
Security Now 993 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here, the man we trust with the information you need to stay safe these days. We're going to talk about the weird thing that Kaspersky antivirus did on its last day in the United States, why you should worry if you're one of 106 million US individuals whose information was, yes, once again leaked online, and Google takes a big step forward with passkeys. All that and more coming up. Next, on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 993, recorded Tuesday, September 24th, 2024. Kaspersky exits the US. It's time for Security Now, the show where we cover the latest security news with this cat over here to my right, Mr. Stephen Tiberius Gibson, your host at the Gibson Research Corporation. Hello.

0:01:07 - Steve Gibson
Steve. Hello, Leo, good to see you.

0:01:09 - Leo Laporte
We're looking at each other like the Brady Bunch. There he is.

0:01:12 - Steve Gibson
Welcome back. Micah held down the fort for you for a couple weeks.

0:01:16 - Leo Laporte
Thank you, Micah, thank you. We had a good time.

0:01:19 - Steve Gibson
Yeah, learned some things. I did not want to forget to tell you that one of our pieces of news is that Peter Hamilton is back. Oh good. With the first of a duology, so we're not doing anything until he gets the second one done. Yes, because we've learned that lesson.

Oh, you start the first one and then it goes, well, it's not over, but you're gonna have to wait a year. Oh my God, you get all wound up and you've got all this backstory, and then, a year from now, it's like, okay, who is that? What? What did he do?

0:01:51 - Leo Laporte
You know, because you just, you know, there's a lot of detail, forget stuff. But I did hear you talking with Micah about the Bobiverse and book five, which came out, and I got it just in time for my trip, and that's, oh.

0:02:04 - Steve Gibson
And in fact he was not generally a sci-fi person, he explained, but I guess the Bobiverse is so fun and sort of lightweight that it fits with his, you know, whatever he's doing.

0:02:17 - Leo Laporte
It's a starter drug for sci-fi, craft weaving and cooking and stuff.

0:02:20 - Steve Gibson
Yeah, exactly. Anyway, at the other end of the spectrum is Peter Hamilton, where we know far more than we ever wanted to know about the Commonwealth. Oh yeah. Which is the background for what happens in Pandora's Star and then later all that Dreaming Void business. Are we

0:02:38 - Leo Laporte
back in the Commonwealth?

0:02:39 - Steve Gibson
I hope. This is a whole new deal now; we're way, way in the future. So I'm sure people are going to be very altered and all kinds of cool stuff that Hamilton comes up with. And this is the result of a mass migration, exodus from Earth, and colony ships go out, and one of them finds the right place and sends a message out to all the other ones that says, hey, we found the right place, everybody come on over here. But apparently by the time that those other ships get there, things are not so good anymore. Yeah. And so we don't know what's wrong, but apparently there's like the overlords, and bad people are not happy.

And anyway, Lord knows what he's cooked up, but I'm excited about it. And I did say, if there are any of our listeners who are willing to, like, get all ramped up and then hit the cliffhanger at the end of book one, I'd love to hear what you think, without any spoilers. But I'm not going there until I can read both at once, and, you know, I think the first book is 993 pages or something. Oh my gosh. No. Again.

It will hold open a door with very strong springs. So that's what you can count on Peter for. He's our favorite sci-fi author.

0:04:00 - Leo Laporte
We do recommend that, if you're going to start with Peter F. Hamilton, you start with the single volume Fallen Dragon, right? Yes, that's the easy one. It's, well, beautifully written, and he's really good at hard sci-fi but excellent characterization.

0:04:14 - Steve Gibson
It's got the best surprise ending too.

0:04:15 - Leo Laporte
It's really good, it's like, ooh. And then you can start getting into the much longer Dreaming Void. Not my crazy, not my favorite.

0:04:24 - Steve Gibson
No, not my favorite, you know. Yeah, especially the last one. The last one was like, wow, did you promise somebody to do nine massive novels and you just ran out of stuff after number eight, and so you just said, well, we're gonna keep on going?

0:04:40 - Leo Laporte
This does happen, yeah. So what are we talking about? I can guess, but I'm gonna let you tell us what we're talking about this week. That's right, we're here to do a podcast. I almost forgot.

0:04:52 - Steve Gibson
This is Security Now number 993. And our longtime listeners are saying, well, thank God we're not ending at 999, because, you know, we're not, but in six episodes we're gonna be there. That's gonna be very cool. It's amazing, isn't it?

0:05:08 - Leo Laporte
You know, TWiT 1000 is next week. Wow. Not this Sunday, but a week from Sunday. Yeah, wow, very cool. Yeah, so we're gonna find out if your four-digit stuff works.

0:05:17 - Steve Gibson
I think it will, because you've always had a leading zero. So that's.

0:05:21 - Leo Laporte
You know, I must have been prescient.

0:05:23 - Steve Gibson
I was very impressed when I saw that. I thought did he really think 20 years ago that he was going to need four digits?

0:05:33 - Leo Laporte
I was thinking that two would be fine.

0:05:39 - Steve Gibson
Anyway, today's title is Kaspersky Exits the US, but by popular demand, and I didn't talk about this last week, actually, I didn't have enough information to talk about it last week, but by popular demand I want to talk about the technology and the supply chain aspects of the very powerful event that happened involving exploding pagers and walkie-talkies. What a story. Also, we've got the question: is Ford Motor Company planning to listen in on their occupants? Some of their recent patent filings would suggest that, but I want to help put that in perspective. We've got the highly personal data of 106 million plus individuals having been found unprotected online, so again, like another NPD-style breach. Big news for passkeys, making a huge step forward in the industry.

