Security Now 959 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte & Steve Gibson (00:00:00):
It's time for security. Now, Steve Gibson is here with lots to talk about. Apple's response to the EUS Digital Marketings Act. Yes, the browser ballot is back. How many stolen user database records will fit in 12 terabytes? I'll give you a hint. It's more than the total number of people in the entire world. And finally, Alex Stamos explains what we knew, what we suspected all along. Microsoft has not been fully forthright about this most recent data breach. Learn how it may affect you all. Coming up next on Security Now podcasts you love

TWiT (00:00:39):
From people you trust. This tweet, this is tweet, tweet, tweet.

Leo Laporte & Steve Gibson (00:00:47):
This is security now with Steve Gibson. Episode 959 Recorded Tuesday, January 30th, 2024. Stamos on Microsoft Security. Security now is brought to you by Express VPN. Your phone carrier collects data on whatever it is you're doing on your phone. Verizon is even admitted. They can actually collect that information. They say to better understand your interests, but really they're selling it on legally to advertisers and other data brokers, which is why I use and recommend Express VPN Express. VPN is an app that prevents your phone carrier from being able to see the sites you visit and then selling it on the third parties with just one button. Tap all of your network data gets encrypted and rerouted through Express VPN's secure servers for ultimate privacy even when you're using your favorite apps. Express VPN, it works on all your devices. One subscription can be used for up to five devices simultaneously.

(00:01:51):
You can even put on your router individual machines. Your smart tv. Make it dumb again. Express V PN is the only VPNI use and recommend when your phone carrier tracks you, that is a gross invasion of privacy. You can either keep letting 'em cash in on you or you can stop 'em cold. Visit express vpn.com/security now get the same VPN I use. Take your online privacy back today. Use our link to get three extra months free. That's express vpn.com/security. Now remember that express vpn.com/security. Now it's time for security. Now. Hello. I know you waited all week for this guy to show up. Here he is. All you have to do is say his name three times. Steve Gibson, Steve Gibson, Steve Gibson, and he appears Mr. G. I actually do have clicking one's heels together three times later in the show. Oh my God. Great.

(00:02:46):
Mind. What do you know? That's right. I'm sure that explains it, Leo. That's definitely how it happened. Okay, so we're here last show of what month is this still? January. With a bunch of stuff to talk about. We're going to answer some questions as we always do. What changes will the eus soon to be enforce Digital Markets Act be bringing to Apple's traditional iOS policies. I know that's been a big topic for many of the podcasts on twit recently. There are a couple specific aspects that affect us that we'll be talking about. What OS is ransomware unable to infect? I could give you not 10, not 20, not even 50 questions or attempts to answer that. And I think you wouldn't pick up on this interesting result except that I want to use that os well, you will until you hear what it is. Oh, what has HP done now with their printer ink Policy More nonsense.

(00:04:01):
How many stolen user database records will fit into 12 terabytes? We have the answer. Can't you just delete that incriminating chat stream? Maybe not. Did Mercedes-Benz leave their doors unlocked? What's the latest on ransom payments rates? And after entertaining some questions from our terrific listeners and yes, a long awaited announcement from me. We're going to take a look at Alex Stamos was a little subtleties. I bet you can guess what it is. That one you only need one answer for. I won't say anything. We're going to take a look. All of our listeners know too. We're going to take a look at Alex Stamos reaction to Microsoft's most recent security incident response. Oh, I can't wait. Update. Oh, it's fun. I can't wait. Yeah, it definitely earned itself our title topic for the week and of course we've got a fun picture of the week.

(00:05:06):
So I think another great podcast for our listeners. I'm a big fan of Alex's. He's been on twig many times and twit and he's just so great. He has a real job now. They sold the Kreb Stamos security firm, so he's got a work got absorbed into Sentinel One. Yeah, he's now chief trust officer at Sentinel One. Great. That's great. I can't wait to hear what he has to say. This episode is brought to you by Pant Pan Optica. Cisco's cloud application security solution provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers and Kubernetes environments. Panoptic ensures comprehensive cloud security compliance and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets. Powered by graph based technology. Panoptic a's Attack Path Engine prioritizes and offers dynamic remediation for vulnerable attack vectors, helping security teams quickly identify and remediate potential risks across cloud infrastructures.

(00:06:17):
A unified cloud native security platform minimizes gaps from multiple solutions providing centralized management and reducing non-critical vulnerabilities from fragmented systems. Pan Optica utilizes advanced attack path analysis, root cause analysis, and dynamic remediation techniques to reveal potential risks from an attacker's viewpoint. This approach identifies new and known risks emphasizing critical attack paths and their potential impact. This insight's unique and difficult to glean from other sources of security telemetry such as network firewalls. Get more information on pant's, website, pan Optica app. More details on pant's website, panoptix app. Steve, you got a picture for me? I haven't looked. I do, I haven't looked this week. We answer the question, how do you get hipsters to obey those keep out warnings? Well wait a minute. Let me see. Danger, danger, danger. And you could see we have a hipster approaching in the distance and there's no way she's going to cross that yellow tape line because the sign makes it clear Danger.

(00:07:35):
No wifi beyond this point. And there's also, it looks like another one. I wish we could read this other one. It starts Danger Lost Art, but I don't know. Yeah, I've wondered what that other one down in the corner said. Something law starts something in progress is what I think it says. That's hysterical. So clearly this is a coffee shop with a sense of humor. I think somebody's got a sense of humor. It's got sort of an SR license number, app something or other up. Yeah. And yeah, I dunno what that is. But anyway, I thought that was great and once again, thanks to our listeners for providing me with a constant flow. I've got some in the queue that are really wonderful too. This is really great. I love it. Okay, so in perfect timing, following on from last week's discussion of Mozilla's complaints against Apple, Google and Microsoft, we have the news initially reported by the Verge that Apple will be changing their browser engine policy for the eu, the European Union.

(00:08:43):
Under their headline, apple is finally allowing full versions of Chrome and Firefox to run on the iPhone. And I have a lot more to say about this after I share what the Verge said. What they said was with iOS 17.4 and what are we on 0.3 now I think right? Or 0.3 point something. Anyway, we all updated last week. There was a zero day the first one of the year that Apple had to remediate. It's hard to keep track. We were on 17.3, we had 20 last year, and so we're at the first one here at the end of January. Anyway, apple is making a number. They wrote of huge changes to the way its mobile operating system works in order to comply with new regulations in the eu. One of them is an important product shift for the first time. Apple is going to allow alternative browser engines to run on iOS but only for users in the eu.

(00:09:47):
Verge says since the beginning of the app store, apple has allowed lots of browsers but only one browser engine. WebKit is the technology that underpins Safari, but it's far from the only engine on the market. Google's Chrome is based on an engine called Blink, which is also part of the overall chromium project that's used by most other browsers on the market Edge, brave Arc Opera and many others all use Chromium and Blink Mozilla's. Firefox runs on his own engine Gecko on iOS though all those browsers have been forced to run on WebKit instead. And of course this is exactly what we were talking about last week with Mozilla's complaint that it's like all we can do is put a skin on this thing anyway, which means writes the Verge. Many features and extensions simply won't work anymore. Actually never would work. That changes with iOS 17.4, but does it We'll see anyone building a browser or building an in-app browser for their app can use a non-web kit engine if they wish.

(00:10:54):
And those are the important three words. Each developer will have to be authorized by Apple to switch engines after meeting specific criteria and committing to a number of ongoing privacy and security mitigations. Apple said in a release announcing the change at which point they'll get access to features like pass keys and multi-processing apple's. Also adding a new choice screen to Safari so that when you first open the browser, you'll be able to choose a different default if you wish. Apple is only doing this. They write because it is required to by the eus new Digital Markets Act, the DMA, which stipulates among other things that users should be allowed to uninstall pre-installed apps including web browsers that steer them to the products and services of the gatekeeper, meaning the platform provider. In this case, iOS is the gatekeeper, and WebKit and Safari are Apple's products and services.

(00:12:01):
The same section of the DMA also means Microsoft has to let people disable Bing web search and uninstall edge and it will cause other changes too. And we'll see how that goes. Even in its release announcing the new features, apple makes it clear that it is not pleased. This change is the result of the DMAs requirements. It means that EU users will be confronted, oh no, with a list of default browsers before they have the opportunity to understand the options available to them. Oh boy, the screen continues. Apple also interrupts EU users experience the first time they opened Safari intending to navigate to a webpage. Oh, the horrors Apple's argument for the app store has always amounted to only Apple can provide a good, safe, happy user experience on the iPhone. Regulators don't see it that way, however, and Apple's furious about it. The Verge says again, these changes only apply for iPhone users in the eu.

(00:13:21):
Apple says it allows European users to venture forth to travel without breaking their browser engine, but it will make sure only accounts belonging to people who actually live in the EU will get these new engines, or at least that obstructive experience of having to choose one elsewhere in the world. You'll still be getting WebKit Chrome and WebKit Chrome. Oh yeah. Right. Web kit's look and WebKit itself. Apple argues without merit or evidence says the verge that these other engines pose a security and performance risk and that only WebKit is truly optimized and safe for iPhone users in the eu. We're likely to see these revamped browsers in the app store as soon as iOS 17.4. This is still the Verge talking because I don't think so. As soon as iOS 17.4 drops in March, as in five weeks from now, Google, they write for one has been working on a non-web kit version of Chrome for at least a year, which is really interesting.

(00:14:41):
Makes you wonder what they knew that we didn't. European users are about to get a serious browser war on their iPhones or maybe not. Okay, so before the VIRs piece ended when they suggested that users would see new browsers in March, I was already, as I was reading this the first time, shaking my head since porting an entire browser engine to a new OS is no small task. Putting a browser skin over the web kit engine, which is what everyone else has done until now, is entirely different from running chromium's blank or Firefox's Gecko engines under iOS. And if this will only be allowed for users having accounts based in the eu, I'm wondering why anyone really cares. The branding skin is all anyone sees. And I was watching some of Mac Break weekly, your previous podcast today, Leo and I saw your very Apple knowledgeable co-hosts nodding their heads like Andy was like, and Alex, yeah, I don't care what's under there.

