Security Now 932, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for security Now. Steve Gibson is here. Get ready. We're gonna talk about a lot of things that farewell to a hacker we know and love no longer with us. Sad to say. We'll also talk about Apple. They're saying you keep this up. We're leaving the uk And a proposal that Google says might eliminate the need for ad blockers. That and satellite and security are two all coming up next, security. Now. This episode is brought to you by Cisco Meraki. Without a cloud managed network, businesses inevitably fall behind. Experience, the ease and efficiency of Meraki's single platform to elevate the place where your employees and customers come together. Cisco Meraki maximizes uptime and minimizes loss to digitally transform your organization, Meraki's intuitive interface, increased connectivity and multi-site management. Keep your organization operating seamlessly and securely wherever your team is. Let's Cisco Meraki's 24 7. Available support. Help your organization's remote, onsite, and hybrid teams always do their best work. Visit meraki.cisco.com/tweet podcasts you love

Speaker 2 (00:01:19):
From people you trust. This is twit.

Leo Laporte (00:01:28):
This is security now with Steve Gibson. Episode 932 Recorded Tuesday, July 25th, 2023, satellite in security, part two. This episode of Security Now is brought to you by dda. Security professionals often undergo manual tasks of collecting evidence. With DDA companies can complete audits, monitor controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection and hello to automation. All done at DTA speed. Visit dta.com/twi to get a demo and 10% off implementation. And buy acci c i learning, help your team exceed its potential by giving them the entertaining and cutting edge training they deserve. Visit go dot aci learning.com/twi to fill out the form and get more information on a free two week training trial for your team. And by bit Warden. Get the open source password manager that can help you stay safe online. Get started with a free teams or enterprise plan trial, or get started for free across all devices forever as an individual user at bit warden.com/twit. It's time for security now, the show we cover your safety, your security, your privacy, and everything else online with this guy right here, Mr. Steve Gibson. Hi, Steve. And basically show you that you have

Steve Gibson (00:02:58):
None of the above. Yes. Despite all of the efforts.

Leo Laporte (00:03:02):
Yeah. Which you probably knew, so, which,

Steve Gibson (00:03:04):
Yeah. Yeah. And that makes it much more fun. And the reason that we're never gonna run out of things to talk about. That's true. We're gonna, we're gonna finish our two part episode today on the topic of satellite insecurity in our listener feedback section. It turns out we've got, I think I, I, when I, when I was first putting this together yesterday, one of our listeners identified himself as in the satellite security industry. And since then, I ran across another. So we've got some listeners who are saying, Hey this is great. But first we're gonna talk about what Apple recently had to say to the uk. Answer the question of what's Google's web enforcement integrity, I'm sorry, web environment integrity and why it's become so controversial. Who's the latest to express unhappiness over Google Analytics? What happy news did the UK deliver to iot security community?

(00:04:03):
And what has the US along those lines not done so far? Might you, our listener, be qualified listeners that we know how we have more than one be qualified to join the US' forthcoming expeditionary cyber force. What's the latest on ransomware attack payouts? And also on the, the latest on the massive move it maelstrom and who's the most recent major player to announce the adoption of pass keys? Once we have all the answers to those questions laid out, we're gonna spend some time with our faithful listeners, then wrap up, as I said this second part of our two-part, look at the current and unfortunately, quite distressing state of satellite insecurity. And it's it's gonna be fun because it's it follows the model of the development of security that we've been tracking now for the 18 plus years of the podcast. And we do have a great picture of the week thanks to another one of our listeners.

Leo Laporte (00:05:06):
And I have a, an update from Alan Melano, my Ss s d guy. Oh, remember we were talking last week about whether A, you should turn off the swap file on Windows and b, if you do have it on, whether you should ever have it on an S Ss D. And you know, for years, our recommendation was put it on the fastest drive you've got. In fact, it put it on the inner circle of the fastest drive you got. So you get the, the best performance on your S S D or your swap file. Alan says, Hey, Leo, you're both right. Yes, it does add wear. No, it's not enough to worry about asterisk, assuming you have sufficient DRAM to handle most tasks that are not constantly heavily swapping the disc, if you, you are.

Steve Gibson (00:05:46):
So it's not thrashing,

Leo Laporte (00:05:47):
Right? Yeah. If you are on a very memory constrained system, swap can quickly become most of the Ss s d rights. In extreme cases, it could wear a drive faster than its rating. He says, you want to come on a show with you two. And referee <laugh>.

Steve Gibson (00:06:01):
Thank you, Adam. Actually, I I, I, I did have one of our listeners compliment us on the fact that we had a discussion. We obviously had different positions and had a disagreement, but there was no puffery and no, no one got upset. We just sort of, you know, you said, this is what you think this, I said this what? Anyway, he said it was really refreshing. So,

Leo Laporte (00:06:21):
<Laugh>, you never hear that anymore, do you?

Steve Gibson (00:06:23):
These days? No. We've, it's it's all pretty polarized.

Leo Laporte (00:06:27):
Yeah. So you know, I mean, I personally, I I didn't, can you even still turn off the swap file on, on Windows? I mean, I'm surprised if they still,

Steve Gibson (00:06:36):
You. I have none. None of mine are on. They're all turned off.

Leo Laporte (00:06:38):
Can't do they work great. Can't do that. Okay. Yep. Now I am gonna tell you about our sponsor, and then we're gonna get into the meat of the show, especially. Hey, the most important part, the picture of the week. A picture of the week, absolutely. But first it's a word from Draha, our sponsor Draha has a question for you. Is your organization finding it difficult to collect manual evidence and achieve compliance as your organization grows and scales? As a leader in cloud compliance software by G two draha streamlines your SOC two, your I S O 27 0 0 1, your P C I D S S G D P R, HIPAA and other compliance frameworks, providing 24 hour continuous control monitoring. So you could focus on, you know, what you do best. And on scaling securely with a suite of more than 75 integrations, ADA easily integrates through applications like a W SS and Azure, GitHub, Okta, CloudFlare, and more countless security professionals from companies, including Lemonade and Notion and Bamboo hr have shared how crucial it has been to have Rada as a trusted partner in the compliance process.

(00:07:51):
You can expand your security assurance efforts using the Rada platform, which allows companies to see all of their controls and easily map them to compliance frameworks to gain immediate insight into framework overlap. ADA's automated dynamic policy templates, support companies new to compliance using integrated security awareness training programs and automated reminders to ensure smooth employee onboarding as the only player in the industry to build on a private database architecture, your data can never be accessed by anyone outside your organization. And of course, all customers receive a team of compliance experts, including a designated customer success manager. And ADA's team of former auditors has conducted more than 500 audits. Your ADA team keeps you on track to ensure there are no surprises and no barriers. Plus ADA's pre-audit calls prepare you for when your audits begin. ADA's Audit Hub is a solution to faster, more efficient audits.

(00:08:50):
You can save hours of back and forth communication, never misplace crucible evidence and share documentation instantly. All interactions and data gathering can occur in DDA between you and your auditor. So you won't have to switch between different tools or correspondence strategies. ADA's risk management solution, you can manage end-to-end risk assessment and treatment workflows, flag risks, score them, and then decide whether to accept, mitigate, transfer, or avoid them. ADA maps appropriate controls to risks simplifying risk management and automating the process. ADA's Trust Center provides real-time transparency into security and compliance posture, which improves sales, security reviews, and of course, better relationships with customers and partners. So, say goodbye to manual Evidence Collection and hello to Automated Compliance by using drta.com/twit d a t.com/twit dda, bringing automation to compliance at dda speed. Visit dda.com/twit today. And we thank DDA so much for their support of the show. Now, I think, Steve, you have a picture of the week for us.

Steve Gibson (00:10:08):
So this is a great one. I, I gave this one the caption why reading the manual is always a good idea, but it could also have the caption. There's more than one way to skin the cat. Imagine that you have a sort of an old school coffee pot, but you know, sort of re reminiscent of a teapot where, you know, it's got the main pot and then a sort of a a, a what? A a, a pouring spout. Spigot, you know, sort of like, like, like up and, and pointing out. Well, the traditional way of pouring coffee from that pot would be to pick it up by its handle and move it over to the cup and, and, you know, and tilt it until the coffee runs out of the spout. Right? Well, this picture demonstrates the alternative means of pouring yourself a cup of coffee.

(00:11:00):
Or what happens if you're trying to figure this out and you haven't read the manual which is <laugh>. We have a guy blowing, he's got his whole mouth over the top, the, the, the open top of the, of the coffee pot. He's blowing really hard down into the coffee, which of course forces the coffee up the spout and through a parabolic arc in the air landing in the coffee cup. And, you know, in this era, this day and age of, of Photoshopping and fake pictures and things, you wonder, did this really happen? The coffee landing in the cup looks kind of real. His, he does have his eyes focused where he's aiming where they should be. He's aiming, yeah. <Laugh>. Yeah. He's like having to, 'cause you have to, he has, he's gotta meter his blow in order to get the velocity correct, or he is gonna overshoot or undershoot.

(00:11:59):
I, I'm sure this was not the first take of this particular operation. Anyway, if this is real, I salute him. Congratulations. And of course he's gonna have a mess because as he stops blowing, then all the coffee that's in flight is going to, you know, oh, it's a mess. End up being a mess. But if this was, this was an actual photo stop, action caught, you know, midstream. Congratulations. Definitely a great candidate for our picture of the week. Well, and actually it made it into the picture of the week. So and boy, Leo, I've got some other ones, some good ones coming. So I had to share a bit of sad news, uhoh with our listeners. You already know the wider world received the news at the end of last week that the famous and long since Reformed hacker, Kevin Mitnick, had quietly passed away the previous Sunday on July 16th, which was just three weeks shy of Kevin's 60th birthday. He had been fighting pancreatic cancer for more than a year. And he left, unfortunately behind his wife, an unborn baby. So I know that Leo, you were good friends with Kevin. He was on the back in the tech TV days, the screensavers a number of times, often with Wozniak, who was also a, a friend of Kevin's.

Leo Laporte (00:13:26):
And yeah, we have played on Sunday on Twi. I guess that's why, you know, that I know I played a little clip from the screensavers where we had Kevin come on. After eight years he'd been banned from using the internet because of his conviction and his jail time and his probation had ended, and he came on the screensavers to use the internet for the first time. So we brought in Emmanuel Goldstein from the 2,600 magazine, famed hacker. He was the devil on on Kevin's left shoulder. And Steve Wozniak, the angel on his right shoulder as Steve, by the way, brought him a brand new MacBook to use for

Steve Gibson (00:14:01):
Yeah, yeah. Power Book. Yeah.

Leo Laporte (00:14:03):
Very, very nice of him. And and so you can see that it's on YouTube if you search for Kevin Mitnick and the Screensavers.

Steve Gibson (00:14:11):
And, and it had a great cartoon as Woz had had one of the artists at, at Apple draw a neat cartoon where it, it showed the, the, the power book on a, on on, on a table just out of reach from, from Kevin who was behind bars trying to like, poke at it and, and reach it with a stick or a cane or something from, from inside his cell. So funny. Yeah, it was,

Leo Laporte (00:14:35):
It was really, he wasn't allowed to use anything, you know, not just a computer, but a, a smartphone of any kind. And

Steve Gibson (00:14:42):
Well, you know, Leo, he could have taken over the world Yeah. If he had a smartphone from, from his cell. So I don't

Leo Laporte (00:14:46):
Know if he was joking, but he said he couldn't even use an electronic toilet. I don't know if that was a joke or serious, but <laugh> Wow. Yeah, they, well, you know, it's, it was a federal crime. Yeah. I think you know, there was some agreement that he was perhaps over punished and over prosecuted for a relatively mono crime. But anyway, he was freed well, and it's sad to, to see his, you know, finally having a family after all that time yeah. To miss out on that is, is very tragic. He was a really sweet guy. I really liked Kevin.

