Security Now 930, Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now. Steve Gibson is here. There's a whole bunch of stuff to talk about. If you thought cookies were bad, will you hear about indelible row hammer fingerprinting. Steve will also talk about his usage of sync thing. He's got a pretty good workflow for backing up all of his assembly language. And then, yes, another critical sequel flaw in Move It File Transfer. Wow. All of that. And a lot more. Coming up next with Security Now
Narrator (00:00:34):
Podcasts You love From people you trust. This is Twit.
Leo Laporte (00:00:44):
This is Security Now with Steve Gibson. Episode 930, recorded Tuesday, July 11th, 2023. Ro Hammer, indelible Fingerprinting.
(00:00:56):
This episode of Security Now is brought to you by Thst Canary because thousands of ignored alerts help nobody get the one alert that matters. When somebody's inside your network for 10% off and a 60 day money back guarantee, go to canary.tools/twit and enter the code twit in the how did you hear about response? And by bit Wharton, get the Password manager that offers a robust and cost effective solution that drastically increases your chances of staying safe online. Get started with a free trial of teams or enterprise plan, or get started for free across all devices as an individual user at fit warden.com/twit. And by ACI learning it skills are outdated in about 18 months. So future-proof your business by staying ahead of the competition with customizable binge-worthy training. Visit go dot aci learning.com/twit to fill out the form and get more information on a free two week training trial for your team. It's time for security. Now, the show, we get Steve Gibson in here to tell us what's going down. Steve, the host of the show for how many years now? Steve? We're closing in on the end of year 1818. But when I think, you know, whenever I say that I get correct by Elaine, she says, no, you started in, we started in oh five. So when we 18 years? Yeah. Yeah. So when we finish 2023, and I think that's like in like next month, maybe August.
(00:02:32):
So
Steve Gibson (00:02:33):
Yeah,
Leo Laporte (00:02:35):
That's good. We're almost, we've almost reached maturity.
Steve Gibson (00:02:38):
We're almost sorry. The
Leo Laporte (00:02:39):
Alexa was making noise
Steve Gibson (00:02:41):
Of me <laugh> plugged there.
Leo Laporte (00:02:43):
Okay. Yeah. You're you're gonna be able to vote but not drink. So, and figure, go figure. Yeah. And, and, and, and defend our country's honor. There you go. Why don't you stay where you are and do your job? You're doing a good job right where you are. Yeah. I was, you know, a little nervous when we were, remember we had the lottery back when we were in high school. I know. It was like I got a high number. What was your number? Do you remember? I was also a high number. Yeah. I was well out of danger. Saw a breath of relief. Right. And I figured, you know, Leo, they weren't gonna put a rifle in our hands. They were gonna say, oh, look, look a gee. You understand <laugh>? Yeah. <laugh>. But we're gonna make you wear a uniform. Yeah. Even if you're staring at A C R T, it's like, what?
(00:03:26):
Why do I have with this? What? Anyway, I got a number of, so number of emails from people Yeah. Who said battle, dress, uniform, or bdu are very comfortable. Oh, that's good. Cause you know, we were talking last week, know what, you know what Yeah. About the guys in the cyber command wearing camo. You know, it would be better camo if it looked like the Matrix or something, you know, if it was green on black and Yeah. Yeah. That'd be good. Yeah. Yeah.
Steve Gibson (00:03:55):
So for security, now, episode nine 30. And by the way, Leo, we did confuse the world who are not in the US about what happened to last Tuesday's podcast. Oh. I also got a bunch of like, where'd it go? But I have to tell you, I had a very nice week off. So Steve used to hate days off, then he got married Yeah.
(00:04:16):
To a very attractive woman. And now he says, give me some time off. I'll think it, I'd be happy to, I'd be happy to stay home. So this is sort of an interesting evolution. Today's podcast is titled Ro Hammer Indelible Fingerprinting. And the title sort of says it all, but we're gonna get into the details cuz that's where it really gets interesting. But before we get into that, we're gonna ask the question. Could it be that yet another sequel injection flaw had was found in Move It's Transfer System? And what more has been learned about last month's widespread attacks of on that on all the users of that software? What is a rug pole? What horrible conduct was the popular of Avast AV found to be engaging in? Did China actually create their own Os? Version one is out. How many times can we say toot root while covering one story?
(00:05:20):
What's the controversy surrounding the latest release of Firefox 115? Did Russia just successfully disconnect itself from the internet? What are modern internet honeypots discovering? How much of your life's savings should you transfer into online cryptocurrency exchanges? <Laugh>. Okay, I'm thinking, yeah, a number. Is there a number lower than zero? I just, that, that is an easy one. <Laugh>. What, what did EU agencies just rule against meta and what happened to Apple's quickly withdrawn. Rapid security response Update yesterday. Mm. And after a bit of miscellaneous and some listener feedback, we're gonna look at the return of ro hammering. Wow. This time, not for a security breach. Oh, but for the purpose of creating indelible fingerprints. Oh, in other words, they can recognize your computer and you can't escape. Oh, that's not good. Yeah. <laugh> not good. Nevermind. I was all excited. Nevermind. And we do have a bizarre picture of the week.
(00:06:34):
Okay. Which we will get to in a minute, which I gave the caption a different definition of insanity. Don't look, I'm not looking until the, until everybody gets to see it. Okay. We'll have to see it at the same time. This episode of Security Now is brought to you by Thinkt Canary. Let me show you this though, before we go much farther. This is, well, a little honeypot in a tiny little box about the size of a external hard drive. This is my thst canary, and this is the coolest little thing ever. You know about honeypots. The idea is you put something on your network that looks interesting, maybe even valuable to a bad guy roaming your network. And then when they hit it, it's like, oh, gotcha. You know, you busted. You know, we talked to Bruce Cheswick some years ago when we were out in Boston doing that Security Now panel.
(00:07:27):
CHES wrote the first honeypot, but probably 40 or 50 years ago. Well, it's gotten a lot easier. Now. You don't have to do any programming at all. You just need one of these guys. Put it on your network. You see, I have power and an ethernet cable plugged into mine. Then you go into your console, the thinkt console and you set it up. And it could be a Windows machine. When I say it, it could be a Windows machine. It it, it is identical from the point of view of an outsider to a Windows machine, or in this case, it's a nas and it has a Sonology Mac address. And, you know, the DSM login is perfect. It does not look like something a like a honeypot. It looks like the real deal. But the minute a bad guy hits it, you get the alert and you get the alert.
(00:08:12):
That matters most to you in a way. You choose email, text, webhooks. There's an api. Of course it works with a SIS log that you get a console with every canary. So you can look on the web. There's plenty of ways to see it. No false positives, just the alerts that matter. Now, you might say, well, why I don't, you know, I have my perimeter security. We've got barbed wire, razor wire, we've got trained dachshunds, we are protected. But you know how it is these days, they're gonna get in, they sneak in through your employees, through emails, through spear phishing, that kind of thing. You gotta have something inside the network to let you know if there's somebody roaming around. And this sad case that you know, this, this happens all the time. I mean you know, I can give you example after example.
(00:09:00):
On average people don't know they've been breached for 91 days. That's three months. That's enough time for a bad guy to exfiltrate a lot of embarrassing customer information to figure out where you put your backups, to plant time bombs to do all sorts of stuff. You wanna know if they're in there. And this is how with a great little honey pie Canary does another thing, which is they, they create canary tokens. Little files you could spread around your network that are not attached to anything. They're just sitting in a folder on a hard drive somewhere. We have a few called things like payroll dot xls, you know, that are enticing. But as soon as they open it, bing, I'm gonna get the notification. You can make any service you want. Run on there. I I s open ss h file shares.
(00:09:49):
I have, I think I have Port 1 39 open on this just for fun. It is a really great security product. It's hard sometimes to find a security product that, that people can tolerate that doesn't annoy them, get in their way. More difficult to find one that customers love. But if you go to Canary Tools slash Love, you'll see all the unsolicited tweets from CTOs and CISOs and IT people all over the world who love their canaries. So, are you interested? Here's the pricing. Cause I know you, you know, you're smart. You want to know you, the number of canaries is gonna vary. Very few people just get one. You wanna put 'em kind of in a variety of places. A small business like ours might have a handful. Big bank might have hundreds. There are deployed, by the way, in all eight, seven continents are there eight?
(00:10:37):
There's seven, all seven continents. <Laugh>, 1, 2, 3, 7. Yes. seven, 500 bucks a year would get you five of these. Okay? You get your own hosted console, you get your upgrades, you get support, you get maintenance. If you sit on it and breaks or whatever, you know they'll send you a new one, no questions asked. I can get you a discount. If you put the word twit in the, how did you hear about a box? You're gonna get 10% off the canary for life. And even though I know how great this is, and I know everybody loves it, they're even gonna say, if, if you're for any reason unhappy, you have two months for a full refund, 60 day money back guarantee. Very few people offer a guarantee of that length. But here's the interesting point. And all the years we've been doing ads for the Canary, it's almost a decade now. Not one person's ever asked for a refund. These are great. You're gonna want it. You need it. Visit canary dot tool slash twit, the offer code twit for 10% off for life. Put that in the how did you hear about Us Box? Thank you. Thanks for supporting us. We love these guys, Haroon and his team. And thank you for taking a look at Canary Tools slash twit. All right. I'm Steve. My I'm gonna take off the blindfold for the picture of the week.
(00:12:01):
Well wait a minute. I have to push some buttons here before I can show them. It'll take a, it'll take a little bit of visual partial. It's one of those things I have to look at for a little bit before I understand what I'm seeing. Mostly because you won't believe your eyes. <Laugh>. Oh, come on my little, my little computer sometimes. There we go. Here we go. Okay, I am ready. I'm gonna roll and scroll up. A it says titled A different Definition of Insanity. What? Okay, why don't you describe, I I get it. It's so silly. <Laugh>. I'm glad they made nice thick cables <laugh> for this. So for this junction box. So, so it's hard to, I think I understand what's going on because there's a little bit of a giveaway with this post-it note down below the junction box. But so what, so what what we have is two massive conductor cables.
(00:13:06):
I mean, like, they look like they're an inch in diameter. They're huge. And they are running through the, like c coming in from the left of the picture. Both of them in parallel running through a junction box and then going out of the picture to the right. Then a and they're separated by maybe a couple inches then. Okay. So like these things carry some ungodly amount of current. These are, these are big. Yeah. There's one brand. These are one blue. Yeah. Clearly. You know, this is, this is two 40 at least. It's a lot of, lot of this is serious. So someone has, has removed the insulation from each of these about two inches worth of insulation. So we can see this massive copper cable that is that is being protected by the insulation. And then apparently needing some light. They have <laugh>, they've wrapped some wire around like one turn around each of them and run the wires out the bottom of the junction box.
