Security Now 935, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. We're gonna talk about Google's final, I guess, proposal for advertising without onerous tracking. It's called Topics, and Steve says it's a good thing. We'll also talk about password rules. Sometimes they can get ridiculous. And then Steve has some very good news for all of us. Stay tuned. You'll be celebrating Next on Security Now

This is Security Now with Steve Gibson. Episode 9 35, recorded August 15th, 2023. Topics arrives. This episode of Security Now is brought to you by Duo Protect Against Breaches with a leading access management suite, providing strong multi-layered defenses to allow only legitimate users in. For any organization concerned about being breached in need of a solution, fast Duo quickly enables strong security and improves user productivity. It's true. Visit today for a free trial and by the Building Cyber Resilience Podcast, a show about tech and security from the perspectives of data scientists, Dr. Anne Irvin, and career CISO Rich sson regarding the intersection of data finance and cyber risk management. Search for building cyber resilience on Apple Podcast, Spotify, or wherever you listen to podcasts. And by bid warden, get the open source password manager that can help you stay safe online, get started with a free teams or enterprise plan, or get started for free across all devices as an individual user at

It's time for security. Now, the show we cover the latest insecurity breaches. We've, what's going on with Move It <laugh> ransomware with this guy right here, Steve Gibson. Hello, Steve.

Steve Gibson (00:02:10):
All that good stuff for, it's the Move It Show these days, I swear to God. Yeah. for the middle of August. Yes. and okay, so there's a lot going on. The today's topic is topics, which has officially arrived from Google at long last. But we're gonna start by celebrating a birthday. Oh, it's not only 25 years ago that the iMac was created. Yes. But it's this podcast's birthday as well. Not quite so old. <Laugh> not quite so old. No, but we almost close, right? So yes. So we're gonna talk about that. Then I wound up encountering so many interesting thoughts shared by our terrific, that once I had written everything that I wanted to say regarding the emergence of Google's long awaited topics system, which replaces tracking while still giving advertisers what they need.

I had already filled up 18 pages of show notes and I ran outta space for any other news. So next week I'll catch up with everything else that's been happening. But the topic of topics is, I think, important enough to have most of a podcast for itself in any event. And so we're going to dig into e everything about that. And of course, we've got a terrific picture of the week. So I think another great podcast for our listeners. And as you can see, another, another accident here, <laugh>. Oh my goodness. You gotta be careful with those straight edge razors, you know, you could really get in trouble. Yeah, I was, I, it was so dumb because I had just finished a day of working on spin. Right. And I, so I showered and then I shaved, and I, my mind was a thousand miles away thinking about some detail of spin.

Right. I wasn't even paying attention, you know, and I, so that's a lesson is like Gibson. It's only gonna, you know, give it three minutes. That's all it'll take. And I have something too after your picture of the week. Oh, that's right. You said you had a physical picture of the week. I have a little physical thing. A little picture of the week. If you can tell me what this is, an IOT birdhouse. Well, in a manner of speaking, it certainly looks like a birdhouse. It there's no room for birds in this thing though. There a little red light on the, there's Ill red light on. There's a red going on and off on there, isn't there? I wonder what that is. Well, we'll show you in just a little bit. I think you'll be great. All right. You'll be, I think, pleased to see <laugh>.

Okay. What it is. But first a word from Duo. You know, duo I know Duo. We've all used Duo. I hope Duo protects against breaches with a leading access management suite. An access management suite. Let's get the emphasis right, the leading access. See, the problem is right, that bad guys are constantly banging at your door trying to get in, and you need a way to protect yourself. You need strong, multi-layered defensives. And we're in the modern world now, innovative capabilities that will allow legitimate users in, but keep those bad actors out. For any organization concerned about being breached, that needs protection. Fast Duo d u o quickly enables strong security and yet does not impede user productivity. And that's really important. We always think of security as being a trade-off with convenience, not with Duo. Duo prevents unauthorized access with multi-layered defenses, modern capabilities that thwart sophisticated malicious access attempts.

But here's the thing. Duo monitors the risk level. And when the threats go up, duo security goes up. When it's safer duo authentication requirements go down. That's how DUO enables high productivity. It only requires authentication when it's needed, which enables swift, easy and secure access. I think you're gonna be very impressed with duo. I want you to check it out. Duo does all the things we've talked about on this show. It's an all-in-one solution for strong M f a for passwordless, for single sign-on, for trusted endpoint verification, you can implement zero trust principles, verifying users and their devices with duo. Start your free trial. Sign up today, That's duo. Alright. Steve Gibson, I am prepared for a picture of the week if you would like. So this one is another one that's gonna require a bit of description, which I think I can give it.

It's a great picture. If you just see the show notes, you'll go, ah, out <laugh>. That's great. Just as you did. When, when, when, when you saw them, Leo. So imagine this is apparently a hotel which has a, a very vertical profile. And I think on, on the outward facing edge or side, you know, face of the hotel is probably a, a, a staircase, which is enclosed. But at each of the hotel's floors, the where, where there's like a, a a, a plateau between the, the stair stairs going up or down to the next level is an opening. And this, this opening would be square, except that the lower half is cut in away. Anyway. The, the, the overall effect is that the opening at each floor has exactly the, the profile of an RJ 45 ethernet jack, you know, e e ethernet socket, and somebody looking at the hotel said, you know, that looks like it looks like my a row.

It looks like my powered switch. <Laugh>. That's, that's exactly right. That looks familiar. You know, where have I seen this before? Oh, it's like the, on every router and every hub and so forth, <laugh>. So this, this person very cleverly positioned themselves in the right place, got a, it looks like maybe a four or five inch RJ 45 ethernet, you know, wired ethernet jumper, and is holding it close to the lens with the hotel in the distance, such that the, the, the ethernet connectors are the same size in, in this perspective as the openings in the side of the hotel looking exactly like you could plug this cable into the side of the hotel. Lovely. and of course, that's so great. The caption is we just need a jumper here, because that's what the, that's the short one is a jumper. Yes. I love it.

Little jumper. A little ethernet jumper now. Okay, now I have one for you. Got you. If you've listened to this show, and you, especially if you've listened to the holiday episodes, you know that Steve and his youth created something called the Portable Dog Killer. Right. Which was intended really not to kill dogs, but to chase them away by playing high pitched sounds that only the dog could hear. Right? Yep. Meet the portable dog killer from Pet Safe. This is, it's this, the reason it looks like a bird feeder or a bird house is so you hang, if you've got a neighbor with a dog that bothers you, just as that dog used to bother little Steve. Yeah. You hang this on the tree right by the fence when you turn it on. It's got a microphone up here that listens for barking. And when it hears it, and by the way, that's why the red light's going off it pay.

And I don't know, maybe we're, I don't know if we broadcast wide enough frequencies if people, if you're hearing a very high pitched tone right now, I apologize. That's the, it's called the Pet Safe c o b c 1000. See, I think the P D K would've been better, but it, but we have it here because Burke, as you might know, has his little dog, Lily, and she barks a lot. So Micah told him about this and said, if you buy this <laugh> and put it in the hall, we all thank you, <laugh>. No, I, I love it. Lily can bark all she wants. It doesn't bother me. Yeah. But what I thought was interesting is you thought of this years ago, never commercialized it, but here it is as a commercial product. The, yeah, very cool pet safe, portable dog killer <laugh> in the form of a bird house.

Isn't that amazing? See? Yes. And again, ahead of your time. I was, I was what, 15 or 16? So to me, calling it the portable dog killer, I mean, and it looked like a laser gun. So, you know, and we were all, we were raised on, on on Lost in Space and Star Trek and so, you know, that was what I was gonna call it. I think this is commercially probably a little more acceptable <laugh>. I think so too. Just yeah. Keep it arm length away from human ears to avoid hearing damage. The dog begins barking while you were setting it up. Mounting or hanging the, it's called the outdoor Bark Control. Ah, OBC 1000 O D B. Ah, yes. But but Burke came running in and said you should turn that off if you're gonna put it on the air. And Mike, Mike def in our listeners.

Okay. So Leo, you and I recorded episode one of Security Now oh my, on August 19th Oh my, of 2005. Wow. Today is August 15th, 2023. Holy cow. Which Uhhuh, which means that with today's podcast number 935, we will have finished our 18th year and next week's podcast will be the start of our 19th year. And when I went back to check the date, and as you, you've got it on the screen of that first podcast, which was, by the way, all of 18 minutes long. <Laugh>, you wanna hear a little bit of it? I think probably. I just, I just took a little s stop between. Yeah, yeah. Sounds exactly the same. I'll be honest. Oh, no, we didn't have our music yet. This was some other music I was using. Oh, that's very laid back. Yeah. Recorded. I'd like to introduce a brand new podcast to the twit lineup Security now with Steve Gibson.

This is episode one for August 18th, 2005. I like the music. You all know Steve Gibson. He of course, hears on Twitter regularly this weekend in Take. We've known him for a long time. He is been a regular on the screensavers and call for help. And you know, he's well-known to computer users everywhere for his products. He's very well known to consumers for I used to give you a better intro spin, right. Which was the inspiration for Norton Disk Doctor and still runs, rings around it. It is the ultimate hard drive diagnostic, recovery and file saving tool. Still is, I say that still every week, except now I say Mass story from But he's also been a very active consumer advocate working really hard to help folks. I, I think my voice sounds higher, but I don't think it actually is. I think it's a little bit of attention to the click of death slip in this thing, which was that was the zip drive we play a little bit hassle. Oh, oh, it's funny because I do hearing, hearing your voice. I remember that Leo, that young Leo <laugh>

Actually, I think it

Leo Laporte (00:13:54):
Was, and you're on Skype, so the quality of your

Steve Gibson (00:13:57):
Audio Terrible. The screensaver Show

Leo Laporte (00:13:59):
On the screensavers.