(00:16:03):
So again, the branding skin is all anyone sees. As I mentioned last week, I use Firefox on my iPhone and multiple iPads. To me it looks and acts like Firefox and I appreciate its various features. For example, it's possible for my login to my Mozilla account to function and then sync tabs across my various devices, including my iOS devices. Just now. When I picked it up to double check on that, it asked me whether I wanted to pick up editing this podcast's Google document on my iPad. So again, and we know that for example, add-ons that are Firefox add-ons have no prayer of operating there, but it's still, it's got the Firefox little logo and it looks like Firefox. So I presume that compatibility with the eus DMA, their digital markets act will mean that the sort of link stealing behavior Mozilla was complaining about, which we talked about last week, which continually pulls users back to safari that'll probably actually have to disappear motor.

(00:17:20):
If Mozilla is resource constrained as they presumably are, I would much prefer to have them keep their focus on the desktop where it matters and ignore this as a distraction, which after all only applies to EU territory. So why would they bother to go to all the trouble of porting the true Firefox base over to iOS for a piece of the world when it already looks like everybody has Firefox who wants to, okay. Now before I share the big worry that this story prompted in me, I want to share a bit more about this. The day after the verges coverage, M rumors followed up with a little additional coverage under their headline. Apple further explains iOS 17 point four's new default browser prompt in the eu. So m Rumors said, after updating to iOS 17.4, which is currently in beta iPhone, users in the EU will be prompted to choose a default web browser when they first open Safari.

(00:18:38):
In an email today, apple shared additional details about how this process will work. Apple said iPhone users in the EU will be presented with a list of the 12 most popular web browsers from their country's local app store at the time and noted that the options will be shown in random order for every user as much as ballots in the US have their orders randomized in order to remove the bias of just picking the first one. If you're in a hurry, apple shared as an example, an alphabetical list of the browsers that will currently be shown in every EU country. Okay? So it's a long list. 12 of the most popular browsers. Mack Rumor said we've elected to highlight browsers that will be shown in France, Germany, Italy, and Spain as examples. So, okay, you're in France, you opened Safari the first time, and so these are not randomized, these are alphabetical, right? We have the Aloha browser. What we have, I guess it's better than Ciara. We have brave and goodbye. Let's not forget we've got Brave Chrome DuckDuckGo.

(00:20:10):
Oh yeah, yeah, yeah. That's a browser. That is a zero net zero browser. So they have carbon neutral browser. Yeah, they also have a search that's carbon neutral. Yeah. Meaning what? You have to only inhale when you're using it. Yeah, something like that. They probably, I mean maybe they have green network centers are more likely they buy carbon credits. But anyway, that's their pitch. Well, okay, now we have Edge, we got Firefox. We have the onion browser. I thought that was interesting. Didn't know there was a Yeah, an opera private browser. Deluxe. Yeah, quant and Safari now. Okay, that's in France. Germans, oh, they get their own list. Aloha. Some are very familiar by now. Aloha, brave Chrome. Duck. Duck. Go eia, keep inhaling Edge. Firefox Ivanti Webb at work. Then the Onion browser, opera Safari and u.com. AI search assistant made the top 12 over in Germany.

(00:21:26):
Italy looks pretty much the same as Germany. Let's see, Spain, yeah, pretty much the same as the other guys. So anyway, sort of an overwhelming, like what browser would you like to pretend to be using? They've done this before. This is a, so-called browser ballot and they made Microsoft do this for a while. Wow. Yeah. And were there many when Microsoft did this? Yeah, you had to scroll the page in order to, wow. Is sleep near on any of these? Because that was the one that's the Scandinavian browser that really got a lot of benefit from us. Well, there are 23 other countries in the U that this change applies to. So each country will get its own list owned and yeah, you may be able to find your favorite depending on where you are. So Mack rumor says it's been possible to change an iPhone's default web browser through the settings app.

(00:22:24):
Since iOS 14, apple has now gone a step further and added the default browser prompt in Safari to comply with new regulations under the eus DMA in the eu. iOS 17.4 also allows web browsers to use web engines other than Apple's web kit, which of course is of most interest to us and again, in March this is going to happen. Okay, so okay, this clarifies a few things. If all of these browsers are currently the top 12 most popular in each EU country's regional Apple app store, then they're all, as we know, currently using simple skins over WebKit. Since that's all that's been possible until now, that means that users will likely not initially be changing the underlying engine, just the skin. They'll be prompted to proactively pick a skin. And I imagine that a great many of them, I don't know, given a choice, will opt for Chrome since that's the browser that dominates the desktop that after that, if specific browser vendors see some reason to invest importing the chromium or Mozilla engines over to iOS, then that might happen.

(00:23:48):
Now, the one reason I can see Google investing in a full chrome port is that they badly need their privacy sandbox API to be running everywhere if tracking. Now that's assuming that Apple doesn't port the privacy sandbox API into WebKit, which I hope they do as much in the same way that I hope that Mozilla adds it to Firefox. It's open source. So, and Google would like to see this thing become a standard, but if Apple doesn't do that, Google needs their privacy sandbox API to be running on iOS devices so that when users choose the chrome skin, it's more than just skin. And of course that can happen a ways down the road, right? So in March, people in the EU get this choice and they say, well, what do you know? I want to go with Chrome? And initially, now I should also mention that Google's been working on this port for a year.

(00:24:58):
As I mentioned before, maybe they knew something. So before long it looks like it will be possible to actually have real Chrome and the extended advertising user interest API over on iOS platforms. But again, it's really difficult to imagine that Mozilla would either have the resources or would choose to spend them because this is only happening in the eu. We don't know what the future holds for this. I mentioned a big worry that this announcement triggered to me. What we see here is Apple capitulating to the demands imposed by a regional legal framework. I suppose they have no choice if they wish to continue operating in the eu. The Verge made it clear that Apple is furious about this, but capitulating they are, and this reminded me of the pending European E-I-D-A-S 2.0 legislation. Remember the one which intends to compel the world's web browsers and operating systems to accept without recourse any and all root certificates that the EU may choose to require browsers to honor the eus. DMA is about competition and antitrust. Its aim is to water down apple's vice grip on its traditional heavy handed business practices there. So it's not directly comparable to the E-I-D-I-S 2.0 legislation, but I do get a sinking feeling about this.

(00:26:39):
It may be a good thing that I'm no longer committed as my first and only priority to getting spin, right finished because there may be a need to keep our browsers clean of EU and four certificates if our browsers when we're not in the EU, try to impose those on us. We'll see. Okay. Now Leo, we're going to answer the question, what operating system cannot be infected by ransomware? Under the heading dodged a bullet. We have the news. Okay, we have the news that the third largest bank in the world, which is China's ICBC was hit with a ransomware attack, which got into and would've compromised their entire network. Yikes. Except for one tiny detail running Windows four. I don't know what, believe it or not, in this year of our Lord, 20 24 3 1, the Critical Currency Trading Network used by China's ICBC bank was being run by a Nobel NetWare server.

(00:27:57):
There you go. Nice choice. Excellent job boys, as they say, if it's not broken. Anyway, a Nova net worth server was so entirely alien to the ransomware, which had no idea how to infect the server or get up to any other mischief that nothing happened. Consequently, the bank just shrugged off the attack, cleaned some modern workstations that had succumbed and got on with their day in this year of the dragon. Wow. Wow. Yeah, yeah, they probably have ASCI text terminals and they're typing. Wow. I guess it wouldn't be asci though in China it would be much more tricky. Oh yeah, that's right. I don't know. That's a good question. Okay, so the news that many of our listeners forwarded to me recently was that HP has once again been bricking their printers when those printers are found to contain third party ink cartridges. Here's what nine to five Mack wrote under the headline third party ink cartridges, brick HP printers.

(00:29:19):
After antivirus update, they said HP is pushing over the air firmware updates to its printers, bricking them if they're using third party ink cartridges. But don't worry, it's not a money grab says the company. It's just trying to protect you from the well-known risk of viruses embedded in ink cartridges. What HP has long been known, they write for sketchy practices in its attempt to turn ink purchases into a subscription service. If you cancel a subscription, for example, the company will immediately stop the printer using the ink you've already paid for. In other words, disconnect from the network before you cancel your subscription. Wow, this is just so wrong. hp, CEO, Enrique LOEs somehow managed to keep a straight face. They said while explaining to CNBC that the company was only trying to protect users from viruses which might be embedded into aftermarket ink cartridges. He said it can create issues where the printers stop working because the inks have not been designed to be used in our printers to then create security issues.

(00:30:55):
We have seen that you can embed viruses in the cartridges and through the cartridge, go to the printer from the printer to the network, and then it takes over the world. Ours, Technica asked several security experts, actual experts, whether this could happen and they said this is so far out there, it would have to be a nation state attack on a specific individual who somehow got a cartridge sent to them. Your freak from Russia here, congratulations. Why is the label in Russia printed in Russian? Well, we don't know, but trust us, it's going to be good. Yes, perfectly good ink. So one expert said purely from a threat modeling perspective, I'm skeptical unless it's a nation state doing a tailored attack. Another expert said, as someone who works for a different ink jet print company, I'd say it's pretty terrible engine design if you could maliciously craft a cartridge to contain a virus.

(00:32:06):
Now we're not talking about a liquid virus, right? It's not something that you don't want to inhale. This is like a computer virus on what the chip that monitors the ink level. Anyway, he said the amount of information which needs to be stored on the cartridge is fairly small like a serial number, right? If the data is not in the format, you expect rejected as invalid. And as a matter of fact, HP is known to be quite good at rejecting such things. The last expert asked said, I've seen and done some truly wacky hardware stuff in my life, including hiding data in SPD EE Proms on memory dims and replacing them with microcontrollers for similar shenanigans. So believe me when I say that this claim is wildly implausible even in a lab setting, let alone in the wild and let alone at any scale that impacts businesses or individuals rather than selected political actors.

