Security Now 972 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. Last night he was sitting in his armchair having a nice glass of Cabernet Sauvignon reading the news. When he saw the announcement that the United Kingdom is going to make a major change to how IoT devices work he is so excited he's come here he leapt to his feet and said we got to talk about this on security now. So we will. What happened with Chrome dumping, its plans to dump third party cookies? And let's talk a lot about pass keys. There was an interesting post Steve read and a lot of you read, saying it's not working. Are pass keys over? All that and more coming up.

Next, on Security Now Podcasts you love From people you trust. This is Twit. This is Security Now with Steve Gibson, episode 972. Recorded April 30th 2024. Paskies, a shattered dream. It's time for Security Now, the show where we I know you wait for this all week long, don't you? We cover the security field, the computer field, every other field, the sci-fi field, with this guy right here, steven tiberius gibson. May the fourth be with you. Yes, you are, oh, the fourth.

0:01:30 - Steve Gibson
Yes coming up. Um, you are correct, uh, about our the breadth of our coverage. I do have a little sci-fi mention, a real quickie, for those of us who have been, for those listeners who've been following along, what has turned out to be my favorite saga, which promises well actually I was gonna say out to be my favorite saga which promises well actually I was gonna say promises to be never ending, but it actually does have an end and this author is, you know, continuing to deliver on the promise okay but, uh, the choice for this week's main topic, uh, received some serious competition from some surprising legislation that came into effect just yesterday in the UK, in our dear beloved United Kingdom.

So we're going to start by taking a close look at what happened in the UK. That, I kid you not, promises to completely change the face of consumer IoT device security, like immediately. I know that's, you know, I don't think that's an overstatement. I think that the world as we have known it has just changed, have known it has just changed. So you can see why that was competing for for today's topic, which we'll get to. After that.

Uh, we're going to explore a little bit of like, well, like what happened with that, the news that just came in that you announced during last week's podcast leo, which was chrome's sudden change of plan regarding its third-party cookie handling. I'm going to get a little bit into that, but I'll explain why I'm probably going to punt most of it till next week, because it turns out that there's a lot. I also have a little bit of listener feedback to share and, as I said, news of the next installment in a long running sci-fi book series. I've also got some welcome news that I'm finally working on GRC's email system, which will come as great news for our listeners. And then we're going to finish by taking a look at a blog posting by an industry insider developer that a surprising number of our listeners.

This thing has gotten a lot of a track, a lot of traction out in the industry, and our listeners kept forwarding me links to it, asking whether pass keys is a shattered dream. Um, they've all been saying what do you think about this? And so you know. You know some neat stuff to talk about and, of course, a great picture of the week, for that's apropos of the topic that we've been covering lately, of Voyager.

0:04:14 - Leo Laporte
Yes, pass keys A shattered dream. The topic on today's it sounds like you know, today we go up and we come down. Yeah, I, I like pass keys. It is a shattered dream, although one could say you might have a little dog in this hunt because, honestly, the squirrel protocol that you created is a far better way of doing it.

0:04:40 - Steve Gibson
But because solved the problems that is dogging this. It solved the problems that is dogging this, but you know, I don't even mention it in my coverage because all of our listeners already know. They know that. You know I did solve it the right way and that's not what we got.

0:04:55 - Leo Laporte
And I suppose that ship has sailed and you just have to have the big guys behind it before it has any chance of being adopted. Well, and in fact this author.

0:05:04 - Steve Gibson
This guy is the author of a very strong WebAuthn library, the one for Rust that Susie is using and many others have forked from. He notes that Chrome has succeeded in killing some features just by not adopting it right exactly.

0:05:31 - Leo Laporte
Yeah, that's too much power in google's hands. If you ask me, well, they've got it. We will get the. I know it's too late now we will. Uh, by the way, I just start. You know I I used open ai's chat for a long time and made some GPTs and really like it, especially version four, but I just started using. On Sunday Kevin Rose said try Gemini, have you not tried? And so I tried Gemini Advanced and it is mind-blowingly good. So we got us a race which is exciting, very interesting, and I'm sure there'll be lots of security implications there. Gemini writes excellent code.

0:06:09 - Steve Gibson
Unfortunately, well, and did you see the blurb? I didn't get it in the show notes where, uh, chat gpt4, just given the list of cvas, we talked about it. Yes, is able to generate exploits, yes, just like here you go.

0:06:27 - Leo Laporte
They took 87% of the CVEs. They were given just the description and created the proof of concept.

0:06:34 - Steve Gibson
Working exploits for them. So script kiddies have been elevated.

0:06:40 - Leo Laporte
Oh, what a world we are. This is just getting wild, that's all I can say. Not in a good way, to be honest with you. All right, let's talk about our sponsor. Actually, this is a good time to talk about it. You might want to know more about your digital guardian, eset. We talk about ESET a lot. We use ESET here.

With ransomware, data breaches, cyber attacks on companies becoming increasingly prevalent in this world of ours, and you know that if you listen to the show it's important to have proactive security in place, ready to stop threats before they happen. Here's a stat that'll blow your mind On average, it takes 277 days to identify. That's nine months, more than nine months to identify and contain a security breach. 277 days During a breach time is your enemy, and it's important to act fast In fact, faster than nine months. Your managed detection and response service that brings threat management right to your doorstep, tailored to fit the size of your business or your current cybersecurity needs. With ESET's MDR, you'll enjoy 24-7 cybersecurity coverage with a potent blend of AI-driven automation and human expertise, bolstered by cutting-edge threat intelligence and with professional support backed by ESET's team of renowned researchers. Resolving issues becomes a manageable task, and and you can do it a lot faster than 277 days, I'm sure.

Join ESET at the RSA 2024 conference. You can connect with ESET at their booth. It's in the South Expo Hall. Better yet, have a drink with ESET at the ESET Happy Hour that's coming up Tuesday, may 7th, about a week from today. As a matter of fact, you can find out everything you need to know at businessesetcom. Optimize your security with ESET's MDR service, their Managed Detection and Response service. At businessesetcom, slash twit. We love, he said, we use, he said and we thank him so much for supporting security. Now ready for the picture of the week okay.

0:08:54 - Steve Gibson
So this resonated with me from something in my youth and I figured that you would, being the king of pop that you are, you know you'd go.

0:09:05 - Leo Laporte
Oh yeah, that's about this, but it drew a blank for you when I asked you yeah, well, it sounds like a I don't know what a joke, maybe an old joke.

0:09:13 - Steve Gibson
Okay, so we have a cartoon which is apropos of the topic we've been following about the fate of Voyager 1 and how, by some miracle, it is back on the air Anyway. So the cartoon shows a couple of cute little green aliens in their classic, you know circular UFO saucer with the glass bubble. And this saucer, however, is labeled salvage and it's got the tow truck hook off the back with a hook. So they're you know a nasa on it and its various you know probes and sensors and and and so forth, and the one alien is saying 15 billion miles on it, but the radio still works. And I'm it'm reminded of something about you. It is true, absolutely true.

I'm reminded of something about used cars back from my high school days there was some meme about well, it's broken down and only goes downhill or something, but the radio still works. Anyway, 15 billion miles, the radio still works. I thought that was a cute little observation. Okay so okay, yesterday, mark this day in your calendars Yesterday, april 29th, 2024, a new law went into effect in the UK, not just like legislation got submitted somewhere or well, we're going to give this some happened, and by the content, but the depth of the quality of the baseline requirements that this proposes, which is why we're going to spend some time on this, because this is huge.

And what was also odd was, I guess I must have saw this, I must have saw this, I must have seen this like immediately after it happened, because I looked around for, like other, more fleshed out coverage and nobody was picking up on it. Now there's like overnight. There's like overnight. It's like beginning to happen in the security, you know, infosphere, because it's like whoa what? So yesterday, only the Guardian, you know, in the UK, seemed to have anything to say and they didn't say much, but their headline was no more 12345. Devices with weak passwords will be banned in the UK. And the subhead was makers of phones, tvs and smart doorbells legally required to protect devices against access by cyber criminals. And you know, not just passwords, baby. That's just the tip of the iceberg. I mean, this is it's comprehensive legislation. In order to go, in order to get more detail, I went to the source. So this is the GCHQ's National Cyber Security Center blog, posted yesterday, which was titled Smart Devices New law helps to choose secure products and actually, even that's an understatement, because this impacts not only the manufacturers of devices that may not be in the UK, but also anyone importing them and anyone retailing them, and it's got some teeth behind it.

So it's not that the consumers in the UK are going to have a choice. There aren't going to be any noncompliant options to purchase and, of course, this ends up being global, because we're in a global economy, because we're in a global economy. Okay, so what GCHQ said in their sort of their top-level blog announcement? They said from April 29, 2024, manufacturers of consumer smart devices must comply with new UK law. That is yesterday. The law, known as the Product Security and Telecommunications Infrastructure Act, or PSTI Act, will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.

Protection against cyber attacks the law means manufacturers must ensure that all their smart devices meet basic cybersecurity requirements. Now here they just highlight three and they happen to be the first three, but they're the first three of like 14, and they're all really significant. But the first three are the manufacturer must get this. I mean, it sounds like I wrote this from the podcast. The manufacturer must not supply devices that use default passwords which could be easily discovered online and shared. If the default password is used, a criminal could log in to a smart device and use it to access a local network or conduct cyber attacks. So again, this is just sort of the blog discussing the legislation. We'll get to the actual legalese here in a second. So they're sort of like explaining the why of these requirements at this point. Second one the manufacturer must provide a point of contact for the reporting of security issues which, if ignored, could make devices exploitable by cyber criminals. Right and three the manufacturer must state the minimum length of time for which the device will receive important security updates, and then they've fleshed that out by explaining when updates are no longer provided, devices are easier to hack or may stop working as designed. So that's just the top three which this law makes a requirement for the sale of anything, and I mean again, there aren't any loopholes in this. It's like if it's going to connect to the internet or a network, it has to have this, so they said.

