Security Now 929, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We've got new browsers from DuckDuckGo and Opera, now with AI. We'll also talk about Kaspersky's discovery of a severe bug on iPhones. That's why there was an Apple update, emergency update last week, and the cost of doing business in the Russian Federation. That and a whole lot more. Coming up next. Podcasts you love

Steve Gibson (00:00:27):
From people you trust. This is TWiT

Leo Laporte (00:00:35):
This is Security Now with Steve Gibson. Episode 929, recorded Tuesday, June 27th, 2023. Operation Triangulation. Security Now is brought to you by AG1. Take ownership of your health with a simpler, effective investment with AG1. Try AG1 and get a free one year supply of vitamin D and five free AG1 travel packs with your first purchase of a subscription. Go to drinkag1.com/securitynow. And by Lookout, whether on a device or in the cloud, your business data is always on the move. Minimize risk, increase visibility, and ensure compliance with Lookout's unified platform. Visit lookout.com today. And by Drata, security professionals often undergo manual tasks of collecting evidence. With Drata, companies can complete audits, monitoring controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection and hello to automation. All done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation.

(00:01:47):
It's time for Security Now, the show where we cover the latest security news, of which there was a lot and I missed, but fortunately Steve's gonna fill me in. Hi, Steve Gibson.

Steve Gibson (00:01:57):
Yes, Leo, welcome back. We missed you last week. We had a, it's funny too, cuz I, throughout the podcast, I, I rec I recognize how much continuity there is in this podcast. And so, and we build on each episode builds on the episode before. Yes. Yeah. And so I kept saying to Jason, well, you wouldn't know this, but blah, blah, blah, blah. And like, trying to quickly bring him in to what we were talking about. But then I thought, well, wait, doesn't he produce this podcast? So maybe he's being forced to listen to it every week. Think whether he wants to, I think or not think, maybe be forced to listen to <laugh>.

(00:02:29):
Yeah. Yeah. Anyway, thank you Jason for how, for filling in. I really appreciate it. And we had a good time. So, so then I thought, maybe this is dumb that I keep saying, well, you wouldn't know this. And he's thinking, yes, it's an eye. I know it, I do, you know, it's a fair thing to say about anything you say on this show. You wouldn't know this because it's, it's advanced. These are advanced topics. Okay. But I actually created the second page of our show notes for you, Leo, because Aw, I just, I couldn't have you miss the things that we talked about mostly because there was only three. So <laugh> you know, yes, they were, they did know that. Yes. But, okay. But, so this week we're going to come back to a topic that we opened three weeks ago talking about Operation Triangulation.

(00:03:13):
And at the very end, Eugene Kaspersky tells us why he named it that, which I hadn't seen anywhere else. So today's podcast is chock full of news. We're gonna answer a bunch of questions. What has DuckDuckGo just announced? What about the Tor project? Has Opera just made a big mistake? What is the Kaspersky OS? What's happening to non-US web hosting for Russians? Are SolarWinds executives finally gonna be held to account? We now have the US Space Force. What's coming next? What's the latest large site to support passkeys? Who would, who would like permission to spy on their own citizens? And that's a little disturbing. Which facial recognition smartphone unlocking can you trust and which should not be trusted? And what was the inevitable shoe to drop following last week's coverage of this massive MOVEit Transfer mess? Then after sharing a bit of listener feedback, we're gonna take a much closer look at Kaspersky's discovery of a pervasive four year long iPhone spyware campaign.

(00:04:24):
And Leo, we've got another great picture of the week and a recap of last week's because I couldn't have you miss it. Steve. I am, I am touched and honored that you care so much <laugh> about me that you did that. That is, that is very sweet. I appreciate that. I have not looked, I have not peeked at any of our pictures of the week either. Good, because this one the, I I I was the, the, the picture, the concept behind the picture was not unique. But I'm happy with the caption that I gave it and it's, it ends up creating a wonderful effect for people who are in the know, as of course you and our listeners all are. Yes. You know, it'd be amazing, a really interesting point. I hadn't really thought about it, but it is true. You probably don't wanna miss an episode of this show.

(00:05:11):
And I hope none of our listeners are subscribe and download. And that way you'll always have a, a copy cuz we do build, each show does build a po you know, assume a certain amount of knowledge. Yeah. Security Now is brought to you by AG1. Many of you know Steve's a big believer in vitamin D, right? We've talked about that before. I was in Disneyland for a week. I ate nothing but fried food. I am glad I had AG1 with me. Like countless others, I wanna support my health without incorporating more pills or sacrificing my taste buds. AG1 is the daily foundational nutrition supplement that supports whole body health. Through a science driven formulation of vitamins, probiotics, whole foods sourced nutrients, AG1 delivers comprehensive support for the brain, gut and immune systems. Now of course, when you sign up for AG1, you're gonna get their lovely canister and the pack and the scoop and all that.

(00:06:13):
But you also get some of these, these are great for travel. When we were down in Disneyland, even though I was living on fried food, I started each day with my AG1 beverage. Delicious. My mouth is watering now just thinking about it. It's so good and it, and it's so good for you. Since 2010, AG1 has improved their formula 52 times in pursuit of making the best foundational nutrition supplement possible with high quality ingredients and rigorous standards. AG1 has become part of millions of daily routines, including mine. Individual supplements can be very expensive. I had a handful of pills I was swallowing at great cost. AG1 saves you time, saves you confusion, saves you money, with each serving costing less than $3 a day. When you subscribe, it makes it easier for you to take the highest quality supplements and just know, you know, confidently that you're, you're doing the right thing.

(00:07:08):
Whether it's improving digestion or supporting you with sleep, AG1 is the best bang for your buck. AG1. I want you to remember that it's simple. It's a drinkable daily habit with just one scoop, or in this case, one pouch. I get the nutrients and gut health support. That's, that helps my whole body thrive and covers all the nutritional bases. So if you're looking to take ownership of your health with a simpler, effective investment, start with AG1. Try AG1 and get a free one year supply of vitamin D, Steve, you'll like that, and five free AG1 travel packs like this with your first purchase of a subscription. Go to drinkag1.com/securitynow. That's drinkag1.com/securitynow. Please use that address so they know you saw it here. Check it out. AG1. You've got mail, Steve. I, I hear, hear it.

(00:08:03):
I hear it. I forgot to silence my phone. Bam. Bam. Next to me <laugh>. So, so is it picture of the week time? Picture of the week time and it's fun. Alright. Should I show the picture and Sure. I'll pull it up. I'm gonna see it first and then I will switch over to it so that, that you can <laugh>. Okay. Very, very good. Very funny. The caption you wrote, right? I wrote the caption. Yep. All right. Let me show it here. Unfortunately, it keeps shrinking down. I wanna show it full screen if I can, but I think it was Simon Zerafa, our, our longtime podcast listener and follower who had the concept of it. And I thought it was very clever. When Apple creates a walled garden, they don't mess around <laugh>. And of course, what's the picture of? Yep. Apple space.

(00:08:58):
Apple headquarters. Yep. Which is enclosing a beautiful garden. And that's one hell of a wall. It is a literal walled garden. Yeah, it actually is. Yes. Yeah. I I thought that was very cool. A lot of people pointed out that the Apple campus, the brand new headquarters of Apple, a few years old, faces inward, not outward. That's another another point to mention. Yeah. Yeah. And, and like, we don't, like, normal people don't ever get to see it, do they? I mean, no. Do they give no. Like it is just completely off limits to you get to go to the visitor center out here. Sometimes people get to go inside the ring, but yeah, you really have to be somebody special to be invited inside, inside the, the special space. Because I mean, it is like, you know, we, we see little bits of it on the WWDC and it is just spectacular. Yeah, it really does look beautiful. I mean, when you got the money and Jony Ive designed it with the help of Steve Jobs, you kind of get the best. Yeah. Okay. So now the next page of the show notes is the security catch up for you, Leo. Okay. Last week's picture of the week, starting week's, picture of the week.

(00:10:08):
If it's not tied down, of course, all that's left of this bicycle, which has been triple locked with two U-locks on the wheels and even a lock around the seat. And of course all that's left is the wheels and the seat. The frame is long gone. Yeah, that's the problem. Bicycle thieves, I'll tell you. I just love it. So, okay, so the, the, the, the few subjects that we talked about last week, believe this or not, and you just had to know this Leo, which is why I didn't want you to miss it. Okay. The, it turns out that those brilliant researchers at Israel's Ben-Gurion University of the Negev, who are always coming up with wacky ways of exfiltrating data, they listen to Security Now. And whoa. The, the lead researcher sent me a DM saying, Hey Steve, we've just finished some other research, you know, love the podcast.

(00:11:00):
Wow. We talk about them all the time. We do. And they're, they're listeners. So get this, you know, how much fun we've had joking about the fact that the flashing LEDs on our routers don't actually convey any data. All they're doing is showing that there's something going on on the wire. Well, that's true. It turns out however, that they have discovered that the power LEDs of equipment doing like secret computation is affected enough by the work required to process the secret information in crypto algorithms, that they have been able to recover secret keys by recording the, the LED fluctuations. And they're even able to do it using an Apple iPhone 13. Oh man. Because even though the frame rate of the, of the iPhone is 60 hertz, it turns out that the, the imaging arrays are scanning at 60 hertz. So if you fill the frame with the image of an LED, like by zooming in or holding the camera really close to it, you end up getting a, a two orders of magnitude.

(00:12:26):
So it goes from 60 hertz to 60 kilohertz of effective scanning rate. And that gives them enough, enough of a high sample rate to be able to capture minor intensity fluctuations, which they've been able to then reverse engineer the, the secrets that are being processed by the equipment. Wow. Wow. You just had to know, you just had to know that while you were off riding the dumb amazing Dumbo ride. That's Yeah. <Laugh>, we were, we were, we were here doing real work <laugh>. I did ride the Dumbo ride. You must have seen our Instagram post. Oh, I'm sorry. Well, I heard you did. Please. What, what about It's a Small, Small World? I did not go on this. I did not, but I did go on the Dumbo ride and, okay. That's okay. I'll show you. That'll be my picture of the week a little later.