Steve Gibson (00:13:59):
Yeah. Because, you know, they, they, I

Leo Laporte (00:14:02):
Can't believe, believe we of this show,

Steve Gibson (00:14:04):
The carrier technology, the, the bot technology, the, the technology, everything is like well

Leo Laporte (00:14:10):
Developed now. You don't sound different, but it poised to take

Steve Gibson (00:14:12):
Advantage of anything that happens in Windows.

Leo Laporte (00:14:16):
We got you a PR 40 more bandwidth hole started using as soon as they, and I was on the other side of that TT one line control. So I, so I didn't have Oh, you had 1.44 megabits, <laugh>. I didn't have today's bandwidth. There you go. Yeah. That makes a big difference. Yeah. If people want to hear this, it's still on the website. And the shortcut is twit tv slash ssn. One sn ones. So that, that episode was titled as The Worm Turns. Yeah. the first internet Worms of 2005. Holy cow. And it's Descri. I know. And its description made me shake my head. 'cause It reads how a Never Disclosed Windows vulnerability was quickly reverse engineered from the patches to fix it, and turned into more than 12 potent and damaging internet worms in three days. Wow. What, what does this mean for the future of internet security?

And here we are, 18, having just, you know, we're celebrating the 18th birthday of this podcast and so much has changed and so much has not. So anyway, thanks to feedback from our amazing listeners. One of the things that's been driven home for me during the past 12 years is how much this podcast means to our listeners. And I suppose how much it would be missed, at least for a while, if it were to ever end. Now obviously it's not, you know, it's gonna end sometime <laugh>, unfortunately, Leo, unfortunately in 65 episodes, we are not, we're not both going to live forever. <Laugh>. when, when William Shatner, who is currently 92, who is gonna live forever, I believe. Yes, yes. I think apparently, yes. You know, he's in remarkable physical and mental health. And of course he recently took that quite emotional for him. Yeah. Ride into Orbit and back. He was asked about his secret to long life, and, and he replied, simply don't die <laugh>.

Right. That's it. Don't die. Yeah. So I'll confess that while my middle name is not Tiberius, I'm gonna do everything to follow the Shatner plan. And thanks to our listeners, it occurs to me that perhaps this podcast should follow the Shatner plan too. As all of our listeners know, I've been talking about ending my involvement with episode 9 99. I'm here after 18 years, Leo, due to our gentleman's agreement to do a podcast together. And I think that I should remain here as long as that's what everyone want. What? Oh my God. You just made not only me and everybody in this building, but about a hundred thousand listeners, extremely happy. You're saying you're willing to go beyond 9 99. So, yes. How are we gonna get the four digits <laugh>? Can we start over at Zero <laugh>? Oh, I've, I've written some code in my life.

I can, I can figure out how to change three digits. Be still my heart. Oh my gosh. Thank you. On behalf of everybody listening, you, it seems to be the case that even after 18 years, everybody still wants this. Yes and yes. You know, and I feel as though we have a lot of leverage, by which I mean that this podcast appears to matter to a lot of people. Yeah, that's true. And that's enough for me. So at least it just came running in <laugh>. What, what? I gotta, lemme see if I can find a shot with her and it Well, you'll have to come around here and do it. <Laugh>. She's very happy. Yay. Yay.

Lisa Laporte (00:17:55):
And we still need to come down and harass you. Now I'll stop 'cause everyone will get mad. But I was like, what,

Leo Laporte (00:17:59):
What? There's a lot of excitement and I can hear the cheers in the other room. I mean, everyone was screaming. Patrick Delehanty is jumping up and down. Yeah, that's really great, by the way. So we head into, by the way, Patrick just told me he's updated Twits code, in fact he did a couple of years ago to support more than 9,999 podcasts. So, <laugh>, Steve, if you're willing to go 99, 99, I'll do it too. Well, you know, Leo, these first 935, they just flew by <laugh>. You know, it's like, I I was really feeling like you were kind of getting tired of doing it, to be honest with you, but you're not. Well as certainly as we head into year 19, I think we've at least established that we're not about to run outta material. Yeah. So, by the way, in the description of security now, one, it says this short podcast, <laugh> it literally, I thought at the time that it would be a short podcast, but bad guys just don't rest.

Hey, thank you Steve, and congratulations. That's really, really good news. We're very, it feel, I've known for some time and I thought this is the occasion where on our, on our 18th birthday that I should just say, you know, why, why stop doing a good thing. Oh, thank you Steve, on behalf of the entire internet community. Thank you. So a bunch of closing the loop feedback from our listeners. Some guy whose handle is gimmicks, G I M I X, and then cubed gimmicks cubed. His actual name appears to be Jordy. He said, Hey, Steve, today, and this was on Friday, Chrome greeted me with this dialogue and I have a picture of it in the show notes and it says, turn on an privacy feature. And those then goes into some details. And so he writes, Google adding a privacy feature and asking me permission to turn it on.

Uhhuh, extremely suspicious. I guess that's flock, which was implemented anyway, even if the community pushed back. Any advice on whether we should turn it on or not, maybe material for the next episode? Greetings from Barcelona. Longtime listener, Jordy. So I received Jordy's note, as I said on Friday, and I knew what it was. This was not flock. This was the long promised rollout of topics, which is Google's replacement for hidden tracking based profiling in favor of transparent site-based interest profiling, which is performed entirely client side, you know, in t n o style, and is entirely under the control of each individual Chrome user. I mean, it's a breakthrough. But I was greeted by it when I opened Chrome yesterday. Since I'm no longer a Chrome frequent flyer, I hadn't seen the dialogue when Jordy had had tweeted the, the, the picture of it to me.

Since the chromium browser's topics a p i is finally making its appearance. And since there's reason to believe that this will be the system that changes the world, it's time to revisit what it is and how it works, which we're gonna do shortly. So anyway, Jordy, thank you for being the first to point it out. I got the dialogue of, of my own and everybody else who's using Chrome will have been receiving this. So we're gonna talk about exactly what this is and how it works and why you should use Firefox and why you should use Firefox. Yeah, well actually wifi I, why I'm hoping Firefox will adopt this. I, I sincerely am. Whoa. Okay. That's a, that's a twist. Okay. Oh, yeah, yeah. I think, and, and you're, you're, you and I are gonna have some fun with this Leo because they're, you know, multiple sides to this.

Okay. Now, someone who chose the Unfortunate Handle burned Eye, I don't know why said something very interesting. So Burned Eye tweeted. Hi Steve. You may find this interesting. I know you're a Firefox user. So am I. Recently I have found out about this fantastic extension called Firefox Multi Account Containers. It solves an issue of being automatically logged into, for example, all Google Services. When you only want one, for example, YouTube, you can isolate into its own container where you can be signed in while all the other Google sites such as, Gmail, et cetera, can stay in a default container where you're not signed in. And those sites won't be affected by the fact that you're signed into YouTube. It's a browsing tab, virtual it's, he says it's a browsing tab virtualization in a way. He said, love it. Just as I love the Security Now podcast.

Longtime fan, Tim. Okay, so I was not aware of this slick browser extension and it does solve a problem I sometimes have. Its author explains it. Thus he says, the Firefox multi account containers extension lets you carve out a separate box for each of your online lives. No more opening a different browser just to check your work email under the hood. It separates website storage into tab specific containers. Cookies downloaded by one container are not available to other containers. You can even integrate individual containers with Mozilla's V P N to protect your browsing and location. With the Firefox multi account containers extension, you can sign into two different accounts on the same site. For example, you could sign into your work email and home email in two different container tabs, even if they use the same server, keep different kinds of browsing far away from each other.

For example, you might use one container tab for managing your checking account and a different container tab for searching for new songs by your favorite band. Avoid leaving social network footprints all over the web. He says, for example, you could use a container tab for signing into a social network and use a different tab for visiting online news sites. Keeping your social identity separate from tracking scripts on news sites. And protect your browsing activity in individual containers using Mozilla V P N. So you can shop while traveling abroad, but check your bank account from a server in your home country. And finally, after installing the Firefox multi account containers extension, click the containers icon to edit your containers, change their colors, names, icons. Long click the new tab button to open a new container tab. Anyway. Okay, though I haven't tried it, this seems very cool.

The one thing I would caution is that he writes, quote, keeping your social identity separate from tracking scripts on news sites. But as we know, and as we saw quite vividly last week with the links, Yahoo, in that example goes to, in order to track people containerizing explicit authentication cookies is not the same as fully anonymizing one's appearance on the web. I'm certain that someone examining the queries being admitted by or JavaScript running in adjacent containers would be able to detect that they're running side by side in the same browser. Nothing is simpler than noticing that the queries are all emerging onto the internet from the same private IP address. You know, he addresses this simple IP based tracking with the feature of an automatic tie-in with Mozilla's V P N Service. But this is not to say that the idea of being able to be logged into the same service under multiple identities with a single browser is not extremely useful.

I, I often, you know, wish I had a different account at the same place. And I do tend, tend to use a different browser if I need to. I remember when I was messing around with squirrel a lot, that was something I was having to do. So anyway, I wanted to share Tim's tweet so that we all know about it. And you know, those of us who are Firefox users are able to take advantage of it. Matthew Eck, he said Hi again. Have a question about full disc encryption on SSDs. If an SS s D is already in use in an unencrypted state, is it then impossible to fully encrypt it with BitLocker or Vera Crypt due to data stored in inaccessible blocks because of over provisioning and wear leveling? How can one encrypt an in use SS s D and guarantee all data is sufficiently scrambled?