And is there a serious 9.9-level unauthenticated remote code exploit in Linux? Probably is, and we're going to find out in two weeks, but we'll share what's known today. Also, we've got more credit bureau freezing insanity, a little bit of a question from our listeners about Drobo versus Synology, an update on my email adventure, a question about Wi-Fi security with and without a VPN, obtaining CPE credits from listening to Security Now, as many of our listeners do, and a defense for Microsoft's own Defender XDR endpoint security. We've been talking about CrowdStrike. One of our listeners says, hey, XDR is worth looking at too. And then, what mess did Kaspersky make

0:07:36 - Leo Laporte
leaving the.

0:07:37 - Steve Gibson
US market last week, and what are the wider implications for the Internet's future? So I think a lot of interesting stuff for us to look at and talk about this week, and, of course, we've got, as always, a great picture of the week. I have it ready, I have it ready for you, Steve.

0:07:56 - Leo Laporte
But first, our first sponsor of the show, if you don't mind, ACI Learning. Our great friends at ACI Learning. They're the folks behind IT Pro. We've talked about them for years: binge-worthy video-on-demand IT and cybersecurity training. With IT Pro you get certification-ready access to their full video library. I mean, getting into IT means getting a cert. Really, that's the best way to get that first job. But with IT Pro you can also keep getting certs, recertify, learn more. More than 7,200 hours of training, and it's up to date, every one of them, because they've got all those studios running Monday through Friday, nine to five, creating new content.

Tests change, questions change, software changes, and IT Pro at ACI Learning is always up to date. The premium training plans also include practice tests, which are fantastic. I'm a big believer in those. Make sure you're ready to take the real test before you pay for the exams. They also have virtual labs, which help facilitate hands-on learning. But, and here's a little secret tip, they are a real boon to MSPs and others who want to test configurations on their Windows servers without actually putting them on the Windows servers.

A great way to learn, a great way to try before you install. IT Pro from ACI Learning. It is a great tool, but it also makes training fun, because all their training videos are produced in an engaging talk show format. All their trainers are experts in the field, actually working in the field. But more importantly, even than that, they have the expertise, but they also have the passion, they care, and that's what makes it truly engaging, truly edutaining, as they call it. Take your IT or cyber career to the next level. Be bold, train smart with ACI Learning.

Visit go.acilearning.com/twit. If you use our code, there's a new one, by the way, make a note of this, if you use our code SN100 at checkout, SN100 at checkout, you'll save 30% on your first month or first year. If you subscribe for a year of IT Pro training, that's a lot of savings, 30% off your first month or first year of IT Pro training, when you visit go.acilearning.com/twit, SN100, that's a brand new one, at checkout. go.acilearning.com/twit. We thank them so much for supporting the, I think, very important work Steve is doing here at Security Now. And, of course, among the most important things that you do, Steve, the picture of the week. So I gave this one the caption.

0:10:35 - Steve Gibson
What event could have prompted the addition of this sign?

0:10:42 - Leo Laporte
Parking available in empty spaces only.

0:10:47 - Steve Gibson
You know, because what you really want to do is to try to park in an occupied space. Yeah, yeah, yeah, he's right, I don't know. Now, I have had some feedback from our listeners who saw this already. My morning's mailing to just shy of 9,700 Security Now listeners went out over the course of 30 minutes this morning, and a couple of them said, you know, it looks like this is kind of a park or something. I mean, you can kind of see behind the sign.

0:11:21 - Leo Laporte
Oh, you could park like on the grass.

0:11:23 - Steve Gibson
There's some non-marked, like, some areas which are not spaces, and so maybe people were kind of parking on the lawn or whatever, and I actually think that was probably likely. Never put it past them. But I thought this was funny nonetheless, and so we do try to put a little humor in our picture of the week when we can get it, and in fact we're going to need some humor.

Uh-oh. Talking about our first topic, which is not at all funny, I'm just saying, to, you know, balance this topic. Many of our listeners wrote last week to say, Steve, I hope you're not going to shy away from the topic of the exploding pagers, which happened in the possession of predominantly, largely, members of Hezbollah last week. Actually, it was last Tuesday. As I said, shortly after the news of these exploding pagers broke, I started receiving notes from our listeners saying that they were looking forward to my talking about this today. And, as always, what most interests me, and what is also the proper focus of this podcast, is the technology and the facts, to the degree that either are known, behind what happened. You know, this is not a podcast that will examine or comment upon the politics or the morality even of what occurred. That's not what we're here for, and we've had hot topics occur in GRC's newsgroups and forums from time to time. When that happens, I note that there are ample other places on the Internet for such discussion, if that's what one is seeking, but that's not here. You know, this is about technology. So I spent some time coming up to speed about what was known, and I had the advantage of having been able to wait nearly a week for the dust to settle, almost literally, and for the various news reporting and investigative bodies to dig into the backstories and report their findings. As it happens, I found exactly the sort of background and technical coverage that's appropriate for this podcast over on the CryptoMuseum.com site.

Of all places. Here's what they wrote, and they dedicated a page to this event. They said: on September 17th, 2024, thousands of pagers of the Lebanese terrorist organization Hezbollah exploded more or less simultaneously. Around 5,000 pagers had been obtained by Hezbollah shortly before the incident, 4,000 of which exploded that day after receiving a specially crafted message. In the incident, at least 12 people were killed and around 2,750, that is 2,750, were injured. A day later, more than 400 handheld radios, walkie-talkies used by Hezbollah, also exploded.