(00:13:13):
<Laugh>. The last thing is that, believe it or not, we were hit, actually the entire industry was hit with a, the 25 year old persistent SQL injection vulnerability. Oh my gosh. Well, I know hu I was gonna say hundreds, but it's actually a couple thousand companies we're all using some software from a company called Progress Software called MOVEit Transfer. Oh, which is, yeah, yeah. Which a managed file sharing facility. Turns out horrible SQL injection vulnerabilities, all of them got their data exfiltrated and are now being ex extorted. And I mean, the list of companies that this happened to was astonishing. And so of course that set me off on a tirade last week about, you know, how is it that in 1998 this was observed as being a problem. Apple said, don't worry about it, it's not a problem.

(00:14:17):
And here we are now, you know, it's also been OWASP's number one security threat, like, you know, constantly on their list. And it happened again. Oh. And the, the final announcement of last week was that SpinRite is at like completion where I, I proposed, I released Alpha 29 and then Alpha 30, we are like right at the edge of this thing being done. It looks like I may actually have just broken something in the last, the last couple days, but, you know, a a so-called regression. Hands off, Steve, hands off. I'll get, I'll get that fixed. Stop touching. So, and here I am while you were talking about that literally on Dumbo and there's Lisa in her own. Is that Le is Lisa behind you here? Yeah, she had her own Dumbo. We didn't wanna share. She had her own Dumbo car.

(00:15:11):
Yeah. Okay. Yeah, it looks like to me, you're having too much fun on the Dumbo ride. It's kind of fun. I have to admit that's more my speed than the rollercoasters. She went on the Matterhorn. I did not. Wow. Of course, none of the rollercoasters at Disneyland are worth anything. They're not that you need, you need Knott's Berry Farm kind of stuff. Oh, you are? Oh, you're a purist. Are you okay? Oh yeah. You know that the the, they used to call it California Screamin'. It's the Incredicoaster at the California Adventure part of Disneyland. And, and in LA just down the road from you, I might add, has a roller coaster that is a rail gun. Did you know that? I love seeing the pictures of it. You, you were talking about it somewhere. Yeah. And I think that's so cool. It's magnetic induction.

(00:15:56):
Yes. They have these plates. Acceler acceleration. They have these plates and the cars. So you get positioned there instead of, you know, most rollercoasters. Oh, click a clack up a steep hill. And, you know, there's a lot of anticipation when we get to the top of that hill. We're going down. Hey, this one? No. Hey, I grew up at Santa Cruz, so I know all about the worst boardwalk. That thing. That was the thing. That's why I don't go on rollercoasters. Oh, I was in high. It's rickety wood. Oh. And boy, you just, and the beams are going by you 80 miles an hour from inches from your head. And I'm, that's the first and last rollercoaster I ever went on in high school. You know, the world has changed a lot. You used to have Easy-Bake Ovens where you could burn your fingers.

(00:16:36):
Yes. And you used to have chemistry sets Yes. Where you could actually create chlorine gas. Yes, I actually did. So I know that. But no, not anymore. Nope. No, no children. You cannot have anything that's actually fun to play with. No, you know, no, no, no actual rockets that, that, you know, work. Yeah. The rollercoasters are safer now. That's the upside. Yeah. So DuckDuckGo browser. Joining the macOS browser, they, which they launched last year, DuckDuckGo now has their Windows browser in public beta. Ah, good. And as we would expect from the privacy first search folks, the DuckDuckGo browser, and I sure do hope that's not what they're gonna actually name the thing, it is privacy first. It sports, and I kid you not, the Duck Player, which is a YouTube player that allows viewing YouTube videos without privacy invading tracking ads.

(00:17:41):
What? And prevents what Yes. And prevents videos viewed from impacting future recommendations. So, well, they're not letting it track you and profile you. Enjoy it while you can kids. Cuz that's not gonna last. <Laugh>. No, YouTube has already blocked most ad blockers on YouTube. Yeah. I think it's just a matter of time. So the duck browser may not be long for this world. Sure. They, they claim that the browser's tracker blocking, which is built in, goes above and beyond what's available from Chrome and other browsers. They wrote our third party tracker loading protection, for example, blocks the hidden trackers from companies like Google and Facebook lurking on other websites before they get a chance to load. And it's unclear what what this means. They wrote smarter encryption to ensure that more of the websites you visit and the links you click are encrypted relative to other browsers.

(00:18:43):
Okay. So this was written not by the engineers, but by the marketing department. I'm sorry. Yeah, that makes no sense. I guess what, I guess <laugh>, I guess what they're saying is they're being more clever about choosing HTTPS alternatives when those are available. But really that problem's kind of been solved already. Yeah. So I'm not sure that that's that useful. Now here, okay, here's something that might be worth the price of admission, which being zero admittedly sits the, sets the bar rather low. They said, but they said cookie pop-up management a tool that automatically selects the most private options available and hides cookie consent popups. Yes. Yes. So I would like to have that. Yes, that would be good. I don't know how they do it because how are you going to like, automatically respond to arbitrary popups and choose the most private one?

(00:19:37):
I don't know. Hmm. Okay. Now here's a problem. They called it the fire button, as in lighting a fire it, and they said, burns recent browsing data in one click. Oh, please. I know. And there's also the fireproof option, and that's what it's called for any sites you wanna stay logged into. Now, I suppose if you name your privacy centric search service DuckDuckGo <laugh>, then you've already lowered expectations about, we know you hate that name <laugh> about the, oh my god, about the name you're going to use for other things. But somehow the idea of a web browser having a burn bag into which websites are tossed by pressing the fire button to light them on fire and reduce them to ashes unless you have fireproofed them ahead of time. I don't know, I these, you know, maybe it wasn't the marketing people after all Leo, because this really seems like, you know, it should not have gotten out on, in, in the public view.

(00:20:45):
<Laugh> the browser also offers built-in email protection to hide user email addresses behind uniquely generated @duck.com, cuz that's what everyone wants to be known as, addresses when signing up online. Now, while that sounds handy, it also would create some quite powerful lock-in effects if you are, if like all of your logins are some email address @duck.com. So I'm not sure about that. Anyway, the beta of the browser, which apparently goes by the catchy name DuckDuckGo for Windows, is available from, not surprisingly, duckduckgo.com/windows. And they note that switching is easy since, of course, like all current browsers, it's able to import bookmarks and passwords from other browsers and password managers. Their announcement had a couple of additional interesting things to say. They wrote the browser doesn't have extension support yet, but we plan to add it in the future. And I would say, well, okay, if it, if it survives. Anyway, they said In the meantime, we've built the browser to include features that meet the same needs as the most popular extensions: ad blocking and secure password management.

(00:22:06):
So they said of secure password management, our browser includes our own secure and easy to use password manager that can be ama that can automatically remember and fill in login credentials. DuckDuckGo for Windows can now also suggest secure passwords for new logins, which of course everybody else has already had for a decade. This will get even more convenient soon when we roll out private syncing across devices, which, you know, you really can't use this until it has that. So you'll be able to sync your bookmarks and saved passwords between different devices, whether you're using a DuckDuckGo browser on Windows, iOS, Android, or Mac. Okay. Ad blocking. DuckDuckGo for Windows is equipped with our privacy protecting alternative to ad blockers. The browser blocks invasive trackers before they load, effectively eliminating ads that rely on creepy tracking. You know, because they said so many ads work that way, you'll see way fewer ads, if any at all.

(00:23:11):
We also removed the white space left behind by those ads. Oh, that's good. For a clean, yeah, for a clean distraction free look without the need for an outside ad blocker. So yeah, that sounds good. And finally, Duck Player, our browser's more private way to watch YouTube. They said this built-in video player protects you from tracking cookies and personalized ads with a distraction free interface that incorporates YouTube's strictest privacy settings for embedded video. They said in our testing, by blocking the trackers behind personalized ads, Duck Player prevented ads from loading on most videos altogether. Which again, Leo, I says, I I agree with you. Like, let's see how long this lasts. YouTube still logs video views, so it's not completely anonymous, but none of the videos you watch in Duck Player contribute to your personalized recommendations or your YouTube advertising profile. You can leave the feature always on or opt in on individual videos.

(00:24:25):
And I thought that what was most interesting was that this recently created browser was apparently not simply window dressing surrounding Chromium, which are, you know, pretty much everyone else's web browser including Microsoft's own Edge. So they explained DuckDuckGo for Windows was built with your privacy, security and ease of use in mind. It's not a fork of any other browser code. Oh, that's interest the code, huh? Yes. Their own engine. Yes. Huh. All the well, kind of all the code from tab and bookmark management to our new tab page to our password manager is written by our own engineers. For webpage rendering, the browser uses the underlying operating system rendering API. Oh. In this case it's Windows WebView2 call that utilizes the Blink rendering engine underneath. So that's interesting. On the other hand, what this means is this is all virgin code and like, you know, don't trust it very far.

(00:25:39):
Right. Because, you know, my Microsoft abandoned Blink in order in order to switch to Chromium for Edge. So DuckDuckGo has come along and said, okay, we're gonna use Blink. Is Blink the Internet Explorer engine? I guess it is. Well, no it it was the, yeah, the IE 11 engine. Oh my God. I know. Okay. What know could possibly go wrong. What? Yeah, exactly. On the Apple, I presume it uses WebKit, which is a pretty up to date. Yes. Standard. Yes, exactly. So they, they, they, they finished by saying our default privacy protections are stronger than what Chrome and most other browsers offer. And our engineers have spent lots of time addressing any privacy issues specific to WebView2, such as ensuring that crash reports are not sent to Microsoft. Cuz of course the crash report would also tell like Microsoft which URL you had pulled, which caused their precious browser rendering engine to crash.

(00:26:40):
And then so they can go fix it. So, okay, Leo, since Paul Thurrott appears to have an interest in exploring the experiences and features offered by various web browsers, perhaps when the subject of web browsing next comes up, as it probably will, you know, tomorrow. Tomorrow, yeah. Yeah. Just yeah, just mention DuckDuckGo. I'll ask. For Windows. Yeah. And yeah, see if he wants to go poke at it. He has certainly tried DuckDuckGo on his iPhone and and his Macs, so it won't be unfamiliar to him. And the I course many of us use their search engine, so Yeah. Yeah, yeah. All right. All while we're on the subject of, of browsers, I'll note for the benefit of any of our Tor browser users, that version 12.5 has just been released. It supports a bunch of UI improvements, including a redesigned visualization of the Tor circuit, which shows the Tor onion router hops between you and whatever site you're visiting.