Thanks again. Okay, so since I plan to fork the early work on Spin Write seven into a separate product named Beyond Recall, I will eventually acquire a great deal of firsthand experience solving these problems. Matthew's correct in assuming that where leveling defective region sparing and over provisioning inherently take data containing mass storage regions out of service, rendering them inaccessible through the mass storage devices. Normal data. A p i, there are two different means for fully erasing all traces of data, even data that's inaccessible. The problem is that they erase all traces of data. What Matthew wants to do is to take an SS s d that's already seen some use and add external full disen encryption to that existing device while not leaving any while not leaving the inaccessible regions, which might still contain some previously in use unencrypted data unencrypted. And as far as I know, that's not possible.

He'd like there to be some command to destructively and permanently erase only all of the inaccessible regions. But I'm not aware that any such command exists. This means that he would need to copy the drive's contents to another device, then arrange to securely erase the entire drive, which would and does include all user inaccessible areas, then implement BitLocker or Vera Crypt or whatever encryption on that drive, then restore the drive's original contents. So unfortunately no way I know of, of just doing it in place that that, that inaccessible previously unencrypted data will stay there until you perform a secure erase on the drive, which is the only thing that will get rid of it. 'cause You can't get to it otherwise. Most of these storage controllers have manufacturer proprietary undocumented, typically unknown, you know, back doors that allow you to manipulate stuff.

That's something I may end up getting into depending upon how things go with Beyond Recall, but no, nothing known publicly. Trevor Welch said, hi Steve. I have a spin right question. I have a mixed array of drives, hard drives, SAT SSDs, M two SSDs, and probably even some weird proprietary external hard drives. I'm finally getting my act together and gonna be backing them up to a NAS and backing that up to the cloud. Is there any advantage to running spin right on any of these drives before I do this? Or do I run the risk of maybe pushing one of the drives into its demise while running spin right and being unable to then copy all the information off. Some of these discs are very old, 10 to 15 years maybe, and are in unknown condition as of right now. So I just wanna make sure I give myself the best chance of being able to get as much data as I can off of them.

He says love the show and excited for spin, right? Six one to come out maybe an announcement on Tuesday. Well, okay, no announcement today. As always, with a project of this size, with as many moving pieces as this has working to get to the, there's nothing left to be done. State reveals additional things that need to be done. And I'm reminded of that old thought puzzle, which suggests that it's impossible to actually get to your destination because before you can, you first need to get halfway there, then halfway there again and halfway again and halfway again and so on indefinitely, thus, theoretically unable to ever reach the goal. But you know, we're down. We are down. The good news is to very few remaining known things that need addressing. So yeah, it's looking like one of these weeks. Very soon I will have an announcement for the listeners of this podcast.

As for Trevor's question, I don't see any reason to run spin right on any of those drives ahead of time. Just try copying all of their data off at the file level. You know, file by file. Copying programs are notoriously finicky about hitting errors during their work. But there are copying utilities that will retry for a while, then skip over any trouble they encounter. Even the old Xco program from back in the Ms Doss day, which is still present. It has an ignore errors during copying option. And I'm a big fan of robocop on Windows. It's got all kinds of, of extra feature switches that, that allow this to happen. The one thing these tools won't and cannot do is deal with problems in the file systems metadata, which spin right can do since they depend upon that metadata to find the file names and the file content locations in order to copy it. But otherwise, it's usually possible to get most of the data from a drive. But if any trouble is encountered along the way, I'd say by all means, let's spin. Right? Have the drive to see whether it's able to fix those areas that may have been troublesome.

Matt g tweeting from at M P G A G E <laugh>, he said he wrote, this might be the most annoying password rule list <laugh> I have ever seen. Oh, this is a game. I bet. Is this the game? Well this is really it. No, this is really interesting because it's got some hidden gotchas. He said you can't use a password generator because any repeat of a single character makes the password invalid. Oh, please. He said, thought you would enjoy. Okay. That's terrible. Now actually this is this, there's, there are so many good things here. So, okay, here's what the rule list is. And by the way as we'll see from the bottom rule, this is JP Morgan Chase's. Yeah. Password creation guidance. So first must be eight to 32 characters long. Must include at least one upper case, one lower case, and one number.

Okay? Those are kind of standard must not have special characters or punctuation. Okay? Yeah, I don't like that yet. This must be different than your previous 24 passwords. <Laugh> what? <Laugh>, where? Where'd that number come from? What I know. Oh, it gets better. Leo must not include your email ID partly or fully. Okay. Must not include your first name or last name. That's fair. Alright. Okay. What, what if your last name or first name has well is monkey, what are you gonna do then? Huh? Here, here, here's a problem. Must not include more than two identical characters. That makes no sense. Okay. Get this must not include more than two consecutive characters. Wait, what? <Laugh>. I know. I know. And you can't have more than two consecutive characters. Okay. must not use the name of the financial institution. J p m Morgan, JP Morgan Chase, JP Morgan Chase or JP P M C.

I wonder how much those last couple, not the last, last one, but the consecutive characters and identical characters reduces the password space. Oh Leo, you have been way down. You have been paying attention to this podcast. I, I, I credit you that definitely Matt's tweet included a screenshot of those, of those requirements, which we just shared. Now, there are three problems that come to mind. First, one of the rules reads must not include more than two consecutive characters. Yet we know from the first rule that the minimum password length is eight characters. So it's unclear how you create any password longer than two characters. <Laugh>, if you must not include more than two consecutive characters, well you gotta put a number in between them, right? They mean alphabetic characters. I I it's not clear <laugh>, they just said characters. Characters. Yeah. Yeah. This guy was a character.

Whoever wrote this. Yeah. So it, now, so it must be that the author of this rule meant to say two consecutive identical characters. Oh right. Maybe except that the preceding rule is you can't have any include must identical characters at all. Well, no, it says must not include more than two identical characters. Now again, the here the digit two is not necessary because you could just say identical. Yeah, identical characters, right? Yeah, it's redundant, but, okay, fine. So that means that the misworded following rule, they must not include more than two identical hearers is redundant because it's fully covered by the one that precedes it. Okay. But aside from that grammatical nitpicking, there are two bigger problems. The very first rule states that the password must be eight to 32 characters long. Okay? So a minimum of eight characters really an eight character password is sufficient given all of the rest of the rigamarole.

The JP Morgan Chase customers are being put through nice nonsense, just nonsense. And when you think about it, Leo, given how difficult they've made it to create any password. Yeah. 'cause your password manager doesn't know these rules. No. No. So no, it's gotta be done by hand. But given how difficult they've made it to create any password that somehow manages to get through the gauntlet of those rules, users would be hugely incentivized to quit after somehow working out <laugh> an eight character string that qualifies. Yeah, you're right. Okay. You're guaranteeing an eight character password. That is exactly right. And that brings us to the third and worst problem of all these ridiculously exactly. As you immediately saw, these ridiculously onerous rules are going to drive users to create the shortest possible passwords, while at the same time making brute force guessing vastly easier and more practical.

Any intelligent brute forcer will be informed by the same limiting rules as the password creators. So this dramatically and incredibly reduces the possible brute force search space. You know, no special characters or punctuation. Wow. I always hate it when I see that one about I hate that. Yes. That's so stupid. Yeah. Talk about dramatically reducing the alphabet size and thus the search space, those same rules which make it difficult for a customer to create a qualifying password automatically discards a vast universe of passwords that would've been possible and that an attacker would've needed to try. But now the attacker already knows that those would not have worry. Don't worry about those. Yeah, that's great. Imagine all of the guesses where more than two characters are the same. None of those ever need to be tried. Unbelievable. Know what a perfect real world example of someone thinking that they're being quite clever by forcing their customers into compliance when they're inconveniencing those customers while at the same time making things far easier for the attackers.

Unbelievable. And we see this all the time at this point. Yeah. It's just, you know, trying, trying to make it better and making it worse. Have you, go ahead. You wanna take a break? No, you, yeah. Yeah. I just wanna know if you've seen the password game? 'cause This is so fun. From Have you ever heard of this? Okay, I haven't. No. Okay. And I'm not gonna show you this if you have anything to do tonight because uhoh Okay, so it's at Maybe just show it to me until after spin. Right? 6.1 shift. It's, it's to make fun of all of these. Okay, so I'm gonna do monkey it has to include a number. 1, 2, 3. Okay. Uppercase letter. Okay. I'll make the m and upper uppercase. That's good. The digits in your passwords must add up to 25 <laugh>. So three plus eight is 11 plus nine is 9 25.

Okay. Password must include a month of the year. June. Okay. One of our sponsors, shell Roman numerals should multiply to 35. Oh. So this has to be maybe, oh, so that's seven times five. So that maybe this will be v i I and then this will be V. Okay. Oh, capcha. D 22. BD D two two. Now is it, does it always give you the, the same requirements? Yes. Or do those So I've just ruined it by doing the capcha. 'cause There was a 22 in there, so now I can eliminate everything but a three. Okay. it's two, two. So it's two plus two is four. Okay, I get it. 1325. Okay, <laugh>, here's where I stop. Your password must include today's wordle answer <laugh>, by the way, it is today's wordle answer. I've done this before. John and I have both done this.

