Security Now 975 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here, of course. As always, there's a ton to talk about. We will, in just a little bit, talk about the scientific response to the European CSAM proposals, those proposals that break internet encryption. We'll also talk a little bit about three new zero days in Google Chrome, what happened to Google search and why AI is not the answer. And just how long can an unprotected XP machine live on the internet? The answer will surprise you. It's all coming up. Next, on security Now podcasts you love from people you trust. This is Twit. This is Security Now with Steve Gibson, episode 975, recorded Tuesday, may 21st 2024. 312 scientists and researchers respond. It's time for Security Now, the show where we cover the latest security news, privacy information, talk about hacks and hackers and, you know, just kind of shoot the breeze with this super intelligent human being we call Steve Gibson.

0:01:19 - Steve Gibson
Hi Steve, and continue to justify our existence apparently Without Security.

0:01:26 - Leo Laporte
Now there's no justification, oh yeah.

0:01:29 - Steve Gibson
So, okay, we're going to have some fun this week Not that we don't always. We're going to examine which browser has had a very rough week and why. Which bodily fluid should you probably not drink, despite google's recommendation to the contrary? Okay, I know, it's freaky. And also, how can you tweak your browser so that you will be avoiding those recommendations in the future? What happens when a windows Windows XP machine is exposed to the unfiltered Internet? Duck and cover comes to mind. How did a pair of college kids get their laundry washed for free? And what do we learn about that from the latest, actually quite thought-provoking response to the EU's proposed child sexual abuse regulation, this time from their own scientific and research community. Thus the title of this podcast 312 Scientists and Researchers Respond Awesome.

0:02:50 - Leo Laporte
And four out of five doctors agree that this is the only thing you should be doing on a Tuesday afternoon. All right, that's right. All right To justify your existence. We will get to all that. I can't wait to hear the Washington machine story. I saw the headlines of that and I thought, oh, Steve has got to cover this. Yeah, yeah, yeah.

Very interesting, very, very interesting. Hey, before we go any farther, let me talk about one of our sponsors. Actually, we love these guys. They've been with us for 10 years. What a great product.

The Thinkst Canary Now. Thinkst is an interesting company. They've been for years teaching companies and governments how to break into systems. They're white hat hackers. But everything they've learned from this turned into this amazing honeypot, the Thinkst Canary.

A honeypot that's easy to use. It can be deployed in minutes, can impersonate any device, from a SCADA device to a Windows server, to a Linux box that's lit up like a Christmas tree. It can be anything right. But the key is these things canaries don't look like traps or honeypots. They don't even look vulnerable. They just look valuable. But the minute a bad guy attacks them, boom, you get an alert. You know someone's in our network.

You can use your canaries to create tripwires too. They call them canary tokens that are spread out little files throughout your network. Your thinks canary will kind of monitor these. They can be excel files or pdfs or docs whatever you want with alluring names. Like you, you know employee information, for instance, or customer social security numbers Don't be so obvious. But the minute somebody, an intruder or malicious insider tries to open those files or tries to attack your ThinkScanary, you're going to get the alert that matters. So it's very simple. You choose a profile. You can change it every day if you want. I play with it. It's fun.

Mine's a Synology NAS right now. Register it with the hosted console for monitoring and notifications and then wait. You won't get false positives. But when you get an alert you know someone has breached your network or you've got a malicious insider snooping around. They've accessed your ThinkScanary or the ThinkScanary tokens Boom, they've accessed your Thinks Canary or the Thinks Canary tokens Boom, you got them.

You might have great perimeter defenses, but how do you know if somebody's in your network? This is how Visit canarytoolscom Give you an idea. I mean, a big bank might have thousands of these or hundreds of these. A small operation like ours, a handful of them, let's say you need five. That's $7,500 a year. You get your own hosted console. You get upgrades, support and maintenance. They connect to power and ethernet and they're online.

Right, if you use the code when you order one, if you use the code TWIT in the how did you hear about us box? 10% off the price, and not just for the first year, but forever for the life of your account. You can always return your Things to Canaries within their two-month period a 60-day money-back guarantee for a full refund. So you get plenty of time. But just beware, you're not going to hear from your canary unless you really need to hear from your canary. It's the greatest thing. It gives you peace of mind. You know everything's okay.

I should also point out that in all the time that we've been doing ads for the Thinks Canary, not once, not once, has somebody asked for a refund. These things work and they work so well and you know, once you get one you know you need them. Visit canarytools slash twit. Remember the offer code TWIT in the how Did you Hear About Us box? The Thinkst Canary. Every network should have some ThinkstCanary at canarytools slash twit. We thank them so much for their support of security. Now and now I am prepared for the picture of the week.

0:06:41 - Steve Gibson
So I gave this picture, just a simple caption. Uh what?

0:06:48 - Leo Laporte
it says it all.

0:06:48 - Steve Gibson
Really, you don't you don't mean exactly. You know, I was tempted to give it the caption. I don't think that means what you think it means. And this is another one of those, leo, where you've just got to ask yourself you know, somebody produced this, somebody like created a plate to put on a door which you can only push in order to open the door. Yet, prominently displayed at the top, beautifully engraved and then color-filled, etched in this plate, it says pull.

0:07:32 - Leo Laporte
I think it's for Jedi warriors to practice the force that would be good.

0:07:41 - Steve Gibson
Yes, exactly, you just work on your telekinesis. Wow, Exactly, you just, you know, work on your telekinesis Unbelievable. Anyway, I just got a just a kick out of that. Well, thanks to our amazing listeners, they find these things and send them to us, so I get to share them with everyone.

Ok, so Google's much beloved Chrome browser has had a very rough week. In just one week, the total number of exploited in the wild zero-day vulnerabilities to be patched so far this year jumped from four to seven. Wow, in other words, last week saw three newly discovered Chrome vulnerabilities receiving emergency Chrome patches discovered Chrome vulnerabilities receiving emergency Chrome patches. In their blog last Wednesday, google wrote Google is aware that an exploit for CVE-2024-4947 exists in the wild. This was also separately echoed by Microsoft, who said they were looking into it and they were going to work on fixing this thing too, because, of course, microsoft is also using the common Chromium engine. So this latest trouble is rated as a high-severity zero-day vulnerability which results from a type confusion weakness in Chrome's V8 JavaScript engine. The discovery was made by researchers at Kaspersky Labs when they discovered it being used in targeted attacks.

Now these so-called type confusion bugs we see them arising often. They're more formally referred to as access of resource using incompatible type, which sort of says the same thing. This occurs when code misinterprets data types, which can lead to unpredictable behavior which is putting it mildly that can allow attackers to manipulate program logic or access sensitive information. We've talked about before how the values stored in a computer's registers or in memory might either be the actual data itself or often can be a pointer to some other data, and the use and manipulation of pointers is wow. I mean, it's very powerful, but also very dangerous, because the pointer can potentially point to anything. So it's not difficult to imagine what would happen if some data that the program was storing, especially if it's data that an attacker is able to manipulate, like, for example, the length of the data they've just sent could be mistakenly treated by some buggy code as a pointer, in which case the attacker can control what the pointer points to and thus increase the amount of mischief that they're able to get themselves into. In theory, that would allow an attacker, for example, to do exactly the sort of things that we see happening.

So, as we've observed before, google understandably sees no upside to revealing more details of their flaws, you know, beyond confirming the reports of them being used in attacks and that they're now fixed. So you know? They say, you know, update your Chrome and you'll be OK. You know, you know, and you know. All they say is access to bug details and links may be kept restricted until a majority of users are updated with a fix. And, of course, google knows that by the time everyone is updated, the world will have moved on and won't care about some old bug that's since been fixed in Chrome. So they sort of say, oh, we're not going to tell you until later, and later never comes. However, you were just talking about the thing's canary, and this article talks about this.

Because, or this event, because one thing that comes very clear is that network monitoring has become crucial. The way and reason Kaspersky is able to discover such attacks is that their customers are running Kaspersky's endpoint security solutions, and those solutions are feeding the intelligence that they collect back to Kaspersky's mothership for monitoring and interpretation. So when one of Kaspersky's customers is targeted, red flags go up at Kaspersky Central. Ok now, as I said, there were three this past week. The other two actively exploited Chrome zero days patched this week are 4671 and 4761, which also double as a test for dyslexia. 4671 is a use after free flaw in Chrome's visuals component, whereas 4761 is an out-of-bounds write bug in, once again, the V8 JavaScript engine. And it's worth noting that four out of the seven zero-day bugs Chrome has patched so far this year have all been located in Chrome's V8 JavaScript engine. This is not necessarily the JIT, the just-in-time compiler portion, but recall that the observation has been previously made that the overwhelming majority through time of bugs in the common Chromium core were being found in V8's, in the JIT, the just-in-time compiler portion of V8's JavaScript engine. This is what led Microsoft to explore disabling Edge's just-in-time compilation under the theory that a modicum of speed could be sacrificed, especially given how much faster our processors are today than when this was first implemented back, when, you know we, they really did need all the speed they could get. Now it's like well, you know, the processors are sitting around doing nothing most of the time anyway. So how about trading off some speed in return for cutting serious vulnerabilities by more than half?

Toward the end of last month, microsoft explained that the so-called enhanced security for edge setting that they have in their browser, they wrote Microsoft Edge is adding enhanced security protections to provide an extra layer of protection when browsing the web and visiting unfamiliar sites. That's the key word. The web platform, they wrote, is designed to give you a rich browsing experience blah, blah, blah using powerful technologies like JavaScript. On the other hand, that power can translate to more exposure when you visit a malicious site. That power can translate to more exposure when you visit a malicious site. With enhanced security mode, microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse. They wrote protection and arbitrary code guard. When combined, these changes help provide defense in depth, because they make it more difficult than ever before for a malicious site to use an unpatched vulnerability to write to executable memory and attack an end user. So Microsoft wound up with a hybrid solution where additional meaningful protections, which will take a modest toll on performance, are being selectively enabled when visiting unfamiliar sites. But this allows Edge running on, you know, for example, outlook 365 or Google properties, to race ahead at full speed with those extra protective guards disabled. And you know, given Chrome's past week of three newly exploited in the wild zero days and the fact that we appear to be unable to secure our web browsers. I think Microsoft's tradeoff makes a huge amount of sense. I think Microsoft's tradeoff makes a huge amount of sense.