(00:33:15):
So these experts are recognizing that, well, if you given enough motivation in designing a custom attack in a lab, somehow getting a specific cartridge into someone's printer, maybe, but not like HP is protecting their customer base and the world because you know those cartridges. Anyway, HP is facing a class action lawsuit, no surprise there for deploying the bricking code without informing printer buyers of its intention to do so. The lawsuit explains, this is a class action brought against HP Inc. For requiring customers who had purchased certain brands of printers to use only HP branded replacement ink cartridges rather than purchasing ink replacements from its competitors. HP accomplished this through firmware updates. It distributed electronically to all registered owners of the printers, which effectively disabled the printer if the user installed a replacement ink cartridge that was not HP branded. In the same time period, HP raised prices on the HP branded replacement ink cartridges.

(00:34:43):
In effect, HP used the software update to create a monopoly in the aftermarket for replacement cartridges, permitting it to raise prices without fear of being undercut by competitors. So sometimes you get what you deserve. It's pretty, in this case, it is just over the top bad greed. Yeah, and actually we'll be discussing greed a little bit later today because it seems to be comes up lot a recurring topic unfortunately. So we have a leak that's being called Moab because it's the mother of all breaches, MOAB, totaling an astounding 12 terabytes of data contained within 26 billion with a B database records. So if you were wondering whether you would ever have an actual need for that 15 terabyte hard drive you purchased recently? Well, yes, there would be three terabytes left over after you transferred the Moab breach onto that drive. The super massive leak, as it's being called, contains data from numerous previous breaches, including data from LinkedIn, Twitter, Weibo, Tencent, and other platforms, user data making it the largest collection of stolen user data ever discovered.

(00:36:29):
Data includes records from thousands of meticulously compiled and reindexed leaks breaches and privately sold databases. Bob Chenko, we've mentioned him before, he's the guy who appears to specialize in discovering open and exposed databases online. He was behind this discovery, although the owner of the database was initially unknown, an outfit known as leak lookup, which is a data breach search engine, said it was the holder of the leaked dataset. The platform posted a message on X saying the problem behind the leak was a firewall misconfiguration and how which was fixed. While the leaked dataset contains mostly information from past data breaches, it almost certainly holds some new data that has never been published before. For example, the cyber news data leak checker, which relies on data from all major data leaks, contains information from over 2,500 data breaches with 15 billion records. But Moab contains 26 billion records.

(00:37:47):
That's an additional 11 billion records. That's four people in there are in the world. Yeah, there's probably some duplicates. Duplicates, yes, that is organized in 3,800 folders, presumably 3,800 individual data breaches occurring through time with each folder corresponding to a separate data breach. While this doesn't mean that the difference between the two automatically translates to previously unpublished data, billions of new records point to a very high probability of that being the case that there is some never before seen information. Researchers believe that the owner of the Moab has a vested interest in storing large amounts of data and therefore could be a malicious actor, data broker or some service that works with large amounts of data. The researcher said the dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyber attacks, and unauthorized access to personal and sensitive accounts.

(00:39:02):
While the team identified over 26 billion records. Duplicates are also likely, however, the leak data contains far more information than just credentials. Most of the exposed data is sensitive and therefore valuable for malicious actors. A quick run through the data reveals through the data tree reveals an astoundingly large number of records compiled from previous breaches. The largest number of records, 1.4 billion, just one source, 1.4 billion comes from 10 cent qq, a Chinese instant messaging app. However, there are 504 million from Weibo, 360 million from MySpace, 281 million from Twitter, 258 million from Deezer, 251 million from LinkedIn, 220 million from adult friend Finder, 153 million from Adobe, 143 million from Canva, a hundred, 1 million from vk, 86 million from daily motion, 69 million from Dropbox, 41 million from Telegram and on and on down the list. In addition to data on individuals, the leak also includes records of various government organizations in the us, Brazil, Germany, Philippines, Turkey, and others.

(00:40:42):
If anyone wonders where and how targeted credential stuffing attacks originate, one would need to look no further. The database contains names and addresses, very personal information, password hashes and in the clear email addresses. So the people who discovered this are to some degree, I think understandably hyping it up a bit, but this is not to say that it's not a seriously worrisome collection of potentially potent data. We should also keep in mind however, that it is a collection of data gathered from all previous data breaches. That means that it is aging and is no longer current or at least much of it is no longer current. No one should ever have their security breached. But anyone who is still using 1, 2, 3, 4, 5, 6 as their single global password, which fortunately is becoming quite difficult to do any longer thanks to password policies, if you're still using 1, 2, 3, 4, 5, 6, you should not be surprised if your account were breached.

(00:41:58):
And really no big database is required to even use to even try using 1, 2, 3, 4, 5, 6 in order to get in. So we know that there's something to be said for pulling all this together and indexing it and making it rapidly searchable. That's I think, the threat where, for example, who knows whether the people behind the 23 and me hack took the account data that they could see pulled from a massively large and index database like this to obtain a bunch of hashes which had been reversed, and then use those for password spraying or speaking of spraying, the same thing could go for Microsoft. So anyway, just interesting that we're talking about a single one-stop shop for 12 terabytes of data. You ask what it contains. The answer is, well, what doesn't it contain? Because apparently everything that has ever been breached, that's ever been put out on the dark web or elsewhere has been pulled together.

(00:43:19):
Leo, speaking of pulling together, let's take a break, tell our listeners why we've all gathered here and then well everybody we're to proceed. Well, we've gathered here for you, Steve, but it's thanks to the good auspices of our friends at Collide that we are actually doing this in front of cameras with microphones and the lights are on. So I think that's nice. That and our club TWIT members collide is a very useful tool for anybody who uses Okta. Let me paint a picture for you. When you go through airport security, if you've ever done it in the last 20 years, there's a line where you go through the TSA agents and they're checking your id, and then after you do that, there's another line where a machine scans your bag so they're verifying your identity and the safety of your luggage, right? Same thing happens in enterprise security, but instead of passengers and luggage, it's end users in their devices.

(00:44:20):
Now these days, most companies are getting pretty good at the first part of the equation. In fact, if you're using Okta, you're the best there is, right? You check out user identity, but the problem is nobody's looking at the devices. They just roll right through authentication without getting inspected. In fact, 47% of companies allow unmanaged untrusted devices to access their data. Well, that means an employee can log in from a laptop that has a firewall turned off or a out of date version of Plex on it or hasn't been updated in six months or worse, that laptop could actually belong to a bad actor impersonating the employee using the employee's credentials. Collide solves this device trouble because Collide ensures that no device can log into your Okta protected apps unless it passes your security checks. Plus, you can use Collide and devices without MDM like your Linux fleet, like contractor devices, every BYD, phone and laptop in the company.

(00:45:25):
Visit collide.com/security now watch a demo, see how it works. I think you'll be impressed. K-O-L-I-D-E collide.com/security. Now, thank you so much for supporting the good work Steve's doing here at Security Now. Okay, so federal investigators, our warning companies, which are under investigation that they may not and must not delete chats, and that they must arrange to preserve conversations that have taken place via business collaboration and ephemeral messaging platforms in dual coordinated press releases. Last Friday, the US Department of Justice and the US Federal Trade Commission announced updated language in their preservation letters and specifications documents they send to companies, which fall under federal investigation. The new language updates, evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal. I guess without that, they figured that unless they were very clear what they meant by thou shall not delete, companies could say, oh, well, we didn't know you meant that companies that receive subpoenas or other legal notifications must take steps to preserve chat logs and disappearing IM messages and any who do not will be subject to obstruction of justice charges.

(00:46:56):
The problem of course, is that being charged with obstruction of justice might be better than revealing what they were deliberately talking about and then chose to delete. The Deputy Assistant Attorney General of Justice Department's antitrust Division said These updates to our legal process will ensure that neither opposing counsel nor their clients can feign ignorance when their clients or companies choose to conduct business through ephemeral messaging. And this updated guidance comes as the DOJ faced difficulties pursuing its antitrust lawsuits against Google and Amazon. So there were some targets they had in mind February last year. The DOJ accused Google of lying when it claimed its auto, IT auto suspended its chat auto deletion feature. In addition, the DOJ claimed that for a period of four years, Google trained employees to delete internal chats and move conversations to off the record platforms because it anticipated facing antitrust litigation in the near future.

(00:48:13):
Later in November last year, the FTC accused Amazon of deleting more than two years worth of internal signal employee chats after the agency started a multi-state antitrust lawsuit. I have a representative snippet of the DOJs evidence hiding complaint in their antitrust case against Google it just a few lines it reads. And so this is from the federal complaint says, the newly produced chats reveal a company-wide culture, speaking of Google, of concealment coming from the very top, including CEO Sundar Phai, who is a custodian in this case. In one chat, Mr. Pcha began discussing a substantive topic and then immediately wrote also, can we change the setting of this group to history off? Then nine seconds later, Mr. Pcha apparently attempted unsuccessfully to delete this incriminating message, and there's a reference to a piece of evidence where there's a serial number, but it does have the words goog play.

(00:49:37):
So one wonders what they're talking about there. The complaint continues. When asked under oath about the attempted deletion of the message, Mr. Pcha had no explanation testifying. I definitely don't know, and I don't recall. Like Mr. Pcha, other key Google employees, including those in leadership roles, routinely opted to move from history on rooms to history, off chats, to hold sensitive conversations, even though they knew they were subject to legal holds, meaning after they've been told they need to retain all records, this thing says indeed they did. So even when discussing topics they knew were covered by the litigation holds in order to avoid leaving a record that could be produced in litigation, as the examples below make clear, Google destroyed innumerable chats with the intent to deprive plaintiffs, meaning the federal government and other litigants of the use of these documents in litigation. Okay, so the federal government is making it very clear that digital recordings of private conversations may not be deleted from the moment of notification of pending litigation.

(00:51:02):
If executives wish to hold private off the record conversations, they're going to need to do it the old fashioned way, face-to-face in a private setting with no one recording. And Leo, it sort of begs the question too. What if you use a system where one of its features is not to record long-term history? I guess you're not allowed to is the point, right? But are you allowed to then have a private, you always think, take your clothes off, go in the middle of a field and have a conversation. Throw a big thick comforter, a blanket over yourself. I was watching an old movie called The Yards with Joaquin Phoenix, and he was meeting with, he's a kind of a mobster meeting with city councilman, or I guess he was a borough president, and the borough president made him take off all his clothes, and then he took off all his clothes before they had a conversation to make sure that they weren't wearing a wire.