So you now go off to solve Wordle. It checks, it checks <laugh>. So you now go off to solve Wordle. It will give you a chess problem in just a bit. At one point your password starts to catch on fire and you have to sort out <laugh>. This is anyway for our listeners. It's Neil. N e l f u n. Yes. Password game. He does a lot of fun games. I guarantee you. 'cause You're smart. You'll get, you will dig this. I have never gotten past the fire. John says he's gotten past the fire. <Laugh>. What's the last step you got to John? How far did you get? I think he said he got 20, 25 rules. Something like that. It goes on. I, the guy who created it, Neil said he's never, he's never finished it. <Laugh>. You'll enjoy it, Steve. Alright. Wow.

Now we're gonna take a break. Please, folks, do not go off and do that. Stay tuned. You can do it tonight. Enjoy your, enjoy the rest of security. Now, before you engage on this, it's like the paperclip game. Once you start, you, you know, you kiss the rest of the day. Goodbye. Our show today brought to you by a great podcast. You're really gonna like, it's the Building Cyber Resilience Podcast. As you know, our world is hyperconnected more than ever before. This advanced technology driven landscape is creating smarter businesses to better serve customers. But yeah, there's always a but as we know, along with all these smart businesses, there's a, a threat. Lots of them hosts Dr. Anne Irvin, chief Data Scientist and VP of Product Management at Resilience. And Rich Cyan, who's the Chief Risk Officer at Resilience, talk about the positive outcomes of developing risk management and utilizing data science across industries to create a smarter business.

It's not just an ad for resilience. Actually, this is so smart of a company because yes, it tells you about resilience in their business, but it also talks about the whole issue and is a great way to learn about this. They meet with top experts and innovators in the field of risk management, cybersecurity, and data science. And I love the data science part of this. Dr. Irvin is the chief data scientist at resilience. So the data science stuff is fascinating. They discuss the changing cyber landscape. It's constantly evolving. Risks, how businesses are beating the bad guys, trying to, you know, harm the bottom line and how businesses are managing risk and crisis without impacting the value to their customers. And having a data scientist in there is interesting 'cause there's a lot of data science involved in this. And that's what made it very interesting for me.

There was a good episode that just dropped, I guess is what the kids would say. It was called AI will chat. G P t Replace the Underwriter. The host talks to the chief strategist of AI and machine learning for the Department of Defense. They get great guests as well as the C r O of Symmetry Systems Incorporated. They talk about ai and its use in cyber attacks. Its use defending cyber attacks, how AI affects defensive roles and security. Really good stuff. But every episode's fantastic. Listen in and learn how you can build a cyber resilient organization. And I even just even love the concept of resilience. You know, it's not like a brick wall. It bends, but it holds no matter what. Right? Searching for building cyber resilience whether you do it on Apple Podcasts, Spotify, wherever you listen to podcasts, you will find it, it'll give you a chance to subscribe.

We thank the Building Cyber Resilience Podcast for their support. Again, search for Building Cyber Resilience, that that's the best way to find it. And we'll also put a link in the show notes. That's another way to do it. Truth TV slash building Cyber Resilience. You gotta listen to it. It's great. If you like this show, you'll love it. Anybody who's ever looked at underpasses being built in California has noticed that they are no longer brittle. Yeah, they are resilient. That's right. They're, they are something sitting in a pocket so that if an earthquake shakes it, it doesn't crumble. It just rocks around a little bit and, and hopefully returns close to where it started. So what's the worst kind of building to be in an earthquake? It's not a, it's not a wood frame building. It's a brick building. Those are deadly. Yeah. Yep. No give, no give.

So Josh Randall, he's at an SSN 9 34. You mentioned that many sites now require you to create an account with an email so that they can spam you later. That's precisely why I use Duck Duck Go's email alias. Yep. That's duck duck, which I recall you were rather negative about a few episodes back. When I create an account with any new service or site, now I let D d g create a new random email address for me that is an alias to my main d d g account, which is in turn an alias to my actual email. I can receive messages at my actual email through any of these alias d d g emails and reply to those messages without ever revealing my actual email. And if any site or service ends up spamming me through one of my random aliases, I can simply deactivate it and poof, no more spam.

Okay, so lemme just be clear about my negativity. I wasn't aimed at duck, duck go specifically. I'm 100% behind the use of email aliases. I think as the kids would say, Leo, they rock <laugh> and I use them and I use them myself all the time. I have hundreds of email aliases. But the thing that's different is that the aliases I use are created by my own email, which I'm not going to decide to suddenly terminate. Or if I were to, it would be my decision under my control, given the importance of email as our account recovery and proof of identity. I would be nervous to be asking any third party provider for such a service if I used it in such a widespread fashion. Unlike a use it once credit card number, an email address needs to be inherently static and persistent. If DuckDuckGo were ever to decide to terminate that service, it would create a significant inconvenience for its users who would need, who are using it in this fashion, who would need to manually change every one of their registered email addresses everywhere they had ever used them.

Again, I love the idea and I get it, but not everyone is able to run their own email server, especially since consumer ISPs actively block their customers from running local email transports. But anyway, so love the idea. And I guess I wish there were a, a way to do it that seemed really safe. But yeah, I mean, I never even thought about that I use, I have my own you know, I have fast mail, I have my own domains, and so I can have an infinite number of app Yep. Domains. So I just do that. And those are, those are all unique, but maybe a little bit more guessable than, you know, XYZ at zm z dd. Well, and, and as you know, because you've been following me up for a while, my email address changes annually. Yeah, you're smart. That's a that's such a good idea.

Yeah, because you don't want for that reason, <laugh>, right? <Laugh> or, you know, they can on Twitter or not if they know the algorithm or Greg, if you are a friend of Steve's, you'll know the algorithm and then you can reach reaching David Halladay, he said in SSN 9 33, you highlight that Russians are now prohibited from contributing to open source. However, any G P L product makes it very clear that the user must contribute to the project for the license to be valid. Thus, the new Russian astro Linux based OSS cannot be legally possible. Oh, okay. Now, as I understand it, the G P L requires that any improvements which are made thanks to having had access to the source code must be returned to the project. And so, yes, I think that David's point is correct, not that Russia will be particularly concerned about violating the licenses of the West.

Russia has essentially stolen Linux from the Linux project, but with the rising political tensions, who's surprised by that? Oh, some math. Thomas. a, a pale neck. Hope I didn't mangle your last name too bad. A P A L E N E, he said regarding satellite crowding. Steve, I really enjoyed the episodes and satellite hacking and related satellite info. However, the follow-up discussions on swarms of satellites needs to be put in perspective for which we thank Thomas. A three D graphic of white dots showing all the satellites and debris orbiting the Earth does look a little bit frightening. However, if the satellite size were displayed at the correct scale relative to the earth on the graph, you wouldn't actually see any satellites at all except for possibly the International Space Station. Star link's 40,000 plus satellites in particular sounds like a lot, but if you imagine 40,000 cars equally spaced over the entire surface of the earth, it doesn't seem nearly so bad.

The effective surface area of a 300 kilometer orbital shell is about 560 million square kilometers. And 1100 kilometer orbital shell is about 700 million square kilometers. The starlink orbital plan includes three shells, ranging from 340 kilometers to about 1100 kilometers. The debris issue is a concern and launch agencies do need to make sure it doesn't get out of control. For now, all of the items in orbit are on average thousands of miles away from each other. The skies won't be darkening anytime soon. And again, Thomas, thank you for that very valuable perspective. That's very useful. That's a good excellent point. Space is big. Space is big. Really big. Yes, yes, yes. Which is why, you know, things are zooming around and mostly not hitting each other right. When they do, of course is pretty spectacular. But anyway, Brian Norwood said, catching up on this week's episode, and this is what came to mind on the Voyager two segment with the shout.

He said, next year we'll find out. We let a Borg equivalent know exactly where we are. Remember that NASA was able to regain con that's <laugh> <laugh>. Wow. He said, remember the voyager that they were NASA put out a high power pulse Yes. In, in order to get Voyager two to, to reorient itself. Now, I think I've noted before as a sci-fi enthusiast looking at all the trouble we have right here on Mother Earth, where we're all basically variations on humanity. That as I grow older and hopefully somewhat wiser, I am coming to appreciate where I once used to bemoan how difficult it appears to be to travel between the stars. There's that famous and pithy observation that quote, good fences make good neighbors, unquote. So these days I'm much more satisfied with reading fantastical stories and books than actually having any first contact.

You know, let's hope they're not coming here to take our water, because that would not be good. Brian Gluck said, can you please share the name of the session manager that you use in Firefox, which I mentioned last week. He said, I had one that I loved that saved all of the open windows and tabs, but it stopped working a number of years ago. I think it was called Session Restore, but I honestly don't recall. I would love to know which one you're using. I missed that. This functionality and don't like to download and add on into Firefox without a recommendation from someone I trust. Okay. It's called Tab Session Manager as three words. And I just noticed that it's also available for Chrome and Edge and it really is a nice piece of work. I've been using it for many years, so I'm happy to vouch for its value and stability.

It's free and user supported. And having just written all that, I just sent its author $25 through PayPal since I would like to keep it around. Nice. It is, you know, it, it's open source. It's on GitHub, the guy's maintaining it. And you know, Firefox does sometimes make a radical change to, you know, that, that requires rewrites of, of of their add-ons, which is exactly how Brian's earlier thing, that session restore, you know, some guy created it and wandered away. Then Firefox changed and broke the extension. So the fact that this thing is being maintained is a good thing. And finally, rusty tweeted at S G G R C, how many people have pointed out that the two degrees off that Voyager was pointing at 12.3 billion miles was a bit under 430 million miles, or about five times the average distance between the earth and the sun.

