
Security Now 943 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. More victims of the MOVEit vulnerability. Would you believe it? We'll also talk about the future of the Brave browser. Seems like things have gotten a little rocky. Steve is very suspicious of 23andMe's explanation about their breach. And then we're going to talk about CISA and their top 10 misconfiguration settings. May be something you want to think about going forward. It's all coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, Episode 943, recorded Tuesday, October 10th, 2023: The Top 10 Cybersecurity Misconfigurations. Security Now is brought to you by our friends at ITProTV, now called ACI Learning. ACI's new Cyber Skills is training that's for everyone, not just the pros. Visit go.acilearning.com/twit. As a TWiT listener, you'll get up to 65% off an IT Pro enterprise solution plan.

(00:01:14):
Just complete the form and you'll get a quote based on your team's size. That's go.acilearning.com/twit. And by Drata. All too often, security professionals undergo the tedious and arduous task of manually collecting evidence. With Drata, companies can complete audits, monitor controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection. Say hello to automation done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation. And by Lookout. Whether on a device or in the cloud, your business data is always on the move. Minimize risk, increase visibility, and ensure compliance with Lookout's unified platform. Visit lookout.com today. It's time for Security Now, the show where we cover the latest news in security with this guy right here. He's the king, the man, the voice. If you're not listening to Security Now every week, you're missing it. Steve Gibson. Hello, Steve.

(00:02:23):
So is it the latest news in security or in insecurity? In insecurity? Yeah. Yeah. One of my annoyances is when someone says you only have one choice. Well, isn't a choice... does that mean two? Choose between two things. Now it's going to annoy me. That's one choice. You're right. You only have one choice is not a choice, right? Exactly. So you really have no choices if you have one, and if you have two choices, then that's only one choice. So maybe that's what they mean. You have two choices, but there's only one choice. Well, why don't they say what they mean, Leo? That's just no good.

(00:03:02):
I was recently commissioned by a woman you and I both know well to write a teaser for Security Now, and we were doing these trailers for all the shows. I'm not sure where they show up. They show up somewhere important. We don't know who. I don't know what they're for, but you know what Lisa says: record 'em. I record 'em. And as I'm writing, I'm thinking. So in each show I'm trying to write what I think makes this show an important show to listen to. And here's what I say for Mr. G: when it comes to online security, zero days, clever and not-so-clever hacks, Steve Gibson is the acknowledged expert. If it's your job to protect the network, you need, you must, must listen to Security Now. And I think that's accurate. This is, well actually, that fits perfectly with today's topic.

(00:03:58):
The NSA and CISA got together and produced a document based on the results of their extensive red and blue team operations. Oh, that's got to be interesting. Oh, it's really good. In fact, it's so good that already the title was The Top 10 Cybersecurity Misconfigurations. I did not have room to say part one or the title would've fallen off the edges of the PDF and it wouldn't fit in the lower third of the video, which is all-important, but we're going to start into it this week and finish it up next week. But we've got a lot of other stuff to talk about for Security Now, Episode 943 for October 10th. One question is how many people have downloaded GRC's latest freeware so far? Do we believe what 23andMe have told the world about the leak of their customers' personal and private data?

(00:05:01):
What are the stats regarding all aspects of cyber attacks? How's the Brave browser doing? Where and when is Google surreptitiously embedding tracking links into Google Docs exports? What high-profile enterprise was also compromised by the Progress Software MOVEit SQL injection? What additional web browser just added and announced its support for Encrypted Client Hello? What did Google just change with their release of their Pixel 8 family of smartphones? I heard you guys talking about it on MacBreak Weekly, and it's great news. What cyber initiative did the US Congress just overwhelmingly pass, and what's dwell time and why do we care? And that's just the news. Then we'll also be entertaining many of our listeners' questions, and then starting into, as I said, the first part of our examination of a really terrific document that was just published by the NSA and CISA.

(00:06:09):
And of course we've got a great Picture of the Week. So I think another great podcast for our listeners. I was just thinking, as you go through those questions, that would be a great security news quiz. If you've been following the week's security, a couple of them I went, oh, I read that. Oh, I knew that. But a lot more I did not. Are you in the loop? If you did not score 100% on our security quiz, stay tuned. Then stay tuned for the answers. All your questions will be answered in this thrilling, gripping edition of Security Now. Our show today brought to you by our good friends at ACI Learning, and we love ACI Learning. You probably say, well, wait a minute, who are they? How do you love them? Well, for years, since they started back in I think 2012 or 2013, our good friends at ITProTV have been sponsors of this show.

(00:07:03):
ITProTV is now called ACI Learning. So now, and they are studio sponsors. That's where you might've seen the name, and you certainly should know about the name if you are in IT, want to get in IT, or you have an IT department that needs to keep up to snuff in today's IT talent shortage. Whether you operate as your own department or are part of a larger team, your skills have got to be up to date. 94% of CIOs and CISOs agree attracting and retaining talent is job one. It's tough. There are lots more than a million openings right now for security professionals in the United States alone. That's why if you've got talent, you should keep 'em up to snuff, you should retain them, you should keep 'em happy. And if you want to get into the business, this is a great time.

(00:07:53):
There is no better time. ACI Learning has more than 7,200 hours of great on-demand content available. And if you don't watch all 7,200 all at once, in fact, they divide it up into 20- to 30-minute chunks. Digestible. They know you can only absorb three facts at a time. So they make sure that these are chunked up nicely. You can watch one at lunch, then watch one on your way home, that kind of thing. Watch or listen. And by the way, that number keeps going up, and it's because they're always adding new content. All that content, all 7,200 hours, is up to date and fresh. There's no point in learning about a technology that's gone or software that's no longer offered or an old version of existing software. You don't want to study for tests where the questions have changed. ACI Learning has eight studios running Monday through Friday all day recording new content.

(00:08:45):
They keep up. They have a massive commitment to keeping up with the current state of the art in IT and security. And by the way, the content, the shows they make, yes, they're informative, but people love them because they're very engaging. They use IT professionals working in the field, working pros who have a passion for the content. That passion communicates. And if you're watching these, you share that. You get excited, you get enthusiastic. So you're entertained and you're informed. And that's what really is the secret sauce at ACI Learning. Their completion rate for the videos is 50% higher than the competition, because they track how much of this was completed. It's more than 80%. It's really, really good. They also have tools that will help you in your work. For instance, they just introduced Cyber Skills, which is a solution not just for the IT department but your entire organization.

(00:09:40):
The new cybersecurity training tool, it's called Cyber Skills, is for all members of your organization, essentially. Really, it's cybersecurity awareness training for non-IT professionals. With Cyber Skills, you get flexible on-demand training covering everything that your employees need to know, from password security, phishing scams, malware protection, network safety. As with all of ACI Learning's stuff, it's engaging, it's entertaining. Their learning process is very fast. It's easy-to-follow material. In fact, a simple one-hour course overview will give your employees attack-specific training and knowledge check assessments based on common cyber threats they'll encounter on a daily basis. But then there's more. So that gets 'em started. And then there's bonus courses, there's documentary-style episodes, there's a lot more information. And the employees, I think, really dig it because it isn't that horrible stuff that we've all been subjected to, those Flash-based trainings that we've all... This is good stuff.

(00:10:47):
Real human instructors have a passion for what they're talking about and know how to communicate it so that your staff will get it. They don't have to be IT pros to help your network. In fact, frankly, it may be even more important that they learn these skills. How to identify a phishing email, that kind of thing. ACI Learning also helps you invest in your IT team, your security team, and trust them to thrive while increasing the entire security of your business with great training. Look, I think this is something you need. Boost your enterprise cybersecurity confidence today with ACI Learning. Be bold, train smart with ACI Learning. Visit go.acilearning.com/twit. Because you listen to TWiT, you'll receive as much as 65% off an IT Pro enterprise solution plan. Just fill out the form and they'll tell you what the discount's going to be.

(00:11:39):
It's based on team size. But I got to tell you, there is no better training anywhere. And I know that for a fact. go.acilearning.com/twit. Take advantage of that and tell 'em you heard it here. Thank 'em for their support of Steve and the work he's doing, because it's pretty darn important, on Security Now. I think we're ready for a picture, Steve. We are ready for the picture. I'm scrolling up. I'm going to see it for the first time here. 400 years ago, man built the pyramid. Oh my god, that's terrible. All right, tell us what we're looking at here. Okay, so the text that I put with this is: 4,000 years ago, man built the pyramids, and it's been downhill ever since. This is horrible. So this is a picture, I don't know if this is the bottom of a stop sign or a parking meter, a light pole or something.

(00:12:41):
It looks like, yeah, it's something municipal, and you kind of see the yellow curb running along the side. And so this is on the sidewalk, and it's really so sad. So this pole comes to a base, a square base, rounded rectangle or a rounded square base, with four mounting holes in each of the four corners of the square. Unfortunately, the location of the bolts coming up, they missed the holes. Well, what's weird is they got one, obviously the first one, right? They put that in first. So I think maybe the other caption would've been, oh, you meant that in centimeters. I think they drilled one hole, that one worked, but they forgot to drill the other ones, or maybe they put them in the wrong spot. Well, I think what actually happened is that someone stole the first one of these, and it had a larger base.

(00:13:42):
Oh, I bet you're right. You can see that each of the three that didn't make it, they're also in a square pattern, but they're too far away to make the other three holes compared to the one that actually has a bolt through it. And frankly, Leo, when you look at the way this is mounted, is it any surprise that the first one got stolen? I mean, you just come along with a regular hex wrench and make off with whatever this was that was beautiful. But why do you want it is the question. Oh god. Oh, that is so horrible. Another picture of humanity at its best. So basically this heavy light standard is held down with one bolt and then washers on three quarters... and then washers. Exactly. Yeah. Oh, that's terrible. We'll see. Yeah. Not good. Okay. But what is good is that, since I know many of our listeners have been waiting for it, I want to start off by noting that GRC's latest freeware utility, that Leo, you had a hand in incubating when you were horrified with the news of fraudulent drives.

