Security Now 967 Transcript
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. Lots to talk about, most importantly, that Apple exploit that everybody said was unpatchable. The end of the world. Steve says not so fast. Go fetch our topic next. On Security Now. This episode is brought to you by Zscaler, the leader in cloud security. Cyber attackers are now using AI and creative ways to compromise users and breach organizations. In a security landscape where you must fight AI with AI, the best AI protection comes from having the best data. Zscaler has extended its zero trust architecture with powerful AI engines that are trained and tuned by 500 trillion daily signals. Learn more about Zscaler Zero Trust plus AI to prevent ransomware and AI attacks. Experience your world secured. Visit zscalercom. Slash Zero Trust AI Podcasts you love.
0:01:04 - Steve Gibson
From people you trust.
0:01:08 - Leo Laporte
This is twit. This is security now, with steve gibson, episode 967, recorded tuesday, march 26th 2024, go fetch. This episode of security now is brought to you by Bitwarden, the password manager, offering a cost-effective solution that can dramatically increase your chances of staying safe online. Bitwarden has just launched a new feature I love this called Inline Autofill. That makes it easier than ever to log into websites. I noticed when it happened. I went oh, this is great.
A drop-down menu will appear when you select a username or password field on most sites, letting you quickly choose which login you want to use. Clicking on Login auto-fills the username and password and you're in. And, by the way, if you're on a site I don't know, I use it with Google, I use it with GitHub that supports passkeys. You'll like it even better. Click the link that says use your passkey. Bitwarden can store all your passkeys, which is nice because you can bring it with you to every platform. Bitwarden's on Instant login. If you're a current user, you got to turn this feature. On the autofill feature Go to settings and select autofill, then use the drop down box and show autofill menu. On the autofill feature go to settings and select autofill, then use the drop down box and show autofill menu on the form fields to pick which option works best for you.
That's another thing I love about Bitwarden they give you a choice. It's open source software, which means it's free for life for individual users, and that means as many passwords as you want, as many devices as you want. You can even use pass keys and hardware authentication keys like YubiKeys, free forever. Bitwarden, named by Wired, is best for most people. Honored by Fast Company, is one of the 2023 brands that matter in security and it's the only password manager Steve and I use. It's no wonder Bitwarden is the open source password manager trusted by millions. Get started with Bitwarden's free trial of a team or enterprise plan or get started for free across all devices as an individual user. Bitwardencom slash twit. That's Bitwardencom slash twit. It's time for security now. Yay, the time I look forward to all week and, in this case, for the last three weeks. Thank you to Micah Sargent for filling in. Steve Gibson, the man about town, is here to talk security.
0:03:35 - Steve Gibson
Micah did a great job. He held down the fort and was engaging.
0:03:40 - Leo Laporte
Good, I'm glad you like him, because in about a year he's going to be in charge of the whole damn thing. Good, I'm glad you like him, because in about a year he's going to be in charge of the whole damn thing. I noticed you doing the Leonard Nimoy salute. Just want to tell you it's Live, long and Prosper Day. Leonard Nimoy's birthday would be today, march 26th.
0:03:58 - Steve Gibson
Yeah, and boy. He was born in 31, I think, and last time we saw him he was looking it too, but he and the old Captain Kirk are still.
0:04:08 - Leo Laporte
Is Nimoy still alive? I thought he'd passed. He's still alive. Oh, that's right. I remember he did pass. Of course he did.
0:04:13 - Steve Gibson
Well, I haven't yet, and he and I have the same birthday.
0:04:17 - Leo Laporte
Oh, you weren't born in 1931, however.
0:04:20 - Steve Gibson
No no. No no 55.
0:04:21 - Leo Laporte
No, no, no, no. 55, baby. Happy birthday. I didn't know that. Happy birthday, yep. Well you are. So that means you're four months older than me.
0:04:30 - Steve Gibson
Yes, I am Well, and a couple years right. No, wait a minute.
0:04:35 - Leo Laporte
I'm November 56. You're March 55. So yes, Correct. So it's one year and a few months. Okay, yep, in a few months. Okay, yep, okay. So happy birthday. You going to do anything special to celebrate?
0:04:46 - Steve Gibson
Thank you. We initially had some plans to go have a fancy dinner. But I said to Lori yesterday, I said you know, I just would rather have a nice steak at home. So she's out picking up some beautiful. That's what she said actually. Yeah, you'd make a great wife Leo.
0:05:05 - Leo Laporte
Well, it should be. You know you should be. When I was a kid, my mom there was a birthday dinner that was the same every year. My mom would make for us and I looked forward to that. It was wonderful, happy birthday.
0:05:19 - Steve Gibson
So we have a tremendous podcast today. Of course it's titled GoFetch, which is the name that's been given by the. I would call it the discoverers, but it's sort of the rediscoverers, because they first stumbled onto this two years ago oh interesting and brought it up and in fact my theory is it's the reason that the M3 chip has a switch which M1 and M2 doesn't.
0:05:52 - Leo Laporte
Interesting.
0:05:53 - Steve Gibson
Because they kind of scared Apple but then but they weren't really able to make a strong case.
Well, boy has that case been made now. And in fact we're going to start off when we talk about this here in an hour or so about how wound up the tech press has gotten and, you know, miswound, because boy did they get it wrong. But we'll have some fun with that and, again, this is going to be one of our listeners' favorite types of episodes because it's going to be a deep dive. Listeners favorite types of episodes because it's going to be a deep dive. So get out your propeller cap beanies and wind them up, because we're, I'm you. By the time we're done, everyone is going to understand exactly what happened, why it happened, how it happened, what it means and, like you, you could, you know, go to a cocktail party and really put your friends to sleep well, I've been saying, because we've been talking about it obviously, uh, on twit and today on mac break week, and I've been saying, you know, I'm sure steve will cover this in a much more accurately and much more granularly.
0:06:57 - Leo Laporte
So tune into security now today. So I'm glad I didn't, I didn't coordinate with you, I just figured, oh, he's gonna jump into this one, so go fish, I also going to jump in briefly, because I'm not a legal scholar or expert.
0:07:10 - Steve Gibson
Just I have a couple of things to say about the US Department of Justice's antitrust suit against Apple. There are some arguments that they'll make about that are security related.
So it does impinge on us a little bit, but I just sort of have a little sort of an overview of of that and you know capitalism and monopolies and so forth. Uh, we're going to update on general motors. I don't know if you heard about this, leo, this astonishing violation of their car owners privacy. Oh boy, oh boy, that's unbelievable. Uh, also, we're going look at, we're going to answer the question what happy news is Super Sushi Samurai celebrating today?
0:07:51 - Leo Laporte
Okay, I don't even know what that is.
0:07:54 - Steve Gibson
Okay, good, whether Apple we're also going to look at whether Apple has abandoned its plans you were talking about this at the end of MacBreak, actually for its HomeKit-compatible routers and what appears to be shaping up to take their place. Will our private networks oh, this is cool going to be receiving their own domain names? Icann has been busy, and if so, what is it? The UN has spoken out about AI. Does anyone care? And what do I think the prospects are of us controlling AI? What significant European country just blocked Telegram? Also, what did the just-finished 2024 Pwn2Own competition teach us? Once again, Might the US be hacking back against China, as they are against us. I've long been bemoaning the fact that we never hear anything about the other direction. Well, we've heard something, and after a bit of interesting Spinrite update news and a bit of feedback from our listeners, as I said, we're going to spend the rest of our time looking into last week's quite explosive headlines about the apparently horrific, unfixable toxic flaws in Apple's M-series Silicon. Just how bad is it?
0:09:16 - Leo Laporte
Okay, good, and I've been saying don't worry, but we'll find out what the real expert has to say in just a little bit. I look forward to that and of course, we do have a fantastic picture of the week, courtesy of our marvelous listeners.
A great life hack, I think, something everybody might want to adopt. That's right. But first let me tell you about something you definitely want to adopt, which is our favorite little honeypot. Honeypot thinks it's canary. Now, the canary is designed by some very smart fellows who for years taught governments and companies how to avoid break-ins. Actually, they taught them how to break into computers in some cases.
They've learned a lot and they know that one of the biggest threats to you and your network, and to me and my network and to all of us, is not, you know, the perimeter defense, keeping the bad guys out, because we know that eventually they get in or maybe you've got a malicious insider. The biggest threat is not knowing that they're there. And we hear about breaches all the time where companies say, yeah, they've been in there six months a year, in some cases a couple of years, and we didn't know it. And boy, what bad guys can do if they have untrammeled access to everything inside your network. I mean they can exfiltrate information. That's why they ransomware now extorts you, you know, before they encrypt you. It helps them do their encryption job by finding out all the places you back stuff up. See if you have a Thinkscanary or two or three in your network, like some banks and big operations have hundreds. You've got the best defense against malicious insiders and hackers who've gotten in, because the minute they see that canary, they're going to think it's something valuable, not vulnerable valuable, valuable, not vulnerable valuable. An IIS server that's maybe not been patched lately, or a network attached storage device, a SCADA device, all kinds of things. It can be anything. A Linux box you can light it up like a Christmas tree, have every service turned on or judiciously just turn on a couple, knowing that the bad guys are going to say, oh, I can get into this one, but the minute they touch it, the minute they try to log in or access that server or open that file because you can also create files that you spread all over your network you're going to get a notification, just the notifications that matter. Very few false positives. We've had things canaries running on our network for some time. Never have had a false positive. The one time that went off in something like five or six years. The one time it went off, there really was something scanning all the ports on our network. Turns out it was inside the network. It was a kind of rogue device that we were reviewing, but we found it right away before it could do any damage. Thank you, thinks Canary. If someone's asking your lure, accessing your lure files, those tripwires you spread around, then, by the way, they can be PDFs, they can be Excel file, or they look like PDFs, excel files, and as soon as the bad guy goes well, let me open this, let me examine this, let's see what this is. You're going to get that notification as soon as they try to log into your fake internet SSH or internal SSH server. They're going to immediately get a notification to you.