Although most smart devices are manufactured outside the UK, the PSTI Act also applies to all organizations importing or retailing products for the UK market I mean like Amazon. So they said. Failure to comply with the act is a criminal offense, with fines up to 10 million pounds or 4% of qualifying worldwide revenue, whichever is greater. They said the law applies to any consumer smart device that connects either to the Internet or to a home network, for example by Wi-Fi. This may include and here's the first of several enumerations that we're going to be encountering, but here they said, smart speakers, smart TVs and streaming devices, smart doorbells, baby monitors and security cameras, cellular tablets, smartphones and games consoles, wearable fitness trackers, including smart watches, smart domestic appliances such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners and washing machines. They finish, the NCSC has produced a point-of-sale leaflet for retailers to distribute in-store to their customers. It explains how the PSTI regulation affects consumers and why it's important to choose smart products that protect against the most common cyber attacks.

So you know, it's the end of April. Right, it's not the beginning. This is not April Fool's Day. This happened on the 29th and the first thing I need to say is holy crap, where did this come from? Turns out it's been in the works for five years and just not much, you know, hasn't been drawing much attention to itself. So fines in the amount of the greater of 10 million pounds I think that was 12 and a half million US dollars at this point, at the current exchange rate, or 4% of a manufacturer's qualifying worldwide revenue, whichever is the greater.

You know, this is the sort of legislation that can really make a profound overnight difference in consumer security. And since a great many manufacturers have shown through their actions or, you know, deliberate inaction, that they need to be made to change, this is the change that's required to make them to change. This is the change that's required to make them, since this is huge and potentially affects all products worldwide which might find their way to the UK. Well, because it impacts not only manufacturers, as I said, but anyone who imports or retails such products. I needed to get a bit more backstory, so I did some digging products. I needed to get a bit more backstory, so I did some digging on the govuk website, I found the actual legislation. It turns out, as I said, it's been quietly in the works for several years and it really is a law, not just some watered down milk toasty recommendations that we see too often here in the US.

The Verge picked up on this and in their coverage they noted that here in the United States our FCC is trying something similar in its forthcoming Cyber Trustmark program. You know they liken it to the Federal Energy Star program, explaining that the Cyber Trustmark logo indicates which products comply with the program's recommendations, which includes strong default passwords. But, like Energy Star, nobody's forcing companies to go along with it, and consumer product packaging has become so encrusted with certifications and compliance logos that it's unclear whether anyone even notices. As we know, consumers are focused on three things Does it do what I need, what does it cost and what additional nice-to-have features does it offer? Whether or not a connected light switch has a default password is the last thing on anyone's shopping list. In other words, while the United States continues to be completely lame on this, the United Kingdom has taken the only action that has any chance of actually producing results for the consumer, and thanks to the fact that we still live in a blessedly globalized economy. Everyone, everywhere, will obtain the security benefits that the kingdom is now requiring as a matter of law.

Since this matters to everyone, everywhere, and since it's going to change the face of internet-connected consumer technology, let's take a closer look at what the legislation actually has to say. First of all, this comes from a non-profit organization that is the actual think tank behind the legislation, which is what got enacted, known as the European Telecommunications Standard Institute, or ETSI, e-t-s-i. We've spoken of them in the past. This work has been underway, as I mentioned, for the past five years, having started back in 2019 in February, with a publication of its version 1.1.1, and it's been quietly making its way forward year by year. The baseline requirements document is the one that's most relevant. It's a 34-page PDF that I've given a GRC shortcut to. The shortcut is ETSI E-T-S-I, so if you're curious, you can just put GRCSC slash ETSI into your browser SC slash ETSI into your browser, and you'll be bounced over to a document titled Cybersecurity for Consumer Internet of Things Baseline Requirements.

The document's introduction explains, they said as more devices in the home connect to the Internet, the cybersecurity of the Internet of Things, iot, becomes a growing concern. People entrust their personal data to an increasing number of online devices and services. Products and appliances that have traditionally been offline are now connected and need to be designed to withstand cyber threats. The present document brings together widely considered good practice in security for Internet-connected consumer devices in a set of high-level, outcome-focused provisions. The objective of the present document is to support all parties involved in the development and manufacturing of consumer IoT with guidance on securing their products. The provisions are primarily outcome focused rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.

The present document is not intended to solve all security challenges associated with consumer IoT. It also does not focus on protecting against attacks that are prolonged or sophisticated or that require sustained physical access to the device. Rather, the focus is on the technical controls and organizational policies that matter most in addressing the most significant and widespread security shortcomings. Overall, a baseline level of security is considered. This is intended to protect against elementary attacks on fundamental design weaknesses, they say, such as the use of easily guessable passwords. The present document provides a set of baseline provisions applicable to all consumer IoT devices. It's intended to be complemented by other standards defining more specific provisions and fully testable and or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes.

Many consumer IoT devices and their associated services process and store personal data. The present document can help in ensuring that these are compliant with the general data protection regulation. You know our GDPR. Security by design is an important principle that is endorsed by the present document. Okay, so my goal for today's discussion of this is to accurately convey how comprehensive this document and the legislation that backs it up actually is, which I was just I was astonished by. So here's the bullet point. I assembled this from the document just to give you a sense for how comprehensive it is. So here's the list of its main topics no default universal passwords. Implement a means to manage reports of vulnerabilities. Keep software updated Securely. Store sensitive security parameters. Communicate securely. Minimize exposed attack surfaces. Ensure software integrity. Ensure that personal data is secure. Make systems resilient to outages. Examine system telemetry data. Make it easy for users to delete their data. Make installation and maintenance of devices easy. Validate input data and data protection provisions for consumer IoT. They go into at length and, again, these are not like gee. We wish we had these.

The legislation is about the policy. As I've always said, there's a complete difference between policy and mistakes. Anybody can make a mistake, but policy is, you know, is your stated goal, and so this legislation enshrines these goals as the policy that consumer IoT devices sold in the UK must incorporate, must incorporate. They must have these as policies, you know, as operating goals which are implemented in the device. So each of these major topics is broken down into multiple pieces, and each of those pieces is tagged with one of four possible requirement levels. Now here's where, for a moment, I was concerned that my enthusiasm for this was going to be dashed, because we've got mandatory, recommended, conditionally mandatory or conditionally recommended, and I thought, oh great, well, if everything is just recommended, then we've gotten nothing. Turns out, almost everything is mandatory. So there are a few things where they backed off of mandatory, but for the most part it's mandatory across the board.

The scope of what the document covers is also very clearly laid out. That is, you know, to not allow people to say, oh, that doesn't apply to us, so we don't have to do that. Nope, I don't think anyone's going to get a free pass here. It says and this is in the baseline requirements document the present document specifies high level security and data protection provisions for consumer IOT devices that are connected to network infrastructure, parens such as so they even broadened it, you know to network infrastructure, meaning if you're connected to something, this is for you, they say. Parens such as the internet or home network and their interactions with associated services. The associated services are out of scope.

A non-exhaustive list of examples of consumer IoT devices includes and it's pretty much what I just said, but there's additional ones here connected children's toys and baby monitors. Connected smoke detectors, door locks and window sensors. Iot gateways, base stations and hubs to which multiple devices may connect smart cameras, tvs and speakers. Wearable health trackers. Connected home automation and alarm systems, especially their gateways and hubs. Connected appliances such as washing machines and fridges, and smart home assistants machines and fridges and smart home assistants.

They said the present document provides basic guidance, through examples and explanatory text for organizations involved in development and manufacturing of consumer IOT on how to implement those provisions. Table B1 provides a schema for the reader to give information about the implementation of the provisions. Now, okay, table B1, that's the table which breaks down all the topics and subtopics with the mandatory or recommended categories, but then the idea is that manufacturers will print this out and be required to fill in, for every one of those items, the compliance level of their device, attesting then to the fact that they have met the recommendations. So they said, devices that are not consumer IoT devices, for example, those that are primarily intended to be used in manufacturing health care or other industrial applications, are not in scope of the present document. So this is squarely aimed at consumer IoT, residential-style devices. Of course, once that's all that's available for the consumer, for the consumer, you know, other enterprises and anyone who purchases the devices get the benefit of all these features which have been required at this level. And they said the present document has been developed primarily to help protect consumers. However, other users of consumer IoT equally benefit from the implementation of the provision set out here.

Okay, now the document does differentiate something it considers to be a constrained device Basically and again, nobody gets a free pass on this one but they did recognize that there are some things that, while they're connected and consumer devices, they have too many constraints to meet what is otherwise a set of very high bars. So they said the present document addresses security considerations specific to constrained devices, for example, window contact sensors, flood sensors and energy switches are typically constrained devices. So to give everyone a sense for how well thought out and specific this is, here's the document's definition of what it means by a constrained device. They said a constrained device is a device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use. They said.

Note physical limitations can be due to power supply, battery life, processing power, physical access, limited functionality, limited memory or limited network bandwidth. These limitations can require a constrained device to be supported by another device, such as a base station or companion device, and they give some examples. A Windows sensor's battery cannot be charged or changed by the user. This is a constrained device. Another example the device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage a security vulnerability. And that ends up being important, because this astonishing baseline requirements also deals with firmware updating. And, yes, it has to be enabled by default. It's just like.

Where did this come from? Third example a low-powered device uses a battery to enable it to be deployed in a range of locations. Performing high-power cryptographic operations would quickly reduce the battery life, so it relies on a base station or hub to perform its validations of updates. Another example device has no display screen to validate binding codes for Bluetooth pairing or five. The device has no ability to input, such as via a keyboard, any sorts of authentication information. So obviously, where things are either impossible or impractical for these requirements to be met, well, they're excused under the grounds that it is a constrained device. But otherwise, no free pass. Okay, so the document's too long and detailed for me to go through in detail here, but I do want to again give everyone a sense for how well thought out, thorough and serious this is. So I want to look deeply at this. No universal default passwords. And, leo, let's take our second break, and then I will do that, if leo, I'm sorry, I'm talking to mom.