Although there was no direct proof, they wrote, it was widely speculated that Israeli services were behind the attack. The AR-924 pager from the Taiwanese manufacturer Gold Apollo is intended for use on local infrastructure in the 450 to 470 MHz UHF radio band and does not depend upon the public switched telephone network. Hezbollah used these pagers for security reasons, as they were apparently afraid that their communications via public networks could be intercepted or cut off. It seemed, they wrote, that the pagers had been manipulated somewhere in the supply chain between Taiwan and Lebanon, or that a special fake company had been set up by an intelligence service to supply manipulated devices to Hezbollah. Experts believe that Israeli intelligence services managed to manipulate the firmware and added a small plastic explosive device.

The Taiwanese manufacturer Gold Apollo denied that the devices were supplied by them and suggested that they might have been supplied by a Hungarian company, BAC Consulting. BAC had purchased the production rights and the use of the brand name for certain regions and later produced their own pagers under the Apollo brand. A specially crafted message was sent to the newly purchased devices, which triggered a small plastic explosive device that was hidden inside its enclosure. According to the German newspaper Welt, the explosive RDX had been integrated into the batteries. In addition, the markers that are normally present in plastic explosives to reveal them in an X-ray scan were said to have been omitted. Other sources report that the explosive known as PETN was used. RDX and PETN are the main ingredients of the plastic explosive Semtex.

According to the Taiwanese manufacturer of the pagers, their Hungarian license holder, BAC Consulting, could be involved in the rigging of the devices. The company was founded on May 5, 2022, and reported 2023 annual income of €549,000. It's possible that it was a shell company created especially for the purpose of selling rigged equipment to certain parties. A day after the incident, a representative of the Hungarian president, Viktor Orban, told the press that the pagers had never actually been in Hungary and that BAC merely acted as an intermediary. When reporters visited the company at its registered address, seen the BAC director since the pager attacks of September 17. She had reportedly been placed under the protection of the Hungarian security services. In addition, the Bulgarian authorities started an investigation into a company that they thought might have facilitated the sale of the pagers to Hezbollah. Although the name of that company was not disclosed, Bulgarian media revealed it was Northa Global Limited in Sofia, Bulgaria.

A day after the incident with the Apollo pagers, on September 18th, a similar thing happened to the two-way handheld radios that were also used by Hezbollah. In this case, it involved the IC-V82 handheld radio, a 20-year-old model from the Japanese manufacturer ICOM. The IC-V82 works in the VHF amateur radio band, which ranges from 144 to 146 MHz, optionally 136 through 174. The ICOM IC-V82 is a straightforward two-way radio of the kind that are also used by amateur radio operators. It was discontinued in 2014 and should no longer be available on the market. ICOM stressed that the devices had not been supplied by them. It's known, however, that counterfeit IC-V82 radios, you know, not manufactured by ICOM, are widely available. Counterfeit radios are commonly produced in China and are difficult to distinguish from real ones. They're available from electronic stores in Asia and come with original packaging.

In the case of the exploding IC-V82s, it was not the battery that exploded, but their front top. Apparently, an explosive device had been placed inside the radio, close to the microphone speaker, which is the part that's closest to the face when the radio is operated. This suggests that it was the intention to cause maximum, potentially lethal, harm to the user. In Bulgaria, an investigation has been launched into a company in Sofia that might have been involved in the supply of the counterfeit IC-V82 radios from Asia to Hezbollah. This is the same company, Northa Global Limited, that might have been involved in supplying the AR-924 pagers. The number of radios, around 450, is smaller than the number of exploded pagers, which was around 4,000. But since the radios are physically larger, they carried more explosives and were therefore more damaging.

It's currently unclear how and when the handheld radios were manipulated and how they were triggered remotely, but, they wrote, we can make a few educated guesses. The radio features CTCSS and DTCS, two techniques to selectively open the radio's noise-canceling squelch system using analog or digital tones. It's possible to fit an optional DTMF, you know, touch-tone, encoder or decoder, which can be used to activate the pager function of the device by sending it a three-digit DTMF digit sequence user ID. It's likely that a unique combination of the above techniques was used to trigger their synchronized detonation.

Okay, so we have an example of a seriously well-planned, well-coordinated and breathtakingly real-world physical supply chain attack. The article said authoritatively, and I've seen it in several other places, that it was 5,000 pagers that had been recently ordered and received. There's been no exact reporting of the elapsed time between the 5,000 pager order and their delivery. But if Israel was somehow able, well, first of all, if Israel was behind this, and if whoever was behind it was somehow able to do this without extensive pre-order preparation, then it's even more impressive, given the evidence of this attack's sophistication and what we know of the time that would be required to implement and test a fully functional pager incorporating specialized firmware with secret code recognition to trigger a custom detonator, probably along with an additional power transistor to supply the current for the detonation, which would require a custom circuit board. There's no way this could have been done overnight, or even close to overnight. If it were, it would be quite astonishing.

The Gold Apollo AR-924 is a ruggedized device with a rechargeable 85-day battery life. As such, it is particularly well suited for rough use in the field. I suspect, and this is entirely by conjecture, it's more likely that Hezbollah's choice of pager was known ahead of time, you know, from previous contact with them in the field, since this pager model has been available for years. That would have given someone, presumably someone with ties to Israel, time to replace the original guts of thousands of these devices with their own, at which point they would have been standing by and patiently waiting for Hezbollah to place their order, and the same must have been true for the next day's handheld radio attack. You know, this is another of those situations where we're ever unlikely to have all the facts, since, you know, those who have all the facts stand nothing to gain by leaking anything more.

