Security Now 960 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is ready. He's got some great stuff to talk about, including the new CISA recommendations for home routers. I hope they're adopted. Also a massive flaw that really affects every version of Linux. It's being patched or has been patched, but you should know about it. Post-quantum crypto added to our favorite browser, and then an unforeseen consequence of Google's new anti-tracking changes. That's all coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT.
This is Security Now, with Steve Gibson, episode 960, recorded Tuesday, February 6th, 2024: Unforeseen Consequences. Security Now is brought to you by Melissa, the data quality experts. All data expires, about 25% per year, including the data in your customer database, your supplier database, your address records. For over 38 years, Melissa has helped companies harness the value of their customer data to drive insight, to maintain data quality and support global intelligence. Melissa is flexible to fit into any business model.
Melissa verifies addresses for more than 240 countries, on-prem, in the cloud, as a SaaS app. There's even an API so you can ensure you're only putting valid billing and shipping addresses into your system. You can focus your spending where it matters the most. Melissa offers free trials, sample codes and flexible pricing and an ROI guarantee, plus unlimited technical support to customers all around the world. You can even try it on your phone. Download the Melissa app; it's free on Google Play or the iOS App Store, no sign-ups required. Melissa has achieved the highest level of security status available by gaining FedRAMP authorization, and that's kind of peace of mind for anybody using Melissa. Their solutions and services are GDPR and CCPA compliant. They meet SOC 2 and HIPAA HITRUST standards for information security management. Your data is secure at Melissa. Bottom line: make sure your customer contact data is up to date. Get started today. 1000 records cleaned for free at melissa.com/twit. That's melissa.com/twit.
02:38 - Steve Gibson (Host)
It's time for Security Now.
02:42 - Leo Laporte (Host)
Or was that one of the sounds that goes off when something happens? One of the way.
02:46 - Steve Gibson (Host)
And speaking of sounds, all of our listeners will be glad to know that little annoying beep in the background...
02:54 - Leo Laporte (Host)
Finally died. You couldn't find it, a smoke detector, right? But you couldn't figure it out.
03:00 - Steve Gibson (Host)
No, yeah, actually it was a water alarm which I had installed because my air conditioning condenser was backing up and overflowing, so I needed to be alerted if that was happening. But I replaced the whole AC system a couple years ago with a brand new one that has all that built in. So I removed the water sensor and just stuck it aside and, as happens here, where we need to have archaeological digs to find things, it was always in a pile somewhere. Yes, it was.
03:36 - Leo Laporte (Host)
It was just buried, literally buried, somewhere in the south of your living room.
03:43 - Steve Gibson (Host)
Okay, and then at some point it began going, like, very briefly, very high pitched, and not often, and some of our listeners began saying, Steve, you've got to check the batteries in your smoke detector, because, you know, apparently there's a problem there. Well, no, and I could not find it, and it had been going on, I don't know, a couple years maybe, and I just stopped hearing it. I didn't hear it.
04:11 - Leo Laporte (Host)
I haven't heard it recently. Has it still been going?
04:14 - Steve Gibson (Host)
Oh, it was going last week, during last week's podcast.
04:17 - Leo Laporte (Host)
If you played the podcast, every so often you'd hear it anyway, and that's got to be direct, because we have a lot of OCD listeners, I mean people who really can't handle that kind of thing. That was, I'm sorry, hearing it.
04:32 - Steve Gibson (Host)
I had adapted to my environment, right, and so it's like, you know, I thought I... over things.
04:37 - Leo Laporte (Host)
I thought you'd fix it.
04:39 - Steve Gibson (Host)
Oh my God. So when I came in yesterday morning I heard... so I thought, oh, thank God. I knew at some point the battery would actually finally die so that it couldn't even make these beeps. [Did you find it?] I went right to it, just directly. I just pulled some things out of the way. There it was. Wow. Indeed, that's what it was.
05:13 - Leo Laporte (Host)
Did you stamp on it?
05:18 - Steve Gibson (Host)
I mean even moving it around.
05:21 - Leo Laporte (Host)
It was just on its last volt. Well anyway, silence did it. Somebody, chicken head 21 in our chat room, our Discord, wants to know: was Elaine actually typing "beep" when it went off in the transcripts? Bless her heart. I wouldn't be surprised.
05:39 - Steve Gibson (Host)
She's a very little parenthetical "beep", you know.
05:44 - Leo Laporte (Host)
I haven't heard it in months. I mean, I knew about it, people had written in about it, and I thought you'd fixed it last year. No, I just wasn't hearing it. Maybe, like you, I'd either grown attuned to it or I'm so deaf now that I can't hear that frequency.
05:59 - Steve Gibson (Host)
Wow. Well, thank you for fixing that. Well, thank me for my patience, and it is now finally gone.
06:08 - Leo Laporte (Host)
I told you about that Avenue 5 episode. I remember when we talked about this last, I told you about that Avenue 5 episode. I don't know if you ever watched Avenue 5 after we talked about it. But they're on the spaceship, right, and there was a beep. Nobody could figure out where it was coming from. It was keeping people up; it was the whole thing. So this is not an unusual phenomenon. You maybe should make a variation of the portable dog killer, that is, the portable beep locator.
06:38 - Steve Gibson (Host)
Believe me, when this began I gave it some serious thought. It was impossible for me to find it, so I considered putting two microphones some distance apart and, exactly, locking on to that sucker. But then I thought, well, we really do want SpinRite 6.1 eventually.
06:57 - Leo Laporte (Host)
And won't you be glad when you retire that you can devote your time to things like that.
07:02 - Steve Gibson (Host)
I think retire? What? Never, never, no, no. I've got to move SpinRite 7 on to the Vision Pro.
07:10 - Leo Laporte (Host)
So yes, we announced during MacBreak Weekly that you would make a version for the Vision Pro. Not a problem.
07:17 - Steve Gibson (Host)
Yes, imagine walking through the bits of your mass storage, looking around and saying, oh, look at that bad spot there, let's pluck that out. Oh gosh, yeah.
07:28 - Leo Laporte (Host)
So what is coming today on Security Now?
07:33 - Steve Gibson (Host)
Boy. This is Security Now 960 as we begin February. This podcast is titled Unforeseen Consequences, which sort of crept up on me when I stumbled upon an odd reference to a piece in the Financial Times. Now, the Financial Times has one of the strongest paywalls you can find. I mean, they're not screwing around. They're like, hey, you know, we're just gonna tease you with the headline. You're not going any further. Except they also allow... I just Googled the headline and there it was. So it's like, okay, well, you're not that worried about me. You know, they want to bring people to their paywall so you can decide if you want it. Anyway, they had a really interesting piece that talks about some consequences we've never considered that are like the dark side of Google's killing third-party cookies. So it's gonna be really interesting.
I think this is gonna be a riveting episode, but first we're gonna talk about what move CISA has just made that affects our home routers. What serious flaw was discovered in a core C library used everywhere by Linux? Does OpenSSL still have a future? And what's Roskomnadzor done now? How can a password manager become proactive with passkey adoption? Which favorite browser has just added post-quantum crypto? What prevents spoofing of the images taken by digitally signing cameras, if anything? And why are those insecure PLC devices, you know, the programmable logic controllers which run process automation everywhere, ever being attached to the internet? And what may be an undesirable and unforeseen consequence of Google's anti-tracking changes? Oh yeah, it's gonna be a great episode. And oh, Leo, we do have a picture of the week.
09:47 - Leo Laporte (Host)
I only see the caption. I haven't scrolled up, but I can tell from the caption it's gonna be a good one. [Yes, it is.]
09:55 - Steve Gibson (Host)
It may explain the power outages you've been having. Holy cow.
09:59 - Leo Laporte (Host)
Yeah, we, uh.
We were in the middle of TWiT on Sunday. Fortunately we were not at the mid... we were actually within minutes of ending it and everything just went dark, and I had to go home and finish the show at home because there was no power here. And then, of course, as you noticed, I come in the studio and everything is all messed up, because they don't survive power outages very well. I had to play with a bunch of things. Anyway, we got it all working.
We will get to the show in a moment, but first a word from DeleteMe, our sponsor. Have you ever searched, don't do this, but I know you will because I'm gonna say it, have you ever searched for your name online? It is a terrifying experience. You won't believe how much of your personal information is available. The next step should immediately be: visit joindeleteme.com/twit and sign up for DeleteMe.
DeleteMe helps reduce risk, and there are lots of them associated with having all that stuff online. I didn't need that. Credit card fraud, robocalls, cybersecurity threats, harassment, unwanted communications overall. We started using DeleteMe a couple of years ago when a text went out from our CEO's phone to her direct reports saying, I'm in a meeting but I need to get these Amazon gift cards out to our hosts. Go buy me some now. Thank goodness, our employees listen to our shows and they're well trained, and they immediately smelt something suspicious. But honestly, it came from her phone number. It came to their phone number. In every respect it looked legit. Where do they get all that information? How did they know who our direct reports are? That information is online.
Data brokers have it all. We signed up immediately for DeleteMe and, by the way, it has been a huge boon. It is a cybersecurity threat to your business if your executives, if your managers, you know, if their information is online and who they, you know, boss around and all that stuff, is just meat for these bad guys, these hackers. So here's what you do: you go to joindeleteme.com/twit. First step, you sign up. You give them some basic personal information, the information they're going to be looking for. That's how they figure out it's yours, right? So you have to tell them some stuff, and this is the stuff I want removed. DeleteMe's experts...