Steve Gibson (00:15:17):
Yeah. So last Thursday, B B C News carried a story under the headline, apple Slams UK Surveillance Bill Proposals <laugh>, but the first line of their piece was a showstopper. It read, apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new proposals are made law and enacted. So, okay, I mean, we've sort of been waiting to hear from Apple, right? We've heard from Signal and we've heard from WhatsApp. So as we know, since we've been tracking this super engaging struggle between the commercial forces who want to enforce absolute privacy, and those in the governments who are wishing to make privacy conditional, the UK is seeking to update their invest, and I can't say this word, investigatory Powers Act, the I P A, which was originally created in 2016. So now, you know, seven years later, they want to update it.

(00:16:20):
It wants to require messaging services to clear their security features with the UK's home office before releasing them to customers. The act also lets the home office demand that security features are disabled without telling the public. And under this forthcoming update this would have to be immediate upon the home office's demand. So, WhatsApp Signal, and all of the others have previously expressed their strongest possible opposition to this with signal making, what has been, you know, up to now the strongest public statement stating that they will simply walk as they put it from the uk. Now, you know, apple has clearly been in opposition to this too, but until now, it hasn't drawn any such sharp line in the sand. But that's what just happened. The UK government has just opened an eight week long con, what they called a consultation on the proposed amendments to the I p A, the government's claiming that they are not seeking to create new powers, unquote, but only to make the act more relevant to the current technology, Uhhuh <affirmative>.

(00:17:35):
So Apple has submitted its formal nine page response to this now open consultation period. Apple formally opposes three things, having to tell the home office of any changes to product security features before they're released. The requirement for non-UK based companies to comply with changes that would affect their product globally, such as providing a backdoor to end-to-end encryption and having to take action immediately if a notice to disable or block a feature is received from the home office, rather than waiting until after the demand has been reviewed or appealed, which is the way things are today, apple says three things. It would not make changes to security features specifically for one country that would weaken a product for all of its users. Second, some changes would require reissuing a software update, so could not be made secretly. And third, the proposals quote, constitute a serious and direct threat to data security and information privacy unquote, that would affect people outside the uk.

(00:18:50):
And, you know, remember that what the governments with the various governments here are asking for is not simply the ability for these various encrypted services to respond to targeted court ordered surveillance. You know, that's an entirely different ask. What the governments are seeking now is universal surveillance of all communications of all kinds for all of their citizens. And, you know, it's hard to argue that that's not new. You know, that's not an update to anything that exists today. The B B C in their report quoted a cybersecurity expert, professor Alan Woodward from Surrey University, who said that technology companies are, quote, unlikely to accept the proposals in an understatement. He said, quote, there is a degree of arrogance and ignorance from the government if they believe some of the larger tech companies will comply with the new requirements without a major fight. And I think that Signal and Apple have been quite clear that they have no interest in or need to fight in order to avoid breaking any newly enacted legislation.

(00:20:03):
They'll simply pull their services from those regions, which enact laws that seek to violate the privacy of their users, period, you know, fight over, you know, nothing to fight about. Then we'll see what the voters in those areas think of the fact that their government has essentially denied them these services, which they have been having and enjoying with no problem. And now apparently they can't any longer. And we'll also see how the bureaucrats, law enforcement and intelligence services, like not having any secure messaging services available for them in support of their own needs for privacy. You know, what's good for the goose. So the home office told the B B C that the Investigatory Powers Act was designed to quote, protect the public from criminals, child sex abusers and terrorists. You know, that's obviously an honorable goal, but the price for doing so, you know, is just too high at least using this technology.

(00:21:04):
So anyway, the, you know, we've been following this fascinating evolution. And it, you know, it is interesting that, you know, here, this professor says, oh, you know, the government's ignorant. They think they can do this. Well, you know, governments create laws, right? And so, you know, they could create any law what that they want to, but no one's forcing Apple to do something it doesn't want to do. So it'll be interesting to see if, you know, does the UK back down when they realize that you know, these, these companies are serious? Or is it gonna take a, a period of not having these services available? And then what <laugh> anyway, really, really interesting. Okay, four Google engineers have put forth a proposal unofficially that immediately generated a huge backlash across the web developer community, despite the fact, and in some cases, perhaps due to the fact that this proposal was dropped on GitHub as one of the engineer's personal projects, not from Google, officially, many Google skeptics see this as Google's sort of backdoored means of sliding this quietly into the stream, you know?

(00:22:27):
Well, but if that's what it was, it didn't work because it quickly hit everyone's radar. The developer's termed this proposal, this basically at a web standards proposal, web environment integrity. Well the industry, however, quickly slapped it with the term web d r m and noted that it would instantly provide a means for websites to refuse to offer their content to any browser running an ad blocker or to disable ad blockers remotely. And given that Google's revenue stream is largely advertising the fact that this new web standard was proposed sort of off the books by four web developers who all just happened to be employed by Google, well, one could be forgiven for questioning or at least wondering about the true motives behind this. And, and essentially it does indeed amount to web D R M A means for enforcing the display of exactly what any website wishes to, to be displayed by empowering websites to selectively remove all user freedom at their web client end to alter the website's display in any way the website chooses.

(00:23:52):
Now, okay, this is not to say that there could not also be true significant upside user benefits. For example, allowing a banking website to rigorously controlled what, if any, third party extensions are enabled when a user visits their site, you know, essentially locking the web browser client in order to enhance the visit security. Well, you could see that could be a good thing, but it's equally obvious that taking this control away from users could be abused, excuse me, by allowing any website to decide on behalf of their visitors what browser environments are acceptable. Okay? The engineer authors start off their description of web environment integrity. By explaining, they said, users often depend on websites, trusting the client environment they run in this trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it.

(00:25:14):
This trust is the backbone of the open internet critical for the safety of user data and for the sustainability of uhhuh the website's business. Some examples of scenarios where users depend on client trust include, and they give us four users. They say like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads rather than bots. This creates a need for human users to prove to websites that they're human sometimes through tasks like challenges or logins. Okay? Second, users want to know they're interacting with real people on social websites, but bad actors often wanna promote posts with fake engagement, for example, to promote products or make a news story seem more important. Websites can only show users what content is popular with real people.

(00:26:22):
If websites are able to know the difference between a trusted and untrusted environment. Third users playing a game on a website, wanna know whether other players are using software that enforces the game's rules. And finally, users sometime get tricked into installing malicious software that imitates software like their banking apps to steal from those users. The bank's internet interface could protect those users if it could establish that the requests it's getting actually come from the banks or other trustworthy software. So, you know, yes, there are undoubtedly some valid use cases, but this is a, this is a problem too. You know, whether or not this proposal ever advances past the controversy created by its appearance. You know, it points to attention that appears to be developing, should websites be able to reach across the internet and exert full control over the experiences of their visitors. When we run a native app on our local computer, we have very limited control over what it does and how it works.

(00:27:40):
You know, we can launch it and terminate it, but that's about it. It's not difficult to imagine that many websites would like to enforce that same level of control. Anyway, I put a link in the show notes for anyone who might be interested in digging deeper into this specific proposal, because this thing may just be, you know, immediately shot down like a Chinese weather balloon. It's probably not worth going any further. Will you know, if it ends up taking hold, we'll certainly be giving it a much deeper look. I mean, it, I, I looked at this spec. It, it uses protocols related to web auth n So it's reusing some of that. It uses public key crypto and this notion of, of something attesting to the, the state of the client at the user's end in order to essentially, you know, provide web d r m. And, you know it, it was interesting to me that Google said, yeah, you know, websites that have ads are going to, you know, they need the advertisers to know that real people are looking at them. And I'm thinking, Uhhuh. And those websites also need visitors not to be able to blind themselves willingly by using an ad blocker. So both sides to that argument.

(00:29:07):
We've noted a number of times that various EU countries have been complaining and have even now taken to suing organizations within their own borders who are continuing to use Google Analytics, which they state potentially transfers private identifiable data outside of their borders. But now this concern has come home to roost with a letter that the Federal Trade Commission, you know, our F T C and the US Department of Health and Human Services h h s, have sent to 130 hospital systems and telehealth providers warning them about their obligations to protect their client's personal health information. So, listen to this. They wrote The Office of Civil Rights at the U US Department of Health and Human Services and the Federal Trade Commission are writing to draw your attention. And this was sent to 130 hospital systems to draw your attention to serious privacy and security risks related to the use of online tracking technologies that may be present on your website or mobile application.

(00:30:23):
And imper impermissibly disclosing consumers sensitive personal health information to third parties. Recent research news reports, F T C enforcement actions and an O C R bulletin have highlighted risks and concerns about the use of technologies such as the meta slash slash Facebook pixel and Google Analytics that can track a user's online activities. These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users. Impermissible disclosures of an individual's personal health information to third parties may result in a wide range of harms to an individual or others. Such disclosures can reveal sensitive information, including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, where an individual seeks medical treatment and more. In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination stigma, mental anguish, and or other series negative consequences to the reputation, health or physical safety of the individual, or to others.

(00:31:53):
Health insurance Portability and Accountability Act of 1996, reminding us of hipaa, H I P P A. If you are a covered entity or business associate under hipaa, you must comply with the HIPAA privacy, security, and breach notification rules with regard to protected health information, which is transmitted or maintained in electronic or any other form or medium. The HIPAA rules apply when the information at a regulated entity collects through tracking technologies or discloses to third parties in, for example, tracking technology vendors includes p h i personal health information. HIPAA regulated entities are not permitted to use tracking technologies in a matter that would, in a manner that would result in impermissible disclosures of P H I to third parties or other violations of the HIPAA rules OCR December, 2022 Bulletin about the use of online tracking technologies by HIPAA regulated entities provides a general overview of how the HIPAA rules apply.

(00:33:05):
This bulletin discusses what tracking technologies are and reminds regulated entities of their obligations to comply with the HIPAA rules when using tracking technologies. To the extent you are using the tracking technologies described in this letter, meaning, you know, meta Facebook Pixel, and Google Analytics on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security in security of individuals health information. So, yeah, while this is not the same as the, you know, thou shall not use commandment that EU countries are issuing to their own local entities. Google has been anodizing for the past 17 years, now since 2005. And only now does it appear that people are beginning to say Hey, hold on here a second. And, you know, just looking at what happens, you know, under the hood of these tracking technologies.

(00:34:25):
Leo, I know that you've, you've covered this. I thought this was interesting. At least the, the US side of this the European Union has just approved a draft version of what they are calling their Cyber Resilience Act. It's a set of new cybersecurity related rules for I O T devices. The ACT passed the eus Industry Research and Energy Committee with 61 votes in favor won against and 10 abstentions. Under the new regulations, vendors must get this, vendors must ensure their products meet a certain set of criteria before being sold in the Eurozone. Products will have to come with automatic security updates as the default option. Yay, must ensure data confidentiality using encryption, and vendors must inform authorities of any attacks. And the new rules are expected to enter into effect by next year. This is great news for the consumer overall, since any product sold globally, which include the Eurozone would need to be in compliance. So for example, US consumers would reap the benefits as well. And in this case, the EU is ahead of the US since all we have managed to get done here so far is to design an attractive shield emblem that will be placed on any devices <laugh> that, that are compliant with a set of standards that don't yet exist <laugh>. But hey, at least we have a pretty looking emblem shield. Yes.