(00:27:40):
Basically, you used to have to go to, to a separate place in the browser. Now in the same way that you can click on the URL bar to like, like show certificates and things. Now in this, in the redesigned UI for the Tor browser, you were able able to, to click just ahead of the u of the URL and it drops down a little window showing you a cute little circuit diagram of, of, of you at this IP. And then the first runner router at this IP, the second, the second router in the chain at this IP, the third router at this IP, and then the site where you're visiting. So anyway, it's kind of cool. And finally, one more browser update. Not long ago everything was blockchain this and blockchain that, you know, blockchain was the magic pixie dust that was being sprinkled on everything to make it more better.

(00:28:35):
Today, that role has been taken up by the phrase, which we were talking about at the top of the show. AI, AI <laugh>. It really is the blockchain of this is blockchain. It really is exactly it. Exactly. I suppose it shouldn't surprise anyone that every other word in Opera's announcement of their totally rebuilt from the ground up, all new web browser is AI. So last Tuesday they posted this: Hey, Opera fans, today we're excited to drop the big news that Opera One, which is what they're calling it, the latest incarnation of the Opera browser, is here and ready for you to download. Here's the scoop, they wrote. Opera One is your familiar Opera browser, except as we'll see in a minute, it's not, but it's been given a major makeover. And we're not just talking about a new coat of paint. We've reimagined and rebuilt Opera from the ground up, paving the way for a new era in which AI is not just an add-on, but a core part of your browsing experience.

(00:29:48):
So what's actually new? Well, for starters Opera One is introducing Aria, the first ever native browser AI. There's also a totally fresh modular design and a bunch of game-changing features like Tab Islands ingrained within the browser. Okay? Now I'm not gonna spend any more time on this, and from the comments in the announcement's posting, which was the posting was long, the comments were at least as long, from what I could tell this totally new look, feel and AI were not going over very well with existing Opera users. You know, and in, in fairness, big changes always have that risk, right? Like, this is a completely changed look. It doesn't even look like a browser. It's got super roundness and things are floating around. Well, whatever these Tab Islands are, you know unfortunately it may be Gilligan's three, three hour tour <laugh>, it just doesn't, doesn't look like, like this thing is gonna go.

(00:31:02):
But anyway, for what it's worth, if there are Opera fans out there, wanted to let everyone know Opera One, take it or leave it, it's got AI in it. I don't know what that means, but you know, if you're curious, you can find out. Okay, as we've reported, the Kremlin in Russia is now moving away as quickly as possible from Western made smartphones. And this is like one of those, why did it take them so long? Because, yeah. So it only makes sense that they would turn to their own well-regarded Kaspersky for a solution. To that end, Kaspersky has previewed the first version of their Kaspersky OS, a hack resistant, we don't know what that means exactly, but good, mobile targeted operating system that they've been developing for the past several years. It was demonstrated at a business conference recently held in St.

(00:32:03):
Petersburg just earlier this month with the initial version equipped with a bare bones set of basic applications for phone calling, SMS messaging, an address book, and a settings panel. So, again, bare bones. Kaspersky says it's currently working on adding a Chromium based web browser and support for a camera, Wi-Fi and NFC features. They are looking for a partnership with a hardware smartphone vendor to produce a finished product, which will eventually be made available on Russia's internal market. And, you know, I don't have to tell them this because these guys know what they're doing, but if you want security, you need to hold back on features, right? I mean, you're not gonna be competing with iOS or Android unless you wanna just give up on security. I don't know what hack resistant means, but, you know, keeping this thing to a bare minimum of features is, is the way to keep it secure.

(00:33:11):
So it'll be interesting to see how this evolves. And this would of course provide an answer to Russia's need for something more secure than, you know, go buy an Android device from a Chinese vendor, which is what they've been saying up to this point. And while we're on the subject of Russia, the cost of doing web hosting business in Russia just increased. So I suppose that means that the cost of web hosting to Russian citizens located within Russia will also be increasing as those costs are passed along. Last Thursday, our favorite Russian internet watchdog Roskomnadzor named the the 12 largest and most popular internet hosting companies who must participate in some new legislation. I had Google Translate Roskomnadzor's announcement from Russian. According to the legislation, foreign hosting providers whose users are located, among other locations, on the territory of the Russian Federation are subject to federal law number 236-FZ, which is titled On the Activities of Foreign Persons on the Internet in the Territory of the Russian Federation.

(00:34:41):
Inclusion in this list of entities imposes obligations on foreign hosting providers to open a branch, a representative office, or some legal Russian entity in Russia, post an electronic feedback form for Russian users on their website and register an account on the Roskomnadzor website for interaction with local Russian authorities. Failure to comply with the legislation risks the imposition of fines, and even access being blocked to their infrastructure. And the list is pretty much the who's who of internet hosting: AWS, DigitalOcean, GoDaddy, HostGator, DreamHost, Bluehost, Hetzner, WP Engine, Network Solutions, Ionos, FastComet, and Kamatera. So everyone, yes, basically everyone. Now I did notice that Azure is not there. Is that, does Azure do web hosting or are they just cloud? Oh, that's a good question. Cloud, yeah. Service stuff. Yeah, you could probably run IIS on Azure and and serve it.

(00:35:58):
That's a good question. I don't know. Yeah, it was, they were sort of conspicuously missing anyway, nor is Google on there either. Oh, you know why? Because Microsoft and Google both already have offices with ah, humans in them. And the by the way, this, the whole point is so that there is somebody they can arrest. Yes, exactly. If if they don't like what you're doing, and you know, there's actual collateral damage. Yes. Yes. Some, some skin in the game. Some skin in the game, literally. Yes. Yeah. And, and, and so, so these guys are offering their services to Russians inside the Russian Federation. Sure. Yeah. Without themselves being there. Yeah. So, no. Yeah. Not gonna happen. Let's take our break, Leo. Yes. And then indeed we will continue. Indeed. Security Now is brought to you by Lookout. I know you listen to this show because you're concerned about security.

(00:36:52):
And if you have a business, you know, everything has changed, right? Boundaries to where we work and even how we work have completely disappeared. They've dissolved. I just saw that 30% of the commercial real estate in San Francisco is vacant. People just don't go to the office anymore. That means your data is on the move, whether it's on a device, in the cloud, across networks, the local coffee shop. Great for your workforce. They love it, right? But it's a challenge for IT security, of course. That's where Lookout really makes a difference. It helps you control your data and free your workforce. It's a win-win. With Lookout, you gain complete visibility into all your data. You can minimize risk from external and internal threats, and you can ensure compliance. That's something we have to do now, right? By seamlessly securing hybrid work, your organization does not have to sacrifice productivity for security.

(00:37:50):
And your IT department will love it. With Lookout, IT security is a lot simpler. You know, nowadays they're working with multiple point solutions and legacy tools. It's just too complex, because you know one thing for sure: complexity means there's holes, there's gaps in your protection. Lookout's single unified platform reduces that complexity, gives you more time to focus on whatever else comes your way. And you know it's coming your way, right? Good protection. It's not a cage. It ought to be a springboard letting you and your organization bound toward a future of your making. That's what Lookout promises. Visit lookout.com today to learn how to safeguard data, secure hybrid work, and reduce IT complexity. lookout.com. Thank you so much for supporting Security Now. Back to you, Steve. So slowly turn the wheels of justice. Oh yes. SolarWinds. Remember SolarWinds? Of course we do.

(00:38:51):
Yes. From three years ago. They've said that some of its current and former executives have received what's known as a Wells notice from the US Securities and Exchange Commission, which, you know, is in the role of overseer of publicly traded companies. The notice in this case is in connection with the company's devastating 2020 security incident, which is of course why we all, and the only reason we all know the name SolarWinds. A Wells notice is a letter that the SEC sends to companies when the agency is planning to bring an enforcement action against them. SolarWinds says the SEC may fine or bar some executives from serving as officers or directors of public companies. So, you know, you can't completely hide behind the corporate shield, especially when something this bad happens.

(00:39:54):
Last Friday, the Senate Armed Services Committee announced that it will be formally exploring the idea of creating a new dedicated cyber force branch of the US military. So it'll be standing alongside the Army, the Navy, the Air Force, the Marine Corps, Coast Guard, National Guard, and of course we have the Space Force now. Looks like we're on our way to having an official Cyber Force as a branch of the armed services. To further this, a provision has been added to the 2024 National Defense Authorization Act calling for an assessment of creating such a dedicated Cyber Force branch. And now, Leo, I have a picture in the show notes here at the bottom of page five which shows this apparently in action. And what I wanna know is, why do these photos of US cyber defense always show guys with shaved heads?

(00:40:58):
That part I understand. And camo. They're sitting... Yes, exactly. They're sitting in front of their screens and keyboards dressed up in full camo, you know? And is this an attempt to avoid being seen by the webcam? It's actually the opposite of camouflage, if you think about it. They would be much harder to spot if they were wearing business suits and ties. Yes. It's pretty obvious that there is something going on here. And I don't think those outfits are comfortable, are they? I mean, I don't know. Sad to say, I've never served our country and have never worn them. I don't know. Maybe somebody who is in the service knows. Can you wear, I mean, do you have to wear the camo everywhere? Is this your uniform that you wear everywhere?

(00:41:50):
And what I don't see is a Post-it note. If they just used a yellow Post-it note. Is there anything special about that? That keyboard looks pretty good. That does look like a nice keyboard. Nice keyboards. Those are fancy switches, so I don't know. Yeah. Although look at the wire, like it's stuck up in front of the display. I think this whole photo was set up, Leo. "Hey, you gotta get rid of that Logitech Bluetooth keyboard, here, use this. But definitely dress up in camo, because we definitely wanna show that, you know, you went through boot camp in order to boot your computer." Yeah. I don't know. Yeah. Doesn't make any sense to me. Yeah. Reverb Mike says they're comfortable. These BDUs and khakis are comfortable.