And they do this. Humans do this, which is really important. You cannot do this well automatically. Humans go out, they find your personal information. They have lists of literally hundreds of data brokers. New data brokers are added every day. There is no regulation on these guys. It's like the Wild West, but DeleteMe knows who they are. They will go there. They will reduce your online footprint. They will keep you and your family and your business safe. But then, and this is really important, they will continue to scan and continue to remove personal information regularly, because there's a loophole.
These data brokers have to have a place where you can say, I don't want you to keep my data information. They'll delete it and say we deleted it, but then they still gather information. If you should have happened somehow to show up in that information, well, they recreate your whole profile. The whole thing's back. I'm talking addresses, photos, emails, relatives, phone numbers, social media, your net worth, your property value and more. Now these exposures, everybody's got a different threat model, right, and since the privacy exposures in these incidents would affect everybody differently, DeleteMe has real privacy advisors you can talk to, to help you make sure that you're getting the support you need and, you know, to help you understand what they're doing and what you need to do. They're very good. Protect yourself, reclaim your privacy. The website again: joindeleteme.com/twit. The code is TWIT for 20% off, so it's a good price. joindeleteme.com/twit, promo code TWIT at checkout. Thank you to DeleteMe for the job you did for Lisa and for all of our listeners.
14:01 - Steve Gibson (Host)
joindeleteme.com/twit. Now, Leo, you may scroll up and reveal, huh, and reveal the cause of the power outages at TWiT studio.
14:15 - Leo Laporte (Host)
But this is the caption. But this is where you said you wanted the dangerous high voltage terminal box. Oh, just sitting right out there, right out there in the public. I bet you there's a playground right next to it.
14:30 - Steve Gibson (Host)
Well, look what's on it, or aimed at it. Oh, we scroll down a little further. [Oh, I missed that part.]
14:37 - Leo Laporte (Host)
Oh, there's a sprinkler sprinkling it.
14:42 - Steve Gibson (Host)
So for those who are listening... [I hope it's weather sealed.]
Holy cow. Out in the middle of something is this, you know, scary looking, high voltage, oh my, box. It says attention, attention, with the lightning bolts saying, you know, high voltage. There's a sprinkler, you know, one of those things that shoots out a beam of water that's supposed to go about a thousand yards, which slowly rotates to water the entire park. Well, this box is about three feet away from it, receiving the full force of this water blast right in its face. You know, it's surprising there aren't sparks flying out of this thing. Oh my God. Anyway, yeah, you want to step cautiously on the wet lawn that surrounds this electrical box. That's a great picture.
You could probably charge your Tesla just by parking on the lawn next to it.
15:42 - Leo Laporte (Host)
Yeah, great. Wow, it's liquid cooled. Yes, Mashed Potato says in our Discord, he said, what, it's liquid cooled? Liquid. That's right.
15:53 - Steve Gibson (Host)
Yes, never gets hot. Okay. So under the headline "CISA and FBI release Secure by Design alert urging manufacturers to eliminate defects in SOHO routers." And I think everyone knows SOHO, small office, home office, is what that abbreviation is. So last Wednesday, CISA and the FBI published guidance. This is the third such release of theirs, and this is the first aimed down at the consumer. Previously they were talking at the enterprise level. So they published guidance on security design improvements for SOHO device manufacturers, which is part of their new Secure by Design alert series, which focuses on how manufacturers should shift the burden of security, thank God, away from the customers, who, you know, just want this stuff to work, plug it in and set it and forget it, by integrating security into the product design and its development.
So this third publication in CISA's series examines how manufacturers can eliminate what they call the path threat actors, the path, I'm sorry, which threat actors are taking to compromise small office and home office routers. Now, they were specifically referring to a recent initiative. There is a group out of China known as the Volt Typhoon group, which the FBI just somewhat controversially took down by patching these routers, and it was my intention initially to talk about that as our main topic this week, but I ran out of space, actually, on the podcast, and time, and I really needed to talk about the consequences of what I realized was going to be happening, as a consequence of stumbling upon this Financial Times piece. So I have that queued up for next week. But there was something that caught my attention in this which was unsuspected or unanticipated. They said, CISA did in this joint FBI release, that they wanted manufacturers to do three things: automate update capabilities, remove web management from the WAN interface, and require a manual override to remove security settings.
Okay, so all of this podcast's listeners have probably grown tired of hearing me talk about those first two points: automate updates and remove all device management from the public-facing interface, the WAN interface. Right, you just don't need to use a web interface aimed at the internet so that you can access your device across the internet. You know, what we keep learning is that we don't know how to do that safely, because everyone keeps making mistakes. And you don't have to expose it to the public, because there are plenty of ways to get over onto the private LAN from the public interface, from the public internet, and then access the device from the LAN side. That's the way we should do it anyway. The third one was really interesting. I think it's brilliant.
They say require a manual override to remove security settings. In other words, routers should not accept remote, or even any local over-the-wire, instructions which reduce their security in the absence of a manual, physical, local confirmation of some kind. There's no substitute for the affirmation of one's physical presence at a router's location. You know, pressing an "I want to change my router's configuration" button, like the wireless configuration button, is the one thing no remote attacker in Beijing is able to do from the comfort of their cyber warfare bunker.
I think that the best way to do this would be to require a button to be pressed in order to place the router into configuration change mode. So if a user logs into their router, you know, they're welcome to do that. They're welcome to poke around and look at the router's various settings. But the moment the user attempts to change something which is important to the security of the system, the router's UI will pop up a little box and say, please press the "enable configuration changes" button on your router to proceed, and it'll just wait. Once the button is pressed, the router will take down that little message and will allow the user to change its configuration until the user either logs out of the interface or after some period of inactivity, because most people just, you know, leave their login cookie present and logged in so they can get back to it easily if they need to.
You know, so would this be potentially a pain in the butt? Yeah, especially if the router is in the attic. But, you know, it's a classic trade-off between security and convenience. Requiring a one-time password is certainly not as convenient as not using one, but, you know, that requirement is clearly much more secure. So the problem being addressed, you know, in this case, is very real. You know, we are populating the world with insecure yet increasingly powerful consumer routers which are actually being taken over by malign remote forces that wish to exploit our traditional lack of focus on security. So once again, I give big props to CISA for leading this truly necessary change. I think this makes so much sense. You know, yes, again, it will be a bit of an annoyance to have to physically go to the router and press the button saying I want to enable configuration changes. But it's a brilliant requirement, and I do hope that we see this, and really, we're not doing this all the time. And if you are, don't put your router in the attic, put it somewhere a little more accessible, and that'll just become, you know, the way we do things in the future. I think this makes so much sense.
While we were recording last week's podcast, the Qualys Threat Research Unit, they call it the TRU, which is kind of a cool abbreviation, was informing the world that they had recently unearthed four significant vulnerabilities in the GNU C Library, which forms a cornerstone for countless applications in the Unix, I'm sorry, in the Linux, well, probably Unix too, well, not GNU, but in the Linux environment. One of these four which they found is a severe vulnerability tracked as CVE-2023-6246. Notice it's late last year. This vulnerability affects major distros like, well, every version of Linux, I think it's safe to say, but of course including Debian and Fedora, Red Hat and Ubuntu, everything.
24:29 - Leo Laporte (Host)
It's glibc, right?
24:31 - Steve Gibson (Host)
Yes, it's glibc, yeah.
24:34 - Leo Laporte (Host)
Yeah, yeah, yeah. That's, you know, the core C library that C depends upon, basic standard functions. Yeah.
24:43 - Steve Gibson (Host)
Yes, it's linked into everything. Yeah, so the bug impacts versions going back to August of 2022, which is when the bug was introduced. It is an elevation of privilege flaw that can allow local attackers with access to a system to obtain root privilege access. So, you know, we dodged a big bullet here, folks, because if this had allowed remote attackers to... oh, then we'd have trouble. Yeah, baby.
So here's what Qualys explained about their discoveries. They started by saying, before diving into the specific details of the vulnerabilities, it's crucial to understand these findings' broader impact and importance. The GNU C Library, or glibc, is an essential component of virtually every Linux-based system, serving as the core interface between applications and the Linux kernel. The recent discovery of these vulnerabilities is not just a technical concern, but a matter of widespread security implications. And actually, more about the bullet that flew by and we dodged; we'll get to more of that in a second. In other words, so, you know, it was more than a little bit shocking to Qualys to discover serious exploitable vulnerabilities in a core component of a system that is this widespread. Needless to say, Linux is everywhere, including in every one of those SOHO routers we were just talking about, and we all need to keep in mind that fixing it today doesn't automatically fix it yesterday, which is another strong argument for allowing autonomous updating of unattended and unmanaged IoT devices. Anyway, Qualys continues, writing:
The vulnerabilities identified in glibc's syslog and qsort functions highlight a critical aspect of software security: even the most foundational and trusted components are not immune to flaws. The ramifications of these vulnerabilities extend far beyond individual systems, they write, affecting many applications and, potentially, millions of users worldwide. This article aims to shed light on the specific nature of these vulnerabilities, their potential impacts and the steps taken to mitigate them. The first vulnerability, CVE-2023-6246: a significant security flaw has been identified in the GNU C Library's __vsyslog_internal function, affecting syslog and vsyslog. This heap-based buffer overflow vulnerability was inadvertently introduced in glibc version 2.37 in August of 2022 and subsequently backported to glibc version 2.36, an earlier one, while addressing a different, less severe vulnerability. So, oops. You know, the flaw was introduced in 3.37 and then they thought they were fixing an earlier vulnerability in 3.36, so they moved that code back into, I'm sorry, into 2.36 and broke it as well. They write: major Linux distributions like Debian, that would be 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37, 38 and 39 are confirmed to all be vulnerable. This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access, as demonstrated in Fedora 38. So again, somebody standing in front of a machine where you are relying on them not having root and only being able to log in and do things as a non-root user, that reliance broke completely. They said, in our analysis of the same function affected by CVE-2023-6246, this one, they said,
we identified two additional, albeit less severe, vulnerabilities. One is an off-by-one heap-based buffer overflow, also in the __vsyslog_internal function, and an integer overflow issue, also in the same function, but, you know, not nearly as worrisome as this main one, they said. Based on our assessment, triggering those vulnerabilities appears more challenging than 6246, you know, the primary problem. Additionally, they said, exploiting them effectively is likely to be more complex.