0:35:06 - Leo Laporte
You want to say hi you want to say hi to mom say hi to steve hey mom, I'm gonna run, go to dinner.

Okay, I love you, mama. Bye, she's right, it's five, it's five o'clock. It's five o'clock there and here. You know, what happens is she's got the uh, an alarm on her amazon echo to wake her up. So she called me and then, and then it starts going off and I had to explain to her how to go over to it and turn it off. So I guess what she, what she normally will do, is leave, go to dinner and by the time she gets back the alarm is stopped because I don't think she knew how to stop it ah, these fancy consumer devices

she loves it. You know what I? She wanted to thank me because I gave her and I hope that this uh has a good password on it I gave her a um. This company called nix play makes a 15 inch frame. It looks like a painting painting frame, but it's a digital photo frame and I can email pictures to it. I control it from here and she just sits and looks at it all day. So that makes her really happy. She's just like having my family here. So, anyway, we will continue in a moment. Sorry for that personal interlude.

Our show today brought to you by Vanta the single platform that you need for continuously monitoring your controls, reporting on security posture and streamlining audit readiness. It does it all. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. With Vanta, you can automate compliance for in-demand frameworks like SOC 2, iso 27001, and HIPAA. Even more, vanta's market-leading trust management platform enables you to unify security program management with a built-in risk register and reporting, and streamline security reviews with AI-powered security questionnaires. G2 loves Vanta Year after year. Check out this review from a chief information officer. Quote Vanta's indispensable in achieving and maintaining compliance and best security practices. The platform's automated processes significantly reduce the manual workload associated with compliance tasks. Wouldn't you like that? Over 7,000 fast-growing companies like Atlassian, flow, health and Quora all use Vanta to manage risk and prove security in real time. Watch Vanta's on-demand demo. You'll see it at vantacom security now. Learn everything you need to know. V-a-n-t-a dot com slash security now. We thank Vanta so much for their support for security now and boy.

0:37:49 - Steve Gibson
May 7th is going to be a busy day it is the apple event is may 7th.

0:37:54 - Leo Laporte
Rsa conference is going on. You should come up. I have a I have a.

0:37:58 - Steve Gibson
I have a large inventory of very aging and and slowing down oh, ipads you're an ip.

0:38:04 - Leo Laporte
You're an iPad user. I know.

0:38:06 - Steve Gibson
I love my iPads and I've not purchased any for many years because there's no new iPads and I think that this time they know this, by the way.

0:38:17 - Leo Laporte
I mean, I have an iPad 6, which I've had for three years. I very rarely use my iPad Pro.

0:38:23 - Steve Gibson
I didn't even know. They had numbers.

0:38:25 - Leo Laporte
Oh well, they don't. You rarely use my iPad Pro. They've got to get away. I didn't even know they had numbers. Oh well, they don't, you have to know.

0:38:29 - Steve Gibson
Oh, you have to know. I think I have. I know I don't have the iPad 1. Remember how that was like? It was like a whale. Oh yeah, it had this weird bowed back.

0:38:37 - Leo Laporte
You don't want that, yeah, no, we've come a long way OLED screens, and what's intriguing is this rumor you're going to have the M4 and a lot of AI built in, so this might be something you really do want, I think.

0:38:49 - Steve Gibson
Well, and I read on a black screen with amber type, so that would be great for low power consumption.

0:38:58 - Leo Laporte
I just ordered. There's a new Kobo reader, the Libra 2 Color, that uses color e-ink and I'm very intrigued by that Because it will have some color. It won't have amber on black probably.

0:39:12 - Steve Gibson
All the color I've seen has been always washed out. Yes, exactly, very low contrast.

0:39:18 - Leo Laporte
Well, we'll see. It also has a stylus and you can take notes and stuff.

0:39:22 - Steve Gibson
I do love my Remarkable you turned me on to that. That is the best. Thing.

0:39:26 - Leo Laporte
Yeah, yeah yeah, it's great for coding because I use it all the time to sketch out problems and what I'm trying to understand.

0:39:34 - Steve Gibson
Oh, that's exactly what I do. I'm a big diagram drawer. Exactly when I'm trying to parse something, it's like wait a minute, because that's the only way you can deal with the off by one. Problems is is you?

know, examples of it. Yep, I'm the same way, okay, so uh, as I said that I'm not going to go through the entire document. It is too long and wonderful. I mean, I already sound like I'm over caffeinated at this point because I'm so excited by what is in here. It's just astonishing. I mean, again, it's like you took 20 years of this podcast and distilled all of its recommendations that we've come up with on the fly, when things have been obvious and when we've seen something go wrong over and over and over. It's like okay, when are we finally going to do this? And here it is, and they just didn't miss anything. That's great, that's fantastic. Wow, going to do this. And here it is, and they just didn't miss anything so that's great, that's fantastic wow, I'm, it's just you know.

And again, it's not like, again, it's not recommendations, it's law. Yeah, in the uk, okay, so I wanted I do want to like do a little bit of a deeper look into the first one they address, because it is crucially important. Under the banner no universal default passwords, they say where passwords are used, all consumer IoT device passwords shall be unique per device or defined by the user. There are many mechanisms used for performing authentication, and passwords are not the only mechanism for authenticating a user to a device. However, if they are used, following best practice on passwords is encouraged by you know, by which they mean again, this doesn't. They've not softened this as a recommendation. They're saying encourage people when they use a password, to use a good one, they said many consumer IoT devices are sold with universal default usernames and passwords, such as admin-admin for user interfaces through to network protocols.

Continued usage of universal default values has been the source of many security issues in IoT and the practice needs to be discontinued. The above provision can be achieved by the use of pre-installed passwords that are unique per device, and or by requiring the user to choose a password that follows best practice as part of initialization or by some other method that does not use passwords, for example, during initialization of a device generates. For example, during initialization, a device generates certificates that are used to authenticate a user to the device via an associated service like a mobile application. To increase security, multi-factor authentication, such as use of a password plus OTP procedure, can be used to better protect the device or an associated service. Device security can further be strengthened by having unique and immutable identities. Where pre-installed unique per-device passwords are used, these shall be generated with a mechanism that reduces the risk of automated attacks against a class or type of device. Pre-installed passwords must be sufficiently randomized. Passwords with incremental counters, such as password 1, password 2, and so on, are easily guessable. Further, using a password that is related in an obvious way to public information sent over the air or within a network, such as MAC address or Wi-Fi SSID, can allow for password retrieval using automated means.

Authentication mechanisms used to authenticate users against the device shall use best practice cryptography appropriate to the properties of the technology, risk and usage. And I should mention that they're also in. Here is a complete description of their use of all the terminology. So here they just said best practice cryptography, but in an addendum they specifically outline what that means that is required to be used where they use this term. So again, there's nothing that they missed. They said where a user can authenticate against a device, the device shall provide to the user or administrator a simple mechanism to change the authentication value used.

When the device is not a constrained device, it shall have a mechanism available which makes brute force attacks on authentication mechanisms via network interfaces impractical. For example, a device has a limitation on the number of authentication attempts within a certain time interval attempts within a certain time interval. It also uses increasing time intervals between attempts, or the client application is able to lock an account or to delay additional authentication attempts after a limited number of failed authentication attempts. This provision addresses attacks that perform credential stuffing it actually says that in this document for consumer IoT devices or exhaust an entire key space. It is important that these types of attacks are detected by the consumer IoT device and defended against, whilst guarding against a related threat of resource exhaustion and denial of service attacks. Incredible. What I just summarized is broken into five individual provisions in the document, but each and every one of them is tagged as mandatory. So, for example, if a device offers password-based authentication, it can no longer be shipped from the factory with a default password, and the device must also incorporate proactive defenses against brute force and credential stuffing attacks. It must incorporate some form of lockout mechanism.

This legislation changes everything but still not often implemented best practice, even not yet implemented from high-end enterprise-level devices, and mandates its use today for a residential doorbell. This is huge. Section 5.3 is titled Keep Software Updated and picking some bits from it. For example, it says Developing and deploying security updates in a timely manner is one of the most important actions a manufacturer can take to protect its customers and the wider technical ecosystem. It is good practice that all software is kept updated and well-maintained. All software components in consumer IoT devices should be securely updatable.

When the device is not a constrained device, it shall have an update mechanism for the secure installation of updates they have in quotes securely updatable and also in quotes. Secure installation Means that there are adequate measures to prevent an attacker misusing the update mechanism. Measures can include the use of authentic software update servers, integrity-protected communications channels verifying the authenticity and integrity of software updates. It is recognized that there are great varieties in software update mechanisms and what constitutes installation. An anti-rollback policy based on version checking can be used to prevent downgrade attacks. Update mechanisms can range from the device downloading the update directly from a remote server, transmitted from a mobile application or transferred over a USB or other physical interface. If an attacker compromises this mechanism, it allows for a malicious version of the software to be installed on the device, meaning that there are provisions for preventing that happening. Thus they're explaining what the danger is.

An update shall be simple for the user to apply. The degree of simplicity depends on the design and intended usage of the device. An update that is simple to apply will be automatically applied, initiated using an associated service such as a mobile application, or via a web interface on the device. If an update is difficult to apply, then that increases the chance that a user will repeatedly defer updating the device, thus leaving it in a vulnerable state. Automatic mechanisms should be used for software updates should be used for software updates. If an automatic update fails, then a user can, in some circumstances, no longer be able to use a device. Detection mechanisms such as watchdogs and the use of dual bank, flash or recovery partitions can ensure that the device returns to either a known good version or the factory state.

