly, Tanium protects organizations where other endpoint management and security providers have failed all in one platform. Tanium identifies where your data is across all your entire IT estate can patch every device you own in seconds, can implement critical security controls. And it can do it all from a single pane of glass.

(00:10:48):
Just ask Kevin Bush, he's vice president of IT at Ring Power Corp. He says, quote, Tanium brings visibility to one screen for our whole team. And if you don't have that kind of visibility, you're not gonna be able to sleep at night. Sounds like Kevin knows what he is talking about. With real time data comes real time impact. If you are ready to unite operations and security teams with a single source of truth and confidently protect your organization from cyber threats, it's time. Yame Tanium. To learn more, visit tanium t a n iu m tanium.com/twit tanium.com/twitt. We thank you so much for supporting security. Now you support us by using that address so they know you saw it here. Tanium.Com/Twit. I'm ready, my friend, for the picture of the week. So for those who are not video connected here, as always, I have to explain this.

(00:11:46):
 We have a, a flatbed transport vehicle, a flat board trailer sort of thing. And it looks like there, there's a, on the left is a sort of a rust colored red container where someone probably said, Hey we, we need you to pick up some dirt. So, you know, bring a container. And we got some dirt for you, <laugh>. Well, apparently the container that they brought was too small. Yeah. Couldn't fit be because it's, you know, it's about one third of the back of this, of this trailer, this flatbed. And the rest of it has been piled up with the overflow dirt that didn't fit in the container. Now, in a scene world, they would throw a tarp over this whole thing, right? And like lock the tarp down. But maybe they didn't have a tarp. Anyway, some apparent rocket scientist here decided, well, you know, I've gotta do something right, because I've just got this exposed dirt on the big pile on the back of this trailer.

(00:12:57):
 So they did what they used, what they had. They threw a, about a two inch diameter belt across the top of the pile of dirt, which is about <laugh>. I don't know. It, it covers maybe 4% of the, of the pile. Mm-Hmm. <affirmative> the rest of it exposed to the air. Now there's the, you can sort of see off also on one side, Leo facing us there is like, there's, looks like there, the strap was somewhere else initially, cuz you can sort of see some of the dirt was flattened on the side there. Oh yeah. It's moving a little bit. Yeah. So it looks like, well it looks like maybe the strap was originally anchored on the, on the slot in the trailer. One notch further forward. See how points down? Too much time looking at. So there was, yes, there was <laugh>.

(00:13:46):
Are you telling me there's a reason SpinRite took three years? No, I think Logan five in our chat room may have come up with something. It's not to prevent slippage, it's to prevent theft. Oh, it's brilliant. <Laugh>. You wouldn't want someone to steal dirt. Don't, don't steal under dirt, man. So, so, so this is like that pole that we saw that had the bike lock around, right? Yeah. Where it didn't, it did, it indicated an intention without actually providing any enforcement. I love it. Oh my. Anyway. Oh my, oh my once again, we're, we're, we seem to be drifting here a little bit off of the security related topics recently, but it's secure dirt. No, no, it's secure. Well, part of the, part of the goal of podcast is to have some fun. And so we're, we're providing some entertainment. Do that. Yes.

(00:14:36):
Okay. With Firefox version 107, which was released last Tuesday a week ago, nothing was earth shattering. There was no critical security fixes, but there were a very large and welcome collection of high severity things fixed. No zero days that were noted. There were also a couple moderate severity repairs. So, you know, it appeared to be primarily be released just to fix those things since there were otherwise even a large number of new features. A couple little developer things. You know, they're continuing to push the standards which Firefox supports forward because, you know, the web people can't keep their hands off of like, Ooh, how about if we added the ability for it to, to read your mind? That would be good. It's like, well, okay, we don't have that technology, you know, but let's develop an API for that so that when we do webpages will be, I mean, that's, this is what's going on.

(00:15:32):
So a little bit more of that is happening. Nothing else to see. It was interesting to me to see that Google recently settled something that we discussed four years ago. This was a suit brought against Google by 40 states attorneys general. They settled for 391.5 million where that number came from. Oh, you know, only the attorneys know. As I said, we talked about this four years ago, back in 2018, when these offices of those 40 states attorneys general sued Google, alleging that Google had been lying and misleading users into thinking that they had disabled location tracking in their account settings. The lawsuit followed some reporting that was produced by the Associated Press, which found that Google was continuing to track its users even after they had enabled the account privacy setting that claimed to turn off location tracking. So in that settlement, Google agreed to pay this 391 and a half million dollars in restitution.

(00:16:49):
And also, of course, to change the way it handled location tracking in the future. The, the first thing we're reminded of is that the wheels of justice when they don't completely fall off the wagon, do tend to turn slowly at least in the United States. So it took us four years to get to this point. The other thing we learned is that thanks to Google's posting about this, their own posting we learned what has changed since then. So their posting last week was titled Managing Your Location Data. And it brings new meaning to the phrase, putting on a happy face that <laugh>, they, they wrote location information lets us offer you a more helpful experience when you use our products from Google Maps, driving directions that show you how to avoid traffic to Google search, surfacing local restaurants and letting you know how busy they are.

(00:17:54):
You know, like all the benefits right of Google knowing where you are. They said location information helps connect experiences across Google to what's most relevant and useful and okay, yeah, that's certainly the case, or can be. They said over the past few years, right, while this lawsuit was in the works, we've introduced more transparency and tools to help you manage your data and minimize the data we collect. That's why we, and then they have three things launched. Auto delete controls a first in the industry and turned them on by default for all new users giving you the ability to automatically delete data on a rolling basis and only keep three months, 18 months or 36 months worth of data at a time. And if that sounds familiar to our listeners, it's cuz yes, we covered this when this was happening. All second thing they did developed easy to understand things.

(00:18:57):
I'm sorry, <laugh>. Easy to understand settings like incognito mode on Google Maps, preventing searches or places you navigate to from being saved to your account. And third, introduced more transparency tools, including your data in maps and search, which lets you quickly access your key location settings right from our core products. And they said, these are just some ways that we have worked to provide more choice and transparency consistent with these improvements. We settled an investigation with 40 US state attorneys general based on outdated, <laugh> outdated product policies that we changed years ago, as well as, but okay, you know, in addition to the 391 and a half million dollars outdated product policies we changed years ago, as well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data. So things to come. These updates include three things, revamping user information hubs to help maintain how location data improves our services.

(00:20:21):
We're adding additional disclosures to our activity controls and data and privacy pages. We're also creating a single comprehensive information hub that highlights key location settings to help people make informed choices about their data. Okay. So, you know, more transparency. Second thing, simplified deletion of location data. We'll provide a new control that allows users to easily turn off their location history and web and app activity settings and delete their past data in one simple flow. We'll also continue deleting location history data for users who have not recently contributed new location data history to their account. And third, updated the account setup. We'll give users setting up new accounts a more detailed explanation of what web and app activity is, what information it includes and how it helps their Google experience. So they finished today's settlement is another step along the path of giving more meaningful choices and minimizing data collection while providing more helpful services.

(00:21:40):
So it seems clear that what was going on during these four years, I mean, you know, lots of back and forth was some negotiation about the things that, that Google was being asked to do proactively in order to make what, you know, make what they were doing, make this tracking behavior, which initially got them into such trouble that, you know, these forties attorneys general decided to gang up and, and say, look, this needs to change. So, you know, stepping back from this a bit, it, it, it must be truer than, than I guess I'm able to understand that the more information an advertiser has about someone, the more revenue is generated by showing that person advertisements. You know, I mean, as our list, as our listeners know, I've always been somewhat skeptical about that. That I mean, that it, that it can mean that much.

(00:22:41):
But, you know, it seems to me that advertisers would not be trying so hard if it didn't really make them more money since they also know that no one wants to be profiled and tracked across the internet. So they wouldn't be risking our wrath to the degree they are if it really, really wasn't valuable to them. So anyway we've got, in a minute we'll be talking about a different issue with some more attorneys general and the FTC. I caught wind of a mention that Red Hat had started cryptographically signing its deployment zip files. Okay, now that made me curious, since I never heard of zip files being cryptographically signed. We've always talking about executables being signed and you know, we know that web, web assertions of their identity are signed, but that was new for me for zips. And with all the problems that we've been seeing with supply chain poisoning, obtaining verifiable assurance of an archive's unmodified authenticity, that would be great.

(00:23:58):
So a cryptographic signature could do that. And cryptographic signing makes way more sense than the old school practice of publishing the hashes of files on the same site where the files are being hosted for download. Doing that never made any sense to me since if a bad guy was able to compromise a web server to alter the files being downloaded from that site, what would keep them from also updating the hashes shown at the same site as proof of a file's authenticity? You know, talk about a false sense of security. So anyway, this is a lot better than that. So I looked into what was going on and I found a posting by Red Hat titled Cryptographic Signatures for Zip Distributions. I paraphrased what they posted to remove a lot of their oversimplified descriptions for our audience. So they wrote, our build system, Brew, produces our RPM and zip distributions and automatically hashes the archives.

(00:25:15):
It makes the hashes are used to validate that the files have not changed before they're uploaded to our CDN and made available to customers. We've taken advantage of this aspect of our build process and extended it by combining all of the hashes for a particular release and packaging them into a sha256sum file. So, s-h-a-2-5-6-s-u-m file. This file is in a standard format that lists the hash and the corresponding the corresponding file name of the particular file artifact, as is a term they use. It is commonly used across the industry to provide integrity to binary files. However, it's not limited to that. The sha256sum command on Red Hat Enterprise Linux, other Linux distributions and macOS natively support this file format. They said, since our software production team has completed their verification procedures, I'm sorry, once our software production team has completed their verification procedures, they sign off on the release from both a process and technical perspective.

(00:26:38):
The sha256sum file they created is signed by our latest release key, which produces an .asc file. This file is an ASCII-armor-formatted detached signature file that proves the integrity and provenance of the sha256sum file, and transitively the zip file artifacts enumerated within that file. The gpg command on Red Hat Enterprise Linux, other Linux distributions and macOS supports the file format natively. Due to the potential damage that a lost or stolen private key could cause, we've taken additional steps to add assurance to the signatures we produce. The primary technology behind this is our signing server. To sign these files, we use a high-strength 4096-bit private key, and our public keys are available on our website and the MIT, you know, Massachusetts Institute of Technology, public key server. Okay, so that's what they posted. Red Hat's mention of a detached signature simply means that the signature itself resides in a separate file.