As for the last of the four vulnerabilities, a memory corruption issue was found in the GNU C Library's qsort function, caused by a missing bounds check. This vulnerability can be triggered when qsort is used with a non-transitive comparison function, such as a simple comparison of A and B which returns A minus B, and using a large number of elements controlled by an attacker, potentially leading to a memory allocation failure. Okay, so what are the implications? Qualys writes: the discovery of vulnerabilities in the GNU C Library's syslog and qsort functions raises major security concerns, and these are sort of hypothetical concerns, but still worth noting, they said. The syslog vulnerability, a heap-based buffer overflow, can allow local users to gain full root access, impacting major Linux distributions. Similarly, the qsort vulnerability, stemming from a missing bounds check, can lead to memory corruption, and get this: this has affected all glibc versions since 1992. Yeah, in other words, all glibc versions, effectively.
31:31 - Leo Laporte (Host)
Yeah, Linux is only... Yeah, definitely, that's all of them.
31:36 - Steve Gibson (Host)
Yeah, right. They said these flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications. So, yeah, no kidding. Now, what happens, or the way this is managed behind the scenes, is always interesting. So here's a quick blow-by-blow timeline from the discovery through the coordinated release one week ago today. So this began in early November, November 7th last year, 2023. So at the end of last year, November 7th, they said we sent a preliminary draft of our advisory, that is, a disclosure of their discovery, to Red Hat Product Security. Eight days later, on the 15th, Red Hat Product Security acknowledged receipt of their email. The following day, on the 16th of November, Red Hat Product Security asked us if we could share our exploit with them. The following day, on the 17th, they sent the exploit to Red Hat Product Security. Four days later, on the 21st, Red Hat Product Security, they said, confirmed that our exploit worked and assigned CVE-2023-6246 to this heap-based buffer overflow in __vsyslog_internal. Okay, so that is November 21st. Now we go to December. We're on December.
The next month, on the 5th, Red Hat Product Security sent us a patch for this vulnerability, 6246, written by the glibc developers, and asked us for our feedback. Two days later, December 7th, they said, while reviewing this patch we discovered two more minor vulnerabilities in the same function. That's where that off-by-one buffer overflow and the other integer overflow surfaced. They said we immediately sent an analysis, proof of concept and patch proposal back to Red Hat Product Security and suggested that we directly involve the glibc security team. That was on December 7th. The next day, on the 8th, Red Hat Product Security acknowledged receipt of our email and agreed that we should directly involve the glibc security team. We contacted them on the same day and they immediately replied with very constructive comments. They were already looped into this because Red Hat had previously forwarded this to them and then received the patch back from them, which then they sent back to Qualys. Three days later, December 11th, the glibc security team suggested that we postpone the coordinated disclosure of all three vulnerabilities until January 2024. We were at December 11th at this point, they said, because of the upcoming holiday season, meaning people on vacation, people not around, people less available to respond immediately, as this would require, to the public coordinated disclosure of this. They said, yep, good, let's let the holidays pass and we'll deal with this immediately afterwards. December 13th, still last year, before Christmas, Red Hat Product Security assigned the two additional CVEs to the other two things that had been found. On January 4th this year, they said we suggested either January 23rd or January 30th for the coordinated release. The glibc developers agreed on January 30th. That was last Tuesday. Now we're at January 12th. The glibc developers sent us an updated version of the patches for these vulnerabilities.
The next day we reviewed these patches and sent our feedback to the glibc developers. Two days later, on the 15th, the glibc developers sent us the final version of the patches for these vulnerabilities. The following day, Qualys says, we sent these patches and a draft of our advisory to the linux-distros list at Openwall. They immediately acknowledged receipt of our email, and on the 30th, last Tuesday, the coordinated release of this occurred.
There's an example of everybody being responsible, everybody responding to email. No one's sitting on this for months, the way we've seen Microsoft do so often. This is the way it's supposed to happen. Problem is found, the right people are looped in, it's reviewed, it's verified. Patches are created. Patches are verified. Some more tweaks are made. Everybody looks at the calendar and agrees about when would be a good time to let everybody know. That's the way it happens. A great look at how this happened. All the distros have been updated now. Everybody who's in a situation where it might be a problem if a Linux system from the last two years is relying upon its protected root privilege, well, it's not as protected as we were hoping, but at least somebody, an attacker, needs to be physically on your system.
37:32 - Leo Laporte (Host)
Yes, thank goodness, that's a relief. By the way, I bet you could look at any quicksort and immediately know if there's a buffer overflow. This is not a hard thing to write. Everybody wrote it in CompSci 101. I could see how you'd get a buffer overflow, but that seems like a pretty bone... So you're able to pass a function to qsort to use? Oh yeah, yeah, because that's the function that determines what's lesser, greater, right?
38:03 - Steve Gibson (Host)
Yes, exactly. So it's the sorting determiner function which is where the problem actually is.
38:10 - Leo Laporte (Host)
That might be a little harder to trace, I guess. I mean, usually you just pass it less than or greater than. But okay, if you did something really elaborate, maybe you'd get something weird. Interesting.
38:23 - Steve Gibson (Host)
Okay. So, speaking of libraries, OpenSSL has lost another big user, the CDN. Fastly, one of the biggies announced that they've decided to switch from OpenSSL, which they've been using to date, to the name you just got to love, because this is what you want from your SSL boring SSL. You want a boring SSL library. In their announcement they explained. They said OpenSSL has a long history of high severity vulnerabilities, including the notorious Heartbleed bug. In addition to the risk of exploitation, there is a significant operational cost incurred to rapidly test and deploy patches. And we're talking about so I don't think they say this anyway but this is on all of their edge system instances, so all of their edge routing, edge proxies where the CDN is. The CDN's network is interacting with the internet. This is where this goes. So, yeah, if some high severity vulnerability is found in OpenSSL, they like every one of those instances needs to be fixed immediately and that's a big pain in the butt. So they said, there's a significant operational cost incurred to rapidly test and deploy patches whenever a new vulnerability is announced.
Our primary goal in replacing OpenSSL with BoringSSL was to reduce the frequency and impact of CVEs and improve the security of our TLS termination system for our customers. BoringSSL is a fork of OpenSSL that was created and maintained by Google. It is widely considered to be fundamentally more secure than OpenSSL because it is less complex. OpenSSL remains the Swiss Army knife of SSL libraries and a bunch of great work has been done over the years to improve it, but we are convinced that BoringSSL provides better protection for our customers, they added. Our work began about a year ago with the ambitious idea of replacing OpenSSL on our edge for all incoming connections. We considered a few alternatives, but stuck with our original vision of migrating to BoringSSL to gain the following benefits: smaller, more modern code base; a safer API; BoringSSL is an OpenSSL derivative and is mostly source compatible, making our migration less challenging; diffusion, used by big players and maintained by Google; and similar performance to OpenSSL, they said. In summary, the consensus was that BoringSSL offers a more focused code base, one without OpenSSL's myriad of legacy code, which makes it intrinsically more secure.
I didn't have it here just because it would take up a lot of space, but they showed the breakdown of code between OpenSSL and BoringSSL. The BoringSSL source code base is less than half the size of OpenSSL, so it just makes sense, as a technology is maturing, that it's also going to be getting a bit old and creaky along the way. In the case of OpenSSL, it spans decades, having started in 1998. So that makes it 26 years old and, as we know, SSL has itself evolved dramatically as a protocol during those 26 years. So Google created BoringSSL and we know, for example, that Amazon's AWS service is running on their own very small, homegrown TLS stack. I'm sure that OpenSSL will remain the bedrock that it always has been for experimentation and testing, that's always where new protocol stuff is worked out, and for being, as Fastly said, the Swiss Army knife of SSL libraries.
But its deployment in critical new applications has probably seen its day and, as I was reading this and thinking about it, we've been using GitLab to manage all of the issues.
During the ending phase of SpinRite's development, we were just using newsgroup threads initially, but one of our participants, well known to all of the people in our newsgroups, Colby, was suggesting GitLab and I looked at it and I thought, okay, I'll give it a try.
So I brought it up on its own server and it's very nice. The problem is it has way more features than we are using, just as OpenSSL has way more features than Fastly is using, and they won't leave it alone, and it's so big and complex it's constantly having bugs and problems that are critical. So the analogy is perfect and, as a consequence, I am seriously considering moving to a much more modest, better-fit-for-us issue tracking system. There's something called Redmine, which looks like it is exactly what I want, mostly because they haven't touched it in a long time and I don't want to spend all my time maintaining a tool which is supposed to be helping us to manage a project. I just want it to manage the project and not require its own maintenance staff. So I can fully understand the trade-off that Fastly is looking to make and has made and, Leo, I think we should tell our listeners about a trade-off they won't have to make.