(00:42:30):
He wore 'em everywhere. So there you go. Good to know. There you go. And I wonder if they actually do wear them, like in these cyber... I feel like they wear black t-shirts that say, you know, death metal. Yes, exactly. Hands on them. But I might be wrong. Like, "boot you" or whatever. So who, me? Yeah, <laugh>. Okay. Just a quick note that Apple has now added passkey support for logging into apple.com. You will need to wait for the formal release of iOS 17, iPadOS 17, or macOS Sonoma to be able to do that, or be using a beta. But for what it's worth, that support is there now. I suppose that other passkey clients should also work now as well. So if you're looking for somewhere to log in, you can do that at Apple.

(00:43:26):
Okay. Now here's a bit of sadness that actually we'll be coming back to at the end of the podcast. Several European governments, specifically French, German, and Dutch officials, are pushing the EU to add an exemption in its upcoming European Media Freedom Act, EMFA, which would explicitly, I can hardly say it, I can hardly believe this <laugh>, explicitly allow EU member states to continue spying on the electronic communications of journalists under the guise of national security. The push follows the results of the EU's own PEGA, P-E-G-A, commission, which advised the EU to head in the opposite direction by adding additional safeguards to protect democracy and the rule of law in the EU against the abuse of spyware tools. In PEGA's report published last year, the commission said several EU countries were abusing surveillance technologies to illegally spy on their own citizens, including journalists, under murky and vague national security justifications.

(00:44:51):
More than 60 journalistic organizations and civil society groups have signed a joint letter to the EU Council advising against weakening the upcoming law and giving governments an explicit spying carte blanche. So yeah, apparently everyone else gets constrained by the GDPR and all that it brings, but the governments themselves, which are behind the GDPR, are seeking to legislate a loophole to allow themselves to use spyware, which of course is in itself, let's not forget, illegal malicious software. Unbelievable. Okay. Now it may be obvious to everyone, but I think it's still worth reminding everyone that just because Apple did a beautiful job and got the whole facial recognition challenge correct, that fact should in no way confer any presumption that anyone else did the same. A recent study updated an earlier study from four years ago; both concluded that, with the sole exceptions of Apple and Samsung, the phrase "smartphone facial recognition security" is an oxymoron.

(00:46:27):
The updated research, conducted by a Dutch consumer protection association, found that facial recognition systems on most of today's mid- to upper-tier smartphones, which is to say the only smartphones that have any, can be bypassed using a simple two-dimensional photograph. The researchers bypassed facial recognition on 26 different smartphone models by showing a photo of the owner to their phones. Only Apple and Samsung devices were found to be secure. Researchers were unable to bypass facial recognition on any of Apple's iPhones, and only one out of 12 Samsung models failed the same test. 14 of the 26 smartphones that failed the test were Xiaomi models. Among the failures were Motorola Motos, Nokias, a OnePlus, two Oppos, and one Samsung Galaxy. That one Samsung was a Samsung Galaxy A04s. And then all the rest were just like all of these Xiaomi phones.

(00:47:53):
Now, of course, we'll all remember, 'cuz we are all here on the podcast, when Apple first unveiled their facial recognition, the first thing that naturally occurred to all of us was to wonder how easily their technology could be spoofed. What we learned was that the phone projects a scanning dotted grid, an IR grid, which is viewed by offset cameras to determine whether what's being presented to it matches the model of the 3D face that was created and mapped when the phone's user was first presented to it and deliberately moved around to, you know, register themselves and create that map. While that system, which is quite sophisticated, can be spoofed by creating 3D replicas of the user's face, no simple-to-create flat photo will do the job. So I just wanted to remind everyone that, again, just because Apple went to the extreme measures to create a highly spoof-resistant facial recognition and unlocking technology, no one should assume that anyone else who offers facial recognition unlocking also took the time to get it right.

(00:49:20):
Apparently no one but Apple and Samsung did. You know, since getting it wrong is so much easier to do, that's what's typically done. And it seemed to me that the danger is that facial unlocking would've started off with a great reputation of being secure, and that other manufacturers would just be riding Apple's coattails by saying, yeah, we've got it too. Look, you can look at your phone and unlock it. Well, yes, and apparently you could show it a photo from the internet and unlock the phone just as well. So, you know, just a caution that, you know, maybe you wanna actually do that if you have a non-Apple or Samsung phone to see, you know, how secure that unlocking really is. Well, I wonder if that includes Google, or does Google not have Face ID? I guess Google doesn't.

(00:50:14):
I think they're big on thumbprints. Yeah, yeah. Yep. Okay. Google, speaking of Google, has committed more than $20 million to the creation of cybersecurity clinics at 20 higher education institutions across the US. The clinics will provide free cybersecurity training and hands-on experience for thousands of students. Some Google employees will serve as mentors and trainers at some of the clinics. Google will also provide free scholarships to allow some students to attend its cybersecurity certificate program. In part of this announcement, Google said these clinics provide free security services in the same way law or medical schools offer free clinics in their communities. They give students the opportunity to learn and improve their skills while helping to protect critical infrastructure such as hospitals, schools, and energy grids. Now this sounds like a great idea, though I'll admit that the cynic in me wonders whether this might not also be a terrific means for recruiting talent from those institutions. You know, not that there's anything at all wrong with doing so; after all, the reason those students are there is to acquire the knowledge and skills necessary to find gainful employment. So, you know, getting a head start with Google might be a way to do that.

(00:51:44):
Okay. So now finally, I suppose it was inevitable that the subject of last week's massive MOVEit maelstrom, which was last week's title... I suppose it was inevitable that Progress Software would soon be facing lawsuits, because the damage that occurred was astonishing. And sure enough, at least two federal class action lawsuits have been filed so far in connection with this devastating SQL injection vulnerability which was discovered and widely exploited in their software, and which of course we covered in detail last week. The lawsuits allege that it was the company's negligence which led to the breach, thus putting the personal financial data of all of the individuals who are bringing these lawsuits at risk. The first suit, which was filed on June 16th in US District Court for the Eastern District of Louisiana, alleges that the vulnerability led to the breach of the state Office of Motor Vehicles, which as far as we know it did. Louisiana said that their Office of Motor Vehicles statewide was completely... all of the personal data was exposed.

(00:53:11):
They announced the breach the same day, warning all Louisiana motor vehicle drivers that their names, addresses, dates of birth, driver's license numbers, social security numbers, vehicle registrations, and any other information that they had was likely stolen. You know, pretty much the whole enchilada. About 6 million records were exposed and likely stolen. The plaintiff in the first case, Orleans Parish resident Jason Berry, alleges that his personal data was put at risk by the breach. He alleges that the company also failed to promptly notify potential victims of the risk of exposing their personal information. The suit seeks class action status for others impacted by the breach. Now, I'll just note that that's nonsense, because he brought the suit the same day that Louisiana announced the problem. So how could Progress Software have known that this was the case until Louisiana said, yep, we were hit by this?

(00:54:28):
So I don't think this stands much chance of going anywhere. And you know, you and I, Leo, are both not big fans of class actions, because most... that just seems like, you know, a way to enrich attorneys. As we were recording last week's podcast on this topic, the second case was being filed in the US District Court for the District of Massachusetts on behalf of, also Louisiana, three Louisiana residents. Chaon Diggs and Brady and Christina Bradbury brought that class. The class exceeds a hundred people and the plaintiffs are seeking upwards of $5 million. Now, is that for the whole class or individually? That wasn't clear. But this is according to the complaint. The second, Massachusetts, case alleges that Progress Software failed to adhere to Federal Trade Commission guidelines for data security, failed to protect customer data, and failed to properly monitor its own internal systems.

(00:55:32):
Okay? Except that's not the nature of the breach that occurred. And, you know, I don't have any opinion more or less about this one way or the other, that is, from the legal standpoint. One issue may be that the plaintiffs need to be more than just upset over the news of this happening. At this point, they may just be chasing ambulances. I suspect that they need to demonstrate that they have been individually and collectively damaged by the breach. And that may not be easy. Remember, as we talked about last week, the Clop gang, who are Russian extortionists, did say that they wanted nothing to do with government, educational, or police agencies, and that any data obtained from any of them would be immediately deleted. So Louisiana is certainly a government agency as opposed to a private enterprise.

(00:56:35):
So I hope that Progress Software's attorneys are up to speed on that and may be saying, look, as far as we know, there's no danger here. Everyone knows quite well that I have no sympathy whatsoever for anyone who designs web server software in such a way that it feeds any user-provided text to a backend SQL database, which stupidly mixes commands and query text into the same text stream. Anyone who is still doing that 25 years after it was first observed to be a really bad idea, and with it being consistently the top vulnerability in OWASP's Top 10 list of really bad ideas, is probably gonna get what they deserve. But we don't know in sufficient detail how this happened. You know, remember that back in November of 2015, when Marriott International acquired Starwood Hotels and Resorts, the Marriott execs didn't know that Starwood's network was hosting some serious security vulnerabilities.

(00:57:46):
And three years later, in September of 2018, that oversight came back to bite them hard. Should Marriott have done an in-depth security verification? Yes. And perhaps they did. We don't know. If vulnerabilities were not extremely difficult to find, they would all be eliminated before software was ever shipped, and, you know, the entire bug bounty industry and Pwn2Own competitions would not exist. But the fact that bug bounty hunting can be a profession these days, and Pwn2Own is full of previously unknown vulnerability discoveries, just demonstrates that these things are hard to find. So in this case of MOVEit and Progress Software, I don't feel any sense of Schadenfreude. This is a tragedy all around, where everyone has lost. Our listeners know that I always completely separate mistakes from policies. So my only argument here is that the use of SQL in this way, in any way that opens the door for injection, is a policy decision.

(00:59:08):
It was a mistake that this policy was not implemented perfectly. But if this database architecture policy had not been used at all in the first place, then there would've been no reliance upon the filtering code needing to be perfect. And apparently some imperfections were found and exploited. So it'll be interesting to see over time what happens with this. You know, lawsuits are unfortunate. We are in an industry where... and Leo, I think it was on one of the other podcasts I heard somebody lamenting the bizarre fact of the hold harmless clauses in software licensing. Oh, yeah, yeah, yeah. We've talked about that a lot with Cathy Gellis, yeah, and others on TWiG. Yeah. Yeah, I mean, it's an anomaly in this industry, basically, and we've all read it, if you ever read the EULAs: we warrant no representation that this software will do anything it's supposed to do.