(00:14:52):
It exists. About somewhere around 14,000 copies have been downloaded, about 4,000 a day at the moment. I put it online on Friday evening. And in the show notes, these are actually the 12 USB drives I purchased from Amazon. Every single one of them is fraudulent. They're brand new, just purchased. On the ValiDrive page, I provide the 12 URLs to these drives on Amazon, just for people to see for themselves. I mean, but here's a telling point. This SanDisk, what's supposed to be a SanDisk Extreme microSD card, SanDisk isn't there? It just says Extreme. Correct, correct. So these are all like, and Amazon does nothing to stop this. No doubt, no, nothing. But I mean, even some of them came in really nice looking, like they were trying to copy Apple's packaging, and I thought, oh, well, this will be legitimate.

(00:16:02):
None of... so these are all one terabytes, and none of them actually were one terabyte. There's not a single one. In the lower right you see a two terabyte; over in the lower left is a 256 gig. Not a single one of them was what they claimed. How big were they? They were all mostly 32 or 64 gig. You know what, they probably all have little microSD cards in there, right? Well, exactly. So it's enough to take a FAT file system format. They all look legitimate. One, the fancy one, even had, it actually had a Lightning connector on one end and a USB on the other, and on the drive was stored a PDF showing how to use it. I mean, it looked fantastic, and it only had one quarter of the storage that you thought you were getting, and the others are far less.

(00:17:00):
So anyway, I wanted to let everybody know that it exists. We have had some, I think I've seen two instances where Windows Defender said that it was a virus and quarantined it, but 14,000 downloads and it's not affecting most people. So as I said, this is unfortunately, we're in a land where it's going to take a while for the software to age enough so that basically its hash, its digital signature, acquires a reputation, and it's the reputation that protects software from these false positives now and nothing else. Oh, the other really interesting thing I found that I think some of our listeners will find interesting is that some drives test pretty quickly under ValiDrive. Other ones test, even legitimate drives, very slowly, and ValiDrive shows you if it's waiting to read or waiting to write, that is, waiting for a read to return or a write request to return.

(00:18:17):
And after you've processed a drive, it gives you a report with a lot of, excuse me, statistics about the read and write speed: the average, the median speed, the standard deviation, and also something known as the coefficient of variance, which is the standard deviation over the mean. So you actually get a sense for how much spread there is in the reading times and the writing times. But what's really interesting is that many of these drives are surprisingly slow. Well, okay, the reason is, and I've mentioned this about the technology of NAND flash storage, is in order to erase or to write data into NAND memory, you're having to push through a layer of insulation in order to inject or remove electrons. That requires the generation of a higher voltage than normal. Typically around 20 volts is required, but USB devices only have access to five volts.

(00:19:31):
So there is something known as a voltage pump or a charge pump inside all NAND devices. It has to be turned on, and then it has to basically pump up the five volts to 20 volts through a switched-capacitor system in order to be able to start writing. That takes time. And so what ValiDrive is showing people is the amount of time it takes before that drive is able to do any writing. SSDs typically scream along because they've got much more sophisticated electronics in them, but even some low, low-end, modest thumb drives will also run very quickly because they've just been engineered well. But there are definitely some thumb drives that just crawl along with ValiDrive because... so the reason this isn't normally a problem is that operating systems tend to write whole multi-megabyte files or multiple files at a time. If you're copying a directory or a whole bunch of photos over to a thumb drive, it's all being written at once.

(00:20:53):
So that charge pumping to get ready to write only has to happen once, and then that time is amortized out over all of the writing that you're doing. But ValiDrive is like the worst case. It only reads and writes little 4K pieces at a time, and it's switching back and forth between reading and writing and reading and writing. In order to read, you have to dump that high voltage, so it gets dumped, then the reading happens. Now ValiDrive wants to write that same spot, so you have to wait again for the NAND to basically charge itself back up in order to be able to write. So anyway, as always seems to happen when I get into these things, as happened when I started working on SpinRite 6 and the ReadSpeed utility came out, and we found out that many SSDs were slower at the front of them because they were having more trouble reading data that hadn't been written for a long time, because that's where the operating system was.

(00:21:56):
We always end up finding some interesting new stuff. Now I'm going to go, I have a drawer full of these suckers. Yeah, that's interesting. I'm going to download ValiDrive and go through all of 'em. And of course, it's 95K, written in assembler, and you don't have to install it and blah, blah, blah. Anyway, neat new utility, and the people over in the newsgroup were saying to me, when I said, what do you think about this? And they said, oh, yeah, yeah, you got to do this. It's going to be very popular. I think they're probably right. This is going to be... 14,000 is a good number. And that's just probably people who are in the newsgroups or are listening to this show. I'm sure that the general public finds it. We got to put it up on Reddit or somewhere. It'll be, well, I did tweet the news on Friday, and so... Nobody's on Twitter. Come on. It's a bunch of nut jobs.

(00:22:49):
Speaking of nut jobs, yes. Last week, after internal private customer data was found circulating on hacker forums, the well-known, actually I think it's number one, DNA aggregation, analysis and profiling service 23andMe announced that the accounts of some of its users had been accessed through credential stuffing attacks. Of course, we've talked about the nature of those before. Because I think this is, I need to pick this apart a bit. Here's the first three paragraphs of their announcement. They said, we recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature was compiled from 23andMe.com accounts without the account users' authorization. After learning of suspicious activity, we immediately began an investigation. While we're continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled their login credentials.

(00:24:11):
That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users' DNA Relatives profiles, to the extent a user opted into that service. Yeah. Now I'm just looking at my, because I am one of those people. I opted in. I use 23andMe. They were a sponsor. I got my whole family to do it. And of course, we're all sharing our data with one another. So that means we qualify. My password is, I'm looking at it from one, probably from LastPass, but right now it's in Bitwarden, and it's long and it's strong, and I'm sure I didn't use it anywhere else.

(00:25:09):
So that means I'm probably okay. Right. It's password reuse. That's the problem. I don't believe them. Oh, no. The more I've thought about this, the less it appears to pass the smell test. Oh, no. My problem is the sheer quantity. How would they get that many records? Yes. Yeah. Yes. The quantity of customer records that were apparently retrieved. The attacker claims to have 7 million records. That means half, they'd have to try 10 times that number of passwords, right? Well, users, I mean, they're saying 7 million customer records. Well, part of the reason they could have a huge number is because, for instance, with me, my account, you get in my account, you're going to get all the relatives. Right, right, right. So it's a multiplier of some number. Exactly. But they're saying they have half of 23andMe's user base. Yeah. No, that can't be credential stuffing.

(00:26:11):
That can't be. And Leo, the nature of the data fields leaked looks very much like the internal raw database records. The initial data leak on hacker forums consisted of 1 million records, which was data for Ashkenazi Jewish people. Yeah. I'm one of those people. 4%. And millions more are, we're told by the hackers, now available for purchase. So if we're to believe 23andMe, think about this, if we're to believe 23andMe, they're saying that all the attackers did was log on as some other valid customers, and that they were then able to obtain apparently complete records for millions of other 23andMe users. In other words, any 23andMe user can log in as themselves, then do the same thing that the attackers did. Really? Yeah. That's what they want us to believe. Well, now I'm concerned, because the other thing they said is no genetic information was leaked. I'm, unfortunately, no, I'm really concerned. We can't believe anything they've said, because this just does not... And I noticed if you read what they said, they were very careful to say, we currently believe this. This is what we think has happened. We believe. We think. Those are waffle words. Yes. So they've left themselves an out, and again, they're asking us to believe that you could log in with your valid credentials and then do this, because they're saying that's all the bad guys did.

(00:28:03):
I don't know. It's not my business to pursue this, but many people are quite sensitive to the disclosure of their very personal and private, especially their genetic, information. I hope that someone in a position of authority digs a bit deeper and asks 23andMe to further explain what, to me, from what we've seen so far, looks a lot more like a public release or public response coverup of a far larger problem. And these guys should be grown up enough to know better than to do that, if that's what happened. Again, don't know, but it just seems really suspicious that apparently 7 million records were exfiltrated, apparently by just logging in as other people, as regular customers. I mean, they could have created their own account and then logged in as themselves and then done this, where we're being told. So I dunno, something seems fishy to me. Microsoft published their Digital Defense Report for 2023, and the numbers make for some interesting reading.

(00:29:23):
It has a bunch of interesting facts worth sharing. I've just got the bullet points here. So for example, of the 78% of IoT devices with known vulnerabilities on customer networks, okay, first of all, 78% of IoT devices have known vulnerabilities on customer networks. 46% are not patchable. In other words, just, I mean, I guess it's good that half of them are. That seems like an optimistic number to me, but still, half of them can't ever be fixed. They just don't offer patching as an option, even though they're IoT devices, and 78% have known vulnerabilities. Whoops.

(00:30:11):
Yeah. Since 2019, attacks targeting open source software have grown on average 742%. Since 2019, so in four years, attacks targeting open source software have grown on average 742%. Not surprising, right? We talked about it last week. You find out that it was with regard to the Exim mail server, there's an open source server. You learn that there's a vulnerability in the authentication somewhere. So, hey, you've got the source, bad guys. Dig through it and figure out where it is. Much easier than reverse engineering it from the binary. Also, fewer than 15% of non-governmental organizations, NGOs, have cybersecurity experts on staff. Fewer than 15%. What? One in eight. Wow.

