Security Now 933, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We're gonna talk more about satellite communications. We've got some really expert listeners, some fascinating insights into that. We'll also talk about Russia. They've, they've actually criminalized open source contribution, and then VirusTotal's 2023 Malware We've Seen update, plus a look at a radio solution used by law enforcement all over the world that is woefully insecure. It's all coming up next on Security Now.

Speaker 2 (00:00:32):
Podcasts you love from people you trust. This is TWIT.

Leo Laporte (00:00:40):
This is Security Now with Steve Gibson. Episode 933. Recorded Tuesday, August 1st, 2023: Tetra Burst.

This episode of Security Now is brought to you by the Building Cyber Resilience Podcast, a show about tech and security from the perspectives of data scientist Dr. Ann Irvine and career CISO Rich Seiersen regarding the intersection of data, finance and cyber risk management. Search for Building Cyber Resilience on Apple Podcasts, Spotify, or wherever you listen to podcasts. And by Bitwarden. Get the open source password manager that can help you stay safe online. Get started with a free Teams or Enterprise plan trial, or get started for free across all devices as an individual user at bit... And by Drata. Security professionals often undergo manual tasks of collecting evidence. With Drata, companies can complete audits, monitor controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection and hello to automation, all done at Drata speed. ... is to get a demo and 10% off implementation.

It's time for Security Now, the show where we talk about your security, your privacy, your health and welfare online with this guy right here, Mr. Steve Gibson of the Gibson Research Corporation. Hi Steve.

Steve Gibson (00:02:04):
Hello, Leo. Great to be with you for this first day of August. Yeah. As we, we have, we're in the low eighties here. Yep. So we're like in, like, paradise compared to the rest of the country. It's either, like, thunderstorms and tornadoes. And my, my sister posted something on Facebook, was like some huge lightning storms she was in, in Colorado yesterday or, or last evening. And of course, you know, Arizona's breaking records at 110 degrees or, or higher for more days in a row than they've ever had. And, and here we are. It's a little humid, but otherwise it's great. Really? That's nice. I didn't, yeah, you don't get a lot of humidity, do you?

We're in an air. No, we don't. It's odd. It's odd for us. Yeah. Some El Nino thing happening. Oh, yeah. So, and I'll just note that we are two weeks away from finishing our 18th year of this podcast. OMG, 18 years. Wow. Yeah. I think it's August 18, or, yeah, I think it's, I think it is. August 18 is our 18th, is the end of year 18. We'll begin into 19, so. Wow. Very cool. So it turns out that advanced persistent threats have been leveraging satellite communications for many years. So before we wrap up all of our, you know, staring at the heavens discussion, we're gonna look at that. We should, and I hope you will, and I know you will talk about what, it's a terrible name, advanced persistent threat, for what it really is.

Yeah. But I'm sure you'll explain that. Yeah, yeah, yeah. Also we're gonna find out what the next iOS release will be doing to further thwart device tracking. And I know you touched on that in your previous podcast on MacBreak Weekly, and also what new feature Android six is releasing. But you also cast some doubt on whether that was happening on MacBreak Weekly. Yeah. So I'm kind of curious to see whether that's the, whether we're talking about the same thing. Also, we've got some news on the latest forthcoming seventh branch of the US military. And we're gonna wonder why Russia suddenly criminalized contributions to open source software, which is, can you believe that? Bizarre. Oh, 'cause they don't control it, right? Yeah. Uh-huh. And what do we learn from VirusTotal's 2023 Malware We've Seen update? Then we're gonna share, we got an amazing amount of terrific podcast related feedback from our astonishingly varied listeners.

We've got more people who know about satellite security, it turns out, who had some interesting stuff to add to our discussion last week, which I'm gonna share. And then we're gonna examine one of the revelations to be detailed during next week's upcoming Black Hat hacking conference in Las Vegas. Thus, the title of today's podcast, Tetra Burst. It turns out that when, when Europeans design a secure radio protocol that has four different encryption algorithms, <laugh>, which they allocate to different countries, you gotta say, what? Why? So everybody gets to use TEA1, except the European military gets to use TEA2. Don't you kinda wanna wonder why? You get an algorithm and you get an algorithm and you, and you and you <laugh>. That's right. Wow. And they're all secret and unpublished and, oh, that's not good. And it turned out that only by leveraging some zero days in a Motorola implementation of this encrypted handset were a bunch of guys in the Netherlands, researchers in the Netherlands, able to crack the secure enclave to, for the first time ever, get access to these proprietary encryption algorithms.

And oh my God, would you believe that they're not secure? So anyway, we're gonna have fun today. Why is it that people roll their own? I mean, it's not like the Enigma machine, that it's security through obscurity. Right? It's, it, well, unfortunately, it, it's an attempt at that. The only, only thing, the only, the only thing I can, the only way I can give them, well, I would give them an out is to say that it's decades old. Ah. So this exists from the nineties, but I, I mean, I'm, I'm, I'm giving away a lot of the podcast coming up. All right. Save it. Believe it or not, they've replaced them, having been caught, with new proprietary secret algorithms. If there's, it's okay. Now, there's no excuse. No. If there's one thing we know about crypto, it's gotta be open. Which is exactly why Russia doesn't like open.

Yeah. Our show today, this is actually a new sponsor, wanna welcome them to the show, and I think you'll wanna listen to their show. The Building Cyber Resilience Podcast, from Resilience. The world is hyperconnected like never before. This advanced technology driven landscape is creating smarter businesses. That's good news, to serve customers better. That's good news. But as we know, the territory also comes with threats. Hosts Dr. Ann Irvine, Chief Data Scientist and VP of Product Management at Resilience, and Rich Seiersen, Chief Risk Officer, talk about the positive outcomes of developing risk management and utilizing data science across industries to create a smarter business. They meet with top experts and innovators in the fields of risk management, cybersecurity, data science, to discuss the changing cyber landscape and its constantly evolving risks. They talk about things like, how are businesses beating the bad guys that are trying to harm their bottom line?

They talk about how businesses are managing risk and crisis without materially impacting the value to their customers. And sometimes it's a trade off, right? In Building Cyber Resilience, the team answers these questions and more. A recent episode just came out, very timely, talking about AI: will ChatGPT replace the underwriter? I never even thought of that. The hosts talked to the chief strategist of AI and machine learning for the US Department of Defense. Awesome. As well as the CRO of Symmetry Systems Incorporated, and discuss AI for cyber attacks and how it affects defensive roles and security. That is a heavy topic. I can't wait to hear that one. Listen in. Learn how you can build a cyber resilient organization. Search for Building Cyber Resilience on Apple Podcasts. Building Cyber Resilience. It's on Spotify, Apple Podcasts, all the places, you know, the usual suspects where you listen to podcasts.

And thank you. We'll put a link in the show notes too, so you can just go direct. Thank you to the Building Cyber Resilience Podcast for their support. Sounds really interesting. I want to hear this one on, on AI. What a great panel for that. Building Cyber Resilience. Look for it. Now let's build the picture of the week, shall we, Steve? Okay. This is, this is just, it struck me as funny. I've got a killer one coming for next week, but this was a repurposing of an old photo with a wonderful caption. It's got nothing to do with security. But I just got a kick out of it. Okay, it's gonna take me a second, 'cause I did not have it on this computer. I have two different computers and I gotta make sure I got the one with the picture of the week. Now, I, which, the good news is I haven't seen it yet. That's correct. So I will, you'll see my genuine reaction. First reaction is just, it's just cute. We'll do it together. <Laugh> <laugh>.

Okay. Okay. Mr. Spock, never play with super glue. Never play with super glue. This is just, it just shows Spock doing his Vulcan hand sign, you know, with the two fingers stuck, that like, they're glued, they might be stuck. Yeah. Like he was trying to wave. My, my best friend at the time, a guy named Gary Rawlings, was my best man at, in my first wedding. And I said, I said, Rawlings, do not embarrass me. You know, you're gonna do the best man speech, whatever you do. You know, 'cause I mean, he knew, he knew where the bodies were buried times, you know, to the power of infinity. And I, so he was very dangerous to have up there on stage. And I said, and he had a, like a, you know, kind of a dry sense of humor where he could have really gone too far.

So I, I mean, I put the fear of God into him. And so he, he, he got up, he was, he received the microphone and he held his, he held his hand up and he said, Gibson, you know, told me I was forbidden from saying anything really that would embarrass him. So I'm just gonna say live long and prosper <laugh>. Now, Gary could not do the Vulcan hand sign, so he had rubber bands, oh no, around his <laugh> around his fingers. That's hysterical. In order to make, in order to make them do that. So anyway, I can do it with one hand but not the other. I could do it with my, no, I'm, I'm, I'm nondominant, clearly. A double, I'm a double Vulcan. I guess it takes practice. I can animate them and, you know, do whatever they need to do. Yeah.

<laugh>. Okay. Okay. So before we wander away, as I said, at least for the time being, from the topic of satellite security, which turns out is a rich field, I mean, there's been, and it generated a huge amount of interest among our listeners, so I'm glad that we spent some time talking about this the last couple weeks. I wanted to talk about another aspect of the use of satellites by bad guys, which is the, which again, I wasn't aware of, but makes sense when you think about it: the deliberate routing of internet connections through space. This is done as a means of thwarting the persistent efforts by law enforcement to track down, shut down, and sometimes take over the command and control servers and infrastructure which are being used by the major advanced persistent threat groups. Since, you know, since it's another thing that we've never explicitly covered, I thought that now, while we're still looking skyward, would be a good time to add this to the growing list of things that we have covered.

So, way back in September of 2015, this is not news, this is eight years ago, Kaspersky published an informative research piece titled Satellite Turla, T-U-R-L-A. Turla is, is the name of an APT group. And, and so their title was Satellite Turla: APT Command and Control in the Sky. Oh, what, what is an APT? Can you, I mean, I, I know it's a resident, basically a resident infection. Yeah. I think the first time we encountered it on the podcast was when one was discovered at Sony Entertainment. Right. And so they were wandering around for months inside the Sony systems. Like a long time. Yeah. Yes. And so that may have been where this notion of, you know, so advanced persistent threat. Advanced obviously means it's not some script kiddie doing, you know, up, up to nonsense.

This is a serious, a serious organizational intrusion. Persistent meaning that, you know, again, it wasn't something that was executed and then, and then died. It established a, a, a, a foothold in some sort of corporate asset. And from there, it then was used for surveillance over some long period of time. We've seen printers, for example, being a, you know, no one would, would think of a printer as being a computer, but of course they are. And their firmware is no more secure than anything else, unfortunately, these days. And so we've seen APTs that set up shop in printers. Yeah. Where as, as I said, no one thinks to look, right. And then from there, they're, you know, they're on the network, so they're able to, to go out and see what's going on. So all of these things need some means of phoning home in order to report their, the, the things that they have found, and also, as we'll see, to give, to create a means for allowing the bad guys back in over time.

So Kaspersky in their writeup stopped short of explaining the, the detailed network packet flow, but they did provide enough for us to fill in the rest of the technology. So, first I, I've skipped over some of their warmup introduction, which would be redundant for, you know, our audience. But I want to sort of create the background that they did create, and then we'll figure out how the packet flow works. So Kaspersky said, when you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for command and control. These servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used to trace the attackers back to their physical locations. Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem: the use of satellite based internet links.

And again, this is in 2015, so this has only matured since then. In the past, Kaspersky wrote, we've seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group, also known as Snake or Uroburos, names which, which come from its top class rootkit. The Turla cyber espionage group has been active for more than eight years, and that was more than eight years in 2015. And, and they're still a name that's around. So, you know, they've been at this for a while. They, Kaspersky said, several papers have been published about the group's operations. But until recently, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering hole attacks. What makes the Turla group special is not just the complexity of its tools, which include the, the Uroburos rootkit, a.k.a. Snake, as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based command and control mechanism used in the latter stages of the attack.

