Security Now 980 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. Lots to talk about. The Commerce Department in the United States bans the Kaspersky antivirus. Steve talks about why, and whether it's a legitimate problem. We hear from a security researcher who is having trouble getting into the United States. Maybe you could help. And then we'll find out why every once in a while it's a good idea to have a bad password generator. All that and more coming up next on Security Now. Podcasts you love.
0:00:32 - Steve Gibson
From people you trust.
0:00:34 - Leo Laporte
This is TWiT. This is Security Now with Steve Gibson, Episode 980, recorded Tuesday, June 25th, 2024: The Mixed Blessing of a Lousy PRNG. It's time for Security Now. Yeah, the show you wait all week for. Let's just make that your tagline. We wait all week for Tuesday. If it's Tuesday, it must be Stephen Gibson Day.
0:01:06 - Steve Gibson
Hello, Steve Gibson, my friend. It's great to be back with you as we close out the first half of the year, and I have to say it was a little poignant. Well, not poignant. It was very clear to me that we are closing in on episode 1000, crossing the infamous 999, when I wrote 980. Wow, I know, we're getting there, holy moly. Yes. Okay, so I just have to say, and I assume you haven't seen it yet because you haven't fallen off your ball, that we have one of my favorite pictures of the week in a long time. So that's coming up, but I think, a great episode, one with some interesting lessons: the mixed blessing of a lousy PRNG. And I realized when I was using, you know, PRNG, that some of our listeners might wonder what a PRNG is. Of course we know that's a pseudorandom number generator.
0:02:11 - Leo Laporte
Do you think Pringles were named after pseudorandom? No, probably not.
0:02:15 - Steve Gibson
That's it exactly. This is the audience they were targeted at, because we all sit around eating Pringles. Yes, but we're going to answer some questions, as we always do, before we get to our main topic, which is: how long did it take for Windows' recent horrific Wi-Fi flaw to become weaponized? Oh, and, oh boy, is there a new twist on this Wi-Fi flaw too? What are the implications of the US Commerce Department's total ban on Kaspersky, which will be coming into effect
0:02:51 - Leo Laporte
in a few months. Wow.
0:02:53 - Steve Gibson
Yeah, how is the Kremlin reacting to that? And who cares? But still, why would an EU privacy watchdog file a complaint against Google over their Privacy Sandbox, which is all about privacy, as the name suggests? When is an email tracking bug not a tracking bug? What can this podcast do to help a well-known security researcher present his work at DEF CON and Black Hat this summer? What's another near certainty for Microsoft's actual plan for Recall? This is something else that occurred to me that I think everyone's going to go, oh, of course, like the first time I had that thought a couple of weeks ago. And what two mistakes, maybe not only two, but at least these two, have I been making on this podcast? And finally, why might a really bad password generator wind up being a good thing, a mixed blessing, as it were?
0:04:01 - Leo Laporte
Yeah, I'm trying to think of why it could ever be a good thing as it were.
0:04:08 - Steve Gibson
Yeah, I'm trying to think of why it could ever be a good thing and, more importantly, what lessons do we learn about cryptography overall from from that? So yeah I think, leo, we may actually have a good podcast.
0:04:18 - Leo Laporte
Finally, well, after 980 attempts, I think it's good. I think we got the hang of it and this might be.
0:04:26 - Steve Gibson
This might be something where people come, come away thinking you know, that was okay they're doing all right, these kids.
0:04:32 - Leo Laporte
Yeah well, let me tell you, before we go much further, about our first sponsor of the show, and then we can get into.
0:04:38 - Steve Gibson
I do have a penguin in my face, I should note I'm sorry, that's rude, how rude.
0:04:45 - Leo Laporte
How rude. I put a Linux penguin in your face. That's sorry, you shouldn't go there you go right here. Let me put him kind of off to the side, but just a little reminder that if you're using Windows. You don't have to.
0:05:01 - Steve Gibson
We should all actually be using... That's right. I found out what that was. The thought that Windows may cement that further.
0:05:09 - Leo Laporte
Oh boy, I found out what that was. Remember before the show Windows kept saying restart, restart, restart? Yeah, yeah. And then I was getting a UAC from 8-bit Solutions. Turns out that's the Azure provider that Bitwarden uses. So that was Bitwarden asking me to update itself, basically.
0:05:28 - Steve Gibson
Oh interesting.
0:05:29 - Leo Laporte
But you know I have to say from a security standpoint you don't want to see another name show up when you're reinstalling something. That means you have to go out and look it up and figure out why it wants to do that.
0:05:42 - Steve Gibson
Well, and Leo, why is it only 8 bits? I would think, what is this, from the 80s? Eight-bit
0:05:48 - Leo Laporte
Solutions, what, you wouldn't see it on a platform, on a 6502 or something? That's very odd. Yeah, that's a good point. I don't know. Well, anyway, now I'm going to install it because, you know, 128-bit Solutions, I'd be inclined to trust it more. More bits is better.
0:06:04 - Steve Gibson
Is it always better? That's right, baby. If we learned anything in crypto, it's the more bits you got, the better.
0:06:10 - Leo Laporte
That's what... what did you call that? Padding of some kind, right? I can't remember, you had a good name for it. Password... Perfect Paper Passwords, haystacks, or something, right? Was it haystacks?
0:06:26 - Steve Gibson
Well, the haystacks is an interesting idea, but that's different than that's a different.
0:06:28 - Leo Laporte
Okay, anyway, enough of that, enough folderol. Let's talk about our sponsor, DeleteMe, and I know a lot about DeleteMe because we use it. We started using it when a malicious... oh, I'm gonna call him a bad guy, decided to pose as my wife, the CEO of the company, and send a text message to all our direct reports saying, I'm in a meeting right now, I need you to immediately buy $1,000 worth of Amazon gift cards and send them to this address. Now, our employees are a little smarter than that. But what really chilled me was not only did they know Lisa's name and the company and her phone number so they could impersonate it, they knew her direct reports, they knew their phone numbers, and that was scary.
DeleteMe: delete your personal information off the internet. And who is the number one problem here? Data brokers. And until they make a comprehensive privacy law in the US, which they still haven't, those data brokers are legal and run wild. If you've ever searched for your name online, you know how chilling this is. Almost all your personal information is right there for anybody to see, and it's not just you. If you're a business, it's your company. If you're a father or mother of a family, it's your family, right?
DeleteMe helps reduce risk from identity theft, cybersecurity threats, harassment and more. Where do they get that information? Data brokers. DeleteMe. Now, once you sign up for DeleteMe, their experts will find and remove your information from the data brokers. And if you're doing the family plan, you can assign a unique data sheet to each family member, tailored to them, with easy-to-use controls. Account owners can manage privacy settings for the whole family.
And here's... this is really important. After they do the first initial delete, they will continue to scan and remove your information regularly. I'm talking addresses, photos, emails, relatives, phone numbers, social media, property value. You name it, it's out there and it's available to the highest bidder. You don't even have to be the highest bidder. They sell it cheap. Protect yourself, reclaim your privacy. Visit joindeleteme.com/twit. That's what we use. The offer code is TWIT. You're going to get 20% off when you do that. joindeleteme.com/twit, promo code TWIT, for 20% off. All right, I am prepared to show you the picture of the week as soon as you say so. It is a fave. I haven't looked at it yet. You know, it's one...
It's just quick, visual, simple fun. Okay, do you want me to show it and then you describe it? Is that how you want to? I'd really... well, okay, yes, that would be good. All right, so I have to figure out how to show it first. There, there it is. You know, it's funny. My thing is moving around all the time and I don't... sometimes my... Now it's this laptop, so it's just going to take me a second. Why don't you set it up anyway?
0:09:44 - Steve Gibson
Okay, so anyway, the picture. And I should note, Leo, that 4,330 subscribers to the Security Now mailing list received this three hours ago.
0:09:49 - Leo Laporte
Oh, so they're already up on it. They know all about it.
0:09:54 - Steve Gibson
Yeah, and the email contained a thumbnail which a bunch of them clicked in order to see the full-size image. So, anyway, I gave this the title. Correlation is Not Causation.
0:10:07 - Leo Laporte
That's a very important concept that people need to understand. It absolutely is.
0:10:12 - Steve Gibson
Yes, and we have a cute little... I'm not sure what he is, kind of a dog, but a small dog that's been leashed to a... Isn't it wonderful? He wants to get away badly.
He's looking at his master saying, hey, what about me? Why am I stuck here? So he's tied up to this... what would you call that? A bollard? A bollard, yes. However, something in the past has whacked this bollard off to the right, so that it's a leaning bollard, and if you didn't know better, you'd think that this was Mighty Dog, and that in trying to join his owner, he had, you know, tugged at this thing and yanked it almost out of the pavement. Anyway, I would commend our listeners to go find today's picture of the week, because it's a goodie, a lot of fun, and thank you to whomever it was who sent it to me. Okay.
So last week we opened with the news that the previous week's monthly Windows patch fest had quietly closed a remarkably worrisome flaw that had apparently been sitting undiscovered in every Windows native Wi-Fi network stack since the last time Microsoft poked at it, and there's been no definitive statement about this, because it appears that even Microsoft is quite freaked out by this one. A listener of ours, Stephen CW, sent a relevant question. He said: Hi, Steve, long-time listener. Our corporate IT group vets Windows patches, thus delaying them. In the meantime, does turning off the Wi-Fi adapter prevent the attack you described? Okay, now, given the havoc that past mistakes in Windows updates have caused for corporate IT especially (remember a couple years ago when Microsoft kept wiping out all printing capability enterprise-wide? You know, about like once a month they would do that), I suspect that many organizations may have adopted a wait-and-test approach to avoid subjecting their users to such mistakes, and it's typically the case that, even though 50 to more than 100 flaws may be fixed in any given month, nothing is really happening that's highly time-sensitive. But that's not the case with this month's revelations.
