Security Now 978 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for security. Now. Steve Gibson is here. He has a rebuttal to Microsoft's rebuttal to last week's accusation. All about Microsoft, recall. He still says it might want to hold off on that one. Apple gets a password manager. Is it good enough for government work? We'll also talk about the use of AI and coding. Is AI going to kill the future of code and what Microsoft did when they had a little error? That's ended up becoming a very useful tool to go after bad guys. It's all coming up. Next on Security Now Podcasts you love From people you trust.
0:00:45 - Steve Gibson
This is Twit.
0:00:49 - Leo Laporte
This is Security Now with Steve Gibson, episode 978, recorded Tuesday, june 11th 2024. The rise and fall of codemicrosoftcom CodeMicrosoftcom. It's time for Security Now, the show you wait all week for. As Steve says, it's Tuesday, it must be Steve Gibson, hello Steve.
0:01:14 - Steve Gibson
Hey Leo, we were out walking with some friends around the neighborhood yesterday and there's like three long legs of our community and after doing two of them, we all started down the third and I said, well, no, it's podcast night. I got to get back to working on the podcast. I love it. So I got the walk was cut short and Laurie had been pushing me to start earlier on Mondays because I was. I would be trying to get work done through the mornings but invariably it would creep into the afternoon and then I'd be like, oh shoot, I should be further along. So now I'm just not even trying to get anything done on Monday except work on the podcast. Now that's the driving force. We're seeing the result of that today, because we have 24 pages of show notes as a consequence of me having gotten an extra early start yesterday. Now, normally the people who listen to us at 1.5x do so because I kind of plot along. There'll be no plotting today because we have a lot of ground to cover. So if you are hearing me at 1.5x and wondering why I seem to be going a little faster than usual, you might want to consider dropping down to 1x and hearing it at normal speed.
We got a bunch of things to talk about on today's podcast 978 for Patch Tuesday and I am for Patch Tuesday and I am mourning the fact and, if one of our listeners is listening, someone tweeted me a couple weeks ago a picture of a pipe that just had patches all over it like crazy and silver like screw-on straps and it looked like this thing was on life support. I thought that is the most perfect picture of the week for Microsoft Patch Tuesday, but I don't know what happened to the picture. We don't have that, so maybe, if the person is listening, you can send it to me again, because and I'll hold it for July's Patch Tuesday we're going to talk about something really interesting, which is I titled this the Rise and Fall of CodeMicrosoftcom, which everyone would recognize as a subdomain, the code subdomain of Microsoftcom. But what they essentially? The way what happened started was with an architectural failure, the scope of which I can hardly grasp. I have no idea what's going on up there in Redmond, that that what I will describe could have happened, but it did. But they turned it around. I mean, they still have some problems to solve, but they managed to repurpose this mistake into something that ended up creating a ton of intelligence for them.
Collecting a ton of intelligence Anyway, we're going to have a lot of fun with that. A ton of intelligence Anyway, we're going to have a lot of fun with that. But first we're going to talk about how Microsoft has responded to the tidal wave of criticism that they've received over recall. And what about Google? Who else recently lost control of their data? Apple devices will be getting a password manager. What? What about iCloud? I thought we already had that. Is that a drone recording a wedding? Or is that the Chinese Communist Party surveillance device?
Ai today and their choice of language. And if AIs can code, which they seem able to do, then what's the career future for programmers? We have some feedback on that. Also, why has the Linux kernel project suddenly begun spewing CVEs in great number? Will we be able to order pizza in the future, or should we just give up now? Or maybe order all your pizza today and, you know, freeze it? What did one listener discover when he attempted to register his new PassKey devices across the Internet? And, as I said, how did a stunning mistake at Microsoft turn into a gold mine of attacker intelligence? So, not a slow podcast today for the second podcast of June.
0:05:59 - Leo Laporte
We know Microsoft never makes any mistakes.
0:06:02 - Steve Gibson
Oh, leo, wait till you hear this one. Oh I, just when I read this, I thought and this is from them, this is their own blog posting. Somebody confessed this, which I first of all I thought, oh uh, but like, really, well, anyway, I will get there, we'll get there it's stunning.
0:06:21 - Leo Laporte
I know we got 26 pages, so let me hurry up here and tell you about our first sponsor of the show today, a wonderful company I've been using for some time, mileyo Photos. This is, I think, their first time on Security. Now. Now, because it's Security, now I want to tell you a little bit about Mileyo Photos. It's a photo storage, actually document storage photos, videos and documents that backs up everything you've got, puts it on every device you have, but, most importantly for you our SecureNow listeners is absolutely secure. It does not use the cloud. If you don't want it to, and if you do, it's up to you it encrypts it. Steve calls it pre-egress encryption. We'll call it pre-internet encryption. For the purposes of this, many of us rely on our clouds right for digital day-to-day many apps and services, but they're just not protecting our data as we should.
It's one of the reasons, one of many reasons I am a Mileyo Photos Plus user. I have according to this this is Miley 211,274 images and 211,000. And does it bog down? No, it is a place to store them. It's automatically doing face recognition. I say who everybody is. At first you know that's my wife, that's my kids, and so forth, and then it goes through all the rest of the images, matches them beautifully. I also tell it a few things about location, but then it finds it says pictures of churches, pictures of churches near an ocean, pictures of fish, pictures of fish coming out of the river. It's amazing. It is the best photo categorization tool ever.
Miley of Photos Plus gives you a single consolidated library for photos, videos and other files on your Mac, on your PC, on your Android, on your iPhone, everywhere, and I have it everywhere. It's smart too. You could say I just want thumbnails on this one, I want originals on the one with the biggest drive and, of course, when you download from the thumbnail, you can download the original at any time. You could do some editing in there. It makes it effortless to curate, to protect, to organize and sync your files from anywhere. Even social media pulls in, from Instagram, from Facebook.
I got all my photos off of Google. I did Google takeout on my Google photosos. Myleo Photos Plus automatically imported it and then de-duped it. You may say well, 211,000 photos, leo, you must have duplicates. No, not one, because MyLeo has the best de-duping and the best part of it is the files stay on my local devices, not on distant servers. Now there is a MyLeo Photos for Synology, so I actually do have MyLeo Photos copying to my NAS for backup, but you don't have to. In fact, myleo Photos even supports your existing folder structure, but it does make it much easier to search, curate and organize your media across all devices.
It's a privacy-first storage solution that keeps your data local, easy to access, but also ensures you never lose a file. They do have cloud backups. It will work with Google Drive or Microsoft's cloud or your network attached storage, but they're entirely optional and before it ever goes up to the internet, myleo Photos Plus automatically encrypts your data so that no one can see it, but you Even the platform's powerful AI capabilities all that categorization entirely on device. You're not getting data mined and you know there are companies now who are saying oh yeah, by the way, if you use our cloud, we own your photos Adobe, not Miley, though, because you're not using their cloud.
Your photos are your photos. You could tag, you could search for photos using face recognition amazing object recognition dogs, cats, but also schnauzers. It really narrows it down. You can use metadata like date and location, and none of it is shared unless you want it to be. You've got to love this. It is the most amazing app. So here's my photos. I could prove 211,000. I can look at my local sync policy. So wherever I want optimized quality or original quality, I can also and I love this send it to my family history. They support family search.
This is a free service. It supports the LDS library so you can easily get stuff up there. It supports all the photo formats. It does location. In fact, I can even pull up a map of where all my photos have been taken. 46,000 photos have GPS out of the 211,000, and I can pop, jump right to that location. I can just go on and on.
This is the best tool ever. Not just photos. It does OCR on documents. It takes videos to most important for you the security. Now listeners, it's privacy. First. Get it today. Miley O photos plus. To help you get started, we've got a great offer. Your first month is free. It's $99 for your first year of Miley O'Photos Plus. By the way, I immediately subscribed because I thought this is too great, but we've got a special deal right now. Your first month is free at myliocom slash twit. You've heard me talk about this. I suspect I can go on and on. This is one of the deepest pieces of software I've ever used and it gets better. Day by day they add new features. There's no way I could tell you everything you can do in one ad. Check it out, it is amazing. Mileyo Photos at MileyOcom slash twit. I don't know how to recommend it more entirely and wholeheartedly. It is amazing. It's where I store everything. Now All right back to speaking of photos. Your picture of the week, steve.
0:12:13 - Steve Gibson
So we've had endless fun with these bizarre pictures of, like a gate blocking a path where there's, like, open grass on either sides of it. It's like what, what, like what, just just just like. What were they thinking? Anyway, somebody had fun, uh, over the microsoft recall issue, uh, and actually relative to their most recent uh update, this is titled Microsoft Recall, and then it shows us one of the pictures that we've shown before a bright yellow gate in the middle of a walkway, but, you know, with actually some it looks like there actually is footpath traffic on either side because the grass is, you know, padded down and a little brown. Anyway, at the bottom it says, referring to this gate don't worry, it's encrypted.
Oh no, yeah, right, right, and we'll have. Well, actually, right now, last Friday, mary Jo Foley yes, right, our Mary Jo of Windows Weekly fame. She tweeted Microsoft, bowing to growing security centric criticism, is making some tweaks to its coming Windows 11 24 H2 recall app. The first copilot plus PCs are still on track to start shipping June 18th. Ok, now today's June 11th, so that's one week from today, folks. And she said, and the tweaks are slated to take effect by then too. Okay, so she was referring, of course, to a Microsoft Windows blog. That is when she said Microsoft, bowing to Security Center concerns posted by the corporate vice president for Windows Plus devices. So it appears that Windows Plus devices are a category, so that would presumably mean Copilot Plus.
Anyway, this guy posted under the title Update on the Recall Preview Feature for Copilot Plus PCs and, as Mary Jo noted, this is clearly in response to the security industry's reaction over the previous three weeks to the privacy implications that would be present. My contention is and I'll be echoing this a couple other times today in any system that aggregates for all time everything a user does on their PC Okay, and I'll have a little more to say specifically about that in a moment, but first let's hear from Microsoft, since a lot of the danger recall represents is reflected by Microsoft's attitude toward recall, I want to share this VP's entire post. It's not very long, but it's important that their attitude be seen. So bear with me at the start, since it's pure Microsoft marketing speak. Anyway, everyone will recognize it as such. He wrote. Today we're sharing an update on the recall feature in preview for Copilot Plus PCs, including more information on the setup experience, privacy controls and additional details on our approach to security. On May 20th, we introduced Copilot Plus PCs, our fastest, most intelligent Windows PCs ever.
