Security Now 937, Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now Steve Gibson is here. He's going to give you some more information about that win raw hack, how it works and how to fix it. We'll also talk a little bit about the Unix time story and t l s handshakes. They really need it. And do we really need H G T P S? Sometimes it turns out we don't. And then Steve's going to blow the lid off of an explosive story. Hard drives that lie. It's all coming up next on Security Now
(00:00:30):
[00:00:30] This is Security now with Steve Gibson, episode 937 Recorded Tuesday, August 29th, 2023. The Man in the Middle Security now is brought to you by Collide. Collide is a device trust solution for companies with Okta and they ensure if a device [00:01:00] isn't trusted and secure, it can't log into your cloud apps. Visit collide.com/security now. Book an on-demand demo today and by thanks Canary, thousands of irritating false alerts. No one. Get the single alert that matters when someone's inside your network for 10% off and a 60 day money back guarantee. Go to Canary tools slash twit and enter the code twit in the how did You Hear About Us Box and [00:01:30] by the Building Cyber Resilience Podcast, a show about tech and security from the perspectives of data scientists, Dr. Anne Irvin and career CISO Rich Seon regarding the intersection of data finance and cyber risk management. Search for building cyber resilience on Apple Podcasts, Spotify, or wherever you listen to your podcasts.
(00:01:52):
It's time for security Now. The show we cover, your security, your privacy, your online life with this guy right here, [00:02:00] Mr. Steven Gibson, our man of the hour. Hi Steve.
Steve Gibson (00:02:04):
Yo Leo, the last Can you be up? Can you No. Watch out for that super glue. Can you believe that it is the end of August? It's like, wow. I kind of can't believe it because we have a guy here, one of our employees who's been delegated to put up holiday decorations and when I came in this morning it said it right on the desk, [00:02:30] it's fall and he said it's not fall, it's August. Unfortunately it's now fire season. It is. We got a red flag warning today in Northern California. Yikes. Yikes is right. So we're at security now episode 9 37 and we're going to go until we have five digits, so nobody needs to worry.
(00:02:55):
Woo-hoo about running out after three.
Leo Laporte (00:02:58):
Steve and I have to making it [00:03:00] to the end of the Unix epoch. That would be good. Yeah, I like that idea. I do.
Steve Gibson (00:03:06):
So this week we have a really wonderful picture of the week in the form of a sort of a techie, what we say and what we mean counterpoint. So we're going to start off by spending a bit of time having fun with that. Then we're going to see whether updating to the latest win raw version might be more important than was clear last week. And while [00:03:30] H T T P S is important for the public internet, do we need it for our local networks? What about using our own portable domain for email? That's an idea. Does Google's new topic system unfairly favor monopolies? And if so, how? If you block Origin blocks ads, why does it also need to block topics?
(00:03:53):
Oh yeah, just how narrow or wide is Voyager [00:04:00] two's antenna beam and what does two degrees off axis really mean? We have the math now thanks to one of our listeners. Do end users need to worry about that Wacky windows time setting mess on their own desktops. And what's the whole story about Eunuchs time in T L Ss handshakes anyway, what can be done about fake mass storage drives, which are apparently now flooding the market? And finally, let's look [00:04:30] at Man in the Middle attacks, thus the name of today's podcast. How practical are they and what's been their history? Interesting. Interesting. You're doing something now that all successful podcasts, TV shows, radio shows do, which is not giving up. Not giving up. Actually you know what, that's number one. It really is longevity, especially in radio and I imagine in podcasting makes a difference. But calling back to previous episodes, [00:05:00] so we have a few topics this week that call back to previous episodes, but if you have missed those episodes, a, you should have listened to 'em, why didn't you listen to 'em?
(00:05:11):
But B, don't worry, we'll fill you in before we get too far. That's right. And if not, you'll have fomo. So fomo, no missing out. Watch out for the FOMO baby. There are 937 episodes. If you have not listened to all 937 at this point, you must go back and listen to them. They're all available at twit [00:05:30] tv slash SSN or on Steve site. And if you don't know what we mean when we refer to the portable dog killer, oh Lord. Oh wow. By the way, I forgot to ask you. You sent me a wonderful fidget spinner when they were big about four years ago. Yeah. Do you still fidget?
(00:05:52):
Yeah, actually what do you use? I have a little fidget ring right here, which is kind of nice because oh, it's got ball bearings [00:06:00] in there and you can spin it. Yeah, so the outer ring spins. Oh, it's kind of cool. Do you keep it on your finger and spin it that way? Yeah, I do. Yes, exactly. Interesting. Yeah, I do not, but should I need, I at some point have the urge to fidget. I have my spinner right here just in case in the drawer. I also, this is sort of related to the little tray at the top of my keyboard, which is just full of little paraphernalia. I don't know [00:06:30] it collects things itself is the keyboard has a tray or just the keyboard holder has a tray. The tray itself is sort of, it was the top of that Northgate keyboard. It had a little tray with clips, thumbtacks.
(00:06:44):
Oh and boy stuff finds way its way in there and then it never leaves covered. MITs exactly. Our show today brought to you by Collide with a K K O L I D E. It's a device trust solution for [00:07:00] companies that use Okta. And if you use Okta Bully for you, I mean Okta's a great solution. It makes sure that nobody could log into your network. It's not who they say they are. It authenticates your users, but there's another step you might want and that's what Collide provides. Not only is the user authenticated, but their device is assured, trusted, and secure and if not, they can't get in. Even if I know who they are, I'm not going to let 'em in with that insecure device. [00:07:30] That is brilliant. If you work in security IT and your company's using Okta, this is for you and it's because I think you probably noticed this when you listen to the show, there's a common thread through a lot of the breaches we talk about and it's employees, users.
(00:07:49):
Sometimes an employee's device gets hacked because of unpatched software plex. Sometimes an employee leaves sensitive data on an insecure [00:08:00] device or an insecure folder, their SS s h private keys in the download folder. In fact, sometimes people don't even secure their SS s h folder. So it's just sitting there. It's an easy thing to overlook. It seems like every day a hacker breaks in using phished credentials. Spearfishing is on the rise big time. It's maybe the number one way companies get hacked. The problem though, I don't want to blame your end users, I don't want to blame your employees. It's not not the problem. The problem is [00:08:30] the solutions you're using that are supposed to prevent and protect you from those breaches doesn't have to be that way. Now just imagine a wonderful world where only secure devices can access your cloud apps in this world.
(00:08:45):
Phished credentials, useless, nothing. And you can manage every oss, including Linux, all from a single dashboard. Plus you can get employees to fix this is amazing. Fix their own device security issues without creating more work for your IT team, [00:09:00] which is great. Now the employees are part of your IT team. In effect, they're on the team helping you out and learning about security while they're doing it. Good news is you don't have to imagine, don't even have to close your eyes. That's collide in a nutshell. That's collide. Visit K O L I D E collide.com/security. Now they've got an on-demand demo right there. You can see how it all works and I think once you see you'll go, a light bulb will go off and you'll say yes. That's the missing piece in our authentication [00:09:30] K O L I D e.com/security. Now it really works.
(00:09:36):
Collide.com/security now we thank him so much for supporting the show and the good work that Steve does. I am prepared now for a rather lengthy picture of the week and I think worthwhile. So it's referred to a spin, right, where you sort of put the best face on something when [00:10:00] you have a need to do so. When we say a horrible hack, what we mean is a horrible hack that I didn't write somebody else's horrible hack. That's right. But when it's a temporary workaround, it's a horrible hack that I did write. Yes. Yes. So when we say it's broken, then that means there are bugs in your code. When we say, well it has a few issues, [00:10:30] then that means there are bugs in my code. Wow. Obscure is someone else's code doesn't have comments. Self-documenting is my code doesn't need comments.
(00:10:46):
That's why it's an awesome language. Says someone which actually means it's my favorite language and it's really easy to do something in it or you are thinking in the wrong mindset is [00:11:00] it's my favorite language and it's really hard to do something in it. So like lisp, like Lis. Exactly, yes. And then we have, I could read this pearl script, which actually means I wrote this pearl script even then sometimes not, but okay. Oh boy. I wrote this pearl script in the last week. Let's make it that. I recently wrote it recently. Yes. And then I can't read this pearl script, which means I didn't write this pearl script or I wrote it last [00:11:30] week. It's impossible to read anybody else's. Then we have, oh, that's bad structure, which means someone else's code is badly organized or complex structure is my code is badly organized.
(00:11:47):
A bug is the absence of a feature I like out of scope is the absence of a feature I don't like. Yes, a clean solution is [00:12:00] it works and I understand it, then we need to rewrite it is it works, but I don't understand it. So then EMAX is better than vi means. It's too peaceful here. Let's start a flea war. Yes. And VI is better than emax means it's too peaceful here. Let's start a flea war and then [00:12:30] of course I M H O is the famous abbreviation, which actually means you're wrong. Yes. In my humble opinion you're following it. That's right. Yep. Okay, then we have a couple that don't have two alternatives. We have legacy code, which actually means it works but no one knows how. And then I love this Leo, we have control X, control C, lowercase, quit control [00:13:00] backslash escape, escape control C.
(00:13:04):
What's that? Which actually means I don't know how to quit vi. Yes, been there, done that. Oh God, so have I. It's like, oh, what do I do? Colon Q. Oh Lord. So what is a suboptimal implementation is actually the worst errors ever inflicted on mankind and then these test environments are too [00:13:30] brittle, actually means works on my machine. Have you tried rebooting? Oh lord. And then we have proof of concept is what I wrote. Perfect solution is how sales and marketing are promoting it. Very nice. Where'd you get that? It's really the table of the week. John Sling pointed out was the table of the week. That was one of our great listeners who ran across it and he said, Steve, I saw this and I thought of you and [00:14:00] I said, that immediately got promoted to the must read on the next episode of security.
(00:14:05):
Now I actually did have something else in place and I was like, no, that'll go next week. This one we have to play with. Well it's funny. It's true. I mean it's all true. Yes, as I said, spin is a thing, right? And it's sort of the nature of politics in the tech world. Okay, so last week I mentioned the recent release of a win RAR [00:14:30] 6.23 and I noted then that it fixed a pair of critical vulnerabilities that could have been used to execute code on its users systems. Well then came the news that this pair of vulnerabilities had been discovered by bad guys and had been actively exploited at least as far as last April, maybe sooner, and that wasn't seen bleeping computer's headline last Wednesday after last Tuesday's [00:15:00] podcast was win raw zero days exploited since April to hack trading accounts and since this really forms a cautionary tale, which might catch any of us if we were to even briefly drop our guard, I want to share some of the details which bleeping computer shared from group IB who were the ones who made the original discovery.