In this blog, we hope to shed more light on the satellite based command and control mechanisms that APT groups, including the Turla/Snake group, use to control their most important victims. As the use of these mechanisms becomes more popular, it's important for system admins to deploy the correct defense strategies to mitigate such attacks. For IoCs, remember, indicators of compromise, see the appendix. Although relatively rare, since 2007 several elite APT groups have been using and abusing satellite links to manage their operations, most often their command and control infrastructure. Turla is one of them. Using this approach offers some advantages, such as making it hard to identify the operators behind the attack, but it also poses some risks to the attackers. On the one hand, it's valuable because the true location and hardware of the command and control server cannot be easily determined or physically seized.

Satellite based internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large. The method used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite internet subscription. On the other hand, the disadvantage comes from the fact that satellite based internet is slow and could be unstable. In the beginning, it was clear to us and other researchers whether some of the links observed were commercial internet connections via satellite purchased by the attackers, or if the attackers had breached the ISPs and performed man in the middle attacks at the router level to hijack the stream. We have analyzed these mechanisms and come to the astonishing conclusion that the method used by the Turla group is incredibly simple and straightforward, as well as highly anonymous and very cheap to operate and manage. Purchasing satellite based internet links is one of the options.

APT groups can choose to secure their command and control traffic. However, full duplex satellite links can be very expensive. A simple du... now this is in 2015, a simple duplex one megabit up/down satellite link may cost up to $7,000 per week. For longer term contracts, this cost may decrease considerably, but the bandwidth still remains very expensive. Again, and again, this is back in 2015, so things may have changed since. Another way of getting a command and control server into a satellite's IP range is to hijack the network traffic between the victim and the satellite operator, and to inject packets along the way. This requires either exploitation of the satellite provider itself or of another ISP on, on, on the way, you know, in line. These kinds of hijacking attacks have been observed in the past and were documented by Renesys, now part of Dyn, in a blog post dated in November of 2023.

So two years before this one was written in September of 2015. According to Renesys, quote, various providers' BGP routes were hijacked, and as a result, a portion of their internet traffic was misdirected to flow through Belarusian and Icelandic ISPs. They said, we have BGP routing data that show the second by second evolution of 21 Belarusian events in February and May of 2013 and 17 Icelandic events in July through August of 2013. In a more recent blog post from 2015, these researchers point out that for security analysts reviewing alert logs, it is important to appreciate that the IP addresses identified as the source of incidents can be and are regularly spoofed. For example, an attack that appeared to come from a Comcast IP located in New Jersey may really have been from a hijacker located in Eastern Europe, briefly commandeering Comcast's IP space. It's interesting to note that all six cases discussed above were conducted from either Europe or Russia.

Okay. Now they write, obviously such incredibly apparent and large scale attacks have little chance of surviving for long periods of time, which is one of the key requirements for running an advanced persistent threat operation. It's therefore not feasible to perform the attack through man in the middle traffic hijacking unless the attackers have direct control over some high traffic network points, such as backbone routers and fiber optics. And of course, that's unusual too. They said there are signs that such attacks are becoming more common, but there is a much simpler way to hijack satellite based internet traffic. Enter satellite link DVB-S hijacking. They said the sat, the hijacking of satellite DVB-S links has been described a few times in the past, and a presentation on hijacking satellite DVB links was delivered at Black Hat in 2010 by an S21sec researcher.

So to hijack satellite DVB-S links, one needs the following: a satellite dish, the size depends on the geographical position and the satellite. A low noise block downconverter, typically called an LNB. And that's generally part of the satellite dish that you, you know, you get mounted on, on, on your roof if you're subscribing to Dish Network or, or whatever. You also need a dedicated DVB-S tuner, which takes the form of a PCIe card these days, and a PC, preferably running Linux. They said, while the dish and the LNB are more or less standard, the card is perhaps the most important component. Currently the best DVB-S cards are made by a company called TBS Technologies. The TBS-6922SE is, is the best entry level card for the task.

And that can be had for about a hundred bucks. The TBS card is particularly well suited to this task because it has, it has dedicated Linux kernel drivers and supports a function known as brute force scan, which allows wide frequency ranges to be tested for interesting signals. Of course, other PCI or PCIe cards might work as well, while in general the, the USB based cards are relatively poor and should be avoided. Unlike full duplex satellite based internet, the downstream only internet links are used to accelerate internet downloads and are very inexpensive and easy to deploy. They're also inherently insecure and use no encryption to obfuscate the traffic. This creates the possibility for abuse. Okay, so Kaspersky's article, as I said, did not go into any more detail about how this works. They switched to providing tables of IP ranges that had been observed in the past and noted the satellite internet service providers that were using those ranges.

But fortunately, we have all the information we need to understand the advantage this gives to anyone who's attempting to hide their command and control server. The key is that these internet communication satellites have extremely broad coverage areas, coupled with the fact that, just like the internet, the IP packet traffic being carried is not itself encrypted. As we know, TCP and UDP are not encrypted protocols. They're just carriers of data that today is typically encrypted. That is, the data they're carrying is encrypted, but they themselves, the actual underlying protocol, is not an encrypted protocol. Okay, so imagine that some nasty, nasty advanced persistent threat malware has been surreptitiously placed into a high value computer. And that more than anything, the bad guys do not want their command and control infrastructure, which this malware will be reaching out to, to receive instructions and updates and things, to be discovered, commandeered and shut down.

Presumably, this APT threat group has many such infestations, which are all reusing the same infrastructure. So the loss of that command and control server would cripple the entire network that they had established. Okay? So they have their APT malware periodically, periodically send a UDP packet to the IP of a previously chosen customer, probably a big stable customer of a given satellite based internet provider. Having the malware send an outbound UDP packet has the effect of opening up return paths through any NAT routing and firewalls that would otherwise prevent unsolicited traffic from entering the enterprise's network and reaching the malware laden machine. So you want the malware to initiate communications, which actually works in favor of this whole architecture. So this UDP packet is sent out to a previously selected customer of a satellite ISP.

So it will be received first by that ISP. So this is a block of the, of, of that ISP's IP space. It comes to the ISP, but unlike other IPs, the received packet is beamed upstream directly at a chosen communications satellite. This causes it to then be rebroadcast out across the entire coverage area of the satellite, indiscriminately. Somewhere down on the ground is that subscriber of that, of, of that internet ISP, but also somewhere else, anywhere else within that satellite's large coverage area, the malicious command and control server is silently lurking with its own satellite dish passively aimed up at the ISP's broadcasting satellite. It patiently listens for any UDP packets addressed to that IP, since the subscriber will likely have their own NAT router or firewall that will simply ignore any unsolicited nonsense, as everything has to these days.

And since that subscriber may have been preselected to make sure that that's true, their receipt of that incoming packet will be ignored. Right? It's just a radio packet coming in on their satellite dish. But it will be what the malicious command and control server base station has been waiting for. Upon receiving that UDP packet, the base station can reply by sending its own UDP packet via terrestrial ground internet, since there's no need for it to be returned to space, right? It's just an IP packet, so they can drop it on any IP connection and it'll find its way back to the original malware that initiated it. This allows the command and control system to send whatever commands it may wish back to the querying machine. And the traffic doesn't need to only be UDP, nothing. It's just sort of easier for this example.

But nothing prevents the, the listening command and control base station from establishing a three-way handshake and bringing up an encrypted TCP connection. The key to the hack is that it's the world's largest air gap. The outbound traffic is being sprayed over a huge geographic area to be picked up by a totally passive satellite dish that there's no way of locating. And it could be anywhere, it could even be mobile, as you know, within the, the, the range of the satellite. And the command and control system's IP address being used is someone else's, not theirs. And so this, like, it's an air gapped man in the middle traffic interception attack that, you know, is gonna work and prevent the command and control server from ever being discovered. So unfortunately, you have to give the bad guys some credit for this hack. It's pretty slick.

Okay. So Apple just updated its developer program to further crack down on developers who are abusing some of its API features, which are being used to collect data on user devices. And they're doing that as an underhanded means of tracking them online. Apple said that even if a user has given an app permission to track their activity, fingerprinting the underlying device is still not allowed. Yet it is still going on. So with the release of iOS 17 and macOS Sonoma this fall, developers who want to continue to have access to these features, which could and have been used to enable persistent device level tracking, are gonna have to provide a valid reason to Apple for having that, right. Apps that don't provide a good reason will not be accepted on the App Store as, as soon as iOS 17 rolls out and Apple begins to enforce this policy.

And Leo, I'm, I'm astonished by the apparent value added by this tracking. I mean, we're, I mean, tracking, it, it just, it must be that it provides so much more benefit to advertisers above and beyond just, you know, putting their ad on a page where it makes sense for their ad to appear. Well, I have strong opinions about this. <Laugh> Advertisers think it provides value. There's a lot of evidence that personalized ads don't in fact work better. But, I agree. Yeah, but if you're an advertiser, think about it. You, you would, I mean, there's a famous saying that I know my, I know that half of my ads work, I just don't know which half. They would love some idea that they're hitting a, an audience that's interested in buying, for instance. They haven't been able to, you know, on TV, you really can't do that if you buy network television, right?

That's why it's mostly brands on network television. They know, well, we're enhancing the brand, Pepsi or Budweiser, right? And so that million dollar ad on the Super Bowl is worth it. But for podcasts and websites and, and a lot of the digital world, we have some targeting. You can target, you know, Facebook and Google live on this, and it makes them feel better. I don't know if, you know, there's the, there's a third category of advertising, which is the advertising we do, which is called direct response advertising. That's why we always have a URL or, right, you know, on late night TV you'd see an 800 number or a, an offer code. That's another way of, of an advertiser kind of reassuring themselves that their advertising is working. They're all imperfect. And all the studies I've seen say that tracking is not a very effective way of, you know, that targeting your ads doesn't really make that much of a difference.

But advertisers believe it. And maybe even they know better. They're, the agencies need something, they're grasping at straws. Maybe, may, maybe what's happened is that this is all to support a, that sketchy data broker business. No, no, no. I don't, I think that's a wonderful side business <laugh> for the companies to sell it. But remember, Google doesn't sell to the data brokers. Facebook doesn't sell to the data brokers. But they do. So they're doing it for their own purposes. They're doing it only internal. Well, they're doing it 'cause advertisers demand it. Per, I mean, that's why we do it. We do very limited tracking as, you know, a podcast. It's impossible to know with an RSS feed anything but the IP address of the visiting computer, right? And, and we don't do more than that, but we do use services of a variety of different services.

Right now we're using something called Podsights. They're an independent third party. We send them the IP addresses of people who listen to Security Now, and the advertiser sends them the list of IP addresses of people who visited their site. The third party goes, okay, 32% of the people who heard the ad visited your site. They don't give the information to the advertiser. We don't get the advertiser's information. So there's no matching of IPs. It's only done by the third party in, in a private way. And, you know, even that I resisted, but honestly, we would not be able to sell advertising because, and that's the thing, the advertisers don't, they're spoiled, right? It's not even, they're spoiled. They just, they have a faith, a firmly held belief that, that this information helps them. And they refuse to buy. They'll only buy ads where they can get that information.

Frankly, we're lucky. We, we have a hard time selling ads against people like Google and Facebook, who will say, I can give you 25 year old to 30 year old men in Petaluma, California. Would you like that? Or I can give you people with income over a hundred thousand dollars who live in the Northwest. Would you like that? We can't do that. You know, all we can say... So we are losing, frankly, we are losing out to Facebook and Google, which have about 88% of all the online ad sales because they offer that kind of information. So they're gonna keep doing it. And you know, you see Google doing all sorts of, man, you know, maneuvers to get us to trust them. They don't. They don't. So they've turned off cookies. And we were talking the other day about this new Web Integrity initiative that they're proposing they're gonna build into Chrome.