Copilot Plus PCs have been re-imaged from the inside out to deliver better performance and all new AI experiences to help you be more productive, creative and communicate more effectively. One of the new experiences exclusive to Co-Pilot Plus PCs, thank God is Recall, a new way to instantly find something you've previously seen on your pc. To create an explorable visual timeline, recall periodically takes a snapshot of what appears on your screen. These images are encrypted, stored and analyzed locally using on-device AI capabilities to understand loosely termed their context. Okay, he says. When logged into your Copilot Plus PC, you can easily retrace your steps visually, using recall to find things from apps, websites, images and documents that you've seen operating like your own virtual and completely private photographic memory. You're always in control of what's saved. You can disable saving snapshots, pause temporarily, filter applications and delete your snapshots at any time.
As ai becomes more prevalent, we're re-architecting Windows. Okay, really Like there are dialogues from Windows 95 that pop up every so often in Windows 11. So right, all we've ever seen is some, you know, paving over the previous pavement, which was over the pavement before that, and so on. So okay, so okay. Re-architecting Windows to give customers and developers more choice to leverage both the cloud and the power of local processing on the device, made possible by the Neural Processing Unit, the NPU. This distributed computing model offers choice for both privacy and security choice for both privacy and security. All of this work will continue to be guided by our Secure Future Initiative, sfi.
Our team is driven by a relentless desire to empower people through the transformative potential of AI, and we see great utility in Recall and the problem it can solve. We also know for people to get the full value of the experiences like recall, they have to trust it. That's why we are launching recall in preview on Copilot Plus PCs to give customers a choice to engage with the feature early or not and to give us an opportunity to learn from the types of real-world scenarios. Okay, so, under the subhead of listening to and acting on customer feedback, he wrote, with that in mind, we are announcing updates that will go into effect before the recall preview ships to customers on June 18th. So like, as Mary Jo said, right now, before next week, the setup experience of Copilot Plus PCs to give people a clearer choice to opt in to saving snapshots using recall. He said, if you don't proactively choose to turn it on, it will be off by default. So that's a big change and that matters.
The flip side is how much does it really matter? You know, we've seen how persistent, seductive and eventually forceful Microsoft can be when they want to push their users in a certain direction. It's not that difficult to imagine that, while the user might need to switch it on, microsoft will not be cautioning the user about the system's inherent dangers. Rather, they will be promoting the benefits and touting encryption, locality, security and all the rest. I believe the upshot will be that users will turn it on, if nothing less just to see what it's about, because microsoft will be making it very appealing, but still, if nothing else, having people turn it on probably gets them off the hook when things go wrong, after all. Well, we didn't ship it with it on, you turned it on and it's like yes, because you told me to. Okay, anyway.
Second, windows Hello enrollment is required to enable recall. In addition, proof of presence is also required to view your timeline and search in recall. Okay, so these are all good things, right. They've created additional hurdles, barriers, requirements in order to gain access to this. And I'll just note through the front door, like gain access the way you're supposed to. They're not talking about gaining access the way you're not supposed to. We'll see how that turns out. And third, he said we're adding additional layers of data protection, including just-in-time decryption protected by Windows Hello, enhanced sign-in security. So recall snapshots will only be decrypted and accessible when the user authenticates, on the other hand. Okay, anyway. Finally, he said in addition, we encrypted the search index database, which wasn't originally decrypted. So finally, he says secure by design and secure by default, in line with Microsoft's SFI. That's the secure initiative thing.
Principles before the preview release of recall to customers we're taking steps to increase data protection customers. We're taking steps to increase data protection. Copilot Plus PCs will launch with just-in-time decryption, protected by Windows Hello enhanced sign-in security. So recall snapshots will only be decrypted and accessible when the user authenticates. This gives an additional layer of protection to recall data, in addition to other default-enabled Windows security features like SmartScreen and Defender, which Windows Defender was so slow to recognize that the InfoStealer had already successfully exfiltrated the user's entire recall history before Defender woke up and shut it down. So again, the problem is Microsoft's heart being in the right place doesn't help anybody, because Windows, as we know it's not an exaggeration to say riddled with vulnerabilities, because more than 100 are being fixed today in today's Windows update.
Okay, anyway, he said we also know the best way to secure information on a PC is to secure the whole PC itself. Right, because that's been going so well. And he said we want to reinforce what has previously been shared from David Weston, vice president of enterprise and OS security, about how Copilot Plus PCs have been designed to be secure by default and share additional details about our security approach. You know, in other words, unlike all of our previous Windows systems, which really weren't all that secure, even though we've always told you they were, but oh, baby, this time we really and truly mean it, not like all those previous times.
So he said some notable examples of security enhancements include all copilot plus PCs will be secured core PCs bringing which you know, doesn't matter if the Windows that runs on it isn't secure but, he said, bringing advanced security to both commercial and consumer devices. In addition to the layers of protection in Windows 11, secured core PCs provide advanced firmware safeguards and dynamic root of trust measurement to help protect from chip to cloud, and that's a new phrase that Microsoft is using from chip to cloud, and that's a new phrase that microsoft is using from chip to cloud. But you know from what? Cradle to grave? Yeah, that's right.
Also, microsoft pluton security processor will be enabled by default. Oh goody keys, making them significantly harder to remove from the device, even if a user is tricked into installing malware or an attacker has physical possession of a PC. Again, unfortunately, making sure that a buggy operating system isn't altered before it boots or while it's booting doesn't help you once the buggy operating system is running. But at least it didn't get compromised before it booted. Who cares? Anyway, he said, all Co-pilot Plus PCs will ship with Windows Hello enhanced sign-in security. This provides more secure biometric sign-ins and eliminates the need for a password. Because, yeah, who wants those passwords when you can smile at it?
Okay, under the headline protecting your privacy on CoPilot Plus PCs we have in our early internal testing we've seen different people use recall in the way that works best for them. Blah, blah, blah. I'm going to skip all this because we don't have a lot of time, and this is just all same stuff. He's basically saying okay, we heard you. We're going to turn it off by default. We're going to seduce people to turn it on, but if they do, it's their fault, not ours, because after all, they were the ones who turned it on. And oh, baby, you know this is the most secure thing we've ever made.
0:27:13 - Leo Laporte
So again as.
0:27:14 - Steve Gibson
I said, we've always told you that. Remember Bomber jumping around on stage about Windows XP, which turned out to be the worst security of any operating system to date that they'd had anyway. So basically they're saying we heard you and here are all the reasons why we're going to keep doing what we were doing, except we're going to turn off by default as our get out of jail free card. Get out of jail free card. So anyway, we know that users will be impressed by the sounds of all this security and I have no doubt that users are going to want to have the power that this provides. Don't get me wrong. I mean, I get it.
This is a seductive feature and that's part of why this is a double-edged sword, you know. Make no mistake about it. This is powerful, but it's because it's powerful that it's also so dangerous and brings the potential for great harm. Will that harm come to pass? Well, we'll be here to see. I should also note that I've been asked by a number of our listeners whether I would consider creating some sort of utility that absolutely positively guarantees that recall is not running on a machine. We'll see how all this goes, but I am inclined to do so, and if so, I know what I'll call it, and.
0:28:51 - Leo Laporte
Leo, I will make sure you're not sipping coffee when I reveal its name. Okay, I put the coffee down, okay.
0:28:55 - Steve Gibson
Because, yeah, and you'll have to center yourself over your ball because you're going to love this one. Anyway, we'll see how it goes. Kevin Beaumont also weighed in on Microsoft's revised explanation. He posted this on Mastodon. He said obviously, I recommend you do not enable recall and tell your family not to enable it too. It's still labeled a preview and I'll believe it is encrypted when I see it.
There are obviously serious governance and security failures at Microsoft around how this played out that need to be investigated and suggests they are not serious about AI safety, and I think that raises a really good point. It's like you know. They announced this and we saw Satya jumping up and down talking about how great it was going to be, and the entire security community had a collective meltdown. So that tells you something about, like why they need to have this in people's machines, which again comes back to my theory about what they're actually planning, which is that this will be used to train a some sort of high power local assistant. And again, I get it. I mean that would be so cool, but they've never demonstrated their ability to do anything like this safely. I should mention that Google, with their Chrome OS, is also in on the store everything that happens for possible later use bandwagon. Everyone can sense that there's huge potential here somewhere, so no one wants to be left out.
Last week, john Solomon, google's VP in charge of the Chrome OS, said that their so-called memory feature okay, they maybe talked to Apple about naming things. That's what they're currently unofficially calling it is different from recall. Okay, but then he describes recall. He says, because users will have control of how and where the memory feature works. Uh right, just like recall will offer. So not so different from recall. And after all, if you turn it off then you're not going to get it. So people are not going to turn it off, they're going to have it on if they want it and then suffer the consequences, if there are any. Anyway, google apparently already wants to distance itself from the stink surrounding the announcement of recall.
The New York Times on the topic of is it possible to keep secrets? Last Friday, 270 gigabytes of data belonging to the New York Times, which I'm quite certain the New York Times wanted to keep secure and secret and which those in charge of securing it were absolutely and positively certain was completely secure until it wasn't. You know, just like Microsoft is absolutely and positively certain they're going to secure their users' recall data until they don't. In the case of the New York Times, it got loose. An unknown threat actor leaked the New York Times source code as in all of it all 270 gigabytes of it after one of the company's IT guys apparently left a private GitHub access token in a public code paste token in a public code paste. The leaked data includes the source code of the company's entire public website, mobile apps and even, for those who are interested, its Wordle game.
The 270 gigabytes of data being made available on the dark web is mostly unencrypted. The hacker posted quote basically all source code belonging to the New York Times company 270 gigabytes. There are around 5,000 repos. Out of them, less than 30 are additionally encrypted. I think he said 3.6 million files total uncompressed tar, and I have a picture in the screen in our show notes, of the screen that was posted on the dark web with the series of links, so that you too can download 270 gigabytes and find out what the New York Times coders have been up to. The lesson here is that, unfortunately, mistakes happen. In fact, leo, were we to rename this podcast, it would be Mistakes that Happened.
0:33:59 - Leo Laporte
Yes, that's the whole show right there, you know, yeah, we've seen.
0:34:03 - Steve Gibson
we've seen stories of valuable exposed credentials sitting unnoticed for years, right where, like like, some hacker came along and saw that a credential had been posted publicly but nobody noticed it until now. One real concern for the future against the background of mistakes happen is that there may soon be, if there aren't already, malicious AI-driven bots scanning and rifling through the Internet looking for any fresh mistakes of value that anyone may have made. The point is, our world is changing right underneath us right now, and I'm not sure the good guys are winning. You know, this whole thing feels somewhat asymmetric, right? Because I mean, as we know, security is about a series of links and we keep seeming to add more links to the chain, any one of which, being defective, can break the entire strength of the chain. Again, it feels like an asymmetric fight that we are not clearly winning at this point.
