Security Now 956 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte & Steve Gibson (00:00:00):
It's time for Security Now. Steve Gibson is here with an update on that CVE that provided a backdoor into Apple hardware. He's got some interesting afterthoughts. He also talks a lot about cyber warfare and the vulnerabilities in Ukraine. Plus 23andMe's latest disclosure: is it really enough? All that and more, coming up next on Security Now. Podcasts you love,

TWiT (00:00:31):
From people you trust. This is TWiT.

Leo Laporte & Steve Gibson (00:00:39):
This is Security Now with Steve Gibson, episode 956, recorded Tuesday, January 9th, 2024: The Inside Tracks. Security Now is brought to you by Lookout. Your data is always on the move, whether on a device, in the cloud, across networks, or at the local coffee shop. Now that's great for your workforce, but it is a challenge for IT security. That's why you need Lookout. Lookout helps you control your data and free your workforce. With Lookout, you'll gain complete visibility into all your data so you can minimize risk from external and internal threats, plus ensure compliance by seamlessly securing hybrid work. Your organization does not have to sacrifice productivity for security. Your IT department is working with multiple point solutions and legacy tools. That's just too complicated for today's environment. That's why you need the single unified platform, Lookout. Lookout reduces IT complexity, giving you more time to focus on scaling or whatever else comes your way.

(00:01:44):
Good data protection. It's not a cage, it's a springboard, letting you and your organization bound toward a future of your making. Visit lookout.com today to learn how to safeguard data, secure hybrid work and reduce IT complexity. That's lookout.com. It's time. Yes, I know you've been waiting all week for it. Security Now is on the air. Steve Gibson, our man about town. He's the expert on privacy, security, how things work, and really, I think, one of the most trusted people in this business. He's right here. Hi Steve. Hey Leo. Great to be with you again as we are plowing through year 19, yikes, of the podcast. Yeah. Okay, so this was a little bit sparse week in terms of security news, and I have to say it's difficult to follow last week's blockbuster with something similar, although I do think I have something I'm lining up for next week, but there's still lots to talk about.

(00:02:48):
I want to start off this week by following up on last week's podcast, which was obviously about the hardware backdoor that had been discovered in Apple's silicon, to support the conclusion I've reached since then, as I've continued to think about it, that this was deliberate on Apple's part, that they always knew about this, and why. Then we're going to wonder whether everyone is as cyber vulnerable as Ukraine appears to be, and if so, why? And just how serious could cyber attacks become? What's the latest on the mess over at 23andMe? How's cryptocurrency been faring, and are things getting better, staying the same or getting worse? Google's Mandiant, their big security firm, had its account hacked. Just how seriously and legally do we take the term "war" in "cyber war," and what are the implications of that? LastPass recently announced some policy changes, even if they're two years late.

(00:04:01):
What lessons should the rest of the net still take away from this? During 2023, how did Windows 11 fare against Windows 10? What happens when users discover that Chrome's incognito mode is still tracking them? And then, after exploring some questions from our terrific listeners, I want to share the result of some interesting research I just conducted last week during the final days of the work on SpinRite 6.1. Thus today's podcast is titled The Inside Tracks. Oh, the inside tracks of your hard drive. Yeah. Oh, I like that. Someday hard drives will no longer have inside tracks, but some interesting news. Yeah. Oh good. Well, that's all coming up in this thrilling, gripping edition of Security Now. But before we do that, may I talk about our sponsor for this segment of Security Now, a name you all undoubtedly know: Palo Alto Networks.

(00:05:04):
Of course, Palo Alto Networks. Palo Alto Networks offers ZT for OT, zero trust for operational technologies, without the trauma. Keeping operational technology secure and running smoothly, that's a tall order. And if you're doing it, you know, right? It's enough to make even the coolest operations director wake up with night sweats. Now you can have peace of mind with Zero Trust OT Security. Oh, it's like the best of both worlds. Zero Trust OT Security delivers comprehensive visibility and security for all OT assets, networks, and remote operations. The Palo Alto Networks solution provides exceptional OT protection with more than 1,100 App-IDs for OT protocols, 500-plus profiles for critical OT assets, and more than 650 OT-specific threat signatures supported. It provides best-in-class security while simplifying OT security management. It sees and protects everything in the network, and it automates threat detection while implementing zero trust across all operations.

(00:06:13):
We know zero trust is the way to be. This is the way to do it. Sleep better with the most comprehensive platform to detect, manage, and secure OT assets. Learn how the Palo Alto Networks Zero Trust for OT Security solution can achieve 351% ROI over five years. To learn more, find the link in the show notes, the show description at twit.tv, or just visit paloaltonetworks.com. That's paloaltonetworks.com. We thank them so much for the work they do, which is excellent, and the support they provide for Steve and Security Now. Steve, I'm ready for the picture of the week. I've got it all queued up here. Haven't looked at it yet though. I like to be surprised. Oh, I get it.

(00:07:03):
That's great. Here, let me show everybody. That is great. Let me show everybody for the podcast. Yeah, perfect. For the podcast. So this is the, today actually, on January 9th, is the 17th anniversary or birthday of the introduction of the Apple iPhone. And anyway, so this is just an apropos birthday cake. Really, Leo, when I thought about it, until I realized, okay, most people get, wait a minute, there's only eight candles, Steve, and only two of them are lit. That's true. Whoa, is that binary? Eight candles is a byte, right? An eight-bit byte, and yes, binary. So the candle representing 16 is lit, as is the candle representing one. Now, what occurred to me, though, is first of all, you could probably get away with only seven, right? Because that would bring you up to 127 years old, which humans don't live that long. Danger. Plus, however, you want a sign bit, so you can have negative numbers too.

(00:08:14):
Well, that would be interesting. Yes. Now the danger is, though, that you can only approach this candle, this cake, from the front. Oh, from the right side. Yeah, yeah. Yes. Because if it's backwards, then 17 turns into 136, which, save it, because in 129 years, no, 119 years, you'd be able to use this, Leo. I'm afraid this podcast will not last that long. We are going past 999, but not to 9999999. I love it. Alright. Very nice. Okay, so I want to begin, as I said, with a bit of a follow-up to last week's news. Yeah, we've been talking about it. We talked about it on MacBreak Weekly today, we talked about it on TWiT on Sunday. I think it's really a big deal story, which I'm not seeing anywhere but here. That's exactly right. And in fact, we have some Q&A later, and one of our listeners said, how is this not getting more attention?

(00:09:14):
Anyway, we will talk about that when we get there, but the way we left things last week, in the wake of this revelation, was with a large array of possibilities. Since then, I've settled upon exactly one, which I believe is the best fit with every fact we have. Again, no speculation here, although, again, we are never going to have a lot of answers to these questions. Many people sent notes following up on last week's podcast. Many doubted the NSA conspiracy theory because of those other not-easy-to-effect steps involving other clearly inadvertent mistakes in Apple's code that were needed by this particular malware. I don't know why it didn't occur to me last week, but it has now. As we know, and have covered here in great detail in the past, Apple has truly locked their iPhone down every way from Sunday. I believe, from all the evidence and focus that Apple has put into it, that Apple's iPhones are truly secure.

(00:10:31):
But would Apple actually produce a smartphone handset that they, and I mean they absolutely, positively, truly could not get into, even if it meant the end of the world? Oh, that's a very good point, right? If Apple believed that they could design and field a truly and totally secure last-resort backdoor means of accessing their devices in the event that the world depended upon it, I believe that they would've designed such a backdoor, and I believe that they did, deliberately and purposefully, for their own use. Yes, and I do not think less of them for it. In fact, I think that the case could be made that it would be irresponsible for Apple not to have provided such a backdoor. What if Dr. Evil had an iPhone with the launch codes on him? Right? Well, that's where I'm going here. We'll likely never know whether any external agency may have made them do it.

(00:11:56):
And yes, doing so could hardly be more controversial, but I could imagine a conversation among just a very few at the very top of Apple. Tim Cook and his heads of engineering and of security had to have had a conversation about whether it should be possible, under some set of truly dire circumstances, for them to get into somebody else's locked phone. Obviously, the security of such a system would be more critical than anything, but their head of engineering security would've explained, as I did last week, that as long as the secret access details never escaped, because it's impossible to probe anything that must be accompanied by a signature hash, there would truly be no way for this backdoor to be discovered. As I said last week, from everything we've seen, it was designed to be released in the field, where it would be active yet totally safe.

