Security Now 958 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here and man, do we have a jam-packed show. It's my favorite kind of show. Lots of listener questions and lots of Steve's answers. We'll also learn what farbling is and why, it turns out, too much farbling is a good... it's too much of a good thing, something, something like that. Why Mozilla is unhappy with the heavy-handed tactics of Big Tech, and I kind of don't blame them. And, of course, a picture of the week that makes absolutely no sense. It's just part of the fun every week right here. But Security Now next. Podcasts you love, from people you trust. This is TWiT.
This is Security Now with Steve Gibson, episode 958, recorded Tuesday, January 23rd 2024. A week of news and listener views. This episode of Security Now is brought to you by Palo Alto Networks. Palo Alto Networks offers ZT for OT without the trauma, you know. Keeping operational technology secure and running smoothly can be a tall order. It's enough to make even the coolest operations director wake up with night sweats. Well, now you can have peace of mind any time of the day or night with Zero Trust OT security. Zero Trust OT security from Palo Alto Networks delivers comprehensive visibility and security for all OT assets, networks and remote operations. The Palo Alto Networks solution provides exceptional OT protection with more than 1100 App-IDs for OT protocols, 500 plus profiles for critical OT assets and more than 650 OT-specific threat signatures supported. It provides best-in-class security while simplifying OT security management. It sees and protects everything in the network and it automates threat detection while implementing Zero Trust across all operations. Sleep better with the most comprehensive platform to detect, manage and secure OT assets. Learn how the Palo Alto Networks Zero Trust for OT solution can achieve 351% ROI over five years. To learn more, find the link in the show description or visit PaloAltoNetworks.com. That's PaloAltoNetworks.com. It's time for Security Now.
I know, I know you've been waiting all week and here it is, Tuesday, just never comes around fast enough. But Steve Gibson is here with another thrilling gripping. How many pages did you say? 19 pages, 19 pages.
02:40 - Steve Gibson (Host)
And Leo, this week, people on Apple platforms will be able to see the pictures all around you.
02:50 - Leo Laporte (Host)
You didn't buy Vision Pro huh.
02:53 - Steve Gibson (Host)
No, no. Me neither. I'm astonished by the technology and I don't think I know anybody, except through Twitter, who will have any.
03:06 - Leo Laporte (Host)
I'm coasting on those guys.
03:09 - Steve Gibson (Host)
Long term, I think VR can be astonishing, because our animal natures get hooked by what our senses perceive. I mean powerfully, and in fact I actually have some comments about that later in today's show. So I think VR can be very powerful. I just think, I remember when we tried to do the first generation of laptops and they had to have wheels, because you know, okay well, you can move it around, but you need to get Bruto to put it up on the desk for you. Finally, we got actual laptops, but it took a decade from when we first began trying. I think VR is like that. We're going to get there, and until we do, everyone's going to be like, ah, VR doesn't work, it's nonsense, blah, blah, blah. It's like no, it's just too soon. You know, our ambition is exceeding our technology at the moment.
04:12 - Leo Laporte (Host)
Yeah, you heard and agreed with, I think, Jason Snell's take.
Yes, I think it absolutely makes sense for Apple to be launching this now, to get a whole bunch of developers going. You know, they're going to learn so much, Apple is, from all the feedback and experiences, and this is also first-generation technology. You know, it's incredibly impressive. It's not clear at the moment how it can be, like, super reduced. But you know, there was a great movie, remember Brainstorm with Christopher Walken? Yeah, Christopher Walken, and the very first... it was a Michael Crichton book, wasn't it?
05:00 - Leo Laporte (Host)
I think it was yes.
05:02 - Steve Gibson (Host)
The very first cap had, it was like, you know, all this crap and a huge umbilical going down to a cart that they had to push around next to the guy, and through a succession of innovations they reduced it to just a small little clip that you stuck on your head that still had the same effect. And yeah, we're going to get there, we'll get there. Yet I look at the most modern, the underside of today's hard drives, and there's a 16 terabyte hard drive.
It's got a little itty bitty circuit board that runs along the connector. Yeah. And it's like, what we used to have was crazy compared to the degree of integration that we have today. Have a card in a slot to run a hard drive, you know, yeah, and sometimes a daughter board and lots of cables running around.
05:54 - Leo Laporte (Host)
and now they've got 30 terabyte hard drives, which we never thought would happen, and I certainly bought those.
06:00 - Steve Gibson (Host)
They actually exist, Leo, because no one's ever managed to actually fill one. So how would?
06:06 - Leo Laporte (Host)
we know you got to run your little program on it. That's right On 30 terabytes it might take a little while.
06:14 - Leo Laporte (Host)
We have... what's on the menu for today?
06:16 - Steve Gibson (Host)
We have an episode 958 for this, second to the last, that would make it the penultimate episode of January's Security Now. No single topic jumped out and grabbed me, so I titled this "A Week of News and Listener Views," but that is not to say there's not a lot going on. We're going to find out what mistake Microsoft made that allowed Russians to access their top executives' email.
What does the breach of the US Health and Human Services Department teach us? What does Firefox's complaint about Apple, Google and Microsoft mean? Why has the Brave browser just reduced the strength of its anti-fingerprinting measures? Last year, CISA started proactively scanning. How'd that go? What new feature of smartphones has become a competitive advantage, thankfully, and just how incognito is that mode? Then we'll wrap up the week by looking at some of the best feedback from our listeners, including: what's the future of fraudulent media creation? How should a high school listener of ours get started with computing? Why did a popular Android app suddenly become sketchy? Does Google's Privacy Sandbox allow websites to customize their presentations to their visitors? How might last week's LG smart washing machine have become infected? Does the Protected Audience API also protect its audience from malvertising? And why do big ISPs just pull the plug on DDoSes rather than attempt to protect them? Of course, we have a great picture of the week for our listeners to view and, I think, another great podcast this week.
08:13 - Leo Laporte (Host)
So somebody's saying that Brainstorm was not a Crichton book. It sounds like one, though. It seems like it would be. I'm going to have to watch that tonight. Maybe I'll watch it.
08:23 - Steve Gibson (Host)
It was great. Christopher Walken also.
08:28 - Leo Laporte (Host)
Natalie Wood, Cliff Robertson, Louise Fletcher what a cast.
08:34 - Steve Gibson (Host)
Yes, it's got a great cast, it is. It's also a very cautionary tale about VR. I mean, it is the early VR movie, the early VR sci-fi, and I'm tempted to say more, but I don't want to spoil that for any of our listeners, because he does something... well, there are two very controversial aspects of it. So, anyway, said enough. Great movie, definitely. I will watch it. It is a great, it is a good sci-fi movie. From 1983?
09:08 - Leo Laporte (Host)
Wow, and it was Natalie Wood's last movie. Oh, that's sad. I will watch it. I loved her. All right, let's take a little break, shall we? And then we will get into the show and the depth. As you read your list of topics for today, I realized your show really is more and more about everything going on in computing. I mean, it is as much a "here's what's happening in computing" show as TWiT is, frankly, since so much of it revolves around security these days. And privacy, and privacy in technology.
So I can't wait. I have some thoughts about some of these topics too. Cool. Let's talk about our sponsor for the first part of the show, of course, the great Bitwarden. You know, we are fans not just of password managers, but of the right password manager. You don't want to get the wrong password manager. Bitwarden is the right one. It is open source, it is cost effective and it can drastically increase your chances of staying safe online. Here is a nice new feature. This is one of the nice things about open source, is that there really is continual development on this project, which is great.
Account switching has now come to the Bitwarden browser extensions. You can log in to up to five separate accounts and switch seamlessly between them in the desktop and mobile apps and the browsers too. So, you know, the obvious use is to keep your personal and your work account separate, which is a great way to do it. But you might also have other users on your machine. They can have their own Bitwarden. You don't have to share your password manager.
For self-host organizations, Bitwarden has developed a Helm chart to enable deployments to Kubernetes clusters, so I should mention that when they talk about self-host organizations, you can host your Bitwarden vault yourself. You don't have to trust Bitwarden, even with your information. You can host it yourself. And now they've got Kubernetes clusters, so you can use Kubernetes to keep your software stack simplified and, you know, without adding a new service, you just put Bitwarden in your Kubernetes stack. And I have to say, for every individual user, the fact that Bitwarden is free for unlimited passwords on unlimited devices, even supports passkeys and YubiKeys, yes, they have now passwordless login with passkeys, all for free, forever. That's a pretty compelling story. Generating and managing complex passwords is easy and secure with a trusted credential management solution, and the only one we use is Bitwarden. Get started with Bitwarden's free trial of a Teams or Enterprise plan, or get started for free, as I mentioned, across all devices as an individual user, free forever. Bitwarden.com/twit. That's Bitwarden.com/twit. We love Bitwarden. That's all I need to say.
12:08 - Steve Gibson (Host)
Now I just got... I just got my renewal notice from them, since it was a year ago.
12:13 - Leo Laporte (Host)
What do you pay?
12:14 - Steve Gibson (Host)
10. 10 bucks a year. 10 bucks. I don't need to, but I wanted to, right. I'm going.
12:20 - Leo Laporte (Host)
Exactly, I pay the 10 bucks too for the premium account. I don't need to, but I want to. I support them. I just think they're the greatest, yeah.
12:27 - Steve Gibson (Host)
Okay, so I assume you've not yet seen the picture of the week?
12:30 - Leo Laporte (Host)
No, I always try to keep my eyes clean.
12:33 - Steve Gibson (Host)
That's good, and this will be one of those, because this one is... oh, all right, I'm scrolling up now.
12:40 - Leo Laporte (Host)
I'm looking at the show notes. You can do it with me, folks, let's scroll up. "You have to wonder," Steve writes, "how much use that peephole gets." Okay, Steve, you got me. That's hysterical. Do you want to explain? Okay.
13:02 - Steve Gibson (Host)
So we're all familiar with the little peepholes that people have on, like, the doors of their residences, where there's some lensing, so that, you know, before you open the door to admit someone, you're able to stick your eye up to it and see who's standing on the other side.
13:21 - Leo Laporte (Host)
But that's usually on solid doors.
13:26 - Steve Gibson (Host)
Yes, not on a door which is basically four large glass panes. That's like, what? That's pretty fun, and there's also a glass side panel. So, even if the door was solid, you'd still have to be careful about how you approach the door. You couldn't approach from the left on the inside of it. They'd see you walking, you know, over to the door. That's very funny. So, anyway, the point, now, the only thing I could think, Leo, is that the door comes in glass panel options.
Yeah, so you could have had it where the whole thing was white, with opaque white panels. Then the peephole would have mattered. So the peephole's probably there, regardless of whether you get glass or not. But it does make for a funny picture, because, you know, it'd actually be fun if the people who lived there actually had some fun with it, like someone's knocking at their door, so they go over to the door and peep and look through the peephole to see who it is. How funny. Anyway, thank you. Our listeners are providing a constant stream of great photos that they think, okay, saw this and thought of you, Gibson. So that's okay.
Last Friday, the 19th, the rest of the world learned that Microsoft's top executives had fallen victim to a Russian state-sponsored password attack. Like, what, password? Which breached their email accounts. Here's what Microsoft shared in their Friday blog posting, which was titled "Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard." They wrote: "The Microsoft security team detected a nation-state attack on our corporate systems on January..." Now this is, you know, "a nation-state attack" is how you dramatize the fact that somebody guessed your password. It's like, whoops. "...on January 12th 2024, and the Microsoft security team immediately activated our response process."
