Security Now 988 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. We've got a very big show for you 90, count them. 90. Fixes on Patch Tuesday last week. Steve will count them all. No, he won't. 99 fixes on the wall no, he's going to talk about a few of them. We've got a great picture of the week that explains how RAID works, sort of An update on the certificate revocation issues, and then, finally, a look at the biggest data breach we think of all time how to find out if you're part of the NPD breach and what to do about it coming up. Next, on Security Now Podcasts you love.

0:00:40 - Steve Gibson
From people you trust. This is Twit from people you trust.

0:00:47 - Leo Laporte
This is Twit. This is Security Now with Steve Gibson, episode 988, recorded Tuesday, august 20th 2024. National Public Data. It's time for Security Now. The show we cover the latest security news. Oh, there's a few little tiny stories to talk about with this guy Happy birthday to us. It's our birthday.

0:01:11 - Steve Gibson
Happy birthday to us. Wow, happy birthday, happy birthday. Happy 19th birthday to us.

0:01:20 - Leo Laporte
That's singing Steve Gibson everybody.

0:01:22 - Steve Gibson
Yes, sir. The security cowboy, it was August 19th 2005. Wow, we are all security virgins and we stepped into this not having any idea. You weren't. We had to scrape off our shoes.

0:01:37 - Leo Laporte
Yeah, you weren't a security virgin, but we were all podcast virgins because it was the very earliest days of podcasting.

0:01:44 - Steve Gibson
Well, let me just say I'm way less virginized than I was back then.

0:01:49 - Leo Laporte
You know a lot more.

0:01:51 - Steve Gibson
Oh goodness, yes, yes, and now of course, I'm beginning to believe my own PR on this because, wow, after today, oh goodness, when our listeners go and check for their own personal data, oh, I already did this you're there, leo, as I'm sure you know. I'm there, my wife is there, everybody I've looked up is like this is a bad one, so what are we?

talking about, about, steve, we're talking about today's podcast of course had to be titled National Public Data, which the press, you know, in their typical hyperventilation, thought that it was 3 billion people and I thought, wait a minute, what is the current carrying capacity of the earth?

0:02:42 - Leo Laporte
Well, it's more than 3 billion, but they still that seems.

0:02:45 - Steve Gibson
Yeah, yeah, that's that says that people who you know, who've never held a phone, are or gone to the internet or somehow have their social security numbers up. They don't even have social security numbers up on the internet. No, it's three billion, actually just shy of 3 billion, 2.9 billion records, which pretty much tells an individual's history over the last several decades. Anyway, we're going to get to that and have fun with that. We've got a bunch of stuff. We've got, of course, because yesterday was our birthday, our 19th birthday. We are now with Podcast 988, and, fortunately, no end in sight. In another 11, we'll be at 999, and we're just going to seamlessly cross over into four digits.

I will have to do a little tweaking of my software, as I mentioned several years ago, but we're not going to stop. So year 20, here we come. We're going to have some interesting update on the topic that's sort of been a running theme for a while and it's probably going to be one next week, but in a different sense which is this challenge of certificate revocation, which is important, which is why it's gotten so much of our time and so much of the industry's time and attention. Something happened, leo, at 2 am this morning, which we're going to be talking about and explaining and also what it means. And also there's one last piece that I haven't talked about, which we're going to nail down. So there's that. Also. We've got the six zero days which were discovered, episodes of the 1980s famous computer cafe radio show. Were you ever on that show? I wasn't, but we get to hear Bill Gates before his voice changed. So that's going to be fun.

We also have the third release, third and final I should say, of Is Boot Secure. A quick note on GRC's email, how that's going, which is to say really well, and some listeners' feedback. Then again, to no one's surprise, because I imagine our audience has already heard about this, but we're going to take a deep dive into the background meaning and impact of the largest personal data breach in history and show everybody how they can find themselves and all their personal information online. We're going to talk about what to do about that and what it means for the future. And, as if that wasn't enough, oh Leo, we have a picture of the week. This has got to be on the geek rating scale. It's off the scale. Probably Most people would look at this and go what are these nerds?

0:05:55 - Leo Laporte
talking about.

0:05:58 - Steve Gibson
Why have they fallen off their chair in laughter? Because it's very much on the inside. Because it's very much on the inside. But I had someone already respond say this is definitely among the top five you've ever done.

0:06:11 - Leo Laporte
Wow, oh, I haven't seen it yet. Great, We'll see it together for the first time.

0:06:17 - Steve Gibson
Oh, so clever I just. Whoever this genius was, who did this? It's like hats off.

0:06:22 - Leo Laporte
Very nice. All of this still to come. In just a minute We'll get the picture of the week on security. Now 988, as we gradually head toward 999 and beyond. We are drifting under power. I love it. I love it Our show today, brought to you by Bitwarden.

It's a perfect sponsor for this show because, of course, having a password manager is a must. In fact, I'm going to guess that almost all of you, if you listen to Security Now, use password managers. So this message is as much for you to tell your friends and family about as anything else. Bitwarden is open source. It's a password manager that is on every platform, lets you host if you want your own vault or you can let them do it, because it's open source. It is, I think, easily the fastest moving password manager, with the latest features, including pass keys, support for hardware keys and, because it's open source for individuals, free with all of those features unlimited passwords, unlimited devices, pass keys and YubiKeys forever, free, forever. But I also want to tell you about the enterprise versions, because actually that's what supports Bitwarden and the development on Bitwarden, the password manager, with a cost-effective solution that could dramatically increase your chances and your company's chances of staying safe online For businesses.

Bitwarden has just announced its new collections management settings. These are even more granular, more detailed admin settings. It lets owners you choose how much or how little access admins have to everything in the vault. The setting can be set up so that users can create and delete their own collections. This is great if you want your users to have their own kind of password vault for their personal stuff Admins can't see in it. It's useful also for a policy of least privilege. So if the three guys in IT have the keys to the S3 bucket and you want to keep that to them on them alone, you could do that with collections and other possible setup. Full admin control for everything. But point is you have control now With these new settings and a new can manage permission. You choose how access control and sharing works in your Bitwarden organization.

I think it's important to mention that because I think when I say it's open source and free forever to individuals, people think oh, it's a consumer product and it's not. I mean it is, but it's also a great enterprise solution. Bitwarden empowers enterprises, developers. They have a secret system that is going to keep you from accidentally putting your API keys and your secrets in your GitHub. And, of course, it's a great way for individuals to safely store and share not just passwords, but all sensitive data my passports, my social security number, my driver's license all stored images too within the Bitwarden vault.

With a transparent, open source approach to password management, bitwarden makes it easy for users to bring robust security practices to all their online experiences. And if you've got friends and family who don't use a password manager and they say, oh, I don't want to pay for it, remind them it's free for life. Now I pay for the premium version 10 bucks a year just to support them. And if you're a business, you can try Bitwarden's free trial of a Teams or Enterprise plan and really see what it can do for your business. Of course, it's always free across all devices as an individual user. Check it out. This is the password manager I use, the one Steve uses, the one we can confidently recommend bitwardencom slash twit. I love it that it's open source. That's huge for me, in fact. Fact, it's vital. Bitwardencom slash twit. We thank him so much for their support of security. Now, okay, steve, let's uh, let's get that. I'm I'm pulling up the picture of the week even as we speak just do you want to?

describe it a little bit. Oh yes, go ahead and Go ahead and I'll pull it up. Okay, I don't want to break the surprise Should. I look at it first. Yeah, you should look at it. I will look at it and then you can describe it. Okay. So this is me. I haven't looked at it yet. This is how we're going to look at it together. I'm going to scroll it up now. If water coolers were Ray to Rays Okay, now I'm ready to show it. That's so good. That's fantastic.

0:10:58 - Steve Gibson
That is really great, okay as you said, I gave this one the caption if water coolers were Ray to Rays.

0:11:03 - Leo Laporte
I apologize, I'm mirroring that. Let me fix that. Go ahead, keep talking.

0:11:07 - Steve Gibson
Okay, so anyway, it looks fine for me yeah.

0:11:10 - Leo Laporte
Okay, well, it's just me then. Okay, good yeah.

0:11:15 - Steve Gibson
We have your standard water cooler, which is the water cooler with the big jug of water on top, and that's labeled standalone water on top and that's labeled standalone. There are seven frames here to represent all the various configurations of mass storage, redundancy and management. The second one is labeled a cluster, because that's two water coolers, each with its water jug on top. The third one is labeled hot swap, where of course we have one water cooler with its jug on top and, as you often see, next to a water cooler, another jug standing by its side waiting to be swapped in to replace the first jug when it's emptied. So that's the hop swap configuration. Now for for raid one we've got. Somehow this guy has has managed to.

0:12:17 - Leo Laporte
They were having a lot of fun in the office.

0:12:19 - Steve Gibson
Oh my god, yes, two jugs side by side feeding into one water cooler. So they're next to each other, kind of pushed apart a little bit because they won't actually fit completely vertically. But that's the RAID 1 configuration. Raid 5 is three full-size water jugs, similarly arranged. Somehow he's managed to get all three feeding into the top of one water cooler. Thus RAID 5. Now, of course, we have two other RAID configurations. Raid 0 is the one shown on the bottom. That, of course, raid 0 is concatenating two drives, whereas, as we saw, raid 1 is also known as mirroring. So that's why RAID 1 had the two jugs side by side, while RAID 0 has one jug feeding into the next jug. So they're stacked on top of each other, two jugs feeding down into a single water cooler. And then finally, of course, the RAID 0 plus 1 is the combination of 1 and 0. So we've got two jugs side by side, with two jugs above them feeding down into them, above them feeding down into them.

Anyway, it's just, one of our listeners sent this to me. I glanced at it and I thought, oh, this is so good, and actually I had this around the middle of last week. So I share it because I loved this picture so much that I shared it with the gang over in the news group, and one of our active followers contributors over there ran it through some sort of AI generative thing which significantly cleaned it up. It made the text much more legible than it was and kind of cleaned up the pictures a lot, so I was very appreciative of that pictures a lot, so I was very appreciative of that.

