
Security Now 990 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here and, of course, as always, there's lots to talk about. How many customers did CrowdStrike lose, if any, and why? Steve says, "I'd still be a customer." We'll also talk about Telegram's founder, owner and CEO, arrested in France, with what many are seeing as an attack on encrypted communications. But Steve's going to do a deep dive on Telegram's, and I'm going to put this in air quotes, "encryption." He says no, it's not really. All that and more coming up next on Security Now. Podcasts you love.

00:40 - Steve Gibson (Host)
From people you trust.

00:43 - Leo Laporte (Host)
This is.

00:42 - Steve Gibson (Host)
TWiT.

00:43 - Leo Laporte (Host)
From people you trust. This is TWiT. This is Security Now with Steve Gibson, Episode 990, recorded Tuesday, September 3rd, 2024: Is Telegram an Encrypted App? It's time for Security Now, the show where we talk about your security, your privacy, and what's going on in the world around us with this cat right here, Mr. Steven Tiberius Gibson, the host at GRC.com. Hi, Steve. Yo, Leo.

01:16 - Steve Gibson (Host)
How are you? I'm looking at these episode numbers and it's getting pretty exciting. We're inching up. And thank goodness I let everyone know a long time ago that it wouldn't be over. Otherwise it'd be really sad.

01:29 - Leo Laporte (Host)
Oh yeah, see, aren't you glad now? 990, 991. The countdown? Oh, not good. It'd be so sad. Yeah, so now it's a countdown to nothing.

01:39 - Steve Gibson (Host)
Yeah, well, no, actually, I was telling the truth a long time ago when I said, oh, I'm gonna have to rejigger my technology to handle four digits, because you know, back when I wrote it we had one and then maybe two. But I thought, oh, we're never gonna need three, but what the heck?

01:59 - Leo Laporte (Host)
I'll just... We could do hex. No, no, no.

02:02 - Steve Gibson (Host)
We're going to go 999. That'll be a celebration that's sometime in November, and then we're going to go right on into the four digits. However, I'm really sure we won't need five.

02:15 - Leo Laporte (Host)
That's not going to happen. I think you're safe on that. I think we're safe. Both of us will be just a memory.

02:19 - Steve Gibson (Host)
Okay, so lots of interesting stuff to talk about, as I know you've been talking about, but we haven't talked about it. You touched on it here, and it had just happened for last week's podcast and I didn't know what was going to happen, but Telegram's founder, owner and CEO has been arrested in France, so we're going to look at what that means. Also, one year after Microsoft began offering free cloud security event logging, how's that going? Also, to no one's surprise, CrowdStrike is losing customers, but how many? Microsoft, on that topic, is going to meet with CrowdStrike and other vendors to discuss new solutions. We'll talk about that. Also, that Yelp is not happy with Google. You know, did or does Google put their thumb on the scale? Yelp thinks so. Where do you go to purchase yourself some DDoS, when that's what you want?

03:24 - Leo Laporte (Host)
Like a cup of DDoS.

03:26 - Steve Gibson (Host)
Yes, how about sending a telegram? And Chrome exploits are becoming more rare and difficult to find, so Google has upped the ante. And Leo, believe it or not, the Cox Media Group is still promoting their incredibly, I mean just astonishingly, privacy-invading so-called "active listening" capability. We're going to revisit that. Also, how about secretly having foreign agents doing all of your work for you? What could possibly go wrong with that? And the reason this podcast is titled "Is Telegram an Encrypted App?" is because that was the title given to the recent posting by our favorite Johns Hopkins cryptographer, Matthew Green, who has become increasingly annoyed by Telegram's claims of being an encrypted messaging platform. So he finally asks the question: is Telegram an encrypted app? We're going to look at that and answer the question.

04:42 - Leo Laporte (Host)
That was a great blog post, actually. A little surprising. Yes, yeah.

04:44
He did a great job. Yeah, and we've been talking, as you mentioned, we've been talking a lot about Pavel Durov's arrest since it happened a week ago and, yeah, it's quite a story, but we will get to that in just a little bit. But first, how about a word from our sponsor? Would you mind? All right? Oh no, please, a little talk for you from our sponsor, BigID.

05:11
I hope you know the name BigID. They are the leading DSPM solution, that's Data Security Posture Management, and BigID is where Data Security Posture Management is done differently. BigID seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can uncover dark data, identify and manage risk, remediate the way you want and scale your data security strategy. Take action on data risks: annotate, delete, quarantine and more based on the data, all while maintaining an audit trail, which is great for compliance. With BigID's advanced AI models, you can reduce risk, you can accelerate time to insight and you can gain visibility and control over all your data. You know BigID has some big customers who have even bigger data.

06:03
BigID equipped the US Army. Imagine who has more data in more disparate places than the United States Army. BigID helped them illuminate dark data, accelerate cloud migration, minimize redundancy and automate data retention. Pretty big job, but they were able to do it. The US Army Training and Doctrine Command quote is this. Get ready. This is a direct quote: "The first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings. I've never seen a capability that brings this together like BigID does." They see your data everywhere, inside zip files and all kinds of databases and all different cloud and on-prem locations and every little closet nook and cranny.

06:53
By the way, BigID is going to be at their big CISO Digital Summit, October 17th, 11 am Eastern Time, and you don't have to be there. You can watch it online. Centered around the next era of data security, this virtual summit will feature deep dives into the latest data security practices and technologies. They'll explore everything from DSPM to AI. AI is a big part of this, because if you want to use AI in an enterprise or in the Army, you've got to know what to train it on and what not to train it on. Right? Not all the data is the same. And they'll talk about DLP and beyond, with expert-led panel sessions and interactive discussions with your peers. They have a great lineup of speakers, a keynote from the head of cybersecurity and compliance at Denny's, and you can get two CPE credits and a raffle entry just for attending. So make sure to tune in.

07:44
Strengthen your organization's security posture in an ever-evolving digital landscape. This is going to be a great event. Again, October 17th. Put that in your calendar, put a pin in it, 11 am Eastern Time for this incredible panel. Start protecting your sensitive data wherever your data lives. bigid.com/securitynow. Lots of information there. You get a free demo on how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. That's BigID, B-I-G-I-D, bigid.com/securitynow. Also, I said there's lots of information. There's a free new report right there on the site that provides valuable insights and key trends on AI adoption challenges and the overall impact of Gen AI across organizations. It's all there for you. It's free. bigid.com/securitynow. Please check it out. We thank BigID for their support of this fabulous show and the great work that Steve does. I am ready with a picture of the week.

08:54 - Steve Gibson (Host)
This is a goodie. So I gave this one the caption "When the universe is suggesting that you should take the stairs." Listen, oh dear, because we have what appears to be a not that well-maintained, kind of grungy elevator interior, and it's got some instructions over the panel where you push the button for which floor you want to go to. It says, "If elevator does not move, do a small jump. It should move after." Now again, if you get into an elevator and you see that signage, the stairs really are looking better. Good thinking, yes. So yes, you know, and I don't know. There's some signage off to the right. There's something about a guy with a mask. It looks like delivery drivers must wear something, or their own. And it says "and have temperature," blah, blah, blah, so like have their temperature taken, or something. And then down below it says, um, and then I see "clos" and then "ele," so like maybe you must, what? Manually close the elevator doors or something.

10:16 - Leo Laporte (Host)
You must close elevator doors before pressing a button.

10:19 - Steve Gibson (Host)
That would be good, unless you want a good view, or just jump up and down and that'll get the elevator going.

10:27 - Leo Laporte (Host)
That's a joke. Do you think it's a joke?

10:29 - Steve Gibson (Host)
No, I think it's like, there's, this is, I again, you get in, you see the sign and you get out, and you just, and I said, so that's why the caption: "When the universe is suggesting that you should take the stairs." Listen, yeah, because, yeah, that's, anyway, thank you.

10:49
I will thank endlessly our listeners. We've got some goodies in the queue, so another great picture of the week. Okay, so I gave this week's lead story the title "Telegram Puts End-to-End Privacy in the Crosshairs," because I think that's probably what's ultimately being tested here. As we said at the time of last week's podcast, the news was that Pavel Durov, the founder, also owner and CEO, of the Telegram instant messaging system, had been detained in France after he flew into and landed in French territory on a private jet. Next, we learned that his status had changed from detained to formally arrested, and then last Wednesday he was released on 5 million euros bail and is banned from leaving France, since he's now facing charges over his responsibility, this is what they're alleging, for the many illegal and, in some cases, abhorrent things that Telegram's users have been found doing, in light of there being no content moderation, mediation, anything within Telegram of any kind, and they're holding Pavel responsible for that. And, of course, the reason this is intensely interesting, especially to this audience, is that it brings us back to the big and still unanswered question of how the world is ultimately going to deal with end-to-end encrypted messaging and whether governments are going to allow their citizens to hold truly private electronic conversations without any form of content moderating oversight.

12:45
In the case of Telegram, the charges which French authorities have levied against Pavel include being complicit in running an online platform that allows sharing of CSAM, which, as we know, is the abbreviation for child sexual abuse material. Also drug trafficking, fraud and money laundering, as well as not cooperating with authorities when required to do so by law. Now the French news outlet Le Monde reported that France's police, the police office that tackles violent crimes against children, issued a warrant for his arrest, and in a LinkedIn post that was later deleted, that office's secretary general said that, quote, "at the heart of this case is the lack of moderation and cooperation of the platform," which has nearly one billion users in total, though not all in the EU, much fewer than that, "particularly in the fight against," they said, "pedo-criminality." And the EU arm of Politico reported that the specific incident that was cited in the arrest warrant was Telegram's refusal to identify a specific user after being served with a judicial request. Politico wrote, after viewing a document related to the warrant, quote: "The warrants for Pavel Durov and his brother, Nikolai, were issued after an undercover investigation into Telegram led by the cybercrime branch of the Paris prosecutor's office, during which a suspect discussed luring underage girls into sending," quote, "self-produced child pornography," unquote, "and then threatened to release it on social media." So, you know, creeps are on Telegram, okay. "According to the document, the suspect also told the undercover investigators that he had raped a young child. Telegram did not respond to the French authorities' request to identify the suspect."