15:47 - Leo Laporte (Host)
We pulled the chain.
15:49 - Steve Gibson (Host)
That's an emergency only. Break glass and pull all the wires. Yeah. "We entered our response process to investigate, disrupt malicious activity, mitigate the attack and deny the threat actor further access." Yes, we changed our password. "Microsoft has identified the threat actor as Midnight..."
16:17 - Leo Laporte (Host)
Blizzard. How did they identify it? Since any moron could have done this. It wasn't like a half-dee, you know, eight-stage attack involving a secret hash table or anything like that. Let's try Monkey123.
16:33 - Steve Gibson (Host)
Oh, what do you?
16:33 - Leo Laporte (Host)
know we're in. Read the sentence about what they did. I love this.
16:39 - Steve Gibson (Host)
Okay, well, we'll get there.
"...the Russian state-sponsored actor, also known as Nobelium," now renamed Midnight Blizzard.
They must have liked it all the time; it sounds much more dramatic, and like, how did you manage to survive the Midnight Blizzard? "As part of our ongoing commitment to responsible transparency..." In other words, we're a publicly traded company and we have to tell you. "...as recently affirmed in our Secure Future Initiative, SFI, we're sharing this update. Beginning in late November 2023, the threat actor..." Okay, now again, late November, right? So now we have December and up to January 12th, so they've been roaming around apparently for a while. "Beginning in late November 2023, the threat actor used a password spray attack..."
17:34 - Leo Laporte (Host)
What's that, Steve? What's a password... okay, oh, and it's Merse. On what, Steve? What did they use that password spray attack on?
17:42 - Steve Gibson (Host)
"...to compromise a legacy, non-production test tenant account and gain a foothold."
17:52 - Leo Laporte (Host)
In other words, you know, they guessed the password. I guess the password of some old machine that's probably in a corner somewhere.
17:58 - Steve Gibson (Host)
Yeah, they should perspade it, Leo, and you know, it should have been sprayed with cleanser. It's a password spray account attack.
18:05 - Leo Laporte (Host)
That's right, well right.
18:07 - Steve Gibson (Host)
That's why we know it's Nobelium. "They gained a foothold and then used the account's permissions," which apparently were too permissive. Well, that's the real question, right?
18:18 - Leo Laporte (Host)
Okay, so you got in this old server in a closet somewhere. Fine, with a bad password and no two-factor, fine. But what then happened?
18:25 - Steve Gibson (Host)
And then, in their attempt to minimize this, they said, "to access a very small percentage," but apparently it was sufficient. Who was the right percentage?
18:40 - Leo Laporte (Host)
They weren't interested in Joe in accounting. For some reason they only wanted to see Satya Nadella's email.
18:46 - Steve Gibson (Host)
But get this, they have to enumerate, right? "A very small percentage..." This is because Microsoft has so many corporate accounts. "...a very small percentage of Microsoft corporate email accounts, including..." that small percentage, tiny percentage, just tiny, "...members of our senior leadership team and employees in our cybersecurity, legal and other functions."
19:13 - Leo Laporte (Host)
Maybe they did get Joe from accounting.
19:15 - Steve Gibson (Host)
Yes, not good. "...exfiltrated some emails..." Oh boy. Some, right? We don't know how many. They know, they're not telling us. "...and attached documents." Oh God. "The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself." Like, what do they know about us? Why'd they change our name? We liked Nobelium. Now we're Midnight Blizzard, what? "We're in the process of notifying employees whose email was accessed," because apparently that's a big process. So, okay. It was only a small fraction, Steve.
19:56 - Leo Laporte (Host)
Let's not blow it out of proportion.
19:58 - Steve Gibson (Host)
It's a small fraction of a big number, though, Leo, so it's going to take a while for us to notify all those employees. And of course the guys who got in weren't interested in 99% of the email accounts. Only the good stuff, just the good ones, right? Yeah, we got cybersecurity, legal and other, not specified, functions.
20:19 - Leo Laporte (Host)
And the people who run the freaking company.
20:22 - Steve Gibson (Host)
The leadership team. You know those guys, but apparently we can't get a hold of them right now.
20:29 - Leo Laporte (Host)
So we're in the process of notifying them. You don't know where he is.
20:33 - Steve Gibson (Host)
Now here we come. "The attack was not the result of a vulnerability..." What's up with a nice fresh change? "...in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code or AI systems." I thought it's interesting, now, that we're, you know, being specific about whether they got into our AI or not. "We will notify customers if any action is required." Now, that's all they did, but they sprayed everything.
"Apparently, this attack does highlight the continued risk posed to all organizations..." Right? Not just Microsoft. "...you know, from well-resourced nation-state threat actors like..." the newly renamed "...Midnight Blizzard. As we said, they wrote late last year when we announced Secure Future Initiative, given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk." In other words, they've decided they're going to get more security focus. "The traditional sort of calculus is simply no longer sufficient," they say. "For Microsoft, this incident has highlighted the urgent need to move even faster," than they apparently were.
22:03 - Leo Laporte (Host)
This is the worst kind of corporate doublespeak. They're implying that someone guessed the password of a little-used machine that happened to have permissions to access their servers. Yep, that is the worst possible corporate governance. This is embarrassing to them, so they've waved... there's a lot of hand waving, like, oh no, it was a big nation state.
22:31 - Steve Gibson (Host)
They guessed the password. Everybody else is at risk. Oh my God.
22:37 - Leo Laporte (Host)
So they explained the digital.
22:39 - Steve Gibson (Host)
Yeah, so "we will act immediately," because we didn't before, so we're going to do it now, "to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes." This caused a disruption. "This will likely cause some level of disruption while we adapt to this new reality."
23:12 - Leo Laporte (Host)
We've got to lock these things down.
23:18 - Steve Gibson (Host)
But this is a necessary step and only the first of several we will be taking to embrace this philosophy.
23:26 - Leo Laporte (Host)
You know what? I think? It was a PlayStation 2 in Satya Nadella's office. That's what I think they're not telling us.
23:35 - Steve Gibson (Host)
They won't tell us. "We are continuing our investigation and will take additional actions based on the outcomes of this investigation. We'll continue working with law enforcement and appropriate regulators. We are deeply committed to sharing more information..." right, oh, and here we come, "...and our learnings." We're going to get some more learnings sharing, Leo. "...so that the community can benefit from both our experience and observations about the threat actor." We can't see them, of course, because it's midnight and there's a blizzard.
24:11 - Leo Laporte (Host)
We've got to sketch though.
24:14 - Steve Gibson (Host)
We will provide additional details as appropriate. You will never hear from us again. Oh no, I added that.
24:21 - Leo Laporte (Host)
This is clearly written by... I mean, the fact that you use the word "learnings" is the tell. By corporate PR, not by a technical person. That is embarrassing. Because, Leo, the technical people would spill the beans.
24:33 - Steve Gibson (Host)
We don't have that. We have to have someone who knows nothing. Write our announcement of what happened so that nothing will be known afterwards.
So it does read as a bit of a wake-up call from Microsoft, and it's interesting because, you know, arguably they were telling us, and they're right, there's a lesson here for every large enterprise. You know, as you said, Leo, read between the lines, and actually reading the lines, it sounds as though some older systems still have older levels of security that they've been allowed to continue purring along with undisturbed since, you know, they weren't bothering anyone, but they were still online and obviously accepting incoming logons and so getting sprayed with passwords. And, you know, presumably newer systems are being deployed with stronger password quality minimums, multi-factor authentication, brute force detection, you know, spray prevention and all of the additional layers of security that have become modern standard practice. The lesson here, which Microsoft has just learned the hard way and which I wanted to bring to the attention of our IT-managing listeners, is that the law of the lowest hanging fruit applies to legacy machines that are not bothering anyone. You know, they aren't bothering anyone until they become the source of ingress into an enterprise's interior. So just a note of caution to remember that bad guys won't attack the most secure entry points to an organization, or if they do, they won't get in. They will attack, successfully, the weakest, and that might be some machine that still has a password and policies that have not been considered safe since the turn of the century. And this is really a thing we all know, the lesson LastPass learned by failing to proactively enforce PBKDF iteration counts, which were current at the time that they were introduced and they never changed them again. Security really is a moving target, and older systems won't improve their older security on their own without it being revisited.
You know, we would not expect Microsoft, to your point, Leo, to not put the best face on this possible. So we can assume that they did.
But the news of this breach received some harsh criticism from other quarters. Here's what one respected security reporting group had to say. They started by speaking about some email content writing. Microsoft's disclosure language does not specifically state that this was the only stolen material, but it is worth pointing out that Microsoft is currently hosting the Ukrainian government's entire network on its Azure cloud infrastructure. That's interesting. I hadn't encountered that little tidbit before. Anyway, they continue writing.
"The breach has drawn quite an avalanche of criticism and ridicule for Microsoft for various and well-deserved reasons. First, Microsoft disclosed the breach late on a Friday night, a well-known scummy tactic," these people write, "to hide the incident from extended media coverage. Second, the breach took place weeks after Microsoft announced with bells and whistles its new Secure Future Initiative, a new plan to refocus the company's engineering efforts to improve the security of its own products. The new initiative was meant to mimic a similar pledge made by Bill Gates in 2002, named Trustworthy Computing," something we all know well, those of us who have been in the industry, "that led to significant changes to Microsoft's security posture and the creation of what we now know as Patch Tuesday. Third, the new breach took place four months after Microsoft disclosed another state-sponsored hack, this one by China's Storm-0558, which also had access to its internal network." That's the one we talked about extensively previously. "And fourth," they wrote, "after promoting its multi-factor authentication as the next evolution of online account security, the fact that one of its test accounts got popped via a password spray suggests Microsoft was not high on its own supply.
The hack is quite bad, but not for most of you reading this. It may not have a material impact on day-to-day Microsoft users, but it has quite a reputational damage on Microsoft's position in the cybersecurity market. Having Russian intelligence services breach your cybersecurity team's email accounts to steal data about themselves, four months after the Chinese breached your production systems to steal US government emails, is not what this industry calls trustworthy." So, indeed, most of that criticism is covered by the observation that they didn't update their older systems. But I just want to say that it is certainly the case that old systems need attention and they should get it. So a useful reminder about that. A still-unknown threat actor stole $7.5 million from the US Department of Health and Human Services in a security breach that took place between March and mid-November of last year.
31:01 - Leo Laporte (Host)
Now it's been six months, Steve.
31:04 - Steve Gibson (Host)
I know, I should say eight months. It's interesting that the range is that broad. It's kind of large. Yes, quite a lot of time between March and November. I need to think. The unknown.
The unknown attackers are believed to have gained access to an HHS system that processes civilian grant payments using spear phishing. They then proceeded to hijack payments for five grant recipients before being detected. The investigation to identify the perpetrators is still underway. So our takeaway here is that, once again, the human factor remains security's number one Achilles heel. Having strong outbound security, such as, I was reminded, that provided by the Adam Networks guys who so impressed me when I talked about them last year, and also training, training, training, including reinforcing that training on a continuing basis. You've got to teach your people not to click on links. Like, you just have to, and then what the Adam Networks guys do is a great job of neutering the clicking of the link, if someone still does so. It's so easy for a harried worker who has too much going on to click a link that they shouldn't, and that's what happened here.