(00:52:11):
So there's a longstanding precedent for this. I guess I, it's pretty funny. The only way to be sure, but I'm guessing that they can't say, you may not have any conversations in person. The court can't say that, but they can say, you may not use any technological means that don't leave a paper trail. Right? I guess they can. I think that must be what they do say. Yeah. Isn't that interesting? Yeah. Yeah. Okay, so here's one that'll really well really ruin Mercedes Day. Mercedes-Benz accidentally exposed, putting it mildly would be a trove of internal data. Not a Moab, but a trove. It's not a Moab. No, it's a trove. By leaving a private key online that gave unrestricted access to the company's source code. Yikes. And that key was there exposed for more than 90 days, almost 120 days before it was discovered, and responsibly reported by a co-founder and the chief technology officer for the London based group.

(00:53:37):
Red, sorry, red Hunt as in for red October. Red Hunt Labs. Let me guess. They pushed it into a git and published it. Did they really? Oh, that's hysterical. What Red Hunt discovered during so easy by accident, I got to say. Yes. Yes. What they discovered during a routine internet data scan earlier this month, earlier January, was a Mercedes employee's authentication token sitting in a public GitHub repository. This token served as an alternative to using a password for authenticating to GitHub. As such, it would and did grant anyone full access to Mercedes GitHub Enterprise Server, which would in turn allow the download of the company's entire collection of private source code repositories. Red Hunt said that the GitHub token gave unrestricted and unmonitored access to the entire source code hosted at the internal GitHub Enterprise server, the repositories. Now, here's where it goes from bad to worse.

(00:54:54):
The repositories include a large amount shy of a Moab, I agree, but still of intellectual property. Get this connection. Strings, cloud access keys, blueprints, design documents, single sign on passwords, API keys, and other critical internal information. Red Hunt provided evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services, keys, a SQL database, and Mercedes source code. It's not known if any customer data was contained within the repositories. This is why we're glad we drive BMWs. Oh, wow. Wow. But it's so easy to do. You go get AD and then you push it and it's all there. Yes. Last Monday, TechCrunch serving as a middleman for Red Hunt disclosed the security issue to Mercedes. On Wednesday, a Mercedes spokesperson confirmed that the company revoked the respective API token and removed the public repository immediately. They said, also, we can confirm that Internal Source code was on a public GitHub repository by human error, the security of our organization products and services is one of our top priorities.

(00:56:33):
We will continue to analyze this case according to our normal processes, depending, depending on this, we will implement remedial measures. Now, since the exposed key was first published last September, it sat there through the balance of September, all of October, all of November, all of December, and most of January of this year. What's not known is whether anyone besides Red Hunt may have discovered and taken advantage of the exposed key and weren't forthcoming as Red Hunt immediately was Mercedes declined to say whether it is aware of any third party access to the exposed data or whether the company has the technical ability, such as through access logs, to determine if there was any improper access to its data repositories. The spokesperson cited unspecified security reasons. We've previously, of course, and to your point, Leo covered that GitHub has begun proactively scanning repositories for these sorts of inadvertent disclosures when they recognize them, but they don't know everybody's format of anything that they would consider sensitive.

(00:57:59):
So easy to, they're doing the best job they can. Yes, it is. I guess the question is, why are companies using GitHub instead of their own GIT servers? Yes. Our software and intellectual property management systems have become so complex and interdependent that they have also become brittle to these sorts of human errors, and I don't see that changing. We are moving in this direction, and they provide a great deal of power and flexibility and leverage. But as you said, boy, if you make a mistake, it also amplifies the mistake just as much as it amplifies the power that it provides when it's all working correctly. Wow. The good news is fewer ransoms are being paid. The number of ransomware victims who opted to pay ransoms fell to an all time low by the end of last year. The cybersecurity firm, Cove Ware, we've talked about them before.

(00:59:10):
They track these things, estimates that only 29% of victims paid ransoms during the fourth quarter of 2023. That's down from 85% who were choosing to pay back when we began talking about this, and when they started tracking it, which was the first quarter of 2019, so four years ago when this all began to really ramp up. So 85% initially, now we're down to 29%. So that's great ware attributes, the fall to improved data, backup and recovery strategies in corporate environments and companies getting smarter about not trusting empty promises made by ransomware groups. So it's like, yeah, I mean, here we are years downstream.

(01:00:07):
Not only does the Ccio absolutely know about this, but there's no way that the CEOs and COOs in these organizations are not all aware of the threat posed. And somewhere along the way said to the CIO, what resources do you need that you don't have? If we get hit by ransomware, we don't want to be taken down. So the world has changed. That's good. Okay. I have some feedback from our listeners, Conrad. He tweeted, Steve, please take a deeper dive into the technology behind verified camera images. My gut reaction he writes is, you've overlooked something because public key cryptography should allow the images to be verifiable and unmodifiable. Okay? There are, without a doubt, many amazing things that public key crypto can do, and I am deeply enamored of them. That's what I built the whole squirrel system around. It was all public key crypto based.

(01:01:21):
But in the case of the verified camera images, you must ask yourself, what could a camera contain that cannot be copied by someone who gets their clutches on such a camera? I contend that anything a camera can know, someone can find a way to pry out of that camera to duplicate whatever it knows, and in doing so, duplicate its ability to make a strong assertion of it. Image's, origin. In other words, this entire system to depends upon the camera, which is out in public, being able to keep a secret and everything we know tells us that's almost certainly not possible If someone is sufficiently motivated, the most common application we have today of public key crypto is the dynamic creation of secure connections to remote web servers where those servers are asserting their identity. Only one thing allows that system to work, which is that those servers are not accessible to others.

(01:02:47):
If they were the secrets they're protecting could be stolen and others could impersonate them. That's the difference in the security model of the camera versus a remote server. It's the remoteness of the server that allows it to protect its secrets. The fact that it can only be accessed through a carefully managed TCP connection, the infamous Heartbleed vulnerability demonstrated what would happen if server secrets could be accessed through a side channel. The server's secrets would be compromised. So it's not that the public key crypto doesn't still require secrets. It does. It's just that only one side of the transaction needs to be able to keep something secret. Unfortunately, when a camera is signing the pictures it takes, it's the private key that the camera is using to perform the signing that needs to be kept secret. Building a state-of-the-art hardware security module into the camera, which is I'm sure what they've done will likely make it as difficult as possible to extract the HSMs key.

(01:04:11):
The unanswered question is, will it be difficult enough? And this is one only time we show this, one of the first cameras to do this. This is the like M 11 P, which is supporting the content authenticity initiative watched by Adobe, Twitter and the New York Times. And it's exactly as you say, and by the way, it may be that it is difficult to do that, and that's why it's such this is a $10,000 camera. Why it's starting here is that they probably did build in a secure enclave. I mean, it must have, right? Oh yeah. I'm sure they went to every length they could to keep anybody from ever extracting its private key. And the thing of course that happens is you could strip it out, you can get a JPEG of the image that doesn't contain it. What's interesting about this, though, I think it's kind of cool, is it's signed when you take the picture, and it's a form of metadata, but it's not in the X if it's signed.

(01:05:16):
And then when you modify anything that's also recorded when you modify it in Lightroom. So there's a chain of custody, which I think is very interesting. Yeah. The Adobe software maintains a complete audit trail of any changes that are made to the image. So you always have those and you're able to rewind it all the way back. So I think the main point, I guess, is that you'll certainly see images that don't have these credentials, but if you see an image that has the credentials, you're supposedly going to be able to say, oh, I see who took this and I see how it was modified. Is this an actual recording of something that really happened? And yeah, I guess the only way that could be forged is they'd have to get the camera and somehow get their credentials out of the camera. Well, yeah. And that's just it is that everybody, these cameras will be floating around now. Now, maybe, and it's probably the case that every camera has a unique private key. I think that's the case. Yes. So it would be this camera signed, this is alleging that it signed this image. So what they could do is make any extraction of the key, a destructive process. So the point being that the only way to really pull off a spoof would be to arrange to extract the key, excuse me, and leave the camera still intact and its owner not knowing that anything had been done.

(01:06:54):
But in general, the problem is, the idea is that it is being put forth as the means of detecting any spoofing of the image. And so that images signed with the CAI system are trusted at a higher level. And that will be true until I'm sharing a piece of research a couple of years from now, from the guys, as you said, from the university, the University of the Negev who were able to hear a conversation across the quad by bouncing a laser off of a plant leaf. Those guys are going to say, well, yeah, unfortunately there's a side channel attack that was available. We were able to aim our sniffer at it while we took a picture, and now we know what the key is. Steve, you trust a credential from an iPhone, right? I mean, that's a similar thing with a secure enclave and so forth. That hasn't been Craig's, right? So I think it's similar to this. Anyway, you've given it a good excuse to buy this $10,000 camera and report back to you. So I will just pick one up and Leo, you one. It is crucial. It's now tax deductible thanks to you. It's crucial that the pictures you take of Lisa's birthday party be authenticated, authentic only. Absolutely, yes. And unmodified.

(01:08:32):
Okay, so yeah, okay, now I have to get, anyway, I got your approval. I just think get leases now. We're set. That's right. Good luck with that. It's for work, honey. JG 1 2 1 2 G. He's tweeted. Hi, Steve. I was just listening to Security now and got hooked into the $15 per week flashlight story. I had to look into it. I found it on the Play store and followed the link to their website, simple mobile tools.com. He said, I thought, very strange. The site says open source and free. So I clicked on the GitHub link at the bottom. Sure enough, it's open source. So I looked at the developer's page on GitHub, and that's github.com/tibi. He says, wow. His graph shows he was extremely active up until the end of October, 2023, then completely stopped. He says, that's so strange. I would really like to know what happened to him.