(00:28:10):
The signature is just a, an, a SHA-256 hash of the file it's signing, which is then encrypted under Red Hat's super secret, and in this case very long, 4096-bit private key, which they're careful not to let loose. You know, just like my GRC code signing keys, it probably resides in a, an HSM, a hardware security module, where it literally cannot be extracted. It can only be used. So there's no reason for that signature file not to stand alone. That is, again, it's just you. So there's this, this composite file which contains this. The, the hashes and the files that they, that they were hashed from. That's just an a listing, a textual listing, an ASCII file. That file is then SHA-256 hashed. That's the file whose integrity you wanna verify. That SHA-256 hash is then signed with their, with their signing server and, and the res.

(00:29:33):
And which is to say that the, the SHA-256 hash is encrypted with the private key. So that creates an encrypted blob, which is the signature, and it's a free standing file. So somebody who then wants to verify that uses the Red Hat's private key, which is available from several sources. So you don't have to worry about that being screwed with in order to decrypt the blob that will bring that decrypting, that blob re restores the SHA-256 hash, which you can then use to verify that the file of the hashes that you've got matches and has not been tampered with. So you know, this is a welcome move as a deterrent to the abuses that we are now seeing and talking about more and more of today's supply chain. And it's probably where the broader open source community will need to go.

(00:30:41):
The glitch here, the glitch to doing that is that Red Hat Enterprise Linux Corporation, you know, Red Hat Corporation has no problem maintaining a SI signing server and buying a certificate that asserts their identity. But the open source world has always had a problem with the need to pay for certificates. As we know, Let's Encrypt solved this problem by making TLS certificates free for web servers. But the challenge here is not the same. Let's Encrypt offers no guarantees about the identity of a site. It provides domain validation certificates where the only requirement is for the certificate to match the server's domain name. Specifically, it does not offer, that is, Let's Encrypt does not offer OV, organization validation, certificates. In order to issue OV certificates, any certificate authority must by, by universal agreement perform some significant reconnaissance to positively verify the identity of the entity requesting the certificate so that the ness means something.

(00:32:02):
And what's more, of course, many open source projects are just some guy working alone without any organization to be validated. So maybe the solution will be, for example, to come up with a secure means for submitting repositories to GitHub for its signing with its signature. Then using some much stronger means for asserting the identity of the individual requesting the signing service, for example. That process might require much more rigorous multifactor authentication. Something again, you're, you're really wanting to put it out of the reach of bad guys to get in there and screw this up so that it means something. So it's a problem that needs to be solved, but you know, one way or another, we need a solution to this current supply chain pollution problem. And, you know, the application of a bit of, of a bit of crypto might be a place to start.

(00:33:04):
So, you know, hats off to Red Hat for doing a little pioneering here in, in that way, <laugh>. Okay. Now the FBI purchased Pegasus, you know, that's the NSO Group's infamous smartphone spyware platform. They said it was for research and development purposes last week. Yeah. What are they developing? I wonder? Yeah. Last week, the New York Times ran a story with the headline, Internal Documents Show How Close the FBI Came to Deploying Spyware. Now I have a little bit different take on this, but we'll get to that in a second. The New York Times reported that last December, FBI director Christopher Wray told Congress, this is behind this closed door testimony, that the Bureau purchased, Bureau as in, you know, Federal Bureau of Investigation. The Bureau purchased the infamous Pegasus phone hacking tool for research and development purposes. Well, it turns out that FOIA, the US Freedom of Information Act, can be quite handy for figuring out things that really happened.

(00:34:28):
Here's how the Times explained what they found. They wrote, during a closed door session with lawmakers last December, Christopher A. Wray, spelled W-R-A-Y, the director of the FBI, was asked whether the Bureau had ever purchased and used Pegasus. The, so like directly asked, the hacking tool, writes the Times, that penetrates mobile phones and extracts their contents. Mr. Wray acknowledged that the FBI had bought a license for Pegasus, but only for research and development, to be able to figure out how bad guys could use it, for example, he told Senator Ron Wyden, according to a transcript of the hearing that was recently declassified. But dozens of internal FBI documents and court records tell a different story, writes the Times. The documents produced in response to a Freedom of Information Act lawsuit brought by the New York Times against the Bureau show that FBI officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools made by the Israeli spyware firm NSO in its own criminal investigations, that is, in the FBI's own criminal investigations.

(00:35:54):
The officials developed advanced plans to brief the Bureau's leadership and drew up guidelines for federal prosecutors about how the FBI's use of hacking tools would need to be disclosed during criminal proceedings. Like, okay, how how did you get this information? Well, it came to us. Uh-huh. So the Times writes, it's unclear how the Bureau was contemplating using Pegasus and whether it was considering hacking the phones of American citizens, foreigners, or both. In January, the Times revealed that FBI officials had also tested the NSO tool Phantom, a version of Pegasus capable of hacking phones with US numbers. The FBI eventually decided not to deploy Pegasus in criminal investigations in July of 2021, amid a flurry of stories about how, about how the hacking tool had been abused by governments across the globe. But the documents offer a glimpse at how the US government over two presidential administrations wrestled with the promise and peril of a powerful cyber weapon. And despite the FBI decision not to use Pegasus, court documents indicate the Bureau remains interested in potentially using spyware in future investigations. Okay. And of course, the Times reporting brings up the question of Christopher Wray's apparently misleading testimony in front of Congress. Senator Ron Wyden is not, hap, is not happy about that. In a statement from his office, it read, it is totally unacceptable for the FBI director to provide misleading testimony about the Bureau's acquisition of powerful hacking tools, and then wait months to give the full story to Congress and the American people.

(00:38:04):
So the Times revealed in January that the FBI had purchased Pegasus in 2018, and over the next two years, tested the spyware at a secret facility in New Jersey. Since the Bureau first purchased the tool, it has paid approximately 5 million to the NSO Group. Now, it seems to me that the issue with Pegasus is less about its use than its potential for misuse and abuse. The worry is that once they have it repressive governments would be unable to resist the temptation of using it to spy on political rivals. We'll see an example of that here in a moment. And of course, dissidents and other non-criminal actors, and of course Pegasus doesn't respect geopolitical boundaries. So anyone who has it can aim it at anyone else anywhere. But in the United States, we have a system for, for obtaining court orders, for searching and for making legal within bounds what would otherwise be illegal reconnaissance.

(00:39:23):
So as long as the FBI would only be using Pegasus within our constitutional protections, I think that it would be a useful tool to empower their criminal investigations. And yes, they would be required to tell a judge that this is what we want to do, this is how we're gonna do it, and we have probable cause and all the other, you know, requirements of getting a court order to pursue things like a wire tap and so forth. So it seems to me yes it is problematical because it could be abused, but if we're gonna have systems that are that, that are otherwise not prone to be subject to court order search, then maybe this is the way it happens. Yeah. I mean, what do you think? I mean, we allow wire taps under court order. Exactly. Exactly. Is this is Pegasus somehow too dangerous to be used?

(00:40:31):
I think the concern is it just, its control. The, all the reports we have suggest that it is a zero click tool, right? Which it is possible to target at an individual's smartphone. And it goes in against all of the attempts by Apple and Google, you know, iOS and Android to keep it out. There are enough ways in that it gets in and then it's able to provide the entity that deployed it with information. You know, the, the equivalent of someone unlocking their phone and also being eavesdropped on. It's able to, you know, it is a surveillance tool. I guess the question always is, is it, is it, first of all, it's gonna be a very expensive, it's a million dollar surveillance tool, right? It's very, very expensive. Yes. Multi, multi, multi, because it can't be used too often or it loses its, its usefulness because as soon as the companies, you know, find it, they'll, they'll defend against it.

(00:41:35):
So these, these zero days are very, very expensive, especially, and it might no click. It also might very well be that it is tightly tethered. Well, it, that's actually, and this might have been the problem, as I understand it, the NSO Group is responsible for the hacks. You don't just give the FBI Pegasus and say, have fun with it guys. Yes. It doesn't work that way. Right? Right. Right. So that's another problem is that some international company, an Israeli company, would then be privy to what you're doing, right? Yeah. That might be a bigger problem and other entities may not care. But that may be something that we can't, you know, get over. And in fact, maybe that was the beginning. You know, the, you know, in, in testimony like this, there's typically some piece of truth. So probably, yeah. The FBI said maybe we need to be empowered with this tool, right?

(00:42:30):
Because we're unable to get in any other way. So let's buy a copy and let's learn how it works. Let's have the Pegasus experience so that we can decide if this is something that, you know, we can sell to the greater government. It's my understanding that what you are buying really is the NSO Group access. They trigger it on, let's say they wanna spy on my phone, the NSO Group gets into my phone, triggers it, and then hands control over to the FBI, right? So, right. I'm sure that's illegal <laugh> in the US because that's, that's an Israeli in a company, not even a government entity, but a, a business that you're, the FBI says, okay, well wanna hack Leo's phone, here's his phone. Hack it for us. I don't, I, that can't be legal. So you're right. They just, it literally was research. They just wanted how, you know, let's, let's understand it a little bit better.

(00:43:26):
Yeah. But I can't imagine the NSO giving the keys to the kingdom to the FBI either. That's why they do it that way, right? No, yes. And, and in fact, I have a, another related story that sort of speaks to that. Greece, the, you know, the Athens government, Greece bought a related program, Predator, for 7 million euros. Wow. A recent report in the Greek press claimed that Greece's government paid 7 million euros to Intellexa, I N T E L L E X A, Intellexa, for access to the Predator surveillance and spyware platform, and an additional 150,000 euros for the ability to rotate ten new targets per month. So that says, yes, they were not given, you know, carte blanche. They had to, you know, it is tightly tethered to, under Intellexa control. So this little bit of accounting news follows the massive scandal of the Greek government having been caught using the spyware to go after not only rival political parties, but also journalists and prosecutors investigating government corruption.