That's just one more way of them knowing who's there, and advertisers insist on it. So that's, they think they have to do it. Whether they, whether anybody believes in it working, I don't know. But they think they have to do it. We have, we have to do what we have to do, or we would have zero advertisers. As it is, we lose a lot of ads, 'cause we can't give them, you know, people just go, I'm gonna buy Facebook or I'm gonna buy Google. Wow. So minus some of our advertising, not so much on this show, but some of our advertising is now direct insertion, where we use a company, a Libsyn company called AdvertiseCast. We just started doing this. And we pause, put a sig, put a little trigger in there, and they stick in an ad. And those advertisers like them a little bit better 'cause they can geographically target.

We, you know, your IP address has a rough geographic location. So when this, when the, when one of our shows airs in Spain, for instance, a Spanish advertiser will buy that knowing that, well, I'm only 'cause they don't wanna buy US listeners 'cause they're not customers, right? So they'll have an ad and they say, oh, we know this is, these are the people who listen to this show in Spain. Here you can have that. So it's another form of targeting. But you know, advertisers, they, they demand it. And if you're an ad supported media company, you have to find a way to balance your, you know, your our, we believe in our community, and especially your listeners. They don't wanna be tracked. Well, no. And in this case, so we have Apple who's trying to thwart the, you know, surreptitious, underhanded device tracking, you know, they have themselves and they have all these ads themselves, this information themselves.

So they have first, and this is what we were talking about earlier, as you heard on MacBreak Weekly is first party tracking like Facebook and Google and Apple do. And of course, what they're really saying is, we want this to ourselves. We don't want some app on your phone to have the information. We have the relationship with the customer. We have. Yeah. They're not saying we don't want advertising and we don't wanna track you. They're saying we don't want them to track you. So we can <laugh> it's our, it's our advantage. So I'm a little, I'm cynical about this whole thing. Yeah. Well and there is a different form of tracking that you also touched on. And that's a more deliberate form. And that's back into the deep dive that we took a couple months ago on AirTag tracking technology.

Oh, yes. The as we know this AirTag tracking technology is Bluetooth based, so it's inherently crowdsourced. So this of course relates to the Apple and Google agreement. It's in both parties' interests, Apple and Google, to have a single common standard which they share so that both Apple and Android handsets can provide the tracking location feedback for each other's ecosystems. And you know, so what they announced when we talked about this a couple months ago was a joint specification, but it was really indistinguishable from what Apple had already been doing for several years with their AirTags. So what appeared to have actually happened was that, you know, Apple had opened their specification for Google and Google was happy to take it because, you know, they already had a, a, an established ecosystem and then people would be able to use their Android phones as, as, as track feedback devices as well.

So it's good for everybody. Last Thursday's news is that Google would soon be adding unknown tracking alerts to Android. They said in, in their announcement unknown tracker alerts, which we announced at I/O 2023, are beginning to roll out to Android 6.0 plus users this month. And they also said, unknown tracker alerts currently work with Apple AirTags and of course other third party tags. They said we'll continue to work with tag manufacturers to expand this important protection to other tracking tags over time through our joint industry specification. Now, what you had seen was a story that said that was gonna be put on hold Yeah. To the end of the year, which I mean, and I'm, so I'm not sure if, if unknown tracking alerts, I mean that's only unknown. Tracking alerts is one aspect of the whole AirTag tracking. The other side being, you know, you own AirTags and your device is telling you where they're located.

So that's, that's different than being aware of an AirTag that is traveling with you. So maybe we're talking about two different things, or maybe we're talking about everything being on hold till the end of the year. Now, I'm not sure. Yeah, so I was fooled too. 'cause The headline of the article I was reading said it's rolling out <laugh> and at the last paragraph of the article is, well, so Google announced it at Google I/O in May. I mean, the problem is you can have AirTags following you around, unless you've installed an app on your Android phone, it doesn't know about AirTags well installed. And it's running and it's running. And by the way, it doesn't work very well. So yeah, it was reasonable for Google and Apple to try to solve this problem by Google building it into Android and, and, and, and so forth.

And so Google announced it in May that they were gonna do this at Google I/O. They had thought they were gonna put it in Android I think is, it is Android 14 is, is soon. But the, this article and, and I guess six, I guess 6.0 is, is the kernel right kernel version. So this article I'm reading along and they're gonna do it. They're gonna do it. And then the last paragraph of the article is Google has announced it's putting this off until the end of the year because of the Apple Google Consortium. They wanna work it out between the two of them. So I don't think it's in there now. I know I was very confused by this personally, so I don't <laugh> they've promised it and we need it. Well, but is it here? I dunno. Yeah. And so, so what I picked up on said, you know, are beginning to roll out to Android 6.0 plus users this month.

So I saw that too, too. And that was the same article that then said at the end of the article, well, except <laugh>, no. So I'm, except not. I'm very confused by the, the whole thing. Lemme see if I can find the article I read. 'cause I bet it was the same as the one you read. I bookmarked it in my in my thing here. And I think it was almost, it was as if they had written the whole article and then did nevermind <laugh> on, on the whole thing. It was Uhhuh <affirmative>. So yeah, the headline of this article is just as you said, Android will now warn about unknown Bluetooth trackers like AirTag traveling with you, Sarah Perez writing for TechCrunch July 27th. Google today will begin to roll out a new safety feature, unknown tracker alerts, but then go down to the bottom.

Same article today, however, Google says this update is on hold. Wow. Wait a minute. Also announced, Google said it would update. Its f Okay, so I guess the alerts are there, but they are not updating the Find My Device network to work with third party. I guess that's the, that's what just what you said. Okay, so I, so if you read this carefully, which I didn't, apparently the update that's on hold is updating Find My Device to work with third party trackers. So they are gonna, but then, then it says the decision is made to wait to roll out these updates because Google is now working in partnership with Apple to finalize the joint unwanted tracker alert specification by year end. Wow. Really confusing <laugh>. I think we are getting the alerts. I think it was just a poorly written article that we are getting the alerts.

Yeah, I think that, I think, I think that is right is that you'll with Android 6.0 kernel, you'll begin to be told if something is traveling with you, the other stuff to come later. Yeah. And it does say currently work with Apple AirTags, we will continue to work with tag manufacturers to expand this important protection. So I don't understand why it's not working with everybody, because you know, all I thought this, it's already all works the same A five standard. Yeah, yeah. But apparently not also announced. Google said it would update Find My Device network to help users locate other missing belongings, which can be located by third party Bluetooth trackers. Now Google doesn't sell a tracker, so anything Google works with is third party, including AirTags, Tile, Chipolo. And I would say they don't yet sell one because, boy, I'm astonished by how popular Apple AirTags are.

Yeah. Remember? Oh, they, they're dominant shared the numbers. It was millions of them were selling well. And the thing, I think what really, there's lots of ways to track people as we know. And you know, there's one fewer AirTag in use Now, Leo <laugh>, after you go, by the way, Bert gave me a much better hammer for next time I wanna destroy something, I now have a mini sledgehammer. He didn't understand fully my plan, my equal. Okay. So the National Defense Authorization Act, which successfully passed through the US Senate last week, included a provision requiring the National Academy of Public Administration, whatever the hell that is, to conduct an assessment on the feasibility of establishing a new formal seventh branch of the US military, which we've talked about several times, the US Cyber Force. So this does appear to be happening since many of our listeners have explained that wearing ridiculous camouflage clothing indoors is a bizarre requirement of the US military.

Now that's my word, bizarre, not theirs. You know, perhaps at least the Cyber Force's camo could have, you know, some cool cyber theme, like maybe like those, those green falling and fading symbols from The Matrix, or maybe just do the whole thing as in, in ones and zeros. That would be very cool, right? Like make camo out of ones and zeros. Well, remember it's supposed to be camo, I think. Why can't they just make something that makes you invisible? I mean, let's do it. That'd be really good. Yeah, yeah, yeah. Make a stealth, a stealth, a stealth camo. That'd be good. Oh, yeah. Anyway, I, I do hope that someone gives this as much thought and serious consideration as it is clearly needed, because this US Cyber Force, if they're gonna have to wear some ridiculous outfit, let's, you know, let's make it techie and cool.

So a number of our listeners are saying, including in the Discord that, and somebody in the UK, that they do have these alerts now on their, on their Android phones. So it did roll out. Yeah. Yay. Good. Thank you. I there's a do users listeners super use for feedback. Yeah, yeah. Now the other wrinkle is that both the Army and the Air Force, you know, obviously well established branches of the military, have recently created their own new specialized cyber teams to support their traditional kinetic teams, as we're calling them, you know, with cyber tasks related to intelligence gathering, electronic warfare and sensors. And I think that makes sense since those cyber teams which support the traditional kinetic forms of warfare are probably gonna be highly targeted and specialized for their specific tasks. Whereas the military's new seventh branch would be far more wide ranging, you know, and not all focused upon specific current Army and Air Force military operations.

So anyway, but through all this, it is quite obvious that cyber, I know you love that term, standing by itself, Leo. Cyber has well and truly arrived both on the front lines and soon in dimly lit dens filled with monitors and empty caffeinated beverage cans, <laugh> so, and pizza buckles. I wanna know what they're gonna be wearing. That's all I'm saying is, you know, we should explain for some reason this, so for some reason this really matters to me, we should explain that. A couple of weeks ago, Steve found a photo of the cyber defense command and they were all wearing BDU battle dress uniforms that were camouflaged, but obviously they're not in the jungle, so they're in a room, they're not even you can't even observe them from satellite reconnaissance <laugh>.

We have to find some stealth uniforms for them. Yeah, Tempest uniforms. Okay. So meanwhile, Russia continues to separate itself from the West. The Russian parliament just passed three bills, which once signed into law by Putin will ban Russian citizens from participating. I know this is crazy in the act, in the activities of foreign nonprofit organizations that have not specifically registered with the Russian government and none have commentary about this over on open notes that an unintended side effect will be that Russians using open source software would be prevented from contributing in any way to those projects, even from submitting bug reports. Now, as we know, today's open source software includes Linux, Firefox, most major database systems and programming languages. Now, I read the entire piece after having Google Translate it into English for me, and it only talked about the unintended consequences. I was unable to determine what the intended consequences of the three pending bills would be.

Why would Russia think this was a good idea? I know one of the reasons repressive regimes pass bills like this is for selective prosecution. So, okay. You know, if they need a way to get you, if they wanna stomp on somebody, yeah, they have a law for us. Whoa, what's the copy of Linux doing there? You are in trouble, big boy. That kind of thing. Yeah. Yeah. I mean, I don't, I can't imagine they wanna stop all open source. I mean, they're using it. Yeah. The Russian official operating system is a Linux-based operating system. Yes. And there are lots of really good Russian teams that are doing good work. Well, maybe that's who they're stalking. You wanna check, you wanna check the source code, but still, yeah, that maybe that's what it's all about, really. You know, it's kind of retaliation for the sanctions or something.

We don't want you to have any of our stuff, right? So VirusTotal is out with their look at 2023 to date. It's always interesting since it, you know, they've got a, a, a good snapshot since everybody is submitting stuff to them. You know, whenever I, as I've mentioned before, when I download some old archive from, from some sketchy looking site, I immediately, you know, hand it to VirusTotal to see what it thinks just because, you know, it's better to be safe than sorry. So they get a really good snapshot of this. So they, they have some main takeaways from their most recent update. First of all, email attachments, to no one's surprise, continue to be the most popular way to spread malware. However, traditional file types, Excel, RTF, you know, rich text format files, CAB and compressed formats are becoming less popular.

