
Security Now 976 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's Security Now. Steve Gibson is here. We have lots to talk about. He's going to give you his take on Windows 11's new Recall feature. That's the 50-gigabyte privacy bomb you've heard about. Also, when is a VPN not a VPN? Can you really replace surface-mount chips? Are vertical tabs finally coming to Firefox? And a new way to contact Steve directly. It's all coming up next, on Security Now. Podcasts you love, from people you trust.

0:00:36 - Steve Gibson
This is.

0:00:37 - Leo Laporte
TWiT. This is Security Now with Steve Gibson, episode 976, recorded Tuesday, May 28th, 2024: The 50-Gigabyte Privacy Bomb. It's time for Security Now. Yay, we wait all week for this, don't we, kids? And here he is, appearing magically like a wizard in a puff of greasy smoke. What are you sucking your thumb for? Steve Gibson of GRC.com. Hi, Steve. Hey, Leo, great to be with you again. I called them kids, not you.

0:01:15 - Steve Gibson
As I knew who you were talking about. We are beyond. You know we're discussing things that happen when you're no longer a kid.

0:01:25 - Leo Laporte
Which they didn't really tell you about when you were kids. It's like, you old people, that's never going to happen to me. We were talking earlier about tinnitus, ringing in your ears. Do you have that? No, you were smart.

0:01:40 - Steve Gibson
I said no too quickly. Right now, if I concentrate I can hear probably that nine kilohertz very faintly in the background.

0:01:51 - Leo Laporte
Okay.

0:01:52 - Steve Gibson
Yeah. That's not bad, yeah, yeah so it's not bad.

0:01:56 - Leo Laporte
I hear it. It's very predominant, very persistent on this show too, I'm sure is. I'm doing this new FDA-approved process that uses electrodes on your tongue while you're listening to something I'm not sure what in your ears. I'm going to get fitted for that a week from Thursday. I'll let you know if it works.

Yes, on your tongue it feels like pop rocks kind of fizzy yeah, that's what people report a little tickling. Yeah, yeah, I can take that and they tune it. They can say if they told me, they say, if it's really bothering you, we can turn it down, all right, but I want all the uh, I want all the pop rocks personally, you all you want to get the full dose treatment, whatever.

0:02:37 - Steve Gibson
It's driving me crazy at this point. I really need to really cool to see if it yeah I hope so anyway, what's on the scent? Of people got yeah, it's that well. That's why I'm doing it?

0:02:45 - Leo Laporte
I, I hope so. Anyway, what's on, the 80% of people got helped by it. Yeah. Well, that's why I'm doing it. I mean, it's not cheap, but I thought, if 80%, if it works for 80%, maybe I should try it. Yeah, yeah, watch, I'll be the one in five that doesn't. Okay, so we are closing in on 999.

0:03:01 - Steve Gibson
Yay and the.

0:03:03 - Leo Laporte
Bad news, bad news for you. Good news for the rest of us. Right, you have to keep working.

0:03:09 - Steve Gibson
We've got another great, fun episode here. Today's episode is titled the 50 Gigabyte Privacy Bomb, which we will be discussing at length, but we're first going to talk about why Google's AI overview is fundamentally impossible for them to do today, and we're going to look at the latest news on how to suppress it. As you would expect, you know, lots of people are coming up with various ideas and there are some cool solutions. Also, I just thought I would bring up the fact that LastPass has announced something that is maybe 10 years too late. So thanks. And also, why and when is a VPN not a VPN? Are eMMC chips really impossible to replace, as I kind of offhandedly said last week? So we have a listener who takes issue with that.

Are vertical tabs finally coming to Firefox? Everyone wants them. No one seems to be able to get them, at least not natively. Also, what does one well-informed listener think about the Fritz!Box network appliance which came up last week? What is the worst thing that could be done with four-digit PINs? We have a listener who explains his firsthand experience with that. And were we guilty of Windows XP abuse by exposing it to today's internet? Apparently someone feels we should have been a little kinder and gentler. Also, yes, how can Security Now listeners now send email directly to me? GRC's new email system is alive. And after looking at all of that, we're going to examine the latest crazy idea from Microsoft, which deliberately plants a 50-gigabyte privacy bomb right in the middle of all Windows 11 PCs, where, as we'll be marching out, they are often used, sometimes overused. What could possibly go wrong?

0:05:24 - Leo Laporte
So you're saying we're not talking Little Boy, we're talking Fat Man on this one. We're talking...

0:05:31 - Steve Gibson
Could we have done anything that more delights Chinese attackers?

0:05:36 - Leo Laporte
Oh great, oh good. Oh, that's exciting. All right, we'll get to all that and the world-famous Picture of the Week. Actually, I'm glad you chose the one you chose, because there are far worse ones.

0:05:51 - Steve Gibson
Don't do cockroaches. Okay, good, all right.

0:05:53 - Leo Laporte
All right, all right, we'll talk about that in just a little bit. First, though, this portion of the show is brought to you by Kolide. We love these guys. You know we've talked about them for at least a couple of years on Security Now, but you probably heard the recent news that Kolide, K-O-L-I-D-E, was just acquired by 1Password, and you know, while sometimes an acquisition can be nerve-wracking, this is a match made in heaven. Both companies focus on the same thing. They're leading the industry in creating security solutions that put users first.

For over a year, Kolide Device Trust has helped companies that use Okta to get that second part of the authentication done right. Okta makes sure that the person is who they say they are. Kolide makes sure that only known and secure devices can get into your network, and that's really an important part of it, isn't it? And they're still doing that. This is to reassure you that being part of 1Password just makes it better. So if you've got Okta and you've been thinking about trying out Kolide after hearing us talk about it, please go ahead.

Now is a great time. It's very easy to get started with. Kolide comes with a library of pre-built device posture checks, so the stuff that you know, you absolutely know you would want: is the operating system up to date, is the browser up to date, is their Plex server up to date? You know, that kind of stuff. But you can also easily write your own custom checks for just about anything you can think of. So your particular solution, you know, it's completely custom to your particular situation. Plus, and I love this, you can use Kolide on devices without MDM, which means you can now use it with your Linux fleet, contractor devices, even all those stray BYOD phones and laptops on your network. All can be set up to use Kolide. And now that Kolide's part of 1Password, it's only going to get better. Please check it out.

kolide.com/securitynow. There's a great demo on there. They'll explain it all. K-O-L-I-D-E dot com slash securitynow. If you're using Okta, this is the second part of that very important equation. kolide.com/securitynow. We thank them so much for their support of Steve Gibson and Security Now. Picture of the Week time.

0:08:21 - Steve Gibson
So yes, I gave this snapshot of Google's brilliant AI Overview the caption: don't you just hate it when the cheese slides off the pizza? Apparently, some people do. That's a real problem, you know, Leo, especially on the space station. Fortunately, Google's AI Overview has the obvious answer, and again, you know, of course this is what it would suggest. So the question that prompted this was "cheese not sticking to pizza." AI Overview jumps in and says: cheese can slide off pizza for a number of reasons, including too much sauce, too much cheese or thickened sauce. Here are some things you can try. Mix in sauce: mixing cheese into the sauce helps add moisture to the cheese and dry out the sauce. You can also add about one-eighth cup of non-toxic glue to the sauce to give it more tackiness. Mmm, yum, yum. Oh, that's right. Yes, oh, and it's not like some. It was like last week we had two quarts of urine. You were supposed to. Yes.

Not just drink urine, but how much you should be consuming. And here you know you don't want to overdo the glue Never. So it's only one-eighth of a cup.

0:10:01 - Leo Laporte
You actually could do this with non-toxic Elmer's glue or something like that. You could do it. Absolutely Not sure I would recommend it.

0:10:07 - Steve Gibson
You know, kindergartners are eating that stuff. Yeah, what?

0:10:10 - Leo Laporte
the heck Sure.

0:10:11 - Steve Gibson
Okay. So it turns out that this latest AI hallucination is based upon an eight-year-old Reddit posting which was posted as a joke on Reddit and, of course, all of the other humans there knew that it was a joke and thought that was kind of funny. The guy wrote: to get the cheese to stick, I recommend mixing about one-eighth cup of Elmer's glue in with the sauce. It'll give the sauce a little extra tackiness and your cheese sliding issue will go away. It'll also add a little unique flavor. I like Elmer's school glue, but any glue will work as long as it's non-toxic. Now, of course, Google's bot came along and scraped that up and thought, hey, there's an idea.

Let's hold on to that until someone asks why their cheese is not adhering. It's a can of worms, which Google's new AI Overview would probably tell you to eat. NBC News picked up on this trouble and offered some additional depth that I want to share, since it's really not that funny. Their headline, under Artificial Intelligence, was: Glue on pizza, two-footed elephants: Google's AI faces social media mockery. And then, as their subhead: A Google spokesperson said the company believes users are posting responses to uncommon questions on social media. Okay, so NBC said:

Social media has been buzzing with examples of Google's new "experimental," and they have that in air quotes, artificial intelligence tool going awry. The feature, which writes an AI Overview response to user queries based on sources pulled from around the web, has been placed at the top of some search results, but repeatedly, social media posts show that the tool is delivering wrong or misleading results. An NBC News review of answers provided by the tool showed that it sometimes displays false information in response to simple queries. NBC News was easily able to reproduce several results highlighted in viral posts online and found other original examples in which Google's AI tool provided incorrect information. For example, an NBC News search for how many feet does an elephant have resulted in a Google AI Overview answer that said: Elephants have two feet, with five toes on the front feet and four on the back feet.

Oh my God. Some of the false answers verged into politically incorrect territory. An NBC News search for how many Muslim presidents in the US, the results of which were first posted on social media, returned a Google AI Overview that said Barack Hussein Obama is considered the first Muslim president of the United States. Obama, however, is a Christian. Oh yeah. Google said this overview example violated its policies and that it would be, oh, taking action. I know what action they should take, Leo, and it's not the one they're going to take. Apparently, a Google spokesperson said in a statement, okay, so this is Google, quote: The examples we've seen are generally very uncommon queries and are not representative of most people's experience using Search. The vast majority of AI Overviews provide high-quality information with links to dig deeper on the web. We conducted extensive testing. You know, we spared no expense.