(00:31:15):
Coin mining activity was found in 4.2% of all incident response engagements. So not so high. Not like it's a hundred percent, but still. So what? That's one in 25. So not much at all. 17% of intrusions involved known remote monitoring and management tools. In other words, so 17%, we know the way. They're not having to hack things. They are getting in through remote monitoring and management, like Remote Desktop Protocol, unfortunately. But other things too, so-called adversary in the middle. This is now what we're calling, we used to call it man in the middle. Now it's an adversary in the middle. So it's AitM instead of MitM, adversary in the middle. Phishing domains grew from 2,000 active domains in June of last year to more than 9,000 by April of this year. So yes, phishing is unfortunately proving to be a constant source of ways for the bad guys to get in. 156,000 daily business

(00:32:38):
email compromise attempts were observed between April 2022 and the same time 2023. 156,000 daily business email compromise. So boy, that's another huge attack target. 41% of the threat notifications Microsoft sent to online services customers between July 2022 and June 2023, so basically summer to summer, one year, 41% of threat notifications went to critical infrastructure organizations. In other words, those that you don't want to have hacked because they're in charge of the electric grid or power generation or who knows. The hydroelectric dams. The first quarter of 2023 saw a dramatic surge in password-based attacks against cloud identities. So again, not surprising. Things are moving to the cloud.

(00:33:47):
That's where the passwords are. Microsoft blocked on average 4,000 password attacks per second over the past year. So this is just, it's a constant barrage of credential stuffing. Approximately 6,000 multifactor authentication fatigue attempts were observed per day, so multifactor authentication is under attack as well. The number of token replay attacks has doubled since last year, with an average of 11 detections per a hundred thousand active users in Azure Active Directory Identity Protection. So doubled. DDoS attacks are on the rise, with around 1,700 attacks taking place per day, culminating at up to 90 terabits of data per second. So huge attacks. I mean, you're gone off the net. I mean it. These are just massive attacks, and 1,700 of them per day. State-sponsored activity pivoted away from high-volume destructive attacks in favor of espionage campaigns. 50% of destructive Russian attacks observed against Ukrainian networks occurred in the first six weeks of the war.

(00:35:12):
In other words, there was an initial surge of Russian attacks against Ukraine, but that has since diminished. Ghostwriter continues to conduct influence campaigns attempting to sow distrust between Ukrainian populations and Eastern partners who support Kyiv, both governmental and civilian. And finally, Iranian operations have expanded from Israel to the US to target Western democracies and NATO. And stepping back from all of that, the thing that struck me most is, unfortunately, this is not an industry, taken as such, in which we would like to see such growth. I mean, it's not like it's the same this year as it was last year, or anywhere you would call this explosive growth. Unfortunately, it's exploding in cybersecurity and network attacks and intrusion attempts. I mean, it is a massive increase over the course of just one year. It would be way better if things were pretty much as bad this year as they were last year. But unfortunately, that's not what these numbers suggest. We're seeing real growth in cybercrime activity and, unfortunately, in its success across the spectrum. Wow. It's unclear what, if anything, this news might mean for the future of the Brave browser, but Brave Software confirmed that it has just laid off 9% of its staff,

(00:37:01):
Yikes,

(00:37:01):
Across departments. That's not good. And we don't have an absolute number. We don't know how large the staff is that 9% of it was let go. The company didn't indicate how many people were affected, but said its decision was driven by the tough economic climate, saying Brave eliminated some positions as part of our cost management in this challenging economic environment. Several departments were affected, amounting to 9% of our staff. They had already been taking steps to bolster their revenue sources. This year in April, Brave Search dropped Bing's index to start relying on its own indexing solution. So it saved money there. In May, the company released its own search API for clients, with plans starting from $3 per thousand queries, that is, uses of its API. It also offers different plans for AI data model training, data with storage rights, spell check, and auto-suggest. Last month, Brave introduced image, news, and video results as part of its search API. So it's doing what it can. And Leo, you'll be honored to know that Brave has named their forthcoming AI assistant after you. What? Leo? At least it's called Leo. Well, it's

(00:38:24):
Better than TWiT, I guess

Steve Gibson (00:38:25):
That is. Well, while the plan is for Leo to be available to all users, Leo will also have a premium tier. Leo, you're getting a premium tier. I think we need a premium tier. Yes, indeed. That'd be great. Yes. To offer features like higher rate limits and access to more conversation models. That paid premium tier will help pay for the cost of API access and hosting for everybody else. So anyway, Brave is making a, dare I say, brave attempt at cutting, forging their own path in an environment where that's not easy to do. I support 'em. We would like, yes, we would like to not see a monoculture among browsers. Well, that's why I use Firefox, because Brave is still Chromium, right? I do. Yep, exactly. I do too. As we know, someone named Joe posted on Fosstodon saying, he said, today I found out that Google Docs infects HTML exports with spyware. No scripts, but links in your document are replaced with invisible Google tracking redirects.

(00:39:41):
He said, I was using their software because a friend wanted me to work with him on a Google Doc. He's a pretty big fan of their software, but we were both absolutely shocked that they would go that far. Okay, now, I was curious to see, since the show notes are written in Google Docs, we use Google Docs big time. So I was curious. So I first exported these show notes as a PDF, which is what I normally do, and as far as I could tell, their embedded links were clean. But I wanted to see whether I could substantiate Joe's claim. So I then exported the show notes as HTML, and sure enough, the embedded URLs all point to Google with the original visible URL as a parameter, along with a bunch of tracking gibberish. I have a picture of it in the show notes.

(00:40:39):
So if you look at it, it's grc.sc slash, it's one of my shortcut URLs, but what's actually there is www.google.com/url, question mark q equals, then my URL followed by ampersand sa equals D, source equals editors, ust equals and some gibberish serial number, and then usg and another gibberish ASCII thing. So that's nothing I did or wanted or created, but, and what that means is if that HTML, anyone clicks on links in that HTML, Google is tracking them. I have no idea why they would care to want to. I guess it's just because they can. But anyway, it probably has to do with editing permissions and things like that too, right? I mean, they want to know if you, because you can save something that they can't edit or they can't edit or comment on and all that.

(00:41:44):
So I guess it, so yeah, I wouldn't go forward. It's functionality. I wouldn't call it spyware. Well, it's not functionality because all it's doing is it's bouncing the person who clicks through Google and then to the destination URL. So I mean, it's counting or tracking or who knows what. Anyway, it's clearly deliberate and it sure doesn't seem like it's any of Google's business what links are clicked in the future on an HTML export of something created by their docs. I mean, they don't do it where they can't, it doesn't look like it's in DOCX exports or in PDFs. Anyway, I just thought everyone should know, and that Joe was right in his post about what was going on over on Fosstodon. Our podcast 928 of June 20th. So that was what, a couple months ago? Well, June 20th was titled The Massive MOVEit Maelstrom.

(00:42:50):
That's one that Jason co-hosted. Leo, what a mess this has been. It's a gift that just keeps on giving. Oh my God. And just all it was in this day and age, as our listeners know, was a SQL injection. It was just a SQL injection. Anyway, it just came to light as a result of a disclosure that Sony filed with its US authorities that Sony Interactive Entertainment was among the now more than 2300 companies, 2300, who were impacted by the exploitation of that SQL injection vulnerability. So anyway, Sony said that nearly 7,000 of their families and people, families and employees, were affected as the consequence of that information leak. Obviously, they learned nothing from the Sony Pictures Entertainment leak of two years. This is the first thing that occurred to me. Yep. God. And while we're talking about Encrypted Client Hello, last week, this was a week ago today.

(00:43:59):
On that day, Mozilla, our browser, yours and mine, Leo, was busy announcing that Firefox 118, which I just checked, it's what I was sitting in front of when I was writing this last night, is now supporting Encrypted Client Hello. And I really liked their page. I grabbed two pictures from their announcement page. It has such a very clean and simple graphic to highlight the difference between non-encrypted Client Hello and Encrypted Client Hello. It just shows, here's your phone running Firefox, and with standard SNI, server name identification, example.com is flying through the air toward the web server, and then the TLS channel brings it back, but with Encrypted Client Hello, it's encrypted in a channel, in a little tunnel going to the server and encrypted coming back. So very clean. And they also summed up last week's deep dive, the one we did, quite succinctly.

(00:45:10):
They simply wrote, ECH uses a public key fetched over the domain name system to encrypt the first message between a browser and a website, protecting the name of the visited website from prying eyes and dramatically improving user privacy. And then later they explained that ECH must be paired with DNS over HTTPS, DoH, to secure and hide that initial public key fetch as well over DNS. Anyway, as we know, Cloudflare's web proxy front end has switched on ECH support for all of their free tier client sites, which is a gazillion. Now, we need the other standalone web servers to catch up and offer their support, and an experimental implementation for OpenSSL now exists. So that will help to get Unix and Linux-based servers, which are using the OpenSSL library for their encryption connectivity, on board and running with it.

(00:46:22):
And in time, it seems clear that all the rest will join. Since user privacy is dependent upon the site they're connecting to. That is, once their browsers all support ECH, it's dependent upon the site they're connecting to offering its support for the privacy of all incoming connections. The sites need to publish a public key in their DNS, which the browsers are then able to use to encrypt the first packet to the server. So it's up to sites to do this, and as soon as the software catches up, they'll be able to do that.

(00:47:03):
The Pixel 8 and the 8 Pro now offer two additional years of updates. Last Wednesday, Google announced that its newest phones, the Pixel 8 and the Pixel 8 Pro, will now receive seven years of software and security updates, a two year bump from the previous five year support that they were providing for their Pixel devices. And everyone listening understands the importance of long-term security updates for consumer devices. Updates really do need to extend throughout the useful life of consumer devices. It doesn't do any good to say, oh yeah, we'll support your phone for two years because we want you to buy another one. Well, the phone still works, so you're going to give it to somebody who's going to have an unsupported phone. And smartphones, as we know, are currently among those devices needing the most protection. No other device is more prone to attack than smartphones, and few other devices are as complex or as exposed to the multiple channels of external material that smartphones are.

