Transcripts

Security Now 925, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here with lots of great things to talk about. Why the zip TLD is a really terrible idea. Why Meta got fined 1.2 billion by the Irish and what they're gonna do about it. And then Steve's gonna applaud a really nice move from brave to improve your privacy. It's all coming up next in security now.

(00:00:27):
Podcasts you love from people you trust.

(00:00:32):
This is TWiT.

(00:00:37):
This is Security now with Steve Gibson. Episode 925 Recorded Tuesday, May 30th, 2023. Braves brilliant off the record request. This episode of Security Now is brought to you by Duo. Duo protects against breaches with a leading access management suite, providing strong multi-layered defenses to only allow legitimate users in. For any organization concerned about being breached, that needs a solution fast to o quickly enables strong security and improves user productivity. Visit cs.co/twit today for a free triumph and by dda. Security professionals are often stuck with manual evidence collection With Jada, companies can complete audits, monitor controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection. Say hello to automation, all done at rota speed. Visit rada.com/twi to get a demo and 10% off implementation. And by Melissa, more than 10,000 clients worldwide. Rely on Melissa for full spectrum data quality and ID verification software.

(00:01:51):
Make sure your customer contact data is up to date. Gets started today with 1000 records cleaned for free at melissa.com/twi. It's time for security. Now, the show, we cover the latest news in the security sphere. And that's thanks to this guy right here, Mr. Livelong and Prosper. Steve Gibson. Hi Steve. And you know, Leo we could make a whole meal out of today's picture of the week. Oh I haven't seen it. You told me. Do not look at it until we're live. So I have a lot of looks only because I want our audience to be able to experience you seeing this for the first time. Oh, dear. So that, so that they will be incented to get it themselves to, to track it down. Okay. In show notes, because this is the most inspired thing that mean this, I didn't think anything was gonna beat the green ground wire stuck into the pale of dirt.

Steve Gibson (00:02:51):
I did enjoy that. Yes. Enjoy that. This one, this is, this is cleverness to a whole new level. Is it a visual again? It is. It'll take you a minute to Okay. To visually parse it. You'll, you'll, you'll look at and you'll go, what? And then it's like O m G. So, okay. I can't wait. Today, this is podcast 925. Or are they? I will next See you in June. This is our last podcast of May. Yes. titled Braves Brilliant off the record request. Rarely do we come across something that is a simple idea that's new and really offers value. And the brave, the, I said brave as in the Brave browser. Their privacy team came up with something that I am really hoping that the other browsers and adopt. And this becomes an industry standard. So we'll have a lot of fun talking about that.

(00:03:54):
But first we're gonna see why people are now suggesting that the initials HP stands for huge pile. We're going to ask what Google was thinking when they created the.zip top level domain. <Laugh>, which nobody asked for. Nobody asked for. Yeah. Nobody, nobody said, oh, gee. That's what we really need. Yeah. how has the Python Foundation responded to attacks and subpoenas? Do we believe A V P N service when it promises that no logs will be saved anywhere? Will Twitter be leaving the eu? Does bid warden now support past keys who just got fined 1.2 billion euros? And why so little? What feature did WhatsApp just add? And what's the story about Google's new bug Bounty for their Android apps? Then after a, after answering all those questions and sharing a brief bit of good news about spin, right, we're gonna look at Brave's brilliant off the record request concept which is a new feature that I hope as I said that the industry will adopt.

(00:05:08):
And after you tell us about our first sponsor, Leo, you are going to be able to pull back the curtain on probably one of the best pictures of the week. This podcast in its, I don't remember when we began the pictures of the week, but it's been decades. This is a, this is a topic. I'm saying a lot the best ever. All right. Coming up next. But first a word from Duo. I know, you know, duo, everybody I sure has had some experience of duo. Duo protects against breaches with a leading access management suite. That's their business access management. Strong, multi-layered defenses and innovative capabilities only allow legitimate users in and keep bad actors out. And what you need, any organization needs it. If you're concerned about being breached, you need that protection. You need it now. Cause now more than ever, right? Duo quickly enables strong security while also improving user productivity.

(00:06:11):
In fact, you could take it from me cuz I, I use Duo users love Duo. It's a great way to authenticate. Duo prevents unauthorized access with multi-layered defenses and modern capabilities that thwart sophisticated malicious access attempts. They increase your authentication requirements in real time as risk rises. Isn't that great? So when the threat level goes up, we're at DEFCON five. It it, it enhances your protection automatically. Duo enables high productivity, but only requiring authentication when it's needed. Enabling swift, easy and secure access. And again I I completely agree having used it, duo provides an all-in-one solution for strong MFA passwordless single sign-on and trusted endpoint verification duo. It's really the name in this business duo helps you implement zero trust principles by verifying users and their devices. I want you to start your free trial and sign up today. Here's the address. It's a URL shortener cuz it's Cisco, right?

(00:07:19):
Cs.Co/Twit. Get it. Cisco cs.co/twit. Find out more about Duo the best security out there, great for your business duo cs.co/twit. And don't forget to use that address, cuz they're gonna be looking, they're gonna be watching, they're gonna say is are they, are they seeing that ad? And you're gonna say, yes, I am cs.co/twi. I am All right, Steve. I am ready to, that is a neat domain name. Isn't that good Cisco? Because it's Cisco, right? So the.is like the, ah, well, I don't know. Siss cs not really, but, but it's, I I think phonetically, phonetically it works. Cisco. Yeah. Yeah. Cisco. Yeah. Yeah. Microsoft has aka a.ms. That's so great. You have a good one. Which is GRC sc for short code. Yep. I like that one. I like that. Yeah. alright. I am ready. I'll tell you what, let's do this all together.

(00:08:20):
Everybody all, oh, I gotta switch this over all together. Now we're going to look at the picture of the week. I might have to pull it up over here. Oh, no. There it is. Okay. You ready? We're gonna look together. I'm gonna scroll. Oh, wait a minute. Do you wanna see me as I scroll up? No. We'll, we'll be hearing you on here. You'll hear, you'll hear me okay. Yeah. It's pretty good. We're gonna watch together as we scroll up the old school way to add remote control <laugh> to <laugh> to a light switch. Well, well, well, I bet it works even when the power's out, it works. So if you don't want Russia or China to have control, if you're on the Battlestar Galactic <laugh> <laugh> and you don't want the Xs to get into your grid, if, if I, I think if we were to rewire the US electrical grid using this technology, then we, there wouldn't be any concern, right?

(00:09:21):
About like I o T and scada attacks and so forth. So tell us how this works, <laugh>. It's just brilliant. So this, this would be, if our grandfathers were inventive and, and the switch that they needed to control was in the other room, it was like on the wrong side of the wall. Yeah. So, huh. What do you do? So, <laugh>, you, you, you drill two holes through the wall about six inches apart. One, so that it comes out above the light switch mm-hmm. <Affirmative> and the other one. So that comes below the light switch. Yeah. Then you run some, some half inch PVC tubing through and put elbows on the ends in order to bend it down from the top and bend it up from the bottom. It's a little over-engineered, but it gets the job done. Okay. You know, then, then you thread a piece of string all the way through this contraption, drill a hole through the, the back Wow.

(00:10:25):
Toggle of the light switch. Tie the string to it, and then the string continues on down and back through the wall. So on the, on the operator side of the wall, <laugh>, there's two strings. You've got strings, two strings. Yeah. And you pull the upper string for all and it goes through the wall, pulls the switch up, and you notice while you're pulling the upper string that the lower string kind of goes in a little bit. Yeah. Yeah. So it's like, okay. And now the lights are on apparently in the room where you are. Right. Because apparent, like, it must be that this switch is controlling the wrong room. So someone said, huh. Huh. What are we gonna do about that? You know, we need, we don't wanna control the lights in our room hyster. So anyway. Yeah. This is just, oh my god, Steve, you've, you got a winner.