Yeah, we conducted extensive testing before launching this new experience to ensure AI Overviews meet our high bar for quality. Where there have been violations of our policies, we've taken action, and we're also using these isolated examples as we continue to refine our systems overall. NBC writes: It's difficult to assess how often false answers are being served to users. The responses are constantly shifting, and on social media it's difficult to tell what is real or fake. Some Google users have created workarounds to avoid the new AI Overview feature altogether. Ernie Smith, a writer and journalist, quickly built a website that reroutes Google searches through its historical web results function, which avoids the AI Overview or other information boxes that prioritize some results over others. Adding udm=14 to Google search URLs strips the new feature from results. Smith told NBC News that his new website has quickly gained traction on social media, surpassing the traffic of his entire decade-old blog in just one day. Smith said in a phone interview, quote: I think people are generally frustrated with the experience of Google right now. In general, the average person doesn't feel like they have a lot of agency. A Google spokesperson said the company believes users are deliberately attempting to trip up the technology with uncommon questions. Some deeper dives into why the answers have gone awry suggest that the tool is pulling from surprising sources. 404 Media reported that a Google search query for, and here it is, cheese not sticking to pizza, pulled an 11-year-old Reddit comment that jokingly suggested mixing Elmer's glue into the sauce. Even though Google has now removed the AI suggestion from searches for cheese not sticking to pizza, according to an NBC News search, the top result is still the Reddit post with the comment about Elmer's glue highlighted.
A Google spokesperson said that queries like, quote, cheese not sticking to pizza are not searched very often and are only being noticed because of the viral posts about wrong answers on social media platforms like X, of which there are many. The same issue with an old Reddit comment also occurred in a search for how to rotate text in MS Paint, referring to the Microsoft Paint application. The top Google search result viewed by NBC News redirects the reader to a sarcastic Reddit comment that says to press the flubble gorp key on your keyboard. They note this key does not exist. This example was originally posted on social media.

Despite Google's assertion that the tool is working well for many users, mistakes of the AI Overview are continuing to gain visibility and hype. Some of the answers that have been posted online seem to be fake, indicating that the trend has shifted from authentic errors to a new meme format. Okay, so a couple of comments. First, I think it's clear that it's wise to be extremely skeptical now about anything we see online in general these days, and not only Google AI Overview results that we receive, you know, but just as much any reports of bizarre and wonderfully wrong results. Every time I've encountered one of these reports, like I've been sharing, I've immediately worked to verify its authenticity as much as I can, since there's clearly some strong motivation to invent non-existent, high-profile, you know, funny failures. But here's NBC News, who themselves searched for how many feet does an elephant have, and was told "two."

My other observation is that I hope Google truly understands that there are two fundamental reasons why they're getting into trouble with AI overview. The first reason is how powerful and potent this would be if it were possible. It would be truly amazing. But that's coupled with a second reason, which is that what they are attempting to do is not even remotely possible Not yet, not today, not even close. Now.

I make no claims to being an AI expert, but we've all been paying attention, and our intelligence is not artificial. We know that the current level of AI development definitely falls short of comprehension. As their name suggests, these models are capable of mimicking the output of an intelligent species whose actual intelligent output was used to train them. But, as we're finding out, there's a world of difference between seeming and sounding intelligent and actually being intelligent. So here's the problem.

Google is attempting to use automation to create an accurate, factual summary overview of what the web contains without understanding the content. This can never work. It is not possible to create an accurate summary of content for which there is no comprehension. AI Overview doesn't know that glue should not be mixed with tomato sauce, because AI Overview doesn't actually know anything at all. Yet to do the job Google has given it, it must comprehend the content that it's accessing. What Google appears to have completely missed here is somewhat astonishing. I think, you know, it's that the job of displaying pages of links resulting from keyword matches is entirely different from attempting to extract truth and knowledge from the content behind those links. Keyword matching and link ranking they know how to do. Truth and knowledge extraction, no one knows how to do. Not yet, not today. But unfortunately that has not stopped Google, and it should have.

Okay, and this brings us to the perfectly named website, udm14.com, which our prolific Twitter poster Simon Zerafa tweeted to me. Thank you, Simon. Recall that when the string udm=14 is included, you know, appended to a Google search query, it serves as a shorthand asking Google to return its search results in what they term Web search mode. Among many other things, their AI Overview system is not consulted in that case. From that page at udm14.com, I discovered another site named 10bluelinks.org. Of course, 10 blue links is reminiscent of what Google was, you know, decades ago, back when I first discovered it and sent that second email from GRC's first email system out back then, when no one had ever heard of Google. 10 blue links was what you got on the page. So 10bluelinks.org, with just a few clicks of the mouse, allowed me to instantly and as permanently as I want switch my default Google search to Google Web Mode search in Firefox, for example, for Firefox on Windows or macOS.

The instructions are just: you visit 10bluelinks.org, then you right-click in the address bar and you get a drop-down menu which is enhanced by this site. At the bottom it says Add Google Web. So you click on that, then you open the hamburger menu in the top right corner, choose Settings, and then click on Search on the left, and then in the default search engine you will now have a new entry, Google Web, which you then select and you're done. Now Firefox will use by default, until you change it, this Google Web mode search for all your browser searches. You know, when I first read the instructions I thought, what? But sure enough, you just go to this website and it adds this cool option in the drop-down menu from right-clicking in the address bar, the URL field, and then allows you to make it your default. They've got instructions for Chrome on Android, Chrome on iOS, Chrome on Windows or Mac, and Firefox on Windows and Mac. So anyway, again, I commend to our listeners 10bluelinks.org. It's a very cool site.

0:25:01 - Leo Laporte
You don't actually get the overview on your Google search, do you?

0:25:07 - Steve Gibson
Actually, I don't think I've ever seen one yet.

0:25:11 - Leo Laporte
So what happened was it was part of Google's experimental labs. You could turn it on there and then, briefly, they made it default, and that's when they got in all the trouble. It's turned off now, I believe.

0:25:22 - Steve Gibson
Oh no kidding, I see it's still in labs.

0:25:24 - Leo Laporte
Yeah, I don't think anybody's actually getting it, and so they backed out almost immediately. Yeah, yeah, they said, oh whoops, but Google keeps doing that. It's amazing. I don't know why. It's amazing. It just keeps happening to them, but I don't, I don't think anybody's getting that now, unless you turn it on specifically. Interesting.

0:25:47 - Steve Gibson
So I don't know if udm=14 is different than that?

0:25:52 - Leo Laporte
I think it is because then I think you also don't get the knowledge graph and the correct suggested links and all that stuff.

0:25:59 - Steve Gibson
So it's still worth doing that. Yeah, and all of the image search stuff and all the other junk. Yeah, so udm=14, which is to say invoking the Google Web Mode search one way or the other, definitely cleans that up and suppresses all that.

0:26:17 - Leo Laporte
I stopped using Google Search a year ago, so none of this affected me, but I use Kagi. I pay for it because I don't want ads, and I think it's compromising.

0:26:30 - Steve Gibson
Uh, it's just terrible. Yep, well, it has compromised Google Search, right? I mean, it's completely skewed what they return. So, yeah, okay. So a piece in BleepingComputer caught my eye, mostly because of how pathetic the announcement seemed. BleepingComputer's headline was: LastPass is now encrypting URLs in password vaults for better security. To which I respond, gee, what a great idea. Finally. BleepingComputer wrote:

LastPass announced it will start encrypting (you know, maybe not even quite yet), so it's not just to protect data from external threats. LastPass says that, due to restrictions in processing power in 2008, when that system was created, its engineers decided to leave those URLs unencrypted, lessening the strain on CPUs and minimizing the software's energy consumption footprint. That's right. It was good for the planet, everybody. What a crock of you know what. But let me finish just another two lines from BleepingComputer's piece. They said, with most of the hardware performance constraints of the past now having been lifted, LastPass can now start encrypting and decrypting those URL values on the fly without the user noticing any hiccups in browser performance, while enjoying ultimate data security. LastPass says this is being done to enhance user security and comply with the company's zero-knowledge architecture. Everybody else does this, right?

0:28:45 - Leo Laporte
I mean, I know Bitwarden does. I think everybody does this, right? Everybody else.

0:28:49 - Steve Gibson
So, you know, okay, it's true that the world was very different back in 2008 when Joe Siegrist designed the original LastPass architecture, and I would believe that, since the URLs the user was visiting were needed for on-the-fly matching, and since their privacy, again, back in 2008, didn't seem like a big issue, Joe would have consciously and deliberately chosen not to keep them encrypted, especially given that everything else in there was. So his not encrypting the URLs at the time was obviously intentional, but that was 16 years ago, and the flow of time really does impact what we would term best practice today. Back then, most web sessions were only briefly encrypted during login, after which the connections dropped back to plain old HTTP and, as we know from Firesheep, the now logged-in sessions were completely exposed to the Internet, allowing those sessions to be impersonated easily. That would no longer be considered best practice today, and no one does that anymore. So as times change, what's considered reasonable changes along with it. But computers have been plenty powerful, for the past decade at least, to handle on-the-fly URL decryption without introducing any discernible pause or overhead.

Back when we were talking about this, I noted that it would have been possible to keep the user's vault encrypted on disk and only decrypt it in RAM. That was the decryption event. That would have been one time only, during browser launch, when the extension was coming to life. It would have decrypted the on-disk storage into RAM, where it could then access it easily on the fly, but what was actually stored in the computer and was available potentially to be stolen would have been kept fully encrypted. So there have been ways to offer vault encryption at rest without any problem for a long time.

I suspect that the real problem is and we talked about this at the time LastPass's parent LogMeIn was purchased by a purely financial private equity firm back in 2019. For what? Four point some billion dollars I mean a ton of money and that new parent did not love it for anything more than the cash flow it could produce. In any event, for anyone who may still be lingering with LastPass, I just wanted to note that, for what it's worth, your vault stored URLs on your machine will now finally be encrypted at rest. So good on you and Leo, let's take a break. Good on you. Yes, I'm going to share a piece of feedback that will lead on to our next bit of news.

0:32:20 - Leo Laporte
All right, but first a word from our sponsor, DeleteMe. This episode of Security Now is brought to you by DeleteMe, which we use because it's a security issue for businesses as well as individuals. Have you ever searched for your name online? Oh, it's painful. I actually don't recommend it, unless you don't believe me. You could search for it and you will be amazed at how much of your personal information is out there, and this is an important issue for everybody.

I said businesses because we use it for our management, because, well, Lisa was impersonated and scammers contacted her direct reports. They knew her, they knew who her direct reports were, they knew her phone number, they knew their phone numbers. You know that data brokers are collecting this stuff like crazy. Now you can go to each individual data broker, there are hundreds, if you knew them all, and say take my stuff down. Problem is, data brokers immediately start repopulating after you do that, because they're still getting all that information from your ISP, from your advertisers, from everybody. Right, it's just floating around.

DeleteMe is the way to get rid of it, and not just for you, but for your family too. Yeah, they have family plans now. You have to be an adult to sign up for DeleteMe, but as the adult account manager, you can assign a unique data sheet to each family member. You can tailor it to them with easy-to-use controls, so you can manage privacy settings for the whole family. It reduces the risk of identity theft from cybersecurity threats like those fake text messages that Lisa did not send out, harassment, and a lot more. DeleteMe's experts will find and remove your information from hundreds of data brokers, but then they continue to scan and remove information regularly, including, I mean, everything: addresses, photos, emails, relatives (relatives, yes), phone numbers, social media, your property value, and a lot more.