(00:15:27):
I've edited what bleeping computer wrote a bit for the podcast, [00:15:30] but basically what they said was a win raw zero day vulnerability tracked as C V E 20 23 38, 8 31 was actively exploited to install malware when clicking on harmless files in an archive allowing the hackers to breach online cryptocurrency trading accounts. The vulnerability has been under active exploitation since April of 2023 being used to distribute [00:16:00] various malware families including Dark Me GU Loader and the Remco R E M C O S Rat Revert Remote Access Trojan. And really that's got to be one of the best abbreviations or I guess acronyms we've seen in a long time, calling it a rat, which is perfect for remote access Trojan. Anyway, the RO zero day vulnerability they said allowed the threat actors to create malicious RAR and zip archives [00:16:30] containing innocuous files such as JPEG images, text files, and P D F docs.
(00:16:36):
However, when a user opens a file, the flaw will cause a script to be executed that installs malware on the device. Bleeping computer tested a malicious archive shared by group IB who discovered the campaign and simply double clicking on A P D F caused a command script to be executed to install malware. [00:17:00] The zero day was fixed in win rah version 6.23 released on August 2nd, which also resolved several other security issues including this flaw that can trigger command execution upon opening especially crafted RAH file. In a report released last Wednesday, researchers from group IB said they discovered the win raw zero day being used to target cryptocurrency and stock trading forums where the hackers pretended to be other [00:17:30] enthusiasts sharing their trading strategies. Their forum posts contain links to specially crafted win raw zip or raw archives that pretended to include the shared trading strategy consisting of PDFs, text files and images.
(00:17:48):
The fact that those archives target traders is demonstrated by the forum the PostIts like best personal strategy to trade with Bitcoin. [00:18:00] The malicious archives were distributed on at least eight public trade trading forums infecting at least a confirmed 130 traders devices. The total number of victims and financial losses resulting from the campaign are unknown anyway, so essentially there was a file you that was innocent, innocuous, and a folder of the same [00:18:30] name and when you open the file for reasons of this bug, which had been figured out by bad guys, a command script in the folder was executed and would cause malware to be installed on this victim machine. That explains it because we talk a lot about P D F for instance because it's an interpreter, it's really writing it's code and the P D F is [00:19:00] actually code and then the PDF reader is an interpreter interpreting the code, but it's been a long time since I wrote a long time ago an arc decoder, but I remember it was mostly lookup tables.
(00:19:12):
It wasn't really doing interpretation. So this makes sense. It's not that the raw file format is being interpreted, it's that you're including something hidden in the folder that then gets executed and so exactly it was the thing in the folder that got executed and that was unseen [00:19:30] and there was a bug in RAR that allowed a specially crafted archive to cause the folders contents to be executed. And then what it did, even though you were clicking on the P D F, it didn't open and launch the P D F. So the script did that so the user thought that their action was actually successful even though [00:20:00] it was a script that ran that action for them in order to hide the fact of what it was doing in the background. It's an unusually nice finesse because usually they don't care. They've already got you by that point.
(00:20:12):
They got you. Yeah, right. That's nice. Although they're wanting to get in there and then in order to suck someone's cryptocurrency trading out, so they probably do want to be on the DL in order to get that. They don't want to make you suspicious. Yeah, that makes a lot of sense to me. I was wondering if when R had some sort of weird interpreter [00:20:30] built in, but no. Okay. Okay. Think about this. Win R has been around forever. It's a trusted and robust archiving utility. I use it myself because it's highly configurable, much more so than zip for example. And when configured to use large compression block sizes and to generate a so-called solid archive, which is one that's not easily editable after the fact, it could achieve unmatched [00:21:00] compression levels. So naturally it's my choice. So I'm trying to imagine what would happen if someone who appeared to be trustworthy were to post a link to a RAR archive in a public forum.
(00:21:18):
I guess my first thought would be to wonder why it wasn't a zip since that would be more common, but I might assume that the guy was more techie and knew about archiving. [00:21:30] Since Raar does outperform zip, I would hope that I would have the presence of mind to drop anything like that first into virus total for its quick analysis and evaluation. And I'll just note for everyone here that it's possible to avoid even downloading a suspicious file first since virus total can be given a link to download and obtain [00:22:00] and then analyze a file without us first needing to do so. Oh, that's nice. I like that. Yes. So you're able to just right click on the link in the forum, copy the U R L, go over to virus total and then copy that U R L into virus total. It will download it and performance analysis and presumably it would've exploded in red alerts and everything.
(00:22:28):
Do we know that it would've [00:22:30] discovered it? It's able to open all of these archives and self decompressing files and you would see the malicious E X C? Yeah. Yeah. It would've absolutely seen this remote access Trojan and gone warning Will Robinson. Anyway, so in any event, I could imagine that I might open the R file since I trust WIN R and that's really [00:23:00] the crux of it, right? In this instance, my years long trust of a WIN R would've been misplaced and if my guard was down, I might've been bitten. So I'm not sure what lesson we take away from this. Never trust nothing and live in a cave isn't a practical strategy, but being unfailingly skeptical of anything being offered over the [00:23:30] internet by someone who you don't actually know probably is a practical strategy. And in fact, it's increasingly a survival strategy on the internet. And this points to the other mistake those victims made, they didn't really know the person who was offering the download. I mean it was just someone, and that's the whole idea. They wanted what the guy was offering. They couldn't have really known them or they [00:24:00] would've never downloaded the file being offered, or at least they couldn't have had the requirement of really knowing them or they wouldn't have downloaded the file.
(00:24:13):
That old adage of never taking candy from a stranger, it turns out to be as useful for adults as well as it is for children. And here some guy who they didn't really know was saying, Hey, here's my strategy and boy I'm getting rich on Bitcoin, so check this out. [00:24:30] Anyway, I suppose our takeaway is just to refresh our healthy skepticism of the internet and to remember to try to never drop our guard. All it takes, as we've often said is one mistake to ruin our whole day. So anyway, as it happens, I mentioned this update to WIN RAR last week because I'm a WIN RAR user and there were two exploitable zero days [00:25:00] and then it turns out, yep, not only were they exploitable, but they had been actively exploited and were biting people. So for what it's worth, you heard me mention that if you're also a win row user, I would increase the priority of updating your copy to 6.23 because does, it's such an old program, does it actually, it's modern but it's old.
(00:25:20):
Does it automatically look for updates and update itself or I bet it doesn't. No, no, no. Okay. And in fact, it's funny you mentioned that because when I [00:25:30] saw that I opened my copy of WIN RAR and went poking around the help and about and all that, no opportunity to update itself. There is a click to open the website and that takes you then to, it's on you, man. It's on you. Yeah. Check the version number man. And there is a vulnerability. The opposite example of WIN RAR is notepad plus plus, and boy, I don't know what the author of that is doing, but [00:26:00] apparently he has too much free time. Oh, a lot of updates because oh my god, every time I use it it's like, oh, there's a new version. It's like, no shit. Of course there is my Xbox, it's been an hour.
(00:26:13):
I only play a game once every few weeks and invariably they'll say, well, I have to download a 14 gigabyte file to do that. It's like, no, I don't. Please, thank you. Yeah. Now the good news is Notepad Plus Plus is elegant about updating. It'll say I have to close Notepad in order to update [00:26:30] as say, okay, fine. So it closes it and then it updates it, and then it says you want to reopen it. It's like yes. And Notepad Plus Plus does reopen the things that it last had opened. So it's not bad, but the is the more you do these little incremental updates, the more opportunity there is to make a mistake. True. And if somebody were to infect his server and get a bad version in there, you mean the whole world would suddenly have it? Yeah, a man in the middle attack, [00:27:00] something like that. Yeah, yeah. But this is why I like Linux and I like the package manager idea, which is that if you install everything with the package manager, all you have to do is periodically run your package manager and it will update everything that it's installed. That's a very nice Windows is slowly moving in that direction with WIN get, but that's the way to do it, I think. Yep.
(00:27:25):
Okay, so this is another of those episodes where [00:27:30] I recently received so many great feedback questions from our listeners that we have basically have a listener driven podcast, but lots to say about some of the things that they brought up. John May, he sent me an, is it an ex that he sent me? Leo, I hate that. Maybe I got an ex from John May. Anyway, it's actually a tweet but don't tell Elon. He said, Steve, I've been watching SSN since I retired from my IT job in 2020, [00:28:00] in this week's episode 9 36, so that was last week. He said, you talked about H T T P going the way of the dodo if Google has their way, what about on private subnets that cannot be routed over the internet? Why pop a message or hinder access if the traffic is staying local? I have many local devices I access via H T T P and don't want to add certificates.
(00:28:26):
Hopefully these will be exempt. And he said, GLAD 9, 9 9 [00:28:30] is not the end. Okay. So yes, the reason we need the encryption and authentication that T L SS provides to H T T P S on the internet is that the flow of packet traffic between the endpoints is out of our control on public networks and potentially exposed to the whims of bad guys. But that's not the case within a closed private network where the network components and all packet transit [00:29:00] are local, typically kept within a single residence as our local devices such as routers, network attached storage, webcams, home assistance and other I O T gadgets have become more capable. The traditional control panels filled with lights and buttons and switches have all been replaced by webpages published by a simple web server running in the device. And this is the point that John May is making.
(00:29:28):
I'm sure many of us [00:29:30] have had to fight with our web browsers when we wish to connect to a local router or other web interface over a simple H T T P connection. As John May worries, Google appears to be poised to make this somewhat more difficult in the future. Maybe to the extent of saying no more H T T P, I think that's probably going too far. We'll see now one solution would be to [00:30:00] set policy based upon the distinction between publicly routable and private non routable network ipss. And to be clear, when we're talking about non routable ips, we're talking about the three networks defined in the early days of the internet, much to the credit of its early designers because they have so much foresight which were specified by R F C 1918 a low numbered R F C from the beginning. [00:30:30] The most common that we all see when we're behind a consumer router is the address range that begins with 1 9 2 0.168.