What I saw and mentioned last week on GitHub did not make any sense to me, since it appeared to be too high level. Remember, I mentioned in passing that there was already an exploit on GitHub. Well, since then, someone else appears to have found a way to overflow the oversized 512-byte buffer which the Windows Wi-Fi driver provides for SSIDs. But that's not this problem. He wrote, thinking that this was the critical CVE-2024-30078. He initially wrote: CVE-2024-30078 describes a vulnerability in the way Windows handles SSIDs (you know, service set identifiers) in Wi-Fi networks. Windows has a buffer for SSIDs up to 512 bytes long, which exceeds the Wi-Fi standard. By sending chunked frames to increase the SSID size beyond 512 bytes, a buffer overflow can be triggered. He says this exploit leverages this vulnerability to cause a buffer overflow by creating and sending Wi-Fi beacon frames with oversized SSID fields. Okay, so that's a problem.
But then he realized that he had found a different flaw from what Microsoft patched. So in an update he subsequently added, he said: Info, this repo does not seem to be hitting the same bug as in the stated CVE. New information has come to my attention thanks to Farm Poet. The CVE-2024-30078 vulnerability is in the function Dot11Translate80211ToEthernetNdisPacket (and I should say that, absolutely, based on that function name, that makes total sense) of the native Wi-Fi Windows driver, nwifi.sys, where a very specific frame needs to be constructed to get to the vulnerable code path which, as he said, his current code does not. So he said: I'm working on it. I've identified the changes in the patched function and I'm now working on reversing to construct the relevant frame required to gain code flow into this segment. Okay, so we have this guy publicly working on a public exploit for this very worrisome flaw, and we're about to see why it turns out this is a lot worse than it first seemed.
Meanwhile, it may be that anyone who has a spare $5,000 may be able to purchase a working exploit without waiting for a freebie on GitHub. The online publication Daily Dark Web (believe it or not, there is such a thing) writes: A threat actor has announced the sale of an exploit for CVE-2024-30078, a remote code execution vulnerability in the Wi-Fi driver affecting all Windows Vista and later devices. In their announcement, the threat actor details that the exploit allows for remote code execution over Wi-Fi (get a load of this, though) leveraging compromised access points or saved Wi-Fi networks. I'll get more to that in a second. The exploit reportedly works by infecting a victim through Wi-Fi router-based malware or simply by having the victim's device be within range of a Wi-Fi network they've previously connected to. The exploit code is offered for sale at $5,000 US, with the price being negotiable. The seller also offers to develop custom solutions tailored to the buyer's needs. Anastasia, the new owner of the forum, is listed as the escrow for this transaction. Interested parties are instructed to post... patched files. The change that Microsoft made to repair the original driver's defect can be readily found. This is what the guy on GitHub is already doing. But the really interesting attack vector that had not occurred to me when we first talked about this last week, but obviously has occurred to the author of this $5,000 for-sale exploit, is the idea of infecting vulnerable consumer routers or corporate wireless access points, which might well be, you know, half the world's circumference away. In other words, if a vulnerable Wi-Fi router is available anywhere in the world, it could be infected with knowledge of this critical Windows flaw so that any unpatched Windows Wi-Fi laptop within range of that router could be compromised, and that would be a very remote attack. It's clear that the only reason Microsoft was able to get away with labeling this flaw as only being important, with a CVSS of 8.8, instead of critical, with a CVSS of 9.8, or maybe even 10, is that it required a nearby attacker. At least, that was the theory, but in reality all it requires is a nearby hostile radio, and thanks to the historical vulnerability of consumer and enterprise routers, that's not a high bar.
The observation here is that a maliciously infected router may not be able to attack the machines connected to it by wire, because there are no known exploitable vulnerabilities in their wired Ethernet network stacks, but that same router may now be able to successfully attack those same or other machines within its wireless reach, thanks to the known presence of a, by Microsoft's own assessment, readily exploitable, low-complexity, highly reliable, likely-to-succeed flaw that exists in any Windows machine since Vista which has not yet received the patch that first appeared only two weeks ago.
So to answer Stephen CW's question about whether turning off, you know, disabling the Wi-Fi on a machine would protect it, the answer has to be yes, from everything we know, although I have to say I looked around and, as I said, Microsoft is oddly mute on this whole thing. Normally you would expect them to say mitigation: disable Wi-Fi. But maybe they presume so many people are using Wi-Fi that you can't really call it a mitigation if, like, taking the machine off the network is what it takes to mitigate the problem. So they're not suggesting that. But yes, everything we know informs us that turning off Windows Wi-Fi adapters will completely protect any unpatched machine from the exploitation of this vulnerability.
0:21:01 - Leo Laporte
Yeah, but you could also remove the machine from the internet entirely, air gap it, and that would be good too, I mean. Or, Leo, I had something.
0:21:14 - Steve Gibson
It just hit me: turn it off. Yeah, that'll fix it. What a concept. That's right.
Pull the plug, shut it down. Anyway, I wanted to conclude this week's follow-up on this CVE by making sure everyone understands that the addition of this remote router extension to this vulnerability really does change the game, for it... of thousands of routers have already been, and are, taken over and are being used for a multitude of nefarious purposes: launching DDoS attacks, forwarding spam email, as proxies to probe the internet for other known weaknesses, and on and on. So the bad guys are going to realize that by updating the malware that's already within their compromised router fleets, they'll be able to start attacking and hijacking any Windows machines that have not yet been updated, that have their wireless turned on, and, for whatever reason, history tells us that there will be many such machines. Updating seems to be a slow process and, for example, Stephen CW acknowledged that his corporate IT people, they're waiting now, because there's been too much history of updates destroying corporate IT functioning, so they're taking a cautious process. Anyway, it's going to be interesting to see how long it takes bad guys to leverage the idea of pushing this flaw out to the routers and seeing if they can remotely grab wireless machines.
I'll share this piece of news, this next piece, and interject some of my thoughts along the way. And, Leo, I know you reacted a little bit as I did, and I'm of two minds, so it creates for some interesting dialogue. Last Thursday, Kim Zetter, writing for Zero Day, posted the news. The US government, which did it on the same day, has expanded its ban on Kaspersky software in a new move aimed at getting consumers and critical infrastructure to stop using the Russian company's software products, citing, of course, national security concerns. The ban, using new powers granted to the US Commerce Department, would prohibit the sale of Kaspersky software anywhere in the US and would also prevent the company from distributing software security updates or malware signature updates to customers in the US. In other words, they're being cut off. Signatures, they explain, or Kim explains, are the part of the antivirus software that detect malicious threats. Antivirus vendors push new signatures to customer machines, often on a daily basis, to keep their customers protected from new malware and threats as the vendors discover them. Without the ability to update the signatures of customers in the US, the ability of Kaspersky software to detect threats on those systems will significantly degrade over time. The US Commerce Department announced the ban on Thursday after what it said was an "extremely thorough investigation" but did not elaborate on the nature of the investigation or what it may have uncovered, if anything.
US Secretary of Commerce Gina Raimondo told reporters in a phone call: "Given the Russian government's continued offensive cyber capabilities and capacities to influence Kaspersky's operations, we have to take the significant measure of a full prohibition if we're going to protect Americans and their personal data." Russia, she said, has shown it has the capacity and, even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that's why we're compelled to take the action we're taking today. Wow, okay. So in other words, we don't like their zip code, so we're going to deny a company against whom we have no actionable evidence of wrongdoing all access to the American market because, being a Russian company, they could be forced to act against us. And, as I said, I'd say that I'm evenly divided on this. Through the years, we've covered countless instances where Kaspersky has been hugely beneficial to Western software and to Internet security globally. Thanks to their work for the past many years, the world is a safer place than it would otherwise be. So to say, we don't like where you live, so we cannot trust you, is a bit brutal, but at the same time it is also understandable, because, being in Russia, it's possible that their actions may not always reflect their values, and it's not as if operating within a state where we democratically elect our representatives is all that much different. Right? After all, in the US we have warrant canaries. A warrant canary is a method by which a communications service provider aims to implicitly inform its users that the provider has been served with a government subpoena, despite legal prohibitions on revealing the existence of the subpoena.
The warrant canary typically informs users that there has not been a court-issued subpoena as of a particular date. If the canary is not updated for the period specified by the host, or if the warning is removed, users might assume the host has been served with such a subpoena. The intention is for a provider to passively warn users of the existence of a subpoena, albeit violating the spirit of a court order not to do so, while not violating the words. In the US, our courts are able to say, we demand that you turn over information within a certain scope and, by the way, you're legally forbidden from disclosing that we've asked and that you have complied. So it's not my intent to pass moral judgment here. I'm just saying that what we see is, unfortunately... you know, all nation states will act to protect their interests, and their client citizens have little choice other than... so.