Protect yourself, reclaim your privacy by going to joindeleteme.com/twit, use the code TWIT and you're going to get 20% off. That's a great deal. joindeleteme.com/twit, offer code TWIT for 20% off. If you listen to the show, you know exactly how bad data brokers are. Fortunately, there's a great tool to fight them: DeleteMe, joindeleteme.com/twit. We thank them so much for their support of Steve and Security Now. You know, I don't think we're ever going to get any data brokers advertising on this show. I'm just guessing.

0:34:57 - Steve Gibson
I'm just guessing, but all right uh, yeah, that would be a difficult uh I know I wouldn't do it.

I wouldn't do it. So, uh, I'm going to take one piece of listener feedback out of sequence, ahead of the pack, because of the PS that Andrew included, which I'll get to in a second. So this is from Andrew Gottschling, who said: Hey, Steve, I wanted to provide some feedback to Haku's comment on VPNs and firewalls. It's probably not an option for many, if not most, corporate users. This is because many corporations these days, and all of the ones I've worked for thus far, utilize split tunneling on their VPNs to reduce bandwidth usage for high-bitrate communications that are common, for example, voice and video calling on Teams or Slack. Therefore, simply blocking all traffic from leaving on anything other than the VPN interface, unless it's to the VPN concentrator, would not be feasible in these cases, especially in the case of something like Slack, which runs in AWS and their IP range is very dynamic. Love the show. Thanks for all you do. Andrew. So Andrew is exactly right, and this could be a problem with any VPN that insists upon forcing all of the system's traffic through its tunnel and its tunnel alone. The problem we're running into, sort of more broadly, is that we're tending to use the term VPN generically, like there's only one sort of VPN.

You know, a VPN only does one thing, you know, as if they're all created equal, but that's not the case. For example, the VPN that a typical roaming consumer in an Internet-equipped cafe, airport or hotel might want installed on their laptop would be a VPN that proactively refuses to allow any packet traffic in or out of that machine that does not travel through its tunnel. What such a consumer will want is full protection. This is contrasted against, for example, an IP and IT managed enterprise setting where a great deal of attention has been paid to exactly which traffic flows, where, for example, headquarters might have several satellite offices located elsewhere in the world which need to participate on the same corporate network as if they were, you know, attached. And since that traffic cannot safely be exposed to the internet, static VPN tunnels would be established to securely interlink the satellite offices, no matter where they were. In this case, only the traffic that's bound for network addresses at the other end of a VPN tunnel would be routed there, with all the other local traffic allowed to have contact with the internet directly.

So, you know, these are all just differing applications for virtual private networks, where, you know, that's sort of a generic umbrella term. The common factor is that traffic is being encrypted and decrypted as it flows between one or more local and remote IP addresses, and part of what's so cool about VPNs is that they are, you know, the V stands for virtual. You know, they really are a virtualizing technology that is very flexible and very powerful. Now, as I said, I chose Andrew's note because it arrived, Leo, via email addressed to securitynow@grc.com, and Andrew ended his note with a PS, which read: PS. This new email system is real, all caps, SLICK. Glad to get rid of Twitter.

0:39:27 - Leo Laporte
You have set something up, haven't you?

0:39:30 - Steve Gibson
What email system, you ask? Well, since you asked, it's GRC's new email system. Excellent. I finally have the long-awaited email announcement for GRC, which features, for this podcast, a simple means for our listeners to send feedback and thoughts to me through spam-proofed email. As I mentioned last week, GRC has been without any form of subscription email news system since I shut down the first system, which I wrote 25 years ago, back in 1999. The completion of SpinRite 6.1 created my need to announce it to 20 years' worth of SpinRite 6 owners, and it would be nice to be able to send news of new things I create to those who would like to know of them. For example, I do have plans to revisit ValiDrive, which has turned out to be extremely popular. I've got a list of things I want to do for ValiDrive 2.0. That'll just be a little quickie update, but very useful. And, of course, GRC's DNS Benchmark, which continues to be the most popular download we have, could use a bit of attention as DNS servers come and go. So that's on the side of sending email out.

What about receiving feedback from our listeners? Just yesterday I received a very useful DM tweet from someone who said he created a Twitter account just so he could send me that tweet. And, as we know, many of our listeners have had to do so. On the one hand, I'm deeply honored that our listeners are as interested in engaging as so many are. I'm blown away by that. But on the other hand, I'm horrified that the bar has been set so high by the need to join any social media service just to send me some thoughts or a link to something that might be of interest to our listeners, especially when everyone already has email. Email is the obvious common denominator.

And now, before I go on, just for the record, allow me to reiterate one last time, because I know there are still some people who need to hear this. This has absolutely nothing whatsoever to do with Elon Musk's ownership of Twitter. Really, nothing. I could care less. For one thing, I am barely a Twitter user. When I start working on each week's podcast, I check in with Twitter to collect all of the tweets I've received since my previous check-in the week before. I don't even look at it during the week. I scan through those, replying when I can, and that's been where our listener feedback has mostly come from every week. As everyone knows, I've never followed anyone on Twitter, so I've never used it the way it was intended to be used. As a consequence, I'm not directly aware of what may have changed after Elon's reluctant purchase of Twitter, other than things I've heard secondhand, so I could care less. I just want to lower the bar for all of our listeners, and everyone has email. The normal downside of asking people to share their email addresses is that the implied trust might be abused. I think everyone knows that will never happen with me. Until this past weekend, I've not had a workable means for receiving incoming email from our listeners. Now I do.

GRC now has the subscription management front end of its new email system up and running. It's what I've been developing for the past few weeks and, of course, it's all written in Assembler, because that's just where I'm most comfortable. It's now possible for anyone who wishes to optionally subscribe to any one or more of our three mailing lists. One is aimed at our commercial product owners, one is aimed at general GRC news of products, freeware, services, etc., and one is intended for this Security Now podcast, which has become a significant part of my life through these past 20 years. But, and this is crucial, you do not need to be subscribed to any of these lists to be able to send email to securitynow@grc.com.

There's no requirement for anyone to subscribe, although, of course, everyone's welcome to if they wish. Here's the requirement: the email address from which you are sending email to me does need to be known to the system. So here's how you register. At the top of every GRC page, in the page's header, is a little white envelope with an email subscriptions link. There's also a link under the home menu and, as you'd expect, it's also just grc.com/mail. So you go to grc.com/mail and enter the email address you wish to register with GRC. GRC will send an email to that address containing a link back to your own subscriptions page.

Here, and as you'd expect, everything defaults to unsubscribed. I don't ever want to send anyone any email they don't want to receive. But if you wish, you can optionally provide your name and join any of the three lists shown there. Then, either way, click the update subscriptions button and your confirmed email will then be known to GRC. From that point forward, you can simply address anything you wish to the email address securitynow@grc.com. No exclamation point or hyphen or anything, just securitynow@grc.com.

When that email arrives at GRC's server, the sender's address will be looked up and, if it's known to the system, the email will be accepted and will appear in my Security Now account inbox. If email you send to securitynow@grc.com is rejected and bounces back to you as undeliverable, you'll know that something went wrong somewhere. So that's the front end system. The back end is the part that contains the subscriber database and actually sends email to the lists. I should mention, at this exact moment, due to a limitation that the back end had, this new system is unable to accept email addresses containing plus signs, which I'm sure our listeners would like to use. The back end has been fixed, but I haven't updated my code yet because it just happened yesterday and I haven't. You know, I've been working on the podcast, so that'll be the first thing I do later today. And as for the back end, all I have running and tested at this point is the subscription management. So please do not be surprised when you don't immediately start receiving email from me. It's not you, it's me.

Since the industry has become so spam sensitive, I plan to proceed with caution to be very sure that any bulk email I send meets all of today's anti-spam technical and legal requirements, and there are many. So it will likely be another week or two before email begins to flow. While I hope to be able to send weekly podcast summaries and links, the other two lists will always be very, very low volume, I think. Over the eight-year life of the previous email system I sent a total of 11 pieces of email, so you know no one's going to get spammed. You'll be wondering what's going on. If you weren't listening to the podcast, you would wonder where I went. But today, with the new incoming email system filters in place, I frankly have no idea what will become of my use of Twitter. It's trivial for me to tweet the weekly summary of the podcast, you know, a link to the show notes and the picture of the week. My ambition is to deliver the same thing via email, but I'll be doing that somewhat cautiously as we see how it goes.

And I should note that I've recently noticed a significant uptick in spam to my, Leo, as you always mention, my open DM channel. You know, I got one this morning. Hello, my sister saw your profile while browsing X on my phone and she's interested in you. And then I have a link, eyqyh571.xyz. Oh, I know them, they're great. Yeah, that's right. Open the link to complete the registration and she will take the initiative to call you. That, I've got four different emojis and, by the way, the emojis differ every time I receive this, although the text is always the same, and it says remember to say hello to her. She's very shy, right, and she's also going to be very lonely in this case. So, anyway, if the spam becomes a lot worse, I'll likely be forced to abandon open DMs. So the establishment of this alternative channel is coming at an opportune time.

The bottom line is I'm very excited to finally be adding this long missing piece of GRC's infrastructure. It's been crazy that we've had no means of announcing new stuff, and once the dust settles from that, I'll begin sending out the news of SpinRite 6.1 to all 6.0 owners. So very pleased. Okay, so some closing the loop feedback. A listener, Hatcher Blair, said hi, Steve and Leo. He described himself as a medium-time listener and huge fan of the work we do. He said I hope this is medium.

0:50:03 - Leo Laporte
I'm happy with medium, that's fine, a medium-time listener, exactly.

0:50:07 - Steve Gibson
So that's what, he came around maybe 10 years ago, something like that. Yeah, something like that. Jumped in about halfway along, yeah. So he said I hope this is still the appropriate place to contact you, as I made a Twitter account just for this. So, bless you, Hatcher, in the future you can send email to securitynow@grc.com. Anyway, he said I just listened to SN975, and I wanted to thank you for alerting me to the web search option in Google. So again, and I'm glad you pointed this out, Leo, not just to remove AI overview, but to clean up the pages significantly. He said I wanted to make it my default search option, but you cannot add the search engine to Chrome or edit the Google search engine in Chrome settings. However, you can create an extension which adds a web search engine and make it the default.