45:22 - Leo Laporte (Host)
Oh no, this is not a trade-off. This is choosing the perfect product for your particular use. In this case, if you want to become an IT professional or you want your team to be more adept at securing your business, at keeping you safe, at doing the job they do, you need to know about our friends at ITProTV. You almost certainly know about them, but maybe you forgot that they are now ACI Learning. That's the main point: ITProTV is now ACI Learning. You already know ITProTV. They've been with us really since inception; when they started, they started advertising on Security Now. Well, as a part of ACI Learning, now ITPro has expanded the things it can do, providing so much more for you as an individual, as an IT learner, but also for IT teams, for your team. ACI Learning covers all you need with audit, with cybersecurity and with IT training. I mean, it does it all. You get a personal account manager so you make sure you're not doing redundant training, you're not wasting people's time.
People hate it when they learn or are asked to learn something they already know, for one thing, but also, maybe you don't need training in a certain area. In that case, they'll help you tune your training to be exactly what you need, so your team only focuses on the skills that make a difference in your organization and you can leave unnecessary training behind. And, of course, ACI Learning has kept all the fun, all the personality, all the informativeness of ITProTV, their famous sport, while amplifying their robust solutions for all your training needs. Your team will be entertained while they train, and they love it too, with short form content, over 7,200 hours to choose from.
And you might say, well, it's got to be old. No, that's brand new, up to date, because they're always recording in their eight studios every day of the week, so you're getting the most up to date training. Visit go.acilearning.com/twit. For teams that fill out the form, you get a free trial and up to 65% off an ITPro Enterprise Solution Plan. Fill out that form and find out how much you're going to save at go.acilearning.com/twit. We love these guys. They've been such a great sponsor for more than a decade. I think it seems like they started in 2013. I think they did. So just keep up the good work and thank you, ACI Learning. Now back to Steve Gibson, who is going to show us how to write a proper quicksort. No, he's not. That's not what he's going to do.
No. Although I would take that class, Steve, I would. Sanitize your inputs.
48:09 - Steve Gibson (Host)
So recall that last December 1st, Russia put a new communications law into effect which required all hosting providers of Russian websites to register with none other than Roskomnadzor. This law requires all cloud and web hosting providers to register with the Roskomnadzor agency, which is, of course, Russia's telecommunications watchdog. So far, 266 web hosting providers have registered with Roskomnadzor, and all are local companies. Not a single external provider has registered, and those providers are responsible for about one third of all Russian websites. Now, I don't know what's up, but this does seem a little suspicious that not a single external provider has registered. So it makes me wonder whether this is actually like a backhanded Russian way of forcing the remaining one third of Russian sites, which are currently being hosted by external providers, none of which, suspiciously, have registered, and all of which, and here's the point, are subject to being cut off at some point in the future, if this is in some way of forcing all the Russian sites into Mother Russia's hosted services rather than continuing to use those non-Russian territorial providers. We'll see how this goes, but Roskomnadzor has made it clear that at some point non-registered providers will be cut off from access to Russian territory. So again, don't know what that means, but we'll see.
Also, last Tuesday, Google's security blog announced a very nice sounding new feature for Android's password manager. The blog's title is "Effortlessly upgrade to passkeys on Pixel phones with Google Password Manager." Okay, so it turns out this is less Google specific than they're making it sound. Well, I'll explain that in a second. Here's what Google said. They said Google is working to accelerate passkey adoption. That's good for everybody. They said we've launched support for passkeys on Google platforms such as Android and Chrome, and recently we announced that we're making passkeys a default option across personal Google accounts. We're also working with our partners across the industry to make passkeys available on more websites and apps, which, as we know, is what's required for this to make any sense at all. Finally, they said we took things a step further. As part of last December's Pixel feature drop, we introduced a new feature to Google Password Manager: passkey upgrades. With this new feature, Google Password Manager will let you discover which of your accounts support passkeys and help you upgrade with just a few taps. This new passkey upgrade experience is now available on Pixel phones, starting with the Pixel 5a, as well as Pixel Tablet. Google Password Manager will incorporate these updates for other platforms in the future.
Best of all, they wrote, today we're happy to announce that we've teamed up with Adobe, Best Buy, DocuSign, eBay, Kayak, Money Forward, Nintendo, PayPal, Uber, Yahoo Japan and soon TikTok, to help bring you this easy passkey upgrade experience and usher you into the passwordless future, they said. If you have an account with one of these early launch partners, Google Password Manager on Pixel will helpfully guide you to the exact location on the partner's website or app where you can upgrade to a passkey. There's no need to manually hunt for the option in account settings and, because the technology that makes this possible is open, and otherwise, yes, it's actually not Google's, any website or app, as well as any other password manager, can leverage it to help their users upgrade to passkeys for supported accounts. It's all part of Google's commitment, they said, to help make signing in easier and safer. Okay, so they're saying that at launch this initially works with Adobe, Best Buy and so forth, but why them and not everyone? It's just that this group is first to adopt a new standard. We've all seen how our password managers are able to perform a security checkup, right, like to notify us when we may have reused a password somewhere, where we're using the same password for two different accounts. So this is our password managers being proactive about our security. Well, it turns out that there's an open standard means by which any website that supports passkeys is able to advertise the fact that it supports passkeys in a way that any password manager is able to check for and, similarly, advise.
I did a bit of digging and I found the page where Google describes this. It's titled "Promote passkey upgrades in Google Password Manager." Of course, this actually applies to any password manager that does this. There's nothing Google Password Manager specific about this. Anyway, they wrote there, now this is aimed at web app and website developers, so that's the portion of the site where this was found. So, talking to website developers, they said integrating passkeys into your app or website is just the beginning of your passkey journey.
After your initial deployment, one of the challenges you will likely encounter is making sure your users understand what passkeys are and how to create them. You should suggest creating a passkey immediately after the user signs in using their password and verifying with a second factor. Remembering passwords and entering one-time passwords while switching between different apps and tools can be frustrating for users. Recommending the creation of a passkey at this moment is an opportune time, as users are likely feeling this frustration. In addition to the self-managed promotions, Google Password Manager can now suggest creating a new passkey on behalf of your website or app. So, under the user's experience, they say, on Pixel devices, Google Password Manager discovers that your website or app supports passkeys, suggests users create a new passkey and directs them to your passkey creation page. Leaving Google out of this.
What this is about is a very welcome, standardized and uniform way for any passkey-supporting site to declare its support in a machine-readable way. So this is, as I said, more broad than just Google. You know, this means that any password manager on any platform, are you listening, Bitwarden, could examine the entire inventory of its user's saved passwords and use this standardized protocol to proactively check the web domain of each password for its support of passkeys. And if an available passkey had not yet been configured on that account, the password manager could take the user directly to that site's passkey setup page.
The standard used is one we've talked about before. It's the /.well-known web directory which is located at the root of a domain, and there's a passkey-endpoints JSON-formatted file there under that well-known directory that contains two URLs, one to enroll a new passkey and another to manage existing passkeys. So again, any passkey-supporting site should take every opportunity to enroll its users the next time they're logging into the site and the site sees that they're using a passkey-supporting client. That's the primary way we can expect passkeys to become adopted, but it will also be cool for them to be able to come at this from the direction of the passkey-enabled password manager, to have them reveal the sites to which we could enroll and switch over to passkey logon and authentication. I agree, so very cool.
58:58 - Leo Laporte (Host)
Now that Bitwarden supports passkeys, I find myself much more likely to use it because it's cross platform, because I work on all platforms. So, yeah, Apple, I have my passkeys for some things in my iPhone, but if it's not everywhere it's not useful. So I really like it that Bitwarden supports it and I've used it a number of times now to log into Google and stuff and it's like wow, that was easy, really is good. Yeah, I wish we'd done SQRL, but hey, next best thing.
59:24 - Steve Gibson (Host)
We got what? Well, if wishes were fishes or something? So okay, and just a quick note that Mozilla has added support for post-quantum cryptography to its developer Firefox Nightly builds. So we'll all be seeing it once the release build is published on the main channel. It can be enabled as soon as it's available by going to about:config and then looking for security.tls.enable_kyber. And the good news is that Firefox has search in that about:config. I mean, remember how long that about:config is. I mean it's ridiculous. The scroll bar just disappears on the screen.
There's so many things that you can tune and tweak, so you're able to do a substring search. So you could just put in kyber and it would immediately bring you to that entry. So anyway, just a nice forward move for Firefox, and I've got some feedback to share before we get to the main goodie here. Jeff Zellin. He said Steve, I've been a listener to Security Now for quite some time and I've really enjoyed and gotten a lot out of your, what he calls the correspondence school that we conduct here every week. He said I wanted to let you know there is a way to get your TOTP tokens out of LastPass. It's a little Python script that rebuilds the QR codes for you. It also allows you to print them off, in case you didn't know about the, quote, Steve Gibson offline backup and storage technique, which of course is printing all. I have printed out every QR code for every one of my one-time passwords and stapled them together in a sheaf and they're in a drawer and it's come in handy a couple of times.
01:01:31 - Leo Laporte (Host)
Sure, no it's good to have that.
01:01:32 - Steve Gibson (Host)
Yeah, when I needed to bring up a new device. So anyway, Jeff wrote later to say I didn't write this. I didn't mean to say that I wrote this. Anyway, I've got a link to it. It's on GitHub; if you search for LastPass authenticator export, you'll find it. I checked it out and it looks nifty. It allows you to regenerate your original QR codes, which you may have fed to LastPass and, if so, display them, capture them by a device that may be starved for them, or print them out. So anyway, just a cool note.