(00:11:14):
You got a winner. Well, we have to thank, one of our listeners saw this and thought, okay, this is definitely gonna make it for a picture of the week. And Oh yeah. They were, they were correct. Okay. So I had never heard it suggested that HP stood for a huge pile until I went to catch up on the current state of those HP office, jet Pro nine 20 E Series ink jet printers, as we know, all of which were effectively destroyed at the firmware level more than now, three weeks ago. That was on the morning of Monday, a Monday May 8th. So three weeks and a day, right. 22 days ago as a consequence of an aberrant autonomous firmware download and install. And to add in zar injury, it may be that the entire purpose for this badly failed update was simply to tighten HP's grip over the use of non HP Printer Inc.

(00:12:16):
But whatever the motivation, the entire world, which has now been waiting, as I said, for 22 days, is filled with HP branded dead printers, which no longer print using anyone's ink. And what's becoming more and more glaring with each passing day now at 22, is that incredibly, there has been very unsatisfying communication from HP about this issue. Any call to HP service replies that HP is aware of the issue and fear not is working diligently on a solution, but we're talking three weeks now and a day. So, you know, no matter what solution is eventually forthcoming, this has not been very impressive responsibility taking on HP's part, I fully expected that when I checked back for today's podcast, I would get news of, oh, here's what we're gonna do. Static silence, nothing has been said, which is just, it's astonishing that, that, that HP says, oh yeah, you know, go to whatever it is, support.hp.com and join the crowd.

(00:13:29):
Wow. Okay. So not quite four weeks ago, back on May 3rd, Google, which is now a fully fledged domain name registrar, announced their eight new top level domains with a posting that was headlined eight new top level domains for dads, grads and techies. So the, the tl, the, the T L D R on this is, is Google Registry launches eight new top level domains. Dot dad, PhD, do prof, p o fq, short for esquire, do fu.zip dot, move, and.nexus. For the dads, they said <laugh> knock knock, who's there with Father's Day right around the corner. Dot Dad is here for the jokes, the games and the advice, whether you are a fit.dad, a gay.dad, or a dude, dad. Dad is the place to celebrate fatherhood. Leo, I think maybe they've gotten a little carried away over there in the Google domain registration world.

(00:14:52):
Anyway, they said, check out these interesting.dad websites. We've got classic dad where you get to play a fun eight bit game where your gold is to successfully mow the lawn while dodging pets and obstacles and preventing weeds from spreading. Or dear.dad, they say, check out this media platform dedicated to telling stories of Black fathers or daily.dad. It's a new book from Ryan Holiday that provides 366 accessible, you know, in case it's sleepier meditations on parenthood, a manageable slice for each day. Okay, so for the grads, they're saying may means graduation season for many in higher education. Were celebrating graduates and the professors who taught them well by launching Prof, PhD, and Esq, whether sharing legal advice for everyday life or teaching courses on behavioral science. These new domains are perfect for showing off your credentials. Hats off to these early adopters, says Google.

(00:16:06):
And so we have Erica e r i k aq and they tell us that Erica Colberg is an attorney and money expert who is passionate about better positioning people for success. A lot of attorneys would use Esq, that that would be popular. Yeah. Right. And so I I I think this being, this brings a whole new meaning to the notion of vanity domains. Exactly. Well, exactly, exactly. When I started using a weird domains, not.in other words anything but.com, dot net.org, people would always say like, I had leo.fm. They'd say, oh, you mean leo.fm.com? And I said, no, no <laugh>. Oh, because, and then you'd also see sites that would reject emails because they said, well, there is no email domain. Yeah, yeah, there is. Yeah. Right, right. So we also have casey.prof which is good for professors. That's fine. Oh, yeah. And that's Professor Casey Feiser or proofreaders would be good for us.

(00:17:04):
<Laugh>. Maybe Elaine would like that if, if you Well, she would complain about the lack of two os. Mm. You know, you really, you know, proof with one. Oh yeah. It's not good. So Casey Feiser is a technology ethics educator and science communicator who apparently thought, Hey, I need my own prof domain. And then we have Raphael PhD Raphael is an expert in post quantum cryptography. Well, he deserves holy homomorphic <laugh>. Yeah. Roughly cow. Well, also, if you understand how fully homomorphic encryption works Oh, you're a doctor. Yeah. And also privacy enhancing technologies and the application of these constructions. So, okay. But the real worry, and the reason for my bringing this up today is the new TLDs that do, that Google chose to create for techies. The third category under the heading of techies they write May is also the month of Google io.

(00:18:06):
As we know now, they said, our annual developer conference, whether you're learning to code, deploying a helpful tool, building your portfolio, or starting a new community.fu.zip dot move. And Nexus, have you covered, here are some examples from our developer community. So we've got gamers.nexus, which is their actual name. That's the name of the company. So the publication, right? Yeah. Yeah. They said Use gamers.nexus to review computer hardware and plan your next gaming pc or Hello world.food <laugh>. Learn how to learn how to code. Hello world. You bet. You better explain why FU is for coding. Hello World though. You Leo, you tell us. All right. We'll have fun with it. So there is an old military acronym, fubar effed Up Beyond All Repair, I guess, I don't know, fubar. And so that's been around since World War ii, right? Along with snafu and a few other choice military <laugh> recognition. FUBAR is beyond all recognition. Okay. Yes. Recognition. So programmers when they were making up dummy variables in their, you know, texts like, you know, Dennis Richie and, and Brian Kernohan and the c programming language would use fu and Bar as correct phony dummy variable names. But my question is, there's a dot fu Where's the.bar?

(00:19:36):
Yeah. What would fu Without Bar is like a, you would think they would wanna raise the bar real <laugh>, but dot fu is fun. I don't know who's gonna use dot fu. I might, maybe, should I go get Leo dot fu? Maybe I will. Yeah. You don't have enough <laugh>. So bit it a fu and, and url.zip. They say, you so don't, there is apparently a domain url, zip uhoh, they said create short, powerful and trackable links with url zip. So I guess somebody created a, you know, registered the domain and created a URL shortener called url.zip. And then finally david.mov which is watch videos by David Emel in this liminal space. Well, that's a, that's a $5 word <laugh> Boy. So, yeah. Okay. And, and just to finish off their posting before we look at not only what could possibly go wrong, but what did immediately mm-hmm.

(00:20:41):
<Affirmative> go wrong. Mm-Hmm. <affirmative>. Yeah. Catastrophically. Google finished saying, starting today, you that this was like May 3rd. Right? Starting today, you can register all of these new extensions as part of our early access program for an additional one-time fee. This fee decreases according to a daily schedule through the end of May 10th. So the third to the 10th. So that's seven days. So presumably on day one, you had to really want one of these in order to, you know, belly up to the bar and pay whatever they were asking, which dropped down successively on each day until it was back to their normal price on, on May 10th. They said all of these domains will be publicly available at a base annual price through your registrar of choice to make, although I went over to Hover and they don't offer zip, so they said, huh. What? No to make it super easy for anyone to get their website live, we've worked with Google sites to launch new templates for graduates, professors, and parents.

(00:21:46):
Oh, good. You don't even have to do any like, website code and just drop a template in. To learn more about pricing or our partner or our part participating partners visit registry.google. Okay. So it occurred to me that if those grads are looking for jobs in internet security, protecting the assets belonging to those dads, when Google's difficult to understand decision to offer domains under the.zip top level domain, you know, may create the full employment guarantee that those new grads have been looking for. The malicious exploitation of these.zip TLDs took exactly zero time since their abuse was so obvious to everyone except for apparently Google the new phishing technique is already going by the name file Archiver in the browser as just one of many examples. It can be leveraged to emulate file archiver software in a web browser when a victim visits a zip domain.