Although the use of PDFs slowly decreased for the last few months, starting in June of 2023, the biggest peak in PDF usage was observed during 2023 compared to the, to the previous two years. So PDFs are still a big deal with a, like, you know, just a little, maybe they're, you know, a little summer slump for some reason. However, the big changes are in OneNote. OneNote and JavaScript, both distributed through HTML, are the most rapidly growing formats for malicious attachments in 2023. With OneNote emerging this year as a reliable alternative for attackers to the traditional use of macros in other Office products, malicious OneNote files usually embed an additional malicious file. So OneNote is just sort of serving as a, as a recognizable container that seems benign. And I guess it's, you know, leave it to Microsoft.

Their various security permissions allow OneNote to be opened when, when you click on something in a, on, on a webpage. So yeah, let's have OneNote bring it in. So OneNote files usually embed an additional malicious file, a VBA, HTML, JavaScript, PowerShell or some combination of those. And as happens with, with malicious Office attachments, the attempt is then made to convince the user to allow its execution. Payloads vary from malware from one malware family to another, but many of them access external URLs to then download a DLL file, which is camouflaged as a PNG, you know, which is an old trick used to bypass simple firewall rules or just to appear less suspicious to anybody who knows to look. The most usual kill chain, as <laugh> as it was noted and stated, where OneNote format is involved is three steps.

The victim receives an email with a OneNote attachment. The mail body encourages the victim to click on a button to see a hidden or distorted image or document. Second, this button executes a script, VBScript, PowerShell or whatever. And that will launch a payload either embedded into the same script or downloaded from an external resource. And then finally, the external payload might be yet another OneNote file, an image file renamed as a .bat file, a DLL that is loaded into memory, or even a Windows executable. So we have inherently dangerous capabilities mixed with social engineering attacks. And only one mistake made by one curious or inattentive employee within a major organization is all that's required to invite the malware in to set up shop. And who knows, contact a satellite internet provider in order to say, Hey, I made it in.

What do you want me to do? Following behind OneNote, ISO image files for malware are now a flexible alternative for both widespread and targeted attacks. And their distribution as heavily compressed attachments makes them difficult to scan by some security solutions. So it says VirusTotal, ISO files are being disguised as legitimate installation packages for a variety of software, including Windows, Telegram, AnyDesk, and Crypto Notepad among others. VirusTotal said that, that, that they said, quote, our data shows that there was an increase in the number of malicious files attached to emails between March and April of 2023. In terms of suspicious attachments for the past two years, we have observed spikes in the number of suspicious PDF files linked to malicious campaigns. These files can be used for a variety of purposes, such as exploiting vulnerabilities or phishing, which is what happens most of the time.

And they said during 2023 so far, they saw a significant increase in the use of JavaScript distributed alongside HTML used in sophisticated, sophisticated phishing attacks, which were designed to steal credentials. Excel, RTF, CAB and compressed formats, as I mentioned before, and Word interestingly seemed to be declining in popularity along with the others as malicious attachments compared to OneNote and JavaScript. So that's the wrap up on, on what's been happening so far in 2023. And we should have already taken a break, Leo, but let's do it now. I'm, I'm gonna share some amazing feedback from our listeners. Ah, I'm ready to go with amazing feedback. Our show today brought to you by, and you know, this is a, a product that you use. I know that, and that I use, and that most of our listeners, I hope by now are using, I know what it must be.

It's gotta be Bitwarden, right? The only, the only open source cross platform password manager you can use anywhere, anytime at home, on the go, at work. We are moving to Bitwarden Enterprise as I speak here. And of course I've been using Bitwarden the individual plan, which is free forever on any device, unlimited passwords, for some years. Steve uses it. We all love it. Look, I know you know that you have to have a password manager if you listen to Security Now and you haven't figured that out yet. I, you know, it's funny because people can lie to themselves. People do they, so for instance, you know that the big, one of the biggest threats is maybe the biggest threat is reusing a password or using an insecure password because it's easier to remember. You should be making long, strong, unmemorable, totally random passwords and they should be unique for every place you use passwords.

You know that if you listen to the show, you know that, but you know in your head you go, well, I know, but my birthday and my dog's maiden name is easy for me to remember and nobody's ever gonna guess that. You should also know never to underestimate the ability of brute force attackers. It is mind boggling what they can do and they are after everybody. So, and it's so easy to use a password manager and with Bitwarden it's free. All the data in your vault is end-to-end encrypted, not just your passwords. That's important. Not all password managers do that. No metadata is leaked out at all. In the summer 2023 G2 Enterprise Grid report, Bitwarden solidified its position as the highest performing password manager for Enterprise, leaving competitors in the dust, I might add. Bitwarden protects your data and privacy by adding strong randomly generated passwords for every account.

And most importantly, by making it easy to do that, easy to generate them, easy to use them, easy to protect yourself, and now they've added new features, which are even better. This is one of the advantages of open source. We've talked about the key derivation function, which makes it harder to brute force your password vault. Everybody's been using PBKDF2, sometimes with too few iterations. I turn my iterations up to 2 million to give it the most protection. But there are better algorithms. There's the memory-hard Argon2 algorithm. There's the bcrypt algorithm. Well, interestingly, I think he was one of our users actually, Ton, one of our listeners, Steve, who wrote these 'cause it's open source, and did a pull request and, and, and offered implementations of these memory hard algorithms to Bitwarden. Bitwarden looked at 'em, worked with Ton, and ended up saying, we're gonna do, we're gonna implement Argon, your version of Argon2.

Within a few months it was available. Everybody who's using Bitwarden 2023.2 or later, which it should be everybody by now, can use it. I turned it on immediately. Makes no difference in the speed or usability of Bitwarden, but it makes a huge difference for an attacker who wants to brute force y you know, it's just, it's, and the, and the default settings, by the way, those are the ones you use. They, they put in some extra stuff, which is interesting. Someday we'll talk about that. But just no, the default settings are exactly right. They also now have a username generator. So not only do you have a unique password for every site, but you can have a unique username. In fact, they work with five email services, including our sponsor Fastmail. So you can still get email at that address <laugh>, which is really cool.

There are five different integrated email address services that you can use to create aliases unique to every account. So that makes it, you know, you get the bad guy, gotta get the password, they gotta get your new unique email address. It's not your real email address. And of course if you're using two factor, you should be, they gotta get that too. Because it's open source, you can see all of Bitwarden's code. It's on GitHub. You can look at it if you want. Now, I know most people when, when I say that, go, well, I'm not gonna know what to look at. But here's the good news. Not only is it open to experts and anybody who wants to view it, they yearly go through a professional third party audit and publish the results on the website. So you can be assured.

Go look bit You can be assured that you are twit. Don't forget the slash tweet by the way. Bit Use that address if you will. That it's all secure and open source. They have some really nice features in the teams and enterprise organization plans that let you share data with coworkers across departments. There's a teams organization option $3 per month per user enterprise organization. The one we're gonna use is $5 per seat, per user. And of course the individual basic free account, always free, free forever. I ask them, is it free forever? You're ever gonna charge for that? They said, we can't. It's open source. We can't <laugh>. If we did, somebody would fork it and it'd still be free forever. So they have, this is not our business model. They say they do offer a premium account, which allows you to use two factor 10 bucks a year, a year.

I did that before I even knew what the benefits were, just 'cause I wanted to support 'em. 'cause I believe in what they're doing. There is a family plan as well. Six users. They don't have to be in your family. All of them get premium features for $3.33 a month. About 50 cents per user. What is it? 54 cents per user or something? 56. Bitwarden has launched its new Bitwarden Secrets Manager. This is coming outta beta soon. This might be something as, as a developer you might wanna take a look at. It lets you keep developers' secrets outta the source code so you don't actually commit them. And, but it keeps 'em secure in the vault. Okay? Right now our friends at Bitwarden are having a little, a little fun contest. They want to hear about you and why you love your password manager.

They do have cash prizes. It's a short video contest. But you're gonna have to check them for the rules and the details. If you go to bit, 'cause you've got talent, you can learn how to enter and win. Examples, rules, submission instructions, all of that. You got two weeks. August 13th is the deadline. Bit That's fun. Look, <laugh>, I shouldn't have to tell you. You need a password manager. If you don't wanna use one, it's on your head, fine. Tell your family and friends though, Bitwarden, do them a favor. At least get started with Bitwarden's free trial of a team or enterprise plan at work. Get started for free for yourself with your personal account. Bit They're just the best. That's all there is to it. And we you know, I've been using them and, and, and recommending them long before they became a sponsor.

I was just very glad that they became a sponsor so that you know, we could really tell you about Bitwarden and they could help support what we're doing here with Steve and Security Now. I did wanna mention Steve. I got a, a email from somebody who says, oh, my VPN, I think he's using Nord. NordVPN is one of the VPNs that I think blocks CacheFly of all things. I can't download your podcast. And, and it may also be the trackers. You could whitelist the trackers. A lot of ad, uBlock Origin, for instance, makes it hard to download. You can whitelist them. But what I would suggest is you pay for the podcast, you can get it individually just if it's just Security Now, $2.99 a month, iTunes offers that. I think Spotify might as well.

Or get a Club TWiT membership for seven bucks a month. Get everything ad free with no trackers, nothing. So we were talking earlier about trackers. We have to do trackers for advertisers, but if there's no ads, we don't. So if you want ad free versions and tracker free versions of all the shows, we offer that for people who want it. But we've gotta pay for it somehow. <Laugh>. So either you give us some money or an advertiser gives us money, it's your choice. But if you haven't yet joined, please, twit.tv/clubtwit, get Steve's show by itself or get all of our shows for just a little bit more. Okay, Steve, on with the show. It's, it's funny too when, when, when you're talking about password managers, I, I just, I can't imagine life without one. I mean it's so much easier once you're used to it.

Right? Well, and I think that, yes, that and maybe 10 years ago, 20 years ago, well, I mean, you know, people had four or five online accounts. You know, me, it, they weren't, there wasn't that much to do. Yeah. There wasn't that much going on online. Now our lives are online and, you know, I mean, you know, all of our utilities we have accounts for and, and all of our various services, we have accounts and, and you know, if, if you want to, to grab a car and drive somewhere, or, I mean, I just, just, you know, all all of the airlines, you have account, I mean everything. And so if, if they're gonna all have their own password, you just have to, you have to. Even if it were memorable, you have to, but I can't tell you how many people I know in my own personal family even who know better.

But they, you know, it's just, well, yeah, I don Okay. Patrick Delehanty, our engineer, says his dad, who was a US attorney, had a little black book of passwords. <Laugh> the problem is it, yeah, you can do that, but then you have to generate unique passwords each time. It's just easier to use a password manager and let it do the heavy lifting. Yeah. I think easier than putting in a notebook. You don't have to write it down. You don't have to remember. You don't have to look it up. It just does it. Yeah. Anyway. Okay. So some feedback. Jeff Parrish, he said, thank you for another great episode. I am IT for a healthcare facility. And this episode, referring to last week, made me review the HTML of our EHR provider. I have now contacted them about the Google Analytics tracking they have on their site after we are logged in.

So that was cool and useful too. At least one of our listeners, actually another one, Robert C. Covington. He's a longtime listener. I oversee cybersecurity for a large children's hospital system. Wow. Your podcast transcripts are frequently on my screen. Yay. During team meetings. Wow. <laugh>, that's awesome. He's, yeah. He said regarding website tracking and the recent OCR notice referenced in episode 932 last week, there is a side consequence I've not heard mentioned. Cyber insurance companies are now declining to cover any legal actions arising out of website tracking and collection of personal health information. This is sending many healthcare orgs scrambling to get tracking tools off their websites. Keep up the excellent work. Robert Covington. He says, oh, he's a P.S. You fell into the classic trap on 932. It's HIPAA, not HIPPA. <Laugh>.