32:43 - Leo Laporte (Host)
Yeah, but Steve, when they use the devastating password spray attack, all bets are off.
32:54 - Steve Gibson (Host)
You met my good friend Bob Basaraba, a Canadian. His brother is actually a Hollywood actor, Gary Basaraba, who I see, like, he just makes little appearances here and there. Gary is non-technical but just larger than life, just a big guy. Bob was telling him once about a ping flood and how, like, a ping flood was like pushing somebody off the net. And Gary, who knows absolutely nothing about computers, said, well, why didn't they just use a reverse ping attack?
33:37 - Leo Laporte (Host)
Oh, there you go. Another one to add to my quiver: a reverse ping attack. That'll teach him to ping you. Ping him back.
33:50 - Steve Gibson (Host)
So also last Friday, Mozilla posted a complaint to the industry under the heading "Competition." The title of this posting was "Platform Tilt: Documenting the Uneven Playing Field for an Independent Browser Like Firefox." Okay, so here's what Mozilla wrote. They said, correctly: "Browsers are the principal gateway connecting people to the open Internet, acting as their agent and shaping their experience. The central role of browsers has long motivated us to build and improve Firefox in order to offer people an independent choice. However, the centrality of the browser creates a strong incentive for dominant players to control the browser that people use. The right way to win users is to build a better product, but shortcuts can be irresistible, and there's a long history of companies leveraging their control of devices and operating systems to tilt the playing field in favor of their own browser. This tilt manifests in a variety of ways, for example, making it harder for a user to download and use a different browser, ignoring or resetting a user's default browser preference, restricting capabilities to the first-party browser or requiring the use of the first-party browser engine for third-party browsers.
For years, Mozilla has engaged in dialogue with platform vendors in an effort to address these issues. With renewed public attention and an evolving regulatory environment, we think it's time to publish these concerns, using the same transparent process and tools we use to develop positions on emerging technical standards. So today we're publishing a new issue tracker where we intend to document the ways in which platforms put Firefox at a disadvantage. We wish to engage with the vendors of those platforms to resolve these issues. This tracker captures the issues we experience developing Firefox, but we believe in an even playing field for everyone, not just us. We encourage other browser vendors to publish their concerns in a similar fashion and welcome the engagement and contributions of other non-browser groups interested in these issues.
We're particularly appreciative of the efforts of Open Web Advocacy in articulating the case for a level playing field and for documenting self-preferencing. People deserve choice, and choice requires the existence of viable alternatives. Alternatives and competition are good for everyone, but they can only flourish if the playing field is fair. It's not today, but it's also not hard to fix if the platform vendors wish to do so. We call on Apple, Google and Microsoft to engage with us in this new forum to speedily resolve these issues." Okay, now, of course, many of us prefer to use Firefox as our browser of choice. I have Chrome and Edge, but URL clicks are always sent to Firefox. Me too.
It's my default browser. Yeah, and I have Firefox installed on all my various Apple iOS devices.
37:53 - Leo Laporte (Host)
Oh see, I haven't gone that far. They really don't make that easy and you're not really using Firefox.
38:00 - Steve Gibson (Host)
Exactly. So I dug a bit deeper into this new issue tracking system and it was quickly apparent that Apple had the most strikes against it. At this moment Mozilla is complaining about: App Store forbids third-party browser engines; support for third-party multi-process applications on iOS; JIT, you know, just-in-time compilation support on iOS; accessibility APIs on iOS; Messages integration; importing browser data; setting and checking default browser; origin-based associated domains; dependent features for third-party browser engines; browser extension support; and beta testing support on iOS. Now we know how heavy-handed Apple is. I'm an avid user of Amazon's Kindle readers and also of Amazon's Kindle app on iOS, where I use it on iPads and my iPhone, and it is a constant and ridiculous annoyance that Apple refuses to allow Amazon users to purchase books through the Amazon app. Absolutely. It is so dumb. It's necessary to use a web browser. Why? Because Apple has iBooks and cannot stand the competition.
39:34 - Leo Laporte (Host)
Well, they would let Amazon do it, but they would get 30% for it, and Cory Doctorow was talking about this on Sunday. The margins on the books, the e-books, are lower than 30%. So Amazon would have to give them all the profit, and then some. Right. So it's just not. It's not gonna happen.
39:53 - Steve Gibson (Host)
It's just. It's just dumb. So I'm sure that Apple's reticence to allow Chrome and Firefox and any other and all other non-Safari browsers to enjoy the same privileges they have on other platforms is largely about security. I mean, I get it, you know. As we know, browsers have become the number one way for evildoers to crawl inside our computers, so I don't blame Apple for that. But given my experience elsewhere and with Apple, I also have no doubt that some of this is just pettiness, which, as I said, should be beneath Apple. For what it's worth, though, I'm sure Apple is not, you know, singling out Firefox for prejudicial treatment. They treat anything that's not Safari as suspect. Yeah, exactly.
Mozilla is also unhappy with their experience over on Google's Android platform. There they voice three complaints: importing browser data on Android; some Android features launch Chrome instead of the user's default browser; and lower-quality search results in third-party browser engines on Android. I was curious to look into these three a bit further, especially the last one, which we'll get to in a second. What I found was interesting. In detailing their complaint about importing browser data on Android, Mozilla explained: browsing information like history, bookmarked sites and cookies is not accessible to third-party browsers on Android. This data is kept within a web browser application's data directory, which is not directly accessible to third-party browsers, and there's no API or content provider to enable it to be imported. While this is sensitive data, Mozilla agrees, similar import functionality is possible on all major desktop platforms, and Android is able to mediate access to other sensitive data with user consent. Not being able to import data creates significant friction to change from Chrome. A user should be allowed to bring their data with them to another browser. And I think that seems like a legitimate complaint and a slippery way for Google to give Chrome an anti-competitive edge over any other browser its user might wish to switch to.
And the second issue raised, some Android features launch Chrome instead of the user's default browser, seems even more insidious. Mozilla explains: features like Google Search or Discover in the pre-installed Google application ignore the user's default browser choice. Links to websites outside of the application are always opened in Chrome, regardless of the default browser. This is a widely used application, Mozilla says, with additional entry points from built-in features such as the search bar on the home screen and app launcher. Each time it opens a link in Chrome, a user is driven away from their default browser. All built-in applications and affordances that open external links should open them in the user's default browser. You know, right, that would really annoy me, and this issue will be quite familiar to anyone who's heard Paul Thurrott ranting about...
43:34 - Leo Laporte (Host)
Microsoft and Edge doing the same thing. You breathe on it and it launches.
43:38 - Steve Gibson (Host)
Yes, what me.
43:39 - Leo Laporte (Host)
Yeah, I'm here.
43:43 - Steve Gibson (Host)
As Mozilla says, every time Chrome is launched when the user has installed Firefox and asked Android to use it, it drives the user toward Chrome, despite their clearly expressed browser preference. And it was the third item in Mozilla's platform tilt list of grievances that most caught my eye. They wrote: lower-quality search result pages in third-party browser engines on Android. That seemed like a real antitrust showstopper. Here's what Mozilla explained. They said the web search experience is tightly integrated with a number of built-in features in Android, and the experience provided to Firefox is inferior compared to the version provided for Chrome. As seen in the screenshots, identical search terms show less information and receive a lower-quality design in Firefox on Android. And for anyone who's interested, I have this side-by-side screenshot in the show notes, on page six of the show notes, where indeed you can see that Chrome has a fancy-looking display and Firefox not so much. It's kind of got a little textual summary instead of some nicer graphics. You know, you can't do graphics in Firefox.
45:10 - Leo Laporte (Host)
It doesn't. You can only do it in a proper browser, you know.
45:17 - Steve Gibson (Host)
Mozilla said: while strictly speaking this is an issue with the Google search website, given the prominence and integration of search on Android, this is a meaningful user experience gap that creates an incentive for users to not choose a third-party browser.
45:34 - Leo Laporte (Host)
They've got a really good point. I mean, this is the same data coming from the same site, a Google site, but they intentionally poorly render it on anything but Chrome.
45:45 - Steve Gibson (Host)
Yes, and you know why: it's the User-Agent header. It turns out that Google's search results are biased against non-Chrome browsers. That's terrible. I know, it is so wrong. If the User-Agent string is changed, then Google will provide the same improved experience to Firefox users as Chrome users. Now, User-Agent dependency is nothing new, and once upon a time, Chrome's page results rendering may have necessitated producing different results to differing browsers, but those days, you know, those are long gone. This sort of deliberate bias is showing Google's own extreme pettiness.
And speaking of Microsoft and Windows, well, Microsoft's own incestuous ties to its own web browser actually, as we know, have been the subject of antitrust lawsuits in the past, and big ones. Mozilla lists three complaints about Microsoft's and Windows' treatment of Firefox, and you can imagine where this is going. The three complaints are: setting default browser on Windows; default browser is set to Edge by several Windows flows; and some Windows features launch Edge instead of the user's default browser. It is, you know, starting to sound like a refrain. Under setting default browser on Windows, Mozilla writes: allowing a third-party browser to programmatically set itself as the default is an important platform feature. Without this, even after the user has installed the browser of their choice, they must navigate operating system settings and make the choice there as well. This adds friction and creates inertia to continue using Edge, despite the user's obvious preference.
A well-established design pattern is to allow the third-party browser to invoke a system prompt which permits the user to easily confirm or reject the request to set the current browser as the default. This is an intuitive user experience that mirrors similar permissions models used in operating systems, browsers and web applications. Android and macOS offer such a capability. Unfortunately, Windows does not support anything like this for third-party browsers. Browsers are forced to deep link into the Windows settings UI. On Windows 10, this requires several clicks and a double confirmation in the settings UI. On Windows 11, there is a set default button. Neither is sufficient. Windows should instead provide a method for third-party browsers to programmatically request they be set as the default. And to that I'll just say yep. This is the traditional way that we've all historically experienced the addition of a third-party browser being installed. The browser notices that it's not currently the system's default URL handler and asks its user whether they would like it to switch them over to using this browser instead. The user says yes, please, or no, thanks, and it's done. But no longer. Microsoft, exhibiting the same pettiness we see from Apple and Google, clearly wishes to hold on to the use of Edge every way possible. As I sit in front of Windows 10, I'm periodically reminded of just how much my life could be improved if only I would allow their Edge browser to service my needs. No, thank you. And speak of the devil.
Here's Mozilla's second complaint. In general, the Windows 10 and 11 operating systems have persistent messaging that Microsoft Edge is the recommended browser for Windows and offer affordances to change the default browser to Edge. In some cases, the wording is misleading, asking a user to adopt recommended browser settings, which does not obviously suggest a default browser change. This messaging is a moving target, with examples added and removed from Windows over time, often on UI surfaces that appear automatically on update or otherwise, making it difficult to enumerate specific examples. Right, so they become quite slippery. In all cases, Mozilla says, these Windows components are able to change the user's default browser directly and are not forced to use the ms-settings protocol deep linking that browsers are required to use. Windows should consume the same affordances and APIs that are available to third-party browsers for setting to default. Yep, just another of the many reasons I am perched right now in front of my trusty and crusty old Windows 7 system. You know, I'm subjected to none of that extraneous crap.