0:35:22 - Leo Laporte
Pretty much losing, I think would be fair. All right, how about this? You can't recall or recall recall.
0:35:32 - Steve Gibson
Oh no.
0:35:33 - Leo Laporte
No better than that, I mean.
0:35:36 - Steve Gibson
I almost have to do the app, just so I can use this name. It is so good Recall what.
0:35:42 - Leo Laporte
Okay app, just so I could use this name it is recall what okay, I can't wait, it'll be fun.
Let's take a break, okay. Uh, security now is brought to you by delete me with everything we talk about on this show. Uh, it seems pretty clear that privacy is important to you, right? I'm not blowing smoke when I say that, but all you have to do is go out and Google your name, search the internet for your name, and you'll see how little privacy you actually have, and that's probably because of data brokers. The sad thing about data brokers is we still have yet to have a federal law making it illegal, which means it's completely legal for companies, including your ISP, every company you do business with, every site you visit, to share your personal data with these data brokers, and then these data brokers can completely legally sell it on to anybody who has the money, including foreign governments, our own government and attackers bad guys, you know. I know this happened. It happened to us.
Our CEO, you know Lisa reputedly sent out text messages to all her direct reports saying hey, I'm in a meeting right now. I need you to buy some Amazon gift cards for me and send them along to this address, because we want to give them to all the staff for holidays or whatever. Fortunately, her direct reports are smart and didn't fall for it. But it was completely fake and didn't fall for it, but it was completely fake. And the thing that was an eye-opener was whoever these bad guys were. They knew who Lisa was, they knew who her direct reports were, they knew her phone number. They knew their phone number I mean the information they needed to make this scam and it was all available online through data brokers.
We immediately signed up for Delete Me and I believe you should sign up for Delete Me. There is only really one good way to stop this, and that's for you to go out and delete all this data from data brokers. Each data broker has a form you can fill out the law requires it saying take me off your database. But there are hundreds of data brokers. Do you know who they all are? And, worse, as soon as you delete it, then they start repopulating it. Oh, that's you. Oh, we didn't know. We just started building an OCA on somebody else. It turned out to be you again. Well, there you go.
This is a problem for everybody, including everybody in your family. Delete Me now has family plans. Now I should say that, as the adult, you're the one who has to have the Deleteme account. A minor can't have it, but as the adult, as the administrator of your family plan, you can make sure everyone in your family is safe online, reducing risk from identity theft, from cybersecurity threats like I just described phishing, scams, harassment and more. Deleteme's experts will find and remove your data from hundreds of data brokers. Each member of your family can have a data sheet tailored to them so you can easily control what it is that is being deleted, what they should be looking for.
As the account owner, you manage the privacy settings for the whole family and then, as I said, deleteme will not only delete it initially, but they'll continue to scan and remove your information regularly. I'm talking everything addresses, phone numbers, emails, photos, relatives, social media accounts, property value. Protect yourself, reclaim your privacy. Visit, join delete me dot com slash twit. The offer code we have for you is twit T-W-I-T. That will save you 20% off all privacy plans, including that family plan that's joindeletecom slash twit. Don't forget the offer code T-W-I-T for 20% off. This is something we did immediately because it was just obvious we had a problem. If you're a business, you should have Delete Me for all your managers. It's vital to your security. Joindeletemecom slash tweet the offer code TWIT gets you 20% off. All right, steve, let's continue on.
0:39:54 - Steve Gibson
So and I know you'll have something to say about this one, leo During yesterday's Worldwide Developer Conference or the kickoff, apple introduced their forthcoming Passwords app. Now, of course, apple users have long been using their iCloud account to store and sync their passwords among their devices, but what was going on wasn't super transparent, you know. It just worked, but without a clear and clean UI it was. You know it was necessary to dig down into the control app to locate a sub page. So the passwords app that will be included in the next major release of their OSs so that would be iOS 18, macos Sequoia and Vision OS 2, will provide a UI for Apple's storage of this information, will provide a UI for Apple's storage of this information. Now, since this is not ever going to be a cross-ecosystem solution, you know it's Apple only.
0:40:52 - Leo Laporte
It's Windows too.
0:40:57 - Steve Gibson
Yeah, and I heard you say something about iCloud for Windows password app. Anyway, I'll just finish and say that those of us using Windows, linux or Android will likely remain with whatever cross-ecosystem solution we're using today. Yeah, but this move does create an explicit and native password manager for Apple OSs for the first time, and if someone is 100% pure Apple world, it likely offers everything anyone would need. It also incorporates clear pass keys management and a built-in one-time password style authenticator, since I'm currently using OTP Auth as my one-time password authenticator of choice. You know, I'll look at what Apple has to offer once I upgrade my iphone to something that'll run ios 18. I think I'm stuck back on 12 or something right now. But but uh, so, leo, what is what I hear? That you guys using the word sherlocked. Where did that come?
0:41:55 - Leo Laporte
from so way back in the day I mean I think this is 20 years ago there was an app called sher Sherlock that let you find files on your device. It was really good. You could, you know you'd make an index and you'd Sherlock and you could find anything on your hard drive. Then Apple released something it calls Spotlight and Sherlock was out of business overnight. And so, ever after, when Apple introduces a product that duplicates functionality of a third-party product and essentially puts them out of business, we call it being Sherlocked. And there were all I mean, obviously, 1password, bitwarden and other password managers.
0:42:33 - Steve Gibson
There's a Sherlock festival yesterday.
0:42:35 - Leo Laporte
May have been Sherlocked by these passwords, but it was just one of many, exactly yes, Now we've seen Microsoft do the same thing too.
0:42:43 - Steve Gibson
Right, like I was complaining that it took until Service Pack 3 for Windows XP's firewall to be enabled by default. Back at the time, remember, zone Alarm was my favorite firewall and there was a firewall industry for Windows PCs. And then, well, microsoft says you know, we're going to put a firewall in, but don't you worry, it'll be turned off by default. Well, it eventually got turned on. And I was just talking to a friend of mine the other day who was asking me if she needed to be still using McAfee and I said, oh Lord, no. I said you know, windows built in Defender is is really all anybody needs. And I explained that Microsoft does this. They they sort of create the capability, but they don't want to step on anyone's toes, so they sort of ease it into the world slowly.
Microsoft, I would argue, is a little less caretaking about that. They say, yeah, now we're doing that. So anyway, again, it makes sense for this thing to get moved in. So there is iCloud for Windows. How can you use a password manager for Apple under iCloud for Windows? Because I mean, it's just. I thought it was just folders.
0:44:07 - Leo Laporte
Oh, no, no, no. Icloud for Windows lets you do a lot of things, and including, I guess, now access your passwords. Actually, I think that's been around. It is not as elegant as a password manager. And remember, this is going to do passkeys, right. Password manager, uh. And remember, this is going to do pass keys uh, right, but I don't know and they didn't really say. I think the pass keys are hardware dependent, which means it seems unlikely pass keys would make it over to windows, but they might do what they do, what they do now, which is show you a qr code and then the phone that you have the pass key on you'd do the qr code. So you know, is it going to be as full featured as a standalone password manager? Probably not. That's often the case. Well, and and I'm multi-platform.
0:44:52 - Steve Gibson
So yeah, well, you and I won't use it.
0:44:53 - Leo Laporte
I can't. I'm android and windows and linux, but but again a lot of people and you know what I love this because it means a lot of non-sophisticated users will just do it, because it's part of the operating system it's built in.
0:45:08 - Steve Gibson
Yes, and I think the fact that they're showing it as a separate thing, you know, helps to raise people's awareness of passwords and the various aspects of passwords, like passkeys and one-time passwords and so forth. You know it, just you know. It brings it more to light, which has got to be a good thing. I saw some talk a while back about some congressional pushback on Chinese-made drones by DJI. You know those DJI drones are by far the best drone technology around. In advance of the US Senate's planned discussion of the so-called Countering CCP Drones Act, which would limit the use of Chinese-made drones in the US on the grounds of national security, tomorrow, June 12th, DJI will be disabling the ability of users in the US to sync their drone flight data to its servers, and the option to sync US drone data at all will be completely removed by the end of the month. All will be completely removed by the end of the month. So you know DJI is seeing what's going on with TikTok and this general sort of concern over what the Chinese Communist Party is doing with technology that US consumers are excited about, and so I'm sure they don't want to lose this market. So they're saying, OK, fine, we're going to strip this out of our devices, so I don't know what a problem that will be for DJI users, if being able to sync drone flight data to servers is a big deal, but it'll be gone by the end of the month. Okay, Another thing that, Leo, I think you're going to get a kick out of seeing, although you and I are not represented among these statistics.
Slashdata revealed some interesting developer statistics. They recently surveyed 10,000 developers from more than 135 countries. The question put to them was, quote how has AI affected your workflow? Okay, now let me first allow Slashdot to introduce themselves. They wrote if this is the first time you heard about Slashdata, did I say Slashdot, Slashdata? If this is the first time you heard about Slashdata, I'm happy to share a few quick words, writes the person who posted this.
Slashdata is a developer research company. Every quarter, SlashData runs a survey on the global developer audience to measure the pulse of the developer ecosystem and how they feel about new technologies, tools, platforms, the support from developer programs and more. Following the closing of the survey, our expert analysts work to identify key trends and translate raw data into actionable insights that professionals and companies addressing a developer audience can utilize to fine-tune their strategy and address developers' needs and wants. The 26th edition of the Developer Nation survey reached more than 10,000 respondents from 135 countries around the world. Slashdata announces the first two of the six report series that are coming widely available to the world, showcasing and diving into key developer trends for 2024 and beyond. Each report focuses on a specific topic. All reports published under the slate of the Developer Nation will be accessible under freshly launched slash data research space, free access for viewing and downloading.
Okay, so the first two chunks are interesting. The first is how AI has impacted development and the second is the ever popular which programming language do you use? So, first off, AI, they said how developers interact with AI technologies. Has AI taken over the world? Not yet, they write. However, it has already achieved a takeover of all our discussions about the future. Indeed, it has. And, they said, 59% of developers report that they're now using AI tools in their development workflows.
This report investigates the current landscape of developers' work with artificial intelligence technologies and how this impacts their careers. We start by looking at the ways in which developers work with machine learning models, tools, APIs and services, and highlight the key differences between professional and amateur developers. And they go on. So, on the AI front. We first have four broad categories and, Leo, I've got a chart at the top of page nine of the show notes. Four broad categories 59% report using AI in their own development workflows, 25% are adding AI functions into applications and 13% are actively involved in creating AI models. This leaves only 29% whose development work has not yet been touched by AI in any of those ways. Wow, so yeah, Among the 59%, so more than half and fewer than two-thirds, and I'm in that category.