So <laugh>, thank you for the correction, Robert, and very interesting. That will certainly remove tracking from healthcare if they know that they're not gonna get any insurance coverage from their providers. If they do that and, and, and anyone gets called out for having, you know, personal health information disclosed. If there's trackers on there, it's, it's, you know, sorry, your insurance won't cover that. Wow. John Daigle said, hi, Steve, thanks for the shout out on the 25th July episode. That was last week. He said, I am the quote neat guy unquote, who you saw on TWiS, This Week in Space, talking about orbital debris. And he said was, he was joking. He said, I'm fairly sure you weren't referring to Jeff, and I'm really sure you weren't referring to Rod. Haha. So he said, thank you for your kind mention. He said, I've been a Security Now listener since episode one.

Proud SpinRite owner. And he says, and somewhere I have a certificate for a TWiT brick. He said, pretty sure I've not missed a single episode. At least not a whole one. At the beginning, I was in the US Air Force. I stuck around for hobbyist purposes and with a plan to go into cybersecurity. But I made a detour into space policy. Orbital debris is a clear and present concern. Oh yeah. If not actual danger. He said the space advocacy organization where I work considers this one of a handful of high priorities where there are a number of public sources for tracking objects in orbit. They don't all agree ACO according to, a relatively approachable source. Using that as a reference. And he said a high level summary is available here, and I have a link to it. It's a long URL nano many satellites are in space.

And that's all hyphenated how hyphen many satellites hyphen arms. And I think I clicked that and it showed a picture of the Earth. And if that's an accurate depiction, it's, it is a little sobering. And I think it, it may be accurate because it actually shows some of Elon's satellite trains. 4,500 SpaceX satellites, which is half of all satellites are SpaceX. Yes. Yes. This is not, not SpaceX Starlink, which is from SpaceX, but Starlink, Starlink from SpaceX. Yes. I thought Starlink. Oh, I was so happy when I, you know, oh, we're gonna have low cost internet coverage every corner of the globe. First of all, it's not low cost. It's very expensive. And second he's gonna put 42,000 satellites up. This is only one tenth. It's, it's gonna be star junk instead of Starlink. I mean, <laugh>. This is terrific.

So, so, so John said, there are about 7,700 to 8,400 active human made satellites in orbit around our planet. The vast majority, 90%, are in low Earth orbit. And so that, that's less than a thousand kilometers up. About one third of these have been added in the past few years, mainly by SpaceX Starlink. About 7% of the total are in geostationary orbit. The, the where, where these are LEO satellites, we were just talking about the GEO or, or our geo geostationary, he said with the remainder in medium Earth orbit. Very few of those, he said almost 2,300 inactive satellites, meaning they're up there. But you know, they, they, they died or they're dead, or their battery ran down or something. And he said, thanks for the shout out. And the, he's had the brush with greatness, Jonathan, Washington, DC. He's the policy chair for the National Space Society.

And, and yeah, you had that on, on the picture, that beautiful picture of the earth. And I think, I can't see it there, but there, it showed like Elon's, you know, Starlink chain? There's lines. Yeah. Yes. Lines. The New York Times this Sunday had an article about the concern, the political, geopolitical concern that Elon, who has, let us say, seemingly slightly erratic, controls this Starlink system. And the Ukrainian military relies on it. Yeah. For military communications. And they're concerned. <Laugh> They asked in May, the Times reported, they asked the federal government, what's the deal with this? Elon? And the government basically went <laugh>, we don't know. Well, and we're also in bed with him. Right. Because now we're contracting with him to launch our major space payloads. I bet they're regretting that a little bit right now. <Laugh> I mean, he just seems quite erratic and whew.

I'll find this New York Times picture. 'cause It's, it's actually animated and it's quite good. It's really nice. Really. It looks like similar data. 'cause Yeah, you could see this, these Starlink trains in it. Yeah. Yeah. So we have another listener, another listener, John Sutherland, whose Twitter handle is @JohnOrion, which I got a kick out of. He said, I wanted to offer a bit of knowledge I had about US military satellites. I was active duty in what is now Space Force for 11 years. And I'm currently a contractor still supporting space. I flew SATCOM for four years. Wow. Then taught for seven. That's cool. He says, I, what an audience. We have amazing people in the audience. We have amazing listeners. It blows me away. Yeah, it is great. He said, I taught both classified and unclassified classes, so I'm very familiar with where the line is for what's classified.

I can go right up to that line. Having just finished the second part of, of satellite insecurity, meaning last week's podcast, I can share that, luckily, most of the problems you talked about are not as true for US DoD satellites. Ah, I bet not. Yeah. We're well protected, I bet. Yeah. Yeah. He said the preconception that attackers would not have the equipment was never the case. China and Russia have always had similar ground station capabilities as we have. The oldest satellites I've worked with were developed in the late eighties, and they were highly encrypted and rolled keys constantly. For communication satellites, the data is just routed. So encryption is as good as it could be on Earth and not subject to the satellite's age. Controlling the satellites, i.e., moving them, changing configuration, is done with separate antennas that are monitored, and any communication with them is watched in real time.

If someone did break this encryption, it would quickly be learned. As for physical attacks, this gets a little interesting with his, with his choice of words. As for physical attacks, the arms of attacking satellites is only a start. When we tabletopped attacks and planned responses, TTPs, tactics, techniques and procedures, we looked at jamming, ASATs, which he'll explain in a second, mechanical arms and lasers, jamming being the most common and the ones we have actually seen happen. Most jammers are big ground-based semi-trucks or ships that just try to overpower the uplink. So they're just, no, they're, they're just blasting the same satellite target, hoping that, that it won't be able to receive the actual signal. He said most jammers. Oh, yeah. Oh yeah. So he said, he said, we have many mitigations to this. And I taught a class on RF attack and defense as part of operators' advanced training. ASATs, as he uses the term, as you talked about, with blowing up satellites from the ground, are extremely unlikely at this point.

We're much more concerned with small satellites with explosives. The idea being that an adversary would place and leave something small on a foreign satellite that could be triggered on demand at any time in the future. Whoa. So they're like, they're, they're plant, they're mining satellites without the satellite's knowledge. They creep up, stick something sticky on the side that's a bomb with a radio and then leave, and that, that can then be detonated in the future. So, I mean, what a mess, Leo. Can you imagine, like, everybody's satellites have all these bombs stuck to them by, from other, from other hostile nations? Oh, Lord, <laugh>. I really want, I wanna ask these, by the way, here's the New York Times animation. This is 10 minutes of Starlink satellites in, wait, in the future? No, no. This is as of now, launched as of July 10th.

This is current. Look at all of them. Yes. <laugh> Yes. Oh my Lord. Yes. I'm wondering if we're having second thoughts about letting Elon launch all of these. This is crazy. Wow. This is half of the entire satellite load. And they're only in a train before they've distributed themselves. Yeah. They deploy from the train. But if you look, right, they, it looks like there's groups of two and three in some places. It's a really interest, there's definitely method to the madness. Yeah. Those trains you see are not yet deployed. They launched that one. Right. Wow. And then they slowly deploy. Isn't that wild? Wow. I want our satellite experts, though, to tell me if I should worry about the Kessler syndrome, Kessler effect, or not. Right. You know, so if you blow up a satellite and then debris from the satellite then blows up five more satellites and the debris from those satellites blows up 25 more satellites and on and on and on.

Could you occlude the, the night sky? Or worse? This has been demonstrated with dominoes, <laugh>. I'm, it's starting to work. It's not good. <Laugh> I know there are missions that we, running missions, and I think China's running missions to snf up satellites. Like the Moonraker thing we were talking about. Uhhuh <laugh>. But why? I just, I mean, what happens, I mean, I guess when they've reached the end of their life, they just go through the atmosphere and burn. All I can say is we should hold onto our DVD collection, <laugh>, be, because we do not wanna become too dependent on the, on, on the internet, on space. Yeah. And maybe get some on, on space, on space-based internet. Crazy. So he, he, he finished saying, I cannot talk to the mechanical arms, as the line beyond which I cannot talk is around this.

Ah, but it's safe to, uhhuh, but it's safe to say that this has been looked at and is in some level of development by both sides. Huh? He said lasers are not a threat to all types of satellites, but China and Russia have used lasers to blind sensors of low-flying spy satellites. This is hard to guard against, but we do equip satellites with shutters now, and for satellites lacking shutters, we only need to spin them around. You see? And he finished, there's more that cannot be talked about. But with your level of technical knowledge and a little imagination, you could get close to guessing what's going on. I can tell you I've never been surprised when I got a security briefing. So, very cool. Christmas. I thank you, Jonathan. Thank you. We have wonderful listeners. We thank you all. Yep. It's really fascinating.

And another one, Michael Vid. Michael is on the board of OWASP in Gothenburg, Sweden. Oh, well, and he's the guy who invited me, me to pre, to present SQRL to their group. Well, it turns out that Michael knows more than a little bit, sa, about satellite software. Ah-Huh. He said, regarding authenticated telecommands to satellites. Now, we talked about this last week, right? They, the idea being that telecommands are ways you tell satellites to do things. But, but what the guys who reversed the firmware found was there was a surprising lack of authentication. He, so Michael said, what satellite programmers are most afraid of is bit flips caused by single event upset. What, what is termed an SEU, a single event upset. You mean cosmic rays? Yes. He says, wow, which happen due to radiation in space. He said, imagine that an SEU flips a bit in the key used to authenticate the telecommand.

Right. Authentication would fail. And guessing which bit or bits flipped could take some time. That's why you have ECC. I mean that, I mean, we have ways to, he says, he says there are of course mitigations, for example, using error correction codes or storing the key in multiple places. But complexity is the enemy of reliability, and resources, compute, flash, RAM, onboard satellites have been very scarce historically, and people want reliable satellites. So they are hesitant to introduce new features. "Flight proven," he has in quotes, is the mantra. So the old ways live on. The risk of losing the satellite because of an SEU, a spontaneous, a single event upset, has been deemed higher than the risk that the satellite is hacked. Hmm. Not an excuse today, but that's how the industry is. And then he finished saying, (parens) I have written software for two satellites, <laugh>.

And he said, se, yeah. Like, like you said, Leo, our listeners are amazing. Wow. SEUs are also one of the reasons telecommands exist to write to any memory location. NASA used this feature to restore a bit flip on Voyager 2 in 2010, 33 years after its launch. Wow. So Michael also provided a link to a summary from JPL, you know, our, the Jet Propulsion Laboratory in Pasadena, which documented events surrounding exactly this happening back in May of 2010. Somewhat astonishingly, Voyager 2 remains alive and functioning to this day. Though something happened with it just last week, which I'll get to in a second. We last checked in on Voyager 2 nearly five years ago, when on November 5th, 2018, it became only the second spacecraft to ever exit our solar system's heliosphere. And remember, Leo, we considered whether this event might break the simulation that Leon, that that, that Elon, among others, appear to be convinced we are all living within.

But so far the simulation appears to be holding. We were wondering if the, if Voyager 2 exited the heliosphere, was there a maximum radius at which the simulation, you know, w, would you still be functioning? And whether, you know, Voyager 2 might just spontaneously disappear because it, it got too far away. Anyway, let's turn the calendar back 13 years to May 6th, 2010, when JPL wrote, they said, engineers have shifted NASA's Voyager 2 spacecraft into a mode that transmits only spacecraft health and status data, while they diagnose an unexpected change in the pattern of returning data. Preliminary engineering data received on May 1st, this would be May 1st, 2010, show the spacecraft is basically healthy, and that the source of the issue is the flight data system, which is responsible for formatting the data to send back to Earth. The change in the data return pattern has prevented mission managers from decoding science data.