Okay, so this next piece the fact that Leo has been driven to a paid search solution I think says important things about what has happened to search. We're going to see some additional evidence of that. One of the things I most loved about the early Google search was its search results, cleanliness and simplicity. They were remarkable not only because they were relevant. I mean, it was astonishing back then. Anyway, I'll come back to that in a second.

Everyone knows that my current project is implementing a state-of-the-art email system for GRC. I hoped to be able to announce this week that the subscription management front end was ready for the world, but it needs some additional testing, so that'll be next week's announcement. I wrote GRC's first email system back in the late 1990s and it sent, over the course of its life, a grand total of 11 mailings. To my surprise, last week I stumbled upon the archive of those 11 emailings and the second one, dated April 2nd not April Fool's Day, fortunately over 25 years ago, read We've all experienced the problem.

The automated search engines like AltaVista return 54,321 items. Quote, in no particular order. Unquote. It actually used to say that you know, many of which, unfortunately, were porn sites. But the human-indexed search services of the time, like Yahoo, I wrote often cannot find what you want because they're only able to index a small fraction of the entire web, since they're being indexed by people. So you're left with the uneasy but probably accurate sense. I wrote that what you want is out there somewhere, but you're no closer to finding it.

Then I said the truly amazing new solution. A couple of extremely bright guys at Stanford University solved the web search engine problem once and for all, creating the last search system you will ever need. And then I provided a URL that at that time no one had ever seen HTTP colon no S. Back then, http colon slash, slash, googlecom.

And I wrote what's their secret? They use Linux-based web robots to explore and index the entire web, but then they determine the quality of each resulting link based upon the quality of the other sites that link into that site. So the only way a site can be highly rated under Google is if other highly rated sites have links pointing into it. I wrote it's brilliant. This simple concept works so well that every single person I've told about Google has switched permanently to using Google as their web search engine of choice. It really is that good, I said, and of course it's free, so give it a shot yourself. And then my email ended with a link to, again, googlecom, which 25 years ago, when I sent this mail on April 2nd of 1999. That's pretty impressive. No one had ever heard of. That's great. So I thought I got such a kick out of 1999.

That's pretty impressive no one had ever heard of. So I just I thought I got such a kick out of that. So, you know, what was fun for me was that 25 years ago, google had just appeared on the scene and there was barely a scene for Google to appear on. So this, really, you know, it was life-changing news that I was able to share with GRC's email list subscribers, and way back then there was no downside to Google. But it's been 25 years and oh how times have changed.

As I said at the start of this, the fact that you, leo, have been driven to a paid search solution says some important things. My own personal annoyance is that I never I mean literally I never want to watch a video to receive an answer to whatever question I might have put into search, to whatever question I might have put into search. Yet Google promotes videos to the top of their search results, not because they provide the best answer, but because Google owns YouTube. Now, exactly, yeah, I'm writing my forthcoming email system subscription management front end because I'm very picky about exactly how I want it to work and how I insist that GRC treats its visitors, but I have no interest in reinventing the wheel when I have nothing to add. So I'm using an existing SQL database driven mailing engine on the back end to actually deliver the mail.

The other day, I wanted to bring up the pages of documentation on this package's API, so I entered its full, proper name, properly spelled, into Google Search and I tried it again just now to be sure. And I tried it again just now to be sure. What I received in return, which filled the entire page vertically, thus requiring me to scroll, was four sponsored results for commercially competing products or services. Oh, wow, and this was not because, as I originally wrote 25 years ago, those four alternative solutions are objectively better, but because they're paying Google to appear first. Right?

0:23:12 - Leo Laporte
They're ads, yeah that's right.

0:23:15 - Steve Gibson
Anyway, I know that none of this comes as news to anyone here, but I wanted to lay that foundation since, against this background, a piece of disturbing news about Google's latest degeneration caught my eye when bleeping computer brought their readers up to speed. Bleeping computers headline Sunday, two days ago was frustration grows over Google's AI overviews feature comma. How to disable, they wrote. Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI overviews feature in regular search results. Unfortunately, you can't. However, there are ways to turn it off using the new web search mode, which we explain below.

Ai overviews, also known as search generative experience and I might change it to degenerative, but we'll get to that later is Google's new search feature, they wrote, that summarizes web content using its in-house LLM large language models. Google says AI overviews appear only when the search engine believes it can provide more value than traditional links. When you're signed into Google and search for general topics like how to install one of Windows 11 recent updates, google AI will rewrite content from independent websites and summarize it in its own words. They said. This feature may sound good in theory, but Google's AI integration has several quality issues, including causing a slight delay as it generates the answer and, even more problematic, sometimes displaying incorrect information.

For example, when searchers asked how to pass kidney stones quickly, google AI overviews told them to drink two quarts of urine. What I have a snapshot of the tweet from May 5th. What it reads it shows the person Every 24 hours yes, how to pass kidney stones quickly? And the answer is drinking plenty of fluids such as water, ginger, ale, lemon, lime soda or fruit juice can help pass kidney stones more quickly. Period. Next sentence you should aim to drink at least two quarts and it has helpfully in parens two liters of urine every 24 hours, and your urine should be light in color.

0:26:14 - Leo Laporte
Okay, thank you AI.

0:26:16 - Steve Gibson
Holy cow, thank you so much. Now, this was May 5th and it noted that AI overviews are experimental. This was the week before this was formally released, and I just so loved the comment of the guy who posted this, who asked the question. He wrote in response to this perfect, ready to go ship it out. Oh my God.

0:26:41 - Leo Laporte
I know Wow oh my God, I know.

0:26:43 - Steve Gibson
Wow, you know so. Bleeping Computer said. Although it was initially released as an opt-in search labs experiment, google recently began rolling out AI overviews to everyone in the United States, whether they want it or not, with other countries to soon follow or not. With other countries to soon follow. Google says that AI overviews cause people to quote use search more. And well, yeah, because they don't get the answer the first time, they got to use it. Some more. I don't think I want to drink pee. Thank you very much. Yeah, got any other ideas? So bleeping computer continues.

That doesn't even seem to be the case on many Google support forums. That is where people are more. Be the case on many Google support forums. That is where people are more satisfied their results, for example. Quote I'm finding the results very repetitive, often wrong, and they don't at all match what I'm looking for. But they take up so much space and feel in the way I just want them to go away. Unquote. Feel in the way, I just want them to go away. Unquote.

Another user posted over on Google forums every single result I've received from the AI overviews has been incorrect. I'm more capable of misinterpreting internet articles on my own. I don't need any help. I don't need any AI to help me, and I can probably get at least slightly closer to actual understanding than the AI because I actually have cognitive processes. So Bleeping Computer wrote. As the posts on Google forums suggest, early feedback on Google AI overviews has been negative, with people finding the feature unnecessary and often misleading. Unfortunately, there's no way to disable it now that it is out of search labs, and Google has quickly locked support threads for many people asking how to do so. So, whoops, you're not even allowed to ask anymore. Wow, as the Google search we all fell in and they said, as the Google search we all fell in love with 26 years ago no longer exists, now filled with endless features, sponsored search results and shopping results. The company recently introduced get this, leo a new web search option to return the old search field. Wait, what? I thought that Google was web search.

0:29:20 - Leo Laporte
Yeah, what are they talking about what?

0:29:22 - Steve Gibson
Right. Much of the tech press has gotten a big kick out of the fact that Google's default search results have become so cluttered and congested with their commercial crap that even they, google, no longer consider it to actually be web search. Okay, google search results list a series of search result filters in a line underneath the search field. They typically read all then images, shopping, videos and news, and after that are three vertical dots and a more menu item which drops a menu containing additional filters, one of which now is web, and selecting that filter, sure enough, dramatically cleans up the results. What bleeping computer posted was a way to cause that web mode filter to be selected by default. The normal search URL is forward slash search, then the question mark separator, then Q equals. You know, q for query, q equals and the search phrase. But adding the magic incantation UDM equals 14 after the forward slash search question mark and then joined with an ampersand to the Q equals clause, causes the search to default to web and you get much cleaner results every time. And since this disables a large collection of Google's default search enhancements, including its new and still apparently troublesome AI overview, at no point will Google AI suggest that you drink urine At least, yeah, the AI won't. So I have not encountered this default web search trick anywhere else. So I placed a link to Bleeping Computer's write-up in the show notes and, for ease of access, I've also made this GRC's shortcut for the week. So for this podcast 975, it's grcsc slash 975 will take you to this article at bleeping computer If you're, if you want to see them explaining how to do this, and you do need then to get into your browser and tweak that like to add a custom search technique and then select that as the default.

Select that as the default. But if you want to keep using Google and you want to return to simpler times, you are able to get the web search results and you can quickly see for yourself how much better it looks just by going, you know, under those three dots and more and selecting web and you get, you know, a cleaned up page. So I'll just say, as an aside, what a mess you know. The fact that this generation of AIs hallucinate very convincingly and with great authority makes this AI overlord I mean overview quite worrisome. We absolutely know that there are many people who will suspend their own critical thinking, or what used to be called common sense in favor of accepting truths provided by external sources. Perhaps Google feels that the internet is already so full of crap that creating intelligent appearing overviews, you know, won't further hurt anything, you know. I just hope their AI improves quickly.

0:33:11 - Leo Laporte
I think there's actually a story behind all this. We'll talk about it tomorrow. On Twig it's unknown. Obviously Google's not talking, but a number of people from Google have said you know, Google has just panicked. In the same way, they panicked when they thought they were going to lose to Meta and created Google Plus. They panicked thinking they were going to lose the farm to AI. And, of course, panic is not a good way to create new features and it feels like that they're just throwing stuff up against the wall at this point, especially something this complicated, leo.

0:33:43 - Steve Gibson
this stuff is so complicated at this point, especially something this complicated, leo. This, this stuff is so coming. You know, arguably there are most people don't know how ai works, right, it's like well, it started sounding conscious, so I don't know how it works myself. It's kind of a mystery exactly, I mean the ai reacher, the ai researchers are like what.