(00:23:03):
Mr. Docks is a security researcher we haven't quoted in some time, although we did some time ago. He recently said, with this phishing attack, you simulate file archiver software, for example, win RA in the browser and the use and use a.zip domain to make it appear more legitimate. In other words, threat actors are creating realistic looking phishing landing pages using modern web tools. You know, HTML c s s, JavaScript, which mimics legitimate file archive software hosted on a zip domain to, to elevate social engineering campaigns. Users. The, the point when you, when you click on a zip file, and you know, most people don't know if it's a single click or a double click, so they go with two because you know that's better than one. So, you know, whe whether you single click or double click, if it's a, if it's a u R url, you're gonna be taken to a site ending in zip, and the site is gonna, is going to pop up and, and look like an archiving program.

(00:24:11):
So you think you've opened the zip file on your local machine, when in fact you are on, you've opened your browser mimicking an an archiver, and now you're under the, the control of this, of this site. When you click anything else that, that you want to use the archiving software for. So the search bar in the Windows file Explorer will also emerge as a, a sneaky conduit where searching for a non-existent zip file opens it directly in the web browser. Should the file name correspond to a legitimate.zip domain. Our Mr. Doc said, this is perfect for this scenario, since a user would be expecting to see a zip file, once the user performs this, it will auto launch the zip domain, which has the file archiver template and is able to appear legitimate. The problem of course, that created all this is that the new.zip and.mov top level domains are also both legitimate file name extensions.

(00:25:22):
So this invites confusion. When unsuspecting users mistakenly visit a malicious website when they believe they've opened a file, they could then mean misled into downloading malware trend. Micro agrees that this is anything but a good idea. They said zip files are often used as part of the initial stage of an attack chain, typically being downloaded after a user accesses a malicious U R L or opens an email attachment beyond zip archives being used as a payload since it's also likely that malicious actors will use zip related URLs for downloading malware. The crux of them, of the concern they said is that with the introduction of TLDs that are identical to well-known file extensions, bad guys are, are going to cook up clever new ways to take advantage of this resulting confusion and ambiguity. If nothing else, it clearly equips bad actors with another new vector for fishing.

(00:26:30):
Then I got a kick out of malware BYS labs. I mean the, the, the, the sec the tech security industry just, you know, went nuts over the idea that we now have a ZIP tld because it was so clear to everyone how bad this was gonna be. Malware Bites labs, which titled their recent discussion of this Ill-advised move by Google Zip domains a bad idea nobody asked for. They wrote, if you heard a strange and unfamiliar creaking noise on May 3rd, it may have been the simultaneous rolling of a million eyeballs. The synchronized ocular rotation was the less than warm welcome that parts of the IT and security industries they say, he said, this author included gave to Google's decision to put zip domains on sale. Okay. So then the author had some additional useful things to say, which I think is worth sharing. He said domain names and file names are not the same thing.

(00:27:38):
Not even close, but both of them play an important role in modern cyber attacks and correctly identifying them has formed part of lots of basic security advice for a long, long time. The T L D is supposed to act as a sort of indicator for the type of site you're visiting. Dot com was supposed to indicate that a site was commercial and.org was originally meant for nonprofit organizations. Despite the fact that both.com and.org have been around since 1985. He says, it's my experience. And most people are oblivious to this idea against that indifference. It seems laughable that.zip will ever come to indicate that a site is zippy or fast as Google intends. And it's like, so that's what zip it's like it's, oh it's cuz it's Zippy. Okay. Quoting Google quote, when you're offering services where speed is of the essence, a do zip URL let's your audience know that you are fast, efficient, and ready to move well, but anybody can do it.

(00:28:55):
So that's literally, it's literally what they said. Yes there. There's no, you don't have to pass a speed te Leo in order to get the zippy zip url. Well, that's just a moron copywriter who wrote that, right? It's just some marketing idiot because obviously it's dopey. But I wonder what the technical thinking is. Maybe we'll always make some money. It's, I just have no idea. He says, meanwhile, plenty of users already have a clear idea that.zip means something completely different. Since the very beginning files on Windows, computers have used an icon and a file name ending in a dot, followed by three letters to indicate what kind of file you are dealing with. If the three letters after the dot spell z i p, then that indicates an archive full of compressed zipped up files. The icon he says even includes a picture of a zipper on it because reinforcement is good and confusion is bad.

(00:29:57):
Unfortunately, Google missed that message as it happens. He says, cyber criminals love zip files and the last couple of years have seen an explosion in their uses. Malicious email attachments, typically the zip file is first in a sequence of files known as an attack chain in a short chain. The zip file might simply contain something bad in a longer chain. It might contain, it might contain something that links to something bad or contains something that contains something that links to something bad or contains something that links to something that contains something that links to something bad. Anyway, you get the idea. He says the key to it all is misdirection. The attack chain is there to confuse and mislead users and security software criminals use other forms of misdirection in file extensions too. An old favorite is giving malicious files to extensions, which of course we spoke about it at the beginning of this podcast, 18 plus years ago, like evil, zip xe.

(00:31:04):
The first one, zip in this case is where to fool is where to fool you. The second is the real one. A dangerous dot exc executable file type. Given the choice of two users have to decide which one to believe. Most aren't even faced with that choice because windows helps with the subterfuge by hiding the second file extension. The dot xe the one you really should be paying attention to by default. So you just see something rather zip domain names get the same treatment. Criminals make extensive use of open redirects. For example, webpages that will redirect you anywhere you want to go to make it look as if their malicious URLs are actually linked to Google, Twitter, or other respectable sites, less sophisticated criminals. Just throw words like PayPal or anything else you might recognize into the beginning of the link. And hope you'll notice that bit and ignore the rest.

(00:32:03):
Because again, a lot of links just look God, look like gobbly goo. You kind of look at it and go, what the heck? Oh, there's PayPal. Okay, good. He says, against that backdrop, Google inexplicably decided to introduce something that will generate no useful revenue, but will give cyber crooks an entirely new form of file and domain name misdirection to add to all the others we're still wrestling with today. So what good criminals do with this new toy, he says there's no better example than that provided by security researcher Bobby Roach, a r a u c h, in his excellent article, quote, the dangers of Google's dot zip tld in it Roach challenges readers to identify which of the following two URLs is a malicious fish that drops evil dot xi on their machine. And I've got the two links in the show notes. They begin ht dps colon slash slash github.com/kubernetes/kubernetes/archive/refs/tags/v1 2 1 1 zip, and then the exact same URL accepted in front of the final V V1 seven one zip.

(00:33:37):
There's an at sign and he says, the answer is that the evil link is the second one. The top one opens a zip file called V1 two 7.1 zip, which was, you know, downloaded from from github.dot.com domain. The second one would go to the domain V1 27 1 zip, which in this hypothetical example, triggers the download of whatever that site wants to provide. I did not know that about url. So the ad sign changes the parsing. Yes. And, and it turns out those forward slashes are not actually forward slashes. There, there's a Unicode character. Oh, that looks the same. So this looks like it is rooted@github.com. Yep. But in fact, those are not forward slashes until we get to this. Exactly. I see. That makes sense. Exactly. So it isn't just the ad sign, it's you have to use some tricks. Y yes. Unfortunately, all the browsers display that Unicode as a forward slash mm-hmm.

(00:34:44):
And it passes right through the browser. Mm-Hmm. So lit. So, so here's the problem for this audience. I would be hard pressed to look at that second url Yeah. And think that that's a problem. It looks absolutely legitimate. Https calling slash slash github.com. That's all you need to know, right? Anything to the right of that is gonna be, is gonna be somewhere underneath github.com. We've taught everybody, we've trained ourselves to look for that root t l d that's where it's rooted. And now we can ignore the rest, but no. Yep. Wow. So he says, in other words, so, so me speaking, in other words, the internet just became a whole lot more dangerous, even, even for those of us who take some pride in all this stuff in knowing how to examine URLs and knowing our way around what chance, you know, do our friends and relatives have.