Security updates can be provided for devices in a preventative manner as part of automatic updates, which can remove security vulnerabilities before they are exploited. Managing this can be complex, especially if there are parallel associated service updates, device updates and other service updates to deal with. Therefore, a clear management and deployment plan is beneficial to the manufacturer, as is transparency to consumers about the current state of update support. State of update support. In many cases, publishing software updates involves multiple dependencies on other organizations, such as manufacturers that produce subcomponents. However, this is not a reason to withhold updates. It can be useful for the manufacturer to consider the entire software supply chain in the development and deployment of security updates. It is often advisable not to bundle security updates with more complex software updates such as feature updates.

A feature update that introduces new functionality can trigger additional requirements and delay delivery of the update to devices. The device should check after initialization and then periodically whether security updates are available. Again, the device should check, they said, if the device supports automatic updates and or update notifications or update notifications, these should be enabled in the initialized state and configurable so that the user can enable, disable or postpone installation of security updates and or update notifications. They said it is important from a consumer rights and ownership perspective, that the user is in control of whether or not they receive updates. There are good reasons why a user may choose not to update, including security. In addition, if an update is deployed and subsequently found to cause issues, manufacturers can ask users to not upgrade their software in order that those devices are not affected. But they're saying again secure by default, secure by policy If it can update itself, it should but recognize that there are reasons that it might not.

They said the device shall use best practice cryptography to facilitate secure update mechanisms. Security updates shall be timely. Timely in the context of security updates can vary depending on the particular issue and fix, as well as other factors such as the ability to reach a device or constrained device considerations. It is important that a security update that fixes a critical vulnerability, ie one with potentially adverse effects of a large scale, is handled with appropriate priority by the manufacturer. Due to the complex structure of modern software and the ubiquity of communication platforms, multiple stakeholders can be involved in a security update. Okay, so what? We're talking here, and I just shared the tip of the iceberg, but it is all like that I had this vision of you last night or the night before, sitting by the fire, your feet up.

0:53:50 - Leo Laporte
You got a little something to drink. You're reading through this. You know your beautiful wife is across the way sitting reading her magazine and every five minutes you go wow or yes, I imagine every step of the way, because this is all the stuff you've been saying all this time.

0:54:11 - Steve Gibson
It's astonishing, leo. I mean they even have in there. You know, protocols which are used on the WAN should not be exposed, or on the LAN should never be exposed to the WAN.

0:54:25 - Leo Laporte
They came this close to saying three dumb routers, right, I mean, that's impressive, I'm very it is astonishing that that this thing exists.

0:54:34 - Steve Gibson
So again, grcsc slash, etsy etsi. That will bring this 34 or whatever number of pages things it was to you and it is all like that. What we're talking about here amounts to nothing less than the forced and immediate maturation of more than a decade of lazy consumer product security design. End user security is finally being prioritized over device development and support costs and, yes, even convenience. It had to happen sometime, and all indication is that sooner or later it was. You know it was going to need to be forced. That happened yesterday, wow.

0:55:26 - Leo Laporte
And it's law. Right, I mean this is in the UK. This mean this is in the uk, this is the law. Wow, it is the law.

0:55:31 - Steve Gibson
That's amazing, yes and a law with teeth in it. It's not like you know. Oh, you pay a 2500 penalty. No, it's 10 million pounds or four percent of your revenue. Whichever is greater, it's significant, yeah, yeah.

So I mean basically like everything on the shelf that isn't already in compliance, and we'll note that many routers, many consumer routers now, are right. They've, although I don't think they've gotten, I think they're still. You know, uh, like, like the default username and password still starts off with admin and password or something, but they are updating themselves and they do have that on by default. So you know, that's good reference somewhere to these crazy, huge, like the Mirai botnet, that owe their existence to the fact that these policies have never been required, enforced or present before and, as a consequence of web authentication being on the WAN and default usernames and passwords, these things could just be taken over. And so the UK is finally saying enough of this, what you know, come on, you guys haven't gotten your act together in the last decade. Well, we're going to require it now. If you want to sell stuff in the UK, you have to do this and it will probably increase cost a little. But, as we know, once this is done, it's in a chip, you just stamp it out and so, yeah, users are going to have to learn that. They're going to have to, you know, like, read the directions instead of assuming it's admin, admin or just has no password and like, oh, oh well, I'll give it one later and then never get around to it. Instead, every device will have a unique password which they'll have to write down or change to make it one that they want, but it won't be. You know, off the shelf, all of them sitting there on the shelf with the same password to start and and again. That's just like one of 40 different amazing topics that they've dealt with. It's astonishing. Yeah, yeah, okay.

So while we were recording last week's podcast, the news dropped thanks to you, leo, covering it that google's plans for chrome's full phase out of third party cookies would not be occurring this year, as had been planned and, needless to say, much anticipated for this week's podcast. I had hoped to follow up on that news, to learn and then report on what was going on, the beginning of my research into Google's interactions with the UK's CMA, their competition and lines of whether Google's new system goes far enough. And actually, having just covered what we covered, I'm not that surprised at this point, because they really seem to be, you know, getting busy. Where concerns have previously been raised, for example that smaller advertisers may be disadvantaged, the UK now appears to be discounting those concerns and complaints.

But I ran out of time for this research because, leo, you know, I was in front of the fireplace, as I was last evening. My glass of Cabernet got empty and I thought, okay, well, we'll tackle this next week. We ran out of space, so I'm going to I will have the news of this next week because there was lots of material and it's possible to get a much better understanding of what's going on.

0:59:42 - Leo Laporte
You need an overflow podcast. That's what you need, that's right. No one would object if you decided to do one, that's for sure.

0:59:51 - Steve Gibson
Okay, so a bit of closing the loop. Just two pieces of closing the loop. Feedback. Guillermo Garcia said hi, steve, listening to the feedback on the counter race condition, which our listeners have had a lot of fun with, he said I wonder what would happen to a process that wants to increase the counter if the previous owner of the counter was switched out of context and did not return the ownership before being switched off? Would this active process get stuck and have to wait for the previous one to regain context and return it Again? Many thanks, okay, so many of our listeners reported that they found the discussion of object ownership within a multi-threaded environment very interesting.

But at no point did I talk about what happens when something goes wrong. Right, I just talked about if everybody does the right thing and behaves themselves. This is how cool it is when everything is perfect. But, for example, notice that nothing actually prevents the shared counter from being incremented by a thread that does not first acquire ownership of the object. In this instance, in the example that I painted, there is no enforcement. It's all and only by agreement among the process's threads and since they're all part of the same process, it's in their best interest to abide by the rules mutually, but it doesn't take a deliberate act to mess something up.

Bugs happen, as we know. A typical bug in a complex multi-threaded environment is that, for example, a thread will acquire ownership, then follow some code path that causes it to fail to release its ownership. At that point, that counter can never be incremented again and any and all threads that need to may stall waiting for an object's ownership to be released. And who among us, especially back in the early days of Windows, has not experienced an application lockup and freeze? Or, you know, its menuing UI mysteriously stops responding, or the app apparently dies and refuses to do anything, although it's still there on the screen and looks like it should be going, but it's not. Some things might still be functioning, where other things suddenly become non-responsive. One of the most common causes of such things happening is that somehow the ownership of a shared object was not freed by its owner. Threads can sometimes get into trouble. If a thread, for example, attempts to divide by zero, that thread will be terminated by the operating system. Or if a thread mistakenly attempts to execute some data, an illegal instruction can be encountered and again, the thread will be immediately killed In any event, if that thread happened to own some shared objects at the time of its termination, they would likely not be freed, and other threads, or even a respawn of the terminated thread, might then be unable to succeed ever again after that. Shutting down and restarting the application might be the only way to clear out such stuck ownership.

Not surprisingly, many solutions for these sorts of problems have been created over time. One of the best things about software is if you've got a problem, there's probably a way to fix it, which is what makes it so fun. Not surprisingly, people have been very clever. For example, there's a system known as Structured Exception Handling, or SEH for short, which actually allows a thread to protect the system and itself from its own possible misdeeds deeds. I've implemented structured exception handling in Assembler and I've used it when my code had no choice for some reason other than to try to do something that might fail catastrophically. And what doing this allowed me was then to try something and not lose control, but to have that failure recoverable, and then I could deal with the consequences. And there are also entirely different ways to manage shared object ownership than that simple exchange instruction which I chose specifically to demonstrate the simplest of all possible solutions, which it is.

But before I close out this conversation, I would be remiss if I did not mention one of the classic problems with multi-threaded environments, which is known as the deadlock. A deadlock can be created when two threads each separately own an object but also need ownership of another object that the other owns. In other words, say that there are two objects, both of which need to be simultaneously owned by a thread in order to complete some work. One thread currently owns the first object and the second thread currently owns the second object, and each of them needs to obtain ownership of the object that the other one already has. Both threads will patiently wait for something that will never occur, since neither will relinquish its ownership of the object it owns until it, however briefly, is able to obtain ownership of the object it needs, which the other thread owns, and it's also waiting for the object the first thread has. So, consequently, neither will ever succeed and we have a classic deadlock, as it's known in computer science.

But Guillermo's question highlights something else that I did not talk about. He talked about multiple processes sharing objects, in other words inter-process object sharing, whereas all of my discussion has been about multiple threads within a single process intra-process object sharing. It is possible to share objects between processes. For example, windows allows this by using unique names to identify objects. Then separate processes that know the common name for an object can open the object to obtain its handle very much like opening a file by name after which operating system calls can be used to check the shared object status, to obtain and release ownership of it and so on.