I wanted to make sure that our listeners knew that was available. Thank you, Jeff. Brenty said, RE oddly inflated app data. He said if you look in iPad or iOS Settings, General, iPhone/iPad Storage, wait for the list to load and then select an app, you'll see that the size of the app itself is listed separately from its documents and data. He said, and this is referring to a question that came up last week, he said, when trying to free up some storage space previously, I found a few apps whose documents and data appeared to be way more than seemed reasonable. Remember it was that Credit Karma was occupying a gig of space in some guy's phone and he's like what? So, anyway, Brenty says that he deleted the app, reinstalled it and it was now at one tenth of the size it had been previously. And he said so.
My theory is that some, maybe many, maybe most, have logging, caching and likely other unnecessary stale data that builds up over time which they simply don't bother to clean up on their own. So, yes, deleting and reinstalling will likely save you a lot of space. Of course, I've always found the same is true with setting up a new version of Windows. It's like, oh well, let's just start over again. Someone whose handle is Mental Calm, today he said, greetings Steve, longtime SN student, TWiT Club member, SpinRite user. He says so excited that you have 6.1 ready for primetime.
I'm reaching out to say thanks for your mention of Learn DMARC yesterday. So he was tweeting on Wednesday. He said it's really helpful, RE a confusing protocol. So this just serves as a reminder to me to mention that Learn DMARC website, and that's learndmarc.com, that we mentioned and took a look at last week. It was a huge hit among our listeners. From all the feedback that I've seen, one person said that the site was offline and suggested maybe that it was because we mentioned it. That would be flattering, except that the nature of a podcast is that the listening is well distributed in time, so it's not like a, you know, a purely live event where, you know, we bring websites down by talking about it. But, you know, and I guess what, we used to do that back in the tech days.
01:05:13 - Leo Laporte (Host)
Oh yeah, they called it Slashdotting a site. It's been a while since we've done that.
01:05:23 - Steve Gibson (Host)
Frankly, having downloads distributed is a good thing because, you know, it's better for everybody. Ron tweeted, Hi Steve, this is in regards to Sync. I messaged them after your item on Security Now and this is what I received, he said, and then he quoted what Sync responded, saying: Hi there, Ronald Bailey from Sync here, thanks for reaching out. There was a bug identified within the Sync mobile app regarding the iOS Files app integration which prevented folks from navigating within the Sync folders and files involved via the Files app. Users were still able to navigate within the Sync mobile app. This Files app integration bug has now been resolved. There's a link to it. Let us know if you have any further suggestions. Thanks again, writes Bailey from Sync. So anyway, just a follow-up to that previous listener who was feeling a little despondent because the reply he got from Sync suggested that, well, yeah, so don't do that, we'll get around to it someday. You know, that put us all off of Sync a little bit, it's like what, but apparently that was it. That was a red herring. Sync did get on it quickly and fixed it and it's back up and running. So thank you everybody.
Jonathan Rouse said, hello, Mr. Gibson, exclamation point. Firstly, you have been a role model for me all throughout high school, college and now as I redirect my career into education. Nice. Thank you for the hours of laughs and education, as well as Leo and the rest of the TWiT team. I figured you might want to see the response Windows Defender gave, and then he cites the version of Windows Defender, when downloading the SpinRite 6.1 pre-release. After manually allowing the program, it went along perfectly in creating a USB boot drive, but regardless, I wanted to show you what I encountered. I'm hoping the new and improved ISO created will work with Ventoy bootable drives as well and I can't wait to try it out. Thanks again for all the years of dedication and I hope to be half the teacher you seem to be in your sleep.
01:07:47 - Leo Laporte (Host)
So first of all, sleeping, I want to.
01:07:50 - Steve Gibson (Host)
I can only say, and I know that you, Leo, feel similarly, that I am so pleased that this podcast and TWiT have been so useful to you. You bet, yeah. The good news is that, since you're just starting out, you have a lifetime of teaching ahead of you, so I do wish you all the best as you launch into your career. As for Windows Defender's reactions to SpinRite, yes, it continues to be an annoyance, but I noted that he sent his tweet last Tuesday and things may have become better since. Most recent experimentation suggests that Windows Defender is happier. And as for Ventoy, you will likely have discovered that SpinRite 6.1 and Ventoy are not getting along currently, but that will be resolved shortly. I'll have more to say about Ventoy in a minute when I update everybody about SpinRite. Huge fan of Ventoy.
01:08:47 - Leo Laporte (Host)
I really like that. I use it all. Thank you, yeah, good, good, good very nice.
01:08:52 - Steve Gibson (Host)
Yeah, another, Thomas is his handle. He said, @SGgrc, about the crypto-signing camera. He said it can work if the private key is in a removable HSM assigned to the photographer; he/she or she/he will then be able to prove that she/he is the author. Now, okay, that is some nice thinking outside the box, or, in this case, outside the camera. If this were done, it would make the private key about the owner of the key, not about the camera, right? And the key is presumably more easily protected by them than having the key locked inside the camera. You know, you still have to protect the key, but owners would have the incentive to do that since their photographic reputation is on the line. So, anyway, I haven't heard anyone talk about that. I think that's a very neat idea.
01:09:57 - Leo Laporte (Host)
It's not the problem that they're trying to solve, though. They're trying to solve the problem of authenticity of the photo. And correct, I just, I have been playing with this Content, I think you call it. What is it? It was a name for it, Content.
01:10:16 - Steve Gibson (Host)
The content protection, yeah, stuff.
01:10:18 - Leo Laporte (Host)
Yeah, and I have it turned on on my camera right now and it associates the serial number, I guess, with the name, I don't know. Now you can remove it. You absolutely can remove it, because you can remove any EXIF information in a photo by just JPEGing it and, you know, saying don't save the EXIF. There's lots of ways to strip off EXIF. But I guess the point is that this is going to be used by news organizations where they could, they aren't going to remove it, and they could provably say this is created by this camera at this time and that can't be modified.
So right, you know, I think that's the idea, is that this photo is not a fake, you know? And here's the chain of custody. It even shows in this information, you know, how I edited it and so forth, you know, what program was used to edit. I think it shows that somewhere, maybe not on this one, but it does have it.
01:11:13 - Steve Gibson (Host)
I know that, if you're using Adobe's tools, yeah, which are the only ones that are authorized to do this, it does absolutely, you know, create basically a chain of custody through the editing.
Yeah, yes, and you make a really good point because it's not trying to authenticate the reputation of the person who took the picture, if the reputation is assumed, like, you know, an accredited, well-known news agency. Which brings us to the next question that Dell Anderson asked. He said, grateful you're going past 999, can't help but ask a basic question about digital camera authentication. What would prevent a very low-tech workaround where the digital camera, like a Nikon, Leica, etc., takes a perfectly authenticated photograph of a digitally manipulated image?
01:12:21 - Leo Laporte (Host)
Ah, the excellent point, an analog loophole. Yep.
01:12:27 - Steve Gibson (Host)
How would this fancy Nikon camera know it was photographing a high-resolution 2D image rather than reality? Yeah, and so I replied to Dell that I had the same thought, as I imagine many of us have. The problem is that the "authentication", and I have that in quotes, does not and cannot extend out to the actual landscape or subject that's being photographed.
This signing technology is intended to prevent the manipulation of an image's digital recording after it's been captured optically. But doesn't this beg the question, what's to prevent someone from presenting a fake scene to the camera to capture and then sign? Okay, now I understand that this is a different problem. This is not the problem this camera was designed to prevent. This camera was designed to prevent undetected post-image-capture manipulation, and what it was designed to prevent is a significant problem. You know, so.
Anyway, I think that, you know, what we have to keep in mind is the threat model and what it is we're trying to say. We're unable to say, you know, Leo, as you instantly got, we're unable to say that the scene that the camera took a picture of was authentic. What we are able to say is, to the best of our ability, after the camera took the picture, we know exactly what was done to it in a verifiable fashion. So again, you know. And what's cool about this is we talk about threat models and what we can and cannot assert in the realm of security. So there's a perfect example of what we can and cannot assert and what we can and cannot protect. Which, by the way, I want to thank.
01:14:30 - Leo Laporte (Host)
You gave me an excuse to buy a new camera, so I appreciate that, Steve. Oh, Leo, for that research you have. That I had to do it.
01:14:37 - Steve Gibson (Host)
Absolutely, exactly, yeah, and if the IRS, you know, ever audits you and says, I'll give him this, give him a, give you exactly, you know, absolutely important that you were able to demonstrate that. Slartibartfast, I love the name. You know where that's from, we know, we know, right. I wonder if Google needs a native iOS engine to make the new ad auction stuff work? And the answer is absolutely and without question. The entire Privacy Sandbox API is a collection of new web browser features intrinsic to the web browser that requires a bunch of data storage locally. I'm sure this is why they've been working on a native implementation for iOS, even though it isn't clear to the outside world how they might get it into iOS.
There is, you know, there's so much that we don't know yet about how we're gonna get to where we are today. You know, Google wants to move the entire world, and moving the world is no exaggeration, you know, given that advertising supports the internet, the required size of this change would be difficult to overstate. Like, everything needs to change. Google already has control of nearly all desktops and Android, which are the majority of smartphones. So I guess my questions are, what are Mozilla and Apple thinking about this? You know, what conversations may be going on among them, because this is big stuff, and actually this is what we're gonna be talking about here as we end today's podcast. Ion tweeted, and I know what his first name is, it's not actually Ion. He said Stephen, I'm personally inviting you to the gathering of the Stevens.
01:16:49 - Leo Laporte (Host)
Note how it's written. I love it. Yes, it's PhD.