In some other reporting by Vox, Charles Lister, a senior fellow at the Middle Eastern Institute, was quoted saying, quote, what we've seen over the past two months shows that Israeli, I'm sorry, Israel and its intelligence apparatus have completely infiltrated the most sensitive echelons of the entire Axis of Resistance.

Charles' reference to the Axis of Resistance is the informal name for Iran's network of proxy militias throughout the Middle East. He continued: it was only a year ago that the reputation of Israel's intelligence services took a major hit with their failure to anticipate the October 7th attacks, despite abundant signs that Hamas was preparing for a major operation. It's worth noting that, while the operations in Lebanon and Iran were likely carried out by Mossad, Israel's foreign intelligence service, Israeli-occupied Gaza is the responsibility of the Shin Bet, the domestic security service. The Shin Bet official responsible for southern Israel and Gaza resigned over that failure, as have two senior military intelligence officials. While October 7th damaged the reputation of Israel's vaunted spy services, they've now restored that notion of deterrence based on fear and the notion that Israel has eyes everywhere. I left a link in the show notes to the page that I found at cryptomuseum.com for anyone who's interested in learning more, though that's pretty much everything that they had to report.

0:25:52 - Leo Laporte
I think it's important to kind of emphasize that this must have been years in the making, and that they are, you know, this isn't the kind of thing that's going to happen all the time, to us, to other people. This must have been, this is a major effort that may have been as long as a decade in the making. So you're not going to see this, I hope we're not going to see this, happening all the time, because that would make everybody very nervous about their devices.

0:26:23 - Steve Gibson
Yeah, it was interesting that they managed to get a hold of plastic explosive that was specifically lacking the markers that would have made this obvious in any sort of an X-ray.

And, you know, from a technology standpoint, custom firmware would have been necessary, which would have meant that you had to have the source code for the original device's firmware, or maybe, you know, suck it out and reverse engineer it, and then edit it in order to incorporate secret code triggering. Also, you know, we know how software goes. You never want this to go off by mistake. That would be a disaster. For one thing, you would tip your hand. If one blew up, then nobody would, you know, throw all the rest of them in the river.

0:27:15 - Leo Laporte
They were carrying explosives in their pocket for months, right? Yes. And unwittingly. I mean, it's kind of a,

0:27:22 - Steve Gibson
I mean, I don't want to admire it too much, but with some grudging admiration for what an amazing operation this was. And it is an example of a classic supply chain attack, because, you know, these essentially off-the-shelf pagers were purchased by a specific organization. Middleman. Right, yes. And the pagers specifically sent to that specific organization were intercepted and swapped out.

And so, you know, people will say, yes, but there were innocent people who were also hurt, and that is absolutely true, and that's an unavoidable consequence. Including children, at least several children. Yes, it's an unavoidable consequence of the bluntness of this, because you're not in a position where you're looking at your enemy through a sniper scope. I mean, and I'm sure at some level Israel and Israeli intelligence services were holding their breath that they would get the outcome they were seeking, which was a highly targeted event.

0:28:41 - Leo Laporte
Well, remember that the CIA at one point was accused, and I think it was true, of sending booby-trapped cigars to Fidel Castro. At least they thought about doing that. It made a great story, even if it wasn't true. You know, this is the kind of spycraft you read about in novels or in movies. Yeah, the fact that this worked, and worked so effectively, is, yeah, nobody wants to call this a spectacular success.

No, because it's horrible. Yes, but you have some grudging admiration for the ability to pull this off. And the real point of it, as with all terrorist acts, is to terrorize and to make people say, hey, I wonder if my pager is okay. I wonder if, am I safe? Do they know where I am?

0:29:26 - Steve Gibson
And there now is reporting that the upper echelon of Hezbollah is no longer using any technology, that they are having to meet face-to-face, and so that significantly cripples their communications infrastructure.

0:29:41 - Leo Laporte
And that's why they were using pagers, because they decided that phones were compromised and they couldn't use those anymore. So you get the feeling this has been planned for many years, over a long period of time.

0:29:58 - Steve Gibson
Yeah, very interesting story. So the headline was Ford Seeks Patent for Tech that Listens to Driver Conversations to Serve Ads. And at that point you just turn the car off and get out. But okay, The Record, the publication, The Record published a piece two weeks ago that I did not have the chance to get to until now, but it's too important for us to miss in this podcast, and I've got some backpedaling to do after we lay the foundation for this. The Record's headline makes it very clear where we're maybe headed, reading, quote, as I said, Ford Seeks Patent for Tech that Listens to Driver Conversations to Serve Ads. Apparently, they want to listen in on the conversations being held inside the car in order to present advertisements on the system's entertainment system. So The Record says this. They write: Ford Motor Company is seeking a patent for technology that would allow it to tailor in-car advertising by listening to conversations among vehicle occupants, as well as by analyzing a car's historical location and other data, according to a patent application published late last month.

The patent application says, quote, in one example the controller may monitor user dialogue to detect when individuals are in a conversation. The conversations can be parsed for keywords or phrases that may indicate where the occupants are traveling to. The tech, labeled as In-Vehicle Advertisement Presentation, will determine where a car is located, how fast it is traveling, what type of road it is driving on and whether it is in traffic. It will also predict routes, speeds and destinations to customize ads to drivers. The application said the system could pull audio from, quote, and this is from the patent application, audio signals within the vehicle and/or historical user data, selecting a number of the advertisements to present to the user during the trip, unquote. By monitoring dialogue between vehicle occupants, the ad controller system can determine whether to deliver audio versus video ads, providing ads to drivers as they travel, quote, through a human machine interface of the vehicle, the patent application said. OK, so hold on a second. The ads can be audio. So what, your car interrupts during a pause in the conversation to helpfully comment with something like, excuse me, but I heard you mentioning that you were hungry, and we know from your past travels that you like burgers. There happens to be a highly rated burger joint just around the corner. If you're interested, take a left at the signal. Wow. If that's the case, I doubt that I'm ready for this brave new world. The article continues: quote, such systems and methods provide maximum opportunity for ad-based monetization, said the patent application. Quote, these systems and methods may use knowledge of vehicle destination prediction to provide more relevant advertisements, for example, if a user is going grocery shopping, merchandise purchasing, etc.