0:14:31 - Leo Laporte
I love Gumby's suggestion that in this case RAID stands for a redundant array of inexpensive.

0:14:36 - Steve Gibson
Dasanis. Okay, thank you very much. Okay, so a contributor over in GRC's news groups posted some terrific observations following from last week's discussion of revocation. Andrew wrote I have a sneaky suspicion that Steve's long-term plan for revokedgrccom is going to ferret out what software is swimming the waters in this space naked, shall we say. Now he was addressing my plan, which I had shared there, which was to back GRC servers away from the use of OCSP online certificate status protocol to see what happens. And at 2 am this morning the last received and stapled OCSP status which my revokedgrccom site had received from DigiCert a week ago. So it had its one-week life. It expired at 2 am this morning. I will share what happened after that in a minute, but let's first examine one last feature of OCSP that we have not talked about yet during this go-round of talking about revocation, and work out OCSB's Achilles heel, which is what made it impractical to require at scale.

Okay, so, as we all witnessed in the last two weeks, when GRC's revokedgrccom site began stapling an OCSB status that loudly stated its certificate had been revoked, and you know, no one's browser, as we saw, would then show the page which suggests that OCSP appears to be working better than anything else ever has so far. But, as we also learned, the CA browser Forum now plans to make OCSP support optional and to switch back to requiring the use of, or requiring certificate authorities to publish certificate revocation lists, thus making them mandatory. So at the time last week, I replied to Andrew. Last week I replied to Andrew. I wrote. If the industry has inexplicably chosen to abandon the system that all browsers are currently using with 100% success, as was just demonstrated with GRC's OCSB stapling working perfectly everywhere then okay, we'll start testing the replacement system, that is, certificate revocation lists, to see how well it does. Andrew added, with browser providers like Google, mozilla and Apple providing the CRL important bits as a centralized service with rapid update to their browsers in the field. He said it sounds like insanity. Okay, to which I replied I 100 percent agree. If let's Encrypt and the rest of the CA browser forum are suddenly so worried about web privacy due to individual browsers reaching out to query certificate authority OCSB services, then we'll start a countdown on the mandatory support for CRLs. Okay.

So the final piece that I've not discussed at all. I may have mentioned it, but I'm not sure, though we did cover it in depth back at the time, 10 years ago, when we first talked about all this is known as OCSP, must staple. So here's the problem that solves. A web server obtains a web server TLS certificate signed by its certificate authority right. That's what they all do, and the whole point of signing is that not a single byte of that certificate can be changed or its signature will become invalid. This means that when that web server wishes to include that certificate authorities recently received OCSB assurance about the certificate's validity or its lack thereof. Whatever the case may be, the certificate authority's signed OCSB status can only be appended to the certificate. It cannot in any way modify or be incorporated into the certificate right, because that would break the certificate signature. So that's why the term stapling has been adopted, since stapling is such a good analogy. So the problem is stapling an up-to-date OCSP status to a web server's certificate is optional.

If a bad guy gets hold of a valid web server certificate, they'll gladly staple any OCSP good news to that certificate every time they send it out to a web browser right, since that, as we know, that prevents browsers from looking any further If they've got a valid stapled good news OCSP certificate. Or even, as we saw last week with GRC sending out a bad news. Ocsb certificate contains bad news. As I said, as GRC's revoke site certificate did last week, no bad guy would continue stapling that bad OCSB revocation news to their fraudulently obtained TLS web server certificate. Instead, they'll remove any stapling and hope that no one's browser checks the current validity of the certificate by querying the certificate authority's OCSP service or their CRL their certificate revocation list directly themselves. And so far as we know, browsers no longer make their own queries to OCSP on their own. Actually, there's one exception standing out, but we'll get to that. Okay.

So to prevent a stolen certificate from not having an OCSP response stapled to it, it's possible for a website that wants the best security for itself and which always intends to staple and can commit to stapling, to ask its certificate authority to include a flag built into its TLS certificate, which is known as OCSP must staple, since that must staple flag becomes an integral part of the signed certificate itself. It is immutable and, once issued, can never be changed, and the presence of that flag in any certificate that's received by a browser is an assertion that this certificate must only be honored and trusted if and when it's accompanied by a current and still valid OCSP assertion to that effect. Talking about an updated status for the certificate, an OCSP statement must be stapled to the certificate or it must not be trusted. So that solves the problem of the bad guys choosing not to staple any bad news to their stolen certificate and just assuming as they can, certainly for Chrome and most other browsers that the browser not need to make a second query because they're being told, if there isn't a stapled assertion from a recent you know currently unexpired assertion, that they cannot trust that certificate. Specifically to deal with that case, in my reply to GRC's news group I wrote let's encrypt and all other CAs following the CA browser form can mandate that they will be setting the OCSP must staple requirement in every certificate they issue after some date certain, and that will force all web servers to support stapling and to staple. So what's the problem with that, with enforceable stapling, which we haven't had until we bring the OCSP must staple into it, with enforceable stapling after the stapling mandate were to take effect if it was going to. But we already know this is not the direction the world has gone. But why not? Every certificate will have OCSP stapled to it within 397 days once all pre-mandated certificates will have expired. So the entire industry would move there within the maximum lifetime of a web browser certificate, which is now 397 days.

And the big win for privacy, which let's Encrypt, is saying they're all worried about all of a sudden. The big win for privacy is that with a fresh OCSB response stapled to every certificate, browsers can and will be inhibited from making their own queries for OCSB status, because it's right there on the certificate. So they'll be sped up and they have no reason to ask any further. Thus we have fast revocation notification with zero privacy risk, since browsers will get their updates from the server's cert. Zero performance overhead for the same reason, no need to ask anyone else or look any further and reduced load on CA's OCSB services, since only the servers they've issued certificates to will be querying them, not everyone's browser all over the place that are relying on those certificates. Those certificates and that querying interval can also be readily changed by the CA. Simply by changing the OCSP's response, lifetime Could be made longer, could be made shorter, whatever I mean on an ongoing basis. It's a sort of beautiful system. So why isn't that what's being done?

After not coming up with any answer that I liked, I did some digging in the CA Browser Forum's documents. In the discussion surrounding that CA Browser ballot measure SC63 that we discussed briefly last week, the adoption of which was nearly unanimous everybody's for it I found this couple lines of text Quote independent of usage statistics, relying parties cannot consistently depend on OCSB stapling for security unless responses are stapled on all connections Okay. Further, even if the web server ecosystem had improved support for OCSB stapling and we could require the use of the must staple extension, we'd remain dependent upon robust and highly reliable OCSB services, which have been an ongoing ecosystem challenge. So what they're saying is that they recognize that the use of the must-staple extension, which does solve this problem and the privacy problem and the load problem, it also creates a dependency I mean a serious dependency upon OCSP services being available and they're saying so far they've not been highly reliable. I actually found a piece of intelligence from a project that Mozilla did showing that their browser gets 7% failures on OCSP queries. So that's not good, okay, so that's not good, okay, anyway. So that set of lines in the ballot measure gave me a clue. So, as I said, on the one hand, what they appear to be saying is all experience to the contrary. Unfortunately, when we looked at this 10 years ago, things sort of were like this, and it doesn't seem that that much has changed in the intervening 10 years since we last looked at this. They're suggesting that OCSB must staple, cannot be used, because the robustness of OCSB services has never been sufficient and still isn't today. Still isn't today.

So, thinking about this one thing that the plain vanilla certificate system offers, the one, you know, just anyone other than between the client and server, which after all is connecting to the server, wants to make a connection. The connection works. Part of the handshake is the certificate exchange which the browser verifies, so there's like zero overhead in that and no other requirement for any other real-time communication. The server has a signed certificate. The client locates the server by its domain name using hopefully secure enough DNS, and during the client's connection to the server the server provides its certificate to prove its identity at that domain name. It's an elegant system and it is minimal. Of course, the one place this beautifully minimal system falls down completely is when the certificate it's sending, which was signed and has got lots of life left in it, can no longer be trusted. There's no way for the browser to know that within this minimal system that we originally had In the absence of any other facility. Thatpt will be a maximum of 90 days, or a maximum of 397 days for traditional now annual web browser TLS certificates.

If our goal is for this otherwise simple and elegantly minimal system to deal with the need to revoke certificate trust before the certificate's natural end of life, we're going to need to add something else, and what we see is that the industry has been struggling from the beginning to come up with a solution that works well for everyone. None of GRC's servers have had any problem with OCSB stapling and I frankly doubt that anyone's would a problem, whereas Mozilla is probably referring to brief outages in their browser trying to do OCSB lookup on the fly, which you know it might be off now but on again in five minutes. Who knows if they're like. If the, if the CA are using stapling now had must staple in their certs. But if they were for some reason, if all of those servers were for some reason unable to obtain an update from their certificate authority during that last day of the OCSB assertion's lifetime, they would effectively go offline. They would effectively go offline because, with OCSB must staple in their certificate, no web browser would trust their expired stapling.

Every affected website would look like GRC's deliberately revoked site. Looked after our podcast two weeks ago. That's not good. Browsers have given up their own checking of OCSB for performance reasons and they've been absolved of any guilt by stating their concern over the privacy of their users, although you know that doesn't seem like such a big problem. But okay, so they rely upon stapling to do the work for them when stapling is present and they do nothing when it's not present. But that means that any certificate that does not use must staple will always be vulnerable to long-term abuse if it's stolen.

As I said, since no illegitimate server would include a negative OCSB response which would cause all current web browsers to default to. If a negative response was there, it wouldn't work. But not including a stapling would cause all current web browsers to default to trusting the malicious website. And the industry cannot improve certificate revocation and user privacy by moving to must staple, because a DDoS of the apparently still not very robust OCSP service, which would have then been a requirement for all a certificate authority's customers, would example that some certificate authority well, the CA browser forum said we're moving the entire industry to must staple.