He says it's fantastic that they were both able to hear and send. And so Rusty, you take the prize as the only listener whose tweet I've seen took the time to do the math and give us a calculated answer. My own intuition suggested that this had to be the case. But it's nice to have some numbers to go along with it. So about five times the distance between the Earth and sun is how far off angle, you know, off the, you know, away from us that Beam was passing when Voyager was trying to talk to us. You know, we weren't, we weren't hearing anything that it was sending any longer. Okay. And, and Leo, let's do our last break just so that we can do topics as in, in one whole piece. I like it. By the way, I'm making some good progress on our password <laugh>. Oh my goodness. I did have to identify this country and it took me a little while, you know but the name of the hotel was the giveaway. I looked that up on the internet. So now I just have to get a leap year in here without changing the addition. Maybe I better do the ad instead. What is that? What is that black blob? Oh, that's the current phase of the moon as an emoji.

Yeah, it's a wa it's a, a waning crescent right now. Oh. So it says insert the, insert the the <laugh>. I, I I did, I did get some, some, some crap from kids in school over the waning gibbon. Yeah. The waning Gibbon moon. Yes, that's right. Yes. This is the waning gibbon. Anyway, it's I'm only, I'm only you know, a, a fraction of the way along, but I've got a great password, I must say. Okay. Now does Chase you use emojis in your password? Probably. I, I wanna say though, you missed our first episode where we talked about topics. Yeah. And you, I need to have your attention for this one. 'cause It's important for you to get this just, I'm just saying, okay. I'm not moving. I had to get up and run up and down the hall and celebrate and I did miss that first image.

But I, but I won't miss this next one. I'm paying attention now. Okay. And and I might add it's time to mention Bit Warden. My, my personal, well, I don't wanna say it all. My sponsors are my children and I'm, I'm fond of them all, but boy, I really like this one. And incidentally, if you do want to use that DuckDuckGo email feature, bit warden supports it. In fact, nice. If you, if you if you're using Bit Warden, my favorite password manager when you press the button to generate a pa, you can generate a password or generate a, a login, an email. And it uses, I think it uses the the five different services including FastMail that will generate see, I don't know about Duck, duck go, but I'm gonna use FastMail because if Fast Mail goes outta business, so does my email anyway.

Yeah. So I think it's alright to use FastMail for this, this bit. Warden is the only open source cross Open source is really important to me, as you know. And I think for any security thing, having it be open source is a really big deal. Cross platform password manager you can use anywhere, anytime I use it, I, last time I checked Steve's using it. Of course, as everybody should be using a password manager, bit warden's my favorite. However, all your passwords are encrypted and, and in their vault, not just your passwords. By the way, some password managers let other information, like the sites you visit leak out in plain text. Everything's encrypted with Bit Warden. They solidify their position as the highest performing password manager for the enterprise in the summer 23 G two Enterprise Grid report. The highest performing password manager for Enterprise bit Warden protects your data and privacy by letting you create strong, randomly generated passwords for each account.

I don't think they have a setting for no duplicated letters, however, <laugh>. So maybe you might not be able to use it for Chase, but you can use it for everything else. I use it everywhere. I use the username generator as well, which lets you create usernames that are unique for every account. Works with Fast Mail and DuckDuckGo five different integrated email alias services. It's open source and that's important. It's on GitHub, which means it's completely transparent. It's not just that people are vetting that code. They also bring in professional third party audits every single year. And they publish the results of those audits without editing on the website. So, you know, bit Warden is open source security. You can trust. There's a second benefit to being open source. People contribute back to it. And we've been talking about this listener que to the show created a a argon two memory hard key derivative function.

He issued a pull request to Bit Warden said, I've written this for you, bit Warden said, great. They vetted it. All right, we're incorporating it in. So now you can use P bk DF two and you, you could set it to, I said it to 2 million iterations. But even better, you can use Argon two. And now your memory hard. This is the advantage of being open source, right? We're all in this together. Bit. Warden has some great features for Enterprise. You could share private data securely with coworkers across departments or in the entire company. Fully customizable plans for your needs. They can adapt 'em to your needs. The Bit Warden Teams organization is $3 per month per user. We're gonna move to the enterprise organization plan. That's $5 per month per user. But I really should emphasize for all the individuals listening, bid Warden's basic free account is free and free forever because they're open source.

It's free forever. That gives you unlimited passwords if you wanna add to it or just contribute back, which I do, you can get the premium version 10 bucks a year. I get to use two FA because of that. But the free account will always be free for unlimited passwords and unlimited devices. So you, you know, if you've got a family member who's not using a password manager and you say, well, you know, I want you to try a password manager. They say, I don't want to pay for it. Give them, set 'em up with Bit Warden. Seriously set 'em up with Bit Warden. It's so much better than whatever the heck they're doing. The whole family can get involved and anybody can be in your family. By the way, the family organization gives up to six users premium features. That's a $3 33 cents a month, so that's even more affordable.

Per individual bid Warden has launched the New Secrets Manager. We talked about this, it's in beta right now. This is really great. If you're a developer, how often do developers accidentally commit their a w s Secret or a p i you know, into the, into the public Source code repository? Oh, it's a source of a lot of breaches. Secret Manager keeps those sensitive developer secrets out of the source code, which eliminates the risk of public exposure. You can try it out if you want. It is, as I said, in beta, but they're getting close to release. But if you're willing to try the beta and it's, it's solid bit beta is the address for that. Look, anybody who listens to security now is using a password manager. I mean, that's a given. But use the one that I use that Steve uses.

That's the best. Get started with bit warden's free trial of a teams or enterprise plan, or get started free forever across all devices as an individual user. Bit This, I shouldn't have to say this again, it should be the last word on the subject, bit It's, it's just a no-brainer. Alright, Steve, I am paying attention. I am not leaving this seat. I am listening to every word. Go right ahead. I think you're gonna, you're gonna find this useful as our listeners will. So, okay. The right answer doesn't always present itself The first time when we encountered flock, which should stand for failed learning of cohorts. Yes. Instead of federated learning of cohorts, and you explain Leo, that in, in referring to it as flock, Google was clearly struggling to keep with a bird theme <laugh>. It turns out they were struggling too hard and the flock flew.

The coop. Yes. But as I said, the right answer doesn't always present itself the first time. Sometimes it's necessary to experiment and iterate. You know, the reason spin right, took three years is that there were a lot of avenues I went down that I ended up backing out of. It's like, okay, well, that, that, that approach didn't work to be a universal solution. So let's try this. So the design of topics, which is Google's final solution for the replacement of profiling by tracking shows that Google has learned a great deal from their previous attempts. And we not only have a system that's ready for primetime, it's beginning to roll out. Now it's, it's in Chrome today. Now, we initially covered the topic's a p i about a year and a half ago, immediately following Google's first announcement of this proposed new system. This occurred, Leo, during one of your rare absences from the podcast.

Security Now is a February 1st, 2022 podcast was titled The Topics a p I Oh, I know why. I was in Portugal at the time and having a grand <laugh>. So there, yes. Okay, well, we're glad for you. Yes. j j Ja, Jason held down the fort. And I have always regretted that you missed that discussion because having you understand that is, this is critical because, you know, you're on, you appear not surprisingly on many podcasts here. Yes, I do. So I'm listening. Fortunately, we have another shot at, at the, at this and this time it matters even more because unlike Flock topics is probably going to fundamentally change the way the internet works. Hmm. Now, as we noted last week, D n t stood for Do Not Track. Whereas G P C, you know, global Privacy Control is an explicit request for privacy enforcement.

You know, in other words, they're not the same thing. G P C is not about tracking even though much of the tech press refers to it as an anti tracking measure. Similarly, Google's topic solution is not some new means for tracking users on the internet, even though virtually all of the tech press is calling it that. I think the problem is that since tracking is all we've ever known and change is difficult, everything is assumed to be some form of tracking. But as, as everyone is gonna understand by the time we're finished here today, Google's topic system is explicitly and almost painfully a non tracking solution. If I may be permitted to use the term, it is truly a privacy forward system for allowing websites to learn a little something about the topics which may interest their visitors. Period. Full stop. Again, topics is a privacy forward system for allowing websites to learn a little something about the topics which may interest their visitors.

It is a means for allowing Google, you know, the Internet's massive advertising behemoth to continue to deliver user relevant advertising without tracking topics does not utilize any sort of tracking. None. It's basically Google seeing the writing on the wall. That tracking may not be permitted indefinitely, but they'd like to continue to exist indefinitely. They know that it might eventually be outlawed, at least in some jurisdictions. So they wanna have some sort of user profiling replacement ready if that happens. And in fact, they've already announced that Chrome will begin deprecating its support for tracking via cookies starting next year in 2024. Now I use the term user profiling just now deliberately, because while that's what topics is, it is an entirely different and vastly weaker form of profiling from what we're acco what we're accustomed to with profiling via tracking many hidden entities on the internet know, everywhere we go, a visit to a site for erectile dysfunction gets logged into many hidden databases over which we have no control.

And that information is then made available for sale. I, I didn't do it. I somebody else is using my computer. That's right. Somebody borrowed your computer. Yeah. You, you you left it unattended Yeah. At Starbucks. That's, it was it was Lisa. Yeah, that's it. Yeah. So it's, it's hardly surprising. That's not anything that anyone wants to have Everywhere you go, everything you do being secretly logged into hidden databases over which we have no control under the topics system, and assuming an absence of tracking, which is a separate issue we'll get to in a minute, only your local browser sees that visit and that visit is not recorded. It only knows that this is a site having the topic of health and wellness. So that health and wellness topic gets added to the topics you have shown an interest in for the week. That's it. Thanks to the creation of this new technology that we're gonna go into.