And it's also possible to set timeouts while waiting for an object's ownership to be granted. If that amount of time passes, the object wait will be ended and the waiting process will be notified that the object never became available during the amount of time that the thread said it was willing to wait for it. During the amount of time that the thread said it was willing to wait for it, and even returning to our original example with the exchange instruction, remember that a thread that wants to obtain ownership attempts to obtain it and the result of the exchange instruction informs it whether or not it was successful. If it was not successful, it's fully able to decide what to do next. Right, I mean, it's not. It doesn't have to wait forever. It can go do other things and try again later, or it might ask the operating system to put it to sleep for some length of time. That's an extremely friendly thing to do, since the thread is voluntarily giving up the rest of its running time slice, which allows the OS to schedule other threads. Then, when the thread is reawakened by the operating system, it can again attempt to obtain ownership and then decide what to do.

Anyway, I know I'm weird. All this fascinates me and I have never encountered, as I said before, anything as pure and clean and gratifyingly complex as coding. I get it, it's not for everyone, but if it is, it could be terrifically rewarding, and I know, leo, that you also love to go. Oh, I love it.

1:09:10 - Leo Laporte
I live for it.

1:09:12 - Steve Gibson
One last tiny bit of news. Apparently, the New York Times last week picked up on this story of you know, we were talking about the Lexus Nexus selling drivers' driving habits. It turns out that the New York Times had a story on Wednesday that General Motors had accidentally, says GM enrolled millions of people into its OnStar Smart Driver Plus program, of people into its OnStar Smart Driver Plus program. Consequently, if consumers chose not to enroll through the phone app, it would do so anyway. Unenrolling requires consumers to contact OnStar customer support line. However, turns out some people do not trust them and have started stripping the electronic devices out of their cars. So reports the New York Times.

Anyway, just a little bit of follow-up on that. Mistakes had happened and we showed that detailed report last week and I've seen several others since then, all looking identical because it's coming from the same company. So, leo, let's take our our last break, or no, our second to last break. I want to again update our listeners on a bit of sci-fi and where I am in my work, and then we're going to get into our main topic you bet, by the way, the the book club loved the baba verse so much, so a lot of them are now uh, on to book two.

1:10:46 - Leo Laporte
uh, anthony Nielsen who read book one for the book club it was Stacy's book club Stacy was a little reluctant. She wasn't crazy about it because she didn't like Bob, which is, you know, if you don't like Bob, there's a lot of Bob in the Bobiverse. But Anthony Nielsen said oh yeah, book two kind of eased his concerns about book one.

1:11:11 - Steve Gibson
I'm going to have to reread the whole thing, because september book five is coming out very exciting.

1:11:13 - Leo Laporte
The fifth, there's gonna be a fourth baba verse. There are four, there's gonna be another one, I mean a fifth one, right? Yeah, it's amazing cool anyway. Uh, so that was your recommendation. Thank you, and I look forward to hearing more and it came through our listeners.

1:11:22 - Steve Gibson
It was from our. Yes, I remember that, yeah me steve, you know, check it out and I have to say that my taste often differs it's a little lightweight. It's lightweight, it's a, it's fun, it's not yeah, and actually what I'll be recommending in a minute is also lightweight.

1:11:40 - Leo Laporte
Yeah, okay, I'm reading hyperion right now, which, which is the opposite of Lightweight, one of the classic science fiction novels that I never got around to reading, so I'm enjoying it quite a bit. I think I have the paperback around me. Yeah, I mean, it's a classic, right? I mean I've never read it. It's amazing. Our show today brought to you by One Big Think. If you listen to the show, we know you're a big thinker. You might like One big think, the number one big think.

Most mid-sized high-growth organizations need to focus on their core offerings. We call it sticking to your knitting right. You just don't have the volume of work to keep a full-time privacy and AI team busy, nor can you attract or even afford top talent. They're getting swooped up by Apple, google, microsoft, openai. Good news that's where one big think comes in.

Privacy and AI compliance are. You know they're table stakes now. They're just here to stay. They're part of the game. Regulations around the world, though, are constantly changing, and new regulations developing it seems like every day, and new regulations developing it seems like every day. If you're involved, you know you've got to embrace concepts like privacy by design. What we were just hearing transparency, purpose limitation, data minimization data subject rights. Are you ready? Do you even know where to begin? Well, I can tell you One big think.

With one big think, services organizations gain the capacities and capabilities of a DPO, a data protection officer, and an AI expert, giving you all of the above everything you need at a fraction of the cost, while maintaining independence requirements. So defining terms you're probably familiar with this, but a DPO, a data privacy officer, is an enterprise security leadership role responsible for overseeing data protection strategy compliance implementation to ensure compliance with GDPR and California, ccpa and CPRA, and so forth. A DPO's role might include informing and advising the company and employees of their data protection obligations and compliance requirements, serving as the primary point between the company and relevant supervisory authorities, and a lot more. You need this, obviously, but if you're, like us, a midsize or growing company, you may not have the resources to do it. You got to learn more about how to give your organization sustainable privacy and AI compliance in a way you can afford and support.

Go to OneBigThinkcom. That's the number one B-I-G-T-H-I-N-K dot com. Onebigthinkcom you know what I can tell you right now. It'll be a load off your shoulders, onebigthinkcom. Now back we go to Mr G and sci-fi time.

1:14:34 - Steve Gibson
Yes, on the science fiction reading front, I wanted to mention to our many listeners who've been enjoying Rick Brown's ongoing Frontiers saga that book 15, I'm sorry, book 11 of 15, in his third of five 15 book story arcs became available yesterday in the Amazon US store. I received Rick's announcement that his latest novel, titled the First Ranger, is now available for download in the US, although apparently international availability may lag a bit, as is apparently common. I've received so much feedback through the years from our listeners who've enjoyed following this adventure and it is one long adventure, uh now at 41 full-length novels, uh, that I want to make sure everyone knew that book 11 was here now. Uh, I told some family and friend, uh, some family members and friends and they just jumped up and down because I've there's just if it's right for you, then it is really right for you. It's primarily character-driven. He offers us very fully formed individuals with very distinct and at times annoying personalities. In a way it's a bit like Star Trek, where it's less about whiz-bang science fictional technologies than about how the various characters whom we've come to know over time, how they deal with what comes their way. I find it very satisfying and in addition to many in this podcast audience. As I said, I've turned friends and family members onto it and they're completely hooked.

For those who have never looked at the series, as I mentioned, amazon Kindle is where it is. It's part of the Kindle Unlimited plan and the novels if you're not a member of Kindle Unlimited, they're not very expensive if you just purchase them outright. So here's what I know Anybody starting the first book will know within an hour whether they have just started into a journey that already has 41 additional books waiting for them, and they are just as compelling as as the first one. So, uh, it's. You know we've, we've. Sci-fi is a passion of mine. We've talked about it, leo, you and I, through the. You know we're in our 20th year of the podcast now, oh my god.

1:17:23 - Leo Laporte
And and your skin is still beautiful, buddy.

1:17:28 - Steve Gibson
Many authors, many adventures, a lot of fun.

1:17:33 - Leo Laporte
Yes, I'm referring to something that happened before the show. Don't worry folks, you didn't miss anything.

1:17:38 - Steve Gibson
Okay, and finally, on my own work front, last week I finished updating various GRC pages with the news that 6.1 was now available. This is not 6.1's documentation, which is still quite sorely needed. This is just enough to hold us over until I have email communication up and running, after which my plan is to plow into Spinrite's extreme need for documentation. Spinrite's extreme need for documentation. I cringe whenever you know someone asks a question that you know really should be there on the website documented. But I'm getting there as soon as I can. But I have a method here, and getting email up and having our podcast audience help me develop an email presence and a reputation is, you know, part of what it takes these days, because you know, as we know, spam is such a problem that the large receivers of email have gotten, you know, very picky about the bounce rates and you know spam flaggings and so forth. So, anyway, I want to get that working and then, while that's happening, I will be able to start working on the documentation. So, anyway, I'm working on email and I know how many of our listeners are excited that Twitter will not be the only way to get a hold of me, to get a hold of me. So our main topic. Actually, you know, after that first topic you can see why it was competition for this one. So we have two big ones.

Today's podcast title Pass Keys A Shattered Dream. It gets its title from a blog posting from last Friday. It was a thoughtful posting by a guy named William Brown who is the author of a popular web auth-in package for Rust. In fact, it's pretty much the web auth-in package for Rust. It generated significant attention within the security community and a little bit later within our own listener community because after I had already chosen it as our topic, everybody started tweeting me links saying oh my goodness, what do you think about this? So his WebAuthn package is WebAuthn-RS, which describes itself as WebAuthn framework for Rust web servers solution. It's the protocol and specification that a PassKeys client on the user's side uses to communicate with a web server that supports webAuthn. So, for example, just as a web server will offer some form of username and password login, possibly with additional factors such as time-based, one-time passwords or something else, such a server might also offer support for the WebAuthn protocol as a means for allowing remote clients to identify and authenticate their identity over a network.

In the case of this author's Rust implementation of WebAuthn. He described WebAuthn by writing. Webauthn is a modern approach to hardware-based authentication user with an authenticator device, a browser or client that interacts with the device and a server that is able to generate challenges and verify the authenticator's validity. Users are able to enroll their own tokens through a registration process to be associated to their accounts and then are able to log in using the token which performs as a cryptographic authentication. This library meaning his that he wrote aims to provide useful functions and frameworks allowing you to integrate WebAuthn into Rust web servers. This means the library implements the relying party component of the WebAuthn FIDO2 workflow. We provide template and example JavaScript and WebSM bindings to demonstrate the browser interactions required.

Okay now, the only thing I'll note about what this author wrote as I pointed out right at the start, and it might be significant is that this appears to have first been written back in the earlier FIDO 1 era, when hardware dongles were the only way the FIDO group was willing to roll.