I made a simple Chrome extension that makes web search the default option when searching from the address bar. This extension is not and cannot be published on the Chrome web store, because I use the domain https://google.com and would need to have ownership of that domain to publish the extension. Although it's not on the web store, it is on my GitHub for anyone that wants to clone the repo and install it for themselves. A warning to anyone who wants to install the extension. He said it is bad. I don't know what he means. He says all the extension does is make the default search, you know, and then he shows a search query with the, you know, &udm=14. He said there's no localization support or option to enable or disable the extension in the UI. If you end up sharing this on the show, here I am doing that, he said, feel free to share the repo, and anyone who wants to contribute is welcome to. Anyone is also welcome to use anything on the repo for their own purposes if wanted. I did a bit of Googling and making a similar extension should be possible in Firefox. It might even be easier, as Mozilla seems to have much better documentation than Google. Keep up the great work and looking forward to episodes 999 through infinity, says Hatcher Blair. So I've got a link to his GitHub repo in the show notes, and just another piece of work along the lines of the tenbluelinks.org that we talked about earlier.

You know, this one from one of our listeners and, as I said, I'm sure that this will be, you know, very popular. Moving forward, Defensive Computing's Michael Horowitz wrote to say Steve, a fun story. I recently got a fairly standard scam email message claiming my computer had been hacked and asking for Bitcoin as proof of the hack. The bad guy told me my password, but I use a different password everywhere, have for years and years. So the revealed password told me the service that had been hacked and I logged on to it and changed that one password. It had a stored credit card but fortunately that had expired. He says it's rare to actually experience firsthand, up close and personal, the benefit of never reusing a password. So you know, thanks for sharing, Michael. I think that's very cool.

You know, as I've been perusing the email domains of our listeners who've been subscribing to GRC's new service since I announced the email system on Twitter yesterday, I've seen many gmail.com email domains, but also, as indicative of the listeners, we have many personal domains, as we've discussed.

Unfortunately, there's no good way to hide from tracking when websites are willing to trade their visitors' privacy for cash by colluding with advertisers and other data aggregators. Not even a personal domain will help with that, but it can be very useful for tracking down personal information leakage. I established a unique email address for the dealership that services my car. So when I started receiving unwanted spam from some auto-related source, from that one email address that I had never shared with anybody else, I knew who had leaked it. So, yeah, even though it won't help for tracking, it is a little bit satisfying just to be able to say, uh-huh, I gotcha. And of course I'm then able to retire that email address if the spam becomes annoying. And when they wonder why they're unable, when the dealership can't send me email, I say, oh yeah, I changed that because you guys sold my address to a third party, you know, commercial entity. So here's the new one. And I imagine, Leo, that you at leoville.com, oh, it's unusable, yeah, why?

Oh yeah, Leo, it's unusable.

0:55:33 - Leo Laporte
Well, also I imagine, oh no, I don't even use that. I mean I do, but I don't. I have lots of solutions around this, right, similar to yours, but not, right. You have to. I have many addresses. You know I can't use Laporte Gmail anymore. That really went downhill fast. But no, what I do now when I sign up for something is I use, I actually don't use those unique passwords, those unique email addresses, that Bitwarden and Fastmail do. I just make it the name of the company at a particular address that I haven't used before, you know, that I use exclusively for that.

0:56:10 - Steve Gibson
And you have a catch-all so that everything comes in? Right, I don't have to worry about that. Fastmail.

0:56:15 - Leo Laporte
I have about 10 domains or 15 domains that get email at Fastmail. It all goes in the same inbox and then I can do sorting based on the address it thinks it's going to and stuff like that. Look, spam is a mess. It's just a mess out there, Leo.

0:56:31 - Steve Gibson
It's terrible, yeah. Well, and as somebody facing the task of sending, well, yeah, subscription email, you know, I mean, that's the biggest issue. It's not that we're getting a lot of spam.

0:56:44 - Leo Laporte
It's really hard to send email now that Google will not accept email if it doesn't have DKIM, SPF and DMARC authentication. They just won't even accept it. So it's gotten real. That's where it's really, it's much harder. Deliverability has gone downhill.

0:57:00 - Steve Gibson
Yes, yes, and in fact in my instructions, as does everyone, I say if you don't receive the confirmation email, you know, look around for it, you know, check your spam folder or wherever it might have gone.

0:57:15 - Leo Laporte
That's a must also. Yeah, I think Google loves this because it means that eventually, they hope, everyone in the world will use Gmail and that'll solve it, sort of.

0:57:26 - Steve Gibson
Oh, you mean from Gmail to Gmail? Yes, wonderful. Yes, wonderful, that solves it.

0:57:31 - Leo Laporte
Yeah, as long as everybody's using Gmail, we can get rid of spam. We can authenticate. It's just, it's our fault for not using Gmail.

0:57:40 - Steve Gibson
That's Google's attitude. So Elliot Anderson tweeted, hey, Steve, one extra way to avoid Google's AI search. He says don't sign in. He says I've never seen any of that AI nonsense. I have a different browser profile for signing into Google and I clear it whenever I'm done with whatever Google account management I need to do. Okay. So I can't speak to that myself. I don't do Google account management and, like you, Leo, I've never run across that, and now we learn from you that it's gone.

0:58:16 - Leo Laporte
Yeah, it's gone. You won't anymore. It's still a crappy search, but at least you won't see an AI overview.

0:58:22 - Steve Gibson
Yes, exactly. Telling you to eat glue. Steve Murray said Steve, just FYI, you can replace soldered motherboard components like eMMC, RAM. He says a ton of YouTube videos cover it. He says the hard part is doing it in an economically viable way, if not doing it DIY. Okay.

Just because it's on YouTube doesn't mean it's possible. I would argue that the hard part is doing it at all. I've been soldering electronics literally, I'm not kidding, since I was four years old. I still recall my dad's big honking soldering iron. It was about three quarters of an inch in diameter and 18 inches long, with a wooden handle. It was nothing like what we have today. This thing took about 30 minutes to come up to temperature, at which point you could push its tip through a solid steel plate. And while growing up, my standard Christmas present was a Heathkit, which I would receive every Christmas Eve. Oh, that's so cool. I would open it on Christmas Eve and it would be fully assembled by Christmas morning. That's so cool.

Since I had no interest in sleeping with an unfinished kit in front of me. No wonder you're a geek. Now I get it. Oh, and I remember, Leo, the VTVM, the vacuum tube voltmeter that I built. I must have, let's see, I was still living on Overhill in Orinda and I left Sleepy Hollow Elementary in the middle of the fifth grade. So I was what, eight, I guess? Wow. And you know, and Dad, one Christmas, was a shortwave radio receiver. Holy cow. One Christmas, you know, all Heathkits.

1:00:26 - Leo Laporte
Was he an engineer? Is that why he really encouraged this?

1:00:32 - Steve Gibson
Yeah, he had his master's in engineering from Berkeley. Okay. But mechanical engineering, not electrical engineering. Right, but there's a lot of overlap. Sure. And you know, he set me up with a battery and knife switches and light bulbs, because I just had to understand how all this stuff worked. That's so great. Anyway. So while, yes, technically I agree that it's possible to remove and replace today's modern high-density surface mount components, doing so, because I have, is neither fun nor easy.

1:01:09 - Leo Laporte
And it's really easy to screw up the substrate, the motherboard, right? Oh, so easy.

1:01:15 - Steve Gibson
Yeah. Especially when they're surrounded on all four sides with a forest of tiny pins on half mil centers, or when it's a BGA, which is a ball grid array chip with its myriad connections underneath the chip itself. I'm sure anybody who's looked at a modern motherboard or circuit board, you see this chip sitting there with no obvious connections to it. It's because there are little dimples on the underside of the chip. You've got to heat the whole thing up in order to melt the solder of them all at once in order to pull this thing off the circuit board. Anyway, the reason there are a ton of YouTube videos is that it's actually not possible to do.

1:02:08 - Leo Laporte
It makes for an excellent YouTube video. It's great, it'll hold you on the edge of your chair.

1:02:13 - Steve Gibson
Is it going to come off? Is it going to come off?

1:02:16 - Leo Laporte
You know, just because you see somebody doing it on YouTube does not mean you can do it, or anyone.

1:02:23 - Steve Gibson
Yes, or even that is able to show me how to create a recipe which I am unable to reproduce. So the fact that Hank is able to do it doesn't mean that I can't.

1:02:36 - Leo Laporte
No, I watch with wonder myself.

1:02:42 - Steve Gibson
Sylvester said, replying to @Firefox, he said @SGgrc, vertical tabs are coming. So his tweet sent me off looking and I found a posting by Martin Brinkmann over at gHacks.net. Martin wrote Mozilla released a Firefox Nightly test build recently that includes support natively for vertical tabs. This new functionality is not available in regular Firefox Nightly builds, but there's a way to get that build and test it for yourself.

Native vertical tab support is a highly requested feature. It is placed third currently on Mozilla's Connect website, just behind native tab grouping and the restoration of progressive web app support in Firefox. Vertical tabs, he says, move tabs from a horizontal bar at the top of the browser to the side. It enables better drag-and-drop support, sorting, hierarchical views and better use of space on widescreen monitors or sites that limit their width. Firefox would not be the first browser to support vertical tabs. Several browsers, including Microsoft Edge, Brave or Vivaldi, support vertical tabs already and, he says, with Vivaldi taking the cake when it comes to customization options.

There's always been talk of introducing vertical tabs in Firefox. The last time was in February of 2022 when Mozilla looked into the matter. Okay, so I don't understand this. Vertical tabs are such an obvious improvement for modern web browsing that it is difficult for me to understand what's taken so long. Fortunately, I've had vertical tabs in Firefox thanks to the browser's sidebar that can be used to contain browser tabs. I use the add-on Tree Style Tab, which works wonderfully, and then I tweaked the browser's UI, the CSS style sheet, to hide the tabs across the top, which are still there. So, although I found a solution to place tabs to the side, you know, where they should have been immediately moved once our screens moved away from their original four by three aspect ratio, you know, it'll be wonderful for Firefox to offer them natively, so let's hope that happens because, like, what's the problem? It's just so obvious.

1:05:29 - Leo Laporte
You raise an excellent point. We have wide, wide screens. There's lots of, yes, on the left. I hadn't really thought about it that way.

1:05:36 - Steve Gibson
Yeah, yes, exactly, and many sites, no. In fact, my site looks weird because it sets the width to 85% of the window, which, on today's browsers, is wrong. So as I'm rewriting pages, I'm changing the way that works. As a consequence, there's a lot of empty space on the sides. So yeah, anyway.

1:06:03 - Leo Laporte
Yeah, I put my dock on the left for that reason on my Mac Right, yeah.

1:06:08 - Steve Gibson
And we're at an hour in, Leo. Let's take our third break.

1:06:11 - Leo Laporte
Let's go to work. Let me do some work while you relax. It's my turn. Coffee, the world's largest mug of coffee.