(00:35:47):
Anyway, I've placed a link to Bobby Roach's full writeup, which explains in detail how simple it is to craft dot zip URLs that look convincingly like URLs for well-known sites that are offering zip archives for download. Whereas in fact you are going to a site that somebody registered under azo, the the.zip t l d you know, it is, it is really a problem. And I, I just can't understand it. In fact I've, I've skipped over a, a bit of the malware labs stuff, but, but he said it's also possible that.zip will simply die on the vine if enough companies choose to block it. Just block it. Last. Yeah. LA Yes, last week, citizen Labs, John Scott Railton urged his nearly 200,000 Twitter followers to simply block it all, saying that chance that new.zip and.mov domains mostly get used for malware attacks is 100%.

(00:36:58):
So he said it's for you and your organization to decide if you should block it. But I will point out that if you are going to the best time to do it is now almost nobody is currently using it and nobody is gonna use it in the future if it's routinely being blocked. Little tip of the hat too to Firefox, because I'm doing this in Firefox, this is the forged slashes and in Chrome, this would take you to a bad website in Firefox. It says what? <Laugh>. Oh, oh, think you're going where you think you're going, buddy. Nice. So that's that's Firefox, I guess, has decided to ignore those or not treat those Unicode characters as slashes. Well, and I mean the well known author Robert Limos writing for Dark Reading, his coverage was titled googles.zip dot Move Domains Give Social Engineers a shiny new tool.

(00:37:57):
Oh yeah. Wired headlined the real Risks in Google's new dot, zip and Move Domains Tech target, the potential danger of the new google.zip top level domain. And why Combinator, the dangers of Google's do Zip tld. So, you know, you just don't see that when new top level domains come out for, you know, like.pizza and things. <Laugh>, who cares? No, who cares? One other problem is, and this is another thing people should do at least on Mac and I think on many browsers they're set by default to open safe files. So, and, and zip is normally considered a safe file. So when Safari sees a zip file, if you haven't unchecked that box, it will try to open it. And so you can go to a.zip and get a, what looks like a.zip that tries to open as malicious. So, yep. Another thing everybody should do, and I don't on Windows, do I think just as a convenience browsers, just assume while a.zip is safe, windows now puts it in the tree.

(00:39:02):
It's in your final tree. Oh, that's terrible. I hate that. Oh, it, my, my, I I actually, I, I have subfolders where I put my zips because I don't want them to be expanded in this tree of, of like the, the, the, the, the rail, the regular directory tree. Again, Microsoft wanted to make it easy, so thank you very much. Yeah. Probably some way to turn that off, but I just, well, certainly if you're on a Mac, disable open safe files by default. Cuz that's terrible. So, Leo, after our next break, we're gonna talk about PII and something interesting that just happened to them. Oh yeah. Cuz we talked about them last week. Yeah. They, they were under attack and they've responded. Yeah. Yeah. Well it wasn't just last week. We talking about them for many, many weeks. Yeah. Constant problems with these supply chain attacks.

(00:39:53):
Maybe that's why you ought to pay attention to our sponsor, huh. Dta. D R A T A. If your organization is finding it difficult to collect manual evidence and to achieve continuous compliance as it grows and scales, you oughta know about DRA as a leader in cloud compliance software. G2 dubbed them that I dubbed the leader in cloud compliance software. DDA streamlines your SOC two, your ISO 27 0 0 1, your P C I D S S, your gdpr, your hipaa, you know, all those compliance frameworks are now, you know, in varying degrees. Responsible for DRA makes it easy by providing 24 hour continuous control monitoring automatically. So you could focus on all those other important things like scaling securely. DDA has a suite of more than 75 integrations, so it works with all the things you work with. Aws, Azure, GitHub, Okta, CloudFlare, countless security professionals from companies, including Lemonade and Notion and Bamboo HR have all shared that stratta is critical as a trusted partner in their compliance process.

(00:41:06):
You'll be able to expand your security assurance efforts using the gerta platform so that you can see all your controls, easily map them to compliance frameworks. So you'll have immediate realtime insight into what's going on, including framework overlap, which is actually a great thing to know about Dora's o. Automated dynamic policy templates, support companies that are new to compliance, using integrated security awareness training programs and automated reminders to ensure smooth employee onboarding. They're the only player in the industry to build on a private database. That's super important. Your data can never be accessed by anyone outside your organization. Andrada is a partner. I mean, I think that's really important. You, when you become ARA customer, you'll get a team of compliance experts. You'll have a designated customer success manager. Andrada has a team of former auditors, people who have done more than 500 audits that can keep you on track to ensure there'll be no surprises, no barriers.

(00:42:07):
They'll even do a pre-audit call or maybe more than one with you to prepare for when your audits begin. Those auditors are so handy they could say, you, you gotta, you can't no stop what you don't wanna do. That buddy draw's Audit Hub is the solution of faster, more efficient audits, save hours at back and forth communication. When you're communicating with your auditors, you'll never misplace crucial evidence. You'll share documentation instantly. All the interactions and data gathering occurs inta between you and your auditor. So you don't have to switch between different tools or correspondence strategies. I bet you auditors think this is the bee's knees. With strata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can s score them, you can decide whether to accept them, to mitigate 'em, to transfer them, to avoid them.

(00:42:57):
It's up to you. But you got the knowledge right now. You have now, you know, DDA maps, appropriate controls, two risks, simplifying risk management and automating the process. And there's DDAs Trust Center, which is beloved because you're getting real time transparency into your security and compliance posture. That's great for sales customers love it. Security reviews, auditors love it. Better relationships with partners. It's good all around cuz everybody's aware now everybody knows how important compliance is. Say goodbye to manual evidence collection. Say hello to automated compliance by visiting draha.com/twit, D r A tta.com/twit, bringing automation to compliance at dorada speed. And look at all, look at all those awards from G2 Best Results, best usability leader, best relationship mo Momentum leader. I mean this, this is the, this is the one dda.com/twi. We thank you so much for supporting security. Now on we go with the show, Mr.

(00:44:11):
G. So last week I noted that the Python Software Foundation had been forced to take the unprecedented step of temporarily shutting down all new account and Python package creation due to an overwhelming automated attack on the world's, you know, leading Python software registry in response to the attack plans are now underway to require two-factor authentication for all PII accounts. And even more interestingly, to reduce the instances where PII portal needs to store a user's IP address. Okay, well we'll get to that second one in a second cuz that I thought what? Anyway, in a major, but welcome and probably inevitable policy change by the end of this year. All accounts that maintain a Python library on the PI PI portal must choose some two-factor authentication method or have their access to PII features limited. The foundation says that the move comes to improve the supply, their, their supply chain security of the Python ecosystem.

(00:45:23):
The requirement for two-factor authentication is intended to help block account takeovers, which has been a problem in the past. And also to raise the bar for those automated attacks like the ones that Pipi has just been subjected to over the past few months. Two factor authentication has been supported and available, but its use has been optional and there's not been much uptake because people just haven't cared that much. So that's what's changing. Last year the foundation offered free security keys to the maintainers of its top 1% of all packages. In a move to show the PI pie devs that two factor authentication would not be a serious disruption that some for some reason believed it would be. Okay, but it's the second piece of news that I thought was the most interesting as I was reading the reports that the foundation was making that, well they, they, they said they were making an effort to purge IP addresses from their server logs, replacing them with hashes of the IP addresses, or in some cases geographic data provided by Feedly, which is their cdn.

(00:46:35):
I didn't understand what that had to do with anything. The foundation said that the only systems that will see plain text versions of a user's IP address will be their rate limiting systems. And even those they will work on replacing, providing some additional detail. The foundation explained that they would be salting their hashes because the I P V four address space being relatively small at only 32 bits would allow for the creation of hash reversing lookup tables. As we know, the normal practice with salted hashes is to pick a unique per hash salt at random, mix that in as you're hashing, hashing the thing you want, and then store the salt alongside the hashed value. This would allow a, a later IP comparison by using the same salt against a candidate IP to see whether the hashes match when you do the same thing. But in this case, that normal approach doesn't provide the level of protection that the foundation requires due to the fact that the 32 bit I P V four search space is still so small compared to the speed of, of today's, you know, GPUs that are able to do very high speed hashing.