Everybody has that in their certificates, all the old certificates that you know. A year goes by, all the old certificates that didn't have the must stable bit got renewed and now they have the must stable bit. Stapling is now the thing we do. Revocation is wonderful. All it would take and it doesn't take much imagination at this point to imagine that it would happen, baby is a one-day DDoS on some CA's OCSB service. All of the staplings that were trying to refresh themselves would not be able to get updated. Their attestations of the certificates still being trusted would expire. But because Must Staple was in the certificate, no web browsers would trust them and there would be a growing as the days went by. But it would start after a day growing mass outage of all the servers that were trusting, of all the servers that we're using that given under attack CA.

So it's clear that by adding an online facet to this, no matter what we do, we have a problem. I believe that this explains why we're not seeing OCSP going any further. You know, unless it's stapling is mandatory, it can be bypassed simply by not including a stapled certificate, no-transcript. So where are we left? Certificate revocation lists so where are we left? Certificate revocation lists, imperfect as they are are less online than OCSP, which, after all, ocsp stands for Online Certificate Status Protocol. Internet online is not something that can be made to work. Its strength is also its failure.

Okay, so, as I mentioned last week I think I just sort of mentioned it in passing that I was thinking about maybe what would happen if I deliberately blocked all GRC access to DigiCert's, always online for me OCSB service.

I did that. Before I did that, I double checked that my certs did not for some reason have OCSB must staple enabled, or I would have you know, put myself created the same outage. I was just talking about the last received OCSB status from DigiCert which, for the revokedgrccom site, was set to expire around 2 am this morning. I did it a week ago and, sure enough, when I checked this morning, grc's revokedgrccom server was no longer stapling that expired OCSB status to its thoroughly revoked, that expired OCSB status to its thoroughly revoked. There it is, leo to its thoroughly revoked TLS certificate. And what do you think happened? Yep, oh boy. Every web browser other than Firefox has resumed showing the revokedgrccom website. Chrome loves it, safari loves it, edge proudly shows its page. Everyone's happy with the site, despite the fact that its certificate was revoked 21 days ago, every web browser except Firefox is once again completely happy with the site.

0:39:08 - Leo Laporte
Well good on Firefox. Why did Firefox not?

0:39:11 - Steve Gibson
Because if you go Leo in Firefox, you could do about colon preferences, pound sign privacy, Downsign privacy or open Firefox and go to settings and then privacy and security on the left under the main topics. Then scroll about two thirds of the way down and you will find a checkbox which, to their endless credit, is enabled by default. It says query OCSB responder servers to confirm the current validity of certificates.

0:39:52 - Leo Laporte
And there it is, it's revoked.

0:39:55 - Steve Gibson
Firefox is revoked and if you go into settings, privacy and security, scroll two-thirds of the way down, you'll see OCSB querying is enabled To verify because, since it was on mine, I installed Firefox in a Virgin Win 10 VM this morning the first time it was installed. Sure enough, it was enabled by default and there it is Query OCSB response servers. If you turn that off and refresh, the revoked page comes right up.

0:40:32 - Leo Laporte
You're right, so let's keep that on. Yes. And what's funny is, despite all the concerns, I didn't notice anything slow with Firefox. It works fine, right yeah.

0:40:44 - Steve Gibson
Yeah, and we've always had it on. Now I don't know what percentage of servers were stapling. Mine always was. Mine isn't. Now Neither GRCcom nor WWW, nor Revoked are stapling, because I'm preventing those servers from obtaining.

Unfortunately, in my version of IIS you're unable to disable that through configuration. So I actually used my host's file. I just blackholed ocspdigicertcom and my servers were no longer able to obtain that status. I just set it to 127.0.0.1, you know the local host IP.

So the reason for all this we've now proven is that the revoked dot grccom server is not stapling its negative OCSP response, you know which said oh, by the way, this site's certificate the one I've just been stapling, you know, has been revoked. It's not saying anything now, and so, in the absence of either a positive or negative OCSP status, all browsers other than Firefox trust the revoked but otherwise valid certificate. In other words, here we are 21 days after that certificate's revocation, presumably revoked. It may have been revoked for administrative reasons or because somebody stole it. We know that's not the case here, but I'm simulating that Somebody, a bad actor, could have stolen any other site's certificate and the site could have known about it, immediately revoked it with its certificate authority. Chrome could care less. Chrome doesn't know, and we've had three weeks of this, right now that's not an accident.

0:42:51 - Leo Laporte
That's google assertion, as they have always asserted that the whole system's broken, so they're just going to ignore it well.

0:42:58 - Steve Gibson
We know that for ev certs that they do some special looking, and even Apple with iOS and presumably macOS EV certs they care about, so they maintain some sort of a certificate revocation list. Grc certs 10 years ago were EV, so I was seeing that treatment. But, like a lot of the rest of the world, when all the browsers stop giving you any special treatment, you're just throwing your money away to have an EV cert. So I switched back to domain validation certs, which is where the web is going in, correctly, refusing to show the pages being served under the guise of this very well revoked TLS certificate. We'll see what happens. I don't think this is going to change because it's not an EV cert. Neither Chrome nor Apple are giving this any special attention and the entire revocation system. We are now seeing it function the way it really does, which is only if you ask the authorities OCSB server directly do you get an answer, and Firefox is the only browser that does that.

0:44:25 - Leo Laporte
Wow, truly amazing. You want to take a break? Yep, thanks, because Patch Tuesday, there's a lot to talk about 90 security vulnerabilities.

0:44:39 - Steve Gibson
Oh man, yeah, wow, but Leo, these are the last 90. Oh, they found them all.

0:44:45 - Leo Laporte
Oh, thank goodness, this is it. Yes, no more patch Tuesdays. They're canceling September. It's all fixed, nothing to fix.

0:44:50 - Steve Gibson
Nice.

0:44:51 - Leo Laporte
It's all. It's working perfectly. It's about time.

0:44:52 - Steve Gibson
Working perfectly. It won't boot, but it's working perfectly.

0:44:59 - Leo Laporte
You know that's the secret Super-duper Snapdragon Windows co-pilot developer's machine. I thought it was going to come last week, but I'll ask Richard about it tomorrow. But I guess I'll be running Windows 11 in here too, so that'll be fun, that'll be interesting. I'll be able to patch Tuesday along with the rest of you. Meanwhile, let's talk about our sponsor for this segment on security Now Vanta.

Whether you're starting or scaling your company's security program, it is very important to demonstrate top-notch security practices. Establishing trust with customers is more important than ever. It's not just people listening to Security Now. Everybody's kind of aware about this kind of thing, but that's why you need Vanta. Vanta automates compliance for SOC 2, for ISO 27001, and all the rest, saving you time and saving you money and helping you build customer trust. Plus, you can streamline security reviews. You'll love that, automating questionnaires and demonstrating your security posture with a customer-facing trust center. It looks sharp, it's really nice and it's all powered by Vanta AI. It's not a surprise. Over 7,000 global companies like Atlassian, flowhealth, quora and many, many more use Vanta to manage risk and prove security in real time.

V-a-n-t-a Get $1,000 off Vanta right now when you go to vantacom. Slash security now. That's V-A-N-T-A. Dot com slash security now $1,000 off. Every company these days needs Vanta, vantacom slash security now. We thank him so much for supporting security now and we thank steve gibson for doing this great job he does every tuesday. We now stream live to everywhere, including steve's favorite platform, xcom. Kidding, kidding, but we do have hundreds of viewers every time we do this on x. So we welcome you. Youtubecom slash twit slash live. Twitchtv, slash twit uh. Facebook linkedin, xcom. Of course, our club twit discord and kick. Seven different ways to watch us live every Tuesday right after Mac break, weekly, about two to 5 PM Pacific, five to eight Eastern time, 2100 UTC. Make sure you watch live, but even if you do subscribe, cause you're going to want that library, right? Steve of great security Now episodes 19 years worth download them all collect all 988.

0:47:49 - Steve Gibson
worth download them all. Collect all 988. Yeah, and and you know we don't mention often enough and our newer listeners probably don't know that that back then uh, we were sort of still in the early knowledge dump phase of the podcast. Uh, I did a series, several series. One of like five or six was how the internet works, and then there was the other one was how CPUs, like you know, how computing technology works, and we've had many people who've like created, you know, like box sets of those I mean like they're.

0:48:24 - Leo Laporte
Steve's premise was you need the foundational knowledge before you can understand what we're going to be talking about. So, yeah, I mean that was, I don't know, in the first hundred episodes, I think. But it's all there at twittv, slash SN. You can go back, back, back, back, all the way.

0:48:38 - Steve Gibson
Got to dig, got to dig back a little ways.

0:48:41 - Leo Laporte
People have written scripts to scrape it and all that stuff. We don't make it that easy, I understand, but uh, I don't know if I could find those scripts.

0:48:49 - Steve Gibson
I'll dig them up, otherwise you could just download and then, of course, we have the ever favorite portable dog killer episode.

0:48:56 - Leo Laporte
Yes, which was our our, weirdly enough, our christmas episode for many years no animals were hurt during the production. There's a lot of history in this show. I told you that Burke brought in the modern day version of this. It looks like a birdhouse. You're supposed to hang it on your fence If you've got a neighbor's dog that barks. It senses the barks and sends out a tone that only dogs can hear, just like your portable dog killer. But it's disguised so your neighbors don't know why your dog suddenly goes.

Ah what was that? All right, on we go.

0:49:36 - Steve Gibson
It's like putting a secret bark collar on your neighbor's dog. It's kind of like that.

0:49:42 - Leo Laporte
That's exactly what it is. When they bark, they go.

0:49:45 - Steve Gibson
Ooh, I don't like that All right, okay, so Patch Tuesday. Last Tuesday was August's Patch Tuesday for Microsoft and, just so everyone knows, I was not serious about all the bugs being found, because that doesn't seem to be a problem that Microsoft has of worrying.