01:16:53 - Steve Gibson (Host)
Yes, he said next year, in 2025, we're going to set a Guinness World Record for the most people named Stephen in one area. First goal: gather the Stevens in this Discord, and he provided a link. Next goal: conquer the world. And he said, you down, you down? So I thanked Ion, whose first name is presumably Stephen, for thinking of me, but I explained that I was pretty sure that traveling to a massive meeting of people with whom I phonetically share a first name, for the sake of contributing with my presence to the setting of a Guinness Book record, is not something that, when the time was approaching, I would be glad I was taking the time to do, but I told him that I looked forward to hearing more about how it goes, even in absentia.
01:17:54 - Leo Laporte (Host)
So, no, thank you, Stephen. We're having fun creating the regular expression for Stephen, with a ph or a v, in Discord, and I think we got it actually, curly braces and then a couple brackets and an or. Yep.
01:18:17 - Steve Gibson (Host)
Yep, okay, so we've all seen video segments of complex manufacturing facilities where thousands, if not hundreds of thousands, of cans or, you know, something, bottles or boxes or whatever, are moving through a complex system that's sorting and spinning and stamping and printing or counting or whatever it's doing. You know, like these crazy looking manufacturing facilities, you know, treadmills and gates opening and closing, routing stuff. I love that.
01:18:54 - Leo Laporte (Host)
It's one of the things I love on TikTok. There's a bunch of TikTok videos of how stuff's made.
01:19:01 - Steve Gibson (Host)
It's always fascinating, always very cool, yeah, so Just as some of those pre electronics, early computers, used banks of mechanical relays. You know, back before the advent of the, you know back before the advent of computers, process control engineers, as they're called, would design insanely complex control systems built up from individual mechanical relays. We would call such a system discrete as opposed to integrated. Then, blessedly, integrated electronic solutions became cost effective and these large process control solutions were replaced by plc systems, programmable logic controllers. These plcs were not very smart because they didn't need to be. Basically they were replacing a bunch of relays. You know they were essentially if a, then b, wait until c, then do d and once e go back to the start. But being solid state, they were at least more reliable. Now, remember that we have the term Of a hardware or software bug, because back in 1947 a dead moth, you know a bug, was found to be the underlying cause of harvard's mark 2 relay computer not working correctly. Anyway, you know relays are not as reliable as solid state because you know they can actually have bugs. Anyway, we've talked about these plcs On this podcast multiple times because attaching them to the internet has turned out to be a generally really bad idea. They were never designed for that and it hasn't been turning out well.
I'm bringing all this up today because I received a long, insightful and interesting direct message From a listener whose thoughts about the problems with plcs are worth sharing. Here's what dillon wrote. He said good day. I am an engineer and occasionally work with programmable logic controllers and I have some thoughts on why these sadly make the news in a bad way Sometimes. I believe most of the problems boil down to two root causes. Number one Increased demand for real time data. Just like the can bus protocol in the automotive industry, plcs were invented and took hold in manufacturing when security was not a concern and on protocols were developed to have plcs talk to each other and to advanced peripherals like motor controllers, touchscreens, printers or even skata supervisory control and data acquisition computers. I believe the demand for telemetry and data aggregation is the real reason most plcs get exposed, not because remote WAN side control is needed or used. I have experienced this.
Management wants to know how many widgets were produced, how fast they were produced, how many passed QC. Was there downtime? Was it planned? Are there idle shift hours? Is one shift of operators more efficient than another? And on and on and on. He says I don't need or want to remotely access a PLC and a machine to change anything about it. It has done the same job over and over and over correctly for a decade. But the data the PLC can store and transmit is the reason it's connected to a network and polled every 15 minutes for new numbers. To satisfy this need, PLC manufacturers are building in web servers, SQLite databases, TCP/IP stacks and a lot of things that have no business being attached to a device based on 1960s technology that has no provision for security. Again, going back to the automotive comparison, the inventors of CAN bus at Robert Bosch company could not have imagined cars would be driving down the road with IP addresses connected to a global network all the time and would have security flaws that let anyone observe and change CAN bus communications inside the vehicle. And then he says, number two: security-conscious staff are not involved with PLCs.
Even though many consider PLCs to be outdated, at the end of the day they are exactly like an Arduino or similar microcontroller. They store a program that is executed in a loop at high speed and the code is evaluated every scan through the ladder logic. And just a quick plug: they do this for decades in terrible environments with noisy electrical signals and with fantastic circuit protections. Reverse the polarity on your Arduino and you're going to Amazon to shop for another one. Reverse the polarity on a PLC, not a darn thing happens. You'll realize you made a stupid mistake, flip the polarity back and everything works.
Anyway, he says, the people who program these are aging out and I suspect globally fewer people know how to program ladder logic than did 20 years ago. I'm 36 and I learned to program them 15 years ago, but it seems I'm in the minority in my age group amongst peers in my industry. My observation is this: IT people don't understand or want to understand PLCs, and PLC programmers have no incentive or instruction to make the devices secure. IT staff doesn't consult with the programmers to tell them what security practices they should follow or review the final configuration of the PLC. Conversely, the programmer just needs the machine to work and they're probably fighting numerous mechanical, electrical and pneumatic problems while completing the programming. And those pneumatic problems.
01:26:10 - Leo Laporte (Host)
We had a pneumatic problem.
01:26:11 - Steve Gibson (Host)
That's why I didn't get the code.
01:26:12 - Leo Laporte (Host)
Do not underestimate those. They can be a nightmare.
01:26:17 - Steve Gibson (Host)
You do not want a problem with your air pressure. No, any extra changes could break the house of cards they've been building. Imagine everything seems to be working but all that remains is a communication problem. Some PLCs have manuals 700 to 1000 pages long and various communication features are scattered throughout the PDF. No organization there. An inexperienced programmer or engineer who's under pressure to complete the already late project might just start turning everything on, even if they don't know what it is or what the risks are.
Require authentication? Nah, uncheck that box, that could be the problem. Max number of connections equals one? Well, I don't know what counts and what doesn't, so let's just set it to 10. Set admin password? Better make sure that's blank or default. You know, don't want to, you know, don't want to keep something from connecting. Oh, and don't change the port number. That other device over there might be assuming the default port is used. We don't want to break something that works now and lose ground.
He says honestly, I don't even think we are ever going to fix this. Either industries will eventually move to more advanced systems, which is already happening in some cases, like PC based control with National Instruments LabVIEW or their competitors, or existing older PLCs just need to be kept in a DMZ or well guarded network segment. The trouble is, when things aren't broke, they don't get fixed. So already exposed or at risk PLCs are just going to be sitting there connected to networks to harvest data, waiting to be leveraged for attacks, and these are the things that keep massive swaths of our public utilities functioning. So, Dylan, I think you got all of that exactly right, and I've said it before, I'm sure this won't be the last time I say it: this podcast has amazing listeners, no kidding. So thank you, Dylan.
01:28:39 - Leo Laporte (Host)
There's something cool about PLCs. Is it kind of like writing in assembly language to write to one? Or, yeah, it's a very low level tree logic.
01:28:49 - Steve Gibson (Host)
So it's literally if A then B, if not, or wait this long, then trigger this. I mean, it is the thing that moves the arms back and forth in those assembly lines.
01:29:03 - Leo Laporte (Host)
I'm sure there are high level interfaces, though, to see. Forth was originally designed to do that, to program those things. Well, Forth was designed to aim a radio telescope. That's right, yeah, I imagine the aiming mechanism was something like a PLC.
01:29:21 - Steve Gibson (Host)
It was definitely, you know, turn motor on, wait till star moves to center, turn motor off.
01:29:27 - Leo Laporte (Host)
Exactly, yeah, Charles Moore. Yeah, yep, I love this stuff. There's something cool about putting your code in a hardware device.
01:29:35 - Steve Gibson (Host)
Well, Leo, it's a robot. Robots are cool, very cool, so it is cool. Yeah, it's cool about, I mean, like the way to motivate, you know, grade schoolers is robots. Yeah, remember, Logo was the original, the old turtle logic, the old 12. Yeah, exactly yeah.
01:29:53 - Leo Laporte (Host)
Yeah, and of course, start is a great way for high school students to get into robotics. The start competition yeah, you're right, that's cool.
01:30:01 - Steve Gibson (Host)
Yeah, I think the idea, and I think also that's where. What is that world that you create? Oh, lego blocks.
01:30:10 - Leo Laporte (Host)
Yeah, yeah, Roblox, yeah, Roblox. They're absolutely learning that kind of logic in Roblox, exactly what they're learning. Yeah, man, I wish I, you know, I would wish I had another 50 or 60 years. I'd like to really get into some of this stuff. Very cool, okay.
01:30:26 - Steve Gibson (Host)
So lastly, just quickly on the SpinRite front, last week I rewrote GRC's code signing system, my original design.
Oh, you just rewrote it in a week, no bigs. Well, I knew how it worked by then. It took me a month to get it working the first time. But yeah, I did rewrite it because the way I had done it, which was to build the code signing into GRC's server code, had not proven to be 100% reliable. And it needs to be. It turned out that when I was restarting the server, the code signing system did not like that restart, so that was a problem. Anyway, so I redesigned the system under a client server model where we now have code signing as a service. The code signing service runs in the background, with the web server being the service's client, sending it files to be signed. So far, I'm feeling really good about it. It came up, it worked the first time and it has been flawless ever since. It has never stumbled or had a problem, so this feels like exactly the right solution. Oh, and in the process I was able to switch the signing from using SHA-1 over to SHA-256, so that feels better too.