Leo Laporte (00:36:14):
I, I liken that to shipping the T-shirt before you have the product

Steve Gibson (00:36:18):
<Laugh>. Yeah. Look what it, look how pretty this is gonna be. We don't know what it means yet. We don't know what you're gonna have to do to get one, but don't you want it?

Leo Laporte (00:36:28):
Yeah,

Steve Gibson (00:36:30):
Leo, let's take a break.

Leo Laporte (00:36:31):
All right. We did talk about it on twig. 'cause Stacy, as you know, is an iot guru. And the NIST guidelines you know, are accurate, are good. And if they follow those NIST guidelines, I guess it'll, you know, including the thing you and I both care about probably the most, which is o over the year updates, firmware updates of your IOT devices.

Steve Gibson (00:36:51):
We, yes, in fact I don't think I talked about it on the podcast, but the Zeel routers mm-hmm. <Affirmative> had a problem in April and they're now all being commandeered into a botnet. Yeah. 'cause you know, sorry about that.

Leo Laporte (00:37:05):
Right? Can't update 'em. Nope. Yep. And so that's a, that's a big problem. Not just for you as a user, but for the internet as a community. Let's talk about our find sponsor, A E C I learning, and then we will continue on with Steve and his, his litany of security woes as I like to think of it. Our show <laugh>, our show today brought to you by, and you might say, well, who is this a c i learning when they're at home? You know them because it's IT pro. And now they're even better than ever. In today's world, IT talent shortages are a big deal. In fact, it means it's more important that your skills are up to date than ever before. 94%, almost all CISOs and CIOs agree, attracting and retaining cybersecurity talent is increasingly critical to their roles. Those jobs are out there.

(00:37:59):
You wanna keep your current job, you wanna get promoted, you want to get a new job, you a c i Learning is your pal. They help you. And if you've got an IT team, they help your team invest in the security of your business. They a c I learning now has more than I think when we, the last IT Pro ad we did, they said they have 5,800 hours of on-demand training. It's now more than 7,000 hours. And it's up to date, by the way. 'cause They have seven studios running all day Monday through Friday, creating new content. 'cause The tests change. The, the products change. The rules change. And so they gotta keep up to date. They had new episodes every day. And you will love a c i learning's content. In fact, we know people do 'cause it has a 50% higher completion rate than other training videos.

(00:38:50):
People just enjoy the engaging training, partly 'cause they're learning. I mean, that's job one, right? They're informative, but partly 'cause it's intriguing. And the instructors have a passion for the subject, which communicates right through a c i Learning has now partnered with the best in the industry. They've added insights, which is their new skills gap analysis tool. This is interesting. It'll give you the assurance that you're getting what you thought you were getting when you paid for the training. For instance, 87% of companies have identified skills gaps. Their IT team knows this, but don't know that the times have changed. They need to know more about that. Insights is here to revolutionize the way businesses retain, train, and engage employees. It's a very easy to use assessment tool. It lets you clearly see and take action on your team's strengths and weaknesses to future proof your business.

(00:39:43):
The team analysis dashboard allows managers to monitor progress. So you know what training you need to assign, how to develop talent. You've got somebody who's good at this, Hey, I think they'd be great at cybersecurity. Let's, let's advance them up. It offers global industry data to assess how your team stacks up against its peers insights. It'll take into account various factors, job roles, functional areas, emerging technologies to give you, this is such a useful tool, a comprehensive assessment of the skills needed for success in today's rapidly evolving professional cybersecurity landscape. You'll feel much better knowing that your team is learning the right thing at the right time. And hey, maybe you'll do it. And they, and, and insights will say, Hey, they know everything they need to know. Seems unlikely, but maybe <laugh>, but it's just good to to know, right? Check out. A c I Learning has this new cyber skills solution too.

(00:40:36):
This is great. An entertaining, effective, and engaging cybersecurity training tool. Not for the IT department, but for other members of your organization. Non-IT professionals. Actually, the IT department can do it too. It depends on their job roles. The idea is to boost enterprise cybersecurity confidence. So it's flexible training covers everything that we talk about on this show. Everything you wish your employees knew, things like password security, phishing scams, how to avoid them, how to identify them. Malware prevention, network safety. You'll gain access to additional objective specific courses that'll help them understand this stuff, including fun stuff, anime content and documentary style episodes featuring acis subject matter experts. Fun way to learn the stuff your all your employees need to know to protect your business. Look, these are the training solutions your business has been waiting for. Future proof, your team and your business with insights and cyber skills, brand new from a c i learning.

(00:41:37):
I just love it. How they're really keeping up on, on the latest in all of this stuff. Helping you be more prepared. Learn more about ACI learnings, premium training options, and that new insights tool. It's at the website. Go dot aci learning.com/twit. And by the way, for teams from two to a thousand volume discounts, start at just five seats. And they can be big, big, hefty discounts depending on the size of your team. Of course, go dot aci learning.com/twit. Look, just fill out the form, get more information, and you can do a free two week trial for your team. That's enough for them to take one course. I think if they, if they go at it. And I think that's a really great way to see how much they enjoy it, how good this stuff really is. Go. I know once you see it, you're gonna want to go dot aci learning.com/twit. We thank 'em so much for their supportive security. Now, as, as it pro has been for a decade, a supporter of this show. It's really great. Steve, let's go more to, more to do here.

Steve Gibson (00:42:40):
So we know you listened to the podcast, so you already have some qualifications. Do you like to travel? See far away places? Yes. And wonder what the people there are saying. Yes. Enjoy wearing ridiculous camo. What, when sitting in front of a computer? <Laugh>? Well, you may be just what the US is looking for. Lieutenant General Timothy haw the nominee to become the next head of the N S A and Cybercom has pledged to create expeditionary cyber forces. Oh dear. That can be, that can be deployed into far off lands to reach important tactical targets in forward locations. So get ready to pack up your laptop and head out <laugh>.

Leo Laporte (00:43:27):
Wow. Wow. Yep. See the world.

Steve Gibson (00:43:31):
We're not gonna, we're not sitting in some bunker in Colorado anymore. No, no, no, no. We're going to update our T s A passport and and drive. See the world and wonder what they're saying when you get

Leo Laporte (00:43:43):
There. Wow. That's hysterical. Yeah.

Steve Gibson (00:43:45):
Yeah. I mean, it's true. Expeditionary cyber forces. So fun. Okay. So I have it in the show notes. A chart showing from the beginning that this started being measured in 2019 to now the percentage of ransomware payouts that have been made per attack. Like based on the number of attacks. It depicts happily, a more or less steady drop in the percentage of ransomware attacks, which actually result in cash being paid. When ware began tracking ransom payment rates at the start of 20 19, 80 5% of ransomware attacks resulted in payments. Today, that number has hit an all time low of just 34%. Ware's. report, which was just published on Friday, was titled Ransomware monetization rates fall to record low despite jump in average ransom payment. So, you know, the news is not all good, but it's great that today only one out of every three attacks results in payment.

(00:45:02):
It sure beats 85% from four years ago. The first three sentences of their report reads in the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects that we've noted previously of companies continuing to invest in security continuity assets and meaning. You know, you're not put outta business completely when your, when, when your machines are encrypted. Continuity assets and incident response training, despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy continue to evolve their attack and extortion tactics. Still good news down to one out of three. So, you know, hopefully that cools things down a little bit because, you know, 84% guarantee of payment that was, that would've been much harder to resist than one third when there's also, you know, a non-zero chance of of the bad, of, of the good guys catching the bad guys, which we've seen a number of times.

(00:46:13):
In an update on the MoveIt mess EMS aof reports that the total number of confirmed victims of the progress software move it transfer SQL injection attacks has now passed 380. And Cove Ware expects that the Russian LOP gang behind the attacks will receive somewhere between 75 and $100 million in total. So unfortunately it was a worthwhile attack for those guys to launch. Yeah. And there's the, they're on the screen is the, is the, the gradual, you know, pretty much, it's not a straight line, it's a wavy line, but it's, you know, from 2019 it's been heading downward. That's good. Ba ba basically, I think four years ago everybody got caught with their servers down. And it was 85% payouts. Yes. In the, in 2019. Wow. It was almost a, almost a guaranteed payout. If, if, you know, if your company got zapped with ransomware, it was like, oh crap. You know, send them some money. We need our data back. Yeah. You know, and now down to one out of three. That's good. That's good. That's great progress. Yeah. the latest major player to be adding support for passkey, would you believe

Leo Laporte (00:47:36):
Tiktok? All right.

Steve Gibson (00:47:38):
Yay. They said they, they, they said we'll begin rolling out passkey for iOS in certain regions. And I thought it was interesting that they didn't, and they didn't list the us. They said, starting with Asia, Africa, Australia, and South America beginning this month. And they said, and anticipate expanding the other geographies and operating systems over time. And they also noted that they become a member of the TikTok, I mean, of the Fido Alliance. And Leo, I, I was watching something the other day some talking head show that was, oh, it, it was in regards to the to, to the strike the, the Hollywood actors and, and screenwriters strikes TikTok has equal revenue to like the big streaming services. It's massive.

Leo Laporte (00:48:23):
Oh yeah. Oh yeah.

Steve Gibson (00:48:24):
I hadn't, no. And this is like, you know, Henry doing his cooking videos? Yeah,

Leo Laporte (00:48:28):
Yeah.

Steve Gibson (00:48:29):
It's astonishing.

Leo Laporte (00:48:30):
Don't knock it. He's got pretty good income himself. <Laugh> <laugh>. I'm happy he is paying his own way. Yeah. He's got, he's like two. And I asked him the other day, 'cause I saw him, he was making a chicken cordone blow sandwich and <laugh>,

Steve Gibson (00:48:44):
As one

Leo Laporte (00:48:44):
Does, as one does. I said, where'd you get the ideas for this? He said, I just make them up <laugh>. And I asked him, he said, TikTok, you know, he has more than 2 million. I think it's two point something million, 2.2 million followers on TikTok. He said, yeah, but it's not my my primary platform anymore. Instagram's kind of taken over and he really wants YouTube shorts and YouTube to be his place. 'cause The payouts are better. That's the difference. Ah, that's the difference, you know? Yep. YouTube's making money, but they keep it <laugh>. That's the problem.

Steve Gibson (00:49:15):
Wow. And it's like, what is it? It's like $800 billion or something. I mean, it was like, yeah. A it was like, and and it was, it was in a chart showing Netflix and Hulu and Yeah. But

Leo Laporte (00:49:25):
You know what? The content on TikTok is much more compelling and people spend more time watching it, not you and me we're old.

Steve Gibson (00:49:33):
I don't even Yeah,

Leo Laporte (00:49:34):
Yeah. Younger people never seen people. Tiktok people spend a lot of time scrolling and you know, you got the eyeballs is a great place. Plus you can put more ads in. You can't put ads in Netflix. Or you can, but no, you can't put,

Steve Gibson (00:49:46):
Remember having, remember when we had that much time, Leo?

Leo Laporte (00:49:49):
Ah, those were the days <laugh>.

Steve Gibson (00:49:53):
Okay. So we got some feedback from our listeners. Alan e said, I agree that I would never save two factor authentication seeds in my password manager, but it may be the least bad option for protecting shared business accounts on social media accounts in some cases. And so I just wanted to say, I didn't intend to suggest that there was no justifiable use case for having a password manager store time-based token secrets. The question was just a perfect opportunity to highlight and about a, a beautiful example of the inherent tradeoff that which exists between user convenience and security. And to that end, Steven Haver, he said re bit Warden, T O T P. He said, it's actually it huge increase in security for people who otherwise can't be bothered to turn on two factor authentication, which can't argue against that. He says it's also extremely useful with shared logins that are shared with multiple people, people via a bit Warden organization mode account.