As we know, the requirement for purchasing a piece of hardware, while potentially ensuring greater security, was finally accepted to be a bar too high. So the FIDO group basically capitulated to allow software-only the privilege of authenticating with what evolved into FIDO2. So my point is that the author of this WebAuthn crypto library for Rust appears to have started this back at the hardware only dongle stage of FIDO1, and he simply changed FIDO1 to FIDO2 in his introduction. This may be significant for what he subsequently wrote and published last Friday, since the introduction of FIDO 2, with its accompanying pass keys, promised to make this work his work far more relevant. Before I share what he wrote Friday, I want to note that the section following that brief introduction I really loved it. It was titled Blockchain Support Policy. Okay, now this is for right a web auth N package that has nothing to do with the blockchain.

1:24:03 - Leo Laporte
I'm thinking it's going to say none, but okay.

1:24:07 - Steve Gibson
Exactly Nothing to do with the blockchain. I'm thinking it's going to say none, but okay, yeah, exactly. So he said blockchain support policy and he wrote this project does not and will not support any blockchain related use cases. Use cases we will not accept issues from organizations or employees thereof whose primary business is blockchain, cryptocurrency, nfts or so-called Web 3.0 technology.

1:24:38 - Leo Laporte
Right on right on Period Period. End, of statement Yep.

1:24:42 - Steve Gibson
And of course you know we know why he said that right, there's been so much nonsense surrounding. You know the blockchain will solve all of society's ills nonsense and especially within the identity authentication space that it's easy to imagine how much of that this guy may have been fending off through the years. Guy may have been fending off through the years Elsewhere. He notes that his library has passed a security audit performed by SUSE Linux's product security and that other security reviews are welcome. And as a total aside, I thought it was also interesting that, on the topic of compatibility, also interesting that on the topic of compatibility, under known broken all caps, keys, slash hardware, he notes keys, slash hardware. He notes Pixel 3a, slash, pixel 4 plus Chrome does not send correct attestation certificates and ignores requested algorithms and he said, not resolved. And Windows Hello with older TPMs, he said often use RSA, sha-1 signatures over attestation which may allow credential compromise or falsification. Okay, so Friday, he gave his blog posting the title, as I said, that I reused for today's podcast, although, well, his was Paskey's colon, a Shattered Dream, although I added the question mark, his posting was not a rhetorical question. His was meant as a statement. So before I share what William has written.

I wanted to take a moment to note that, in order to do justice to his choice of words, I am going to again need to use a term on this podcast that makes me uncomfortable Uh-oh, although the fact that the term was the American Dialect Society's Word of the Year for 2023 suggests that it's a term we're all destined to be encountering more and more often. That term is enshitification. Oh yeah, oh yeah, the American Dialect Society's Word of the Year last year, leo. So I am somewhat eased about its usage due to its lineage and the fact that Wikipedia does not shy away from devoting a rather extensive page to its definition, describing its description and its discussion, with extensive examples of this happening. Wikipedia describes enshitification as the pattern of intentional decreasing quality observed in online services and products such as Amazon, facebook, google search, twitter, band camp, Reddit, uber and unity. The term, they write, was used by by writer Corey Doctorow in November 2022, and the American Dialect Society selected it as its 2023 Word of the Year. Doctorow has also used the term platform decay to describe the same concept.

And for what it's worth you know, allow me to commend this Wikipedia page to our listeners. I found it to be somewhat gratifying and affirming because while I was reading and agreeing with everything it said, I felt a little bit less like the crotchety old timer yelling at the kids to get off the lawn. You know, in other words, objectively and sadly, deliberately, some things actually are getting worse. It's not just that you and you and I, leo, are getting older and everything seems worse. And also, not far into this, he refers to a. He meaning sorry, done with Wikipedia. He meaning William Brown, the author of this, refers to a system whose name is spelled K-A-N-I-D-M, which is a term I had never encountered before. Its homepage explicitly explains it's pronounced car nadium, even though there's no r anywhere to be seen. You know, I mean, I guess it's. I would say, uh, canadium maybe, but you know, carnadium, which of course reminded me of carpe Diem and I don't know, maybe I don't know where the name came from.

1:30:18 - Leo Laporte
S-a-d-e is pronounced Charday. I think it's a Britishism that they are as inserted.

1:30:24 - Steve Gibson
Yeah, oh, that's interesting. You're right, it is. Yeah, yeah, okay, carnadium, carnadium. So it is a sprawling open source identity management platform developed in Rust by the SUSE Linux project. I've been looking for something like this. Well, there it is. Okay, it appears that William's WebAuthn library was adopted into that multifaceted identity project to provide its WebAuthn functionality. So when we hear him refer to in his blog posting Carne Diem, he's referring to his library's significant participation in that project. And that explains also why SUSE's security people have reviewed and approved of his library, because it's the one they chose for their big identity management platform. Okay, so he said at around. You know, leo, let's take our last break before.

1:31:27 - Leo Laporte
I get into this. Keep it a secret what he says.

1:31:30 - Steve Gibson
I won't have to break in the middle of it, right, right.

1:31:32 - Leo Laporte
This is good, I'm enjoying it. This is good, I'm enjoying it. And yeah, we've all decided here that you can say inshittification, because it's just a word with a bad word in the middle, but not in the beginning or the end.

1:31:45 - Steve Gibson
Well, and in crappification it doesn't have the same ring to it.

1:31:49 - Leo Laporte
We've been saying inshirtification, just like carnadium. You're adding a phantom R.

1:31:59 - Steve Gibson
But I don't know.

1:32:00 - Leo Laporte
That's confusing. Does that mean you have to wear more? To wear more shirts? Yeah, okay, steve, our show last sponsor is brought to you by a great sponsor lookout, love the lookout. Talk about it a lot.

Today, every company is a data company. You know that. That means every company is at risk. You also know that Cyber threats, breaches, leaks these are words no CISO wants to hear, but they are the new norm, and cyber criminals grow more sophisticated by the minute. At a time when boundaries no longer exist, what it means for your data to be secure has really changed. But that's why Lookout's so great. From the very first phishing text to the final data grab, lookout stops modern breaches as swiftly as they unfold, whether on a device in the cloud, across networks or working remotely at your local coffee shop, lookout gives you clear visibility into all your data, at rest and in motion. You'll monitor, assess and protect without sacrificing productivity for security. With a single, unified cloud platform, lookout simplifies and strengthens, reimagining security for the world that we'll be today. Visit lookoutcom today to learn how to safeguard data, secure hybrid work and reduce IT complexity. That's lookoutcom. We thank him so much for supporting Steve and his very important work. And now back to the enshitification of PASCIs Of PASCIs.

1:33:33 - Steve Gibson
Okay, so the author of this web auth in library, well regarded, built into SUSE's Linux identity platform, written in Rust, lots of experience from back in the dongle days, the early 501 days. He wrote last Friday. At around 11 pm last night my partner went to change our lounge room lights with our home light control system. When she tried to log in, her account could not be accessed. Her Apple keychain had deleted the passkey she was using on that site. This is just the icing on a long trail of enshitification that has undermined WebAuthn. I'm over it at this point and I think it's time to pour one out for passkeys. The irony is not lost on me that I'm about to release a new major version of WebAuthn RS today as I write this, of WebAuthn RS today as I write this, in 2019, I flew to my mate's place in Sydney and spent a week starting to write what is now the WebAuthn library for Rust. In that time, I found a number of issues in the standard and contributed improvements to the WebAuthn working group. Even though it took a few years for those issues to be resolved, I started to review spec changes and participate more in discussions.

At the time, there was a lot of optimism that this technology could be the end of passwords. You had three major use cases. Second factor passwordless and username-less. Second factor was a stepping stone toward the latter two. Passwordless was where you would still type in an account name, then authenticate with a PIN and touch your security key, then authenticate with a PIN and touch your security key. And user nameless is where the identity of your account was resident and thus discoverable on the key. This was, from my view, seen as a niche concept by developers, since, really, how hard is it for a site to have a checkbox that says remember me? This library ended up with Carnadium being, to my knowledge, the very first open source identity management platform to implement passwordless, which is now PassKeys. The user experience was wonderful. You went to Carnadium, typed in your username and then were prompted to type your PIN and touch your key. Simple, fast, easy. For devices like your iPhone or Android, you would do similar Just touch your Touch ID and you're in. It was so easy, so accessible. It was so easy, so accessible.

I remember how it almost felt impossible that authentication could be cryptographic in nature but so usable and trivial for consumers. There really was the idea and goal within FIDO and WebAuthn that this could be the end of passwords. This could be the end of passwords. This is what motivated me to continue to improve WebAuthnRS. Its reach has gone beyond what I expected, with parts of it being used in Firefox's Authenticator RS, a whole microcosm of Rust identity providers being created from this library and my work, and even other languages, webauthn implementations and password managers using our library as the reference implementation to test against. I cannot understate how humbled I am by the influence WebAuthnRS has had. By the influence WebAuthnRS has had.

However, warnings started to appear that the library was not as open as people. I'm sorry that the standard. Warnings started to appear that the standard, the WebAuthn standard, was not as open as people envisioned. The issue we have is well known. Chrome controls a huge portion of the browser market and development is tightly controlled by Google. An example of the effect was that the Authenticator Selection Extension of the WebAuthn Specification.

This specification extension is important for sites that have strict security requirements, like you know, the government, because the extension supports the attestation of the make and model of the authenticator in use. If you know what the website's attestation, I'm sorry. If you know that the website's attestation will only accept certain devices, then the browser should filter out and only allow those acceptable devices to participate. So, like you know just to pause here for a second that would be so cool, right? If your bank, for example, required more than just a browser-based passkey because it is pure software but needed a hardware dongle or needed a biometric reaffirmation of your identity when you tell it that you want to transfer some amount of money somewhere, then you absolutely want this protocol to be able to specify the type of authentication device that would be used and for the browser to then prompt for that level of authentication.

Anyway, he says. However, chrome never implemented it. That alone led to the entire feature being removed from the spec. It was removed because Chrome never implemented it. This demonstrates that if Chrome doesn't like something in the specification, they can just veto it without consequence. Later, the justification for this not being implemented was quote we never implemented it because we don't feel that authenticator discrimination is broadly a good thing.