(00:14:18):
Oh, I didn't see the bottom <laugh>. It's a little light bulb where there, where it's been used to power a light bulb. Like a little one. Yeah, like a regular, you know, Edison screw-in base light bulb. And, and so it's like, as, as if like, this is the way you wanna light the room or something is like by opening up Godzilla's power supply he had, we don't even, by the way, the little wires aren't even soldered under the copper. No. They're just wrapped around it and twisted it. It's just like, as I said, oh, this is a different definition of insanity. Now what's his post-it greater than underscore, what does that mean? Yeah, I think, I think that's meant to say greater than ground as if to say, by the way, these wires are lies. Oh, they're hot. That's what the layout means. Yes. It says these are hot.
(00:15:18):
Yes. I, I think this was all set up as some insane way of determining whether these are energized. So don't touch them kids. We've striped up the insulation and opened the junction box. Just to let you know, don't touch them. Yes. Now I'm sure all of us old school geeks learned a long time ago the trick of sticking your tongue on a nine volt battery. Yeah. <laugh> to, yeah. To see whether it was good or not. Do not do that here. No, no. Be because you'll have no tongue left. Anyway. Wow. This was just, this was just like crazy that this was done so informally. But, but, but the only way I can explain this is that this was some like poor man's way of determining whether the power was on, on these, you know, godzilla's revenge cables. And presumably that box, cuz it isn't really a junction box.
(00:16:21):
It's just got two wires going through it. It's in, it's built. I mean, it's for this purpose. Presumably they closed it up after they showed you their clever little hack. I hope they Oh, they did <laugh>. I hope they did. Because I dunno about you, but I'd be really tempted to lick it. I don't know why. I just wanted, you know. Yeah, yeah, yeah, yeah. Anyway, thank you. We have such great listeners who are now on the constant p prowl for gates in the middle of nowhere. <Laugh> and, and weird wiring bridge bridges that go you nowhere. And strange wiring. I and I, well, I have a few more. I'm not gonna give 'em away, but we got some more fun things coming. Okay. So anyone who understands the inherent danger of exposing the unnecessarily powerful SQL command stream to web servers, especially web server visitors, will not be surprised to learn that yet.
(00:17:22):
Another instance of this extremely common and potentially devastating source of vulnerabilities has been uncovered in progress. Software's MoveIt transfer system, unfortunately, or rather, fortunately the previous problems drew the attention of security researchers in this case HackerOne and trend Micros zero day initiative researchers. They decided to have their own look at move its code. The good news is they responsibly disclosed their discoveries, still more discoveries so that patches could be prepared and made available to progress softwares, beleaguered users. At the same time, progress also patched another pair of high security vulnerabilities, which were not SQL injection. There was one that allowed you to crash the, the move it server. It's like, okay, fine. So after literally an update per week there, so far there have been three required updates about a week apart each, which patched critical vulnerabilities. It's time to do it for the fourth time in four weeks.
(00:18:38):
And I seriously don't know what I would advise move its users to do at this point. I, I would be, I, I I guess I would feel extremely uncomfortable if I were to understand the inherent danger that this system presents to its users. You know, as, as we covered three weeks ago in episode 9 28, literally, I mean truly thousands of progresses customers were penetrated and did have their internal private data ex exfiltrated to Russia. Then they were extorted by Russia's clop cyber criminal organization. And so, and the problem going forward is that due to the extremely poor fundamental security design of this move IT system, there's no reason to believe that the last serious data exfiltration problem has now finally been found. You know, sure the system is doubtless far more secure than it was four weeks ago. But the problem is, this class of bugs, these sequel injection bugs are slippery and unfortunately bad guys are highly motivated to find a way in.
(00:19:58):
And you know, as for move it itself, well we're back here on the topic of move it hacks the most current forensics conducted by Huntress Labs suggests that the attacks on those thousands of move it using companies appear to have been limited to just data theft and extortion. Which, you know, is a good thing cuz they, there was, these were really powerful intrusions. The LOP cybercrime group has not yet been observed deploying ransomware into any of the incidents linked to its exploitation of, of MoveIt. Hunters also said that it has not observed Alop gang expanding access into full network compromises, which again, they could have done. The gang has apparently deliberately limited itself to infecting and infiltrating only the hacked move it appliance itself. So, as I said, things could have been far worse if a much more aggressive attacker had been found behind this.
(00:21:07):
And the other thing too that sort of gave us some pause is that the cop gang from the beginning said, we are not going to do anything with the data of governments or law enforcement. Almost as if they were a little put off by the aggressive response, which some of the earlier ransomware attacks engendered. And they just kind of wanted to say well, you know, we're bad, but we're not that bad. And so, governments and law enforcement, if we get your data by mistake, we're just gonna delete it. So don't come after us. Oh, no. And, and also educational institutions, because there was a it wasn't Carnegie Mellon. It was some major university got exfiltrated anyway so ho hopefully nothing came of all that. I was scanning a news blurb about another crypto exchange mess. And I was like, yeah, yet, yet another one.
(00:22:14):
In fact, we have some numbers a little bit later. And, and everyone should understand that the bar has been raised fairly high for me by this point. So that it's not all of these that I bother to bring up because it's just, it's just like, why monitor the flood? You know, you're wet so you're <laugh>, you know that there's a water problem. But, you know, there's just so much of this going on. And it's safe to say that the entire crypto world is in pandemonium. But then I ran across a term that's taken hold in the industry, which left me shaking my head. And really there is some value to having everyone in our community of, of, of podcast listeners really appreciating the degree to what a mess things are. So here's the news that I encountered, which is interesting in itself, which concludes with this new bit of terminology.
(00:23:13):
Last Friday, June 7th, approximately 126 million worth of crypto assets were mysteriously transferred from the accounts of cryptocurrency platform multi chain in what is believed to be a hack. And that this is according to blockchain security firms Peck Shield slow mist. And we'll be talking about slow, we'll come back to slow mist a little bit later. Look on chain and cert K. And maybe, you know, you have a problem when there's <laugh> four firms, like l like when monitoring blockchain security is immediately a business that's, you know, might be a bit of a problem. So multi chain is sort of a meta platform, which as its name sounds, interconnects different blockchain platforms allowing users to exchange tokens across them. And as a result of this incident, it was, it, it was shut down. Multi chain was shut down to investigate. You know, what happened At the moment, neither multi chain nor any blockchain experts know exactly what it is that happened.
(00:24:29):
Serta k believes some of the platform's, private keys were probably compromised, although this theory has not yet been confirmed by anyone else. Fortunately, due to quick intervention by platforms like Circle and Tether, 65 million of those 126 million which were moved from multi chain wallets were frozen pending the determination of what happened. So there was like, you know, if nothing else, as a consequence of there having been so many problems, the industry is getting a bit better at just saying, okay, what, you know, stop, you know, freeze everything. Let's, let's figure out if this is good or not. This is also the second time this year that multi chain has suspended its operations. It also halted trading at the end of May. At the time the company said it couldn't perform server maintenance because its c e o had gone missing, and they didn't have access as a consequence to the entire platform.
(00:25:37):
The rumor was that its c e o had been detained by Chinese authorities. So multi chain never indicated whether its c e o had rejoined the company. If the recent incident is confirmed, this would be the company's third hack In the past two years, it lost 3 million in January of 2022 and another 8 million in July of 2021. Okay, so that's a bit of the background. Here's the, here's the way this piece of news concluded, which made me just shake my head. It said, blockchain experts aren't ruling out a rug pool either. And I thought a what? A rug pool. Yes. A rug pool is when a cryptocurrencies platform developers run away with their money themselves, they pull the rug out from under their own operation. So what we have here is an industry that is so unstable that the term rug pole has been coined as a shorthand to mean the bank's vault got all filled up with value and then the bankers just decided to take it because, you know, why not crazy?
(00:27:09):
And you know, Leo just the other day we were both observing that neither one of us is generally a big fan of attorney enriching class action lawsuits. But I stumbled over some news that really makes you shake your head and maybe think, well, maybe there's a place for them. Well, I think another one, it's nothing. I mean, nobody makes any money, right? But except the attorneys. But it does uhhuh it does call these companies to account boy, which can have some value, right? And yes. And that is why I'm hoping that a big one lands on this firm. Oh, good. The Netherlands has a foundation known as the C U I C, which is for consumers United in court. This C U I C foundation has filed a class action lawsuit against the quite well known security firm. Avast, C U I C alleges that from its special position in its users PCs, and not a few of them either, Avast collected data on its users' activities, which it then sold to online advertisers without its users knowledge or consent.
(00:28:31):
Everyone who used a vasts AV products or browser extensions between May of 2015 and January of 2020 had their data collected and sold. The list of products includes Avast online security, a V G online security, the Avast secure browser, the AVG secure browser, and the AVG online security extension. The collected user data was sold through a US-based subsidiary named Jumpshot. A vasts shut, shut down jump shot back in January of 2020 after there was some hint of what was going on. And, and that was exposed so much as I generally despise class action lawsuits. In this case, as I said, I hope that the proverbial book gets thrown at them. You know, this is a deep betrayal of trust and it's sad. Avast has been around for 28 years, since 1995, near the beginning of the PC era, and is currently in use by 435 million users.
(00:29:48):
The only thing you can figure is that it must have been that the proceeds from collecting and selling data on the habits of that many individuals was just too much for them to resist. I wouldn't mind seeing them put out a business over this, frankly. Essentially this was commercial spyware running in the PCs of those 435 million million users. That's ironic. You get a secure browser. Oh yeah. It's secure from everybody but us <laugh>. That's right. We're, we're gonna keep an eye on you, but we're, we're gonna let you know if any other spyware comes in, but you know, these, were, we're giving ourselves, we're giving ourselves a, a vast acquired avg. These are the two free antiviruses that a lot of people use cuz they were free. Not quite so free it turns out Well, it just reminds you if you're not paying for it.
(00:30:38):
Yeah. Huh. There's some way they're monetizing this. That's exactly right. Okay. So we've been observing that the era where it was feasible to actually create a new operating system from scratch has long since passed that the b o s, you know, b e O S Yep. It occurs to me as that that was probably the last entry that reached some level of maturity and had some adoption and critical mass. But of course then, you know, even it couldn't make it. And that was the late nineties. I I think people looked at that and said, oh yeah, you can't write a new operating system now. It's just a, it's a Mac and Windows. Right. And Linux World and that's that. Right. You know, and, and no, and there have been some various small hobby efforts, but you know, they never get very far either. Actually, B Os is still around as haiku.