Okay, and lastly, Mozilla says there are at least three prominent Windows features that open URLs in Microsoft Edge and not in the current default browser. The user's default browser choice should be respected when web pages are opened by built-in operating system features. The first is Windows Search, also known as Start Menu Search and formerly known as Cortana. The UI for this feature is represented by a taskbar search box or search button, depending upon the user settings, and a search suggestions/results UI that appears when activated and updates as the user types. The suggestions and results UI also appears if the user starts typing when the Start Menu is open and by the Win+S hotkey. All links from this UI, whether they initiate web searches or link directly to articles or results, open in Microsoft Edge regardless of the user's default browser. The second is the new Windows Copilot, currently only available on Windows 11, which appears as a docked window on the right side of the screen. If Copilot produces links in its responses or offers other links within its rendering area, these links open in Microsoft Edge regardless of the user's default browser. Third, there are Windows Widgets, which are called News and Interests on Windows 10, a UI surface which can be activated by a taskbar button. These show information like news, weather, stocks and sports scores. On Windows 11, new widgets can be added from third parties. Regardless, all links to a web page from widgets will open in Microsoft Edge, regardless of the user's default browser.
So, okay, in summary, what we have is Mozilla highlighting and detailing pervasive pettiness and, you know, not playing fair on the parts of Apple, Google and Microsoft. It's not like they absolutely refuse to accept a default, you know, to accept a browser change. That would probably get them in some serious hot water, right? Instead, they say, oh yeah, you could install a browser, and then they do everything they can not to really let the user use the browser, not the way they obviously could if they wanted to. Clearly not playing fair. So, Leo, what do you think is behind this? Is this, is this like gearing up for a little antitrust activity here?
54:37 - Leo Laporte (Host)
Yeah, I mean.
54:38 - Steve Gibson (Host)
Microsoft, seeing their market share dwindle.
54:41 - Leo Laporte (Host)
It's hard to explain because they, with Edge, they had an opportunity in the early stages, and Paul Thurrott is always saying this, to say hey, we're a better Chrome than Chrome. We're a Chrome without the privacy problems. You know, they've always knocked Google for its privacy plan. I mean, this bugs me about Microsoft all around, is that they could actually do very well by saying we're a private platform, we respect our users, we keep it private, we have a better browser that's got less stuff. Instead, they put coupon codes in there and also, it's crazy stuff.
55:17 - Steve Gibson (Host)
I got shop. I got shopping crap. What the...
55:20 - Leo Laporte (Host)
heck. And so, is it they don't need the money? Except Apple doesn't need the money by, you know, charging 27% instead of 30% if Kindle uses its own Amazon link. These companies are greedy. I think, really, what's happening, and we're seeing it again and again, we're seeing it in big tech, but we're also seeing it in our politics, where people go, I don't have to, I don't care if you don't like it, it doesn't matter, right? I'm going to do what I want to do, I'm going to, right? Screw it, you know.
55:54 - Steve Gibson (Host)
And the heck with the FTC. Basically abusing the power that they have.
55:57 - Leo Laporte (Host)
We're going to abuse the power.
55:59 - Steve Gibson (Host)
They're going to abuse the power.
56:02 - Leo Laporte (Host)
And they no longer care about governments, they no longer care about users, they care about profit. It's very disappointing. Microsoft knows.
56:10 - Steve Gibson (Host)
Nobody has a choice.
56:12 - Leo Laporte (Host)
They're like forcing people up to newer versions of Windows, and those newer versions of Windows are increasingly creating lock-in. The thing that's frustrating is they don't need to do this, and they could do so well for themselves if they said, no, no, it's a better Chrome than Chrome. We're privacy focused, we don't need to do all of that. You own the computer, you own the platform. They would, I think, do better by doing that, and so it's baffling.
56:39 - Steve Gibson (Host)
Look at Chrome's market share. I mean, they're dominant. My wife has Chrome on Windows 10, because she doesn't, and she keeps complaining about this Bing and, like, it keeps Binging her. She says, how do I stop this?
56:54 - Leo Laporte (Host)
56:55 - Steve Gibson (Host)
I don't. It's unfathomable.
56:57 - Leo Laporte (Host)
Yeah, it's just a... but I honestly think that these companies got to the stage where they don't care and they just don't need to, and this is what Cory Doctorow is always talking about with enshittification. They're too big to care. They're too big to care. It's time for them to squeeze us.
57:11 - Steve Gibson (Host)
Well, Leo, TWiT is not too big to care, so let's show our listeners how much we do care.
57:16 - Leo Laporte (Host)
We really do care, we care. We love our audience. We're going to take a little break. Come back with more in just a second, as soon as I tell you about Drata, our sponsor for this segment of security.
Now, Drata solves a problem I think a lot of companies these days are suffering from, which is audits and manual evidence collection. With Drata, companies can complete audits, they can monitor controls, they can expand security assurance efforts to scale, and they can do it automatically and easily. In fact, the real question is, why aren't you using Drata now? With a suite of more than 75 integrations, Drata works with everything you already know. It streamlines your compliance frameworks. It gives you 24-hour continuous control monitoring so you can focus on scaling securely. Drata easily integrates with all of the applications you use: AWS, Azure, GitHub, Okta, Cloudflare, and I could go on and on and on. Drata's automated dynamic policy templates are great for companies that are new to compliance. It makes it easy to collect evidence automatically, as you were just talking about, Steve. They also focus on employees. They have integrated security awareness training programs and, just as you said, automated reminders to continually keep the employees on their toes and to smooth employee onboarding. One other thing that all of the security analysts are going to be absolutely interested in: Drata is the only player in the industry to build on a private database architecture that ensures your data can never be accessed by anyone, anyone outside your organization.
All Drata customers get a team of compliance experts, including former auditors with hundreds of hours of experience under their belt. You get a designated customer success manager. You get pre-audit calls to prepare you before your audit begins. There are so many reasons you should be using it. One more: Drata's audit hub. Auditors love this. You'll love this. It's the solution to faster, more effective audits. You can save hours of back-and-forth communication. You'll never misplace crucial data because it's all in the audit hub, and it makes it very easy to share documentation with your auditor. Say goodbye to manual evidence collection. Say hello to automated compliance. When you visit drata.com and request a demo, you get 10% off. drata.com. Bring automation to compliance at Drata speed. This is the thing you need. Steve, it is your turn once again.
01:00:07 - Steve Gibson (Host)
Meanwhile, last Thursday, the Brave browser, which is super popular among those who are truly privacy and anti-tracking concerned, that's the one Paul Thurrott likes, yep, notified its users that Brave would be reducing the strength of its anti-fingerprinting protections. That's weird. Under the heading "Brave browser simplifies its fingerprinting protections," the Brave team wrote: with desktop and Android version 1.64, in a couple of months, and in today's nightly release for testing, Brave will sunset strict fingerprinting protection mode. This does not affect Brave's industry-leading fingerprinting protection capabilities for users, but instead it will allow us to focus on improving privacy protections in standard mode and avoid web compatibility issues. Okay, now they say Brave will sunset strict fingerprinting protection mode and then immediately follow that with, this does not affect Brave's industry-leading fingerprinting protection capabilities for users. What? How...
01:01:23 - Leo Laporte (Host)
does that not... what? You're reducing protection...
01:01:26 - Steve Gibson (Host)
but it doesn't affect your protection? That's right. So they said, Brave currently offers two levels of fingerprinting protections, which make it harder for tracking companies to identify you as you browse the web: standard and strict mode. Over time, however, we've observed significant disadvantages of strict mode. Okay, here they are. First, in order to block fingerprintable APIs, strict mode frequently causes certain websites to function incorrectly or not at all. Okay. Whoops.
01:02:06 - Leo Laporte (Host)
So it breaks functionality? I can understand that, yes.
01:02:09 - Steve Gibson (Host)
This website breakage means that strict mode has limited utility for most web users. Next, fewer than half a percent of Brave users are using strict fingerprinting protection mode, based on our privacy-preserving telemetry data. So, you know, we know that, but don't worry, we're not spying on you. Third, this tiny cohort of users could be more vulnerable to being fingerprinted because they stand out as a result of using strict mode, which, you know, that's an unintended consequence. Although we've not seen issues around this, it is a valid concern, given that users who use strict fingerprinting protection might have done so because of an elevated concern about tracking. Right. Why else would you do it? And fourth, maintaining strict mode and debugging why some websites are broken on Brave takes our engineers' time away from focusing on default privacy protections that can benefit all of our users. They said these observations have led us to the conclusion that sunsetting strict mode in Brave will actually be beneficial to our users' privacy. They explained, Brave's standard fingerprinting protection is already very extensive and the strongest of any major browser. Brave's innovative farbling of a number of major fingerprintable web APIs makes it difficult for fingerprinters to get a reliable unique ID on your browser. Going forward, we will continue to strengthen and expand Brave's standard fingerprinting protections so that all our users have ever-improving protection against fingerprinters, while maintaining the highest possible level of compatibility with websites.
Okay, first of all, you did hear me use the term farbling. I have no idea where they came up with that, but okay, I tracked it down, and it's Brave's term for introducing some random jitter noise into the values being returned by the web APIs that are commonly used for fingerprinting. Those APIs are the Canvas API, WebGL, WebGL version 2, the WebGL extensions, the contents of the browser's User-Agent header, Web Audio, the browser's plug-ins, hardware concurrency, the enumeration of system devices, both their ordering in the enumeration and their labels and IDs, and the user's dark mode setting. Since I was curious and knew our listeners would be too, I tracked down the difference between Brave's soon-to-be-discontinued strict anti-fingerprinting mode and the mode that all Brave browser users will be left with. So here's how Brave describes the two modes. They said Brave has two levels of fingerprinting protections. In the default standard configuration, Brave adds subtle noise to APIs commonly used by fingerprinting scripts without breaking websites and will provide good protections against web-scale online trackers.
Brave also includes a strict option. When set to strict mode, Brave only returns random values from APIs commonly used by fingerprinters. This provides a higher level of protection against highly determined attackers who may attempt statistical and/or targeted attacks to identify users.
This mode will also break websites which depend upon these features to work correctly. So it's fuzzing versus farbling, I guess. Well, actually, I would say that the milder standard mode uses, dare I say, only moderate farbling of API values, which does not cause website issues, because only some of the least significant bits are being farbled. Well, there you go. Well, yeah, that's what you want in your least significant bits. It's a little bit of farbling. Farbling.
But what strict mode does is to entirely discard the true API values and replace them with fully random values for these API calls that bear no resemblance to reality. Of course that's going to break stuff. Yes, my reading of this is that the original designers of Brave's anti-fingerprinting technology probably got their farble turned up too high.
01:07:26 - Leo Laporte (Host)
Oh, I hate it when that happens.
01:07:29 - Steve Gibson (Host)
I do not want that, joe. They probably thought you know, if a little farbling is good, just how great it would be if we just farbled the crap out of this.
But apparently after gaining more experience with this, they learned that some websites became quite upset when they were over farbled. You never want to over farble, but especially not on a school night. Oh yes, and actually I can see how the statistical analysis they refer to could theoretically be a problem, since over time the results from a low and safe level of farbling could be averaged out to obtain the true value around which the farbled values are clustered. But on balance I wouldn't worry about that too much. I think Brave is doing the best they can while not causing more trouble than the farbling is worth. So elimination of Brave's strict mode sounds like a good thing.
01:08:39 - Leo Laporte (Host)
Actually, they made a really interesting point, which is that so few people use the strict mode, it itself could be a form of fingerprinting. Yes, I thought that's fascinating. You want to be in the herd, you don't want to be the one out on the outlying edges of it.