(00:47:59):
So instead the foundation said that they're gonna use a single secret salt that is not a, a public salt, a secret salt, which will not be stored in the database and that they would be taking steps to protect it against any leakage. Okay, so that was all well and good, but it's still left unanswered. The question of why the foundation was bothering to hash their databases, IP addresses, you know, what's the point? The answer that came was somewhat chilling. It's the same reason Express p n a sponsor of this network goes to great lengths to protect their user's IP addresses. Okay, get a load of this. The news of this major engineering effort came two days after the foundation revealed that it had been subpoenaed by the US Department of Justice to reveal information on five pi PI accounts. The requested information included the user's IP addresses, but also the IP addresses of all users who had downloaded packages from those five users.

(00:49:17):
The foundation wants to eliminate their own ability to respond to such subpoenas in the future, thus protecting the IP addresses and thus to some degree, the identities of those who are uploading and downloading Python libraries. So the problem here is essentially identical to the issue with encryption. You know, while no one wants to provide care and comfort to criminals, there's also a reasonable re presumption and expectation of privacy. And unfortunately, we keep seeing instances of government overreach such as the other story we covered last week, where the US F B I abused the powers of the f a data collection to improperly search the personal communications of Americans more than 300,000 times in a little over one year according to the US Senate Intel Committee. If the government wants the trust of its citizens, the government needs to first be worthy of that trust. And these revelations, you know, about them not being worthy, don't engender much trust.

(00:50:31):
And now we have very strong privacy enforcing technologies that are gonna, you know, move their ability to have the information that they want even under subpoena out of their reach. Other package registries have also announced plans to require their users to enable two-factor authentication. And while the Python foundation's move to purge IP addresses from logs and databases is a novel solution, it may develop into more standard practice in the future. So, you know, as a fly on the wall, I'm curious why the Department of Justice, you know, produced a subpoena that, that that required that the Python Foundation comply in their, in their full disclosure posting. They said they were caught by surprise. They had the information and they complied because at that point they had no choice, but they're going to move that information out of their own grip so that they are not able to comply in the future.

(00:51:43):
And speaking of not being able to com to comply in the future, an object lesson story appeared in the news last week. The so-called super VPN service by the publisher, super SoftTech, whose Android app, and there also is one from iOS. The Android app has been downloaded more than 100 million times, was exposing more than 360 million records due to its Chinese developer leaving the app's database open and exposed to the internet. And that database contained all the information the V p N provider explicitly promised would never be exposed, including information on all of its paid customers, including details such as EMA emails, the customers real physical ips, geolocation information and V P N servers. They had connected to the ba the database was secured only after it was discovered and reported to the developer by security researcher Jeremiah Fowler. And it's worth noting that Jeremiah's findings contradict the app's Google Play Store listing at the time it's been since removed, where the service claimed no logs saved anywhere as one of the benefits and features of its use. Our obvious takeaway lesson here is that it's very easy for anyone to make the claim to not be retaining any logs. No one using A V P N wants their usage to be logged. There's zero benefit to the user from having their V P N provider logging their activity. But it's obvious that the anti logging claim needs to be true for it to have any value whatsoever. So our takeaway is that it, it really does matter who is making the claim.

(00:53:52):
Well, Twitter may be facing stiffer headwinds with the EU 27 Nation block after Twitter last Friday, chose to drop out of a voluntary European Union agreement to combat online disinformation. The Associator press reported that European Commissioner Theory Britain tweeted actually he used Twitter, right? He tweeted that Twitter had pulled out of the EU disinformation code of practice that all other major social media platforms, including Google, TikTok, Microsoft, Facebook, and Instagram among others, have all pledged to support. He added the Twitter's obligation remained referring to the EU tough new digital rules taking effect in August. Breon said you can run, but you can't hide. Okay, well, so a little bit of tough talk there. There were early signs that Twitter was not prepared or planning to live up to its commitments. The European Commission blasted Twitter earlier this year for failing to provide a full first report under the code saying that it provided little specific information and no targeted data.

(00:55:12):
Breon said that the new digital rules that incorporate the code of practice fighting disinformation will become a legal obligation. Okay? But you know, Elon, as we know, is notorious for ignoring any legal obligations that he doesn't actually need to heed Breon concluded by adding someone ominously quote, our teams will be ready for enforcement uhhuh. It'll be interesting to see what, if anything that amounts to perhaps some monetary fines that Elon will ignore. I think that's gonna be about it. I doubt that the EU has the uos to block all Twitter access outright. So I think Elon is probably just, you know, gonna be successfully calling their bluff. There was also a flurry of confusion in the tech press last week over bid warden's announcement of their increased support for pass keys. I read some misreporting and I thought, wow. I mean, before I knew it was misreporting, I thought, great, I can tell everybody that bit warden will now be able to operate on passkey based sites.

(00:56:25):
No it's not what we, the actual news was not what we, what we've been hoping for, at least not yet. Apparently it's coming soon. Bit Warden is saying that end users will be getting passkey support for their bit warden clients sometime later this summer. What was the news was that their passwordless.dev site, which we've referred to at the time, shortly after Bit Warden acquired that group that you know, that, that they acquired not long ago. That they are offering APIs and code libraries now formally available to enable enterprises to add backend passkey web au end support into their authentication flows. So it's gonna, it's all open source and it's gonna make it much easier to do that. And there was also news that bid warden client users would be able to use PAs keys to authenticate to their bit warden client, which, you know, makes the entire chain as soon as the client is able to authenticate to, to, to websites will make that whole authentication chain complete. So, you know, bit Warden doing good stuff making web often more accessible, but we don't yet have a client that we can use through Bit Warden in order to log into websites. And again, even if we did, where would we log in? Because the, you know, there's no one yet really supporting it.

(00:57:59):
As I was scanning recent news for interesting updates and discussion, the phrase 1.2 billion Euro G D P R fine was difficult to ignore. It appears that Ireland's Data Protection Commission wanted to get everyone's attention. So they levied a 1.2 billion euro fine against Facebook's parent meta for their failure to comply with the EU GDPR laws. The Irish officials acclaim that meta illegally transferred the personal information of EU users to the US without their approval. What's apparently meant by this is the issue where Facebook data resides as in, you know, in a data center. Sometimes there, sometimes here, so this I D P C, the Ireland Data Protection Commission has ordered the company to cease all data transfers and delete existing user data within six months. And in case anyone was wondering, yes, 1.2 billion is indeed the largest fine so far imposed. I, I I guess I would say requested.

(00:59:23):
I don't know, not and they're gonna appeal it. Obviously it's gonna be a while. Yeah. Under the EU G D P R. Now to my mind, this represents a failure of imagination. Leo, on the part of those plucky Irishmen, if they wanted to really get everyone's attention over a fine that was never gonna be paid anyway, they should have gone directly to 1.2 gazillion euros. Well, they can go as high as I think 10% of revenue, they can go pretty high. Huh? That's true. Yeah. Not a gazillion, I think no one makes that much money, but Well, why settle for a mere billion when you could ask for a gazillion? Well, here's my question, and we talked a little bit this on Sunday. You know, email requires that my message goes from the server in my country, the server in your country. Yes. I I presume Facebook messages and Facebook posts have the same thing.

(01:00:24):
It doesn't make sense in a modern internet to say, your data has to stay in our country. I understand why they would want that so meta, but does it break the internet meta for their part? Said, let us think about it. Okay. No <laugh>, that's probably the right answer actually, to exactly no one's surprise. Meta said that they would be appealing, as you said, Leo, this nonsense. And so in more detail, meta explained that they were being unfairly singled out for attack because thousands of businesses, maybe even a bazillion businesses and organizations rely on the ability to transfer data between the EU and the US in order to operate and provide their everyday services. They explained that the real issue was not about you know, one misbehaving companies GDPR violating privacy practices, but rather that there are fundamental conflicts of law between the rules in the US and in the eu.