(00:48:13):
So props to Google for stepping up and going from five years to seven years. Something known as the MACE Act passed. What's the MACE Act? You're likely wondering. Well, MACE stands for Nancy Mace, who was coincidentally one of the bill's co-sponsors. Nancy is a Republican representative from South Carolina, but the acronym MACE, M-A-C-E, aside from being Nancy's last name, which I guess is coincidental, stands for Modernizing the Acquisition of Cybersecurity Experts. Actually, she probably took her name and figured out how she should make a, yeah, I think she, unless she changed her name to match the act, which seems unlikely. Yeah, that'll be going a little too far. Yeah. So Modernizing the Acquisition of Cybersecurity Experts, MACE, and the US House of Representatives, which is presently having a difficult time agreeing on the time of day, is apparently in wild agreement over this one, this idea, because the act passed through the House on a vote of, get this, 394 to 1.

(00:49:32):
Well, I think it's a good idea then. Who was the one in this question? I guess it must be. It does make me curious though, who the holdout was. Probably Joe Manchin. He didn't like anything. Is Tommy Tuberville a senator or a representative? He's a senator. Maybe. Is Tommy? Good old Tommy. He probably voted against it. But this was in the House, not in the Senate. Oh, it was in the House. Okay. Well, anyway, could be anybody in that House. Yeah, exactly. The other co-sponsor of this bipartisan bill was California Democrat Katie Porter. Oh, and she's good. I like her. Oh yeah. She's just about as far to the left as Nancy is to the right. To the right. Yeah, yeah, yeah. It's perfect on this. They agree. It's bipartisan. So the MACE Act is aimed at addressing shortages in federal cybersecurity positions by expanding the pool of eligible applicants by lowering the education requirements.

(00:50:29):
Now, at first, you might think, whoa, wait a minute. We don't want kindergartners setting up our firewalls. No, no. That's not what this does. Under the legislation, agencies would be allowed to consider an applicant's education only if their education directly reflects the competencies required for the position. So apparently before this, you had to have a master's degree in social sciences or political science or something, and then also have your cybersecurity certificate. Now, no. Only the education that matters. The bill would also require the Office of Personnel Management to publish annual reports, detailing changes to minimum qualifications for cybersecurity positions and data on the education level of people in those positions now. So anyway, the bill is now headed to the Senate where it's expected to pass, and that will give Tommy Tuberville an opportunity to say no, he can weigh in. It's probably going to, it seems like a good idea, I guess, right?

(00:51:37):
I think so. It's an emergency. Well, so the problem is, Leo, there is a serious shortage. I mean, we need more cybersecurity people. Everybody should go to ACI Learning and study so that you can get that job. Yes. Even if you didn't go to college. Again, they're not going to care. It shouldn't matter as long as you've got your certification level, you're good to go. That's right. The skills are what count. Again, I think that's great. So dwell time has plummeted. Oh no. Who would've thought that? What's that? I know who wonders what that is. Those who track, monitor and remediate the consequences of ransomware attacks use the term dwell time to reflect the time from the initial network intrusion until the ransomware encryption event is triggered. So those monitoring this dwell time are reporting that attackers are deploying ransomware on breached networks faster than ever before, in just 12 months.

(00:52:44):
That is the past year. The median dwell time of ransomware groups on hacked networks has fallen from four and a half days to less than one day, which is to say, a year ago, your network would be breached. Four and a half days would go by until your network was encrypted no longer. According to the security firm, SecureWorks ransomware is now being deployed within one day of initial access in more than half of all engagements, and in as few as five hours from initial network penetration in 10% of all cases. Okay. Now, one of the reasons for this is that the percentage, this is the other interesting thing, the percentage of human-driven attacks has risen dramatically. At the time, several years ago, we talked about how bad guys would have a pending inventory of victims that they would be getting around to when they had time, when they were able, I mean, there was just so many available networks.

(00:54:00):
This victim pool was coming into them from automated scanning and attack malware that would get into a host network, settle down, and then phone home logging in to its command and control network and say, okay, boss, what do you want me to do now? But that was then these days, the majority of attacks are human driven in real time. It's not that there are fewer vulnerable systems. As we noted at the top of the podcast, there's more than ever, unfortunately, it's that there's a lot more manpower available because this is where the money is. This stuff is paying off. So now a live human attacker is doing the penetrating. They quickly get the lay of the land, look around, see what's up, and if the network appears to be a useful victim, they will immediately set about exfiltrating all the data that they can in order to use it for blackmail purposes later.

(00:55:02):
Then find and prepare to encrypt all of the systems within reach, and as we saw in 10% of the cases, in as few as five hours of initial penetration. So you just can't sit around on known vulnerabilities and think, yeah, I'll get to that after lunch. I wonder. It's interesting because they may be eating your lunch. Dwell time was increasing also because they wanted to wander around, exfiltrate stuff. There were other things they could do, but I wonder now if it's shrinking because of better defenses. Like if somebody gets in, they think, yeah, we better take advantage of this before they catch us. Yes. That's a very good point. Awareness has certainly skyrocketed as well. A lot of people with canaries in their enterprise, right? Yes, yes. And you can imagine that once upon a time, the IT guy would hang his head low and walk into the CEO's office and say, chief, we've been hit by ransomware. And a few years ago, the CEO would say, ransom what? Now everybody knows what it is. Now it's more like the CEO that's with his hair on fire running into the IT department saying, do something. Yeah, exactly. And speaking of doing something, Leo, let's do something. It's now your turn. Let's do that. Now your turn to do something. I can do that. I can do that.

(00:56:34):
Yeah. It's fascinating. I don't know if it's in your story rundown, but MGM. Yes. Is it in your rundown? We'll talk about it later. No, no. So they were, as we know, Caesars was hit by ransomware, paid probably half the ransom, not the full amount. Got themselves back online and got online, and MGM, they're saying they declined to pay and they suffered from at least a week of disruptions. And they're now saying it's going to cost them a total of a hundred million dollars, million dollars, for all the remediation. And that 10 million of that was just hiring consultants and figuring out what was going on and dealing with it. But good for them, I guess, for not paying, because that's what the FBI wants you to do. Because if you pay 'em, it just encourages them. I don't know. It's probably cheaper to pay, did pay, and unfortunately, it's yes. And they went to MGM. Yeah. There was a song once that I think the title was, It's Cheaper to Keep Her.

(00:57:39):
Okay, I'm just a little tip. Don't sing that with Laurie around. I'm just saying. Just saying. All right, let's talk about our sponsor of the hour, Drata. I mean, we're talking security, right? We're talking compliance. We're proving to clients, partners, and government regulators that you are in compliance. I was surprised to learn that most companies still are doing this manually, collecting evidence to prove compliance manually. As your organization grows, I have to think that that's becoming more and more onerous. That's why you need to know about Drata, a leader in cloud compliance software. That's what G2 says. Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, GDPR, your HIPAA, and whatever compliance framework you're working with, or in many cases, multiple frameworks, providing 24 hour continuous control monitoring automatically. So you can focus on scaling securely, keeping people out of the network, all the important stuff.

(00:58:45):
But you know, you're getting the compliance done. And what's great is Drata integrates with everything you use. More than 75 integrations, AWS, Azure, GitHub, Okta, Cloudflare, I can go on and on. So many companies have turned to Drata as their system gets more complex, as the requirements become more challenging. Lemonade uses Drata. Notion, we love Notion, uses Drata. BambooHR is using Drata. They've all shared how critical it's been to have Drata as a trusted partner in the compliance process. So it's actually more than just automation. You'll expand security assurance efforts using the Drata platform, which lets companies see all their controls to easily map them to compliance frameworks. So you'll know immediately if you've got framework overlap. Drata's automated dynamic policy templates support companies new to compliance, using integrated security awareness training programs and automated reminders to ensure smooth employee onboarding. One of the things about Drata, they're a partner.

(00:59:47):
They're with you the whole way. They're the only player, this you'll appreciate, in the industry to build on a private database architecture so your data can never be accessed by anyone outside your organization. That's, I think, pretty important these days. You'll also get, and this is part of the partnership, a team of compliance experts, including a designated customer success manager, somebody, a number, a person, a face you could call, you could talk to, you could say, I need this, I need that. What's going on? That's so valuable. You really have to have that. Plus Drata's team of former auditors, they've conducted more than 500 audits, many, many more hours between them. This Drata team will keep you on track to ensure that there are no surprises, no barriers come audit time. In fact, they've got pre-audit calls. It'll help you prepare before your audit begins.

(01:00:38):
They also have this great tool called Audit Hub, which is, the auditors love this. You'll love this. It's the solution to faster, more efficient audits. Save hours of back and forth communication. You'll never misplace crucial evidence, all in the hub. You could share documentation instantly. All interactions and data gathering occur in Drata between you and your auditors. So you won't have to switch between different tools or correspondence strategies. It really streamlines the process. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you could score them. You could decide whether to accept, mitigate, transfer, or avoid them. Drata will map appropriate controls to the risks, which simplifies risk management, automates the process. And the Trust Center, I'm giving you a bunch of different Drata tools, this is another one. Trust Center provides real-time transparency into security and compliance posture.

(01:01:34):
And that's nice because you can share that. It'll improve your sales, it'll improve your security reviews, and give you a better relationship with customers and partners. Trust is a keyword in all of this, isn't it? Say goodbye to manual evidence collection. Hello to automated compliance by visiting drata.com/twit, D-R-A-T-A, drata.com/twit. Drata. Bringing automation to compliance at Drata speed. You'll really wonder how you survived without it. drata.com/twit, we thank them so much for supporting what we do here. The very important work Steve does here at Security Now. So David Sherman, a listener, asked via Twitter, which is better, passkey via Bitwarden or passkey via browser or SQRL sync? Well, there's a thorn. Yeah. How does sync passkey among different browsers? Thanks. Passkeys, by the way, can I just say this? And we've been talking about this on the shows, not just this show, has really not turned out to be all things.