The patent application does not describe how the collected data would be protected. The technology would be primarily software-based and would require no new hardware, according to the application. Ford filed the application in February and it was published on August 29th. Contents of the application were first reported by Motor1.com. Ford has since defended the patent application, with a Ford spokesperson saying, quote, submitting patent applications is a normal part of any strong business, as the patent process protects new ideas and helps us build a robust portfolio of intellectual property.

Unquote. Now, that is certainly true. Many patents are defensive and are primarily meant to beef up a portfolio for mutual agreements among competing manufacturers within an industry. Ford's statement continued, saying, quote, the ideas described within a patent application should not be viewed as an indication of our business or product plans. And in a follow-up statement, Ford said, quote, it will always put the customer first in the decision making behind the development and marketing of new products and services. OK, so there's hope. The system could pull data, the article says, from third-party applications or set up screen input preferences to predict the number of ads a driver should be served, the application said, noting that whether a vehicle owner is making a long drive versus a trip to a medical care facility would be considered by the system. That's right, because what we really want is our car reporting to our insurance companies that we've been spending a lot of time at medical facilities.

And speaking of tattletales, a Ford patent filed in July proposed technology that would enable vehicles to monitor the speed of nearby cars, photograph them and send the information to police. Amazingly, the idea sparked a backlash from privacy advocates, you know, but that kind of thing is no concern to the US Patent and Trademark Office. That's not what they focus on. The application pointed to how application last October, after a firestorm of criticism over its plans for a system that would commandeer vehicles whose owners were late to pay and allow the cars to repossess themselves. That patent application said that the technology would allow self-driving cars to automatically head to repossession lots, while standard vehicle lenders would be able to permanently lock cars and cripple steering wheels, brakes and air conditioning in order to pressure delinquent drivers into paying. So you really have to wonder what they're thinking. If nothing else, the communications available thanks to the Internet mean that if this ever happened just once, to someone, anywhere, it would make headlines, and you'd have to imagine that what the Ford spokesperson said about patents not necessarily implying future product plans is really true.

While patents certainly can indicate a company's future direction, they do not necessarily do so. For a massive company like Ford that has an entire division of in-house patent attorneys, their job is to emit patents more or less continuously, so they'll have members of their patent squad regularly attending product planning and brainstorming meetings, taking notes and turning random comments into patents. Some random employee may have quipped at some point during a brainstorming meeting that once they've got the self-driving technology figured out, it would be possible to eliminate the need for tow truck repossession by having their cars start themselves in the middle of the night and drive themselves to the local repo lot. While everyone was laughing at that idea, the weenie from the patent department was taking notes to get that idea captured and filed. It's like ooh, that's a great idea, let's patent it. So again, it's a far cry from actually suggesting that that's what Ford's cars are ever going to actually do.

0:39:28 - Leo Laporte
I think it's really important to say that. On MacBreak Weekly, we are regularly challenged with the idea of talking about the patents that Apple has filed, and often they're not, you know, with any intent to release a product, but just for a variety of reasons. You could even, in fact, Ford should probably say this, make the case that, well, we're doing this defensively so that if anybody tries to do it, we can stop them, saying no, we have the patent on that, and you better not. And nobody should, and nobody should. Yeah, I mean seriously. Although I have to point out, you remember when Apple was in the car business, briefly, 10 billion dollars later, a lot of what the consideration was was for autonomous, driverless vehicles where you're in a living room, and how they could turn that living room basically into a mobile ad platform. And you can.

0:40:22 - Steve Gibson
You can see that probably Ford's thinking along those lines, as are so many companies. And while I was doing a little bit of research on this, Leo, it turns out that YouTube is planning to show ads when you pause the videos.

0:40:35 - Leo Laporte
Oh yeah, they do now. Yeah, and so is Hulu. It's a pop-up, it's just a pop-up. This is, hey, you paused it. Why don't you go get a Dr Pepper? Ads everywhere. Remember the Philip K. Dick short story where ads were everywhere?

0:40:50 - Steve Gibson
We thought at the time, oh, that'll never happen. Or any of the sort of dark sci-fi that you see, sure.

0:40:59 - Leo Laporte
Blade Runner Ads on every surface.

0:41:01 - Steve Gibson
Yes, holograms are jumping out at you, soliciting everything.

0:41:06 - Leo Laporte
Exactly.

0:41:07 - Steve Gibson
We are headed there, Leo.

0:41:09 - Leo Laporte
Speaking of ads, oh, let's do one right now. We at least tell you that it's an ad. We tell you it's coming.

And it's actually relevant to what you're probably interested in. It's almost always relevant to what, in fact, in this case, absolutely. It's one of our longtime advertisers. I'm a big fan of them. The folks at Thinkst Canary are sponsors for this segment of Security Now. What is a Thinkst Canary when it's at home, or in your office, or under your desk, or in your network? It's a honeypot. We've talked about honeypots before. In fact, we interviewed Steve Bellovin and Bill Cheswick, of "Repelling the Wily Hacker." Actually, I think it was Bellovin who wrote, or maybe it was Cheswick. No, it was Cheswick who wrote the first honeypot, and I remember talking with him about it, and he said, yeah, it was really hard to do back in the day.