Detail topics provides a means by which a user's web browser may learn by inference about its users' current interests by virtue of where they take their browser on the internet. And the browser is then able to judiciously make a few of those interests known to websites and advertisers who ask. Okay. Now, before we get into the technology, I wanna make it clear that as usual we're here to talk about technology and that I'm deliberately agnostic on matters relating to the non-technical questions of whether or not any profiling is a good thing. Whether or not it is driven by tracking is any form of profiling. Okay, I get it. That con that question is controversial. There are those who feel very strongly that all use of the internet should be anonymized to every degree possible. Like anybody at the E F F, apparently they feel that it is their right to minimize the value they present to a website.

And it's supporting advertisers by remaining anonymous and as anonymous and as unknown as possible. They feel that every visit to any website should be siloed with no other site or third party content provider having any information about them that they don't supply to the site being visited. I get that. And you know, you know, Leo, you and I were just discussing here last week, whether the value obtained by user profiling is really worth what advertisers believe it's worth. Now that's not something I can speak to Google and advertisers and sites like Yahoo clearly believe it is, or perhaps they just want it because that information is available and they'd like to know who they're spending their advertising money on. Perhaps that feedback allows them to better tune the content that their sites offer. You know, okay, whatever. What I do know though is that user profiling via tracking represents the height of privacy intrusion.

As far as I know, an immutable record of every website I have ever visited is squirreled away in multiple massive, hidden and inaccessible to me profiling databases. And I have zero control over that. That's the world we're in today. But if topic succeeds and Google would appear to be in the position to single-handedly deliver its success, it is a far less intrusive profiling technology. And in addition to being a much weaker information gatherer, Google has chosen to provide its users complete control over the topics their browser presents to the world, including turning it off altogether for full anonymity. I'll explain that further in a minute. So if only on that basis topics at least represents a huge step in the right direction. Yes, by default some interest profiling remains, but the means of obtaining those significantly weakened profiles is no longer tracking. And users have complete visibility into their online profile and are able to curate, edit, and even delete, as you know, de delete any of it or all of it as they choose.

So it's a compromise. But there are many websites begging for our support. My feeling is if voluntarily letting them know something about who we are allows them to generate as they claim significantly more revenue from our visit, is that too high a price to pay? Again, it's an individual decision, but now in a world with topics at least it's one we are able to make. Another of the arguments presented by the naysayers is that if topics is embraced, we have no guarantee that tracking will end and that we won't merely be adding another powerful profiling technology on top of the existing mix. And those people are right. But as I noted above, Google is planning to begin the deprecation of explicit tracking support via cookies once topics has come online. And if Google truly wants to prevent tracking once they no longer need it, you know, neither it nor its bad press, they're in the perfect position to do so.

Ultimately though, as with G P C, it may come down to legislation and that's fine. If legislation is what's required, do not track might yet be reborn this time enforced by local or national legislation, making it illegal to track someone who has indicated that they don't wish to be tracked. And the European Union is likely to outlaw it all together. If a viable alternative to profiling via tracking is present that is an alternative to profiling via via tracking is present right As it will then would be thanks to topics, it will be difficult for the trackers to make the case for why users need to be tracked to support the Internet's advertisers and content creators. Okay, so three and a half weeks ago on July 20th, tech Crunch noted that topics was finally arriving. They wrote, Google continues the rollout of its privacy Sandbox APIs, its replacement for tracking cookies for the online advertising industry today, right on schedule and in time for the launch of Chrome one 15 into the stable release channel, Google announced that it will now start enabling the relevance and measurement APIs in its browser.

This will be a gradual rollout with Google aiming for a 99% availability by mid-August. And here we are on the 15th and micro. Got it. At this point, Google doesn't expect, they said to make any major changes to the APIs. This includes virtually all of the core privacy sandbox features, including topics, protected audience attribution, reporting, private aggregation, shared storage, and fenced frames. It's worth noting that for the time being privacy Sandbox will run in parallel with third party cookies in the browser. It won't be until early 2024 that Google will deprecate third party cookies for 1% of Chrome's users. That's, you know, to make sure nothing unforeseen and horrible breaks. After that, they wrote the process will speed up and Google will deprecate these cookies for all users By the second half of 2024, the ad tech industry, they said has been able to test its readiness for the eventual third party cookie deprecation, in part through the relevance and measurement origin trial.

With these features moving into general availability, Google will end this trial and revoke the tokens to run experiments on September 20th, 2023 for Chrome users. Google will now start rolling out its user interface and that's what has happened to allow them to manage privacy sandbox data in the browser, including ad topics sites, suggested ads and ad measurement data. This rollout will run in parallel with the A P I releases. Google will soon make enrollment and attestation a mandatory process for ad tech companies that want to access these APIs on Chrome and Android. So they will be able to continue to do some local testing as well. And finally, they said Google notes in their recent announcement quote, shipping these APIs is another key milestone in the ongoing Privacy sandbox timeline. This marks the beginning of the transition from sites testing in the origin trial to integrating these APIs in production.

We'll be keeping you updated as we progress through enabling the APIs to the opt-in testing with labels in fourth quarter 2023. The 1% third party cookie deprecation in first quarter 2024, heading towards the full third party cookie phase out in the third quarter of 2024. Okay, so here's how topics works. The essence of topics are individual topic tokens, zero, one or many, which are assigned to individual websites. For example, my site might be associated with computers and electronics, network security and computers and electronics programming and networking, internet security. So when someone visited, their own web browser would record their interest in the topics associated with Those topics, those three, but their visit to itself would never be recorded other than in their regular local browser history. As is always done, the only thing retained by the browser to indicate their interest in those topics would be those three numbered parameters.

For example, in Google's current 349 topic list, which they refer to as a taxonomy, there's arts and entertainment as a general topic, if nothing more specific is available. But then there's arts and entertainment. And then under that, acting in theater and comics, concerts and music festivals, dance, entertainment, industry humor. Another humor is the subtopic live comedy. And it goes on like that with arts and entertainment, having a total of 56 token entries before we switch to autos and vehicles, which has 29 subcategories, which brings us to beauty and fitness and so on. You get the idea. So here's how Google's specification explains this. They said the topics are selected from an advertising taxonomy. The initial taxonomy proposed for experimentation will include somewhere between a few hundred and a few thousand topics. They said our initial design includes around 350 and I counted them it's 349 as a point of reference, the I a b audience taxonomy contains around 1500 individual topics and will attempt to exclude sensitive topics.

And, and they said we're planning to engage with external partners to help define this. The eventual goal is for the taxonomy to be sourced from an external party that incorporates feedback and ideas from across the industry. Okay, under today's tracking technology, if someone were to visit a website, for example, concerning the termination of pregnancy, that visit would be tracked and recorded by unknown and unknowable third parties. But under the forthcoming topics system, the topic associated with that site might be health and wellness and nothing more specific. So this really is privacy centric. And as we'll see, Google has bent over backwards to ensure that the topics a user's browser, volunteers cannot themselves be used as a tracking beacon. Google explains the topics will be inferred by the browser. The browser will leverage a classifier model to map site host names to topics to classifier. Weights will be public, perhaps built by an external partner and will improve over time.

It may make sense for sites to provide their own topics via meta tags, headers, or JavaScript. But that remains an open discussion for later. I have a link in the show notes to the official I a b taxonomy in the form of an Excel spreadsheet for anyone who's interested. So you can just sort of see what an existing advertising taxonomy looks like. Okay. So as a user roams around the web, their browser infers the topics of the various sites they visit using this classifier, which is built into the browser, which maps the site's domain name to the topics that are relevant for it. For any given domain, the classifier may return nothing, no topics one topic or more. There's no set limit. So between one and three is what's expected. So it is possible that a site might map to, you know, no topics.

And so does it add to the user's accumulating topic history or it's possible that a site adds several topics or increases the popularity weighting of the user's existing topics by being another instance of their interest in health and wellness. For example, web browsers which support the topics a p i divide the flow of days into discreet epochs, which are each one week long, but it would be more precise to say one week worth of seconds long since there is no alignment to any calendar. Each browser instance chooses for itself randomly when each week long epoch begins and ends all of a user's browsing activity is grouped into these week long epochs and only the most recently finished previous three epochs are retained. In other words, as soon as the currently open epoch closes at the end of its weekly cycle of, or its week long cycle, the topics it contains becomes the most recent and is then available along with the two next most recent epochs.

And the one that had been the oldest of the previous three is completely discarded. This has the effect of causing every user's browser to completely forget everything it had acquired and knew about its user on a rolling basis every four weeks. This is neat since when a user's interests change, the topics which reflect their new interests will realign with them automatically. In the past, we've talked about the dom, this that standardized document object model, which is what our browsers, the way our browsers represent pages that we visit. One of the objects that's always present in this model for an example is, is the document object. And it has properties like the body, which is the documents, body text images, which is a collection of all the images present in the document and links, which is a collection of all the links present in the document.

The topics a p i adds the browsing topics property to every page's document object when a website or one of its advertisers queries the documents browsing topics, they will receive up to three topics from the topic taxonomy, one from each here, one from each of the preceding three weeks. And those three topics will be returned in random order. When a visitor visits a site, the site will be able to obtain up to three topics which might help it or its advertisers to choose a more relevant ad. It was decided to provide three topics so that that is, you know, three so that a site that doesn't see visitors often or that is a specific visitor will still obtain sufficient information about the visitor. It doesn't see often to choose something useful and a granularity of one week was used between a user's topic updates.