The first changes in the return of data packets from Voyager 2, which is near the edge of our solar system, appeared on April 22nd. Mission team members had been working to troubleshoot and resume the regular flow of science data. Because of a planned roll maneuver and moratorium on sending commands, engineers got their first chance to send commands to the spacecraft on a, on April 30th. It takes nearly 13 hours for signals to reach the spacecraft and nearly 13 hours for signals to come down to NASA's Deep Space Network on Earth. Voyager 2 launched on August 20th, 1977. So, wow. He said, about two weeks before its twin spacecraft, Voyager 1. The two spacecraft are the most distant human made objects, out at the edge of the heliosphere, the bubble the sun creates around the solar system. Mission managers expect Voyager 1 to leave our solar system and enter interstellar space in the next five years or so, with Voyager 2 on track to enter interstellar space shortly afterward.

Voyager 1 is in good health and performing normally. Ed Stone, Voyager project scientist at the California Institute of Technology in Pasadena, said, Voyager 2's initial mission was a four year journey to Saturn, but it is still returning data 33 years later. It has already given us remarkable views of Uranus and Neptune, planets we had never seen up close before. We will know soon what it will take for it to continue its epic journey of discovery. Meaning at that, what, the point where he's talking about this, something broke and it's, and Voyager 2 was no longer sending data back, you know, the, the, the science data that they wanted. And he said the original goals of the two Voyager spacecraft were to explore Jupiter and Saturn. As part of a mission extension, Voyager 2 also flew to Uranus in 1986 and Neptune in 1989, taking advantage of a once in 176 year alignment to take a grand tour of the outer planets <laugh>.

I just love this. It is just so cool. You know, real science. Among its many findings, Voyager 2 discovered Neptune's Great Dark Spot, a 450 meter per second, oh, and 450 meter per second, 1,000 mile per hour winds. It also detected geysers erupting from the pinkish-hued nitrogen ice that forms the polar cap of Neptune's moon Triton. Working in concert with Voyager 1, it also helped discover actively erupting volcanoes on Jupiter's moon Io and waves and kinks in Saturn's icy rings created by tugs of nearby moons. Voyager 2 is about 13.8 billion kilometers, 8.6 billion miles, from Earth. Voyager 1 is about 16.9 billion kilometers, 10 and a half billion miles, from Earth. The Voyagers were built by GPL, by <laugh>, by JPL, which continues to operate both spacecraft. Caltech manages JPL for NASA. Okay, so May 6th, 2010. And something is broken and has gone wrong with Voyager 2 such that the spacecraft science data is no longer being properly formatted.

11 days later, on May 17th, 2010, we learn what went wrong. Engineers at NASA's JPL said Monday, May 17th, that one flip of a bit, oh, in the memory of an onboard computer appears to have caused the change in the science data pattern returning from Voyager 2. A value in a single memory location was changed from a zero to a one. On May 12th, so that was, yeah, so on, so on May 12th, engineers received a full memory readout from the flight data system computer, which formats the data to send back to Earth. They isolated the one bit in the memory that had changed, and they recreated the effect on a clone computer at JPL. They found the effect agrees with the data coming down from the spacecraft. They're planning to reset the bit to its norm, to its normal state, on Wednesday, May, May 19th. And then three, three days later, on May 20th, we have the report of the conclusion of this high stakes drama.

Engineers have successfully corrected the memory on NASA's Voyager 2 spacecraft by resetting a computer bit that had flipped. Reset commands were beamed up to the spacecraft yesterday, Wednesday, May 19th, and engineering data received today confirm that the reset was successful. The Voyager team will continue monitoring the engineering data, and if the bit remains properly reset, commands to switch to the science data mode will be beamed up to Voyager 2 on Saturday, May 22nd. Receipt of science data would then resume on Sunday, May 23rd. And all of that did happen on schedule. But I also noted that something else happened just last week. NASA's blog posting Friday, July 28th of this year, read: a series of planned commands sent to NASA's Voyager 2 spacecraft, right, still going strong, on July 21st, so the, the, toward the end of, just a couple weeks ago, toward the end of last month, inadvertently caused the antenna to point 2 degrees away from Earth.

Now, when you're billions of miles away, two degrees, baby, you know, I mean, you might as well be looking in the other direction. So as a result, Voyager 2 is currently unable to receive commands, whoops, or transmit data, whoops, back to Earth. Voyager 2 is currently located almost 12.4 billion miles from Earth, and this change has interrupted communications, no kidding, between Voyager 2 and the ground antennas of the Deep Space Network. Data being sent by the spacecraft is no longer reaching the Deep Space Network, and the spacecraft is not receiving commands from ground controllers. Right? It's, it's, who, Voyager 2, however, is programmed to reset its orientation multiple times each year to keep its antenna pointed at Earth. The next reset will occur on October 15th, which should enable communication to resume. The mission team expects Voyager 2 to remain on its planned trajectory during the quiet period.

Voyager 1, which is almost 15 billion miles from Earth, continues to operate normally. And finally, a couple of interesting tidbits about the Voyager probes. Uplink communications to the Voyagers is via S-band at 16 bits per second, while an X-band transmitter provides downlink telemetry at 160 bits per second normally, and 1.4 kilobits for playback of high rate plasma wave data. Although I think that I saw that the plasma wave science equipment has been turned off due to power consumption. All data are transmitted from and received at, at the spacecraft via the 3.7 meter high gain antenna. So that's the big high gain dish. And obviously, being a dish, it's pointy, so you gotta point it in the right direction. Electrical power is supplied by three radioisotope thermoelectric generators, RTGs. The current power levels are about 249 watts for each spacecraft. As the electrical power decreases, power loads on the spacecraft must be turned off in order to avoid having demand exceed supply, or otherwise the voltage would drop.

As loads are turned off, some spacecraft capabilities are eliminated. So a Nat, NASA maintains an extremely cool real-time Voyager status page, which continuously shows the location of both spacecraft and other, other interesting tidbits, such as which science modules are currently turned on and off given the amount of available power. So I created a, a shortcut, grc.sc/voyager, 'cause the page is so cool. We haven't looked at it since we last talked about the, the Voyager probes. grc.sc/voyager, or you could just Google Voyager mission status. And that will bring up as the first link that page where, I mean, it is updating as you watch it, on the fly, how far both of these probes are, and also whi, which science modules are turned on and off. So anyway, big thanks to our sat, our satellite informed listeners for their, for their listening.

For their information. We won't lose Voyager because it's gonna reorient. So that's good news. Yeah, right. I don't, I do wanna correct myself. It's not V'ger. I was looking it up. I thought, well, which one was V'ger? Voyager 1 or Voyager 2? Neither <laugh>. Oh, V'ger. I, is this a spoiler now? No, don't, I won't tell you what I'm talking about. If you know, then you know. V'ger was Voyager 6, which was, which was, remember this is a movie that came out in 1979, which was to be launched in 1999. Ah. So we <laugh> and of course, ah, there is no <crosstalk>. It's a future Voyager. It's a future Voyager that we haven't launched yet, of course. Which explains how it got so smart. 'cause By 1999, AI was happening. It's funny how we, how we thought, how we thought all this stuff would be happening by now.

Anyway, great story. Oh, Leo, everyone wants to know where their flying cars are. Yeah, yeah. You know? Yep. No, and I, now I know that would be a very bad idea. So yeah, Voyager 2's been out there for 45 years. Unbelievable. That is really, that is, that's amazing. Gosh. Yeah. Wow. So, John David Schober, he said, Hey, Steve, on SN 932, I heard you talking about how you're keeping the rack of servers at Level 3 and not moving to the cloud. In case you wanted some interesting reading, here's a blog post from David Hansson, founder of 37signals and Basecamp, and creator of Ruby on Rails, DHH. He discusses, David Heinemeier Hansson. Yes. Yes. David, DHH. Yep. Yes. He discusses how they regret moving their business to AWS and how expensive everything was, and how much better life is being back on their own hardware.

So first of all, John, thanks very much for the pointer, since this topic is quite near and dear to my heart. And since I think it might also be extremely interesting to a large number of our listeners, I wanna share the blog post that John pointed to. As John said, this was written by David Heinemeier Hansson, and it was posted just last October 19th, 2022, titled Why We're Leaving The Cloud. David wrote, Basecamp has had one foot in the cloud for well over a decade, and HEY has been running there exclusively since it was launched two years ago. We've run extensive, we've run extensively in both Amazon's cloud and Google's cloud. We've run on bare metal virtual machines. We run on Kubernetes. We've seen all the cloud has to offer and tried most of it. It's finally time to conclude: renting computers is, mostly, he has in parens, a bad deal.

For medium-sized companies like ours with stable growth, the savings promised in reduced complexity never materialized. So we are making our plans to leave. He continues: the cloud excels at two ends of the spectrum, where only one end was ever relevant to us. The first end is when your application is so small and low traffic that you really do save on complexity by starting with fully managed services. This is the shining path that Heroku forged and one that has since been paved by Render and others. It remains a fabulous way to get started when you have no customers, and it'll carry you quite far even once you start having some. He says, parens, then you'll later be faced with a good problem once the bills grow into the stratosphere as usage picks up. But that's a reasonable trade off, he says. The second, meaning the, the second use, the use, useful use case, is when your load is highly irregular.

When you have wild swings or towering peaks in usage, when the baseline is, is a sliver of your largest needs, or when you have no idea whether you need 10 servers or a hundred, there's nothing like the cloud when that happens. Like we learned when we launched HEY, and suddenly 300,000 users signed up to try our service in three weeks instead of our forecast of 30,000 in six months. But neither of those conditions apply to us today. And I would say neither of them apply to me, GRC, and actually probably to TWiT. He says they never did for Basecamp. Yet, by continuing to operate in the cloud, we are paying an at times almost absurd premium for the possibility that it could. It's like paying a quarter of your house's value for earthquake insurance when you don't live anywhere near a fault line.

Yeah, sure. If somehow a quake two states over opens the earth so wide it cracks your foundation, you might be happy to have it, but it doesn't feel proportional, does it? Let's take HEY as an example. We're paying over half a million dollars per year for database, he says, RDS, you know, relational database, and search, Elasticsearch, services from Amazon. Yes. When you're processing email for many tens of thousands of customers, there's a lot of data to analyze and store. But they'll strike, this still strikes me as rather absurd. Do you know how many insanely beefy servers you could purchase on a budget of half a million dollars per year? Now the argument always goes, sure, but you have to manage these machines. The cloud is so much simpler. The savings will, will all be there, will all be there in labor costs.

Except no, he says. Anyone who thinks running a major service like HEY or Basecamp in the cloud is simple has clearly never tried. Some things are simple, others are co, are co, more complex. But on the whole, I've yet to hear of organizations at our scale being able to materially shrink their operations team just because they moved to the cloud. It was a wonderful marketing coup, though, sold with analogies like, well, you don't run your own power plant either, do you? Or, are new infrastructure services really your core competency? Then lathered up with a thick coat of new, new, new paint, and the CLOUD, as in caps, has beamed so brightly only the Luddites would consider running their own servers in its shadow. Meanwhile, Amazon in particular is printing profits renting out servers at obscene margins. AWS profit margin is almost 30%.

And he says, 18 and a half billion dollars in profits on $62.2 billion in revenue. Despite huge investments in future capacity and new services, this margin is bound to soar now that the firm said it plans to extend the useful life of its servers from four years to five and its networking equipment from five years to six in the future. Which is fine. Of course it's expensive to rent your computers from someone else, but it's never presented in those terms. The cloud is sold as computing on demand, which sounds futuristic and cool and very much not like something as mundane as renting computers, even though that's mostly what it is. But this isn't just about cost. It's also about what kind of internet we want to operate in the future. It strikes me as downright tragic that this decentralized wonder of the, of the world is now largely operating on computers owned only by a handful of mega corporations.