01:08:54 - Steve Gibson (Host)
You don't want to be singled out. Yeah, so if they saw someone's browser that's, like, producing wildly bizarre values, they'll go, ah, we have an over-farbler. We weren't sure, but this guy's over-farbling, and there aren't that many of them out there.
01:09:09 - Leo Laporte (Host)
Yeah, that's really right. That's actually a fascinating insight into how this stuff has to work. You cannot un-fingerprint people by doing things that only a handful of people do, because then they get identified. It's really interesting. Huh, good on Brave. You know, it sounds like they did the right thing.
01:09:27 - Steve Gibson (Host)
Yep, I think so too, and we have added a word to our lexicon, leo.
01:09:33 - Leo Laporte (Host)
They mean fuzzing, right, I mean, that's fuzzing.
01:09:38 - Steve Gibson (Host)
I could have named the episode. You should have named it. Never over farble.
01:09:43 - Leo Laporte (Host)
On a school night.
01:09:44 - Steve Gibson (Host)
You should have. That's right, on a school night. You should have named it that. It's not too late to change, Steve, we can work it. Okay. So, coming up on a year ago, in the middle of March 2023, I noted, and was quite glad to share, that CISA, the already very proactive US Cybersecurity and Infrastructure Security Agency, I never thought I was going to be able to just have that roll off the tongue, but yeah, Cybersecurity and Infrastructure Security Agency, next is Ross Kammanzo, you'll be the king, was, was launching an even more proactive initiative.
They called it the Ransomware Vulnerability Warning Pilot, and thank God they didn't try to make the abbreviation pronounceable. It's RVWP, so, you know, they're not Google. Yeah. And they described it this way. They said, this is, this is back in March:
Organizations across all sectors and of all sizes are too frequently impacted by damaging ransomware incidents. Many of these incidents are perpetrated by ransomware threat actors using known vulnerabilities. By urgently fixing these vulnerabilities, organizations can significantly reduce their likelihood of experiencing a ransomware event. In addition, organizations should implement other security controls, as described on StopRansomware.gov. However, most organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network. Through the Ransomware Vulnerability Warning Pilot, which started on January 30th, 2023, so, coming up on a year ago, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.
As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions can occur. CISA accomplishes this work by leveraging its existing services, data sources, technologies and authorities, including CISA's Cyber Hygiene Vulnerability Scanning service and the administrative subpoena authority granted to CISA under Section 2209 of the Homeland Security Act of 2002. As our listeners know, I'm 100% behind the idea of having the good guys proactively scanning for vulnerabilities. We know that the bad guys are, so to the good guys, my only question would be, what took you so long? Anyway, CISA just published their 2023 Year in Review, and it contained some gratifying news of the results from the first year of this pilot program, which I hope they can remove the "pilot" from.
During this first year, CISA sent out more than 1,200 notifications to US and international organizations, notifying them of early-stage ransomware activity on their networks. CISA also sent 1,700 notifications to organizations that had systems vulnerable to common ransomware entry vectors. In other words, the US is finally proactively scanning the public internet for vulnerabilities. This totals an average of eight such notifications sent every day of the year last year. It is difficult to imagine that anyone would blow off a notification from this US agency saying that they've already found evidence of an existing network intrusion or of an existing public-facing vulnerability. So bravo, CISA.
01:14:26 - Leo Laporte (Host)
Yay. I'm looking for farbal.com, or perhaps farbal...
01:14:33 - Steve Gibson (Host)
Well, Leo, you do not want to look up farbal in the Urban Dictionary. Oh, is there actually a word? Oh, I made that mistake. No, you will not want to know what it is to farbal. Okay, so it says the Urban Dictionary. Okay.
01:14:48 - Leo Laporte (Host)
01:14:49 - Steve Gibson (Host)
So the listeners are doing so. Sorry for bringing it up.
01:14:52 - Leo Laporte (Host)
Yeah, oh, you managed to withhold that information until later in the show.
01:14:58 - Steve Gibson (Host)
Okay, so, in news of a growing and necessary trend which we've been seeing recently, Samsung's just-launched S24 series of smartphones will be receiving seven years of software and security updates. That was good news. Yes. That's an increase from the company's previous smartphone coverage, which was five years. So Samsung joins Google to be the only vendors to offer seven years of security updates for their Android devices. And the best news of all is that this suggests that the longevity of security support has finally become a recognized competitive advantage. That's nothing less than a big win for consumers and 100% great news.
Remember that we were recently talking about the lawsuit against Google over the consumers' "misunderstanding," I'll put that in air quotes, of the protections provided by Chrome's Incognito mode. Remember, it turned out it wasn't as incognito as we thought. In response to that, Google is changing the text that appears in Chrome's Incognito mode. The new text much more clearly informs its users that their activity will continue to be tracked, even while they're in the somewhat-less-than-entirely-incognito mode. It now reads, quote: Others who use this device won't see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved. Learn more. And then you can click if you want more information. So, anyway, they decided maybe we need to be a little more clear about that.
Oh, I wanted to acknowledge that I received our listeners' many notes that, for reasons I think I understand now, the images contained within the previous two weeks of show notes were not visible to users of Apple's iOS and macOS devices. Oh, that's interesting. It was also a coincidence that I had captioned last week's Picture of the Week "Please provide an example of irony," and that that picture was missing. Ironically. Ironically, yes. In any event, it appears that the trouble was that I always run the final show notes PDF, which I download from Google Docs, where each document is authored, through Acrobat's PDF Optimizer, which very nicely reduces the document size, typically from a couple megabytes down to a few hundred kilobytes, and I don't know what may have changed, since it was nothing at this end.
01:18:30 - Leo Laporte (Host)
On the other hand... since my Acrobat... I can see them, though. This is my Macintosh. I can see them fine.
01:18:37 - Steve Gibson (Host)
Last week, yeah. That's interesting, because I verified on my... oh, wait. No, I know why. Because I fixed them. Oh, yes.
01:18:48 - Leo Laporte (Host)
But this is the attachment in your email, so this would have been the thing that you sent to me.
01:18:56 - Steve Gibson (Host)
You're right, that would have... and that should have been broken.
01:18:59 - Leo Laporte (Host)
I verified that... I'm viewing it in the browser. And let me see if I can view it in Apple's Preview, because, as you know, I save all of your show notes because, God knows, I wouldn't want to lose any of them.
01:19:12 - Steve Gibson (Host)
Well, you want to feed them into some AI and have them, you know.
01:19:16 - Leo Laporte (Host)
Yeah, I did do that. By the way, it was not satisfactory. Don't... You're safe? No, yeah. Well, so I'm looking on my... so, this is on my Mac, both in Preview and... and this is the one you attached to your email, so it's the original.
01:19:32 - Steve Gibson (Host)
Well, my iOS... well, my iOS. I have an iOS device, and indeed it did not show the pictures originally.
01:19:39 - Leo Laporte (Host)
Oh, iOS, not Mac.
01:19:42 - Steve Gibson (Host)
Well, I was told Mac, but that's a Mac.
01:19:45 - Leo Laporte (Host)
Let me look on my iOS. Huh, Huh, that's interesting.
01:19:49 - Steve Gibson (Host)
Anyway, my Acrobat, of course, is version 9, with a copyright of 2008.
01:19:56 - Leo Laporte (Host)
Which, by the way, should make it more compatible, not less. I know, except that...
01:20:00 - Steve Gibson (Host)
So what I believe, because nothing else happened, nobody else complained, and obviously you're able to see it elsewhere: I think I had it set back to version 5 PDF compatibility. I think Apple decided to stop supporting some feature of older PDFs.
01:20:16 - Leo Laporte (Host)
Oh, yep, here it is on my iPhone. There's a blank where it should be: "a clear visual example of irony." Okay, all right. Yep, so on the Mac it's okay, but apparently on iOS they don't.
01:20:30 - Steve Gibson (Host)
And I did find and fix the problem. So all of our listeners, both retroactively for those previous two weeks and also going forward, today and in the future, well past 999, we will have pictures.
01:20:46 - Leo Laporte (Host)
I'm going to open it in some other app on iOS.
01:20:49 - Steve Gibson (Host)
You're really curious about this, aren't you?
01:20:51 - Leo Laporte (Host)
Yeah, because this is the kind of thing I'm going to get calls about down the road. So I just want to make sure that, like, if I have a workaround, that... oh well, if you open it in Google Drive you'll be able to see it, then that would be... You know, let me see. I'm going to upload it to Google Drive and then open it. And now, still, it's a blank.
01:21:14 - Steve Gibson (Host)
I think it's... oh, really? Well, wait a minute. Let me... Oh, so, when displayed on an iOS device...
01:21:22 - Steve Gibson (Host)
Maybe that's it.
01:21:23 - Leo Laporte (Host)
Let's see. Here's the Google Drive, and I just uploaded it. All right, let's see if I can read that. Oh, did you see that? I did.
01:21:33 - Steve Gibson (Host)
That was interesting. The thumbnail was there. Hmm, ah.
01:21:41 - Leo Laporte (Host)
That's... so even in Google Drive I'm not seeing it. Let's do this again. Watch this. Yeah, did you see it? Briefly, it showed up.
01:21:48 - Leo Laporte (Host)
Yeah, I don't know what that means. Oh well, I'll leave the detective work to your fine forum members at GRC.com. It's fixed.
01:21:58 - Steve Gibson (Host)
Leo, we're going to start our Q&A. So let's do it. Let's do it, let's sponsor. And then we will... I've got some neat feedback from our listeners.
01:22:04 - Leo Laporte (Host)
Okay, good, that's great. I always enjoy that part. This part of the show is brought to you by Kolide. I've talked about Kolide many times. I probably don't even have to do this ad because you're going to remember exactly what I said, right? That's in case you don't know what I'm talking about.
What do you call an endpoint security product that works perfectly but makes users miserable? Right: useless, a failure. So the old approach to endpoint security is to lock down employees' devices and roll out changes through forced restarts. Or maybe you go down the hall and you say, get out of my way, I need to update this thing. That just doesn't work. It's miserable because you get a mountain of support tickets. Employees, and this is actually the worst-case scenario, start using personal devices just to get their work done, and of course they're completely insecure. Oh, and maybe this is the worst case: the executives. They opt out the first time it makes them late for a meeting. "I'm not using that crap." You're done. You can't have a successful security implementation unless you get the end users to work with you, to like it, right? And that's what's so great about Kolide. It's a user-first device trust solution that notifies the user as soon as it detects an issue on their device. You've left your SSH private keys in your download folder unencrypted, or you're not running the firewall, or you've got a very old version of Plex on here and I don't think it's secure. And then it tells the users how they can solve it without having IT intervene.
Users feel good. They go, yeah, I fixed it all by myself. Plus, they're now part of your team. They're not working against you, they're working with you. And, most importantly from your point of view, untrusted devices are now blocked from authenticating. The users can get in, but not those devices, until the users fix it. It's great. The way they put it is like when you go to the airport. You identify yourself with the TSA, here's my driver's license, and you run your luggage through the metal detector. But it's as if, you know, when you're using Okta, you say, yeah, I'm me, but you don't run the luggage through the detector.