(00:13:15):
So if Tim Cook were told that Apple could design and build in an utterly secure emergency, prevent-the-end-of-the-world escape hatch into their otherwise utterly and brutally secure devices, and this escape hatch could never possibly be opened by anyone else, ever, I imagine Tim would've said, under those conditions, yes. I think that most CEOs who are in the position to understand that with great power comes great responsibility, when assured that it could not possibly be maliciously discovered and abused to damage their users, would say yes, build it in. I trust Apple as much as it's possible to trust any commercial entity operating within the United States. I believe that they absolutely will protect the privacy of their users to the true and absolute limit of their ability. If the FBI were to obtain a locked iPhone known to contain, exactly as you said, Leo, the location and relevant disarming details of a nuclear weapon set on a timer and hidden somewhere in Manhattan, I would be thanking Apple for having the foresight to create a super secure means for them, and them alone, to gain entry to their device.

(00:15:05):
And I'd argue that in doing so, they did have the best interests of their customers in mind. In this scenario, a great many iPhone users' lives would be saved. There are all manner of conspiracy theories possible here. Yeah, obviously. And this one of mine is only one of many, but of all the possible theories, I believe this one fits the facts best and makes the most sense. Of course, the first thing everyone will say is, yeah, but Gibson, they did lose control of it, and it was being used by malware to hurt some of Apple's users. And that's true. In fact, that's the only reason the world learned of it. If this scenario's correct, Apple never divulged this to any entity, and this would never have been meant for the FBI, CIA or NSA to have for their own use. If an impossibly high bar were reached, Tim Cook would say, have an agent

(00:16:20):
bring us the phone, and we'll see what we can do. But somewhere within Apple were people who did know. Perhaps someone inside was set up and compromised by a foreign group. Perhaps Apple had a longstanding mole. Perhaps it was a gambling debt or the threat of some extremely embarrassing personal information being disclosed. One thing we've learned and seen over and over on this podcast is that when all of the security technology is truly bulletproof, the human factor becomes the lowest-hanging fruit. Just ask LastPass how they feel about the human factor, which bit them badly. Okay, so where does this leave us today? We know that all Apple iPhones containing the A12 through A16 chips contain this backdoor, and always will. We don't know that it's the only backdoor those chipsets contain, as we touched on last week. But Apple doesn't need another backdoor, since they still have access to this one.

(00:17:35):
They locked a door in front of this one, but they can always unlock it again. After being contacted by Kaspersky, Apple's iOS updates blocked the memory-mapped I/O access that was discovered being taken advantage of by malware. But Apple is able to run any software they choose on their own phones, which means that Apple still has access to this backdoor should they ever need to use it. And this means that they've lost plausible deniability. They have the ability to open any iPhone that they absolutely must. So this poses a new problem for Apple when law enforcement now comes knocking with a court order, as it's almost certain to, with way-below-that-bar requests for random iPhone unlocking to assist in this or that case. So this is a new mess for Apple. I'm sure they're facing that. Apple's most recent silicon is the A17.

(00:18:46):
Yet Kaspersky told us that this facility had only been seen in the A12 through A16. If the malware did not contain that initial unique per-chip-generation unlock code for the A17 silicon, and we know that it didn't, then this same backdoor might still be present in today's iPhone 15 and other A17-based devices. That's the most reasonable assumption, since it was there for the previous five generations. Apple obviously likes to have it, but what about the next iteration of silicon, the A18? Another thing we don't know is what policy change this disclosure may have for the future. We don't know how committed Apple was to having this capability, but I think I've made a strong argument for the idea that it has to have it. Have they been scared off? Well, maybe. We'll see what happens now.

(00:19:55):
As I said, with law enforcement asking them to unlock everybody's iPhone, will they move it to a different location within the ARM 64-bit address space, yet keep it around? As we were after last week, we're left with a handful of unanswered and unanswerable questions. But my intention here was to hone this down to explore what appears to be the single most likely scenario. Apple designed, and is quite proud of, the GPU section of those chips, which contains the backdoor hardware. There's no chance they were not aware of the little hash-algorithm-protected DMA engine built into one corner of the chip. People within Apple knew. Listeners of this podcast know that I always separate policy decisions from mistakes, which unfortunately happen. So I sincerely hope that Apple's policy was to guard this as perhaps their most closely held secret, and specifically that it was never their policy to disclose it to any outside agency of any kind for any reason. Somewhere, however, a mistake happened, and I'd wager that by now Apple knows where and how that mistake occurred.

(00:21:26):
What about the assertion that it maybe is ECC? That the S-box is an ECC table. We've seen the S-box. That's not error correction. It's not. That's just, in fact, when I first saw that posting, I was excited that there might be somebody who actually had some information, but they know nothing more than anybody else. The idea that that hash is ECC is complete nonsense. And so for me, I just thought, okay, well, these guys don't know anything more than the rest of us do. It's easy to speculate. Yeah, yeah. Well, we know what that is. That's not ECC. Anybody who knows about error correction, and I have to because of SpinRite, knows that's got nothing to do with error correction. So that was complete nonsense. It was BS. Okay. Yes, yes. Error correction: you feed something in, it does a lot of work.

(00:22:26):
You get a syndrome, which is an XOR mask against the data, and it also provides a position of where that mask is slid to provide the XORing, which flips the bad bits into good bits. That's not what that S-box is. That S-box is a simple hash. So yeah, that's not ECC. But I'm glad you connected with this thought of mine, Leo, that of course there had to be a backdoor. Yes, of course. Of course they have. They, and they alone, to prevent the end of the world, can open up any of their devices. That makes sense. And then they would super strongly secure it, and of course they didn't need to go through the other three exploits to get to that part. A bad guy would. Right? And they didn't even know it was being abused until Kaspersky said, look what we found over here.

(00:23:29):
And they're like, oh shit. This is the problem with a backdoor of any kind, and that's what I would've said. And yes, that argument, and this of course has been the argument that everyone has always used against the EU saying, oh, just give us a way. It's like, no, it will be abused. This was, and this is really unfortunate, but I don't think Apple was wrong to do it. No. When you put it that way, it makes sense. It seems like a good thing to do. And now I'm hoping that Dr. Evil doesn't put the nuclear codes on his iPhone, unless they have another backdoor, which is possible. Well, they haven't lost this one, Leo. This one is still available. Oh, all they have to do, I mean, they can re-enable it. They locked a door in front of this one with an update.

(00:24:24):
They could un-update any phone that they want to. Oh, of course. Duh. Yeah, so they still have full access to an A12 through A16 get-out-of-jail-free card. And this is the problem too, because now the FBI, and well, if the FBI didn't know that, the NSA will now tell them. Maybe someone's listening to this podcast. Now Apple can open any. Now that the cat is out of the bag, they can no longer say what they have been saying to the courts, we have no way in. Oh, interesting. Yes, you do. Oh boy, that's interesting too. You always have had a way in, you just didn't tell anyone. Well, now we found out because it leaked. It leaked from inside Apple, unfortunately.

(00:25:13):
Okay, so we talked earlier about the interesting abuse of internet-connected cameras by Russia to improve the targeting of their weapons strikes inside Ukraine. I saw a bit of an update on that last week. After Russian hackers successfully hijacked at least two security cameras and used those cameras' live video feeds to adjust their missile strikes targeting the city of Kyiv last week, once Ukraine's SBU, which is their security service, detected the attacks, they took down the cameras to prevent their further abuse. And part of the coverage of that was the information that since the start of Russia's invasion, more than 10,000 security cameras have been taken down across Ukraine. 10,000. So hearing this, I kind of paused to wonder, and also to worry, about the situation here in the US, in Europe, and with any of our allies. Back when we began this podcast, Leo, when loincloths were in fashion, the idea, we're even older than the iPhone.

(00:26:43):
That's right, baby. The idea of cyber war was still squarely the stuff of fiction. From everything we hear, there are constant low-level cyber skirmishes going on all the time. We know that the usual suspects of China, North Korea and Russia have talented hackers who are more or less continually poking around inside our computer networks. And for our own sake, I hope we're giving at least as well as we're getting, since a cyber standoff is in everyone's best long-term interest. Everyone in the world, however, is pulling from the same common pool of technology. So we're probably all about equally vulnerable to each other. There's no reason to believe that the cameras we have everywhere here in the States, and that Europe has throughout their countries, are any more secure than those that Ukraine was using. And the same applies to all of our other interconnected technology.