(00:44:51):
So this is the, this is the double edged sword, is that, you know, it, it seems to be impossible for governments that purchase this to, to behave themselves. Again, I would hope that if it were made possible for the FBI to acquire this technology, it would be done above board. It would be done within the constitutional protections of the government. I'm sure there were those who, you know, Edward Snowden, who don't believe it. It could be possible. But we do have, we've set up a situation where, where the technology that our private citizens and corporations are using is not subject to court orders. And, you know, thus the tension that we're currently under. So anyway, it's, again, as I said, it seems to me the problem is less about the tool than how it's used. Mm-Hmm. <affirmative>, you know, it is technology. It already exists and it's going to exist.

(00:45:52):
So it makes more sense to me to properly regulate and control its use than to attempt to deny it completely. Which, you know, just forces its use underground and maybe it's old fashioned, but I also feel like we're the United States. We should be better than those other guys. You know? I agree. You know, we should have higher standards. Just, just cuz other countries use these tools, doesn't mean we have to. Yeah, I agree. Leo, I also, you want a break? Okay. I do <laugh>. You agree that it's time to take a break. You and I both agree about that. Our show today brought to you by Barracuda, we love Barracuda. Barracuda is a security company that we use, we work with, and a lot of people should be working with. They have done some really interesting research. They have a, a threat, you know, a really, really high quality threat team.

(00:46:49):
And they have identified 13 kinds of email threats that are in widespread use. Cyber criminals are using 'em every day. Some of them, you know, phishing, spear phishing, conversation hacking, ransomware. There's actually a total of 10 plus three. So 13 tricks, the three I've just mentioned, and, and 10 more that cyber criminals use to steal money from you, from your company or personal information from your employees and customers. So now the question every business owner should be asking is, are we safe? Are we protected? I ask Russell this every time I see him. Email cyber crime, it is probably the number one way bad guys get into your system. And it's becoming more sophisticated. Attacks are getting harder and harder to prevent. Perimeter defenses are often insufficient. They're gonna use social engineering, you know, fear and, and, and urgency to convince your employees to do something they ought to do.

(00:47:50):
Social engineering attacks, including spear phishing and business email compromise, cost businesses on average $130,000 an incident, $130,000 an incident. As demand for COVID-19 tests, for instance, at the beginning of 2022 rose, of course, what happens? Barracuda's researchers saw an increase in COVID-19 test related phishing attacks between October and January of this year. 521% increase because the bad guys, you know, they're, they're watching the headlines. Again, fear and urgency, right? They're gonna prey on your weaknesses. When everybody got a really interest in cryptocurrency in the late 2020. And I guess they're interested now for other reasons now, but, but a year ago, remember, and there were all these ads encourage, fortune favors the brave and all that. The price of Bitcoin went up 400% between October, 2020, April, 2021. Guess what? Barracuda research found that impersonation attacks using Bitcoin and crypto as the, you know, that come-on, increased 192% in the same period. The Internet Crime Complaint Center last year, the IC3, received 19,369 business email compromise and email account compromise complaints. I'm sure that's just the tip of the iceberg. That's the ones, those are the ones that came into the IC3, with adjusted losses of over 1.8 billion.

(00:49:20):
It's not enough to secure your email at the gateway. The perimeter defense not gonna do it. You gotta, of course, you gotta have, you gotta have gateway security to protect against, you know, malware, viruses, zero days, all that stuff. Spam, you gotta fight that too. But your gateway's defenseless against spear phishing, against targeted attacks. Attacks, you know, that seem to come from the boss, you know, to an employee by name, for instance. Protection at the inbox level. And, and by the way, this has to include AI and machine learning. It's necessary to detect and stop the most sophisticated threats. I got a solution for you. It's very easy. Just get the copy of the Barracuda report. You should be reading this. Your IT department should be reading this. 13 email threat types to know about right now. It explains how cyber criminals are getting more and more sophisticated every day.

(00:50:12):
How you could build the best protection for your business, your data, and your people. And of course, do it with Barracuda. Find out about those 13 email threat types you need to know about and how Barracuda can provide complete email protection for your teams, your customers, and your reputation. Get your free ebook at barracuda.com/securitynow. barracuda.com/securitynow. Barracuda, your journey secured. We thank 'em so much for supporting TWiT and especially for supporting Security Now and Steve's work. They care a lot about your security and they know Steve is here to make a big difference. You help us, by the way, when you use that address, always, with all of these ads. Go to barracuda.com/securitynow. We thank you, Barracuda. Otherwise, they don't know why they're suddenly getting so much more business. And they are. And we, we needed to know it's us.

(00:51:07):
It's us, baby <laugh>. All right, Steve, on we go. So the password manager 1Password has added support for passkeys to its offering. And in a nice promotion of passkeys, they've created a community supported online directory listing online services currently supporting passkey authentication. I've been waiting for this because I wanna play with passkeys. You know, I've got iOS 1.1 point, or 16.1.1 I think now, and it's supposed to support passkeys, but I've never tried it. So now we can. So this directory is at passkeys.directory. I didn't know there was, directory was a TLD. Really? They've just gotten outta control. Leo, is there a dot Leo? It probably is. Anyway, so again, passkeys.directory takes you to this listing. It currently has 43 companies listed with their URLs, although some are flagged as MFA, so, you know, multifactor authentication.

(00:52:16):
So I suspect that they might not be pure passkey login. They may be passkey plus another factor, which would be annoying. So anyway, some notable names on the list, which do appear to be pure passkey authentication without that MFA tag, include a 1Password passkey demo page, of all things. Leo, Best Buy. Woo. It's about time, Beth. Yeah. Supports Pass. Carnival Cruises. Good. eBay. Good. Kayak. You know, the, the travel site. microsoft.com. Again, Nest Cafe. Like what? Sure. <laugh>. Why not. Nvidia, PayPal and Robinhood. So anyway, I just discovered this as I was putting the, the, the, the podcast together. So I have not made any time to experiment with and explore, but I am an avid buyer on eBay. Oh. Of often buying like old hard drives that I need to make sure that SpinRite works with. Or in fact, I'll be talking about SpinRite in a few minutes here, because I actually did just buy four drives from eBay, which were specific drives that I needed.

(00:53:33):
So anyway, I ought to be able to give logging into eBay. Passkey, I think I, I'm seeing it. Let me, let me log in and I'll show you. I'm gonna log into, I'll go to Carnival Cruises and it says create, create an account here. Lemme show you this. I'm gonna make it bigger. And see that, log with your phone's Face ID or fingerprint. That's passkeys. Oh, it may not say passkeys. Right, right, right, right, right. So scan this QR code. All right. Let me try it with your phone's camera. Oh, so this is, yeah, that's cool. I'm so glad, this is the first time I've seen it. All right. I scanned it with my camera. I'm logging in. Enter your email. Okay. I always. Oh, and, and the site knows, Leo. Look what it's doing. Oh, it does. It knew I did something.

(00:54:25):
Yeah. Car. How would it know that? Oh, the, because you're, I'm going to a special URL. That, that, that QR code? Yes. Okay. Connection lost. Something went wrong. Try again. Oh, crud <laugh>. Well, well, after all it is Carnival Cruises. So we're working, working on it. So now what do I do now? What do I do? Did I take another picture? Let's do it again. Did you already. Can't, do you, do you have an account at Carnival? Not Carnival, no. Okay. Not Kayak. How about Kayak? Well, I think the idea is you would have to, oh, should I go somewhere I already have an account? You wanna see what that, that looks? I don't know. I, that looks like <laugh>. I, I don't know. Let me, let me just, I didn't do it quickly enough. Probably. Let me try. What happens if I log out of eBay?

(00:55:15):
Cause I'm like, statically. <Laugh>. Yeah. So now I'm pressing continue. Do you, oh, here it is. Do you wanna allow carnival.com to use Face ID? Continue. I'm using Face ID. It worked. And look at this, on the phone, it now says, let's see if I can find that. Passwordless sign in enabled, enabled. Fast login by OwnID. But this is passkeys, right? You've gotta be passkeys. Yeah. So that's cool. So now it's, once you know, complete your profile, blah, blah, blah. But now I presume from now on I can just use my phone. I love it. Yay. Yes. Yes. Now I have a Carnival Cruise line login. <Laugh>. Sure. I want that. <Laugh>. No, actually the cruise line that we do go on is owned by them. So I guess that's one of the cruise lines we like to go on. Again, I, this is the weirdest list. Like Best Buy, Carnival Cruises. I would, don't you think it's like, I should trust these people cuz they're at least on top of it. Chase is not there. B of A is not there. Yeah. Bank's gonna be a higher standard, isn't it? You know, if you Nest Cafe but not Starbucks, it's like, okay, I don't know what's going on. But anyway, I think it's gonna be lower stakes companies. Don't you think initially a bank, that's gonna be problematic? Probably, yeah. I guess Microsoft has become lower stakes. You're <laugh>.

(00:56:48):
Would I like to receive emails? No. Do I accept their terms and conditions? Yes. Have you already booked your cruise? No. Okay. Now, now I guess the next time I go there, let's go on another, let's go on another computer. This is, this is first time I've ever used this. That's cool. So now I'm gonna see log and it's gonna say log with your phone's Face ID or fingerprint. I'm gonna click that. Scan. Oh, I have to scan it again. Does that, is that right? Is that what it should be doing? Yes. Yes. Because you don't, you haven't transferred your passkey into that computer. And then it says, do you wanna log in using a saved account? Yes. Logging in. Bingo. Hi Leo. When's your cruise <laugh>? It works. It's a little onerous. It's, so will I always have to scan my QR code to get in?

(00:57:42):
So, well, so what you're doing is you're using your phone's passkey, right? In order, in order to authenticate across to a different device, right? You, and this was the problem that I talked about is that, is that if, you know, SQRL would, there would only be one. But, but, so you need to create another passkey in your laptop. And so there is, there should be a way to, to you, you can't export the passkey, but you can, you can link them. You, you can create another passkey and then link them so that they're identified as the same. So yeah, see I don't see, I already have a Microsoft account, but I don't see any way to log in if you haven't set up passkey with passkey, right? I'm just going to the Microsoft site. Now I do have an account and I could sign in, but I'm gonna say, could I do this with my passkey?

(00:58:35):
No. But maybe if I go into my account, I could set that up. What's that little thing down at the bottom, sign in options? But that's, I already looked at that and it just gives me GitHub or forgot my username. That's not, that's not passkey. I bet you I have to go to the Microsoft account. They'll log in normally and then say, and I would like to establish passkeys with this account, probably. Yeah. Yeah, that would make sense. Yeah. I'll try it while you're talking. Anyway, all of our listeners now, again, passkeys.directory, you can check back there and maybe eventually some more interesting sites will be available. I think it's hysterical that Robinhood is using it. <Laugh>. Yeah. Yeah, yeah. I bet FTX would've if they, go, go to passkeys.directory and see what it. Oh, oh, there's more than just this. Okay. Yeah, yeah, yeah.