(01:09:37):
If you hear any news, please let us know. I love a good mystery. Thanks, Jason. Jason, ask and you shall receive our listener. Mega Scrapper brings an end to the mystery mega scrapper. Tweeting from at Mega Scrapper says, hi, Steve. I'd like to follow up on last week's listener feedback about the absurd subscription prices for a flashlight app. I was made aware of the entire simple mobile tools suite, which includes simple flashlight after watching a video by Brody Robertson, and again, we have a link in the show notes for anyone who's curious. Unfortunately, he writes, what happened with Simple Flashlight was exactly what you presumed in your reply to that listener last week with very little notice. The owner slash primary maintainer of the app sold the entire suite to an Israeli publisher, Zippo Apps, which is, that's all good old zippo, which is notorious for the practice of acquiring existing apps and slapping on an outrageously expensive subscription plan.

(01:10:54):
But not all hope is lost. He says the entire suite is open source, GPLV three licensed and one of the maintainers already forked it under a project called Falsify, including Simple Flashlight. It seems to be still in early development, and I can't find the app on Google Play Store, but keep an eye out when it gets released. Thank you very much for your work. Look forward to 9, 9 9 and beyond. Okay, so thank you. Make a scrapper for your follow-up on this, and for the information that this is the sort of thing that happens with highly popular apps in the Google Play Store. The description for the video that he linked says, I was a fan of the simple mobile tool suite for a really long time, and then out of nowhere, the developer, Tibor CAPTA just sold the entire project and ran away with the bag.

(01:11:56):
Would you say, luckily it's capta capta. That's very good, Leo. Yes. Wow. He says, so. Anyway, it was, we would agree it's certainly Ty Bo's right to do whatever he wanted to with his own intellectual property. It's clear that since the entire project is open source, it was his project's developer keys that was of actual value because they allowed its purchaser to take over the official popular app and then upgrade it into the existing channel of owners. And boy, this caught everybody's attention, John Daigle, he tweeted, Hey, Steve, in response to the flashlight app story, first to access the flashlight brightness, swipe down from the top right to get control center. Okay, so now he's talking about iOS rather than Android. He says, long press, the flashlight icon solved. Okay. I tried it on my iPhone and I was amazed. I tried to tell you this last week. You did tell me, but I didn't know you meant iPhone, Leo. It has four levels of brightness I never knew. Now, this is super useful to me. Since the flashlight defaults, it's really bright to a setting that should be labeled visible from orbit.

(01:13:38):
All I want to do is I want to read the menu in a darkened restaurant. I'm not trying to signal aliens for pickup, so I immediately set it to its lowest level, which will be much more appropriate in the future, and it won't blind my fellow diners if I inadvertently pass its laser beacon across their vision. Okay. Before I get to John's second point, I just want to mention something that's quite annoying. I have this dull sense that there is vastly more available from today's iPhone than I'm aware of, but how would I ever discover this on my own? I guess I just have to sit around and press on everything to see if anything happens, which is annoying. The original concept of the graphical user interface was that it was discoverable.

(01:14:39):
What was so cool about it was that you had nested dropdown menus running along the top of the screen. Unlike the text command interface that preceded them, you could sit down and run the mouse around the screen and find everything that you might need. Today, it's easy to do the basic things for the phone, but it's annoying to imagine just how much more remains hidden behind the need. And here's where I said at the top of the show, you need to click your heels together three times in order to discover something. How would you know just as Dorothy had no idea how to get home to Kansas? John's second comment. I recently ran across another long time Trusted app that was sold. It's the super excellent network toolbox on iOS. I think it's been mentioned on security now in the past. It has a host of powerful networking tools, but the longtime developer sold the app sometime late in 2020.

(01:15:42):
When I first opened the app after recently resetting all settings, I got the Network Toolbox wants to track you across websites alert. He said the sales slash transfer was all silent. As far as I'm aware, considering the app has a lot of sensitive functions, the trustworthiness of the developer is rather important, so beware and all of these stories got me to thinking that perhaps Google and Apple really ought to consider adding proactive notification to apps when their ownership changes hands. Oh, I like that. Yes. Yeah, I've never participated in such a transfer, so I don't have any clear sense for whether a developer might simply turn over their entire online identity to a third party purchaser or whether there's some more formal and controlled process for doing so. But if it's knowable to Google or Apple, it would seem useful to add a bit of friction and visibility to this otherwise very slippery and transparent process. There's a lot of trust that's built up over time, so if that publisher changes, it seems to me that those being asked to trust someone new should know, and this is a big issue, as you've mentioned in Google Chrome extensions where this seems to happen a lot. So yeah, I mean, I think with the Apple thing you kind of have to have a developer account, so they should know. They should be clear. I think if it moves to a different developer.

(01:17:35):
Brian Doyle tweeted, well, he brings us another example of Mozilla, which they could add to their growing list of good luck with that grievances against the tactics being employed by those who wish to use their own platforms to their competitive advantage. He tweeted, hi Steve. I came across this message while looking for a way to save full web pages into OneNote and had to laugh at Microsoft implying that Firefox is not a modern browser thought you might enjoy. Here's the original site, and I went there too and grabbed this screenshot. It's onenote.com/clipper, C-L-I-P-P-R. If you go there and Firefox up comes State-of-the-Art Looking website, and it says right off the top of the screen, OneNote Web Clipper is no longer supported on Firefox browser and works best using a modern browser. Oh boy. Like Microsoft Edge. Oh boy. Yeah. Not that stinky old Firefox. Oh yes, so out of date Firefox.

(01:18:52):
Oh yeah, that's right. Come on. Geez. So, wow, that's sad. Cheap shot. It really is. It's a cheap shot. Yeah. Someone who's Twitter handle, I didn't really get until I said it phonetically is S-H-I-P-R-K-T. Clearly shipwrecked. He said, hello, Steve. I hope you don't mind me sending you a message. No, that's Twitter. Could you discuss on a future Security Now episode why Credit Karma is storing over one gigabyte of data on my iPhone? Yikes. What on earth? Yeah, what on Earth uses that much data for a credit app? Thanks for your time. Okay, so as I said, if I don't mind receiving messages, which is why I go in search of them for every week for the podcast, but neither do I have any idea why the Credit Karma app might be storing over one gig of data on anyone's iPhone. One thought I had was to wonder whether this one gig might include the app itself.

(01:19:59):
In that total, one of the sad trends we see is applications becoming increasingly and in fact obscenely bloated. They evidence no respect whatsoever for the user of their apps. I'm sure that very few consumers are even aware of this, which is why there's little cost associated, reputational cost associated with being so careless with the consumption of other people's storage. Anyway, curmudgeon rant off. I would love to put this question to our listeners who we know are quite resourceful. I poked around a bit, but I didn't find anything obvious about Credit Karma's iOS app resource consumption, so if anybody finds anything, I'd be happy to share. I would. I mean, you could just delete it when you delete something from the iPhone, it says you want to delete the associated data. You say Yes, install it again, log in again, and I don't think you've lost anything from Credit Karma.

(01:21:02):
It may be that it's recording every transaction you make, and that's added up over time, but I think starting over probably wouldn't hurt. They should be storing that on their servers, not yours personally. Yeah, that's a very good point, Mark Guy, and it looks like from his Twitter handle, it's SD twit guy. He appears to be a fan of the network or Twitter. A lot of people call Twitter twit, which blows the hell out of me. That's a very good point, but he, he has also listening to security now, so he said, I heard your comment about staying on Windows seven on the 1 23 24 podcast last week. He said, my main system is Windows seven ultimate. They'll have to pry it out of my cold dead hands. He said, it's stable, it runs perfectly. I subscribe to Zero Patch and still get updates for Ms. Security Essentials.

(01:22:03):
Plus I use Malwarebytes Premium, never had any problems, plus I know where everything is. I bought a used Windows 10 laptop and I can barely find anything. I also am an avid fan of Windows Media Center. Nothing else comes close to its functionality. It's how I watch and record tv, so I will never update my system. Yeah, it will remove it if you do so. He's probably right to stick with seven. Yeah, yeah. He said, I'm also a huge sci-fi fan, and I love in all caps that you and Leo talk about your fave sci-fi authors books and series. Thank you. Okay, so I wanted to mention two things from Mark. I know that Mark and I are far from alone among the listeners of this podcast. Just like with that Nove NetWare server, it's working, so don't mess with it. And yes, at some point I'll rebuild my machine around Windows 10.

(01:23:05):
Since I'm an MSDN developer, I could still actually register a new machine as Windows seven, but I'm not totally insane. I'm typing this into a Windows seven workstation, mostly because moving to Windows 10 would take a non-zero amount of time, and like Mark and many of our listeners, why bother when this 64 bit edition of Windows seven is working fine for me? The second thing I wanted to mention follows from Mark's comment where he said, I'm also a huge sci-fi fan and love it that we talk about this job. I've been intending to mention that after investing in about six of those Eon 14 novels, the ones invariably featuring voluptuous, heavily armed female commandos on their covers, despite the fact that another hundred or so of those novels remain, I had finally reached my limit following a number of recommendations. I gave the Expeditionary Force novels a try, but they just didn't grab me.

(01:24:13):
They're written in a first person narrative style that just didn't work for me, and I kept waiting for something to happen. Now, my trouble might be that they're a bit too realistic and not that much actually happens in life. Once you've read much of Peter Hamilton's work, you're somewhat cut loose from the need for an excess of reality, which never, never kept Peter from telling a story. But in the meantime, Rick Brown, spelled RYK Brown, the prodigious author of the Frontiers Saga series, had dropped a few more books in his third of five planned 15 book story arcs. Since we're up to book 10 in arc number three, we've passed the halfway point.