(00:31:32):
There's an open source project. Yes, yes. And of course Google wrote fuchsia, but they're putting it on their IOT devices. It's not a, it's not. Well, and did they write it from scratch? Yeah. Yeah. They said they did. No, no, they started from scratch. Really? Took years. Yeah. Wow. But it's not a general purpose os Right. Well, well, and with Linux being open source and with an incredible amount of effort already having gone into it you know, that's where any sane project would start today. Start with the Linux colonel. Absolutely. And sure enough, that's exactly the conclusion that China came to. Yeah. Recall that China announced that they were going to be replacing the West's windows with their own, you know, in quotes operating system. It's actually Linux under it's quite attractive covers. I have a link in the show notes. Leo, if, if you wanna scroll through the pictures of the screenshots.
(00:32:30):
I mean, it is, frankly, it's gorgeous looking. Yeah. A lot of people have been saying nice things about this. You know, it's, it's called Open Kylin, but it's K Y I n, it's Tu Right? Well, it's based on the Linux 6.1 kernel. Okay. they've been working on it for many years. It's available for X 86 arm and risk five architectures. They're clearly trying to make it look like Windows. Z's got a recycle bin here and Grounded Corners. Yeah. On, on the, yeah. I mean, it is really pretty. Yeah. yeah. So X 86 arm and Risk five more than 200 companies, 74 special interest groups and 3000 developers contributed to the effort. And the good news is if for any of our English speakers it does have an English language option. So you know, looks, it looks very pretty. So, anyway, so that, that, that answers the question about what China is doing and is their intention to say goodbye to Windows and hello to Open Kylan.
(00:33:33):
I'm all for that. As long as they put, you know, they treat it as Open Rasha did the same thing. Right. Wasn't there a Red OS or something like that? I don't know what they're doing. I did note that Firefox is the browser for this, so that's great too. Yeah. Yeah. I want to, you know, we want, we wanna keep Firefox alive. Yeah, that's right. Well, now you got a billion new users. Yeah. Okay. So I might not normally mention an extremely severe CVSs 9.9 vulnerability, except that it's in Mastodon. And when you learned that the vulnerability has been named Toot Root <laugh>, oh boy. You really, you have no choice but to talk about it. So the Mastodon project has fixed the critical root and tooting toot root vulnerability, which, and get this, it was bad, allowed bad guys to commandeer any Mastodon server simply by posting a mastodon toot containing a malicious multimedia file extension.
(00:34:40):
Oh, wow. Yeah. Oh boy. And as we know, that's not an easy thing to defend against. Right. Because the, the extension is, I mean, it's very difficult to get multimedia Correct. Because multimedia codex are massively complex. Interpreters and interpreters are tricky. Yeah. So the good news is that once the trouble had been discovered, everything proceeded properly from there. Patches were released two days before the details were published. And in fact, there was an announcement that there was gonna be a release two days before that. So the whole system proceeded. And here's what's interesting too, is Tut root was discovered by security researchers at Cure 53 because they were conducting a security audit at the behest of Mozilla. Oh, I don't know why Mozilla said, oh no, Mozilla's launching a Mastodon. They're go, they're doing a Fed averse. Ah, that's why, that's why Then that would be it.
(00:35:46):
Yeah. Before, before we die Smart, before we jump in, we want you guys to, to, you know, get, give it a security audit. And sure enough, the audit came up with a potentially very serious vulnerability. And as we know, you know, these guys were just looking at, at the Mastodon code, bad guys could have too. And so what the good guys can find, the bad guys can find Right. Better that the good guys found it first. Yep. So, and we're patched, if you're curious with that social Yep. And have been since the, the, you know, the patch came out, we have a very, very good administrator. Yep. In Total Cure 53 discovered four security flaws. And again, props to somebody for naming this toot route. <Laugh>. Cause you know, that's a good name. That's a good name.
(00:36:36):
Okay. So those of us who are using Firefox will find that we're now using Firefox one 15 since one of my two primary workstation machines. In fact, it's the one that I'm sitting on in front of right now, is still running Windows seven, and it's running perfectly. I also received the notice that this would be the final release of Firefox for this machine other than security updates. You know, and that's fine. Since security updates is all I really need anyway, edge and Chrome had both given up on me several months ago. The somewhat controversial new feature in Firefox one 15 is Mozilla's declared ability to remotely prevent arbitrary extensions to run on arbitrary websites. Hmm. Uhhuh for some reason, this has upset people, which makes no sense to me. I cannot imagine that Mozilla's motives would ever be anything less than pure. So if they know something I don't, about some extension I'm running, and how some evil website I might mistakenly venture into is able to abuse that extension that I'm running, then by all means shut it down and thank you very much.
(00:38:02):
And that's what happens in the Chrome extension store everywhere. Right? Well, so, so they, there's blacklisting extensions. This I I think what's not just in the store, correct. Oh, so this is the, this is the browser itself, and it's per website. So it's, it's, it's more fine grained blacklisting. So, so in their explanation of this, Mozilla said, Mozilla maintains an open ecosystem for add-ons, which gives developers many choices in how they create, use and deploy their work. The same openness also provides malicious actors more opportunities as well. And I think that's the key is, is that, that they have some evidence that the, their openness, you know, is being abused by bad guys who are using the access to the code to find, you know, previously unseen problems, just like we were talking about with Mastodon. So while M Mozilla said, while Mozilla can identify and block malicious add-ons discovered through tooling reviews and user reports, this is not always enough.
(00:39:16):
Firefox version one 15 introduced quarantined domains with, you know, capital Q, capital D. So that's their formal name for it, quarantined domains to protect user privacy and security. When we discover significant security issues presented by malicious actors, this feature allows us to prevent attacks by malicious actors targeting specific domains where we have reason to believe there may be malicious add-ons. We have not yet discovered users can also control this behavior for each add-on in the add-on manager, you know, at about colon add-ons, starting with Firefox version one 16. So the next major release, and they, and they, they, they finish saying, we will be further improving the UI for users in future releases. Okay. So one 15 lacks some UI for this, but that's coming in one 16, which I won't get on window seven, but I don't care because I'm happy to leave this in Mozilla's.
(00:40:27):
Far more focused hands. Now an example of an extension developer who drew some attention over, you know, like his upset with this is a guy named Jeff Johnson who's posting, carry the headline, Firefox one 15 can silently remotely disable my extension on any site. And it's like, yes, that's by design. And why would they if it wasn't for the protection of the users of the extensions? And anyway, Jeff begins his grumbling by writing. He said, Firefox version one 15.0 was released on July 4th, but I'm not celebrating. I'm concerned about a new feature. He has that in air quotes, in the release notes. And then he quotes them saying certain Firefox users may come across a message in the extensions panel indicating that their add-ons are not allowed on the site currently open. We have introduced a new backend feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.
(00:41:46):
So that's what he quotes Microsoft saying, and he says, for various reasons, that's quite uninformative and mysterious. And he says, I'm all in favor of giving users control over which extensions are allowed to load on which sites. Safari already has this feature on both Mac OS and iOS. My concern he says, is not about user control, little of which even exists in Firefox one 15 as I'll show later, but rather about the remote control that Mozilla has now given itself to, again, to which I say, so what <laugh>? I mean, you know, that's good. We that's what we want. So anyway you know, Mozilla is in the driver's seat here. They, they must review and examine and digitally sign any extension before Firefox will even consider running it. And they also maintain, and Firefox enforces a formal blacklist to disallow any previously signed extensions that are later found to be militias.
(00:42:56):
So all they're doing is adding an additional level of granularity and control by supporting the intersection of specific extensions and specific web domains. Sure. We may not understand exactly why, but they must have seen a need and decided that they're going to fill it for the safety of their users. So, you know, maybe the guy just needed to draw some attention to his site by, by posting this. I don't really understand. Oh, no one ever does that. That's <laugh>. That's, that couldn't, that couldn't be the motivation couldn't be the case. No. How selfish <laugh>. Okay. So as we previously observed, Russia has been making noise about their own rru net which is what they call the portion of the internet located within their territory. It appears that Russia now has a law which requires, and I get to say it, Ross Kanan <laugh> to perfor to perform an annual test disconnection of the internet for the purpose of verifying are you net's stability when it's functioning as a freestanding network.
(00:44:20):
And they're claiming that happened in the very early morning last Wednesday, July 5th. However, people in Russia are doubtful someone named Natalia crap kva. She, she tweeted last night, Russia test disc tested disconnecting itself from the global internet on June 5th, around two to 4:00 AM Moscow time authorities tested the sovereign internet system, which led to disruptions of various websites and government infrastructure services. Russian railroad services and food safety systems were reportedly disrupted after the sovereign internet testing on the morning of July 5th, she then links to a Moscow Times article about this. However, someone named Oleg shov, quoted her reply, quoted her tweet and replied, please don't take Russian or anyone's claims about testing disconnection from the global internet at face value. Always remember about incentives within the system to exaggerate one's work. There are plenty of reports that there were no universal break in connectivity.
(00:46:00):
There is no real evidence that the drills caused disruption of Russian railroads and the agriculture regulator. I mean this in a literal sense. There is no evidence cited in this Moscow Times piece as I tweeted earlier. R Z D and that's the Russian railroad. R Z D problems started before the exercise and continue today, most likely caused by pro Ukrainian DDoS attacks. And in fact, earlier Oleg had tweeted the website and app of Russian railroads have been disrupted for four days. Customers are told to purchase tickets offline according to R Z D. This is due to hacker attacks. The problem persists today despite yesterday's statement and says he, he, he finishes the IT army of UA implied its role. And lastly, somebody else whose handle is u g underscore s i g tweeted. Yes. A quick look at the sites that monitor internet plumbing did not reveal any great disruptions during the time period identified in the reporting.
(00:47:23):
One would've expected to see massive routing drops and other disconnections, but I didn't see any of that. So yes, disconnecting from the internet in any meaningful way for the purpose of isolating all of Russia from the west. You know, have you seen how big Russia is that would indeed be visible to anyone monitoring the Internet's operation? It seems likely that if anything was done at all, it was some token gesture. You know, like they pulled the plug on the Kremlin or something, you know, it's like, oh look, he stopped, we stopped it. No, no Russian, no, no Western connection. No, no Facebook, no evil. Google, you know, and then they, they, you know, plugged it back in again and that was their annual test. So, you know, and in fact there, there were reports of, of pro Ukrainian forces taking credit for shutting down Russia's rail system using DDoS attacks.