0:34:04 - Leo Laporte
Yeah, anyway, as you say, I don't use Google anymore, so I have missed this entire drama. You know, for a while I did use something called Neva that had AI summaries at the beginning, but they were always footnoted and I never found them to be wrong. It was done, uh, cleverly. But what I use now, kagi k-a-g-i, which is a paid search tool, um, doesn't do that.

0:34:30 - Steve Gibson
I think people have realized that these ai summaries are not that useful and just give me the results and think of the good that could be done, leo, if it, if we ever got to a point where all of the chaff could be separated and, instead of getting nonsense from an Internet search, no matter who does it, you actually got rigorous truth. That would be something.

0:34:58 - Leo Laporte
Well, but let's also be fair to Google. Part of this is because the Internet is full of crap.

0:35:04 - Steve Gibson
Exactly of Google. Part of this is because the internet is full of crap. Exactly.

0:35:09 - Leo Laporte
I mean, if you're trading your AI on crap, you're going to you know crap in, crap out, and even Google search can only reflect what it's you know the search contents, and if it's garbage, everybody's trying to game Google. It's going to reduce the search results anyway. So it's yeah, it's a mess right now. It's just a mess. Okay, so we're going to talk about search results anyway. So it's a mess right now. It's just a mess.

0:35:26 - Steve Gibson
Okay, so we're going to talk about putting Windows XP on the Internet after we take a break. And wow, as I said, the result is duck and cover.

0:35:37 - Leo Laporte
All right Time to talk about our fine sponsor for this segment of Security. Now, one big thing. This is actually a problem we've come up against and I think any medium business that's focused on its growth is going to come up against this which is a huge, vast number of conflicting in some cases AI and privacy regulations that you somehow have to make your way through. The world's changing Privacy and AI compliance is not going away. It's here to stay. But regulations, not just in the US but around the world, are in constant flux. There's always something new, and organizations are now being forced willy-nilly to embrace concepts like privacy by design, transparency, purpose limitation, data minimization, data subject rights. It's all of this stuff, whatever your size, applies to you Now.

If you're a mid-size, high-growth organization, you've got enough to do just to focus on what you're doing. Stick to your knitting and growing. You don't have the volume of work to keep a full-time privacy and AI team busy, nor can you reasonably attract the talent you need, because you can't compete against all the big guys who are taking all the talent off the market. But this is what's so great about One Big Think. One Big Think does the services of a data protection officer for you With One Big Think services. You're guided by an experienced executive. You gain the capacity and the abilities of a data protection officer. Dpo is an enterprise security leadership role responsible for overseeing data protection strategy compliance and implementation To make sure that you're compliant with all of these new regulations GDPR, yeah, but also California's CCPA, the CPRA and so on.

One big think will give you expert knowledge of data protection law and practices. We'll give you somebody with a broad and deep information, privacy, compliance and data processing skill sets across many industries Somebody who's really in the know. You'll get complete understanding of. This person will have a complete understanding of IT infrastructures, technologies and technical and organizational structures in your industry. Right that they have to be useful. They also have excellent management skills, which is nice. The ability to interface easily with internal staff at all levels. You're getting, at a much reduced cost, exactly what you need an AI expert and a DPO. One big thing is AI compliance service is designed to integrate with your organization's privacy program and provide the required governance, compliance and assessment activities under these regulations.

Look, you don't have time for this. You don't have a position you could fill, really, but you could help. You can get it done. One big thing can help. They'll even help you raise awareness of, and train staff on, regulatory requirements and issues in AI and privacy, so that everybody's on the same page. Well, you know you need this and you're also going, if you're like me. Well, how am I going to do it? It seems impossible. You need One Big Think To learn more about how to give your organization sustainable privacy and AI compliance. Go to OneBigThinkcom. That's the number one B-I-G-T-H-I-N-Kcom OneBigThinkcom Help is out there. Give them a ring. Go to the website. Find out more. Onebigthinkcom. You don't have to go it alone. All right, we're not alone, as long as we got Mr G here here. Help us out with the world at large.

0:39:27 - Steve Gibson
Steve so, under the topic of how things have changed, pc gamer published an enlightening article titled a windows xp machine's life expectancy in 2024 seems to be about 10 minutes before even just an idle Internet connection renders it a Trojan-riddled zombie PC. They wrote how long do you think it takes an unprotected Windows XP box to fall foul to malware? To be clear, this is a machine sitting idle, no internet browsing required, just connected to the internet. One YouTuber, eric Parker, decided to find out Using a virtual machine. Parker set up a Windows XP instance and configured it to be fully exposed, with no firewall and no antivirus software, just like the good old days. Okay, now just to remind everybody, even though XP always had a built-in firewall, it wasn't until Service Pack 3 that the firewall was enabled by default. Wall was enabled by default, like by the installation of that service pack or installing XP that included SP3. After that point and of course you know, thanks to the tyranny of the default, very few earlier pre-service pack 3 Windows XP machines were protected out of the box. Pack 3 Windows XP machines were protected out of the box, and I remember those days. Remember that there was a big third-party market for firewalls Zone Alarm was the one that I found and liked a lot, based on the way it operated.

So Microsoft wanted to add a firewall to their Windows client platform, but they also didn't want to, you know, blatantly. They'd already, you know, had a lot of problems with antitrust. They didn't want to just go obsoleting a whole class of software immediately. So they put it in, but they didn't turn it on. Okay, so PC Gamer continues.

So how long exactly does it take for malicious software to appear on the PC? Parker returns to his PC you know his virtual PC. 10 minutes later, and, sure enough, there's something nasty running in Task Manager called ConHoz, running in task manager called Khanhaz, c-o-n-h-o-z, or maybe it's H-O-Z, h-o-zexe, a known Trojan. He terminates that process and leaves the machine running. Within just a few more minutes, a new user has been added, plus a number of new processes, including an FTP server. So yeah, within 15 minutes, that's multiple malware processes and an entirely compromised machine, with the bad guys having already created a new admin account and an FTP server running locally. Parker then traces the malware's communication to yep, you guessed it the Russian Federation. He speculates that the bad guys might be trying to set up a botnet, you think, or spam email server from his compromised machine. Further investigation reveals even more malware, including another Trojan and a rootkit. A malware byte scan then reveals the full horror, with eight nasties actually running, including four Trojans, two backdoors and a couple of adware apps, in other words, and, of course, an FTP server.

The machine is already a complete and utter zombie, and they said anyway, it's a fun watch as Parker observes his virtual XP machine being ravaged in real time and a reminder of what's bubbling away behind the firewalls and malware protections on all of our PCs. He says. Sniffing through your running processes in Task Manager used to be something of a regular ritual for the well-informed. Now it's not really necessary. Famous last words and all that Indeed they write. It just goes to show how effective those machines are. That we can all be connected to the Internet now 24-7 and not give this stuff much thought. It's dangerous out there. Boys and girls, be careful. They conclude.

They conclude OK, now I would. I love that I would edit that just a bit to observe that this vividly shows what's right now pounding away at the outside of our stateful NAT routers, those vital pieces of hardware. All of our networks are blessedly perched behind. More than any other single thing. It's the godsend of NAT routing, which placed a stateful hardware firewall filter between our internal net lands and the increasingly wild and woolly internet, that have made it possible to use this crazy global network with any hope whatsoever of remaining safe.

Presumably I don't know what eric's history is, but presumably the ip that his xp machine appeared on wasn't, for any reason, particularly high profile, right, it was just some random guy, and there's just that much crap hitting each of our IPs regularly enough that you know, and who knows, was it all the same attacker who said, oh my goodness, we just found a new victim, you know, let's get it. Or different attackers who were, all you know, randomly scanning the internet and happened to lock onto this XP machine? I mean, I'm I have to say I'm tempted to do this because this would sound like fun, except you gotta be so careful, um, and it would be so easy to make a mistake. So you know, if you do want to uh, replicate what, what Eric did, then you know, really, really really be careful. For anyone who's curious to see Eric Parker's YouTube video described in this article, I posted the link in the show notes so it's easy to find, and also when I was there looking at it. I noticed that since then and this got a lot of attention he's done the same thing to Windows 2000. So I didn't make time to dig in and see if 2000 was similarly vulnerable.

Okay, techcrunch reported that, thanks to the discovery made by a pair of curious students at the University of California at Santa Cruz at the University of California at Santa Cruz, who, to their credit, did try to do the right thing by attempting to report the flaws they'd uncovered in the control software of their shared university washing machines, as TechCrunch headlined their story, quote two Santa Cruz students uncover a security bug that could let millions do their laundry for free. Ok, so the company behind these widely deployed machines is called CSC ServiceWorks, which is an unfortunate name because the service doesn't work so well. The two UC students, alexander Sherbrooke and Ayakov Trenenko, discovered flaws that allow anyone to remotely send commands to laundry machines run by CSC, which allows them to initiate laundry cycles without paying. It appears to be another instance of a company that should really not be putting their equipment on the internet, yet doing so anyway. Like your typical college student, alexander was sitting on the floor of his basement laundry room in the early hours one January morning earlier this year with his laptop, he was bored waiting for the spin cycle to finish on his last load, woke up with a loud beep and flashed push start on its display, indicating the machine was ready to wash a free load of laundry. And this was despite the fact that Alexander's current laundry system balance was zero dollars. Since students will be students experimenting further, they said they set one of their accounts to reflect a positive balance of several million dollars in credit and, sure enough, their CSC Go mobile app reflected this balance without complaint.

As I said, the company behind this, csc ServiceWorks, a large laundry service company which boasts a network of over 1 million laundry machines installed in hotels, university campuses and residences across the United States and Canada, oh, and also Europe. You would think that such a firm, that's using internet and smartphone technology to replace coin-op machines, might have someone on staff to field trouble reports, but there's no indication of that, since CSC ServiceWorks does not have a security page for reporting security vulnerabilities. Alex and Ayakov sent the company several messages through its online contact form in January, but heard nothing back from the company. Even a telephone call to the company got them nowhere either. Finally, they reported their findings to the CERT Coordination Center at Carnegie Mellon University, which, as we've discussed, provides a means for security researchers to disclose flaws to affected vendors and provide fixes and guidance to the public. Even that failed to evoke any reaction from CSC. Failed to evoke any reaction from CSC.