(00:27:55):
I've often wondered what I would do if I were starting out in the world today. I've always had a strong intellectual curiosity about whether I could hack other people's stuff, but doing so is both unethical and illegal, so I never have. But participating in my country's defense and, if necessary, its offensive operations, I have to admit that has some appeal, while also resolving the ethical and legal roadblocks. One thing is very clear: this is no longer the stuff of sci-fi. It's very real, and it appears that our countries need us. So I've said it before, I'll say it again to our younger listeners who maybe haven't chosen a career path: get really good at this stuff, and your country needs you, seriously. We know that our country is hiring, and this is real, and boy, it'd be a lot of fun. I don't know about the camo though, Leo. You don't have to wear camo. You could wear your BDUs at home and wear skis to work. Okay. Okay. I give you permission, General Lee. It's okay. We have heard, however, we've heard from our listeners, oh no, I've got to put my camo on every morning. But they did assure me, though, that they're comfortable, that they're not stiff and starchy. They've got some sweat rings under their armpits, so that's good.

(00:29:40):
Okay. I think this topic is important enough for me to spend a bit more time on a specific example. Last Thursday, the Reuters news service published an article titled "Russian hackers were inside Ukraine telecoms giant for months." So here's some new information that was not public before, that Reuters just published. They said, January 4th: Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyber attack that should serve as a big warning to the West, Ukraine's cyber spy chief told Reuters. The hack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days, starting December 12th. In an interview, Illia Vitiuk, head of the Security Service of Ukraine's, that's the SBU, Cybersecurity Department, disclosed exclusive details about the hack, which I would call more than a hack, which he said caused disastrous destruction and aimed to land a psychological blow while gathering intelligence. He said, this attack is a big message, a big warning, not only to Ukraine but for the whole Western world, to understand that no one is actually untouchable. He noted that Kyivstar was a wealthy private company with heavy investments in cybersecurity. The attack wiped almost everything, including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyber attack that completely destroyed the core of a telecoms operator.

(00:32:07):
Later, following some investigation, on December 27th, he said that they found that the hackers probably attempted to penetrate Kyivstar originally in March or earlier, much earlier last year. He said, for now we can say securely that they were in the system at least since May of 2023. I cannot say right now when they had full access, probably at least since November. The SBU assessed the attackers would've been able to steal personal information, understand the location of phones, intercept SMS messages, and perhaps steal Telegram accounts with the level of access they had gained. A Kyivstar spokesman said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, blah, blah, blah. Of course, that's the PR guy at the company that got blasted. And following the major break, there were a number of additional attempts aimed at dealing more damage to the operator.

(00:33:15):
Kyivstar is the biggest of Ukraine's three main telecoms operators, and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other choices, no other providers. People rushed to buy other SIM cards after the attack, which created large lines. ATMs using Kyivstar SIM cards for the internet ceased to work, and the air raid sirens, which are used during missile and drone attacks, also did not function properly in some regions. Post-attack forensics are made more difficult because of the wiping of Kyivstar's entire infrastructure, but Vitiuk said he was pretty sure it was carried out by Sandworm, a Russian military intelligence cyber warfare unit that has been linked to cyber attacks in Ukraine and elsewhere. A year ago, Sandworm penetrated a Ukrainian telecoms operator, but was detected by Kyiv because the SBU had itself been inside Russian systems.

(00:34:26):
Vitiuk said the pattern of behavior suggested telecoms operators could remain a large target of Russian hackers. And during 2023, the SBU said it had thwarted over 4,500 major cyber attacks on Ukrainian government bodies and critical infrastructure. So, okay, again, sadly, there's no actual reason to believe that things are any different anywhere else. Ukraine is using the same technology as everyone else. As I've said, all of the evidence we have suggests that our actual security is far more soft than we would like. What's generally, and thankfully, missing is the motivation to abuse it. But the rise of cryptocurrency created the motivation to extort enterprises that smugly believed, until then, that their IT security budget was sufficient and that the threats were being overblown. No one thinks that any longer. The last thing we need is an escalation.

(00:35:44):
Wow. I know, it is sobering. We've got a little poking around the edges, but as I said, I hope that we're able to give as good as we get, because we only hear about attacks against us. We don't get any information about what we're doing, how we're in other people's networks. But as I said, there's a career there. I also think there's some reluctance to go full bore on this because, I mean, the obvious end game is attacking infrastructure, which could be horrific to civilians. Well, and when you do so, you're no longer covert, right? So it is a use-it-and-then-lose-it, and the threat nobody wants. Retaliation is so strong because you don't need, it's not like building a nuclear weapon. You need a few good hackers, and probably almost any nation state could muster up enough hackers to be a threat. Leo, North Korea, where did they get their education? They didn't come over here and get taught at MIT. Actually, apparently some did, but anyway, covertly.

(00:37:03):
But that's the point, is that this information is out there, and it doesn't cost a lot to create a Fancy Bear. So it's really an interesting issue. It's not the end of the line on this one. You do not need huge rooms of spinning centrifuges and years of time. You need, literally, some guy in his mother's basement. Literally. And Leo, let's take a break, and we're going to talk about 23andMe. And you and me, and I'm excited, or not excited, but I'm interested, being a longtime 23andMe user, and I was really kind of mad at the company. They said it was our fault. It was our fault. You should be. I know, you should be. Before we get to that, let's talk about Kolide, our great sponsor. We've talked about 'em before. When you go through airport security, there's one line where the TSA agents check your ID.

(00:38:03):
There's another line where a machine scans your bag. Well, that's actually a good model for enterprise security. Instead, of course, of passengers and luggage, it's end users and their devices. Now these days, most companies, of course, check the ID. They're very good at that first part of the equation. But user devices, they don't have a bag scanner. They roll right through authentication without getting inspected. They assume, well, you got in, so your devices are fine. In fact, this stunned me: 47% of companies allow unmanaged, untrusted devices in to access their data. That means an employee can log in, identify himself, I'm an employee, but his laptop has its firewall turned off, or hasn't been updated in six months, or has a copy of Plex on there that hasn't been updated in years. Or worse, that laptop could actually belong to a bad actor using employee credentials.

(00:39:02):
This is why you need Kolide. Kolide solves the device trust problem. Kolide ensures that no device can log into your Okta-protected apps unless it passes your security checks. Plus you can use Kolide on devices without MDM, like your Linux fleet, your contractor devices, every BYOD phone and laptop lurking in your company. Now, now we're talking, this is where you need it, right? Visit kolide.com/securitynow to watch a demo, see how it works. I think you're going to want this. K-O-L-I-D-E dot com slash securitynow. Great product from a great company, and we love these guys and we thank them so much for supporting Steve and his efforts to secure it all. Now tell me how much trouble I'm in with my DNA. Okay. Okay, so things are still a mess at 23andMe. They've been hit with 33 lawsuits. Oh gosh, this last, yeah, I mean, and people take their DNA as, like, a privacy issue.

(00:40:12):
Who would've thunk? So anyway, this was last December, was the revelation of the breach, which disclosed the personal information, and this is the number that stuns me, of 6.9 million of their users. Okay, now just to remind everyone, the story is that 14,000-some accounts were first directly compromised using simple credential stuffing, reusing known, previously used passwords of each victim. I would argue that this had to be detectable right there, but you won't see what you're not looking for. And nothing else these guys did seems particularly impressive on the IT side. So they apparently weren't looking there. Their heads were turned. So, okay. From there, we're told that simply using the API that was available to any logged-on user, since that's all these bad guys apparently were, the attackers were then able to siphon off the personal data of an additional, expanded 6.9 million unbreached users.

(00:41:37):
Now, I suppose I'm still skeptical about this explanation, because in my gut I find it difficult to believe that the designers of 23andMe's architecture could deliberately have set things up so that anyone logged into their system could have direct access to, on average, the personal data of 493 other members. 6.9 million divided by 14,000 is 492.857, which is the average disclosure reach of each of 23andMe's 14,000 logged-on users. In order to believe that this is what actually happened, 23andMe's system had to be horribly designed from the start, which is quite dispiriting. And then, in the wake of this catastrophe of their own making, adding insult to injury, 23andMe attempted, and I'm sure you saw this, Leo, to change the terms of service for their users retroactively, if you could believe that, to require them to agree to settle any disputes through arbitration in lieu of other legal action. That didn't escape notice.