0:50:55 - Leo Laporte
By the way, I have an AI that helps me with my coding. Yes, yes.
0:50:59 - Steve Gibson
Yes, so 59% who are now actively using AI tools in their development workflows. 42% almost half are using chatbots to obtain answers to coding questions. This is globally Out of more than 10,000 developers surveyed. 42% are using chatbots to obtain answers to coding questions, 27% are using development tools that have AI assistance built in and 19% are using generative AI to help generate creative assets. If coding was a Monday through Friday, nine to five, job, which I was doing to earn my living, where I was being judged by my own productivity against my peers, then yeah, I'd be quite happy to get quick answers to questions about how to do this or that from a chatbot AI, you know rather than searching around the Internet looking for someone like you know wherever on the Internet.
Stack Exchange is the name.
0:52:15 - Leo Laporte
I was just trying to remember.
0:52:20 - Steve Gibson
Stack Exchange who has posted something similar to learn from. I'd be happy to ask a smart bot. You know what it had found from previously doing essentially the same thing. There's no shame there and it's clear that many coders agree.
0:52:35 - Leo Laporte
I use it instead of flipping through manuals. Yes, almost universally. The stuff that's on stack exchange is useless, but but I still have to. I mean, I don't code enough to remember every, and the language I use is massive common list. So this is in lieu of looking through manuals. It's very useful, yep, very useful yep.
0:52:56 - Steve Gibson
So what's being um, so, so what's going on with the use of programming languages? I have a chart there at the bottom of page nine. The survey revealed that by far the number one language in use today is JavaScript. Oh yeah, that's for sure. Yep web programming. The current total is estimated to be 25.2 million JavaScript coders.
0:53:25 - Leo Laporte
Wow.
0:53:27 - Steve Gibson
With that number having grown by 4 million just over the past year. So 25.2 million JavaScript coders In the number two slot is python at 18.2 million.
0:53:44 - Leo Laporte
there's probably a lot of overlap too.
0:53:46 - Steve Gibson
I mean, nobody uses just one language, so right yeah right, python at 18.2 million, which is just a bit ahead of java of java at 17.7 million. In third place behind those top three three is C++ at 11.6, c Sharp at 10.2, php at a respectable 9.8 million, visual Development Tools at 7.2 million, followed by plain old C language at 6.5. Then, in steadily decreasing numbers, we have Kotlin, go, swift, rust, dart, objective-c, ruby and Lua. And you know, leo, there's no sign of Lisp or assembly language on this chart.
We're old-timers language on this chart. Old timers, what do you? What do you suppose? That means that neither of the two languages which you and I have chosen to use, lisp and assembler respectively, are in the running here.
0:54:52 - Leo Laporte
We're just smarter than the masses. That's all there is to it.
0:54:55 - Steve Gibson
I you know, I think part of it is that we're able to choose the language we most want to code in.
0:55:01 - Leo Laporte
That's right.
0:55:02 - Steve Gibson
We don't have any boss telling us or an existing code base that we're having to maintain in whatever language.
0:55:11 - Leo Laporte
Or colleagues who have to be able to read our code.
0:55:14 - Steve Gibson
Right, yep, yes, and neither of us are part of a team that would think we had lost our minds.
0:55:22 - Leo Laporte
But I also. There are very good modern languages that are on that list either. I think it really comes down to more trends, but also what your business is demanding of you.
0:55:32 - Steve Gibson
Yes, I think I mean that's I mean, for we already know. For decades, coders resumes have listed all the languages that they can.
0:55:41 - Leo Laporte
You know that they're proficient in Any coder should be able to write in any language if they're any good Right.
0:55:48 - Steve Gibson
Or be able to pick up a new one. Yeah, that's what I mean. You can yeah.
0:55:50 - Leo Laporte
Yes, yeah, all the concepts are the same.
0:55:54 - Steve Gibson
And that's where you know a chatbot can help you. Helps a lot, it's like, okay, helps a lot. It's like, okay, that's right. You know I'm not proficient in pearl, but I need to solve a pearl problem, so you know what, what, what, what regex do you, what would, would you expect to use?
0:56:08 - Leo Laporte
I've actually done it may not be right, but it it's a good place to start I've taken some python code that I didn't fully understand, given it to chat gpt and said what would this look like in lisp? And yeah, it wasn't perfect but it gave me a big head start on understanding what that code was doing.
0:56:24 - Steve Gibson
Yeah, yep. So the question is are we going to turn programming over to AIs? Well, eventually, I guess. Well, coding appears to be something that AIs may be able to do, you know, and it makes a sort of sense for code to be something that an AI might do. Well, because, after all, it's talking to a machine. So that begs the question what's going on at the university level with computer science education?
Business Insider published a piece last Monday titled With AI Writing so Much Code, should you Still Study Computer Science? And the subheading was. This New Data Point Provides an Answer. Now I realize that many of our listeners are well past university age, but many will have children, or perhaps grandchildren, who may be wondering whether coding has been lost to AI. So the author of this piece writes One of the most persistent concerns around generative AI is whether the technology will put workers out of a job. This idea is particularly caught on in the context of software coding. Github co-pilot can write a lot of code these days, so is it even worth studying computer science now? That's been a question on the minds of math-minded high schoolers since ChatGPT burst onto the scene in 2022. There's a new data point that helps answer at least part of this question.
Students are still lining up in droves to take computer science in college. Let's take the University of California, berkeley as an example, as this college is at or near the top for computer science, as it was when I was there in 73. First-year applications to UC Berkeley's College of Computing, data Science and Society CDSS. Now, that's not the college I was in. I was in WECS Electrical Engineering and Computer Science but we have CDSS, the College of Computing, data Science and Society. Anyway, first-year applications649 the previous year. So in one year, 48% increase, they said, whereas, for context, the number of first-year applications to UC Berkeley as a whole did not change much from a year earlier. So it was specifically the College of Computing, data Science and Society. This was announced last week by Professor Jennifer Chays, the Dean of Berkeley's College of CDSS, during the Joint California Summit on Generative AI in San Francisco.
Afterwards, business Insider got in touch with an interesting guy, john DeNero, a computer science teaching professor at UC Berkeley, to talk about this some more. Now, he's also chief scientist at Lilt, a generative AI startup, and he was previously a researcher at Google working on Google Translate, one of the first successful AI-powered consumer apps. Okay, so at this point the article quotes this John De Niro guy, and remember he's a teaching professor of computer science at UC Berkeley who's been working with AI at Google and is now the chief scientist at a generative AI startup. So the article continues In an email to Business Insider, john wrote Students quote so this is John speaking students be performed reliably by generative AI at this point and that I expect there will still be a central role for human software developers long into the future. A comp sci professor, teaching professor at Berkeley, who's also deeply steeped in AI technology. The article says De Niro explained that generative AI is currently very good at replicating parts of software programs that have been written many times before.
But what if you want to create something new? This is where smart human coders will still be needed. This makes logical sense, as AI models are trained on data. If that information doesn't exist yet or it's not part of the training data set, the models often get in trouble or, as we say, they just make it up. De Niro said quote generative AI requires a lot of thoughtful human intervention to produce something new and all consequential software development projects involve quite a bit of novelty.
That's the hard and interesting part of computing that currently requires clever and well-trained people. Generative AI can speed up the more mundane parts of software development, and software developers tend to adopt efficiency tools quickly. Unquote. So this applies to what's happening at Lilt, which is building an AI platform for translators. Google Translate first came out 18 years ago. They write and human linguists still have jobs and are relied upon when translations are really important. Google Translate to read a Japanese train timetable, but would you use the app to translate your business's most important contract without having a human expert check it out? Probably not, john said.
Quote. To reliably produce publication quality translations, human expert linguists are still at the center of the process, but by using Lilt's task-specific generative AI models, those experts are much faster, more accurate and more consistent. As a result, more text gets translated at higher quality into more languages. Unquote. And they finish. He expects the same pattern to play out in software development. And they finish. He expects the same pattern to play out in software development. A small team of highly trained human developers will have an even greater capacity to build useful, high-quality software. De Niro finished by adding and so future Berkeley graduates will have plenty of opportunities to use their computing skills to improve the world. Hopefully, some more of them will come to work at Lilt, and I got a kick out of that, because where better to recruit people for your own startup, your classes, yes, then teaching them and, you know, culling from the herd those that you want to have working for you. And, leo, it really does make sense. You know I'm weird, right? I mean, we already know email server from assembly language.
1:04:48 - Leo Laporte
Oh that sounds painful Because it is unbelievably painful. There would be absolutely libraries galore to do that in any higher level language.
1:04:57 - Steve Gibson
And there are none, no one as far as I know, it's not been done in Assembler? Yeah, but I like it and I also spend a lot of. You like it. Yes, I like it. And how many times have I written a super fast sword algorithm of one type or another? I've written them and I've rewritten them because I like it.
It's like it's like somebody who loves, like a woodworker, building chairs. It's like I'm going to make the net. The next chair I build is going to be better than the last one. But but I but you know, I'm doing, I'm coding because I want to, not because I have to.
1:05:39 - Leo Laporte
so it totally makes sense to me that that generative ai could be producing a bunch of the crap code that is has that people have already written, not the new stuff, which is where the fun really is for most people who you know don't like building chairs yes, over and over you can always buy a chair, but there's a satisfaction in building your own, absolutely yeah, yeah, and I would imagine anybody who's in a computer science program I would hope is is there because they enjoy it, because they like it. They're not just there to get a job skill, I mean, that's just, that's a nice side benefit it certainly is nice to be able to spend your life doing something you love. Do something you love, you'll be glad.
1:06:27 - Steve Gibson
Okay. So and this one affects you, Leo, as a Linux person In case any of our Linux users notice and worry about a sudden torrent of CVEs emanating from the Linux kernel project, I wanted to assure everyone that the problem is with the underlying issuing policies and is not reflective of any sudden collapse of the Linux kernel code quality, Linux's kernel code quality. Catalin Simpanou, the editor of the Risky Business newsletter, did some editorializing, but he drew the facts underlying his recent editorial from across the industry. So this is strongly based in what everybody who's looking at this going what the hell is going on is talking about. So I'm explaining this beforehand, since I wanted everyone to understand that this is, you know, not just one grumpy guy's opinion. Here's what he wrote last Wednesday Wednesday he said in February of this year, get this, the Linux kernel project was made an official CVE numbering authority. That's called a CNA, a CVE numbering authority with exclusive rights to issue CVE identifiers for the Linux kernel, to issue CVE identifiers for the Linux kernel. While initially this looked like good news, he wrote almost three months later this has turned into a complete and utter disaster.