14:41
As we've often observed, Telegram is the most combative of all the major social media platforms in their attitude and approach to content moderation and lawful assistance requests. I mean, that's like one of the selling points, and it paints this as a clear benefit in its own FAQ, which explains that its distributed architecture is used to confound court orders. Telegram unabashedly boasts. So here's from their FAQ. They said, quote: "Telegram uses a distributed infrastructure. Cloud

15:21
chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from differing jurisdictions are required to force us to give up any data. Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.

16:13
"To this day, we have disclosed," they're saying, "zero bytes of user data to third parties, including governments," unquote. Their terms of service do state that illegal pornographic content is not allowed on its publicly viewable areas, but that doesn't stop people from doing that. Its FAQ says it will only take action on illegal content in these areas, which comprise sticker sets, channels and bots. However, Telegram assures its users that, quote, "all Telegram chats and group chats are private amongst their participants. We do not process any requests related to them," unquote. So, in other words, within any private groups, which may include up to 200,000 people, anything goes, without any supervision and with an explicit guarantee of technically imposed privacy.

17:15
So it should be no surprise that many investigations have found child abuse material for sale on Telegram. However, there are some interesting details here. It's an example of an instance where the details matter and where "encryption" may not mean what its users imagine. This is why today's podcast topic will address the interesting question of whether or not, and to what degree, Telegram is actually an encrypted app and exactly what that term means. Our longtime listeners may recall that I've never been impressed with Telegram's encryption from day one, because it's a perfect example of what we all know should not be done. Telegram uses a homegrown cipher that a couple of guys just made up. His brother, Pavel's brother, right? Yeah.

18:13
It's like, okay, you know, it's got some wacky name, I'll get to it later, but it's like the "information garbling protocol" or something. It's like, what? And literally Matthew says WTF. He's like, whoa. Anyway, they did this well after the world had learned how to do encryption correctly. So, as we've said a long time ago, nobody needs another cipher, nobody needs another hash. Those building blocks are in place. They've been time-tested, academically tested and tested in the wild. They work, they're solid. So don't just go gluing some together in some weird arrangement and say, you know, we dare you to break it. You know, and of course, the fact that they've offered a large cash prize to anyone who could break it does not change the fact that it's not based on any sound formal design or tested cryptographic system, you know.

19:29
So, anyway, we're going to take a far closer look at Telegram at the end of today's podcast since, as I said at the top of the show, Johns Hopkins cryptographer Matthew Green just posted an intriguing piece titled "Is Telegram Really an Encrypted Messaging App?" OK, but be that as it may, Telegram does offer one important feature that makes it unique among all of the private messaging systems. Whereas Telegram, as I noted earlier, can comfortably provide privacy for 200,000 members of a large group, Apple's iMessage groups are limited to 32 participants, Signal groups are limited to 1,000, and WhatsApp's variant of Signal limits group size to 1024. It turns out that implementing true end-to-end encryption across large groups with many participants is not trivial, but what much of the media misses is that, as we'll see, Telegram doesn't actually do that. So their unique value proposition is to provide large groups with unmoderated communication and certainly some degree of privacy.

20:47
Telegram describes itself as a cloud-based messenger that provides, quote, "seamless sync," unquote, across devices. But to do that it needs to have access to the content of those messages, and we know that because Telegram themselves can access the content of conversations. So it certainly could invest in moderation if it chose to. It chooses not to. NBC News reported that child safety groups in the US, UK and Canada all get short shrift from Telegram when they report CSAM on the platform. And, for example, this is in contrast to an app like Signal, which also espouses, and has the technology to actually enforce, privacy-first values. Signal built its app so that its technology implements those values as much as possible while still enforcing privacy. So, although Signal collects no content from its users and only minimal metadata about how they use the service, Signal is able to and will respond to law enforcement requests, but only to the extent of providing account creation dates and the date an account last accessed Signal.

22:27
At least Signal is not openly combative and can honestly say that it has wholeheartedly cooperated with court orders, to the limit of its ability and technology. When Telegram says that, it's not true. Okay, so what of Pavel Durov? This may just be a shot across the bow, and it might wind up being good for Telegram's business model to see their founder and CEO being detained and tried for his refusal to comply. Since Telegram currently has only 41 million users in the European Union, this falls short of the 45 million user threshold that would subject it to the EU's Digital Services Act. With Telegram not categorized as a "very large online platform," it's not subject to the EU's stricter transparency and content moderation rules. However, the Financial Times recently reported that the EU is now investigating Telegram for misrepresenting the total number of EU users in order to fall below that 45 million user threshold. Yeah, right. Well, I'm shocked. Last February's claim that they only have 41 million users within the EU is going to be carefully examined for its veracity.

23:48
Now, the one thing that this gives me the occasion to note, and I think it's important to observe before we move on (and we'll be coming back to what Matthew Green said in a minute), is that both of today's major mobile platforms, iOS and Android, manage their client apps with an iron grip. They do this to enforce both security and control over these client apps, and we spent a lot of time through the years talking about all of the ins and outs and mechanisms for this. So, for example, something close to home here: the reason SpinRite boots directly over its users' hardware and brings along its own minimal OS is because it cannot obtain the direct hardware access it requires from within any operating system environment. But nothing like that exists for our mobile operating systems. None of the various messaging platforms are able to obtain anything approaching direct access to the platform's underlying hardware. So we should always be mindful of the fact that the OS runs the camera, runs the screen and runs the virtual keyboard, and that access to those resources is granted to the applications that are running. That's why we're able to seamlessly switch among applications without any application being able to prevent that.

25:29
Apps are powerless clients of their mobile platform OS. So a messaging app such as Signal, WhatsApp, Telegram or iMessage may be as clever as it wishes with how the content that it communicates is encrypted and decrypted, but everything that is eventually communicated to and from its users passes through the control of the OS, and that OS is always able to see everything that's happening in the clear, without any form of obfuscation or encryption. I think we need to hold on to that, because it's easy to get focused on the ins and outs and specifics of any given messenger, but our mobile OSes have an iron grip over all of these messaging apps, the decrypted content coming out of the app and onto the device's UI surface and going in, the responsibility for the content that's passing through their control before it's encrypted or after it's decrypted. But the truth is that the vendor of the underlying platform, Apple or the supplier of an Android OS, is in the unique position to monitor what's going on before it's turned over to any messaging app and to similarly inspect what its client apps decrypt before it's presented to the user. Now we know, we've talked about this too, I mean, this is a difficult subject. We know how adamantly the platform vendors want to stay as far away as possible from taking any responsibility for what their users and their client apps do, and I know that we all want to retain the total privacy that we're currently being assured we're receiving, but Pavel Durov's arrest and indictment by French authorities shows us that we should probably regard the privacy we're enjoying today as fleeting, since no government wants to be completely blind to the conduct of its citizenry.

28:30
Okay, so to set the stage for some news, recall that five months ago, last April, the US Cyber Safety Review Board released a rather scathing report which squarely placed the blame on Microsoft for the nation-state-linked intrusion into Microsoft Exchange Online, which led to the theft of about 60,000 US State Department emails that previous summer. The CSRB report stated that the breach, quote, "was preventable and should never have occurred," unquote. The report elaborated that a series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem. The CSRB urged Microsoft to publicly share its plans to make fundamental security-focused reforms across the company and its suite of products. The board also recommended that all cloud service providers and government partners enact security-focused changes.

29:37
Okay, so among the criticism that was heaped upon Microsoft last year was that it was charging extra money for zero-cost features such as security logging, which would have gone a long way, had more of the government entities been using them, to help detect the early stages of the various intrusions its users and customers have been experiencing. The tech-savvy senator Ron Wyden said at the time, quote: "Unfortunately, as Microsoft's $15 billion-plus cybersecurity business grows, Microsoft's incentives are not to deliver secure operating systems and cloud software to its customers, but to deliver insecure products and upsell them on cybersecurity add-ons. It should not have taken multiple disastrous hacks of federal systems for Microsoft to make essential security features standard for government customers. But better late than never." Unquote. So we're talking about this today now because, one year later, evidence is emerging of the beneficial effect of something as simple as free security logging.

31:04
Last Tuesday, the publication Cybersecurity Dive posted a report titled "CISA Officials Credit Microsoft Security Log Expansion for Improved Threat Visibility." They wrote: "Greater access to Microsoft event logs is paying off for US government agencies and critical infrastructure providers, which have gained greater visibility into their network environments, the Cybersecurity and Infrastructure Security Agency said Saturday." You know, CISA. "Microsoft expanded free access to security logs in 2023 after a state-linked threat actor stole thousands of emails from the State Department after gaining access to Microsoft Exchange Online. Jeff Greene, CISA's Executive Assistant Director for Cybersecurity, confirmed via email," quote: "Yes, Microsoft has expanded access to the logging elements that were used by the State Department to detect the 2023 compromise to a vastly larger set of customers, including all federal agencies and numerous critical infrastructure organizations. These new logs are being used by organizations today to detect threats." Greene added: "CISA will continue to work with Microsoft and other companies to ensure that their products are secure by design and that Microsoft lives up to the commitments it has publicly announced around improving the security of its products following the 2023 compromise."

32:46
The win for the US government comes as CISA, along with the FBI, National Security Agency and a group of foreign cybersecurity authorities led by Australia, released a best practices guide for event logging last week. The new guide is part of an effort to combat sophisticated threat activity from state-linked threat groups such as Volt Typhoon. The group uses living-off-the-land techniques to disguise its threat activities, using normal security tools that won't trigger alerts when moved around computer networks. Security researchers at ReliaQuest have been tracking a ransomware actor known as Medusa, which is also using living-off-the-land techniques in multiple attacks. Alex Capraro, cyber intelligence analyst at ReliaQuest, said via email, quote: "By implementing the best practices for event logging and threat detection outlined in this guide, organizations can enhance their ability to identify and mitigate malicious activities, thereby protecting their networks, devices and data from compromise."

34:00
Have so many problems and come under so much pressure before it made something that costs it virtually nothing free, because it was making money from selling something that it's no longer making money from. But really, I mean, anyone who's got any experience with IT security understands and has, I'm sure, used logs to find out what's going on. I think the first instance where I saw logging being used to a level that at the time I thought was a little over the top was about 25 years ago. Mark Thompson, my friend whose site is analogx.com. Leo and I know Mark; he's been a friend of ours for decades.