(01:01:34):
And that's, it's those laws that need to be brought into alignment. And they said, notably, Paula respective policymakers are expected to be resolving all of this in this coming summer. So yes, meta formally stated that they would be appealing the ruling, including the unjustified and unnecessary fine and seek a stay of the orders through the courts. And meanwhile, Facebook continues unimpeded throughout Europe. So, wow. Just, I mean, crazy. This is, I gu I guess, you know, if you have the GDPR then you wanna try to use it, but Yeah, I mean, I, I don't, I I honor their desire to protect people's. I don't, I I understand that. And, you know, some fines like the fine against Google for saying we turned off location tracking but didn't. Yeah, that doesn't bother me at all. Yeah. I just think that, I don't understand how the Internet's supposed to work if everything has to stay, it's like, well, your email will only work in Ireland.

(01:02:42):
Like you can only email people in Ireland. Huh? You can only message people in Ireland. I don't, I don't understand what they're thinking. Well that's, that's, that's why it's, that's called iMessage. It's Ireland message. Ireland message <laugh>. That's right. Apple knew this all along. That's right. Okay, so while we're on the subject very briefly of meta and Facebook, I wanted to note that WhatsApp messaging announced on Monday it was, oh, actually, actually Monday before last night yesterday, that they would be adding a feature that iOS users received with the update to the 16 versions of iOS and iPad os, which is the ability to edit after the fact for up to 15 minutes. The content of any recently sent message in the, in the case of iOS, apple allows up to five edits of a message during that 15 minute having been sent window, which I suppose is useful if you're really having a difficult time getting the message right.

(01:03:42):
Anyway, I was, it was, as it happened, I was glad to be reminded of this new feature in iOS 16, since I have a buddy who frequently follows up messages with little asterisks and like single words where he rereads the message after he sent it and goes, whoops. And then, you know, lets me know that he realizes there was a typo. And I, since I, since I put this in the show notes last night, I've sent him a text and said, Hey, guess what, mark? You're able to edit your messages after you send them. So he's very excited. And just so just a reminder, Dar e everybody else that you know who's using WhatsApp or iOS and iMessage and and iPad os, you can now edit things after you sent them. And finally, Google has announced a new bug bounty program aimed at their own franchises, Android apps.

(01:04:34):
They've named it mobile V R P for Mobile Vulnerability Reward program. And in describing the program, they said Google's mobile vulnerability rewards program Mobile V R P, focuses on first party Android applications developed or maintained by Google, and by that they mean, or a Google property. The mobile V R P recognizes the contributions and hard work of researchers who help Google improve the security posture of our first party Android applications. The goal of the program, the goal of the program is to mitigate vulnerabilities in first party Android applications and thus keep users and their data safe. Only apps published by the developers in the list below, or apps in the tier one list are in scope for the mobile V R P. So that's apps by Google LLC developed with Google Research at Google, red Hot Labs, Google Samples, Fitbit llc, nest Labs Inc.

(01:05:46):
Waymo, L L C, and Waze, w a z E. So there are three general classes of vulnerabilities that qualify under their rewards program. The first of the three is arbitrary code execution, where they explain vulnerabilities of this type allow an attacker to execute arbitrary code in the context of the vulnerable application in order to qualify the ace. In other words, arbitrary code execution should allow an attacker to run native code of their choosing on a user's device without the user's knowledge or permission. In the same process as the affected app, meaning there is no requirement that the OS sandbox needs to be bypassed. So, and they provide three examples. For example, an attacker gaining control of an application, meaning that code can be downloaded from the network and executed or overriding a dot. So file with a malicious dot. So file, which is then executed by the victim app or executing Java code in order to call the, the, you know, exec F function, which is then able to run arbitrary native code.

(01:07:06):
They said that merely tricking a user into installing an app and executing code within that app itself does not qualify. So it's gotta be an your ability to execute your own arbitrary code within one of Google's family of apps. The second of the three qualifying classes is the theft of sensitive data, which includes vulnerabilities that lead to unauthorized access to sensitive data from an app on an Android device where the scope of the qualifying data is data that enables unauthorized access to a user's account. You know, login credentials, authentication tokens tokens that are able to perform sensitive state, changing actions that result in non-trivial damage to the victim or sensitive user-generated data contact list information photos, unless they've been made public by default. Content of a user's messages, you know, email ims or texts call SMS logs, web history or browser bookmarks.

(01:08:13):
So basically getting data that you're not supposed to be able to get from any of Google's apps. And finally, information that is linked or linkable to an individual such as medical, educational, financial or payment data including employment information. So they did note that location information alone does not qualify. They don't, they don't feel that's significant enough. But, you know all the other stuff that you should not be, have access to does. And lastly, that, that, those are the first two classes. The last one is just additional vulnerability types, which are in scope path traversal and zip path traversal vulnerabilities, which lead to an arbitrary file, right? Intent redirections leading to launching non-sport application components. Vulnerabilities caused by unsafe usage of pending intents and orphaned permissions. The range of rewards is as high as $30,000. You would need to do a zero click arbitrary code execution in one of their apps, but if you can do that, you've got $30,000 and they go down to about 750 bucks, depending upon severity and, and class of, of apps.

(01:09:34):
So anyway you know, the, what we have witnessed is the emergence and clear success of the concept of bug bounties as a, like a, a functioning chunk of the security infrastructure in our industry where good guys are paid for finding and responsibly disclosing previously unknown and important bugs. And if you're good at it, you can make a living. I wanted to, to just quickly note that since last week I finished the full rewrite of Spin of Spin Right's, mass Storage Data Operations backend, and I finished testing it all by the end of the weekend. So Sunday evening, I released the 28th alpha, alpha 28 to the gang over in GRCs Spin ride.dev news group, and they have begun putting it through its paces. I have not been looking obsessively at it yet because I've been working on this podcast, but it looks like it's going pretty well.

(01:10:42):
I'm, you know, I'm sure I'll have something to report about that next week in my own testing. I can say that it felt significantly more solid and responsive than it had before. And it did incorporate many new features, you know, essentially thanks to the, all of the revelations that I was experiencing over the last six months. So I'm very glad that I took that month to scrap and re-engineer that very important part of spin, right? You know, that's where all the actual work happens. And Leo, after our final sponsor insert, we're gonna, I'm gonna be able to share the first really cool new idea that I've seen for browsers in some time. Nice. I can't wait. But first a word from our sponsor, Melissa, the address experts, a leading global data quality, identity verification, and address management solutions provider. We've been talking so long about them as the address experts.

(01:11:42):
I'd like to talk more about the other things Melissa can do. They just released brand new Melissa's Clean suite and Data Quality Suite. They've been named leaders by g2, the leading peer-to-peer software platform in the 2023 data quality and address verification spring report. We see we have the best sponsors, they're leaders. Melissa has also been named a momentum leader and a high performer in the same report across the small business, mid-market and enterprise segments. Melissa got various awards, including good partner, easiest to do business with, easiest setup, highest user adoption, and easiest admin. I've been singing the praises of Melissa for a long time. I'm glad to see them get that kind of recognition. Along with leader status. Melissa ranked highly in the price category, very nice for clean suite and data quality suite across many segments. Melissa's team believes that data quality should never cost more than it saves.

(01:12:43):
Isn't that a nice kind of point of view? You should be a positive return on investment. They continue to offer affordable, high quality solutions for data quality and address verification. And let me tell you, it is expensive to have bad data. Poor data quality can cost organizations an average of 15 million a year. And of course, every year that goes by, the more losses you can accumulate. Melissa eliminates waste, eliminates lost opportunities from incorrect mailings, improves customer satisfaction with seamless real-time identity verification data. Melissa's matching and de duplication tools help establish a single high quality customer record linking all the customer touchpoints for a perfect 360 degree view of each customer. Melissa complies with the United States Postal Services move update requirements, which assures the most current address data through processing right through the USPS's National Change of Address database. So you're getting the most up to date information, and they've been doing this since 1985.