Over the past months, the Linux kernel team has issued thousands of CVE identifiers, of CVE identifiers, with the vast majority being for trivial bug fixes and not just security flaws. In May alone, according to Cisco's Jerry Gamblin, the Linux team issued over 1,100 CVEs, a number that easily beat out professional bug bounty programs and platforms run by the likes of Trend Micro's Zero Day Initiative, WordFence and Patchstack. To happen with the Linux team laying out some weird rules for issuing CVEs right from the moment it received its CNA status. We say weird because they're quite unique among all CNAs. The Linux kernel team argues that because of the deep layer where the kernel runs, bugs are hard to understand and there's always a possibility of them becoming a security issue later down the line, he said, direct quote below quote this is the Linux kernel team note due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assigns CVE numbers to any bug fix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team. Wow, Wow, he says, and AMD issuing hundreds of CVEs with each firmware update.
These projects vet reports to confirm that bugs pose a security risk, before issuing a CVE and triggering responses with their customers, such as inventory asset scans and emergency patch deployments. In other words, CVEs have actual, real-world consequences. They're not just to be used casually, he says. Instead, the Linux kernel team appears to have adopted a simpler approach, where it puts a CVE on everything and lets the software and info security community at large confirm whether or not an issue is an authentic security flaw. If it's not, it's then up to the security and vulnerability management firms to file CVE revocation requests with the Linux kernel team that's responsible for the affected component.
Linux's new CNA rules also prohibit the issuance of CVE for bugs in EOL Linux kernels. You're turning me into a hollow man, All shit. I'm sorry for bugs in EOL Linux kernels, which is also another weird take on security, he said. Just because you don't maintain the code anymore doesn't mean attackers won't exploit it and that people wouldn't want to track it. The Linux team will also refuse to assign CVEs until a patch has been deployed, meaning there will be no CVEs for zero days or vulnerabilities that may require a longer reporting and patching timeline.
1:12:43 - Leo Laporte
I think they do not know what CVE means.
1:12:46 - Steve Gibson
Leo, that's nuts, I mean. It's like if we don't admit that there's a problem, then Google can't start a clock forcing us to fix it. Yeah, so we're not going to issue it for a zero day or vulnerabilities that may take a while to fix. Wow, I mean, you're right. It's like they don't at all understand what CVEs are for. Catalin said the new rules also create a confusing process of validating, contesting and rejecting CVEs. I'm not going to go into all of that, he said, since the venerable Brian Martin did a way better job back in February. Open source securities Bradley Spangler shared a real world example last week of why the entire process of analyzing, validating and revoking Linux CVEs is now a giant cluster F you know what of confusion and frustration Catalin said. We quote him. Quote to say this is a complete disaster is an understatement. This is why CVEs should be for vulnerabilities, should involve actual analysis and should provide that information in the CVE description, as any other responsible CNA would be doing. Unquote, catlin said.
Linux maintainer Greg Crow Hartman tried to justify the team's approach to its new CVE rules but, as expected, this has not gone down well with those in the InfoSec community. Criticism has been levied against the Linux kernel team from everywhere, and there have been some calls for the Linux team to reconsider their approach to issuing CVEs. The new rules were criticized right from the get-go. The likes of Katie Moussouris, valentina Palmiati, ian Coldwater, bradley Spangler, again and again and again, adam Schall, tiberius, the GR security team, the Graphene OS team and a whole bunch more foresaw the disaster that is currently unfolding. And if this isn't bad enough, the Linux kernel team appears to be backfilling CVEs for fixes to last year's code, generating even more noise for people who use CVEs for legitimate purposes. Some describe the Linux team's approach as malicious compliance, after the project was criticized for years for downplaying vulnerability reports and contesting CVEs assigned to its code by other CNAs. This may not be the case, as the new approach has some fans who see its merits, such as forcing more people to upgrade their kernels on a more regular basis, meaning, even if it's not necessary.
Quote the Linux CNA. This is quoting somebody he doesn't say who. The Linux CNA intentionally adopts an overly cautious approach and assigns a new CVE when in doubt. While this may surprise many, it is a perfectly legitimate and entirely honest strategy. In contrast, vendors of proprietary software often tend to take the opposite approach, minimizing the assignment of CVEs whenever possible. Effectively managing the substantial number of CVEs involves understanding your kernel configuration, having a clear threat model and ensuring the ability to update the kernel as needed. I hope that other large projects will eventually adopt Linux's approach. Unquote and Catalan finishes.
Unfortunately, all of this CVE spam could not have happened at a worse time. Just as the Linux kernel team was getting its CNA status, nist was slowing down its management of the NVD database, where all CVEs are compiled and enriched NVD database, where all CVEs are compiled and enriched. Nist cited a staff shortage and a sudden rise in the number of reported vulnerabilities, mainly from the IoT space. Having one of every fifth CVE being a Linux non-security bug is not helping NIST at all right now. So unfortunately, we depend upon CVEs to convey true problems that require remediation of some kind. Having the Linux kernel project spewing CVEs for non-vulnerability bugs really is an abuse of the system.
1:18:14 - Leo Laporte
Yeah, and they're creating a lot of noise which is obscuring the real security issues. Exactly yeah.
1:18:21 - Steve Gibson
Exactly, it has a real potential of just causing people. You know it's crying wolf, right. You're going to end up blunting the effect. What is not blunted, Leo, is the power of our sponsors.
1:18:38 - Leo Laporte
I like your thinking. I like where you're going there, mr G, we'll be back with more of Security Now and Steve Gibson in just a bit. The email bag is next. But first a word from our sponsor. One big think big. The world's changed, I think.
If you listen to the show, you kind of understand privacy and ai compliance. Both are here to stay. The regulations governing all of this are in constant flux. Everywhere in the world, new regulations emerging daily. Organizations are forced to embrace concepts like privacy by design, transparency, purpose limitation, data minimization, data subject rights. This is all well and good.
These are good things, but most mid-sized high growth organizations just don't have the time they need to focus on their job, on their core offerings. They neither have the time nor the volume of work to keep a full-time privacy and AI team busy. And even if they could, it's really hard to attract the top talent. You're competing against Microsoft and Facebook and Google. That's where OneBigThink comes in. With OneBigThink's services, it's the number one big think at onebigthinkcom. With One Big Think's services, you're guided by an experienced executive who becomes your data protection officer. He's got all the capacity and all the capabilities of a true DPO. That's an enterprise security leadership role responsible for overseeing data protection strategy compliance and implementation, to make sure that your company is compliant with GDPR, ccpa, cpra and so forth. The role of the DPO includes expert knowledge of data protection law.
You're going to see why it's so hard to find this person, by the way. You've got to know expert knowledge of data protection laws and practices. You've got to have broad and deep information, privacy, compliance and data processing skill sets across industries. A complete understanding of IT infrastructures, technologies, technical and organizational structures all in the industry, your industry. Organizational structures all in the industry, your industry. And then, of course, you've got to have excellent management skills, as well as the ability to interface easily with internal staff at all levels. I've just written the perfect job listing for your DPO.
Oh, let's throw in some AI expertise as well, right? Well, guess what? That's what One Big Think will do for you. You don't have to hire that person, you've got One Big Think will do for you. You don't have to hire that person, you've got One Big Think. One Big Think's AI compliance service is designed to integrate with your organization's privacy program and provide the required governance, compliance and assessment activities under all these new regulations. They'll even help you train your team, raise awareness and train staff on AI regulatory requirements and issues. This is a role you need to fill. This is a role that's hard to fill until you go to OneBigThinkcom to learn more about how to give your organization sustainable privacy and AI compliance. It's not optional anymore. Let's face it. You've got to go to OneBigThinkcom. That's the number one B-I-G-T-H-I-N-K OneBigThinkcom. They're there, ready and willing to help you so you can focus on your core mission and not have to worry about regulatory compliance. Onebigthinkcom Some ideas. Time has come Now back to Mr Gibson.
1:22:15 - Steve Gibson
Shtay Gibson yes, so GRC's email system continues to mature and I could not be more pleased with my decision to create a more convenient means for our listeners to send podcast feedback. Some listeners have noted that nowhere on GRC's website do I prominently display the email address securitynowatgrccom. That's true and that's also deliberate. It's clearly not a secret, since Leo and I will be mentioning it every week here, but to whatever degree is possible, I'd like to reserve inbound email to that mailbox for podcast feedback. There will be a temptation to send things to me that I already pay Sue and Greg to handle, so I'd prefer not to short circuit our traditional lines of communication. So once again, security now at GRCcom, and I imagine everybody can remember that I did want to let everyone know that after last week's podcast I improved GRC's email registration system to also accept email that's registered against a user's from header. The moment I made that change, all false positive rejections stopped. We haven't had a single one since then. So anyone who may have had initial difficulty registering with private domains fronted by Gmail or some other email anonymization service should no longer have any trouble and may do so. So again, I was a little overprotective initially. That's fixed. It's easier now. Several people have been worried that they haven't ever received a single piece of email from me. They're expecting the flow of weekly podcast announcements, so I wanted to assure everyone that so far I have never sent one. I'm still working to finish up the front end email registration bounce processing, which I expect to complete this week.
I always wondered about the practice of asking people to enter their email addresses twice. I understood that it was to catch typos, and when I designed GRC's e-commerce system back in 2003, that's what I had it do too, but I did that mostly because everyone at the time was doing it. Now I know why the email registration system I have does not do that, and it's somewhat surprising to see how many typos are present in email that cannot be delivered. It turns out that vom is not a valid top-level domain and that the V key is right next to the C key. The good news is that such typos only result in a brief stumble, since this is part of an immediate email confirmation loop, so anyone who doesn't receive a confirmation email returns to try again, and they will probably enter their email correctly, and maybe by typing it more carefully the second time, since I think that asking everyone only once because they receive immediate confirmation is more convenient for most people. I'm going to leave the system as it is. I'm not going to ask everybody to enter it twice. Failures from our email server and holding that information for someone's second attempt when they don't get the first email confirmation, and then come back and try again. There are a surprising number of mailbox unknown or mailbox over quota bounce backs that I would like to be able to present to someone when they retry using an address that just failed for that reason. So once that system is in place, I'll actually begin sending email and the system will be up and running.