(01:00:20):
We are not responsible for anything it does wrong. It's your problem if it does it wrong; we're not liable. And it's actually coming up because of self-driving vehicles. That's the latest iteration of this: who's responsible if a self-driving vehicle kills you? Isn't it the maker of the software? And so I think this is gonna end up getting rid of the hold harmless clauses. President Biden's put out a, I don't know, it doesn't have the force of law, but put out a, you know, kind of future of technology thing in which they say, we don't want these clauses that prevent liability, we wanna override them. Wow. So I think it's an agenda of the White House at least. Yeah. Yeah. I mean, so it's a problem, because it would be difficult to publish software if anyone could sue you if they were not happy with what the software did.

(01:01:21):
And I mean, there are clauses in there that say our entire liability is to refund the purchase price. Right. Except that, you know, giving you your money back for the car that plowed into a crowded... Yeah. That's not gonna do it. Group of people, that's not gonna work in this. I mean, this is how the court system works now. You can sue anybody for anything. Suing just means I'm going to court. Right. But the good news is, in, I hope, most cases, judges will throw out frivolous and stupid suits, but maintain suits that have merit. And because the attorneys know that, they won't even take up a case, right, when they know that the judge is not gonna get past square one. And there are some states that have SLAPP laws, which I think are probably a good idea, which if it is a frivolous lawsuit and found to be, then the person who brought the lawsuit is liable for costs.

(01:02:18):
And those are effective as a deterrent as well. Yeah. But I do agree, and we were talking about this on Sunday with Alex Lindsay, maybe this is what you're remembering. His dad is a trial lawyer. I do agree that that's one of the important ways people can hold these big tech companies accountable. Yeah. Is sue them. Yeah. So David Shelton, he sent me a tweet. He said, "@SGgrc, I have loved listening to Security Now over the last 10-plus years, and I believe it has helped me greatly in my IT career, from technician to IP to IT admin. Now I have a non-IT question. Is it just me, or have I been hearing a fire alarm low battery beep in the background in several podcasts?" Oh, I haven't heard that. Thank you. I'm glad you haven't.

(01:03:14):
Leo, many of our listeners have. David, I dearly wish it was your imagination. No, it's been going for several months. Yeah, you're kidding. Something... You can't find it. <Laugh> I cannot find it. Something in my environment is beeping. It started beeping occasionally many weeks ago and I have no idea what it is or where it is. So frustrating. It's not any of my smoke detectors. And the room it's in is full of equipment, so there are a great many places it might be. Since it began, I've embarked on several missions to locate, oh my God, locate and find it. But the chirp is so short that I don't get enough of a sample to obtain a bearing. And plus it's a high frequency, so it's hard to figure out, you know what... Yes. You wrote, years ago as a youth, you did the portable dog killer.

(01:04:10):
I think you need to write something, make something called Chirp Finder, a high-frequency sound locator. Yeah. Yeah. 'Cuz it has to record it and do it instantaneously. You could do this, Steve. It's not too late. <Laugh> Fortunately SpinRite is almost finished, so this is gonna be your next project. Yeah, Chirp Finder. I tend to tune it out. I really don't hear it that much, but I was self-conscious about the podcast. But since the Heil microphone is pointing away from the room where it's happening, I thought, okay, it's probably not gonna be very much. I remember hearing it several months ago, but I haven't heard it lately. It's been going on nonstop. Oh my God. And I'm waiting for the battery to die. So far that hasn't happened. My goodness. Anyway, and it's funny too, 'cuz since I'm unable to determine the bearing, I'll wait for it to happen.

(01:05:06):
Then I'll go stand over near where I think it is. Everybody knows this. Look and wait again. <laugh> We're all waiting. Oh, I hate that. I hate it. And of course it always happens in the middle of the night. Right, right. There's a TV show you probably haven't seen. I think it's on HBO, with the guy who was in House, I can't remember his name, but he is the captain of a... Hugh Laurie. Hugh Laurie, the captain <laugh> of a, it's a science fiction comedy, of a cruise ship, a space cruise ship. It's called Avenue 5. And there's one whole episode devoted to a beep. <laugh> <laugh> And it beeps. It doesn't beep consistently. It beeps at random intervals. No one can sleep. Some people laugh every time it beeps. Some people hunch over. It's actually a very funny episode.

(01:06:03):
If you get a chance to see it. I'll find the episode number. Actually, I watched the whole thing. I thought it was pretty good. But Avenue 5, Avenue 5. It's freaky that he has an English accent, because none of that shows when he's playing Dr. House. Oh, it's a big part of the show. There's a lot of tongue in cheek. It's actually very funny. It's the guy who did Veep. He's very talented. Armando Iannucci. But it just missed slightly and I guess it was canceled, but it was good. Oh, anyway, look for that. I'll track it down. You need a Chirp Finder of some kind. I know. And I did find myself thinking, somebody must have done this already. Like, there must be... like, if you had two phones that were in communication... Oh, so you could triangulate it, you mean?

(01:06:51):
Yes. You could use time of arrival in order to determine where it was. Anyway, darn, dunno, I'll eventually find it. Fabian Santiago said, "I'm still sore for and with you about SQRL versus passkeys, et cetera. It does warm my heart to see the SQRL iOS TestFlight client app still receiving updates, though," he said, "just today for me." So I wanted to take this opportunity to give Jeff Arthur, SQRL's iOS client author, a shout-out and a thanks for his continuing work on SQRL. I know that it's been a labor of love for him, and it would be terrific if something were to ever come of it. If FIDO2, WebAuthn, and passkeys evolve to require elliptic curve crypto as one of their available crypto suite options, that would immediately enable the use of SQRL-style deterministic rather than random private keys.

(01:08:00):
And that would in turn mean that all of the other work that has been done on SQRL to solve all of the other problems that today's passkey clients still have would be immediately available too. So we'll see how this evolves. All may not be lost, but, you know, I'll be on to SpinRite 7 and beyond by that point. And of course, Chirp Finder, very <laugh> very important. Yeah, get to work on that, Steve. There's a lot of people out there who would appreciate it. It's gotta be... to have an opportunity to track that down. Okay, so David R. Bunting, he tweeted me: "Jungle Disk. Do you still recommend it? Thanks, Steve." Okay, so no. Jungle Disk, for those of those listeners who haven't been around since the beginning, was one of our very early and very good TNO, as in Trust No One, client-side encrypted cloud storage solutions.

(01:09:08):
They were purchased some time ago by something called CyberFortress. And those guys probably wear camo too, and it appears that they've completely gone corporate. So, unfortunately, it's not free and it's, yeah, they got gobbled up, essentially. Such a cool product. Yeah, it was great back then. So today my number one favorite choice and recommendation is the Canadian firm and service Sync.com, S-Y-N-C dot com. You can get five gigabytes for free to see how you like it, or you can use my referral code to start off with six gigabytes, so you get an extra gigabyte for free. And that's just grc.sc/sync, S-Y-N-C. So grc.sc/sync. All you have to do is create a username and password; no credit card required or anything else.

(01:10:13):
So it's, you know, really absolutely free. Now I've been using them since, I checked, August 7th, 2019. So we're approaching four years, and in my opinion they are a total win. The only downside is that they don't support Linux, and although they know that there's a demand for it, especially from our listeners, you know, unfortunately the demand for Linux is dwarfed by the interest in Windows and Mac, both of which they do support. So there's no sign that Linux is coming. What I like most about Sync is that it's probably the right solution for most people because it just works. When it's installed, it creates a Sync folder in the system's directory tree, and anything that's placed under there, whether it's folders or files, through a complex tree, anything is kept fully and immediately backed up to the cloud. And it is TNO; it's locally encrypted with all the bells and whistles you would like.

(01:11:25):
You can ask for a link if you wanna share a file, and it'll be locally decrypted in the recipient's browser. I mean, they really did this correctly. If you've got multiple machines, all of their Sync directories are kept fully cross-synchronized through the cloud. And all this is done with deep versioning, so that you're able to go back to previous versions from between six months and a year. Using their web interface you're able to browse back in time to retrieve something, even files you have previously deleted. It's also zero configuration about how often you want to sync. It just syncs everything all the time. Using the Windows tray utility, it's possible to select things you may not want to sync for some reason which are within the tree underneath your Sync folder. So there's some optional flexibility there. When I was deep into SpinRite work, all of my code and management scripts assumed that the \asm directory that I use as the root of all my assembly code was at the C drive's root.

(01:12:40):
But to have it all backed up to the cloud and synchronized between machines, which is what I really wanted, 'cuz I have two locations, it had to be underneath the Sync directory. So what I did was I moved the \asm directory under the Sync directory, then I created a Windows NTFS junction link so that an apparent \asm directory on the root would be aliased to the \asm directory under the Sync directory. So nothing needed to change. Everything that's in my code and scripts still referenced \asm, so that everything worked even though it was actually over in the Sync directory, and it all worked perfectly. And I have to say there have been several times when the fully automatic retention of previous file versions has come in very handy. So once again, if you're interested in their free trial, you can use grc.sc/sync, which will bounce you over to them with my affiliate code appended to start you off with an extra gig for a total of six.

(01:13:56):
And then, you know, if you like it, and I just checked, their basic personal plan is $8 a month, which buys you two terabytes of storage, and you're able to increase that as needed. So that's my storage. Did you stop using Syncthing? No. Okay. No, because... wouldn't that do what you wanna do with your ASM folder? It would, although it wouldn't give me the additional level of cloud storage backup, because Syncthing is purely peer to peer, right? And in fact, I haven't mentioned that in my show notes. I wanted to mention one other thing. So anyway, Sync.com is my current and well proven, I've been using it for four years, recommendation for a simple to use, foolproof cloud storage solution if you don't need Linux clients.

(01:14:53):
Now, I should note, and Leo, we've talked about this a little bit, that while I am still using Sync for many things, I have since switched to using a pair of cross-synchronized Synology NAS boxes, and I am so impressed by Synology. Boy, you know, every contact I have with it, I just think, well, these guys got it right. So I'm using a very nice free Windows utility called MaxSyncUp, S-Y-N-C-U-P, that synchronizes my various directories on my Windows machine to the local Synology NAS, and then the Synology NASes use whatever they have that is built in in order to mirror each other at my two locations. So basically I've kind of created my own little personal cloud system using two Synology NASes.