(00:48:28):
So again I don't think that actually happened. And Leo would you like a little water break my friend? I'm gonna, what will happen yes, is me hydrating and then we will continue. This episode of Security Now is brought to you by Bit Warden. I love Bit Warden because it is the only fully open source password manager that's cross-platform. Can be used at home personally, but could also be used at work. In fact, we're converting over to Bit Warden for work on the Go and is trusted by millions, including me and Steve with Bit Warden. All the data in your vault, of course is end to end encrypted, not just your passwords, no metadata goes, gets leaked out. Right? And of course, bit Warden is using strong encryption. They offer a choice over pbk DF two, they have another key derivative function Argon two as an option, which is memory hard.
(00:49:30):
And so when Steve likes and recommends I convert it over to that with no penalty, you have to have the latest version of Bit Wharton. So you should check before you do this, all your advice is have 2020 3.2, I think, but now I feel even more secure. With Bit Warden Plus Bit Warden keeps adding great new features. Their username generator lets you create a u a unique email for each account. And you can use one of the five integrated email alias services, including our other sponsor Fast Mail. With that, you could also create unique username names or just kind of random username names. The reason you might wanna do that is now the bad guy not only has to get your password, he has to get this unique email or this unique user just, it's another layer of security. That's all.
(00:50:17):
And, and I love Bit Warden because they're always adding new features. And I think part of that is it's open source. You know, the Argon two implementation was contributed by a, a listener to our show. I think Nexin and bit Warden, you know, was a pull request bit Warden vetted it, tested it, audited it, and said, you know what, this is a good thing. And they added it in and they did that pretty quickly. It was in, within a, a month or two. It's really, it's really great. On top of being public to the world, anybody can look at the source code. Bit Warden also has professional third party auditors performing audits every single year. Results are also public published on their website. So it is really open source security you can trust if you are using let's say Amazon web services, you know, you have S3 buckets, that kind of thing.
(00:51:06):
You know that a lot of times when you access these things, you'll have an API key and a secret, which is effectively a password bit. Warden has just launched a new bit warden Secrets Manager. It's in beta, but it's in an end-to-end encrypted solution that lets teams of developers share stores centrally manage and deploy those secrets like API keys and machine credentials. You know, so often people end up pushing those into their GitHub repositories. This is so much of a better solution. And how many times have you heard about S3 buckets being compromised? Cuz the secrets were compromised? Secrets Manager keeps those sensitive developer secrets outta Source Code eliminates the risk of them being exposed to the public. They are looking for developers to test out the new Secrets manager and provide feedback. If you are interested, go to bit warden.com/secrets beta. This is why I love open source password managers.
(00:52:02):
If you use it in business, you can share private data securely with coworkers across departments or the entire company. Again, fully customizable and adaptive plans. They have a bit warden teams organization option that's $3 a month, their user. We're gonna go for the enterprise plan. That's $5 per month per user. But, and this is really important, individuals can always use the basic free account, unlimited number of passwords, free forever, guaranteed. You have my word. I asked them, I said, you ever gonna do what those other guys did and pull this? They said, no, that's not our business model. We're open source. We can't even if we wanted to, we couldn't. You can always upgrade as I did to a premium account, 10 bucks a year, come on. I just wanted to support him. I, you know, but that gives you two fa and some other additional features.
(00:52:49):
Or you can bring the whole family, get all the premium options with the family organization. That's up to six users for just $3 33 cents a month. Anybody listening to this show knows, and I hope is using a password manager, right? I just wanna tell you, the one I really recommend is our sponsor Bit Warden, the only open source cross-platform password manager that could be used at home on the go at work, trusted by millions of individuals, teams, and organizations worldwide. Free forever as an individual or get a free trial of the teams or enterprise plan bit warden.com/twit. You need this thing, you'll want this thing. You shouldn't go on the internet. You shouldn't be making passwords without Bit Warden. And yes, of course they're gonna be doing PAs keys more details on that to come bit warden.com/twit. We thank 'em so much for the great product and for supporting security now, but trying to get them for an a as an advertiser since well for years basically <laugh>.
(00:53:50):
All right, fully hydrated and ready to go with Act two <laugh>. So trust Waves, spider Labs Group carried out a six month experiment creating a globally diverse honeypot network. They wrote to obtain a better perspective of tax worldwide, Trustwave has implemented a net of honeypots located in multiple countries around the globe by distributed honeypots in such a manner, we can gather a reliable set of information on the methods and techniques used by attackers and their botnets. In our pursuit to explore the current threat landscape, we established a honeypot sensor network across six countries, Russia, Ukraine, Poland, uk, China, and the United States. Okay, so basically they established a widely geographically distributed set of listening posts across the internet, collecting all of the incoming arriving packet traffic for a period of half a year. What did their six months of listening reveal? They found that fully 19% of traffic that probed their test honeypot network was malicious.
(00:55:22):
So one in five packets incoming malicious. And of that malicious traffic, 95% came from IOT botnets, which were out scouring the internet, trying to locate and exploit new devices and, and you know enlist them into their botnets. So we have a world now where, where 19% of the traffic at arriving at arbitrary ips will be malicious. One in five packets is trying to do something bad. And 95% of those are from iot botnets looking for a vulnerability in something that has been discovered trying to take it over. That's the reality of today's world. Wow. Yeah. You know, it's not just the occasional packet, right? I mean, there's a lot of traffic coming to an active IP that is valid. And so for 20% of that to be bogus, that's just astonishing. Well, so I know I've already talked about, we, we just, you know, ear earlier in this podcast, the crazy losses being visited upon various cryptocurrency exchanges and services.
(00:56:43):
But in preparing today's news, I ran, I ran across a more comprehensive summary that sort of an aggregation of this that I wanted to share. You know, and, and remember that I had already mentioned slow mist a week ago on Monday, July 3rd, three days after the first half of 2023 ended, the blockchain monitoring group slow missed, published their 2023 midyear blockchain security and anti-money laundering report. They started off by explaining this report delves into blockchain ecosystem security summarizing key security incidents and funds recovery status in the first half of 2023. It aims to help readers identify suspicious transaction patterns and behaviors by analyzing typical cases and explore the anti-money laundering landscape within the blockchain ecosystem. Their report is lengthy and detailed and there's no need to go into all of that, but here are some of the high points that <laugh> that, that will catch anybody's attention.
(00:57:59):
Get this more than $922 million worth of cryptocurrency assets, 922 million. So just shy of a billion dollars worth of cryptocurrency assets were stolen in the first half of this year. 2023 across a total of, and that is to say occurring during 185 security incidents, 185 incidents. What is that? Is that one a day? That's, that's one a day. Oh, in, in half a year. <Laugh>, that dollar figure is now, is interestingly less than half of what was lost during the first half of 2022. During the first half of last year, 2022 hackers stole 2 billion worth of crypto assets across, interestingly, 187 incidents. So the same number of incidents in the, in both the first halves of this year and last year in total during 2022. That is last year. Chain chain analysis is the name of the, of the reporting firm reported the loss of more than, so this is in 2022, loss of more than 3.8 billion worth of assets.
(00:59:39):
It's unclear why the first half of this year saw fewer funds like half the funds, which were stolen compared to the first half of last year. But no one believes it's because cryptocurrency platforms have become more secure. As we saw, the total incident count was 180 5 versus 180 7. So essentially the same, nearly half the funds stolen this year were so, so far in the first half of this year, were taken from N N F T Defi and across and cross chain bridge platforms, which, you know, like, like that, that multi chain that we talked about before, that's like a new thing. And they lost a total of 487 million in 131 incidents. So about half of the total amount WA was just in that. And the year's largest hack so far was the, was the oiler finance in incident where the platform lost 197 million.
(01:00:50):
The hacker, that hacker eventually returned most of the stolen funds in one of the 10 incidents where attackers returned any stolen crypto. Usually, you know, that's in return for amnesty at a bounty, which is typically, you know, a hefty percentage of their total take. So just saying it should be so abundantly clear that the world is still a long way away from figuring out how to do any of this securely. So it is really difficult to see how participating in any of this is worth the risk. It's just, it's just crazy. And, and I know none of our listeners are, are like that nuts, you know, they're not gonna stick their tongue across those two high tension cables either. But, you know, we all know somebody, actually, we have some neighbors who are like telling us, you know, expounding on the, the benefits of cryptocurrency investment.
(01:01:51):
It's like, and I just, you know, I, I bit my tongue and not because it was sore from having stuck it on a nine volt battery <laugh>, did they ever try to sell you Amway or anything like that? Oh, you know, that's the problem with the pyramid scheme. You've gotta get others to join, otherwise, your initial investment is yeah, quickly worthless. Yeah. So the world is continuing to struggle. Well, actually, I would argue the struggles are just beginning over issues of cross border internet consumer privacy and the monetization of consumer data. Two examples. The European Union has just ruled that what meta is doing is illegal under the eus G D P R. The European Court of Justice has ruled in a case between Meta and Germany's federal cartel office, including that META'S interpretation of the eus G D P R regulation is illegal.
(01:02:52):
The court cited with the German agency, which ruled in 2019. You know, this, as we know, these things always take a long time. Here we are, what, four years later. That meta was bypassing GDPR privacy protections by taking delay collected, taking data collected by various of its services without proper use, con user consent and merging it behind the scenes. The aggregated data then allowed meta to continue tracking German and EU users to feed its advertising business. The court's ruling bars meta from engaging in such behavior in the future. It also, that's the first also keeps threads out of, out of the eu, I think. Yeah. Yes. Meanwhile, Sweden has just joined Austria, Denmark, France, and Italy in their growing crackdown on Google Analytics use. The Swedish Data Protection Agency has fined two local companies, and these are hefty fines. I I can't imagine they're gonna get paid.
(01:04:03):
The Swedish Data Protection Agency just find two local companies for their use of the Google Analytics service and has recommended against future use of the tool. A 1 million Euro fine was handed out to Swedish Telco Tele two and a 200 and a, and a 25,000 Euro fine to a local online retailer, C D O N. The fines were handed out because companies allowed Google Analytics to collect data on Swedish citizens, which was then transferred to the US as I noted Sweden. Thus, thus becomes the fifth EU member state to find or recommended to recommend against the use of Google Analytics, which we talked about, you know, a couple months ago now, assuming that the EUS legislation holds up and, you know, they have every right to create and enforce whatever legislation they choose. It looks like it's gonna become truly necessary for our large multinational internet service providers to establish and run fully independent facilities, which are able to demonstrate complete autonomy within each national region.