(00:30:40):
Actually it's 1 9 2 0.16800 extending through 1 9 2 0.1 6 8 2 5 5 2 55 and that's a group of 6 5 5 3 6. Ipss though for consumer use, we usually keep the third octet fixed, [00:31:00] typically at a zero or a one and use the 2 56 ips by changing the last rightmost lower octet in addition to the 1 92 0.168 slash 16 network, which has been defined by that R F C. It also specifies a private network which is 16 times larger than that one, which goes from 1 7 2 point 16 through 1 7 2 0.31, [00:31:30] and the third and final one is 16 times larger than that one. So it's 2 56 times larger than the 1 92 0.168 network and that's the one that consists of all ips beginning with 10 dot and then all three of the other octets fall within that ten.network. So yes, because none of those will be routed over the internet, [00:32:00] it would be tempting to have browsers willing to simply trust all connections to or from IPS within those three private ranges and allow H T T P connections there.
(00:32:17):
But doing so would mean that we trust every IP within that range. In a small residential setting, that probably makes sense, but many large corporations also use the same [00:32:30] large private network ranges internally for their intranets and in such settings access to raw network traffic is probably not well protected. There's networking closets around where it's easy to tap into the network flow, so eavesdropping over those networks becomes feasible and widely allowing H T T P across large corporate networks [00:33:00] would probably be extending trust too far. We typically don't have such security concerns within a small local network, but adopting a general browser policy of not requiring T L s connections for private networks might be too permissive since not all private networks are as we know, fully trusted. Fortunately, a middle ground that probably makes sense is the use of [00:33:30] a self signed certificate. As we know, publicly trusted certificates are signed by a certificate authority that the web browser already trusts, so the browser inherently trusts any certificates that any of its already trusted certificate authorities have signed. Which brings us to the question who has signed those certificate authority certificates, [00:34:00] which it already trusts. It turns out that in every case the certificate authority has signed its own certificate.
(00:34:10):
Certificate authority route certificates are self-signed and they're trusted simply because they've been placed into the browser's root certificate store. And in turn, that means that nothing prevents an appliance like a router or a NASS [00:34:30] from creating and signing its own certificate. When connecting over H T T P SS with T L Ss, the first time a browser encounters a self-signed certificate, it will typically balk complain and say to its user, Hey, this guy is trying to pawn off a self-signed certificate, which naturally wasn't signed by anyone I already trust. [00:35:00] What should I do? Do you want me to trust it? To which the user can reply, yes, trust this certificate from now on. The procedure varies from browser to browser and by version, but basically the self-signed certificate gets added to the browser's internal store of trusted root certificates and from that point on, it will be possible to establish regular T L SS H T T P S connections [00:35:30] with encryption and a limited level of authentication.
(00:35:36):
I say that it's a limited level of authentication since as long as the device in question keeps the private key of the certificate it created to itself, no other device on the network or anywhere else for that matter can impersonate it. The user's web browser will have stored and been told to trust [00:36:00] the web serving devices matching public key. That's what gets stored in the root store, the public key. So if the user's connection were to ever be intercepted by some other device, there's no way for that other device to reuse the trusted device's public key since it would never have access to its matching private key. So you do get a level of authentication [00:36:30] even using a self-signed certificate as long as the entity which created that self-signed certificate doesn't let go of its private key. Many years ago I used open S S L to create a self-signed certificate with an expiration date 100 years in the future, and I did that because I didn't want to be hassled by the need to keep updating my own self-signed certificate.
(00:37:00):
[00:37:00] That's fair. As it would expire and it worked great at the time. I've not tried to do that recently and I'm wondering maybe somebody knows and will let me know whether today's nanny browsers would complain that the certificate's expiration date is too far in the future. Remember that and maybe self-signed certificates are allowed to be exceptions, but we know that web certs [00:37:30] now can only be valid for up to 13 months in the future. So maybe the day of creating a 100 year life self-signed cert is over. In any event for now, we are able to tell our browsers to trust local H T T P connections, so they're not happy about it, but they'll do it in Firefox. For example, I get a red slash across the [00:38:00] padlock when I click connect to my local as router or my local Sonology nas, but when I connect to my local PF SENSE firewall router, the little padlock shows an exclamation point and if I drill down, like click on the padlock in Firefox and then say, show me more, I get a popup and [00:38:30] I put it in the show notes for anyone who's curious.
(00:38:35):
And what I see is that PF SENSE created a self-signed cert that I previously asked Firefox to trust. And so it says the website is 1 92 0.16, 8.0 0.1, and so that I IP is in the cert and has to match in the same way that a normal certificate has a domain name which has to match [00:39:00] this screenshot from Windows xp. What is it? Looks a little dated, just a little bit dated. I may be wrong, but it's Windows seven. Okay, okay. It's nice. I like it. Anyway, I remember those days. Anyway, and then it says verified by and the verified by where it would normally say DigiCert for example, it says PF SENSE [00:39:30] web configuration, self-signed certificate. Anyway, and I clicked on it. That self-signed certificate is valid from January 3rd, 2020 through January 25th, 2025, so that's not bad. That's four and a half years. That's a nice range.
(00:39:53):
And that does suggest that self-signed certs are allowed to have a longer life than current [00:40:00] certificate authorities signed certificates, which are limited to 13 months. Remember that's that 397 days. So anyway, I noted that Chrome was not happy with the PF Sense self-signed certificate since I had not bothered to also tell Chrome to trust it, but I don't really care. I don't use Chrome that much. Anyway, there is a simple process for adding the certificate to Chrome's root trust store. So anyway, I just wanted to go over that for background. [00:40:30] I can't see any of the browsers removing the ability to add our own trust roots in the form of self-signed certificates. No, you have to and it's something you have that you only need. Yeah, exactly. And it's something you only need to do once for the life of that certificate, so it would be nice.
(00:40:49):
It is on you to go, whoa, this is self-signed, it's my device, as opposed to I'm out on the internet and my sonology lets me do either that or use [00:41:00] Let's encrypt and I actually would prefer to use Lets and Encrypt, but I have to open a port for it and blah, blah, blah, blah. Exactly. It's kind of annoying. Exactly. You have to have a public domain name on the internet in order to do that, which I do and I do, but then the script that it runs has to get out through that port and blah, blah, blah. So I just use the self sign certificate or you just say No. In fact, for [00:41:30] me, I just said, yeah, I don't care if the Sonology NAS has a red slash through the padlock because I'm happy to talk to it on H T T P.
(00:41:38):
I mean, I'm looking at it. It's sitting right here next to me, so no bad guys are in there. Jack Skinner said, Steve, I was listening. Oh, you Leo. It's 36 minutes. Take a break. Let's take a second break. Good thinking, nice time management. Well done. Much better than mine. I usually get to the ads [00:42:00] three quarters of the way and I go, oh God, I got a problem here. Security now is brought to you by Thinkt Canary, which is a gosh, the best little cleverest little device ever. And I know when you've talked a little bit about honeypots in the past, and maybe you're the kind of guy like Bruce Cheswick who just writes their own honeypots, but for the rest of the world, honeypot is [00:42:30] hard to write. Well, and if you write a honeypot, you got to make darn shows. Somebody doesn't break out of the honeypot, right? So maybe instead of doing it yourself, you want to get one of these devices. Most companies unfortunately discovered that they've been breached way too late. Take these scenarios, see how your company would fare last month an attacker, this is a hypothetical attack. 20 year users compromised them and has been reading the company chat [00:43:00] since then, they've been looking through that chat for keywords, embarrassing data, whatever comes up.
(00:43:10):
Did you have some way of knowing that? Or what if your lead developer was targeted and compromised, they were at the coffee shop, right, and somebody got on their laptop. Would you notice when they then log onto your network at work? I can give you a third scenario. [00:43:30] One of your DevOps is running a copy plex, not on his laptop, but on somewhere else on his private network, but he's forgotten to update it for two years and it's got a known exploit that it's been used by a hacker to get into his network and then onto his laptop, and now he's logging into your corporate network. Oops. How would you know? Well, I can tell you one way with canary tokens. Now, we talked about the hardware device, but this is really cool. In fact, when we [00:44:00] first talked about the canary, we talked about canary tokens.
(00:44:03):
The idea that this device then could create PDFs, docs, RO files if you want, that are spread throughout your network. They look like regular files. They are regular files except for that. When somebody tries to open them, they phone home, they go back to the canary here and say, Hey, somebody's opened this document. You might nobody was supposed to. You want to check that out. That is nice. They're [00:44:30] trip wires. You can drop an infinite number of them if you want. I mean, you probably don't want to do that, but as many as you want all over. They even have canary tokens that you don't need the hardware they can phone home with t I think it's better to have the hardware then it looks like it's talking to a local IP addresses instead of the known Thst IP address. The whole point about this kind of security is this is their philosophy at thst trivial to deploy with a ridiculously high [00:45:00] signal quality because you don't want a lot of false positives.
(00:45:03):
Three minutes is set up. You choose what you want these to be a Linux server or Windows server Mines and na. They have the right Mac address. They in every respect, even to a savvy canny hacker look like what they pretend to be, but when they are attacked, when the hacker tries to open them or log in, you'll get a single useful alert that says, you know what? There's somebody on your network. [00:45:30] Almost zero false positives. We've had zero false positives. We've had this on the network for years. We did have one positive, positive and I was really glad to see that and found the device that was scanning our network from within. This is a great way to know if somebody's in your network before they get dug in, everybody who buys a thanks Canary or multiple ones, in fact, you might want many of them all throughout your network.
(00:45:57):
A lot of banks have hundreds casino [00:46:00] backend operations, thousands or a business like ours might have a handful. You get your own hosted management console. You use that to configure the canary. Everyone can be different and also to handle events. Events can come through the console, but they can also use Slog. There's an A P i Webhooks are supported. It can slack you or email you or text you, all of that stuff. There's little room for doubt. If someone browsed a file share and opened a sensitive looking document on your canary, you'll be immediately [00:46:30] alerted and you'll know, Houston, we have a problem. It is rare to find a security product that people actually tolerate, let alone love. But people love their canaries, whether they're hardware canaries like this one VM or cloud-based canaries, they have those now too. They're deployed and yes, I dare say loved on all seven continents.
(00:46:52):
In fact, you can see the love go to Canary Tools slash Love and all the, I don't know what we call 'em, Steve Zes, [00:47:00] I'm going to call 'em Zes, all the zits and the emails full of customer love for Thst and the canary. So how much is it going to cost? You know what? I love this. These guys are very upfront, upfront pricing. You know exactly what you're going to get. Let's say you want five that would be good for a small business or maybe even a medium. SMBs, 7,500 bucks a year for five. You get your own hosted console, you get upgrades, get support, [00:47:30] you get maintenance. You sit on the canary, no problem. They'll send you a new one. It's about the size of an external hard drive. That's what it kind of looks like to me. And it's got two connections, one for power, one for ethernet, and that's that. And it's on and it's doing its canary thing. If you use the offer, go twit in the how did you hear about his box? 10% off the price forever. As long as you use him 10% off, thanks Canary. I guarantee you, you're going to love this. [00:48:00] It's great. But if you don't for any reason want it, you've got two whole months to return it for a full money back guarantee. Full refund every penny.