You choose a profile for your ThinkScanary device and, by the way, you can change it. It's fun to play with it. There are hundreds to choose from. I mean, it's so accurate. It got down to the Mac address. You know my Synology fake Synology NAS honeypot actually has a Synology Mac address on it. The DSM is up to date. It's DSM 7. It looks real and it's authentic looking. It's really incredible.
You set up your Thinks Canaries, choose the device you want, takes a second, you register it with the hosted console for monitoring and notifications and you're done. You wait, bad guy, in your system, malicious insiders, any adversary, will immediately let themselves know, because that's what they're looking for. Is that stuff you've spread around? The Thinkst Canary is genius. Visit canarytools, slash twit.
As I said, the number you have may vary. Let's start with five. Good starting point $7,500 a year. They're very affordable. You get five of them, your own hosted console. You get upgrades, support, maintenance, don't worry. Get five of them, your own hosted console. You get upgrades, support, maintenance, don't worry. You don't have to use their console. By the way, for notifications email, text, webhooks, slack there's an API. The sky's the limit. You can get notifications any way you prefer. Okay, syslog, yeah, support Syslog.
If you use the code TWIT in the how Did you Hear About Us? Box. By the way, 10% off forever. And if you're at all nervous, you should be reassured. You can return your Thinks Canaries for a full refund any time. In the first 60 days. There's a two-month full money-back guarantee. But I have to tell you they've been advertising on this show for years. In all that time, nobody has ever asked for their money back. Once you get it installed and you see how easy it is and you see the need for it, everybody says this is the best thing ever. In fact, if you go to canarytoolslove. You can see all the love people have for the Canary. Canarytoolstwit to sign up. You get your offer code. Twit in the. How did you hear bass box for 10 off? You gotta have this thing. Canarytools slash twit. We thank him so much for supporting steve's vital work here at security. Now, so a picture of the week time.
0:14:43 - Steve Gibson
So for all my life, leo, I have found coat hanger wire to be really convenient, so useful it is. And you know you used to get the coat hangers back from the dry cleaners with your shirts on them and they have a little bit of a paper wrapping on them but you can take that off.
0:15:05 - Leo Laporte
But that gauge of coat hanger is perfect, I mean you can bend it into all kinds of useful shapes Stick it down the drain to pick up to hook a ring that somebody lost, Exactly.
0:15:17 - Steve Gibson
Yeah, so useful. Exactly, you know, it's just super handy. Well, now, here we have an application that I would not recommend.
0:15:26 - Leo Laporte
Well, I think this is a great life hack. Don't you think everybody should do this? Let me show people what we're talking about here.
0:15:40 - Steve Gibson
So somebody has a USB charging cable which is way too long, a a usb charging cable, yeah, which is way too long, and maybe they need it to be long. But this is like a neatnik person and I think we're seeing sort of a theme here because they've, they've, they've coiled up this way too long. I mean, it's like this looks like 15 feet of of usb charging cable, but you know you don't want it flying around on the floor, right? So they've coiled it all up Now. Okay, now what are you going to do? You got this coil of USB charging cable. You need to hang it somewhere, so, and it doesn't really, you can't really hang it on the charger. Know, I've always found coat hanger wire to be really handy for making stuff, so, and happen to have a pair of pliers around. So, uh, basically fashioned this beautiful. I mean, by all measures, this is a beautiful hook.
0:16:46 - Leo Laporte
He spent some time with his little pliers. They're bending and curving.
0:16:50 - Steve Gibson
It's gorgeous yeah, it is great. And boy does it work as a hook to hang right around the prongs of that apple five watt charger just goes right around those beautiful therein lies the problem. What, um, I've? I've never, I don't think, recall ever actually touching the, the, the leads of my o-meter to, to the, this wire, it. It must be that they are, that it is coated with some sort of an insulating varnish of some sort. Otherwise this would have already exploded.
0:17:33 - Leo Laporte
Notice, though, there's a switch here. I think that he has not switched it on yet.
0:17:38 - Steve Gibson
Oh boy.
0:17:39 - Leo Laporte
And I think he's going to get quite a surprise.
0:17:42 - Steve Gibson
Put your shoes on and use the toe of your shoe to turn this plug on.
0:17:46 - Leo Laporte
By the way, another point, because he looks like he really is OCD and careful. He has installed his plugs upside down Right. He's got the ground. They're not a smiley little face. They're not smiling. They're not looking like a little happy face. Yeah, yeah, what's going on there?
0:18:05 - Steve Gibson
yeah so anyway. So just so people are thinking that we haven't completely lost our mind the the the point is that this hook has two legs that go up up behind this usb charger and then bend around in a in u shape to hang over the two prongs of the ac plug. Yeah, there you go, wire on wire on wire.
0:18:34 - Leo Laporte
It's like they made it for this. Oh it's beautiful.
0:18:38 - Steve Gibson
I mean it is.
0:18:39 - Leo Laporte
It is a beautiful construction, but no, the minute you plug it in, what would happen? Would it heat up, would it start to glow or would it actually short the thing?
0:18:49 - Steve Gibson
out. The good news is, all homes ever made, even when they had, you know, screw them in fuses in the fuse box in the basement, where they had some cut out, such that if, if any circuit suddenly drew too much power, rather than it exploding in your face down in the basement, something would go boom and and then you'd now, of course, what you, what you don't want is to run out of fuses because you know, don't put a penny across it.
0:19:22 - Leo Laporte
No, that's right then what?
0:19:24 - Steve Gibson
what people did was like oh shoot, I don't know why this fuse blew, but it's inconvenient. So I seem to be all fresh out of fuses here, let's just stick a penny in the hole.
Let's stick a penny in the socket and screw the blown outout fuse on top. Anyway, yes, folks, do not do this at home. The only thing I can think, leo, is that there must be some varnish on this, but as over time as it's used, it's going to get moved back and forth riding on the top of the prongs of this plug and it's just gonna explode at some point ever put metal around the prongs of your plug.
0:20:13 - Leo Laporte
I learned that in eighth grade when leo on that note yes, we are.
0:20:19 - Steve Gibson
We do have our the cue the picture queued up for next week and it's another goodie. It's a variation. It's not the same. We don't want to get repetitious here, but we're going to have just as much fun with it.
0:20:33 - Leo Laporte
Somebody told me that that is the commercially preferred way of installing a plug socket. It's upside down like that. And then somebody else in the Discord says that's how you know it's a switched circuit. I've never seen that before. But just to the reason I'm saying that, to preclude all the email that you and I inevitably will get from licensed electricians who will say absolutely that's the way to do it correctly.
Thank you for not overflowing my inbox I also uh hope that I am not the subject of the picture of the week next week, because I installed yes, uh, yesterday we had a little lighting problem and uh, I and my brother-in-law did a little like electric work, electrical work, uh, installing a new under counter lamp and you see that switch right there. That's uh just right to the right of joe there. As he was installing the wires, he accidentally backed into it and switched it on and got a little bit of a shock.
0:21:32 - Steve Gibson
Oh, yes, I see you're still wearing the avocado shirt from sunday I am wearing.
0:21:37 - Leo Laporte
This was right after I got home sunday. They said get in here. And I am also wearing, as sharp eyes will see the most useful device for a home handyman anywhere. Yes, you have. You have a head mounted lamp a headlamp yeah please do not make that the picture of the week next week. I'm just begging of you, okay yes, sometimes when laurie oh, you've got one too. Look at you.
0:22:04 - Steve Gibson
Well, I've got. No, these are the magnified.
0:22:07 - Leo Laporte
Oh, that's. And what do you wear that for, Steve, besides looking like an alien?
0:22:14 - Steve Gibson
When I'm building things like this.
0:22:16 - Leo Laporte
Oh yes, you've got to get very close, that's right. Are you soldering with those on?
0:22:22 - Steve Gibson
Those are little surface mount components. They're a little itty-bitty, so yeah.
0:22:26 - Leo Laporte
Yeah, that's a lot of work Anyway.
0:22:29 - Steve Gibson
Anyway.
0:22:30 - Leo Laporte
Take that off and let's continue. Believe it or not, we have news to get to. Yes, okay.
0:22:35 - Steve Gibson
Last Thursday, march 21st, it was, by all measures, a rough day for Apple. Not only, as I mentioned, did the tech press explode with truly hair-on-fire headlines about critical, unfixable, unpatchable, deeply rooted cryptographic flaws rendering Apple's recent M-series ARM-based silicon incapable of performing secure cryptographic operations.
0:22:59 - Leo Laporte
Incapable. Incapable.
0:23:01 - Steve Gibson
Can't be done which is the topic we'll be spending the rest of the day's podcast looking at in some detail once we get this thing started, because actually it's super interesting was joined by 15 other states and the District of Columbia which wishes it was a state but isn't in a lawsuit alleging that Apple has been willfully and deliberately violating Section 2 of the Sherman Antitrust Act. Now I'm just going to share five sentences from the DOJ's comments, which were delivered last Thursday. They read were delivered last Thursday. They read as our complaint alleges, apple has maintained monopoly power in the smartphone market, not simply by staying ahead of the competition on the merits, but by violating federal antitrust law period. Consumers should not have to pay higher prices because companies break the law. Okay, we allege that Apple has employed a strategy that relies on exclusionary, anti-competitive Okay Huh Apps and accessories and less innovation from Apple and its competitors. For developers, that has meant being forced to play by rules that insulate Apple from competition. Okay, now, this is not clearly a podcast about antitrust law.
We all know I'm not an attorney, nor am I trained in the law, so I have no specific legal opinion to render here. However, I've been a successful small business founder, owner operator throughout my entire life, and I'm certainly a big fan and believer in the free enterprise system and in the principles of capitalism. But I also appreciate that this system of competition is inherently unstable. It has a natural tendency for the big to get bigger through acquisition and the application of economies of scale and leverage. That same system that creates an environment which promotes fair competition can be abused once sufficient power has been acquired. Those of us of a certain age have watched Apple being born, then fall, only to rise again from the ashes. My own first commercial success was the design, development, production and sales of a high-speed, high-resolution light pen for the Apple II, which allowed its users to interact directly with the Apple II's screen. To my mind, there's no question that as a society we are all richer for the influence that Apple's aggressive pursuit of perfection has had on the world.