(00:59:21):
Just, oh yeah, yeah, because there was a bunch of things that also had MFA for tags for some reason. So, so you can see the, the little, the little green dots are just sign in, sign in, and here's Cloudflare, MFA. Yeah. So I didn't know what that meant. I, it probably means I need a password to log in and passkey, like it's two factor. Yeah, that's what I'm thinking too. Just DocuSign. I could sign in or I can have a, interesting, well, I have a GitHub account. Let me, let me play with that a little bit and see. Ah, okay, cool. Yeah. In other news, again, passkeys.directory, our listeners. Okay, so from the having fun with bureaucracy department, <laugh> comes an edict from the OMB. The US's Office of Management and Budget has ordered federal agencies to scan their systems. Oh yes. Scan those puppies carefully, scan a man, scan 'em, and provide an inventory of assets containing cryptographic systems that could be cracked by quantum computers. <Laugh>

(01:00:29):
In the coming years. Just how would you know? Well, Leo, okay, first of all, there is probably not a single computer in the government that doesn't use and depend upon some public key crypto, and none of the currently deployed public key crypto, there's no way, is quantum resistant. Yeah. So the OMB could have simply said give us a list of all your computers. That's a good point. And, and, and by the way, stop using them. Yeah. The, okay, so the next point worth noting is just a reminder that no one has come near to building a quantum computer anywhere, so far as anyone knows, that could even begin to think about breaking actual public key crypto. Oh yes. Factoring the number 27. We can do that. It's magic. But the number 35, we're not quite there yet. Give us another 10 years or so and we'll be able to factor 35.

(01:01:34):
Okay. Now that said, I'm on the record agreeing that there's absolutely no reason not to move us to quantum safe crypto sooner rather than later. You know, let's not wait till we need it because we know how slow and painful these moves can be. So, you know, just as assure or just as soon as we are absolutely sure that we're not gonna be making a big mistake, because that's possible. Remember that one of the candidates that had already been chosen, already selected was recently cracked by conventional computers. So it would be a lot better that, you know, for us to stay where we are, where we know we can't crack today, the algorithms we're using before moving prematurely to something that we presume some future non-existent mythical quantum computer should also be unable to crack. So the OMB edict stated that federal agencies had until May 4th, 2023. So like this, that, you know, this coming May 4th, I don't know why May 4th, but that's it. And the NSA ordered that all government agencies handling classified information must use quantum resistant encryption by 2035. Okay, so that's 13 years from now. By then we ought to be up to factoring 45. So good to be, we'll be switching over to quantum computers any minute, you know, before we need them <laugh>. Yeah.

(01:03:27):
Okay, so this other piece of attorneys general news that I wanted to share. One of the developing themes of this podcast is the observation that we're still in the wild west stage of the creation of the internet. It remains an unregulated or only very loosely regulated medium. And of course globally it's an uncoordinated total disaster. The idea that we've linked our fundamentally insecure networks to those of openly hostile nations should give anyone pause. Yet that's what we've done. Chinese, Russian and Iranian cyber criminals under the protection of their nation states, who have no love for the US, are able to openly attack the networks of US corporations and its private citizens. And yes, there's reciprocity. You know, the US is able to do the same to them. And presumably that's happening too, although there seems to be a surprising lack of information about that.

(01:04:36):
You know, but, you know, reciprocity doesn't make any of this sane. You know, it's like, you know, mutually assured destruction. So we can only hope that the internet our grandchildren will use as adults 30 years from now will be much different from the one we've been watching being born through these past 30 years. I bring this up because various democracies around the world, notably the EU and the US among others, are inching forward cautiously in an attempt to provide their citizens with some legally enforceable rights to privacy and personal information. At the moment we have clear statutes outlawing overt network intrusion and attack. When those laws are broken, people lose their freedom for doing so. But nothing yet prevents or regulates the passive collection of as much internet user data as possible. Google was sued by those 40 states attorneys general, not for tracking, but for tracking after they said they weren't.

(01:05:45):
As long as a company doesn't say that they won't do something, they can do pretty much anything they want. So how do we get this to change? Here's a hopeful example. Last Thursday, a coalition of 33 state attorneys general co-signed a letter formally urging the US Federal Trade Commission, our FTC, to pass legislation which would regulate online data collection practices. Might not happen, but it's a good start. These AGs said they are concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized. And they also said their, that they regularly receive inquiries from consumers in their states about how their own data is being hoarded and abused. Okay, so since we've still got a bit of time and I think this is extremely important, I'm gonna first share just the introduction in the letter, which was submitted to the FTC and signed.

(01:06:53):
It's really pretty, they have like different colors of ink on the signatures. I don't know how they pulled this off, but it was like, you know, signed by 40 states attorneys general. So in their, in the beginning of this letter, they said: we, the attorneys general of Massachusetts, I'm not gonna read them all cuz they didn't en list them all, but they, they did some, Massachusetts, Connecticut, Illinois, New Jersey, North Carolina, and Oregon, joined by the respective attorneys general of the undersigned states, write to the Federal Trade Commission in response to the August 22nd, 2022 advanced notice of proposed rule making on commercial surveillance and data security. So this was, this was something that the FTC put out there and asked for comments. So that was proposed, a, a, an advanced notice of proposed rule making on commercial surveillance and data security. That all sounds great. So they said, as the Chief Consumer Protection Officials in most of our respective states, we hope to inform the commission as it contemplates new trade regulation rules governing commercial surveillance and data security.

(01:08:11):
The State attorneys general commend the FTC for, for its comprehensive review of corporate surveillance and data security. In preparing the notice, we too are concerned about the alarming amount of sensitive consumer data that is amassed, manipulated and monetized. Our offices frequently receive outreach from consumers concerned about the privacy and security of their information. Research supports that consumers are worried about commercial surveillance and feel powerless to address it. Oh, really? Yeah. <laugh>, imagine that, and it's interesting, we're just going on the record here. Many consumers believe that tracking by companies is inevitable, yet often do not even know what is being recorded. These fears intensify when they learn more about the commercial surveillance economy, and in particular, consumers fear falling victim to identity theft and data misuse. A majority doubt that their data can be kept secure. Contributing to these concerns is the fact that companies that companies are often collecting more data than they can effectively manage or need to perform their services.

(01:09:31):
Our consumer privacy related enforcement actions and investigations have resulted in settlements, and, like Google, that have provided significant business practice changes to strengthen data security and privacy going forward. But there is still more work to be done. Our submission highlights the heightened sensitivity of certain categories of consumer information, the dilemma of data brokers and how they surveil consumers, and how data minimization can help mitigate concerns surrounding data aggregation. Okay. Then the letter goes on at quite some length detailing five general categories of abuse. Unfortunately, in an effort to be very clear and to drive their points home, that part is too long to share. But I found a separate release about this action from New Mexico's Attorney General Hector Balderas, and it addressed each of these five points by reference quite succinctly. So those I wanna share because it's good stuff. So first, there, there, so there's five, five categories. Location data. He said, or his office said:

(01:10:49):
According to the letter, many consumers are not even aware of their location, in that their location information is being collected. And when a consumer wishes to disable location sharing, their options are quite limited. The attorneys general recognize the sensitive nature of this information, which can reveal intimate details of daily life, such as where they live and work, their shopping habits, their daily schedule, or where they visited the doc, or whether they visited the doctor or pharmacy. Laws passed in states like California, Connecticut, Virginia, respecting the use and collection of location data, can provide a framework to inform the FTC through the rule making process. So this is, this is him saying, or his office saying, look at what, for location data things, look at what California, Connecticut, and Virginia have done. Use that, you know, consider using that as a framework. Biometric data. The coalition urges the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting or other biometric technologies.

(01:12:01):
Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented. Medical data. The FTC should also consider the risks of practices that use medical data regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996, popularly known as HIPAA, and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as health adjacent data, which can be collected by many devices. For instance, smart watches, health monitors, sleep monitors, and health or wellness phone applications. The letter also highlights medical information risks through examples such as the storage of health related internet searches or appointment scheduling information being passed to others through online tracker tools.

(01:13:11):
In other words, you get a sense for how comprehensive this letter was that the 40 states' attorneys general submitted to the FTC. Two more to go. Data brokers. The attorneys general reiterated to the FTC the persistent dangers of data brokers. Data brokers provide consumers, I'm sorry, data bro. Brokers profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information, and government records like driver's licenses, census data, birth certificates, marriage licenses, and voter registration information. Data brokers use this information to create profiles of certain consumers, which can be purchased by almost anyone based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put consumers at risk of scams, unwanted and persistent advertising, identity theft and lack of consumer trust in the websites they visit. And lastly, data minimization. The attorneys general say that it is vital that the FTC consider data minimization requirements and limitations with respect to data collection and retention. The letter encourages the FTC to examine the approach taken in California, Colorado, Connecticut, Utah, and Virginia consumer privacy laws, which mandate that businesses tie and limit the collection of personal data to what is reasonably necessary in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security as businesses will have less data to protect and less data potentially available to bad actors.

(01:15:20):
Okay, so I think if nothing else, this is a useful start in the United States where we exalt capitalism, no one wants to strangle innovation, but we all know that we're a long way from being, you know, from being in danger of that. Much of what is going on today is only able to happen under the cover of darkness because consumers are blissfully unaware. You know, what did Apple discover when they started requiring their apps to proactively obtain cross application tracking permission? They found that nearly everyone who was asked declined, no thanks, you know, and no surprise. So we can expect any improvements to be slow going. As I always say, change is slow, but the pressure is there and it's not gonna go away. At least I think we're moving in the right direction. And you know, this, you know, 40 states getting behind this, you know, one wonders why it's not 50.