Kim's piece continues to provide specifics. One senior Commerce official said on background: In terms of specific instances of the Russian government using Kaspersky software to spy, we generally know that the Russian government uses whatever resources are available to perpetrate various malicious cyber activities. We do not name any particular actions in this final determination. And that's right, because these days, as we know, belief is all that's needed. Kim writes: ...effect on July 20th. Sellers and resellers who violate the ban could be subject to fines from the Commerce Department and potentially criminal action. In addition to the ban, the Commerce Department also put three Kaspersky entities on its trade restrictions and entities list, which would prohibit US-based suppliers from selling to Kaspersky, though it's unclear if Kaspersky currently has US suppliers. A Kaspersky spokesman, in a statement to Zero Day, accused the Commerce Department of making its decision "based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation." Right.
0:31:00 - Leo Laporte
I mean, I feel bad for Eugene Kaspersky. Everybody loves him. Yes, but why not? I mean, we don't have to have it, right? Right, they banned Huawei phones.
0:31:10 - Steve Gibson
I mean, right, I mean, this is what we're beginning to see happen, right? It's too bad. Happen right as we choose sides and we, you know, pull the drawbridges up of global commerce that used to interconnect everyone. So, anyway, they apparently think they have some legal standing. This spokesperson said we will continue to defend ourselves against actions. That's our reputation and commercial interests.
So okay, now as a little bit of background, the Department of Homeland Security had previously issued a directive in 2017 banning federal government agencies and departments (not consumers and, like, everybody, now, which is what is about to happen; so this was in 2017, just federal government agencies and departments) from installing Kaspersky software on their systems. DHS had also not cited any specific justification for its ban at the time, but media reports citing anonymous government officials back then cited two incidents, and we talked about them on the podcast. According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer. Yeah, we reported this story.
0:32:39 - Leo Laporte
Remember, remember this. Yes, yes, this was those NSA tools.
0:32:44 - Steve Gibson
Right. He was developing these NSA tools, and the Kaspersky software detected the source code as malicious and extracted it from the computer. As AV software often does, they quarantined it.
0:32:59 - Leo Laporte
Yeah.
0:32:59 - Steve Gibson
Well, they'd actually sent it to Kaspersky.
0:33:02 - Leo Laporte
And that's what all antiviruses do they quarantine it and send it in.
0:33:06 - Steve Gibson
Exactly. To the home office, which in this case was in Moscow. That was the EternalBlue leak.
Yes. So a second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing US secrets. So okay, you could install Kaspersky, as you can many other tools. You know, Mark Russinovich's PsExec is a favorite tool for bad guys to use, but you know its intention is benign. So Kaspersky, for their part, denied that anyone used its software to explicitly search for secret information on customer machines and said that the tools detected on the NSA worker's machine were detected in the same way that all AV software is designed to detect malware on customer machines.
0:33:59 - Leo Laporte
Cause it was malware. Because it was malware, it really was malware, right right.
0:34:04 - Steve Gibson
Exactly, they were developing NSA malware for the NSA, and you know, it's funny too, because it's a little reminiscent of the Plex breach, which, of course, is the way LastPass got themselves in trouble. You have some, you know, some third-party contractor using your tools at home on their home machine, where they've got, you know, AV software installed. Right, it's like whoops. Not quite secure by and other commercial software sellers that had contracts with Kaspersky to sell computers with Kaspersky AV software pre-installed on those systems subsequently announced they would no longer install the software on computers they sold. This didn't, however, put an end to existing customers using Kaspersky software or prevent new customers from purchasing the software on their own. Today's ban is designed to convince those customers to stop using the software as well, and get this. Commerce Secretary Raimondo told reporters, when Americans have software from companies owned or controlled by countries of concern such as Russia and China integrated into their systems, it makes all Americans vulnerable. Those countries can use their authority over those companies to abuse that software, to access and potentially exploit sensitive US technology and data. And I'll just note that the United States is no different in that regard. It's just that we're here and they're there.
We've covered the news that China's government is similarly urging its businesses to stop using Windows. You know, we clearly have a new cyber cold war heating up and, unfortunately, choosing sides and cutting ties is part of the process. So, anyway, it's unfortunate, Leo, that a product that many people use is not going to be available. At the same time, I guess it feels to me like Kaspersky's employees should have seen the writing on the wall. They've seen the tensions between the US and Russia heating up. It's easy for us to say, well, you know, they could have left Russia, but they probably love Russia as much as we love the US. So you know, for most of them, it's just a job.
0:36:45 - Leo Laporte
And I mean Eugene Kaspersky, was trained at the KGB technical school and did have a job in the Ministry of Defense when he founded Kaspersky Antivirus.
0:36:57 - Steve Gibson
So there are deep connections to the Russian government and the GRU. So, and I would note also that AV software in particular has a very intimate relationship with an operating system. It is in the kernel. If it is... absolutely true, and this is the kind of thing that keeps the military mind up all night. Here we have a Russian company that has an active connection to all of the customers' machines in the US, and it's not a text editor, it's running a driver in the kernel.
0:37:42 - Leo Laporte
This ain't TikTok, this is something else, yeah.
0:37:45 - Steve Gibson
If it did want to get nasty in an instant, it could take over all of the machines where it's installed.
0:37:56 - Leo Laporte
And that's why it's been banned on government machines for a long time.
0:38:00 - Steve Gibson
Since 2017.
0:38:01 - Leo Laporte
So I mean, yeah, it makes sense. I mean, I feel bad for Eugene. Part of the reason people are upset is everybody loves Eugene Kaspersky. Dvorak used to recommend Kaspersky all the time. He loved it, but mostly because he used to hang with Eugene and drink vodka during Comdex. So, but honestly, there are plenty of antiviruses out there. I... one could argue you don't even really need an antivirus.
0:38:30 - Steve Gibson
I was gonna say, and you and I, Leo, and my wife and everyone I have any influence over no longer use any. We just use Windows Defender and, believe me, it apparently is doing the job, because it sure is a pain for me. Oh yes, let's take a break.
0:38:46 - Leo Laporte
Oh, what a thought, my goodness. Yeah, okay, good, okay, yeah. Let me just pull the copy up here. I don't know, I'm a little off today.
0:39:01 - Steve Gibson
Well, I'll just note, while you're doing that, that the Kremlin has extended the duration of its ban on Russian government agencies and critical organizations using IT services from unfriendly countries. That's exactly what's going to happen, and that ban, in fact the extension, will enter into effect on January 1st, so that was when the previous one was going to expire. And, you know, we still don't like each other. So, you know, you can't use those nasty Windows computers.
0:39:31 - Leo Laporte
I mean, in a perfect world... I mean, I often think that the best way to keep from going to war is to have economic dependency on each other. Yes, yes.
0:39:44 - Steve Gibson
That's why, it's like, it makes no sense for us to be upset with China.
0:39:47 - Leo Laporte
Everything we own, right, comes from China, right? And as a result, China's less likely to, you know, screw with us. So, but maybe not, who knows? It's like...
0:39:59 - Steve Gibson
Why are they messing with Taiwan, where the chips come from?
0:40:02 - Leo Laporte
That seems like they're out of their mind. But see, that's more of a... this is a problem. That's not a rational thing, that's more of an emotional thing, just like Russia invading Ukraine because it used to be part of China and so we want it back. But that's emotional, it's not rational, clearly. All right, let's talk about our sponsor for this particular portion of the show, and actually it's very timely, because if that NSA contractor had been running 1Password on his machine, he wouldn't have had this problem.
Every business should be using 1Password's Extended Access Management. Let me talk about this, and I think you're going to recognize an old friend here. In a perfect world, end users would only work on managed devices with IT-approved apps, right? Apps that are up to date, apps that are clean, apps that are secure. Unfortunately, it doesn't work that way. As you well know, in your enterprise, everyday employees are bringing in BYOD, their personal devices, and unapproved apps that aren't protected by MDM or IAM or any other security tool. There is a big gap between the security tools we have and the way they actually work, and this is where 1Password really can get involved. They call it the access trust gap, and they've created the first-ever solution to fill it: 1Password Extended Access Management. It secures every sign-in for every app on every device. Now, of course, you know 1Password is a password manager. It includes that. It's the password manager, probably close to the number one password manager, now certainly well-known and well-loved in enterprise. The device trust solution you also have heard of, because it's Kolide. Now, you remember we were talking about Kolide for a long time, and then we said Kolide got purchased by 1Password. So this is now the alliance of 1Password and Kolide. This is the resulting tool, and what a great idea.
1Password Extended Access Management cares about the user experience and privacy, which frankly means it can go places other tools can't, like personal devices, contractor devices. It ensures that every device is known and healthy, and every login is protected. So stop trying to ban BYOD or shadow IT. Start protecting them with 1Password Extended Access Management. Check it out at 1password.com/securitynow. Two names you know and love, together at last, and now really making a tool that everyone should have. That's 1password.com/securitynow. The one is the number one. Thank you, 1Password. This is a perfect idea. Glad it's here. Now on with the show.
0:43:03 - Steve Gibson
Glad you're here, Steve. Okay, so I saw a short blurb in the Risky Business newsletter and all it said was... Sorry, when you say Risky Business, I think of Tom Cruise in underpants.
Yeah, I know. Okay, always. Always. Okay. So it just was a short blurb. It said "Google Chrome complaint," and it read: European privacy organization noyb, and it's not capitalized, so noyb, I don't know, N-O-Y-B, it's Austrian, has filed a complaint with Austria's data protection agency against Google for its new Privacy Sandbox technology. noyb says Google is tricking users to enable Privacy Sandbox by falsely advertising it as an ad privacy feature. Of course, my reaction to that was, what? So I dug a bit deeper. I went over to the noyb.eu website and found their article with the headline "Google Chrome: agree to 'privacy feature' but get tracking." Okay. So their piece begins with: After years of growing criticism over invasive ad tracking, Google announced in September of 2023 that it would phase out third-party cookies from its Chrome browser. Wait.