34:51 - Leo Laporte (Host)
Is he still doing his AnalogX?

34:53 - Steve Gibson (Host)
Yeah, he's still busy doing stuff. Leo, you know, Mark made a comment about, I think it was, we were talking about something, and he made a comment that he was logging something, and I thought, I mean, it was like logging how long his toothbrush takes to charge, or something. I mean, it was like, what? But what do you know? You know, it turns out that that was useful somehow. And I know that over time I've increased the amount of logging I'm doing, and sure enough, some... I mean, I guess the point is you don't know what you don't know until you wish you knew.

35:40
And if you've got it, like if everything is being logged, then you may have to do some log processing. You know, and I roll logs over monthly and zip them down, because the logs tend to compress massively down to things that are much smaller. I find myself going back and looking through logs to obtain information that I wasn't specifically thinking that I would need. But you know, if you log it, it's going to be there when you need it. So anyway, the idea years ago was that hard drives were expensive and, you know, you didn't want to log everything. Oh, think of all the space it would take. Now, you know, hard drives, data storage is just, it's free, so why not log? And on that note, Leo.

36:43 - Leo Laporte (Host)
Log everything, log everything.

36:45 - Steve Gibson (Host)
Why not take a break to tell us about our sponsor? And then we're going to talk about CrowdStrike and how they're doing with their customers.

36:53 - Leo Laporte (Host)
Gladly, Steve. Our show today brought to you not by CrowdStrike, although they were a sponsor for a long time and I thought the world of them. I hope they still do.

37:11
I would not have left them after this. There you go, there you go. That's a kind of a tepid endorsement. That's an endorsement nonetheless. Our show today, brought to you by ThreatLocker. Now this is a company you definitely want to keep: ThreatLocker.

37:20
So here's the question: do zero-day exploits and supply chain attacks keep you up at night? Mm-hmm. Worry no more. You can harden your security with ThreatLocker. ThreatLocker is zero trust done right, and you know, you may remember a few weeks ago that a number of airlines struggled a little bit after a big security thing. Not JetBlue. JetBlue trusts ThreatLocker to secure their data and keep their business operations flying high, which is a good thing, because I'm flying JetBlue the day after tomorrow.

38:02
Imagine taking a proactive, this is zero trust, a proactive, deny-by-default approach to cybersecurity, blocking every action, every process, every user, unless authorized by your team. That's security made simple. ThreatLocker lets you do this and, just as important, provides a full audit for every action that helps you with risk management and compliance. Their 24/7 US-based support team fully supports your onboarding and beyond. So don't worry about getting started or continuing. It's as easy as it can be. Stop the exploitation of trusted applications within your organization and keep your business secure, protected from ransomware. Organizations across any business, any industry, can benefit from ThreatLocker's ring fencing, that's what they call it, ring fencing, by isolating critical and trusted applications from unintended uses or weaponization and limiting attackers' lateral movement within their network. ThreatLocker's ring fencing has a really great track record. They were able to foil a number of attacks that were not stopped by traditional EDR. You may remember us talking a few years ago about SolarWinds Orion. That attack, the 2020 SolarWinds Orion attack, was foiled by ThreatLocker's ring fencing. And yes, ThreatLocker works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively.

39:25
ThreatLocker's Zero Trust Endpoint Protection Platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. And that's got to be good. Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. Visit ThreatLocker.com. It's a great name, isn't it, for a zero-trust solution? ThreatLocker.com. Lock those threats up with ThreatLocker. All right, Mr. G?

39:58 - Steve Gibson (Host)
OK, on we go with the show.

40:01
So far, CrowdStrike reports that it expects to lose around sixty, six-zero, million dollars in net new annual recurring revenue and subscription revenue in the aftermath of its technical outage. Now I don't have a good sense for what that represents as a percentage of total revenue, but it does not sound like much, because CrowdStrike is, you know, the big player in this EDR, the endpoint detection and response, market. Nevertheless, CrowdStrike is endeavoring, as you would expect them to, to retain customers by offering various discounts. Their CEO, George Kurtz, denied rumors that the company was losing customers to rivals, but of course that will happen to some degree after the so-called CrowdStrike outage, which is what it has now been named. Although, as I said, I'm sure I would be staying unless I was in some way otherwise unhappy, because the changes they've made since have seemed solid. We know, we talked about last week, how George went to the Pwnie Awards and accepted, like, the biggest mistake ever in history award in person, whereas other companies, like Microsoft, have just blown it off.

41:31
You're not going to get anyone from Microsoft there, so that was impressive. And I mean, a broken bone is always stronger when it heals, right?

41:40
They've really. Yeah, I mean, you could have an employee that screws up, like, over and over and over and refuses to learn a lesson, in which case, OK, fine, we're going to have to let you go. But you know, it's possible also to learn a lesson, and I'm sure this really sunk in. You know, George said that he's putting that award in the lobby so that all the employees have to look at it.

42:06 - Leo Laporte (Host)
That's a good idea. That's a great idea.

42:08 - Steve Gibson (Host)
When they come into work every morning.

42:10 - Leo Laporte (Host)
We don't want another one of these, okay.

42:12 - Steve Gibson (Host)
Yeah, yeah. So, for what it's worth, both SentinelOne and Palo Alto Networks have claimed that they've been fielding calls from soon-to-be ex-CrowdStrike customers over the past few weeks. Again, I don't doubt that for a moment, but to me it doesn't seem like that many are leaving. And actually, I sent the email for this podcast out early today, because I started working on it really early yesterday and got it finished earlier this morning than I normally do, and notified about 8,900 of our listeners of the contents. We have a listener who works at CrowdStrike, and he already sent me some feedback and said, for what it's worth, we're doing fine. And so, you know, I'm sure they are.

43:14
And on that note, interestingly, Microsoft will host a Windows Endpoint Security Ecosystem Summit at their Redmond, Washington headquarters. Their announcement said Microsoft, CrowdStrike and other key partners who deliver endpoint security technologies will come together for discussions about improving resiliency and protecting mutual customers' critical infrastructure. They said our objective is to discuss concrete steps we will all take to improve security and resiliency for our joint customers. The CrowdStrike outage, this is Microsoft's phraseology, in July 2024 presents important lessons for us to apply as an ecosystem. Our discussions will focus on improving security and safe deployment practices, designing systems for resiliency and working together as a thriving community of partners. We're all happy here to deliver more secure and reliable technology for all.

44:36
It's expected that the Windows Endpoint Security Ecosystem Summit will lead to next steps in both short- and long-term actions and initiatives to pursue, with improved security and resilience as our collective goal. We will share further updates on these conversations following the event. So I would imagine that government representatives are invited, as a means of showing that something is being done to keep anything like this from ever happening again, and, surprisingly, to discuss new ways of building these EDR products so that they can still get their job done while relying more on safer user-mode code and less on proprietary kernel drivers.

45:29 - Leo Laporte (Host)
That's the key, isn't it? Keep them out of ring zero. Yeah, give them an API.

45:33 - Steve Gibson (Host)
API.

45:33
Yeah, and it's really, well, okay. So it's difficult to do. That is, essentially Microsoft would have to provide hooks all over the place, which the various EDR vendors now use. That is, they install a driver, and when the system's booting up they go and hook a whole bunch of Microsoft's APIs themselves. And by hook I mean, essentially, the idea is that they re-vector the API service which the OS publishes, so that any client running on Windows actually calls into this driver, the proprietary third-party driver, which examines the call, decides what it thinks about it and then, if it looks okay, forwards it to Windows, to the Windows kernel, where it would normally have gone directly.

46:45
So basically it's a comprehensive filter wrapping around the Windows OS. So, you know, Microsoft doesn't want to offer that, and this is why it's been so limited so far. There are some things, yes, that you can do. You know, AV vendors have some hooks they could use, but nothing like the degree of low-level access that is really necessary to monitor the behavior of things that are trying to use Windows. So it's going to be.

47:24
I mean, it's an interesting dance, and of course Microsoft is marketing the crap out of their own solution, you know, Windows Defender for Enterprise and everything, because it's like, well, if you just used ours, you wouldn't have had a problem. It's like, right, nor would we have had the functionality. You know, we heard from many users who are using CrowdStrike who said this thing saved our bacon a number of times. So, yeah, we weren't happy that we all had to get up at 1 am in the morning and work all day and lost a day of productivity, but, you know, we're sticking with them. So, anyway, it is.

48:01
It is certainly the case, and we expected, right, that Microsoft would be holding a meeting with the vendors and say, okay, what do we do about this? And of course, Microsoft had some responsibility too. Many people were saying, why didn't Windows, like safe boot, fix this? Why wasn't it possible to identify the source of the trouble and then say, okay, well, we're going to bring you back up, but you're not going to have your EDR solution enabled until you, you know, roll it back somehow. So Microsoft's resilience, the core Windows resilience, could have been much higher than it actually turned out to be. So, yeah, lots of things for everybody to fix.

48:48
I just want to note in passing that Yelp has filed an antitrust lawsuit against Google. It seems, Leo, that Google has reached the size that Microsoft once did back in those days, and, you know, their behavior is being viewed as a little aggressive by an increasing number of entities. In this case, Yelp is alleging that Google has a monopoly over the search market, no surprise there, which it is abusing to promote its own review business, Yelp of course being a famous review site.

49:28 - Leo Laporte (Host)
Yelp's been, by the way, whining about this for decades. They went to the EU. That's one of the reasons the EU investigated Google in the first place. So, it's nothing new. It's interesting they're taking a direct approach now.

49:39 - Steve Gibson (Host)
Yes, and it's certainly true that, as we know, controlling search is an incredibly powerful place to be. Right? You know, we view the Internet through what our chosen search engine reveals to us. And I've spoken of her before, my wonderful Luddite realtor friend, who thought that Google was the internet. She didn't understand, when she went to the Google, that it wasn't the internet.

50:10 - Leo Laporte (Host)
Yeah, it's like, that's. She was actually more insightful than we might realize.