(01:16:21):
Well, who knows? Some presumably buckled to some pressure. Okay. Some closing the loop. Things that I think are interesting. Vincent Stacy shot me a note that I wanted to share. Regarding, we, we were talking about the concern that was raised by a, a different listener about the ZimaBoard and how when he changed his, its credentials, it was only away from the log on of CasaOS, CasaOS, it was only for the web portal log on and all of the other credentials remain the same. He was concerned that that, that would, that the lack of changing of other credentials was unknown to ZimaBoard users and that they might get themselves in trouble, for example, if they turn this thing into a router. Anyway, Vincent Stacy tweeted, hi, Steve, pfSense installs its own version of Linux and won't have the default users of another distribution.

(01:17:26):
And that's a very good point for anyone who's interested in using a ZimaBoard as a pfSense router, though, just for the record, it's actually FreeBSD Unix that pfSense runs on top of and brings along with it. But the main reason why a ZimaBoard would not be my first choice as a router is that unless a network expansion board were to be plugged into its PCIe x4 slot, it only has a pair of LAN NICs built in. And I would expect a router today, certainly one that any of our listeners would be using, to have a few more network interface controllers, a few more NICs, for implementing useful multi-network isolation. So I can't see it being a big, being really popular as a router. There are some, you know, some better, you know, fanless solutions like that.

(01:18:26):
What is it? The SG-1000? I think that that that I've talked about before. Charles Turner tweeted, "As possible fodder for a listener feedback section in a future episode of Security Now podcast, I have a question arising from the discussion you and Leo had on Tuesday." Okay. He says November 15th, that was last Tuesday, during Security Now episode 897, "Memory-Safe Languages." Yep. Last, last podcast. He says, "With the future of Twitter in doubt, what is your prediction on the long range fate of Mastodon? The cynical part of me gives Twitter a 50/50 chance of either (a) rebounding back to its former glory as or and beyond, or (b) becoming a 44 billion version, billion dollar version next iteration of MySpace and FTX." <laugh>. Okay. So it's clear to us all that Twitter is currently in turmoil. And I don't have any firsthand sense for just how fragile Twitter's technology is internally.

(01:19:39):
And it seems to me that matters a lot. If the previous regime engineered really solid bulletproof systems, then it ought to be able to withstand Elon's shaking of its foundation. But overall, I'm a big believer in inertia and in things generally changing much more slowly than we expect. Now, of course, Elon could trip over the main power cord and Twitter could go dark until someone plugged it back in. And I suppose I'm interested in what Elon is doing there. You know, he's an interesting character and somehow he, he's managed to get other people in the past at least to do some truly amazing things. I'll never forget the sight of those twin booster rockets returning to and landing on that floating platform for reuse. Yeah, that was truly astonishing. Yeah. Technology. And it's Elon's SpaceX Starlink technology, which actually works, that's enabling Ukraine to survive

(01:20:44):
Russia's increasingly aggressive attacks against its infrastructure. Again. Thanks Elon. Mostly though, my take is that I think Elon is just having fun with his life as is his, as is his right <laugh>. Right. You know, I hope he's having fun. It's expensive, fun <laugh>, you know? And what about our lives? <Laugh>? He doesn't care. He doesn't care. No. No, he doesn't. He thinks re simulations. That's why. It's it's his life. Yeah. And he's not a guy who likes to make small waves. Right. Elon's waves are big. And let's not forget that Twitter made him do it. They insisted that he honor his wildly overpriced purchase offer. He didn't wanna buy Twitter, they made him buy it. So it seems to me that Twitter is getting what it deserves. The Elon treatment <laugh>, he's showing them that he can do anything he wants to with it. Yeah. So all of this made me curious about what he is doing with it.

(01:21:54):
I, you know, I pick up little bits here and there, but I don't follow news feeds or even Twitter because they interrupt my work and my train of thought. So it was with some joy that I stumbled upon a site, which I figured had to exist somewhere. The site's called TwitterIsGoingGreat.com <laugh>. In the spirit of Molly White. Yep. And yes, of course it's offering up its share of schadenfreude. So keep in mind that it's naturally gonna be biased, but it's still a lot of fun. The site hosts a simple timeline of Twitter's Elon-related happenings. So now I can check in from time to time whenever I want to, you know, to get a sense for what's going on over there. I mentioned it because I imagined that some of our listeners would also appreciate knowing about this nicely distilled timeline event resource.

(01:22:52):
It's hysterical. Cause it's all tweets <laugh>. Yes. I guess that's, that's a best source of what's going on at Twitter, I guess. Yeah, TwitterIsGoingGreat.com. I'll show you another one that you should read. Okay. This is from a Twitter reliability site, reliability engineer. Oh I think former. Matthew Tejo, he's on Substack and it's, I think you would enjoy this. I barely understood it, but he talks about all of the redundancies, all of the automation. He says, when I came in the list of servers was on a spreadsheet. Now of course, it's a much better system and he did a really good job. It sounds like he and his team did a really good job of making it run. He was in charge of the cache, the cache team, which was a pretty big deal because everything you're getting is served from cache.

(01:23:47):
None of it's served from well, Leo, I, I don't didn't want to interrupt you, but does Eddie, has Eddie, anyone stopped to think about what it does? Oh, it's phenomenal. Yeah. It is un frigging believable. This is just a fraction of it what Twitter actually does. Yeah, yeah. I, I can't imagine building this system. Oh, yeah. I, it just astonished. Well, read this. I think you'd enjoy it and it's just a fraction of what is going on. And but his point is these things are designed to run unattended a lot. We automated everything we could. And so it should, unless something, you know, nobody's gonna kick the plug outta the sock <laugh>. I hope there's more than one plug. But you piss off. You piss off. He might well long, he might, he just might pull the plug. So, but, but you wouldn't expect it to all fail.

(01:24:41):
All of a sudden. There may be bugs here and there and stuff, and there may, and the real problem is there may not be somebody to solve that problem, which cascades to another one, et cetera. Then I read, I've read a number of articles. We had Phil Li, who was the founder of Evernote, very, very well rounded. I was very impressed with Sunday. He's a smart guy. And yeah, he was saying, you know, give Elon's as you do, give Yon some credit. There was a good article by a former Tesla engineer that says Elon did exactly the same thing in 2018 to Tesla. He was firing people, he was spending the nights there, he was bemoaning there might be bankrupt. This was all in the lead up to the type three the model three of the Tesla. And said, this is kind of how Elon works.

(01:25:23):
Obviously, you know, for some people not the ideal situation. That's why so many have left Twitter voluntarily as well as involuntarily. But I've also read articles who say that say, you know, this is how he, he's reinventing Twitter is get, you have to get rid of almost everybody and then build a team of people who believe in your vision. He hasn't really communicated that apparently, but who believe in your vision for he's still, he's still making it up. He's making he's making it up as he goes along. Nobody, you know, I don't, I'm confused. I see stuff that looks crazy. He says, you're gonna have a committee to approve who, who comes and goes. And then he just says, now I'm gonna bring him back. And, you know, it's just, it's, it's, it seems chaotic <laugh>. There was one, there was one piece there that, that, that said, he sat down and explained to the core team how, how advertising should be tweets.

(01:26:16):
And he, and they said they are, he said, native. Yeah, it should be native. It is. Yeah. That's exactly my problem with the average. Yeah. He, you know, so he's coming somewhat from ignorance, but you're right, he's also a pretty interesting, he's probably sleeping there. He's there, he says he is four hours a day. And, and, and, you know, he'll figure this thing out. He, and he he's a weirdo. And some of the things he's tweeted, I'm not thrilled about some of the pictures and stuff. This is from 1:20 AM at Twitter. He, this is when he in, you know, came, had everybody come in Saturday or Friday night, Saturday morning to explain how Twitter works. And these are the, the, the skeleton crew there. He is sitting with them, but this is his picture of what they drew on the whiteboard. This is not a code review.

(01:27:06):
This is explaining in rudimentary fashion to somebody who doesn't know how this stuff works, how it's working. <Laugh>, I get, you know what we don't know yet. He may, this may be Twitter 2.0, he's inventing, and maybe this is how he works. I would never wanna work for him, but people will, and we'll see what happens. There was an interesting moment I was watching a press conference when Biden was off in the East. And it was that awkward <laugh>, that awkward press conference where he meant to say Cambodia, and he said Columbia three times. It's like, oh, Joe, oh Joe. But, but, but, but someone in the press pool asked him about Elon and, and so understand that our relationship, the government has a relationship, right? Yeah. With Elon, because he's now SpaceX and we've got all these contracts, right?

(01:28:04):
So Biden just locked up, you know, he <laugh> he didn't know what to say because it's like, oh, you know, I can't, I don't dare piss off Elon, or, you know, we're gonna be in real, we're not gonna have any, he said, we're looking into it though, you know, it is, it's very complicated. Cuz Elon has relationships with not just the US government, but many other governments. Tesla sells a lot of cars and builds them in China. It's a complicated system and it kind of a bull in a China shop. But we'll see. I just think he's a car. I just think he's a character and I think he's having fun with his life. Yeah. And you know, and we're too bad though. Observer Twitter is a valuable resource. It's not a public resource. It's not even publicly held company anymore. And he, it's incredibly valuable, but it's a shame.

(01:28:51):
That's why I crashes it, you know? Well, I mean, I, I he's just, he's let a bunch of loons back on recently. Yeah. And, you know, but I don't, I don't ever see, see tweets from loons. I have a very quiet experience with Twitter. I just talk to our listeners, right? And, and they talk to me and it's just a great little channel. So, you know, I don't care who says, know that, that vaccines are garbage, who cares? Okay. Leslie McFarland said, "Hi, Steve. Uh-oh. If Twitter implodes are you, are you going to Mastodon or somewhere else? Your Security Now podcast is topnotch security and quality." Well, thank you Leslie. So, okay, in order to get the word out to 18 years' worth of SpinRite owners, I will shortly, and I mentioned this before on the podcast, be setting up an old school email facility.

(01:29:45):
One of the several lists that I'll be maintaining will be for Security Now listeners who would like to subscribe to the weekly links and the show notes and a description of each week's podcast, which I post to Twitter. And it'll be nice to have more than 280 characters for that. So, so that will be a possibility. And you know, as for Mastodon, I have no idea. I, I'm, I'm not looking. Folks, remember it took me 10 years to get Steve on Twitter, right? Patience. Thank you, Leo <laugh>. I'm, I'm, I'm, I will get him. I'm not looking, I'm not looking for more connectivity. We'll see how Twitter goes. As it is, I spend most of my time in GRC's quiet newsgroups. There you go. Getting actual, getting actual work done. Yeah. And now we have GitLab for managing SpinRite bugs and feature requests.