0:50:04 - Leo Laporte
Well, this will go on for years.

0:50:05 - Steve Gibson
Are we going to hold Patch Tuesday this week or not, or this month? No, they're having it Okay. So it's become sort of standard for the second Tuesday of the month for Microsoft and for many other publishers who also appear unable to ever get the important bugs out of their code. In this month's installment of trying some more, microsoft released updates to fix at least 90 security vulnerabilities in Windows and their other software and their other software, which included a startling six zero-day flaws that were, or maybe are still being, actively exploited by attackers. Flaws were found and fixed in Officenet, visual Studio, azure, copilot, microsoft Dynamics Teams, secure Boot and, of course, windows. Among the six zero days fixed this month, half of them, thus three, are local privilege escalation vulnerabilities which, when we talk about them, they are severe in as much as they really enable an existing attack to be made much worse by giving somebody who's already managed to get inside a machine the system-level root privileges that they need in order to get up to much more mischief. They need in order to to do, you know, to get up to much more mischief. So we know little about these, although you can bet that would be.

Attackers are hard at work Reverse engineering the changes that Microsoft shipped in order to figure out what was going on before and put them to nefarious use for systems that haven't yet been patched when they're already able to get in. There are, however, some worse problems A remote code execution vulnerability when Microsoft's Edge browser is operating in Internet Explorer mode. Although IE mode is not enabled by default in Edge, thank goodness, the fact that this is or was being actively exploited, like today, suggests that there are occasions where an attacker can arrange to either enable it somehow or has identified a user or an organization who has enabled this, probably because they've got some very backward compatibility need back to the last version of IE. So turning that on and using it makes Edge look like IE, and I'm trying to think why I did that. The other day there was something I was doing forensically it might have been back when I was messing with the cookie system again but I had some need to do something with IE mode in Edge, and you know they don't make it easy, but there are people who do need it, and so the problem is, if you're using it, there's a remote code execution vulnerability, believe it or not. So it's good that it's not on by default.

Another zero day is a bypass in their mark of the web which we've talked about extensively before security feature which causes Windows to be far more mistrustful of any files obtained from the Internet. As we've seen in the past, however, this MOTW bypass is always used as a part of a larger exploit chain. But its bypass does enable something to be done that was supposed to be impossible and it's not in the user's best interest, whatever that was, and it's not in the user's best interest, whatever that was. This month's third and final zero day is running VBA macros in Microsoft Project. So you know Project has been a source of lots of problems. So Microsoft just puts up a note and says are you sure you want to run a macro? By the way, did you know? One is running or wants to and many people go what who's doing that? No one is running or wants to and many people go what who's doing that? So those are the six zero day flaws out of the total kettle of 90. And they were under active use a week ago when Microsoft patched them. Hopefully you know again.

We know that patching in a timely manner is something that has bitten enterprises in the past. So some enterprises are reluctant to do so because they don't want to have apps that they depend upon stop working. This is an instance where, depending upon your profile, you may want to get caught up with updates. Sounds like it would be a good idea. And, leo, I mentioned that you caught my attention at the end of MacBreak Weekly, which I was listening to as we cross over into this show, thanks to a listener of ours, larry Denniston, who brought this to my attention. I have some news that might be of interest to both our old-timer listeners and our younger audience, who may have heard the names of these people you know, who in many cases grown to become somewhat legendary within the PC industry that we all love.

Audio tapes of a mid-80s, 1980s technology radio show, which was known as quote the famous computer cafe, were found earlier this year by an archivist who restored and digitized them. Yesterday, monday, the Internet Archive posted they wrote a previously lost cache of celebrity and historical interviews from a long, dormant radio show have been discovered, digitized and made available for all. The Internet Archive is now home to 53 episodes of the Famous Computer Cafe, a 1980s radio show about the new world new at the time of home computers. The program included computer industry news, product reviews and interviews and aired from 1983 through 1986 on radio stations in Southern and Central California. The creators of the famous Computer Cafe saved every episode on reel-to-reel tapes, but over the years the tapes were forgotten and ultimately lost. Earlier this year, archivist Kay Savitz recovered several of the tapes in a property sale and, recognizing their value and worthiness of professional transfer, launched a GoFundMe to have them digitized and made them available at Internet Archive with the permission of the show's creators.

While full-time capsule descriptions of 1980s technology news, the most exciting aspect of the show has been the variety and uniqueness of the interviews they wrote. The list of people that the show interviewed is a who's who of tech luminaries of the 1980s Computer people, musicians, publishers, philosophers, journalists. Interviews in the recovered recordings include Timothy Leary, douglas Adams, of course, hitchhiker's Guide to the Galaxy fame Bill Gates, atari's Jack Tramiel, apple's Bill Atkinson and dozens of others. The Recovered shows span November 17, 1984 through July 12, 1985.

Isn't that cool. So for ease of access, I've made this GRC's shortcut of the week for this episode, which this episode is 988, so if you go to grcsc, slash 988, that will jump your browser to the Internet Archive's blog posting, which includes a link to a Google Docs spreadsheet listing all 53 recordings, who's on them, and then their direct links to their archive page at the internet archive.

0:59:04 - Leo Laporte
So very neat stuff. Yeah, I, you know I wish I had archives of uh all of the shows. Uh, we did vorak and I and so forth. It's great that they saved uh so many of them, um, and it's great that they were saved. The problem with those reel-to-reels is they're going to die in a few years.

0:59:24 - Steve Gibson
Yeah, you get cross-wrap, imprinting and heat and humidity and in many cases the magnetic coating flakes off of the plastic backing.

0:59:37 - Leo Laporte
So kudos to Kay Savitz and to the Internet Archive for preserving and distributing these. That's really great.

0:59:44 - Steve Gibson
Yeah, a quick follow-up on GRC's newest is boot secure freeware. Last Wednesday I posted release two which added keyboard accelerators and tool tips to the buttons and I fixed a non-critical misreporting edge case. Then Relace 3, later that same day, last Wednesday, it added a silent option which causes isbootsecure to fully suppress its user interface. So it runs silently on any Windows machine. It examines the machine and immediately exits with an exit code. That entire enterprise's inventory of PCs to ascertain their boot time status, and not just you know do they have a mistrusted platform key or not, but you can quickly see whether those machines are booting with secure boot enabled or not. So it returns a status zero through seven which encompasses all the various things that it might find. And with that finished I got back to like watching Spinrite run while it works. So that's going to be fun and I'm also very pleased to report the GRC's email system is working very well. Report the GRC's email system is working very well. I sent out 8,443 announcements about this podcast a couple hours ago. Only five were bounced as undeliverable for some reason. So you know five out of 8,443, I'm delighted with. I did also want to mention that and I'm sure some people have found out for themselves that I finally started last week bouncing any email, any incoming email which had not been registered with GRC beforehand. Anything that is sent to securitynowatgrccom, rather than being redirected into a separate folder where I'm able to monitor it, as I had been, is now bouncing back. For the first couple months I just wanted to help people who were sending things through, so I would collect a bunch and then just send them back a notice explaining that well, this would have gone into our you know like bounced into our spam and never be seen or sent back. So you know, please figure out like why Mostly people registered one account and then sent from another. Like I could see their account name registered with ProtonMail but they were sending from iCloudcom. So it's like okay, you need to send me from the one that you registered, or that's not going to work. And I also did get some complaints from people who look around for the email address to send to and they are pissed off when they can't find it anywhere. I understand the annoyance, but I want to keep this more or less just between us. You know I'm not advertising the security now at GRCcom account anywhere on GRCcom site. It's just for you know us insiders. So security now at GRiders. So security now at GRCcom. You're not going to find it written down anywhere.

Michael French said Hi, steve, I'm stumped on how to get information through Wi-Fi firewalls that block everything except HTTP on port 80 and HTTPS on port 443. I run an open VPN server at home in Alabama on TCP port 443. So right, it just looks like a web server, he said, but some firewalls outside of my home still block my communicating with it. After only a few seconds of operation, presumably from their implementing deep packet inspection, he said. I just returned from Europe and found that all the countries I visited UK, the Netherlands, belgium and France have rigged their Wi-Fi firewalls to block everything except HTTP and HTTPS. I would sure appreciate your suggestions on how to get communications through these over-restrictive Wi-Fi firewalls. Thanks, mike.

Okay, so this was an interesting puzzle. It cannot be deep packet inspection unless Michael had been installing and trusting a certificate from the various access points he was using, which I'm sure was not the case. Any TLS connection being made to port 443 will be 100% opaque to anyone monitoring the packets. They'll see what looks like a normal connection to a remote web server with a back-and-forth handshake, but only from the outside. They will have no way of knowing what's going on inside.

My best guess about what might be going on comes from Michael's comment that he's getting disconnected after only a few seconds of operation. So first of all I should say I'm wondering why it's consistent, why his experience is so consistent in the UK, the Netherlands, belgium and France. I mean, that's a little suspicious to me that he's seeing the same thing from so many different places. It makes me think it's something more about what's happening at his end. But although persistent HTTP connections between a web browser and web server can be made and sustained, even then they're usually dropped after all, pending queries and replies have been exchanged, it's unusual for a passive and unused connection to be maintained, connection to be maintained. So it might very well be that these Wi-Fi access points are watching the flow of traffic and are deliberately dropping any connections that go idle. Doing that would not interfere with normal web browser use, while it would be an effective way of blocking other web-like traffic, such as an HTTPS VPN. So that's my thought, mike, about what might be going on. The problem is the VPN doesn't look, even from the outside. The flow of packet traffic. Even from the outside the timing of them and decide this doesn't look like a web server and a web browser. We're gonna. We're gonna bail.