Hey, you're gonna like, whoa. This portion of the show brought to you by Bitwarden. You know who's been encrypting URLs since day one? Bitwarden, of course, because Bitwarden is the only password manager I recommend and use. It's open source, which means it's better. It's just better. You can verify, or experts can verify, that it's doing what it says it does. It also means people can add to Bitwarden.

One of our listeners, Quexon, did that a while ago. We were talking about how PBKDF2 wasn't the best way to hash passwords, but there are two memory-hard solutions, scrypt and Argon2, and it would be so much better if password managers offered it. Well, Quexon took us at our word, did a pull request to Bitwarden, developed both scrypt and Argon2. After consultation with Bitwarden, they decided to release the Argon2 implementation and now we have Argon2 in Bitwarden. That's why open source is great for a password manager. They have a secrets manager for developers. Who, I've done it, we've all done it, inadvertently push our secret keys to GitHub when we do a commit. Not anymore with Bitwarden. Bitwarden just now announced, they've always had passkeys support, not always, but for a very long time, but they just announced that they support passkeys now on their browser extensions and on their mobile apps. Now, that's great because it now means when you set up a passkey on any of your devices, and Bitwarden works on them all, Mac, Windows, iOS, Android, Linux, everything. Whenever you set up a passkey, it's now part of your Bitwarden vault and it's available everywhere you use Bitwarden, including in the browser extensions. That is fantastic. Passkeys on mobile are now official in iOS and they're in open beta on Android. So if you're on Android, look for the beta of Bitwarden and, of course, we'll keep talking about it.

This is the important month because World Password Day began the month, May 2nd. At that time, Bitwarden did a survey. This is an eye-opener, although not surprising, I think, for anybody who listens to this show. They surveyed 2,400 people: US, UK, Australia, France, Germany and Japan. They found that 31% of their respondents.

In the US, almost a third reuse passwords across sites. We know how bad that is, right? We also know why they do it, because they're not using a password manager. 42% incorporate personal information in those passwords, your birthday, your dog's name, your mother's maiden name, which really raises some serious concerns about people's password strength and security. When you use Bitwarden, it generates unique passwords for every site. They're long, they're strong. I mean, they can be long, 64 characters, more if you want, as long as the site will allow it, and you don't have to remember it, Bitwarden does. So there's no reusing passwords. There's no using personal information in your passwords. You don't need to.

58% of respondents continue to use their memory to keep track of passwords. As you say, Steve, what could possibly go wrong? 34% are writing it down, pen and paper. That's not so bad at home, but 34% do it at work, which means, you know, if you look under the blotter, oh look, here's all of Joe's passwords, or maybe even in a Post-it note on the side of the screen. If you're a business, you should worry. Nearly half a quarter of the respondents said yeah, our workplace security habits are pretty risky. 45% said they're storing passwords insecurely, 44% using weak credentials. It's worse at work. You know why? Because they don't care. This is your business, not theirs. These findings mean there is a lot of room for improvement, and if you are running a business, you need to look at Bitwarden.

I've always said Bitwarden is great for individuals, free forever because it's open source. Unlimited passwords, YubiKeys, passkeys, all of that free. Now I pay for the premium, 10 bucks a year, because I just want to support them. But they also have a business plan. They actually have several business plans. They empower enterprises, developers and individuals to store and share sensitive data, not just passwords. I have all my documents in there too, safely. With a transparent, open source approach to password management, Bitwarden makes it easy for users to adopt robust security practices everywhere. That's what you want your employees to do. That's what you should be doing. Get started right now with Bitwarden. They have a free trial of the Teams or Enterprise plan. Or, as I said, if you're an individual, get started for free across all devices.

bitwarden.com/twit. If you're a Bitwarden user, because it's open source, there are a number of Bitwarden servers you can use as an individual so that you can host your own vault. You don't even have to use a centralized storage for the vault, but of course I do, because I figure Bitwarden is going to do a better job securing it than I am. But you don't have to, and that's great. bitwarden.com/twit. B-I-T-W-A-R-D-E-N. It's the only password manager I use. It's the one you should use, and Steve's nodding. Thank you, Steve. bitwarden.com/twit. Thank you, Bitwarden. Good job. Keep up the good work.

1:11:38 - Steve Gibson
So Tal in Israel. He said back at episode 970, you read a listener's feedback about a SOHO router that requires you to press a button on the router in order for configuration changes to be applied. We've talked about this is now recommended behavior for future routers in order to minimize the ability of attackers to do a purely electronic, non-present change of configurations. Anyway, he said that, he's speaking of the listener feedback, said that a well-known router manufacturer named Fritzbox has been creating such routers where configuration changes require the press of a button on the router. I've been looking for a new router, as my old Xiaomi router stopped receiving updates in 2021. Xiaomi is notoriously known for not providing many updates to devices after they've been sold. Also, that router was always underpowered, dropping Wi-Fi little, and it seems the company who manufactures them is very security aware and the performance of them is very good. I was happy to discover an Israeli seller and bought the Fritzbox 5530, which seems to be what's most suitable for me. After I've been using it, I think it's the best router I've ever had. It does not even break a sweat with multiple video streaming and downloading and anything else I do, and I think it can serve as an example of how SOHO routers should be. First, it comes with automatic updates turned on by default. Second, both wireless key and router admin passwords are randomized when you get one, and if you reset it to factory default, those passwords will be reverted back. There's a very durable sticker on the bottom of the router with them, so you should not worry about losing them.
Changing some configurations, like DNS, will require you to go and press a button on the router, but since it can also serve as a telephony hub, if you have a phone directly connected to it, you can pick it up and dial some number it tells you to dial in order to apply the configurations. Or you can define an authenticator app and then use the six-digit token to apply changes. Other nice things it supports, by the way, that's a cool feature, right, because now you've got a way where you don't have to physically be present, but you do have another authentication token that is changing dynamically to prevent someone from making changes electronically. That's something we hadn't talked about. That's brilliant. And he says fourth, other nice things it supports is DNS over TLS, so your ISP will know nothing of your DNS queries. And he says I use both Google and Cloudflare open DNS resolvers, which I trust way more than my ISP provider. And finally, fifth, Fritzbox is well known for supporting their devices for a long time. He finishes, it has so many other features where you can definitely see that security awareness went into the design.

So whoever mentioned Fritzbox in episode 970, thank you. Unfortunately, he said, I could not find your name in the transcripts. Well, okay, since this is all about listener feedback, I wanted to keep this thread alive by sharing this listener's very positive experience with Fritzbox. I brought up a site web search of GRC some time ago, so I went to GRC and put Fritzbox into the search field at the upper right of every page. That brought up all of our mentions of Fritzbox through the years, as well as some comments over in GRC's forums. The listener who tweeted the news to us in episode 970 used the Twitter handle NDOM91. So we still don't know his name or who he or she is, but thank you again for the mention, and thank you, Tal, for sharing your impressions.

I went over and looked at their lineup. It's a German company. They've got, fortunately, an English-language website and it is very impressive, I have to say I especially liked the integrated DOCSIS 3.1 cable modems and routers. They have several devices, yes, and I've been sort of unhappy with domestic cable modem suppliers. They really don't seem to be doing a great job. This German firm really does seem to have their act together. So if we ever get fiber in our area, they also have an integrated fiber modem router. I might take a look at that. And they're all Wi-Fi 6 and even 7. So they're keeping up to date with the standards. Yeah, look at that thing. That's just beautiful.

1:16:57 - Leo Laporte
Yeah, it really is.

1:16:57 - Steve Gibson
And somehow they're doing a good job without lots of antennas sticking out everywhere.

1:17:02 - Leo Laporte
Yeah, well, I think the antennas are a marketing thing, aren't they?

1:17:06 - Steve Gibson
Yeah, exactly, oh, this is cool, yep, and there's a Wi-Fi 7 enabled cable modem router that you've got on the screen, yeah, and with Zigbee on board so you can control your smart home.

1:17:18 - Leo Laporte
Well, these are nice. This is really nice. This is for LTE, so you can use mobile broadband. They are solid looking devices. Of course, you got to make sure that your cable company will support their modem.

1:17:28 - Steve Gibson
Yes, that's a thought I had. Is that the Cox, does, you know? They make a point of saying, well, these are the ones we support.

1:17:35 - Leo Laporte
Yeah, this is the one I would get, though, if I interesting 3.1, wi-fi 7.

1:17:43 - Steve Gibson
And apparently really strong, as he said. You know, it's not like they cheaped out on the processor and RAM. I like that. Yeah, look at that. Okay, Fritzbox and a telephone system. It does telephony built in too. Oh yeah, with a DECT base station for cordless telephony.

1:18:05 - Leo Laporte
Wow, wow, they put everything in here but the kitchen sink. Oh, wait a minute, here's a kitchen sink. Oh, no, at least he's a kitchen. Uh, wow. And their operating system is called FritzOS. No, Fritz OS. Too bad it's not Fritos, it's so close to Fritos, I want to get it. Yeah, very interesting. So it's not. You can't put WRT or something else on there. This is their.

1:18:37 - Steve Gibson
No, I don't think you, but I would bet that they've got a beautiful looking. You know, built in router.

1:18:42 - Leo Laporte
It's made in Germany, so it's got to be good. Look at that, yeah, wow.

1:18:49 - Steve Gibson
Okay, okay. So Richard Green in Lethbridge, Alberta, Canada. His subject was four-digit PIN in a corporate environment. Okay, get a load of this, Leo. He said Hi, Steve, absolutely love the show. Thanks for doing it. I thought you might enjoy this story.

I'm a physical security installer, as in physical alarm systems, and I was asked to do a system audit and upgrade on a major chain grocery store. So we came out and gave everything a physical checkup and upgraded their equipment. We then asked for their list of current users so we could verify and remove any old and unused alarm disarming PINs. At first they didn't want to do this and I figured it was a corporate policy, but then they relented and started printing off pages of names and PINs, pages and pages of PINs. Apparently some higher up decided it would be a great idea to have every manager, assistant manager or anyone else of importance nationwide programmed into every store's alarm system, just in case they might travel. We started out, of course, with 10,000 possible PINs, but their list was nearly 7,000 PINs long. This meant that any random guess would have a 70% chance of disarming their alarm system at any facility. He said I flat out refused to be the guy to set up a system that was so insecure. Luckily for me, they finally relented and we only added about 60 (6-0) user PINs local to our region. I wouldn't have believed it had I not seen it for myself. Amazing.

So, Richard, thank you for sharing that horror story from the field. Uh, it's helpful, I think, just to see the way things are actually being done out there in the real world, you know, way far from the ivory tower. Manuel Schumerger, uh, Schumerber in St. Louis, he said Hi, Steve, I noticed that the UDM value just selects from the menu of search options. 15 is attractions, 12 is news, 14 is web and so on. I also noticed that an easier way for me to get to the simpler web results is to just select from the menu of offerings below my search phrase. I select the More drop-down and then Web, and he says thanks for the lowdown on search. So I just wanted to thank Manuel for demystifying the magic 14 of the UDM value. I didn't spend any time digging around and I'd been wondering where the 14 came from. You know, why was it UDM 14? And yes, it is certainly possible to select the Web menu item from Google's already displayed results. But the various hacks that are emerging allow us to get those same web-only results right from the start with our browser's default search.