0:44:37 - Leo Laporte
Wait a minute. noyb stands for None Of Your Business. That's really good. In German, I guess? Maybe not. No, it's English. Really, it's the European Center for Digital Rights. noyb, that is perfect.
0:44:52 - Steve Gibson
None of your business. Okay. So this guy's saying, after years of growing criticism over invasive ad tracking, Google announced it would phase out third-party cookies from its Chrome browser. So this is already misleading because, while it's true that Google has been using the same ad tracking that the rest of the advertising and data aggregation industry uses, the growing criticism has been over the entire industry's use of ad tracking, not just Google's. You know, as we've been carefully covering here, what Google is hoping to do with their Privacy Sandbox is to change the entire model of the way advertising and its user profiling operates by inventing an entirely new way for a user's browser to intelligently select from among available advertisements that are seen at websites. And we've already heard from one of our listeners, whose job it is to implement the server-side technology of a major website, that the rest of the non-Google industry is massively pushing back against Google's attempt to end tracking. Google really is trying to end tracking, and the rest of the community says, no, we like tracking, we don't want you to take it away.
Okay, so the beginning of this article. I'll just share the beginning. It reads: After years of growing criticism over invasive ad tracking, Google announced in September 2023 that it would phase out third-party cookies from its Chrome browser. That part I already read. Since then, users have been gradually tricked into enabling a supposed "ad privacy feature" that actually tracks people. Okay, it doesn't. While the so-called "Privacy Sandbox," again in quotes from him, is advertised as an improvement over extremely invasive third-party tracking, which it is, the tracking is now simply done within the browser by Google itself. Which is not true. To do this, the company theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to turn on an ad privacy feature, and noyb has therefore filed a complaint with the Austrian Data Protection Authority.
Okay, now, the article goes on at length and it never gets any more accurate, so there's no point in dragging everyone through it. It's full of misconceptions and an utter lack of understanding of what Google is trying to do. Google's Privacy Sandbox system explicitly does not track users, which is precisely why the rest of the well-established tracking industry is freaking out over it and scurrying around trying to come up with alternative tracking solutions. This noyb is a privacy watchdog agency, as I said, based in Austria. I looked around their site, and they appear to gauge their value to the world by the number of complaints they're able to file per day. They're complaining about everyone and everything, so they're kind of like a rabid version of the IETF. You know, like the IETF, they are never going to be happy with anything short of complete and total, legally and technically enforced internet anonymity, and in a perfect world that would be great, but, as we know, that's unlikely to happen.
You know, giving the author of this the most sweeping benefit of the doubt possible, the only thing I can imagine is that he confuses, hopefully not willingly, tracking with profiling. Those two words are different, and so is what they mean, you know. Perhaps he sees no difference. Perhaps he doesn't consider Google's Privacy Sandbox to be, you know, the ad privacy feature that Google does. We're told that websites which are able to offer identification of the viewers of the ads they display, or at least some reasonable assurance of the relevance to them of the ads, can double the revenue from their advertising. The problem, therefore, is not Google, who's been working long and hard to find a way to do this without tracking. The problem now is becoming websites and their advertisers who are refusing to change their own thinking. It's challenging.
0:49:57 - Leo Laporte
By the way, you said IETF. Pretty sure you didn't mean the IETF, you meant EFF, because I don't think the IETF... Of course, no. Thank you, thank you, thank you, Leo. You just saved me from receiving a thousand emails. The IETF, the Internet Engineering Task Force, doesn't care about this at all. Thank you so much. I just thought I'd bet you...
0:50:20 - Steve Gibson
Yes, not the I... I have a couple of errata coming up, so we've just reduced...
0:50:25 - Leo Laporte
I'm trying when I can. Sometimes I miss it, I don't know. Thank you, so there you go.
0:50:30 - Steve Gibson
The EFF. Exactly. Thank you. But speaking of tracking, after last week's podcast, as planned, I finished the implementation of GRC's subscription management front end and turned to the email sending side. I designed a layout and template for the weekly podcast announcements I plan to start sending, and Saturday afternoon, US Pacific time, I sent the first podcast summary email to this podcast's 4,239 subscribers. And then this morning, about three hours before, actually we started an hour later than usual, so about four hours before this podcast began, I sent a similar summary of today's podcast to 4,330 subscribers. The list had grown by about 100 over the past week.
So email is starting to flow from GRC, and everybody who has subscribed should have it. If you don't find it, check your spam folder, because it may have been routed over there. Rob in Britain said: Hi, Steve. As Apple broke their IMAP message read flag a while back, I've been using the Blue Mail app to get my mail. Blue Mail includes a tracking image detector, and guess what? It flagged your email message as containing one. As a Brit, the irony of a security podcast tracking me does not escape me. Okay, now, Rob was one of a couple of people who replied with a "what the..." when their email clients reported that a so-called tracking bug was present in their email from me, and since that's what their client calls it, it's natural for concern to be raised. So I wanted to correct the record about when an email bug is tracking someone and when it's not. The TL;DR is: it's not tracking you if it's a bug you indirectly asked for and if it's only linked back to whom you asked it from. The confusion arises because our email clients have no way of knowing that this incoming email is not unwanted spam, and that makes all the difference in the world about the purpose and implications of the bug. Because if it were an unwanted spam email, as opposed to email everyone has been clamoring for, you would definitely not want your opening of that email to send a ping back to the cretins who are despoiling the world with spam. But in this case no one is being tracked, because the image link points only back to me, back to GRC, the source of the email that was sent to you, which only those who jumped through some hoops to ask for it in the first place would have received.
Also, unlike pretty much everyone else, and against the advice of some well-informed others, I, GRC, am sending the email myself, not through any of the typical third-party cloud providers that most organizations have now switched to using. As a consequence, the email address our subscribers have entrusted to me will never be disclosed to any third party and, as I noted, that single-pixel bug is only coming back to me to allow me to obtain some statistics about the percentage of email I send that's opened and viewed, and I've learned some interesting things thanks to that little bug. For example, half of our listeners, well, I guess I already knew this, half of our listeners are using Gmail, but I did not know that fully one quarter of our listeners are using Mozilla's Thunderbird as their email client. I thought that was interesting. So basically, three quarters of everybody who has listed for email and received and opened their email from me, the last two that I've sent, three quarters are either: half of the total is Gmail and the other one quarter is Mozilla's Thunderbird. I'll also note that, as regards this bug, the Security Now emails contain a link to the full-size picture of the week and the show notes and GRC's Security Now summary page, all in the email, back to GRC, so it's not as if anyone who receives these emails from me and clicks any of their links is being stealthy. Also, I chose to embed a reduced-size picture of the week as a visible, it's about 250 pixels wide, thumbnail image so that the email would be self-contained and complete. I could have linked back to GRC for the retrieval of the thumbnail when viewed. In that way, I would have obtained the "you got a tracking bug" as well whenever it was opened by its recipient.
Anyone who thinks that describes the weekly podcast summaries they signed up for will be glad that every one of my emails contains a very clearly marked unsubscribe link and, of course, it has immediate effect. There's none of this "please allow two weeks for your unsubscribe to be processed" nonsense. I've seen that from other, you know, major mailers, and I just think, wow, aren't you using computers? Anyway, my work after today's podcast will be to automate the sending of these weekly podcast summaries. At the moment, sending a new email to a list is not difficult, but it does involve a large number of steps and decisions which are redundant week from week. So I want to take a bit more time to build some infrastructure to make it simple and mistake-proof. And, Leo, I wish I had you. Are you nearby?
0:57:57 - Leo Laporte
No, I'm coming. He can see me. I know he knows I'm coming, yes.
0:58:16 - Steve Gibson
I do. I tweaked my knee. Oh God, I heard about going up into the attic or something.
0:58:24 - Leo Laporte
Yeah, I'm not used to stairs and I fell up.
0:58:31 - Steve Gibson
I didn't fall down. And so it hit the front of your knee on the... Yeah, it hit my knee. Oh, it'll get better. And, of course, stairs to an attic are probably not padded or carpeted.
0:58:40 - Leo Laporte
Not good stairs, oh, no, oh no, so there are two things.
0:58:44 - Steve Gibson
We needed to take a break because we went a long time before our second one. That's what I thought. And you need to hear this next thing, because this is from Orange Tsai. Orange Tsai.
0:58:56 - Leo Laporte
Yes, the security researcher, and you sent me a note about this and I know what you're going to say. So, yeah, let's pause. All right, I am here and we will pause, and then we will talk about Orange Tsai, but first, no sighs, only pleasant smiles for our sponsor, Mylio. I love Mylio. It's solved, and I suspect this is how Mylio came about, it scratched somebody's itch, but it sure scratched mine.
I have, and I bet you do too, lots of photos. I have more than 200,000 photos, lots of documents, lots of videos, and I had no good way to organize it. When Google bought Picasa and put them out of their misery, it was the end of the line for what I was using to keep things in order. And, yeah, sure, I used Google Photos, but it really kind of made me queasy to put all of my stuff up in the cloud. Mylio was the solution, unbelievable solution, and what I love about it is I can organize my photos, I can have them on all my devices and, if I want, I don't need to use the cloud, or I can use Steve's technique of pre-internet encryption. Mylio uses strong encryption. It'll encrypt all your data and then store it on your choice of cloud. They even have their own Mylio cloud. But between encryption and the ability to put it on every device, it's just solved all my issues. And I haven't even scratched the surface of what Mylio will do. Mylio automatically does face recognition. So if I have pictures of Steve and Lisa and my family and so forth, I will say, that's Steve, that's Lisa, and then it goes through all the rest of the photos and amazingly accurately finds them all. In the background, not going to the cloud, on device. Does the same thing automatically with pictures of pets, dogs, cats, even fish, mice, gerbils. It can tell different mountains, rivers, streams. It organizes it all automatically. It lets me curate it. I can share it if I want to.