(00:51:08):
He said, but for more tech savvy people, I understand why you would want the greater compartmentalization. He said, I run a hybrid approach where my less important he has in air quotes, t o TTPs are in bid warden. The more important ones are in O T P auth, as are all of mine, he said, and the most important ones are web often on, you know, meaning pass keys on my security keys. He said, in a way, T O T P seems like a dying format for those who already use a security key as Fido slash U two F slash web often become available on more and and more sites. And you know, now soon TikTok. Whereas he said once there were 40 secrets in my O T P auth, now I'm down to just a handful. He says, thanks for a great podcast and super excited to take 6.1 out for a spin soon signed, Steven.

(00:52:13):
So thank you, Steven. And of course, I agree with everything Steven has just said, and he, and with his hybrid approach, which makes sense. I suspect that for most people, you know, just using Bit Warden will be the way to go. But again, my point was to use this more of an, as an example of the, the nature of the, you know, always the trade off that exists between convenience and security. You know, super long password, way more secure, way less convenient. So, you know, you need some way to manage that. SS is Custom Palace, I'm sorry if I butchered your name, but I tried he said he wrote, Hey Steve how exactly is Threads blocking Europeans using VPNs? He said, I thought that the idea of A V P N was that they cannot tell where you're located. Are they blacklisting ipss of the popular third party VPNs?

(00:53:13):
What about self-hosted ones? Okay, so that question has multiple parts. The first part is that there are, there are two ends to every connection and every end inherently knows the address and therefore the rough location of the other end of a connection. So when someone in the EU connects to meta, directly, meta gets their IP address and can choose to refuse it the clearest way to visualize what A V P N does is to see it as two connections. The user's connection to the V P N service and the V P N services connection to the destination. So when a customer's connecting through A V P N meta doesn't see the customer's IP and their rough location Meta's being connected to by the V P N, so that's the only IP N location that meta sees. This brings us to the second part of, of, of Sakas question, which is, are they blacklisting ips of popular third party VPNs?

(00:54:23):
And the answer to that is probably yes. That's certainly one way to do what they are doing. It might also be that in the interest of preserving their users' privacy, VPNs might be deliberately stripping out some user tagging information that a user's web browser would normally provide. So Meta might either and or be detecting the presence of a middleman in the connection through the means of the metadata in their requests. But either way, meta can simply decide not to honor indirect connections through VPNs specifically because they can be used to mask the user's true location. And finally, as for self-hosting VPNs, the question would be where the VPN's traffic would emerge onto the internet. Self-Hosting sort of suggests that the endpoint is still located local to the user, but then its IP would be geo-located and blocked. So it would be necessary to self-host A V P N in such a way that the VPN's traffic emerged onto the internet from a non blocked region.

(00:55:39):
You know, that might be doable, for example, by spinning up an a w s or Azure Cloud instance. But that seems like a lot of trouble to go through just to obtain foreign access to threads whose popularity, by the way, appears to have collapsed overnight. And on Leo, on on Sunday's Twitch show, you and your two guests talked about the collapse of Threads traffic. One of the guests noted how Easy Meta had made it for Instagram users to join threads. You know, even I joined Threads because Yeah, I have a sta I have a stagnant Instagram account, you know, and I wanted to grab my handle just in case Threads might amount to something someday. Are you at SS

Leo Laporte (00:56:22):
G G R C on threads?

Steve Gibson (00:56:24):
I, that's exactly me. Okay.

Leo Laporte (00:56:26):
Yep.

Steve Gibson (00:56:27):
All right. But, you know, I also wanted to note that thread's apparent overnight success was always entirely illusory because when it's made that easy to join, joining doesn't actually mean anything.

Leo Laporte (00:56:42):
Right. That's true. You know? Yeah.

Steve Gibson (00:56:44):
It, you know, it's reminiscent of the news web, the, the, the, the news website paywall model. You know, remember that originally all sites were free and ad supported. Then some of them thought, Hey, look at all the traffic we have. Let's charge a little bit of money for people coming. And mostly people said, wait, what? You want actual money? I think I'll, you know, I'll find the same news elsewhere. Thanks very much. So it's gonna be very interesting, I think, to see how, over the long term, how Meta's Threads does. And that's really the only metric that matters. Well, I can't, I, of

Leo Laporte (00:57:24):
Course, Elon gave it a nice big boost over the weekend, <laugh> by changing the name of Twitter to X.

Steve Gibson (00:57:30):
Oh. And you know, who has the trademark?

Leo Laporte (00:57:34):
Microsoft has one. There are many.

Steve Gibson (00:57:37):
Yes. And maybe, maybe it will be dilution, but Meta also owns a trademark. Yeah. Which is very, I mean, it looks exactly like same x close enough. And, and, and, you know the, the, as as we know for a trademark, it is, the test is whether a user might reasonably be confused by someone's conflicting use of a register trademark.

Leo Laporte (00:58:03):
And by the way, this is why I'm very glad that Twitter is no longer Twitter and Elon is no longer

Steve Gibson (00:58:11):
That's a good point. Twitter,

Leo Laporte (00:58:14):
We had words, we had a little, we had some words with them back in the day.

Steve Gibson (00:58:18):
<Laugh>, I remember back in the early

Leo Laporte (00:58:20):
Days. And I'm very, I'm very pleased that they're now x and I will not start a podcast network called X <laugh>. It's not a great name if you ask me.

Steve Gibson (00:58:29):
And he can't, he can't have or get x.com can he?

Leo Laporte (00:58:33):
He has x.com? Yes, he

Steve Gibson (00:58:35):
Does.

Leo Laporte (00:58:35):
He's had that since day one. So the story is hysterical. Interesting. I mean, he tried to rename pa interesting when he, so PayPal before it was PayPal was x.com. He's had it since then. Oh. And the story is Peter Thiel and Sam Levsin, his co-founders fired Elon. 'cause He wanted to re, he wanted to use X as the name for PayPal. And they said, no, we're gonna call it PayPal <laugh>. And so that was when he left PayPal. And he took his money with him and of course started a few other things since then. He, like

Steve Gibson (00:59:08):
X and I'll note, PayPal has done, PayPal has done just fine since Elon left.

Leo Laporte (00:59:13):
Oh, yeah. Yeah. He was apparently difficult. But one of his kids is named X, you know, X is part of the name, but he likes that letter for unknown. 'cause He's, you know, why? 'cause He's nuts. <Laugh>.

Steve Gibson (00:59:29):
Well, I would argue that Twitter does need some competition. I mean, it's like some real competition and there's a lot thread. I can't think of any better threads. There's

Leo Laporte (00:59:38):
Blue sky, there's of course Mastodon. There's a lot of good choices. Yep. The problem is they're fragmenting the overall space, I have to say. Right. Because it's meta a lot of brands a lot of politicians, a lot of newsmakers are all on threads. So that may be just how they win is just, that's where everybody went. Right.

Steve Gibson (00:59:57):
And if, if Meta could actually deliver on some of the challenges that this kind of platform inherently has, you know, which, which Twitter was str admittedly struggling with. But, but, you know, honestly, apparently working to fix or like, you know, at least mitigate Right. You know, having a sane platform. I mean, I've, I've listened to so many people who, who are disappointed in what Twitter has become because it used to be a place they could quickly go to get news, and it's just not that anymore. Yeah.

Leo Laporte (01:00:30):
Yeah. So we

Steve Gibson (01:00:31):
Need, I don't, I think, think

Leo Laporte (01:00:32):
It's good to have something that like that in the world. What

Steve Gibson (01:00:36):
Do you think? Yes. It's a real need. Yeah. It's an ab it's an absolute need. Yeah. Matthew and Eck, he said, hi Steve. I'm looking into getting some wireless keyboards for the office. And I was concerned about the security. I'm glad of the connection between the keyboard and the dongle. He says, not Bluetooth one, like the Logitech K 400 plus. He said, have you found any info on this? And if man in the middle attacks are a problem for these kinds of devices, what about the security of Bluetooth keyboards? Are they any better? Okay, so that's a

Leo Laporte (01:01:11):
Great question. Since I just bought a Bluetooth keyboard. Tell me <laugh>, I'm

Steve Gibson (01:01:14):
Glad you did. And that's what my wife is using and I'm gonna explain why. Oh good. You are both using those. Oh, good. Many years ago we talked about the very early widely available wireless keyboards, which claimed to be offering encryption. But we had some fun at the time. Yes. Because the encryption turned out to amount to nothing more than X oring the bite that the keyboard sent with a static value. You know, literally it was an Xor mask, which would always flip the same bits in the bite, regardless of what was being said. So at best we would call that obfuscation. Since passively recording the use of the keyboard and performing a frequency analysis of the character seen would quickly reveal the, the, the exact fixed Xor mask. And once you have that, everything typed could be unscrambled and you know, anything Oh, and anything desired could be injected.

(01:02:18):
Okay. Now the keyboarding question uses Logitech's own unifying receiver technology. It's not horrible security in as much as it uses a e s encryption encounter mode. Unfortunately, they tried to do it on the cheap. Mm-Hmm. And a security review of the technology four years ago resulted in C V E 2019 13,053. And that C V E was the result of an incomplete fix for C V E twenty sixteen, ten seven sixty one. Three years before that Logitech has publicly stated that they feel it's good enough and that they will not be changing anything. And of course, at this late date, changing anything would be quite dis unifying. Oh. So from a quick look at the current state of Logitech's technology, it appears that allowing an attacker to press a few keys on the keyboard. This is with the Logitech unifying receiver technology as it is today. That's that little

Leo Laporte (01:03:30):
Thing that ships the dongle. If you want, you could put in your

Steve Gibson (01:03:32):
Computer. Right, right. And I've got, you know, my mouse has one. Yeah. Because, you know, me too. I like Logitech mice. The AMX

Leo Laporte (01:03:39):
Mice are great.

Steve Gibson (01:03:39):
Yeah, right. So allowing an attacker to press a few keys on the keyboard while sniffing its transmission is all that's needed. Also, the protocol leaks metadata for things like turning the numb lock and cap locks lights on and off, and for other functions. This allows for entirely passive attacks for a e s in counter mode to be used securely. The counters values can never be reused under the same initialization vector, but enforcing that guarantee is difficult for any bare bones protocol, which is what Logitech created for their mice, keyboards, pointers, and other peripherals. So the solution is simple, where true security is important just use the full Bluetooth protocol though, you know such a keyboard may be more expensive, and they probably are than Logitech's. You know, K 400 plus. Now know all of my own keyboards are wired, but as I said, my wife uses a Logitech MX Keys keyboard. I think those are keys. Oh yeah. It is a lovely, yeah, lovely low profile keyboard. It uses a full Bluetooth, low energy link once it was paired to her Windows 10 machine. She has never had a problem with it. So I, I can vouch for that. And the, and the protocol. I wanted

Leo Laporte (01:05:12):
A keyboard, a Bluetooth keyboard that would I have two computers, one monitor, and I wanted a Bluetooth keyboard that would allow me to switch back and forth. And and that was Bluetooth and it, I also wanted clicky keys. I know you're a clicky key fan. Oh, boy fan. Yeah. I really, I'm gonna recommend this 200 bucks. It's not cheap, but the key Cron Q one Pro wireless, custom mechanical keyboard. And I happen to like the brown switches, the Kron Browns Uhhuh <affirmative>. But this is a really wonderful I first keyboard I've really loved in a long time.