So that sites and advertisers, which are seen much more often by a user's browser, will learn at most one new topic per week. And not all websites receive the same weekly topic from any given user. Here's how that works for each week. Once, once the, that, that, that, that, that epoch closes and the topics have been selected that were the most popular for the preceding week. For each week, the users top five, which were obtained from the web domains they visited during the preceding week are determined using that topic's classifier. And again, at no time does the user's browser collect any external, or I'm sorry, contact any external servers for help with choosing. It is all done locally. It's all client side. So five master topics are chosen from an examination of the preceding week's browsing history. And one additional topic is chosen completely at random from the entire taxonomy.

So it will have nothing to do with the user wi with, with, with a user's usage history at any time. It just, it's completely random. Okay. Then when the document browsing topics a p i is called by a site or typically an advertiser on a site that the user's visiting or JavaScript running, you know, on its ads, the topic returned for each of the three weeks. The, the one topic returned for e for each one of the three weeks, which remember are also returned in random order. So that means nothing is chosen from one of those top five plus that one random topic as follows with a 5% chance. So one in 20, the randomly chosen topic will be returned and that's there, that's put in there as a deliberate wild card. Otherwise the other 19 out of 20 times the value of an H Mac hash is computed from a static per user private key.

So every single browser instance is unique. The, the, the weak number that is, you know, as the browser is creating and closing these epochs, it will be incrementing the, the weak number. So a user a static user, private key, the weak number and the documents and the document pages, website domain name, they're all mashed and hashed together. And the result is then taken module five to produce a uniformly distributed value from zero to four that is used to choose one of the users top five topics for that week. The same thing is done for the top five topics during each of the earlier two weeks. And it's those three topics which are returned in random order. Now this may seem overly complicated, but it's quite clever and very privacy enforcing the use of an H Mac keyed by a per user secret. The weak number and the domain of the webpage means that for that week the user's browser will always present the same one of five topics except for that 5% chance of the wild card to anyone querying from the same site.

But that every different site will also see an unpredictable but constant for them one of five topics for that user for that week. This is done to minimize the amount of information being disclosed since this guarantees that no site will receive more than one fixed topic per user per week. And each site only ever receives one of the five real topics, which makes it impractical to cross correlate the same user over time. This 5% noise is introduced to ensure that each topic has a minimum number of members as well as to provide some amount of plausible deniability, meaning that no topic can be regarded as absolute. It may have been deliberately chosen at random. And remember that the exact point in time where a user's week ends and the next one begins, that's fixed also, but chosen at random by their browser. So this, this introduces some additional uncertainty and noise since not everyone's web browser will calculate new topics at the same time on the same day and, and nor will it be changing them.

Now there's one last extremely tricky bit that's a bit of a mind bender, but it's an important privacy safeguard guard for the entire system. It addresses the problem that flock had and which you Leo mentioned several times on other twit podcasts and probably this one. The problem was that flock was broadcasting a token which was a condensation of the person's web browsing history and thus by extension a condensation of them and those who knew how to interpret the token would know what it meant. And this token was being presented to any website they visited without prompting. So you quite correctly identified this as introducing a significant reduction in user privacy. You'd go to a site you'd never visited before and immediately your browser would be telling them a lot about you even though you'd never been there before. So this problem did not fall upon deaf ears and the topics a p I incorporates a mitigation for this.

It's worth reminding everyone that there's nothing whatsoever salacious or even really very interesting about the list of topics. They are really quite bland and dry, but they make sense from an advertiser standpoint. So the first point is there's just no way for anything very personal to be revealed or represented by these topics. But even given that the topics a p I incorporates a very strong filter and going, and here's the mind bending part, I'll explain it and I'll provide an example because <laugh> the explanation won't do it. Not every website that calls this a p I will receive all of the users three chosen browser topics only a p i callers that observed the user's browser visiting some site which mapped to the topic in question that would be returned within the prior three weeks qualifies to receive the topic. I know it's hard. In other words, if an advertiser on a website did not call the a p i sometime in the past three weeks for that user's browser when they were visiting some site which mapped to a topic that would be returned now, then the topic will be filtered out and will not be included in the three topic array returned by the a p i.

Fewer topics will be returned since, as I said, this is somewhat mind-bending. Here's an example. During the previous couple of weeks, a user has been browsing a lot about travel. So for the time being the browser has learned about them and chosen to represent their travel related interests to the world as they visit other sites. So now suppose that they're at a site about gaming and an advertiser on that site runs JavaScript in an ad insertion frame, which queries the document browsing topics a p i to re to receive the three chosen topics of interest to the user. And they have, of course come in no particular order from among the topics that the user's browser has chosen to offer anyone querying about its user while they're on this gaming site. Remember that each week the top five topics of interest are chosen and one of those five is selected from each of the previous three weeks based upon a hash of the domain name being visited.

Okay? So only if that advertiser advertising on the gaming site had queried that user's browsing topics a p i sometime during the previous three weeks while that browser was at some other site whose topics matched the topic the user's browser had chosen to offer at this site. Now would that topic be allowed to be returned and thus be presented to that advertiser? In other words, in order to obtain an interest topic from a user when they're wandering around anywhere on the internet, an advertiser must have previously asked their browser about them during the past three weeks while they were on a site whose topics may have contributed to the topic they're offering this week. This prevents the problem that flock had of recklessly blabbing about a user's interests. Here's another way of thinking about it. In a world with topics and nothing else, assuming that we've blocked third party cookies, fingerprinting, and all other tracking mechanisms, the ad or maybe outlawed the advertiser doesn't know who the user is, but they will have recently queried the user's browser while the user was at a website whose topics matched the topic the user is now offering.

Google explains that this extra topic information filtering is intended to quote, prevent the direct dissemination of user information to more parties than the technology the a p i is replacing. In other words, third party cookies and other tracking mechanisms. Another way of phrasing it is that this ensures that third parties don't learn more about a user's past than they could have with cookies. Okay? As I've mentioned, the history window, which limits the inclusion of topics available to each caller is three weeks only. The topics of sites that use the a p i or host ads that query the a p I will contribute to the weekly, weekly calculation of topics. Moreover, only sites that were navigated to via a deliberate user gesture are included as opposed to a redirect, for example. So it's not possible to bounce users around to load up their browser with topics that won't work.

If the a p I cannot be used for any reason. If it's disabled by the user or by a response header, then the page visit will not contribute to the weekly calculation. So it's easy for sites to opt out if they choose, if the user opts out of the topics a p i themselves by disabling it, which is trivial, it's a switch you can throw in, in Chrome. Or if they're in incognito mode, which automatically completely disables the topic system or the user has cleared their browser history, no topics will be returned. So the goal of the topics a p i is to take a step toward increasing user privacy compared to our current state, which <laugh> would not be difficult, while still providing enough relevant information to advertisers that web, that websites can continue to thrive, but without the need for invasive tracking enabled via existing tracking methods.

One other crucial aspect of the whole topic solution is the user's understanding and sense of control. Very, very few users are ever gonna understand what we've just described. They don't really need to. But but what they will see is the list of the topics that their own browser has accumulated over the past three to four weeks. Their, it's displayed right there on, you know, in their browser on that page. And if they're co and they are completely free to either delete any topic they choose or even permanently disable it from ever coming back, Google wants this to succeed. So they wanna give users of, of this system all the, the, all the all of the control that they can imagine. The API's human readable taxonomy, which is what is displayed on the page where you can just see the topics for yourself, enables people to learn about and control the topics that may be suggested about them by their browser.

And as I said, they're free to delete or disable any of them. Clearly. One of the things that we all complained about with Flock was that it was this bizarre, you know, completely opaque token blob that meant nothing to anyone unless you had the, you know, the magic formula for what all the bits meant. And Google completely fixed that. And also unlike Flock, which built its hash from every site visited only sites that include code, which calls the topics a p i are included in the browsing history eligible for to for topic frequency calculations. In other words, sites are not eligible for contributing to topic frequency calculations unless the site or an embedded service, you know, an ad or whatever has taken action of calling the A p i. So that's the operation of Google's topics a p i, which is now in place in Chrome today.

And presumably in other chromium browsers which choose to implement it, I AML it'll be there. They'd have to turn off, you know, turn it off and remove it if they didn't want it. We know what the E F F would say. They want nothing less. They're satisfied with nothing less than pure and absolute anonymity. But a website operators say that would cost them dearly. I have no way to judge how much revenue websites would lose if targeted advertising were eliminated. And I certainly wouldn't shed a tear over the end of any companies whose entire business model was secretly tracking users against their wishes and selling this information. You know under the table. To me the topics a p I feels as if Google is finally getting really serious about offering an alternative to tracking one, which apparently advertisers can live with and which will provide the websites which use it value.

After all, Google is a massive advertiser themselves and they plan to shut down Chrome's third party cookies starting in 2024 with full elimination by the middle of next year. And if they will shut down the redirects that the use of Google shirts creates, I would be very happy with that too. 'cause That annoys the crap outta me <laugh>. Anyway, once they've done that we can imagine that Chrome will become extremely tracking hostile topics, gives users not only a sense of control, but actual control by allowing them to view, delete, disable the topics that are currently being judiciously doled out about them. And this brings us to an interesting question. If our personal interests are separated from tracking so that the things we're interested in can be shared cleanly, and if that minimal sharing provides significantly greater advertising revenue to the sites we frequent, are we willing to voluntarily give sites that benefit?