Authenticator discrimination is broadly a good thing. They users should have the expectation that a given security key will broadly work where they want to use it. Unquote, he says. I want you to remember this quote and its implications. Users should be able to use any device they choose without penalty, he says. Now, I certainly agree with this notion for general sites on the Internet, but within a business where we have a policy around what devices may be acceptable, the ability to filter devices does matter. So he says, this makes it possible to go to a corporate site and apparently successfully enroll a security key, only to then have it fail to register. Even better, if this burns up, you know, consumes one of your limited resident key slots, which cannot be deleted without a full reset of your device. This might happen since the identity provider rejected the device's attestation, and he says, that's right. Even without this, identity providers can still discriminate against devices without this extension. But the user experience is much worse and internal feature flags that they can use for Google's needs. They can simply enable their own magic features that control authenticator models for their policy, while everyone else has to have a lesser experience.

The greater warning here is that many of these decisions are made at F2F as he puts it, face-to-face meetings held in the US. This excludes the majority of international participants, leading some voices to be stronger than others. It's hard to convince someone when you aren't in the room, even more so when the room is in a country that has a list of travel advisories for foreign travelers, including violent crime is more common in the US than in Australia. There is a persistent threat of mass casualty, violence and terrorist attacks in the US. And quote medical costs in the US are extremely high. You may need to pay up front for medical assistance.

Okay, now, the point he's making here is that Google has outrageously outsized power to decide what does and does not succeed in the world due to their unilateral control of their Chrome browser. That which Chrome does not support dies. And he's also observing something that might not ever occur to those of us who are happily camped out here in the US, which is that, unfortunately, the US can apparently be somewhat frightening and expensive for volunteer open source developers wishing to have their voices heard from other countries. His point is those voices are too easy for Google to ignore.

And, leo, when I was thinking about this, this brought to mind something that Stina Evansvard often mentioned to me through the years. After founding Yubico in Sweden, she understood the critical importance of geographic location, so she deliberately uprooted her young family and relocated to Silicon Valley. She knew that if she was going to succeed, she needed to be where the action was and specifically to be able to attend face-to-face meetings with Google executives and others. In the list of authenticators on William's WebAuth and RS site, yubico's products are all mentioned first, because when it mattered, she was there in person and I know, as you know, leo, truth be told, uh, it's often quite difficult to say no to stina so yeah, and that's how you met her at rsa, coming down the escalator.

1:44:34 - Leo Laporte
So you're right, in person, yep, makes a big difference. But don't ask Marcus about what it means to be an open source developer in the United States, marcus Hutchins, because of course he was arrested on the tarmac, trying to leave Trying to leave the United States. So I understand why there's a little chilling effect on open source developers here.

1:44:54 - Steve Gibson
Well, and I guess you really do. I mean, I'm sure those travel advisories exist. I don't know how much you have to heed them, but still. Um then, under the topic of, or the subtopic of the descent, as he put it, he said in 2022, apple announced pass keys. In 2022, apple announced PassKeys. At the time, this was really just nice marketing, a nice marketing term for passwordless, and Apple's PassKeys had the ability to opportunistically be user nameless as well. It was, all in all, very polished and well done. But of course, thought leaders exist and Apple hadn't defined what a passkey was exactly. One of those thought leaders took to the FIDO conference stage and announced passkeys are resident keys, while at the same time they unleashed a PassKeys dev website.

The issue is described in detail in another of my blog posts, but, to summarize, he writes this push to resident keys means that physical hardware security keys are excluded because they often have extremely low limits on storage, the largest being 25 for YubiKeys. That simply won't cut it for most people who have more than 25 accounts and that I'll just mention. That's one of the biggest annoyances with the whole PassKeys technology is you know the per, the requirement for significant storage per pass key? That is, you know, the big thing that I don't have there, that's the the. The approach that I took with Squirrel explicitly avoided that by by. You know, squirrel explicitly avoided that by being able to create similar security per domain keys, meaning that you only had to have one, instead of this problem of in the case of YubiKey, they're able to store 25. But once you hit that limit, you need another one.

1:47:16 - Leo Laporte
I know that's a big frustration for me. I wish they'd had more memory.

1:47:19 - Steve Gibson
Yeah, yeah, anyway. So okay then. William then coins a term that Cory Doctorow might appreciate. Doctor, oh, might appreciate. He terms the period following the announcement of pass keys as the enchitocene period.

I like it yeah, all right, you should have seen period, yes, he says. Since then, pass keys are now seen as a way to capture users and audiences into a platform. What better way to encourage long-term entrapment of users than by locking all their credentials into your platform and even better, credentials that cannot be extracted or exported in any way? Both Chrome and Safari will force you into using either hybrid, where you scan a QR code with your phone to authenticate. To use a hardware security key requires clicking through multiple menus, and even their default is not a good experience, taking more than 60 seconds' work in most cases. The UI is beyond obnoxious at this point. Sometimes, I think the password game has a better user experience. The more egregious offender is Android, which won't even activate your security key if the website sends the set of options that are needed for passkeys. This means the identity provider gets to choose what device you enroll without your input. And, of course, all the developer examples only show you the options to activate Google passkeys stored in Google Password Manager. After all, why would you want to use anything else? A sobering pair of reads are the GitHub pass key beta and GitHub pass key threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android cannot create pass keys due to platform bugs. Some devices need firmware resets to create pass keys. Keys can be saved on the client but not on the server, leading to duplicate account presence and credentials that don't work on the server, leading to duplicate account presence and credentials that don't work or, worse, lead users to delete the real credentials. The helplessness of users on these threads is obvious, and these are technical early adopters, the very users we need to be advocates for, changing from passwords to passkeys. If these users cannot make it work, how will normal people from other disciplines fare? Externally, there are other issues. Apple Keychain has personally wiped out all my passkeys on three separate occasions, pass keys on three separate occasions. There are external reports we've received of other users whose keychain pass keys have been wiped just like mine. Consequently, as users, we have the expectations the keys won't be created correctly or they will have disappeared when we need them most. In order to try to resolve this, the working group seems to be doubling down on more complex JavaScript APIs to try to patch over the issues that they created in the first place. All this extra complexity comes with fragility and more bad experiences, but without resolving the underlying core problems, it's a mess. And then for the future, he says.

At this point, I think that pass keys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords. Through a desire to capture markets and promote hype, corporate interests have overruled good user experience once again, just like ad blockers. I predict that passkeys will only be used by a small subset of the technical population and consumers will generally reject them. To reiterate, my partner, who is extremely intelligent, an avid computer gamer and veterinary surgeon, has sworn off pass keys because the user experience is so crappy. She wants to go back to passwords, and I'm starting to agree.

A password manager gives a better experience than pass keys. That's right. I'm here saying, he writes, passwords are a better experience than pass keys. Do you know how much it pains me to write this sentence? And yes, that means multi-factor authentication with time-based, one-time passwords is still important for passwords that require memorization outside of a password manager. So do yourself a favor. This is what he writes Get something like Bitwarden or, if you like, self-hosting, get Vaultwarden. Let it generate your passwords and manage them, if you really want passkeys, put them in a password manager you control.

1:53:14 - Leo Laporte
Oh, I agree 100%.

1:53:16 - Steve Gibson
Yes, but don't use a platform-controlled passkey store. Yes, and be very careful with physical hardware security keys. If you do want to use a security key, only use it to unlock your password manager and your email Within enterprise manager and your email Within enterprise. There still is a place for attested security keys where you can control the whole experience to avoid the vendor lock-in parts. It still has rough edges, though. Just today I found a browser that has broken attestation, which is not good. You still have to dive through obnoxious user experience elements that attempt to force you through the default QR code path, even though your identity provider will only accept certain security models, so you're still likely to have some confused users.

Despite all this, I will continue to maintain WebAuthn RS and its related projects. They're still important to me, even if I feel disappointed with the direction of the ecosystem. But at this point in Carnadium, we're looking into device certificates and smart cards instead. The UI is genuinely better, which says a lot considering the state of the PKCS 11 and PIV specifications. But at least PIV won't fall prone to attempts to and shitify it. Piv stands for personal identity verification. It's a standardized physical smart card system that's heavily used by government and military. The technology to create digital identity cards has been around for a long time and they are so fraught with their own problems that they aren't really an alternative to solve the web's authentication needs. So I think that for me, the thing that's so sad is that Corey Doctorow's term and the examples of and shitification that Wikipedia documented make very clear that these are deliberate usury outcomes. The shortest of Wikipedia's example is what Uber did. Wikipedia writes. App-based ride-sharing company Uber gained market share by ignoring local licensing systems such as taxi medallions, while also keeping customer costs artificially low by subsidizing rides via venture capital funding. Once they achieved a duopoly with competitor Lyft, the company implemented surge pricing to increase the cost of travel to riders and dynamically adjust the payments made to drivers. Payments made to drivers. So nearly all of the problems William observed in his posting are the things we on this podcast independently noted from the start as inherent problems with the way passkeys have been rolled out.

As I've observed on several occasions, the fact that passkeys were implemented in a non-portable way as a vehicle for creating implicit platform lock-in is almost a crime. But the new thought that William proposes is something that had never occurred to me. Perhaps it's because I've been blinded by Passkey's superior public key technology, which offers so many potential authentication benefits. Even though the benefits are theoretical, I've never questioned whether or not Passkeys would eventually become the new standard for the web. But William writes. The new standard for the web, but William writes.

At this point, I think that passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype. When I read that the first time, I was surprised, but at the same time, you know, I have still not adopted passkeys. I've never registered a single passkey. I don't have even one anywhere. I don't encounter websites that offer passkey authentication. So there's that.