(01:30:35):
And I have GRC's web forums, which will soon be quite active since that's where SpinRite's tech support will be hosted. And a lot of new users are gonna be using SpinRite 6.1 and, and have questions or maybe not. Cuz it's pretty much the same as it was. It just works a lot better. You know so anyway, I I just don't have any additional bandwidth available for new conversation opportunities. You know, I doubt that Twitter can actually implode. It's, as you said, Leo, it's too big and too important. You know, I doubt that even Elon can or will kill it. You know, and I have an alternative means for communicating my and GRC's events to anyone who cares through good old email. So, and I will extend this offer after episode 999. You can always use us to tell the world. I would bet a lot of SpinRite

(01:31:27):
users and owners listen to various other things we do, and we have a lot of different channels, including Twitter channels. So, and Leo, we still have two years, who knows, who knows from two, two years from now <laugh>, what'll be going on? <Laugh>, okay. Someone said I, where'd his name go? Oh, I didn't have his name here. Shoot, I think it was Walt. Anyway, he said, "Steve, did you see there's a Project Hail Mary in IMDb?" He said, "Crossing my fingers." Anyway, indeed, there is a, a, a Project Hail Mary movie is in the works. Well it is currently flagged as in development. If you had listened to our interview with Andy Weir some years, some months ago when it came out, he'd already optioned it. And he told me, and I wasn't too thrilled. I don't know how well I hid my discomfort that Ryan Gosling had signed on for the lead.

(01:32:22):
I saw that too. <Laugh>, I saw that and I went, oh, okay. But yeah, we're gonna, you know, Andy was gonna be on some months ago, but he had just had a baby. We'll get him back on. And by the way, Daniel Suarez has a new book, the sequel to his Delta book is coming out soon in I think next January. And we'll, we got a lot of fun reading those. Those are great. Yeah. So we'll get him onto, so yeah, we, we'll keep an eye, I'll have Andy on long before a movie gets made. We'll get the latest on that one. Okay. So speaking of books we've loved, so many people have written to me that telling me that they have, that they're loving the Silver Ships series that I wanna share a tweet I received two days ago from the first person I know who has, or we know who has finished the entire 24 book series.

(01:33:19):
I was horrified as I started to read the tweet that he might have written something of a spoiler, but that concern was misplaced. So here's the content of the DM that Bob Grant sent. He wrote, "Wow, wow, wow. Superb ending to the series. There was enough great writing and new intrigue in the first part of this final book in the Silver Ships series to be a great book in and of itself. However, the wrapping up of all the various storylines from the previous 23 books," and he says, parens, "20 Silver Ships and the related four Pyrean books, at the end was superb. There were joyful and poignant endings to each of the major characters from the books. I have to say that this is the best series I've ever read. Not to take away from Weber's Honorverse," and of course he's talking about David, David Weber's, you know, Honor Harrington series.

(01:34:25):
That was one of the early series that we talked about in this podcast. "Or Ryk Brown's Frontiers series," he says, "both of which I've enjoyed. But these 24 books have been a joy to read from beginning to end." And then he said, "After a little break to catch up on some other reading, I plan to start the new Scott Jucha series called Gate Ghosts, whose first book is Access Crossing." And as I mentioned to you, Leo, there are six more in that series after these 24. So anyway, obviously Bob has been following along with my previous reading discoveries. He knows of and read David Weber's Honorverse series and Ryk Brown's work-in-progress Frontiers Saga series. And you know, for what it's worth, I'm in complete agreement with him about this being the best series I've ever read. I'm at the start now of book 19 of those 24, so I have six to go.

(01:35:22):
And having already made this large investment in this series, I'm delighted to learn in advance that it ends wonderfully. So anyway, one last piece. Simon, he said, "Hi Steve. Persistence paid off. I was able to disable 'one time code feature,'" he has in quotes. He's talking about PayPal. He said, "You can call PayPal and ask to unconfirm your phone number. It may impact use of the PayPal app, but as long as you do not confirm phone number, it will not text security codes." So that's why. Wait a minute <laugh>, which is less secure, having no two factor or having SMS two factor? Oh no, no, no. You can still. Oh, you still have Authenticator or Yubi? Oh, oh, still. Yes, yes, yes. No, I did that on Twitter too. You, you had to have SMS to enable 2FA on Twitter, but once you'd set up a key or an authenticator, you could then disable it.

(01:36:29):
So you're saying you do the same on PayPal? Yes. Although there is no UI for doing it. Oh, interesting. You need to contact, turn off the phone to contact them. Yeah, you have to contact them and say, please unconfirm the phone number. And that makes sense, right? Yeah, because you the phone number I don't have, somebody else don't, right? Yeah. Right. Yeah. Anyway, it was Simon who originally noticed and communicated that it was always possible to cause PayPal to send an SMS code for account, you know, slash password recovery. Yeah. However, I should note someone else sent me a note and I'm, I apologize to that person for letting it slip, letting his name slip. But he sent me a note that if, if users set up their own personal account cover recovery questions, you know, those like, you know, who was your favorite high school teacher and what was the name of your first dog or whatever.

(01:37:22):
If you set those up, they cannot be bypassed. Oh. So that's another solution. Deliberately choose impossible-to-guess, no matter how well someone knows you, account recovery questions, and assuming that that information is correctly provided, then you'll be safe from hijacking cuz nobody else will know what it was that that you set up. It's just like three more passwords basically. Yeah, yeah, yeah. Okay. Finally, I mentioned last week that I, I ha that I thought SpinRite's new AHCI driver was not working correctly. I was wrong about that. It was working correctly. It was the location in my code where I was taking the hash of SpinRite's results that was causing a false positive detection. So I found and fixed that and made some other final improvements. Then as planned I up, I I updated GRC's server to get it ready to manage all subsequent downloads of the pre-release testing versions of SpinRite

(01:38:30):
that will be forthcoming. That work is finished and the server has been restarted and is now standing by to make SpinRite available. I have one final feature to add, which came up about two, about 10 days ago. SpinRite 6.1 has four levels or degrees of its operation. The first level never performs any writing to a drive under any circumstances. It's strictly read only. I'm not sure why, but it always seemed like it ought to offer that. So it always has. The second level is allowed to perform data recovery, so it will selectively rewrite only those regions of the media that are in need of repair. Level three goes further. Since refreshing any drive's data is generally good for it, and that's because latent and evolving soft errors are completely hidden by all modern drives, level three always rewrites the drive's data as it's moving through the drive.

(01:39:38):
And level four goes even further. Writing in writing inverted data, reading it back to verify it, then rewriting the original data and reading it back to make sure that it was written correctly. Okay, I mentioned this because there are three classes of drives that I refer to as being write hostile and should only be used under SpinRite's first two read-mostly levels. Those drives are SSDs, whose media we know is incrementally fatigued by writing to it; hybrid drives, which incorporate an SSD on their front end to serve as a non-volatile cache; and SMR drives, where SMR stands for shingled magnetic recording. Shingling, exactly like it sounds, refers to the deliberate overlapping of adjacent tracks in order to push track density to insane levels. If you picture a shingled roof, you cannot change an embedded shingle without pulling up the shingle above it. And then the shingle above that one and the shingle above that one and so on.

(01:41:03):
The same is true for SMR drives, which makes writing to them something you wanna do as little as possible. As I mentioned, this issue just came up in SpinRite's newsgroup discussion a couple of weeks ago. Since I want SpinRite to continue doing everything possible for its user, in this case, warning them if they are about to perform a level three or four scan on any drive which should not be written to needlessly, I need to be able to detect that. But I didn't own any hybrid or SMR drives, so I immediately tracked some down on eBay. And those four drives have all arrived. The last two just came in yesterday's mail. So after today's podcast, I'll be adding detection of those drive technologies to SpinRite so that it can take responsibility for warning its users if they're about to do something that they probably don't want to do.

(01:42:02):
And then with that little lap, that last bit of technology in place, as far as I know, SpinRite 6.1 will be ready to start its final stage of pre-release testing. And you know, as for that, I'm absolutely certain that there are things I've missed, things I just can't see because I'm their author. But that's why we test. What I am confident of is that at this point, so much testing has already been done, by far the bulk of the work, that there are no show stoppers remaining. It should be a matter of cleaning up debris. So by next week's podcast, it will have been under test for, I'm hoping that this is a Thanksgiving present for our testers, so I should have a good calibration on where we stand. Nice. Incidentally, Project Hail Mary is the book of the month for Stacy's book club in January.

(01:42:56):
If you have read it or want to read it, that's a good book to read and discussion. All, all read it and loved it. It was oh, it's great. Great book. And if you can listen to the audio book, there's some features the audio book has that the written page cannot, that makes it kind of fun too. Anyway, it's good either way. Would you like to come back and talk about Wi-Peep in just a bit? Absolutely. All right. Sure. A word from our sponsor, Secureworks. Secureworks is a leader, you probably, I'm sure you know the name, in cyber security. They build solutions for security experts by security experts. They offer superior threat detection and rapid incident response all while making sure customers, and you'll like this, are never locked into a single vendor. Secureworks offers an open extended detection and response platform, Taegis XDR, extended detection and response.

(01:43:48):
It's now time to get it. If you've been thinking about it, this is it. This year, cyber crime will cost the world, it's estimated, 7 trillion with a T. By 2025, 10.5 trillion. Last year, ransomware totaled $20 billion in damages that we know. Attacks occurred every 11 seconds. It's estimated 10 years later, ransomware will cost 265 billion a year and strike every two seconds. And I think that's the optimistic <laugh>. I think that's the optimistic guess. Make sure your organization is not the next victim. You don't wanna be in those stats with SecureWorks XDR. Secureworks Taegis provides the superior detection you need, identifying more than, get this, 470 billion security events a day, a day. They've got their, they've got their feelers out everywhere. They prioritize the true positive alerts, they eliminate all that alert noise, which means you're gonna focus on the real threats. But it's important that you get that intelligence right, that you know what's going on out there.