The genealogy site run by the LDS Church, which is the genealogy site, so it's a great genealogy tool. It even can pull photos from other sources that I haven't had in my library: Instagram, Facebook. It even will take Google Takeout from Google Photos, download them all, and here's the best part, with Mylio Photos+, it eliminates all the duplicates. So when I say I have 200,000 photos, I have exactly 200,000 unduplicated, unique photos and, best of all, all the files stay on your devices, not on somebody else's server. It supports your folder structure, so it makes it easier to search, curate and organize your media across all devices.
Privacy first. Cloud backups are entirely optional, but if you do choose to use them, as I said, it automatically encrypts the data for extra security. Mylio Photos+ is amazing, and all of the AI, all of the categorization, is done entirely on device. Nothing is uploaded, nothing can be data mined. You can tag and search for photos using all of the above. You know, face, object recognition, metadata. It takes all the metadata from my camera. It supports every feature I've got in my camera. It supports every file format, and all of it's private, on device.
Put privacy first with Mylio Photos+. To help you get started, we've got a special offer: your first month free. Then it's $99 for your first year of Mylio Photos+. I paid for it immediately after I tried it. Don't miss this great deal. Now, though, sign up and get your free month at our exclusive address, mylio.com/twit. It's hard for me to tell you all of the things it can do because there's so many. You will be impressed. You will say, hey, scratches my itch too. M-Y-L-I-O. mylio.com/twit. Trust me, I know you've been looking for this. It's here. mylio.com/twit. Okay, now back to the show we go, Mr. G.
1:03:18 - Steve Gibson
So I got an email with the subject "Seeking assistance for Black Hat USA visa issue," and when I saw that this was from Orange Tsai, whose name should be familiar to all of our longtime podcast listeners, I thought, really? That one? I mean, that Orange Tsai. So the email reads: Hello, Steve Gibson and Leo Laporte. My name is Orange Tsai, a security researcher from Taiwan. While I'm not a listener of the show, Jonathan Li-Chu, a friend of mine, says you featured my work and spoke about my name many times on the show. I've won the Pwn2Own Championship and Pwnie Awards several times, as well as having been the researcher behind impactful research such as Exchange Server RCEs (mentioned in Security Now 809, 819, 833, 844, 916 for ProxyLogon and ProxyShell), Samba RCE (Security Now 857), Facebook RCE, Security Now 795 for MobileIron RCE, SSL VPN RCEs (Security Now 814 for FortiGate and Pulse Secure), and the recent PHP RCE. In other words, yes, we know Orange Tsai quite well on the podcast. He says: I come to you with a plea for support from either you or your listeners. I've been accepted to speak at Black Hat USA this year.
Unfortunately, due to United States border control, I've been unable to enter the country the past few years. I was wondering if you or your listeners had any connections that would be of assistance in this. Here's a brief intro to give you some of the context. I've previously traveled to the US seven times through ESTA, the US Visa Waiver Program, and have presented in person at DEF CON and Black Hat USA many times without any issues. However, after I reported several critical vulnerabilities to Microsoft in 2021, my ESTA was rejected. My guess is because one of my reported bugs has a collision with a China APT group. I believe this may have resulted in me being flagged by the US. Since then, I've been unable to enter the United States to present at DEF CON and Black Hat USA in person. In 2022, I tried applying for a business tourist visa at the embassy. However, the consular officer couldn't decide and my application had to be sent to DHS for further administrative processing. After several months of review, I never got a response and missed the 2022 DEF CON and Black Hat USA dates. This year, I submitted my latest research and was accepted by Black Hat USA in May of 2024, so, last month. To catch up with the visa this time, I reapplied for the B1/B2 visa in January and had the interview on March 19th. However, three months have passed and there's still no update.
As a security researcher, I try to do the most impactful research, and I'm keen on having my research seen by the world, especially at the top hacker gatherings like Black Hat USA. I'm currently seeking all the help I can get to break through this situation. I hope this gives you a better understanding of the situation I'm facing. This has been a long and troubling issue for me. If you have any advice or guidance to offer, it would be greatly appreciated. Here's my contact information in case anyone needs it. Thank you, Orange Tsai. Wow. Okay, so this is great if we could help, and by we I mean everyone listening. So the moment I saw his name, you know, as I said, my eyes opened wide because, of course, we recognized him from all the times we've talked about his many significant contributions to the security of this industry and its software systems. I don't actively maintain the sorts of contacts that he needs for this, like with the State Department, but I'm always surprised and flattered when I learn about the roles of many of the people who are listening to this podcast and who consider it to be worth their time. So I'm sharing Orange Tsai's plea in the sincere hope that we do have listeners here who may have the connections required to solve this problem for him. This year's DEF CON and Black Hat USA conferences are being held near the start of August, and today is our last podcast of June, so we only have a month to go.
I wrote back to Orange Tsai to tell him that I would be honored to do anything I could to help by giving his situation a larger audience. I also asked how someone who was in a position of authority might contact him if they needed further clarification. He replied: Hi, Steve, thank you for your response. I really appreciate your help. My only concern comes via a friend, in that the US government can be very sensitive to, and he has in quotes, "media pressure," and there have been cases where this has led to a permanent ban on entry. Although Security Now is not traditional media, I still hope that when mentioning my case, it can be done in a neutral manner.
When seeking help, please ask listeners to do so in their personal capacity rather than representing me, the media or any other sensitive entities. So anyway, I, speaking for myself, would ask anyone, you know, to heed that. You know, if you're in a position to help, please, you know, understand and be, you know, be gentle when you do. If you... Orange Tsai, a security researcher from Taiwan. I really want to go to the US to present my latest research at Black Hat USA 2024 in person. If you have any suggestions, please feel free to email me at orange@chroot.org. Thank you. So with that, I'm leaving this in the hands of our wonderful listeners. You know, please don't do anything if you are not the right person. I would hate to make matters worse. But if you are the right person, or have a sufficiently close relationship with someone who is, then it would be wonderful if we were able to help him. His years of past work have shown that he is exactly the sort of security researcher whose work should be encouraged. Mark Zip sent me a note. He said: Hi, Steve.
Seems to me that an overlooked problem with Recall is, and this was interesting, third-party leakage. Listeners to Security Now may lock down their machines and opt out of Recall, whereas the people with whom we interact may not. If I write an email to a friend, their Recall instance now knows of our correspondence. We can think of other leakage easily. For instance, people frequently share passwords via email. More examples should be easy to imagine. Okay, so first of all, I think Mark makes a great point.
Many people who've been critical of Recall have likened it to spyware or malware, you know, that's now being factory installed. Through our first podcast about this, you know, well, I should say, although our first podcast about this was titled by me "The 50 Gigabyte Privacy Bomb," I have never characterized Recall as spyware or malware, because both of those things require malicious intent, and at no point have I believed, or do I believe, that Microsoft has ever had a shred of malicious intent for Recall. I've seen other commentators suggesting that the entire purpose of Recall is to eventually send the collected data back to Redmond, you know, for some purpose. I think that's irresponsible nonsense, and it's a failure of imagination. For one thing, Microsoft knows that in today's world they could never do that without being found out immediately. We are all now watching them too closely. And besides, why would they? The details of some grandmother's management of her canasta group is nothing that Microsoft cares about. But that's not to say that there would not be some value to having the AI residing in grandma's computer be aware of her interest in canasta. If Windows continues to evolve, or maybe devolve, into an advertising platform, which would be unfortunate but seems likely based on the way it's going, Microsoft, think about this, Microsoft would be crazy not to use their Recall AI's digested history and understanding of its machine's user to improve the relevance of such advertising. And, as we know, this could all be done locally on the machine, much as Google's Privacy Sandbox will be doing in the user's web browser. In this case, the Windows OS itself would be pulling the most relevant ads from the internet for display either in Windows itself or in their Bing web browser. So we now have one declared and two undeclared, but obvious, uses for Recall, and none of these applications for Recall's data requires it to ever leave its local machine environment.
The concern Mark raised about third-party leakage, I think, is a good one. It probably hadn't occurred to most of us that not only would our own machines be recording our every move, but that all of our personal interactions with any others would also be captured by their instances of Recall.
Last week we quoted Matthew Green on the topic of Apple's cloud compute design. He wrote: TL;DR, it's not easy. And he said building trustworthy computers is literally the hardest problem in computer security. He said, honestly, it's almost the only problem in computer security. But while it remains a challenging problem, we've made a lot of advances. Apple is using almost all of them. So that was Matthew talking about Apple's cloud compute. But the point being, building trustworthy computers is the hardest problem we have. So in Apple's case, they have the comparative luxury of housing their cloud compute infrastructure in data center facilities surrounded by strong physical security. Even so, the architecture Apple has designed does not require its physical security to hold in the presence of an infiltrating adversary, but they have physical access security nevertheless. That's something Microsoft does not have with their widely distributed Windows workstations. Grandma always leaves her Copilot+ PC open, logged in and unlocked, just like her back door. So Microsoft's challenge is greater than Apple's, which Matthew Green has just made clear is already the hardest problem in computer security. And, as we've seen with last week's revelation of a supercritical Wi-Fi proximity remote code execution flaw that's apparently been present in Windows forever, at least since Vista...