(00:43:12):
And you can imagine that it didn't go over very well. As we know, anyone can make a mistake, but they're directly responsible for their apparently an incredibly crappy system design, which again, if they're to be believed, allowed any legitimate user to log on with their own credentials and then have access to the personal details of, on average, nearly 500 other users who they don't even know. So wow, it looked like a good deal. I'm also a member, for what it's worth. I spit in the tube years ago because it seemed like a curiosity. Wow.

(00:44:06):
Okay, and speaking of the incentives created by cryptocurrency, the Estonian cryptocurrency platform CoinsPaid, I don't think they knew who their coins were going to be paid to, was the victim of another cyber attack, losing an estimated $7.5 million worth of crypto assets. I say "another" since this is the second time this company has been hacked. The first time it lost $37.3 million in July. CoinsPaid blamed last year's incident on, guess who? North Korea. I wonder who you call in North Korea to negotiate a settlement. Hey, how about we'll give you a 10% bounty and no hard feelings if you'll return the rest. I wouldn't hold my breath on that happening. Meanwhile, the Gamma cryptocurrency platform says it lost 6.1 million worth of assets after a threat actor abused the infrastructure of one of its providers to manipulate exchange prices. And another threat actor has stolen nearly 4.5 million worth of crypto assets from the Radiant Capital cryptocurrency platform. The technique used there was a so-called flash loan attack. So I don't know where all this money is, where it's coming from and going to, but I am sure glad that none of it's mine. Somebody's getting a yacht. My God, Leo, it's just, geez. Oh yeah, we lost 37 million.

(00:45:56):
That happens. We can make more. It's okay. Call North Korea and ask them if they'll accept a bounty and give us 90% back. No, it's the North Koreans who were having a party and got a yacht. Yeah, okay, so snuck. Okay, but let's take a larger view. Stepping back overall, during all of last year hacking attackers made off with more than 1.8 billion US dollars worth of crypto assets, and that was across 751 individual security incidents. There is some good news here though, since that number is way down, as in by half, from the 3.7 billion US dollars that were lost the year before during 2022. So that's good. Either people are pulling their money out of this crazy business or security is beginning to get better. I mean, it certainly was the wild west there in the beginning.

(00:47:15):
I don't remember the details, Leo, but Kevin was buying icons of monkeys or robots or something. Yeah, he was buying Bored Apes. What the heck? And then CryptoPunks, and then because he saw the writing on the wall, he offered his own icons. They were owls, and I think he and the consortium that did this, including a number of well-known NFT people like Beeple, made $50 million. And where were we? It's unbelievable, those youngsters. Kidding. Anyway, according to the blockchain security firm CertiK, whom we've quoted from time to time, last year's top 10 most costly incidents accounted for more than 1.1 of that total 1.8 billion stolen in total. So it's not like all thefts are equal. Right? The top 10 got 1.1 of the total 1.8, and speaking of behind the curtain, the most costly incidents were linked to leaks or compromises of private keys.

(00:48:39):
So that's how these attacks, the biggest ones, happened: people's private keys got loose. More than 880 million was stolen just that way last year. According to TRM Labs, North Korean hackers were linked to 600 million of those total stolen assets. In other words, one third of all the cryptocurrency lost last year, the 1.8 billion, went into North Korea. So yeah, maybe those are some of the MIT grads that they've got over there working. Anyway, they're not slouches. Oh, and lest we believe that these things only happen to people with low security awareness, an unknown threat actor recently hijacked the Twitter account of Google's Mandiant division. Right? The like high-end cybersecurity gurus. That doesn't bode well. No, it doesn't. Not the best on your resume. No. The account takeover was used to promote a, guess what? Cryptocurrency scam. The attack was just one of a number of similar incidents that hit many high profile Twitter gold badge accounts.

(00:50:01):
I don't know if you saw the, I saw this morning the SEC, as in United States Securities and Exchange Commission, was hacked on Twitter to put up an announcement that they have just approved Bitcoin ETF spot purchases, which they were quick to point out they hadn't, and that was a hack. Nice. At this point, I don't know if I want to blame the account holders. I don't know if I blame Mandiant. Who knows what the Twitter security status is these days? Good point. Good point. It could easily be someone inside, be Elon. Saw a blurb. Who knows? Well, I saw a little blurb that I did. It just passed by on my phone saying that Elon had used illegal drugs and that executives at Tesla and SpaceX were concerned. I brought this, I brought up this was a big, hey, this was a big story in the Wall Street Journal on Sunday.

(00:50:58):
For some reason I brought this up on TWiT on Sunday, and the panel said, everybody knows that, we've done that for years. Oh my God, he's using illegal drugs. And I would just note that there wouldn't be executives at Tesla or SpaceX, neither would exist, were it not for Elon, and who knows, maybe as a result from secret, those illegal drugs secret. Maybe that's his secret. Yeah, that's right. Okay, so just how seriously, and legally seriously, do we take the term war when it's used in the phrase cyber war? Remember back nearly seven years ago, and Leo, you're going to get a kick out of this because you said "what" at the time, in 2017, the monster American pharmaceutical company Merck suffered a serious ransomware cyber breach by the NotPetya group. What stunned us at the time, and as I said I remember you like "what," was Merck, who was carrying significant cyber attack insurance, was claiming that the attack, which they said affected 40,000 of their PCs, would cost them 1.4 billion with a B dollars to clean up.

(00:52:31):
And I still say what? And it's like, listen, when you're kidding. Oh wow. So naturally their cyber insurance carriers, of which there were three, were none too pleased by the prospect of having to fork over 1.4 billion to, what, finance Merck's physical replacement of their entire PC inventory. I mean, it's not as if the machines melted. So I would love to see the justification for this. Anyway, we covered this of course at the time, and recall that the three Merck insurers who are on the hook for this were attempting to get out of their policy obligations by claiming that an exemption applied in the case of "hostile/war-like action." That's literally in quotes; that's what it says. It's a commonly present policy exclusion. So the question that has ever since then been working its way through our US legal system was whether or not a cyber attack could and should be considered to fall under this standard "hostile/war-like action" policy exclusion.

(00:54:04):
And of course, this would be precedent setting since devastating cyber attacks are no longer theoretical, and insurance to make enterprises whole in the wake of one has become crucial and ever more costly, both in premium and in reimbursement. Yeah, I think that clause, by the way, is pretty common. Acts of God and acts of war are often exempt because, exactly, you can't expect to insure against that. So the question is, is this an act of war? So until last week, when New Jersey's state Supreme Court was set to hear oral arguments from both sides, a lower New Jersey appeals court had ruled that Merck was entitled to half of what they were seeking under their policy coverage. In other words, $700 million. The insurers still wanted to pay less and Merck wanted more, but just hours before oral arguments were set to begin, the parties announced that they'd reached a settlement.

(00:55:11):
Though the terms of that settlement have not yet been disclosed, given that Merck is a publicly traded company owned by its stockholders, I would imagine that the terms of the settlement will eventually become known. Interestingly, in amicus briefs filed before the scrapped oral argument, national associations for big business, manufacturers and corporate insurance litigators et al. urged the court to uphold the ruling that cybercrime did not fall under an insurer's "hostile/war-like action" policy exclusion and plant a national flag, as they put it, on this issue to benefit insured businesses. But the decision, it turns out, was not cut and dried. Dueling briefs from international law scholars debated whether foreign-linked hacking against corporations is war-like action. The takeaway for insurers should probably be that they're going to need to stand behind their cyber attack policies, and those paying for coverage by those policies should probably demand some explicit clarification from any policy that contains such potential wiggle room language. Because we haven't seen the last of cyber attacks, and unfortunately, we didn't really get the hard precedent set that many people were hoping, one way or the other, that this case would create. So last minute settlement, and it's like, okay, fine. Move along.

(00:57:01):
Last Tuesday, LastPass posted a blog titled "LastPass is making account updates. Here's why." So I'm just going to share the opening paragraph because we're all well able to read between the lines, but LastPass said, "You may have noticed that lately we've been asking our customers to make some changes to their LastPass accounts. These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication, among other changes. All of these changes are intended to make our customers more secure, and we want to share additional context about the evolving cyber threat environment that's driving these requests so customers can better understand why these changes are important. To do this, we'll address some of these recent changes and explain what threats are driving them and how these updates are designed to help," and it goes on.