(01:44:57):
In addition, Taegis offers unmatched response with automated response actions. And that way, because they're automated, you eliminate the threats before the damage is ever done. Fast response is key in all of this. With SecureWorks Taegis ManagedXDR, you can easily leverage those great SecureWorks experts to investigate and respond to threats on your behalf. This helps you cut dwell times, decrease operational burden, reduce cost. And with Taegis and SecureWorks ManagedXDR, you've got 24/7 by 365 day a year coverage. What does that mean? Well, if you experience a Christmas Day security event, or half your team is out sick, you don't have to worry. You can trust SecureWorks is behind you. And of course, these days everybody's suffering a lack of, a dearth of security talent. It's hard to find those people, right? Don't worry. Secureworks acts as an extension of your security team on day one, alleviating cybersecurity talent gaps, which means you can customize the approach and the coverage level you need and never be caught.

(01:46:04):
You know, I don't wanna say with your pants down, but you don't wanna be surprised. Let's put it that way. What happens if you've already found an intruder in your system? I want you to write this. Get a piece of paper, write this down. 1-800-BREACHED. Even if you're not a customer, 1-800-BREACHED. That number connects you with a SecureWorks Emergency Incident Response Team. They can provide you with immediate assistance any time of the day or night, and they can respond to and remediate a possible cyber incident or data breach. 1-800-BREACHED. Put it, put it, put it in your, in your wallet, put it on a Post-It note. At SecureWorks, you can learn more about the ways today's threat environment is evolving, the risks it presents to your organization. They've got case studies, they've got reports from their very, very good Counter Threat Unit and a whole lot more.

(01:46:52):
Here's what you do right now, secureworks.com/twit. Go there right now, get a free trial of Taegis XDR. No words I can use to describe it will really give you that full scope of what they do. It's kind of amazing. secureworks.com/twit, get that free trial. SecureWorks, defending every corner of cyberspace. secureworks.com/twit. Thank you SecureWorks for supporting everything we do here at Security Now. Now, whatever it is, I wanna know, what is Wi-Peep? Little Wi-Peep. Little Wi-Peep? So imagine a technology that allows someone walking past a multi-story building or a drone flyby to accurately locate and pinpoint within that building or any other similar space, closed or open, with a positional accuracy of about a meter, the location of every wifi device such as security cameras and locks and switches, and anything else on wifi. That capability, which, you know, jumps off the pages of science fiction movie scripts, is not only here now, but it costs about $20.

(01:48:08):
The two researchers who figured out how to make this wifi mapping technology real named Wi-Peep, they presented their research during the recent ACM MobiCom '22, which was held last month in October in Sydney, Australia. Here's how they describe what they accomplished. They said, "We present Wi-Peep, a new location-revealing privacy attack on non-cooperative wifi devices. Wi-Peep exploits loopholes in the 802.11 protocol to elicit responses from wifi devices on a network that we do not have access to. It then uses a novel time-of-flight measurement scheme to locate these devices. Wi-Peep works without any hardware or software modifications on target devices and without requiring access to the physical space that they're deployed within. Therefore, a pedestrian or a drone that carries a Wi-Peep device can estimate the location of every wifi device in a building. Our Wi-Peep design costs $20 and weighs less than 10 grams. We deploy it on a lightweight drone and show that a drone flying over a house can estimate the location of wifi devices across multiple floors to meter-level accuracy. Finally, we investigate different mitigation techniques to secure future wifi devices against such attacks."

(01:49:49):
Okay, so you know this, this has never been done before. The, the key components here are the, the non cooperative nature and the fact that this, the, this is from, this is being done by a probe, which is not on the wifi network. So they set this up and, and frame the problem explaining the problems they encountered and how each such problem was solved. They, they said, we live in an era of wifi connected TVs, refrigerators, security cameras, and smart sensors. We carry personal devices like smart watches, smartphones, tablets, and laptops due to the deep penetration of wifi devices into our lives. Location, privacy of these devices is an important and challenging objective. Imagine a drone that flies over your home and detects the location of all your wifi devices. It could infer the location of home occupants, security cameras, and even home intrusion sensors.

(01:50:57):
A burglar could use this information to locate valuable items like laptops and identify ideal opportunities when people are either not at home or away from a specific area. For example, everyone is in the basement, by tracking their smartphone or smart watches. The promise of pervasive connectivity has been to merge our physical and digital worlds, but the leakage of such location information brings arguably the worst aspect of the digital world, pervasive tracking, into the physical world. In this paper, we show that there are fundamental aspects of the wifi, i.e., 802.11, protocol that leak such location information to a potential attacker. We demonstrate that it is possible to reveal accurate location of all wifi devices in an indoor environment, (a) non-cooperatively, without any coordination with wifi devices or the access points, (b) instantaneously, without waiting for devices to organically transmit packets, and (c) surreptitiously, without any complex infrastructure deployment in the, in the surrounding.

(01:52:18):
Our goal is to expose the security and privacy vulnerabilities of the 802.11 wifi protocol. By demonstrating a first-of-its-kind non-cooperative localization capability, we hope that our work will inform the design of next generation protocols. So they said, we note that there's been much work, past work, in wifi-based positioning. However, such past work does not enable non-cooperative surreptitious localization of wifi devices. First, most of this work relies on cooperation from end devices. For example, the client needs to switch channels or physically move or share inertial sensor data. Second, state-of-the-art techniques such as ArrayTrack rely on antenna arrays with multiple antennas that are typically bulky and cannot be easily carried by a person or a small drone. Deploying multiple such antenna arrays near a target building makes the attack less practical and easier to detect. And I don't know if they said, but way more expensive, obviously.

(01:53:31):
Third, RSSI-based, and remember that's received signal strength indicator, RSSI-based techniques rely on fingerprinting or trained models that require physical access to the target space. Finally, most of these needed, most of these need client devices to continuously transmit wifi packets or share their received wifi packets by installing an application, an access we cannot assume for such privacy-revealing mechanisms. So they say, we present Wi-Peep, a system that is quick, accurate, and performs non-cooperative localization. It does not require any access to target devices or the network access points. It does not even need the attacker to connect to the same wifi network. In our attack, the attacker, a lightweight drone or a pedestrian, passes by the house carrying a small wifi-capable device and estimates the location of all wifi devices in the target environment. We exploit the design of the 802.11 protocol to first generate wifi traffic from non-cooperative clients,

(01:54:49):
then use a novel time-of-flight based technique to locate these devices. Wi-Peep solves the following challenges. Okay, the first challenge: generate wifi traffic without cooperation. They explain, we must (a) identify all devices in the network quickly at the start of the attack, and (b) generate wifi traffic continuously from such devices to perform location estimation. A simple solution to identifying devices is to passively wait for wifi devices to transmit a packet. This approach is problematic because it requires the attacker to linger around for a long time. Instead, we exploit the 802.11 power saving mechanism, which is available in all 802.11 standards from 11a and b up through 11ax, by injecting a fake beacon imitating the access point that tells all connected wifi devices to contact the access point to receive buffered packets. This beacon elicits a response from all devices on the target wifi network.

(01:56:11):
Once we've identified all devices, we use targeted packets to each of these devices to perform time of flight measurements on these devices. The attacker requires exchanging packets directly with target devices. Therefore, natural traffic from a target device cannot be used. Recent work has shown that 802.11 devices always respond to packets with an ACK, even when the packets emerge outside the wifi network and are unencrypted or incorrectly encrypted. We use this flaw to perform time of flight measurements to any target device. The challenge in using wifi is that wifi devices are in the sleep mode most of the time and their radios turned off. We have designed a technique that allows an attacker to keep the radio of target devices on during the attack so that they keep sending ACKs. Okay. So basically what these guys did was, was to recognize there was a way to to to, to, after learning about the beacon in, in a residence or a, a corporate facility or wherever, to simulate a broadcast from the beacon, which will induce all wifi devices to respond. When they respond, they're gonna get each device's MAC address.

(01:57:42):
That then allows them to individually target those devices selectively and in real time in. So basically they, they, they get an instant inventory and then they switch into an active tracking mode. Where they are, they're, they're spewing out packets measuring round trip time, which they, what they, which they call time of flight in order to determine their the instantaneous, an instantaneous distance. They're away from each of the devices. And of course as they move all of those various vectors are changing length. And by changing their path, they're able to infer where the device must be in order for its vector to have changed as it did over time. So then they explain the second problem they had was localization in the face of noisy, what they call SIFS, which is short for short interframe space. So they explain, in 802.11, ACKs are sent at a fixed interval after receiving a data packet.

(01:58:57):
This interval is called short interframe space, space or SIFS, as illustrated in the figure that they have in their notes. They said Wi-Peep measures the round trip time between a packet transmission and an ACK reception and subtracts the SIFS. This allows Wi-Peep to estimate the time of flight and hence the distance between the attacker and the target device. Unfortunately, our experience, our experiments reveal that even though the wifi protocol mandates SIFS to be 10 microseconds, in practice this delay can vary from eight to 13 microseconds. Such errors can randomize the location estimation process. We build a new algorithm to correct for such variations in time of flight estimates. And finally, dealing with multipath effects. They explain that the time of flight measurements are error prone because multiple copies of a signal arrive at the receiver from multiple paths, you know, reflection of signals within an environment.

(02:00:12):
They said the strongest path may not necessarily be the direct path since the attacker is far away and obstructed from the target. This problem is further exacerbated. Indeed, our measurements reveal that Wi-Peep's individual time of flight measurements are error prone. For this reason, to counter this challenge, we take what they call the wisdom of the crowd approach. Even though each measurement is noisy, Wi-Peep involves quick packet-ACK sequences at the millisecond level. So they're doing, you know, thousands per second. Therefore, we can collect hundreds of measurements as the attacker flies by or walks by the target. We exploit the spatial diversity of these measurements to get an accurate position estimation of our targets. So, you know, that's a brilliant and completely workable solution. Individual measurements are noisy, but the truth can be found by sorting through thousands of measurements made over time from different positions.

(02:01:20):
And then they talk about their implementation. They said, we've implemented our design on an ultralight DJI Mini 2 drone. You probably have one, Leo, using off the shelf. Well, I have the Mini 3, but Okay. Actually something I can finally, I can do with it. Yeah, yeah, there's a picture in their paper of it. It's kind cool. Yeah. Yeah, it's neat. Yeah, it's sort like stuck on the front of it. Yeah, I don't know how well they fly with that on there, but I guess it's not too heavy. They managed to do it. Yeah. Anyway, they said using off the shelf ESP32 and ESP8266 wifi modules, our hardware weighs 10 grams and costs less than $20. It can be deployed on lightweight drones or carried by a person. Our evaluations in a real environment shows that Wi-Peep finds the location of target devices in an 802.11ax wifi 6 network on three different fla, three different floors of a house with a median error of 1.2 meters in around two minutes.