Doug white said aloha steve listened to the Tuesday podcast. I thought I'd mentioned something when it came to transferring DNS. I switched over to Hover from GoDaddy something I put off for years and wanted to mention that the DNS server entries after the transfer to Hover still pointed at the GoDaddy DNS servers. I had to look to find the Hover DNS server names and replace the GoDaddy entries in the Hover settings. I'm guessing it's so that everything still works after the switchover, but I wasn't alerted to the fact that I'm aware of that. I needed to make that change.

Cheers and I'm sure that Doug's correct that in switching his domain registrar from GoDaddy to Hover, hover would have examined his previous registrar's domain name server entries and would have deliberately left them unchanged, copying them into his relocated registration at Hover relocated registration at Hover. Eventually, presumably, godaddy could be expected to suspend their support for his DNS once his registration had been relocated. So this would have probably eventually come to light like stuff would have stopped working for him. So, after moving to a new domain registrar, the point he's making and it's a good one, which is why I wanted to share it. You'll want to make sure that it's registered name server records are pointing where you intend to have them be pointing, which is probably to the DNS server offered by that registrar.

Scott asked Preparation needs to be 30 days, or a year, or a week? If seven days is enough time to catch a revocation, just expire the cert that quickly. Revocation, he says, only really seems like it makes sense if it's instant. So what I believe we've clearly seen now is just how much all of this revocation and certificate life business involves a tradeoff. Let's Encrypt has been automated from day one, but they chose 90 days for their certificates when they could have chosen seven days. Why? One advantage to 90 days, especially when they were starting out in the beginning, was that it would significantly reduce the load on their certificate issuance and delivery infrastructure by a factor of nearly 13 between 9 and 70 days. But it's true that so long as a network outage or attack would not hold, let's Encrypt off the instead of DigiCerts 397-day life certificates. I would want as much life per certificate as I could get you know, just for the safety margin that that provides.

Because one thing that has happened to our industry is that you're no longer very effective on the web if you don't have a valid TLS certificate. You know, browsers, actually you can. Depending upon which one, you can normally force them past an expired cert. You know, I'm sure that you know those of us who surf to less often visited sites will sometime encounter a site that says, oh, this can't be trusted, the certificate expired. If you look at it, it expired yesterday. So it's like, okay, you know the guy who's in charge of that is on vacation, or you know it's an unimportant server that you know hasn't come to the person's attention yet. So it's like okay, fine. And then you push past all these warnings and bewares and cautions and then you get to the site anyway. But still, as I said, you're going to see your traffic fall off for sure if your site starts serving an expired certificate. And in a final, different twist, on expiration.

Brandon Faust sent a very short note. Brandon Faust sent a very short note. His email just said will it boot on 6-2-2031? And he sent me a picture of his Dell something computers UEFI platform key where it shows it it's not one of the bad ones. It's issued to Dell Inc. Platform key issued by Dell Inc. Platform key, and it says valid from 6-1-2016 to 6-1-2031. So he says what about the next day, 6-2-2031? So he is wondering what happens on June 2nd, seven years from now.

And the answer is that in this instance, the date does not matter. It would be up to someone deciding whether or not to trust the root certificate based upon its date, and it's the UEFI firmware that's using this platform certificate to check the signatures of the other signatures. So it's the root and it assigned other certificates in its database. So distrusting the platform key root certificate would require a deliberate act within the UEFI firmware, which is not something that it cares about or would do. So the only reason we have a not valid before and not valid after date is because certificates have to have them in order to be valid certificates, so they just put something in there. As it is, it's a 15-year certificate, so they weren't in any hurry to expire it. Year certificate, so they weren't in any hurry to expire it. Okay, and Leo, let's take a break and we're going to talk about oh boy, the clearly most worrisome data breach that we have had yet.

1:15:01 - Leo Laporte
All right, Steve, we're going to get to the big, big story that everybody's been talking about the national public data breach, For good reason. I'm really curious what you have to say about this, because there's quite a bit of kind of back and forth controversy over, well, exactly what was revealed. There seems to be a lot of errors in the data. Troy Hunt had a long post. That made me more confused, frankly.

1:15:26 - Steve Gibson
That's what we're going to share. Actually, I've edited Troy's post in order to bring his information to us.

1:15:31 - Leo Laporte
And obviously, you found the Pentester site, which is a great way to find your data and my data and everybody else's data. Yeah, as soon as I entered my name and it didn't need much you know my birthday, that's all you needed you found my father's information, my addresses. It was this is everything that these creeps at National Public Data were selling. Now it's free, Congratulations.

1:15:56 - Steve Gibson
GRCSC slash NPD. For those who are listening live. Grcsc slash NPD. For those who are listening live. Grcsc slash NPD.

1:16:04 - Leo Laporte
National Public Data and we will get to that in just a bit, but first let's talk about our sponsor for this segment on security now, and actually our next sponsor is very appropriate and you'll want to stay tuned for that one too Our show today brought to you by ThreatLocker. This is a great solution. I talked to these guys. What a fantastic zero-day fix for you. You know what airline didn't go offline JetBlue. You know why they use ThreatLocker to secure their data and keep their business operations flying high. If zero-day exploits the supply chain attacks are keeping you up at night, that means you're the one in charge. Good, Good news. Sorry, but you don't have to worry anymore because you can harden your security with ThreatLocker. That's what JetBlue did. That's what so many companies do.

Imagine taking a proactive deny-by-default. This is why it works. Deny by default this is why it works. It's zero trust. Deny by default approach to cybersecurity. In other words, you're blocking every action, every process, every user, unless explicitly authorized by your team. You know that solution really works and ThreatLocker helps you do it. They provide a full audit of every action. So you've got great risk management and great compliance. You know exactly what's been going on. Their 24-7 US-based support team fully supports onboarding and beyond, so you'll get it up and running fast and easy and you won't have to take your planes out of the sky or whatever it is. You're up to Stop the exploitation of trusted applications within your organization and keep your business secure, protected from ransomware. We've talked about zero trust before. This is the way to do it.

Organizations across any industry can benefit from ThreatLocker's ring fencing. That's a really cool technology that isolates critical and trusted applications from unintended uses or weaponizations. It limits attacking lateral movement within the network. Threat lockers ring fencing. In fact, it's been proven in practice. It was able to foil a number of attacks that were not stopped by traditional EDR. Among them, the 2020 SolarWinds Orion attack, completely foiled by ring fencing.

For the companies using ThreatLocker, Get unprecedented visibility and control of your cybersecurity quickly, easily, cost-effectively. Threatlocker's zero-trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of vulnerabilities, even especially zero-day vulnerabilities. That's the beauty of this Get a free 30-day trial 30 days that you can sleep like a baby. You're going to want to extend that time, I think. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. These guys have nailed it. Visit ThreatLockercom for more information. You remember that name now ThreatLockercom. This is the solution to the problems besetting your industry today, ThreatLockercom. All right, Steve, we are really ready for this one. I'm all ears and, as you told us earlier, before the show, you emailed me. You said if you've got Delete Me on the show today, this would be a good day to have them. We will. We'll follow up with a special offer from Delete Me.

1:19:39 - Steve Gibson
So stay Me. There was something that surprised me I think it'll surprise our listeners too which is an observation that Troy Hunt made. Troy, of course, is famous for his have I Been Pwned? Hibp site, and so we'll talk about that. I was very impressed, but before we wrap up today's podcast and I mentioned this already just before you told us about ThreatLocker, leo I'm going to provide everyone listening with a URL for a searchable online database containing the records from this breach.

You enter, or at least a subset of them, but the ones that make sense. You enter your first and last full legal name, your state of residence, for example a nickname doesn't work your state of residence and the year of your birth, and you'll be and I mean every one of our. You know US, canadian and UK, apparently, as we'll see, that seems to be where this list is most focused will be immediately presented with a list of all the people who share your name, state and date of birth. You'll find that the list is sorted by middle name or initial, if you have one, and you'll almost certainly find yourself listed there, often redundantly, many times at different physical addresses, all which will be familiar to you because they will be correct, often with your telephone number and always with the correct last two digits of your otherwise redacted full social security number.

1:21:28 - Leo Laporte
That's what scared me and they were correct. They were correct.

1:21:33 - Steve Gibson
This is as real as it gets, and for that reason, I'm going to start out this week with the main takeaway from what we're going to be describing which is probably accurately by those who would know they're describing it as the largest data breach in history. I would argue that it is clearly the most critical to people data breach we've seen so far, and the takeaway is we've spoken previously a number of times about the need to freeze credit reporting at the three primary credit reporting agencies. If that previous coverage was still insufficient to motivate you, your friends or your family to take the steps to do so, then if this one doesn't do the trick, I'm pretty sure nothing ever will, because this is the pay dirt, unfortunately, for the bad guys. So naturally, this has been a big headline grabber. The Verge's coverage was headlined the Weirdest 3 Billion People Data Breach Ever. Bleeping Computer covered this under their headline.

Hackers Leak 2.7 Billion Data Records with Social Security Numbers. Brian Krebs' piece was titled NationalPublicDatacom hack exposes a nation's data. And if it wasn't too long to be the title of today's podcast, leo, I so much would have loved to use the start of National Public Data's own admission, which read there appears to have been a security incident.

1:23:24 - Leo Laporte
Gee you think Talk about understatement. Wow, holy cow.

1:23:29 - Steve Gibson
Yeah. So, from across all the coverage, the person who's probably better suited than anyone else to put all of the pieces together while providing some perspective from his years of involvement with exactly these sorts of incidents, is, as we mentioned, the known to us as have I been pwned Troy Hunt, and indeed Troy's coverage is the best I've seen anywhere. He titled his write up inside the Inside the Three Billion People National Public Data Breach and he wrote, which I've edited for the podcast. He said I decided to write this post because there's no concise way to explain the nuances of what's being described as one of the largest data breaches ever. Usually it's easy to articulate a data breach A service. People provide their information to have had someone snag it through an act of unauthorized access and publish a discrete corpus of information that can be attributed back to that source. And I should mention and you'll hear this throughout Troy's posting he's really focused on attribution, with no clear way to attribute it back to its source.