Okay, so I got a kick out of this fictional dialogue with an AI, which was titled Ordering a Pizza in 2024. This was shared by a listener via Twitter. There's no indication of the dialogue's origin, but it's definitely worth sharing. So the caller? The caller says apparently in their phone is this Pizza Hut? No, sir, it's Google Pizza Caller. Oh, I must have dialed the wrong number. Sorry, no, sir, it's Google Pizza Caller. Oh, I must have dialed the wrong number. Sorry. No, sir, google bought Pizza Hut last month. Okay, I would like to order a pizza. Do you want your usual, sir, my usual. You know me.
According to our caller ID data sheet, the last 12 times you called, you ordered an extra-large pizza with three cheeses sausage, pepperoni, mushrooms and meatballs on a thick crust. Caller says super, that's what I'll have. Google, may I suggest that this time you order a pizza with ricotta, arugula, sun-dried tomatoes and olives on a whole wheat gluten-free thin crust. The caller says what I don't want? A vegetarian pizza. Google. Your cholesterol is not good, sir. How the hell do you know that? Well, we cross-referenced your home phone number with your medical records. We have the result of your blood tests for the last seven years with your medical records. We have the result of your blood tests for the last seven years. Okay, but I do not want your rotten vegetarian pizza.
I already take medication for my cholesterol. Excuse me, sir, but you've not taken your medication regularly. According to our database, you purchased only a box of 30 cholesterol tablets once at Lloyd's Pharmacy four months ago. The caller says I bought more from another pharmacy. That doesn't show on your credit card statement. I paid in cash, but you did not withdraw enough cash. According to your bank statement, I have other sources of cash. That doesn't show on your latest tax returns, unless you bought them using an undeclared income source, which, of course, is against the law.
The caller says what the heck? Google says I'm sorry, sir, we use such information only with the sole intention of helping you. The caller says enough already, I'm sick of Google, facebook, twitter, whatsapp and all the others. I'm going to an island without the Internet TV, where there's no phone service and no one to watch me or spy on me. Google says I understand, sir, but you need to renew your passport first. It expired six weeks ago, so anyway, yes, if Microsoft Recall does evolve into a semi-smart personal assistant, it better not start offering helpful advice, or maybe people will think about deleting it or using my forthcoming freeware app.
1:29:22 - Leo Laporte
We'll see End all recall. I keep trying.
1:29:27 - Steve Gibson
Nathan. Oh Leo, like I said, I'll just make sure you don't have a mouthful of coffee. Nathan Hartley tweeted I would love Windows Copilot on my work PC, though we have far more local admins who have access to everything that I'm comfortable with. I will wait a bit for my personal PC. Now, of course, Nathan is suggesting that in a corporate environment, having access to a comprehensive history of everything that has been done on a company machine might be useful, but he wonders what access to that information will also be available to local admins, and I think that's another very good point.
All indications are that, in their enthusiasm for this idea, which is understandable, Microsoft failed to give sufficient thought to just how transformative a change it would be for a machine's entire usage history to be captured and stored in detail. We know that enterprise machines are owned and operated by their companies who oversee them and their security, so how does recall fit into that environment? There do appear to be some questions still to be answered. Tom, who's? Tom Lawrence Tech. This was shared via a public tweet, so it appeared in my timeline because he referenced at SGGRC. He said I just had a great conversation with at DR the Nerd about Adam Network, PFSense and their Don't Talk to Strangers system. He said I'll be doing some testing, but for those who want to learn more right now, check out https slash slash adamnetworks and at sggrc, episode 946. And he provided a link. Now, of course, DR the Nerd that would be David Redikop, whom I first met when they were an early advertiser on this podcast, I think right from the get-go, Leo, yeah.
1:31:38 - Leo Laporte
Very early on they were the.
1:31:39 - Steve Gibson
Canada-based Nerds on Site guys at the time and, of course, as we know, david is now part of the team at Adam Networks and I discussed their work during episode 946 and noted that they have some very interesting and very mature perimeter security technology which is definitely worth looking at. Okay, listener John Liptack asks Steve, I've been caught up in Google domains, in the Google domains to Squarespace, dns migration and, due to Squarespace's terms of service, I want to move. However, due to the number of security issues with DNS, as well as your wonderful testing software, I've been unable to find the episode where you give your recommendation for a domain name provider. Can you remind me who you recommend? Thanks, john.
The name John is trying to recall is Hovercom. They are my absolute hands-down favorite domain name registrar absolute hands-down favorite domain name registrar. They were also a Twit sponsor, though that followed my switching to them away from Network Solutions, who was GRC's original registrar, with whom I registered the GRCcom domain back in December of 1991, which was a few months after the domain Microsoftcom was first registered. I could not be more pleased and happy to recommend Hover as the place for anyone to hang their domain. I mean, again, I know that, leo, you and I both have a ridiculous number of domains, just because each one seems inexpensive, and maybe we'll use it someday for something I can't even tell you, like the nonsense I have, oh me too, what the heck.
They're all there at hover. Steve in Tampa Florida sent me a note regarding the Token 2 keys that we've talked about a couple times, he said I just want to let you know that after hearing your mention of the Token 2 keys on the podcast, I ordered two of the T2F2 NFC dual keys. I received them today. I immediately downloaded the Windows app from their website and entered in a PIN. I then tried them with Bitwarden. After entering them in Bitwarden under WebAuthn, I was able to in other words, the pass keys. I was able to log in in every case USB-A, usb-c and NFC using either the web app or an Android phone. Of note is that to activate the key, you need to squeeze contacts together and not just touch the contacts. Regards Steve in Tampa Florida. So that's welcome feedback and I'm glad that those Token 2 keys were not a boondoggle. They really do look like solid solutions. The ones I've ordered were backordered and they've not shown up yet, but I'm not in a huge hurry Now.
Yesterday a listener, bob Grant, wrote through the new email system with some of the best on-the-ground feedback about the current state of Passkey's support that I've seen so far. What Bob had to share was of crucial importance because it clearly dispels the belief that all websites which support PassKeys support multiple PassKeys, thereby allowing multiple physical dongles to be used without restriction. That's not the case. So here's Bob's great reporting. He said Hi, steve, I've always enjoyed trying out the bleeding edge and I've been using Yuba keys for over a decade. So I recently replaced one of my Yuba keys with a Token 2 key from Switzerland to get its 100 passkey support. I then went about registering multiple Yuba keys and my new token 2 keys plus Bidwarden, at multiple sites. For instance, I have five Gmail accounts and two Microsoft accounts I wanted to use with the pass keys. I discovered a few indications that we have a ways to go before this is ready or easy for primetime.
For security purposes, all the hardware keys require aIN to unlock the key for each login to a site. This is as opposed to Bitwarden, which will do it for you while the vault is unlocked or, if locked, can use a biometric authentication which is pretty quick. Further, the hardware token operation requires an initial touch to bring up the PIN prompt, followed by another touch after the PIN to perform the authentication. The token two keys require the FIDO-recommended six-digit PIN, whereas Yuba keys allow for a more convenient four-digit PIN. As usual, security trumps convenience.
Next, I found that a bunch of sites do not follow the FIDO recommendations. Ebay, paypal and Lowe's only allow a single passkey to be registered. This, of course, means you have to use something like Bitwarden that can sync between devices rather than a single hardware key, which is a point of failure. Kayak, linkedin, adobe and Amazon do not allow naming the keys as you enroll them. Linkedin calls them Passkey 1, 2, 3, etc. Linkedin calls them passkey 1, 2, 3, etc. Amazon has the date but not the time the key was enrolled, so there's no way to differentiate unless you enroll on different days. The effect of this is that if you need to revoke a key that is lost, you don't know which enrolled key you should be deleted from the site. All other sites I used allowed naming at creation and some even allow later renaming of enrolled keys.
Most sites allow quite a few keys, but LinkedIn only allows five 5. Surprisingly, amazon AWS seems to only allow FIDO 1 style U2F mode keys, not FIDO 2 for pass key login. Many sites allow keys from one type of device, for example iOS or iPadOS, but not from another. Like Firefox on a desktop, chrome seems to have better support and I think MS Edge has good support, although I didn't test extensively. Chrome allows managing keys you know, token 2 or YubiKey from its settings, security menu within the browser, and so you can list, delete, edit etc.
This all suggests that it's still early days, but I still kind of prefer my Yuba key to my Token 2 key and I'm doubtful I'll get to 100 pass keys anytime soon. The Token 2 is fatter and more bulky and at least feels a little more vulnerable than the Yuba key and at least feels a little more vulnerable than the Yuba key. Also, at one point my T2 stopped responding and prompting for a PIN when I tried to log in, but I was able to use my Yuba keys without a problem. Once I rebooted my laptop the Token 2 key resumed responding. I don't know whether the auth infrastructure would blacklist a key, but I'm going to keep an eye on it. The auth infrastructure would blacklist a key, but I'm going to keep an eye on it. Now, for the record, my guess is that the Token 2 Windows app probably froze somehow and that that's what the reboot cured. And, of course, usb is always because it came along after Windows had already launched and a lot of it had been written. Usb has always been a little bit flaky, so anyway, he finishes. I'd like to see PayPal allow multiple keys so I could switch to using a hardware key for added security, but I'll need to use Bitwarden with PayPal until then.
It's disappointing to me that banks, investment houses and other high-value targets do not currently support passkeys at all. Value targets do not currently support pass keys at all. In fact, most are still using SMS text second factors rather than Google Auth or even the older U2F, which could use keys for multiple factor authentication. Hardware keys can also be used for SSH authentication for more security for your SSH sessions. Each one takes the same type of slot as a passkey and can also store the SSH key info, which allows it to move the public key from system to system. It's easy to see what an uphill battle Squirrel faced when, even given all the support behind FIDO2, its implementation remains spotty and uncertain. So wow, thank you very much, bob. That's some terrific feedback about the current state of passkey support, and all of this does suggest that today's optimal solution, driven by the fact that there are sites which will only accept a single passkey enrollment and you never know when you're going to hit. One would be to enroll one or more, where possible, hardware dongles only for the highest security sites, where that's what you want, but to then otherwise use a cross-platform password manager such as Bitwarden, a sponsor of the Twit network, and use that hardware dongle to in turn unlock Bitwarden if you want more than Bitwarden's biometric unlocking. In that fashion, any site's single passkey support won't present a problem, since Bitwarden is able to present that site's single passkey from any Bitwarden-supported device and now that its support for mobile devices is shipping, it's on all platforms everywhere.
A listener using his initials. Be surprised me. He wrote hi, steve. Thank you for the new email system, since I don't use any social media. Regarding code signing HSM, my friend and I are on top of the development of a hobby software used by only 15 to 20 people. We used to share the code without an HSM. Do you have any idea how we can still have the three developers able to sign the code? Thank you for all your work. Long-time listener and a Club Twit member.