(00:48:11):
I have to point out Canary, I've talked to things all the time and things folks said, you've been offering this two months money back guarantee for as long as these ads have been on for years. I don't know how many, five, six years they said, no one's ever asked for it, not once. Which tells you that's another way [00:48:30] to know. People love these things. They love 'em, they really work. They're great. Go to Canary Tools slash twit. Don't forget, put twit and how'd you hear it about Box for 10% off Canary Tools slash twit. I mean look, we've said it many times, security is a multilayered process, right? But do you have anything right now that would let you know that there's somebody in the network for sure without bugging you? No. Get it if you don't, you need it. Canary Tools slash [00:49:00] twit, and we thank them so much for their many years of support of security.
(00:49:05):
Now I think this is the only show they advertise on because they know that people listening are security professionals. They know where to go. It's the right audience for them. Yeah, okay, on we go, Zeke, you like Ze by the way. X Z E T Z I Z did it. Yeah, Jack Skidder said Steve, I was listening to this week's podcast. It had some feedback in regards to having third parties host your email [00:49:30] versus running your own. There's a third option, purchase your own domain name and use a third party that allows its use. I do that, right? It's brilliant. Of course. That's like if FastMail went away, it's still going to my email and message address. I just make it go somewhere else.
(00:49:50):
Exactly's ya, duh, thank. Oh, but wait, but wait, if we're using the obfuscated address, that might not work because they have to translate it. [00:50:00] So what I do, which is why by the way, I don't use those weird obfuscated addresses. That one password and Bit Warn and others will let you use. I just have a domain. I won't say what it is. And then I can use anything with FastMail, anything I want at that domain. Multiple accounts, yes. So every single, when I signed up for Verizon, it was Verizon at this, I'll say it LaPorte email. And so every time I sign up for something, it's that person's name or that company's name at LaPorte email. [00:50:30] So I do control that. If Fast Mail went away, I'd still work. It'd still work. Exactly. So he says then if a third party host shuts down, you simply point your domain name to a new provider and you have access to set up and use those email addresses again Anyway.
(00:50:44):
Yes, Jack, terrific idea. It moves a user's email away from an end user's I S P, who we know is probably hostile to having an email server running out of their home. I mean you virtually can't do it any longer, [00:51:00] but the user still maintains full control over their domain. And I did a quick Google search. There's a bunch of email providers. Zoho is one blue something is another. Anyway, there's a bunch that will allow you to bring your own domain to them. And then what you want is the ability to have multiple accounts. And so you just create email accounts and they also talk about having [00:51:30] email routing services and so forth. So anyway, yes, that solves the problem. That's what Mail sponsor does. They do the d n s for at least a dozen of my domains. So I can get email at any of those domains whenever I set up a new website, I don't want to handle the email at that website.
(00:51:47):
I have FastMail to it. And so I can use the MX record to point to FastMail and the other records, the A record to point to the website and being able to use your own name. I mean it's like the reverse [00:52:00] of a o l, right? Yes. It's a good domain instead of an embarrassing domain. No one at this point should ever be using a company's name as their domain for their email. Even if you're using Gmail, you should be using your gibson.com or something. You shouldn't be using gmail.com. That's silly. And also Jack said, he said also related to Google topics with the restriction that an advertiser will only get a topic [00:52:30] if they have first seen that user on a different website related to that topic, do you think that this will give Google added power to be a monopoly in this space?
(00:52:41):
He said it seems like sites will have the incentive to use a single advertiser. So that's sort of an interesting point that that actually had occurred to me before. The fact that an advertiser is only able to obtain topics for a visitor at a given site when that advertiser [00:53:00] has previously seen them at a site that's associated with the topics that were going to be provided favors larger advertisers with greater reach since the user's browser will have encountered that advertiser at many more different websites. Thus they'll be more likely to qualify for receiving topic information about that user. Now the answer to the question Jack asks [00:53:30] at the end is unclear to me that is, he says, it seems like sites will have an incentive to use a single advertiser. If websites are reimbursed by advertisers, based on how well targeted their visitors are, which is to say how many topics are being returned to the advertisers on their site, then larger advertisers having greater reach would have superior targeting.
(00:53:57):
If they were to reimburse more, [00:54:00] then that site might choose to place more of their ads with them than with some advertiser who's paying less. But that logic would appear to apply to just as well to today's advertising climate as much as in tomorrow's topics based system, if that's what ends up surviving. So anyway, it's unclear to me how topics furthers a monopoly, but it certainly does further the larger advertisers, [00:54:30] because the way Google has designed this, topics are being filtered. It's essentially based on the reach of an advertiser. So it does sort of suggest we're going to see further consolidation and fewer larger advertisers on the internet. And I don't really have any basic sense for what the spread of advertiser size and reach and so forth is our advertisers [00:55:00] hugely geographically oriented or oriented by country or language or what. So anyway, it certainly is interesting that we have topics that we do, and I forgot to even bring up the issue of language.
(00:55:17):
Obviously topics would be language independent because it's actually an index number into a list of topics. And so they would be, index numbers are language neutral, [00:55:30] and then the lists get translated into whatever language. So anyway, Don Edwards said, hi Steve, if you block Origin is blocking all the ads on a website anyway, what difference does it make if Google Topics is on or off? He says, as far as I can tell, a typical website, does it use the topics a p i only the sites that actually serve the ads. So if no ads are served, [00:56:00] no topics are registered with the browser. Am I wrong? And anyway, so that's a good point. I said, but this gave me an opportunity to say at least the way I use you Block Origin is to allow acceptable ads. And I've got that in quotes. That's like a term I'm not, and we talked about a long time ago, Leo, back in the ad block plus days, I'm not against seeing ads on websites if it helps [00:56:30] them to generate revenue.
(00:56:32):
And as I've said, I'm not even against them knowing a little something about me as long as it's not invasive of my privacy. If again, it helps them to generate revenue, I am against having things flashing at me and screaming at me and jumping up and down in a futile attempt to get my attention. That's annoying. So there is this acceptable ads initiative [00:57:00] which identifies advertisers who agree not to do any of that. So it's not the case that as a uBlock origin user, I'm seeing no ads. I'm just not being driven into an epileptic seizure by the tame and considerate ads that I do see. And if for anyone who doesn't know about this, it's acceptable ads.com is the site that sort of runs all of this. [00:57:30] And there was some controversy about larger advertisers being able to buy themselves into that list of acceptable ads. But all I can tell you is that when I look at somebody's web experience who's not doing this, it's like I can't believe they survive. And whereas mine, I'm like unconscious of there being any ads. They're just not in any way annoying [00:58:00] to me. So again, I'm happy to provide some support if putting the ad in front of me generates some revenue for the website, great. It feels a bit like a cheat. I'm not clicking on any ads, but fine, I'm happy to pay the price. What brand of coffee do you buy?
(00:58:24):
What kind of laundry detergent do you use? Yeah, fortunately [00:58:30] brands work. I hate to tell you. Yeah, I do. Yeah, I click on the ads. So you mean just sort of seeing it in front of you ads work and then you Yeah, I mean you don't buy no name laundry detergent. You buy Tide, right? You don't go to Joe's Coffee Shop, you go to Starbucks. So the ad doesn't have to work by getting you to click it. I'm not, look, I'm not a fan of ads either, but in fact, I think one of the reasons Netflix and others have done so well without ads is people are thrilled to watch a TV [00:59:00] show. I loved watching The Diplomat without any ads, and you can even see when you're watching these shows, it originally was on what fx you could see where the Denu Mall happens and they pause because it's time to sell Tide and then they come back no ad. In fact, the ad is disruptive that they sometimes go back a little bit in the show to remind you what you might have forgotten watching. Exactly, yes.
(00:59:30):
[00:59:30] If you were the first purchaser of a TiVo, I was second in live because I cannot watch live broadcast television. It's impossible. All I will say though is you can't both not watch ads and complain about the subscription. Somehow this stuff has to be paid for. It ain't free. I know that because twit doesn't exist in a vacuum. We have to either either join the club for seven bucks a month or watch ads. I don't care. You do whichever [01:00:00] one you prefer, but you got to pay. I mean, Steve's not cheap folks. He's not that expensive either. But we got to pay people, we got to pay the lights. Okay, so a bit of math here, which I loved. Philip the Rich, he said, Voyager two's antenna does not produce a pencil beam. The 3.7 meter dish at SSB band, [01:00:30] which is around 10 centimeter wavelength, has a limited resolution of around the arkan of 0.1 over 3.7 or 1.5 degrees.
(01:00:45):
So who knows that might be around 10 DB down at two degrees off axis. So not so incredible that they were able to boost the power to shout [01:01:00] and get a command through to say its beam was off the earth by five au is therefore somewhat misleading. So Philip, I love the math. Thank you. And that does explain why they even bothered to shout at Voyager two. I'm sure they knew exactly how attenuated their signal would be and thought that there was a chance that the message might get through Anyway. Anyway, very cool. We have the best listeners, Leo [01:01:30] Peter Chase said re the Windows time problem. I use an ancient program called Dimension Four, which pulls various time servers. There's an re. Wow. Do you know Dimension four didn't, didn't ring a bell for me. He said it pulls various time servers. He says, in my case, every 30 minutes to keep my computers on time after listening, I went in and turned off set [01:02:00] time automatically in Windows settings. Was this a relevant thing to do or does this issue just apply to servers? Interesting question. Yeah, this dimension four comes from a day when you didn't have N reliable N N T P servers. You could get the time from. Remember, you had to set time in the old days. Yeah, yeah, yeah, yeah. And I remember listening to Wwv Go TikTok, the time at the tone. [01:02:30] Yeah.
(01:02:33):
Okay, so it appears to be relevant. That is this whole s t s thing that we talked about last week. And we'll talk again about it in a second to Windows 10 and on and Server 2016 and on. In other words, yes, I know that my own WIN 10 workstation did have the utilize SS S L time data value in its registry. [01:03:00] So Windows 10 Pro has this s t s time setting. However, this is different from set time automatically, which I believe should be left on. It's right there in the control panel says set time automatically. Windows normally references an internet time server@timewindows.com. So I think it [01:03:30] makes sense to leave that feature enabled. And when I opened my control panel under Windows 10, it showed when the last time that server was pulled and Windows made sure that it was still set correctly.