Things as simple as product packaging will never be the same, but for some time we've been hearing complaints about Apple's having taken this too far. It's understandable for competitors to complain and to ask the government to step in and do something. At some point that becomes the government's very necessary role, just as we saw previously when the same thing happened with Microsoft and, some would argue, ought to happen again with Microsoft. For many years, the US government has done nothing, while Apple has continued to grow and continue to aggressively use its market power to increase its shareholders' wealth. The question is when does use of market power become abuse of market power?
The next few years will be spent in endless depositions and expert testimony, working to decide exactly what sort of cage Apple needs to be constrained within. One thing we know is that many of the arguments Apple will be making on its own behalf will involve security the security inherent in its closed messaging system, the inherent security of its closed app store. You know things we've touched on many times in this podcast. You know things we've touched on many times in this podcast Apple will allege that by keeping its systems closed, it is protecting its users from unseen nefarious forces which create freely interoperable, super-secure, cross-platform messaging. Suggests that Apple's own messaging technology could work similarly if they wished it to.
During the news coverage of this since Thursday, I've encountered snippets of evidence which suggests that the government has obtained clear proof of Apple's true motives, where Apple's technology has been designed to support Apple's interests rather than those of its users. In any event and you know, maybe those are aligned. That's really the question, right? Are Apple's interests and its users' interests perfectly aligned?
Nothing is going to happen on this front for a long time. Years will pass and this podcast will be well into four digits by the time anything is resolved with the DOJ's antitrust lawsuit, that the laws being written and enacted within the European Union today will be forcing Apple's hand long before the DOJ finishes making its case. All that may eventually be required will be for the US to force Apple to do the same thing that they're already doing over in Europe here as well that they're already doing over in Europe here as well. But as for whether Apple designed Silicon cannot perform secure cryptographic operations, that is something this podcast can speak to authoritatively, and we'll be doing so once we've caught up with some more interesting news and feedback.
0:29:23 - Leo Laporte
I always said back in the day in fact it was during it was funny how you began this with the good old days of Apple, because back in the day when the Department of Justice was suing Microsoft, I always said, if Apple were as big and powerful as Microsoft, they'd be just as bad. But they aren't. In fact, they almost went out of business in 97. And now that they are even a little bit bigger than Microsoft, yeah, they're just as it's what happens, it is.
0:29:52 - Steve Gibson
It is exactly what happens. And it's not that anybody is a bad person. I mean, they'll argue that they're the executives argue that it's their job to maximize shareholder wealth.
0:30:05 - Leo Laporte
That's capitalism.
0:30:07 - Steve Gibson
Yes, exactly, exactly, and so it's a fundamental property that there need to be constraints. And, of course, in the US we have those. Boy is it painful to get them. But you know, it's interesting, and I think I heard Rnee saying that he thought he was gonna have to spin up another podcast in order to, you know, keep track of this. So you know I'm not gonna, I'm not gonna bother with that no, we're not gonna do it.
0:30:35 - Leo Laporte
Yeah, no, no, it's a it'll go on and on and we'll mention it once in a while and that'll be it right it will, it'll it'll.
0:30:42 - Steve Gibson
This thing will go for years, you know, exactly as it happened with Microsoft. So last week we shared the difficult I mean truly difficult to believe, but true story that General Motors had actually been sharing actually been sharing and by sharing I'm pretty sure the proper term would be selling the detailed driving record data of its car owners, down to how rapidly the owner's car accelerated, how hard it braked and its average speed from point A to point B. Leo, they literally have instrumentation in there that is monitoring everything the car does, and these cars are all interconnected. Now it was all being beamed back to GM, who, it turns out, was selling it to LexisNexis, a major data broker, anyway. So what happened was and this was a New York Times or Washington Post, I think it was the New York Times piece last week that just blew the lid off this Some guy I think he was in Canada or maybe he was just up north he saw his insurance go up 21 percent in one year, although he had never been in an accident.
And or, and, and and didn't have tickets, and didn't have tickets, and so when he asked his insurance company why they sort of hemmed and hawed, he also tried to obtain alternate insurance and all the quotes that he got back from competing companies were the same. Finally, one of them said well, you should check your Lexus Nexus report because it's a little worried about your driving habits.
0:32:45 - Leo Laporte
So now there's a credit like a credit report. There's now a car driving report. But you know what, in some ways A I'm not surprised Insurance companies have for years had offered good driver discounts. In the past you used to have an app and stuff.
0:32:58 - Steve Gibson
I'm not surprised to hear this and honestly Optionally installed right for, like, low mileage drivers, where it would monitor everything.
0:33:05 - Leo Laporte
I'm sure we talked about it on this, yeah but this is good for you and me, because insurers, instead of this guy who really is not a safe driver, paying the same as you and me, who drive like little old men because we are, uh, we should get reduced right and they, he, should pay more.
0:33:22 - Steve Gibson
It's fair, I think and should it be done without consent?
0:33:28 - Leo Laporte
well, in a way, I bet you he did consent. I bet you there is somewhere a document that he signed when he bought that car that said data is being collected. You saw the mozilla report last year. We talked about it, about how cars are a privacy nightmare.
0:33:44 - Steve Gibson
Yeah, well, we were all wondering recently how your sexual habits were being recorded by a car. It's like what Is it monitoring the?
0:33:53 - Leo Laporte
suspension If this car be rocking, as you well know, don't you be?
0:33:57 - Steve Gibson
knocking OK. So the good news is this produced an outcry which caused GM to immediately terminate this conduct, and no doubt threats of lawsuits were involved too. They said GM is immediately stopping the sharing of this data with these brokers. The report said, after public outcry, general Motors had decided to stop sharing driving data from its connected cars with data brokers. Last week, news broke that customers enrolled in GM's OnStar smart driver app have had their data shared with Lexus, nexus and Verisk. Those data brokers in turn shared the information with insurance companies, resulting in some drivers fighting a much harder or more expensive exactly as you said, leo to obtain insurance. To make matters much worse, customers allege they never signed up for OnStar Smart Driver in the first place, claiming the choice was made for them by salespeople during the car buying process.
0:35:05 - Leo Laporte
Yeah, and you know what it comes with the car and you know it's good. It's all for your safety. That's why we put it in, so that if you get in a wreck you can press the OnStar button. That's right. That's why they did it.
0:35:17 - Steve Gibson
And people will come. Yes, we're not big brother watching over you. No, of course not. Okay, so, uh, I saw this bit of happy cryptocurrency news that just made me smile. It seems that last week, the blockchain game I didn't know you had a there was a blockchain game, but, yes, someone has made a game out of blockchain and it's called Super Sushi Samurai. Super Sushi Samurai had four point six million dollars worth of its tokens stolen. However, it just reported that they had all been recovered. So what happened? They explained that the hack was actually the work of a security researcher who exploited a bug in their code to move the funds out of harm's way to prevent future theft.
0:36:13 - Leo Laporte
Yeah, that was all. Yeah, that's right Super.
0:36:16 - Steve Gibson
Sushi Samurai described the incident as a white hat rescue and has ended up hiring the white hat to be a technical advisor. So that's what I call a G-rated happy ending.
0:36:32 - Leo Laporte
Okay, yeah, I believe it, why not?
0:36:35 - Steve Gibson
And also you guys touched on this on MacBreak and also you guys touched on this on MacBreak. Apple Insider has some interesting coverage about Apple's apparently failed initiative to move their HomeKit technology up into home routers. I was a fan of this, since it promised to provide router-enforced inter-device traffic isolation, and the only place that can really be accomplished is at the router. Our listeners know that I've been advocating for the creation of isolated networks so that IoT devices would be kept separate from the household's PCs, but what Apple proposed five years ago, back in 2019, would have additionally isolated each IoT device like with that level of granularity from all the others. So here's what Apple Insider explained.
They said Apple's HomeKit secure routers were announced in 2019, but were never really taken up by manufacturers. And now some vendors are claiming apple is no longer pursuing the technology, and we'll get to why in a minute. Home kit secure routers, they wrote, were introduced by craig for, uh uh, federighi federighi, I know his name, I. The problem is, you know, I'm a big star trek person. I want to say the problem is, you know, I'm a big Star Trek person.
0:38:02 - Leo Laporte
I want to say Ferengi, which you know Craig Ferengi over there at Apple headquarters.
0:38:09 - Steve Gibson
We have to stop from saying that it's not Ferengi. Come on, steve, that's pretty funny.
0:38:14 - Leo Laporte
I would never have guessed that, Wow so.
0:38:18 - Steve Gibson
Craig Federighi at Worldwide Developer Conference 2019, and, in the same breadth and at the same time, they introduced HomeKit Secure Video. The latter, that is, homekit Secure Video, took time to reach the market, but it was used and manufacturers adopted it, even if others would not. Okay, now, during this year's just happened CES 2024, two router vendors separately told Apple Insider that Apple is no longer accepting new routers into its program. If that claim is correct and it probably is, since it came from the same rejected manufacturers, given the lack of HomeKit secure routers on the market, that is, in five years, not much happened. It appears that Apple has abandoned the idea, even though Apple still has active support pages on the matter. However, apple Insider noted that it also has support pages on airport routers too, and those are, as they put it, dead as a doornail.
0:39:23 - Leo Laporte
Those really are dead. Yeah, I was so excited that Apple would offer this security standard that we could have some confidence in the security and, frankly, firmware updatability of our routers.
0:39:34 - Steve Gibson
It's a little disappointing to me yeah, anyway, it's not going to happen. They've backed out Apple Insider. To make a long story short, pulled the various routers that Apple listed. There is one Linksys Velop AX4200 and an Amplify Alien router are apparently the only two that are currently listed by Apple as being supported. That are currently listed by Apple as being supported. Eero has a notice saying that its Eero Pro 6E and 6 Plus do not support Apple HomeKit and they have no plans to offer Apple HomeKit router functionality.