And national public data is already the subject of a class action lawsuit. To add yet another variable to the mix and I'll just interrupt to note that Bloomberg Law reported that this first case is Hoffman v Jericho Pictures Inc. Which was a suit that was filed in the Southern District of Florida, and their reporting had a couple interesting little tidbits that I wanted to share. They wrote Jericho Pictures Inc, a background check company doing business as national public data, exposed the personal information of nearly 3 billion individuals in an April data breach. A proposed class action alleges entitled National Public Data on a Dark Web Forum claiming to have the personal data of 2.9 billion people.

According to the complaint filed Thursday in the US District Court for the Southern District of Florida, which said the group put the database up for sale for $3.5 million. If confirmed, the breach could be among the biggest ever in terms of the number of individuals affected. It's unclear exactly when or how the breach occurred, according to the complaint, and the provider still hasn't provided notice or warning to affected individuals as of the filing. The complaint said to conduct its business, national public data scrapes the personally identifying information of billions of individuals from non-public sources, meaning plaintiffs didn't knowingly provide the data to the company. Some of the information exposed include social security numbers, current and past addresses spanning decades, full names, information about relatives, including some deceased, for nearly two decades, and more. According to the complaint, national Public Data did not immediately respond to a request for comment. Public data did not immediately respond to a request for comment. So you know that is other than their post, which says there appears to have been a security incident we're not sure what the hell happened yeah we all.

We're looking, we're looking into it. We'll let you know if, uh if, we think we have something more to share. Anyway, bloomberg said. Named plaintiff Christopher Hoffman, a California resident, said he received a notification from his identity theft protection service provider on July 24th notifying him that his data was exposed in a breach and leaked on the dark web. He accused National Public Data of negligence, unjust enrichment, breaches of fiduciary duty and third-party beneficiary contract. Hoffman asked the court to require National public data to purge the personal information of all the individuals affected. Whoops, well, that's not going to happen. That's their entire life.

1:28:31 - Leo Laporte
It's a little late for that. Anyway, it got out right, yeah, yeah.

1:28:35 - Steve Gibson
And to encrypt all data collected going forward. In addition to monetary relief, he also asked for a series of requirements, including that national public data segment data, conduct database scanning, implement a threat management program and appoint a third-party assessor to conduct an evaluation of its cybersecurity frameworks annually for the next 10 years. Okay, so that's just the first of likely many similar Eight at last count. Oh more to come yeah.

1:29:13 - Leo Laporte
Wow, yeah, of course.

1:29:15 - Steve Gibson
I mean, this is obviously going to happen. Everyone's going to jump in. Okay, so let's see what more Troy Hunt has for us. He continues. He said I've been collecting information related to this incident over the past couple of months, so let me talk about what's known about the incident and what data is circulating and what remains a bit of a mystery. Let's start with the easy bit.

Who is National Public Data, npd? They're what we refer to as a data aggregator, that is, they provide services based on the large volumes of personal information they hold and more. Our services are currently used by investigators, background check websites, data resellers, mobile apps, applications and more. He says there are many legally operating data aggregators out there and there are many that end up with their data in. Have I Been Pwned? For example, master Deeds, exactus and Adapt, to name a few?

In April we, he says, started seeing news of national public data and billions of breached records, with one of the first references coming from the Dark Web Intelligence account, which is at daily dark web. So he quotes a tweet from April 8. In his posting, the tweet is headlined USDOD allegedly breached national public data database, selling 2.9 billion records. In the show notes, I have a picture of this and you know basically which is the standard. We've got something for sale. And in this case, you know they describe it loosely. They give a sample, social security number and a person and a way to verify, a means of looking it up, and they say 200 gigabyte compressed, 4 terabytes uncompressed. And it says includes USA, uk and CA you know Canada and for the price? This is where they're asking $3.5 million for this treasure trove of data. Okay, so Troy says back then the breach was attributed to USDOD a name to remember, as you'll see that throughout this post and he says this first reference to the 2.9 billion number we've subsequently seen flashed all over the press and it's right there alongside the request for $3.5 million for the data. Clearly he says there is a financial motive involved here, so keep that in mind as we dig further into the story.

The image also refers to 200 gigabytes of compressed data. That expands out to four terabytes when uncompressed. But that's not what initially caught my eye. He says Instead, something quite obvious in the embedded image doesn't add up If this data is. Quote the entire population of USA, ca and UK, he says, which is around 450 million people in total. What's the 2.9 billion number we keep seeing, because that doesn't reconcile with reports about nearly 3 billion people with the social security numbers exposed. Further, social security numbers, he notes, are a rather American construct, with Canada having SINs social insurance numbers and the UK having, well, he says, ni national insurance numbers are probably the closest equivalent.

He says this is the constant theme you'll read about in this post, stuff just being a bit off, but hyperbole is often the theme with incidents like this. So let's take the headlines with a grain of salt and see what the data tells us. He said I was first sent data allegedly sourced from NPD in early June. The corpus I received reconciled with what VX Underground reported on around the same time. He said note their reference to the 8th of April, which also lines up with the previous tweet. He said on June 1st, vx Underground tweeted April 8th 2024,. He said on June 1st VX Underground tweeted April 8th 2024, a threat actor operating under the moniker USDOD placed a large data set up for sale on Breached titled National Public Data. They claimed it contained 2.9 billion records on the United States citizens. They put the data up for sale for $3.5 million.

So Troy says in their message that is VX Underground's. They refer to having received data totaling 277.1 gigabytes uncompressed, which aligns with the sum total of the two files I'd received, he wrote. These also mention the data contains first and last names, addresses and social security numbers, all of which appear in the first file, among other fields. These first rows also line up precisely with the post dark web intelligence included in the earlier tweet. And in case you're looking at the data and think that's the same SSN number repeated across multiple rows with different names, those records are all the same people, just with the names represented in different orders and with different physical addresses, typically all in the same city, in other words, multiple rows.

In case six rows all represent one person, for example or I'm sorry, in one case six rows all represent one person, he said, which got me thinking about the ratio of rows to distinct numbers. Being curious, I took 100 million samples and found that only 31% of the rows had unique social security numbers. So extrapolating that out, 2.9 billion would be more like 899 million, he said. This is something to always be conscious of. When you read headline numbers like 2.9 billion, it doesn't necessarily mean 2.9 billion people. It often means rows of data Speaking of which those two files contain 1,698,302,004 and 997,379,506 rows respectively.

1:36:34 - Leo Laporte
Math is hard. Total that's a big number.

1:36:38 - Steve Gibson
For a combined total of 2.696 billion rows. So that's where the headline numbers come from. Right, it's very close. So that's the number of total records in this total data set. He said and in this story there's no question that there is legitimate data in there. From the aforementioned bleeping computer story quote, numerous people have confirmed to us meaning to the bleeping computer guys that it included them and their family members legitimate information, including those who are deceased, and in VX Underground's tweet they mentioned it also allowed us to find their parents and Niblis and nearest siblings.

1:37:29 - Leo Laporte
Yeah, my dad's in here, but I have to say all the data is pretty old.

1:37:34 - Steve Gibson
Right.

1:37:34 - Leo Laporte
Yeah, you can tell it's from an earlier collection, right.

1:37:38 - Steve Gibson
Unfortunately, the data that matters, like Social Security numbers, never changes.

Yeah, so he said, anyway, we were able to identify someone's parents, deceased relatives, uncles, aunts and cousins. Additionally, we can confirm this database also contains information on individuals who are deceased. Some individuals have been deceased for nearly two decades. And then in his posting, troy wrote he said quote a quick, tangential observation in the same tweet the database does not all caps, does not contain it's not my emphasis, that was in Troy's posting the database does not contain information from individuals who use data opt-out services. Every person he wrote who used some sort of data opt-out service was not present. Now, leo, this is such an obvious layup for one of this network's sponsors that now would be a good time to pause.

1:38:55 - Leo Laporte
Should I talk a little bit about our sponsor. Wow, that is. Isn't that something I had? No, idea that it would be that effective let me just go back to npdpentestercom and look for somebody I know who uses. Delete me just see. Oh, oh, very interesting, lisa. You never lived in san diego or ventura, did you?

1:39:29 - Steve Gibson
it's got, uh, somebody by your name, but it's not you wow, and if it doesn't have about 10 records for her, because any, any adult of our age will have left a history behind. You have a bunch.

1:39:44 - Leo Laporte
I have a bunch, but Lisa, who's been using Delete Me for some time, is not in this database. Holy camoly, there is a Lisa Laporte who lives in Ventura in San Diego. I'm sorry, dear, but not my Lisa Laporte, holy. So that's really telling. That's really interesting. This episode brought to you today by Delete Me and I just realized a very good reason why we have been using Delete Me. I have it, my mistake, lisa did. I'm in this database. Lisa is not.

Have you ever searched for your name online? Do you hate how much personal information is available? See, I figured. The reason I didn't do it is because I figured I'm in the public. You don't need NPD or anything else to find out about me, it's all out there. But for a private individual, especially for a manager in a business, for leaders in businesses, this is really important. The reason we started using Delete Me for Lisa is because we were getting phishing texts. That knew Lisa's phone number. That knew her direct reports names, knew their phone number. It really enabled a spear phishing, a very targeted spear phishing attack. That was very credible. So we immediately signed up for Delete Me and you know what? I have proof right here it works.

Maintaining privacy is not just a personal concern. It's a concern for your business. It's a concern for your family, in fact. That's why Deleteme has family plans, so that you can get everybody in your family to feel safe. They have business plans and they even have a breach removal service. I was just looking on the Deleteme page where you can remove your information from data breaches. Deleteme helps reduce risk from identity theft, security threats, harassment and more. It really works, in fact.