If one of the primary AWS regions goes down, seemingly half the internet is offline along with it. This is not what DARPA designed. Thus, I consider it a duty that we at 37signals do our part to swim against the stream. We have a business model that's incredibly compatible with owning hardware and writing it off over years. Growth trajectories are mostly predictable, expert staff who might as well em, em, employ their talents operating our own machines as those belonging to Amazon or Google. And I think there are plenty of other companies in similar boats. But before we can more broadly set sail back toward lower cost and decentralized shores, we need to turn the rudder of our collective conversation away from the cloud serving marketing nonsense about running your own power plant. Up until very recently, everyone ran their own servers, and much of the progress in tooling that enabled the cloud is available for your own machines as well.

Don't let the entrenched cloud interests dazzle you into believing that running your own setup is too complicated. Everyone and their dog did it to get the internet off the ground in the first place. It has only gotten easier since. It's time to part the clouds and let the internet sunshine through. So it's kind of a, anyway. He's a crackpot, but okay, <laugh>. Yeah. You say there's a lot of reasons. I'm, you, I'm, you'd want a cloud. What's, you know, for AI training, for instance. You're not gonna go out and buy a thousand cards from Nvidia and a bunch of servers and stuff just for the training, and then what? And then just let 'em sit in the basement. Well, you just gave a perfect use case for the cloud, and I've heard that suggested. You would use the cloud to train the model and then run it locally, then, to run the model.

Yeah, lots of people do that. I mean, I think hybrid, Leo, is very common. Leo, you say you're not in the cloud, but Level 3 isn't on-prem. Aren't you in the cloud? Well, everybody has some tier one service provider. I mean, so you have an I, you, you, you have a, but your servers are in your house. No, no. My servers are a dr, a short drive away, in a data center. Not, but that's not the cloud, 'cause you own the hardware. Correct. Okay. All right. I mean, my website is right down the hall. It literally is on-prem here. But except you've talked about how expensive Mastodon is. Ma, Mastodon. Mastodon's running in the cloud. Yeah. No matter how big it gets. So that's a, well, there's an example. I wanted to run Mastodon in the cloud 'cause I didn't want to maintain it and, and run it off the servers here.

And because we don't have enough local bandwidth to run it. I mean, obviously 37signals can afford to buy many, many gigabits of bandwidth. Ah, right. I mean, come on <laugh>. He's kind of a crackpot. He's a well-known crackpot <laugh>. But you know what, by the way, since he put that out, he has succeeded. They are all off the cloud now. Yeah. Cool. We'll see. I'd like to see what his bills are for running it locally. The problem really is that he doesn't see those bills, 'cause it comes in the form of rent and electricity and air conditioning and things that he doesn't consider climate costs. Well, I pay about a grand a month, and I, for all of GRC and all of my servers and all of my bandwidth. But you're kind of a cloud 'cause you're running in a network operation center.

You're not running on-prem. Well, no, he's talking about renting, rented machines. Oh, he's talking about the same thing. A colo. Yeah. Yeah. A colo is going backwards a little bit, I think, but okay, fine. It's whatever. You know, there's a lot, I mean, there are a lot of businesses who will do that, and that, and that of course was the whole point of his blog po, po, post, was that it isn't insane to go backwards. Okay. That, that, you know, the cloud, the, the, the promise of the cloud did not materialize. Anyway, I wanted to share it with our listeners. No, no, it's good, 'cause it is the, it is my position. It is what I'm doing. And I have fixed costs. I could run Mastodon on servers till the cows came home. Right. And it wouldn't cost me anything more. Right. Except your time. No.

How, no, no. Well, I mean, I, I, I, I maybe visit Level 3 annually. My servers are typically up for three or four years at a time. Right. So, yeah. I mean, it's just not, it's not a problem for me. Yeah. But, you know, I, I built the stuff right once, so I don't have to be, right, you know, continually nursing them. And Leo, we're an hour and a half in and we haven't even gotten to our main topic. Let's take our third break. Okay. And then talk about TETRA:BURST. You didn't wanna play danger, danger? Okay. That's fine. <Laugh> That's fine. Let's talk about Drata, and then we're gonna get to the TETRA:BURST. Only Steve knows why I played that. Steve is, is well aware. However, <laugh>, our show today brought to you by Drata. If your organization is finding it difficult to collect manual evidence and achieve continuous compliance as you grow, as you scale, you may wanna know about Drata, a leader in cloud compliance software. G2 said that, I didn't make it up.

Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, your HIPAA and other compliance frameworks, providing 24 hour continuous control monitoring so you can focus on scaling securely. With a suite of more than 75 integrations, Drata easily integrates through applications like AWS, Azure, GitHub, Okta, Cloudflare. Countless security professionals from companies including Lemonade and Notion and BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process. You can expand your security assurance efforts using the Drata platform, which means you can see all your controls, easily map them to compliance frameworks and gain immediate insight into things like framework overlap. Drata's automated dynamic policy templates support companies new to compliance, using integrated security awareness training programs and automated reminders to make sure you're gonna have smooth employee onboarding.

And as the only player in the industry to build, and you'll like this, Steve, on a private database architecture, your data can never be accessed by anyone outside your organization. All customers receive a team of compliance experts, including a designated customer success manager, and Drata's team of former auditors, they've conducted more than 500 audits between them, means your Drata team keeps you on track to ensure there are no surprises, no barriers. You'll love Drata's pre-audit calls so you can prepare for when the audits begin, and then when it's time for the audit, Drata's Audit Hub is fantastic. It's the solution to faster, more efficient audits. It'll save hours of back and forth communication. You'll never misplace crucial evidence. You could share documentation with your auditors instantly. All interactions, all data gathering can occur in Drata between you and your auditor. So you don't have to switch between different tools or say, wait a minute, let me see if I can find that.

Or different correspondence strategies. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them, and then decide whether to accept, mitigate, transfer, or avoid them. Drata maps appropriate controls to risks, simplifying risk management and automating the process. Drata's Trust Center provides real-time transparency into security and compliance postures, which improves sales security reviews and gives you better relationships with customers and partners. Say goodbye to manual evidence collection, say hello to automated compliance. Go to Drata, D-R-A-T-A,, bringing automation to compliance at Drata speed. That's And by the way, if you ask for a demo, you can get 10% off at that website, And now back to Security Now. We do need to explain the "Danger, Will Robinson," okay, <laugh> sound effect. <Laugh>, go ahead.

I got a, Steven Perry, he sent a note. He said, hi, Steve. I was listening. He's a regular, by the way, in our Discord. We love Steven. Ah, yeah. He said, I was listening to yesterday's Security Now episode and wondered if anyone had ever shared with you and Leo a little bit of trivia about the show Lost in Space, which of course we both cut our teeth on. Mm-Hmm. <affirmative> you know, as kids. Everyone knows and uses the catchphrase "Danger, Will Robinson," of course, one of our faves, he says, but did you know that it was only ever said once <laugh> in the entire run of the show? Wow. It was season three, episode 11 when it happened. But who knew? It was never said again. Yeah. But that is the phrase we all know and love about the show. Thought I'd pass it along. Have a good day. Well, I was astonished by that. I did a little bit of looking around; the internet agrees with Steven <laugh>, and apparently one of the reasons is that the robot was always waving his arms around saying, "Danger, danger." That's what he said. "Danger, danger." We add the "Will Robinson" so you know what it means. If I just said "danger, danger," you wouldn't know. But anyway, yeah. You think what

Rod Pyle (01:55:54):
I am sorry, Will Robinson. I am afraid I goofed.

Leo Laporte (01:55:59):
<Laugh>. I have many, by the way, many robotic quotes.

Rod Pyle (01:56:05):
A robot does not live by programming alone. Some culture is required to keep my tapes in balance.

Leo Laporte (01:56:10):
<Laugh> Little do we know the future, they're gonna still use tapes in the robots. Yeah. Yeah. Actually, it's funny how the use of that term has hung on. I mean, people are still saying, did you tape it? Nature, nature <laugh>. Nature, nature <laugh>. Okay. So by far the news that was most forwarded to me this past week was that the encrypted security of a globally used "secure", in air quotes, radio communication system, whose security has been trusted and relied upon worldwide, turns out not to be as secure as everyone hoped and was led to believe. And moreover, the system's insecurity was well known and kept secret by those whose commercial interests depended upon the system being trusted when it was not trustworthy. Wired did a beautiful job of describing the situation in their story last week titled "Code Kept Secret for Years Reveals Its Flaw: a Backdoor."

And they followed that with: a secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others, meaning lots of military around the world, is finally seeing sunlight. Researchers, woo, researchers say it isn't pretty. Now I'm gonna share Wired's coverage of this while liberally interjecting my own commentary. So here's what Wired described. They said for more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. Now, okay, anybody? <Laugh>, if you've listened to this podcast for only one of our almost 18 years, you know that anytime you hear that the technology was kept private to prevent anyone from scrutinizing its security properties for vulnerabilities, it is not good news. Anyway, but Wired said now it's finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on it and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It's used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows or reroute trains. Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities, five vulnerabilities in total, in a European radio standard called TETRA, which stands for Terrestrial Trunked Radio, which is used in radios made by Motorola, Damm, Hytera and others. The standard has been used in radios since the nineties, but the flaws remained unknown because the encryption algorithms used in TETRA were kept secret until now. The technology is not widely used in the US, well, not widely, but it is here, where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for Wired and uncovered contracts, press releases and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the US. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it's difficult to identify who might be using them and for what.

But Mathis helped Wired identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base. The researchers with Midnight Blue in the Netherlands discovered the TETRA vulnerabilities, which they're calling TETRA Burst, in 2021. Okay, so two years ago they discovered this, but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. And we know how that typically goes. Not all of the issues can be fixed with a patch, however, and it's not clear which manufacturers have prepared them for customers. Motorola, one of the largest radio vendors, did not respond to repeated inquiries from Wired. The Dutch National Cyber Security Centre assumed the responsibility of notifying radio vendors and computer emergency response teams around the world about the problems and of coordinating a timeframe for when the researchers should publicly disclose the issues.

And as I said at the top of the show, next week is Black Hat and all will be revealed there. In a brief email, NCSC spokesperson Miral Scheffer called TETRA a crucial foundation for mission critical communication in the Netherlands and around the world, and emphasized the need for such communications to always be reliable and secure, especially during crisis situations. She confirmed the vulnerabilities would let an attacker in the vicinity of impacted radios intercept, manipulate, or disturb communications, and said the NCSC had informed various organizations and governments, including Germany, Denmark, Belgium, and England, advising them how to proceed. A spokesperson for DHS's CISA here said they're aware of the vulnerabilities, but would not comment further. The researchers say anyone using radio technologies should check with their manufacturer to determine if their devices are using TETRA and what fixes or mitigations are available.

The researchers plan to present their findings at the Black Hat security conference in Las Vegas, when they will release detailed technical analysis as well as the secret TETRA encryption algorithms that have been unavailable to the public until now. They hope others with more expertise will dig into the algorithms to see if they can find other issues. So TETRA was developed in the nineties by the European Telecommunications Standards Institute, or ETSI. The standards include four encryption algorithms, TEA1, TEA2, TEA3 and TEA4, so I'll just call them T1, T2, T3 and T4, that can be used by radio manufacturers in different products depending on their intended use and customer. Okay, so <laugh>, as I said, whoa, wait, what? The four different encryption algorithms can be used by radio manufacturers in different products depending upon their intended use and customer.