Anyway, so you know, not everything that gets announced happens. That gets announced happens, and asking router manufacturers to modify their firmware to incorporate the required HomeKit functionality, and it appears that it may have taken some significant customization. It was just never going to get off the ground, and this is probably for the better, since it appears that we have already and oh, thank God, blessedly quickly moved beyond disparate proprietary closed IoT ecosystems, which, you know, is where it looked like we were headed, with Amazon Alexa and Apple's HomeKit and Google's Home and Samsung's SmartThings, all creating their old let's do our own thing. All the buzz appears to now be surrounding the interoperability technology known as Matter. This was formerly known as Chip, which stood for connected home over IP. It's now been rebranded as Matter and everyone appears to be seeing the light. Nobody wants to be left out. All those guys I just mentioned Amazon with Alexa, apple with their HomeKit, google with Home and Samsung SmartThings have announced and are supporting Matter. It's now at version 1.2, open source, source license free. Anyone can create Matter compatible devices. If they follow the spec, they will interoperate and more than 550 companies have announced their commitment to Matter.
Right, I mean, uh, all of the biggies are going to be supporting matter. They really have no choice and at this point I just I wanted to make sure I brought it up because I wouldn't purchase something. You know that that random ac plug that I got for a, shockingly, I don't know, it's four dollars or something. It's amazing. How can this be an internet connected device? It's just like what the plastic and the prongs would cost $4.
It does report back on your driving habits, however, oh it's got a little eyeball in it that follows you around the room. It's kind of freaky, but anyway, Does Matter have though.
0:42:35 - Leo Laporte
I mean, the thing about Apple's HomeKit router standard was it had security requirements built in. But does Matter have something like that?
0:42:44 - Steve Gibson
That's what they were. You're right, that's what they were going to produce. I think Matter is about interconnectivity, right, right, and which is not to say it couldn't be made more secure, but you know that's not their focus, right? And Leo, we're having so much fun. I think we should take a break so that I can re-caffeinate. Obviously, I don't need more caffeine, but what the heck?
0:43:05 - Leo Laporte
Fun equals breaks. Is that what in your mind? Is that how it works? Our show today, brought to you by Panoptica.
Panoptica, cisco's cloud application security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers and Kubernetes environments. Panoptica ensures comprehensive cloud security compliance and monitoring at scale, offering deep visibility, contextual risk assessments and actionable remediation insights for all your cloud assets. Powered by graph-based technology, panoptica's attack path engine prioritizes and offers dynamic remediation for vulnerable attack vectors, helping security teams quickly identify and remediate potential risks across cloud infrastructures. A unified cloud-native security platform minimizes gaps from multiple solutions, providing centralized management and reducing non-critical vulnerabilities from fragmented systems. Panoptica utilizes advanced attack path analysis, root cause analysis and dynamic remediation techniques to reveal potential risks from an attacker's viewpoint. This approach identifies new and known risks, emphasizing critical attack paths and their potential impact. This insight's unique and difficult to glean from other sources of security telemetry, such as network firewalls. Get more information on Panoptica's website, panopticaapp. More details on Panoptica's website, panopticaapp. We thank Panoptica for their support of security. Now Back to Steve.
0:44:51 - Steve Gibson
Thank you, my friend. Okay, in a cool bit of news, icann, the Internet Corporation for Assigned Names and Numbers, is going to make an assignment. It's in the process of designating and reserving get this a top-level domain specifically for use on private internal networks. In other words, our 10-dot and our 192.168-dot networks and there's a 17.16 thing in there too will be obtaining an official TLD of their own. So local host may soon be less lonely. Here's the executive summary, which explains and lays out the rationale behind ICANN's plans. They wrote in this document the SSAC, that's the Security and Stability Advisory Committee because you know that's what you want in your Internet is some security and stability advising. They recommend the reservation of a DNS label that does not and cannot correspond to any current or future delegation from the root zone of the global DNS, which is the very long-winded way of saying we're going to get our own dot, something TLD, they said. This label can then serve as the top-level domain name of a privately resolvable namespace that will not collide with the resolution of names delegated from the root zone, that is, you know, the public DNS root zone. In order for this to work properly, this reserved private use TLD must never be delegated in the global DNS root.
Currently, many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users. Oh my, the DNS has no explicit provision for internally scoped names scoped names and current advice is for the vendors or service providers to use a subdomain of a public domain name for internal or private use. Using subdomains of registered public domain names is still the best practice to name internal resources. The SSAC concurs with this best practice and encourages enterprises, device vendors and others who require internally scoped names to use subdomains of registered public domain names wherever possible. However, this is not always feasible and there are legitimate use cases for private use TLDs, and I'll just note that you know. For example, an individual could register a domain with Hover, who I don't know if they're still a sponsor of the Twit Network. They are still my domain name provider.
0:47:50 - Leo Laporte
I've moved everything away from network solutions once it became clear I don't think they're a sponsor anymore, but we still love them.
0:47:56 - Steve Gibson
Yep, they're the right guys. Anyway. So you know, johnny Appleseed, you could get that. Of course you can't get dot johnny appleseed, so that wouldn't work, but but you could get, you know, uh, a dot com or some inexpensive subdomain of some, some established top level domain, and this, you use that for your own purpose because you, because you have that subdomain, nobody else is going to be able to use it publicly, so you're safe. So that's what these guys are saying. So they continue.
The need for private use identifiers is not unique for domain names, and a useful analogy can be drawn between the uses of private IP address space and those of a private use TLD.
Network operators use private IP address space to number resources not intended to be externally accessible, and private use TLDs are used by network operators in a similar fashion. This document proposes reserving a string in a manner similar to the current use of private IP address space. A similar rationale can be used to reserve more strings in case the need arises. Okay, so they go on and on. Anyway. Finally, after all the bureaucratic boilerplate has settled down, icann wrote the Internet Assigned Numbers Authority, iana, has made a provisional determination that internal should be reserved for private use and internal network applications on whether the selection complies with the specified procedure from SAC 113, more bureaucracy and other observations that this string would be to verify that it would be an appropriate selection for this purpose. So it's all but certain that internal will be reserved and will never be used for any public purpose and therefore it would be safe for anyone to start using it for any internal purpose.
Yeah, I think that's very cool Dot internal and I saw some commentary saying well, it only took 30 years.
0:50:19 - Leo Laporte
It's like, that's true, that is true, it's true.
0:50:23 - Steve Gibson
Took them a little while, okay, so last thursday, as I said uh earlier, was a very busy day. Uh, not only did the doj announce their their pursuit of apple and apple's m series silicon was discovered to be useless for crypto but the united nations general assembly adopted a resolution on artificial intelligence. Not that anyone cares or that anyone could do anything about AI in any event, but for the record, un officials formally called on tech companies to develop safe and reliable AI systems that comply with international human rights, and I love this. They said quote systems that don't comply should be taken offline. So you know, if you have a mean AI, just unplug it. Folks, officials said the same rights that apply offline should also be protected online, including against AI systems. I've never said much about AI here. Just as I'm not trained as an attorney, I do not have any expertise in AI systems. What I do have, however, is stunned amazement, as they would say over in the UK. I am gobsmacked by what I've seen. It is impressive isn't it?
0:51:43 - Leo Laporte
Oh my God, you know I haven't ever asked you and we talk about it all the time on the other shows. But what do you think the future holds?
0:51:50 - Steve Gibson
Well, here I come. So what I may lack in expertise appears to have been made up for by my intuition, which has been screaming at me ever since I spent some time chatting with ChatGPT4. My take on the whole AI mess and controversy can be summed up in just four words, and they are good luck. Restraining anything yeah, that's my attitude, exactly. Good luck. Restraining anything yeah, that's my attitude, exactly. Yes, I doubt that any part of this is restrainable. At some point in the recent past we crossed over a tipping point and we're seeing something that no one would have believed possible even five years ago. Everyone knows there's no going back. Only people who have not been paying attention imagine that there's any hope of controlling what happens going forward. I don't know and I can't predict what the future holds, but whatever is going to happen is going to happen, and I'm pretty sure that it's bigger than us. Yes, we're not a sufficiently organized species to be able to control or contain this look, look, how well we've done with the nuclear proliferation.
0:53:16 - Leo Laporte
Yeah, and that that's. It's still incredibly hard to purify enough plutonium to make a bomb. It's trivially easy, and the process is well, well known to make an LLM. It's out, it's out, it's done.
0:53:33 - Steve Gibson
It would be like government saying whoops, stop exporting crypto. Yeah, like what? Exactly? Exactly, you know. And so, leo, you and I are on the same page. I mean it is, and if we don't like, do it. We know North Korea is not sitting around doing nothing, they apparently have quite smart people.
Yes, it annoys me that they're so good at hacking, but boy, they are serious hackers. Yeah, and so you know, you know it's going to happen. It is it, I would argue it already has, and we just haven't it hasn't dawned on us yet. Yeah, right, like there there's some inertia of recognition, but I for one.
0:54:16 - Leo Laporte
I'm excited. I mean, this is sci fi we are going to live in. I think I might even live to see it. A very weird and different future it's coming. Yeah, it's going to be fun. Buckle up.
0:54:31 - Steve Gibson
That's exactly right. That's exactly right. Okay, so a few more points to get to. In a somewhat disturbing turn, Spain has joined the likes of China, Thailand, Pakistan, Iran and Cuba to be blocking all use of and access to Telegram across its territory. This came after Spain's four largest media companies successfully complained to the high court in spain that telegram was being used to propagate their copyrighted content without permission. A judge with spain's high court had asked telegram to provide certain information relating to the case, which, apparently, telegram just blew off and ignored. They chose not to respond to the judge's request, so he ordered all telecommunications carriers to block all access to Telegram throughout the country. That began yesterday. So you know it's a problem.
0:55:34 - Leo Laporte
I'd be very interested to see how this holds up because I heard that about a third of Spain uses Telegram.
0:55:41 - Steve Gibson
Yes, it has already created a huge. Yeah, yes, there's a huge consumer backlash against this, as one would expect.
0:55:48 - Leo Laporte
Yeah, I remember brazil tried to do this and they ended up having to back down. I think it was for whatsapp, but they ended up having to back down because it's can't. We can't communicate. What are you doing, well?