Vern Mastel in Mandan, North Dakota. Oh, I got a kick out of this. The subject was SN975 Windows XP test. He said the Windows XP report is misleading. The test was not fair. What Parker did was test a 1935 Chevrolet sedan on a modern eight-lane superhighway at rush hour. He should repeat the test with a new out-of-the-box configuration Windows 10 or 11 machine on the same no-router, open Internet connection. That would be very interesting. Vern said Windows always has come out of the box with everything (that's all caps) turned on.

I claim that the biggest holes in that test XP machine were Windows file and print sharing and Windows remote desktop. Both are wide open in a fresh Windows XP install. Such a machine should be dead meat on today's Internet. So that begs the question, what ISP was used for the test? When XP was new in 2001,

ISPs did not do any active protocol blocking. Windows NetBEUI/NetBIOS ports 137, 138, 139, and 445, along with many others, were open to the world. For example, with file and printer sharing turned on (the default), you could see and easily access other Windows XP machines in the vicinity. For many years, when I set up a new Windows XP machine on the networks I administrated, I spent an extra hour changing network and system settings to close security holes and shut down or remove the many unneeded features. Now things are pretty well locked down at the ISP level. Old LAN protocols are blocked by default. You cannot run your own mail server out of your house, and other server protocols like FTP are monitored or blocked outright. Properly configured XP is/was a stable, reliable and reasonably safe version of Windows.

Okay, I agree with everything Vern said, except for his thesis that this was in some way not a fair test. I have a problem with that characterization only because it wasn't meant to be a test of fairness. It was a test of reality, or perhaps a test of yesterday's reality versus today's reality. And of course, everything Vern noted about the way he would spend his first hour with any new Windows XP machine was the reason I created the Shields Up port probing facility. It was precisely because these early machines from Microsoft were such a disaster on the Internet. That said, I also agree with him that it would indeed be interesting to place a currently fully patched Windows 10 or 11 machine directly on the net to see how it would fare. You know, direct exposure to the Internet. Given that all Windows machines have a very competent application-driven firewall that is up and running before the rest of the vulnerable networking behind it comes to life, I would expect it to do well.

But in any event, Parker's whole point was to get some sense for the malicious crap that is circulating out on the Internet right this moment. We're all so well insulated and so well shielded behind our NAT routers and firewalls that it's possible to sort of forget just what's out there constantly pounding away at those defenses. These defenses that we have today are absolutely not optional. Not optional, okay. And lastly, Jeff Smock says as his subject, I offer you my very own first law of cloud data security. He said forget about all the bluster and jazz hands the cloud service providers give us regarding the security of our data. He says here is the simple truth, quote, the security of cloud data is inversely proportional to its potential value as perceived by a hacker or rogue staff member. So, yes, the more they want it, the bigger problem we're going to have keeping them from it. So I completely agree with that characterization. And, Leo, let's take our final break. And then we're going to talk about the 50-gigabyte privacy bomb. I can't wait. Which Microsoft plans to drop into everyone's lap.

1:28:05 - Leo Laporte
I can't wait. Hey, I just wanted to mention because that Fritz thing got me really excited. I went to the website. It's a German company. As far as I can tell, they do not sell in the United States. Your correspondent was in Israel.

If somebody who's listening tells me where I can get Fritz stuff in the US, and if it's US compliant, I'd be very interested. But right now it looks like it's, uh, it's, I mean it's Germany. I wonder why. Like, well, we have an FCC, we have, I mean they'd have to get approval in the US. But they're Germans. How hard could that be? I mean, I'm driving.

1:28:42 - Steve Gibson
We're each driving one of their cars, Leo.

1:28:45 - Leo Laporte
I know I like German engineering, okay, but as far as I can tell, I couldn't find anywhere I could buy it in the US. Wow, I checked, and your correspondent was in Israel, which might explain how they could get it. Yes, he was. Yeah, time to talk about our fine sponsor for this segment of Security Now.

One Big Think. This is something that a lot of companies my size, middle-sized companies, you're focused on growth, uh, you, you're trying to do a good job, but you just don't have the resources to comply with this insane net of regulations regarding privacy and AI. Right, but the world has changed. Privacy, AI, they're here to stay, and compliance is an absolute must in every jurisdiction. The problem is, regulations around the world are in constant flux. Every state has its own set of regulations and there are new ones every day. An organization like yours is probably forced to really embrace things like privacy by design. Rightly so, by the way. I mean, I'm in favor of it. But it's just, it's challenging. Privacy by design, transparency, purpose limitation, data minimization, data subject rights. You got GDPR. You got CCPA. It's squeezing you.

So what do you do? Most mid-sized high growth organizations are, you know, you're focused on making a business. You don't have the volume of work to keep a full-time privacy and AI team busy and even if you could, it's almost impossible to attract the talent you need. They're snapped up by the big companies. That's where One Big Think comes in. With One Big Think's services, you're guided by an experienced executive. You in effect get your own DPO. You get the capacity and capabilities of a data protection officer, DPO. That's an executive security leadership role. It might be new to you. I think a lot of companies ask, what's the DPO? They're responsible for overseeing data protection strategy, compliance and implementation to ensure, you know, that you are compliant with GDPR, CCPA, all of that.

Illinois, Vermont just passed a very good, I think, privacy bill. But that means, you know, they're getting you on all sides. You need a DPO. Your DPO will have an expert knowledge of data protection law and practices, obviously, but they also have a broad and deep information privacy, compliance and data processing skill set across industries, especially your industry. You don't want somebody who doesn't know what you do. They should have a complete understanding of IT infrastructures, technologies, technical and organizational structures. Again, in your biz, in your industry. They have to have good management skills too, because you've got to interface with staff at all levels, not just the boss and the board, but employees. This is a very skilled position, but fortunately, One Big Think has somebody for you. You'll get an AI expert too. One Big Think's AI compliance service is designed to integrate with your organization's privacy program. They go hand in hand to provide the required governance, compliance and assessment activities under these regulations. They'll even help you raise awareness and train staff on AI regulatory requirements and issues.

Don't be a Google. Do it right. It's in your interest. By the way, One Big Think makes it easy. To learn more about how to give your organization sustainable privacy and AI compliance you can afford, go to OneBigThink.com. That's all you need to know. The number one, Big Think, B-I-G-T-H-I-N-K. OneBigThink.com. You need this, we all do, and thank goodness One Big Think's there for you. OneBigThink.com. Okay, 50 gigabyte pile of nonsense.

1:32:43 - Steve Gibson
Uh-huh, nonsense. So since we began the podcast with a general theme of how AI, which is not even close to being intelligent, is being misapplied during these early days, I feel as though a security and privacy-focused podcast like this one ought to take note of the new Recall feature that will be part of the next generation ARM-based Windows 11, what's known as CoPilot Plus laptop PCs. First of all, yes, it does appear that ARM processors have finally come far enough along to be able to carry the weight of Windows on their processors, and while having Windows on ARM will certainly create a new array of challenges, like, for example, the lack of specific hardware drivers that only exist for Intel kernels, in the more self-contained applications, you know, where drivers are much less used, such as laptops, where power consumption and battery life trumps pretty much any other consideration, it's foreseeable that Windows may finally be able to find a home on ARM. Today, laptop and tablet form factor machines containing Qualcomm Snapdragon ARM processors running Windows 11 have been announced and are, in some cases, available for pre-order from Acer, Asus, Dell, HP, Lenovo, Microsoft and Samsung. It's also worth noting that Intel PCs will also be getting CoPilot Plus at some time in the future, but they will need to have a neural processing engine.

Answering the question what makes CoPilot Plus PCs unique? Microsoft writes CoPilot Plus PCs are a new class of Windows 11 PCs that are powered by a turbocharged neural processing unit, an NPU, a specialized computer chip for AI-intensive processes like real-time translations and image generation that can perform more than 40 trillion operations per second. So we have TOPS, trillion operations per second. So more than 40 TOPS. And later Microsoft writes we are partnering with Intel and AMD to bring Copilot Plus PC experiences to PCs with their processors in the future. So potentially everybody's going to be able to get this. Okay. So what is Recall? Microsoft explains. They said you can use Recall on Copilot Plus PCs to find the content you have viewed on your device.

Recall is currently in preview status. During this phase we will collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data and improve the overall experience for users. On devices that are not powered by a Snapdragon X series processor, installation of a Windows update will be required to run Recall. Recall is currently optimized for select languages, including English, Simplified Chinese, French, German, Japanese and Spanish. This means Recall is able to retrieve snapshots from your PC's timeline based on more sophisticated searches in these languages. During the preview phase, we will enhance optimization for additional languages. Recall can also retrieve snapshots from your PC's timeline based on text-to-text searches in more than 160 languages. Okay, fortunately.

They then ask themselves how does Recall work? To which they reply Recall uses Copilot Plus PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC using search or on a timeline bar that allows you to scroll through your snapshots. Once you find the snapshot that you were looking for in Recall, it will be analyzed and offer you options to interact with the content. Recall will also enable you to open the snapshot in the original application in which it was created. Whoa, really? Okay. And as Recall is refined over time, it will open the actual source document, website or email in a screenshot, which, okay, is mind-boggling, but they said this functionality will be improved during Recall's preview phase.

So before they let it loose, they said Copilot Plus PC storage size determines the number of snapshots that Recall can take and store. The minimum hard drive space needed to run Recall is 250 gig and 50 gigabytes of space must be available. The default allocation for Recall on a device with 256 gigabytes will be 25 gig, which can store approximately three months of snapshots. You can increase the storage allocation for Recall in your PC settings. Old snapshots will be deleted once you use up your allocated storage, allowing new ones to be stored. Okay, so it's sort of a rolling 90-day window, the most recent 90 days of screen snapshots taken every few seconds. Okay, then they ask what privacy controls does Recall offer? They respond Recall is a key part of what makes Copilot Plus PCs special, and Microsoft built privacy into Recall's design from the ground up, which of course we all recognize as standard boilerplate, which we all hope is true, they said.

On Copilot Plus PCs powered by a Snapdragon X series processor, you will see the Recall taskbar icon after you first activate your device. You can use that icon to open Recall's settings and make choices about what snapshots Recall collects and stores on your device. You can limit which snapshots Recall collects. For example, you can select specific apps or websites visited in a supported browser to filter out of your snapshots. In addition, you can pause snapshots on demand from the Recall icon in the system tray, clear some or all snapshots that have been stored, or delete all the snapshots from your device.