(01:02:45):
No, I agree. I think the best answer to his question is that passkey management is still too new and too much in flux for any answer to necessarily hold for long. But there's an essential point I don't think I've made clear enough in the past. Sadly, passkey management has been shrouded in hocus pocus because the purveyors of passkeys have, from all appearances, desperately hoped to be able to use the mysticism surrounding this promising new technology to retain and corral their users into their own proprietary environments. The universally missing feature of simple passkey export and import is astonishing to me. We all know what a password is. We make them up and we use password managers or our browsers to remember and regurgitate them on demand. But no one really knows what a passkey is because no one's ever actually seen one. It's all just mysterious.

(01:03:54):
Don't worry. We got this hocus pocus behind the scenes, and we're told that it's all super wonderful and hacker proof and so forth. Okay, so here it is. A passkey is nothing more than a private key. And as such, it's not some impossible to represent mystical token. It's just a relatively short blob of binary data. So it could easily be turned into a QR code or into a short and manageable Base64-encoded string of text. And at that point, it could be moved from place to place, printed out and stored somewhere for safety. All of a user's passkeys could be exported as a simple CSV file for safekeeping, but for some bizarre reason, end users are not allowed any of those freedoms today. Expert users want it, and everyone could have it, but no. However, I don't expect this mystical barrier to survive in the long term because it is trivial to export and import passkeys for backup and cross platform sharing.

(01:05:18):
So someone will be the first to create a simple QR code, textual or CSV file passkey export and import. Then everyone will want it, and it will become a required feature for any passkey system. But unfortunately, we're certainly not there today because the system is still so new and passkey support hasn't yet become the commodity that someday it presumably will. And Leo, I agree with you. I don't have a single one. I mean, not even one. I, first of all, very few sites are using it. I created one. You may remember I was on the air with you doing it for Best Buy, and I only then found out, well, it's only on my iPhone. And I think this is vendors wanting you to lock in. I mean, I have a passkey for Best Buy. Why can't I use it on my Linux machine?

(01:06:15):
Why can't I use it on this Windows machine? Well, you can't. It's inside your iPhone. Yep, yep. And as I said, there's nothing to prevent your iPhone from putting up a QR code, and you show it to your Linux webcam, and now the passkey is there. And this was what you did with SQRL. You built this portability in. But see, you didn't have the same economic incentives that Apple and all these other companies have. They want to keep you on their, and unfortunately what they've done is killing this thing. Yeah, I think so. I mean, basically nobody is like, I don't want this. I know what a password is. I don't know what a passkey is. Just show them. I mean, again, it's like it's not some mystery. It's a little bit of binary, and you put it in a QR code, print it out as text, and then you'd have way more flexibility and freedom and you'd lose none of the power.

(01:07:15):
It still uses public key crypto, that the site sends your client a challenge, which you have to sign using your private key. So it's not subject to replay attacks. I mean, all the other good things that SQRL and passkeys both have stay available. I think their argument is, well, users cannot be trusted with this magic stuff, so we're going to hide it from them. And do they just trust us? But that just doesn't work. And as a consequence, this thing is sort of DOA, unfortunately, yeah. I mean, when I go to Google, I can log in with my passkey, and then it puts up a QR code at google.com, and then I have to aim my phone at it. And then the phone says, okay, you, and I'm doing the Face ID, and now I'm logging into Google. And so it kind of works. Oh, yeah.

(01:08:15):
I mean it works, but who wants it? That's the problem. It's so much easier, especially if you're using a password manager. It's so much easier. Yeah. All right. Heinrich Ow. He offers us a view from inside an ISP. He said, hi, Steve, after your deep dive into Encrypted Client Hello. And I should preface this by saying this is a little chilling. After your deep dive into Encrypted Client Hello, an old internal dilemma has resurfaced. I've spent years, he said, at a European ISP where ideas about selling content filtered access control or insights would occasionally come up. Some of the veteran business folks who had experienced the unencrypted internet era demanded similar services. Here I had to explain that HTTPS Everywhere was happening, but we often circled back to the possibility of inspecting TLS packets for user insights.

(01:09:28):
That's one way of user insights, user insights. That's what we're going to monetize. He said this usually boiled down to two customer value areas, child content protection and enterprise content filtering, with the underlying goal of monetizing data from blanket internet use inspection. He said, we eventually did not offer these services during my tenure. He said, my ongoing struggle revolves around balancing parental concerns for children's online safety with the goal of internet privacy. ECH, despite its complexity, is a step in the right direction, as I'm aware of the ISP efforts to tap into this revenue stream while publicly championing privacy. ECH can put an end to this hypocrisy, but as is often asked in privacy, what about the children? My question to you, Steve, relates to those two customer value areas in the context of ECH becoming a reality.

(01:10:37):
First, who should take responsibility for child protection services now that ECH is coming? Not all children have parents who can actively monitor their online experiences, and how could it be done correctly? Second, are there valid reasons for enterprises to engage in content filtering, be it for security or other purposes? I personally struggle to see the value in the case of spending time on non-work activities on the internet. It seems more like a cultural issue within the company rather than an internet access problem. Best regards, Heinrich. Okay, so in answer to his first question, who should take responsibility for children protection in a world where TLS packet filtering will finally be thwarted? The first thought that comes to mind is local DNS service filtering. I think that's the best solution by far. If a family's home is using, for example, the free OpenDNS FamilyShield service, which is as easy as configuring the residential router to use a specific pair of IP addresses.

(01:11:51):
For anyone who's curious, I have them in the show notes, 208.67.222.123 and 208.67.220.123. Then there's no need to see into any aspect of the TLS connections once they've left the family's router, since unwanted domains will never have their IP address resolved in the first place. And Heinrich's second question. Are there valid reasons for enterprises to engage in content filtering, be it for security or other purposes? I doubt that the addition of Encrypted Client Hello will change the enterprise environment much. As we've talked about in the past, an enterprise's network is owned by the enterprise and all of its employees should be informed and aware and kept aware that the content of the enterprise's network is not private and that nothing they do over that network should be considered private. We've talked about placing a strip of paper to constantly remind everyone of that fact along the top of every company owned computer monitor and of having the human resources department remind every employee of that fact every year during their annual review.

(01:13:22):
So that's the enterprise's policy view. The practical implementation of such technology within the enterprise is already well established. All non-proxied TLS connections will be blocked from ever leaving the enterprise's network, and any system wishing to connect to the external internet will need to have the enterprise's proxy server's root certificate added into its root store. When that's been done, all outbound TLS connections will be intercepted and accepted by the enterprise proxy middlebox, which will in turn connect on behalf of each user to the remote resource while being able to fully examine in detail and filter the contents, not only of where they're connecting to, but everything that goes on during that connection. So for the enterprise, the addition of Encrypted Client Hello won't change anything. The enterprise will need to update their middleboxes' firmware to add support for ECH, but otherwise life goes on as it has before.

(01:14:36):
That's great to hear it from the inside of an ISP and the silly rationalizations that they come up with. Oh, it's for the kids, it's, we're doing this. Yeah. Can't we somehow make money from knowing what our clients are doing? That's really it. Is there some way we can do that? Yeah, that's it. Matthew Cal, he tweeted, does having a very good password, he says, mine is about 140 bits of entropy, have any effect on encryption with a low number of iterations? Now, it's interesting that this is not a question that we've directly addressed during our focus upon the question of iteration count. We've exclusively focused upon iteration count as the way to slow down any brute force password guessing attack. But the only reason such an attack needs to be slowed down is because we are assuming that the user may not have chosen a super strong password in the first place. That means that given a sufficient number of guesses, the attacker will eventually obtain that not very strong password just by trying a whole bunch. Wikipedia reminds us that in one study of half a million users, the average password entropy was estimated to be about 40.54 bits. So a little over 40 and a half bits of entropy, and the medium to strong password threshold is regarded as around 50 bits of entropy. If you've got 50 bits, that's considered to be the low end of a strong password.

(01:16:34):
So 50 bits is nine and a half bits more than the study quoted as being typical. So thanks to the power of powers of two, and we're using powers of two because they're binary bits that can have two states, raising two to the power of 9.5, which is to say the number of more entropy bits for a strong password versus the average. So two raised to the 9.5 is 724. That tells us that the difference in brute force resistance between that study's average password strength and one that's on the lower border of being strong is 724 times the strength, going from 40.5 bits of entropy to 50. So now let's look at Matthew's question. Matthew claims to be using what he calls a very good password, having around 140 bits of entropy. Now that we've created some context, it should be clear that if Matthew is correct and his password truly contains around 140 bits of entropy, it's not a very good password.

(01:17:58):
It's an insanely good password. Oh, you scared me. Good, insane. It's great. If 20 bits of entropy is the lower bound of a strong password, then Matthew has added 90 bits to that 50 bits to get up to his 140. Once again, turning to the power of powers of two, 90 additional bits of entropy results in a password that is 1.238 times 10 to the 27 stronger. Now, to help us understand the size of that number, 27, that's the number of zeros. 27 is three times nine, and nine zeros is a billion, which we have three times. In other words, Matthew's 140 bit entropy password is 1.238 billion billion billion times stronger than a strong password. That seems pretty good. Password we consider to be. Let's take it. Yeah. Wow. So Matthew's question was, does having a very good password, mine, he says, is about 140 bits of entropy, have any effect on encryption with a low number of iterations? And the answer is a resounding hell yes.

(01:19:37):
If you have such a password, you would be fine with zero iterations, since the only reason we iterate is to protect weak passwords. If you really have a strong password, and I'm talking to everybody now, you have nothing to worry about. When we changed the iteration count back in the LastPass days from 5,000 to 100,100, or now to 600,000, we've increased the attacking difficulty only by a factor of 120. But just adding seven binary bits of entropy, seven binary bits, is 128 times because that's two to the seven, 128. So a password having just seven additional bits of entropy would provide more cracking resistance, 128 times more, than jumping the iteration count from 5,000 to 600,000, which only increases it by 120 times. So the key takeaway here is that increasing iteration counts is a linear increase, whereas adding bits of entropy is exponential.