(01:13:52):
They really are the experts. They've specialized in global intelligence solutions to help organizations unlock accurate data for a more compelling customer view. And don't worry, your data is absolutely safe with Melissa. They know it's precious. That's why they continually undergo independent security audits to reinforce their commitment to data security, privacy and compliance requirements. SOC two compliant, HIPAA compliant, GDR compliant, GDPR compliant. Your data is in the best hands because your data's worth a lot. So make sure you keep it up to date. Get started today with 1000 records cleaned for free. Melissa.Com/Twit. They've been a great partner of ours for years. We, we love them and you'll love it too. Melissa.Com/Twit. We thank Melissa so much for supporting security now all these years, and thank you Security now listeners and fans for supporting us by using that address. That way they know you saw it here, melissa.com/twit.

(01:14:56):
All right, Steve, I, I've been kind playing with the Brave Browser. In fact, a couple of weeks ago, Paul Throt made it his app of the week sounds like maybe it's a good browser to use for privacy. Well, they've done something I think is very cool. Last Wednesday, the Brave Browser privacy Team announced a slick new forthcoming feature that, as I said at the top of the show, I would love to see obtain some traction within the wider browser community, meaning, you know, also being adopted by Google for Chromium and Mozilla for Firefox. It's called request O T R, where O T R is short for off the record, the shortest summary of this interesting new idea is that this feature allows websites to suggest to the browser that this user's visit to the site should probably be forgotten and thus remain off the record.

(01:15:57):
So here's how the Brave Privacy team explained their idea. They said, starting in version 1.53, brave will begin rolling out a new feature called Request Off the Record. This feature aims to help people who need to hide their browsing behavior from others who have access to their computer or phone. Now, initially, this sounds like incognito mode, right? But it's not. So they said, for example, a person who's the victim of intimate partner violence, who needs to find support services without their partner knowing, or someone needing to find personal healthcare without others in their home finding out request. O T R allows websites to optionally describe their own content as sensitive. The browser can then ask the user if they would like to visit the site in O T R mode where the site is visited in a clean temporary storage area. Sites visited in O OTR mode are not saved to your browsing history.

(01:17:02):
And any cookies, permissions, or other site data do not persist to disk. Meanwhile, all other normal sites visited are stored and treated normally hiding the fact from anyone who may access the device later that any unusual behavior happened. Braven tends to work with other browser vendors to standardize O T R so that at risk browser users can be private and safe across the web regardless of which browser they're using. This features been designed with the input of and in collaboration with several civil society and victim advocacy groups. We agree with Mallory Coell, the C T O at the Center for Democracy and Technology, who said, quote, brave browser's. Attention to detail with O T R mode where users can more easily choose which websites are recorded in their browsing history is an important privacy innovation that can protect users in attacker, you know, situations, or anyone who wants more control over what their browser remembers and what it doesn't.

(01:18:12):
This feature empowers people who browse the web, all of us, and gives us more agency over content consumption. Okay, so brave said, some users need to hide their browsing from people who have access to their device. Most often when people talk about web privacy, they're talking about protecting personal data from other websites, for example, blocking Google from a recording the sites visited. However, web users have other privacy needs too. Needs that are currently poorly served by most browsers. They said, consider Sarah a hypothetical web user who lives with Stan, a physically abusive partner. Sarah needs to use the web to learn about legal, medical, and other support services in her area so she can safely exit their relationship. Stan, though, suspect Sarah May be planning to leave and begins monitoring Sarah's phone, computer and other devices to see if she's contacting support services. Unfortunately, not only do browsers fail to protect users like Sarah, they actually make it easier for abusers like Stan to digitally surveil them.

(01:19:27):
Browsers record a wealth of information about our browsing behavior and interests, both explicitly browsing history DOM storage and cookies, and implicitly cash state save credentials, URL auto complete, where still the tools browsers do include to protect people like Sarah are incomplete and or difficult to use correctly. Browsers currently provide some tools to help users hide their activity on sensitive sites. However, these tools are insufficient to protect people whose safety depends on hiding visits to specific sites from people who have access to their device. Existing tools either hide too much, thus inviting suspicion from abusers too little, thus allowing abusers to recover browsing history or otherwise difficult to or, or are otherwise difficult to use successfully. Private, also known as Incon incognito windows allow users to browse the web without their browsing activity being permanent recorded. Unfortunately, private windows do a poor job protecting users from on-device surveillance.

(01:20:38):
It's easy to forget to open a private window before visiting a site, especially under stress, thus causing the site visit to be permanently recorded. It's equally as easy to forget to close the private window and thus continue browsing in the private window beyond just the target sensitive site. This can reveal to the abuser that private browsing modes have been used, which on its own may elicit suspicion or put the victim at further risk. Similarly, some browsers include advanced browser controls that could be used to delete browser storage for specific sites. This approach has the drawback of needing to be performed after the site was visited instead of protecting the user during the visit, which may put the user at risk if the browser needs to be closed quickly. Additionally, these controls are often difficult to find and more difficult still to use correctly by non-technical users.

(01:21:39):
And finally, these browser controls typically only allow the user to delete stored values for the site. For example, cookies or permissions, but do not allow the user to delete other traces of the site, for example, browser history or cass. Finally, some sensitive sites include quick exit buttons in the site themselves, which allow a visitor to quickly navigate away from the site in a way that may be semi difficult for an abuser to detect. While useful, this approach is also incomplete. Quick exit buttons cannot delete many types of site data, for example, permissions or caches, and are constrained in their ability to modify the browsing history. Further, they depend completely on the correct implementation by the site. The browser is unable to protect the user. In contrast, Braves request O T R approach provides a comprehensive way for sensitive sites to request to be omitted from a user's browsing history and local storage.

(01:22:52):
Any site can request to go off the record and the user is prompted to determine whether they would like to do so. If so, the browser creates a temporary storage area for that site and does not record the site visit in the user's browsing history. The OTR session is tied to the site and any other sites. The user visits, even in the same tab, along with any sites visited in any other tabs are recorded in browsing history. As usual, Brave's implementation of request O T R protects the user in the following ways the user is prompted and proactively asked upfront whether they wish to have their visit forgotten after they leave. The users protected the entire time they're visiting a sensitive site, they don't need to attempt to scrub their browsing history later. Other non-sensitive sites are recorded as usual, which prevents the appearance of a of large gaps in browsing history that might look suspicious to an abuser.

(01:24:07):
All target site behaviors are prevented from persisting to disk, including cookies, Cass browsing, history permissions, et cetera. And finally, O T R prevents sites from abusing the feature. A site cannot go off the record unless a user explicitly gives the site permission to do so. Brave has developed request O T R specifically to help people suffering from intimate partner violence or people otherwise needing to hide visits to sensitive sites from their browsing history. However, O T R is intentionally a general browser feature and is intended to be usable by any site on the web. There are currently two ways for a site to request to go off the record. In brave, the primary intended way is for the site to include the header request hyphen O T R colon space one in the website's response to the initial navigation request to a site. If the browser receives this header, the browser will halt the navigation and ask the user if they would like to visit the site.

(01:25:26):
Off the record. If the user says yes, then the browser does two things. It does not record the site visit in the browser history, and it creates a temporary storage area for all caches, cookies and permissions. The browser continues using this temporary storage area for all subsequent pages visited within the same tab within the same site. When the user closes the tab or navigates away from the site, the temporary storage area is discarded and browsing behaviors return to being recorded as usual. The second way a site can request to go off the record is to be included in Brave's preloaded list of request off the site partner sites. These are sites that victim that, that serve victims of intimate partner violence and have told brave they're interested in being considered a sensitive site by default. Thanks to the browser, you know, in the browser, this list is intended as a bridge measure until all such sites have the opportunity to implement the previously mentioned header approach.