(01:05:26):
And of course, that's, everyone's fighting against that, you know, the, the, the internet service providers, you know, Facebook, Google, apple, and so forth, because it won't be cheap or easy to do so, but, you know, they're gonna go kicking they're, they're, they're gonna go kicking and screaming, but it does look like the future. It doesn't seem like there's gonna be a way for them to get around this because, you know, they really are, you know, aggregating user data and using it for their own benefit. The problem is, it's right now, it's crossing national lines yesterday, and I didn't have a chance to listen to Mac Break, Leo, so I don't know if you guys talked about this, but Apple issued Oh yeah. And then almost immediately retracted. Yeah. An emergency update. We did talk about it just one hour later. They took it back.
(01:06:19):
Yeah. Just after posting and began pushing one of their new emergency, you know, it's the rsr, the Rapid Security response updates. This one was iOS, iPad, os, Mac, os, Ventura, and Safari. An hour later it was canceled and withdrawn. So what happened? According to reports posted to Mac, rumors forums, Facebook, Instagram, WhatsApp, zoom, and other websites started producing warnings to their visitors about their updated Apple Safari browsers not being supported. Okay? So the update repaired a web kit zero day vulnerability that had been discovered while it was under active exploitation. And that brings Apple's patched zero days count to 10 for the year so far. Okay. But get a low to what happened. The previous versions of the various ioss were 16.5 0.1 for the ioss. And, and in the case of macOS Ventura, 13.4 0.1, what Apple did, since this was meant to just be a quickie RSR web kit patch, was to leave the primary version number unchanged at 16.5 0.1 and to simply a penned a lower case.
(01:07:48):
A enclosed in parentheses to the end of the version number. So as a consequence of this change, safari dutifully began appending that same per parenthetic a to the end of its user agent version string. And that was quickly revealed for some reason, to deeply upset and confuse the user agent string parsers being used by a number of quite popular web servers. So in the user agent string, it said version then forward slash 16.5 0.2 is what I've got in my notes, that with a parentheses, lowercase a no, separated by a space, and apparently that was all it took. So Apple quickly retracted this update to minimize the damage that it was doing and advise people if they were seeing this problem, to immediately roll back to the previous version. And they have said that they would be releasing a b update and presumably it'll, obviously it'll have the same zero day fix, but they will, I guess not put this into the user agent not version using string.
(01:09:14):
Yeah. Yeah. I kind of blame, I don't know. There, there's blame to go around because why are they being so picky about the user agent? Like, I agree. I I I I think that, that they, that the, those web servers were using some common software Yeah. That is common to them. Right? Whi which, which failed in parsing because that, so there's an a, well, what version is that? I don't know. No, no. Stay away. Yeah. And, and, and for example, I, I, I have an actual picture of the user agent's string, which was captured by the updated software, and there's a bunch of stuff in parentheses, right? Apple WebKit slash 6 0 5 0.1 0.15, space K html comma, like Gecko <laugh>. So you, you would think that they're just gonna ignore what's in the parentheses. Yeah. but no, apparently not. Probably some, you know, complex grip that just fails, right?
(01:10:14):
It just stumbled, right? Yeah. Yeah. So a couple of weeks ago we were talking about syn synchronized sonology NAS boxes and sync thing and sync.com and that free Windows app max sync up since I've changed what I'm doing since then, I wanted to update everyone, correct the record, and share a cool little bit of tech. I soon recognized that the problem with using that at Max Sync Up Windows solution was that while it did provide bidirectional sync, it did not have an active agent running in the local Sonology nas. So it could not be proactively notified of any changes made there due to the inter sonology synchronization, which I have between my sites, just as you have between your sites, Leo, and that turned out to be a, now you mentioned Leo LA when we were talking about this, that there was a native means for running sink thing, right.
(01:11:22):
Without needing some messy docker or container encapsulation. So that sent me looking, and sure enough, I found it, as you said, by trusting an additional and very clearly trustworthy source of sonology add-ons, I found a native Sonology build of Sink thing. So Sink Thing is now running natively in each of my NASH locations. Isn't that a great feeling? Oh, I love it. Yeah. Yeah. It is just right. And, and you said it for, I hope, receive only, so you it might, you can set a sync thing folder to be receive only, or send and receive or send only. And I think my, that, what you wanna do on a sonology is make a receive only, which means it will never delete anything. So it will only aggregate new versions. It will never delete old, or if you delete files on one machine, it won't delete 'em from the backup that makes it a backup, a true backup instead of a sync.
(01:12:24):
You see what I'm saying? Right. So that's sort of a different purpose than I have. Oh, okay. You want just sink, sink? Yes. Yes. Okay. So, so, so, so, so, so I have an asem tree on on my machine in front of me and an asem tree on the machine in my other location. Yeah. And I just, I want those two assembly language code trees to be kept synchronized. Got it. You don't, you wanna synchronize deletions as well as new files, right? Yeah, yeah, yeah. Right, right. And so, so I, so I've got Sonology run, I, I mean, I have, I have sync thing running on my various Windows machines. It's performing local only land sync, and then I use the built-in Sonology, the inter sonology NASA sync in order to keep those two Sonology. Right. Sonology, NASA is the same. Right.
(01:13:15):
So that's a really good solution. You don't need a cloud now at all. Really? No. No. And I, you know, I don't trust a cloud. I, I'm okay, so, and anyway, so, so I wanted to share how I'm handling the internet exposure. Sonology offers lots of, you know, log on to your sonology NAS remotely functions, you know, and to which I say thanks, but no thanks <laugh>. I get it, that that might be the right thing for some people, but it presents too great a vulnerability that can go far too wrong if the bits hit the fan. As we know, featurize is what bites us. So I have all of that, you know, join your NAS to the Happy Sonology Land community stuff turned off. You know, my sonology, NASAs are little independent islands. What I want from my NASAs is zero third party and zero public internet exposure.
(01:14:23):
And it's possible to have that at each location. A pf sense firewall is what's facing the internet, as I've noted before. Pfs sense is incredibly handy for performing static port mapping to bypass Cox's consumer port filtering. But in this case, I'm using another nifty feature of pfs sense, which is DNS driven firewall rule updating. In other words, pf Senses firewall rules can track IP changes through dns. Each of the pf sense firewalls opens a single port, which can only be connected to by the other endpoint, which is to say, I have explicit IP to explicit IP openings through the PF sense firewalls. But that means that each endpoint needs to know the other endpoints. IP pfs Sense also has a very capable and mature Dine DNS client module. So I'm using a free Dine DNS service to track the IPS of each endpoint for the other endpoints use.
(01:15:47):
As I noted PF Senses, firewall filters can be slave to DNS lookups. So if either endpoints IP should change, though that actually doesn't happen very often with a cable modem. That local PF Sense instance will note that the IP is received from the I S P Cox has been changed. So it will use its Dine DNS client to update the Dine DNS service with the, the, the news of its new ip. The other endpoints firewall will then automatically update to allow a connection only from that new ip. And yes, this, because I'm depending upon dns, which is not fully secured, this solution is just ever so slightly less secure than the absolutely secure solution of manually configuring the ips of each endpoints firewalls. You know, I could do that if it were absolutely necessary. But what this protects me from is the primary threat, which is having my use of sonology known in advance from an internet-wide scan, and then being vulnerable to a targeted attack due any suddenly discovered vulnerability in sonology software. So anyway, I just want, it's, it's cool that I, that the PF sense can use Dine DNS to publish its ip, and that it's also able to use DNS to automatically edit the filter rules in its firewall in order to, to, to track the ips of anything that that is, that might be changing, that needs to have access in. And that would also be very cool if you were traveling and wanted to have access in, in, into your network only from the IP where you currently were.
(01:17:50):
So I wanted to share that little tip. And Leo, thank you for letting me know that I could run Sync thing on my sonologist. It is. Yeah. I just, I just think it's such a great, it's absolutely program. And then, you know, I have it on every machine I I use, so Yep. It's great. Yep. Yeah, it keeps them all synchronized for people who want to use it for backup on a Sonology na, when you set it up, you, you know, you get all the folders. I, I, I basically said, you know, my Mac is the introducer, so just whatever it says it wants to share, except, but then I go in the settings of the folders and I make them receive only. And according to Sync thing, that means it will still, if there's a change on the Mac, it will go to the sonology and it will still synchronize that change to other computers.
(01:18:37):
But if I have a deletion on any computer, it will not delete it on the sonology, which is what I want. Cuz it's backup. Right. I want it to have everything ever. Cuz the sonology is huge and never, cuz my real fear with any synchronization tool is that you can synchronize deletes. And if you, if you delete a folder on one machine, then it deletes it on all the other machines pro it propagates through the whole network. Yeah. Then it's not a backup. So it's very important if you want to use the syn thing as backup. And I do believe it works fine. It has for a long time for me. Yep. If you send it to receive only on those folders on the sonology, then there'll be backup folders. And I don't know if you've looked at it, but Sync Thing also has a very nice and mature version tracking system.
(01:19:22):
I use the staggered file system, which is fantastic. Yeah. Yep. Yeah, it's really good. Yeah, they, and everybody, it's open source and free. Free. So it's the best. Yeah. And, and, and also widely multi-platform. Yeah, yeah, yeah. Everywhere. Have it everywhere. Yeah. So a couple of little Closing the Loop pieces George Gie, he said, hi, Steve, longtime listener of the show, and I owe a lot of, a lot to you for all the IT knowledge I've gained. Thank you. Had a question and was wondering if you might know, is it possible to read odd file system discs like those found at enterprise level Xerox machines? Oh boy. <Laugh>. He, he said, trying to prove or disprove a theory of what's left on these drives. Ah. And so, yes, it is definitely possible to look at and examine raw discontents independent of any file system under Windows.
(01:20:21):
My favorite piece of freeware is called H X D, capital H lowercase x, capital D. The full name is H X D freeware, hex editor and disc editor. If you Google that, you'll find it. I have a link to it in the show notes made by a, a neat German guy. You can, you can ar if, if you can arrange to attach that drive to any Windows machine, H X D will allow you to open the drive without mounting any file system. And then you have all of your f you know, familiar windows browsing tools, you know, a scroll bar. So, so, so you, you can very rap rapidly, scrub through the drive page at a time search for strings and, and so on. And you would immediately be able to determine, you know, what was there depending upon, you know, whe whether it's encrypted or not, and so forth.