Kolide makes sure those devices are secured and that it's the right user. It's designed for companies that use Okta, and works on every platform: macOS, Windows, Linux, all mobile devices. If you have Okta and you're looking for a device trust solution that respects the users, that makes the users a happy part of your team, visit kolide.com and watch a demo today. See how it works: kolide.com. We thank them so much for their support. They've got a great product. Very happy to tell you about them on the show. All right, Q&A time. This is actually... we used to do this every other show, right, Steve? Yeah, I loved this.
I used to love doing this. Well, listener feedback.
01:25:10 - Steve Gibson (Host)
We still do.
Yeah, we still do. Yeah, closing the loop. So one of our listeners said: Hello. I started my journey in cybersecurity two years ago. I've learned a lot and still have a lot to learn.
Recent news of AI-generated videos got me scared because of the future world my two-year-old son might be growing up in. Too late. In your opinion, what would be the best solution for automatic verification of a video, image or audio? I'm thinking of some kind of encryption from the camera, like a few episodes ago, where photos are signed. But, if I remember correctly, this is flawed because anyone can buy such a camera, dig the key from the hardware and sign fake images. I believe this needs to be addressed as soon as possible, and not, like, in 10 years. AI really took off. Who knows what might be next? Okay.
So through the years, as we've observed everything that's happening around us, this podcast, as a consequence, has arrived at a number of rules of the road, guiding principles which seem to apply. One of those that I've occasionally marched out is quite unsatisfying, though that doesn't render it any less true. And that is: not all problems have good solutions. An example we were talking about last week is Internet DDoS attacks. Like it or not, the fundamental design of the Internet has made it inherently vulnerable to spoofed bandwidth-flooding attacks and other sorts of attacks. And I believe that we have the same problem here.
When I was growing up, I was fascinated by optical illusions. One that pops to mind is that two parallel lines can be drawn on paper and, yep, they look perfectly parallel. But place a series of radial lines exploding outward from a central point, and those still perfectly straight parallel lines look curved, no matter how you try to tell yourself they are not curved. Curved is what you see. The trouble is, we're built to believe our senses, and our senses can be fooled. The corollary rule to "not all problems have good solutions" is that technology cannot solve all of our problems for us. In fact, it's probably a zero sum, with technology inadvertently creating just as many problems as it solves.
Unfortunately, I am virtually certain that this listener's two-year-old son is simply going to grow up in a very different world than we have. It's going to be a world where the many things we were able to take for granted as being real depictions of events will simply never be the case for someone born recently. And of course there's been some of that for us: the phrase "oh, that image was Photoshopped" has long been a common meme. But until now, it's been the exception.
The fact that everyone perceives that what we're about to witness is a wholesale explosion in the volume of fictitious content masquerading as authentic suggests that, if nothing else, it's going to become a self-fulfilling prophecy. And I don't see this view as pessimistic. I think it's realistic. As they say, to be forewarned is to be forearmed. For those of us who have been around for a while, this seems like a big change for the worse. We're accustomed to trusting our senses and believing what we see, but it seems all but certain that this is a comfort future generations will simply not have. But then neither will they miss it, since things will have always been that way for them. We old codgers will eventually die off grumbling, "When I was a boy..." and so forth.
01:29:31 - Leo Laporte (Host)
I wonder what you think. So Canon announced this a couple of months ago. They're doing it with a Stanford lab and the USC lab and Thomson Reuters. It's a proof of concept. The idea is, using cryptographic methods, they're going to embed in the images metadata information about the image. So Canon will basically verify in the metadata: this image was created with a camera. Nikon and Leica have approached the same idea. There is something called the Content Authenticity Initiative. But I'm kind of with you. Anything that these companies can come up with, well, bad guys will just do an end-around. In fact, it's a false sense of security, because you say, well, this has the Canon stamp, this Canon seal. It must be real.
01:30:18 - Steve Gibson (Host)
That's exactly right. Yeah, exactly. I mean, it is exactly analogous to the example we've always drawn of the DVD decryption keys in the DVD player. The DVD player sitting on the consumer's shelf had to have the keys to decrypt the DVD. It didn't take long until everybody had the keys, because they were sitting in the DVD player and they got extracted. It was going to happen. So Canon's camera digitally signs the photo, and actually, I mean, they've done so much technology, because there's, like, this audit trail. You can only use Adobe's tools to make changes, and the Adobe tool appends metadata, creating an audit trail of all the modifications that were made to the photo.
01:31:12 - Leo Laporte (Host)
It's got a chain of custody for the photo, so you know exactly who's had it and who's touched it.
01:31:17 - Steve Gibson (Host)
It's just going to make a lot... It's trying to make money for people. And it's, again, it won't be long before it's hacked and cracked, and there'll be photos that are, like, proven to be authentic of, like, the sun going supernova. Wait a minute. I don't think that happened.
01:31:35 - Leo Laporte (Host)
Yeah, this is why I'm glad you're going past 999, because this will, of course, be announced with fanfare, and then it will be hacked, and this is how we're going to learn if it's been hacked or if it's reliable, because Steve will let us know. So I'm very grateful. Because this isn't going to happen in the next year and a half, but, boy, before the next election we're going to see a lot of fake stuff. And I do think that, to this listener's question, the world has changed.
01:32:06 - Steve Gibson (Host)
The fact that you guys on MacBreak, and Andy, can create these astonishing images just by asking for them, that is earth-shattering. And it just means that people growing up now will not... will... They will just always have been in a world that had the Internet, which we didn't have in the beginning. That was a big change. They will have always had the Internet, and they will have always had a world where you can't believe the things you see. They'll just know that.
01:32:39 - Leo Laporte (Host)
And they will just not trust anything they see. Right? That's not right.
01:32:43 - Steve Gibson (Host)
Because I was reminded of that wonderful sci-fi movie. Which was it, where the aliens believed they were receiving our TV transmissions from Earth, and they had no concept... they had no concept of fiction, and so they thought that they were documentaries of...
01:33:04 - Leo Laporte (Host)
"To the moon, Alice!" "Ricky!" Yeah, they thought that was real. They didn't... They thought they were watching documentaries. I don't remember which book that was either, but that was a great idea.
01:33:15 - Steve Gibson (Host)
For me it was a movie. Tim Burton? No, the comedian. Oh boy, I'm blanking on everything.
01:33:28 - Leo Laporte (Host)
Oh, I know what movie that is. That was a great movie. It was a fun movie. Tim Allen, yes. It was a Star Trek movie, except it wasn't.
01:33:36 - Steve Gibson (Host)
Yes. That was actually a great movie. What's the name of that? Sigourney Weaver was there, and a bunch of others. Wonderful movie.
01:33:44 - Leo Laporte (Host)
It was fun. Yeah, I forgot about that. Yeah, well, we'll keep an eye on this. There are also some real benefits, let's point out. We showed a video yesterday, or Sunday, on Twitter of the president of Argentina speaking at Davos. And of course, what Davos saw was simultaneous translation, which kind of took all the life out of what he was saying. And then Alex Lindsay came up with this: a deepfake of it, with true translation and his mouth moving in sync with the English language, and spoken as if he, you know, in his own way, matching his own intonation and prosody, they call it. And it was really much better. So we're going to see some amazing things, some very valuable things.
01:34:30 - Steve Gibson (Host)
So much of the content that Netflix has is in multiple languages, and, you know, if you're not watching the native language of the movie, you know, you're subtitled, and the dubbing is terrible. Yeah. Yeah, and so imagine if they could run their content through that and, like, fix it.
01:34:48 - Leo Laporte (Host)
That's just around the corner. I mean literally this year, kind of thing. Yeah, yeah. Galaxy Quest. So that was the name of the movie. Yeah, Galaxy Quest. Yes.
01:35:01 - Steve Gibson (Host)
So Matthew Burrell said: Quick guidance question, please. What three to four computer languages should I learn? That is, as a kid who graduates high school and looks to start a business that's mostly ground-up, open source, secure from the server side, that can do almost it all, et cetera: backup, database, et cetera, to web interface.
Basically website, login, manage clients, database, other, et cetera. Is there a good platform to start from, like Synology or something, that those languages could be built on top of? Thank you for all your knowledge, guidance and all that you do. Well, Matthew, I presume that you're describing yourself here, so you're a young person who's interested in computing technology and wants to create intellectual property with computers and eventually support yourself. What you need more than anything is knowledge and experience. I told a story many years ago that had a somewhat surprising moral. The story was about my misadventures surrounding my construction of a sonic beam weapon which, being a high schooler at the time myself, I had named the Portable Dog Killer. No dogs were killed.
01:36:26 - Leo Laporte (Host)
It does not kill dogs, it just chases them away.
01:36:29 - Steve Gibson (Host)
That was my name for it. The moral of the story was that all sorts of interesting and unexpected things transpired, but only because I was actively doing things. I was not sitting on my butt playing video games. Okay, so we didn't have video games back then, but there were still plenty of similar ways that my peers managed to burn away the seemingly endless hours of their day not learning anything, not pushing themselves and rarely experiencing anything new. I really didn't have any choice, since I loved electronics back then, as I love computers and computing today.
So if you truly love computers, being active, not passive, is the key. Turn off the video game that someone else created and start figuring out how to create your own stuff. And, more than anything, don't let having no idea what you're doing in the beginning stop you. That's not where you stop, that's where everyone starts. So pick a language, any language; it really doesn't matter which one. Python is nice, general purpose, easy to get going with, lots of help available online, and it can probably take you anywhere you want to go. Figure out how to get it to print "hello world" and you'll be off and going. Then choose another problem that's not much harder than that and solve that one, and so on, and before you know it, you'll be programming. The key is: start. Do it. Get out and do it. Exactly.
01:38:17 - Leo Laporte (Host)
Yeah, I'll give you a couple of specific suggestions. I agree with you on Python. Harvard University offers a free online version of its introduction to computer science course, which is excellent: CS50. They update it every year. It does, in fact, use Python as its core language. Python's nice because it's kind of like BASIC for us. It's not a language, maybe, that you would use for production code, but because it's interactive and it has a REPL and you can kind of try and see what happens and stuff, it's a great language to start learning with. There is a famous and, I think, very good book that you can use. It's free, it's available, it's out there everywhere, called How to Think Like a Computer Scientist, and it is more than just Python. It is a Python work, but it kind of teaches you about the concepts. It's really kind of a classic now, and I think that's a really good way to start.
01:39:17 - Steve Gibson (Host)
And Python is on all platforms.
01:39:21 - Leo Laporte (Host)
It's perfect for what you just said, because you can start right now. In fact, you can get a Raspberry Pi and run Python on it, and you can be doing stuff instantly, almost instantly. So it's a very good choice. I often tell people, just like you: don't focus on the career or the business you want to start. Just start playing with it, because ideas will come to you. This is how you kind of get into it. This is how we got into it. We started playing with it, and if you really love this stuff, as soon as you start doing it you'll go crazy. You'll go, this is amazing. Look what I can do. I can make it say hello a thousand times, or whatever, and you will get excited about it. If you really get serious about learning, like, if coding is what you want to do...
There's another free book that I recommend, called How to Design Programs, HTDP. It was used for years as an introductory course at Rice and at MIT. It uses a student version of a language called Scheme, but the language isn't important. They strip out all the complicated stuff so that you can just focus on concepts, and by the time you get through that, you will really be a proficient programmer, and then the sky's the limit. So, HTDP. There are courses, in fact, at edX.org. edX has CS50 for free, and it has an excellent two-part course on How to Design Programs by a legendary programmer, Gregor Kiczales. I took that, and it was a really wonderful course. But, you know, you could start simple. Just go online, get Python, read this book, which even walks you through how to install Python and everything. That's a perfect book to start with.