Yay, thank you Okay, so this was news to me. In a follow-up note, be sent some links so that I didn't need to track them down myself and, sure enough, reading from the knowledge base maintained by my favorite certificate authority, digicert, under the title New Private Key Storage Requirement for Code Signing Certificates, they write starting on June 1st 2023, industry standards will require private keys for standard code signing certificates to be stored on hardware certified as FIPS 140 Level 2 Common Criteria, eal 4 Plus or equivalent, in other words, an HSM code signing certificate, private key protection. Wow, this is actually troubling reported. The enhanced trust that Microsoft was originally conveying to any code signed with the significantly more expensive EV certs, which have always required storage in an HSM, has been revoked, so that there is no longer any benefit to having an EV certificate for code signing. No one cares. But now the industry has moved to requiring all code signing to be performed inside and by a hardware dongle. It was already a problem that any code signing was becoming a requirement, which is what we've been seeing due to the increasing prevalence of malicious code. The problem is that many open source projects are hobby projects, like that of our listener, which would otherwise not need to be signed. So this general signing requirement was already imposing a burden on developers, but now the stakes are raised even higher, requiring the purchase among themselves for the purpose of defraying and amortizing its cost across multiple users. And it's not as if this is a one-time event, since certificates, are a part of the process, expire and require periodic renewal. The hardware won't need renewing, but an updated certificate will need to be installed. So what I expect will happen is it will start to begin seeing code signing surfers appearing, so that multiple members of a team, distributed physically, geographically, will still be able to share a single HSM dongle among themselves. And when that happens, I sure hope they get their security right, since there will be tremendous pressure from malware authors to also get their malicious software signed by those same code signing servers.
Now, as we know, I wrote such a thing myself as part of Spinrite 6.1's launch, since everyone's Spinrite download is unique and needs to be individually signed. Download is unique and needs to be individually signed, and I commented here a few months ago, when we learned that EV certs were losing their special treatment, that I had apparently wasted my time doing that because my next certificate would not be EV and would therefore not need to be contained within an HSM. It turns out my time was not wasted. After all, everyone who signs code will need to use an HSM to do so as soon as their current non-HSM code signing certificate expired. Wow, yet another tax put on the good guys by malware.
It's unfortunate, and again it is. There's certainly nothing prevents anyone from automating the code signing process, as I found due to Microsoft's pathetic documentation for doing this. For me it was a heavy lift, I got it working. Uh, for me it was a heavy lift, I got it working. It's been surprisingly, which is to say, utterly bulletproof, since I finally finished it.
But and I'm thankful for that, but boy, I'm sure somebody will will do it for linux and open source it, and then code signing servers will be something we start to see, and for what it's worth, be it is possible to rekey a certificate for installation in a second hardware dongle. So if you ended up purchasing two dongles, one for each location, you could still only purchase one certificate key. The process of installing it does not give you any control over it, and this is by design so that it can only get installed in a single device, that it can only get installed in a single device, but it can be immediately rekeyed and then installed into a second device, so at least you won't need to be doubling up on purchases if you have two sets of hardware. But boy, it's very clear. This is what the industry has done, and it's a tax on open source software, and I think it's really unfortunate. Leo.
1:49:49 - Leo Laporte
Yeah, I agree 100%. All right, I want to talk about codemicrosoftcom. I didn't know anything happened to it, but you're going to tell us all about it. I am. But we have one less sponsor break, right? Yes, we have one more. Let's take it now. Yes, we have one more.
1:50:04 - Steve Gibson
Let's take it now. Yes, I said one less. Yes, I kind of meant one left, one left, one left, yes, and a good one, we'll deal with that. And then, oh, baby, wait till you hear what happened.
1:50:16 - Leo Laporte
I am very interested. But first this portion of the show brought to you by Collide. I've talked about Collide with you before. You know that as the company that puts users first, that gets users to be part of your security team. Collide works with companies that use Okta for user authentication. It adds that extra step, the hardware and software authentication, to make sure that your known users are entering with known, secure devices. And maybe you heard me tell you that Collide was purchased by 1Password, kind of a you know a happy surprise. It's big news. Both companies really focus on leading the industry and creating security solutions that put users first.
Different areas passwords versus authentication but you know that's kind of related, aren't they? For over a year, collide Device Trust has helped companies with Okta ensure that only known and secured devices can access their data. They're still doing that. They're just doing it with one password. It's actually a match made in heaven, a real synergy.
If you've got Okta and you've been thinking I really ought to check out Collide and you ought to, this is the best time possible. There's no better time and, by the way, very easy to get up and running with Collide. I've heard people say, oh, is this going to be complicated. No, collide comes with a complete library of pre-built device posture checks all the stuff you know, you want. You know operating system up to date, browsers up-date, that kind of thing. And then it's very easy to write your own custom checks for stuff that's specific to your situation, pretty much anything you can think of. And here's a nice feature you can use Collide on devices without MDM, which means your entire Linux fleet, it means contractor devices and every single one of those BYOD devices, the phones and the laptops in your company. Now that collide is part of 1Password. It's just going to get better. So just to reassure you, this is great news. Check it out at collidecom slash security now to learn more and watch the demo today. That's K-O-L-I-D-E dot com slash security. Now right, what happened to codemicrosoftcom?
1:52:29 - Steve Gibson
so the page I ran across at microsoft and I don't recall how it came to my attention has the intriguing title examining the deception infrastructure in place behind codemicrosoftcom. In place behind codemicrosoftcom. Okay, the deception infrastructure, what? Well, it turns out that the reader is not left to wonder long since this piece starts out. Quote the domain name codemicrosoftcom has an interesting story behind it. Today it's not linked to anything, but that wasn't always true and, as a matter of fact, yesterday I did an NS lookup and the domain and there's no name resolution, so they completely disconnected it. He writes this is the story of one of my most successful honeypot instances and how it enabled Microsoft to collect varied threat intelligence against a broad range of actor groups targeting Microsoft. I'm writing this now, as we've decided to retire this capability Now. That's not the good part. The astonishing part is how this got started. So here's what he wrote CodeMicrosoftcom was an early domain used to host Visual Studio Code and some helpful documentation.
The domain was active until around 2021, when this documentation was moved to a new home was moved to a new home. After the move, the site behind the domain was an Azure App Service site that performed redirection, thus preventing existing links from being broken. Then, sometime around mid-2021, the existing Azure App Service instance was shut down, leaving codemicrosoftcom pointing to a service that no longer existed. This created a vulnerability. This situation is what's called a dangling subdomain, which refers to which, as far as I know, microsoft just made up. Never heard that before. A dangling subdomain, which refers to a subdomain that once pointed to a valid resource but now hangs in limbo Again. Never, limbo is not a term that's something you normally do where you have to just like lean over backwards and get underneath a horizontal bar. I don't know, you know limbo. Okay. So he says imagine a subdomain like blogsubdomaincom that's used to handle a blog application. When the underlying service is deleted the blog engine you might update your page link and assume the service has been retired. However, there is still a subdomain pointing to the blog. What? This is now dangling and cannot be resolved.
Okay, he says a malicious actor can discover the dangling subdomain, except, no, it dangling subdomain, except, no, it's a subdomain of your own domain. So a malicious actor, what do you mean? They can discover it. Anyway, he says, a malicious. This is what he said. A malicious actor can discover the dangling subdomain provision, a cloud Azure resource with the same name and now visiting blogsumdomaincom will redirect to the attacker's resource. What he says now they control the content.
He says this happened in 2021, when the domain was temporarily used to host a malware command and control service. Thanks to multiple reports from our great community, this was quickly spotted and taken down before it could be used. As a response to this, microsoft now has more robust tools in place to catch similar threats. Okay so, first of all, let me just say holy crap and I hope that no one listening to this while driving just lost control of their vehicle, because this is nothing short of insane that that could happen. I'm not trained up on Azure and on how or why it might be possible for a so-called dangling subdomain of Microsoftcom to be casually commandeered by someone not Microsoft by giving their own Azure cloud instance the same name as an unassigned Microsoft subdomain. All I can surmise is that there must be some serious architectural design problems over in Microsoft land for that to ever have been possible. That's just nuts. But in any event, this author continues by posting the rhetorical question how did it become a honeypot, he says.
Today, it's relatively routine for MSTIC to take control of an attacker-controlled resource and repurpose these for threat intelligence collection. Right, like you know, they'll take over some domain that was an existing command and control server and run it in order to, you know, gain intelligence. He wrote. Taking control of a malware command and control environment, for example, enables us to potentially discover new infected nodes. Right, in other words, because the infected machines will be phoning home to the mothership for instructions. So, he says, at the time of the dangling code, you know codemicrosoftcom subdomain, he says this process was relatively new. We wanted a good test case to show the value of taking over resources versus taking them down. So, instead of removing the dangling subdomain, we pointed it instead to a node in our existing vast honeypot sensor network. He says and just for anyone who doesn't know, but everyone does a honeypot is a decoy system designed to attract and monitor malicious activity.
Honeypots can be used to collect information about the attackers, their tools, their techniques and their intentions. Honeypots can also be used to divert the attackers from the real targets to consume and waste their time and resources. Microsoft's Honeypot Sensor Network has been in development since 2018. It's used to collect information on emerging threats to both our and our customers' environments. The data we collect helps us be better informed when a new vulnerability is disclosed and gives us retrospective information on how, when and where exploits are developed. This data becomes enriched with other tools Microsoft has available, turning it from a source of raw threat data into threat intelligence. This is then incorporated into a variety of our security products. Customers can also get access to this via Sentinel's emerging threat feed. The honeypot itself is a custom-designed framework written in C-sharp. It enables security researchers to quickly deploy anything from a single HTTP exploit handler in one or two lines of code all the way up to complex protocols like SSH and VNC. For even more complex protocols, we can hand off incoming connections to real systems when we detect exploit traffic and revert these shortly after.
It is our mission to deny threat actors access to resources or enable them to use our infrastructure to create further victims. That's why, in almost all scenarios, the attacker is playing in a high-interaction simulated environment. No code is run. Everything is a trick or deception designed to get them to reveal their intentions. Substantial engineering has gone into our simulation framework. Today, get this over 300 pseudo vulnerabilities can be triggered through the same exploit proof of concepts available in places like GitHub and ExploitDB. Threat actors can communicate with over 30 different protocols and can even log in and deploy scripts and execute payloads that look like they're operating on a real system. There is no real system and almost everything is being simulated. Okay, so wow, let me just say props where it's due and it's definitely due here. That is some seriously cool technology. Any of more than 300 known vulnerabilities on a machine while retaining the control that the actual exploitation of the vulnerability was designed to bypass. So it looks like a duck and it quacks like a duck, but it ain't no duck. Very, very cool tech, so he continues. Very, very cool tech, so he continues.