(01:21:19):
But anyway, yes, George, absolutely possible. I would recommend H X D for Windows. And I think all of our various oss have some means of allowing you to look to look at a raw discontents. Now Fairlane posting as Skynet, he said, I'm late watching last week's podcast, but thanks for sharing about the chirping of the mystery smoke detectors <laugh>, he said, hilarious, but not uncommon that you can't find it. I've had that happen at home. You said you didn't have any smoke detectors. What about carbon monoxide detectors? We have both. And when I can't find the one chirping, I will take out all the batteries of all of them. Oh. And start, and then start, start putting them back in one at a time until I fund that starts beep when I, until I find the one that starts, that starts beeping.
(01:22:10):
Oh, that's fun. <Laugh>. So, yeah, I, I, I, I mentioned this because it generated a huge thread o over the news group. It turns out that this is a very common problem. Oh yeah. But it's, and and by the way, we don't know if it's a smoke detector. It could be a lot of things in your house. It could actually, I know what it is. Oh, you found it? Oh good. Yeah. it is a for a while. Well, a actually, several years ago, the drain line on my air conditioning system clogged Oh. And that called the, the, that caused the, the, the con the condensate from the in inside coils to fill up back up and begin running water down into the people below me and the people below them. Cuz I'm at the top of, of, of, of a three stack. The good news is, and when you hear those screams from downstairs, you know who that is.
(01:23:03):
<Laugh>, there's no mystery about it. So I decided when this was all fixed, I added my own water leakage detector and it's got a ni vol battery in it. And it were eye to find it and stick my tongue on it. It would, my tongue would tell me that it is no longer at nine volts any longer. And so that's the thing that is chirping, because it's trying to let me know that it's no longer reliably detecting water. However, the news, the, the, I don't need that information because I have since replaced the whole air conditioning system that has a built-in water monitoring and automatic shutoff system so that the, the, the water detector was superfluous. I took it out and have lost it. And it is busy chirping. Oh no. Wherever it is. Oh, no. Oh, see, it's worse. I know, I know what it is.
(01:24:01):
I still can't find it. It's under a, it's under something. <Laugh> uhhuh <affirmative>. But that's the problem. That frequency, for some reason it's hard to echo locate. And if it only would like do it for a second Yeah. Instead of like, instead of like, what, what, what? Yeah. Yeah. And she can get closer and closer. But I think cuz it's such, you know, normally high pitch frequencies you can echo locate, but I think cuz it's so high pitched, it bounces off everything. Yes. Where wherever I go, it seems like it's somewhere else. It's there. Yeah. Yeah, yeah. Oh yeah. Yeah. Totally awful. Totally horrible. By the way, if you ever figure out, I replaced all my carbon monoxide detectors in the house the other day. They have americium in them, which is a radioactive material. If, and I've been talking with my friends, no one could figure out, what do you do with this stuff?
(01:24:46):
You don't wanna put it in the landfill. Nobody takes americium. The best I could come up with is somebody said, if you have a friend who works at a hospital, they have hazardous, radioactive disposal bins. Get them to put it in that <laugh>. Wow. So get your feedback folks to help with that too. <Laugh>. Okay. Oh, and we did have another person, Steven McCauley said, longtime SN listener. You probably already got the answer since I'm usually listening a day late. But the military requires wearing the quote uniform of the day. Yeah. While on duty. He says, for most branches, that is the working battle dress uniform. B d u he says, which is camo. So Yes, indeed. Yeah. But maybe, and again, the camo is for a jungle. They have desert camo. If you're in the desert, they should have cyber camo.
(01:25:50):
It would be really good. I want submissions for cyber camo. We need, we need cyber camo <laugh>. And if we told Alec Lindsay he'd have a photo of cyber camera Oh yeah, you would. By the time we were done. I'm sure I'm gonna work on it right now. Come to think of it. I have mid journey too. <Laugh>. That's good. So Simon Zafa brings us our cringe of the week. He said at S G G R C attended a security conference that offers attendees the option to line up for a help yourself lunch. However, if that queue gets above a certain length, remaining delegates are provided an a la carte dining instead. This, of course, is to prevent buffet overflows. Oh, boo. That's a dad joke. Ooh, yes. The old buffet overflow when the line to get lunch gets too long. That's terrible. Oh TWS said, hi, Steve, during a podcast from a couple of months ago, you mentioned a favorite authenticator app that you use.
(01:27:00):
Could you remind me what it was? Had been using Google Authenticator for many years, but I do not like these new changes. You didn't tell me what they were, but okay. I don't like them either. Thanks so much. Thanks. Thanks for making a great podcast. And of course, spin. Right? Looking forward to the new version. So it's O t pau o tp space, A u t h. The since, since Google search, I mean, Google search since Apple's search is crappy you know, put something in. And what you're looking for is just a simple gray padlock. It's called O T P space, A u t H. And it's just a, a gray padlock. And I love it again written. It's also written by a neat German guy. I will throw in my favorite, which is I trust those Germans also open source free two f a s and it's iOS and Android.
(01:27:53):
And as long as we're throwing things in here are Steve Gibson and Leo LaPorte in cyber camo. Oh no. Bdu. According to mid journey. My god, this actually works, doesn't it? <Laugh>, that was just one of several choices. Let's see what else we've got here. Here's I kinda like this one. It doesn't look like us. Which one do you like? The red, the green. It's definitely, I like the green. Yeah, I think that, yeah, that's the one I upscaled. I thought that was yep. That was very attractive. I don't know what the hood is, but <laugh>. That's your tempest, that's your tempest proof hood. That's right. It's cold down here in Southern California. <Laugh>.
(01:28:36):
Okay. Sorry. Wow. <Laugh>. Yeah. Okay. So speaking of spin, right? Yes. Sunday evening, I posted the 33rd alpha release and noted that it was the first release candidate. Oh, baby. Yeah, we're getting there. So, so this is the first release candidate for the DOS component of Spin, right? Six one. It appears to be finished that release spin right's new embedded faq. And the people who read through it found three hyphen characters that were not displaying correctly. They, it showed as a lower Clay case u with an accent over it. But so far everything appears to be holding this evening while the news group gang continues to pound on what we now have, I will begin the work of updating spin right's Windows app with the new USB formatting in knit disc technology that I started out creating three years ago.
(01:29:38):
Basically putting all the pieces together and that will then move us to actual spin, right? 6.1, which once we know that it's working and tested, will just be replaced on the website. And that's what Will, will begin, you know, offering I'll let everybody here know that at that point that they're able to update their six oh. With the, the easily downloadable and installable version. And Leo, yes. Last, last Wednesday during week, windows Weekly, something I don't recall what now caused you to note that for spin right's future I had chosen Oh, yes. To finally leave Doss, I was gonna ask you about this in favor Yes. Of another operating system. You had been using Free dos, right? Yes. Yeah. Yeah. okay. So the first exposure many of us had to Intel processors was IBM's pc. Mm-Hmm. <affirmative>, as we know it contained Intel's 80 88 and then 80, 86 and so on.
(01:30:47):
But as we also know, Motorola was bidding to have their 68,000 processor chosen. And in fact, that's what Apple used in their first Macintosh pc. To this day, I still wish that's what IBM had chosen. Yeah. Since it was a truly lovely processor. I mean, it was just a gorgeous architecture and I wanted to program it, you know, in assembly language. But that's not what we got. My point is that Intel didn't create their processors for the pc. The IBM PC project chose the already existing Intel processor family. Mm-Hmm. <affirmative> as the basis for their PC product line. So that begs the question, what operating system did other early Intel X 86 customers use who were not building PCs? You know, they were building elevators, trains, planes and automobiles, launching telecommunications satellites, and installing commercial HVAC systems. These things had no screens in keyboard. They were as embedded processors and they did their work mostly without any recognition of any kind.
(01:32:07):
Well, it turns out that in many cases, those companies chose to use a real time operating system, which had been created by, I don't know what it is with me in Germany these days, but a German named Pete Peterson. To give everyone an idea of who has always been using Peter's RTOSs, 32, just the beginning of his alphabetical customer list reads, 3M Company, Adaptec, Agilent Technologies, Airbus Air Force Research Laboratory, Alcatel Attel, at and t, bell Labs, Audi, Bayer, Blount, B M W, Boeing, Bosch Telecom, Carl Zeiss, Carnegie Mellon, ser, Daer, Desh, telecom, digital Research, Dow Chemicals, DuPont, Erickson Mobile, E t H, Zurich Ford, Fuji Photo, Goodyear, Hewlett Packard, Honeywell Aerospace, IBM's Research Division, J P L, Lawrence, Livermore National Laboratory, Leica, Andon. Anyway, and that's just are the ALS kids, <laugh> you, you and I skipped a whole bunch of, of, of like lesser known in the, yeah.
(01:33:27):
Anyway, so you get the idea. And to that we can now add to that list. Gibson Research Corporation. Ah. so it's a real time operating system. Yes. Okay. Yes. As opposed to dots. E exactly. It, this os predates everything. Huh. Peter has been licensing it to the who's who of industrial Intel processor users around the world since the early nineties. And as Peter explained in his going out a business letter at the end of last year, <laugh>, this is what cracks me up. I was accurate in that. Right. Okay. <Laugh>. Right. The, the trouble was, it is a finished product, right. Like, like spin. Right. It doesn't need to get better. Exactly. Yeah, exactly. It perfectly interfaced his customers provided code to their Intel based hardware. And what's, moreover, over the years, he ran out of bugs because it was done. That's nice.
(01:34:26):
It was complete. Wow. It was perfect. There was nothing left to fix. So his customers faithful, though they were, through the decades, they stopped paying for annual maintenance because they never had any problems that needed fixing. So I purchased it, lock, stock, and source code. I own the result of those 30 years of embedded operating system software refinement. Have you looked at, do you, have you looked at the source code just to kind of Oh, it's just gorgeous. It, it's, it's assembly obviously, right? No, it's all in C Oh, it's all in the c The whole thing's written. Okay. It's written in c which is fine because all of my code will still be in assembly. Sure. And it is, I mean, it is lean 16 K is the OS overhead. Wow. Wow. So that's amazing. I, yeah, so I mean, it's exactly the right thing.
(01:35:22):
It, it, it's able to boot on U E F I or bios it, you know, it. So, so I, I, that's really what I needed. And it, it, it runs its, it is its own 32 bit protected mode operating system. And it has cloned a large subset of the original WIN 32 A P I, which Paul now poo-poos, but it's what I'm still writing to cuz it's like, you know, the real A p I anyway, so I I, I'm, I cannot wait to get started on spin. Right. Seven Wow. And you don't care that it's outta support because you got the source. Yeah, it's done. It's done, it's done. I've got the source code and, you know eventually there will be some mass storage technology that follows N V M E. Right. because spin Right seven will will be supporting NVM e.