Whatever solution Microsoft finally implements will need to be something we've not yet seen them successfully accomplish. Let me say that again, because I think it's really important, and it's exactly the right way to think about this: Whatever solution Microsoft finally implements to protect its Recall data will need to be something we've not yet seen them successfully accomplish. What everyone else other than Microsoft clearly sees is just how much having Recall running in a PC raises the stakes for Windows security, but so far we've seen zero indication that Microsoft truly understands that this is not something they can just wave their hands around and claim is now safe for them to do because they said so. What's not clear is whether they'll be able to use the hardware that's already present in those Copilot+ PCs to implement the sort of super-secure enclave they're going to need. And this is to your point, Leo, you made a couple weeks ago about, you know, that's really being what's necessary, and that makes it even more doubtful that they'll be able to securely retrofit the inventory of existing Windows 11 hardware to provide the required level of security. It may take new hardware. Apple has only managed to do it for their iPhone handsets because their hardware architecture is so tightly closed. Windows has never been, since it's an OS designed to run on third-party OEM hardware. So, for example, the phrase "secure boot" is an oxymoron, since Secure Boot bypasses are continually surfacing. I realize that I'm spending a great deal of time on Recall.
This is now the fourth podcast where I've given it some significant discussion and, of course, for the first two podcasts it was our main topic, but given the security and privacy significance of Microsoft's proposal, it would be difficult to give it more time than it deserves. And finally, I have two pieces of errata. The first came from someone who wanted to correct my recent statement about the duration of this podcast. He noted that since we started in 2005, we are still in our 19th year of the podcast, not, as I have been erroneously saying, in our 20th year. So in two months we will be having our 19th birthday, not our 20th birthday.
He said, quote, the reason we listen is that we know you care about getting the details right. I'm glad that comes through. Yes, so I'm happy to correct the record. And the second mistake several of our astute listeners have spotted is that I've been erroneously saying that the big security changes in Windows XP, its built-in firewall being enabled by default and its users' access to raw sockets being restricted, came about with the release of XP's final Service Pack 3. That's wrong. It was the release of XP's Service Pack 2 where Microsoft finally decided that they needed to get more serious about XP's security and made those important changes. So a thank you to everyone who said, Steve... I appreciate the feedback. Always. Wow.
1:20:39 - Leo Laporte
That's a deep cut. I mean, have you talked about that in a while?
1:20:44 - Steve Gibson
Yeah, last couple of weeks, actually. All right, it's a long time ago. You can be excused for not remembering the exact details, and I think the reason I was getting hung up on it is that I have had occasion to install some Windows XPs way later, and of course, after it, I always install Service Pack 3, which was the last service pack, in order to bring it current.
1:21:13 - Leo Laporte
But I do remember it was a big deal when they built a firewall into Service Pack 2. In fact, I think we pretty much said don't use XP until Service Pack 2 comes out. Basically, it was a much-needed service pack, as I remember. Yep. All right, well, you're forgiven.
1:21:35 - Steve Gibson
I'm always happy to correct my mistakes. That's good.
1:21:41 - Leo Laporte
Let us talk about something very important, our sponsor for this hour, and then get to the pseudo-random number generator, or pringle as I call it. The pringle from hell, although if I'd only used it I would be in heaven. So that's why it's a double. That's true.
1:22:01 - Steve Gibson
Yeah, you would be a little richer.
1:22:02 - Leo Laporte
Yeah.
1:22:03 - Steve Gibson
As opposed to a little richer.
1:22:04 - Leo Laporte
Did you see it peaked at $67,000 a Bitcoin.
1:22:09 - Steve Gibson
Thanks a lot.
1:22:10 - Leo Laporte
Leo, don't do the math, says he who formatted his hard drive. 50 of them would be worth what? $3 million? Almost?
1:22:19 - Steve Gibson
$4 million North of. Yeah, that hurts.
1:22:24 - Leo Laporte
It's just money, Steve.
1:22:25 - Steve Gibson
Money doesn't buy... I'll just have to earn it the old-fashioned way. Yeah, there you go.
1:22:30 - Leo Laporte
Let's talk a little bit about the Thinkst Canary, because this is such a cool product. They've been advertising on this show almost exclusively for almost a decade now, and we brought them a lot of customers. Maybe you're one of them. If you are, maybe you've even tweeted your love for the Thinkst Canary, in which case you're at the canary.tools/love page, like the CTO, or is it the CISO, of Slack and so many other well-known people would say. You know, you could have perimeter defense, fine, all fine and dandy, but do you know if someone's penetrated your network? And how do you know? And, more importantly, do you know in a timely fashion? That's what the Thinkst Canary does.
Thinkst Canaries are honeypots. Basically they're about the size of an external USB hard drive. They're tiny little things. They have two connections, one for Ethernet, plug it into your network, one to the wall, give it some power, and bing bada bing bada boom, you've got a honeypot. And, man, these honeypots could be anything. Mine's a Synology NAS, just because, you know, I could make it other things, but I'm just lazy. But it's easy to do. You just go to the console. You can choose from a Windows server, a Linux server, an IIS server, SSH. You can make it a SCADA device, literally make it a SCADA device. If you're worried about the Israeli army hacking your centrifuges, hey, this is what you need. The thing is, once you set it up, it doesn't look like a honeypot, it doesn't look vulnerable, it looks valuable, and that's the key.
You can also use your Thinkst Canaries to set up tripwires. They call them Canary tokens, little files. Put them anywhere on your network. They could be PDFs or DOCX or XLS. I have a number of Excel spreadsheets saying things like employee passwords, employee information, that kind of thing, things that the bad guys who penetrate your network go, ooh, and they open them. And now, as soon as they open them, you get an alert. Only the alerts that matter, only the alerts that tell you someone's in my network.
On average, people don't learn about prowlers inside their network for 191 days. They can do a lot of damage in that time, whether it's a malicious insider, an evil maid who's in there, or it's somebody who penetrated your defenses and is now wandering around, and they're very good at hiding their tracks. They kind of sniff here and there. They're looking for valuable things. They can exfiltrate customer information, embarrassing emails, that kind of thing. They're also looking for where you keep your backups so that when they do trigger a ransomware attack they know your backups are encrypted too. That kind of thing. They're nasty.
But the Thinkst Canary detects them, whether it's accessing lure files or brute forcing your fake internal SSH server. As soon as they do that, your Thinkst Canary will immediately tell you you've got a problem. You can do it by email, text, Slack, syslog. You've got your own hosted console. They have an API if you want to add it to other things, and pretty much any way you want to be notified: SMS, of course, text, push notifications, web hooks. Then you just wait.
Attackers who breached your network, malicious insiders and other adversaries inevitably will make themselves known by trying to attack your Thinkst Canary or those Canary tokens. Then you can rout them from your network. Visit canary.tools. Now, some big operations might have hundreds of them.
Small places like ours might, say, have five. Let's say five. Five Thinkst Canaries, $7,500 a year, you get five of them. You get your own hosted console. You get your upgrades, support, your maintenance, and if you use the code TWIT in the how did you hear about us box, you're going to save 10% off on your Thinkst Canaries for life.
Now, if you're at all concerned, good news, you can always return your Thinkst Canaries within two months. You've got 60 days for a 100% money back refund. But I have to tell you, during all the years Steve and I have been talking about Thinkst Canaries on this show, no one has ever asked for a refund. Not one, not one. That tells you something. Once you get these Thinkst Canaries in your network, you're going to go, oh, how did I live without them? Visit canary, C-A-N-A-R-Y, dot tools slash twit. The offer code TWIT in the how did you hear about us box gets you 10% off for life. canary.tools/twit. Don't forget the offer code TWIT, and we thank Thinkst Canary for supporting the good work that Steve does here. Steve, let's talk about PRNGs.
1:27:17 - Steve Gibson
Yes, Leo, you may think it was bad. It's worse than you could have imagined. Great. So, yeah, the mixed blessing of a lousy pseudo-random number generator. Or, when are you very glad that your old password generator used a very crappy pseudo-random number generator? So today I want to share the true story of a guy named Michael who, after generating 43.6 Bitcoin, lost the password that was used to protect it. With Bitcoin currently trading at around $60,000 US for each coin, that's around $2.6 million worth of Bitcoin waiting for him at the other side of the proper password. Unlike many similar stories, this one has a happy ending, but it's the reason for the happy ending that makes this such an interesting story for this podcast and offers so many lessons for us. Okay, now, by pure coincidence, the story was recently written up by the same guy, Kim Zetter, who wrote that piece about Kaspersky for Zero Day that we were discussing earlier.
Kim's story for Wired is titled How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet. He wrote: Two years ago, when Michael, and he has that in air quotes, Michael wants to remain anonymous. Two years ago, because now Michael has a lot of money and he would rather just keep it to himself. Two years ago, when Michael, an owner of cryptocurrency, contacted Joe Grand to help him recover access to about $2 million worth of Bitcoin he had stored in an encrypted format on his computer, Joe turned him down. Michael, who's based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he'd generated to secure his 43.6 Bitcoin, worth a total of about £4,000, or 5,300, back in 2013, when it was generated and stored.
A lot more now, baby. That's right. Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer to obtain the password. Reasonable concern.