But mostly because authentication matters crucially to me, I want to feel that I'm in control of my authentication, and that starts with thoroughly and deeply understanding it. I do thoroughly and deeply understand Paskey's underlying cryptography but, as William explains, that's what's then been done with that underlying crypto has been made deliberately opaque as a means of just trust us individual platform lock-in. The problem is, my authentication is far too important for me to entrust to any company that might choose to you know, dare I say, and shitify it, that I can touch and feel and copy and paste and see, stored and managed by a cross-platform password manager which is everywhere I need it to be, allows me to really understand the status of my authentication. One thing I also have is a long and growing list of TOTP one-time passcodes, and the reason I'm absolutely comfortable with that is that, again, they're tangible things that I can control, see and understand.

Has the entire techie insider industry just been playing with itself this whole time? Have we been imagining that authentication can and should be made entirely invisible because passkeys can theoretically make that happen? Will end users who don't know anything about the underlying technology say well, I don't know how it works, but it certainly was easy. But then what about when it doesn't work? What about when someone needs to log on from a device that's outside the provider's walled garden? These are all problems we've previously identified and questions we've asked before.

I've always assumed that this was just the typical extreme adoption inertia we always see. It never occurred to me that pass keys might ultimately fail to ever obtain critical mass and to eventually become more dominant than passwords. While poking around to get a broader perspective, I encountered a recent piece in Wired titled I stopped using passwords. It's great and a total mess With the intro. Pascis are here to replace passwords. When they work, it's a seamless vision of the future, but don't ditch your old logins just yet. Unquote.

The author explained that, as William said, things didn't always work. He also noted that having multiple clients all popping up and asking whether you want to save passkeys with them had become annoying, but the biggest problem he had was remembering where he had stored which passkey. Now, as someone who spends some time pondering which of the multiple streaming providers carries the show my wife and I have been watching that definitely resonated. Our advice at the start of this Passkey saga was to wait until a single provider offered Passkey's support across every platform that might conceivably be needed, since PassKeys portability was not something that anyone was even talking about back then. In fact, back then it was clearly an overt password lock-in move. So I wanted to share the news that Bitwarden, the solution that William's posting referred to and a sponsor of the Twit Network earlier announced on the 10th of this month that pass keys for iPhone and Android clients had just entered beta testing. So I'm very glad to see that my chosen open source password manager will soon be offering passkey support.

Now what's going to be needed, based upon the experience of the author of the Wired article, will be the ability to assign a single passkey handler to a platform, much the way we currently assign a handler for a platform's URL links. Having all of a platform's Passkey-aware clients popping up solicitations to store a Passkey with them seems like it would quickly become annoying. On the other hand, setting up a new Passkey doesn't happen that often. On balance, I still don't feel much pressure to give up my use of passwords, since they're working perfectly for me today. The other factor is that website login has become so persistent that I rarely need to re-authenticate to most sites. Each of the browsers I use carries a static cookie for each of the sites I frequent, so I'm already known everywhere I go for each of the sites I frequent, so I'm already known everywhere I go. For the foreseeable future, I expect to hang back and wait.

2:03:21 - Leo Laporte
The dust is still settling on Paskies and Paskies doesn't solve any problem I have today, even though they're cool.

2:03:36 - Steve Gibson
Squirrel had only taken off. But you see the problem, which is Anything, anything, anything anything new?

2:03:38 - Leo Laporte
well, but it's not just that. The platforms aren't going to support it unless they own it, and it gives them lock-in. That's why apple loves this, that's why google and microsoft and they want the lock-in, and that's why I use only and I agree with him, only use bitwarden or some sort of open source manager that you can at least take with you to do it. But oh, this is sad because it really it's a great idea, but the writing's on the wall. Very few websites use it.

2:04:06 - Steve Gibson
Yes, yes, and if they start to use it and then their users have problems with it, they'll pull it Right. I mean, it could disappear as an option because it's not worth it to them.

2:04:19 - Leo Laporte
Everybody knows how to use a username and password. Squirrel really solved all these problems, and that's sad because it really was. Oh well, what can you do? You've kind of gotten over it.

2:04:35 - Steve Gibson
I've gotten over it. I solved the problem, I satisfied myself and, and you know, we had a lot of fun developing it and and working out all of the edge cases and so forth.

2:04:45 - Leo Laporte
And you know, now I'm on to solving other problems this is where you jump up from your easy chair, grasp your cabernet and you shake your fist at the clouds guys and say why. I ought to Steve Gibson, grccom that's his home on the Internet, the Gibson Research Corporation Go there to get Spinrite, the world's best mass storage maintenance and recovery utility. 6.1 is out and fantastic If you've got an SSD. This is the kind of unexpected benefit of it. You can use 6.1 to speed up your SSD. That's fantastic. What an improvement.

2:05:27 - Steve Gibson
Yeah, as I say recover lost performance.

2:05:31 - Leo Laporte
Yeah, not just files, yeah.

2:05:33 - Steve Gibson
It is data recovery and performance recovery.

2:05:36 - Leo Laporte
We'll have to say mass storage, performance, recovery and maintenance utility. We'll add that GRCcom While you're there, you can get a copy of the show. Steve has the usual 64-kilobit audio, but he also has 16-kilobit audio if you've really got a bandwidth crunch. He also has really well-done transcripts, written by Elaine Ferris, so you can read along as you listen to the show. Now you've got to wait a few days for those. She's actually hand crafting them. They're not AI generated. So a couple of days from now you'll be able to get that at GRCcom, along with a lot of other great freebies and vitamin D information, all sorts of stuff. It's a little grab bag of goodies.

2:06:19 - Steve Gibson
Our DNS benchmark just passed 9 million downloads.

2:06:23 - Leo Laporte
Wow. So if you want to use a different DNS server from your ISP, maybe you're looking at the quad nines or quad ones, or maybe open DNS or next DNS, something like that. Run the benchmark first to see which one's fastest.

2:06:37 - Steve Gibson
It will rank all the DNS servers that are available and show you which one returns answers quickest for you, which is important, and it's different for every geographic location. And when you bring up a page and it makes 237 off-site references to other crap all over the internet, the response time of all of those other domains is important.

2:07:00 - Leo Laporte
I've noticed sites are really getting more and more sluggish. The internet is just slow to a crawl. Another form of inshittification, anyway, we so. Steve is on Twitter, I should mention, or xcom at S-G-G-R-C. His DMs are open there. You can leave him questions or I bet he values us even more Pictures of the week. If you've got some good, cute ones, you can also get the show from us. Twittv slash S-N that's the page dedicated to security. Now Steve has his show notes. We have some abbreviated show notes, but we also have video, which steve does not have. I don't know why you'd want it. Steve's always and I have agreed this is not something anybody needs, but the new york times, by the way, told us this week video podcasts are the next big thing. So, steve, we're just ahead of the curve. That's all just 20 years ahead.

2:07:51 - Steve Gibson
Why, my goodness, it's the next big thing.

2:07:55 - Leo Laporte
Uh, let's see what else. Join Club Twit if you'd like to show and you want to keep it on the air. The advertisers are great, we love them, but they're not enough. They don't cover the costs and we need to cover the costs because daddy ain't got no big bank roll to pull out of. So if you want to keep hearing Security Now and Twit and Mac Break Weekly and all the other shows we do and all the great stuff in the club, just join the club. It's less than a five shot venti latte.

Two bucks less per month yeah, one of those a month and you pay for the club and you get-free versions of all the shows. You get video for all the shows that we put out. Some of the shows we do, like Hands on Macintosh, hands on Windows, the Untitled Linux show are audio only in the public sphere, but we have video of those as well. Special events like Stacy's Book Club we're going to have a next week. We're going to have a watch party for the classic Fritz Lang 1927 film, metropolis, which kind of talked about the future. It's really a fascinating silent film and we're all going to be sitting in our living room, my living room, the LaPorte house, watching the show with our team and you, I hope, club members. You know the thing about the club, to know it's a community of really smart, interesting people talking about things that we're interested in, not just the shows but everything else. We do a lot of coding, talk AI, talk all that stuff. Twittv, slash, club twit. If you're interested, I would love to have you in the club because I know if you listen to the show you're smart, you're cool, you're with it, and we would love to have you in the club because I know if you listen to the show. You're smart, you're cool, you're with it and we would love to have you in the club.

We do this show every Tuesday right after Mac break, weekly. That's one thirty Pacific for thirty Eastern, twenty thirty UTC. The show is streamed for all to see live on YouTube. Youtube dot com. Slash twit and we turn it on right when the show begins and we turn it off right when the show ends. So hit the smash the bell. I saw this it was an answer on Jeopardy the other day. Smash the bell, that's how much it's become part of the common zeitgeist. Smash the bell to subscribe to the channel and you'll get a notification as soon as we turn on the live video. What else do I have to tell you? Oh, you can get the show after the fact. There's a YouTube channel just for Security Now and you can subscribe or go to the website. But you can subscribe and that way you don't have to think about it. You just get it automatically of a Tuesday afternoon. Steve, you're the best. Go back to Rick Brown and your armchair and pipe and I will see you next week on Security Now. See you in.

2:10:38 - Steve Gibson
May In May, wow, yeah, and now will the Apple event change our timing?

2:10:43 - Leo Laporte
No, because this is 7 am. Ooh, okay, pacific, it'll change your timing. It will, I'm going to be in my Jim Jams, my jammies at my house, micah and I all live. It's just a release of a video, but there's a lot of excitement about it. As I know, you are excited, so we'll do that.

2:11:01 - Steve Gibson
I'm interested because it's finally iPads.

2:11:03 - Leo Laporte
Yeah, and we'll talk a lot about it on, of course, my Quick Weekly right before your show. So no, it wouldn't affect your time.

2:11:10 - Steve Gibson
Thanks, steve, okay, next week, bye, bye.

2:11:15 - Leo Laporte
Bye.