(00:58:08):
My only complaint, of course, is that it's closing the barn doors after the horses have all run off. This would've been very nice to see several years ago, and history would've been written differently had that been the case. This effort is clearly an attempt to respond to the theft of the master data vault and to mitigate future disasters. Requiring everyone to re-enroll their multi-factor authentication basically means get a new private key at each end so that if that has also somehow been compromised, nobody. Okay, I was wondering about this. So the theory being that the secret, which is key to a time-based one-time password, has also been leaked. Right? Okay. Or could be. So they're just saying, let's start over. New secret. Yeah. No reason not to. It's sort of the equivalent of people saying, oh, change your password just because we think it's time.

(00:59:13):
I was like, oh, okay. Yeah. I've always felt like, well, wait a minute, if my password's good, why am I changing it? But different ways, as we know, that advice has been reversed now. Yes. It's no longer thought. They took that back. Yeah. Yes. But it isn't a bad idea to occasionally redo your two factors, it sounds like. I would agree. I mean, if there had been some leakage, that secret is kept in the clear generally. Well, that secret is at their end and in your authenticator, so you don't want, if there's been a breach, I mean, this sort of says that maybe they also lost their two-factor authentication data and not just their user vault. It's hard not to read between the lines and say, what, you had another problem here, or this was a little more extensive than you said it was, maybe.

(01:00:11):
Wow. Yeah. Now, as for this new 12-character minimum password complexity requirement, that only makes sense, and I want to talk about that a little bit. What should really be happening at this point across the internet, and I mean everywhere, is that users should begin to be forced to increase the security of their logons. It should not just be happening at scattered sites in the wake of devastating attacks. Any service that supports logons where a breach could have devastating consequences for its users should start doing the same. Users really want to reuse their, and I have that in air quotes, "personal password" everywhere, monkey1234. That's still today, 2024. That's the typical behavior. Obviously not among this podcast's listeners, but pretty much everywhere. Never underestimate the strength of inertia. Users do not want to change, and they will not change unless and until they are forced to.

(01:01:37):
We now have the technology to enforce password complexity rules on the user in their browser, thanks to client side JavaScripting. Users hate password requirements. Why? Because those requirements prevent them from using their favorite universal pet password everywhere, and those requirements mean that they may need to deal with unique passwords per site, at least to some degree. The question is whether the internet should continue to let them. If the internet continues to allow this past behavior, it will never change. We all know that. Why would it change? Users will need to be forced, but every site is understandably terrified of doing that because they don't want to alienate their users. The rational solution is for sites not to pretend that their users have security that does not exist. If a site is not going to enforce a sufficiently high level of password complexity, then it should not assume that its users have any actual logon protection, and it should act accordingly.

(01:03:04):
Or perhaps the client side JavaScript, which can see the user's plain text password for itself before it is locally hashed and then sent to the server, should examine the password's complexity and send along a complexity ranking of the hashed password's strength. Then a site that does offer some sensitive services could explain to its logged on user that the password they're using is fine for logging on, but for their protection, a better password will be required before they're allowed to do anything sensitive that they would not want hackers to be able to do in their name. So I suppose I'm saying that the industry has clearly been dragging its heels because it has not been forced to change, and this has allowed users to, in turn, drag their heels and continue with habits that no longer serve their best interests. Web portal designers would be well served to keep this in mind.

(01:04:24):
So good thing that LastPass said, okay, we're going to make some changes, but gee, had they been keeping up with current practice and recommendations, that would've been happening all along. And talk about a base of users who would understand. I mean, it's one thing to ask logons at granny's cookie site to do complex passwords, but LastPass, obviously people would be willing to do that. But also talking about inertia, I mean, who's still using LastPass except somebody who's said, I'm not going to change. I'm still, I'm not going to change. True. I mean, I would think many people would've done what you and I did and switched, but yep. Remember the podcast title was "Leaving LastPass." Leaving LastPass. Yeah. I mean, I guess the theory is, well, now LastPass will be more secure than anyone because they got bit, and so they're going to do everything they can not to get bit twice, I guess, except that we know that they thought they were secure. Right. That's always the conundrum. They thought they had this covered and whoops. Whoops. Yeah. So just a little quickie as the beginning of 2024, because this just fascinates me. Windows 10 is holding on to two thirds of the desktop while Windows 11 has been gradually creeping upward from about 16% to now 26% of desktops across 2023. People generally like what they have, and again, inertia.

(01:06:16):
We should really rename the podcast. It's the Inertia Show. Yeah. I love what you and Jeff do, This Week in General. That's a great title, and I think This Week in Inertia would be, I'm not changing it. I'm happy. Just pry it out of my, this is from the guy who's been on Windows 7 since before the Stone Age, but okay, sitting in front of it right now, my friend. Okay, Steve, I noticed Windows 7 is holding strong, by the way, has not gone down. I think that's the yellow line on that chart, right? Yeah. Yep. Yeah, that's me. I'm there. In fact, there's a little uptick there. No, I didn't install another one. No, there's Steve. I'll bet Steve installed another one. I'm Windows 10 in the evening. I'm Windows 7 during the day because it works great. Oh, it's like a mullet.

(01:07:06):
Windows 7 in front, Windows 10 in back. Is that dear than a Mulligan? No, mul. That's a haircut. Okay. The following bit of Google tracking news made a lot of headlines recently, so I thought I would just mention it too. Remember back in 2020 when Google was found to be tracking users in incognito mode, and this resulted in a ridiculously large class action lawsuit. And just for the record, everybody, I know you already know it, but Leo and I are not generally fans of ridiculously large class action lawsuits because it's just attorney-enriching. So the news is that the lawyers on each side of this dispute have reached an agreement, as happens more often than not on the eve of such cases moving forward to trial. When you're big, you tend to be a target of attack, since the presumption, at least among scummy attorneys, is that it's worth some money from the big guy just to make the nuisance lawsuit go away, because they're going to spend more money defending this nonsense than they are just saying, fine, here, buzz off.

(01:08:23):
At the same time, unfortunately, being big also increases the tendency of companies to throw their weight around, bully others, and imagine that they can get away with whatever behavior they want. Thursday before last, US District Judge Yvonne Gonzalez Rogers put the trial that had been scheduled for this case on hold in California after attorneys said they'd reached a preliminary settlement. Judge Rogers had previously rejected Google's bid to simply have the case dismissed, saying she could not agree that users consented to allowing Google to collect information on their browsing activity when in incognito mode. The class action, which was filed in 2020 by the law firm Boies Schiller Flexner, and that's Boies as in David Boies. Oh yeah. Don't mess with David. Don't mess with David. Claimed that Google had tracked users' activity even when they set the Google Chrome browser in incognito mode. It said this had turned Google into an unaccountable trove of information on the users' preferences and potentially embarrassing things.

(01:09:48):
It added that Google could not continue to engage in the covert and unauthorized data collection from virtually every American with a computer or phone. And oh, I forgot to mention the class action lawsuit, 5 billion with a B dollars. That's actually low for class action. More than the cryptocurrency, all the cryptocurrency lost in the last two years combined. I'm sorry, you were saying it's more, what? I think it's actually low for a class action lawsuit, but maybe I'm against Google. Yeah, Apple just decided to settle its half-billion-dollar lawsuit. People are getting $92 each, but you had, so I guess half a billion compared to 5 billion. Wow. Yeah, yeah, yeah. 10 times. Anyway, so I think my take on this is that it's a case of the fine print coming back to bite you. Google claims that the users of their incognito mode were duly informed and knew that tracking was still occurring, even though the post incognito mode residues from their browsing, such as history and cookies, were not retained.

(01:11:06):
Apparently some of their users disagreed and felt betrayed. So anyway, just another lawsuit settled. The industry moves on. Maybe this creates some pressure on Google to change this aspect of their behavior. I don't imagine most people spend much time in incognito mode. They only jump in to do something that they don't want to. Well, it's really hide from your spouse mode, and that's what people probably, Google tried to explain to people, but they didn't do a very good job of it. So as I said, this was a rather thin news week. I think we made the best of it. Talked about a lot of interesting stuff. I think I may be on to an interesting independent analysis of the privacy protections created by Google's Topics API and other components of Chrome's Privacy Sandbox. If it pans out, I'll have that for next week. Let's take our final break and then we're going to do some Closing the Loop feedback from our terrific listeners, which also brings up some great points, and I have an interesting piece of research results to share with our listeners to close today.