(01:26:37):
There are a few caveats. Users should be aware that Braves request off the record feature cannot protect users from other software on their computer that might record information about what sites they visit. Examples of software that brave browser cannot hide browsing history from include browser extensions, network spying, malware or spyware installed on the device. Information saved by sites before or after you visit off the record. In other words, you know, that's obviously just out of scope, operation, system level, logging and crash logs. They said BRAVE is exploring what additional protections can be provided using such threats. But users should be aware that as with systems like private browsing mode, Braves request off the record mode only prevents recording of core browsing behaviors and data. They finish saying, we're excited to release request off the record in the upcoming version, 1.53 of our desktop browser with an Android version coming in 1.54.

(01:27:46):
We'll be rolling it out to user shortly, though people interested in testing the feature can now enable it by visiting brave colon slash slash flags and enabling pound bracket or brave hyphen hyphen request hyphen OTR hyphen tab. They said, please note this should only be done if you understand the risk of testing experimental browser features, blah, blah, blah. We're also excited about the next steps we're taking to further improve the request O t R feature. First, we're working with experts and researchers at George Washington University and Pat Borne University to evaluate how request O T R is understood by users and how we can further convey to users exactly what protections the feature does and does not provide. We will sh both share the research that results from this collaboration on this blog and incorporate it into future versions of request OTR and brave. And finally, we're interested in working with other browsers, organizations and web companies to potentially standardize request otr so that users of other websites and browsers can benefit from the protection.

(01:28:59):
Our current implementation is the result of working with a wide range of abuse advocates, technologists, browser specialists, and NGOs. And we're eager to continue working with similar organizations to best support web users. So to all of that, foregoing, I say, a huge bravo. You know, as I said in 2023 with our web browsers at their current level of maturity, it is extremely rare to encounter something so clear, so clean and so simple. That is, I would argue, able to offer new and useful benefits to a user's browsing experience. And this new feature is such a thing. The user's experience of this is perfect. It could be baked into every browser, and most of us would never have any idea that it was present. But the moment someone who was in an environment that might make them vulnerable, visited a website that understood that by virtue of the services it offers its visitors might need the site's help in protecting themselves, the website could immediately prompt the browser to proactively ask the visitor whether they would like all of their use of this site to remain off the record and be immediately forgotten after they've left.

(01:30:28):
You know, it's, it's clean and simple and, and I think a wonderful addition to the traditional incognito mode of browser usage. And I, so I hope that the clarity and the objective goodness of this idea captures the imaginations of those at Google and Mozilla as well, and that it would grow into a worldwide web standard that I think it deserves to be just, you know, simple, but you know, and easy to do. But I think really, you know, a worthwhile benefit. There's some question in the chat about how this differs from a incognito mode or a private browsing mode. I, I would say that it's that you, that requires you to take that action explicitly. It also requires that you not do other things. The problem is, while you're in there, your browser's not logging, right? So, so if somebody was suspicious and looked at your history, they would see a block of time when they knew you were on the computer right?

(01:31:34):
And doing something that there was no record. Also if, if you suddenly got interrupted you would ha you have to, you, you'll like, you know, close in incognito mode, you might forget and leave it open. So, and what I, most of what I like about this is that, that somebody innocent who wasn't thinking in advance is proactively asked, yeah, oh, you are visiting us. Would you like this to be forgotten? Right? And they think, oh, yes, yes, thank you, <laugh>. Yes. And so that's all they, so it, so it's that proactive. And again, not no, no sites would, would ever display this to us unless the site itself knew that the type of services they were offering, right? Were those that like a woman's health clinic or a Yes. Yeah, of course. Yeah. Yes. Yeah, I think that's great. I think it's just brilliant.

(01:32:28):
Yeah, it's simple. It's a tiny little thing trivial to do. And, and so, so what it is, what it is, is, whereas incognito mode is mostly the things I'm doing, I don't want Google to remember, or my browser to remember you know, whatever it is, you know, any tabs, you know, that you open, this is just a, it's more selective just for the site that you're visiting. So other things you do during the time, other tabs you visit, other links you click, they'll all be there. Just not, just not this one selective site. And for me, also, the fact that it's proactive is the key that, that the, that this type of site says would you like this not to be remembered by your browser? Ooh, yes, thank you. <Laugh>. Yes. That's a matter of fact. You're of course you're also free to decline it.

(01:33:21):
You say, no, I, you know, I don't care. I'm fine. Yeah, yeah, yeah. I just think it's very clean. Yeah. Very nice, Steve. Always a fascinating and informative podcast. Thank you so much. Episode 9 25 is in the books. If you want a copy of it, there are a variety of ways you can get it. You've already heard it. I think many people <laugh>, otherwise you wouldn't be hearing me. Now, other many people listen live. So they get the freshest version. We do the show on Tuesdays right after Mac Break Weekly. So that's about one 30 Pacific, four 30 Eastern, 2030 utc. The live audio and video streams, which run all the time, are@live.twit.tv. So there's audio and video. If we're not recording a show, they'll be re you know, previously recorded versions of those shows. So there's always something, there's, we're always there to keep your company, let's put it that way.

(01:34:14):
After the fact, you can go to steve site grc.com. He has copies of the show. He has the normal 64 Kilobit audio that we have and the podcast feeds have. But he also has a couple of unique versions, A 16 Kilobit audio that he created for the bandwidth impaired. It's a little scratchy, but it's small. He also commissions really well done transcriptions from Elaine Ferris. So you can read along as you watch or I've used it to search Steve Site for a topic we've covered. So those are great. And of course, the 64 Kilobit audio. It's all@grc.com. Show notes are there as well in the PDF form. While you're there, pick up spin, right? That's Steve's bread and butter and the world's best mass storage, maintenance and recovery utility, six point oh's, current 6.1 s imminent, as you heard, we're getting there.

(01:35:04):
You'll get a free upgrade if you buy now. So don't hesitate. Grc.Com, lots of other free stuff there. If you have a question or comment, you can leave a feedback form at the website, grc.com/feedback. Or on Twitter, Steve is sg grc on Twitter and his dms are open. Good place to leave. Pictures of the week, comments and questions. SG grc. We also have copies of the show, 64 kbit Audio. He wants to go. You want to go <laugh>? You can go. I thought you were wrap it up. Spiels. Almost done <laugh>. Very close. We also have 64 Kilobit audio versions that showed our website as well as video. That's our unique contribution TWIT TV slash sn. When you get there, there's a link to the YouTube channel dedicated to security now, the video version, and of course to many podcast players as well as the RSS feed.

(01:35:56):
Just, you know, search for security now on your favorite podcast player. You'll find it and you can subscribe and that way you'll get all the new episodes the minute they come out. Steve, we're done. Have a great week. We will see you next time. We might even have something to talk about after the Apple announcement. I know. Yeah, I'm looking forward to that. That's Monday, what is it? 10 o'clock Monday, 10:00 AM on January on June 5th, and of course the next day Mac break, weekly and security now. So, yep. If there's anything in the security realm, we'll talk about it. <Laugh>, thanks Steve. Ah,

Jonathan Bennett (01:36:28):
Hey, we should talk Lennox. It's the operating system that runs the internet, bunch of game consoles, cell phones, and maybe even the machine on your desk. But you already knew all that. What you may not know is that Twit now is a show dedicated to it, the Untitled Linux Show. Whether you're a Linux Pro, a burgeoning ciit man, or just curious what the big deal is, you should join us on the Club Twit Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club twit exclusive Untitled Linux Show. Wait, you're not a Club Twit member yet? We'll go to twit.tv/club twit and sign up. Hope to see you there.

All Transcripts posts