(01:03:46):
So I would not turn off set time automatically. I would, if you're concerned about this, I would turn off that utilize S S L time data in the registry. It's a D word normally set [01:04:00] to one, set it to zero. And Skynet who tweets from Fairlane 32, he said, Steve, I'm curious, is the s t s feature. He has in air quotes only in domain controllers and we know now that it's not. It's in all WIN 10 and both desktop and server variants. He says, I have two servers running server 2019 standard and they've never exhibited different clocks. [01:04:30] They're not domain controllers. That said, I do have a bunch of Dell plexes and he says, as you know, he's participating over in the spin ride development work. And he said that communicate with one of those servers because of our time and print management software for the public access computers, I have had in the past few weeks a few workstations with an error message during boot up that says, warning clock not set [01:05:00] and giving me the option to hit F one to try again or F two to go into the bios set up to configure the clock.
(01:05:09):
I go to the bios and the clock is off. Not by 137 years mind you, but it's still off after resetting it and rebooting it's fine. Sometimes I don't even bother. I just reboot the machine and Windows booth fine and the clock shows the correct time. Is this behavior because of s t s? No. Or is it the [01:05:30] local c moss chip getting, shall we say, tired and sleepy, which is the case and he says, thanks for the info. Okay, so motherboards generally have a very long life battery, which keeps a very low power oscillator running 24 7 to keep track of the time and date. But the batteries do die over time and sometimes the clock is not read properly. Actually, I recently struggled [01:06:00] with this with spin, right since some motherboards disable hardware interrupts and cause time to be lost while spin right is running because spin right's calling into the bios when it's talking to U S B devices and they literally time freezes from the perspective of all programs running outside of the bios.
(01:06:23):
Hardware interrupts are just off, the keyboard won't work, nothing happens. So I needed to be [01:06:30] reading the motherboards real-time clock on the fly and it turns out many are surprisingly flaky. Part of the problem is that this is ancient technology and the real-time clock uses what's known as a ripple counter instead of what's known as asynchronous counter. With a ripple counter, that means that each digit overflows into the next higher digit so that when [01:07:00] a digit wraps around from nine back to zero, its carry ripples to the next digit to the left in the counter. So it's possible to sample the count while it's in the middle of updating and rippling, and as a result, you'll get a bad time reading. So for spin write, I designed another heuristic algorithm to figure out what time it really was without [01:07:30] being fooled by inaccurate values. And so far it appears that mine was designed somewhat more carefully than Microsoft's that Microsoft did for Windows 10 and later, and for their server super ever is his tweet handle.
(01:07:52):
He said, strangely, the T L SS spec going back to the very first SS S L version one [01:08:00] has a client hello that includes and this he's talking about the handshake that includes the eunuch timestamp but acknowledges this is SS S L version one. The spec acknowledges that clocks are not required to be set correctly. Then he says in 2013 someone drafted an R F C [01:08:30] titled deprecating G M T Unix time in T L Ss, and he includes a link, he says, but it doesn't look like it ever left the draft phase. The acknowledgement of its futility raises the question of why it's there at all. Okay, so this brings us back to last week's discussion of heuristics. I left last week's podcast curious myself, so I did a bit of Googling and digging [01:09:00] around. Here's what I learned. We've spoken of cryptographic protocols which require aons aons standing for a number used once.
(01:09:14):
Typically, naas do not need to be secret, but they do need to be unique. If nonces are not unique, then in the case of T L Ss, this opens the opportunity for replay attacks. [01:09:30] This brings us to the question of how to produce anon that's guaranteed to be unique. One way which was suggested in that earliest SS S L document, SS S L version one, was to concatenate the eunuch time, which as we know is a 32 bit binary count. That changes once per second to concatenate that 32 bit binary count the Unix time with another 32 [01:10:00] bits of random noise. Together they would produce a 64 bit knots. Each endpoints 64 bit knots would be concatenated with the others. That is, that's what the handshakes are sharing. Among other things, they are each sharing their 64 bit knots. They each then concatenate them to produce a final shared 1 28 biton, which is then used to drive the t [01:10:30] l s crypto.
(01:10:32):
Now when you think about it, if the requirement and it's a firm requirement is for an endpoint to never make the mistake of reusing aons, one way to do this would be to start with that 32 bit Unix time, which is going to change once per second, then have a second 32 bit count, which just increments [01:11:00] once every new connection. The only way for such a system to issue a duplicate knots would be for that second 32 bit connection attempt counter to wrap around and return to a previous count before the 32 bits Unix time, which changes every second had changed, which [01:11:30] of course means that you'd have a 32 bit count counting from zero to 4.3 billion before it wraps back around to zero. Do that within a second, 4.3 billion T L SS handshakes for one machine in a second. No, that's not going to happen.
(01:11:54):
So that's a useful solution. You're not [01:12:00] going to get a repeated knots just by taking Unix time, changing it once per second and concatenating it with a connection attempt counter, which is 32 bits. So it's going to have 4.3 values before it repeats. A second will have elapsed before that 4.3 billion count has had a chance to wrap around Now, okay, somebody might suggest that using a simple counter to form the second half of that 64 bit knots [01:12:30] is a bad idea since it would make the system's knots easily predictable. Now, that's not a known problem for T L Ss, but known problems have a tendency to become or unknown problems have a tendency to become known problems. So there's a simple and secure solution. Take a 32 bit cipher using a randomly chosen key and use that to encrypt a 32 bit counter to produce an unpredictable [01:13:00] sequence of 32 bits that would therefore never repeat in less than 4.3 billion uses.
(01:13:08):
Okay? Anyway. But here's the point. The only requirement for that 64 bit handshake knots is that it never repeats. That's it. The use of E'S time has always merely been a suggestion in the t l s specification, not a requirement. [01:13:30] Interesting. It was just one way that this could be done, which is why the open SS s l folks decided to never do it back in December of 2013, so nearly a decade ago, right? Because here we're in 20 23, 2 guys, one with the tour project and the other with Google produced that T L S working group internet draft standard with the title deprecating G M T [01:14:00] Unix time in T L s and the brief abstract, it's one line, or it's actually two lines, reads this memo deprecates the use of G M T Eunuchs time field for sending the current time in all versions of the T L S protocols handshake.
(01:14:19):
A rationale is provided for this decision and alternatives are discussed. Okay? I'm just going to share the introduction. It's three paragraphs and it's interesting. They wrote [01:14:30] a decade ago current versions of the T L SS protocol dating back to the S S L 3.0 describe A G M T Unix time field sent in the clear as part of the T l s handshake and we know that it actually goes way back to S SS L version one, but they're only talking about what was then current. While the exact format of this field is not strictly specified, typical implementations fill it with the time since the Unix [01:15:00] epoch January 1st, 1970 in seconds. This practice they write is neither necessary nor safe. Wow. Yeah. According to R ffc 2, 2, 4, 6, the T L S protocol version 1.0 G M T Unix time holds the current time and date in standard Unix 32 bit format.
(01:15:25):
Second, since the midnight starting January 1st, 1970 G M [01:15:30] T, according to the sender's internal clock, they're still quoting from the spec clocks are not required to be set correctly by the basic T L SS protocol. Higher level or application protocols may define additional requirements. So they said this text is retained unchanged in R F C 43 46 and R F C 42 46, [01:16:00] meaning subsequent iterations of the T L S spec. They said the G M T UNIX time field was first introduced in SS S L 3.0, the predecessor to T L S 1.0. The field was meant to preserve the protocols robustness in the presence of unreliable random number generators that might generate the same random values more than [01:16:30] once. If this happened, then S S L would be vulnerable to various attacks based on the non uniqueness of the random fields in the client. Hello and server.
(01:16:43):
Hello messages. Using the time value in this way was meant to prevent the same random value from being sent more than once, even in the presence of misbehaved random number generators. So [01:17:00] we spent a lot of time in the early days of this podcast talking about bad random number generators and how easy and common it was to have them. So the idea was pair up a 32 bit random value that may not be that random with something that is incrementing once per second because that way, even if the random value comes back around before too long, at least the time will have changed. So the [01:17:30] concatenation, the 64 bit concatenation of those 2 32 bit values will itself be unique. So anyway, they go on to explain that. As I suspected and mentioned last week, one of the problems with using Unix time was that it could make clients identifiable by serving as a form of fingerprint, but mostly they noted that the only reason for using Unix time was that it was a convenient [01:18:00] means for changing the bits in half of the 64 bit knots every second to protect against a repetition in the other 32 bits from a poor random number generator.
(01:18:11):
Okay, so this brings us back to Microsoft. The bottom line is that Microsoft incorrectly assumed that every incoming T L S connection was supposed to contain the 32 bit Unix time [01:18:30] of the other machine that it was connecting with. And now we know that's not true. It's at best a suggestion and a convenience for the implementation. The original spec even explicitly states that connecting machines are not required to have the correct time, and that's still in today's spec. It's just meant to be an incrementing value. I'm certain that Microsoft built in some sanity filtering of their own. That's why [01:19:00] it mostly works. And then they have that confidence level heuristic that we talked about last week, but the underlying assumption that handshakes will contain G M T time, especially when the massively popular open SS s l doesn't, that's flawed. And then as we've seen, they're apparently shockingly stubborn about fixing this issue.
(01:19:27):
It's hurting their users and they apparently [01:19:30] refuse to care. I wanted to close the loop on the question of T L Ss handshakes and Unix time and now we know what's going on. Okay, now, Leo, last week I mentioned that I had a tantalizing something else that I wanted to share about spin, right? I've been on Tenter hooks ever since. So let's take our last break and then I'm going to talk about something that we discovered, which is really quite terrifying. Oh no. [01:20:00] Oh yes. That's a good tease. That'll keep people listening through the commercial. You're good, you're good. Steve Clarification coming up. But first a word from our sponsor, the folks at the Building Cyber Resilience Podcast, the world is hyper connected like never before. This advanced technology-driven landscape we all are living in is creating smarter businesses that's good to better serve customers.