Today, months later, despite having tried to do the right thing, the glaring vulnerability remains open. In following up on this, even TechCrunch failed to get anywhere. Techcrunch wrote quote it's unclear who, if anyone, is responsible for cybersecurity at CSC, and representatives for CFC did not respond to TechCrunch's request for comment. Unquote. Okay, so it seems to me that what might finally arouse CSC's attention and apparently the only thing that will arouse CSC's attention, and apparently the only thing that will may be a sharp and sudden drop in cash flow revenue as word of this spreads across college campuses in the US, canada and Europe. It's just the sort of hack that's pretty much guaranteed to become quite popular.

Having waited longer than the customary 90 days after attempting to report the the, their discovery and findings, alex and Ayakov have now started to reveal more about their discovery. They decided to disclose their research in a presentation during UC, the UC University's Cybersecurity Club meeting earlier this month. They explained that the vulnerability is in the API used by CSC's mobile app, csc Go. In the normal case, someone needing to do the wash opens the CSC Go app to top up their account with funds, then pay and begin a laundry load on a nearby machine. Laundry load on a nearby machine. But Alex and Ayakov discovered that CSC's servers can be tricked into accepting commands that modify their account balances because security checks get this are only performed by the client app on the user's device. I know and anything sent to CSC servers are fully trusted. Oh my.

0:53:04 - Leo Laporte
Including things like I have a million dollars in my account, correct?

0:53:10 - Steve Gibson
Correct. This allows fake payments to be posted to their accounts without ever putting any real-world funds in the accounts. And Leo, it's worse. While Alex was sitting on the floor of the basement, he was analyzing the network traffic while logged in and using the CSC Go app, and he discovered that he could circumvent the app's security checks to send commands directly to CSC's servers. Alex Anayakov said that essentially, anyone could create a CSC Go user account and send their own commands using the API. Get this because the servers are also not checking whether new users even own their email addresses. The researchers tested this by creating a new CSC account with a made-up email address. So not only mistakes, but also really crappy overall system design. Here was the comment that surprised me CSC quietly wiped out the student's spoofed account balance of several million dollars after they reported their findings. But the researchers said the bug remains unfixed and it's still possible four months, five months later for users to freely give themselves any amount of money.

Ayakov said that he was disappointed that CSE did not acknowledge their vulnerability. He said quote I just don't get how a company that large makes those types of mistakes then has no way of contacting them. He said worst case scenario people can easily load up their wallets and the company loses a ton of money. Why not spend a bare minimum of having a single monitored security email inbox for this type of situation? Unquote. But of course, even that's not the point. If the company zeroed the student's demonstration multimillion-dollar account balance, that shows that someone somewhere within the company did receive the message and does know that there's a problem. Know that there's a problem.

My guess is that we have become so accustomed to the way a mature, security-conscious company goes about handling such matters that we don't know what to make of a company that chooses instead to bury its head in the sand. You know, but we should remember that it wasn't so long ago that most companies acted this way. They would freak out, raise the drawbridge, switch to internal power and say nothing publicly, while they scurried about behind the scenes trying to figure out what to do. While they scurried about behind the scenes trying to figure out what to do, we've learned that's not the enlightened way to act with regard to Internet security vulnerabilities, but it does stand to reason that those who are not actively involved in this arena might not still be up to speed on today's etiquette.

0:56:52 - Leo Laporte
Hey, we're laundry guys. What do we know about the internet? You put in a quarter, you wash your laundry. This just shows you, though. It's really good for students to have to do their own laundry, because that enforced period of boredom can really lead to some creative results. That, and a lack of quarters I love it yeah, we actually leo I have to confess back.

0:57:15 - Steve Gibson
You know, when I was myself at berkeley, uh, we had coined up, yeah, washing machine tie a string to the quarter and pull it back well, actually there was a screw hole in the back of the of the of the quarter accepting add-on to the washing machine and it didn't take long before and I'm not saying who an enterprising student figured out that if you took a coat hanger I've talked about how handy that coat hanger how coat hangers are like they are the perfect type of stiff wire.

You could cut off a length and put a little hook in the end, snake it through the hole, and then you could reach in, hoping not to be electrocuted by the way and grab, you know, find the arm that gets pulled when the quarter is put on the little slider and pushed in, and give it a few tugs and what do you know? The washing machine would start right.

0:58:18 - Leo Laporte
Unbelievable it is a good thing.

0:58:19 - Steve Gibson
I'm not in college, you know.

0:58:21 - Leo Laporte
You know this day and age honestly, there's a subtext here that maybe csc goes. Yeah, so the students are ripping us off. What's? What else is new? As long as we get most of the money, we're fine. What else is new?

0:58:34 - Steve Gibson
And exactly as you said, they're in the washing machine business Right. They probably contracted out to the lowest bidder to make themselves an app to put these machines on the Internet. And that guy is gone, long gone, so they probably have no idea what to do. You know they're able to monitor account balances and zero them when they get set to a million dollars, but other than that, eh.

0:59:01 - Leo Laporte
So we had an intern for a while back in the BrickHouse days the wonderful Jeff Needles. You may remember him. I do remember him. He was a fun guy, and he said I'll write a sales system for you, fun guy. And he said I'll write a sales system for you. And so he wrote up a whole sales database system for us that we started using for every ad sale and so forth. And then he left.

He got a better job, I think he went to that video company that he was so enamored of and we said well, can we give you a contract to maintain? He said no, no, no. And he's like we have this blob of software which breaks. Well, let me put it this way If two people try to use it at the same time, boom, it's dead. So it breaks all the time. But it's not really worth it for us to redo it. We just hired some guy who kind of looks at the code and pokes at it once in a while and we just limp along with it. I think a lot of companies are like that. I don't think that's at all unusual.

I mean it's not a security issue because it's not public-facing in any way. Right?

1:00:10 - Steve Gibson
When I released Spinrite 6.1, we made a decision that we would no longer maintain upgrades of Spinrite from before 6.0 because it's been 20 years, right, and you know we've been more than generous for decades. Yeah, anyway, sue was greatly relieved because she was using what we call Dino, which actually was a dinosaur. It was the original GRC Novell Network database that was written in FoxPro by my second employee, who was a truly gifted coder. He went into writing gaming stuff. His name is Steve Rank and neat guy. It's running today, and so it was only a few weeks ago that I said, hey, I bought Spinrite 3.1 in 98, I think it was and so she would look it up in Dino and say, oh, sure enough, here you are.

1:01:30 - Leo Laporte
Yeah, Well, you know we. Just the way it works here is when somebody is going to go use the sales system, they send out a company wide beacon on Slack. It says everybody out. It's funny. I mean, I think every company has something like that. This is just normal, it's the way it is, and technology moves so fast.

1:01:49 - Steve Gibson
It's what kept IE from ever dying. So many enterprises had written internal stuff that was dependent upon specific quirks and operation of Internet Explorer that there was like no, no, no, you can't take our IE away from us.

1:02:05 - Leo Laporte
Jason Snell earlier in MacBreak Weekly said do you think that this is the beginning of a transition for Microsoft away from Intel towards Qualcomm and ARM chips, for Microsoft away from Intel towards Qualcomm and ARM chips? And I said, as long as there is one shopkeeper down one lane in jolly old England still using an Intel PC, Microsoft will support it Absolutely. Intel will never die. That's not how Microsoft's constituted Right.

1:02:34 - Steve Gibson
And Apple has gotten in trouble for terminating. Apple's the opposite Right. They don't care yeah.

1:02:39 - Leo Laporte
Yeah, legacy lives. All right, I take it you'd like a little break here. Have some hydration and while I tell you a little bit about our sponsor a name you will know, a name we know we love ESET, your digital guardian. Eset, your digital guardian, eset. With ransomware, data breaches, cyber attacks on companies becoming increasingly prevalent in the world, you got to have proactive security in place, ready to stop threats before they happen. We all know, once they happen, you want to stop it before they happen. We all know, once they happen, you want to stop it before they happen. You know, on average, it takes 277 days to nine months really to identify and contain a security breach. During a breach, time is your enemy. It's important to act fast With ESET's MDR, your managed detection and response service that brings threat management right to your doorstep, tailored to fit the size of your business or your current cyber security needs. Eset MDR, you'll enjoy 24-7 cyber security coverage with a potent blend of AI driven automation and human expertise, bolstered by cutting-edge threat intelligence and with professional support backed by ESET's teams of renowned researchers we talk about ESET research all the time on this show.

Resolving issues becomes suddenly a manageable task. Let ESET MDR help you save time, resources and money. That's what we do. Eset's been a partner on our servers, I think, certainly since we moved here, maybe even for longer than that. Go to business yeah, it is, it has been Go to businessesetcom slash twit. Now Optimize your security. Do what we do. Use ESET's Managed Detection and Response Service, eset M-D-R. Thank you, eset, for your longtime service to us to keep us safe and for supporting security now with your ad dollars. We appreciate that too. Now back to the fun and games with Stevie Gibson, little Stevie Gibson.

1:04:50 - Steve Gibson
Okay so many of our listeners forwarded tweets from Bernard Nethercliffe, who is a Voyager follower and an enthusiast. Last Thursday, on the 16th, bernard tweeted Fingers crossed this looks like Voyager 1's science data is due to resume Sunday, 11-48 UTC, commands going up Friday. So he's saying commands were being sent on Friday to switch from just sending data back, as they had been, to actually switching over to sending science back, meaning the output of the Voyager 1's surviving sensor arrays. Then, sunday, on the 19th, two days ago, bernard followed up with. Voyager 1 has just returned to science mode at a data rate of 160 bits per second for the first time in six months. So, yes, incredibly I mean, it really is incredible Voyager 1 is back online after having had its programming updated to literally work around a bad patch of memory. What an amazing piece of technology and, wow, brilliant. And also to our listeners, thank you all of you who tweeted that, making sure that I knew. Okay, haku. Hello, steve, longtime follower and big fan of SN. Keep up the great work.