(01:12:18):
Well, I have an interesting sponsor to share with our listeners today. If you are ready to move to a better password manager, can I talk to you about Bitwarden? We use Bitwarden. We love Bitwarden. It's open source, and frankly, in this day and age, with attacks happening with greater frequency, with all sorts of smart malware, AI generated malware and everything, and meanwhile, you're just blindly entering stuff into online platforms like an AI, even balancing the potential of AI and the need for heightened security is a daunting challenge. Fortunately, there are simple ways to secure your private information online in the age of AI. First step in mitigating and protecting your privacy and your security: using a good password manager. There is none better than Bitwarden. Open source, free forever for unlimited passwords on all the devices you use: iOS, Android, Mac, Windows, Linux.

(01:13:23):
You can even use a YubiKey in the free forever personal edition. And because it's open source, they assure me, they say we're never taking features away. That's the idea, right? But Bitwarden's also great for your business. We're moving over to Bitwarden Enterprise. There's a Bitwarden Teams plan. In fact, you can get started with the free trial of Teams or Enterprise right now, or as I said, get started for free across all devices as an individual user, free forever. bitwarden.com/twit. So if you have family and friends, I know you use a password manager, but if you have family and friends who say, well, I don't want to pay for a password manager or whatever, you got to overcome the inertia. Tell 'em, hey, free forever. You can use passkeys; their passkey support's great. Now, because I have Bitwarden on every platform I use, whenever I'm offered a passkey, I accept, and it doesn't store it on my hardware, it stores it in Bitwarden, which is fantastic.

(01:14:16):
I even save my notes in there. Cross-platform, secure at work, at home, on the go. There's only one Bitwarden. bitwarden.com/twit. Please use that URL so they know you saw it here. Get yourself a copy, get your friends to get a copy. There's no reason not to have a password manager, and this one's the best, Bitwarden. Okay, Steve, you're up. As I mentioned at the top, we had a listener, Carl Smith, who sent a tweet. He said, "@SGgrc, how has Operation Triangulation not received more press coverage?" He says, "This is huge," and then four exclamation points. And of course, as I mentioned, I agree with Carl. I suspect that Apple is benefiting hugely from the fact that while what's really going on here, which obviously everyone who listens to this podcast understands, is truly monumental, it was also patched with yet another iOS update, and the public at large has no way of discerning that this one is any different from any of the others that preceded it through the years.

(01:15:28):
And really, some Russian security analysts found something they presented during the Chaos Communication Congress in Hamburg. What's that? That's not going to make the nightly news. The popular news media cannot begin to explain this to the average consumer. So I bet the news producer just says, talk about the weather. While Apple breathes a huge sigh of relief in the knowledge that they didn't take any PR hit from what might've been a disaster for them. And let me put a plug in for you, Steve. That's why people listen to this show. That's why they listen to TWiT, because we can cover technical stuff in a way that's intelligent and so that you get that information. If you're not a member of Club TWiT, support what Steve's doing, twit.tv/clubtwit. That's all I'm going to say. But this is why you need us and we need Steve.

(01:16:29):
Sorry, I didn't mean to throw you off there. I couldn't resist. It's like this is why we do what we do, because the mainstream media is not going to cover this stuff. No, never. And even the tech press, it waters it down. I mean, they're in a hurry. They've got lots of other stuff to do. This is just one of a gazillion stories that they're trying to cover for us. It's like, whoa, hold on, stop the presses. This is a podcast today, but Yuri Jisec said, "Hi, Steve. Great work on SN 955." That was last week. He says, "I'm wondering why Apple has not implemented ROP attack prevention similar to what Intel has done. Would this break the chain of this sophisticated attack? Also concerning to see that Apple has left the back door in the SoC to get in. Thank you for your hard work."

(01:17:22):
So he's referring to the use of ROP, return-oriented programming, which we mentioned and talked about a bit last week. It's a living off the land practice of using bits of code that's already present in the target device to obtain the effects that are needed for the attack. I'm certain Apple has return-oriented programming attack prevention in place, as must any highly secure, attack prone operating environment these days. But while ROP prevention makes attacks far more difficult by scrambling and randomizing the memory locations occupied by code, that code is still present in memory. It's just been moved at load time into initially unknown locations. One of the things the Kaspersky guys noted was that a huge amount of the malware bulk was spent examining the system's memory. Now we know why. So that would likely have been code designed to locate the bits of executable code that they needed in order to execute their exploit. So while ROP prevention can make attacks much more difficult, it's also not a perfect solution. We still don't have one, except let's not have any bugs, and we certainly haven't gotten there yet.

(01:18:52):
Two notes. Robin Kers. He said, "On SN 955 you had Ethan Stone giving you a quick note that he had problems closing the Edge browser. While it is true that when you close the window, the Edge processes keep running, there's an easy way to close the browser. If you click the ellipsis in the upper right, you find the option. It's actually way down at the bottom, at the very bottom, to close Microsoft Edge all the way down. This is in contrast to clicking the X close box at the upper right, which may only close the user interface." And someone calling himself War Wagon, who posts often, he's a well-known contributor to GRC's newsgroups, he wrote, "Here's a fix for Edge running in the background. Open Edge, click the three dots in the top right and click Settings in the dropdown menu. In the top left, do a search for startup, S-T-A-R-T-U-P, one word."

(01:20:04):
And for me, I had to wait a while, but it takes Edge a surprisingly long time to produce any results, but it does. He says, "On the right you'll see two options, Startup Boost and Continue running background extensions and apps when Microsoft Edge is closed." He said, "Turn both of those off. That should remove Edge from the Task Manager when it's closed unless you also have some website notifications enabled." Okay, so those are some great suggestions. Here's what I found when I closed my instance of Edge just using the standard X close box in the upper right: it did not continue, my Edge did not continue running anything in the background. Following War Wagon's advice, I found that I had the Startup Boost option turned off already, and that's what made the difference. With Startup Boost turned on, Edge does not close unless you open the ellipsis menu and choose Close down at the bottom.

(01:21:17):
So that's what Startup Boost means. Just stay, just don't go away, never stop. Yes, yes. Just clicking the UI X box only closes the UI, and it definitely leaves a bunch of processes. I initially had 16 Edge processes running. It whittled itself down to 10 eventually, but still, it's crazy. It's just sitting there squatting on RAM and obviously taking up some time from your machine. So anyone who wants to truly close Edge will need to either turn off Startup Boost or use the ellipsis menu and select Close down at the bottom of that menu if you've got Startup Boost turned on. If you have ample memory and would rather have Edge pop onto the screen instantly, because basically it's always running, then you can turn on Startup Boost and that's what you'll get. So thank you guys for the feedback. I'm glad that we got some closure there.

(01:22:26):
Tom Check, he tweeted, he said, "I'm guessing this is out of scope for how SpinRite should be used, but I tried to boot my Windows VM into SpinRite because I wanted to run it on the internal drive of the VM. I first tried this with 6.0 and it booted up. So I then downloaded the pre-release Windows EXE and created a new ISO. I uploaded that to the vSphere host, attached it as a CD and told the VM to boot using the BIOS. This time it went right into the attached." And I have to tell you, when this thing came up in Twitter, what is it? My heart went into my throat or something, or my hope sank. Anyway, I thought, oh no. Anyway, he said, "I'm sending it in case it's of any help to you, but understand I'm using the software in a way it wasn't intended to be used."

(01:23:29):
"Hopefully it helps in some way." So anyway, yes, as I said, when I saw Thomas's screen capture showing that SpinRite had intercepted the processor's attempt to execute an illegal instruction, and I saw, because at the very top of the screen, he was running the latest release, 5.06, which is believed to have no such remaining loose ends, my first thought was, oh no, now what? But then I was greatly relieved to read that this was the result of him attempting to run SpinRite 6.1 within a virtual machine. I decided to share this question because there has been a great deal of interest in running SpinRite in virtual machines for various reasons. So I need to discourage and disabuse everyone of that idea. SpinRite 6.0 was and is a very tame and well-behaved generic DOS application. By comparison, SpinRite 6.1 really is not. SpinRite now assumes that it has access to true physical hardware, and it does things like briefly switch the processor from real mode into protected mode in DOS. In DOS it then directly alters the processor's memory management segmentation registers to remove real mode's traditional 64K byte segment limitations. So what you're saying is don't run this through VirusTotal.

(01:25:22):
Well, it's surprising this version is tripping zero. That's interesting, on VirusTotal. But what I will say is don't try to run this on other than real, yes, on other than real hardware. After it tweaks the hardware segmentation registers, it switches back into real mode using an oversight on Intel's part. They had an original bug in the 286, and because of that, bless their heart, they never changed that behavior, which allows hackers like me, and this was also the way very large games like Doom were able to run under DOS, this allows you basically a flat 32-bit four gigabyte address space even though you're in real mode. So it creates a hacked but quite reliable pseudo mode known as flat real mode. And that allows SpinRite 6.1 to talk to the AHCI driver memory-mapped I/O up at the high end of the 32-bit address space, which you would otherwise have no access to, and to be able to use 16 megabyte or even larger buffers. So it's very safe to say that SpinRite 6.1 and any kind of emulated virtual environment are going to not be seeing eye to eye.