1:40:32 - Leo Laporte
We call that the "I'm going to watch porn" button now. So yeah, press the porn button.

1:40:41 - Steve Gibson
It occurs to me that I later talk about how snapshots of the Windows-based Signal app would be a problem.

1:40:53 - Leo Laporte
Oh, because that's in the clear right.

1:40:56 - Steve Gibson
Right, right, I mean, it's what the user sees. Maybe this allows you to say, don't take snapshots of that window. And we should also remember that what we see is a graphic user interface, but Windows knows the text behind the actual controls that it's displaying, so it doesn't actually have to be. I mean, I guess it's who knows what it's doing in detail. But my point is that while we see graphics, there's actual text which is being mapped into bitmapped fonts, which is then being displayed on the screen. So behind the screens, so to speak, Microsoft actually has the raw text which was used to generate the screen.

1:41:49 - Leo Laporte
Yeah, that makes sense.

1:41:51 - Steve Gibson
Okay. So they said Recall also does not take snapshots of certain kinds of content, including InPrivate web browsing sessions in Microsoft Edge. And by the way, they only said Edge, but I saw elsewhere that it's any of the browsers that have a well-defined private browsing mode. They do not record that. And they said it also treats material protected under digital rights management, you know, DRM stuff, similarly. Like other Windows apps such as the Snipping Tool, Recall will not store DRM content. And they said note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry. Okay, so we're rolling toward an entirely new capability for Windows PCs where we'll be able to store data, which I presume is somehow indexed first, then encrypted for storage and later access, and, unless otherwise instructed and proscribed, this system is indiscriminately taking snapshots of our PC screen content every few seconds and is, by Microsoft's own admission, potentially capturing and saving for later retrieval financial account numbers, monetary balances, contract language, proprietary corporate memos and communications and who knows what private things we'd really rather never have recorded, or whatever else the user might assume will never go any further. This is where our much beloved and overworked phrase what could possibly go wrong comes to mind. Does anyone not imagine for an instant that having searchable access to the previous 90 or more days of a PC's screen might be hugely interesting to all manner of both legal and illegal investigators? Corporate espionage is a very real thing.
China is moving their enterprises away from Windows as rapidly as they can, but you have to know that cyber attackers, many of the most skillful and persistent, who seem to be persistently based in China, must be beside themselves with delight over this new prospect that we decadent capitalists in the West are going to start having our PCs recording everything that's displayed on their screens. What a great idea. If history teaches us anything, it's that we still have not figured out how to keep a secret, and especially not Microsoft.

So what Microsoft is proposing to plant inside all next generation PCs is tantamount to a 50 gigabyte privacy bomb. Maybe it will never go off, but it will certainly be sitting there trying to, and just ask yourself whether law enforcement and intelligence agencies don't also think this sounds like a terrific idea. Oh, you betcha. With great power comes great responsibility, and here, clearly, there's much to go wrong. Microsoft understands this perception, and so they ask how is your data protected when using Recall? They explain Recall snapshots are kept on Copilot Plus PCs themselves on the local hard disk and are protected using data encryption on your device and, if you have Windows 11 Pro or an Enterprise Windows 11 SKU, BitLocker. Recall screenshots are only linked to a specific user profile and Recall does not share them with other users, make them available for Microsoft to view or use them for targeting advertisements.

Screenshots are only available to the person whose profile was used to sign into the device. If two people share a device with different profiles, they'll not be able to access each other's screenshots. If they use the same profile to sign into the device, then they will share a screenshot history and thus, you know, be able to scroll back to see what the other person has been doing. Otherwise, Recall screenshots are not available to other users or accessed by other applications or services. Okay, so all that really means there is that they've done the obvious thing, right? They've, you know, divided the machine in the same way they do currently, with things like apps that you install for only one profile. So okay, that's what Microsoft had to say.

The guys from Ars Technica watched Microsoft's presentation of this last Monday and gave their write-up an impressively factual and neutral headline. They said New Windows AI feature records everything you've done on your PC. And then they said Recall uses AI features to, quote, take images of your active screen every few seconds, unquote. So Ars wrote: At a Build conference event on Monday, Microsoft revealed a new AI-powered feature called Recall for CoPilot Plus PCs that will allow Windows 11 users to search and retrieve their past activities on their PC. To make it work, Recall records everything users do on their PC, including activities in apps, communications in live meetings and websites visited for research.

Despite encryption and local storage, the new feature raises privacy concerns for certain Windows users. Microsoft says on its website, quote, Recall uses Copilot Plus PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC's hard drive. You can use Recall to locate the contents you viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots. Unquote, quotes Ars Technica. Ars wrote by performing a Recall action, users can access a snapshot from a specific time period, providing context for the event or moment they're searching for. It also allows users to search through teleconference meetings they've participated in and videos watched using an AI-powered feature that transcribes and translates speech.

At first glance, the Recall feature seems like it may set the stage for potential gross violations of user privacy. Despite reassurances from Microsoft, that impression persists for second and third glances as well. You've been doing recently on your PC, which might extend beyond the embarrassing implications of pornography viewing and actually threaten the lives of journalists or perceived enemies of the state. And I'll interject to say, in other words, this puts examining someone's web browser history to shame. How quaint that becomes. Ars continues despite the privacy concerns.

Microsoft says that the Recall index remains local and private on device, encrypted in a way that is linked to a particular user's account. Microsoft says Recall screenshots are only linked to a specific user profile and Recall does not share them with other users, make them available to Microsoft to view. Anyway, blah, blah, blah, what I just wrote about that. And it excludes specific apps or websites. Recall won't take snapshots of InPrivate web browsing sessions in Microsoft Edge or DRM-protected content. However, Recall won't actively hide sensitive information like passwords and financial account numbers that appear on screen. Microsoft previously explored a somewhat similar functionality with the Timeline feature in Windows 10, which the company discontinued in 2021. But it didn't take continuous snapshots. Some obvious similarities to Rewind, a third-party app for Mac we covered in 2022 that logs user activities for later playback, they said.

As you might imagine, all this snapshot recording comes at a hardware penalty. To use Recall, users will need to purchase one of the new CoPilot Plus PCs powered by Qualcomm's Snapdragon X Elite chips, which include the necessary neural processing unit. There are also minimum storage requirements for running Recall, with a minimum of 256GB of hard drive space and 50GB of available space. The default allocation for Recall on a 256GB device is 25 gig, which can store approximately three months of snapshots. Users can adjust the allocation in their PC settings. As far as availability goes, they conclude, Microsoft says that Recall is still undergoing testing. Microsoft says on its website, Recall is currently in preview status. During this phase, we'll collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data and improve the overall experience for users. Okay, I just should note that the amount of storage Recall uses does scale upward with the size of the system's mass storage and presumably the duration of the scroll back increases similarly. It'll take 25 gigs when 256 is available, 75 gigabytes on a 512 gig drive and 150 gigabytes from a system with a one terabyte drive of primary mass storage. So presumably, the more storage the system is able to commandeer, the further it's possible to scroll back through the system's display history.

Okay, now, while trying to be objective about this, the first question that leaps into the foreground for me is whether anyone actually needs or wants this. This is a big, you know, I mean, is this a big, previously unappreciated problem that everyone has? Okay, but trying to be objective, first of all, new information about the past 90 plus days of someone's life as viewed through their computer activities and, more than ever before, people's entire lives and their private lives are reflected in what's shown on the screens of their computers. Maybe that makes scrolling back through their recorded lives compelling, I don't know.

But we know from Microsoft that it will be snapping video conference content on the fly and, as I mentioned, the Windows Signal app that goes to extremes to protect the contents of its chats would presumably be captured, unless you're able, as I mentioned before, and they sort of suggest you can, to tell Recall, don't record specific applications. So you probably want to turn that off, or maybe you trust Microsoft and it'll be part of your scroll back. But, you know, email screens and nearly everything that happens on a PC would be captured, and of course that's the point, right? But the vast majority of that content will not have been stored on the machine's hard drive ever until now. So, objectively, the presence of Recall clearly introduces a new, never before existing liability, and that's what everyone who talks about this sees as a potential for creating havoc where none existed before. So the question, it seems to me, is whether the new value that's created and is returned by Recall's scrolling usage history justifies whatever new risk might also be created by its retention of that data.

How useful will having all that actually be? I've tried to imagine an instance where I wish I could look back in time at my computer screen. I suppose I don't feel the need, since I've never had the option. So if I knew I could scroll my computer screens back in time, I suppose it might be an interesting curiosity, but it really doesn't feel like a feature I've been needing and missing until now. I suppose an analogy would be that the world had no idea what it was missing before the creation of social media, and hasn't that been a big boon to mankind. Now, unfortunately, we seem unable to live without it. Perhaps this will be the same. The bottom line is, I think we're just going to need to live with this thing for a while. We're going to need to see whether this is a capability desperately searching for a need, or whether, once people get used to having this new thing, they start thinking how did I ever live without this? However, one thing that is also absolutely objectively true is that everyone will be carrying around a 50 gigabyte privacy bomb that they never had before. Maybe it'll be worth the risk. Only time will tell.

Oh, and Simon Zarafa posted a tweet from someone who has been poking into Recall's storage. He's detective at mastodon.social, who wrote, can confirm that Recall data is indeed stored in a SQLite 3 database. The folder it's in is fully accessible only by SYSTEM and the Administrators group. Attempting to access it as a normal user yields the usual "you don't currently have permission" error. And he said here's how the database is laid out for those curious. And he said, figured you might appreciate a few screenshots.

So I put one in the show notes and, sure enough, it's got DB Browser for SQLite and shows the layout of the table with all of the various components, you know, window capture text index content, window capture text index data, window text, doc size and relations and all kinds of stuff. So anyway, I guess what this means is that, if nothing else, if that data should ever escape from anyone's PC, it will not be difficult for anybody who gets it to open it up and browse around in it, because it's just a SQLite 3 database. And, Leo, you know, I guess, you know, if search really worked and you were able to search on something that you remember but you didn't write down or didn't record, didn't save, but it was just like right there at your fingertips and bang, it popped up and showed it to you. Uh, I guess I could see that that could be compelling. Um, yeah, I mean, I want to have.

2:00:01 - Leo Laporte
Uh, the late Gordon Bell passed away last week. He used to wear around a camera. His wife Gwen, I knew them both, wonderful people, had severe Alzheimer's, so he became very aware of the idea of remembering things, and I can't remember what he called it, the Mehmet or something, but this was '96. This was way before there really was the technology to do this, but it would take a picture every 20 seconds and his theory was I would like to have, I mean, this is not just recall of your Windows desktop, but of everything that you could then search and query. And now there are.