0:55:59 - Steve Gibson
have you seen the movie brazil leo?
0:56:01 - Leo Laporte
that explains the whole problem.
0:56:02 - Steve Gibson
That was, that's right. Great, yes, wonderful movie. So last week, vancouver held its 2024 pwned own hacking competition. One security researcher by the name of manfred paul distinguished himself by successfully exploiting get all four of the major web browser platforms. He found exploits in Chrome, Edge, Firefox and Safari. He became this year's master of Pwn and took home $202,500 in prize money $2,500 in prize money Overall. And here's really the lesson the competing security researchers turned hackers successfully demonstrated 29 previously unknown zero days during the contest and took home a total of $1.1 million in prize money.
0:57:01 - Leo Laporte
That money comes from the companies that they're pwning. Pretty much right, yes.
0:57:06 - Steve Gibson
Yes, 29,. Okay, 29 previously unknown zero days were found and demonstrated. To me this serves to demonstrate why I continue to believe that the best working model that's been presented for security and okay, yes, I'm the one who presented it is porosity, porosity, porosity. You know, we don't want it to be, but security is porous, is porous. How else can we explain that one lone research hacker is able to take down all four of the industry's fully patched browsers whenever someone offers him some cash to do so and that, overall, 29 new, previously unknown zero days were revealed when others were similarly offered some cash prize incentive? You know, you push hard and you get in. That's the definition of porous and that's the security.
We have to give a shout-out to Mozilla's Firefox team, who had patched and updated Firefox in fewer than 24 hours following the vulnerability disclosure Frederick Braun posted on Mastodon quote. Last night, about 21 hours ago, manfred Paul demonstrated a security exploit targeting Firefox 124 at Pwn2Own. In response, we have just published Firefox 124.0.1 and Firefox ESR 115.9.1, containing the security fix. He says please update your foxes fix. Please update your foxes. Kudos to all the countless people postponing their sleep and working toward resolving this so quickly Really impressive teamwork. Again, also, kudos to Manfred for pwning Firefox again. So you know, this is the way security is supposed to work at the best of times, white hat hackers are given some reason to look and compensated for their discoveries, which makes the products safer for everyone, and then the publishers of those products promptly respond to provide all of that product's users the benefits of that discovery Yay, the benefits of that discovery Yay. And in this welcome bit of news, perhaps we and others are giving as good as we get.
I've often noted that all we ever hear about attacks on our infrastructure are Chinese state-sponsored attacks that are successfully getting in, you know, and I note that naturally we never hear about our similar successes against China. It's not like the NSA is going to brag. So I've wanted to believe that we, you know, while we would not be destructive if we were to get in, that we'd only seek to have a presence inside Chinese networks so that they understand that we're just security agency themselves urged their local companies to improve their cybersecurity defenses. The Ministry of State Security said that foreign spy agencies have infiltrated hundreds of local businesses and government units. So that does sound like we may be at parity in this weird cyber cold war that we're in. I hate it, but you know it's what we've got.
Oh, and just a reminder there has been an observed significant increase in tax season related phishing. So I just wanted to remind everyone that, as happens at every time this year, you know, phishing scams suddenly jumped with all kinds of like. Oh you, just we received your electronically submitted return but it had a problem. Please click here. That's not from the IRS. So everybody, put up your skepticism shields and resist clicking. I have two quick notes of news that I think everyone will find interesting.
On the Spinrite front, one of the things that quickly became apparent as our listeners were wishing to obtain and use 6.1 was that the world had changed in another way since Spinrite 6's release back in 2004. Back then, linux was still largely a curiosity, you know, with a relatively small fan base and no real adoption. Not so today, at least not among our listeners. Back in 2004, it was acceptable to require a Spinrite user. I mean just assumed that a Spinrite user would have Windows which they would use to set up the boot media, since Windows and Mac was pretty much all there was and Spinrite was never really targeted at the Mac market. Today we've encountered many would-be users who do not have ready access to a Windows machine, and they've been having a problem. So I needed to create a non-Windows setup facility that I have long envisioned but never needed until now. Today it exists.
Over at GRC's pre-releasehtm page is, as before, the downloadable Windows DOS hybrid executable and now also a downloadable Windows DOS hybrid executable and now also a downloadable zip file. The zip file, which is smaller than 400 K, contains the image of the front of a 4 gigabyte fat 32 DOS partition. So any spinrite owner without access to Windows because using Windows is still easier may choose to instead download this zip file and it's personalized. I've added on-the-fly partition creation and Spinrite is added to the file system. It's then truncated and I've got on-the-fly zipping. I've been busy. It contains about an 8-point. The zip file, which is less than 400K, contains an 8.3-megabyte file which is named SR61.img. Any Linux user can, you know, dd, copy that file onto any USB thumb drive to create an up to 4 gigabyte FAT32 partition that will immediately boot and run Spinrite. Tricky bit that I worked out last week is that when this drive is booted for the first time, if the media onto which this image file was copied is smaller than the partition described by the image, which is a four gig partition. For example, you know Spinrite's owner copies the image to an old but trusted 256 megabyte thumb drive. A little built-in utility named downsize kicks in, examines the size of the partition's underlying physical drive and dynamically, on the fly, downsizes the partition to fit onto its host drive. It's all transparent and automatic and since the same technology was also going to be needed for Spinrite 7, it made sense to get it done. So it's there now.
Second point A new wrinkle to surface last week is bad RAM. Over in GRC's web forums a Spinrite 6.1 user reported data verification errors being produced by Spinrite when running on his cute little Zima board. Spinrite always identified and logged the location of the apparent problem, but from one run to the next there was no correlation in where the problems appeared to be occurring. And when he ran the same drive under Spinrite on a different PC it passed Spinrite's most thorough level 5 testing without a single complaint and he was able to go back and forth to easily recreate the trouble multiple times on one system but never on the other. The trouble multiple times on one system but never on the other.
The inhabitants of the forums jumped on this and suggested a bad or undersized power supply for his Zima board, flaky cabling and anything else. They could think of all great suggestions. Finally, I asked this user to try running the venerable memtest86 on his brand new Zima board and guess what? Yep memory errors. There should never be any. But the first time he ran memtest86, it found six, and the second time it found 101. Seeing that we ran memtest86 on all of our Xima boards, that is, all of the developers, and they all passed with zero errors, as they always should.
So this user had a Xima board with a marginal DRAM memory subsystem. There was no correlation in the locations of the errors that Spinrite was reporting from one memory, from one memory. Oh that his mem test was reporting from one pass to the next. But there were always two specific bits out of the 32 that mem test 86 always identified as being the culprits. They were soft and Spinrite was getting tripped up by this machine's bad RAM when it was performing data verification that's available from Spinrite's levels 4 and 5. The problem was not the drive, it was the machine hosting Spinrite and the drive. So by this point our longtime listeners who've grown to know me listening to this podcast. Know what I'm going to say next? Yep, spinrite 61 now tests the memory of any machine.
1:08:11 - Leo Laporte
It's running all ever wow, who needs mem test?
1:08:15 - Steve Gibson
I've got spinrite. Actually it works great. Uh, it's it's like, immediately found the errors uh this guy was having. What's interesting is that Spinrite 1.0, back in 1988, also built in a memory test. Back then it made sense to verify the RAM memory that would be used to temporarily hold a track's data, while Spinrite was pattern testing the physical surface and giving it a fresh, new low-level format. But I don't know when it happened.
Somewhere along the way I removed that feature from Spinrite. We never heard of it ever being useful. So my initially over-cautious approach seemed to have been proven unnecessary until last week. Approach seemed to have been proven unnecessary until last week. So late last week I implemented a very nice little DRAM memory tester right into Spinrite and then had the guy with the Badzima board give it a try. It successfully determined that his machine's memory was not reliable and Spinrite will then refuse to run on any such machine after making that determination. You know it's just not safe to run it and of course no such machine should be trusted for actually doing anything else. You know it's like a send it back to the manufacturer or if you can change the RAM or diagnose it. So anyway, this new built-in RAM testing feature which is not yet present. Don't go download an updated copy of Spinrite. It's not there yet, not yet present in any Spinrite that's available for download, but it'll appear along with a few other minor improvements that I've made shortly. So I'm sure I'll be announcing it next week. And I just have two little pieces of feedback from our listeners, because we have lots to still talk about here. I got a note from someone whose handle is Jazzman. He said hi, steve, great show, as always.
I work in a cell phone free environment. Not only no service, but we're not allowed to bring them. We have Internet computers but we're not trusted to install anything on them. The problem sounds like he is with the NSA. The problem is I like to have two-factor authentication to protect my email and other stuff. My understanding is if I were to use passkeys, I need my phone. I use Bitwarden with two-factor authentication. My question are there any good solutions for a cell-free environment? Kind regards, bjorn.
Okay, so we've been talking about this for the last couple weeks, whether to have two-factor and now optionally pass keys managed by your password manager or to keep it separate In a phone-free environment. I agree that relying upon Bitwarden for all authentication services is likely the best bet. I think it's probably your only bet, right? We would usually prefer to have passkeys or our authenticator on a separate device, like a phone, but where that's not possible, merging those functions into a single password manager like Bitwarden makes sense. And I should just note that Yuba keys are also pass keys capable and they're able to store up to 25 passkeys in a Yuba key. So a Yuba key is another possibility if that somewhat limited passkeys capacity doesn't pose a problem.
And finally, william Ruckman. He said hi, steve, are passkeys quantum safe? I thought public key crypto was vulnerable, and we've also been speaking just recently about how the big difference between username and password and pass keys is the essentially symmetric crypto secret keeping. Whereas pass keys uses public key crypto, which is why William's asking whereas PassKeys uses public key crypto, which is why William's asking. So it's a terrific question because, as we know, it's the public key crypto that PassKeys offers, which is why WebAuthn, which underlies PassKeys, already provides for plug-in future-proof crypto. So PassKeys and WebAuthn, slash FIDO2, will all be able to move to quantum safe algorithms whenever that's appropriate and as soon as we've settled on them and they've been standardized.