(01:25:08):
75 books is what he is got planned. I've turned a number of my very close friends and family members onto this series, and I have been unable to shake them loose. They want nothing to do with anything else. They just want more Rick Brown. As we know, I've wandered around. While I've been waiting for more, I happily consumed the entire Silver Ships series following another recommendation from a listener and of course some of those Eon 14 series. Anyway, I'm bringing all this up because Rick Brown's writing style, his deep characterization, his perfect management of a large and growing number of very different and distinct characters, and the fact that you never need to wait long for some action continues after 40 books, which is how many I've consumed to be absolutely enjoyable and gratifying. All the books are available under Amazon's Kindle Unlimited plan and as audio books from Amazon through the 19 years of this podcast, we've shared our discoveries of many terrific books for sheer solid entertainment value. I think this series deserves everyone's attention, so I just wanted to be sure that, again, it was on everyone's radar. A couple last things, DLE von Dazzle tweeted. Quick question. Yes, Mr. Dazzle, DLE Von Dazzle, he said, as you are an avid user of Windows seven, how do I continue to use websites that use HSTS? That's HTTP, secure Transfer Security, SSTS. I've forgotten what it's, I know what it is. I forgot the abbreviation. Yeah, something like that. HSTS.

(01:27:14):
Anyway, someone will tell us Anyway, he said, it's a new install on an Oldish Lenovo idea pad all in one. So he recently installed Windows seven. He says, is there a way to update the SSL libraries as none of the update managers for different music production applications I own seem to work either. He finishes Keep up the amazing work on spin. Right, and here's to episode 9 9 9. Okay, I'm having no trouble with Windows seven and HSTS sites such as GRC, which was one of the earliest to adopt HSTS, even though I've forgotten what it stands for and its permanent registration in Chrome, which GRC also was an early adopter of under my WIN seven setup notes. I have a subdirectory named before registering or installing WIN seven updates, and that subdirectory contains three specific Microsoft updates. There is an SHA 2 56 update, a servicing stack update, and an update, which is KB three ten two eight ten.

(01:28:35):
From my notes, it appears that you should find those three individual standalone updates and install them in that order. Then you can successfully bring Windows seven current and all should be well. So the fact is Windows seven, which was first published in 2008, yes, it's showing its age. It didn't support signing things, things being with SHA 2 56. It only knew SHA one and so that would explain why he's unable to update his other, what was it? Different music production applications. Their updating systems are probably using SHA 2 56, which Windows seven does not support. Out of the box you need to install the SHA 2 56 update for Windows seven. Then it will probably work, and are we finally, almost couple left. A listener who asked to remain anonymous said, Steve, my company is switching to Bit Warden from LastPass as a result of me raising the issue a year ago, which is a result of your discussion on the podcast.

(01:29:51):
Please keep this anonymous if you mention it on the SN podcast. My question is, can I get a readout from you on the advisability of adding TOTP time-based one-time password codes and secrets into Bit Warden so that it can fill in the field on sites you're logging into? He says, personally, it gives me a Gibson response and feels like all your eggs are in one basket. If you do that, what do you think regards longtime listener, et cetera? Okay, so we've mentioned before about this, but it's worth just covering again, and I know that Leo, you Concur since I've heard you say the same thing on other podcasts, but I've also had some time to think about this and perhaps to mellow about it a bit. I understand the convenience, but it's also true that it represents a classic trade-off between convenience and maximum security.

(01:30:58):
My honest feeling is that the actual risk of having all the eggs in one basket is likely less significant than the benefit that comes from ease of use. That is the risk is less of a concern than the benefit it provides in terms of ease of use. So if for example, it was ever a matter of not registering and using a time-based one-time password due to the inconvenience of needing to use a second authentication device, which would be more secure, and for example, last week Paul Ott was explaining this wife has absolutely zero interest in anything that gets in her way. Then yes, it would be better to have bid warden able to automatically fill in the one-time password field than not to use Time-based multifactor authentication at all. I have no problem keeping my one-time password tokens in my iPhone and in manually transcribing them.

(01:32:11):
I don't have to do it that often, and I really appreciate the real true sense of security I get from that, but that's just me. So better to use any one-time password than none, even if it's being automatically filled in by the browser and if given a choice, it's better not to have the browser filling it in, even though the actual danger I think is realistically small bid warden wouldn't have done it if it was really a big problem. They did it because it's like, okay, you still get all these benefits from a one-time password. Why burden the user if we could do it for them, if there were some way they could separate, like keep the TOTP secrets in a vault somewhere on a different country from where the in case there's a breach. That's the fear, right? Somebody in the LastPass breach, if somebody had gotten both LastPass password vault and the TOTP secrets, which many people did use in last best, then you would not be quite as secure.

(01:33:18):
So if there could be, you can with Bit Warden on a personal account anyway, store your vault yourself. Maybe if you just stored, I wonder if you could separate the TOTP database out. I'll have to look into that, but you're right. You know what, I'm sure fine. You know what, use scrt or I guess you have to use Argon two as your pvk DF two, use a really long miserable master password or better yet, pass keys. I've been using Keys now with Bit warden for passwordless login, and while it doesn't work everywhere, it's very convenient where I can use it. We're putting PAs keys in Bit Warden might as well put your TOTP secrets in there too, right? Yep. Yeah, I agree with you. Convenience, yep. Yeah. Again, it better than not using them at all. Way stronger than just a username and password. So if that's what it takes, do, it depends on your threat model.

(01:34:17):
If he's working for the NSA, well, then you should do something else. Yeah, George Pal, he said, that's at Pal George. He said, Steve, I'm a devoted listener and longtime spin right owner, though I wish it worked on Max. I gave up Windows completely years ago. Okay, George. The good news is I made some changes a few months ago to allow spin, right? Six one to run on max where it can means Intel max, where it's possible to boot from a USB or a cd, typically through bootcamp. The previous trouble with spin right on Mac had been with the keyboard since spin, right? Was accessing the keyboard hardware rather than using the bios. I changed that so that spin right could work with some less PC compatible Dell machines, and we got Mac compatibility in the bargain. Nice. A number of testers have confirmed their ability to now run spin. Right on Macs, you were using the brings me line for the bios on the keyboard.

(01:35:30):
Yeah, they are. Well, no. Even PCs that use USB keyboards do take the time to stuff the keyboard data into low ram, which is what the hardware does. Mac doesn't do it, so the Max PC emulation is slightly less compatible than all the others, and I am finally able to announce, yes, I need drum rolls, please. After more than three years of work, I am completely satisfied that spin right six one is as good as it can be and that it is finally ready for release. There is nothing left I'm aware of that could be done to further improve spin right's functions. I could keep fussing with it forever adding this or that convenience feature around the edges, but it's already received a large collection of new convenience features, and it is by far the best spin right that's ever been created. It's been proven to work in every environment that it's been placed in by more than 818 testers who've registered with our GitLab instance and who've obtained it through my release announcements in GRCs web forums.

(01:37:01):
It's finally done. Hallelujah. Wow. Officially, its code still calls itself release candidate six, and it makes sense to let it rest for a bit before it's moved to final release one since I would prefer not to have to be tweaking the code after it's been released and there's really no hurry while the paint is still wet and drying. I'll be working on spin right's documentation, which will all be browsable and explorable online since many people prefer to click on a video than to read text. I'll also create some video walkthroughs as I did for read speed so that someone can get a feel for what spin right looks like while it's running. Nice. Next, once the documentation is finished, I'll be bringing GRCs long awaited email facility online to get our promised incoming email bag set up to receive incoming mail from this podcast's listeners.

(01:38:06):
So many people have written that they had to painfully log into Twitter to get a note to me. Anyway, I get it. That'll finally be changing and I'll create a weekly mailing list for this podcast so that those who would like to receive a weekly summary and link to the show notes will be able to get that as well. I'm sure I will continue posting on Twitter. I'm not yet sure whether I'll continue monitoring incoming tweets and dms there. I'll just play that by ear. I'd very much like to consolidate the channels that I need to follow. An email is the most universal medium, which we all share. I've had so much positive feedback from people saying, yes, yes, yes, please just let me use email. And once all of that is in place, I'll finally begin the process of notifying all 20 years worth of spin rights past purchasers, since I imagine many of those 20-year-old email addresses are no longer valid. My plan is to send out the announcements of the free availability of 6.1 starting from the most recent and is gradually heading toward the least recent so that What's the oldest, I'm not the oldest account. I'm not seeing a hundred percent bounces of everything. Yeah. Who's the longest owner of Spin right after you?

(01:39:37):
Well, I mean, this is only, my online database only goes back to 2003. And it's funny too because Laura and I had Sue my employee for the past 40 years over to dinner, and we were talking about this because once six one is available, we're not going to continue allowing people to upgrade from earlier versions of spin, right? Because it's been 21 years. Yeah, I think that's fair. It's just ridiculous. It's like, come on, guys. So she was excited because that meant she no longer needed to run Fox Pro in a DOS Box. Our original database where from every single person who ever bought any copy of Spin right, is in a Fox Pro database, which we call Dino because yes, it is a, it's a dinosaur boy dinner parties at the Gibson's. They're really, the conversation is fascinating. Actually. There's quite a few people listening right now.

(01:40:52):
Would love to have been at that party. Well, that's great. Congratulations, Steve. That's really good news. That's great. So look for your email if you still have that account from all those years ago. Well, and the reason I'm bringing it up this way, I did some research in the last week about emailing and the world has become such a sewer with spam that GRC cannot just suddenly start sending out email in great volume because we don't have a reputation. So the beauty is by using the security now email and having people sign up and I'll send them a confirmation, that's a better, there you go. That way the world will start seeing GRC doing mail, which is valid, and it's being accepted by people instead of, what the hell is this? And that'll allow us to establish a reputation, and it turns out reputation matters in the same way that it does with the use of a digital certificate to sign software, and I'm not in a big hurry.

(01:42:02):
I don't have to notify everybody in one day. I'll just let it kind of dribble out slowly over time so that again, we're not setting off any alarms in the anti-spam centers of all ISPs in the world. Actually, I should have asked you about this because starting February 1st, Gmail is going to require that all messages are authenticated with a C and SP, F and D Kim. We already have been for quite a while we're SPFD, Kim D and dmar. In fact, there is an amazing site, you have to go look at it. I think it's called Learn DA. Lemme see if I can bring it up. Not the easiest thing in the world, I can tell you right now. So over-designed, oh, there it is. Yeah. Learn dmar.com. This guy, whoever he is, he's a man after my own heart. So over-designed this thing.