(01:20:30):
[01:20:30] But along with all that smarts, as you know, if you listen to this show, come a few threats. That's why you want to listen to the Building Cyber Resilience Podcast hosts Dr. Anne Irvin. She's a, by the way, she's one of my favorite specialties. She's data science, chief Data Science at Resilience and VP of Product Management at Resilience. And Rich sson, who's the chief risk Officer, that's a good title too. I like that. C r o talk about the positive outcomes of developing [01:21:00] risk management and utilizing data science across industries to create a smarter business. That's two great people for this show. And then they bring in experts and innovators in the field of risk management, cybersecurity, and data science to discuss the changing cyber landscape and its constantly evolving risks. How are businesses beating the bad guys that are trying to harm the bottom line?
(01:21:24):
How are businesses managing risk and crisis without materially impacting the value to their customers? [01:21:30] You can't give that up either. The Building Cyber Resilience team answers these questions and more in a very recent episode. Ai, they talk about AI too. Who doesn't these days will chat G P T, replace the underwriter? I never even thought of that. The hosts talk to a very, this is a great guest, the chief strategist of AI and machine Learning for Ready, the United States Department of Defense [01:22:00] who knew they had a chief strategist in charge of AI and machine learning. Wow. They also talked to the C R O of symmetry systems. They discuss AI for cyber attacks, how it affects defensive roles and security. This is very timely and it was fascinating. Listen in, learn how you can build a cyber resilient organization. Search for building cyber resilience, building cyber resilience.
(01:22:25):
You can look forward on Apple Podcasts, Spotify, whatever you use to listen to podcasts. [01:22:30] And we do thank the Building Cyber Resilience podcast for support and security now and we're glad to support 'em right back. We'll also put a link in the show notes that might be the easiest to go to. TWIT TV slash ssn. Thank you Building cyber resilience. Anne and Dr. Irvin and Rich, we appreciate the support and I hope everybody will listen to the show. Now I'm on Tenter Hooks, Steven, tell me. Okay, so I mentioned last week [01:23:00] that I had something else I wanted to share. One of our very prolific testers whose handle in our news group and in GitLab is Milq at lowercase Q. That's just how we've always known him. He reported a month ago on July 27th that one of his oldest, actually his oldest 2 56 megabyte flash memory devices, megabyte flash memory devices was showing [01:23:30] up red in spin, right?
(01:23:33):
Red means that there's something spin right doesn't like about the drive. None of his other U S B flash drives had any trouble. Just that one. Now, one of the great things about GitLab for me is its issue tracking. I'm desperate not to let any problem fall through any cracks, but I cannot be everywhere all the time. As it happened when milq filed this issue [01:24:00] that the gang was testing the latest spin right build while I was working on the Windows app, which installed SPIN right onto U S B drives DiSette and CDs to make them bootable. So the DOS side wasn't where I was focused at the time, but once the Windows utility was ready for its first testing, I turned the gang loose on it and switched back to spin. Right? The error that spin right was reporting was that Milk Q's flash drive [01:24:30] had failed spin right's transfer confidence testing, although spin right would allow the user to retry the test or even to push past the failure if they want spin, right?
(01:24:43):
Couldn't vouch for how it was working with that drive. Now remember that I mentioned last week that spin right now has an extremely flexible driver that learns about the environment it's in in order to make absolutely positively [01:25:00] certain that the driver has settled upon the right parameters for a drive and controller. It performs a series of confidence tests on each drive. It encounters it first fills a nine sector buffer with pseudorandom noise and then copies it to a secondary buffer. It then goes to the end of the drive to read the drive's last nine sectors into that first buffer, [01:25:30] which should overwrite all nine sectors of that pseudorandom data that was preloaded there. It then compares the two buffers to verify that none of the sectors match that assures us actually assures spin, right? That reading from the media into RAM is actually happening because the reed will have changed all nine sectors [01:26:00] of the reed buffer, which will then no longer match noise that was preloaded there.
(01:26:07):
It then takes the nine sectors that it read and copies them into the secondary buffer. It inverts the primary buffer and writes the nine sectors of inverted data back to the drive. It then refills the buffer with new pseudorandom data, then rereads the data, which it just [01:26:30] wrote, which should now be inverted if it was actually written over the buffer. So it then reverts the buffer and then compares all nine sectors with the original drive data that was first read and saved. And it verifies now that all nine sectors match between the two buffers and finally it rewrites the originally red data back to the drive, restoring it to its original contents. [01:27:00] Okay, now spin right goes through those gymnastics to absolutely and positively confirm that it's able to properly both read and write to the drive across multiple sectors. Those tests and comparisons will fail unless everything is working.
(01:27:23):
There are a number of other things that spin right does after that. But it was that confidence testing that Mill Q'S flash [01:27:30] drive was failing. And what's significant is the drive wasn't complaining. The drive was saying everything was fine. Now, several years ago, I might've doubted spin write more than the drive, but we now have 764 registered users in GitLab. So spin write has been quite well pounded on by this point and we don't see drives failing. This stood out. It was completely [01:28:00] unusual. I should note that read and write errors reported by the drive are fine if they occur at the time. If the drive says that it's unable to successfully read or write, that's no problem since that's not what we're testing for here. So spin right will simply move nine sectors over toward the front of the drive and try again. And this entire process is [01:28:30] tolerant of storage errors. Again, that's not what we're looking for.
(01:28:36):
So here's the gotcha of milk queue's drive. It was failing this test and was not reporting any errors. Spin Wright told it to read nine sectors and it said it did. And Spin Wright confirmed that nine sectors had indeed been read then Spin, right told it to write nine sectors and it said it did. [01:29:00] But when Spin Wright asked it to read those nine sectors back, they were not the nine sectors that had just been written. This drive was accepting read commands and write commands and apparently ignoring the right commands. Since Spin Wright now has the ability to check an entire drive this way, MILQ started spin right at its new level five, which reads, [01:29:30] inverts, writes, reads, and verifies, then re inverts, writes then rereads and verifies what Milq discovered. Was it exactly the halfway point. The drive silently stopped writing. It also sped up considerably, which was interesting.
(01:29:53):
Well, it wasn't doing anything else exactly. Since writing to flash is much slower than reading. [01:30:00] So Milli Q's drive was labeled 2 56 megabytes and a query for the drive size, which is what Spin right did declared itself to be 256 megabytes, but it was only storing 128 megabytes. And here's the real gotcha. No operating system would detect this. Operating systems assume that unless a drive reports an error when writing [01:30:30] data, that data was properly written and modern drives take on a lot of responsibility for making sure that that statement is true. What was diabolical was that the drive appeared to be functioning perfectly. It was formatted with a fat file system and Milq had used it to successfully store and retrieve a great deal of data through the years, but perhaps he'd never stored more than 128 [01:31:00] megabytes of data there. Now, when this was discussed with GRCs spin, right.dev Newsgroup, many people there, some who have a deep background in data recovery we're not the least bit surprised because it turns out that, and this is why I'm bringing this up, there is an epidemic of fake drives flooding the retail market.
(01:31:27):
I suppose in retrospect, we should [01:31:30] not be surprised, but I wanted to make sure all of our listeners were aware since the fat file system, which is the default file system for all such drives because it's universal, the fat file system places all of its file system metadata at the front of a drive. The famous fat stands for file allocation table, which is what gives the file system its name and [01:32:00] the route directory and so forth are all written at the front of the drive. A 16 megabyte compact flashcard might have its firmware tweaked to lie about its size, then be relabeled and sold as a 512 megabyte compact flashcard. Such a card will format without any trouble and it will appear to be working [01:32:30] perfectly. Then a wedding photographer sticks this brand new card into their camera and spend Saturday taking photos before, during, and after a wedding only to later discover that although a directory listing shows that all of the photos taken are there, the actual content of those files is not, [01:33:00] and those precious memories are irretrievably lost forever, this turns out is a surprisingly common occurrence.
(01:33:09):
Just Google, fake Ss s D or fake thumb drive and be prepared to get bored scrolling the screen. It is endless. When this came up last week, I jumped onto Amazon and purchased the cheapest two terabyte thumb drive [01:33:30] they had. It's silver and beautiful. I have a picture of it in the show notes. It's got that blue U S B tongue to indicate U S B 3.0 and that two terabytes cost me $26 and 88 cents. And that's when your troubles began exactly by the way you said in retail. But I think Amazon is probably the source of 99% [01:34:00] of this crap. And eBay, Amazon and eBay. Oh yeah, eBay and I guess Alibaba if you bought stuff there. Yep. Alibaba and Ally Express. Exactly. So this thing arrived last Friday. I plugged it into spin, right? And the screen immediately turned red. That drive immediately failed spin right's, end of drive data storage test.
(01:34:26):
I was curious about what it was doing. So I stepped through the writing and [01:34:30] reading and writing process at the end of the drive and its behavior was really bizarre. It seemed to sometimes write but not reliably. And as I kept poking at it, it suddenly stopped failing and it began working correctly, at least for those nine sectors at the end. Were some bad spots, remapped. So they're now good maybe. But remember we're talking about [01:35:00] if you want to believe this, 16 trillion bits of storage. That's right. Two terabytes, right bytes. So eight bits in a byte, 16 trillion bits of storage in a tiny sliver of metal enclosed plastic. I'm skeptical that such a drive contains much wear leveling technology or much technology at all. I'm actually skeptical that it contains 16 trillion [01:35:30] bits, but we'll get to that in a moment. What I know is that it was not initially working and that a bit of exercising, it sort of began to appear to work, at least at the end of the storage region.
(01:35:44):
Who knows if other unexercised areas of the drive function similarly, relying upon this brand new drive from Amazon would be a disaster. We know that. And remember writing to it and reading from it produced no [01:36:00] errors. That is it just said, yeah, fine. Got the data, move along. Everything's working. That's what's scary. Yeah. Yes. So there's no indication that it's not storing everything when in fact it may not be storing anything. Now, one possibility is that not all flash storage is created equal. Chips are manufactured in large wafers that cut into individual pieces and tested. So [01:36:30] there's some manufacturing testing that's done to qualify each chip for sale. What happens to chips that fail to make the grade say that they don't get an F, but perhaps they get a D minus? You have to imagine that there's a market for chips that fail to make the grade.
(01:36:50):
Someone will buy them and package them for sale on Amazon or eBay or AliExpress or Alibaba. It looks like memory. It [01:37:00] just isn't very good or reliable and maybe it isn't memory at all. But I think this is a relatively new phenomenon that has arisen in the last few years. I'm inclined to believe that Mill Q's drive, since it is so very old, may have just failed. It probably once was a 2 56 megabyte drive and the chip that was providing the second half of its storage died. [01:37:30] But there's absolutely no doubt that fake mass storage is a very real problem today. And Leo, I have another picture in the show notes. If you scroll down a bit, this was sold as a high-end SS S d for those who can't see the picture, are those matchsticks in there? What the hell? What is this? So that is an SS S D case.