I know with absolute clarity that I am, if it's really that valuable, please accept it as my micropayment, you know, the ffs absolutist will disagree with me, and that's fine. Topics finally makes that an individual personal choice that each user of Chrome can make for themselves. So is the chief difference between this and flock? The fact that it doesn't broadcast it it's, you know, it's kind of private, otherwise it seems similar. It's like a modified flock to me. So I maybe anything that creates information could be considered a modified flock. What, what's different? Is it, it there's nothing about it that's opaque, so it doesn't use this a weird hash of websites that no one can interpret, right? That was a big problem. So what Google has done is they have, they've created a an a very simple, basically it's simple.

The, the browser itself. Chrome will know what, what few topics, TWIT tv, the domain TWIT TV stands for, you know w out of a list of about 1500 there, there will be the some number of topics you know, zero through three for that are associated with TWIT tv and that is built into Chrome. You said 1500, you mean 349? No, no 349 is is just their current working. Oh. Oh. But it could be as much as 1500. Okay. Yes. Yeah. There, there really isn't a limit on the number, but the I A B currently operates with 15. Yeah, they have 1500. Yeah. But it's ridiculous. It's demographics and stuff like that that probably the website isn't gonna show there will be no, no race, no gender, right? Nothing. So that'll limits a number of the i b topics. And, and, and so the point is that that A, so the, so Chrome knows what twit TV is, right?

And, and, and you'll have from that, that taxonomy you know, up to three things that are associated with, with twit. So when, when someone visits the twit site, when the browser sees that, that that their, that their user has visited twit TV and internally knows those three topics, it is, it, this is this classifier, it is built into the, it is built into Chrome. All the domains are built into Chrome and, and what it is that they're associ and, and the up to three topics that they're associated with. So the browser dumps those topics into a bin it just accumulates them. And at the end of a week, all of topics associated with all of the sites the visitor went to are at the end of a week this epoch ends. So at that point, the, the, the, the five topics that were hit the most are chosen as the things the visitor cared most about in the previous week.

And the five topics that were chosen from the week before are moved down to the second week. And, and, and, and the topics that were from the second week are moved to the third week. So we have three weeks, each week has five topics. So now when an advertiser queries the browser at a site based on the domain where the, where where the advertiser is querying, the browser itself will select one from each of the five topics for each of the three weeks, deliberately scramble them and say, here are some things this, the, the, this, the user of this browser is interested in. And that's it. That's the entire system coupled with a user interface where the user is able to go and look at what those topics are and say, no, I'm not interested in that and delete it. Or, oh, I don't ever want to be associated with this.

And so disable it so that it can never be be as, be affiliated with them. So it is, it is, there's no tracking. Google has gone to extremes to, to disclose a, a minimal amount of still useful information about the user and that's it. Yeah. And it's in there now. This seems fair. I mean, honestly, I think it is really, I think it is really fair, Leo, this is how we sell ads on twit is, you know, yes. Your topic is, is tech and in the case of your show it's security and it's enterprise. And those might be the three topics. Exactly. Exactly. And I have no problem with that. That's stuff that a human could deduce anyway. Exactly. It's not, yeah. And it just all makes something that a human would do anyway, I think. Yes. And and I think that the reason we're having trouble with this is that we've, we have had such an adversarial relationship with, you know, the big bad internet and, and how it wants, you know, and, and cookies planted and, and you know, panoptic click and fingerprinting and all of this crap.

I mean, so, so it's difficult to say, wait a minute. I mean, that's what this is. There's, and Google's like, that's what Google wants. It's like, yes, there's a lot to be said for a privacy forward system that still allows advertising to be topic based, as you said at the beginning. Who knows if that works or not, but at least we know advertisers demand it so <laugh>, we're gonna have to give it to 'em. And that means that they, and that means that they pay sites for it, right? Yeah. I mean, we are advertising supported and, and we don't, you know, we don't have to worry about this kind of stuff 'cause we're a podcast, not a website. But if you're a, if you're the verge, this is good news. This is something you want. Yes, yes. And, and, and, and really for me, I do have an interest in health and wellness.

And so if saying, yeah, I have an interest in health and wellness, right? If that's a micropayment that I can make to sites that I visit, I wanna support them that way. And to be clear, you say that only by your behavior, by visiting that site. Correct. That's where it gets that information from. It's really what it's saying is it's categorizing sites and then when you come to visit it, now they've got and, and are they attaching that to an identifier? They are. Right. So it does follow you around. You visited a health and wellness site, so when you go to visit something else, it knows that's you. Yes. well you, so you, you visit something else in that browser. So it's the, it's your browser. It's the browser's. Yeah. Yeah. It's all, it's all t n o it's all local. Right? Right. And that's the other cool thing about it is that it is transparent and it is local.

Yeah. I think it's a, a good thing. I hope. It is. I mean it's, I mean, it's like, it's, it's the answer we want. And you're right. I mean, groups like E f F, which I support probably come from the point of view that no ad is a good ad and <laugh> as a result, nothing's gonna, nothing's gonna make them happy, except, you know. Yeah. Who, who supports them <laugh>. Well, yeah, right. No, they're not ad supported. I support them by giving them money, which comes from ads on your show. So I guess, yeah. And support Wikipedia. I, I, I get my little, same thing, my little, my little monthly notice. Yeah. And, and thank you. Yeah. That's what I do with E F F. I, yes, this is good. This is very good. I'll be curious to see, I think at some point E F F and others are gonna have to say, look, we're gonna have something.

Let's choose something that does the least harm. And this seems to be it. Finally, this was Google's kind of plan all along was try some stuff, see what people said. Yep. That's why it was always in beta. Interesting. Yep. Now you said it's gonna propagate to all other chro, chromium based browsers. This may not because it's not going to chromium, I presume, or is it? I think it's in chromium. Oh, that's interesting. I don't knows interest. I think it's interest in chromium and now, and now you can see why I want it in Firefox. It's not a bad thing. No, no. I think it's a, it's a good thing. Yeah. They finally came, got to a point, <laugh>. It was almost a, a silent negotiation where they finally said, well, okay, will this work? No. All right. Well, how about this? I think that's, yeah.

I I think it's exactly right. Yeah. Is is that they, they came up with something that provides a minimum of information yet something that useful to advertisers. Well, we'll definitely be talking about it tomorrow and this week in Google. Yep. And I will be looking more into it myself. Very interesting. As always, you know, and boy, thank you for the very good news at the top of this show that you might, and by the way, you, you know, you're an at will podcaster if at some point, episode 1004, you go, well, that was a terrible idea. I quit. Nobody's gonna stop you. Right. Well, and, and I, as I said, I've been feeling this for a while. I just, it's hard for me to imagine like, you know, killing something that's good. Yeah. Like, you know, thank you. Well, it's and needed.

And you're, and you're doing something that's making a difference, everyone says. So, yeah. So I'm gonna, I'm, I'm gonna thank everybody and thank, thank you for doing it, by the way. Yes, it is in chromium. I'm just looking at the chromium site. Cool. It is part of Chromium. And we will definitely talk about it. And I think the world will be talking about the Steve Gibson promise that at least we're gonna get an episode 1000. I can't promise any more than that. <Laugh>, Steve, you're the greatest. I appreciate it. Catch Just like on episode one, where you'll find the world's best hard drive, no mass storage, maintenance, and recovery utility. It's the only thing that's changed. The software itself hasn't, although 6.1 is imminent, and when 6.1 comes out, it'll support a whole much more stuff, which is great, including modern U E F I computers and, and, and so forth.

That's really good news. Grc.Com, pick up a copy of Sprint, right? While you're there, you can get a copy of the show. Steve has the usual 64 Kilobit audio, but he has two unique formats, A 16 Kilobit audio for the bandwidth impaired and transcripts handcrafted by Elaine Ferris. So you can read along as you listen, or you can search all of, along with a lot of other great stuff. We have Audio 64 Kilobit audio at our site, but we also have video at twit tv slash sn. You can get it there. You can subscribe in your favorite podcast player, get it automatically. There's also a YouTube channel dedicated to the show. If you want to clip a little something and send it to somebody, that's probably the easiest way to do it. Of course, club Twit members are chatting along and they're, I gotta tell you, they found many animated to celebrate the the, I don't wanna say return of Steve Gibson <laugh> the continuation of Steve Gibson, something like that. They were, they, I'll just show you a couple of the, they were, they were very excited. <Laugh>. There was a, there was a general sense of, wow, we were all very excited. If you're not in club twit, <laugh>, join the festivities. <Laugh>.

Seven bucks a month gets Yad free versions of all the shows and a whole lot more twit TV slash club twit. And yes, unlike irc, you get animated gif Oh, I, that's, that's the earlier Shatner, not dying <laugh>. Ah. So thank you, Steve. Have a wonderful week. You've given us friend reason to celebrate. We're gonna get out the champagne. Have a great evening. See you next week, ed, for years more. Bye.

Rod Pyle (01:58:29):
Hey, I'm Rod Pyle, editor in chief of VAD Astor Magazine, and each week I joined with my co-host to bring you this week in space, the latest and greatest news from the Final Frontier. We talked to NASA chiefs, space scientists, engineers, educators, and artists, and sometimes we just shoot the breeze over what's hot and what's not in space, books and tv, and we do it all for you, our fellow true believers. So, whether you're an armchair adventurer, or waiting for your turn to grab a slot in Elon's Mars Rocket, join us on this weekend's space. You'd be part of the greatest adventure of all Time.

All Transcripts posts