50:16 - Steve Gibson (Host)
I tried. Oh no, Judy, that's not the way. Just go away, Steve. I know what I'm doing.

50:21 - Leo Laporte (Host)
How do I find it if it's not on Google? That's right. Doesn't exist.

50:25 - Steve Gibson (Host)
Good luck. So anyway, of course, there's a reason why SEO, search engine optimization, is a booming business, because it matters whether you're on the first page of Google's results or the second, or wherever. Okay, so everyone seems to be piling on Telegram this week, and it's not as if they probably don't deserve more attention.

50:48
And in today's internet threat landscape, you know, that's what's going to happen on any large unmoderated social network. It's called DDoS as a Service, so add the S-A-A-S on the end, DDoS as a Service. In a posting last Thursday titled DDoS as a Service: The Dominating Phenomenon on Telegram, Jacob Abram wrote. He said in today's digital landscape, distributed denial of service attacks have become one of the most powerful tools in a cybercriminal's arsenal. Platforms, DDoS-for-Hire services and Botnet-for-Hire networks can disrupt online services, extort businesses and even advance political agendas. At falconfeeds.io, our latest research reveals a staggering 3,529 DDoS incidents occurred in Europe during just the first half of 2024, making up 60% of the total cyber attacks we analyzed.

52:29
The rise of DDoS as a service on platforms like Telegram is a significant contributor to this alarming trend. Telegram has emerged as a hotbed for cybercriminals looking to offer DDoS as a service. On various Telegram channels and groups, vendors openly advertise a range of DDoS attack services at different price points, making it alarmingly easy for even those with minimal technical expertise to hire a DDoS attack. Telegram's encryption and anonymity features create an ideal environment for these illegal activities to flourish unchecked. Our research, they wrote, has identified over 140 Telegram channels and groups actively offering these services, with 80% of them being currently active and trading these services primarily through cryptocurrencies.

53:29
This trend underscores the growing accessibility and anonymity of DDoS attacks, posing a significant threat to businesses and individuals alike. So-called basic attacks are available for as little as $10 per month, and the power and cost scale upward, with more sophisticated attacks, being prolonged and with high intensity, costing as much as thousands of dollars. Price lists are often displayed on Telegram channels, with discounts available for repeat customers or bulk orders. Oh my God. This availability and accessibility has turned DDoS into a commodity available to anyone willing to pay. And again, where are these services to be found?

54:20 - Leo Laporte (Host)
On Telegram. Okay, you no longer even need the dark web. Read that whole news story again, replacing Telegram with the internet and channels with web pages. It's the same story, so I don't understand what the point is. Yeah, you can also get all of that stuff on the internet. Getting rid of Telegram won't solve that problem.

54:46 - Steve Gibson (Host)
Well, I'm not aware of any website that you just go to on the internet.

54:50 - Leo Laporte (Host)
Oh, we've shown them.

54:52 - Steve Gibson (Host)
Well, that's the dark web, which is very difficult to get to. You have to have Tor, you've got to have onion addresses.

55:00 - Leo Laporte (Host)
So it's making this so easy that that's the problem.

55:03 - Steve Gibson (Host)
Yes, and, as we know, ease of access really changes the whole threat landscape.

55:10 - Leo Laporte (Host)
We'd like to keep attacks away from the unwashed masses. We only want people who know what they're doing to attack.

55:18 - Steve Gibson (Host)
$10, Leo. The bar of entry is really low.

55:20 - Leo Laporte (Host)
It's pretty easy, yeah, yeah.

55:23 - Steve Gibson (Host)
Okay. So last Wednesday, google announced that it would be increasing, in some cases by as much as a factor of five, the reward bounties it would be offering for the responsible disclosure and discovery and then disclosure you know, reporting to them privately of Chrome exploits due to the increased difficulty which is good news for everyone of exploiting Chrome. So that's all good news for the world's number one web browser. So that's all good news for the world's number one web browser. Google said they wrote time flies. Believe it or not, chrome browser turns 16 this year, which means you and I have been doing this podcast really old, longer than Chrome has been around.

56:15 - Leo Laporte (Host)
We were three years into this before Chrome happened. I should go back and find that episode where you do the story: and now Google has announced it's going to release its own browser.

56:23 - Steve Gibson (Host)
That would be interesting. Yeah, I mean, remember we were talking about IE6. That's true. Back at the beginning, you know. That's a good point. And like Firefox 4 or something. We're almost as old as Google itself.

56:36 - Leo Laporte (Host)
To be honest, we've been around a while.

56:40 - Steve Gibson (Host)
I do remember when a friend of mine said, hey, because we were all using AltaVista, that was the best search engine that there was then. And he said, hey, some Stanford guys came up with something. Check this out. It's got a strange name, it's Google. It's like what.

56:56 - Leo Laporte (Host)
I remember when Dvorak would use that as a litmus test to see if you were really a geek. He would say, what search engine do you use? And if you said Excite or AltaVista or Yahoo, or something, he'd go. If you said Google, he'd go. It doesn't work anymore.

57:12 - Steve Gibson (Host)
No, no, no, my realtor is using Google.

57:16 - Leo Laporte (Host)
So it's the internet, that's right.

57:18 - Steve Gibson (Host)
Okay, so. So 16 years old, and their VRP, which is their vulnerability rewards program, to their credit, is turning 14. So it only took them two years. Google was two years old when they decided, you know, we should start rewarding people for finding vulnerabilities in Chrome. So that's good. Google posted.

57:42
As Chrome has matured over these years, finding the most impactful and exploitable bugs has become more challenging. At the same time, new features are frequently introduced into Chrome that may result in new issues, which we also want to encourage being reported. Therefore, it is time to evolve the Chrome VRP rewards and amounts to provide an improved structure and clearer expectations for security researchers reporting bugs to us, and to incentivize high-quality reporting and deeper research for Chrome vulnerabilities, exploring them to their full impact and exploitability potential. In this blog post, we'll explain how we've moved away from a single table of reward amounts for non-mitigated bugs and separated out memory corruption issues from other classes of vulnerabilities. This will allow us to better incentivize more impactful research in each area and also reward for higher quality and more impactful reporting. Now I should mention that, reading between the lines, what they're sort of saying is, we're willing to pay if you're willing to do more work after you find a problem. In other words, a lot of people have been saying, hey look, I made Chrome crash, pay out. And now Google is saying, well, okay, if you just make a crash, this is how much you get. But if you're willing to go deeper and do more of our work for us post-crash, then we're willing to make it worth your time. And that makes sense to me. I mean, that's good, because wait till you hear what you can earn if you go all the way here.

59:42
So they wrote, we've remodeled our reward structure for memory corruption vulnerabilities into the following categories. First, with demonstration of remote code execution, they said, a report clearly demonstrates remote code execution, such as through a functional exploit. And that's the big money. Second, high-quality report demonstrating controlled write, where a report clearly demonstrates attacker-controlled writing of arbitrary locations in memory. Third, high-quality report of memory corruption: a report of demonstrated memory corruption in Chrome that consists of all the characteristics of a high-quality report. And finally, baseline, their minimum, they said, is a report consisting of a stack trace and proof of concept displaying evidence that memory corruption is triggerable and reachable in Chrome. So, right, different levels, you know, different bar settings that they're asking you to jump over. And they said, while the reward amounts for baseline reports of memory corruption will remain consistent, we have increased reward amounts in the other categories, meaning where you're willing to go do more work and give us more, with the goal of incentivizing deeper research into the full consequences of a given issue. The highest potential reward amount for a single issue is now $250,000, a quarter million dollars.

01:01:31 - Leo Laporte (Host)
That's enough to live on for a few months.

01:01:33 - Steve Gibson (Host)
Yes, it is, for a demonstrated remote code execution in a non-sandboxed process. If the RCE in a non-sandboxed process can be achieved without a renderer compromise, it is eligible for an even higher reward, to include the renderer RCE reward. So you can get them both. So I've got a link in the show notes. I'm not going to go into any finer detail here, but anyone who's interested in more detail can follow the link. It's to Google's Bug Hunters posting, and I think it's a good move and good news that, since Chrome is becoming more difficult to exploit, the payouts are increasing, you know, commensurately.

01:02:26
This may also be the first time, and I really give them credit for this, Leo, the first time I've ever, anywhere, seen a software publisher actually say, they wrote this, quote, at the same time, new features are frequently introduced into Chrome that may result in new issues, which we also want to encourage being reported. Anyway, you know, anyone who's been following this podcast for more than a few months will think, yeah, of course, but we talk about this all the time, like Microsoft won't leave Windows alone, so they're never getting the bugs fixed. They're introducing as many every month as they're fixing, so it's just rolling forward.

01:03:13
But for them to admit it is a pretty big deal.

01:03:15
Yes, who's ever actually heard any publisher say that? So props to Google for that. Yeah, okay, yikes. Believe it or not, Leo, when I encountered this next bit of news, I thought I was experiencing deja vu. The summary was titled CMG's Active Listening, and it read: after media companies and device vendors spent a decade telling customers that microphones baked into their devices are not secretly recording audio, a leaked pitch deck from the Cox Media Group, CMG, is advertising a new service that can show ads to users based on what they've said near microphones. Google kicked CMG from its advertising platform after 404 Media acquired the slide deck and then asked Google to comment. Okay, now, when I read that, it was ringing some bells. I went to GRC's Security Now page and entered Cox Media Group into the search bar in the upper right of all of GRC's pages. The first link and summary that appeared was from our podcast number 970, I'm sorry, 953. That was the last podcast of last year, dated December 21st of 2023, and that podcast was titled Active Listening.