Joe Grand is a famed hardware hacker who, in 2022, helped another crypto wallet owner recover access to two million dollars in cryptocurrency he thought he'd lost forever after forgetting the PIN to his Trezor wallet, which is a hardware device. Since then, dozens of people have contacted Grand to help them recover their treasure, but Grand, known by the hacker handle Kingpin, turns down most of them for various reasons. Grand is an electrical engineer who began hacking computing hardware at age 10 and, in 2008, co-hosted the Discovery Channel's Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using hardware techniques that forced the USB wallet to reveal its password, but Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand's hardware skills were relevant.
This time, he considered brute forcing Michael's password, writing a script to automatically guess millions of possible passwords to find the correct one, but determined this wasn't feasible. Right, you know, 20 characters, upper and lower case, special characters, numbers and so forth. As we know, 20 characters, that's strong security, believe me, I know. That's right, Leo. He briefly considered that the RoboForm password manager Michael used to generate his password might have a flaw in the way it generated passwords which would allow him to guess the password more easily. Grand, however, doubted such a flaw existed. Michael contacted, uh-huh, the plot thickens, Michael contacted multiple people who specialize in cracking cryptography. They all told him there's no chance of retrieving his money. But, and I should mention, they should have been right. Right, you know, Joe Grand should have been right. All these crypto specialists should have been right. Last June, he approached Joe Grand again, hoping to convince him to help, and this time Grand agreed to give it a try.
Working with a friend named Bruno in Germany who also hacks digital wallets, Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had probably used back in 2013 and found that the pseudo-random number generator used to generate passwords in that version, and subsequent versions until 2015, did indeed have a significant flaw. And let me just say, calling it a significant flaw is, you know, I don't know what, an understatement, noon daylight or something, I mean. Okay, the RoboForm program unwisely tied the random passwords it generated, and I should explain, I've dug down into the technology. I'm going to go into the kind of detail that our listeners want after I'm through sharing what Kim wrote. So he wrote: the RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer. It determined the computer's date and time and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past. If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password, for example, the number of characters in the password, including lower and uppercase characters, figures and special characters, and by figures I guess he means numbers, and special characters, this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.
There was one problem: Michael could not remember when he created the password. According to the log on his software wallet, Michael moved Bitcoin into his wallet for the first time on April 14, 2013. But he couldn't remember if he generated the password the same day or sometime before or after that. So, looking at the parameters of other passwords he generated, using RoboForm to generate 20-character passwords with upper and lower case letters, numbers and eight special characters from March 1st through April 20th 2013, it failed to generate the right password. So Grand and Bruno lengthened the time frame from April 20th out to June 1st 2013, using the same parameters. Still no luck.
Michael says that Grand and Bruno kept coming back to him asking if he was sure about this or that parameter that he'd used. He stuck to his first answer. Michael said they were really annoying me, because who knows what I did 10 years ago. Anyway, he found other, Michael said, I thought, oh my God, they're going to ask me again for the settings. Instead, they revealed that they had finally found the correct password: no special characters, and it was generated on May 15, 2013 at 4:10:40 p.m. GMT. Grand wrote in an email to Wired, quote, we ultimately got lucky that our parameters and time range was correct. If either of those were wrong, we would have continued to take guesses and shots in the dark and it would have taken significantly longer to pre-compute all the possible passwords.
Kim then provides a bit of background about RoboForm, writing: RoboForm, made by US-based Siber, spelled with an S, Systems, was one of the first password managers on the market and currently has more than 6 million users worldwide, according to a company report. In 2015, Siber, S-I-B-E-R, seemed to fix the RoboForm password manager. In a cursory glance, Grand and Bruno could not find any sign that the pseudo-random number generator in the 2015 version used the computer's time, which makes them think they removed it to fix the flaw, though Grand says they would need to examine it more thoroughly to be certain. Siber told Wired that it did fix the issue with version 7.9.14 of RoboForm, released on June 10th of 2015, but a spokesperson would not answer questions about how it did so. In a change log on the company's website, it mentions only that Siber programmers made changes to, quote, increase randomness of generated passwords, unquote, but it doesn't say how they did this. Siber spokesman Simon Davis says that RoboForm 7 was discontinued in 2017.
Grand says that, without knowing how Siber fixed the issue, attackers may still be able to regenerate passwords generated by versions of RoboForm released before the fix in 2015. He's also not sure if current versions contain the problem. He said, quote, I'm still not sure I would trust it without knowing how they actually improved the password generation in more recent versions. Kim writes: with the early versions of the program before the fix, it doesn't appear that Siber ever notified customers when it released the fixed version 7.9.14 in 2015 that they really should regenerate new passwords for critical accounts or data. The company did not respond to a question about this. If Siber did not inform customers, this would mean that anyone like Michael who used RoboForm to generate passwords prior to 2015 and is still using those passwords may have vulnerable passwords that hackers can regenerate. Grand said, quote, we know that most people don't change passwords unless they're prompted to do so. He added that out of 935 passwords in my password manager, he said, not RoboForm, 220 of them are from 2015 and earlier, and most of them are for sites I still use, unquote. Depending on what the company did to fix the issue in 2015, newer passwords may also be vulnerable. We don't know.
Last November, Grand and Bruno, having earned their reward, deducted a percentage of Bitcoin from Michael's account for the work they did, then gave him the password to access the rest. The Bitcoin was worth $38,000 per coin at the time. Michael waited until it rose to $62,000 per coin and sold some of it. He now has 30 Bitcoin, now $3 million, and is waiting for the value to rise to $100,000 per coin. Michael says he was lucky that he lost the password years ago because otherwise he would have sold off the Bitcoin when it was worth $40,000 per coin and missed out on a greater fortune. He said, quote, my losing the password was financially a good thing. Unquote.
1:41:49 - Leo Laporte
Yeah, that's how I feel Now. You can never recover yours, but if I ever remember my password, why? It's just been a long-term savings account.
1:41:59 - Steve Gibson
Okay, so, but a bad PRNG, ooh they're always bad, aren't they?
1:42:05 - Leo Laporte
That's what the pseudo means.
1:42:08 - Steve Gibson
Oh well, Leo, wait for this. Oh my God. First of all, RoboForm is probably a well-known name to everyone, even those of us who never had occasion to use it. I'm in that camp. You're in that camp.
1:42:24 - Leo Laporte
I think I used it back in the day, though I mean many years ago Because it was the only. It was the first one. Yeah, yes.
1:42:32 - Steve Gibson
Yes, okay, but since this podcast has been going since 2005, we've covered the span of time that RoboForm was apparently using a horrific password generation scheme. One of this podcast's early and continuing focuses has been on the importance of the strength of pseudo-random number generators used in cryptographic operations. So I was quite curious to learn more about what exactly Grand and Bruno found when they peeled back the covers of RoboForm circa 2013. And I was reminded of a line from the sci-fi movie Serenity, where our villain says to Mal, it's worse than you know, to which Mal replies, it usually is. Believe it or not, whenever the user of RoboForm version 7.9.0, and probably, my theory is, even version 1, but we'll get to that in a minute, but definitely 7.9.0, which was released on June 26 of 2023, whenever the user pressed its generate password button, RoboForm, up until its repair two years later with 7.9.14, simply took the Windows system's Unix time, which is the number of seconds elapsed since January 1, 1970, and directly and deterministically used that time of day to produce the user's password. RoboForm didn't even take the trouble to create a unique per-system salt so that differing installations would produce differing bad passwords. This meant that if two users anywhere were to press the generate password button within the same one second interval, if they were using the same password parameters, identical passwords would be generated. Grand and Bruno discovered something else when they opened up RoboForm. The designers of this password generator, that should really just be called a time scrambler, realized that if a user happened to press the generate password button a second time within the same second, the same password would be generated. To cover up this flaw, they subtract a fixed amount of time from the system time for repeats. What an utter disaster.
One thing we don't know is for how long RoboForm's password generator was this horrific before it was changed. I originally wrote before it was fixed, but we don't know that it's been fixed. We don't know how it was changed, or we don't know why it was changed, but I have a theory about that. My theory is that this must have been the original implementation of RoboForm's password generator. The reason I think that is that by 2013, no one would have ever designed such a horrifically lame password generation scheme. This had to have been a very early password generator, created back in the late 90s or early 2000s, before there was much awareness of the proper way to do these things, and then, following the well-understood property of software inertia, 10 to 15 years went by without anyone at RoboForm bothering to think about it again, until it was, after all, noticed and apparently fixed. We don't know how, but at least it was changed.
Grand and Bruno note that something did finally change in 2015 with 7.9.14. But since RoboForm is both closed source and closed mouthed, we have no idea what may have precipitated the change, nor what the new algorithm was changed to. So I'm put in mind of Bitwarden, the password generating sponsor of this network, where we can know anything we want to know about its innards. First, because if we ask, we'll be told. Secondly, because it's probably openly documented. And thirdly, because the source code of the solution is publicly available, none of which is true for RoboForm.
The final note that's worth repeating is the point that Grand highlights. Regardless of their apparent complexity, we now know that's an illusion. It's just the scrambled time of day and date, without even having any per-system salt, which means that all user scramblings are identical for all owners of RoboForm, probably from the beginning its first release through 2015. Therefore, any passwords that were ever generated by RoboForm presumably until version 7.9.14, can be reverse-engineered, and the set of possible passwords can be further narrowed by the degree to which their approximate date of creation is known, even if the format of the password is not known. There are a limited number of choices available for upper and lower case, special characters, numbers and length.