(01:21:06):
Every single bit of entropy added doubles the cracking difficulty. So when you've doubled it seven times, that's 128 times stronger that you've made it. Therefore, anyone who has a really strong high entropy password, even back then when their vaults were stolen from LastPass, even if it's not as ridiculously strong as Matthew's, has really nothing to worry about regarding PBKDF iterations. Increasing iteration counts is far weaker protection than using a truly strong password, in which case it doesn't even matter how many times you iterate. So really it could be zero. These key derivative functions, whether it's PBKDF2, or scrypt or Argon2, they're really kind of belt and suspenders to protect you if you don't have a great password. Yes, they linearly slow down the attack, right? But adding bits of entropy exponentially slows down the attack. So have a good, long, strong, truly random password.

(01:22:21):
The kind a password manager generates for you. I guess you probably shouldn't keep, well, you could. You could keep your vault password in your password manager. It just wouldn't be any use if you didn't have access to it. Okay. Okay, so a listener said, hi, Steve. According to this TorrentFreak article, Cloudflare has enabled Encrypted Client Hello for all customers on free plans, which includes many pirate sites. The new privacy feature makes it impossible for internet providers to track which websites subscribers visit. As a result, it also renders pirate site blocking efforts useless if both the site and the visitor have ECH enabled. And he provided the link to this, to comment on, this torrentfreak.com page. So, okay, this is inevitable, and it's analogous to the encryption debate, right? We want to enhance privacy, but we're unable to enhance only the good guys' privacy.

(01:23:42):
Everyone gets their privacy enhanced, even those who will criminally abuse that privacy. The question the world has been struggling with for the last few years is whether our inability to restrict who gets more privacy means that no one should have any more, but it's looking like the world is going to agree that giving more to everyone is the best solution. The TorrentFreak article that our listener linked to was interesting, and it shed a different light onto the emerging presence of Encrypted Client Hello connections. I've trimmed it down a bit to remove the stuff we already know, but here's what TorrentFreak observed. They said Cloudflare has enabled Encrypted Client Hello for all customers on free plans, which includes many pirate sites. The new privacy feature makes it impossible for internet providers to track which websites subscribers visit. As a result, it also renders pirate site blocking efforts useless if both the site and the visitor have ECH enabled. Website blocking has become the go-to anti-piracy measure for the entertainment industries when tackling pirate sites on the internet.

(01:25:03):
The practice has been around for well over 15 years and has gradually expanded to more than 40 countries around the world. The actual blocking is done by internet providers, often following a court order. These measures can range from simple DNS blocks to more elaborate schemes involving Server Name Indication, SNI, eavesdropping, or a combination of both. Thus far, the more thorough blocking efforts have worked relatively well. However, as privacy concerns grew, new interfering technologies have emerged. Encrypted DNS and SNI, for example, made blocking efforts much harder, though not impossible. A few days ago, internet infrastructure company Cloudflare implemented widespread support for Encrypted Client Hello, a privacy technology that aims to render web traffic surveillance futile. This means that site blocking implemented by ISPs will be rendered useless in most, if not all, cases. ECH is a newly proposed privacy standard that's been in the making for a few years.

(01:26:21):
The goal is to increase privacy for internet users, and it has already gained support from Chrome, Firefox, Edge, and other browsers. Users can enable it in the settings, which may still be experimental in some cases. The main barrier to widespread adoption is that this technology, this privacy technology, requires support from both ends. Websites have to support it as well. Cloudflare has made a huge leap forward on that front by enabling it by default on all free plans, which currently serve millions of sites. Other subscribers can apply to have it enabled. The push for increased privacy is well intended, but for rights holders, it represents a major drawback too. When correctly configured, ECH defeats site blocking efforts. Tests conducted by TorrentFreak show that ISP blocking measures in the UK, the Netherlands and Spain were rendered ineffective. This doesn't automatically apply to all blocked sites, as the sites must have ECH enabled too.

(01:27:40):
We've seen mixed results for The Pirate Bay, perhaps because it has a paid Cloudflare plan, but other pirate sites are easily unblocked. This new privacy feature hasn't gone unnoticed by pirate site operators. The people behind the Spanish torrent site DonTorrent, which had dozens of domains blocked locally, are encouraging users to try ECH. Yeah, no kidding. DonTorrent notes: before ECH, your online privacy was like a secret whispered in the wind, easily picked up by prying ears. But now with ECH by your side, your data is like hidden treasure on a remote island, inaccessible to anyone trying to get there without the right key. This feature encrypts your data so that neither ISPs nor organizations like ACE and MPA can censor, persecute and intimidate websites they consider illegal. Cloudflare and other tech companies, writes TorrentFreak, are not supporting ECH to make site blocking efforts obsolete.

(01:28:54):
However, this privacy progress likely won't be welcomed by rights holders, who've repeatedly criticized Cloudflare for hiding the hosting locations of pirate sites. TorrentFreak reached out to a major anti-piracy organization for a comment on these new developments, but we've yet to receive an on-the-record response. It wouldn't be unthinkable, however, that we will see more blocking lawsuits against Cloudflare in the future. So of course, we touched briefly upon the content filtering thwarting aspect of ECH last week, but we didn't explore the real-world consequence to those like the Motion Picture Association who have been using legal means to force the blocking of sites containing pirated copyrighted content. Looks like that ability to do so is going to be short-lived at this point. As I said at the top of this, everyone getting their privacy increased means that the bad guys do too, and the world has decided that's the way we're going to go, which I think everyone agrees is the right direction.

(01:30:06):
Skynet tweeted: this ECH stuff is going to mess with my public wifi content filtering, isn't it? I just got, yeah, he said, I just got my vendor to figure out what was blocking patrons' eBooks from being downloaded onto their Kindles, and now this. Thanks, Steve. Thanks a lot. Anyway, so think of the authors. That's right. Think of the authors. This was, we all know, not my doing. I'm just reporting the facts, grin. But as for it messing with someone's public wifi content filtering, yep, it's going to do that. I presume that ECH is somehow protecting itself from protocol downgrade attacks. We've talked a lot about them in the past because they could be tricky to prevent. The original downgrades were HTTPS to HTTP on an initial HTTP connection that was attempting to switch itself to HTTPS.

(01:31:12):
The encryption, since the connection was not yet encrypted under HTTP, something like a script running would simply change all the HTTPS URLs into HTTP, keeping the connection and all of its components unencrypted and leading each end to assume that the other end had a problem with encryption when that was not true. So downgrade attacks have always been a problem. In the case of ECH, for example, as we know, it only works when both ends support it, and at this early point in time, support is probably more surprising than not. That is, you, it's like, hey, I can get ECH. Great. Doesn't happen that often.

(01:32:05):
So if, for example, an outgoing or incoming initial TLS handshake packet were to be tweaked to show that ECH was not supported by that packet, when in fact it was, the other end would shrug and not be surprised. Meanwhile, the domain name would be exposed to anyone watching the traffic because it wouldn't have the advantage of Encrypted Client Hello encryption. Hopefully, and I don't know, I did a little bit of poking around, I couldn't come up with an answer quickly. Hopefully ECH's designers were aware of this problem and did come up with some means of preventing middlemen from removing ECH support on the fly from connections before ECH has a chance to get started. Otherwise, its attempted presence would just be a temporary inconvenience. Anyway, in the case of this, our listener Skynet's public wifi, any ECH-using clients would also be using DNS over HTTPS, and thus not his local access point's DNS.

(01:33:25):
So unfortunately, filtering DNS wouldn't work either. I mean, it actually is going to present a problem to local wifi content filtering. That's true. For this next question, I anonymized it myself. He didn't ask me to, but I feel as though this person's tweet should be anonymous. He said, hey Steve, you mentioned in a recent episode that the Linux kernel has fixed the epoch time issue in kernel build 5.10. I feel like that might've put too many people at ease. Not only are old devices still running out-of-date kernels, but modern stuff does too. As I've mentioned before, I work for Check Point, a company with firewalls protecting a massive portion of the internet. We serve millions of businesses, including all of the Fortune 500 companies, which account for decent chunks of the packets moving across the internet, all having to pass through one of our firewalls.

(01:34:41):
After many years of fighting with R&D, Check Point finally upgraded its OS to move away from Linux kernel 2.6.18 to 3.0. As of 2020, this is the latest anyone can run, 3.10, still with the epoch code issues. I shudder at the thought that we still have customers running code that has passed end of life over a decade ago. Even if R&D begins working on a migration to kernel 5.10 today, it would take years to finish and decades to move everyone off the older releases, all of that on current, modern, state-of-the-art key infrastructure that the world relies on. I think people should still expect a huge mess at the end of epoch time. Thanks for the wonderful show. Looking forward to more episodes to 999 and beyond, and not having to use Twitter anymore. Well, maybe someday soon. All the best. So anyway, that note speaks for itself, and I thought it was a valuable look inside the reality of the commercial use of Linux-based appliances.

(01:36:13):
There really is an if-it's-not-broken-let's-not-break-it mentality, and really, after Check Point built a robust firewall architecture on top of an old OS kernel, if it's working, why change it? If it's primarily being used to boot one's own code, and important things like the OpenSSL library can be kept current, then why mess with the boot loader, which is essentially what Unix or Linux has become there? The problem is, though, the earlier Linux file system timestamps are all using the signed 32-bit time. So any reliance upon file times is going to go berserk in 2038. On the other hand, that's still 15 years off, so we're going to be okay, I guess. And Leo, I think we'll still be doing this. We may both be driving new cars by then, maybe. Yeah, we'll probably be driving our last cars by then.