I think I maybe should sign up for delete me too. This is kind of a wake-up call. Delete me experts will find and remove all your information from hundreds of data brokers. Apparently, npd is one of them. Now, if you do the family plan, you'll assign a unique data sheet to each family member. It's tailored to them, has easy to use controls so account owners can manage privacy settings for the whole family. Delete me will continue to scan and remove your information regularly. That's really, really important. It's not one and done. You need to continually go out there because they will rebuild your dossier. Plus, again, there's new data brokers who say I don't know anything about that. They collect addresses, phone numbers, emails, photos, relative names, social media, property value and, as we've seen in this breach social security numbers. This is bad news, but you can protect yourself and reclaim your privacy.

Visit joindelete mecom slash twit. I have a feeling, if you go to the website and it's a little slow right now, there are more than a few people doing this right now. Use the offer code TWIT and you'll get 20% off. That's a pretty good deal. Joindelete me dot com slash twit and use the offer code twit for 20 off. Holy cow. Join, delete me dot com. Slash twit. I. I don't want to show this other.

1:43:16 - Steve Gibson
Lisa laporte's uh information on everybody can, everybody can see it, they just go, they just go look for it. Yeah, yeah.

1:43:23 - Leo Laporte
I mean that's what's unnerving and she is not in there. That is really. I'm glad you pointed this out, steve. That's kind of amazing it is. It's it really so? Who said that? Oh, I'm showing it now, isn't it? Let me I don't know, turn that off. Thank you, anyway, that's a remarkable fact that if you were using and it doesn't mean just delete me Presumably any reputable data removal agency, you wouldn't be in this breach.

1:44:02 - Steve Gibson
That's something. Yeah, that's a big deal, that's really huge. Okay so, but the point Troy was also making about all data being absent from those using data opt-out services was interesting. He followed up by writing this is what you'd expect from a legally operating data aggregator service. This is what they do, yeah, well, but a legally operating data aggregator service does honor, delete, deletion requests. So he says it's a minor point, but it does support my claim that the data came from NPD. In other words, if this was all NPD, uh, uh, dark web, uh, data aggregation that didn't actually come from npd, then a data you know, then then then this sort of you know, delete me style, uh, data opt out, wouldn't have had an effect. It did which, which? Which means that it came from some legally operating data aggregator that you know that was breached. Isn't that the?

1:45:12 - Leo Laporte
irony of this. We know it's real because they're legal, so awful.

1:45:18 - Steve Gibson
I know. So he says none of the data discussed so far contains email addresses. Now we should note Troy has a strong email bias because that's what have I been pwned keys on. So he talks about email a lot and it matters to him. He says none of the data discussed so far contains email addresses. That doesn't necessarily make it any less impactful for those involved. Certainly doesn't for me, he says. But it's an important point I'll come back to later as it relates to have I been pwned. But it's an important point I'll come back to later as it relates to have I been pwned. He says so. This data appeared in limited circulation as early as three months ago. It contains a huge amount of personal information, he says, even if it isn't actually 2.9 billion different people. And we know it's not because you know you and I, leo, are represented there 10 times.

1:46:07 - Leo Laporte
Oh yeah, I'm in 20 rows. Yeah, yeah he says, says.

1:46:10 - Steve Gibson
And then, to make matters worse, it was posted publicly last week, um. And then he quotes a tweet. On august 6th, wolf technology group tweeted national public data a service by jericho pictures inc. Suffered a massive breach. Hacker Fenice F-E-N-I-C-E leaked 2.9 billion records. Now notice here, here, like when the techies talk, you get like records. As soon as you know like the non-technical press gets it, it turns into people. It's like no Leaked 2.9 billion records with personal details including full names, addresses and social security numbers in plain text that I linked to through grcscnpd. Even though it politely blanks out, it redacts all but the last two digits of social security numbers. They're all there in the data. This is just for the web display that those are asterisked out.

1:47:26 - Leo Laporte
I can vouch that those two numbers that they do reveal are correct, for me anyway, Exactly, and for me as well.

1:47:32 - Steve Gibson
So he said the breach poses significant risks for identity theft and financial fraud. Jericho Pictures Inc faces potential lawsuits and legal challenges due to the incident. So Troy writes. Who knows who Phineas is and what role they play, but clearly multiple parties had access to this data well in advance of last week, he said. I reviewed what they posted and it aligns with what I was sent two months ago, which is bad. But on the flip side, at least it allowed services designed to protect data breach victims to get notices out to them. Inevitably, breaches of this nature result in legal action which, as I mentioned in the opening, began immediately a couple of weeks ago. It looks like a tip-off from a data protection service was enough for someone to bring a case against NPD. Up to this point, pretty much everything lines up. But for one thing, where is the four terabytes of data? And this is where it gets messy, as we're now into the territory of partial data. For example.

1:48:43 - Leo Laporte
One thing I wanted to ask does it, does this mean this NPD 10 pen tester site bought the data? Where did they get the data? Did they buy it?

1:48:51 - Steve Gibson
it's a good question, although, well, what we do know, uh, is that I think later down here we're going to see uh. It was then posted publicly oh, so it's now that's the worst news is no one has to buy. You don't have to be on the underground everybody's got got it.

It's free, baby. Yeah, yeah, so he says. And this is where it gets messy. We're now into the territory of partial data, for example, and that drives Troy nuts. For example, an 80 gigabyte corpus was recently posted to a popular hacking forum. While it's not clear whether that's the size of the compressed or extracted archive, either way it's still a long way short of the full alleged four terabytes.

Earlier this month, a 27-part corpus of data alleged to have come from NPD was posted to Telegram. The compressed archive files totaled 104 gigabyte and contained what feels like a fairly random collection of data. Many of these files are archives themselves, with many of those containing yet more archives. He says I went through and recursively extracted everything, which resulted in a total corpus of 642 gigabytes of uncompressed data across more than 1,000 files. If this is partial, what was the story with the 80 gig partial from last month? Who knows, but in those files were 134 million unique email addresses.

Now, that's what Troy likes, because he wants to put that into HIBP. He said, just to take stock of where we are, we've got the first set of social security number data, which is legitimate and contains no email addresses, yet is allegedly only a small part of the total NPD corpus. Then we've got this second set of data, which is larger and has tens of millions of email addresses right, 134 million unique email addresses, yet is pretty random in appearance. The burning question I was trying to answer is is it legit? The problem with verifying breaches sourced from data aggregators is that nobody willingly, knowingly, provides their data to them. So I can't do my usual trick of just asking impacted have I been pwned subscribers if they'd used npd before? Usually I also can't just look at a data aggregator breach and find pointers that tie back to the company in question due to references in the data mentioning their service. In part that's because this data is just so damn generic. We have first and last name, address, social security number. Attributing a source when there's only generic data to go by is extremely difficult.

He said the kludge of different file types and naming conventions worries me. Is this actually all from NPD? Usually you'd see some sort of continuity, for example, a heap of JSON files with similar names or a swath of SQL files, with each one representing a dumped table. The presence of a uniquely named CSV file ties this corpus together with the one from the earlier tweet. But then there's stuff like acuity, underscore 10, underscore 1, underscore 2022 dot zip. But I should note it's A-C-C-U-I-T-T-Y Huh. It's A-C-C-U-I-T-T-Y Huh. And so he says could that refer to acuity single C and single T, which I wrote about in November? He says H-I-B-P isn't returning hits for email addresses in that folder against the acuity I loaded last year. So no, it's a different corpus. But that archive alone ended up having over 250 gigabytes of data with almost 100 million unique email addresses. So it forms a substantial part of the overall corpus of data. And then he says the three point six billion gigabyte. There is a it's criminal underscore export dot CSV, dot.

Zip file caught my eye in part because criminal record checks are a key component of NPD's services, he says, but also because it was only a few months ago. We saw another breach containing 7 million rows from a US criminal database, and see who that breach was attributed to US DOD, the same party whose name is all over the NPD breach. I did actually receive that data but filed it away and didn't load it into HIBP as there were no email addresses in it. I wonder if the data from that story lines up with this file. Let's check the archives. He says different file name. But hey, it says different file name, but hey, it's a. Okay. So I should have said before that criminal underscore exportcsvzip file is 36080886 kilobytes. This other one that he filed away before. He says but hey, it's a 3608086 kilobyte file, so exactly the same size. Given the NPD breach initially occurred in April and the criminal data hit the news in May, it's entirely possible the latter was obtained from the former, but I couldn't find any mention of this correlation anywhere. And he said, as a side note this is a perfect example of why I retain breaches in offline storage after processing because they're so often helpful when assessing the origin and legitimacy of new breaches. Right, because the bad guys are aggregating stuff too and, like you know, like the more billions of records they have, the more money they can ask for, even if it's you know if it's really a mutt data breach. Okay.

So he says, continuing the search for oddities, I decided to see if I myself was in there. On many occasions Now I've loaded a breach, started the notification process running, walked away from the PC, then received an email from myself about being in the breach. He says. I'm continually surprised by the places I find myself, including this one. So he says, yep, it's an email address of mine. Yet oddly, none of the other data is mine Not my name, not my address and the numbers shown definitely are not familiar to me. I suspect one of those numbers is a serialized date of birth. But of the total 28 rows with my email address on them, the two unique DOBs put me as being born in either 1936 or 1967. Both are a long way from the truth. He's a lot younger than that yeah, he said he finishes.

a cursory review of the other data in this corpus revealed a wide array of different personal attributes. One file contained information such as height, weight, eye color and ethnicity. The UKtxt file merely contained a business directory with public information. I could have dug deeper but by now there was no point. There's clearly some degree of invalid data in there. There's definitely data we've seen appear separately as a discrete breach and there are several different versions of partial NPD data. He says. Although the 27 part archive discussed here is the largest I saw and the one I was most consistently directed to by other people, that was the one that was posted in Telegram. He says the more I searched, the more bits and pieces attributed back to NPD I found. If I were to take a guess, there are two likely explanations for what we're seeing.