(01:37:55):
It was sold as a high-end SS s d, that's ballast to give [01:38:00] it some weight. Oh my God. And then it's all held together with glue stick With hot glue. Hot glue. Yep. So that's a thumb drive that was stuck a little to A U S B to U S B adapter. They even ran the wires from the light of the back of the thumb drive older around to an L E D. They took the extra time exactly so that this thing would flash. [01:38:30] Oh my god. And if you didn't know, I mean, so somebody purchased this believing that it was an S S D with all of the endurance and longevity that you would to make it feel heavy. They've got a couple of little bolt of nuts in there and I don't know what those copper things are, just some crap lying around the shop just to give it some weight. Just some heft. Yep. Oh my god. So it doesn't feel empty and then they glued it down so it wouldn't rattle.
(01:39:00):
[01:39:00] Exactly. Wow, this is awful. This is what is out there, Leo. So this could be a big money maker for you if spin right could somehow, because obviously the drive controllers are trusting the drives and the drives are lying. It would be really valuable if spin, right, could actually check and see what the capacity of a drive was. So the first question is how can we tell if a solid state memory is fake [01:39:30] depending upon the cleverness of the memory controller, which is to say to which lengths its perpetrator goes. There's actually only one way to know for sure, which is to simultaneously have every sector of the memory committed and in use, and then verified you'd fill the entire memory with deterministic pseudorandom data. That's not ideal. That's going to take time [01:40:00] and wear it out. Yes. Well, one, yes, one pass of writing. But you're right, it's not ideal. This is done to prevent data compression, which is apparently another trick which is being employed by some cheaters. So the amount of data you can store is a function of what you store because they're compressing the data that's also been seen. So once it's filled in this way, the entire memory would then be read to [01:40:30] verify that it still contains the deterministic pseudorandom data.
(01:40:36):
This is the capability and the capacity that the memory claims it offers. And of course, it's what you believe you've purchased. Anything less is a cheat and there's actually no way to fake out that test. Now, if you really want to know for sure, it's necessary to do this because a much smaller memory [01:41:00] could be arranged as an M R U A most recently used cache so that if you moved through the memory reading and writing it piecemeal, that would be fooled even though the entire memory could not be used at once because it didn't exist. Okay, now, Leo, I'm right where you were performing. This true full test is beyond the scope of spin, right? Six one. But now [01:41:30] that I know this is happening out in the world, spin right seven is going to incorporate this full pseudorandom fill and verify technology because this is the sort of ultimate assurance that spin right should be able to offer.
(01:41:44):
Now having said that, in today's reality, it seems unlikely that scammers are going to go to the trouble of engineering and M R U cash to fake out lesser tests as it is today. Spin [01:42:00] right six one will instantly disqualify any fake storage that places its reduced memory at the front of the drive. Now it could place some front and some at the end and then spin, right? Wouldn't detect that seven will. And so I forgot where I was going to say. Oh, so six one would instantly detect it if there's no storage at [01:42:30] the end, just as it did with mill queue's drive. And since this has been a recognized problem for a while, a handful of freeware utilities have been created to detect fake solid state storage. I've not looked at them, so I can't vouch for their operation or behavior, but they do exist and they're easy to find.
(01:42:54):
So I don't know what I purchased from Amazon for 26 88. [01:43:00] It looks all shiny and new, but no way can that be trusted to store data. I have a feeling that I'm going to run a little test of my own in the background to fill that drive with serialized data and see if it actually can be read back after it's been written. We'll see. But we do know that it was not generating an error when I [01:43:30] was telling it to write something and it said it did when in fact it didn't. This is really problematic because there's really no way to tell nope what you're getting unless you, I guess you could open it up, but even then wouldn't necessarily tell you anything. Nope. I bought a 10 terabyte drive a while ago and for the longest time I couldn't figure out why my SONOLOGY wasn't working.
(01:43:53):
And I realized with this, and I says, this drive is not doing 10 terabytes, not doing what it said it was going to do. And I wonder if that was also [01:44:00] a scam drive brand name. I think it was probably a Western digital red. But who knows? It could been it was bought on Amazon. Some guy could have taken a label and stuck it on. Well, and remember we once talked about and showed on the show a Seagate Drive where the word Seagate was misspelled. Misspelled. Yeah. Because it looked close enough. So unless you looked very closely, you didn't realize, I know you're going to put this in seven. Couldn't you just write a little utility [01:44:30] just like Steve's little utilities that just filled the drive up? Just said, yeah, I see I'm able to write a terabyte worth of stuff here. Well, in order to do it right, it needs to be fast.
(01:44:45):
These drives are big and it needs to follow that fill with a complete trimming of the drive to formally release all the storage and show that it's no longer in [01:45:00] use. This is a real problem. It is a real problem. Golly. Yeah. Oh, well. Whatcha going to do with that two terabyte thumb drive? I'll take it off your hands if you don't want it. I could use the storage. Oh Lord. Wow. I know. Alright man, in the middle time. And finally today's topic, the [01:45:30] man in the middle was inspired from another question from one of our listeners, John David Schober. He said, Hey Steve, quick question regarding insecure H T T P traffic. Even if the site has no user interaction like logins, wouldn't it being H T T P still put the user at risk for malicious injection of stuff like JavaScript miners or overriding downloads [01:46:00] to include malware?
(01:46:02):
Seems like something that HTTP S would secure even if the site were just read only. Okay, now that's certainly a great point and many of our listeners wrote to say the same thing. So I just chose John's at random to represent all those who asked essentially the same question. And everyone is correct in their observation that the lack of authentication and encryption would mean that if someone could arrange to place themselves [01:46:30] in a man in the middle position and intercept traffic flow in an intelligent fashion, then an unsecured conversation could be altered. So I wanted to take a moment to expand upon this to first establish a bit of perspective and to also examine the practicality of man in the middle attacks, which are I think far more easily said than done. It's their practical difficulty that explains [01:47:00] how we survived in a mostly unsecured internet until Let's Encrypt came along relatively recently.
(01:47:11):
We should remember that the lack of persistent encryption was the way most of the internet worked until only very recently. And things mostly worked just fine without everything encrypted all the time. As those of us who've been around for a while will recall it was once the case [01:47:30] that encryption was only employed on most websites when a login form was being delivered and its user's name and password contents were being submitted. The sense was that it was only during that brief interchange where eavesdropping really needed to be prevented. I'll be the first to say that was probably never really true. But at all other times, most websites were using more economical H T T P connections [01:48:00] whose traffic was not safe from even eavesdropping. Our long-term listeners will recall Fire Sheep. That was a Firefox add-on, which provided a convenient user interface for hijacking other people's logged in session cookies and thus their logged in sessions.
(01:48:21):
As I reported at the time, I tried it at my local Starbucks. And that is a brand we all recognize. I never impersonated [01:48:30] anyone of course, but the Fire Sheep web user interface quickly populated with all of the logged on accounts of the other patrons with whom I was sharing free wifi. And all I would've had to do was click on one of those icons to be logged into the websites they were using as them. It was a sobering experience. Now today, thanks to the pervasive use of T L s and H T T https, [01:49:00] we have communications privacy. So that scenario cannot happen. So it's definitely a good thing that we have more security today than we did in the past. No question about it. But the use of http SS and T l s is also, let's remember, not an absolute guarantee. I'll remind our listeners of something that we covered at the time a few years ago, the headline of a story in bleeping [01:49:30] computer read 14,766, let's encrypt SS S L certificates issued to PayPal phishing sites 14,766.
(01:49:48):
Every one of those connections to those 14,766 sounds like the number of votes I need. Fake PayPal sites [01:50:00] was authenticated, encrypted, super secure, immune to any man in the middle, interception and malicious. So just the fact that we have the padlock glowing and happy doesn't mean we're okay. We know that the reason our web browsers have been gradually downplaying the increasingly [01:50:30] pervasive use of the H T T P SS that they've been driving, which boasts its padlock, is to not give their users users a false sense of security just because there's a padlock and all is well. Well thanks to let's encrypt, that may not be the case. So how was it that we survived as long [01:51:00] and as well as we did before most websites had their communications encrypted all the time? The answer is there is a world of practical difference between passive eavesdropping, which is trivial.
(01:51:17):
You can do it in your local Starbucks or could and active interception eavesdropping as in the fire sheep example, is trivial. Whereas active traffic interception [01:51:30] is not something that's practically available to common malicious hackers. And that explains how the preen encrypted internet managed to survive until we got it encrypted. I've often talked about practical traffic interception. Once upon a time antiviral content scanners were installed at the network borders of corporations to maximize and filter [01:52:00] all of the traffic passing through on the fly. Encrypted connections, however, posed a problem. So the solution was to create middle boxes, which would fully proxy such connections by intercepting and terminating the T L s handshakes at the box, then establish a second connection to their user's browser within the organization. Since the traffic intercepting middle box needed [01:52:30] to create certificates to stand in for those remote websites, it was proxying.
(01:52:36):
They needed to have some means for browsers to trust the certificates they were creating and presenting. The controversial and underhanded way this was done for a while was by obtaining a certificate from an already trusted certificate authority where that certificate itself had bits set in it, which permitted it to sign [01:53:00] other certificates. In that way, it was possible for the middle box to transparently create certificates on the fly as if it were a trusted authority. The industry quickly clamped down on that practice. Since allowing random hardware to create globally trusted certificates was extremely dangerous and prone to abuse. So today, any T L SS proxying Middle Box that wishes [01:53:30] to create trusted certificates on behalf of other websites can only do so by installing, you guessed it, its own self-signed root certificate into every browser's trusted root store. Nice callback, Steve.
(01:53:49):
This essentially makes it a trusted certificate authority, but only within the organization that's behind it being protected by it and [01:54:00] whose browsers have installed its certificate. So both in the earlier unencrypted days and today when nearly everything is encrypted, it's possible and practical for hardware to be installed into a network which allows for traffic, interception, filtering, and potentially alteration. But again, such interception hardware resides in a privileged position that is not available [01:54:30] to common hackers. I was trying to think of an instance where traffic was actually being intercepted against the wishes and best interests of its users. And I remembered that there was a time when some slimy ISPs were caught injecting their own crap into the UN H T T P web pages of their customers. [01:55:00] Now, there is a perfect example of why we would want and would benefit from having end to end encryption of our web traffic.