Steve Gibson (01:05:49):
And does it, do you actively switch it to, between computers or does it just pair No,

Leo Laporte (01:05:55):
No. Well, in this one, and I like it this way, function key one is the first computer function. Key two is a second, I think you

Steve Gibson (01:06:02):
Four. Oh, so you could have both machines on and listening. Oh, yeah,

Leo Laporte (01:06:04):
Yeah, yeah. That's

Steve Gibson (01:06:05):
Right. In, in, in sort of a K V M style.

Leo Laporte (01:06:08):
Yeah. Except it's so a little more manual. 'cause I, my mouse is the same thing. I have a Logitech mouse that has three Bluetooth pairings. So I switched the mouse to two <laugh> function, two on the keyboard. And then my H D M I port, I switched to, to, you know, port two on the monitor.

Steve Gibson (01:06:23):
Leo <laugh>. Leo. Leo, you qualify for the Expeditionary Force cyber team.

Leo Laporte (01:06:30):
I, I do wear my bdu at, at while I'm playing.

Steve Gibson (01:06:34):
V if you've got jammies that look like camo <laugh>, you're good to go. I, I <laugh>

Leo Laporte (01:06:41):
It is a little bit manual, but I, I have had such bad experiences with K V M switches over the years that yeah. I just, I thought, you know

Steve Gibson (01:06:50):
What, no, that's very cool. That's great.

Leo Laporte (01:06:52):
And it works perfectly every time. It's really a good way to do it.

Steve Gibson (01:06:55):
Yeah. And you may well want to have the other machine screen still visible while you're overtalking to that. And I could do you to, to,

Leo Laporte (01:07:00):
Yes. I could do that. In fact, exactly. One of the computers I do keep on, 'cause it's a server, so it's always running. So I don't want to, I don't want to, I wanna be able to switch back and forth while they're live, and that works Nice. That's great. Yeah. Nice.

Steve Gibson (01:07:15):
<Laugh>, Glen Lau asked, is it possible to spin right a phone, iOS or Android to speed up the phone? And unfortunately, I'm pretty sure that would not work. While it would be possible to plug the phone into a PC to view it as a drive, only the user facing storage portion would be seen, not the underlying hidden protected kernel and apps, which is really what you'd want to be rewriting. So, you know, users don't get any access to that from the outside. Yeah. And we don't want them to,

Leo Laporte (01:07:45):
By the way. Right.

Steve Gibson (01:07:47):
Jorge Morgan, he said, heisty, I'm a big fan. I've been listening to security now for years. I was wondering a couple of weeks ago when you talked about your sink thing set up, you said you don't like containers. Is it just because of the added complexity, or do you have more reasons? Ah, okay, so good question. Great question. Only personal preference. I totally get it that there's a place for containers like Docker. I agree that they are a terrific solution for many applications, but just for myself, I've often seen how quickly things can get out of control when the approach, which I would characterize as just throw some more code at it, is taken. So if I need to run sync thing on sonology, and the only way to do that was to be containerized, then that's what I would do. But Leo, thanks to you, I don't need to do that. Yeah. It just feels much better to be running sync thing as a native sonology build

Leo Laporte (01:08:47):
Talker's very light lightweight. The idea is you're using the same operating system on multiple containers. They're somewhat isolated from one another. So they're pretty

Steve Gibson (01:08:57):
Lightweight and and it brings all of the dependent libraries and

Leo Laporte (01:09:01):
Stuff. Exactly. Exactly right. But Docker is by default, not particularly secure. So that's something that made me nervous about running it on my sonology, which must be secure.

Steve Gibson (01:09:11):
Right. Well, and there, there's a perfect example of why my, you know, KISS approach is works for me. Yeah. in a, his question reminded me of another aspect of a story that I shared before of how when I attended that DigiCert customer advisory meeting in Utah nearly six years ago, I casually mentioned like during some coffee time, the rack of equipment that I had at the level three data center. And all the guys around the table turned and looked at me like I had two heads. So I said, what? And, and one of them said, you know, and he was clearly speaking for all of them since the rest of them were like nodding their heads. He said, Steve, no one does hardware anymore. And I took that to mean that they'd all moved all of their infrastructure to the cloud and we're now paying Amazon or Microsoft or whomever for virtually hosting their entire infrastructures.

(01:10:17):
But I also noted that everyone, but I worked for a major corporation and that none of them, but I were paying the bills for their infrastructures. That's true. And, you know, and, and it, and, and it is true that I do occasionally need to drive over to level three to exchange a dead Ss s d or a spitting drive, which has died in a raid. You know, it's not an emergency, but it's like, okay, I received email saying we're, well, you know, we've lost a drive. Come, come give us a little T L c, but in return for that. And of course, I do also enjoy getting to touch actual hardware, which always feels good. My infrastructure costs are fixed and very low. Yeah. I own all the hardware, so I'm renting space, cooling, bandwidth and power. And these days that doesn't very much, because level three actively wants to keep me from virtualizing my infrastructure with a w Ss or Azure. You know, I don't tell them that, but, you know, they have nothing to worry about. They're not gonna be losing me. So when Jorge, and, and it is tweet asking, is it just because of the added complexity, or do you have more reasons? Actually, my first thought was, Hey, I even avoid compilers wherever possible. <Laugh>.

(01:11:43):
Wow. <Laugh> he hand assembles his code with a pencil. That's right, baby. A piece of graph paper. 1, 1, 1 0, 1 0 1, 1, 0 0. People wonder why is it taking, why is it been right taking so long? 1 1 0 0 0, 1 1, 1 0. Brian Whedon, he said, Steve, love the show this week on satellites. I work in the space sector on this issue. Wow. As you are prepping next week, I can offer up an open source report that my org puts out, which includes an entire chapter on cyber attacks on satellites. I have a link in the show notes. He said, looking forward to next week's part two. So I followed the link that Brian provided, and since it's exactly on point for today, I'll share the report's introductory paragraph, which introduces the term counter space. It reads, space security has become an increasingly salient policy issue. Over the past several years. There has been growing concern from multiple governments over the reliance on vulnerable space capabilities for national security and the corresponding proliferation of offensive counter space capabilities that could be used to disrupt, deny, degrade, or destroy space systems.

(01:13:08):
This, in turn, has led to increased rhetoric from some countries about the need to prepare for future conflicts on earth to extend into space and calls for some corners to increase the development of offensive counter space capabilities and put in place more aggressive policies and postures. We feel strongly writes his org, that a more open and public debate on these issues is urgently needed. Space is not the sole domain of militaries and intelligence agencies. Our global society and economy is increasingly dependent on space capabilities. And a future conflict in space could have massive long-term negative repercussions that are felt here on earth. Even testing of these capabilities could have long lasting negative repercussions for the space, environment, and all who operate there. The public should be as aware of the developing and risks of different policy options, as would be the case for other national security issues in the air, land, and sea domains.

(01:14:19):
The 2023 edition of the report assesses the current and near to term future capabilities for each country, along with the potential military utility. The countries covered in this report are divided up into those who have conducted debris causing anti-satellite tests. The United States, Russia, China, and India, let me say again, countries covered in this report are divided up into those who have conducted debris causing anti-satellite tests. The us, Russia, China, India, and those who are developing counter space Technologies, Australia, France, Japan, Japan, Iran, North Korea, wonderful. South Korea and the uk. It covers events and activities through February, 2023. And I have to say, when you scroll down and just look at some of the charts wow. I, I, I appreciated the idea that, that just testing. He would, he that, you know, this, this report noted that just testing some of these things like debris causing events, meaning you, you deliberately blast some out of service, no longer used satellite to see if you can.

(01:15:57):
And unfortunately, it exp <laugh> explodes and a lot more debris now to be tracking. Wow. And in fact, I was watching you you twit was replaying a, I guess a recent episode of this week in space in the live feed before Mac Break Weekly. And you had a guy, neat guy on who was talking about exactly this, about like the problems with the number, the individual pieces of crap that now have to all be individually tracked and it actually is causing a problem when you wanna launch something new up there, because it's gotta, you have to find a clear path. And so you need to time your launch window so that your, whatever it is, rocket will be moving through an a place where it's not gonna hit any of this crap on its way up. <Laugh>. Oh my God. Not to mention the Kessler effect, right? I mean, at some point point, we, well, that is it. That is the Kessler effect, is that something hits something else and then that hits something else, and you end up with this domino explosion of junk. Mm-Hmm. <affirmative>. Oh, Leo, we are not so clever. I, you know, here's

Leo Laporte (01:17:09):
The good news. It will shield us from the sun. So climate change is no longer an issue. <Laugh>. Well, it may,

Steve Gibson (01:17:17):
It may shield us from departure,

Leo Laporte (01:17:19):
<Laugh>, <laugh> it may change the climate in the wrong direction, but okay. At least we'll cool off. We don't have those hot

Steve Gibson (01:17:27):
Summers.

Leo Laporte (01:17:27):
What you,

Steve Gibson (01:17:28):
Someday parents will tell their children, you know, eclipses used to be infrequent events. Now it's like, what are mommy? What are these shadows passing along the ground? <Laugh>? Well, yes, earwig that's now

Leo Laporte (01:17:47):
Really Is that, that's something, is that the name of the future Earwig? Is that what we're gonna Yeah,

Steve Gibson (01:17:50):
That's, yeah. Okay. That, yeah. We're gonna start, we're gonna, we're gonna call our, I I figured that was safe. That's, that's not a name that anyone's using

Leo Laporte (01:17:57):
Today. No one's using Earwig. I can't wait to read your first IFI novel, Steve. That'll be fun.

Steve Gibson (01:18:03):
Earwig.

(01:18:04):
I have no big spin Right. News this week at the start of the work, I, I am at the start of the work to update spin, right? Well, actually I'm well into it. You remember that when I began three years ago, I created that new U Ss B drive set up capability since I knew that was gonna be needed. So I'm in the process now of amalgamating that that a knit disc technology into the windows spin right component. I'll get that done. I'll release it for testing to our group. I'll come back and, and give the, the Doss spin, right? Another rev. 'cause A few pieces of debris have accumulated there in its orbit. And then I will end up merging it all together and we will have spin, right? Six one. So on that note, Leo, let's take our final break, and then we are gonna look at more about what could go wrong in the space.

Leo Laporte (01:18:59):
Oh. Oh boy. I can't wait. I, I love it that we have somebody from the Secure World Foundation listening to the show and, and keeping us honest. That's, that's promoting cooperative solutions for space sustainability. Didn't know such a thing existed. This episode of Security Now is brought to you by Bit Warden Boy, am I happy I use Bit Warden? You know the drill. You need a password manager, A vault, something that encrypts your passwords. It generates long, strong, unique passwords and keeps track of them so you don't have to something that makes sure your secure well Bit Warden is the only open source cross platform password manager you can use anywhere, anytime at home, at work, on the go. We've all switched. Steve Switched. I switched with Bit Warden. All the data in your vault is end-to-end encrypted. You, I mean, I shouldn't even need to say this, but just, you know, so, you know, there's, you know, some other password managers.

(01:20:03):
A lot of the metadata is not encrypted. It's all encrypted with Bit Warden. In the summer 2023 G two Enterprise Grid report bit Warden solidified its position as the get this highest performing password manager for the enterprise leaving competitors in the dust. We're switching over, of course here. Bit Warden protects your data and privacy by adding strong, randomly generated passwords for each account. They're so good you can't remember them. Good news, you don't have to, you can even go a step farther with a username generator, which allows you to create unique usernames for each account. Or, and if, if you listen to our ads for Fast mail, they're one of the five integrated email services that allow you to generate real addresses that are unique to each account that go to your email. So any, there are five email alias services out there that Bit Warden will work with automatically.