So if someone were determined to crack into something that was being protected by a password that they had reason to believe had been generated by RoboForm, and they had some idea of when, such as the date of the protected account's creation, it's not a stretch to imagine that it could be done. Sure, I would put the chances of this actually happening, being done, as extremely remote at best, but anyone who was using RoboForm back then, who may have never had the occasion to update their password since, should at least be aware that those passwords were simply generated by scrambling the time of day, and with a resolution of only one second. There are not a cryptographically strong number of seconds in a day, and while I don't want to throw shade on RoboForm's products of today, which might be excellent, given the history that has just been revealed, RoboForm is certainly not something I could ever use or recommend, especially when there are alternatives like Bitwarden and 1Password, which are hiding nothing, and RoboForm is hiding everything. And this brings me to the final and most important point and lesson I want to take away from this. Way back when I, in this podcast, first endorsed LastPass, I was able to do so with full confidence and, in fact, the only reason I was able to do so, and did, was because the product's original designer, Joe Siegrist, completely disclosed its detailed operation to me.
It was the 21st century, and Joe understood that the value he was offering was not some secret crypto mumbo jumbo. That was 20th century thinking. Joe understood that the value he was offering was a proper implementation of well-understood crypto that was then wrapped into an appealing user experience. The value is not in proprietary secrecy. It's in implementation, maintenance and service. As we know, many years and ownership changes later, LastPass eventually let us down. I hope Joe is relaxing on a beach somewhere, because he earned it. He is.
So the lesson we should take from what can only be considered a RoboForm debacle is that something like the design of a password generator is too important for us to trust without a full disclosure of the system's operation and its subsequent assessment by independent experts. Any password generator that anyone is using should fully disclose its algorithms. There's no point in that being secret in the 21st century. It doesn't necessarily need to be open source, but it must be open design. No company should be allowed to get away with producing passwords for us while asking us just to assume those passwords were properly derived just because their website looks so nice. What the marketing people say has exactly zero bearing on how the product operates. It's obvious that we cannot assume that, just because a company is offering a fancy looking crypto product, that they have any idea how to correctly design and produce such a thing. There's no reason to believe that there are not more RoboForms out there.
1:53:02 - Leo Laporte
What's the best way? I mean software, random number generators are pseudo because they repeat eventually, right?
1:53:11 - Steve Gibson
Remember that the first thing I started doing, the first piece of technology I designed for SQRL, and I talked about it on the podcast, was I created what I called an entropy harvester. It was harvesting entropy from a range of sources. It was pulling from Windows' own random number generator, received network packets, DNS transfer rates. All the noise that I could was constantly being poured into a hash that SQRL was churning, and the idea was to create something unpredictable. Unpredictability is the single thing you want, and so the idea was that, I mean, almost immediately, SQRL's pseudo-random number generator would just have so much noise poured into it, all of that affecting its state, that there would be no way for anybody downstream to have ever been able to predict the state that SQRL's pot of entropy was in at the time that it generated a secret key.
1:54:35 - Leo Laporte
Right, galea is reminding us that Cloudflare uses a wall of lava lamps to generate their random numbers. But it's not the seed you're generating Because, as I remember, with software random number generators, if you reuse the same seed, you'll get the same sequence of numbers.
1:54:55 - Steve Gibson
It'll repeat eventually, right? Those are old pseudo-random number generators.
1:55:00 - Leo Laporte
That's not how we do it anymore, right? Okay, and I do remember you saying the best way to do it would be to use a capacitor. Was that right?
1:55:08 - Steve Gibson
Actually, a diode. A reverse-biased diode, where you put it just at the diode junction's breakdown voltage, and what happens is you get completely unpredictable electron tunneling across the reverse-biased junction to literally create hiss. If you listen to it, it is hiss. Right, and it is truly quantum-level noise. Wow.
1:55:42 - Leo Laporte
That would be the best way. You think as good as it gets.
1:55:46 - Steve Gibson
That is what all of the true random number generators now do is a variation on that. They actually do some post-processing because the noise can be skewed, but it is utterly unknowable.
1:56:01 - Leo Laporte
This is actually a fascinating problem in computer science, because, you know, you might say, well, is a coin flip random? Well, it is with a perfect coin, but no coin is perfect. A roulette wheel is random with a perfect roulette wheel, but there is no such thing. They all have biases.
1:56:21 - Steve Gibson
I was asked in 1974 to design a little machine that some people would take to Las Vegas and it was going to be operated with toe switches because it could not.
1:56:38 - Leo Laporte
That's the Eudaemonic Pie. This was in Santa Cruz, right? There's a book about this.
1:56:44 - Steve Gibson
Right. Actually, it was close to Santa Cruz.
1:56:47 - Leo Laporte
Yeah, there's a famous book about this. Have you read the Eudaemonic Pie? No? Well, they got caught, but they made a lot of money.
1:56:58 - Steve Gibson
Yeah, and what they were doing was they were recording, at least in the case of the guys who asked me to develop this thing, they were recording roulette wheel results, because no roulette wheel is perfect, and, believe it or not, they had this thing running already and they were using a wire recorder to record tones that their toes were generating, and they wanted me to do a solid state version for them.
1:57:30 - Leo Laporte
They wore computers in their shoes to basically solve roulette, and they won a lot of money. And because, you know, people are used to people counting cards in blackjack, but everybody in Vegas assumes a roulette wheel can't be beat. Well, it can. If you haven't read this book, you've got to read it. I wonder if it's the same guys. Very interesting story, The Eudaemonic Pie, and I'm pretty sure that they were in the Santa Cruz area.
1:58:00 - Steve Gibson
Well, that would be the right physical area, because I was in Mountain View, which is just over the hill, and it was a toe computer.
1:58:06 - Leo Laporte
Wow, yep, wow, how fascinating is that. So, yeah, maybe someday, maybe if you've got a little, you know, a slow week, I know there's never a slow week on the show, you could talk a little bit about random numbers and why they're pseudo, and how it's a challenge, it's a non-trivial thing to generate those with computers, and crucially important.
1:58:36 - Steve Gibson
It's funny, because we think about crypto as solving all the problems, but I'm not sure I can think of an instance where you don't need something random. When you're choosing a private key for public key crypto, you need high-quality random numbers, and we've seen failures of that where, for example, studies of the private keys used on web servers have turned up a surprising number of collisions of private keys because they were all getting their key shortly after turning on a version of Linux that hadn't yet had time to develop enough entropy. It hadn't warmed up its pseudo-random number generator enough.
1:59:24 - Leo Laporte
I think that you were... I can't believe you've not heard of the book. The book focuses on a group of University of California, Santa Cruz physics graduate students who, in the late 70s and early 80s, designed and miniaturized computers hidden in specially modified platform-soled shoes to predict the outcome of casino roulette games.
I think you were an unwitting... You didn't do it, though. Right, I didn't do it. You didn't do it, but they found somebody to do it. Wow, what a story. That may also be one of the first wearable computers.
Ironically, Steve Gibson, you see, he has a history in this business. He knows what he's talking about. That's why we listen to him with such rapt attention. Steve does Security Now every Tuesday. We try to start right after MacBreak Weekly, around 1:30 pm. This often bleeds over to about 2 pm Pacific, that's 5 p.m. Eastern, 2100 UTC.
We do stream it live. If you're just so impatient to get your Security Now fix, you can't wait, you go to youtube.com/twit/live and you can catch the live stream. But of course, we have on-demand versions because it's a podcast. Now, Steve has some interesting versions that are unlike anything else. He has the 64 kilobit audio. I would say that's the canonical version. We have that at our website as well. We have video, which is absolutely not canonical. But you have something even weirder, which is 16 kilobit audio, which sounds a little bit like Thomas Edison on a recording disc, but it's got the virtue of being a very, very small file size. Now Elaine Farris, who is a court reporter and a transcriptionist, then takes that file and types it up. So Steve also has a full human-written, not AI-generated, transcript of each show, of all 980 shows. Those are all on his website, grc.com. He also has his show notes there and the picture of the day and all of that stuff.
Now if you go to grc.com/email, you can sign up to get that stuff in the mail automatically. But you don't have to. In fact, the default is off. It just basically approves your address so that you can email Steve after that. So that's a new feature that Steve's added. You hear him talk about it on the show.
He also has, and I think you might have heard him talk about this as well, a little thing called SpinRite 6.1, the world's best mass storage performance enhancer, maintenance and recovery utility. Did I get it all? I think I did. Well done. Yes, and it is well worth it. It's Steve's bread and butter, so you support him when you buy it, and of course, it's pretty much a lifetime license. I mean, he's very lenient with all of that, so go on in there. If you already bought one, you can get an upgrade to 6.1. There's lots of other free stuff there, ShieldsUP, and I really think this ValiDrive program is very important. It validates that the USB key that you purchased on Amazon actually has the amount of data it says it does. Lots of them don't. ValiDrive will let you know.
Our site is twit.tv/sn for Security Now. That's where you can download the show. There's a YouTube channel with just the video. There's audio too, but I mean the video versions are on YouTube, and that's nice for sharing. If you say, oh, I've got to send the boss this clip, oh wow, just clip it on YouTube. YouTube makes it very easy. You can send it to them, and everybody has access to that. The best way to get the show, though, is to subscribe, so you get the show automatically. You don't have to even think about it, and then, whenever you're in the mood for a Security Now episode, there it'll be on your device. Just search your favorite podcast client for Security Now, or go to twit.tv/sn. We have some links there. Steve, wonderful week. Thank you so much, and we'll see you next Tuesday on Security Now. Be seeing you in July, my friend. Be seeing you. Bye.