(01:27:05):
Guillermo Garcia, he said, hi Steve, just listened to SN 955 and your description of the certificate discovery tool. As I consider using it, I'm wondering how to reinstall a certificate that I might erase or delete and later realize that I need. Okay, so there's actually a very cool solution to this. The Windows certificates snap-in that you, Leo, demonstrated last week has a large number of preexisting folders, and it's possible to simply drag and drop certificates between the folders. There already is an Untrusted Certificates folder, which on my Win 10 machine contains a Certificate Trust List folder, and I think it had one thing in it. But if you drag a certificate from the Trusted Root Certificate Authorities folder onto the Untrusted Certificates folder, the system will spontaneously create a nice new Certificates folder underneath the Untrusted Certificates folder, which can contain and document any certificates that you've chosen not to trust. In fact, you can experiment with using this on any of the expired CA certificates that are currently in the Trusted Root Certificate Authorities folder. It turns out there's a bunch of 'em, and they would not be trusted anyway because they're expired.

(01:28:56):
If you sort by expiration date, you'll see that brings all the unexpired ones to the top. You'll find that there are a bunch in there that would never be valid anyway. So you could just, if you want, drag 'em over into the Untrusted Certificates folder, which makes them untrusted and takes them out of circulation. So anyway, dragging these certificates back and forth is simple, and I would expect that to be error free. And should you ever discover that you needed one that you had dragged into the Untrusted Certificates folder, you still have it. It's still there. That's awesome. Just drag it back. Wow. Yep. Very simple answer. So Guillermo, thank you for asking the question. AJ Drea, he said, Steve, do you list on grc.com how to lock credit at the credit bureaus? All I keep finding are paid sites that will do it for me.

(01:29:54):
Okay, don't pay anyone to... oh boy. Crazy. No, believe it or not, this is also messed up in that the terms lock and freeze have important and different meanings. This listener used the term lock, how to lock the credit, but a freeze is what everyone wants, and be careful not to go for a lock since some of the services actually charge a fee. They're allowed to for locking, but they no longer... they used to, they used to charge for freezing. Yeah, the Feds, right? They're no longer allowed to charge for freezing. They used to make freeze free, but then it was like $35 to unfreeze. In some states it was crazy. So there's a federal law that requires them to freeze and unfreeze unlimitedly for free. So I don't have a page at GRC, but Investopedia has a terrifically clear page which explains all the details and provides very good links to each of the credit reporting bureaus.

(01:30:58):
I have the full long How to Freeze and Unfreeze Your Credit Investopedia link in the show notes, but it's also this week's GRC shortcut of the week. So anybody can easily find it. Just go to grc.sc/956 and that'll bounce you to the Investopedia page where you'll find links to take them all directly into the freeze and unfreeze pages of each of the credit bureaus. Yeah, and so does the Federal Trade Commission. They have a very nice page if you don't trust Investopedia, which you should, but there's a government page also that describes all of this, and I use this all the time because once you freeze it, you can't apply for credit. So you've got to unfreeze it. And when I just recently bought a new car, I unfroze it for three days. I said, which reporting service do you use? They said, TransUnion. They make it fairly easy.

(01:31:59):
They don't want you to unfreeze or freeze because it costs you money. And did you see an automatic expiration? An automatic, yes. That is cool. I think that's the cool thing. As I mentioned a couple of weeks ago, I applied for an Amazon credit card since I purchase so much through Amazon, it just made sense, but that's the first time I already had all of my bureaus frozen. So when I went to do it, they automatically have an automatic refreeze after an expiration time that you're able to set. So I think that's very cool. Remember, these credit reporting agencies make their money by selling your information to credit cards and others so they can make you offers. So they don't want you to do this, but the Fed said, no, no, you have to allow this. And so they do, somewhat grudgingly in some cases. The only one that didn't have an automatic unfreeze was Experian, for some reason. They said, well, if you turn it off, it's going to be off, man. So I have to now go back to Experian and turn it back on. But everybody else had an automatic unfreeze. Of course they want that, right? They don't want you to have it frozen. Oh no, but that's right. They don't want you to unfreeze. They want you to forget and leave it unfrozen. That's right. Yeah.

(01:33:18):
Andre Couture said, hi Steve, regarding the picture of the week for episode 955. Remember, that was the EU to US power converter that was made out of paperclips and baling wire and grandma's stockings. Anyway, he said, well, I remember having to do something very similar many years ago while traveling to Europe for a presentation I had to give. I had forgotten the European power adapter, so I used what I had on hand and in my luggage to establish a connection. You do what you have to do, right? LOL. And I... Well, I suppose that there is no other choice then. Yeah, one does what one must. I can imagine that would be something well remembered. And Peter G. Chase tweeted, re: ad hoc adapter. He said, I can't possibly be the first one to point out that while different countries may vary, the EU voltage is usually 240.

(01:34:26):
While of course the US and Canada are both 120. So whatever appliance was on the other end of that cord very likely got fried almost immediately. Actually, not so, not so, because, and the reason I know this is your laptop, many appliances now in the US are rated for 110 to 240, are able to handle... they can handle either voltage, right? So that's why in many cases you could just use an adapter. I would still not recommend that method, but you can use an adapter without a transformer. You don't need to go through that. Again, I would say everyone, don't try this at home. No. Or in this case, don't fry this at home, please. I beg of you.

(01:35:09):
Okay, so finally, the Inside Tracks. I am feeling very good about where SpinRite is today. No new significant problems have arisen for several weeks despite significant and continual testing. And those people whose drives SpinRite was previously having trouble with have all reported back in that SpinRite's latest pre-release managed to plow through those drives' known sticky spots while effectively recovering and repairing everything that it encountered. Several have publicly stated that they've been amazed and impressed. So it very much feels as though SpinRite is back and that I will be letting it go shortly. To share some sense for where my recent focus has been: I spent the past few days exploring whether I could improve SpinRite's remaining time to work prediction. Back when SpinRite was born in the late eighties, drives were sectored like pie slices, with radials stretching out from the center which described the region of each sector around the circumference.

(01:36:27):
In fact, we've grown so used to using the term sector that it has completely lost its original meaning. The term was born when these were literally angular sectors of a disc. The problem with this simple sectoring was that the tracks at the outside of the disc were physically longer than the tracks nearer to the center. Yet back then, all tracks contained the same amount of data. If all tracks contain the same amount of data, and the outer tracks have a longer circumference and the inner tracks have a shorter circumference, that meant that the individual bits were being written with reduced density around the outer tracks and increased density around the inner tracks. Disc drive read and write electronics were originally separated from the drive in an outboard controller, and drives had no intelligence at all. They were basically just some read-write electronics and a stepping motor.

(01:37:36):
But IDE drives, where IDE stands for Integrated Drive Electronics, changed that by placing a drive's read and write electronics onto each drive. Once that was done, the drive was able to become something of a black box. It could simply declare how many sectors' worth of storage it contained, and everything about how it worked in detail could be kept internal. Drive designers very quickly saw that this meant they could dispense with the whole original notion of sectoring as it once was done. If the outer tracks had a larger circumference, they could take advantage of that to store more data around those longer tracks. And this also allowed them to push tracks further inward toward the center of the drive by reducing the storage bit rate so as not to be cramming too many bits into too small a circumference. This in turn allowed them to squeeze every last bit of storage into each drive and to make more complete use out of each physical disc's surface.

(01:38:57):
There is, however, one cost to that which is often overlooked, which is that the data transfer rate drops as we move inward toward the inner tracks. If we think of the beginning of the disc storage as the outer tracks, then the end of the drive is the inner tracks, where things are slower. The reason this matters to us today, or especially to me, but also to SpinRite's users, is that SpinRite's original remaining time estimation system assumed a uniform data rate across the entire drive. In other words, it performs a linear estimation. It continually monitors the total elapsed time required to get however far along it has and projects its completion time, assuming that the rest of the drive will be the same as the average of everything it has seen so far. Now, that was accurate and it worked well for SpinRite versions one and two and three.