Yeah, it's really good. I have a lot of opinions on this, as you might imagine.
01:41:08 - Steve Gibson (Host)
Well, yeah, and I know you've been asked through the years on your radio station. And I love coding. It's so much fun, even if you don't do it for a living.
01:41:18 - Leo Laporte (Host)
It helps you understand how computers work. You'll be much better at troubleshooting and using computers, and it's a wonderful hobby. I don't do anything serious with it anymore, but I love doing those coding challenges and stuff. It's just, it's like doing crossword puzzles. It's fun, yeah.
01:41:33 - Steve Gibson (Host)
Yeah, a listener, d Bluer. He said hi, steve, I'm a computer forensics instructor Cool.
I've been in Canada and I've been listening since episode 20-ish and love the podcast. Thanks for agreeing to push past 999. Hey, I just wanted to see if you think my hypothesis holds up for a 720 plus flashlight app. Did this app potentially get hijacked?
I've had this free flashlight app on my Pixel phone for over a year, as it allows me to control the brightness, since the stock flashlight doesn't have this option. It's been great and simple. I think it used to show a small banner ad occasionally, but nothing intrusive. Today I tried to use it and I got a pop-up video ad playing for about 20 seconds before I could use the light. I thought, okay, maybe they need some money to keep development going. How much can the paid version be? I really like this app, so why not chip in a bit?
$15 US dollars per week, exclamation point. You read that right. A subscription for a flashlight, like four times the price of Netflix: $50 per month, or $720 per year, for a flashlight. My hypotheses are: one, the app developer got compromised or hijacked and someone is trying to scam its users out of hundreds or thousands of dollars; or, the developer had this in mind all along, hoping to get a handful of users subscribed, thinking a flashlight app couldn't possibly be worth more than $15, not realizing it's a subscription. Either way, wow. Is this what our world has come to? Subscription-based flashlights. Anyway, keep up the amazing work. I recommend this podcast in all my courses. The app is called Simple Flashlight, produced by Simple Mobile Tools, and has one million-plus downloads. Wow.
01:43:46 - Leo Laporte (Host)
Who needs a flashlight app?
01:43:48 - Steve Gibson (Host)
Every phone has a flashlight built in, except that this app allows variable brightness, which he really liked. He didn't want it to be just set to blinding, so you can do that. Okay. The fact that this app has over one million downloads, and that it played a 20-second ad video, and that the app is just a once-free flashlight app, strongly suggests that its original developer, who had acquired a large user base, accepted an offer to sell the app to another party. We covered this happening many years ago, also in the Android app store. The developer would be conscientious and well-meaning, perhaps tired of keeping an app updated and current for little to no return. Then someone would come along and offer to buy the app from them outright.
The developer of the free app, seeing one last chance to cash in and make some money, would take the deal and turn over his developer keys to its new owner.
The new owner, a scam artist, would quickly burden the app with crap designed to make more money than the purchase price they paid to acquire the app, which was likely not very much. The scammer would figure that all of those million-plus users would run it and generate revenue from the ad, and, just as our listener suggested, there might be a few, if only a tiny fraction, who might not be paying attention and who would inadvertently subscribe at this inflated rate. Technically, the app's new owner had done nothing wrong, but neither is this a particularly upstanding way to generate income. And anyway, that would be my guess: that the app changed hands, and its new owner decided... I mean, it changed hands specifically so that the new owner could squeeze its install base and, just, you know, basically kill it. And, well, with a bazillion apps on the Play Store, who cares if there's one fewer flashlight app, as you said, Leo, because eventually no one uses it anymore, because it wants a ridiculous payment and makes you watch an ad.
01:46:20 - Leo Laporte (Host)
Yeah, I mean, the fact that he made a flashlight app tells you that he was already kind of a scammer to begin with.
01:46:27 - Steve Gibson (Host)
Michael Garrison said: Hey Steve, I'm listening to episode 957 about the Protected Audience API and I have a question I'm hoping you could help me out with. I work with small businesses who have no interest in putting ads on their site, but I'm wondering whether they can still make use of the new ad functionality. Say a company like TWiT wants to be able to customize what shows they feature on their homepage for new visitors. With the proposed and abandoned FLoC proposal, the bitmap of interests stored by the browser was available to the site itself, so if they knew which bits represented "interest: space," they could alternatively move the This Week in Space banner higher on the page or move it below other banners. With the Topics API, my understanding is that wouldn't have been possible, because the same requester, the ad company, would have to have seen the same browser on multiple other sites, obviously leaving first-party site owners in the dark, probably by design. Now, with the new API, I can't find a solid answer yet on whether the site itself would be able to see what categories of interests visitors might have that are visiting it. I assume it won't be available to the site owners, but if you know one way or the other, I'd love confirmation. Thank you for your great work on the show. Can't wait to see what email system you come up with for communicating in the future.
Okay. My reading and understanding of Google's Privacy Sandbox system, which, I should say, subsumes both the Topics API, which is part of it, and the Protected Audience API altogether, my reading agrees with Michael's. One of the significant objections (I remember, Leo, you talking about this on some of the podcasts after FLoC was introduced), one of the significant objections raised against the earlier FLoC, that was the Federated Learning of Cohorts system, was that a first-time visitor to a site would be disclosing information about themselves to that site without any previous interaction, and many privacy advocates found that to be a big step in the wrong direction. The Privacy Sandbox is vastly more complex than FLoC, and it employs that complexity to effectively blind all of the parties, so that all information flows into the user's browser and none flows outward. And when ads are shown, their fetch and display frames enforce a new level of inter-frame and page isolation. The objections to FLoC taught us that websites are specifically unable to learn anything about their visitors. That was a big privacy no-no that FLoC had, and the Privacy Sandbox enforces that privacy, even for the sites users are visiting, because that's what they want. They want that privacy.
Guillermo Garcia said: I have a question about the washing machine bot. Is it safe to assume that this malware is configured to infect this specific washing machine? In other words, is someone writing code for this model? How can malware infect various IoT devices, or is there a unique one for each make and model? Many thanks, and I'm looking forward to being part of 999 and beyond. Okay, so I'd suggest that the best answer to that question is kind of "all of the above."
In the generic case of scanning the Internet for potential victims, we know that there have been turnkey IP stacks sold into the embedded device market which were later found to contain critical remote code execution vulnerabilities, often in their fragmented packet reassembly implementation, since that's an example of something that's been very easy to specify and turned out to be surprisingly difficult to implement securely. So it would be possible to scan the Internet for any IP presence that could be compromised by such an attack. That might be common to a wide variety of different IoT devices, different makes and models and vendors, who had all purchased this same embedded IP stack to start with. And then we definitely have the frequent and common case, and the washing machine might be part of that too, of a known vulnerability having been discovered in some specific Internet-connected appliance, after which those devices are directly targeted. And then we have the other frequent case of a patch being made to a widely popular device, and that patch being quickly reverse engineered to start an arms race to see how many devices can be compromised before each individual device's administrator has applied the patch to prevent just such a remote takeover. In the case of the LG smart washer, I was wondering myself last week how a remote attacker might have gotten into such a machine in the first place, if that's indeed what happened to cause that three and a half gigabytes of upload bandwidth per day. Any such device would be behind a NAT router that would not be admitting unknown traffic. Now, the washing machine might support UPnP, which would allow it to open a port for incoming traffic, but why would a washing machine need to be publicly visible? Another means of compromise might have been entry through some other means, such as a border router vulnerability, for example, if its owner had enabled remote web administration and a problem had been found there, which, as we know, are not uncommon. Then, once inside the network, a scan would likely have found everything on the LAN, and at that point a known vulnerability in that specific washing machine might have been exploited to install a bot. Or the machine might be running a small Linux, so a generic exploit against Linux could install a generic Linux bot, and then it would have joined a botnet. So, you know, any or all of the above could have happened.
Roger Stenerson asks: Hi Steve, the Protected Audience API sounds interesting and promising. However, the number one reason I use uBlock Origin and ScriptSafe is to block malvertising. Will the Protected Audience API help in that area? To 999-plus and beyond. Thanks for all you do. Best regards. Thank you, Roger. Okay, so I'm pretty certain that individual ads, once selected by the web browser, will still be able to run their own scripts within their fenced frame, fenced frame being the name of one of the APIs, the Fenced Frames API. So we should not expect any added protection from malvertising.
Roger's question caused me to do a bit of digging into the related Fenced Frames API. The fencing that's created applies the same sort of cookie and other asset stovepiping that Firefox implemented quite a while ago. The idea being that, rather than all cookies and other asset storage sharing a single large database which is indexed by the domain performing the access, thus allowing, for example, an advertiser to access information stored under their domain from any website hosting one of their ads... I got myself confused. That's the way things have been. What's happening now, moving forward, and Google is introducing this with this Fenced Frames API, is that, as with Firefox, each first-party website has its own private database containing anything that any third party might set while at that site. But if you go to a different site, that same third party is now setting its data in a completely separate store for that website. So there's no longer any chance for advertisement scripts to share data across sites. So that's what we're getting with the Protected Audience API. But, I'm virtually 100% sure, no explicit malware protection. That still isn't something... I mean, Google is protecting their users against any malicious scripting, whether from ads or not. So we have that. But, you know, malware that presents a link that says "click here for a special discount on your next, you know, on your car insurance renewal," well, you take a risk when you click the ad.
Defensive Computing's Michael Horowitz, who runs a number of sites. One is Defensive Computing. He also has this really great site about router security. He says, Steve, regarding the hacked washing machine, if the router supports outbound firewall rules, the hacked device can be blocked from making any outbound network connections or, depending on the router, perhaps blocked from contacting certain IP addresses or certain domains. Surely, he says, pfSense can do this. Okay, now, of course pfSense will do this, and such firewall rules can be tied to the machine's fixed Ethernet MAC address in case its IP should ever change. You could even make a firewall rule that would track the machine's IP changing to block it.
You know, but I'm not the one with the LG smart washer on the net, so I'm not the one with the problem. I was more referring to the typical LG smart washer owner who would typically have no idea what was going on with their own network. I'm certain that our Security Now podcast listeners could readily block this activity. So really that's not an issue. But Michael added something else that I thought was interesting. He said I live in an apartment building with a laundry room in the basement. Both the washing machines and the dryers report their status to the internet: running, not running, or x minutes until finished. He says this was helpful in the pandemic to avoid personal contact.
01:58:52 - Leo Laporte (Host)
Was your washing machine?
01:58:55 - Steve Gibson (Host)
Yeah well, because it's an apartment building, but it's a common tool, if you're washing.
01:59:04 - Leo Laporte (Host)
You go upstairs and then it lets you know when it's done. Yeah, that makes sense, exactly so.
01:59:09 - Steve Gibson (Host)
Anyway, I had said last week that I could not imagine why anybody would have their machines online. This is a pretty good example. So if you're on, like, the ninth floor and you want to know if the machines are in use before you take the elevator down to the basement and find out that, oops, you know, they're all busy, so that's kind of cool. I can certainly see a use case for that. And finally, Skynet tweeted Hi, Steve, is there really no way for ISPs like Cogent to differentiate between good and bad traffic, so that when a DDoS occurs, they can null-route only the bad traffic? Can you explain why an ISP is not able to do this? Okay, could they? Perhaps the best way to describe it is that doing so, and I'm not kidding you, is beneath them.