(01:37:22):
15 years from now, you and I, don't know if we'll be driving, but we'll see. Ah, it's coming pretty quick. Hopefully, hate to say it, and I hope my car is not running a Linux kernel pre-3.10, that's one thing for sure. Matt, tweeting as @Slater450413, he said, hey Steve, there's something that still bothers me about that recent Microsoft hack. He's talking about the capture of the key in the crash dump. There were far too many coincidences where the attacker just happened to know various flaws. Okay, so just to interject, Matt's referring to the fact that not only was the secret key resident in RAM and then captured by a system crash dump, but then there was a chain of no fewer than, every single one of, five flaws were required for that crash dump image to migrate itself all the way to where it was able to be reached by an attacker.

(01:38:34):
So anyway, Matt continues, saying, he continues writing: unlike regular flaws in a desktop OS, where you can continually poke at it with a debugger attached to the OS, most of the surface of a cloud instance being attacked also happens to be blind to outcome observation, like the modern version of blind SQL injection, yet pinpoint accuracy was achieved regardless of that, multiple times. It's almost as if the attacker had source code to examine, sort of like the access and download that was achieved during the SolarWinds attack two years ago. He says, I don't like conspiracy theories, and I'm aware we will never know, but this seems far more likely than an attacker guessing their way through this much obscure and highly technical knowledge. I remember back on Security Now episode 800, there was a passing comment Microsoft made publicly that they do not rely on source code being kept secret as a security feature.

(01:39:46):
But I wonder if this accidental visibility may now be coming home to roost. And it is a good point. As Matt says, we'll never know, but it was, if nothing more, a surprisingly glaring sequence of successive failures, all required in sequence, that brought that key into the hands of someone who then also knew what to do about it. My memory is not complete, but it seemed like it wasn't necessarily triggered by the bad guy. In other words, there was a key, it was in RAM due to a flaw in Microsoft, it was saved as a dump, but the bad guy didn't trigger that. Then there were further mistakes-were-made kind of things, where it went from a private network to the public network, multiple stages where they had code in place that was supposed to scrub their crash dumps for keys, but it didn't work.

(01:40:45):
It didn't work. So in every case, Microsoft had to fix stuff, but I don't think this was triggered by the bad guy. I think it was a crime of opportunity, where that dump got its way into the public, and then the bad guys, one thing they do know, you look at crash dumps for private keys, and that's when he found it. I think you're making a very good point. Yeah, it was really just bad coding on Microsoft's part. It didn't need to be very bad, discovered by anybody. It just happens. Brings bad karma, whole new meaning to bad karma. I do have one piece of errata, and then we're going to take our last break and then begin to talk about the top 10 cybersecurity. Oh, I can't wait. That's a great subject. Oh, it is. I can't wait. Last week I misnumbered the shortcut of the week 842 instead of 942.

(01:41:37):
So yeah, technically that would've made it a shortcut of the week from about two years ago, which was not what I intended. Elaine, who transcribes the podcast, of course, and several of our listeners picked up on my mistake. That shortcut, just to remind everyone, was to the very nice YouTube video explaining how to set up Syncthing. So for anyone who may have thought, hey, that's great, Steve created a shortcut for this week's podcast 942, and then found that it didn't work, okay, oops. The link I created was grc.sc/842. Sorry for the confusion. What, can you put one at 942 now? No, I figured I'd just tell everybody where it went.

(01:42:25):
You could probably Google it too. Syncthing tutorial or something like that. Yeah. When I was setting up this week's properly numbered shortcut of the week, I noted that 555 of our listeners took me literally and followed the 842 link to learn more about Syncthing. Good. They're smart, so I'm glad for that. Or they're used to me, like they really mean that number. Oh, let's guess. Let's roll the dice. Take a chance. Alright, Steve, let's take a break, and then I am fascinated to learn this. Very meaty, very good piece. The top 10, we should do it like a Letterman countdown from 10 to one, cybersecurity misconfigurations. Maybe we can get Tom Selleck or somebody in to read those. But first a word from our sponsor. This episode of Security Now is brought to you by Lookout. Boy, you know this business. Go downtown and see how many people are wandering around.

(01:43:29):
The geeks are all gone because business has changed forever, and we thought maybe it would come back to normal after Covid. But no, and I think it's a good thing. People can work where they want, when they want and how they want, but that also means your data, your company data, is always on the move, whether on a device, in the cloud, across networks, at the local coffee shop in Bora Bora. Now that's great for your workforce, but a little bit of a challenge for IT security. That's why you need Lookout. Lookout helps you control your data and free your workforce. With Lookout, you'll gain complete visibility into all your data so you can minimize risk from external and internal threats, plus ensure compliance by seamlessly securing hybrid work. Your organization does not have to sacrifice productivity for security, and Lookout makes IT security a lot simpler. Working with multiple point solutions and legacy tools in today's environment?

(01:44:32):
That's too much to ask, but that's probably what your IT department's doing. That's why they need Lookout. With a single unified platform, Lookout reduces IT complexity, which means your team has more time to focus on what's going on out there or whatever else comes your way. Look, good data protection, it shouldn't be a cage. It should be a springboard, letting you and your organization bound toward a future of your making. So why don't you go visit lookout.com right now, learn how to safeguard data, secure hybrid work, and reduce IT complexity. Now, that's a nice bundle, isn't it? lookout.com. We thank them so much for making this possible. Without Lookout, I don't know what we'd be doing. We wouldn't have Steve and Security Now. That's all without our fine sponsors. You were talking about Letterman and the demo, and of course you'll remember the Johnny Carson. Yep. The Great Carnac.

(01:45:39):
Yes, that's right, yes. The Great Carnac. Last Thursday, the US National Security Agency, our NSA, and the awkwardly named Cybersecurity and Infrastructure Security Agency, our CISA, jointly published a cybersecurity advisory. Of course, everything has initials, so it's the CSA, right, the cybersecurity advisory, the CSA. This advisory was a result of NSA and CISA red team and blue team activities, as well as the activities of both agencies' hunt and incident response, that's of course HIR, teams. The advisory identifies and highlights the most common cybersecurity misconfigurations, which they continually uncover within organizations, and the report details the tactics, techniques and procedures, which of course is TTPs, which the bad guys use to exploit these misconfigurations. Checklists, I think, such as these, and obviously you agree, Leo, can be very useful because over and over and over in this podcast, we encounter the many consequences of the tyranny of the default.

(01:46:56):
You add multifactor to your authentication. Great, good move. But did you carefully read through all the cautions that its publisher included? Has this new facility been fully configured correctly, or did it take longer than you expected to get it going, and so now you're late for a meeting and had to run off, leaving it, probably forever, the way it came out of the box? Reading through this advisory, I feel as though this podcast has been serving its listeners well, since nothing here will actually surprise anyone who's been listening for long. These are the topics that we often focus on. In fact, number one on the list is default configurations of software and applications. Okay, so today we're going to hit the high points on this advisory, but this work really drills down into very useful and actionable specifics. In fact, there's so much here, this is really only going to be part one of talking about this. So much, and their intention really was to get specific, not just to kind of produce a top 10 list of, and you got to figure out what that means, but they dig in.

(01:48:14):
So that makes this thing too long even for us to cover in two parts at the level of detail that it offers. But every listener who's responsible for their enterprise's network security really would do well to spend some time with it on their own. So it's available as both a webpage and as a very nicely formatted 44-page, like I said, it goes into depth, 44-page PDF. I've made the PDF edition this week's carefully numbered GRC shortcut of the week. So grc.sc/943 will redirect you to the PDF, which resides at defense.gov, and I also have the link to the original webpage up at the top of the topic of the show. Okay, so without further ado, I'm going to quickly enumerate these top 10 most common and most troublesome cybersecurity network-related misconfiguration issues. Then we'll begin digging into each one a bit deeper.

(01:49:26):
So top 10 are: default configurations of software and applications. No surprise there. Improper separation of user/admin privileges. And one of our sponsors of TWiT will love this one: insufficient internal network monitoring. That's clearly a biggie. Number four, lack of network segmentation. How many times have we talked about that, especially in a residential setting with untrustworthy IoT things? Number five, poor patch management. In other words, not keeping up with updates or not prioritizing updates. Number six, bypass of system access controls. That'll be interesting to see what they have to say about that one. Weak or misconfigured multifactor authentication methods. Again, not quite clear what they mean there. Insufficient access control lists on network shares and services. Okay, now there we're talking about, it works for everyone if we don't make the ACLs too tight, so let's just leave 'em the way they are. Bad idea. Number nine, poor credential hygiene.

(01:50:46):
And number 10, unrestricted code execution. Again, that's one of those, well, if we start restricting things, things are going to break, so that's not good. Unfortunately, it can be very useful for the bad guys. So the NSA and the CISA elaborate just before they get into the details on those top 10. They explain these misconfigurations illustrate, first, a trend of systemic weaknesses in many large organizations, including those with otherwise mature cyber postures, and two, the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders. In other words, they're saying both ends of this are at fault, and I think that's exactly right. They said properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses, meaning it is possible to secure things. And secondly, software manufacturers must reduce the prevalence of these misconfigurations, thus strengthening the security posture for all customers, by incorporating secure-by-design and -default principles and tactics into their software development practices.

(01:52:20):
They wrote, NSA and CISA encourage network defenders to implement the recommendations found within the mitigation section of this advisory, including the following, to reduce the risk of malicious actors exploiting the identified misconfigurations: remove default credentials and harden configurations; disable unused services and implement access controls; update regularly and automate patching, prioritizing patching of known exploited vulnerabilities, of course, that's a big CISA issue; reduce, restrict, audit and monitor administrative accounts and privileges. They said NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and -default tactics, including embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle, eliminating default passwords, providing high-quality audit logs to customers at no extra charge. We have seen a case where you had to pay more for the logs, and that didn't work very well.