(01:43:10):
It is a gorgeous site, so he gives you a one-time use email address to which you send any piece of email that allows them to pick it up and then check all of your security settings. SPFD, Kim and DM A C, which basically uses SPF and D Kim and verifies all the proper security settings of whoever it is who's sending out email on your behalf. And I passed all of the tests with flying colors, but it was just a beautiful experience. He's got stuff floating around the screen to fill in the fields. It was delightful. So learn, lemme send him some email. I'm pretty sure I use, of course, fast mail our sponsor and I'm pretty sure that Fast Mail is doing that all for me. Even I didn't fill out anything. I didn't fill out anything. He said, what you just got, he says, waiting for incoming mail and after waiting a while, you don't have to write us an entire love letter. Wait a minute, did I not send it? This guy is great. Oh, you call it a beautiful site. It is. Let's say text. Just wait, just wait. Oh yeah, look, now it's getting pretty quiet here. Waiting.

(01:44:44):
Oh, so after you send it, it gets pretty, huh? There it is. Oh, it came. Yeah. Wake up Neo. Hi there. Learn D Mark. My name is dio. Oh, this is so cute. Oh, just wait, it gets better. Look at that. Oh, you're right. This is nice. It's so well done. Oh, this is nice. Oh my gosh. You're right. I take it back, Steve. This is a beautiful site. Holy cow. Let me shrink it down so you can see the whole thing. Press any key. Okay. Is used to look up the domains. SPF policy running SPF. Yes, Laport do email has ANS SP F policy. It should have all of these DKMD mark and SPF because they use FastMail is one of the reasons I have my domains hosted by FastMail. Oh, this is really nice. He did a great job and this is nontrivial, I got to say the stuff behind the scenes that he's doing to do the validation. That's great. Very nice. Anyway, it keeps going as you press keys and it runs through, performs all the tests to demonstrate that the person doing your mailing has got their act together. Somebody says out of sync in our discord says, that looks like a web devs resume.

(01:46:04):
You're probably right. Yeah, that's good. Yeah, you're probably right. A lot of CSS. Oh, look at that. Sliding on over there. Look at that. It's just beautiful. Yes. My D Kim I think is okay. I see you've included a D Kim signature. I retained the signature pass validation. All right. There's a pass. Yeah, this is almost like a video game. This is hysterical. It's just gorgeous. So I know I'm going to pass all three. I'm using fast mail, but still That's great. This is sponsored by URI ports. Oh. Oh, wait a minute. Could you scroll? I scrolled. Yeah, you scrolled. So it had to adjust Don scroll. Kids do not do what Leo did. Alignment is a Yeah, it looks like I'm okay, right? Yeah. There we go. Now I'm getting the passes. It's because I scrolled up. I couldn't put the pass. Okay, you need to work on that CSSA little bit.

(01:47:01):
Good. We got passes everywhere. Very nice. Yeah, very nice. So bottom line is because of spam, you're going to have to really start making sure your emails provider is doing all this. Of course, if you're going Gmail to Gmail, you don't have to worry about that, but if you're going any other email provider, including especially your ISP, you might want to check and make sure it's okay. I like this. What is it again? Learn D mark.com. D-M-A-R-C for those who are listening. Yeah, really, really great. I just stumbled on it because I was doing a little research into what am I going to have to do in order to not get wind up, not get blocked on DNS and block lists and all that crap. This is actually, I guess UI Ports is a company that does this DA monitoring, so that's why they're so good at it.

(01:47:58):
God, this piece of word. Okay, last sponsor and then we're going to talk about Alex Stamos and what he feels about Microsoft security. He actually put that in quotes. Security. Security, yep. This episode of, well, I'll talk to you about security. Who was it the other day? They had a breach. Was it 23 and me, where they said, yeah, we figured it out like three months after the guys broke in and they'd been wandering around without it. It was very upsetting. Long. It took 23 and me to know that it was there. This is why you need the things to canary this. Exactly. See, they don't have one. I knew they didn't have one. Thinks Canary. We use it. You got your perimeter offenses, but what happens if they're breached and it's not hard? You could have a password spray attack against an old server lying around and suddenly everybody's in.

(01:48:58):
Thinks canaries are honeypots. They can be easily deployed in minutes. If someone is accessing your honeypot or your lure files, you could put lure files, X ls. I have XLS files called payroll information, or you could be really obvious, employee social security number, PDF, whatever you want. But the minute those lure files are attacked or someone accesses your Think Canary, which is posing as something else, mine's a Nest device. You could have a fake SSH server, a Windows seven server, IIS. They could be a hundred different things and perfect impersonations too, right down to the Mac address. When they're penetrated, when they're attacked, when they're tapped, your thinks Canary immediately tells you you have a problem and no false alerts, just the alerts that matter. Choose a profile for your Think Canary device, register it with a hosted console for monitoring and notifications. Then you wait.

(01:49:55):
You can get it notified by the way, any way you want. Text, SMS, text, email, webhooks, slack, whatever you want, sis log. Then you wait. Attackers breach your network or malicious insiders already in your network. They start snooping around. They make themselves known instantly. By tripping those trip wires and your thinks canary, I'll let you know. Visit Canary tools slash TWIT for just 7,500 bucks a year as an example. You get five fixed canaries. You get your own hosted console, you get upgrades, you get support, you get maintenance, and if you use the code twit in the How did you Hear About Us Box, you're going to get 10% off, not just for the first year but forever for life. And I should point out, if you're at all skeptical, you can always return your Canaries within their two month 60 day money back guarantee for a full refund.

(01:50:46):
But I also should point out that during all the years, and it's been many that we've been doing these ads, not one person has ever asked for a refund because it's great. You want this, you need this 23 and me, I'm looking at you Canary Do Tools slash twit end of the Code twit and the how did you hear about his box? Thanks. Canary. Canary Tools slash twit. I'm sure Alex Stamos would not say nasty things about this, but what did he say about Microsoft Steve Gibson? Okay, so recall that Midnight Blizzard is the dramatic renaming Microsoft gave to the Russian State sponsored group, originally known as No Beum, which most recently managed to crawl inside Microsoft's network to obtain access to data belonging to their uppermost top level executives. As we covered last week, late Friday night before last, Microsoft slipped out the news that a lesser protected system had succumbed to the Russians after being sufficiently sprayed with passwords.

(01:51:58):
What Microsoft shared at the time left no one feeling satisfied. So last Thursday on the 25th, Microsoft attempted to offer additional useful information. Most observers, however, have still been left wanting the reading between the lines that we did last week appears to have been correct. At the top of last Thursday's lengthy update, Microsoft wrote as stated in the MSRC blog, given the reality of threat actors that are well-resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk. The traditional sort of calculus is simply no longer sufficient for Microsoft. This incident has highlighted the urgent need to move even faster. If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance resulting in better protection against these sorts of attacks.

(01:53:11):
Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services EWS activity and using our audit logging features combined with our extensive knowledge of Midnight Blizzard. In this blog, we provide more details of Midnight Blizzard, our preliminary and ongoing analysis of the techniques they used and how you may use this information pragmatically to protect, detect, and respond to similar threats in your own environment. Using the information gained from Microsoft investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified the same actor has been targeting other organizations, and as part of our usual notification process, we've begun notifying these targeted organizations. Okay, now that's enough of that. As I noted, many if not most observers of Microsoft's handling of this incident have come away less than impressed. So I wanted to share the highlights of an important industry shaping interview. Alex Stamos conducted with CNBC last Friday to remind everyone, Alex is a computer scientist.

(01:54:33):
He obtained his ECS degree from Berkeley today. He's an adjunct professor and lecturer at Stanford University Center for International Security and Cooperation. He first popped onto our map when he left Facebook after serving as their chief security officer, and then in 2021 teamed up with ex CSA director Chris Krebs. Recall that Chris was fired from his position as director of CSA by President Trump after CSA put out a statement declaring that the 2020 US presidential election had had been the most secure election in American history. So Chris and Alex were both free, and they formed the Krebs Stamos group. That group later became part of Sentinel One, where Alex now has the title of Chief Trust Officer. He often serves as an expert witness in court and provides expert testimony to Congress. Okay, so Alex, credentials are well established within the industry and government. The following, which I wanted to share is what he posted last Friday following his interview on CNBC and following Microsoft's updated breach disclosure. The title Alex gave his LinkedIn posting was Microsoft's dangerous addiction to security revenue.

(01:56:07):
Under that headline, he wrote this, he said, on Monday, CNBC gave me a chance to discuss Microsoft's Friday night News dump of a new breach by Russian Intelligence Services, in which I called for more details from Microsoft so that other organizations could defend themselves. Yesterday we gained a bit more transparency in the form of a blog post from Microsoft's security. Again, in air quotes, the commercial security division of Microsoft. Some reactions he wrote, first Microsoft buries the lead with this paragraph. Then he quotes them, quote, using the information gained from Microsoft's investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations, and as part of our usual notification processes, we've begun notifying these targeted organizations. Alex says translation, since the techniques outlined in the blog only work on Microsoft hosted cloud identity and email services, whoops. This means that other companies were compromised using the same flaws intra better known as Azure Active Directory and Microsoft 365. Microsoft's language here plays this up as a big favor. They're doing the ecosystem by sharing their extensive knowledge of Midnight Blizzard, when in fact, what they are announcing is that this breach has affected multiple tenants in their cloud products. Oh my God.

(01:58:10):
And he says, and in a subsequent update to his original posting, Alex notes that Joseph Men of the Washington Post has several sources indicating that at least 10 other companies were breached and will be disclosing those breaches soon. This isn't the same as the exchange server vulnerabilities we've been talking about. This is not the one that China used this. This is different. Yep, yep. Oh boy. 10 more breaches. At least 10 that were part of this. They sure downplayed this. I knew they were too. You could tell they were bearing. Yep, yep, yep. Second point, he makes Microsoft continues to downplay the attack by using the term legacy. He says one of the big open questions from last week was how an attack against a legacy non-production test tenant could lead to access to the emails of key Microsoft executives. Yeah. How did that happen?