1:13:04 - Leo Laporte
So yes, good, that's good news. And it would be backward Quantum safe. It would be backward to all the passkeys you already are using and all that you would right, maybe not You'd have to regenerate them all.
1:13:16 - Steve Gibson
Yes, If you change the crypto, you would have to regenerate the pass keys, because you're holding private keys with a specific algorithm and there is actually no way for the website even to help you.
I mean, you might go through a use your old pass key, now use your new pass key, and if you did that sequentially, then it would get actually Squirrel had a similar facility, so it would use the first authentication to assert your identity and thus honor the second authentication, which would be from the newfangled crypto, and now it would have the public key under the new algorithm.
1:13:59 - Leo Laporte
Cool, we don't have to worry about it.
1:14:01 - Steve Gibson
Yet there's only about four sites that use it I know, I saw, I saw in doing some of some research just yesterday. So I I saw someone, someone who had something to sell. They were trying to sell some equivalent of a yuba key, I think, and it said, since the majority of the Internet's websites are now using pass keys, I thought are you in a time machine? What are you talking about?
1:14:26 - Leo Laporte
Oh, you're talking 2030. Oh yeah, Maybe, Maybe, yeah, the majority.
1:14:33 - Steve Gibson
as long as you only log into PayPal, yeah right.
1:14:37 - Leo Laporte
There's literally just a handful of sites that use it. I know it's too bad, because it's so easy when it works. I heard you talked a lot about that last week with Micah and I agree with you. I think it's going to be a big improvement. Someday, someday, our prince will come.
1:14:55 - Steve Gibson
Okay, after our final announcement Leo, oh boy, we're going to have some fun. Oh boy, get the beanies lubed I don't know if you should say that. I should say that out loud anyway.
1:15:10 - Leo Laporte
Uh, unlube the beanies for a moment, because we are going to talk about our sponsor for the section, collide. I love collide, k-o-l-i-d-e. Yeah, I know you've heard us talk a lot about KOLIDE. I've sung its praises. Did you know? They were just acquired by 1Password? Now I'm sure some people go, oh no, no, that's good news.
Both companies are leading industry security experts creating solutions that put users first. I mean, it's a great partnership and you should be happy to know Collide is going to continue doing exactly what it's been doing. For the last year or so. Collide Device Trust has helped companies using Okta ensure that only known and secure, very important devices can access their data, and that's what they're going to still do, just as part of 1Password. That means more resources. It's great news.
If you've got Okta and you've been meaning to check out Collide, this is a perfect time to do it. Collide comes with a library of pre-built device posture checks or you can write your own custom checks for just about anything you can think of, which means you can say to your users hey, you got to fix that. You got to fix that Before we let you in the network. You got to patch your stuff or get the latest browser or update your operating system Plus. I love it because you can use Collide on pretty much anything without MDM. So that means now your Linux fleet is included, your contractor devices and, of course, every BYOD phone and laptop in your company. Now that Collide's part of 1Password, it's just going to get better. Check it out at kolidecom slash security now. Collidecom slash security now. You can watch a demo there and learn more about it. It's a really smart idea. Collide K-O-L-L-I-D-E dot com slash security now. We thank him so much for supporting Steve and the show. And now let's talk about Fetch Go Fetch.
1:17:14 - Steve Gibson
So go Fetch. Last Thursday, the world learned that Apple had some problems with their cryptography. Unfortunately, it would be impossible to determine from most of the tech press's coverage of this whether this was an apocalyptic event or just another bump in the road. Ars Technica was apparently unable to resist becoming clickbait central with their headline Unpatchable Vulnerability in Apple Chip Leaks Secret Encryption Keys. Wow, that would be bad if it was true. Fortunately, it's not the least bit true. It's not unpatchable and it's not a vulnerability in an Apple chip. Kim Zetter's Zero Day goes with.
Apple chip flaw lets hackers steal encryption keys. This chip flaw in air quotes theme seems to become pretty popular, even though nowhere did any of the actual researchers ever say anything about any chip flaw. Even Apple Insider's headline read Apple silicon Vulnerability Leaks Encryption Keys and Can't Be Patched Easily. What Apple was told 107 days before the disclosure back on December 5th of last year. Apple is certainly quite aware of the issue and I'm sure they're taking it seriously, and for their newer M3 chips, all that's needed is for a single bit to be flipped. Tom's hardware went with. New chip flaw hits Apple's silicon and steals cryptographic keys from system cache. Go fetch. Vulnerability attacks Apple M1, m2, m3 processors can't be fixed in hardware, oh dear, except for a few details, it's not new, it's not a flaw. Nothing ever hit Apple Silicon. And as for it not being fixable in Apple M1, m2, or M3 processors, if you have an M3 chip, just flip the bit on during crypto operations and the unfixable problem is solved. And finally, as we'll see by the end of this topic today, there are equally simple workarounds for the earlier M series processors. Okay, so you know.
I could keep going, because the material in this instance was endless. Not a single one of the headlines of the supposedly tech press stories that covered this characterized this even close to accurately. It's not a flaw. Nothing is flawed. Everything is working just as it's supposed to. It's not a vulnerability in Apple Silicon. Apple Silicon is just fine and nothing needs to change. It is certainly not unfixable or unpatchable. Cyber News headline was M-series Macs can leak secrets due to inherent vulnerability. The only thing that's inherently vulnerable here is the credibility of the tech press's coverage of this Holy cow. It really has been quite over the top. After sitting back and thinking about it, the only explanation I can come up with is that because what's actually going on with this wonderfully and subtly complex problem. No one writing for the press really understood what the researchers have very carefully and reasonably explained, so they just went with variations on Ars Technica's initial unpatchable vulnerability in Apple's chip nonsense Under the assumption that Ars must have actually understood what was going on.
1:20:58 - Leo Laporte
So everyone just copied them. I just assume Dan Gooden knows. If he doesn't know, that's right.
1:21:02 - Steve Gibson
right, you know dan's on the ball typically, but and we do know, in fairness to dan he doesn't provide the headlines. It's what went back. When I was writing the tech talk column for info world, I was often really annoyed by what my columns were. Were were head, because that's not what I said in the text. But you know, some copy editor I guess that's what they're called, you know, gave it the headline that would get people to turn to the page. So, okay, not Dan's fault.
Okay, the TLDR of this whole fiasco is that a handful of researchers built upon an earlier two-year-old discovery, which three of them had been participants in back then. That was dismissed at the time by Apple as being of only academic interest. It's yet another form of side attack on otherwise very carefully designed to be side channel attack, free, constant time cryptographic algorithms. The attack surrounds an arm-based performance optimization feature known as DMP, and I was thinking, boy, if the acronym had been EMP, that would have really blown the tech press right off the top. Anyway, not EMP, dmp, and a variation of the same type of optimization is also present in the newest Intel chips, the Razer or something or other. Anyway, I'll get to that, okay. And so true to Bruce Schneier's observation that attacks never get worse, they only ever get better. About a year and a half after that initial discovery two years ago, which never amounted to much, it turned out that the presence of this DMP which I will be explaining in detail optimization feature actually did and does create an exploitable vulnerability that can be very cleverly leveraged to reveal a system's otherwise well-protected cryptographic secrets. After verifying that this was true, the researchers did the responsible thing by informing Apple, and we have to assume Apple decided what they wanted to do next Okay. Unfortunately, that true story doesn't make for nearly as exciting a headline, so none of the hyperventilating press explained it this way. One important thing that sets this apart from the similar and related Spectre and Meltdown vulnerabilities from yesteryear is that this new exploitation of the DMP optimizer is not purely theoretical. All we had back in those early days of speculative execution vulnerabilities was a profound fear over what could be done, over what this meant. It was clear that Intel had never intended for their chip's internal operation to be probed in that fashion, and not much imagination was required to envision how this might be abused, but we lacked any concrete real-world proof of concept. Not so today, and not even post-quantum crypto is safe from this attack, since we're not attacking the strength of the crypto, but rather the underlying keys are being revealed.
The GoFetch proof-of-concept app, running on an Apple Mac, connects to the targeted app, also on the same machine, which contains the secrets. It feeds the app a series of inputs that the app signs or decrypts or does something using its secret keys, you know, basically inducing it to perform cryptographic operations that require it to use the secrets it's intending to keep. As it's doing this, the app monitors aspects of the processor's caches and it shares the processor's caches, which it shares with the targeted app in order to obtain hints about the app's secret key. Okay, so how bad is it? As I mentioned, the attack works against both pre and post-quantum encryption. The demo GoFetch app requires less than an hour to extract a 2048 bit rsa key and a little over two hours to extract a 2048 bit diffie hellman key. The attack takes 54 minutes to extract the material required to later assemble a kyber 5 12 bit key and about 10 hours for a dilithium-2 key, though some time is also required afterwards for offline processing of the raw data that is collected. In other words, it is an attack that is practical to employ in the real world. Okay, so what exactly is DMP? What did the researchers discover and how did they arrange to make their Macs give up the closely held secrets being hidden inside?
The research paper is titled GoFetch Breaking Constant-Time Cryptographic Implementations Using Data-Memory-ory-dependent prefetchers. Okay, now that sounds more complex than it is. We have breaking constant-time cryptographic implementations. We already know that a classic side-channel vulnerability, which is often present in poorly written crypto implementations, is for an algorithm to in any way change its behavior depending upon the secret key it's using. If that happens, the key dependent behavior change can be used to infer some properties of the key. So the first portion of the title tells us that this attack is effective against properly written constant-time cryptographic implementations that do not change their behavior in any way. That's not where things got screwed up. The second part of the paper's title is using data memory dependent prefetchers, and that's what's new here. If you guessed that the performance optimization technique known as DMP stands for data memory dependent prefetchers, you'd be correct.