(01:21:02):
Because it's open source, you can transparently view all of Bit warden's code. It's on GitHub. It's not just public to the world though. Github also has professional third party audits performed every single year. The results are published completely on their website. There is no mystery. Bit Warden is open source security you can trust. They now have a bit warden plans for teams or for larger businesses. The enterprise share private data securely with coworkers across departments or the entire company with fully customizable and adaptive plans. The teams organization option is $3 per month per user. We are going with the enterprise plan. That's $5 a month per user here at twit. And of course, it all starts with the always free. This is really important individual plan in Bit Warren's basic free account, because it's open source will always be free.

(01:21:58):
You don't have to worry about them taking away features. Unlimited passwords on every device you use. I upgraded just 'cause I wanted to support them. And this was a few years ago to $10 a year. Oh my for the premium account, that does gimme two factor and I think you're gonna want that. Or get a family plan. The whole family just $3 33 cents a month. That's up to six users. And it doesn't have to be blood relatives either. <Laugh>, bill Warden has launched, we mentioned this last time, it's a Secrets Manager. It's in beta still, but it keeps those sensitive developer secrets out of Source Code and eliminates the risk for public exposure. If you know you up, you committed to GitHub and suddenly, oh look, there's the a p i key in the Secret. Oh, ooh, not with Bit Warden.

(01:22:44):
It'll take care of that. Right now our friends at Bit Warden have a little thing going on. They want to hear why you love your password manager. They are offering cash prizes. They want short videos. Bit warden.com/talent. Bit warden.com/talent. Learn how to enter and win. There are examples. All the rules submission instructions. You have till August 13th, 2023 to tell Bit Warden why you love your password manager. I should just submit this ad, frankly, <laugh>, because I do love Bit Warden. We're fans. Look, if you listen to security now, my God, if you're not using a password manager, what you, we know you're using one. The only question is, which one I suggest Bit Warden get started for free forever with a bit Warden individual plan, or get a free trial of a teams or enterprise plan. It's just the best bit warden.com/twit bit warden.com/twit. I have no hesitancy, highly recommending this. Bit warden.com/twit. Okay, Steve, let's talk about satellite insecurity part. Duh.

Steve Gibson (01:23:59):
So of course, last week we began our coverage of this important topic. Now, I'm gonna confess that I rolled my eyes. When our previous US president, Donald Trump announced the creation of Space Force, a new branch of the military intended to focus upon what happens above our heads. My eye rolling was mostly due to a lack of appreciation, which I now have of what is an obvious need. Satellites are uniquely vulnerable to many forms of attack, both physical and cyber attacks, you know, are actually happening. Last week we learned that ground-based missiles are capable of destroying satellites from the ground. And that space borne robot satellites capable of both repairing friendly satellites and deliberately damaging hostile satellites are not science fiction. They exist too. I, I was, I was thinking, I don't remember what that James Bond movie was, where the opening scene showed some, some spaceship Big Ma opened Moon

Leo Laporte (01:25:13):
<Laugh>. It was Moonraker. They took the satellites in. He was stealing the satellites.

Steve Gibson (01:25:18):
Yes. Right? Yes. Anyway, so that, that's not it was, it was fiction then. Not so much now. Now so much. Yeah. So it was against this backdrop that, you know, all of this was triggered by the recent publication of a research paper, which demonstrated that those satellites orbiting above are also disturbingly vulnerable to ground-based cyber attack, which is our focus today. The short news blurb, which about this, which initially caught my eye, said satellites security decades behind. And boy, by the time we're finished with this today, you're gonna understand exactly how bad, how true that is. A team of academics from Germany has analyzed the firmware of low earth orbit satellite models and found satellite security practices lagging by decades compared to modern laptops and mobile devices. Researchers found the firmware to be prone to several types of vulnerabilities, lacking basic protection features such as encryption Wow. And authentication. Huh. The researchers claim they devised attacks that could hijack satellite systems, cut satellites off from their ground stations, move satellites to new areas, and even crash them to the ground or into other space objects.

Leo Laporte (01:26:42):
Oh, no. A message to q <laugh>

Steve Gibson (01:26:44):
<Laugh>. As I, as I mentioned last week, the researchers assembled their research into a paper titled Space Odyssey, an experimental software security analysis of satellites. The research was delivered during the recent 44th i e e e symposium on security and privacy held two months ago in May. And it was awarded a distinguished paper award for the conference. So here's what the team described of their finding in their papers. Abstract. They said Satellites are an essential aspect of our modern society and have contributed significantly to the way we live today. Most notable, through modern telecommunications, global positioning and earth observation in recent years, and especially in the wake of the new space era, the number of satellite deployments has been, has seen explosive growth.

Leo Laporte (01:27:44):
It was, you only lived twice. I got the wrong movie. Moonraker would be the obvious one, right? Ah, of course you only lived twice. Yep. Yep. They cut, captured the satellites. <Laugh>, that's

Steve Gibson (01:27:56):
Just, that's

Leo Laporte (01:27:57):
Perfect. There's James Bond in his space suit 'cause oh oh seven is is good anywhere. And here they come. Oh. Uhoh. Yep. Oh, no, <laugh>. Oh, no. Anyway, we can

Steve Gibson (01:28:10):
Do it. Boy, is that a ho is that a hokey looking satellite

Leo Laporte (01:28:13):
Before C g I, I have to say <laugh>, we really put up with a lot of crappy looking stuff. Didn't Oh, we didn't know any better.

Steve Gibson (01:28:21):
Yeah. Don't, don't watch any old episodes of lost in space, Leo. It really does.

Leo Laporte (01:28:25):
They don't age well, do they? You know, danger

Steve Gibson (01:28:28):
Will Robinson? Yeah.

Leo Laporte (01:28:29):
That he was about to fall over every time he waved his arms. <Laugh>. Wow.

Steve Gibson (01:28:35):
So they said in this paper we provide a taxonomy of threats against satellite firmware. We then conduct an experimental security analysis of three real worlds firmware images. We base our analysis on a set of real world attacker models and find several security critical vulnerabilities in all analyzed firmware images. Actually, 13 wow critical problems spread among three satellite actual satellites. They said the results of our experimental security assessment show that modern in orbit satellites suffer from different software security vulnerabilities, and often lack, and often a lack of proper access protection mechanisms. They also underlined the need to overcome prevailing, but obsolete assumptions. To substantiate our observations, we also performed a survey of 19 professional satellite developers to obtain a comprehensive picture of the satellite security landscape. Okay, so in other words, after this team of six researchers had uncovered what they thought they had uncovered, they were like, what?

(01:29:50):
Really? So they, they did this survey just like as a sanity check to say, like, to confirm that what they thought they saw was like, then the guys were like yep. That's the way things, that's the way we do it. So they begin by explaining a bit of the history of the industry, which I wanna share since it will be so entirely believable and even understandable, though also so obviously wrong to our pod, our podcast audience. So these guys explained, they said satellites are sophisticated technical devices that are placed in outer space for research purposes, or to provide terrestrial applications with services that leverage the coverage of the Earth's surface from a distance. While the first satellite Sputnik dates back to 1957. We are in the midst of a renaissance of space flight referred to as the new space era. Especially in recent years, we've observed an enormous growth in the number of earth orbiting satellites.

(01:31:00):
According to the United Nations office for Outer Space Affairs, U N O O S A, the number of satellites has nearly doubled from 4,867 in 2019 to 9,350 last year. In 2022, the majority of these satellites form mega constellations like starlink, which plans to launch more than 40,000 satellites in coming years. So, put that in perspective. We don't quite yet have 10,000. We have 9,350 last year. Star League wants to put up an additional 40,000. They said small satellites are at the heart of this new space era as their size and the website, the web as their size and the widespread use of commercial off the cell off the shelf. C O T Ss commercial off the shelf components makes them affordable even for small institutions. Furthermore, they cover a broad spectrum of use cases ranging from commercial applications like earth observation machine to machine communication and internet services to research applications such as technology testing, weather and earthquake forecasting, and even interplanetary missions, although their applications vary widely, small satellites commonly consists of radio equipment and microcontroller boards.

(01:32:38):
Hence, in the broadest sense, their computer systems connected to a ground station on earth and sometimes even to other satellites because they rely on wireless connections for command and control and use microcontrollers. They are potentially as vulnerable to attacks as any other connected IT platform on earth. Can you say I o ot? Except not. I, you know, it's so, it's not internet of things, it's space of things. This issue they say has not been very relevant in the past since access to ground stations was expensive and limited to large satellite operators. However, the situation changed fundamentally in recent years. Get a load of this. I didn't know this. Nowadays ground stations are even affordable for private individuals. And with the emergence of Wait, what? Ground <laugh> Ground station as a service. What G A A S models, uhhuh, such as those offered by Amazon Web Services and Microsoft Azure.

(01:33:49):
The air, the entry barrier becomes even lower. They said, we've seen in the mobile network security domain how the provider's assumption that the radio equipment required for attacks would be to costly and out of reach for attackers was ultimately disproved by technical technological advances. You know, right. Like the pineapple and Leo, that thing you have in your pocket. Oh, the flipper zero. Yes, that's right. So, affordable ground stations create a new novel attack surface where adversaries can communicate with satellites and take advantage of software vulnerabilities. If they successfully compromise the satellite's firmware, they can access the satellite and potentially take over complete control of the system. And in fact, these guys did that. They said, despite warnings being made early little has been done to address this problem for several reasons. Once again, our favorite anti security thing, inertia. Yeah. Well, and some lack of understanding.

(01:34:59):
They said, while the lack of security standards for satellites and the complex supply chain complicate the situation, the main reason is the inaccessibility of satellite firmware. Right. It's like, it's it's up there. It can't get it. So they said historically, satellite developers have relied on Oh yes. Security by obscurity, the developers of the Iridium network even mentioned that their system would be too complex for attackers. Yeah. How'd that work out? Attackers have nevertheless successfully decrypted the communication of the network. The inaccessibility of satellites in orbit makes dumping of the firmware by researchers very challenging, if not impossible, impeding progress in this area. Hence, the developers of satellite firmware act as gatekeepers and do not provide researchers with research subjects. And just, just, I'll, I'll pause here for a second and think about almost every instance that we talk about here of, of a security researcher finding serious problems in some widget wasn't supported in any way by the widgets widget maker.

(01:36:26):
It was them taking the widget apart and sticking some probes into its brains and sucking its firmware out through a JTAG interface. That sounds painful, painful <laugh>. It's, oh, the widget is never the same. Leo <laugh>. Yes. No, that's the only, it's not good, it's not bad news. We, we, it's not good for the widgets. No, but some have to be sacrificed for the greater good. So, so here's the problem. When your widgets are flying around, you know, miles above you, you can't get 'em. So they said, previous commentators have acknowledged that the topic is still understudied and conclude that collaboration between satellite development and the security field is required. Additionally, well-known topics like the security of satellite communication, the security of satellite-based internet services and threat scenarios for satellites have recently gained increasing attention. Thank God. And it's about time. However, discussions around individual satellites typically lack technical details of satellite and real world foundations due to the inaccessibility of satellite software.

(01:37:34):
Okay. So we have a situation where the physical isolation that's inherent in anything launched into orbit has supported a laxity of security rigor. And it also really sounds as though the developers of these systems have not been following along with the startling being made in the capabilities of the underground hacking community here on the ground. As we've seen time and time again, if money can be made through some hack or attack, it's gonna happen. And those attacks are only gonna be improving over time. It is a very good thing that Bitcoin was not a satellite based cryptocurrency, or there wouldn't be any satellites left in orbit today. But in all seriousness, the us China, and Russia don't care about the price of Bitcoin. What they want is the ability to instantly cripple each other's above earth command and control infrastructure. If the, you know, what suddenly hits the fan?