(01:16:05):
But I did wanna mention to people this Max SyncUp, because it is a beautiful Windows solution for producing synchronization to local shares. It will also sync to Google Drive, and it's been independently reviewed by a bunch of people. You can find them online, and it gets, you know, all the stars. And before we leave the discussion, I wanted to mention Syncthing. I'm glad you made sure I would not forget it, Leo. It is a terrific peer-to-peer cross-platform solution that is quite happy with Linux. I still have Syncthing running on a surviving Drobo, which is Linux based. And that instance of Syncthing is keeping my wife's fleet of remote Windows laptops synchronized out in the field. And it really is a terrific peer-to-peer solution. And I know, Leo, that you have, you know, gotten up to speed on it and like it a lot.

(01:17:07):
Well, I've been using it for years. That's really my only backup solution. I put Syncthing on every computer. Yeah. But, and maybe you didn't know this, there is a third-party Syncthing app for Synology. So I make Synology my master Syncthing, and I make sure it's receive only. It doesn't delete, it only receives, so that way you don't have any accidental deletions. Nice. It records everything I've ever had. And then I do the same thing as you do with Synology. I have a dual Synology setup, one at home and one here. So that gives me offsite, that gives me my redundancy. Yeah. None of my stuff is ever in a cloud. But it is redundant and it's offsite, and it's all done with Syncthing.

(01:17:53):
And Syncthing is Windows, Mac, Linux, and that, honestly, I think sync.com's great. I just, without a Linux client, it's not gonna help me. Right? Yeah. Do you know if the Syncthing for Synology requires a container? I thought that it was only, there's two. I didn't think it was, there's several. There is a Docker Syncthing, but there's a native Syncthing. It's a third-party app. So you have to enable the third-party app stores. I think it's from the Syncthing folks, and it runs not in a, you do obviously have to have some additional software running. I think Node has to be running or something. But then it runs and it does. And so the key with Syncthing, which it took me a while to figure out, is, I know it's funky, but you have to only let one start from one place <laugh>.

(01:18:38):
And that will be the default folder name, cuz it uses a long obscure GUID for each folder name. Let the master, whatever that is, could be your Synology if everything's there, be the name of that, the GUID of that folder, and then make that be the one that introduces it to everybody else, and let everybody else say, yeah, I'll take that, I'll take that, I'll take that. My mistake sometimes was creating a Documents folder on two different machines. Then you have two Documents folders, cuz the GUIDs are different. And so it's better to say, this is the canonical Documents folder. Let that replicate to everything. And once I figured that out, it's been working flawlessly ever since. There are a few little things, you know, if it can't copy something, it looks like there's been an error, and it's just, you know, it's just being cautious, just letting you know.

(01:19:29):
And I have seen some people say it's accidentally deleted everything, which it could in theory, because anytime you synchronize that could happen. That's why it's good to have a read-only copy somewhere. Yes, Synology is probably the best one for that. So I, and Syncthing's free, open source. I love Syncthing. That's just amazing. Really. Agreed. Yep. Okay. I thought I'd said all I had to say about SpinRite. Until I caught... It's done, Steve. It's done. Well, I caught up with my Twitter feed yesterday and found a very heartwarming pair of tweets from someone whose name is Crazy ERs. So Crazy ERs tweeted: Had a catastrophic hard drive failure. All my finished photos were ready for print, thought my memories were lost forever until someone on Twitter recommended this software SpinRite by Mr. Steve Gibson at @SGgrc. He said, here is his website to find SpinRite data recovery.

(01:20:32):
And that tweet included apparently one of his photos, which is beautiful. And then in a follow-up, he said, don't know how else I can thank you for your amazing hard drive data recovery software. When I print my next photo book, I'm gonna send you a copy. Thank you. And so he's not a Security Now follower. He didn't know me from Adam. But someone said, oops, get a copy of SpinRite. And he did, and he ran it, and he got all of his photos back. And so there's that one. And then there's also one of a bear cub up in a tree. And I was thinking, boy, it's dangerous to take pictures of bear cubs, but maybe he had a long lens. And so he was actually in a different state.

(01:21:23):
Anyway, I'm hoping that SpinRite 6.1's ability to once again run on drives of truly any size with any format file system, and in a reasonable amount of time, will help to dispel the lingering misperception that SpinRite's day has come and gone. You know, here's fresh proof that SpinRite is still alive and well. And his recovery was done with 6.0. So, you know, there's more goodness coming soon. During all of the testing that we've been doing, many of us are watching SpinRite recovering sectors of data just as well today as it ever has, if not perhaps a bit more so, since modern drives have pushed the data storage envelope even further. And I'll just say that I have a few surprises up my sleeve for version seven, which is why I'm already committing to, that'll be the next thing I work on.

(01:22:19):
And Leo, before we get to the last thing we're gonna work on for this week, let's tell our listeners why we're here. Indeed, Mr. Gibson. Of course, our show today brought to you by Drata, D-R-A-T-A. Is your organization finding it difficult to collect manual evidence and achieve continuous compliance as it grows and scales? As a leader in cloud compliance software by G2, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA and other compliance frameworks, providing 24-hour continuous control monitoring so you can focus on scaling securely. With a suite of more than 75 integrations, Drata easily integrates through applications such as AWS, Azure, GitHub, Okta, and Cloudflare. Countless security professionals from companies, including Lemonade, Notion and BambooHR, have shared how crucial it has been to have Drata as a trusted partner in the compliance process.

(01:23:24):
And you'll be able to expand your security assurance efforts using the Drata platform, which allows companies to see all of their controls and easily map them to compliance frameworks to gain immediate insight into framework overlap. Drata's automated dynamic policy templates support companies new to compliance, using integrated security awareness training programs and automated reminders to ensure smooth employee onboarding. As the only player in the industry to build on a private database architecture, your data can never be accessed by anyone outside your organization. All customers receive a team of compliance experts, including a designated customer success manager. And Drata's team of former auditors has conducted more than 500 audits. Your Drata team keeps you on track to ensure there are no surprises or barriers. Plus, Drata's pre-audit calls prepare you for when your audits begin. Drata's Audit Hub is a solution to faster, more efficient audits. Save hours of back and forth communication, never misplace crucial evidence, and share documentation instantly.

(01:24:25):
All interactions and data gathering can occur in Drata between you and your auditor, so you won't have to switch between different tools or correspondence strategies. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them, and then you can decide whether to accept, mitigate, transfer, or avoid them. Drata maps appropriate controls to risks, simplifying risk management and automating the process. Drata's Trust Center provides real-time transparency into security and compliance posture, which improves sales, security reviews and better relationships with customers and partners. Say goodbye to manual evidence collection and hello to automated compliance by visiting drata.com/twit. That's drata.com/twit, bringing automation to compliance at Drata speed. And we thank Drata so much for supporting Security Now. Steve. Okay, so three weeks ago, while covering the week's news for episode 926, which was our Windows Platform Binary Table topic, we touched on Kaspersky's discovery earlier in the week of something unknown, which was apparently generating unexpected network traffic, which they had just found crawling around in their network.

(01:25:49):
And the unknown traffic appeared to be originating from some of their iPhones. At the time, I quoted them saying: The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. (Thus four years.) As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7. Now, about 15.7, that turns out to be a clue that we'll get back to at the end. Okay, so recall that they were examining iPhone backups to detect traces of this infection, and they had named this still-unknown malware campaign Operation Triangulation. That being the title of today's podcast, you might expect that we're returning to this because they now know a lot more than they did then.

(01:27:00):
And their knowing a lot more coincides with the need all iOS, iPadOS, macOS and watchOS users had to restart their devices last Wednesday, when Apple pushed out a raft of emergency updates in response to what Kaspersky discovered. Okay, so what did Kaspersky discover? They used mobile device backups to look at partial snapshots of those devices' file systems. From what they determined, there's this sequence of events. The target iOS device receives a message via the iMessage service with an attachment containing an exploit. Without any user interaction, thus zero-click, the message triggers a vulnerability that leads to code execution. The code within the exploit downloads several subsequent stages from the command and control server, and that includes additional exploits for privilege escalation. After successful exploitation, a final payload is downloaded from the command and control server that's a fully featured APT, advanced persistent threat, platform.

(01:28:16):
The initial message and the exploit in the attachment are deleted. So they explained that at the network level, a successful exploitation attempt can be identified by a sequence of several HTTPS connection events. They said: legitimate network interaction with the iMessage service, usually using the domain names *.ess.apple.com. Then download of the iMessage attachment using the domain names *.icloud-content.com and content.icloud.com. So they're able to see those interactions. Of course, regular non-malware iMessage attachments will do the same thing. Then multiple connections to the command and control domains, usually two different domains, and I'll share a list here in a second. Typically, NetFlow data for the command and control sessions will show network sessions with a significant amount of outgoing traffic. So a lot of data flowing out from the phone, and that makes it a little unusual. The iMessage attachment is encrypted and downloaded over HTTPS.

(01:29:46):
The only implicit indicator that can be used is the amount of downloaded data, which is about 242 kbit. So basically they're reduced, as we can see, to relying upon metadata, since they have no visibility into the phone. Then they said, using the forensic artifacts, it was possible to identify the set of domain names used by the exploits and further malicious stages. They can be used to check the DNS logs for historical information and to identify the devices currently running the malware. That is, you know, so if you look at DNS logs, depending on how far back you have them, you'll spot DNS lookups to these domains, which you now are able to associate with this active malware today. And based on which devices you have which are today generating DNS queries to those domains, you now can determine which of your iOS devices are currently infected.