(01:40:11):
But it has become less and less true as the ends of drives have become slower and slower, as advancing technology has allowed them to push more data closer in to the disc center where tracks are the shortest. The result is that for today's spinning drives, SpinRite's estimation will always underestimate the total time it will require. So as I said, I spent the last few days looking closely into this to see what I might be able to improve. I've learned some interesting things that I thought I'd share while they're still fresh in my mind. What I found after examining a handful of different multi-terabyte spinning drives is that the ends of those drives have half the performance of their beginning tracks. Wow. That is a big drop off. Half, right? I mean, this goes back to the old days when I'd always put my swap drive at the beginning of the hard drive, right?

(01:41:22):
Because it was faster than the internal drive. Exactly. We didn't know that that was the case. Now, at first blush, that sounds awful, right? But the decrease in performance is not linear. What we're really looking at is area rather than circumference. And as we know, area changes with the square of a circle's radius. What this means is that while a drive's data transfer performance does steadily decrease as we move inward toward the drive's end, the decrease is very gradual until we get much closer to the end of the drive, where it finally begins to drop significantly. Okay, so let's put some numbers to this. In general, SpinRite's current linear estimator takes about a minute to stabilize, which is to say it needs 60 seconds of operation to have established a sufficient baseline of work in time and distance to settle into a prediction that no longer varies.

(01:42:38):
And what I found through lots of experimentation on many different contemporary spinning drives is that it's necessary to add an additional 30% to SpinRite's initial front-of-drive-only linear estimation. So for example, to make the math easy, say that SpinRite predicts a 10 hour run for a drive. The actual running time, due to the very end of the drive being much slower, will be 13 hours. So 10 plus 30% of 10, did I say 30? 13, 13 hours. So you're adding three hours to SpinRite's initial prediction of 10. Now here's another interesting factoid that falls out from the math and which I verified multiple times experimentally: the first 60% of the drive requires exactly half of the total running time. So the last 40% of the drive requires the second half of the total running time, or, expressed another way, whatever length of time is required for SpinRite to get 60% of the way through the entire drive is the amount of time that will be required for it to finish.

(01:44:08):
Now, I'm not certain yet exactly what I'm going to do with this information, but I needed to gather it to know what I was dealing with. This obviously does not apply to solid state storage since it's not spinning, or even to shingled magnetic storage, SMR format drives, since both of those technologies track when memory has been written to, I should say, when and if memory has been written to them. And so they don't read anything from their media when SpinRite checks to see what's there if nothing has ever been written, as is often the case at the end of those drives. And we've seen this. We've seen that later portions of those drives, both SSDs and SMR spinners, appear to be performing much faster, much faster at the ends than at the front where they have stored data. They don't slow down as we go along; they speed up.

(01:45:22):
And since drives are supposed to be black boxes which we just trust with our data, now there's no requirement for any drive to declare what technology it's using. And many, if not most, do not give SpinRite any indication of what lies beneath their interface. The 30% rule could just be a common rule of thumb for SpinRite's users, at least initially. They know better than SpinRite knows whether they're testing a spinner or a solid state drive. So the rule of thumb for spinning media would be to start SpinRite, give its predictor a minute to settle down, see how long it expects to be running, then add 30% to that, and that's a pretty good indication of where you will be with a spinning drive. The other thing I'm considering, and I think I'm probably going to do it, is changing SpinRite's label on the screen.

(01:46:24):
It's currently right justified and it's got a bunch of spaces in front of the word TIME. I'm thinking I'm going to change it to EST space TIME, as in estimated time. Then as soon as SpinRite gets to the 60% point, it will have acquired sufficient awareness of the drive, maybe having seen a gradual decrease in performance over that span of time to get to 60%, to be able to reliably determine that the drive is spinning and that as much time remains as has been spent so far. So at that point, it would adjust its timer and change the EST to, I don't know, real time or true time or good time. Or good time's good. So that at that, yeah. Then at that point, as soon as SpinRite said true time, then you would know that it was at the halfway point, and SpinRite would be able to project what its probable completion time would be much more accurately. Yeah. Makes sense. So in any event, after I'm finished with this podcast here today, which I will be in about one sentence, I plan to make those final changes, after which I believe I'll finally be content to declare SpinRite 6.1 finished and ready for the world. Now, will you wait for another episode of Security Now to announce that, or will you just do it?

(01:48:04):
The nature of this is sort of a soft event. For example, I'll take... right now there's all this pre-release jargon all over the UI, so I'll take that out so it no longer says pre-release. I'll declare an actual release candidate. I need to just let a day or two go by, or five, to see if anything happens. No showstoppers. Maybe SpinRite works better if the word pre is in front of release. You never know. That'd be a weird regression, but you never know, it's computers. I know. Yeah. Turns out that was an important part of the lookup table. Oh no. Well, we'd actually have an example from our own experience. Nobody knows to this day, I don't know why SpinRite 5 is better at recovering data from diskettes than SpinRite 6. It is like spooky. I've stared at the 6.0 code.

(01:49:06):
I didn't change anything. Actually, I kind of remember that I did, but I don't remember what it was. But then I've gone back and looked, and I've got the 5.0 source and I've got the 6.0 source. They look the same, but spooky, something happens. There's, like, for some reason... Now the good news is floppies are gone, but we actually do routinely recommend to 6.0 users who are having problems, like really need to recover data from a diskette, use 5.0. And all 6 and 6.1 owners have access to 5 if they really do need to recover something from a diskette. Isn't that funny? Five is better and no one knows why. Computers, I tell you, there's a little spookiness going on. It's a great mystery. Steve Gibson, all the spookiness happens at grc.com. While you're there, pick up your copy of SpinRite 6.

(01:49:58):
You'll get 6.1 pretty soon, I would guess. Free upgrade for all 6.0 buyers today at grc.com. World's best hard drive maintenance and recovery utility, floppy discs and SSDs, so the works. You also should go there to get... there are a couple of unique copies of the show that only Steve has. Show notes are there. Of course, we have 'em on our site linked to his, but he has a 16 kilobit audio version for people with really limited bandwidth or expensive bandwidth. He also has, of course, the normal 64 kilobit audio and transcripts, really good transcripts written by Elaine Farris. She does a great job. So that is all at grc.com. At our site, we have the 64 kilobit audio, but also we have video, twit.tv/sn. You'll also find Security Now on YouTube, which is great. If you say, oh, I want to send my boss this little snippet or whatever.

(01:50:58):
Please do. I can't remember the exact addresses, youtube.com/securitynow or Security Now show. But you know what, if you go to youtube.com/twit, there'll be a link there. That's where you should go. If you want to watch the show live, we do it live every Tuesday right after MacBreak Weekly, which usually is sometime between 1:30 and 2:00 PM Pacific, 5:00 PM Eastern, 2200 UTC. We stream it on YouTube for people who want to watch the show as we do it. Of course, our Club TWiT members get access to it through our Club TWiT Discord video feed. There's a stage there as well. What else can I tell you? Subscribe to Club TWiT. It really helps us out if you can. We really appreciate it. A lot of people just buy the Security Now show. That's $2.99, but for a few bucks more, you can get all the shows plus access to the Discord and the other stuff.

(01:51:50):
Oh, I know what I wanted to mention. We're doing the survey. We do this every year. We know you, especially Security Now listeners, don't want us to spy on you, and good news, we can't because it's an RSS feed. But we do like to know more about you. It helps us with our programming. It also helps us with our advertising. So every year, round about this time, we do a survey. It's at twit.tv/survey24. That's the new one for 2024, twit.tv/survey24. We've shortened it considerably, so it shouldn't take you more than a few minutes, but please, if you can do that, it really helps us. We'll make sure listeners to every show respond so we get a good well-rounded idea of what you're interested in. twit.tv/survey24. Steve's on Twitter at @SGgrc. You can leave him DMs there, as DMs are open. That's where, it's a good place to send him pictures of the week or questions or comments. And yep, Steve, have a great week. We'll see you next time on Security Now, my friend. Till then,

(01:52:51):
Bye bye.

Rod Pyle (01:52:53):
Hey, I'm Rod Pyle, Editor in Chief of Ad Astra magazine, and each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators, and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV, and we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.

TWiT (01:53:26):
Security.

Ad (01:53:33):
So how do we get AI right?

(01:53:35):
Well, we need the right volume of data and massive compute power. But with HPE GreenLake, we get access to supercomputing. To power AI at the scale we need

(01:53:45):
Search HPE, GreenLake.