(01:38:45):
These researchers felt that they were able to significantly contribute to an understanding of satellite based insecurity in three ways. They said, first we present a taxonomy of threats against onboard satellite firmware, such as systematic review of the attack surfaces allows us to better represent the complex nature of satellites and categorize securely security relevant findings throughout the paper. Second, we conduct an experimental and comprehensive security analysis of three real world in orbit satellites to better understand the attack surface and the current state of software security. In this particular domain, we focus on low earth orbit LEO satellites as this fo this orbit is the main focus of the new space era. Meaning these are the ones that are gonna be going up a lot and we need to get them secured. And, you know, if we become dependent on these little puppies, oh, and boy are they little get a load of this.

(01:39:53):
They said the most prevalent satellite, you should call them little Leos, then <laugh>. Little Leos. That's right. Aw, <laugh>. The most prevalent satellite class is the nano satellite. Whoa. Nano Leos more specifically the cube sat, which is a standard form factor of 10 centimeter cubes. Okay. Called units or ues. Okay. That's four inches on a side. Wow. I know these satellites. I know, I, I wonder if you're gonna be start calling them cluster satellites. That, that'd be bad. Anyway, these satellites typically weigh less than one and a third kilograms per U and are used in many different projects after a long period of persuasion trust building discussions and contracts, you know, they had to sign, we obtained access to several, three satellite firmware images that we were able to analyze. In other words, you know, they couldn't get 'em from the, the air. So they said, look, we are, we're, we're Germans <laugh>.

(01:41:06):
You can trust us <laugh>. We are, we're gonna sign contracts. We're gonna, we only will. We'll, we'll tell you what we find you, you haven't ever bothered to look at your own code. Please let us look at it. We're, we're gonna help you. We're chairmans. We know how to find this stuff. That's right. Yes. all vulnerabilities they said have been responsibly disclosed to the vendors. They said, note that the entry barrier to identify these vulnerabilities was complex. Given the sensitive nature of these systems. To the best of our knowledge, our work is the first to demonstrate exploitation of satellite firmware vulnerabilities, allowing attackers to gain persistent control over the satellite. Third, and this is where they said, we conducted the survey of 19 professionals to ask, are you serious about this? And there were 17 satellites that they had technical information about.

(01:42:04):
And those participants had worked on a total, an aggregate of 132 different satellites. So, you know, this was the right group of people to ask. So thankfully, satellite communications is not entirely a standards free roll your own environment, although it is nothing like the internet. There is a standards body known as the C C S D S for consultative Consultative Committee for Space Data Systems. C C S D S. It's a consortium of numerous space agencies that agree together on the standards that'll be used for a satellite's communications. So the C C S D S provides the protocol standards for communicating with all components and parties involved in spacecraft operations. The standards cover all the layers of the O ss I networking model, usually offering a couple of options per layer Two protocols stand out and were examined by these researchers. There's the higher level protocol, which is like R T C P on the internet called the S D L S, which is the Space Data Link Security Protocol.

(01:43:26):
And as I said, it's, it's the data link layer, like, like t l s and then there's the lower level protocol, which we would call ip and on the in, in the internet. And that's called the s p p, the Space Packet Protocol. So their paper then delves into the detailed inter communications among the various satellite components. The attacker's goals are no different in the sky than they are on the ground. They would love to take over the entire package if they could, but failing that, being able to tap into the communications flow might be all that's available. And if so, they'll take that. But if, if even that is out of reach, then denying the services provided by the satellite to its rightful users is the final fallback. That should all sound familiar 'cause it's exactly what we have down here on the ground.

(01:44:21):
The research has explained that the information containment that has historically existed until recently has been crumbling with the many recent changes taking place within the satellite industry. You know, and that makes sense, right? If there's only like three companies making and launching satellites, then it's easy to keep your secrets secret. But as we know, the more people who know a secret, the less secret it is. They said for decades, the satellite community and developers have acted as gatekeepers for the topic of satellite security. By keeping the software and components of satellites under lock, they created a barrier of obscurity that prevented any meaningful research on this subject. Hence, external communities had no way to study satellite internals and potential security issues in recent years. This changed as the developments in the space domain have moved towards the use of common off the shelf components. In other words, not some bizarro one-off processor, but a cortex or, and, you know, a a, you know, a a a, a standard chip that IDA Pro or Gira would be able to reverse the, the code for.

(01:45:41):
Also we have open satellite designs and open source libraries. They said these factors have been multiplied by the explosive growth in the number of satellites and the inherent increase in the size of the community. Hence, the number of people holding knowledge about satellites has been steadily increasing. Overall, we argue that a transformation is slowly happening concerning the effectiveness of security by obscurity in space borne assets. In other words, it's not gonna hold any longer folks. And so you can't be relying on that the way you have in the past. And they conclude with this. As a result, we must assume that attackers have detailed knowledge of the target satellite, including detailed documentation and access to firmware images. Further, several open source satellites already enable attackers to study satellites. We therefore assume attackers have detailed knowledge of satellites, including their firmware except for their cryptographic secrets.

(01:46:49):
So in other words, this is the modern security model which is being brought to an industry that never had it before. You know, at least from the standpoint of these researchers, the satellite industry may not have caught up yet. But the only way for researchers to test current satellite security is with an honest set of assumptions of the threat model. As we know, it's always necessary to assume that one's adversary knows everything about the design of their target, because too often that's exactly the case. Another area that they needed to address, they termed the myth of inaccessibility. They wrote until recently, it was generally assumed that satellites always communicate with prohibitively expensive. They, they use the abbreviation gss, meaning ground stations. As a result, only a few actors could attack a satellite similar to the assumption for mobile cell phone networks many years ago. Unfortunately, this assumption had a major impact on the adaptation of security features for satellites, meaning the lack of them.

(01:48:03):
However, ground station prices have dropped significantly in the past few years. Today it's possible to create a fully functional ground station of your own, you know, in your backyard for less than $10,000. And there are open source communities around developing ground stations. In addition, G A A S, as we said, ground station as a service provider such as Amazon Web Services or Microsoft Azure, rent a ground station to the user or allow ground station owners to monetize unused ground station capacity by temporarily renting it to end users. Right? <laugh> what could possibly go wrong as a result? One does not even need to own ground station equipment to interact with satellites. Additionally, transceivers for specific satellite services have become so compact and cheap that Leo even has one in his pocket. I do, I do. So cheap. Yes. That <laugh>, oh wait, that's the card.

(01:49:05):
Just stand outside. Stand outside and, and point to the heavens Leo. Furthermore, there are now many LEO satellites constellations in space with satellite to satellite communication capability. So they're able to talk to each other at the same time. There is an increasing number of smaller research LEO satellites. There are already a number of satellites with significant communication capabilities in space that are even intended to be used by third parties. Therefore, we believe that there is a paradigm shift in the assumption that satellites are inaccessible, which is particularly pronounced for low earth orbit satellites. Okay, so the researchers examined a trio of satellites with widely varying architectures. Actually, that was one thing that sort of impeded their, their research. There was one that was based on a Leon, oh no, it was the A V R 32 that was just announced very recently. And its instruction set was not yet well supported by the various disassembles, but they, they, so there were three satellites.

(01:50:19):
One used an arm cortex M three, another used, as I said, that much more recent AV R 32 instruction set. And the third used a Leon three. I wonder if Leon is, is like for l e o, you know, with an n anyway, Leo Nano. Yeah. A Leo, a Leon three spark V eight processor, and all three cases upon reverse engineering, the satellite's current firmware using id you know, I D A I, IDA Pro and Gira both, which we've covered in the past. In each case, they uncovered multiple remotely exploitable vulnerabilities that led to remote code execution, meaning these things are vulnerable. In return for receiving access to the firmware images, they responsibly disclosed their discoveries of a total of 13 of these. All of them were bad vulnerabilities across the three satellites they examined. The good news is that Skybound firmware can be uploaded.

(01:51:32):
The bad news is that, for example, in the case of that arm Cortex M three processor contained in a satellite, which was launched in 2013, the firmware update process they were told takes anywhere from several days to a week depending upon the ground station and link quality. This is due to the low bandwidth U H F V H F components, which run at wait for it 9,600 BOD and the sharing of bandwidth. So to share a sense for the sorts of things they found in these 13 items they wrote, insecure by design telecom commands. TCS is an abbreviation for telecom commands, which is the process of obviously sending a command up to something in orbit. So they said even with no access protection, a satellite should be designed so that telecom commands do not compromise the satellite stability without further validation to deliberately present telecom commands.

(01:52:48):
This is in one particular satellite, allow arbitrary reading and writing of memory on the technical level. They said the attacker controls all parameters passed two mem copy through command arguments such that these I know, Leo, I hear you in the background. Yes, I know it's unbelievable. <Laugh>, I didn't even have my mic on and you heard me <laugh>, such that these two telecom commands are dangerous. Tcs, anyone with a custom ground station could utilize them to gain remote code execution and seize control of the satellite. They said noteworthy the ability to execute arbitrary code, which these provide would allow an attacker to write firmware updates to the flash memory persistently making the takeover irreversible modern operating systems such as Linux or Windows deploy defenses to prevent trivial exploitation of such vulnerabilities. But the RTAs in this arm, cortex M three based satellite does not feature any such protections in particular, neither a SS L R.

(01:54:07):
Of course, we know that's a address space layout. Randomization nor stack cookies, which prevents trivial buffer overruns are used to prove the impact of this vulnerability. We built an exploit, sent our payload over the calm I interface to our rebuilt satellite in the lab and executed arbitrary code in our case, we placed sound over the connected speaker. Okay, so just to be clear, this satellite that they're referring to actually had deliberate commands, which were received over its communications link, which allowed any of the machine's memory to be read back, written to, or moved around <laugh>. I mean, it's again, this is, this is like Microsoft that built that command into the early windows meile, right? That, you know, where you, if the meta at the meta file interpreter didn't do what you want, you could just put some native code in the meta file and tell the machine to execute it.

(01:55:21):
What could possibly, possibly go wrong with running your own native code from a, from a, you know, a, a piece of a a a media file that the machine could be sent anyway? What could possibly go wrong with allowing, you know, firmware to be rewritten in a, in an in orbit satellite using some commands that are not authenticated anyway. So, of course, coming from a security war state that the security war state that we have all been living in for many years now, it is, it, it's almost difficult to appreciate what they mean when they say that the security of many of these satellites relies upon a lack of access to satellite communicating ground stations. In other words, they were not kidding at all. Some of these satellites, as I said, will actually obey by deliberate design remote commands to read, write, and move memory around with no concept of protection.

(01:56:24):
Just because they thought, well, you know, who can talk to these things, very few people and we're not gonna give them our firmware. So they're never gonna know what's up there anyway. Here's another example. They call this one trusted i c p size field. Upon receiving an I C P packet, the packet is passed through a free R tos data queue to the command scheduler, which executes the associated command. Using the included arguments. We observed that a function parsing the command structure does not validate the length of arguments field against the total length of the I C P packet. I mean, this is security 1 0 1, right, or it's payload. Thus, any external attacker can specify a malicious field length, which indicates that the arguments would be longer than they actually are. This causes a command handler function to use more bites from the memory heap that intended leading to a buffer over read.