(01:31:01):
So those domains are addatamarket.net (add as in ad), backuprabbit.com, businessvideonews.com, cloudsponcer.com (S-P-O-N-C-E-R), datamarketplace.net, mobilegamerstats.com, snoweeanalytics.com, tagclick-cdn.com, topographyupdates.com, unlimitedteacup.com, virtuallaughing.com, web-trackers.com, growthtransport.com, and then anstv.net and ans7tv.net. So, you know, they're obviously meant to appear kind of benign and generic, like if you saw that happening, you'd go, okay, you know, web-trackers.com, of course, tagclick-cdn.com, yeah. And like, okay, virtuallaughing.com, well, who knows? But, okay, so again, it wouldn't raise any red flags necessarily, especially when you consider all the other, like, you know, remember that a website, when you load it now, has hundreds of other DNS lookups that are occurring. So this would just get lost in the noise. So essentially they are unable to see into their iOS devices, which they're sitting here like they're holding them, and they know they're infected with malware because they've been able to see, you know, what's going on.

(01:32:58):
All they're able to see is the metadata traces of what these devices are doing. And they're able to get additional metadata from examining iPhone backups and from, you know, these DNS lookups that they're able to intercept. So as I noted before, this whole process of iPhone security serves as a double-edged sword. It attempts to prevent malware from gaining a foothold in the device, but it just as strongly prevents legitimate researchers from gaining a foothold to understanding any malware that does manage to get into a device. And one of the distressing and growing trends we're witnessing is that these incursions are not arising from some black hat bad guys wanting to sneak into our devices. The driving forces here appear to be legitimate democracies, well, and in some cases autocracies, but even democracies such as those in France, Germany, and the Netherlands. And, you know, those are the only ones who have raised their hands to ask whether this could please be made less illegal.

(01:34:14):
And, you know, unofficially sanctioned, we know that more traditionally repressive regimes are also doing the same without asking for anyone's permission. So my point is, the more we learn about the increasing pressure to subvert the privacy of our personal communications devices, predominantly coming from the world's governing bodies, the more happy I'm becoming that Apple has been steadfastly working in this direction from the beginning. You know, there was a time maybe 10 years ago when all this effort that Apple was putting into this seemed a bit like overkill. Well, I no longer think that. Unfortunately, we're still talking about this today because they haven't yet succeeded in getting it 100% buttoned down, and it's not even clear that it's gonna be possible while we're still using our current hardware architectures and our current software models. All the evidence suggests that new critical bugs are being introduced at about the same pace as old bugs are being found and eliminated.

(01:35:27):
Windows is certainly showing no signs of running out of bugs to patch, and nor, unfortunately, is iOS. While it's true that iOS may have many fewer of them per month, it only ever takes one. Okay, so back to Kaspersky. In their pursuit of this malware over the past three weeks, they've posted a series of updates, their most recent one being last Wednesday, coinciding with Apple's release of patches for the zero-day, zero-click problems Kaspersky has uncovered. So Kaspersky wrote: Over the years there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often the process of infecting a device involves launching a chain of different exploits, for example, for escaping the iMessage sandbox while processing a malicious attachment, and for then getting root privileges through a vulnerability in the kernel.

(01:36:36):
Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysis lost the ability to follow the exploit. In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. It took about half a year to accomplish this goal, and after the collection of the chain had been completed, we started an in-depth analysis of the discovered stages. As of now, we have finished analyzing the spyware implant and are ready to share the details. Their comment about this taking them half a year took me by surprise.

(01:37:56):
I had assumed that when they said they had caught this malware in their network, they meant a week or two before, but they apparently meant half a year ago, and that they've only recently been making the results of this ongoing research public. And now in retrospect, that does make more sense, since what they were revealing is far more than a week's worth of effort at reverse engineering. So they said: The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. Okay? So what I believe is that they found that kernel vulnerability, told Apple about it, and that's what got fixed. That corresponds with the CVE that I'll be wrapping up with here in a second. It doesn't look like they have yet found the iMessage sandbox escape, nor the transient attachment, which is what gets in there, talks to the command and control server, and then downloads the final advanced persistent threat.

(01:39:22):
What they finally got, probably by intercepting the TLS communications, setting up a TLS interception proxy and then using that in order to decrypt the HTTPS transaction when one of their infected devices reached out to the command and control server to download this final piece, they were able to obtain the final piece and then reverse engineer it. And that's what they're now talking about today. Being able to foreclose the kernel vulnerability might stall this, but it means that we still have the other parts of the attack chain that, as far as we know, they're saying they have not yet been able to obtain. So they said it's deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. That's what we have known from what they said before.

(01:40:24):
Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers. The TriangleDB implant is coded using Objective-C, a programming language that preserves names of members and methods assigned by the developer in the implant's binary. Method names are... Yes. You don't need a symbol table. Yes, you got 'em. They're built in. Yes. Wow. Method names are not obfuscated. However, names of class members are uninformative acronyms, which makes it difficult to guess their meaning. Okay, so in other words, exactly as you said, Leo, a huge aid to anyone wishing to reverse engineer Objective-C code: the names, and thus the purpose and the intentions of the code routines, remain visible, but in this case, the names of the variable parameters they're exchanging are not useful.

(01:41:43):
Examples of method names which they found are populate with fields macOS only, populate with sys info, get CFO for dump UNM hex string, and get build architecture. So having those names is far more useful than unnamed hexadecimal address offsets, which is all that's generally available from any language that compiles all the way down to native machine code after any space-wasting symbols have been removed. Although the variable names that were contained in the exploit code are far less useful, they noted that in many cases it's possible to guess what their acronym names mean from context. For example, osV (lowercase o s, capital V) is the iOS version, and iME (lowercase i, capital M E) contains the device's IMEI. Anyway, they continue to explain: Once the implant launches, it starts communicating with the command and control server using the protobuf library for exchanging data.

(01:43:02):
The configuration of the implant contains two servers, the primary and the fallback. Normally the implant uses the primary server, and in case of an error, it switches to the fallback server by invoking the swap LP server type method. And again, they are able to see the name of that in the code. Additionally, the sent and received messages are encrypted with symmetric 3DES and asymmetric RSA crypto. All messages are exchanged via the HTTPS protocol in POST requests with the cookie having the key g and a value that is a digit string from the public key configuration parameter. So the cookie has some of the public key parameters used for doing the RSA crypto. Basically, they've been able to completely reverse engineer the thing that runs in RAM after this exploit finally is finished getting itself installed into the system.

(01:44:11):
They said the implant periodically sends heartbeat beacons that contain system information, including the implant version, device identifiers (the IMEI, the MEID, the serial number and so forth), and the configuration of the update daemon, whether automatic downloads and installations of the updates are enabled. So my first thought upon hearing that was that it was interesting that heartbeat data was being periodically sent, since that makes this thing more noisy and thus more prone to discovery. But then it occurred to me that an iPhone is probably already extremely noisy with all of the legitimate traffic that it has going back and forth. So any heartbeat data, which is relatively infrequent and not that much, you know, not high bandwidth, is likely able to hide in plain sight without fear of discovery. They said the command and control server responds to heartbeat messages with commands.

(01:45:17):
Commands are transferred as, oh, and I should also mention that one reason you need a heartbeat to be outgoing from the phone is that it holds open any NAT that you've got between the outside public internet and wherever your phone is behind NAT. So if you didn't have an occasional heartbeat going out, there would be no way for command and control to access the phone behind NAT, because there would be no mapping. The NAT would look like a, you know, like the one-way valve it is, like a firewall. So having a heartbeat creates an opportunity for commands to be sent back to this implant. They said commands are transferred as protobuf messages that have type names starting with CRX. The meaning of these names is obscure. For example, the command listing directories is called CRX show tables.

(01:46:21):
And changing C2 server addresses is handled by the command CRX config DB server. In total, the implant we analyzed, they said, has 24 commands designed for, and they've shortened them down into five categories: interacting with the file system (creation, modification, exfiltration, and removal of files); second, interacting with processes (listing and terminating them); third, dumping the victim's keychain items, which can be useful for harvesting victim credentials; fourth, monitoring the victim's geolocation; and finally, running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, and their binaries are stored only in memory. So their documentation lists each of the individual commands, each of those 24, in detail and explains each one's purpose. I won't enumerate them here, but it should be abundantly clear that essentially this represents a full and deep remote takeover of any exploited iPhone.

(01:47:40):
Okay, and get a load of this. They said one of the interesting commands we discovered is called CRX poll records. It monitors changes in folders, looking for modified files that have names matching specified regular expressions. Change monitoring is handled by obtaining a UNIX file descriptor of the directory and assigning a vnode event handler to it. Then whenever the implant gets notified (it's proactively notified by the file system of a change), the event handler searches for modified files which match the regexes provided by the attacker. Just think for a minute about how sophisticated this thing is. Then such files are scheduled for uploading to the command and control server. So in other words, it's possible for the command and control server to prime the advanced persistent threat implant in a device to autonomously notify the server when something in that device happens of specific interest to it.

(01:48:57):
When a change in the contents of a directory occurs, a check is done for relevancy. And if that comes back affirmative, the files in question are queued for transmission. In a very real sense, it is no longer your iPhone in your pocket, it is theirs. Talk about being pwned. They said: While analyzing TriangleDB, we found that the class CRConfig, used to store the implant's configuration, has a method named populate with fields macOS only. This method is not called anywhere in the iOS implant. However, its existence means that macOS devices can also be targeted with a similar implant. The implant requests multiple entitlements (permissions) from the operating system. Some of them are not used in the code, such as access to camera, microphone, and address book, or interaction with devices via Bluetooth. Thus, functionalities granted by these entitlements may be implemented in modules, which they hadn't seen.

(01:50:11):
Then at the end of the work of assembling all of this, I found an earlier note written by Eugene Kaspersky himself. And this was written at the beginning of this month. He said: We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a black box in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made all the more difficult by Apple's monopoly of research tools, making it a perfect haven for spyware. In other words, he said, as I have often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts. And the absence of news about attacks in no way indicates their being impossible, as we've just seen. Okay, now I thought that was interesting.

(01:51:24):
He's clearly annoyed, and that's a bit of sour grapes, by their inability as security researchers to obtain any visibility into what's going on inside an iPhone. At the same time, you know, they are Russian security researchers, and I've never seen any reason to mistrust them, but there are people who are unhappy that Kaspersky is in Russia. As we've seen and as he has said, they are limited to monitoring encrypted traffic for metadata and making iPhone backups and sifting through that detritus for clues. I can understand his frustration when, you know, they are also targets of these attacks, and what he just said echoes, you know, that thought that occurred to me a few weeks ago when I realized that Apple's high level of security has the unintended effect of protecting malware from discovery.