(01:55:11):
No one wants to have their I S P monitoring their activity, literally everything that they do, let alone injecting their own crap into content that our web browsers receive. So yes, there's an example which was not theoretical of an entity in a privileged position. [01:55:30] Our I S P whom we're paying to carry our data and connect us to the internet betraying our trust and not only spying on our activity, but injecting its own traffic into our connections. Again, to actually pull off a man on the middle attack, however, requires that the attacker arrange to have a privileged position where they're able to intercept, capture, buffer, analyze the traffic that's flowing past. [01:56:00] It is easier said than done, but as we've always seen where there's a will, there's a way. And as those examples show, adding encryption to connections makes that job decidedly more difficult In doing a little more brainstorming, I came up with one way that Google's new always try http SS first approach would help.
(01:56:26):
One of the other attacks we've talked about in the past was the protocol [01:56:30] downgrade. In such an attack, an attacker would arrange to convert all of a webpages, H TTP S URLs to H T T P. The browser wouldn't know any difference and would make its queries over H T T P. But with Chrome's automatically trying HTTPS upgrade those rewritten http, those rewritten HTTPS would be treated as [01:57:00] https, thus thwarting the attempt to downgrade connections for the sake of keeping a browser's communication unencrypted. I think that what Google is doing is a good thing. Trying to upgrade an HTTP U R L to HTTPS prevents any protocol, downgrade, horseplay, and provides more security for its users. And like many of our listeners who hope that we don't lose all [01:57:30] use of good old H T T P, especially for local connections to our own appliances where encryption and authentication offer little if any value, I doubt that losing H T T P is in the cards anytime soon.
(01:57:45):
After all, it took quite a while for F T P to finally be deprecated and removed from our browsers. And the file transfer protocol was never as popular as H T T P remains today. [01:58:00] Actually, I'm somewhat surprised by Google's statement that five to 10% of their traffic that their monitoring of Chrome's own users remain over H T T ttp. That seems surprisingly high today. It can't just be all for me clicking on my, but it would include that my non-encrypted Yeah, it would include that. And I think we've talked about this before. Somebody said that in enterprise [01:58:30] it's very common that you would have a H T T P link because it's within the network of the company. Okay, that makes sense, right? That intranet traffic would not be encrypted. Yes. Right. Anyway, so to answering that question, does everything need to be HTTP s?
(01:58:49):
I'm still not convinced. I understand the arguments and I agree with our listeners who pointed to the potential for man in the middle attacks. We've just reviewed how difficult but possible [01:59:00] such attacks actually are. They require an attacker to be in a privileged position with some serious hardware. H T T P S makes that more difficult but not impossible in every case. It seems to me that the way things are today is probably right. If some random website, like the example I gave last week of c time.com, which publishes that wonderful list of PC and Doss interrupt [01:59:30] APIs, if they don't care enough to encrypt their site, even now that certificates to do so are freely available with minimal effort, then that ought to be up to them. Am I going to avoid using such a site because it's not encrypted? No, I am put in much greater danger by downloading files over H T T P SS from file archives.
(01:59:56):
That's truly terrifying. And I avoid doing so [02:00:00] at all costs, but sometimes there's no choice. And of course, the first thing place that file goes is over to virus total to have it scanned to make sure that as far as anyone knows, it's okay. As for H T TTP only sites, I think it ought to be the sites and their visitors' decision whether the site wants to remain unencrypted and whether their visitors want to visit overly demonizing. The lack of authentication and encryption to me seems wrong, [02:00:30] especially when Let's encrypt is cranking out fraudulent t L s certificates at a phenomenal rate, which are then being used to spoof legitimate websites which have full authentication and encryption. So there, yeah, I mean this always bugged me.
(02:00:58):
I'm reading, I've mentioned this many times, [02:01:00] but I'm reading a book about political power called the Power Broker about a guy who designed New York City over the wishes of the electorate because he wasn't elected. But the big question is, do the ends justify the means? And so this always bugged me that Google the ends, Google was going for made sense. HT P T P S should be everywhere, but the means bugged the hell out of me, which is we [02:01:30] will give you a better ranking in the search results if you do H T T P S because there's two shouldn't be related. They're using their power and it's a way of using your power to achieve something that on the face of it is good, but is it ever okay to misuse your power even if the ends do, the ends justify the means? And it really bugged me, and I still don't think so.
(02:01:55):
I agree. And in fact, if you've just summed up [02:02:00] exactly what infuriates everyone about national politics is a constant display of the people who have power abusing that power. Well, and if you read this book, you realize it's much worse than you thought. And the guy who wrote it, Robert Caro, is now working on, he's got four volumes out a fifth volume on his L B J biography. And there's a perfect example of somebody you could look at and said, in many cases what he did, like the Civil Rights Act [02:02:30] really was great. But then if you look at the means, he was very corrupt. And is it okay ever to use your power in that way? And I don't know if it is, I think it ends up tarnishing the ends. No, it's about ethics, right? It's sort of a beginning to be a lost form.
(02:02:55):
Well, that's really the eyeopener on this Robert Moses book is [02:03:00] politics has always been this The worst. Just the worst. And it's filled with people who have that notion that, well, okay, it's okay to cheat and lie and steal a little bit. I'm trying to do something good here. And that's the problem. That's the problem, Steve. Always really a great show. This was really fun. I'm so glad that we are going to continue on. Here we are at 9 37. It's right about now that I would start to be thinking there's 62 more episodes. [02:03:30] I don't know. Yep. I couldn't stand the countdown. No, I don't want the countdown. It's gone. And you know what? As I said, you can quit at episode a thousand if you want. You're only really obligated to go to a thousand and then you've satisfied your promise. No bait and switch here, baby.
(02:03:48):
Well, that's not even bait and switch. And if at any time it becomes onerous, you just say, yeah, I think I do want to retire. I feel the same way. I'm going to keep doing this as long as [02:04:00] it's fun. As soon as it's not fun, there's no reason to beat yourself up. Although you are making a major public service. So maybe you should. Anyway, if you will, I like this show. There's a couple of ways you can support it. First of all, go to Steve site grc.com and buy a copy of Spin, right? His bread and butter is what pays this guy's bills, puts his ham sandwiches on the table at lunch, grc.com. Spin Write 6.0 is the current version. 6.1 is coming, [02:04:30] you will get a free copy if you buy today of the next version, and you'll get to participate in its development. What's his name?
(02:04:39):
Milq. See what a contribution Milq made, right? Yeah. There you go. Got a whole thing going out of that. grc.com. While you're there, pick up a copy of the show. Of course, he's got that too. 64 Kilobit Audio. That's the standard version, but he also has 16 Kilobit audio. No one's got that. [02:05:00] That's for people who don't have a lot of bandwidth. Like Elaine Ferris, her transcriptionist, Elaine lives in a ranch somewhere in the middle of nowhere. So she needed small files and she probably doesn't still, but we're doing it. We'll keep doing it. Yeah, I'm sure she has more bandwidth now than she did then. But anyway, she does a great job transcribing all of this. And those transcripts are available also@grc.com. Leave feedback at grc.com/feedback. Or better yet, there was somebody in the chat room saying [02:05:30] to a scooter X our chat mod, can you pass Steve a message to which Scooter X says, I don't even work for Twitter.
(02:05:35):
What are you talking about? And I said, look, just go to x.com. I prefer to call it that than the other x.com And dmm, Steve, his dms are open at SSG grc. That's his, alright, I'll say a Twitter handle. His ex handle. Yeah, calling it an ex handle. Sounds like, well, what? Oh, what's your handle [02:06:00] now if that was your ex handle? Yeah, no, and then it's got the Porn Association and everything. It's just the worst brand name ever. I am happy because it doesn't conflict with us. And as you know, we had a beef with Twitter for more than a decade over that. It's the service previously known as Twitter. Yes. Yeah. Okay. You can call it that. That's what everybody in the magazines and all the websites calls it. S g GRCs is handle, still call it a handle. Anyway, we have Audio 64 [02:06:30] Kilobit audio at our website.
(02:06:31):
We also have video if you want to see Steve's smiling face. And that is all at TWI tv slash sn for security. Now there's a YouTube channel dedicated to security. Now that's a nice way to, if you say, oh, I really want to share this little bit about SolarWinds with my company, you can go there and you can snip it from YouTube and send it on to the boss and he can watch it that way. Best thing to do though, I know you want all 937 episodes subscribe in the podcast client of your choice. That way you'll get [02:07:00] them as they come out. Now, we only put the last 10 episodes in the feed, otherwise the feed would be gigabytes. So if you want anything prior to 9 27 TWIT tv slash ssn and you can download them all. Even some people have written scripts to scrape all the shows and all that stuff because you should have 'em all.
(02:07:19):
It's like you should have every episode of this show. This is one of those shows where you want every episode. If you're not a Club Twit member, please, we'd love to have you. It helps pay for everything and [02:07:30] you get no ads if you go to twit TV slash club twit, just seven bucks a month and there's a lot of benefits. Steve, have a wonderful week. What are you watching on TV these days? I should do this at the end of every show. What are you watching? What are you reading? So we are catching up with Better Call Saul. Great show. Oh my. Oh great. Oh my God. Isn't it good? We're just astonished by the filmography of it, the way it's [02:08:00] designed. It really is. Vince Gilligan is a genius. I can't wait to see what he does next. He did Breaking Bad and this. Yep. Brilliant. And both are the best things ever made. Yep, I agree. And what are you reading? I am still on Rick Brown's Frontiers book. 700 of the Frontiers. Yeah. Let's see. It would be, I'm on book 11. No, no. Book nine. The second of the third set of 15. [02:08:30] So it's 39 Book 39. Yes. Book 39. Yep.
(02:08:37):
And they're great. They've got neat people and it's easy, I think what you have 50 volumes in a series, you can let AI take over and write the next 150. Yeah, just read these and keep going. Yeah, just keep going. That's right. What's next? You tell me. Alright, Rick Brown and Breaking Better Call Salt. I'm going to ask you this from now [02:09:00] on. I think people want to know people be curious. Yeah. Thank you. Have a wonderful week. We'll see you next time in security now. Bye Steve. Thanks buddy. Bye.
Jason Howell and Mikah Sargent (02:09:09):
It's midweek and you really want to know even more about the world of technology. So you should check out Tech News Weekly. The show where we talk to and about the people making and breaking the tech news. It's the biggest news. We talk with the people writing the stories that you're probably reading. We also talk between ourselves about the stories that are getting us even more excited about tech news this week. So if you are excited, [02:09:30] well then join us. Head to twit tv slash tnw to subscribe.