(01:57:38):
Hence, an attacker could include other data in the attacker tc, the, the telecom command, which leads to a control data leak. Again, we verify that this works on the real satellite by testing it on our recreated hardware and managed to successfully exploit the vulnerability. The leak itself is reliable and is not impacted by environmental conditions. But extracting specific secrets depends on the heap layout. This vulnerability is reminiscent of the well-known open SS s l Heartbleed vulnerability. Or how about this one, which describes something they found in a different satellite ops. SAT uses a flash file system to store files, and I don't know which OSS that uses. Maybe they say, oh, I think it's another free R os oss. Opso OPAT uses a flash, a flash file system to store files, including the image existing telecom commands allow to create new files and write to them, providing the capability to upload a malicious firmware image onto the satellite to change the file system path.

(01:58:57):
Pointing to the current image critical commands must be enabled, which is agl, global Boolean value in the satellite settings. Crucially, changing this flag can be done via a telecom command that does not require verification. Hence, external attackers can conduct arbitrary firmware updates, which allows them to seize control over the satellite. Interestingly, similar critical functionalities are also hidden behind the same flag, indicating that engineers were aware of its critical importance, but decided not to implement further protection. Okay, so anybody can flip the flag, which is said, which is protecting this. And once you do, it's not protected as our other important functions. And once it's not protected, then you're able to upload your own firmware, name it what you want, and then change the path to the current image causing the satellite to switch to it.

(02:00:07):
And here's the last one. I'll share a problem In a widely used library, a widely used, they write a widely used space. Ss we have the space S D K, that would be the S S D K, I guess <laugh>. This a widely used space. SS d k utilizes the U F F SS library, which implements a low cost flash file system. I'm sure that's what F f Ss, you know, flash file system. The library is used on roughly 75 spacecraft. Wow. And according to the library's author, who I guess is proud is also used by nasa, huh? They wrote, we identified a stack based, I guess that I would be a space stack based <laugh> <laugh> buffer overflow vulnerability in the file renaming procedure where the name of the new file is copied to a buffer of static size. I know without any size check.

(02:01:11):
Oh Lord, resulting Now again, this library is used in roughly 75 spacecraft and NASA is using it. Yeah. Resulting in arbitrary code execution. We experimentally verify that this vulnerability can be exploited to gain arbitrary code execution. In ops sat, this function is only exposed in an inaccessible uart debug port posing no security threat to opat in its current state. Still moving files is a reasonable file system interaction to be exposed via telecom commands to semi privileged attackers. Hence, any of the other roughly 75 spacecraft implementing such functionality are also likely to be vulnerable. Okay? So by this point, everyone should have an idea by now of like, what's been going on. These guys were not kidding when they characterized the satellite industry security as lagging behind by several decades. Thanks to an attitude of, well, we are not the PC industry, we are not connected to the internet and you can't talk to our birds without special equipment.

(02:02:37):
The security concerns that all of us on the ground here have been fighting for the past several decades and has created endless fodder for this podcast. Does it appear to have sunk in at all? Sure, there are instances of mistakes that have not been caught like these guys. But the most glaring insanity are deliberately designed commands which are insanely powerful and lacking in any authentication, assuming that those commands will never be issued by anybody because, you know, they're not connected to the internet. They require a ground station. That assumption may have been useful 10 years ago, but it holds today. They implicitly assume that no bad guy will ever be able to get their hands on a radio, even now that Amazon and Microsoft will happily lend you one of theirs. So I sincerely hope that this work and others similar to it have or will come to the attention of all of the relevant parties. The good news is that down here on the ground where we have the internet and you know, it's been connecting everyone to everyone else for, you know, since its beginning, we have had to develop highly insanely well, you know, peaked security awareness. And so hopefully that'll rub off on all of the space bound guys.

Leo Laporte (02:04:13):
You know, I just always assumed that NASA put a lot of effort into secure code and testing and, and all of that stuff. Maybe NASA does, but obviously there's a lot of commercial space going on,

Steve Gibson (02:04:29):
Right? Right. You know, and Leo, come on. Would Elon delay the launch? Oh God of a star link <laugh>.

Leo Laporte (02:04:42):
No comment.

Steve Gibson (02:04:43):
Just launch it now. We'll fix it in orbit. We'll

Leo Laporte (02:04:46):
Fix it in orbit. That's right. That should be the name of the show. <Laugh>. We'll fix it in orbit. We'll fix it in orbit. Yeah. Yeah, yeah, yeah. Steve Gibson, you're the best. We look forward to Tuesday all week long so we can all listen and hear your words of wisdom and your perspective on what's going on in the world around us. Tuesday's 11, I'm sorry, one 30 Pacific, four 30 Eastern, 20, 30 U T c. If you wanna watch us do it live live. If you just can't wait, you just can't wait. Live. Twit TV has live audio and video streams. We just kind of run it all the time. And often you'll see a show in the making after the fact. You can get copies of the show. It is a podcast after all@stevesitegrc.com. He has the six standard 64 Kilobit audio, but he also has an unu, a unique version the 16 Kilobit audio for the bandwidth impaired. He also has really good transcripts, and that's useful not only for reading while you're listening or just reading by itself or searching all of that@grc.com. While you're there, pick up spin, write version six. What do you think? A hundred days? 90, 50, 40.

Steve Gibson (02:05:56):
I, I've gotten into so much trouble by

Leo Laporte (02:05:58):
Estimating. You can't say, you shouldn't

Steve Gibson (02:05:59):
Say, you know, if if anyone's told me that squirrel would've taken seven years, yeah, I would've said

Leo Laporte (02:06:05):
No. It's always a mistake to estimate the release of software or of anything for that matter. But here's what I do know. If you go there to get your copy of version six of the world's Best Mass Storage, maintenance, and Recovery Utility, you will get a free upgrade to six one the minute it comes out. You can also participate in the development of six one, the beta test and all of that stuff, grc.com, there's lots of other great stuff there. Leave questions or comments for Steve at grc.com/feedback. He's also on x his ex handle <laugh>.

Steve Gibson (02:06:37):
God, are we really gonna say that? I

Leo Laporte (02:06:39):
Think we have to. Wow. I

Steve Gibson (02:06:42):
Don't know. That is the official, that is the official name. It

Leo Laporte (02:06:44):
Well, but if you go to x.com, it still says it redirects you to twitter.com. So of course, this was a well thought out transition. You know, there's still some residual Twitter, so I guess until that goes away, we'll say on Twitter, his dms are open and he did make sure that that's the case at SG grc. That's his Twitter handle, soon to be his ex handle by which we don't mean his former handle. It's very, very confusing. You can get on Amanda versions of the show at our website, two Twitter tv slash sn. We have audio and video. That's our unique format if you wanna see Steve Smiling Mustache. We also have a YouTube channel dedicated to security now, and you can subscribe of course in your favorite podcast player. Get it automatically. Now, some of you have said to us, but what about all those awful ads?

(02:07:41):
Well, there is an ad free version available for you a couple of ways you can do that. You can buy the show by itself at free for $2 and 99 cents a month. But why not spend a few bucks more support twit? Seven bucks a month gets you all the shows ad free plus all sorts of other stuff that is not available in public. Like hands-on Macintosh with Micah Sargent. Hands-On Windows with Paul Ott, the Untitled Linux Show Scott Wilkinson's Home Theater Geeks. It's where we launched this week in space because the the members pay for it, right? Seven bucks a month. You also get the Discord, lots of benefits. If you wanna know more either the $7 version of the 2 99 version, go to twit tv slash club twit and all will be revealed. I think that's it for this episode of Security. Now, Steve, I have to say we finished your recommendation. The diplomat. Ah, holy cow. Did they leave that <laugh>? It's just hanging, man. I, that it was, not only was it a great season, but what a great way to end it. And now I'm just dying to find out what happens. And I guess they're, they're shooting right now for season two, so we won't have to wait too

Steve Gibson (02:08:53):
Long. Can they be during the strike?

Leo Laporte (02:08:55):
Oh, that's a good question. They must be on hold now. Oh, correct.

Steve Gibson (02:08:58):
Yeah. Yeah. Well, I I was delighted that they immediately announced a second season. Yeah. Mean it was so, so obviously a big win.

Leo Laporte (02:09:07):
Oh yeah. Great show.

Steve Gibson (02:09:08):
So, and it really real, it, it blows cocaine bear out of the water <laugh>,

Leo Laporte (02:09:12):
Which was her, did you watch Cocaine Bear? Carrie Russell is in, in both. I agree. So I understand your interest in both, but no, it does. Lisa and I have yet to finish Cocaine, beer Bear. We bought it now.

Steve Gibson (02:09:23):
Don't bother nothing good happens. We've

Leo Laporte (02:09:25):
Tried to watch it <laugh>. No, several times. Every once in a while Lisa will say, you wanna finish cocaine beer? And I say, not tonight, honey. I haven't. I

Steve Gibson (02:09:34):
Also tried to watch that Command Z thing that was released by Soderberg

Leo Laporte (02:09:40):
Supposed to be good. Is it good? No, no, no, I didn't think so.

Steve Gibson (02:09:44):
We, we, we got about two episodes in. They're only short the eight minutes and then 50 minutes. It was just, it was dumb. It was, it didn't, it didn't make it, I

Leo Laporte (02:09:54):
Have to say after succession ended, I kind of felt like, oh, we're done. TV is never gonna be as good as again. And the diplomat gave me hope again. I really

Steve Gibson (02:10:02):
Enjoyed it. Yeah. And, and I guess the second half of Dune is probably on hold now too. Not everything's

Leo Laporte (02:10:07):
On hold. If it's not Well wait minute. They might have finished Dune. Yeah, they're probably editing it. So maybe that one will be Okay, good. But we're gonna go through a long drought. I have a feeling in the next year or so.

Steve Gibson (02:10:19):
Yeah, fortunately we don't mind baking shows and so we've been watching a lot of baking

Leo Laporte (02:10:23):
Shows. I will not be reduced

Steve Gibson (02:10:25):
To

Leo Laporte (02:10:26):
The British Bake Off. I will not <laugh>, you know, severance also had an ending that left you hanging in the air like the diplomat like that. And it is, it is definitely on hold 'cause of the writer's strike and now the Sac strike. So we may never, we may maybe a while before we find out what happened. That's hard. That's like the, those Peter F. Hamilton books that I just won't read the first of the trilogy. Oh yes. You cannot until they're all done do wanna. Yes, exactly. It's just Right. You're exactly right. But I loved the diplomat so much and what a twist at the end. I know. I'm so glad you did. It was so fun. And I just, I love the way she was her character. Yeah. Well you know what, this is what happens when you have a, a woman created, produced, directed and written show is the women are no longer just, you know, there for set dressing wallflowers.

(02:11:15):
Yeah. Yeah. She was great in it. Yeah. Alright, Mr. G a pleasure talking to you. Have a great week and we'll see you next time on Security Now. <Inaudible>. Bye. Yeah, I just really loved it. I'm glad. So good. Got better and better. And, you know, there were a few holes towards the end. I could tell they're trying to wrap this up without, but it just, what, and I, you know, I'm looking at it, I'm going, wait a minute. That means <laugh>. I know, I know where was, so you know who was standing where. Yeah. When that happened. Yep. Well, that's the big question, right? Ah-Huh. She's got a little tear coming down. Yep. I, well, we'll see. I don't want to No, no spoilers. Nope. Everybody should watch it. No, thanks Steve. Hey, buddy. Bye. Bye.

Rod Pyle (02:12:03):
Hey, I'm Rod Pyle, editor in Chief VAT Astor Magazine, and each week I joined with my co-host to bring you this week in space, the latest and greatest news from the Final Frontier. We talked to NASA chiefs, space scientists, engineers, educators, and artists, and sometimes we just shoot the breeze over what's hot and what's not in space, books and tv, and we do it all for you, our fellow TRO believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars Rocket, join us on this weekend space and be part of the greatest adventure of all time