Three of the seven coauthors of today's paper co-authored the earlier groundbreaking research two years ago, which described their reverse engineered discovery of this DMP facility residing inside Apple's M-series ARM-derived chips chips. Back then, they raised and waved a flag around, noting that what this thing was doing seemed worrisome, but they stopped short of coming up with any way to actually extract information, and the information that they had was made public. Now we don't know for sure that sophisticated intelligence agencies somewhere might not have picked up on this and turned it into a working exploit, as has now happened, but we do know for sure that Apple apparently didn't give this much thought or concern two years ago, since every one of their Mac M series chips was vulnerable to exploitation several years later. Okay, I'm going to share today's research abstract today's the the updated current research abstract and introduction, since it's packed with information and and some valuable perspective, and then I'll break it down. So they wrote.
Micro architectural side channel attacks have shaken the foundations of modern processor design. The cornerstone defense against these attacks has been to ensure that security critical programs do not use secret dependent data addresses. Put simply, do not pass secrets as addresses, for example, data memory instructions. Yet the discovery of data memory-dependent prefetchers, these DMPs, which turn program data into addresses directly from within the memory system, calls into question whether this approach will continue to remain secure. This paper shows that the security threat from DMPs is significantly worse than was previously thought thought and demonstrates the first end-to-end attacks on security-critical software using the Apple M-series DMPs. Undergirding our attacks is a new understanding of how DMPs behave, which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to leak any cached data that resembles a pointer. From this understanding, we design a new type of chosen input attack that uses the DMP to perform end-to-end key extraction on popular constant-time implementations of classical and post-quantum cryptography.
And by way of introduction, they said, for over a decade modern processors have faced a myriad of micro-architectural side-channel attacks, for example through caches, tlbs you know translation, look-aside, buffers, branch predictors, on-chip interconnects, memory management units, speculative execution, voltage, frequency scaling and more. You know. As we know, even like the sound of the power supply changing can leak information. They said. The most prominent class of these attacks occurs when the program's memory access pattern becomes dependent on secret data, for example cache and TLB. Side channel attacks arise when the program's data memory access pattern becomes secret dependent. Other attacks, for example those monitoring on-chip interconnects, can be viewed similarly with respect to the program's instruction memory access pattern.
This has led to the development of a wide range of defenses, including the ubiquitous constant time programming model, information flow based tracking and more, all of which seek to prevent secret data from being used as an address to memory control flow instructions. Recently, however, augury that's what they called their first research two years ago, a-u-g-u-r-y, and it related to an auger being used demonstrated that Apple M-series CPUs undermine this programming model by introducing a data-memory-dependent prefetcher that will attempt to prefetch addresses found in the contents of program memory. Thus, in theory, apple's DMP leaks memory contents via cache side channels, even if that memory is never passed as an address to a memory control flow instruction. Okay, and again I will explain exactly what all that means. I've got a couple paragraphs left.
They said despite the Apple DMP's novel leakage capabilities, its restrictive behavior has prevented it from being used in attacks. In particular, augury reported that the DMP only activates in the presence of a rather idiosyncratic program memory access pattern, where the program streams through an array of pointers and architecturally dereferences these pointers architecturally dereferences these pointers. This access pattern is not typically found in security-critical software such as side-channel hardened constant-time code, hence making that code impervious to leakage through the DMP, with the DMP's full security implications unclear. In this paper, we address the following two questions Do DMPs create a critical security threat to high-value software, and can attacks use DMPs to bypass side-channel countermeasures such as constant time programming? This paper answers the above questions in the affirmative, showing how Apple's DMP implementation poses severe risks to the constant time coding paradigm. In particular, we demonstrate end-to-end key extraction attacks against four state-of-the-art cryptographic implementations, all deploying constant time programming. And just to be clear, when they say end-to-end attacks, they mean they run something and they get the key, meaning all the work is done. Nothing left for the reader to finish. You know this thing works.
Okay, as we've had the occasion to discuss through the years on this podcast, the performance of DRAM, the dynamic RAM memory that forms the bulk of our system's memory, has lagged far behind the memory bandwidth demands of our processors. Through the years we've been able to significantly increase the density of DRAM, but not its performance. And, as we know, even the increase in density has met with challenges in the form of susceptibility to adjacent row interference, which led to the various DRAM hammering attacks. But on the performance side, the saving grace has been the processor.
Memory access patterns are not linear and non-repetitive. They are typically highly repetitive. The programs almost always loop, meaning that they are executing the same code again and the processor. The processor's repetition of the same instructions, and often the data for those instructions, can be fulfilled much more quickly from the local cache than from main memory. During our discussions of speculative execution, we saw that another way to speed up our processors was to allow the processor to run well ahead of where execution was, and if the code encountered a fork in the road in the code's flow, it would fetch ahead down both paths of the fork, so that once the path to be taken became known, whichever way that went, the system would already have read the coded instructions for that path and have them ready to execute. In practice, this is accomplished by breaking our processors into several specialized pieces, one being the prefetch engine, whose job it is to keep the execution engines fed with data from main memory. Many instructions do not make any main memory accesses. They might be working only within the processor's internal registers or within what's already present in the processors local cache. So this gives the prefetching engine time to anticipate where the processor might go next and to guess at what it might need. In a modern system, there's never any reason to allow main memory to sit idly by, not even for a single cycle. A good prefetching system will always be working to anticipate its processor's needs and to have already loaded the contents of slower DRAM into the high-speed cache when the processor gets to needing it.
Okay, now let's add one additional layer of complexity. One of the features of all modern processor architectures is the concept of a pointer. A location in memory or the contents of a register could contain an object's value itself, or instead it could contain the memory address of the object. In that second case, we would say that the value in the memory or register contains, instead of the value of the object itself, a pointer to the object. As a coder, I cannot imagine my life without pointers. They are absolutely everywhere in code because they are so useful. We need one bit of new vocabulary to talk about pointers. Since a pointer is used to point to or refer to something else, the pointer contains a reference to the object, so we call the act of following a pointer to the object dereferencing the pointer. We'll see the researchers using that jargon in a minute.
But first let's think about that cash-fillingfetch engine. Its entire reason for existence is to anticipate the future needs of its processor, so that whatever the processor wants will already be waiting for it and instantly available from its cache. The processor will think that its pre-fetch engine is magic. The processor will think that its pre-fetch engine is magic. So one evening, probably about seven years ago, some Apple engineers are sitting around a whiteboard with a bunch of half-eaten pizzas. They're brainstorming ways to further speed up Apple's proprietary silicon. Given the time frame, this would first be able to appear in their A14 bionic processor. So one of them says you know, we're already doing a great job of fetching the data that the processor is going to ask for. But when we fetch data that contains what looks like pointers, we're not fetching the data that those pointers are pointing to. If the data really are pointers, then there's a good chance that once the processor gets its hands on them, it's going to be asking for that data next. We could anticipate that and have it ready too, just in case it might be useful. I mean, what's the whole point of being a pre-fetching engine? I mean, right, that's the whole point. That's what we're here for Now.
At this point the pizza is forgotten and several in the group lean forward. They're thinking about the kinds of cars they're going to be able to get with the raises this idea will earn them. Then they realize they need to make it work first, although they're immediately hooked by the idea because they know there's something there. One of them plays devil's advocate, saying but the cache is context-free. What he means by that is that the prefetch engine sees everything as data. It's all the same to it.
The prefetcher doesn't know what the data means. It has no meaning in DRAM, it's all just mixed bytes of instructions and data. It's a hodgepodge. It's not until that data is fetched from the cache and is actually consumed by the processor that the data acquires context and meaning. The answer to the but the cash is context free guy is yeah. And so what if some data that's being added to the cache looks like a pointer and if it's pointing into valid DRAM memory, what's the harm in treating it as a pointer and going out and also grabbing the thing that it might be pointing to? If we have time and we're right, it's a win for the processor. The processor won't believe its luck in already having the thing it was just about to ask for already magically waiting there in its local cache.
So finally, after their last dry erase marker stops working from the hastily scribbled diagrams on their whiteboards. They're satisfied that they're really on to a useful next generation optimization. So one of the masks? Okay, this is good, but it needs a name. What are we going to call it? One of them says well, how about data memory dependent prefetching, or DMP for short? So here we've just seen a perfect example of where and how these next-generation features are invented over pizza and dry erase markers.
And it's also easy to see that the security implications of this don't even make it onto the radar is anticipating a possible future use of what might be a pointer and prefetching the thing it's pointing to, in case they're right and it is a pointer, and in case the processor might eventually ask for it. It's disconnected from whatever the processor is doing. Right, it's a data-memory, data memory dependent prefetcher. What this amounts to is a somewhat smarter prefetcher. It cannot be certain whether it's fetching a pointer, but in case it might be, it'll just jump ahead even further to also prefetch the thing that what might be a pointer may be pointing to.
Okay, so now let's hear from the geniuses, who likely also consumed their share of pizza while they scratched the itch that had apparently been lingering with at least three of them for a couple of years, ever since that first bit of work, when they discovered that Apple had dropped this data memory-dependent prefetcher into their silicon. Here's how they explained what they came up with. They said we start by reexamining the findings in Augury. Re-examining the findings in augury here we find that augury's analysis of the dmp activation model was overly restrictive and missed several dmp activation scenarios. Through new reverse engineering, we find that the dmp activates on behalf of potentially any program and attempts to dereference any data brought into cache that resembles a pointer. This behavior places a significant amount of program data at risk and eliminates the restrictions reported by prior work. Finally, going beyond Apple, we confirm the existence of a similar DMP on Intel's latest 13th generation Raptor Lake architecture with more restrictive activation criteria.
Next, we show how to exploit the DMP to break security-critical software. We demonstrate the widespread presence of code-vulnerable-to-DMP-aided attacks in state-of-the-art constant-time cryptographic software, spanning classical to post-quantum key exchange and signing algorithms. Okay, and then, finally, this last bit is the key to everything. I'll read it first, then I'll take it apart. They said our key insight is that, while the DMP only dereferences pointers, an attacker can craft program inputs so that, when those inputs mix with cryptographic secrets. The resulting intermediate state can be engineered to look like a pointer if, and only if, the secret satisfies an attacker chosen predicate. For example, they said imagine that a program has secret S, takes X as input and computes and then stores Y equals S XORed with X to its program memory. The attacker can craft different Xs and infer partial or even complete information about S by observing whether the DMP is able to dereference Y. We first use this observation to break the guarantees of a standard constant time swap primitive recommended for use in cryptographic implementations. We then show how to break complete cryptographic implementations designed to be secure against chosen input attacks.