So if that doesn't smell fishy, I don't know what does. So Wired explains this. Wired says TEA1 is for commercial uses, for radios used in critical infrastructure in Europe and the rest of the world, though it is also designed for use by public safety agencies and military, according to an ETSI document, and the researchers found police agencies that use it. T2 is restricted for use in Europe by police, emergency services, military and intelligence agencies. Okay, so T1 is for commercial uses, whereas T2 is restricted for use in Europe by police, emergency services, military and intelligence agencies. What's the difference? T3, Wired writes, is available for police and emergency services outside Europe in countries deemed friendly to the EU, like Mexico and India. Those not considered friendly, such as Iran, only had the option to use T1. T4,

another commercial algorithm, is hardly used. The researchers said the vast majority of police forces around the world, aside from the US, use TETRA-based radio technology, after conducting open source research. TETRA is used by police forces in Belgium and the Scandinavian countries, East European countries like Serbia, Moldova, Bulgaria and Macedonia, as well as in the Middle East in Iran, Iraq, Lebanon, and Syria. Additionally, the ministries of defense in Bulgaria, Kazakhstan, and Syria use it. The Polish military counterintelligence agency uses it, as do the Finnish Defense Forces and Lebanon's and Saudi Arabia's intelligence services, to name a few. Critical infrastructure in the US and other countries use TETRA for machine-to-machine communication in SCADA and other industrial control system settings, especially in widely distributed pipelines, railways and electric grids where wired and cellular communications may not be available. And now get a load of this blast from the past.

Although the standard itself is publicly available for review, meaning, you know, the paper printed standard saying this is what we're going to offer you for your radio to use, the encryption algorithms are only available under a signed NDA to trusted parties such as radio manufacturers. The vendors have to include protections in their products to make it difficult for anyone to extract the algorithms and analyze them. Oh boy. To obtain the algorithms, the researchers purchased an off-the-shelf Motorola MTM5400 radio and spent four months locating and extracting the algorithms from the secure enclave in the radio's firmware. They had to use a number of zero-day exploits to defeat Motorola protections, which they reported to Motorola to fix. Once they reverse engineered the algorithms, the first vulnerability they found was a backdoor in T1. Okay, so first of all, huge props to these guys.

No one made it easy for them to obtain the information they needed. In fact, their efforts were deliberately being thwarted at every turn by the use of, you know, requiring a signed NDA, which they were not able to agree to because they wanted to disclose it, and a secure enclave. And they needed to find zero-day exploits, brand new zero-day exploits, and then use them to crack the lid off the code. And let's also just pause for a moment to thank our lucky stars that this reverse engineering conduct has been deemed legal. If white hat hackers like these guys could be jailed for conducting research in the interest of improving the security of the products they're examining, even when doing so is not in the interest of those who are working hard to keep those secrets, the world would be far less secure and only the bad guys would be pursuing such reverse engineering.

They would not be agreeing to keep their secrets quiet. They would never be disclosing them because they would then be turning around and leveraging them. And all of this stuff that we talk about on this podcast constantly, which is being reverse engineered at significant effort and cost by good guy researchers, none of that would be happening because doing so would be illegal. Thank goodness that decision was made, making it so that this kind of research is safe. So here's what they found. All four TETRA encryption algorithms use 80-bit keys, which the researchers say, and I would agree, even more than two decades after their release, still provides sufficient security to prevent someone from cracking them. And I'll note that the keys are rotated and they're dynamically changing. So it's not like they're just fixed 80-bit keys. They're ephemeral.

So they're not around long enough for that to be a problem. But they are around for a while. T1 has a "feature", in quotes, that reduces its encryption key length to just 32 bits, which the researchers were able to crack in less than a minute using a standard laptop and samples of just four ciphertexts, which of course you get by, you know, putting a radio up in the air and receiving some of this encrypted communication. Brian Murgatroyd, the chair of the technical body at ETSI, you know, the people behind this, responsible for the TETRA standard, objects to calling this a backdoor. He says when they developed the standard, they needed an algorithm for commercial use that could meet export requirements, now remember, this is more than two decades ago, to be used outside Europe, and that in 1995 a 32-bit key still provided security.

Although he acknowledges that with today's computing power, that's no longer the case. Remember, these guys, the researchers, cracked the key in less than a minute. Matthew Green, the well-known Johns Hopkins University cryptographer and professor, calls the weakened key, quote, a disaster, unquote. He said, quote, I wouldn't say it's equivalent to using no encryption, but it's really, really bad. Gregor Leander, a professor of computer science and cryptographer with the security research team known as CASA at Ruhr University Bochum in Germany, says it would be stupid, unquote <laugh>, not mincing any words, for critical infrastructure to use T1, especially without adding end-to-end encryption on top of it. He said nobody should rely on this, unquote. Murgatroyd insists that the most anyone can do with a backdoor is decrypt and eavesdrop on data and conversations. TETRA has strong authentication, he says, that would prevent anyone from injecting false communication.

That's not true, says Wetzels, one of the researchers. TETRA only requires that devices authenticate themselves to the network, but data and voice communication between radios are not digitally signed or authenticated. The radios and base stations trust that any device that has the proper encryption key is authenticated. So someone who can crack the key, as the researchers did, can encrypt their own messages with it and send them to base stations and other radios. While the T1 weakness has been withheld from the public, it's apparently widely known in the industry and governments. In a 2006 US State Department cable leaked to WikiLeaks, the US Embassy in Rome describes an Italian radio manufacturer asking about exporting TETRA radio systems to municipal police forces in Iran. The US pushed back on the plan, so the company representative reminded the US that encryption in the TETRA-based radio system they planned to sell to Iran is less than 40 bits.

Indeed, 256 times less than 40 bits, 'cause it's 32 bits. Implying that the US should not object to the sale because the system isn't using a strong key. The second major vulnerability the researchers found isn't in one of the secret algorithms, but it affects all of them. All of them. The issue lies in the standard itself and how TETRA handles time syncing and keystream generation. When a TETRA radio contacts a base station, they initiate communication with a time sync. The network broadcasts the time and the radio establishes that it's in sync. Then they both generate the same keystream, which is tied to that timestamp, to encrypt the subsequent communication. Wetzels says the problem is that the network broadcasts the time in packets that are unauthenticated and unencrypted. As a result, you can time spoof. An attacker can use a simple device, and Leo, you probably have one in your pocket, to intercept <laugh>.

No, I gave it to Father Robert to take to Black Hat. Oh yeah, that's good. You'll get some use out of it. To intercept and collect encrypted communication passing between a radio and base station while noting the timestamp that initiated the communication. Then he could use a rogue base station to contact the same radio or a different one in the same network and broadcast the time that matches the time associated with the intercepted communication. Basically, you know, resetting them to the key that he already has, that was decrypted earlier. The radio is dumb and believes the correct time is whatever the base station says it is. So it will generate the keystream that was used at the time to encrypt the communication the attacker collected. The attacker recovers the keystream and can use it to decrypt the communication collected earlier, or to inject false messages.

He would use his base station to tell a radio that the time is tomorrow noon and ask the radio to generate the keystream associated with that future time. Once the attacker has it, he can use the keystream to encrypt his rogue messages and the next day at noon send them to a target radio using the correct keystream for that time. In other words, it was really badly designed, even in 1995. There were all kinds of holes in the system, not just secret algorithms for encryption. Wetzels imagines Mexican drug cartels could use this to intercept police communications to eavesdrop on investigations and operations, or deceive police with false messages sent to radios. The attacker needs to be near a target radio, but the proximity is only dependent on the strength of the rogue base station signal and the terrain. He says, quote, you can do this within a distance of tens of meters.

The rogue base station would cost $5,000 or less. So ETSI's Murgatroyd played down the attack, saying TETRA's strong authentication requirements, oh boy, would prevent a non-authenticated base station from injecting messages. Wetzels disagrees, saying TETRA only requires devices to authenticate to the network, not to each other. The researchers didn't find any weaknesses in the T2 algorithm used by police, military, and emergency services in Europe, but they did initially think they found another backdoor in T3. Given that T3 is the exportable version of T2, there was good reason to believe it might also have a backdoor to meet export requirements. Anyway, we basically have a system which is full of holes, has been used for what, 28 years, since 1995, is known to be insecure, never received the upgrading that it should have received, but as I said, that never happened.

So as I and Wired noted, in eight days all the wraps will be coming off of this when the research team presents their work and findings during Black Hat in Las Vegas. With TETRA, we have a legacy encrypted radio communication system being widely used today throughout the entire world, including in the US. And it not only contained multiple really exploitable flaws that were only fixed after security researchers cracked it open and shamed its creators with the threat of disclosure, and even now they're not actually saying, okay, yeah, you got us, you're right. It also contained deliberately weakened encryption, which most of the world was given to use, while some agencies knew of the weakness and were apparently leveraging that knowledge for eavesdropping. And now we learn that the ETSI group who did all of this has replaced their earlier flawed work with more of the same, keeping their encryption secret. After rotating the original T1 through T4 ciphers out, there are now new ones.

And they too are kept secret. Even though we have, you know, well vetted, well-tested, well-functioning, lightweight, high performance encryption, nobody should be rolling their own any longer. It's just crazy. Why would anyone ever trust these people? Ah, so true. This reminds me of SS7. Although SS7 is still around, the sideand that is totally hackable on every phone. It's still around just 'cause you can't, it's too hard to change, right? Right. Well, we do have the requirement for encryption intersystem, but that's what has not happened, right? Intrasystem encryption has happened and they're supposed to be doing intersystem, but the problem is apparently they're making too much money outta spam. Yeah, right. There you go. They really don't want to limit it. There you go. They don't wanna limit it. Yeah. Ah, does not compute. That's just the way it is. <Laugh>, even the robot has an opinion on that one. Well, that concludes this thrilling, gripping edition of Security Now as we edge into our 19th year. Couple more weeks coming up on it. Wow. Only 66 episodes left. I guess we're counting down to Steve Gibson's at, which is proudly not in the cloud <laugh>.

All you have to do is go to and then you will see all sorts of good stuff, including SpinRite, the world's best mass storage maintenance and recovery utility. You need this if you've got hard drives or solid state drives. Version 6.0 is still there, but it is soon to be replaced by 6.1. You will get a free upgrade when 6.1 comes out if you buy today. You can also get the show there. Steve has the canonical 64 kilobit audio version, but he's got two unique versions as well: a handwritten, human-transcribed version of it by the great Elaine Farris, so you can read along, and, as one of our correspondents said, just put it on your screen whenever you're leading a meeting <laugh>, so you can point to it. You can <laugh>, you can also get 16 kilobit audio if bandwidth is an issue.

We have 64 kilobit audio and even video. That's our unique format at grc, sorry, TWiT TV slash SN. You can also subscribe in your favorite podcast player or watch it on YouTube. There's lots of ways to come every week, but please do visit us every week. If you'd like to watch us live, the absolute freshest version as it emerges from the mouth of Steve Gibson, you can go to every Tuesday. Times vary. It's supposed to be 1:30 Pacific, 4:30 Eastern, 2030 UTC. Often it's more like two o'clock, 5:00 PM, 2100 UTC. But, you know, what the heck, tune in a little bit early. That stream's running all day and all night. There's always something good there. You can also ask your Amazon Echo, your Google Assistant to listen to TWiT Live.

Sometimes you say TWiT Live because they're dumb <laugh> and you might have to say on YouTube or TuneIn or something, but if you fiddle around with it, you'll be able to get it to play. And that's nice. You can listen all the time. Steve, thank you so much. Have a wonderful evening, my friend. Wonderful weekend. Pleasure. We'll see you next time on Security Now. Bye.

Rod Pyle (02:24:08):
Hey, I'm Rod Pyle, Editor in Chief of Ad Astra magazine. And each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space, books and TV. And we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.