(02:02:32):
The contributions of this paper are, we present a new way for 802.11 protocol features to perform time of flight based positioning of wifi devices without having any control over target devices. We find that many devices deviate from the standard time for SIFS, which creates a challenge for localization. We design a localization technique that finds a target device without knowing the exact SIFS used by the device. We present a solution for future wifi chip sets that allows authenticated devices to perform localization while disabling non-cooperative attacks. So consider these facts, which they then enumerate. The Wi-Peep attacks work with any wifi device without instrumentation. In other words, without any application or firmware level changes, it does not need physical access to the enclosed physical space and does not need to break the encryption of the wifi network. Once the target MAC address is obtained, the target device doesn't even need to be connected to wifi. Due to the ease of attack,

(02:03:53):
Wi-Peep has many privacy and security limitations, they write. We list some examples some example implications below. In these scenarios, we assume that it is common for a person to carry a wifi capable device such as a smartphone or a smartwatch. Also note that the type of device, iPhone versus smart sensors, can be identified through various means like the vendor specific information in the MAC address. Okay? So and they give us four examples. One, one impacting security. An attacker can track the location of security guards inside sensitive buildings, for example, banks, if they carry a smartphone or a smart watch. And notice that this is real time. So moving targets are fine. They will get real time feedback as things move within the area that they're surveilling. A privacy implication, an eavesdropper can fly a drone over ho over a hotel to find the number and types of rooms currently occupied.

(02:05:01):
This could be done by a rival hotel trying to find detailed information of how target business is performing. Wifi devices that belong to a room such as smart TVs can be filtered based on MAC addresses. If other devices such as tablets and laptops are found in a room, it can be considered occupied. And this can be done in the middle of the night when most guests are in their rooms. Or a privacy security implication. If the MAC address of a device that belongs to a person of interest is known, Wi-Peep can track that person individually in a crowd. Oh, that. Or using scary uhhuh or inside a building like a shopping center or an airport even when their device is not connected to any wifi network. So this is so you could tail somebody with one of these in your pocket. Yep. That's interesting.

(02:05:57):
Yeah. Security. Wi-Peep could be used by burglars to find out the occupancy status of specific parts of a building. For example, the burglar can find out all the people are on the second floor and the basement is empty. Wi-Peep can also be used for positive use cases. And I like this. For example, in a hostage situation, the police can fly a drone over the building to find out where the hostages are kept, because many hostages might have smart devices on them and they would be collected together in a dense group and not moving. It might also be possible to track the attackers as well. Okay. Then anyway, through the balance of their paper, which is lengthy, they proceed to deal with every aspect of their system and present its solution. So my point is, the method to do this today is now in the public domain.

(02:06:53):
So anyone who wants to do it and has the skill set to replicate their work, can, you know, I could do that. Many of our listeners could do that, and I would not be surprised if we didn't eventually see an off the shelf turnkey Wi-Peep mapping system that would allow anyone with only a few dollars to spare, to obtain this potentially powerful remote wifi mapping capability. Very much the way script kiddies are using scripts that they were unable to write. Until now, we've had a general sense that the goings on inside our homes and offices were at least moderately private. The idea that someone standing outside in the middle of the night could first take a complete inventory of all wifi devices within the area non-cooperatively without connecting to or knowing our network's password, and then determine the approximate location of every one of those devices, whether they're upstairs or downstairs, and generally where, might not be unsettling to some people, but there are likely some situations at installations where having such knowledge in real time could be very valuable to the wrong sorts of people.

(02:08:12):
The authors spend some time near the end of their paper talking about possible future mitigations and the overall outlook there is bleak. The bad news is that since this is a hardware level attack with on which only leverages standard wifi features, which are implemented in the core wifi silicon, nothing can be done in firmware or software. All wifi chips today will and do respond to the probe request packet sent during the use of this technology. It will take a future generation of wifi chips to deliberately break the wifi specification or the spec to be updated in order to sanction this by not replying within a microsecond or two, but by deliberately randomizing, whoa, excuse me, deliberately randomizing the short interframe space interval, so that time of flight information cannot readily be determined. Doing that will allow wifi to work while still making location impossible.

(02:09:28):
So anyway, that is, that is why Apple randomizes MAC addresses on its iPhones though. I wonder if that is effective as a countermeasure. Actually, that's different than this. This doesn't need MAC addresses, but if you were, if I were following you around, I would need your MAC address to know it's you. I'm not talking about the mapping feature, but ah, that is true. Yes, yes, yes, that is true. MAC addresses, as we know, are fixed when, when, when the phone is attached to a network. Right? They're only randomized when it's not, when it hasn't joined a network. Once it has then, then it uses its actual MAC address. But you're right. Following you around the MAC address, I, I forgot exactly what the algorithm is. I think they change it every 15 minutes, but okay. And I wonder if, you know, since you know it's him for 15 minutes and then the MAC address changes, there might be some way to say, ah, yeah, that's, he's just changed his MAC.

(02:10:26):
I don't know. Not in a, not in a crowd. Not in a crowd. Cause you would be you Yeah, because you would be getting you, you would be so first of all, you would be, you'd be only pinging that and then suddenly there would be no reply. Yeah, yeah. Right. So it would then go dead and, and you have to, you would've lost it by that point. Point, yeah. Yeah. You'd have to go back into broadcast mode, right? In order to get replies from everybody in the neighborhood. I'm less concerned about somebody mapping my house. I knew you wouldn't be <laugh> from wifi access points. But the tracking thing is concerning. I think. Others, I think there's Android phones that also randomize MAC well remember Pixel too. It's not the, it's not the wifi access point that they're locating. It's all your security cameras, right?

(02:11:09):
And anything wifi, right? Anything, anything wifi. Yeah. Yeah, yeah. Again, less worried about that, but the tracking thing is a real cause for concern, but it must have been a threat anyway. That's why they're randomizing MAC addresses. I would think. There must be other reasons, right? Well Apple did that for privacy. For privacy, right? Yeah. Yeah. It's interesting, really clever. I the Multipath thing is what I find most interesting, the algorithm to get around that. Fascinating. Yeah. Wi-Peep little, Wi-Peep? Wi-Peep. The paper is in the show notes if you want to read it. It actually makes pretty good reading. Mr. Stephen Tiberius Gibson. Again, we have come to the end and every time we come to the end of a show, I think we're one step closer to episode a zero zero <laugh>.

(02:12:06):
But it's okay man. It's okay because I'll survive. We will survive. Yeah, we got two, two years. Let's not, let's not worry about it's two years. It's a lifetime. Ah, can happen. May fly. Ah Steve is at grc.com. That's his website. That's of course where SpinRite lives, the world's finest mass storage, maintenance and recovery utility. GRC.com is also where you'll find copies of this show. It's one of the places, but it is the place to find the 16 kilobit version for the bandwidth impaired and the beautifully handcrafted human crafted transcripts. He also has a 64 kilobit audio. You can leave feedback at the website, grc.com/feedback. Those those SpinRite forums are there, lots of other stuff including Shields Up. There's so much great stuff. GRC.com. We have the show at our site as well. Of course, twit.tv/sn.

(02:13:02):
There's a full-time YouTube channel dedicated just to Security Now, all 898 episodes. And of course you can subscribe in that way. You'll get it automatically whenever there's a new one. Like right now. Just get your favorite podcast app. If you wanna watch us do it live. We do it live every Tuesday. We stream kind of behind the scenes audio and video of everything we do at live.twit.tv. Times vary cuz it's right after MacBreak Weekly. You around about 2:00 PM Pacific, 5:00 PM Eastern, 2200 UTC on Tuesdays. Tune in early. Maybe you'll get a little bit of Mac mixed in with your SpinRite. But that's okay. Club members of course are always invited to chat with us in our Discord, which is a wonderful place to be by the way. I'm sure you got an invite, Steve, but if you didn't, we'll send you another one.

(02:13:55):
You're always welcome there to another place you can communicate with your audience. I know you don't wanna talk to 'em. I know, but, but if you ever did, they're here. Yeah. I think I have been. I I, I have you been in there? Okay, good. Yeah. That is that is also where you can get in the club ad-free versions of all the shows, shows that we don't normally put out, like Hands-On Windows with Paul Thurrott, Hands-On Mac with Micah Sargent, the Untitled Linux Show. That's Stacy's book club I was talking about. All of that's those are club activities. And we also have a TWiT+ feed with stuff that doesn't make it into the shows. There's really a, a lot of value for less than a blue check on Twitter for seven bucks a month, go to twit.tv/clubtwit to join.

(02:14:37):
We have yearly plans. We also have corporate plans. It really does help us out a lot. You know, we want to keep producing these shows and with your help I think we can and a whole lot more, you know and plus all the other things we do to keep the communi community involved. If you want to leave Steve a direct message, his tweets are open, @SGgrc, his DMs are open, and someday, maybe they'll even be encrypted. Who knows? That's the latest thing Elon's saying. What about, I've been talking to Moxie. He says, I've been talking to the creator of Signal about it and an encryption despite the fact that apparently he's banned moi from Twitter. But that's, you know, that's another matter entirely. Yeah. And he actually did fire the encryption team that was working on it. <Laugh>.

(02:15:27):
It's a rollercoaster. It's fascinating. It's just fun. It's a soap opera. This Yeah. It just, you just can't take it too seriously. It's like, it is like US politics. Just sit back and enjoy the Yeah. Yeah. I guess. Okay. I, I have politics anywhere. Yeah. What are you gonna do? Right? Any nation's politics. Yeah. Yeah. Mr. G, thank you so much. Always appreciate all you do. We'll see you next time on Security Now. Ah, hey, I'm Rod Pyle, editor-in-chief of Ad Astra magazine. And each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the Final Frontier. We talk to NASA chief space scientists, engineers, educators, and artists, and sometimes we just shoot the breeze over what's hot and what's not in space, books and TV, and we do it all for you, our fellow true believers. So, whether you're an armchair adventurer, or waiting for your turn to grab a slot in Elon's Mars Rocket, join us on This Week in Space and be part of the greatest adventure of all time.