01:05:03
After the news of what CMG was reportedly doing and bragging about on their own webpage, which had the URL ending in active-listening and overview, they took down the page, but not before the Internet Archive spiders found and archived the page. And that was GRC's shortcut of the week, which is still pointing to the page in question: grc.sc/953. And it's still every bit as unnerving as it was nine months ago. The page starts out saying: imagine a world where you can read minds. One where you know the second someone in your area is concerned about mold in their closet. Where you have access to a list of leads who are unhappy with their current contractor, or who know who's struggling to pick the perfect fine dining restaurant to propose to their discerning future fiancé. This is a world where no pre-purchase murmurs go unanalyzed and the whispers of consumers become a tool for you to target, retarget and conquer your local market. It's not a far-off fantasy. It's active listening technology, and it enables you to unlock unmatched advertising efficiency today, so you can boast a bigger bottom line tomorrow. Do we need a bigger vehicle? I feel like my lawyer is screwing me. It's time for us to get serious about buying a house. No matter what they're saying, now you can know and act. And lower down, under the How We Do It, they say: whether you're a scrappy startup or a Fortune 500, active listening makes the unreachable

01:07:10
in reach. CMG can customize your campaign to listen for any keywords and targets relevant to your business. Here's how we do it. We flesh out comprehensive buyer personas by uploading past client data into the platform. We identify top-performing keywords relative to the type of customer you're looking for. We set up tracking via pixels placed on your site so we can track your ROI in real time. AI lets us know when and what to tune into. Our technology detects relevant conversations via smartphones, smart TVs and other devices. As qualified consumers are detected, a 360 analysis via AI on past behaviors of each potential customer occurs.

01:08:10
With the audience information gathered, an encrypted evergreen audience list is created. We use the list to target your advertising via many different platforms and tactics, including streaming TV/OTT, streaming audio, display ads, paid social media, YouTube, Google/Bing search, pay-per-click. Our technology provides a process that makes it possible to know exactly when someone is in the market for your services in real time, giving you a significant advantage over your competitors. Territories are available in 10 or 20 mile radiuses, but customizations can be made for regional, state and national coverage. And then in their own FAQ, incredibly, they actually ask and answer.

01:09:49
Question: Is active listening legal? Answer: We know what you're thinking. Is this even legal? The multi-page terms of use agreement? Somewhere in the fine print, active listening is often included.

01:09:53
Unbelievable. Question: how does active listening technology work? Answer: our technology is on the cutting edge of voice data processing. We can identify buyers based on casual conversations in real time. It may seem like black magic, but it's not. It's AI. The growing ability to access microphone data on devices like smartphones and tablets enables our technology partner to aggregate and analyze voice data during pre-purchase conversations. What put this back on our radar from nine months ago is that 404 Media, that same group that had previously reported on CMG's webpage, which was then quickly taken down, obtained the marketing pitch deck that is still, nine months later, being sent by CMG to prospective companies. 404 Media forwarded the deck to Google, who then reportedly kicked CMG off its partner program in response. That, of course, was the right thing for Google to do. But how is it that a massive media group such as CMG is able to, with a straight face, say that consumers are permitting this, making it legal for them, because, quote, somewhere in the fine print, this permission is being given? Unbelievable, Leo.

01:11:30 - Leo Laporte (Host)
Yeah, I feel like, you know, when this story first broke almost a year ago, we talked about it. Oops, I don't know what that's doing there. Let's turn that off. That's our Discord doing their thing. We kind of thought, well, this is probably an overstatement on the part of Cox Media Group, you know, these guys are salesmen, saying, well, we know what people are talking about. Probably. I mean, do you think that Amazon is sending the contents of Echo texts to CMG?

01:12:11 - Steve Gibson (Host)
I don't think so. Now we know that Amazon responds to keywords, I mean, at least the enable keyword. Maybe it's responding to a broader range of specific phrases, I don't know. I don't know either.

01:12:29 - Leo Laporte (Host)
But I think it's completely possible to say that these guys are just salespeople overselling what they know, because I've yet to see evidence that they actually, I mean, yeah, they probably could get stuff from smart TVs. I doubt there's much Samsung won't sell, but I can't imagine that Amazon or Apple or Google are selling. How is Apple?

01:12:55 - Steve Gibson (Host)
No, there's just no. I mean, maybe Android devices with some app that has been installed and asked for permission to access your microphone. Yeah, but you know when the microphone's accessed, because the light lights up.

01:13:08 - Leo Laporte (Host)
Well, yeah, I mean, we all know we're carrying microphones around, but it's kind of an unwritten law that you don't record everything and then send it to marketers. If they get caught doing that, you know that those companies are going to be. Well, and they're bragging about doing it.

01:13:26 - Steve Gibson (Host)
So, like, how? Like, I don't know.

01:13:29 - Leo Laporte (Host)
I mean, I honestly think this is Cox Media Group overhyping their capabilities in order to make sales.

01:13:38 - Steve Gibson (Host)
That's what I think. And maybe they're not vulnerable to being held accountable because they're not actually doing it. So if someone says, like, hey, well, you know, what is this? It's like, oh well, we're not really doing that, we're just telling people we are. Well, and maybe there are.

01:13:54 - Leo Laporte (Host)
I mean, maybe there are a few devices that they are doing that with, but they're not doing it with the phone in your pocket, they're not doing it with your voice assistant, I'm pretty sure. I mean, if they are, that's a huge scandal. But I think it's much more likely that Cox Media Group's lying, to be honest with you. Not lying, overstating their capabilities. How about that? Yes, embellishing. Embellishing. I mean, what salesperson ever embellishes?

01:14:24 - Steve Gibson (Host)
No, who's ever heard of that? Nobody I know.

01:14:27 - Leo Laporte (Host)
Would you like me to take a little break here, sir?

01:14:28 - Steve Gibson (Host)
Yes, sir, that would be good. I'm going to embellish my coffee.

01:14:35 - Leo Laporte (Host)
That's why everybody hates salespeople, right? Lisa, who does all of our ad sales, is very quick to say, I am not a salesperson. We're here to help you with your marketing. We're not salespeople. And one of the things I think I'm very proud of is that we pick partners that are good companies with great products. So it's easy. It's not a sales job, it's just we tell you about it, we introduce them to you and you get to decide, like our sponsor for this segment of Security Now, Vanta.

01:15:06
You probably know Vanta. Whether you're starting or scaling your company's security program, you know that compliance is like job one. Demonstrating top-notch security practices, right, and establishing trust with your customers is more important than ever. Customers are going, well, you just heard it in that story, is Amazon listening to me?

01:15:26
This is why compliance has become a very big deal. Of course, it's also the regulatory environment. Vanta automates compliance for SOC 2, ISO 27001 and more, saving you time and money and, of course, helping you build customer trust. Now, with Vanta, you can streamline security reviews by automating questionnaires, demonstrating your security posture with a really nicely designed customer-facing trust center, and it's all powered by Vanta AI, which makes it easier for you. Over 7,000 global companies use Vanta. Atlassian, Flo Health, Quora, they all use Vanta to manage risk and prove security in real time. Maybe you should be using Vanta. Get $1,000 off Vanta when you go to vanta.com/securitynow. That's V-A-N-T-A, vanta.com/securitynow, $1,000 off if you sign up right now. We thank Vanta so much for supporting the good work Steve does here, and we thank you for supporting it by going to that website, vanta.com/securitynow. Thank you, Vanta. All right, Steve, you're back.

01:16:36 - Steve Gibson (Host)
You're on. Okay, so last week's serious propeller cap, pure computer science nerd fest episode was every bit as much of a hit as I hoped it might be. You know, it's fun thinking about new things, especially for this audience. But I wanted to take a moment to acknowledge some of the feedback I received from a number of our more technical listeners, who correctly observed that the three layers of Bloom filtering I described last week could not always be guaranteed to be sufficient. Those observations were correct. My goal was to clearly establish the concepts involved, to talk about Bloom filter applications where the filter's inherent tendency to produce false positives would and would not represent any trouble, and then, in cases where no false positives could be tolerated, to introduce the idea of successive layers of Bloom filters, where the next successive layer of the cascade would capture and be trained on the set of false positives which had been generated by the previous layer. So those who noted that the third layer might also produce some false positives were 100% correct. A fully realized implementation of this system actually takes the form of a variable-depth cascade, where successively smaller layers continue to be added and trained until no misbehavior is observed when the entire corpus of unexpired certificates is fed down through the entire cascade. Eventually, there will be nothing to train the next layer on, since not a single false positive will have managed to make its way all the way down through the cascade. And I guess, you know, in retrospect I could have explained that last week, but as it was, I felt like it was already a lot for our listeners to take in.
And also, for the record, I used one megabit as the number of bits in the first Bloom filter level, which would be addressed by 20 bits taken from any candidate certificate's hash, purely for the sake of illustration, since that made it much easier to describe and visualize. The actual size of the first filter and of each successive filter, as well as the number of Bloom layer bits that will be set by the addition of each certificate, are all well understood and are determined by a bunch of very fancy math. But, you know, that was technically irrelevant to our understanding of the overall concept of probabilistic Bloom filtering, and getting that across was the goal of last week's episode. So anyway, definitely big props to our listeners who said, Steve, you do realize that three layers might not always do the job. Right, and you know.

01:19:57
Speaking of listeners and their feedback, I got an interesting piece of feedback. We were talking a couple of weeks ago about the security company who discovered that they had inadvertently hired an actively hostile employee based in North Korea who'd gone to extreme measures to spoof their identity and set up a fake domestic operating location. What happened to one of our listeners is a little different, but I think it's just worth sharing. He wrote: Hi, Steve, I was interested in the story from SN985 about North Korean hackers posing as US workers and getting hired by American tech companies. I'm currently between jobs, and I got an email from someone claiming to be from Malaysia who found my profile on a job board. This person is proposing a, and he has it in air quotes, "collaboration," wherein I get hired for a remote American tech job. Then he impersonates me and does all the work. I send 85% of the paycheck to him, pocketing the other 15% for myself. He said, I don't think anyone's ever approached me to ask for my participation in something so blatantly illegal before, though, if I'm being honest, I was momentarily tempted, since it would be easy money for me and he'd still be making more this way than he could working in his own country. Sounds like a win-win, apart from the whole fraud thing and serious criminal and reputational liability for me. He said, anyway,

01:21:48
I never responded to the messages, so I can only speculate, but I wonder if this is actually how the situation with KnowBe4 happened. I have no reason to believe the sender of the email used his real name or that he's based in Malaysia. It might be more plausible that this message is part of the sort of large campaign that uses an IT mule laptop farm, as described in the story. His Gmail address is generic and formulaic enough that I suspect there are many other identities being controlled by the same party. The message itself is so carefully wordsmithed that it doesn't strike me as a personal note from a fellow dev. I also received a follow-up message a week later, which felt more automated than not. He said, regardless, I thought you might be interested to see it, since the public reads about the aftermath of these stories, but their onset usually happens behind closed doors. Forwarding the full message here in case you'd like to read it on air. Thanks, signed Parker. Okay, so interesting and intriguing indeed.