Okay, so they realized that apple's dmp technology is far more aggressive than they initially appreciated. It is busily examining all of the data that's being put into the cache for all of the processes running in the system. It's looking for anything that looks pointer-like and, when found, it's going to go out and prefetch that because it may be pointing to something that the processor is going to ask for in the future. Their next step was to realize that, since this pointer-like behavior is highly prone to producing false, positive hits which would prefetch miscellaneous, bogus data, and since it operates indiscriminately on any and all data in the system. They can deliberately trick Apple's DMP system to misfire. When it does, it will prefetch data that wasn't really being pointed to, and they can use standard, well-understood cache probing to determine whether or not the DMP did in fact misfire and prefetch. Since the cause of that mixes secrets with what they provide, it reveals information about the secret. They induce the isolated process containing the secrets to perform a large number of cryptographic operations on their deliberately crafted data, while using the now well-understood behavior of the DMP to create an inadvertent side channel that leaks the secret key, even though the cryptographic code itself is being super careful not to behave differently in any way, based upon the value of the secret key. In other words, it's being betrayed by this advanced operation of the prefetching cash. The code's care doesn't matter, because the cryptographic code, you know, as I said, is being betrayed.
What I've just explained is a version of what these very clever researchers revealed to Apple back 107 days ago, from last Thursday in early December last year. So what does Apple do about this? You know, this does seem like the sort of thing Apple ought to be able to turn off. This does seem like the sort of thing Apple ought to be able to turn off. One of the things we've learned is that these initial nifty, seeming slick performance optimizations, like Spectre and Meltdown and all the others, always seem to come back to bite us sooner or later. So the lesson we absolutely, as an industry, have to take away and you know it's surprising we haven't yet is that anything like this should have an off switch to these researchers' initial Augury DMP paper back in 2022, that Apple added that off switch to their M3 chip. Apple announced it on October 30th last year, the day before Halloween and that M3 can have DMP turned off.
I've heard, but I haven't confirmed, that Apple's own crypto code is flipping DMP off during any and all of their own cryptographic operations. So it may only be non-Apple crypto code running on Macs that are endangered on M3-based machines. The researchers cite their compromise of the Diffie-Hellman key exchange in OpenSSL you know, not an Apple library and the RSA key operations in the Go language library. So, again, not Apple's in the Go language library. So, again, not apples.
So what about the non-M3 chips? The Apple A14, bionic, the M1 and the M2? Well, it turns out that these so-called SOC you know systems on a chip all have multiple cores and the cores are not all the same type. Only half of the cores are not all the same type. Only half of the cores are vulnerable because only half of them incorporate the DMP. Apple's M series have two types of cores the bigger Firestorm cores, also known as the Performance cores, and the smaller IceStorm cores, also known as the Efficiency cores. On the M1 and M2 chips, only the Firestorm performance cores offer the problematic DMP prefetching system. So all Apple needs to do is to move their crypto over to the smaller efficiency cores. Crypto operations will run more slowly there, but they will be completely secure from this trouble. So is Apple going to do any of these things? Have they already?
The press thinks that nothing has been done yet. I find that curious, given that the concerns are real and that solutions are available. But so far, all the press has reported. Now again, apple knew about this in early December. All the press has reported that Apple has been curiously mute on the subject. Apple just says no comment. This is doubly confounding, given that Thursday's research disclosure came as no surprise to them, right? And also that the firestorm of truly over-the-top apoplectic and apocalyptic headlines that have ensued as a result, you know, really does need a response. I imagine that something will be forthcoming from Apple soon. Until then, for what it's worth, the attack, if it were to happen, would be local and would be targeted, and would require someone arranging to install malware onto the victim's machine. It's not the end of the world and, as I'm always saying around here, anyone can make a mistake, but Apple's customers would seem to need and deserve more than silence from Apple, so we ought to hear something, but at least now we understand exactly what's going on.
1:55:25 - Leo Laporte
And, by the way, if somebody can install that on your system, they could also just put a keystroke logger on there. There's all sorts of ways they can get full access. That's you know, right. In fact, that's probably a lot easier to do it some other way than a side channel attack. Does it take a lot of monitoring and trial and error to have this side?
no it doesn't it takes an hour and you get the key, okay and so so you actually do get a secret that was trying to be protected so I could see a nation state saying oh good, all right we'll do is we'll get this on there through some other malware exploit, we'll run it and then we'll erase all traces.
1:56:04 - Steve Gibson
Guy, I'll never know he was hacked, but we've got the key and we've got the key forever, right until he changes right and and, yeah, and, and the point I made was that you know, when this became public two years ago, you know these guys apparently stopped their research. We don't know the NSA did. The NSA might have gone. Hey, that's interesting, let's take a look at that oh, and if the NSA could?
1:56:30 - Leo Laporte
NSA's probably been working on this same thing forever, right? I mean, they know about these side channel attacks. They know about speculative execution. They know what Spectre and Meltdown produced on the x86 platforms. I'm sure they were looking for it too. Just whose professors are better, I guess? Yeah, hopefully we have good profs. I think we have good profs in the NSA. Good will hunting notwithstanding, mr Steve Gibson, ladies and gentlemen, happy birthday, steve. Thank you very much. Very nice, you're getting there One more year and it's going to be a big one. We're going to have a big party for you next year.
1:57:05 - Steve Gibson
I know. I just hope there's no loss of function.
1:57:09 - Leo Laporte
I want to keep doing it at my current rate, it's fine. Getting old is not so bad as long as the body understands it needs to continue doing everything properly.
1:57:20 - Steve Gibson
And then you know and objectively, the the the sad thing is. I mean, I feel great.
1:57:27 - Leo Laporte
I don't seem to have lost any of my energy or anything.
1:57:28 - Steve Gibson
But objectively you look at 80 year olds and they're they, you know they.
1:57:35 - Leo Laporte
Uh, there's not much you can do to slow that down. My mom's 92 or 91 and I, you know she's still going strong.
1:57:43 - Steve Gibson
I'd be happy if I were in her shape in 20 years or 13 years.
1:57:49 - Leo Laporte
I don't think you'd be writing spin right 10, but let's hope you're doing some fishing might keep the brain sharp. I know, look what I'm working on. You know I'm trying to keep the brain sharp. I'm what's going on here. So, uh, having a lot of fun with the code coding. I feel like if I can do this, I still have something upstairs I love to code.
1:58:12 - Steve Gibson
Coding is so much, there's I am so happy.
1:58:14 - Leo Laporte
Yeah, really is so much fun. In fact, I had kind of a breakthrough this morning. That's why I'm kind of looking at this.
1:58:21 - Steve Gibson
Oh, cool, that's nice.
1:58:22 - Leo Laporte
Yeah, day 19 on Advent of Code. It's a lot of fun. Steve Gibson lives at GRCcom, the Gibson Research Corporationcom. That is where you'll find, of course, spinrite, the world's finest hard drive. Actually, all mass storage, maintenance and recovery utility 6.1's out. Kids, go on and get yourself a copy. And if you already have a copy of that, well, browse around.
There's all sorts of other wonderful stuff, including this show. You'll find it actually a couple of unique versions of this show at GRCcom the 16-kilobit audio, which is the smallest audio version of the show. He also has the 64-kilobit audio, which sounds a lot better. He also has transcripts, handcrafted by Elaine Ferris, so you can read along as you listen, or search or feed them to your AI and make an AI. Steve, whatever it is that you need to do, you can do it with those GRCcom. We are at twittv and, of course, the security now shows twittv slash SN. We have 64 kilobit audio as well, but our unique format is video. You can watch Steve's smile and face. You can watch us do the show every Tuesday right after Mac Break Weekly. It usually works out to around 1.30 pm Pacific, 4.30 Eastern, 2030 UTC, and we stream that live on YouTube, youtubecom slash twit. So tune in when the show begins, tune out when the show's over. But if you subscribe and you hit the bell, then you'll get a notification whenever that's about to happen.
1:59:58 - Steve Gibson
And try not to tune out before the show's over.
2:00:01 - Leo Laporte
Well, I thought in the Discord I noticed a couple of people saying okay, I don't understand what he's talking about. I think I'll leave now. I always just try to let it drift over my head and hope that it will seep in at some point.
2:00:14 - Steve Gibson
I've often suggested exactly that strategy. Don't worry about the details, you'll just get the feel for it.
2:00:19 - Leo Laporte
I've learned a few things you know from listening to this show over the last. What is it? 15, 16 years, something like that? Honey, we're in year 21. 21? Or is it 19?
2:00:29 - Steve Gibson
No 20.
2:00:30 - Leo Laporte
Yeah, because we Twitter itself will hit. It's 19th birthday is next month, is in a couple of weeks. That's it, okay. So you're a little younger than that, just a tad. So you are in your 20th year. You will be in your 20th year soon, yep, which is kind of mind boggling. I didn't even think podcasting in the last 20 months, let alone 20 years, episode 967.
Yeah, have a great birthday. I hope you get some cake. You know, I bet you. Lori, right now she's got the apron on, she's whipping up the batter. She's going to make you a nice cake. A little coconut cream icing on top somewhere.
2:01:07 - Steve Gibson
She's going to be cooking a nice medium rare steak, that's all you care about, and a little cab A little. Santa Cruz.
2:01:12 - Leo Laporte
Mountain cab. That's a great idea. Thank you, steve, have a great idea. Thank you, steve, have a great week. And all of you thank you, especially to our Club Twit members who make this show possible. If you're not a member, seven bucks a month. Twittv slash, club Twit. Take care, steve.
2:01:28 - Steve Gibson
Bye, buddy, see you next week. Oh, or is it still going to be March, or is it April?
2:01:32 - Leo Laporte
It'll be April. See you in April. Live long and prosper, mr Gibson. Bye, bye.