One question following SN 973 VPN attack topic. We discussed this internally in our IT security consultant bubble and one of our network guys mentioned that he would expect VPNs to use the internal firewall as soon as the VPN started to block all outbound traffic that's not tunneled via the VPN. Therefore, there would not be a possibility to route some traffic around the VPN, since the traffic would be blocked right. What do you think? Is this an actual fix? He says we're all about to research if and when which provider does use this technique. Thanks for making my car drives a lot more interesting, and have a nice week to 999 and beyond. Okay, so Haku makes a great point, which is that VPNs could arrange to prevent this sort of simple routing table driven attack. But what the researchers found was that what could be done often was not being done in practice, and I remember they mentioned OpenVPN. One of the problems is OpenVPN is open source and cross platform. So what is cross platform is using the routing table to manage rerouting. But if you're running OpenVPN on a Windows machine, the local firewall aspect is not cross-platform, so that's not something I mean. Whereas other platforms may also have local firewalls, they've all got their own, and Windows is certainly not compatible with anything over in the Linux world or Mac. So what they found was that many popular VPNs in widespread use today were true victims of the attack which we talked about two weeks ago what Haku's networking guy suggested, which was that a VPN could arrange to dynamically manipulate the machine's local firewall rules to block all other outbound traffic not bound to the VPN server IP and port could indeed be done. So let's hope that the popular VPN providers are being asked about. You know their susceptibility to this particular form of simple routing table attack and then do take the effort to revise their solutions if necessary, and I'm glad, for example, that this came up and that Haku brought it up to his tech guys and that they're going to do some research to make sure that they're not vulnerable.

214 Normandy wrote. Hi Steve, I know you've been using the NetGate SG1100 as well as the four port Protectly vault as well as the four-port Protectly vault. I'm starting to see reports that the EMMC in the SG-1100 is starting to wear out for folks. He said I ran their suggested commands and he provides a link to their documentation to check the EMMC and it says that my EMMC is end-of-life expected already. He says no big deal. I'll move on and try the four-port Protectly vault instead, hoping you can confirm that you are still happy with your Protectly. Thanks, bob. Okay, so this came as news to me so I wanted to share it for any other NetGate SG1100 users who may have followed my advice and my choice about that beautiful little NetGate appliance.

The EMMC is non-volatile memory that's soldered directly to the motherboard and cannot be replaced. Directly to the motherboard and cannot be replaced. I presume that the problem is the logging and status updating that is constantly churning away in the PFSense firewall. It's constantly writing logs to the file system and eMMC memories do not have huge amounts of excess endurance. They're meant more for embedded solutions that are not churning constantly. I still have a trusty SG1100. I mean, it's what? Right now the bandwidth for this podcast is passing across my SG1100, you know, and it's been giving me no trouble ever since I replaced its power supply Remember that it was glitching and it turned out to be the power supply that was the problem. But it is sobering that it will have a lifetime limit due to the failure of an eMMC memory that cannot be replaced. Bob also asked about my other favorite PFSense hosting device device, which is the four port protect Lee vault. That's what's running pfSense at my place with Laurie and, yes, I'm still utterly happy with that choice too, and in fact I have another of those standing by ready for deployment here if the SG 1100 should ever die, which unfortunately no longer seems as unlikely as it once did. You know, just giving it power apparently won't be enough in the long run, which is, you know, quite disappointing.

Ok, I have an important and interesting message from a listener who requested anonymity. He wrote Hello, steve, I've been a listener of security now for years, perhaps even a decade, a member of Twit, a website with a significant audience of approximately 1 million visitors per day. Like many other websites, we rely heavily on advertising. Okay, and yeah, you can imagine, with that sort of website traffic, what sort of revenue their site is able to generate from all those eyeballs being confronted by ads. Anyway, he continues. Similar to your sentiments, I am enthusiastic about the Google privacy sandbox and its potential to enhance privacy compared to traditional cookies. However, the advertising industry is pushing back against this initiative. As you're aware, ad companies profit by constructing user profiles and serving targeted ads. With the advent of the Google Privacy Sandbox, their revenue streams are threatened, as user profiles will no longer be available and ad selection will be handled by the browser itself. Consequently, they're resisting this change their strategy.

Now we're hearing from a listener of ours who is over on the implementation side of all this. He says their strategy involves persisting with the current model of tracking users across websites. Several alternatives to third-party cookies have emerged and are rapidly gaining traction. Some utilize first-party cookies through CNAME redirection, such as and he cites the site that offers the service, first-idfr, while others leverage ISP data to identify users based on their internet connection. And then again, he says, like utiqcom. Additionally, there are methods involving email or phone numbers for cross website identification, like liver ramp, l, I, v, e, r, a, m, pcom.

He said I've been tasked. He said I've been tasked with implementing these solutions and I anticipate that a majority of websites will follow suit, as a few big websites in France already have. This is because the CPM meaning you know the amount of money they get for ads using the Google Privacy Sandbox is lower. Lower, resulting in reduced revenue for website owners compared to more precise tracking solutions. Furthermore, these newer tracking methods are perceived as being more reliable than traditional third-party cookies. Regrettably, I fear that this development may exacerbate privacy concerns in the future. Currently, it's possible to clear or block third-party cookies, but it will be considerably more challenging to mitigate these new tracking solutions based on first-party cookies, isp connections or email and phone numbers. I believe it's crucial to inform your audience about this trend. It's already underway and I doubt Google can do much to counter it. I prefer to remain anonymous to avoid potential repercussions from my employer.

Okay, so first of all, I thank our listener for this view from the trenches. It is disappointing, but unfortunately not surprising. It was the subject of our Unforeseen Consequences podcast back on February 6th of this year. Here's the way to think about this year. Here's the way to think about this. Third-party cookies enabled tracking of users based only upon the ads that were being shown and the original ability of advertisers to plant cookies into browsers along with their ads, and for those cookies to later be returned when ads were placed on other websites. This allowed advertisers to follow users around the Internet, since the user's browser would quietly send back whatever cookies it had previously collected for the same advertiser.

The key point of this original tracking model is that it did not in any way involve the website. It operated completely separate from the website, and this is crucially what's in the process of changing now, and it's being driven by the universal change motivator, namely money. What's changing is that websites are now beginning to collude with their advertisers specifically to facilitate tracking. Why? Because advertisers will pay websites more for the ads they're hosting if they collude with them to facilitate tracking which better identifies their visitors. Our listener wrote currently, it's possible to clear or block third-party cookies, but it will be considerably more challenging to mitigate these new tracking solutions based on first-party ISP connections or email phone numbers. It's actually worse than that. The bad news is that if websites are willing to collude with third-party advertisers, there is nothing whatsoever we can do about that.

Anything a website knows about you will now be shared with third parties in many cases, as we recently saw with Microsoft, which was forced to disclose this due to the GDPR. I think it was what? More than 700, was it? Or 500, and some odd, I don't quite remember, but a phenomenal number. You know many, many hundreds of individual third parties. They were confessing they would be sharing anything they had about their visitors with. We talked about websites beginning to want their visitors' email addresses and, leo, you pointed out that even if we give them our throwaway email, if we always give them the same one, it still identifies us as efficiently as if we were using our primary email.

Money is the great motivator. We saw what the ability to extract extortion payment by cryptocurrency did for the ransomware world it exploded overnight. Cryptocurrency did for the ransomware world it exploded overnight. Websites are now being shown how to make more money by asking their visitors more about themselves, so that they are then able to turn that information over to their advertisers. How many are going to see this as a problem? I would venture probably not that many. So what was once tracking being done without website assistance is evolving into collusion between websites and their advertisers. You know, pay us and we will tell you everything we know about our visitors. I think it's clearly inevitable and there's Nothing we can do about it. As with most things which are abhorrent but invisible, as tracking always has been, most people will have no idea it's going on and I suspect that many wouldn't care anyway.

1:20:33 - Leo Laporte
And this is, by the way, exactly what's happening to podcasts as well. The difference is we don't have any information to collude with advertisers, and when they do ask us to put tracking pixels in or beacons of some kind, we just say no and we try to constrain that and it hurts us. This is a reason why most advertisers now move to places like Spotify, because they can get that information. We're kind of out of luck.

1:21:02 - Steve Gibson
They want it.

1:21:03 - Leo Laporte
Yeah, that's why we want people to join the club, because ad support is just not going to do it in the long run.

1:21:11 - Steve Gibson
Kevin Van Haren tweeted. I'm not sure anyone's mentioned this to you yet, but Bitwarden's passkey implementation is available now. I was able to create a passkey for a site on my iPad, go into work and use that passkey from my Windows computer without issue. When I went to add a passkey to the account on the iPad, bitwarden popped up automatically asking if I wanted to create the pass key in Bitwarden. So yes, we had heard that support was in beta and coming soon, but I hadn't noticed that Bitwarden support for mobile was out of beta. That's great news and, as we all know, bitwarden is a sponsor of the Twit Network and we're very glad they are. Robert Harder tweeted regarding pass keys. Help me out here. I feel like you and Leo are missing the point and, leo, it's actually more my fault than yours, so you know.

1:22:12 - Leo Laporte
Oh, I'm good at missing points. Go right ahead, he said or or am I?

1:22:15 - Steve Gibson
he said I thought pass keys were here to say, hey, this device has already logged in properly, so let's make future logins super easy but also secure. So that would mean I don't. He says I don't want my pass keys to be exportable. If I ever want to log in on another device or OS or ecosystem at all, I want to prove that it's me all over again with. Whatever way I do that on that website, hopefully with multi-factor authentication. Only then is that device and that device only secured and proven. It's a nice bonus that Apple or Microsoft or Google have internal synchronizing for their own ecosystems, but only if it's really really, really securable. Generally speaking, having passkeys exportable is as bad as fire sheep days when grabbing someone's session cookie gave an opponent 100% impersonation of a victim. Yes, no, thanks, no. Listen from episode one, rob. Okay.

1:23:36 - Leo Laporte
Rob misunderstood.

1:23:38 - Steve Gibson
So I think Robert makes a valid point, although entirely different though, although well, okay. So I think Robert makes a valid point, although entirely different though, although well, okay.

1:23:46 - Leo Laporte
so Look, pass keys are being proposed as a password replacement. Passwords are not specific to the device you use, nor should pass keys be. It's the same thing.

1:23:58 - Steve Gibson
So, okay, another, entirely different way to think of passkeys is the way he does. Yeah, but it's not right. Okay, in that case, the existing username and password login is used one last time on each device, which then receives a passkey to forevermore authenticate that user and device to that website. Okay, I could see that as a workable model, but here's the critical factor, and this is what you're alluding to, leo.