It's impossible that in standing up a honeypot on an important domain like Microsoftcom, it wasn't possible for attackers to use this as an environment to perform other web attacks, attacks that might rely on same origin trust, meaning they had to make sure that bad guys could not originate their attacks from inside Microsoftcom, because that's where codemicrosoftcom was. You can imagine that everybody knows what Microsoftcom networks are and it would not be a stretch to imagine that there are some enterprises that have whitelisted Microsoft networks. After having to put lots of individual whitelist IPs, some guy just said oh, forget it, let's just whitelist the whole. You know slash 16 or you know whatever Microsoft has. So he said so again, origin of trust. They could not allow the origin to be Microsoftcom. So he said, to mitigate this further, we added the sandbox policy to the pages which prevents these kinds of attacks. So he writes.
We incorporate this data into our security products to enable them to be aware of the latest threats. In recent years, this capability has been crucial to understanding the zero-day and end-day ecosystem. During the log for shell incident, we were able to use our sensor network to track each iteration of the underlying vulnerability and associated proof of concept all the way back to GitHub. This helped us understand the groups involved in productionizing the exploit and where it was being targeted. Our data enables internal teams to be much better prepared to remediate and provides the analysis for detection authors to improve products like Microsoft Defender for endpoint in real time that's MDE. The team developing this capability also works closely with the MSRC, who track our own security issues. When the Exchange proxy logon vulnerability was announced, we had already written a full exploit handler in our environment to track and understand not just the exploit but the groups deploying it. This kind of situational awareness enables us to give clearer advice to the industry better protect our customers and integrate new threats we are seeing into Windows Defender and MDE the domain.
Codemicrosoftcom was often critical to the success of this, as well as a useful early warning system when new vulnerabilities have been announced. Threat actors can often be too consumed with trying to use the vulnerability as quickly as possible than checking for deception infrastructure like a honeypot. As a result, codemicrosoftcom often saw exploits first. Many of these exploits were attributed to threat actors MSTIC already tracks. Okay, so it is very interesting that the announcement of a new vulnerability immediately triggers a mass frenzy. We've talked about this effect before, right, as attackers who are literally everywhere scurry to take advantage of it before machines are patched.
Okay, so the author continues. What happened next? He says the code subdomain had been known to bug bounty researchers for several years, so whenever they would receive a report from someone who believed that they had discovered a critical vulnerability for this domain, these would be closed to let them know they had found a honeypot. We've asked these security professionals to refrain from publishing details of this service in an effort to protect the value we received from it. We've also understood for a while that this subdomain would eventually need to be retired once its existence had become too well known to be of value. That time finally arrived. On April 25th, a sudden uptick in traffic to the subdomain and posts on Twitter revealed that the domain was being investigated by broad groups of individuals. Since this discovery meant that the secret was out and the subdomain had lost its value, we decided to fully reveal the truth and retire the system. I have a chart in the show notes that shows this, where they're basically ticking along at almost nothing and then, over the course of a couple days, the traffic just explodes.
He said the timeline gives an order of events. From our perspective, it's unknown exactly how the full exploit URL of our server ended up in Google search database, but it looks like this and the associated discovery on Twitter slash X culminated in almost 80,000 80,000 we chat exploits in a three-hour period. It's unlikely that Google Crawler would have naturally found the URL. Our current theory is that a security researcher this URL and submitted it for indexing. Ok, so in other words, it's very difficult to keep anything a secret on the Internet. It's easy to imagine that Google would have set up Chrome to feed URLs back to them for bot crawling indexing. That way, users of Chrome are unwittingly providing Google with links to index as a means for assuring that Google bots are able to discover everything, even things that are not pointed to by anybody else, as in this case. In this case, they somehow discovered a secret that Microsoft had been trying to keep quiet for several years.
The timeline showed that in March, the WeChat exploit appeared in Google search results for the first time. On April 15th, a redacted screenshot of an exploit mitigation was posted online and some debate followed as to whether the domain was for the codemicrosoftcom subdomain. Six days later, on the 21st of April, google Trends showed that many people were now searching for the code domains. Three days after that, on the 24th, they start noticing a significant uptick in traffic to the subdomain and finally, on the 26th, they are hit with 126,000 times more requests than average they write. By the 26th of April, we were handling 160,000 requests per day, up from the usual between 5 and 100. Most of these requests were to a single endpoint handling a vulnerability in the WeChat broadcast plugin for WordPress, that's CVE-2018-16283.
This enabled anyone to run a command from a parameter in the URL. Looking at these URLs, we found 11,000 different commands being attempted. Most of these pushed a message by some group or another, stating that the site had been hacked by them. So just ego. This was a simulation, so nothing happened.
Removing these messages gave a clearer picture of the kinds of commands people were entering. Most commands entered were Linux recon commands. These attempted to find out what the system was, what files it contained and, more broadly, what value it was to Microsoft. The next biggest group were running command. These ranged from basics Linux commands like who Am I, but a few enterprising folks went on to run scripts of various languages. Most people who interacted didn't get further than the WeChat exploit. Over the three busiest days, 63 different exploits in total were triggered.
The biggest surprise was that most researchers stuck to HTTP. Only three groups probed the other ports and even fewer logged into the many other services that were available. Some of the best investigation came from a Twitter handle. At simply lurking to on Twitter, slash X, who, after discovering that the system was a honeypot, continue to analyze what we had in place and constructed, first constructing a Rick roll and then a URL that, when visited, would display a message to right click and save a payload. With so much information now publicly available, the value of this subdomain was diminished On April 26th, we replaced the site with a 404 message and are working on retiring the subdomain completely.
However, our ongoing data collection efforts are undiminished. Microsoft runs many of these collection services across multiple data centers. Our concept has been proven and we have rolled out similar capabilities at higher scales in many other locations worldwide. These continue to give us a detailed picture of emerging threats. These continue to give us a detailed picture of emerging threats. So that's the story of the rise and fall of a honeypot which Microsoft inadvertently created but then managed to put to great use and advantage for several good years before its identity finally leaked and was made public, thus rendering it useless. We've also seen how the tip of the iceberg for a honeypot is that it can detect that something is wrong on the network. That's generally sufficient for most purposes, but, as we see, this can also be taken far beyond simple detection with a sufficiently advanced vulnerability simulator to reveal exactly what bad guys will do when they're given more rope to hang themselves. I love it.
2:15:21 - Leo Laporte
Wow, I used to go to codemicrosoftcom all the time to download vs code. I had no idea that they had abandoned it. That is a wild story, wow, yeah and leo.
2:15:34 - Steve Gibson
Again the idea that, like not having something responding to codemicrosoftcom, which used to be hosted by Azure, allowed somebody else to register that. Again, I hope that somebody's looking at this architecture because something is broken, if that's possible.
2:16:00 - Leo Laporte
You shouldn't be able to create a subdomain if the domain is owned by somebody else. That doesn't make any sense. I know I know it's insane. Is it still that way? I mean, should I worry about twittv people getting subdomains on our own? Are you on Azure?
2:16:18 - Steve Gibson
No.
2:16:18 - Leo Laporte
I'm not. What a relief.
2:16:23 - Steve Gibson
No, I mean no one's ever heard of this it's just nuts. It's crazy. So codemicrosoftcom must have pointed to an IP in Azure and something is rotten in Denmark. I've got nothing against Denmark, but like shouldn't you blame the registrar I mean, isn't that?
2:16:47 - Leo Laporte
or the dns resolver, isn't that?
2:16:49 - Steve Gibson
no, no, it's somebody who somehow created their own azure instance and because it was named codemicrosoftcom the name, somehow it glued itself to that subdomain, which they called called dangling, a dangling subdomain. No one's ever heard of a dangling subdomain. Subdomains don't dangle. They made that up.
2:17:13 - Leo Laporte
What a story. Well, at least they got some good out of it, right? I think that's yeah it did.
2:17:19 - Steve Gibson
They turned it around, and the fact that it was in Microsoft and they have some seriously cool tech I mean again what I think must be the case. As I was reading this to our listeners, I was thinking why don't we get the sense in general that Microsoft is this good? I mean, there are parts of Microsoft that are really good. They're smart people. There are parts of Microsoft that are really good. They're smart people. They're buried so deeply down in the infrastructure that you just talk to morons on the surface.
2:17:53 - Leo Laporte
Well, I don't even think it's that. I think it's just so complex that things fall through the cracks.
2:17:59 - Steve Gibson
So David Redikop was in there. Oh Leo, just go to answersmicrosoftcom and you will swim in moron. The most moronic nonsense you have ever seen.
2:18:09 - Leo Laporte
The intern did it. Oh my God, it's the intern's fault. David Redikop, who we were just talking about, is in our Discord. I guess you're a club member. Thank you, david. He said Azure is the authoritative DNS for an Azure tenant. And there's your problem, right there. Right, they've decided we don't need no stinking DNS servers. We'll do it. We'll resolve the domain. We can do that. Steve, you've always been full of fascinating stuff. Today it was no exception. Another great episode of Security Now In the vault 978. Done 22 to go. We can begin a new era. It's 1,000, episode 1,000.
Yay, you'll find Steve at GRCcom. You can email him there, securitynowatgrccom. But do go through the hoops. If you go to GRCcom, click the mail link and you can register your domain so that you can send him email. He also has, of course, spinrite, the world's finest mass storage, performance enhancer, recovery utility, maintenance utility. If you have mass storage you need Spinrite. 6.1 is current and it's there and it's brand new. Get yourself a copy or upgrade if you're already an owner.
Steve also, of course, has copies of the podcast there. Security Now he has the normal 64-kilobit audio, but he also has a 16-kilobit audio version that's for the bandwidth impaired, plus transcripts the smallest version of all, carefully handcrafted by an actual human being no AI here. Elaine Ferris is a natural intelligence. That's all at GRCcom. We have copies at our website of the 64 kilobit audio. Our unique version is the video. Yes, you can see Steve's smiling face. Go to twittv slash sn. You can also. There's a YouTube channel dedicated to the video and you can also subscribe to your favorite podcast player. That way you'll get it automatically as soon as we're done of a Tuesday that's when we record this right after MacBreak Weekly, tuesday afternoons around about 1.m Pacific, 4.30 Eastern, 20.30 UTC. The show is streamed live as we produce it at YouTube, youtubecom, slash twit slash live, so you can watch it there. Steve will be back next week with another thrilling, gripping edition of Security. Now See you then, steve Roger. That Bye.