You know, I just bought something called a Limitless pin that should come in August. It's a little lapel pin that records all your audio and then feeds it to an AI so you can query it. Things like that. You know, Steve and I were talking and he mentioned a router from a German company. I can't remember the name of it. What was the name of that? The name was France. You can see that that might be useful. There are absolutely privacy issues with this. In fact, that Limitless pin won't record somebody's voice unless you get explicit spoken approval to do so, which is very interesting voice printing, so it's doing voice recognition instead of just being a generic audio recorder, but then once they say yes, then it will say Steve said, Leo said, that kind of thing.

I don't, you know what, this is very early days, but you nailed it. There is potentially some use for this, but there's also a downside, many downsides, yeah, and so.

2:01:36 - Steve Gibson
I think it's a trade-off like anything else. Is this so useful that it's worth carrying around the last 90 days plus of everything that your computer screen showed? And that's the other thing, Leo, you're not going to want to not record chunks of your screen. Like you would probably not want to not record, I'm sorry, you would want to record Signal because you'd want to be able to have it. Yeah, exactly, exactly. So the tendency will be to record everything and trust the force. Unfortunately, that's Microsoft.

2:02:21 - Leo Laporte
It's a challenge. I mean, this is really a challenge. I would not turn on Recall, partly because of the burden, the strain it puts on the system. Seems like a bad idea.

2:02:32 - Steve Gibson
Well, yeah. I have a feeling that our audience will not be among the first adopters, right? I mean, some will. I'm curious, and as I was thinking about this, I thought I will be interested in hearing, you know, to hear Paul. Lord knows he's not a pushover. So if Paul Thurrott says, hey, this is the greatest thing since, you know, bananas, sliced bread, you know, whatever. Yeah, we'll watch what plays.

2:03:03 - Leo Laporte
I mean, you've searched through your, I have searched through your browser history, right? I can't remember what was that site, and you go through your browser history. That's what browser history does, except it's just recording websites you visit, just the URLs. Might be more useful if it recorded the content, and then maybe if all your apps did the same, and you can see how you can slide into this. Yeah. Content.

2:03:28 - Steve Gibson
There was an app back in the DOS days and I've tried to remember what it was. It would take little notes, and so you could easily create a little text window and type some text in. Yeah, and it just went into a big pile.

But as well, as you typed, uh, I think it was a TSR and you would bring it up full screen and it would be this blizzard of little overlapping, yeah, like Post-its, but then as you typed a few characters, all the ones that did not contain that substring disappeared, and it was compelling to be able, like anything you thought you remembered, you could just type a few characters and it would whittle it right down. There was X.

2:04:17 - Leo Laporte
Do you remember X? Uh, that was the idea of X, was a super fast, it was, but that wasn't like what you just described. But the idea was it indexes, just like Windows does, but faster and better. Indexes everything on your drive and then you type one letter, finds everything that matches that. Two letters, three letters, it's that progressive search. So you could very quickly. X was very, very fast. It was very cool. What happened to it? It's still around. I think they went, uh, they.

2:04:45 - Steve Gibson
They became an enterprise tool. Okay, well, and it's built into Windows now, so you know. Yeah, um, yeah, but Windows doesn't do it as well as X did.

2:04:55 - Leo Laporte
It was, it was before Windows, even when X, uh, did it, it was a search, uh, a smart search tool. What was the name of that DOS program?

2:05:04 - Steve Gibson
I know exactly what you're talking about. Yeah, it was, and I've tried to remember it, and it was like Instant Recall or something like that.

2:05:11 - Leo Laporte
Oh, that sounds familiar. Yeah, no, this is X. That's the wrong X. This is the problem with the word X, it's not a good search term.

2:05:21 - Steve Gibson
Not easy.

2:05:22 - Leo Laporte
No, that was a dumb thing for Twitter to get renamed to. Not the only dumb thing Elon's ever done. That's interesting. I want to know this Instant Recall thing. I want to think, I think it was written by Phil Katz. Oh well, there you go. Yeah, he was a genius.

2:05:40 - Steve Gibson
The PKZIP guy. The PKZIP guy.

2:05:43 - Leo Laporte
Yeah, huh, yeah, recall 11.

2:05:52 - Steve Gibson
It was called Recall, just Recall. I think so Wow.

2:06:00 - Leo Laporte
I think so, memory resident. No, it's a command line editor and history utility, that might be it.

2:06:10 - Steve Gibson
No, this thing was definitely it. It was little notes, it was not a command line. Okay, history, that does sound like a DOS command line.

2:06:16 - Leo Laporte
Yeah, history, but yeah, huh, yeah, somebody will remember and they'll message you on your new email platform. Yay. How do they do that? Again, they go to GRC.com.

2:06:28 - Steve Gibson
/mail, GRC.com/mail, or just GRC.com, and then a little white envelope up at the top of the screen. They have to get whitelisted though. Yes, exactly. So, GRC.com/mail.

2:06:44 - Leo Laporte
Okay, and there it is, and I put in my email. Yep. And then it just sent me an email. Okay, and then I confirm that that's my email, which no spammer would ever do. So right there, you've eliminated spammers. Correct. Yeah, and so you.

2:07:01 - Steve Gibson
You click on the email that comes, it's very attractive, and you click on the little button that you get and it takes you to your subscriptions page. Uh, and you can put your name in, if you want, so that I address email to you by name.

2:07:14 - Leo Laporte
Well, there it is. There it is, very attractive.

2:07:17 - Steve Gibson
Nice choice of colors, Steve. Well, I need to think about that. The black on white, it looks much better on a white background. Ah yes, I'm a dark mode man. Okay, so now you know better than clicking a button in email.

2:07:32 - Leo Laporte
So what I'm going to do is a smart thing, which is copy it.

2:07:34 - Steve Gibson
That's right. I gave you the link, and paste it in. I gave you the link, so I know. Yeah, GRC.com/manage.

2:07:41 - Leo Laporte
Yeah, that looks good. Okay, and now I can choose if I wish to subscribe, but I don't need to. Oh, look, you can subscribe to Security Now. Oh, I definitely want product news. Oh, and GRC news. Okay, my name, Leo, yes, and I'm going to update my subscriptions. So now I can email you from this address.

2:08:07 - Steve Gibson
Correct, and now, if you get the mail again, you'll see the confirmation that was sent, which is also very pretty. Okay, look at that also.

2:08:12 - Leo Laporte
You know, let me get out of dark mode so I can enjoy. Yeah, it's fresh, pretty, and the beauty of what you're doing here. Of course, I've been in dark mode so long I have no idea how to get out of it, how to turn it off. How do you turn this off here? I don't know. I think I have to go to system settings and I go, let's be light. Light mail.

2:08:35 - Steve Gibson
Oh look, how pretty that is, Steve. Gorgeous. I show, I address it by name. Show you your email address and which list that you're subscribed to. Nice, very nice. That's all there is to it. And so now you are whitelisted and you can send email to securitynow@grc.com.

2:08:55 - Leo Laporte
And that's where you should do your feedback, go through those steps and you can have a nice conversation, a nice chat with Steve.

2:09:02 - Steve Gibson
Yeah, and I don't know what's going to happen with Twitter. As I said, it's easy for me to post the weekly notes there. You should keep doing that. I'm beginning to get a lot of spam, so I guess I don't see any reason for it any longer.

2:09:18 - Leo Laporte
I've been gone more than a year and I don't miss it. Good, good, very nice. Now, while you're at GRC.com, don't stop there. Do that GRC.com/mail, but you can also find Security Now there. He's got the normal 64 kilobit audio file, but he's also got a 16 kilobit audio file because he likes powers of two, and that way you can listen without a big download. You can all do like, yes, you do, of course you do, who doesn't, who doesn't? You can also get a transcript there, written by a person, a human named Elaine, who does a great job. GRC.com.

While you're there, pick up a copy of SpinRite. 6.1 is out, it's official. You know, it's funny. We talked about it for so long and then you released it and it's kind of, but we should say it's out. It's out. You should get it. World's best mass storage performance improver, maintenance thingamajig and recovery utility. It does it all. And if you have a hard drive or a storage device of any kind, including, by the way, SSDs, it actually turns out it really does a great job with SSDs. Get SpinRite from GRC.com. He's got lots of freebies there, like ShieldsUP! and all sorts of good stuff too, so browse around. You can also get the show from our website. We have the same 64-kilobit audio, but we also have video. You can see Steve's smiling mustache, which, by the way, is getting a little gray. It's getting grayer, by the way.

2:10:46 - Steve Gibson
It's getting a little gray. It's getting grayer by the day. Yeah, when the eyebrows go, then you know. I know, I've been preserving my eyebrows.

2:10:52 - Leo Laporte
I don't dye them, yet. It is, it's that's the last to go, isn't it? Yeah, yeah, yeah, uh, hey. Who would you rather listen to? Some callow youth of 26 with jet black hair, jet black mustache, beautiful eyebrows, or a guy who's been around the block a little bit, right? Expertise, my friends, that's what he's got.

2:11:16 - Steve Gibson
I am not insecure about my age. Who is? Well, many are, it's all working.

2:11:22 - Leo Laporte
No, you and I are very happy. We're glad we are where we are and that's the only way to be. What else should I tell you? Oh, you can subscribe to the show. Easily done, just find your favorite podcast client and search for Security Now. Since we've done 976 episodes, they should all know about us by now.

You can also watch on YouTube. There's a YouTube video. Actually, you can watch us do the show live on YouTube, youtube.com/twit/live, every Tuesday right after MacBreak Weekly, roundabout 1:30 Pacific, 4:30 Eastern, 20:30 UTC. We stream it while we're doing the show live so you can watch. Club TWiT members can watch what happens before and after because it's continuous streaming in our Discord club. It's worth joining. It's a great group, smart people. If you like this show, you will love the people in our club Discord.

You get ad-free versions of this show and all the other shows we do. You get video for every show, including Hands-On Macintosh, Hands-On Windows, The Untitled Linux Show, uh, Home Theater Geeks, you get video for those. Normally you just get audio, right, so you get the video too. You get to participate in our events. We've got Stacey's Book Club coming up in a couple of weeks.

Um, it's just, and also really it just helps us out. It's really about the only way we know of to make up for a huge downturn in podcast advertising in general. It's too bad. You say, well, wait a minute, you got four ads. Yeah, but I was just talking to Lisa. Those ads, that's about, it costs about one sixth what it used to cost to get an ad on Security Now, so you can have four ads, but that's still less than one ad a couple of years ago. So that just tells you something. It's just the way the market is. But your $7 a month makes a big difference. $84 a year. That's all. Go to twit.tv/clubtwit. Join the club. We'd love to have you. Steve, have a wonderful week and I will see you next time.

2:13:20 - Steve Gibson
Will do and I'll see you in June. 