01:23:01
Here's the solicitation email that Parker received. The subject was "Open to a collaboration," and it says: Hi, Parker, I hope you're doing well and don't mind me reaching out. I'm Lucas, a full stack developer from Malaysia. I found your profile on, and this was on usebraincom slash talent, he said, and wanted to propose a collaboration. I don't currently have any projects that need your help, but our collaboration could be either technical or non-technical. For the non-technical aspect, I'd like your help with entrepreneurial factors for my development work. If we end up getting jobs together and working on them, it would be a technical collaboration.

01:23:54
To keep it short, I'm looking to get well-paid jobs with companies or clients in the US. While this is feasible from Malaysia, they tend to prefer hiring developers from similar time zones. Unfortunately, I'm in GMT+8, while the United States is in PT to ET. Especially for full-time jobs at companies, they typically don't hire developers outside of the US, so I believe the best way to get US jobs is to impersonate someone who resides in the US. It might sound risky, but it won't be risky as long as we keep this 100% confidential. Besides, I don't mean that I want your identity information. He says, have you heard of Upwork.com or Toptal? They're the largest freelancing job markets in the world, where most individual clients in the US look for developers for their projects. There's no easy way to get well-paid jobs, and Upwork or Toptal has a lot of competitive freelancers. However, I'm very confident that I can get great jobs to make decent money.

01:25:17
Here's how it would work. First, you open an Upwork or Toptal account and log into it on your secondary laptop. I connect to your secondary laptop via the AnyDesk app and I search for jobs. You receive money into your bank account once I finish jobs with clients; you take your commission and send me the remaining. This would be a non-technical collaboration, and I would suggest a split of 15 to 20% for you and 80 to 85% for me. For full-time jobs at US companies, which obviously makes us way more money than freelancing jobs, I would apply for jobs on LinkedIn and you would crack the interviews. However, I'd say this is the advanced step of a collaboration, which should be based on a strong foundation of trust between us. Here's how that would work: I apply for company jobs on LinkedIn using your LinkedIn account and get you scheduled with interviews. You crack the interviews and get job offers. I perform day-to-day work on those jobs while you attend the Scrum meetings. He says, parens, I can join the meetings if team members usually turn off their cameras.

01:26:39 - Leo Laporte (Host)
If you've ever done Scrum, that's more work than doing the coding. Exactly. I would want more money for that.

01:26:46 - Steve Gibson (Host)
Yeah, I had the same thought, Leo. And finally he says, you get paid into your bank account bi-weekly or monthly and you send me my portion after deducting your commission. This will be a mixture of technical and non-technical collaboration, and I would suggest a split of 20% to 25% for you, 75% to 80% for me. Please reply to this email if you want to schedule a call to discuss this further or if you have any other opinion for the collaboration. Best, Lucas.

01:27:17 - Leo Laporte (Host)
It feels like it could be real. I mean, I'm sure there is a group of people in other countries, like Malaysia, who can't get work.

01:27:25 - Steve Gibson (Host)
I imagine it. But I'll tell you, Leo, my own credibility filter snapped on when I read a sentence like, quote, "For full-time jobs at US companies, comma, which obviously makes us way more money than freelancing jobs, comma, I would apply for jobs on LinkedIn and you would crack the interviews." That sentence, and the rest of the note for that matter, does not strike me as having been written by a non-native English speaker. You know, maybe it was AI-generated, okay, but in any case Parker's sense of right and wrong kept him from responding. Since this problem of North Korean infiltrators worming their way into Western jobs is clearly very real, with a solicitation as slick and polished as this, it occurred to me that this might have been some sort of sting operation designed to catch Westerners who would be willing to expose their employers to potential hostile exploitation.

01:28:28 - Leo Laporte (Host)
Right. Actually, in Malaysia many of them speak English, and they speak a British English, so "crack" actually might have been exactly how he would have said it. So yeah, but I don't, you know, I mean I wouldn't. If I were Parker, I would not respond, of course.

01:28:44 - Steve Gibson (Host)
Right. Well, and this whole, you know, set up a secondary laptop and then he'll log into the laptop, which means he'll have a domestic IP address and is looping through the laptop from wherever. Yeah.

01:29:01 - Leo Laporte (Host)
Yeah, the one thing I would have liked him to do is take the call and just see who's on the other side. Right, yeah?

01:29:09 - Steve Gibson (Host)
But, like, how it goes, sort of explore it further. Yeah, but if it were me, I would.

01:29:15 - Leo Laporte (Host)
I would do well, no, no, no, I mean it just feels.

01:29:17 - Steve Gibson (Host)
It feels sketchy, you know, to say the least.

01:29:20 - Leo Laporte (Host)
Wow, what an interesting email.

01:29:23 - Steve Gibson (Host)
Okay, so we're going to talk about Matthew Green's take on Telegram. Maybe we ought to go a ways before we take our last break.

01:29:36 - Leo Laporte (Host)
Sure, we just took one, okay, yeah, it's up to you.

01:29:39 - Steve Gibson (Host)
So we'll get sort of halfway in and then we'll take our last break. Okay. So Matthew wrote, this blog is reserved for more serious things, right? And, like, he's normally talking about the details of subtle problems found in post-quantum hashing algorithms and things. I mean, you know, Matthew isn't bothering to talk about, you know, abuse of commercial messaging.

01:30:09 - Leo Laporte (Host)
He's kind of the king of cryptographers from Johns Hopkins. I mean, this guy is very, very he's the guy. If he says it, I believe it. I guess is the bottom line.

01:30:17 - Steve Gibson (Host)
He knows what he's talking about.

01:30:19 - Leo Laporte (Host)
He knows what he's talking about. Yeah.

01:30:20 - Steve Gibson (Host)
So he says, this blog is reserved for more serious things, and ordinarily I wouldn't spend time on questions like the above, because his blog post is titled "Is Telegram an Encrypted App?" He says, but as much as I'd like to spend my time writing about exciting topics, sometimes the world requires a bit of what Brad DeLong calls intellectual garbage pickup, namely correcting wrong, or mostly wrong, ideas that spread unchecked across the internet. This post is inspired by the recent and concerning news that Telegram CEO Pavel Durov has been arrested by French authorities for its failure to sufficiently moderate content. While I don't know the details, the use of criminal charges to coerce social media companies is a pretty worrying escalation, and I hope there's more to the story. But this arrest is not what I want to talk about today. What I do want to talk about is one specific detail of the reporting, specifically the fact that nearly every news report about the arrest refers to Telegram as an, quote, "encrypted messaging app," unquote. This phrase, Matthew writes, drives me nuts, because in a very limited technical sense it's not wrong. Yet in every sense that matters, it fundamentally misrepresents what Telegram is and how it works in practice, and this misrepresentation is bad for both journalists and particularly for Telegram's users, many of whom could be badly hurt as a result.

01:32:15
So does Telegram have encryption or doesn't it? Many systems use encryption, he writes, in some way or another. However, when we talk about encryption in the context of modern private messaging services, the word typically has a very specific meaning. It refers to the use of default end-to-end encryption to protect users' message content. When used in an industry standard way, this feature ensures that every message will be encrypted; your messages will only be readable by the folks you intend to speak with. If the operator of a messaging service tries to review the content of your messages, all they'll see is useless, encrypted junk. That same guarantee holds for anyone who might hack into the provider's servers and also, for better or for worse, to law enforcement agencies that serve providers with a subpoena. Telegram clearly fails to meet this stronger definition for a simple reason: it does not end-to-end encrypt conversations by default.

01:33:55
If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called Secret Chats for every single private conversation you want to have. It is therefore not used for the majority of conversations, and it is only available for one-on-one conversations and never for group chats with more than two people in them. As a kind of weird bonus, he says, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do. For one thing, the button that activates Telegram's encryption feature is not visible from the main conversation pane or from the home screen. To find it in the iOS app, he says, I had to click at least four times: once to access the user's profile, once to make a hidden menu pop up showing me the options, and a final time to confirm that I wanted to use encryption. And even after this, I was not able to actually have an encrypted conversation, since Secret Chats only works if your conversation partner happens to be online when you do this. Compare that with the experience of starting a new encrypted chat in an industry standard modern messaging application, which simply requires you to open a new chat window. Okay, now I need to interrupt for a moment to clarify and explain something that's probably not clear.

01:36:07
There's a world of difference between a messaging app providing true end-to-end encryption and merely having encrypted communications. Matthew doesn't bother to draw attention to this distinction because he lives in the world of encryption, where the phrase end-to-end encryption has a very specific meaning. But it's easy to miss this important distinction. The reason iMessage imposes a 32-member limit on group messaging, which I mentioned earlier, and Signal and WhatsApp both impose around 1K limits, is that these services, which Matthew describes as industry standard modern messaging applications, are all actually encrypting every party's message end-to-end individually to every other party. Telegram is incapable of doing this, ever. It has no ability to do this under any circumstances. So, while it's true that Telegram's individual connections are always encrypted, it's only when two, and only two, parties are simultaneously online and Telegram's users opt to enable end-to-end encryption for that single two-party dialogue that any truly unobservable conversation ever takes place over Telegram. All larger group chats are being decrypted by Telegram's servers for re-encryption and sending to other Telegram users. Remember that Matt mentioned that industry standard modern messaging applications never get the keys that are being used by end users to exchange messages. Telegram has all of the keys. So obviously this is a crucial distinction.

01:38:29
Okay, returning to Matthew's explanation. He says, while it may seem like I'm being picky, the difference in adoption between default end-to-end encryption and this experience, that is, you know, having to do four clicks and digging down in hidden menus and turning it on only when the other guy is online, he says, is likely very significant. The practical impact is that the vast majority of one-on-one Telegram conversations, and literally every single group chat, are visible on Telegram's servers, which can see and record the content of all messages sent between users. That may or may not be a problem for every Telegram user, but it's certainly not something we'd advertise as particularly well encrypted. He said, parens, if you're interested in the details, as well as a little bit of further criticism of Telegram's actual encryption protocols, I'll get into what we know about that further below. He says, so.