(01:52:29):
He has just said exactly that. So this is everything that Kaspersky has publicly shared so far. And the glaring piece of information that is lacking, perhaps because it's unknown, is any commentary about how this thing crawls into iPhones by escalating and escaping from Apple's security controls. We have one clue about what I think is probably the late stage of this, which is thanks to the CVE which is associated with one of Apple's updates last week. This is CVE-2023-32434, titled Integer Overflow in Kernel. Apple wrote: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. And then credit is given to three Russians who all work for Kaspersky. So it appears that Kaspersky, you know, knows a little bit more than what they were saying, because they didn't talk about that aspect of it for the time being.

(01:53:53):
And given that this vulnerability apparently enables the later stage of a powerful zero-click iPhone takeover, hopefully we'll never learn more, because we really don't have to. It'll be patched, but there'll be phones that will never get patched. So it's better that it's just left unsaid. Oh, and one last piece of information that came from Eugene Kaspersky was an explanation for the choice of the name Triangulation, which I had been wondering about. He wrote: PS, why the name Triangulation? To recognize the software and hardware specifications of the attacked system, Triangulation uses canvas fingerprinting technology, drawing a yellow triangle in the device's memory. So what he means there is that it's possible, and often used, to ask graphic rendering software to draw into an offscreen buffer. And it turns out that the precise details of one graphic renderer compared to another may differ ever so slightly.

(01:55:12):
The difference might be invisible to the naked eye. But for example, when a diagonal line is drawn, as when rendering a triangle, the exact values chosen by the line smoothing antialiasing algorithm might differ from one generation or model of a device to another. The practice known as canvas fingerprinting uses those invisible yet significant details to tell devices apart. So thanks to Kaspersky's intrepid work, with their forensic analysis being actively impeded every step of the way by the very security they were trying to strengthen, last Wednesday's Apple updates foreclosed upon a kernel vulnerability that had apparently been in active use for at least four years. We'll never know who or why or what or where, but at least now we know how. Do the bad guys have another way in? Unfortunately, that seems more than likely. What's most annoying and a bit galling, though, is the idea that our own governments may be the customers for whatever comes next.

(01:56:37):
Yeah, it's almost certainly nation states, right? Yes, yes, sure. These are very expensive. Yep. Oh boy. To be able to purchase that kind of capability, to send anybody you want who has an iPhone and iMessage, and then have that level of access to their device, you know, to be able to, in fact, there was some mention that any previous video or audio recordings are immediately exfiltrated and sent back. Right? Would it be, I mean, I've heard other researchers complain that Apple's security makes it hard for them to, for instance, take a look at any given iPhone and know whether it's compromised. Right? Right. How exactly? In fact, here the only way they knew was by looking at the communications traffic behavior. Yeah. From the device. Yeah, because you can't see inside it, right? It's a black box, you know, and I'm thinking about Google's Chromebook, which is also quite secure, and Google keeps that secure by having, you know, a hash of some kind describing the system files. You know, I would wonder if Apple really wanted to, if there'd be some way that they could show system integrity without revealing the contents of the device.

(01:57:57):
I see what you mean. So, like, well, I mean, Secure Boot works that way with certificates, but it also validates that the firmware is official firmware. Right, right. Although the problem, I guess Apple already does that. That's, yeah, I was just gonna say the problem is there's a bug. If there were no bugs, right, the system would be perfect. Right. And so it's the imperfection in the security that is the problem. Yeah. Okay. That makes sense. Just feel like Apple could make some sort of effort to be more transparent. No, cuz, I mean, honestly, look, there's security by security and I don't think that's a good plan, but there is also security by locking the son of a gun down, encrypting everything and not making it visible to anybody. You know, I think that's fine.

(01:58:52):
It seems like Apple could have some sort of canary or something that would let you know if there had been tampering. Maybe not, I'm sure. I mean, I think the problem is that the canary could be put to sleep, right? It's a bug, as you said, right? Yeah. So it bypasses all security. Yeah. You just gas the canary and then it's like, he's alive. Okay. He's alive. What are you thinking about? He's alive. Yeah, he's just sleeping. Canary only have one foot. He's just sleeping. It's okay. <Laugh>. That's right. Do we trust Kaspersky? No. I guess in this regard we do. I really do. You know, our listeners know that I hate the broad brush of saying, oh, all Chinese software's bad and all Russian software's bad. It's like, all Chinese people are bad.

(01:59:42):
Right? That's just ridiculous. Right. You know, I think Kaspersky, I mean, they're giving Apple fixes for zero days. Yeah. It is such an interesting conundrum. It is, yeah, I mean, I probably wouldn't use Kaspersky antivirus, but I think this kind of research is verifiable. So it's not like the Russian, it's not like Putin told him to say this, you know, so I wouldn't put their software on my system. That's a bridge too far. Perhaps. I have to say I feel the same, although I'm, you know, well, only because I don't put anyone's software on my system. Well, that's right. That does that can't, can't dress anybody. Steve, you've done it again. A great episode of Security Now. Thank you for catching me up. I appreciate that <laugh>. I'll let you know what happens next Tuesday cuz you're not gonna be here won.

(02:00:37):
In fact, the whole place is shut down. No, and I wanted to let our listeners know that they won't need to be caught up in two weeks because they'll be missing nothing next week. That's right. 4th of July, go out and celebrate the US Independence Day. We always get emails and letters from our international listeners, of which we have quite a few, saying what happened. So just to let you know, this is a US holiday coming up on the next Tuesday. And so we'll be taking Independence Day off while we still have a country. We're gonna celebrate it while we're still somewhat independent. That's right. We will celebrate. Steve, thank you so much. Great job. If you want a copy of this show, there's a number of ways you can get it. My favorite way is if you join Club Twit cuz then you get ad free versions of this show and every show we do, you get access to the Club Twit Discord, you get access to events in Club Twit.

(02:01:29):
And there's a couple of events coming up that I wanted to tell our audience, cuz I know you're science fiction fans. So coming up Thursday, it's Stacey's Book Club and what I'm told is a wonderful science fiction book by Annalee Newitz. It's called The Terraformers. You know, if you're a fast reader, and I know you are cuz you listen to the show, which means you're smart, you could probably read this book by Thursday at 9:00 AM Pacific for that. But you wanna stay tuned if you've been watching the excellent Apple TV Plus show The Hive, I'm sorry, Silo. I confuse hives and silos, <laugh> Silo <laugh>, then you will definitely wanna tune in Thursday at 1:00 PM Pacific, 4:00 PM Eastern Time because Ant Pruitt has scored a great interview with the author of the book Silo is based on, Wool. Hugh Howey will be our guest.

(02:02:23):
Very exciting. He wrote Wool, Silo and The Balloon Hunter. And if you're a Hugh Howey fan, and even if you've just watched the TV show, I think you probably are, that's four o'clock on Thursday Eastern, 1:00 PM Pacific. In a couple of weeks we're gonna have an Inside TWiT, alcohol fueled. Rod Pyle does a fireside chat. There's a lot of stuff going on in the club. Jason Howell's working on his new AI show. In fact, I have a special announcement. Normally, of course, All About Android would be coming up in about half an hour. The show's been canceled, I'm sad to say. It always breaks my heart to cancel a show. But due to lack of interest, <laugh>, but Jason is excited about moving on. He and Jeff Jarvis wanna do an AI show. 5:30 tonight, about an hour from right now.

(02:03:12):
Jason will open an informal gathering in the club to discuss ideas for what this AI show should be. So if you want some input, club members, stay tuned about an hour in Club Twit's Discord. So ad free versions of all the shows, the Discord, which as you can see is a buzzing place, shows we don't put out anywhere else. That AI show will be Club Twit exclusive, and Home Theater Geeks with Scott Wilkinson, Hands on Macintosh with Micah Sargent, Hands on Windows with Paul Thurrott, the Untitled Linux Show that gives his all, these are club exclusives, which is not to say they'll always be exclusive to the club, but that's where we launch these shows. Eventually, they may come out into the public as This Week in Space did. So the reasoning behind this is we can't, it's expensive to launch new shows if they're not gonna, you know, grow and become viable.

(02:04:04):
But launching 'em in the club means you pay for it, club members pay for it. And so it makes it possible. So that is why the club is so important to us. That's one of many reasons. Seven bucks a month, $84 a year. There's family plans, there's corporate plans. Please, if you're not a member, please consider it. If you like what we do, if you wanna support Steve and the team, twit.tv/clubtwit. Increasingly, you know, I didn't want to cancel All About Android. I didn't want to cancel HOP. The future of this network depends on you stepping up and joining the club, twit.tv/clubtwit. Steve has a great site. He has free versions of the show, ad supported of course, at grc.com. While you're there, pick up a copy of SpinRite. That's how he makes his money.

(02:04:53):
6.1 is the current version. 7.0, as you heard, is just around the corner. You'll get a free upgrade if you buy. So there's no reason to hesitate, grc.com. He has 16 kilobit audio, he has transcripts, he has show notes, the show's 64 kilobit audio as well. All there. You can leave messages for Steve, either there at grc.com/feedback or on Twitter at sg. His DMs are open. We have 64 kilobit audio and video. That's our unique flavor of the show at our website, twit.tv/sn. You can go right there, get a copy. It's ad supported, so it's free. You could subscribe in your favorite podcast player. We have links on the webpage to that. There's a YouTube channel too. But however you get it, make sure you don't miss an episode because as generous as Steve was catching me up, I don't think he'll be doing that every week, <laugh>. No. But we will see you in two weeks for the July 11th edition of Security Now. Cool, Steve, have a great 4th of July and we'll see you. Thanks, buddy. You too. See you in two. Bye.

Hey there, Scott Wilkinson here. In case you hadn't heard, Home Theater Geeks is back. Each week I bring you the latest audio, video news, tips and tricks to get the most out of your AV system, product reviews and more. You can enjoy Home Theater Geeks only if you're a member of Club Twit, which costs seven bucks a month. Or you can subscribe to Home Theater Geeks by itself for only $2.99 a month. I hope you'll join me for a weekly dose of home theater. Gee,