This incident got a lot of press due to the legitimacy of the initial dump of Social Security numbers, and the subsequent partial dumps are riding on the coattails of breach hysteria. It appears that NPD may have siphoned up a heap of publicity circulating data to enrich their offering and it got snagged along with the initially released Social Security number data. In other words, he's suggesting that NPD themselves were just sucking up a whole bunch of random crap of much lower quality than their main offering so that they could brag about themselves how many billions of people's data they have, makes perfect sense, and he says. These conclusions are purely speculative, though, and the only parties that know the truth are the anonymous threat actors passing the data around, and the data aggregator that's now being sued in a class action. So, yeah, we're not going to see an incredible, reliable clarification anytime soon.

Addresses his site uses to allow users to look up their own records, and he uses them to inform people with those email addresses when their data has appeared in a new breach, and I thought that Troy's obsessive pursuit of and verification of the exact source of this breach data was interesting. As we launched into this topic, I said before we wrap up today's podcast, I'm going to provide everyone listening with a URL for a searchable online database containing the records from this breach. Now, it's been so exciting that Leo and I have not been able to keep that a secret we keep talking about it.

We keep talking about it. To aid everyone's memory, I made a shortcut for it, which begins with our standard GRCSC, you know, for shortcut, then just slash and NPD. So GRCSC, slash, NPD, of course, for national public data. Using that shortcut will bounce your browser over to npdpentestercom. Pentestercom is a 100% legitimate penetration testing subscription service that can be used by websites to check their site's security. Pentester describes itself as quote we are a cybersecurity technology platform that has sourced the tools, methods and techniques attackers use. Our system allows owners and operators to find potential risks and exposures before the attackers do so. They're just using it. They're using this. They acquired the NPD data, they immediately stuck it in the cloud and have indexed it and are making it available just to draw traffic to their pentestercom site in order to get some new business. So makes sense. Um, uh, uh, okay, so that's all that is. It's just a quick way for anybody to go. You know, grcsc, slash, npd. Tell your friends and family.

Um, when you go there, I say put your full legal first and last name in, because a nickname doesn't do it. You know these records are from various legal documents. You know of the sort that will include one social security number. I did that and, as I've said and as Leo has said, the results took our breath away. The search for me revealed multiple records for every address that had been associated with me through the years, in every case with my correctly associated social security number. And again, I just want to reiterate and make this point to your friends it's important for everyone to understand that what's shown here is just meant to be a proof of presence of everyone's highly personal data within this massive database. Only displays the last two digits of everyone's social security number does not mean that that's all. There is no. Nor that these search fields are all. There is Again, no. Everything about us, our full physical addresses, our various past and present phone numbers, our complete social security number and a massive amount of other, probably very personal data, is all there for the taking. It's just not all being displayed publicly. They redacted it just to be polite.

It's unclear what the exact geographic spread of the population of this database is. From the reporting, it appears to be at least the US, Canada and perhaps the UK, and since this podcast has a global listening audience, we may have many listeners who will not find themselves listed within this. But given what I've seen from poking around at people whose year of birth I know, I would be surprised if all of money is being well spent, because they're apparently not going to find themselves there. So it is my sincere hope that the ridiculously massive scope and scale of this breach I mean when our government's representatives put themselves in here and find themselves there that's going to be a bit of a wake-up call. So I think this is going to shine a very bright light upon this otherwise dark personal data aggregating corner of the internet, and that we might well see some changes made in the laws that have allowed this practice to evolve and thrive.

The data that is out there has escaped already and it will now forever be public. There's nothing that can be done about that now, and it's clearly wrong that it's up to individuals to pay to opt out of this personal data collection process. But Troy's finding that the data and our confirmation that we've had so far that the data of those who had previously done so was conspicuously absent from this breach serves as a true testament to the effectiveness of today's opt-out services. It actually works. So if I were a young person today for whom it is not too late to prevent one's entire personal life and history from being aggregated, sold and eventually leaked out onto the Internet. I would seriously consider adopting paid-for measures today to require all data aggregators to remove any records they already have. Aggregators to remove any records they already have, and then I'd bide my time until the slow-moving legal and governmental system catches up with what's going on.

This event clearly demonstrates that the way things are now needs to be changed.

As for the rest of us, whose last several decades of personal data is now so obviously out in the Internet, flapping in the breeze, all we can really do is tightly lock down all access to our credit histories so that no one can apply for credit in our names.

About this need on April 15th, and at that time I created the GRC shortcut of credit so grcsc slash credit, which will bounce your web browser over to the Investopedia page, which talks about freezing credit and provides updated links to each of the three main credit reporting bureaus where you need to freeze your credit. It may also be that the policies of the credit bureaus will need to change and can be made to change, so that, rather than by default, they are passively allowing anyone to access our credit histories. Unless we take proactive action, it will be incumbent upon them to first obtain our clear, real-time permission to allow a specific individual or entity to have any access. But that's not the way it is today to have any access. But that's not the way it is today. Regardless, we know that any change will be slow and incremental, and it will take time to even get started. So, as this podcast enters its 20th year, it appears that one of our favorite phrases what could possibly go wrong will continue to keep us on our toes for quite some time to come.

2:07:52 - Leo Laporte
And to answer DJ Lookup's question in our Twitch chat no, the data is out there. Delete Me, can't remove it because it's just out there.

2:08:01 - Steve Gibson
Yes, it's not with a broker. The point of the legal aggregator. The legal aggregators will respond, but the bad guys are laughing, they've already got it.

2:08:10 - Leo Laporte
They got it Right. So, as Eric Duckman says, the horse has already left the barn. By the way, I don't know if you saw this. Yesterday Krebs on Security had a piece about how this might have happened, which I thought was quite interesting. His contention, or his story, is that there is a site that was almost identical to the NPD site, called recordschecknet. On that site was a file, memberszip, which had in the clear names and passwords for the site's administrator. So it may really be that they just you know, the second site was created, as apparently was the first, by an Indian website or Pakistani sorry website creation company called creationnextcom, and so it's very possible that they created both the NPD site and the recordschecknet site, for Sal Verini, who's the principal, founded NPD and just left passwords on there because that second site wasn't used. This just came out. I'm a FlightAware subscriber. Flightaware warns some customer's info has been exposed, including Social Security numbers. You just can't win this game, can you? It's bad news.

2:09:44 - Steve Gibson
It really is all around. That's why I think that I mean the only thing we can do is keep our credit frozen.

2:09:51 - Leo Laporte
Yeah, and the good news is thanks to federal law, it is free to freeze and unfreeze your credit report at all the major reporting bureaus. They don't want you to do that. That's how they make their money is selling your data. You want that. So mine are all frozen and I know yours are, and we've recommended that for a long time. So you've got that great URL grccom slash freeze. If people want to learn more.

2:10:15 - Steve Gibson
Slash credit. I'm sorry, say again grccom or grcsc slash credit.

2:10:22 - Leo Laporte
Sorry, grcsc slash credit. And yeah, it'll take you a few minutes, it's not hard to do. I do want to mention a few things before we wrap this up. First of all, thank you to our club twit members who made this all possible. And if you're not yet a member of club twit, I encourage you to support Steve's work and the work we do at all of our shows by joining. It's only seven bucks a month. You get ad free versions of all the shows. You also get access to the Club Twit Discord, which is a club filled with smart, interesting people, your fellow club members. But you also get the good feeling to know that you're supporting the work we do here at Twit. And oh, by the way, one of the things we're going to do for the club members but anybody who wants to join is we're having a photo walk in New York City September 7th. We'll have a meetup on Saturday afternoon, 3 to 5 pm at Bryant Park. Come by, say hi, look for the giant crowd. I'll be somewhere in the middle of that. And then at 5 pm, sharp Joe, one of our Club Twit members, has taken us all on a photo walk. That'll start at Grand Central Station. So that's going to be a lot of fun. I'm looking forward to that. Thank you, club Twit members for your support in making this all possible.

Steve's website is grccom. That's where the Gibson Research Corporation, that's where you'll find his bread and butter, spinrite. Spinrite 6.1 is out. It's the world's best, most useful mass storage, maintenance, recovery and performance enhancing utility. If you have storage, you need Spinrite. Go there and get a copy, grccom. He also has a lot of freebies, including valid drive, to validate that you actually got what you thought you got when you bought that USB drive, thumb drive on Amazon. Really useful tool, lots of great stuff. What's the most recent one you just did? It Is boot secure. Is boot secure? Just to see if you're using one of those, do not trust boot certificates.

2:12:28 - Steve Gibson
And if your BIOS is configured for BIOS or UEFI, and if UEFI, if you've got secure boot enabled at all. So it gives you all the different variables.

2:12:38 - Leo Laporte
I turn it off on all my Linux machines. It just makes it easier. So I know I'm not. He also has a copy of the show 64-kilobit audio. That's kind of the standard version. Steve has a unique version 16-kilobit audio. That's kind of the standard version. Steve has a unique version 16 kilobit audio for the bandwidth impaired and human written no AI here. Transcriptions of the show going back all the way, and thank you, elaine Farris, for doing those. So if you want to read along while you listen or search, those are very, very useful. Show notes are there as well.

Grccom we have a copy of the audio, 64 kilobit audio at our website, along with video. Twittv, slash, sn. There's a YouTube channel dedicated to security. Now, Best way to get it though, subscribe in your favorite podcast client so you get it automatically. As soon as we're done on Tuesday, then that way you can save it. Add it to your collection. Soon as we're done on Tuesday, then that way you can save it. Add it to your collection, put it up on the shelf so you could admire all 988 copies. Burn a CD or two, let's see. We will be back here next Tuesday right after Mac Break Weekly, about 2 pm Pacific 5 pm. Eastern, 2100 UTC. We stream them. Seven streams our club twit discord. Youtubecom slash twit. Twitchtv slash twit kick. Facebook linkedin xcom watch us live, but make sure you download it, even if you watch us live, and then we will be right back here next tuesday with Mr Steve Gibson. Thank you, steve.

2:14:11 - Steve Gibson
Thank you buddy, Till then Bye.