01:39:38
Does default encryption really matter? Maybe yes, maybe no. There are two different ways to think about this. One is that Telegram's lack of default encryption is just fine for many people. The reality is that many users don't choose Telegram for encrypted private messaging at all.

01:39:59 - Leo Laporte (Host)
For plenty of people, Telegram is used more like a social media network than a private messenger. And, by the way, we talked about this ages ago; that was exactly the conclusion we came to, right? Was that Telegram is fine, is encrypted enough, or it's not encrypted at all, but that's good enough. I think that was actually the phrase you said: good enough messaging. Right, yeah, right. So, people, as long as you know that and they don't advertise otherwise, that's fine. But unfortunately, they imply that it is encrypted.

01:40:31 - Steve Gibson (Host)
Yes, and even to the point where Pavel... I don't think I have it in the show notes, but Pavel has actively attacked Signal and WhatsApp, deriding their encryption.

01:40:44 - Leo Laporte (Host)
He says? He says, oh, the government has back doors to those guys. Well, the government doesn't need a back door, it's Signal. Jeez, Louise.

01:40:53 - Steve Gibson (Host)
Yeah, so, um, he said, um, uh, Telegram also support... oh, I'm sorry. He was talking about how they use it as a social media platform, uh, network, yeah, more than a private messenger. And he said, getting more specific, Telegram has two popular features that make it ideal for this use case. One of those is the ability to create and subscribe to channels, each of which works like a broadcast network, where one person or a small number of people can push content out to millions of readers. When you're broadcasting messages to thousands of strangers in public, maintaining the secrecy of your chat content isn't important, he says. Telegram also supports large group chats that could include thousands of users. These groups can be made open for the general public to join or they can be set up as invite-only. He said, while I've never personally wanted to share a group chat with thousands of people, I'm told that many people enjoy this feature. In the large and public instantiation,

01:42:10
it also doesn't really matter that Telegram group chats are unencrypted. After all, who cares about confidentiality if you're talking in the public square? He says, but Telegram is not limited to just those features, and many users who join for them will also do other things. Imagine you're in a public square having a group conversation. In that setting, there may be no expectation of strong privacy, and so end-to-end encryption doesn't really matter to you. But let's say that you and five friends step out of the square to have a side conversation. Does that conversation deserve strong privacy? It doesn't really matter what you want, because Telegram won't provide it, at least not with encryption that protects you from sharing your content with Telegram's servers. Similarly, imagine you use Telegram for its social media-like features, meaning that you mainly consume content rather than producing it. But one day your friend, who also uses Telegram for similar reasons, notices you're on the platform and decides she wants to send you a private message. Are you concerned about privacy now? And are you each going to manually turn on the Secret Chat feature, even though it requires four explicit clicks through hidden menus, and even though it will prevent you from communicating immediately if one of you is offline?

01:43:43
My strong suspicion, he writes, is that many people who join Telegram for its social media features also end up using it to communicate privately, and I think Telegram knows this and tends to advertise itself as a secure messenger and talk about the platform's encryption features precisely because they know it makes people feel more comfortable. But in practice, I also suspect that very few of those users are actually using Telegram's encryption. Many of those users may not even realize they have to turn encryption on manually and think they're already using it. And this brings me to my next point. Telegram knows its encryption is difficult to turn on, and they continue to promote their product as a secure messenger.

01:44:36
Telegram's encryption has been subject to heavy criticism since at least 2016, and possibly earlier, for many of the reasons I outlined in this post. In fact, many of these criticisms were made by experts, including myself, in years-old conversations with Pavel Durov on Twitter. And, Leo, I'm going to inject something next, but let's take our final break, and then we're going to get into what Matthew thinks about the actual technology that Telegram has deployed.

01:45:11 - Leo Laporte (Host)
Stay tuned for Steve's injection. But first, a word from our sponsor, DeleteMe. Oh man, we are so glad we used DeleteMe after that big NPD breach you talked about last week. Holy camoly, if you've ever searched for your name online and didn't like what you saw, well, join the club. I don't recommend it. It's eye-opening and it's depressing.

01:45:44
Maintaining privacy is not just a personal concern. It's a concern for your business, especially for your managers, your C-suite. We had to use DeleteMe for Lisa. We wanted to, because Lisa's personal information was being used to spear-phish our employees, their personal information too. But with DeleteMe, it's all gone, and DeleteMe even has a family plan, so you can ensure everyone in the family feels safe online. DeleteMe helps reduce the risk from identity theft, from cybersecurity threats, from harassment, spear phishing. It really made a big difference for us, and I think every business needs DeleteMe, at least for their management, because, you know, that information just empowers a bad guy to go after you. DeleteMe's experts, when you sign up, will find and remove your information from hundreds of data brokers like NPD. There are hundreds out there, and there's more every day, sad to say, because it's a very lucrative business and it's absolutely legal. With DeleteMe, you can assign a unique data sheet to each family member that's tailored to them, because you may say, well, the Instagram is fine, but we want to know what's going on in Facebook, things like that. With easy-to-use controls, the account owner can manage privacy settings for the whole family.

01:47:01
Now, once you sign up for DeleteMe and that first removal happens, and this is really important, because, you know, the law requires these data brokers to have a form that says remove my data. And if you knew all, you know, 400 of them and you could go to each one individually, you could do that. The problem is they start repopulating it immediately. DeleteMe continues. First of all, not only do they know who to go to and remove all that stuff to begin with, they continue to scan and remove your information regularly, and that's really, really important. That's why you pay for DeleteMe, frankly. I mean, we're talking things... Don't do this, but if you searched online for your name, you'd find addresses, photos, emails, relatives, phone numbers, social media, property value, and, if you were in the NPD breach, and I think everybody in the United States was, social security numbers too. This is terrible. Protect yourself, reclaim your privacy.

01:47:58
Visit joindeleteme.com/twit. If you use the offer code TWIT, you'll get 20% off. That's joindeleteme.com/twit. The offer code TWIT gets you 20% off. It's a shame we have to do this, but until Congress bans these data brokers, this is just something we're going to have to live with. Fortunately, at least we can do this: joindeleteme.com. You don't really have to live with it. Okay, Steve, time for my injection.

01:48:32 - Steve Gibson (Host)
Okay, it was an interjection, but yes, not an injection. I'm going to interject here.

01:48:40
Okay, to note that back in the morning of March 29th, 2015, after Matthew first sat down to take a serious, long look at Telegram's encryption protocol and its system, his tweet linked to Telegram's page, I've got the link in the show notes for anyone who's interested, and the Telegram page is titled "Creating an Authorization Key." So he tweets the link and then he says, like, seriously, what the F is even going on here? Okay, so this is a top cryptographer who understands this stuff, who looks at Telegram's technical document on creating an authorization key and is scratching his head. Okay, so he writes, although the interaction with Durov, now he's speaking of the interactions that the security community, including himself, had sometime later, actually in 2016, the next year, he said, although the interaction with Durov could sometimes be harsh, I still mostly assumed good faith from Telegram back in those days. I believed that Telegram was busy growing their network and that, in time, they would improve the quality and usability of the platform's end-to-end encryption. And remember, when he says that, he means exactly that, end-to-end, which is to say that the platform never has the keys. Only the endpoints know the keys that are being used to encrypt and decrypt their conversation. That's the key. Telegram only offers that if you jump through hoops, and it's never on by default. There is no "on," so, because of, like, the hoops you have to jump through. So he said, I believed Telegram was busy growing their network and that, in time, they would improve the quality and usability of the platform's end-to-end encryption, for example by activating it as a default, or providing support for group chats, and making it possible to start encrypted chats with offline users. You know, those are all things we take for granted, right, in all the other state-of-the-art platforms. They all do all of that, he said.

01:51:20
I assumed that, while Telegram might be a follower rather than a leader, it would eventually reach feature parity with the encryption protocols offered by Signal and WhatsApp. Of course, a second possibility was that Telegram would abandon encryption entirely and just focus on being a social media platform. What's actually happened, he wrote, is a lot more confusing to me. Of course, he's being generous. He said, instead of improving the usability of Telegram's end-to-end encryption, the owners of Telegram have more or less kept their encryption user experience unchanged since 2016. While there have been a few upgrades to the underlying encryption algorithms used by the platform, the user-facing experience of Secret Chats in 2024 is almost identical to the one you'd have seen eight years ago. This despite the fact that the number of Telegram users has grown by seven to nine times during the same time period.

01:52:30
At the same time, Telegram CEO and sole owner Pavel Durov has continued to aggressively market Telegram as a secure messenger. Most recently, he issued a scathing, oh, I do have it in the show notes, a scathing criticism of Signal and WhatsApp on his personal Telegram channel, implying that those systems were backdoored by the US government and only Telegram's independent encryption protocols were really trustworthy. Well, you might argue the government couldn't understand them, so maybe. Anyway, he says,

01:53:07
While this might be a reasonable nerd argument if it was taking place between two platforms that both supported default end-to-end encryption, Telegram really has no legs to stand on in this particular discussion. Indeed, it no longer feels amusing to see the Telegram organization urging people away from default encrypted messengers while refusing to implement essential features that would widely encrypt their own users' messages. In fact, it's starting to feel a bit malicious. So what about the boring encryption details? Since this is a cryptography blog, I'd be remiss if I didn't spend at least a little bit of time on the boring encryption protocols. I'd also be missing a good opportunity to let my mouth gape open in amazement, which is pretty much what happens every time I look at the internals of Telegram's encryption. I'm going to handle this in one paragraph to reduce the pain, and you can feel free to skip past it if you're not interested. Okay, now I am going to interrupt Matthew again to note that he has laced his description, which I'm about to share, with asterisks. Each asterisk in the paragraph is a point where expert cryptographers would, in the context of something like a professional security audit, raise their hands and ask a lot of questions. Okay, so I'll just say the asterisks as I'm sharing this, and now you know that every time there's an asterisk, this is Matthew saying, uh, what? What? Okay, so he writes, according to what I think is the latest encryption spec, Telegram's Secret Chats feature is based on a custom protocol called MTProto 2.0.