Thinkst Canaries are really easy. You can deploy them in minutes, and these honeypots have basically a web page with all different kinds of things. They can be an SSH server, a Windows server, a Linux server. Mine's a Synology NAS, and it's easy. You could change it in minutes, but they really look like the real deal. My Synology NAS has the actual DSM 7 login page, exactly the same. It even has a MAC address that could be coming from Synology. That's really good. The thing about Thinkst Canaries: they don't look like they're vulnerable, they look valuable. They look like something a bad guy would want to attack. For instance, one of the things you can do with your Thinkst Canary is set lures, Canary files, tokens that live on your network, PDF files that say employee information or payroll information, or Excel spreadsheets or document files, except they are actually tripwires that you've put all over your network, so that if someone's accessing your tripwire or your lure files, or brute forcing your fake internal SSH server or NAS box, you're going to get an immediate alert from your Thinkst Canary saying you've got a problem. And you don't get false alerts, only the alerts that matter. So here's how it works: you sign up for your Thinkst Canary, you're going to go to the console and you're going to choose a personality, a profile, register it with the hosted console. You're going to get monitoring and notifications, and you're going to get them however you like them: email, text messages, they support webhooks, syslog, you know, any way you want. Basically, then you just wait, and most of the time, I know it's true with our Canaries, you don't hear anything. But an attacker who breaches your network, or a malicious insider, any other adversary wandering around your network, makes themselves known by accessing that Thinkst Canary, that honeypot. They can't resist it. It looks so juicy and tasty. So get your Thinkst Canary by visiting canary.tools/twit.

I'll give you a pricing example. You know, if you're a big operation, you might have hundreds of them spread out all over the globe. For a little place like ours, maybe a handful, say five: $7,500 a year. Five Thinkst Canaries. You get your own hosted console. You get your upgrades, your support, your maintenance. And I'm going to make it even a better deal, because if you use the code TWIT, T-W-I-T, in the "How did you hear about us?" box, that's good for us, because then they know you heard it on TWiT, on Security Now. And it's good for you, because you're going to get 10% off the price of your Canaries, not just for the first year but for life, for as long as you're a user.

Here's another thing that will reassure you. You might say, well, I don't know who these guys are. I don't know if I need this. You do. Trust me, you do. If you want to see some actual testimonials from very big companies, and CISOs and CIOs in some of the biggest companies in the world, go to the website canary.tools, canary.tools, and you'll see all the love for the Thinkst Canaries.

But if you're still skeptical, be reassured, because you can always return your Thinkst Canary. They have a two-month, 60-day money-back guarantee, full refund. Now I've got to point out we've been offering these Thinkst Canaries and this refund for, I don't know, seven years, almost a decade. In all that time, the refund guarantee has never been claimed, because once people get their Thinkst Canary, they go, how did I ever live without this thing? On average, bad guys who get into your system wander around for 91 days before detection. You can't let somebody wander your network for 91 days without detection. You need a Thinkst Canary. Visit canary.tools, enter the code TWIT in the "How did you hear about us?" box for that great discount, and don't forget the 60-day money-back guarantee. canary.tools/twit. The guys who designed this are really good, and they made something that everybody needs. canary.tools/twit. We thank them so much for supporting Steve and the important work he does here at Security Now.

0:46:21 - Steve Gibson
Speaking of breaches, there's another one. Just when you thought it might be safe to unfreeze your credit reporting.

0:46:29 - Leo Laporte
Never.

0:46:29 - Steve Gibson
Never. I'm joking, I know you know that it will never again be safe for anyone to unfreeze their credit reporting.

0:46:38 - Leo Laporte
That's true.

0:46:44 - Steve Gibson
That ship has unfortunately sailed and sunk, following the National Public Data breach. It's difficult to imagine that anything could be worse, and I don't know that yesterday's news is worse, because there's no evidence that the bad guys got their hands on this latest trove of treasure, but it was publicly exposed, unencrypted and unprotected by any password, for some length of time. So we don't know. Yesterday's Cybernews headline was "One-third of the US population's background info is now public." The good news is they already knew all this stuff from the last breach, right? So, that's right, I'm not going to get too worried about it. So they wrote, MC2, that's the name of the company.

MC2 Data and similar companies run public records and background check services. These services gather, compile and analyze data from a wide range of public sources, including criminal records, employment history, family data and contact details. Data brokers, right? Yes, exactly, yes. They use this information to create comprehensive profiles that employers, landlords and others rely on for decision-making and risk management. Websites that MC2 Data operates include PrivateRecords.net, PrivateReports, PeopleSearcher, ThePeopleSearchers and PeopleSearchUSA, they wrote.

Despite dealing with staggering amounts of sensitive data, it is not always kept secure. Cybernews research reveals that the company left a database with 2.2 terabytes of people's data, passwordless and easily accessible to anyone on the Internet. What was likely to be a human error exposed 106,316,633 individual records containing private information about US citizens (thus one-third, since we have about 330 million people here), which raises serious concerns about privacy and safety. Estimates suggest that at least 100 million individuals were affected by this massive data leak, as the data of 2,319,873 users who subscribed to MC2's data services was also leaked. So we know who was pulling all this data and all the data that was available to be pulled. The leaked data included names, email addresses, IP addresses, user agents, encrypted passwords, partial payment information, home addresses, dates of birth, phone numbers, property records, legal records, family relatives, neighboring data and employment history. Now, the good news is, I looked over the data and I didn't see any reference to Social Security numbers, but on the other hand, that's already out there from NPD, right? So, okay. There is, however, plenty of MC2 leak data that could be merged with the NPD breach data to create an even bigger, more comprehensive database. So basically, you know, lock your data, freeze your credit and just stay home, because it's bad out there. I don't know. Anyway, for what it's worth, there were no Social Security numbers, but still, this could be merged into an even bigger breach. Okay, this next piece of news is significant.