(01:36:16):
Okay. And so, you know, for spin right, nine or 10, I'm gonna want to be able to support that. So I have the source which will allow me to continue to evolve this operating system going forward. Is it still in, you still use N 18? Or is that available on it? Or is that a, is that, that's bios, isn't it? The interruption to use? Oh, yeah, yeah. BIOS is all gone. So you don't have any bios dependencies anymore. Correct. and does, does it use RTOs to do the disc reads and writes? Or are you doing that all internally low level? I'm not exactly sure. It does, it does provide a, a, a disc interface and what's really nice is that it's got file system support Oh. For, for, for FAT 32 for all the fats Handy and for N T Fs.
(01:37:04):
Yeah. I, I'll need to add, you know, XT and, and so forth. Okay. For, for, for the, for for the others. But but normally Spin Right. Doesn't care about file systems. Right? Well, it doesn't today, but that's where it's headed. Yeah. You'll be able to tell that I want to recover this file that I can't read. Oh yeah. That's, that's nice. Oh, I'm looking forward to that. Oh, yeah. And why spin? Right. The whole drive if only a, a, you know, a quarter of it has files on it. Yeah. Only spin Right. The files. Yeah. Interesting. So I, yeah, I've got lots of plans for, for seven and beyond. What do you use the OS for? I guess running the program, right? Loading and running Well, yeah. Yes, exactly. It, it, it, it, it it sets up the processor. It handles multiple cores, basically.
(01:37:52):
It, it does everything that I don't wanna doing. And like you know, and you know me, I may end up, you know, replacing a bunch of it with, with, with Assembler or, or fixing it here or there, but it just sort of gives me a start. Also, it's got vast support for network adapters and it allows cross network debugging. So I'll be able to run it on another PC and it's understands Visual Studio. So I get to run in my very nice Windows debugger mode while I'm actually operating code in the other machine. And because it runs over the network, if a customer has a problem, I'll be able to debug it on their machine no matter where they are. Mm. So there's some really very cool advantages going forward. Nice. Nice. We should take our final brief. Oh, yes. And then, and then we're gonna talk about fingerprinting that we cannot get away from.
(01:38:59):
Kind of wish our toss was our advertiser at this point. <Laugh> love to do an ad for our toss. So is Peter, what's he gonna do? Is he he's retiring or he must be about my age, because he's been at this as long as I've been at Spin Wright. And Yeah. I mean, he wrote a sort of a sad note and he said, well, you know, that's it. Yeah. I think what happened is that that C O V I D finally tipped over Mm. I, I think companies looked at their bottom line and thought, you know, where, where, where, where can we trim the sales? Right. And it was like, well, let's just let our license expire because, you know, there's no, we, we don't need it anymore. That's why I am lately been begging people to join Club Twit.
(01:39:43):
We don't want our license to expire. Well, and and the other thing too is that if you were starting today to build an H V A C or a a CAT scanner or an IV drip, you would not put an Intel processor. No, no. In it you would put a, a little arm chip. Sure. That's and that's right. And that's what you'd use. So That's right. The problem is no new, no new application was, is gonna be using the p the old PC architecture. Right. But I am, it's perfect for me. <Laugh>, there's a few legacies like you still around. That's right. That's nice. That's right. Well, we don't want you to but, but retire either, Steve. So I'm, Nope. Now you got me all excited about spin, right? Seven. It's gonna be good. <Laugh>. alright, let us talk about our sponsor.
(01:40:38):
How about, and then we will act three of of security. Now. Will, will ha happen, our show today brought to you by, and you probably see the signs everywhere and the banners, ACI learning, you might be saying, well, ACI learning, what is ACI learning? Well, you know, it pro they've been our trusted sponsor since they started a decade ago providing, engaging, entertaining IT training for our listeners. Now they're part of the ACI learning family, which means IT pro's capabilities are gonna grow lot. Of course, they always will stay with their highly entertaining bingeable short form content that they're famous for. But now there's more than 7,000 hours to choose from. Wow. You know, 30% of ACI learnings customers are, are, are MSPs managed service providers. I should have to define that. If you're at msp, you know, you also know how important it is for your team to keep up to date on the latest technologies.
(01:41:36):
Your clients expect you to be up to date on cybersecurity, on audit, on all of the things that a modern enterprise needs to do to stay operating and and profitable. Well, let me tell you, ACI Learning is dedicated to supporting your team MSPs through any challenge. Msps love, for instance, the ACI learning labs, the Practice Labs. You could test and experiment before deploying new apps or updates without compromising your live system. You could try out your skills on virtual machine labs with multiple instances of Windows servers, desktop clients, and you could do it anywhere, Mac os, Linux even on a Chromebook. You could prepare for those challenging certification examinations by taking the test before you take the test practice questions, take and retake to make sure you're ready for the real thing. Check out this testimonial from a happy MSP team leader. He said, quote, I had 110 engineers in the field.
(01:42:36):
We had dozens of IT pro accounts last year alone, they passed over 40 certs. Wouldn't you like that for your team? And I can tell you, your team would like that too. And it's a great portal that they have the, the ACI Learning Pro portal that'll let you justify the spend. You'll know exactly that. You know what your ROI is. You can manage seats, you can assign an unassigned team members access monthly usage reports. See metrics like logins, viewing time courses, viewed tracks completed and all in a visual format. So it's easy to show the boss. See, see, they're taking the courses. They're learning, they're getting better. It's working. ACI Learning is the kind of training pros in IT love and people are trying to get into it. Love on average, in in the training industry completion rate on their videos, 30%, 70% bail before they watch the whole thing.
(01:43:30):
Not with ACI learning, their completion rate is above 80%. That's a lot better. That's because their content's great. It's enjoyable, you're learning from it, but you're also enjoying your time with it. Stay compliant with regulations. Identify potential risks and weaknesses before they become problematic. ACI learning is ISO certified. Oh, and if you are going to Black Hat this year, you want to check out acis, they'll be there. Booth 1589 at Black Hat, August 5th through 10th. Stop by say hi. Learn about their new cybersecurity awareness training. That's called Cyber Skills. They'll be showing that off. Also, the new skills gap analysis tool. Really great for knowing where you need some training. They call that Insights. Again, booth 1589 at Black Hat ACI Learning. Try it for yourself, then bring your whole team along for individuals. 30% off a standard of premium membership when you use the offer code.
(01:44:30):
TWIT 30. TWIT 30. And for your team from two to a thousand, learn about ACI pre learnings, premium training options across audit IT and cybersecurity by going to go dot aci learning.com/twit. Volume discounts by the way, start at five seats. Fill out the form@go.acilearning.com slash twit for more information. You can find out about their free two week training trial for your team as well. I think you're gonna love it. It's a very good thing we know cuz we've been with 'em for a long time. Go dot aci learning.com/twi. We thank him so much for supporting Steve's good works here at security now. So at the end of February next year during N D S S, which is the Network and distributed System security symposium, which will be held in San Diego, the recently completed work of a team of six uc Davis researchers will be presented.
(01:45:37):
Their paper is titled Sin Sent Practical RO Hammer Fingerprinting. Another title might have been the creation of a DRAM super cookie. Here's how they describe their findings in their papers. Abstract they wrote fingerprints, leverage the heterogeneity in hardware and software configurations to extract a device. Fingerprint, fingerprinting, countermeasures attempt to normalize these attributes such that they present a uniform fingerprint across different devices or present different fingerprints for the same device each time. We present centara a row hammer fingerprinting approach that can build unique and stable fingerprints even across devices with homogeneous or normalized and obfuscated hardware and software configurations to this end sent leverages the process variation in the underlying manufacturing process that gives rise to unique distributions of row hammer induced bit flips across different DRAM modules. Sari's design and implementation is able to overcome memory allocation constraints without requiring root privileges. Our evaluation on a test bed of about 100 DRAM modules shows that centara achieves 99.91% fingerprinting accuracy cent's fingerprints are also stable with daily experiments over a period of 10 days revealing no loss in fingerprinting accuracy.
(01:47:37):
We show that sari is efficient making, taking as little as 9.92 seconds. So less than 10 seconds to extract a fingerprint. Sari is the first practical row hammer fingerprinting approach that's able to extract unique and stable fingerprints efficiently and at scale. Okay, so this is some brilliant work and it's one of those discoveries that's immediately obvious in retrospect. RO hammering is a subject that's come up over and over through the years for us. What we know about it is that in order to obtain maximum storage densities from our systems dynamic ram, the storage cells have been shrunk and the number per unit area has grown. And effectively any margin for error has been deemed too costly and has thus been eliminated. What we wind up with is Maine system memory that can be pushed over the edge through deliberate abuse, where in this case, abuse amounts to just hammering on one memory address, which can, with distressing success cause adjacent memory bits to spontaneously flip from a zero to a one or a one to a zero.
(01:49:17):
This breaks all of the rules since there's nothing inherently wrong with reading one memory address over and over. So through the years we've seen this unwelcome consequence of too much data being stored in too little space, being very cleverly leveraged in many different ways to breach the protective hardware, enforced barriers, isolating virtual machines from each other, or imbuing unprivileged processes with full root kernel privilege. And now today we have another consequence of this aggressive hardware engineering. The observation that tiny variations in the manufacturing of today's DRAM chips allow them to be uniquely identified in the field, thus enabling indelible fingerprinting where previous RO hammer researchers needed to search physical DRAM to find a location whose bits could be flipped. These uc Davis researchers realized that identifying the exact location of such flipping and of which bits were flipped in which direction produced what could be used to uniquely and indelibly identify one specific piece of DRAM out of the multitude and that would never change throughout the service slice of that storage device.
(01:50:57):
So here's how they frame their accomplishment in somewhat greater detail. They said in this work we investigate a stronger threat model where a fingerprint aims to extract unique and stable fingerprints for devices with identical hardware and software configurations over extended periods of time. To this end, we aim to capture fundamental differences in the physical properties of the device's hardware as unique fingerprints. Our key insight is that a fingerprint may be able to extract fingerprints from inherent differences that arise as a result of minute process variations in the hardware CMOs manufacturing process. As users seldom modify their device hardware, these fingerprints remain stable as long as they account for differences resulting from process variation in the same hardware. While prior research has explored variations in, in internal clocks, GPUs and CPUs, we are the first to successfully leverage memory dram for fingerprinting.
(01:52:25):
You know, it's, I I was thinking about this remember back in the early days of hard drives where, where like the MFM drives came with a printout of where the defects had been located in the factory and you were supposed to enter those defects into the low level so that, so that those sectors would be marked bad from, from the start. Well back then no one was thinking about fingerprinting anything, but those defects were a fingerprint. Sure. There you for the drive. Yeah. Yes. Cuz you were never gonna have the same map on two different drives because they were the, they were physical surface blemishes that the manufacturing process was unable to, to like, not to have any of. So this is the same thing. These are, these are, these are defects that are not bad enough to disqualify the DRAM from use, but they are bad enough to uniquely identify a specific DRAM chip from all others.