That model only works in a world where every website allows for any number of passkeys to be registered to any single web account, pass keys to be registered to any single web account and, as we've been saying in the last couple weeks, it is apparently the case that any number of pass keys can be registered to any single web account, maybe without limit. That's the question Where's the limit? So you know, if at some point a website were to reply, we're sorry, but you've reached the limit of pass keys that can be assigned to your account. If you wish to add another, please review and remove some that have already been added. You know, we don't know if that's ever going to happen, but we know that it could. And the experience that kevin just reported of creating a single passkey with bitwarden on his ipad, then having bitwarden later log in for him using the same synchronized passkey under windows. Well, that's pretty slick.

1:25:41 - Leo Laporte
So yeah, I think just misunderstands what passkeys are all about. He's thinking they're like session cookies, which is the problem FireSheep had. Passkeys are not as easily accessed as cookies. I would hope they're better secured than that.

Well, they're public key crypto and so they're not at all the same and, furthermore, they're being proposed as a replacement for passwords. So that's not what he's just described. He's describing a replacement for session cookies. That's not what pass keys are. So I think he just misunderstands what pass keys are. They are a replacement for passwords and, as a result, are not tied, or should not be tied, to a specific device. And you're right A password manager can be, and probably should be, the person who holds your pass keys, just as they are the people who hold your passwords.

1:26:32 - Steve Gibson
Yeah, Okay, Spencer Webb he tweeted enjoyed the eLORAN discussion. I know the guy at Gursa Nav. We had discussions about some projects a few years back. When the USG turned off Loran, I thought it was incredibly stupid. It does work indoors and in caves and without an ionosphere. And yes, you can read into the above some interesting scenarios. Remember to feed your antenna, Best Spencer. He's probably a ham. I think that's a ham. Remember to feed your antenna, Best Spencer.

1:27:03 - Leo Laporte
He's probably a ham. I think that's a ham.

1:27:05 - Steve Gibson
He is, he is.

1:27:06 - Leo Laporte
Spencer is a serious radio guy. That's what I thought.

1:27:09 - Steve Gibson
We often exchange notes when something about radio comes up. I remember back in the days when you had to hold your iPhone in the proper way, he and I were having some conversations about antenna science, so anyway, it was nice to have him add to the E-Loran discussion. I think it's clear that having a system that's fundamentally terrestrial has many applications, even when GPS is working well. Oh, this is interesting. Dr Brian of London tweeted I integrated Passkeys into my own site as a security, as a secondary log. Sorry, I'm screwing up this. I integrated Passkeys into my own site as a secondary login system, which in some cases is easier to use, especially on mobile devices, than the primary method, which is cryptographic signing of a challenge with either a browser plug-in wallet or something using QR codes that looks like Squirrel to prove ownership of personal keys. So okay, what he's saying is he has a website and he rolled his own fancy login system, which he's had for some time. But then he decided, hey, pass keys is a standard, I'm going to add that to my site. So he said to this I added the ability to associate one or many keys with an account and add, delete, rename them One little gotcha which you probably only learn when implementing this. He said I store on my server a list of all public pass keys and every time I get a login request from a client I could send every public key I have and the client would figure out which, if any, it holds. But in reality I don't do that. I associate each of the public keys with a username. This is part of my primary system anyway but that username is the only thing I hold. I don't have emails or passwords. He said I use that username to filter the list of public keys I send back to the client, which then figures out if the user's device has any of them. He says it works nicely with Apple Passkeys and other Passkeys which already sync across multiple devices nicely. So basically, he's saying he rolled his own server side pass keys implementation. As a consequence, he has a bunch of accounts and each of those accounts has pass keys. He could send all of the public keys to the client, which would then say oh, I found a match which would tell him who it was that was wanting to log in. But instead he asks them for just their username, which allows him then to filter from all of his public pass keys only those associated with that user and send those back in order to give it a chance to log in with a pass key. So, anyway, we have users who are implementing passkeys on the server side, which is also very cool.

Or rather, listeners, sean Merrigan said remember that it was Sean? Oh right, okay, first of all, sean was the guy with the old Loran receiver which woke up when eLoran was turned back on late last year. Anyway, he heard us talking about him last week and he followed up with a bit of more interesting information. He said, to close the loop on this, my location is Edmonton, alberta, canada. Okay, that's where he is, canada, okay, that's where he is. He said the three Eloran stations that are currently testing are Fallon Nevada, georgia, washington and Havre, montana. So he's receiving signals from those three locations. He says this is my best information. Currently my old Astron 2100F is showing 2.8 times e to the negative 12 seconds offset from GPS. Again, 2.8 times 10 to the negative 12 seconds offset from GPS. So, yeah, lots of accuracy in Loran available timing data and really it sounds like, once it's turned back on all of our clocks that used to synchronize on.

WWVB ought to be. Oh, that's cool.

1:32:10 - Leo Laporte
Because, you know that's not very reliable, that whole WWV syncing and they wanted to turn it off for a long time.

1:32:17 - Steve Gibson
Yeah, yeah, oh clever Talk about range. That's really cool range. Yeah, yeah, oh, clever Talk about range. That's really cool range. Oh, marcus Daghall tweeted Hi, steve. While looking at the pin heat map graph, the number 1701 seems to be more prevalent than its surrounding numbers, which I love because we know what that is.

1:32:40 - Leo Laporte
Star Trek NCC 1701. Exactly, that's a good pin NCC 1701.

1:32:47 - Steve Gibson
That is great Ed Ross tweeted regarding Big Yellow Taxi. He said presumably that system helps in situations where quote you don't know what you've got until it's gone Paradise put up a parking lot, and that was your observation last week. Yes, Reini, and I can't even begin to pronounce this guy's last name. He's in Spain, h-e-i-j-d-e-n-d-a-e-l.

1:33:18 - Leo Laporte
It's a Dutch name Reini Reini, reini, reini, perfect. Thankijendael, eijendael, eijendael, perfect. Thank you, leo.

1:33:28 - Steve Gibson
So he wrote as many. I started the FIDO1 journey with YubiKey, but even then I was splattered by the messy software support implementation guides, by the messy software support implementation guides, and it was at that level that I thought it was a no-go for regular users. Slot selection, h, mac keyboard emulation, all cool, a bit too cool. But when Fido 2 came along, we had to switch tokens anyway, and I switched, switched to token two, a Swiss-made token that manages selective key removal up to 300 keys and enforced pin complexity all for a better price than the Yuba key, all for a better price than the YubiKey. Furthermore, I needed TOTP for two-factor authentication. That would work as a standalone device when traveling and even that is in their device. I just don't understand why YubiKey is still pushed as the de facto standard. What do you think Now? He included in his note a link, and it's in the show notes at the top of page 15. And he finished saying and Leo, I should mention, I have two on order now.

1:34:54 - Leo Laporte
Yeah, I think I'm about to buy some.

1:34:55 - Steve Gibson
Yeah, Yep. He said keep up the good work. By the way, I silently suspect that you were hired by the UK government to write their specs for them. And, of course, he's talking about the fact that we talked about the requirements that the UK had for their consumer IoT devices, and it did actually sound like they'd been listening to this podcast.

1:35:20 - Leo Laporte
They sure did. Yeah, yeah, and it did actually sound like you know they've been listening to this podcast.

1:35:22 - Steve Gibson
It sure did. Yeah, yeah, okay. So I needed to let all of our listeners know about these Token 2 pass keys dongles. They look fantastic and supporting 300 pass keys, individually manageable and deletable, with both USB A and C connection options, they look fantastic.

I will certainly admit to feeling some proprietary intellectual connection to YubiKey as the guy who happened to come along at the right time and had the perfect audience for them with this podcast, but that's the limit of it.

I would like them to succeed in the long term, but that requires them to keep up in what has obviously become a very competitive market. The huge advantage they've been enjoying is having been first, and that's a big deal. But to remain first they need to remain competitive, and we've all been scratching our heads over why they would still have a 25 key limitation when such limitation pretty much relegates them to the enterprise or password manager unlocking role. To be a consumer's primary passkeys container requires that they be able to retain and selectively manage hundreds of keys. So I'll say it again these Swiss-made Token 2 dongles look fantastic, and I should note that Yubiuba Key has since announced a new key and I don't remember the number. It might be 200, but even now, it doesn't appear to still be 300, or maybe 100. Anyway, the bad news is, unfortunately these guys are in Switzerland and the one we want is currently sold out.

1:37:23 - Leo Laporte
But it says June 17th shipping, so that's not so bad.

1:37:26 - Steve Gibson
Oh, that's good. Yeah, that's good, although shipping unless you choose postal mail, which they discourage is twice the cost of the dongle. So, okay, anyway, the way I know that is that I've ordered two and they're on the way. So, anyway, thank you very much, reini, for providing a direct, a direct link to the token to page which, as I said, is in the show notes. Uh, also another listener, andreas, in germany, also pointed to the Token2 solution which, by the way, is FIDO, fido2 with WebAuthn, totp, usb and NFC, and it really does look very slick.

1:38:12 - Leo Laporte
Clearly they put a fairly potent chip in there. So when it says 300, that could be 300 passkeys.

1:38:19 - Steve Gibson
It is 300 FIDO2 WebAuth pass keys.

1:38:25 - Leo Laporte
oh wow 300 is probably a good start. I don't, at least for a while, yeah yeah okay and leo let's.

1:38:33 - Steve Gibson
I think we're at our last break. Yes, we are. Um, we should do that. And then we're gonna go into what 312 scientists and researchers think about the latest iteration that the EU is still trying to work on here to protect the children. And actually they end up with an observation that I don't think we've yet seen, which is really good.

1:39:01 - Leo Laporte
All right, yeah, there are some surprises here Coming up, but first a word from our sponsor, miley. I love Miley, I use Miley Miley is my well. Initially they call it Miley Photos. It's a photo organizer, but it turns out it's also video and documents, and they have OCR built in. They have automatic tagging built in. They have face recognition built in all without going to the cloud. All private on device, free for the first device, so you could try it out free right now on your PC, mac, ios or Android device.