(01:59:17):
He says, we get a bit more detail in this paragraph and we quote them Now, midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them Office 365 exchange online full access as app role, which allows access to mailboxes. Alex says, I've seen this fundamental problem in multiple investigations, including the one that Microsoft worked so hard to label as SolarWinds incident. He says, Azure AD is overly complex and lacks a user experience that allows for administrators to easily understand the web of security relationships and dependencies that attackers are becoming accustomed to exploiting.

(02:00:47):
In many organizations, Azure AD is deployed in hybrid mode, which combines the vulnerability of cloud. He says Paren, external password sprays, and on-premise NTLM and Mimi Cats meaning combining vulnerabilities both outside and in. He says, identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence. He says, calling this a legacy tenant is a Dodge. This system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as one's provision today. It's not clear what they mean by legacy, but whatever Microsoft's definition, it is likely to be representative of how thousands of their customers are utilizing their meaning. Microsoft's products today, Microsoft does. He says, however, offer all of us some solutions, which brings us to point number three, which he labels Microsoft is using their own security flaws as an opportunity to upsell.

(02:02:25):
He writes, these sentences in the blog post deserve a nomination to the cybersecurity Hutzpah Hall of Fame. I love you, Alex, as Microsoft recommends that potential victims of this attack against their cloud hosted infrastructure first detect, investigate, and remediate identity based attacks using solutions like Microsoft Intra ID protection. Oh yeah, you need that. Yeah, that's right. Number two, investigate compromised accounts using Microsoft Purview Audit Premium. You don't have that yet. Oh, we should get that too. Got to get that. And three, enforce on-premises, Microsoft intra password protection. Don't want to get sprayed for Microsoft Active Directory Domain services. He says, in other words, Microsoft is using this announcement as an opportunity to upsell customers on their meaning Microsoft's security products, which are apparently necessary to run their identity and collaboration products safely. He says, this is morally indefensible just as it would be for car companies to charge for seat belts or airplane manufacturers.

(02:04:02):
You know where he is going to charge for properly tightened door bolts. It says it has become clear over the past few years that Microsoft's addiction to security product revenue has seriously warped their product design decisions where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases. And I'm just going to interrupt Alex for a moment to note that while all of this is highfalutin enterprise stuff, I've long made the same point about Microsoft leveraging the insecurity of their out of support operating systems. They blithely offer additional years of extended security support for their otherwise out of support operating systems to their enterprise customers, while at the same time starving the end users of those same operating systems of that vital security in a bald effort to force users to move to newer operating systems, which they neither need nor want if the security updates are available anyway, deliberately withholding as ransom the patches to your defective operating system because you can is morally indefensible and reprehensible.

(02:05:46):
Anyway, my 2 cents referring to Microsoft's two recent posts. Alex says, while these two arrogant and circumspect posts do at least admit the urgent need to move even faster in securing their products, he says, I would argue that Microsoft has a much deeper cultural problem to solve as the world's most important IT company. They need to discard this poisonous idea of security as a separate profit center and rededicate themselves to shipping products that are secure by default while providing all security features to all customers. He says, I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft's basic enterprise offerings, including those paid for by the US taxpayer, should lack the basic features necessary to protect against likely attacks. He says, my current employer competes against some of these products from Microsoft, but if Microsoft did a better job by default, that would reduce the need for Sentinel One and other security vendors to provide basic safety protections for all the language about the sophistication of the hackers behind this attack. There's nothing here that is outside the norm for ransomware groups attacking Microsoft's technologies and Microsoft customers of all sizes should be that these techniques will be deployed against them if they do not pay extra for the secure version of Microsoft's cloud products. Wow. 21 years after the trustworthy computing memo, it's once again time for some soul searching in Redmond.

(02:08:01):
You go, Alex. So bravo. Alex, I love the system of free enterprise. We enjoy in these United States. The prophet motive provides strong impetus to innovate and provide value, but the lure of increased profit carries a danger when an executive faces a decision about whether to include a desirable and important feature in the base product or to charge extra for it, a crucial feature that's necessary for this system of free enterprise to deliver its maximum value to the public at large rather than to simply further line the pockets of those executives and their shareholders is competition. While it's an enviable position to be in, Microsoft is only able to get away with these USY practices because they have no real competition in the markets they dominate. This has been a problem for them in the past, and it may be again in the future. Yikes. I'm glad that, I'm glad that people like Alex are saying this on CNBC and posting this in his LinkedIn feed because we need to shine a light on this. We'll have to talk about it tomorrow in Windows Weekly too, because this is a really much worse attack than we had hypothesized. At least it is much worse than we thought. It is broader and apparently a huge number of Microsoft's customers, well, well, 10 anyway. Yeah, that's just the tip of the iceberg, I'm sure.

(02:09:49):
Mr. Gibson. This is why we listen every Tuesday to Security now, and I especially want to thank those folks who are subscribing members to security Now because you help make this show possible listeners like you, a couple of ways to do that. You can of course pay 2 99. A lot of you just pay 2 99 because you just want this show and you just want to support this show. That's fine. For a few bucks more $7 a month, you could support the whole network. And of course, security now is not a standalone product. It relies on the studios, the lights, the cameras, the staff, the team. We have to pay for all of that. And so if you like this show and any of the other shows we do and you want to support it, we would sure appreciate your support to twit tv slash club twit.

(02:10:35):
You'll get ad free versions of this show and every other show you'll get additional shows we don't do anywhere else, like Hands-on Windows with Paul. We've got HandsOn McIntosh with Micah sart. We've got the Untitled Linux Show with Jonathan Bennett. We've got the Home Theater Geeks with Scott Wilkinson. Stacey and I are going to be doing Stacey's book Club in about a week, February 8th. We are going to be doing Paolo Bache, Gallup's the Water Knife, talk about a dystopian future, but there's lots to talk about there. That's the book club. All of this for club members only, and of course, access to our Wonderful Club to Discord. Seven bucks a month. I think it's a good deal, but mostly do it to support the work we do here and we're very proud of it. We love to do it and we want to keep doing it. Steve's agreed to go for another, well at least another 41 episodes, but he can't unless we get your support.

(02:11:34):
Advertising supports dwindling. I'm starting to hear drum beats from other podcasters. You're going to hear a lot of networks and podcasts go under this year because the ads just aren't there. We were very fortunate of started the Club a couple of years ago, and we are really fortunate to have 10,738 paid members, but we need to get to 20 or 30,000. We need to get, I would love to get 5% of our audience. That's all. One in 20 to subscribe. Maybe you're that one. Help us out. That would mean we were no longer dependent on advertising and that would make a big deal difference to us here. twit TV slash club twit, while you're there, take the survey. Last chance. We're going to cut off the survey at the end of the month, January 31st, twit TV slash survey 24. Another way you can help us, let us know a little bit more about you so we can make sure our programming is spot on. It also helps us sell advertising, gosh knows we need that help. Twitter tv slash survey 24. Alright, enough begging. Go to Steve's site. Can you get 6.1 today, Steve? If I go there right now?

(02:12:41):
No. Well, yes and no. Many people are using it. The forums, forums.grc.com. I've been announcing all of the incrementals and I announced that we were at release candidate six as far as I know it was done. So anybody who has spin right is able to get what will almost certainly be the final spin, right? I mean, it's like it's done. It's been done. Frankly, it's been, as you've been hearing me say, there were a bunch of last things that I wanted to take care of. I just don't know of anything else that there is left to fix. So it's done.

(02:13:23):
I've got work to do to roll it from a marketing standpoint to roll it out. And what I'll do is it makes sense to let it sit for a couple weeks, then I will officially make the change. I don't want to have it be what new purchasers download until I've got documentation. Yeah, that's so that they can see what's going on. So this gives me a nice opportunity to get the documentation updated on the website and once that's done, then I'll switch it over grc.com for more information. While you're there, you can get a copy of this show. Steve offers the only 16 kilobit audio versions of this show. He also offers transcripts, Elaine Ferris's. Very well done, transcripts of the show. Nice to read along while you listen. Both of those available@grc.com. Oh, I realized how I should have answered your question, Leo. If you just go to grrc.com/prerelease, then that brings up a form.

(02:14:24):
You put in your current spin right serial number, and you get a link to download what will be six one. Oh, fantastic. Well, there you go. It is here. That's official. It is, yeah. grc.com/prerelease and give it your serial number. You get spin right, six one. We have copies of the show audio and video at our site tv slash sn. Of course, there's a YouTube channel, which is great for sharing clips. I know a lot of people like to do that. You might want to share that little Alex Stamos piece with some friends of yours running enterra. It might be worth letting 'em know. Get a little heads up. We also have a, of course, it's a podcast. So we also have a feed, which means you can subscribe in your favorite podcast client, apple Podcasts, Google Podcasts, pocket casts, overcast, whatever it is you like, and you'll get it automatically as soon as it's available.

(02:15:14):
And we think that's a good way to get the show we record on Tuesdays. Now you can watch us do this. We've decided to open up the live feed of the production so you can watch the video as we're making it warts and all on YouTube, youtube.com/twit, but it's only during the show's production. We shut it down and rest of the time only club members get to see that secret behind the scenes stuff. The good stuff. No, that's pretty much more of the same. But we want to give you some incentive to join the club, but we also want to make it easy for you to watch live. So if you are around Tuesday afternoons around about 2:00 PM Pacific, 5:00 PM Eastern, 2200 utc, stop on by youtube.com/twit and watches do the show and then you can download a copy later. Steve, have a great week. We'll see you right back here. It's February. That's right, baby. Take care. Bye.

Club TWiT (02:16:13):
Hey, we should talk Linux. It's the operating system that runs the internet, but your game console, cell phones, and maybe even the machine on your desk, and you already knew all that. What you may not know is that TWIT now is a show dedicated to it, the Untitled Linux Show. Whether you're a Linux Pro, a burgeoning man, or just curious what the big deal is, you should join us on the Club Twit Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWIT exclusive Untitled Linux Show. Wait, you're not a Club Twit member yet? We'll go to twit tv slash club twit and sign up. Hope to see you there.