Now SpinRite's paint continues to dry nicely. One popular tool, which I think is the right way to put it, one popular tool for carrying around and booting ISO image files is something called Ventoy, which, Leo, you obviously are a fan of. When I initially heard someone report that SpinRite 6's ISO, SpinRite 6.0's ISO files worked fine with Ventoy, but the various pre-releases of SpinRite 6.1 did not, I planned to eventually get around to looking into what was going on with that. That's the sort of thing one does while the paint is drying. So once I got the signing system redesigned and apparently finally working perfectly, I took a look at Ventoy, which I've never used, since I don't do a lot of portable ISO image booting.
01:32:44 - Leo Laporte (Host)
Yeah, it's widely used for things like having 20 Linux distros on a single USB key.
01:32:49 - Steve Gibson (Host)
Which you are welcome to yes.
01:32:55 - Leo Laporte (Host)
Well, here's a good example. I would love to have SpinRite plus the Windows installer on a single USB key and be able to switch between the two, right?
01:33:03 - Steve Gibson (Host)
So I brought myself up to speed on Sunday. It is a very slick open source project and tool. It's installed onto a USB thumb drive. Then you simply drop ISO files into its directory. When that drive is then booted, it presents a list of the ISO files it found and allows its user to select any of them to be booted. So I certainly understand its appeal for anyone who wants to carry a toolkit around on a thumb drive. Right, okay. Anyway, it turns out that the DOS environment Ventoy creates does not have, or the PC machine environment that DOS boots into doesn't have, the HMA. That's the high memory area. Now, okay, the high memory area is one of the cleverest hacks ever invented.
01:34:05 - Leo Laporte (Host)
Underscore hack however.
01:34:07 - Steve Gibson (Host)
And it is a hack. It is a 64K memory segment that starts at FFFF, the last 16 byte paragraph of the machine's first one megabyte of RAM. Since memory in a segmented memory model is referenced by a positive offset from the start of a segment, starting a segment at FFFF allows for accessing 64K minus 16 bytes past the one megabyte point. In other words, this allowed PCs still running in real mode to access an additional 64K of RAM when they were only supposed to be able to access a megabyte. It's actually a megabyte plus 64K minus 16 bytes. Anyway, it is a neat hack that the PC industry came up with and adopted in the later years of DOS, and all recent DOSes have been able to load themselves and their buffers into that region in order to leave more conventional memory available for their programs to run.
Since the DOS execution environment created by Ventoy does not provide that, it forces DOS to load low, and it turns out that there is just barely insufficient RAM left over for SpinRite 6.1 to run, and I mean just barely.
It turns out that the slightly smaller size of an unsigned version of SpinRite, which is a few K smaller, does run, as easily does the much smaller DOS-only SpinRite executable. So after today's podcast, I'm going to tweak the Windows component of SpinRite, which is why we let paint dry just a bit, so that the bootable ISO image it builds will contain SpinRite's 81K DOS executable rather than the full 250K hybrid DOS and Windows executable. That smaller SpinRite for DOS should then run without any trouble under Ventoy, and a bootable ISO has no need for the full, larger Windows version anyway. In the meantime, nothing new, not one new bug has appeared in the last several weeks, despite the fact that more than a thousand people now have downloaded and have been using the pre-release, this release candidate 6 of 6.1. So I'm going to continue to let the paint dry while I work to get this new SpinRite documented online, then on bringing up GRC's email system, and at that point we'll start letting everyone know that it is ready for prime time.
01:37:22 - Leo Laporte (Host)
Very good, how exciting.
01:37:25 - Steve Gibson (Host)
It is very exciting and, Leo, let's tell our listeners about the advertiser they're excited to hear about.
01:37:32 - Leo Laporte (Host)
I will, and we're going to do something exciting and fun.
01:37:40 - Steve Gibson (Host)
Like something very disturbing.
01:37:42 - Leo Laporte (Host)
Uh-oh. Well, you want something disturbing. I got a real story just came in: three million malware infected smart toothbrushes have been used in Swiss DDoS attacks. These toothbrushes, I have one at home, have a Mram, they have a processor and apparently they're hackable and have been enslaved, that's a little bit of an inappropriate word, into botnets. Inscripted, how about that? Into botnets and used in DDoS attacks. Can you believe that? This is from Tom's Hardware. Thank you, Tom's Hardware, for that dystopian vision. You might want to secure your toothbrush. I don't know how you would do that. You can't take.
01:38:32 - Steve Gibson (Host)
I guess they're online, I don't know what you can do to.
01:38:36 - Leo Laporte (Host)
You know, and I also want to plug, before we get into the ad, I'd want to mention Club Twit, one of our. One of your uh uh correspondents there mentioned that he was a club member. But I'm hoping people are saying, well, what is that? Well, it is how we are supporting this effort going forward. Steve says we're going past 999.
Advertisers were maybe a little less buoyant about the prospect. We've decided that in order to really keep this thing going and we really really want to keep it going we need to get you involved, our listeners. I always had that as the vision. I always really wanted this to be uh ad, not ad supported, but but listener supported. Uh, and you know, the nice thing about having ad support was we can make it available for free and we will. We will continue to do so to people who can't afford it. But if you can, seven bucks a month gets you ad free versions of all of our shows. It gets you uh access to special shows we don't put out anywhere else, like uh, scott Wilkinson's home theater geeks.
iOS Today is now inside the club, um, the Untitled Linux Show, Hands on Mac, Hands on Windows, a lot of great content. Uh, plus, you also get access to one of the best communities ever, which is our Club Twit discourse. Everybody who's there paid at least seven bucks a month to be there. You'd be amazed at how that improves the level of discourse. You know, eliminates trolling. People are great, they're nice, they're smart, we have wonderful conversations. If you're interested and then you would like to keep this show going and all of our shows going, we would love you to be part of the club. Uh, all you have to. In fact, if we just get, if today we're at 10,922 paid members, all we need is 78 more members right now. If we could cross that 11,000 mark right now, that would make me feel pretty darn good. Visit twit.tv/clubtwit and uh and join the fun, and we thank you in advance for your support. I should mention, of course, our sponsors are very much a part of what we do. Still, we love them, and our sponsor for this segment of Security Now is Vanta.
From dozens of spreadsheets yeah, people still use spreadsheets to fragmented tools, to manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging. Are you using a spreadsheet to keep track? Oh, please, you need Vanta, the leading trust management platform. Vanta helps you centralize your efforts to establish trust and grow across your organization. G2 says Vanta is the best. They love Vanta. Year after year, they've loved Vanta. Here's a review example, just one of many from G2, from a chief technology officer quote there is no doubt about Vanta's effect on building trust with our customers.
As we work more with Vanta, we can provide more information to our current and potential customers about how committed we are to information security, and Vanta is at the heart of it. They're scared. They want to know that you're protecting their data. Automate up to 90% of compliance, strengthen your security posture, streamline security reviews and reduce third party risk. You don't want to say, hey, you see, we got this spreadsheet, you see, we're very set. You don't want to do that. You need Vanta.
Speaking of risk, oh, here's one. Security Now listeners, Vanta is offering you a free risk assessment. All you have to do is go to vanta.com/securitynow. Generate a gap assessment of your security and compliance posture, discover shadow IT and understand the key actions to de-risk your organization. It's all at vanta.com/securitynow. Get that free risk assessment. You need this, you want this and you'll find out more about Vanta at vanta.com/securitynow. And I love, I love their slogan, compliance that doesn't SOC 2 much. Vanta, we thank them so much for their support. On we go with the show, and the scary part is now. Okay, this is for grownups, this part, yes.
01:42:56 - Steve Gibson (Host)
So yeah, everybody knows how bullish and excited I am about Google's privacy sandbox. Yes, so we all know I'm a bit of a fanboy for technology, and this is a bunch of very interesting new technology that solves some very old problems. Google clearly understands that their economic model is endangered due to the fundamental tension that exists between advertisers, primarily themselves, who demand to know everything possible about the viewers of their ads, and those viewers, along with their governments, who are becoming increasingly concerned about privacy and anonymity. The emergence of Global Privacy Control and the return of DNT (Do Not Track) has not gone unnoticed by anyone whose cash flow depends upon knowing something about the visitors to their websites. As we've been covering this through the years, we've watched Google iterate on a solution to this very thorny problem, and I believe, though the final solution was to transfer the entire problem into the user's browser, that they found a solution that really can work. But, and this is a huge but that informs today's title topic, it appears that the rest of the world does not plan to go down without a fight. Not everyone is convinced. Certainly not everyone believes that they're going to need to follow Google, and it turns out that there is a workaround. That is not good. So a recent Financial Times headline read "Amazon strikes ad data deal with Reach as Google kills off cookies," which was followed by the subhead "Media sector scrambles to deal with fallout from phase out of cross website trackers." So, with a little bit of editing of the content for our listeners, the Financial Times writes: Tech giant Amazon has struck a deal with the UK's largest publisher, Reach, to obtain customer data to target online advertising as the media industry scrambles to respond to Google's move to axe cookies.
In one of the first such agreements in Europe, Amazon and Reach unveiled a partnership on Monday designed to compensate for the loss of third party cookies that help gather information about users by tracking their activity across websites to help target advertising. Google said this month that it had started to remove cookies on its Chrome browser, following a similar move by Apple to block them on Safari, aiming to switch off all third party cookies by the end of the year. Reach said it will partner with Amazon on sharing contextual first party data, for example allowing advertisers to know what articles people are looking at, with the US tech group using the information to sell more targeted advertising on the UK publisher's sites. The company said the deal comes, quote, as the advertising world tackles deprecation of third party cookies, a long anticipated industry milestone that Google kickstarted in early January, unquote. Financial details for the arrangement were not revealed. The partnership involves the contextual advertising of Mantis, originally a brand safety tool that could ensure that brands were not being presented next to potentially harmful or inappropriate content. The tool is also now used to place ads next to content users may want to see, helping to better target specific audiences with relevant advertising. Other publishers also use Mantis. Amazon's director of EU ad tech, Fraser Locke, said that, quote, as the industry shifts towards an environment where cookies are not available, first party contextual signals are critical in helping us develop actionable insights that enable our advertisers to reach relevant audiences without sacrificing reach, relevancy or ad performance, unquote.