I have, of course. I immediately got Miley of Photos Plus and I have more than 200,000 photos and documents stored in there and it is the best automatic organization I've ever seen. I can import from all the other places I've been sticking photos, like Instagram and Facebook. In fact, the most useful one to me was Google Photos. I can actually do a Google Photos takeout. It can read the takeout files, which is not a de minimis feature. That is something hard to do. I've done by hand. They do it automatically. If you have Miley O's Photos Plus, they'll de-dupe it, which you need to right, because I've been storing photos the same photo in many different places, but this way I've got one kind of canonical copy of every photo. It automatically tags it and it's very detailed tagging. It's just amazing. It's a great way of making sure your data, your photos probably some of the most valuable digital content you have are safe. How do you decide where to store your data? Are your photos and videos safe on the cloud? People ask these questions of themselves. What about duplicates? What about storage space? Can I find what I need when I need it? With so many variables, it's hard to feel like you're in control of your memories and documents that are supposed to be yours, but not anymore. Not for me. I'm an avid user, as are many of the people here at TWIT of Miley of Photos an avid user, as are many of the people here at Twit of Miley of Photos. Miley of Photos is now follow along here.

Private cloud independent platform that helps you consolidate, curate and control all your important photos, videos and files in a single library iOS, android, mac, windows. You can get started for free on one device. Make it the device with a lot of storage, because you're going to put everything in it. You can use it. It does what steve calls pre-internet encryption end-to-end encryption so you can store it on any public cloud. No one can see it except you, because it's encrypted before it even goes up to the cloud. So it supports google drive and microsoft one drive, and I think I cloud I actually use it with my Synology NAS, so my NAS becomes my cloud storage. It never hits the cloud, but I've got everything, every bit of data, backed up three ways to Sunday.

Miley of photos. You can get started for free, but if you sign up for the paid plan you'll get automatic backups. You'll get syncing between devices. Oh, I didn't mention that, but if I put Miley on a new device, I just put it on my Windows PC here it automatically syncs up. You can choose too, by the way. Do you want originals? Do you want thumbnails? You can choose how it stores it. So if you have a smaller storage machine, you can like this. One's only 512 gigs. I'm not going to store all my photos on there. You can say, yeah, uh, you can like this. One's only 512 gigs. I'm not going to store all my photos on there. You could say, yeah, just the thumbnails, unless I want the full photo. I mean, I can go on and on. This thing and I've been known to this thing is fantastic. I am the hugest fan of my leo photos. It integrates now with a great many um uh genealogy sites the lds genealogy sites, the LDS genealogy site so you get free access to that. Myleo is just brilliant.

Take control of your digital assets with MyLeo Photos. The paid plan is $9.99 a month or $99 a year. Stay tuned, I'm going to make it even better. You can do that on all your devices organize, manage, protect an unlimited number of photos and videos on all your devices. Organize, manage, protect an unlimited number of photos and videos on all your devices. I do. I have it on every device. Take control of your digital assets with MyLeo M-Y-L-I-O.

Myleo Photos today. Get started for free with their basic version, or take full advantage of the platform with MyLeo Photos Plus, using our special offer. Now here's the deal 25% off your annual or monthly subscription to MileyO Photos+. To sign up and get 25% off, go to our exclusive address MileyO M-Y-L-I-O. Mileyocom slash twit25. Get it for 25% off. Mileyocom slash twit25. The more I use it, the more I realize what I can do with it. The smart tagging is brilliant. I just feel like I need to tell you about this. It's so fantastic. Try it for free. You find out for yourself. Myleocom slash twit25. Thank you, myleo, for supporting Steve and the good works he does here at Security. Now, all right, steve, let's talk about 200 doctors. Can't be wrong, or something, something like that.

1:44:15 - Steve Gibson
Our listener, robin Van Zahn, in the Netherlands, brought this recently produced letter to my attention. So thank you, robin. The letter opens by introducing itself. The text below is an open letter on the position of scientists and researchers on the recently proposed changes to the EU's proposed child sexual abuse regulation. Now, we're interested in this, of course, because this is all about whether we're going to have backdoors and something is going to be monitoring communications for, you know, grooming and and CSAM material and so forth. So as of the 7th of May, exactly two weeks ago today, the letter has been signed by 312 scientists and researchers across 35 countries. I mean, it is the who's who of security and research. So, and what's interesting, is that there has been some very good you know good faith back and forth here. So you know this is not an open letter that's just being blown off and being ignored.

The EU's regulators and legislators have changed their legislation in an attempt to solve the problems that were earlier voiced. That were earlier voiced. As we're going to see, not only are they not there yet, but there's real good reason to believe. As we probably all know, you can't get there from here. Okay, so it turns out that what scientists and researchers have to say, is quite refreshing because it actually engages science, math, statistics and yes, reality, as opposed to the politician's statements of. You know, this is what we want and what we're preparing to demand. So I want to share what these 312 scientists and researchers collectively assembled and it's not overly long. And, you know, because the devil, as it turns out, is in the details and because there's probably no more important issue on the table at this moment, arguably in the world, than what the EU's political class will finally decide to do about this. And, importantly, as we'll see, this is the technical response to the politicians' responses to the previous technical response and, as I said, what's heartening is that both sides so far appear to be negotiating here in good faith and the politicians are at least listening in good faith, and the politicians are at least listening. So, as we know, for their part, the UK was faced with the same problem and serious opposition to their similar proposal to require all private conversations to be monitored for content. What they did was wisely added the caveat where this can be proven to be technically feasible without compromising security which allowed the politicians to say that they had passed legislation and allowed all the messaging providers to continue offering fully private end-to-end encryption because it hadn't been, and cannot probably be proven to be feasible without compromising security. So win, win, win, win, win. Ok, but the European Union is not there yet. So here's the latest feedback from the EU's technical experts, which is intended to inform the politicians of reality.

The undersigned wrote we're writing in response to the new proposal for the regulation introduced by the presidency on the 13th of March 2021. So 13th of March, right Just a couple of months ago. The two main changes with respect to the previous proposal aim to generate more targeted detection orders and to protect cybersecurity and encrypted data. We note with disappointment that these changes failed to address the main concerns raised in our open letter from July of 2023, so nearly a year ago. Our open letter from July of 2023, so nearly a year ago regarding the unavoidable flaws of detection techniques and the significant weakening of the protection that is inherent to adding detection capabilities to end-to-end encrypted communications.

The proposal's impact on end-to-end encryption is in direct contradiction to the intent of the European Court of Human Rights decision in Podkachev v Russia on the 13th of February of this year. We elaborate on these aspects below Now, just to interrupt here. I tracked down that decision. The case surrounded Russia's FSB, demanding that Telegram turn over the decrypted communications of six individuals who the FSB alleges were involved in terrorism against the Russian state, and refused explaining that, since all of the subjects involved had enabled Telegram's optional end-to-end fully encrypted mode, telegram's default ability to store unencrypted conversation data in their servers was thwarted.

And indeed paragraphs 79 and 80 of the decision of the European Court of Human Rights Back that up. And I skipped all of the earlier paragraphs. Here's what those two paragraphs say 79 says the court concludes that in the present case, the ICO statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users. It is accordingly not proportionate to the legitimate aims pursued. In other words, yes, the intention is legitimate, but the only way you can do this is by weakening encryption for everybody, and that's not a proportionate response.

And then paragraph 80 says the court concludes from the foregoing and that's all the other paragraphs that I'm sparing everyone that the contested legislation providing for the retention of all Internet communications of all users, the security services, direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. Insofar as this legislation permits the public authorities to have access on a generalized basis and without sufficient safeguards to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention. The respondent state has therefore overstepped any acceptable margin of appreciation in this regard. So what this tells us is that, separate from whatever political pressures the EU's politicians may be under, when the issues at stake are very carefully and thoroughly examined by the European courts, their decisions never support the application of wholesale surveillance. For the sake of our listener sanity, as I said, I skipped over the first 78 paragraphs, but those paragraphs make it very clear that the courts really do very clearly understand the issues. They clearly understand that the phrase selective backdoors is an oxymoron, that the phrase selective backdoors is an oxymoron.

Okay, so continuing with the technologist's latest rebuttal response to the politician's attempt to modify them. Following their first surveillance proposal, they all wrote and signed Child sexual abuse and exploitation are serious crimes that can cause lifelong harm to survivors. Certainly, it is essential that governments, service providers and society at large take major responsibility in tackling these crimes. The fact that the new proposal encourages service providers to employ a swift and robust process for notifying potential victims is a useful step forward. However, from a technical standpoint to be effective, this new proposal will also completely undermine communications and system security. The proposal, notably, still fails to take into account decades of effort by researchers, industry and policymakers to protect communications. Instead of starting a dialogue with academic experts and making data available on detection technologies and their alleged effectiveness, the proposal creates unprecedented capabilities for surveillance and control of Internet users. Again, the proposal creates unprecedented capabilities for surveillance and control of Internet users. This undermines a secure digital future for our society and can have enormous consequences for democratic processes in Europe and beyond.

So then, they bring up five points. The first the proposed targeted detection measures will not reduce risks of massive surveillance. Risks of massive surveillance, they said. The problem is that flawed detection technology cannot be relied upon to determine cases of interest. We previously detailed security issues associated with the technologies that can be used to implement detection of known and new CSA material and of grooming, because they are easy to circumvent by those who want to bypass detection and they're prone to errors in classification. The latter point is highly relevant for the new proposal, which aims to reduce impact by only reporting quote users of interest unquote defined as those who are flagged repeatedly, and they said as of interest. Unquote defined as those who are flagged repeatedly, and they said, as of the last draft, twice for known CSA material and three times for new CSA material and grooming. They said.

Yet this measure is unlikely to address the problems we raised. First, there is the poor performance of automated detection technologies for new CSA material and for the detection of grooming. The number of false positives due to detection errors is highly unlikely to be significantly reduced unless the number of repetitions is so large that the detection stops being effective. Given the large amount of messages sent in these platforms in the order of billions one could expect a very large amount of false alarms on the order of millions. So they then had a footnote which explains how they draw this conclusion.