02:00:10 - Leo Laporte (Host)
It's not, we just, it's not the kind of thing we as an ISP would do.
02:00:15 - Steve Gibson (Host)
That's exactly right. They simply cannot be bothered. It's just not worth it. I've had about 30 years of experience with ISPs of all sizes and I've seen that the smaller the ISP and the closer they are to their subscriber, the more individualized service it's possible to have.
02:00:36 - Leo Laporte (Host)
I would have Sonic.net. That's exactly right.
02:00:39 - Steve Gibson (Host)
But the top tier internet backbone carriers like Cogent don't need to be bothered with those details, so they aren't.
02:00:50 - Leo Laporte (Host)
In the words of Lily Tomlin we don't care, we don't have to.
02:00:56 - Steve Gibson (Host)
Exactly. If some traffic is causing their downstream equipment any trouble whatsoever, they'll simply drop that traffic as far upstream as it's possible to do so. Now, the other change we've seen since the first early attacks is in their blockability, or lack thereof. The days of the simple ICMP, the TCP SYN packet or UDP reflection floods have waned a bit. Back when spoofing source IP addresses was important to hide the traffic source, they were used. They still exist, but they've largely been replaced by non-spoofable HTTPS query floods, and those require highly specialized services, such as those we often talk about offered by Cloudflare and others, to block. So these attacks can no longer be selectively blocked by simple firewall rules. So, yeah, some ISPs, like Cloudflare, can, lots behind, you know, who are. Just, you know, if you're just getting generic traffic from the internet, you're going to get flooded and your ISP is going to say oh, sorry, and pull the plug on you until the flood stops. That's the way the world is these days.
02:02:22 - Leo Laporte (Host)
But you could get something like Cloudflare or Amazon CloudFront in front of your IP address and protect yourself from that.
02:02:32 - Steve Gibson (Host)
Yes, yeah, now you're paying a price for the protection, right, so you know. So you're getting connectivity and you're getting protection both, yeah, so.
02:02:42 - Leo Laporte (Host)
I think Cloudflare has a free tier. I don't know if it would work for what you want to do. They actually do have a free tier, you're right, yeah. And I'm not sure it's very good, I think.
02:02:49 - Steve Gibson (Host)
Yeah, how much? Yeah, yeah, okay. And lastly, a note about SpinRite, since we appear to be, for the moment, on the cusp of SpinRite's imminent release, so I thought I'd update everyone very briefly, as I planned. After last week's podcast, as I said I would, I finished the work on identifying and patching the known buggy AMI BIOS, which handled USB connected drives, and, after some verification and testing later in the week, I posted the next incremental release of SpinRite. Oh boy, the overall reaction within SpinRite's testing community was jubilation, since, I mean, it was, I got so much, you know, since SpinRite had now lifted what I had been feeling, and I expressed last week, as my previously heavy-handed 137 gigabyte clamp on any and all USB access.
But it wasn't long before reports of new SpinRite crashing began to be seen. People were running SpinRite on their larger drives plugged into a USB port, and SpinRite's own attempt-to-execute-an-illegal-opcode capture screen began popping up. In other words, something, somewhere, a bug in the BIOS, was causing the BIOS to execute an illegal opcode, and SpinRite, which traps those things, popped up a notification saying whoops, something is not right here, and it brought everything to a halt. Well, it turned out that HP and Lenovo and other BIOSes on older machines were also being found, unfortunately, by SpinRite's testers at this point to be buggy and they were altering main memory and causing application crashes. SpinRite's ability to patch the flaw that we found in those AMI BIOSes to allow them to then safely work past 137 gig was a fluke which just happened to work. I couldn't believe it when Paul Farer, like, put some NOPs in the BIOS and suddenly it worked past 137 gig. Again, now I know why, because I completely reverse engineered that aspect of the AMI BIOS. I see what it was doing. I understood why. It was a solid fix, as it turned out, and I added that code to SpinRite.
SpinRite now patches the AMI BIOS and then it works. But in general, altering something as significant as an access size limitation would not be expected to be simple, and it turns out that HP BIOSes are in ROM, so they're not even patchable. Anyway, I have a new plan which I will be starting on tomorrow. I think it's going to work, so I'll have news of that next week, I think. I think I know how to solve this problem, even though it has really turned out to be a sticky wicket. But so many people are so excited to have this ban lifted. I mean, I could just simply put the clamp back on, as it has been up until last week, and we'd be safe, but some of our listeners would be unhappy. So I think I have a, I think I figured out how to slice this thing just right, and everybody will have a win.
02:06:29 - Leo Laporte (Host)
And this is why when I code, I don't write it for any general purpose computing of any kind. There's too many things out there that can go wrong. I just don't want to deal with it.
02:06:47 - Steve Gibson (Host)
When Peter Norton had me up for lunch to Santa Monica and told me he wanted to buy SpinRite, he said, you know, Steve, it's the most requested feature for the users of the Norton Utilities. They all want it. So now I want to buy it from you. Obviously I told him no, which was the best business decision I ever made. He said, and he was, we were very high in a tower in Santa Monica and so he, like, he looked to the south, because that's where I was located, and he said, he said, when I first heard about SpinRite, he said, I thought I was going to look out there and see a big mushroom cloud, because you can't do safely what you were doing.
He said it can't work. But he said somehow you did it, yeah, you pulled it off. So yeah, that was 35 years ago and I'm still pulling it off, and it ain't easy, let me tell you.
02:07:54 - Leo Laporte (Host)
But you know, I think you probably appreciate being able to do it all by yourself, rather than have a team of people and having to kind of get that code to work with this code and all of that.
02:08:04 - Steve Gibson (Host)
There's just too many problems. Actually, what I have is the best of all worlds. It's me in my little hovel, my little cave, and hundreds of testers. Yeah, we have 800 people, see, that's, I think it was 487 people downloaded the most recent release and then ran it and, oh my God, is that important. So it's like it's just perfect and we've got great communication. You know, it's just, it's ideal. And boy, I can't wait to get this done and start on SpinRite 7. Nice. It won't have any of these problems because it won't have any BIOS. Thank God we're getting rid of the BIOS.
02:08:50 - Leo Laporte (Host)
Although that was the thing, right, you were able to do interrupt 18 and let the BIOS do all the hard work, right?
02:08:56 - Steve Gibson (Host)
It's why SpinRite was compatible with everything, right, was that it was hiding behind the BIOS, right, and the BIOS would deal with all of these problems.
02:09:06 - Leo Laporte (Host)
Right, right, right. Now you've got to do it. Now you've got to do it, which is better in the long run, of course.
02:09:12 - Steve Gibson (Host)
Oh, Leo, it's so fast. Yeah, it turns out that my half a terabyte per hour estimate was low. SpinRite is doing better than that. Nice, that's fantastic. It's suddenly really practical.
02:09:25 - Leo Laporte (Host)
Can't wait. So here's how you get it, folks: go to grc.com now. Admittedly, you're getting 6, not 6.1, but this way you're in, you're part of that team of people who are helping Steve make this the best product ever, and you will get a free copy of 6.1 when it comes out.
02:09:41 - Steve Gibson (Host)
And if you get it right now, you can use it to crash your machine, if you have a buggy BIOS and plug in a big drive.
02:09:48 - Leo Laporte (Host)
We call it the buggy BIOS tester. See, I'm thinking you have ValiDrive and you have buggy BIOS tester. It's great, it's perfect. Actually, ValiDrive is another reason to go there. Make sure that thumb drive you're buying actually has what it says it has for storage, and so many other things, and those are all free. ShieldsUP, I mean, he does so much great work at grc.com. That's also where you will find a copy of this show, and unique copies. In fact, he has the 64 kilobit audio that we have. He also has the 16 kilobit audio, which is so scratchy you'll think you're listening to Thomas Edison from 1909, but it has the virtue of being tiny. He also has transcripts that are high fidelity, I mean perfect fidelity, created by Elaine Farris. Go to grc.com. Now if you want video,
that's where we come in. We have copies of the show, audio and video, at twit.tv/sn for Security Now. There's a Security Now YouTube channel which you can, actually it's a great thing to have. If you say, oh, you know what, I gotta, I gotta send this thing to my friend Joe, because he will never, but whatever, you know, you can clip it on YouTube and then everybody can see it. It's a very easy way to do that. We also have, of course, a podcast, so you can subscribe in your favorite podcast client and download it automatically, and in fact, that's probably the best way, so you don't ever miss an episode. You don't want to miss an episode of this. There's something in every episode that you're going to go, oh gosh, I'm glad I heard that. Seriously, every single episode, maybe many, many things like that.
We do the show on Tuesdays right after MacBreak Weekly. That means the time varies, somewhere around two o'clock Pacific, 5 pm Eastern, 2200 UTC. The show streams on youtube.com/twit. We begin when the show begins, we end when the show ends. So if there's nothing there yet, we haven't started yet. But just go there. Actually, you know, if you subscribe, I think, or do you have to hit that alert bell? There's a way on YouTube to get a notification when we start the live stream. That's probably a good idea. And, of course, I should probably mention Club TWiT. If you are a Club TWiT member, we keep the stream going in the Discord all the time. It's a great way to see what's going on behind the scenes before and after the shows, things like that.
Club TWiT members also get ad-free versions of all the shows, shows we don't put out in public, like Hands-On Mac, Hands-On Windows, Untitled Linux Show. A lot of people love that. It's a wonderful show with Jonathan Bennett. Home Theater Geeks with Scott Wilkinson, iOS Today with Rosemary Orchard and Mikah Sargent. That's in there now too. Those are all yours to keep for free. Well, not completely for free, because it is seven dollars a month, oh my gosh.
We've kept it low because we want everybody who listens to our shows to be in the club. We need it. It helps us keep going. It gives us a steady income. Advertising, it turns out, is not the best, most reliable stream of revenue, but you should be.
We have more than 750,000 people listen to our shows every month. 750,000 unique listeners. Right now, let's see, well, let's monitor. It's not on, but it's somewhere around 11,000 members in the club. That means, honestly, we should probably have 739,000 more members. We'll settle for 5 or 6,000 more. Join the club. We want to have you in here and, honestly, if we get to maybe 5% of the total audience, we would have to worry about advertising at all and we could add new shows and we could grow and we could make sure that Steve gets to episode 9,999, and that's, I know, the most important thing of all. Join the club: twit.tv/clubtwit. While you're at the site, take the survey if you haven't done that already. I want to get everybody listening to Security Now in on the survey. That way we know what you like, what you want, what you want more of. That's at twit.tv/survey24, but it's also on the front page. It should be easy to find. Thank you so much, Mr. G. We did it.
02:13:47 - Steve Gibson (Host)
958 in the can. Yep, and we'll be back for 959 a week from now, January 30th. Last podcast of January, the penultimate.
02:13:59 - Leo Laporte (Host)
This was the penultimate podcast of January. As you said, he loves that word.
02:14:05 - Steve Gibson (Host)
Thank you, Steve, I know what it means. Now that I know what it means. Take care. Now we're going to go for farbling.
02:14:14 - Leo Laporte (Host)
I'm not looking it up, I'm not.
02:14:19 - This Week in Space (Announcement)
Hey, I'm Rod Pyle, editor-in-chief of Ad Astra magazine, and each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV, and we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.