The loss of cookies means that almost all internet users will become close to unidentifiable for advertisers. The risk for advertisers is that their advertising offer becomes much less valuable at a time when they're already losing ad revenues, which has led to thousands of job cuts in the past year. Reach last year announced 450 roles would be axed. Other media groups are also looking at deals involving their customer data. According to industry executives, some publishers are experimenting more with registration pages or paywalls that mean people first give first party information that they can use, such as email addresses and logins. Reach is already seeking to harvest more such data from readers.
John Steinberg, chief executive of Future, said that the, quote, elimination of third party cookies is one of the biggest changes to the advertising market in the digital age, unquote. He added that, quote, advertisers and agencies will be looking to publishers that have high quality editorial scale and rich first party data, unquote, and predicted that, quote, advertisers, agencies and quality publishers will work even more closely together to reach audiences that drive outcomes for brands, unquote. Sir Martin Sorrell, chief executive of advertising firm S4 Capital, said that some clients that did not have access to first party data on their customers were panicking. He said that there would be more focus on getting customers to sign up to websites with their information as companies attempted to boost their stores of consented data. Unquote.
Okay, so let's think about this for a minute. This notion of requiring more user signups is interesting and it's not something that had occurred to me before. This article makes it clear that the advertising industry is not going to let go and go down without a fight. They don't want to change, they don't want to adopt Google's strongly anonymous, interest-based solution. No, they want to continue to know everything they possibly can about everyone, which is something Google's dominant Chrome browser will begin actively working to prevent, at least using the traditional tracking methodology. So what are they going to do and what's up with this signing into sites business?
It occurred to me that one way of thinking about the traditional presence of third-party tracking cookies is that, because they effectively identify who is going from site to site on the Internet, there's no need for us to explicitly sign up when we arrive somewhere for the purpose of identifying ourselves to the site and its advertisers. Cookies do that for us, silently and unseen, on our behalf. Who we are when we visit a website is already known from all of the cookies our browsers transmit in response to all of the transparent pixels and beacons and scripts and ads that laden today's typical website. But soon all of that traditional, silent, continuous background identification tracking is going to be prevented and the advertising industry is finally waking up to that reality. What this means for a website itself is a significant, perhaps even drastic, reduction in advertising revenue, since, as we know, advertisers will pay much more for an advertisement that's shown to someone whose interests and history they know. That allows them to choose the most relevant ads from their inventory, which makes the presentation of the ad that the viewer sees more valuable and thus generates more revenue for the website that's hosting the ad.
And that's, of course, been the whole point of all this tracking. That's why websites themselves have never been anti-tracking, and it's the reason so many websites cause their visitors' browsers to contact so many third party domains. It's good for business from the website's perspective and it increases the site's revenue. And besides, visitors don't see any of that happening. So tomorrow, when visitors swing by a website with Chrome, which no longer allows tracking, and those visitors are therefore anonymous and far less valuable to that site's advertisers, how does a website itself de-anonymize its visitors to know who they are for the purpose of identifying them to its advertisers, so that those advertisers will pay that site as much money as possible?
We thought those cookie permission pop-ups were bad, but things might soon be getting much worse and those sign up to create an account forms may also attempt to obtain as much demographic information as possible about their visitors. You know, oh, while you're here creating an account, please tell us a bit more about yourself by filling out the form below, so that we can better tailor our content to your needs and interests. Uh-huh, right. Such form fill will likely be a one time event per browser, since a persistent first party logon cookie will then be given to our browser to hold and return to the site. So it will only be a brief hassle once.
But the result of filling out a form to create an account at every site which might begin to require one will be that our visits to that site will no longer even have the pretense of anonymity. We will be known to that site and thus we will in turn be known to every one of that site's advertisers. We may forget that we have an account there. We may find our name shown in the upper right hand corner of the screen with a menu allowing us to log out, change our email address, our password, etc. And password managers are likely going to become even more important because typical internet users will be juggling many more internet login accounts than they've ever needed before. Historically, we only ever needed to log on to a site when we had some need to create an enduring relationship with that site.
That is what promises to change. Sites with which we have no interest or need to be known will begin insisting that we tell them who we are in exchange for access to their content, even though it will be free, and the reason for their insistence will be that we become a much more valuable visitor once they're able, in turn, to tell their advertisers exactly who we are. And it's all perfectly legal because no tracking is happening. We sign up and implicitly grant our permission for our real world identities to be shared with any and all of that site's business associates. Most people will have no idea what's going on. Maybe it won't actually be that big a deal. It won't be obvious why sites they've been visiting for years are suddenly asking them to create an account. They already have lots of other accounts everywhere else, and the site won't be asking for money just for their identities, which most people are not concerned about divulging.
One thing we can be certain of is that a trend of forced identification before the content of an advertising supported website can be viewed will cause the EFF to have a conniption. Nothing could ever be more antithetical to their principles. The EFF wants nothing short of absolute and complete anonymity for all users of the Internet, so this represents a massive step directly away from that goal. The EFF would be well served, in fact, to get behind Google's initiative, which is far more privacy preserving than this end around that appears to be looming. It almost makes third party cookie tracking look attractive by comparison. I don't want to be forced to create accounts for every low value website I might visit briefly. If this happens, it's going to change the way the Internet feels. It's going to be interesting to see how all this shakes out and, yes, I am more glad than ever to be going past episode 999, since it's going to be very interesting to be observing and sharing what comes next.
01:59:36 - Leo Laporte (Host)
We agree, our mission has really just begun. For a long time, the last five years, I thought, well, we've kind of done it all. How much fun is there in the newest iPhone or whatever? But no, I think times are getting very interesting. Actually, something interesting.
It turns out we have 11,000 paid club members. It didn't happen during the show, it happened last night, but I guess my dashboard is a little bit behind. Still, that's great. Let's go to 12,000. What do you say?
We would love to have you in the club and thank you to all of you. What's great is I do see a lot of new faces in the Discord. Not everybody who joins the club ends up in the Discord. A lot of people aren't Discord users. But I see a lot of wonderful new people in there and I welcome you all. It's really fun to be in there and talk to you and talk to our hosts. We'll get Steve in there someday. He's still on Twitter, folks, so let's not, we don't want to push him too hard. Steve, you're the best. I really appreciate the work you do. Really, it's clearly the most deep technical show we do on the network and people really value it. So thank you for that. We really appreciate it and I encourage everybody to check out Steve's site, grc.com. That's where SpinRite lives, 6.0, but the new Ventoy-compatible 6.1 is coming soon. You're going to be able to do that, right, you're going to be able to make it work?
Oh yeah, oh yeah. Yeah, I'll have it later today. Oh well, ask and you shall receive. He's a wizard with that assembly code. grc.com has lots of great stuff that's free as well. In fact, I would check out his ValiDrive thing. That is, so what a great tool you made for checking to see if the USB key you bought actually has the capacity it's supposed to have, so you can return it if it doesn't. That's free and there's a lot of other stuff. Shields Up has been there forever and has a wonderful tool for checking the security of your router. When you're there, you can also get a copy of the show.
Steve has two unique versions of the show, versions we don't have: a 16 kilobit audio version. That's for the bandwidth impaired and in fact, the reason the 16K version was created, Elaine Farris does an incredible transcript. She's a farrier, she does horseshoeing, and out at the farm they didn't have a lot of bandwidth, so Steve made a smaller version for her. She types up those transcripts. Beep not included apparently. It's for everybody, that'll be there. And of course, the 64 kilobit audio. We have the 64 kilobit audio at our site, twit.tv/sn for Security Now.
There's also a YouTube channel dedicated to Security Now. That's actually a great thing to know about. If you hear something, you go, oh, I got to send the boss this clip or a friend this clip. I want them to know about this thing. You know your friends bugging you about, about you know, third party cookies. You say, well, you ought to hear what Google's up to now, all that stuff. You just get a little clip off of YouTube and share it with them. That's good. If you do that, it helps us, it brings awareness to the work Steve's doing here and, of course, the best thing you can do for yourself and for us is subscribe in your favorite podcast client. You'll get it automatically the minute it's available and we make sure you get to listen to every single show. Steve, have a wonderful week.
02:03:13 - Steve Gibson (Host)
Thank you, my friend. We'll dry out down here in the wet Southern California.
02:03:18 - Leo Laporte (Host)
You were okay, right? You didn't have a sprinkler hitting your high voltage. No, okay. I'll see you next week.
02:03:26 - Steve Gibson (Host)
See you on the 13th. Bye.
02:03:30 - Speaker 3 (Host)
Hey there, Scott Wilkinson here. In case you hadn't heard, Home Theater Geeks is back. Each week I bring you the latest audio video news, tips and tricks to get the most out of your AV system, product reviews and more. You can enjoy Home Theater Geeks only if you're a member of Club Twit, which costs seven bucks a month, or you can subscribe to Home Theater Geeks by itself for only $2.99 a month. I hope you'll join me for a weekly dose of Home Theater Geek-a-Doo.