Last Thursday, Google Chrome's project manager blogged under a headline that I thought was underhyped. The headline just said, "Sync passkeys securely across your devices." Okay, that doesn't really say what I would think Google should be saying, because we're talking about having the world's leading web browser, you know, leading by a large margin, and presumably other Chromium-based browsers, now natively supporting passkeys built into the browser. Here's what Google posted under that underhyping headline. They said, in addition to Android devices, you can now save passkeys to Google Password Manager on desktop. Signing into your favorite sites and apps on any device should be as quick and easy as unlocking your phone. That's where passkeys come in. They're safer than passwords and easier to use, letting you use your fingerprint, face or screen lock to securely sign into apps and websites, moving us one step closer to a passwordless future. Until now, you could only save passkeys to Google Password Manager on Android. You could use them on other devices, but you needed to scan a QR code using your Android device, using it as the authenticator. Today (this is written last Thursday, right) we're rolling out updates that make it even easier to use passkeys across your devices.

You can now save passkeys to Google Password Manager from Windows, macOS, Linux and Android, and ChromeOS, which is currently available for testing in beta. Once saved, they'll automatically sync across all your devices, meaning all your instances of Chrome, right, where you're signed in, making signing in to other websites as easy as scanning your fingerprint. To let you create passkeys and access saved ones across your devices, we're introducing a new Google Password Manager PIN. This PIN adds an additional layer of security, and I'm glad for it, to ensure your passkeys are end-to-end encrypted and cannot be accessed by anyone, not even Google.

When you start using passkeys on a new device, you'll need to know either your Google Password Manager PIN or the screen lock for your Android device. These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices. You can set up a six-digit PIN by default, or select PIN options to create a longer alphanumeric PIN. You can already create passkeys for popular sites and apps such as Google, Amazon, PayPal and WhatsApp, and since Google Password Manager is conveniently built into Chrome and Android devices, you can get started today without having to download any additional apps. So it is built into your browser. That "started today" was a link to passwords.google, so anybody who's interested can open Chrome and head over to passwords.google to enable, configure and start using Chrome's built-in passkey solution.

0:55:18 - Leo Laporte
And I did note that, with the addition of a PIN, which can be a passphrase, that is the missing feature which SQRL always had, which enabled you to securely use essentially the same kind of public key authentication which SQRL was built around, securely on your desktop. So, poor Steve, there's just constant reminders of how it was done right at one time. And yeah, yeah, well, the market. But Leo, to have passkeys in Chrome.

0:55:32 - Steve Gibson
That's huge, yeah. So now, wherever you're using Chrome, you'll have synchronized passkeys protecting it, adding an additional layer of a PIN or a passphrase, you know, stronger, consuming, I'm sure, time- and processor-intensive hashing to create a key which then decrypts your store of passkeys. So, you know, you need to provide that PIN to decrypt it in order to authenticate. So that's good.

0:56:11 - Leo Laporte
Of course, it's a complete lock-in to Google Chrome. It is. So, unfortunately, that is the nature of passkeys.

0:56:20 - Steve Gibson
At this point it is not, you know, platform agnostic.

0:56:23 - Leo Laporte
You're going to be locked into something.

0:56:27 - Steve Gibson
Yeah, they don't want it to be. A potentially serious, as in 9.9, Linux unauthenticated remote code execution vulnerability just broke. It was sent to me this morning by a listener of ours, Alessandro Riccardi. So thank you, Alessandro. The researcher behind this is not someone we've encountered before, so I spent some time doing a bit of background checking, and he's clearly the real deal. His name is Simone Margheritelli. He's based in Rome, Italy, and uses the handle evilsocket, but he's not evil. He has a presence on LinkedIn with more than 500 connections, with many projects under his evilsocket handle on GitHub. His Twitter handle is, of course, evilsocket, and since 2009 he's posted more than 15... Yes, look at that web page, Leo. The guy's got five pages of links to his stuff there. It's really impressive. He's posted more than 15,000 times on Twitter and has accumulated more than 42,000 followers. His site is www.evilsocket.net, and he uses the glider from Conway's Game of Life as his icon. Wow.

That's impressive, that you saw that.

Yeah, this guy knows what's going on. And as I wrote in the show notes, looking over his five pages of projects indexed on his site, although he's been somewhat less prolific the past few years, as I said, this guy is clearly the real deal. Now, I went to the trouble of doing this bit of vetting because of the potential significance of the claims he's making in his still not public, responsible disclosure. Here's what he just posted and why it might matter. He leads with six bullet points. Unauthenticated, meaning you don't have to provide a username and password, unauthenticated RCE, so we know that's remote code execution, versus all GNU/Linux systems, plus others, and I should note that that also includes BSDs, so the Unixes. Disclosed three weeks ago.

He wrote, full disclosure happening in less than two weeks (as agreed with devs). Still no CVE assigned. He said there should be at least three, possibly four, ideally six. He said, still no working fix. Oh, and Leo, if you want to scroll down two pages, I've got a link that you could put up on the show of this. Still no working fix.