They said given that there has not been any public information on the performance of the detectors that could be used in practice, let us imagine we would have a detector for CSAM and grooming, as stated in the proposal, with just a 0.1% false positive rate, in other words, one in a thousand times. It incorrectly classifies non-CSAM as CSAM, which is much lower than any currently known detector, right? So they're drawing like a best, absolutely beyond best possible case. They said. Given that WhatsApp users send 140 billion messages per day, even if only 1 in 100 would be a message tested by such detectors, there would be 1 identify at least five repetitions using different, statistically independent images or detectors. And this is only for WhatsApp. If we consider other messaging platforms, including email, the number of necessary repetitions that is, you know, repeated hits on a given individual before you raise the alarm, in order to bring down, basically, the rate at which alarms are being raised, you need to raise that number of repetitions, they say, would grow significantly to the point of not effectively reducing the CSAM sharing capabilities, meaning detection would then be effectively neutered.

Then they said second, the belief that the number of false positives will be reduced significantly by requiring a small number of repetitions relies on the fallacy that, for innocent users, two positive detection events are independent and that the corresponding error probabilities can be multiplied. In practice, communications exist in a specific context, for example, photos to doctors or legitimate sharing across family and friends, they said. In such cases, it is likely that parents will send more than one photo to doctors, and families will share more than one photo of their vacations at the beach or pool, thus increasing the number of false positives for this person. It is therefore unclear that this measure makes any effective difference with respect to the previous proposal. Okay, so, in other words, the politicians proposed to minimize false positive detections by requiring multiple detections for a single individual before an alarm is raised, but the science of statistics says that won't work, because entirely innocent photographs of one's children will not be evenly distributed across the entire population of all communicating users. People who have young families and like to share photos of their children frolicking at the beach in their bathing suits will generate massive levels of false positive CSAM detections, because there is massively non-equal distribution of content that might falsely trigger CSAM detection, the scientists explained. Furthermore, to realize this new measure, on-device detection with so-called client-side scanning will be needed. As we previously wrote, once such a capability is in place, there's little possibility of controlling what is being detected and which threshold is used on the device for such detections to be considered of interest.

Proposed legislation involves their attempt the legislator's proposal of attempting to divide applications, that is, you know, like WhatsApp as an application, telegram as an application to divide applications into high-risk and low-risk categories, so that only those deemed to be high risk would be subjected to surveillance. The techies explain why this won't work. They write High-risk applications may still indiscriminately affect a massive number of people. A second change in the proposal is to only require detection on parts of services that are deemed to be high risk in terms of carrying CSA material. This change is unlikely to have a useful impact, as the exchange of CSA material, or grooming, only requires standard features that are widely supported by many service providers, such as exchanging chat messages and images. This will undoubtedly impact many services. Moreover, an increasing number of services deploy end-to-end encryption, greatly enhancing user privacy and security, which will increase the likelihood that these services will be categorized as high risk. This number may further increase with the interoperability requirements induced by the Digital Markets Act. That will result in messages flowing between what was previously low-risk and high-risk services. As a result, almost all services would be classified as high-risk. This change is also unlikely to impact abusers. As soon as abusers become aware that a service provider has activated client-side scanning, they'll switch to another provider. That will, in turn, become high-risk, which quickly, very quickly all services will be high-risk, which defeats the purpose of identifying high-risk services in the first place, and because open-source chat systems are currently easy to deploy, groups of offenders can easily set up their own service without any CSAM detection capabilities.

We note that decreasing the number of services is not even the crucial issue, as the change would not necessarily reduce the number of innocent users that would be subject to detection capabilities. This is because many of the main applications targeted by this regulation, such as email messaging and file sharing, are used by hundreds of millions of users, or even billions in the case of WhatsApp. Once a detection capability is deployed by the service, it's not technologically possible to limit its application to a subset of users. Either it exists in all the deployed copies of the application or it does not. Otherwise, potential abusers could easily find out if they have a version different from the majority population and therefore if they've been targeted aversion different from the majority population and therefore if they've been targeted. Therefore, upon implementation, the envisioned limitations associated with risk categorization do not necessarily result in better user discrimination or targeting, but, in essence, have the same effect for users as blanket detection regulation.

So, basically, these guys are just. You know, they're cutting through these proposals, one after the other, very carefully backing up their statements with, you know, actual data. The second is detection in end-to-end encrypted services by definition undermines encryption protection. They go over this again, explaining why that's a case, and they note. One of the other arguments is and we've talked about this on the podcast the idea of adding age discrimination. Well, they said, introducing more immature technologies may increase the risk, and they note that their proposal states that age verification and age assessment measures will be taken, creating a need to prove age in services that before did not require. So it then bases, they said, some of the arguments related to the protection of children on the assumption that such measures will be effective. We would like to point out that at this time, there is no established, well-proven technological solution that can reliably perform these assessments. The proposal also states that such verification and assessment should preserve privacy. We note that this is a very hard problem. While there is research towards technologies that could assist in implementing privacy-preserving age verification, none of them are currently in the market. Integrating them into systems in a secure way is far from trivial. Any solutions to this problem need to be very carefully scrutinized to ensure that the new assessments do not result in privacy harms or discrimination causing more harm than the one they're meant to prevent. So they conclude saying, with secure paths toward child protection, forward for child protection, and this is really good. They said, protecting children from online abuse while preserving their right to secure communications is critical.

It is important to remember that CSAM content is the output of child sexual abuse. Eradicating CSAM relies on eradicating abuse, not only abuse material. Proven approaches recommended by organizations such as the UN for eradicating abuse include education on content, on norms and values, on digital literacy and online safety and comprehensive sex education, trauma-sensitive reporting hotlines and keyword search-based interventions. Educational efforts can take place in partnership with platforms which can prioritize high-quality educational results in search or collaborate with their content creators to develop engaging resources. We recommend substantial increases in investment and effort to support existing proven approaches to eradicate abuse and, with it, abusive material.

Such approaches stand in contrast to the current techno-solutionist proposal, which is focused on vacuuming up abusive material from are aiming at the wrong target anyway.

So even if you got everything you want by effectively eliminating security and all privacy, it won't actually solve the problem that you're hoping to solve. So I think the problem is that this is like an iceberg. Csam is the tip of the iceberg, that is, the visible manifestation of something that is abhorrent, and because we see it the tip of that iceberg, we want to get rid of it. But these authors remind us that CSAM is the output, it's the result of these abhorrent practices, less so the practices themselves. What I'm heartened by, as I said at the top, is that we appear to be seeing a true, honest, back-and-forth negotiation in good faith between European Union politicians and European scientists and researchers, given that the original proposed legislation was significantly amended after their first round of objections and feedback. It appears the politicians are not understanding what their technocrats are explaining and, of course, we have no idea what's going to finally happen, which is what makes all this so interesting, and it is obviously very important.

2:09:51 - Leo Laporte
So stay tuned, yeah it's so much easier to go after the symptom than the cause.

2:10:00 - Steve Gibson
Isn't it exactly right?

2:10:02 - Leo Laporte
That is exactly right and unfortunately there's huge side effects to going after the symptom that make for more problems, so it's not really a great solution.

2:10:14 - Steve Gibson
And nothing prevents the politicians from wanting to save face or look good by saying we did this.

2:10:20 - Leo Laporte
We fixed it, it's all over. But see, it's not going to be all over, and that's the really, that's the nut of it.

2:10:27 - Steve Gibson
And the best, yes, the most important reminder is that CSAM is the output of the practice, not, you know, not the practice itself, and it's the practice that you want to curtail Right.

2:10:41 - Leo Laporte
Well, good stuff as usual. Uh, you don't you fear. Have no fear to go where angels fear to tread, and that's good, that's good, that's what we want. Uh, you're going to hear it here. Uh, you're going to hear it all.

Steve gibson at grccom. That's where he has his hangs, his hat, that's whererite 6.1 is the world's best mass storage. Now I have to add performance, recovery and maintenance utility and recovery performance utility. It really is a great tool. It's Steve's bread and butter. Go on there and check it out While you're there.

Of course, you can get the show. Steve has the normal 64-kilobit audio version. He also has 16-kilobit audio for the bandwidth impaired and he has great human no AI here human-composed transcripts of the show which makes it easy to search, read along while you listen, and all that GRCcom. He's at S-G-G-R-C on Twitter I guess they call it Xcom now, so if you want to leave him a DM there, you can do that. There's also a feedback form on the website GRCcom slash feedback. We have the show on our website twittv slash SN for security. Now All the episodes are there 64 kilobit audio and our unique form, which is video. We also have video of the show, because who doesn't want to see Steve's smiling face. You can also find a YouTube channel dedicated to the video of the show. Best way to get it, though, is to subscribe, and if you do, you'll get it automatically. Just find your favorite podcast player. Search for Security.

Now, we've been going 20 years, folks. It's there. I promise you, one of the longest running shows on the internet. Now, I should mention that one of the reasons we continue to run is yes, I mentioned advertising dollars are dwindling. You may hear ads on this show, but they are paying half what they used to pay, and, frankly, it doesn't cover expenses anymore. That's why we've come to you and said can you help us out? Simply by joining Club Twit.

Now, we do give you benefits. It's not a donation. You get ad-free versions of all the shows. You get the Discord, where you can chat with all the other great Club Twit members. It's really a wonderful community of people I think it's just it's self-selecting, I guess and it's just really smart, interesting people. You can hang out with them in the Discord. You can hear and see shows that we don't otherwise put out in public, including Stacy's Book Club coming up on the 20th. We also, by the way, have video shows that you can only hear on the Internet, like iOS Today and Hands on Windows, hands on Macintosh, the Untitled Linux Show and so forth.

Club is a good value, but the best value is you're keeping Steve and the rest of the network on the air. You're keeping the lights on the people employed. Seven bucks a month. Twittv slash club twit. If you want to watch us, do it live. We do stream live on YouTube the minute the show starts and then we turn it off the minute it ends. So it's just that period of time the show's on the air. Go to youtubecom slash twit slash live. If you smash the bell then you'll get the automatic notification when we go live. This show is normally live right after MacBreak Weekly, which is roughly 1.30 Pacific, 4.30 Eastern, 20.30 UTC. Again, youtubecom slash twit slash live. Steve, have a great week and we'll see you right back here on Security Now. Next week Will do my friend Till then. Security Now.