01:55:20
This system uses 2048-bit, asterisk, finite-field Diffie-Hellman key agreement with group parameters, I think he says, chosen by the server, asterisk. Since the Diffie-Hellman protocol is only executed interactively, this is why Secret Chats cannot be set up when one user is offline, asterisk. MITM protection is handled by the end users, who must compare key fingerprints. There are some weird random nonces provided by the server which I don't fully understand the purpose of, asterisk, and that in the past used to actively make the key exchange totally insecure against a malicious server, but this has long since been fixed, asterisk. The resulting keys are then used to power, here it comes, the most amazing non-standard authenticated encryption mode ever invented, something called Infinite Garble Extension, IGE, based on AES and with SHA2 handling authentication, asterisk. You said Infinite Garble? Infinite...

01:56:50 - Leo Laporte (Host)
Infinite Garble Extension, IGE. I honestly, the more I've been thinking about this, the more I think this is actually malicious. That this is not ignorance. They know exactly what they're doing. Yeah, I think, yeah, and that's, that's...

01:57:07 - Steve Gibson (Host)
That is the point that Matthew's come to, is that they know what's going on. Pavel knows this is not actually encrypted, and I'm sure he's telling governments, oh, we can't get in, we can't moderate, this is all super secure. No. Anyway, so anyway, he says, Matthew says, I'm not going to go further than this. Suffice it to say that Telegram's encryption is unusual. And I loved it, he said, the most amazing nonstandard authenticated encryption mode ever invented, something called Infinite Garble Extension. Right. Anyway, he said, if you ask me to guess whether the protocol and implementation of Telegram Secret Chats is secure, I would say quite possibly. To be honest, though, it doesn't matter how secure something is if people are not actually using it. So he says, is there anything else to know? Yes, unfortunately, even though end-to-end encryption is one of the best tools we've developed to prevent data compromise, it is hardly the end of the story.

01:58:22
One of the biggest privacy problems in messaging is the availability of loads of metadata, essentially data about who uses the service, who they talk to and when they do that talking. That data is not typically protected by end-to-end encryption. Even in applications that are broadcast only, such as Telegram's channels, there's plenty of useful metadata available about who is listening to a broadcast. That information alone is valuable to people, as evidenced by the enormous amounts of money that traditional broadcasters spend to collect it. Right now, all of that information likely exists on Telegram's servers, where it's available to anyone who wants to collect it. I'm not specifically calling out Telegram for this, since the same problem exists with virtually every other social media network and private messenger, but it should be mentioned just to avoid leaving you with the conclusion that encryption is all we need.

01:59:32
Okay, so there are many useful, wonderful bits among what Matthew wrote. One is that, while Telegram's crypto is bizarre on its face, it's not obviously insecure, but neither has it ever been shown to be secure. Mostly, it's just bizarre. Or, as Matthew put it, what the F? The most important thing for Telegram's users to appreciate is that what Matthew referred to as today's industry standard encrypted messaging apps provide always-on end-to-end encryption by default, while extending that true end-to-end encryption no matter how many individuals are participating in chat groups. And, you know, Leo, I didn't think of this when I was putting this down on paper yesterday, but Telegram is actually riding on the coattails of the other messaging apps.

02:00:34 - Leo Laporte (Host)
Oh, we do it too. We're end-to-end, see.

02:00:37 - Steve Gibson (Host)
Yeah, because Apple and Signal and WhatsApp have established the idea that everything is secure, because they actually are. Telegram's just saying, yeah, we are too.

02:00:52 - Leo Laporte (Host)
Yeah, us too.

02:00:53 - Steve Gibson (Host)
Yeah, we do that. That's what messaging is. Not what they do, not what they do. Yep, not what they do. Yep. So also remember the last time we talked about iMessage and saw that not only had Apple implemented true multi-party end-to-end encrypted messaging, but that iMessage is also offering true forward secrecy by periodically and continuously rolling its conversation keys. iMessage and Signal offer technology that Telegram has never had and, as Matthew noted, shows no sign of obtaining or even wanting.

02:01:36
It's pretty clear they don't, they don't want it. Yeah, right. Well, and look, they've gone up by a factor of seven to nine. I mean, it's super popular. Why, why, and why complicate that with additional technology? It's like they don't need more encryption, they're able just to claim it. And, of course, Telegram's popularity may not really be about true security, right. It's more about subscribing to its channels with a weaker assumption that, well, things are secure here, only because Telegram also has the unearned reputation of being a secure messaging system. You know, they're unable to offer what the other guys offer with much smaller groups, and it's a benefit that Telegram is able to have these massive hundreds-of-thousands-subscriber broadcasts. They cannot make it end-to-end encrypted, so they don't. Yet they're getting the benefit of doing so.

02:02:44
Anyway, Matthew began, as we know, by posing the question, is Telegram an encrypted app? The most generous answer would be that, while it can be forced to provide state-of-the-art end-to-end encryption between two online parties, it certainly is not as encrypted as the general public, its users and the press have all come to assume. More than anything else, its ability to broadcast to very large groups has turned it into a social media platform with an air of undeserved security and privacy. So thank you, Matthew Green, for laying it out.

02:03:23 - Leo Laporte (Host)
Yeah, I think that's. I read the piece too. I'm glad you brought it back because it was very interesting, and I thought a pretty big takedown of it. Unfortunately, the people who most need to read it.

02:03:43 - Steve Gibson (Host)
No, a lot. Never know. This is just for our listeners.

02:03:46 - Leo Laporte (Host)
Yeah, and even our listeners already know this, because we've covered this subject before. I like Telegram. Actually, I shouldn't maybe mention this, but right now we're streaming on seven streams, as you know: YouTube and Twitch, LinkedIn, Facebook, Twitter, Discord and Kick, and I think we're going to replace Kick with Telegram, because, you know, in fact, when Telegram, I loved it, maybe eight years ago, when it really took off. I thought, I want this, everybody to use this, we should. But we talked about this, and it was, as you said, good enough. It's not encrypted, but most of the time you don't expect that. The standards have changed now, thanks to Apple and Google, using RCS in Google's case, Apple and Leo encryption.

02:04:37
The podcasts, your network podcasts, don't need encryption, right? We don't want them to be encrypted, we want everybody to see them. Yeah, yeah. So I think, Telegram, I don't know, you can't, I don't know, we'll see. You know what's cool, though, we have 764 people watching on those seven platforms right now, and I think that's a great way to introduce ourselves to a new audience. If you like what you hear, you know, thank Steve Gibson. He's been doing this for almost a thousand episodes now, 18, 19 years.

02:05:11 - Steve Gibson (Host)
Closing in on it.

02:05:14 - Leo Laporte (Host)
And it's the best thing. I tell you what, no one's been doing it longer or more effectively spreading the word about security than this guy right here. We're very, very grateful to him. And you're right, I'd be really sad if we were counting down, if this was 10, 9, 8. I'd be just terrible. If you like the show, support it. Join the club, Club TWiT, at twit.tv/clubtwit. Interact with Steve. Buy a copy of SpinRite. That's his real bread and butter, the world's best mass storage performance enhancer, maintenance utility, recovery utility. 6.1 is the current version. It's available from him directly at GRC.com. That's his website. While you're at GRC, of course, you can find lots of great stuff. Steve gives away most of what he writes, like ValiDrive, which makes sure that you got the USB storage you thought you were buying from Amazon, actually could be used anywhere. ShieldsUP, which I've been using for two decades to test my routers before I go public. InControl, if you don't want Microsoft to upgrade Windows out from under you.

02:06:22
Yeah, and the new one which I can never remember the name of.

02:06:27 - Steve Gibson (Host)
Is Boot Secure.

02:06:29 - Leo Laporte (Host)
Is Boot Secure. Anyway, go to GRC.com, check it out while you're there. You can get a copy of the show. He has the usual 64-kilobit audio. Also two unique formats: the 16-kilobit audio for the bandwidth impaired. Yes, that's right, 16. If you want to know what the old days sounded like, listen at 16 kilobits. It sounds like Thomas Edison's Mary Had a Little Lamb. He also has the text version of the show, the transcriptions written by Elaine Farris, who uses those 16-kilobit versions, so that's why we make them. He has the show notes too, and I think a lot of people like to get the show notes as a great kind of précis of what we've talked about, the pictures in there, all the links and so forth.

02:07:14
GRC.com. We have the show at our site, 64-kilobit audio, but we also have our unique format, video. Yeah, we do a video version of this. You don't need it, but if you wanted it, you can get it at twit.tv/sn. You can also get a copy from YouTube. Actually, if you go to twit.tv/sn, there's a link to the YouTube channel there, so you can go right there. That's a good way to share. You know, I know a lot of times people hear something, go, oh, I gotta get my boss this, or, oh, I really should pass this along to my uncle because he thinks Telegram's all that. So if you do hear something you want to clip, YouTube's really good for just taking that little piece and sending it to him, and, who knows, maybe we'll create a new listener by doing that.

02:08:00
You can also subscribe in your favorite podcast player. We have links on the web page for those too. That way you'll get it automatically without even thinking about it. You don't have to click a link or anything. You can also watch us live, as I mentioned, on all those platforms, as 760 people are doing right now. The easiest way to do that is go to the webpage, twit.tv/sn, and you can see the live links. We do it right after MacBreak Weekly, so the time is a little, you know, fungible, but usually around 2 PM Pacific, 5 PM Eastern. That's where we started today, 2100 UTC of a Tuesday. Thank you, Steve, have a great week. Thank you, my friend. I will not be here next week, going on vacation for a couple of weeks. Right, Micah will take over, he'll do a great job, and I will see you September 24th.

02:08:52 - Steve Gibson (Host)
Yep. I already verified with Micah that he receives the emails that I send.

02:08:55 - Leo Laporte (Host)
Good.

02:08:56 - Steve Gibson (Host)
So he'll have the show notes for next week and the week after, so we're missing you for two episodes, right? Two episodes.

02:09:03 - Leo Laporte (Host)
I will be back on the 24th, okay.

02:09:06 - Steve Gibson (Host)
Thanks, Steve, have a great week.

02:09:07 - Leo Laporte (Host)
See you next time. Bye. Security Now.