(01:53:36):
So they said we leverage RO hammer to extract fingerprints by capturing the side effects of process variation in memory modules at a high level hammering a memory row. In other words, repeated read or write operations in a short time interval. Results in bit flips in adjacent memory rows. In this paper we show that the pattern of bit flips due to RO hammer can be leveraged to build a fingerprint. We also show that the pattern of RO hammer bit flips is sufficiently unique and stable to build a reliable fingerprint for the population of computing devices, billions of devices to build intuition. We visualized the distribution of bit flips produced by e executing RO hammer at the same locations on two identical DRAM modules at two different points in time. And the results looked promising. The distribution of bit flips was reasonably similar on the same DRAM modules at different points in time while being noticeably different across the pair of modules.
(01:54:57):
So that was our starting point. Centa is a practical row hammer based fingerprinting approach that exploits bit flip distributions to extract highly unique and stable fingerprints. Even among homogeneous devices with identical software and hardware configurations, meaning nothing else would allow them to be fingerprinted. They are essentially identical, but they're not using all the exact same DRAM chips. They're using their own DRAM chips over an extended period of time. Centa overcomes three main challenges that make it then practical for first the bit flips triggered by RO hammer are non-deterministic. In other words, hammering the same location does not flip the same set of bits. Thus a fingerprint has to account for this non-determinism to extract stable fingerprints. We identify certain practical scenarios that exacerbate this non-determinism, where comparing set similarity to match fingerprints fails, falls short. With centara, we hammer the same locations multiple times to extract a probability distribution of bit flips as fingerprints.
(01:56:31):
We then compare the divergence of these distributions that leads to better re-identification of devices even where there is a drastic difference in the specific set of bits flipped. In other words, they deal with the fact that they're actually dealing with frequency distributions as opposed to specific bits flipped. They said second fingerprints are constrained by the abstractions provided by the operating system to allocate memory. Right? Like, you know, virtual memory. The, the memory that an app sees is not the a, not the actual underlying physical memory due to the, the, the page tables that exist between. So they say these abstractions provide limited access to contiguous physical memory and hide information about their allocation on the DRAM without root privileges. These constraints prevent fingerprints from trivially tracking the location of bit flips to fingerprint devices. We use the insight from our measurement study that the distribution of bit flips in contiguous two megabyte chunks of memory is unique and persistent to overcome this challenge.
(01:57:52):
Armed with this insight, we sample enough two megabyte chunks to guarantee access to the same chunk for fingerprinting. And that is, I think, quite clever and a bit chilling since it means that this can actually be accomplished without privileges like by a web browser. Third memory modules implement mitigations against row hammer such as target row refresh, which we've talked about before. They said, while prior research has demonstrated ways to craft hammering patterns to bypass T r R, they provide limited insights towards operationalizing them to trigger bit flips at scale. Sonari systematically identifies effective patterns for at scale fingerprinting using rowhammer. We then evaluate sonari on a set of 98 dims across six sets of identical DRAM modules across two major DRAM manufacturers. Sonari produce a high entropy meaning many significant bits of fingerprinting precision, which you want if you're gonna identify a single device among billions.
(01:59:11):
And you know, if you got 32 bits of entropy, well we know that's 4.3 billion devices and they said so with high entropy with a highest fingerprint accuracy of 99.91% corresponding to a precision across that population of 98 dms of 100% precision and recall of 97.06%. Sonari also demonstrates high stability with daily experiments to extract fingerprints from the same devices over a period of 10 days without any degradation in fingerprint accuracy. Our experiments show that Sonari only suffers a minor loss in accuracy of 0.9% in presence of external factors that are not under the control of fingerprints. It might be something like temperature variation, for example, but affect the distribution of bit flips. So, oh, such as CPU frequency they said. We also investigate the trade off between the accuracy of cent's fingerprints against the efficiency of cent's approach. In terms of the time taken to extract fingerprints.
(02:00:31):
Centara is able to extract a fingerprint in as little as 9.92 seconds. So just shy of 10 seconds. As I mentioned before, reducing the overhead by more than 95.01% while degrading accuracy by just 0.64% and they finish. Therefore, our key contributions include they're four things practically extracting highly unique and stable fingerprints. Using RO hammer, we practically demonstrate sonari on the largest scale of DRAM modules in current literature. Second, handling non-deterministic bit flips. We handle non-deterministic bit flips by hammering the same memory chunks multiple times and using the divergence between probability distributions of bit flips to re-identify the same devices when they're seen a second time. Third, overcoming memory allocation constraints. We overcome memory allocation constraints by devising a novel sampling strategy. That that is the, that that two megabyte chunks that guarantees access to the same chunk of memory for fingerprinting. And finally, operat operationalizing bypass techniques for ro hammer mitigations.
(02:01:59):
We bypass row hammer mitigations, you know, like target row refresh by identifying effective hammering patterns that can trigger bit flips at scale. So their paper is 16 pages long and I just shared an edited down summary from about the first page and a half through the balance of their document, they proceed to explain in absolutely complete detail how they pulled this off and how anyone else could as well. And uhhuh and there's no mystery left anyone who is sufficiently skilled and motivated who wanted to implement an indelible tracker for anything that uses dram. And I'll just note that's everything now has all the information required to duplicate this technology. So Ro Hammer has struck again, you know, in a way it's ironic cuz the original RO hammer was not, was kind of non-trivial to implement, right? Right. You had to be pretty sophisticated. Is this this is easier to do.
(02:03:13):
Yeah. Yeah, you're right. Because, because the RO hammer depended on exact bit timing, flips timing. Yeah, yeah. In order to get what you wanted to change right Here they just look at, at at, at like big spread of what got flipped and go, okay, just remember that. So could you do this in JavaScript in a browser? Yes. Thanks for publishing that article. Yeah. Now everybody knows. Yeah. because they've been looking for indelible ways to fingerprint individuals for a long time. Yeah. I mean obviously cookies are no longer the way to do it and this is why the cookie banner just pisses the hell outta me because it's identifying something's not a threat when real, real threats like this exist. Yes. I mean this is, this is very straightforward it sounds like. Oh, well, yeah. It it's gonna end up, you know. Yeah.
(02:04:07):
it, it'll be implemented in wem because there you can do it at, at full speed, right. And it'll be a, a web wem module that websites load into your browser and run in order to see who you are. Oh, hi Steve. Good to see you. Good to see you again. Uhhuh. Yeah. You can block all the cookies you want, buddy. We don't care. Yeah. And in fact, when, when, when you think about it, we are, we've been thinking in terms of fingerprinting, browsers, but if you ran, if you ran someone's app in your machine, like in like Instagram desktop or, or some other app, oh, the app could also would, would obtain the same fingerprint. The machine is unique as Yeah. As Yeah. Not the browser. The machine is unique. Yeah, exactly. So it, so, so it's cross browser and cross app identification.
(02:05:02):
Nice. <laugh>. Yeah. Well, it's not that surprising. It's, it's great work. I mean, it's amazing that they thought of this and I love the analogy you used because now I I completely understand what they're doing, you know, that makes sense. Yeah. Mr. Gibson, as always Chef's kiss. This show is a regular listen for everybody who wants to know what's happening in the world of computing, especially in the world of security. You can listen to us or watch us do it live every Tuesday right after Mac Break Weekly. It should be around if, if all is going well. 1:30 PM Pacific, four 30 Eastern, 2030 utc. The live streams audio and video are at Live Twit tv. If you're watching Live chat with us, live at IRC twit tv or of course if you're in, if you're one of the privileged few in Club Twit, you could just go to the Discord and hang there behind the Velvet Rope.
(02:06:03):
You know, let me put a plugin for Club Twit. It's very it's inexpensive. It's seven bucks a month. You get a add free versions of this show and all the shows. We do special shows. We don't put out any other place like the Home Theater Geek Show with Scott Wilkinson. Handson Macintosh with Paul Tht HandsOn. I'm sorry. That's that's Micah, that's that one, isn't it? It's Paul Thot. Does HandsOn Windows. We're, we've got all, also we're gonna launch the AI show in the club. And the reason we do that is not cuz we want to keep everybody else out, but because the club pays for it. You know, launching a show is expensive, but, but that's where your seven bucks goes. That keeping the lights on, keeping the staff employed. We don't want to cancel any more shows. Revenues are going down.
(02:06:48):
We count on you, the listeners to support us. If you can't afford it, that's fine. This show will still be free ad supported. But if you can, it would make me feel very good if you would just go to twit tv slash club twit and sign up today after the fact. This show's available at our, our website, twit tv slash sn. We have audio and video. Steve also has it at his website, grc.com. And he has two unique formats. He has a 16 Kilobit audio, which is lower quality, but a smaller file size for the bandwidth impaired. He also has two transcripts. He commissions from Elaine. And she does such a great job. That's a great way to read along as you listen to the show or to search, et cetera, et cetera. All that's at grc.com. While you're there, pick up spin, right?
(02:07:33):
Version six is still current, but as you can see, we are getting really close to the re release of 6.1. If you buy today, you'll get six now and 6.1 the minute it comes out. It's Steve's bread and butter. It's great to support his work. You can see it is ongoing. Gr c.com, the world's best mass storage, maintenance and recovery utility. You can also get other stuff at Steve's site. There's a ton of stuff. It's a wonderful place to go. Just, you know, set aside an afternoon to browse around. Steve will take feedback there, grc.com/feedback, but he's also on Twitter at sg grc and his dms are open. If you wanna send him a picture of cyber camo or something like that. <Laugh> a picture of the week candidate, that kind of thing at SG grc. We will be back next Tuesday. No more holidays for a while. Thank you Steve Gibson. See you next time on Security. Now. A pleasure my friend. See you next week. Bye.
Mikah Sargent (02:08:35):
Oh, hey, that's a really nice iPhone you have there. You totally picked the right color. Hey, since you do use an iPhone and maybe use an iPad or an Apple Watch or an Apple tv, well you should check out iOS today. It's a show that I, Micah Sergeant and my co-host, Rosemary Orchard host every Tuesday right here on the Twit Network. It covers all things iOS, tv, os, HomePod, os, watch, os, iPad os. It's all the OSS that Apple has on offer. And we love to give you tips and tricks about making the most of those devices, checking out great apps and services and answering your tech questions. I hope. Check it out.