(01:53:45):
And finally, mandating multifactor authentication. That is, the software manufacturers should be mandating multifactor authentication. They said ideally phishing-resistant, for privileged users, and making MFA a default rather than an opt-in feature. In other words, both parties is what we are seeing here right off the bat. The software manufacturer and the software user have responsibilities. A perfect example that they mentioned is default passwords. The users of any system must change the default passwords when they're first setting up their software, but the creators of that software should also absolutely come up with some way to avoid ever having a default password in the first place. In other words, yes, the people using it should know to change the default, but there shouldn't be a default for them to have to know to change.

(01:54:52):
So just how serious is this simple-seeming problem of default credentials? Actually, it's a bit shocking when you look at how many different ways these defaults can be abused. The document explains a few. They wrote, many software manufacturers release commercial off-the-shelf network devices which provide user access via applications or web portals containing predefined default credentials for, of course, the built-in administrative accounts. Malicious actors and assessment teams regularly abuse default credentials. So again, this is coming from real-life experience with red team and blue team work and post-incident response. They're finding malicious actors and assessment teams regularly abuse default credentials by: finding credentials with a simple web search and using them to gain authenticated access to a device; resetting built-in administrative accounts via predictable forgotten password questions; leveraging default virtual private network credentials for internal network access; leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database; and leveraging default credentials on software deployment tools for code execution and lateral movement.

(01:56:29):
They said, in addition to devices that provide network access, printers, scanners, security cameras, conference room AV equipment, voice over internet protocol phones and internet of things devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may contain privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device to compromise the entire domain. So, okay, my feeling is that the awareness of the danger posed by dangerous defaults of any kind has been very well known for decades. So at this point, any manufacturer who's still shipping products with dangerous default settings, which they expect their customers to know to change, and, frankly, which must be changed in order to have any security, such a manufacturer at this point is beyond lazy.

(01:57:58):
Many, if not most users, even obviously at the enterprise level, presume that the way things come from the factory is intended to be the way they should be. Thus the tyranny of the default takes hold. But if this was not the case, if it was the case that defaults were secure, we wouldn't have the tyranny of the default. It would be the blessing of the default, because these things would be ready to go, secure out of the box. And there is the, I think we know, the occasional sighting of a manufacturer who gets it, who requires their user to invent their own admin password right off the bat. You can't go any further until you do that during the initial setup and configuration of the device. Then it'll make you log off and log back on using it to prove that you're able to, and then you'll be able to move forward.

(01:59:04):
But not until then. And even sometimes that's annoying when you're in a hurry and just want to get something, a test setup, up and going and running, but you run across a device whose design was done correctly. They've got no defaults, so they're inherently far more secure. But again, even today, even though we know how to do that, everyone knows how to do that, these sightings are still the exception rather than the rule. So the responsibility is still resting upon the rest of us, those users who use these things. The document notes also some interesting specifics. They said certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them, or, I would argue, leave them enabled.

(02:00:15):
Again, not secure by default. Assessment teams regularly find the following: insecure Active Directory Certificate Services, insecure legacy protocols and services, insecure Server Message Block, SMB, service. Looking more closely at legacy protocols and services and insecure Server Message Block services, they note many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution, LLMNR, and NetBIOS Name Service, NBT-NS, which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning and relay techniques to obtain domain hashes, system access and potential administrative system sessions. Malicious actors frequently, frequently, exploit these protocols to compromise entire Windows environments. This is what's happening during that dwell time, after someone gets in, while they're busy digging deeper into the network. They said malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one.

(02:02:04):
If the requested system requires identification, authentication, the target computer will send the user's username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plaintext password. Server Message Block service is a Windows component primarily for file sharing. Its default condition, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. And we've touched on this not that long ago in the podcast. They said if SMB servers do not enforce SMB signing, which again is not required by default because, oh my God, oh heavens, it might break something, we'd have to go find out what and then fix it, they said malicious actors can combine a lack of SMB signing with the name resolution poisoning issues above to gain access to remote systems without needing to capture and crack any hashes at all.

(02:03:14):
So as I'm reading that, another thing occurs to me. There's an aspect of asymmetrical warfare that applies here. These systems have grown to be insanely complex over time, and they're dragging along a growing encrustation of legacy protocol crap so that nothing from the past ever breaks, and everything that someone might have continues to work, even though, if no one has anything, if they plug it in, oh, it needs to work. And this is true even if the organization themselves doesn't have any of that stuff. It's all still there because it was on by default to make sure everything just works out of the box, but it is also horribly insecure. So the beleaguered IT professional who just wants things to work doesn't mess with those things, again assuming that if it came that way, it's supposed to be on. Sure, he or she also wants them to be secure, but first they have to work.

(02:04:30):
But the bad guys have an entirely different agenda, and I understand that this is obvious, but I think it's still critically important. The bad guys are living off of this debris, off of all of this "what if maybe we'll need this someday" legacy stuff. They've learned and know the ins and outs of how to abuse these retired or retiring systems that persist. And this is the asymmetric aspect. As we know, security is all about the weakest link, so it literally does no good to have super security on the latest spiffy new network layers if the ancient networking protocols are still left lying around, active and enabled. The enterprise may not be using them, but that doesn't mean the bad guys will not be abusing them. Okay, so we are at page 18 in the show notes, which usually means we're out of time, and as I look at the clock, we're also at two hours. But there is still so much really good meat here to discuss: segmentation of user and admin privileges, lack of network monitoring and lack of network segmentation, poor patch management, bypassing of access controls, weak or misconfigured multifactor authentication, and more.

(02:05:55):
So next week I plan to continue digging into some of the remaining high points of this very important document. So stay tuned. It's fascinating, and at some point, the CISA people wrote us and said they wanted to get on the show. We should talk about it; maybe they wanted to talk about this. I don't know. We could ask them about it.

(02:06:18):
That's a good point. Yeah. Yep. We will do a show with some CISA guys. I think it's a good idea. Yeah, but really all we need is one guy right here, this guy Steve Gibson, CEO and boss at GRC.com. That's the Gibson Research Corporation, which is the source, the one and only place where you can get SpinRite, the world's finest mass storage maintenance and recovery utility. Currently 6.0; 6.1 soon, we think. I'm back to it now. Any minute now. Yep. ValiDrive is done. And we were already in just like the cleanup phase, where it's like, well, this log entry seems a little confusing, kind of thing. So we're close; it's done, it's running. We just have to, and actually ValiDrive's a Windows component. I mean, it is a Windows thing. I started with the Windows SpinRite app and mutated it into that.

(02:07:25):
And then all of the technology that I ended up adding now goes back over to the SpinRite side. So a lot of this work does help. It was helping SpinRite from the start. A good coder reuses code. We know that. Yep. And Steve, Steve is a very good coder. On SpinRite, the good news is if you get 6.0 now, you'll get 6.1 the minute it's available, for free. So it's just kind of part of the deal. He also has lots of free stuff. ValiDrive is just the latest. grc.com. You can leave him some feedback there at grc.com/feedback. Of course, the GRC forums are a great place to have a conversation with other Steve fans. He's also on Twitter. Well, he isn't exactly, but I see a lot of Twitter stuff in the show today. So maybe you're still following DMs on Twitter, is that it? I'm still there, yeah.

(02:08:14):
Okay. @SGgrc on X.com. He has the podcast on his website, grc.com. Well, two unique versions. In fact, he has the main version, the 64 kilobit audio version, but he also has a 16 kilobit audio version. What's that, one fifth the size? Something like one fourth the size. One fourth, yeah. Yeah, one quarter of the size. So that's for the bandwidth impaired. There's also a text version, transcripts written by Elaine Farris, our transcriptionist. She's very good. That's probably the smallest of them all. All of that at grc.com. You can come to our site, twit.tv/sn, for the 64 kilobit audio, but also for video. We offer that. You can download it from the site, you can subscribe in your favorite podcast player. There's also a YouTube channel with video dedicated to Security Now. We invite you to do all of that. If you want to watch us do it live, like at the very freshest version, still steaming hot,

(02:09:17):
you can watch us do this every Tuesday right after MacBreak Weekly. I'm just going to say 2:00 PM Pacific, 5:00 PM Eastern, 2100 UTC. If you want to catch that live at live.twit.tv, there's audio and video. Now, if you're watching live, do join us in our Club TWiT Discord. There's a lot of reasons to join Club TWiT: ad-free versions of all of our shows, special shows we don't put out in public, like the interview Ant did with John Scalzi last week, science fiction author extraordinaire, and the Discord, which is a great place to hang to chat about the shows and about anything else you're interested in. That's just $7 a month, and I think it's a real value for the dollar. We really try hard to make it worth your money, and you'll get the nice feeling in knowing you're helping keep us on the air, because advertising sales is dwindling rapidly for podcasts in general, and we're not immune, but we've got a great audience that should keep it going for a long time. twit.tv/clubtwit for more information. Steve, have a wonderful week, and I will see you next week right here on Security Now. Will do, for 944 next week. Bye.

Advertisement (02:10:34):
Hey, we should talk Linux. It's the operating system that runs the internet, a bunch of your game consoles, cell phones, and maybe even the machine on your desk. And you already knew all that. What you may not know is that TWiT now has a show dedicated to it, the Untitled Linux Show. Whether you're a Linux pro, a burgeoning sysadmin, or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet? Well, go to twit.tv/clubtwit and sign up. Hope to see you there.

(02:11:23):
Curiosity Stream is the streaming service for people who want to know more. And now check out Curiosity's new series, The Real Wild West. Rolling Stone magazine says it's the history of the West they usually don't teach you. The mythology of the West left out a lot of the people. They say they've never seen a black cowboy. This is the history book. But did you know about these other facts? Watch The Real Wild West now on Curiosity Stream, with monthly, annual, and bundled plans. Find the one that works for you at curiositystream.com.