He said Canonical, Red Hat and others have confirmed the severity, a 9.9, and he said, check screenshot. He said devs are still arguing about whether or not some of the issues have a security impact. Okay, then he wrote, I've spent the last three weeks of my sabbatical working full-time on this research, reporting, coordination and so on, with the sole purpose of helping, and pretty much only got patronized because the devs just can't accept that their code is crap.

He said responsible disclosure, no more. And there was another link, but I'll explain why I don't have anything more there in a second. He said the writeup is going to be fun, not just for the technical details of it, not just because this RCE was there for more than a decade. Oh boy, if your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is, even though he's literally giving you proof of concept after proof of concept and systematically proving your assumptions about your own software wrong at every turn.

1:01:22 - Leo Laporte
This is just insane. This guy is Italian, isn't he? Yeah. He said,

1:01:28 - Steve Gibson
Just wanted to add for the sake of clarity that I have so much respect for the people at Canonical and that had been trying to help and mediate from the beginning.

I really don't know how they managed to keep their cool like this. This is going to be the write-up opening statement. It's an actual comment from the GitHub conversation. I mean, it's not wrong. Dot dot dot. And he said, and yes, I love typing the SH out of this stuff, because apparently sensationalism is the only language that forces these people to fix. Okay, now, at this point we don't know more.

We do know that an unauthenticated RCE requires something to be listening on the Linux end and accepting packets. It's impossible to say more than that without more information. So we don't know, for instance, what percentage of Linux systems might be vulnerable. Nor, if not all, or why not, the fact that there's some controversy about this, with some distro devs apparently disagreeing, should give us pause and should tamp down any panic. Perhaps the exploitation of this requires, you know the moon to be in a certain phase. We just don't know.

Annoyingly, his Twitter feed is locked, so I've been unable to view the various clues he's dropped. However, I've been able to view the comments and reactions to his postings made by people whose feed is not locked because they follow him. I applied to follow him. I don't know if I've been permitted yet. I've been busy Anyway.

So the comments in that thread are things such as probably and luckily the first to point it out publicly, but not the first that exploited it. It's sad. Or please don't disclose on a Friday, preferably on Tuesday. I like my weekends. So someone else said please don't rush this. Quote all Linux systems, unquote, is a gigantic and diverse attack surface and the vulnerability sounds trivial in hindsight, making it almost impossible to fix without telling the world about it. Yikes, but again, we don't know.

Another comment A vuln impacting all Linux distros with a low attack complexity, going unnoticed for a decade is highly unlikely. Also seen both sides of this, wrote someone working on some unrelated disclosures at the moment, but it's taking a long time to keep all sides happy. Thankfully, other times fixes and CVEs have been confirmed in the blink of an eye. Don't let one bad one put you off. Someone else said Also all Linux systems and others Does that mean Android and BSD? And somebody else replied Says elsewhere in the thread BSD is included. And finally, not to piss anyone off, but I have seen far too many high CVEs that just turn out to be a fringe or quote the devs don't agree with me, so they're dumb, unquote. Anyway, as I said, I put in my request to follow him. If he accepts that request, I'll be able to see more of what he's shown his followers, and in two weeks we'll apparently know more. Either way, this will be interesting, so stay tuned.

1:05:26 - Leo Laporte
Maybe a big deal, maybe not. Yeah, it sounds like he's credible, but it is a lot to say. It is. Yeah, I mean, you know, some of these comments.

1:05:35 - Steve Gibson
Like, you know, low attack complexity, trivial to execute. Like, you know, your microwave is vulnerable. Who knows?

1:05:45 - Leo Laporte
As long as my coffee machine is not vulnerable, I'm okay. Don't mess with my coffee machine. Don't mess with that baby.

1:05:51 - Steve Gibson
Leo, let's do some feedback after we take our third break. We got a bunch of interesting stuff to share from our listeners, Certainly certainly.

1:06:01 - Leo Laporte
Our third break is our sponsor, BigID. You've heard me talk about BigID. They're the leading DSPM solution. DSPM, you know? DSPM, it's Data Security Posture Management, and BigID is where DSPM is done differently. BigID seamlessly integrates with your existing tech stack. That's nice. You don't have to start over. It allows you to coordinate security and remediation workflows. You can uncover dark data. You could identify and manage risk. You can remediate, and remediate the way you want, plus scale your data security strategy. This is really a nice tool to have. You could take action on data risks. Did I say nice?

This is a must-have. Annotate, delete, quarantine and more, based on the data, all while maintaining an audit trail. Yeah, and if you're thinking about AI, and who isn't these days, you will like BigID's advanced AI models, which allow you to reduce risk, accelerate time to insight, and gain visibility and control over all your data. And if you ever wonder, well, who uses BigID? Well, how about, I don't know, who was a big client? The US Army. The US Army. They use BigID to eliminate dark data. You can imagine they've got data all over the place, right? To accelerate cloud migration, to minimize redundancy, to automate data retention. Here's a great quote. This is from the US Army Training and Doctrine Command. They say, quote, the first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings. I've never seen a capability that brings us together like BigID does. No matter where your data is, even in zip files, BigID can see it. Don't miss this.

They've got a big event coming up, their exclusive CISO Digital Summit. It's October 17th, 11 am Eastern Time. You can go. It's virtual. It's centered around the next era of data security, a virtual summit that will feature deep dives into the latest data security practices and technologies, everything from DSPM to AI to DLP and beyond, with expert-led panel sessions and interactive discussions with your peers. You've got to attend this. A great lineup of speakers, including a keynote from the head of cybersecurity and compliance at Denny's. How many stores do they have? I mean, talk about data that's everywhere. And now you can get two CPE credits and a raffle entry just for attending. So be sure to tune in.

Strengthen your organization's security posture in an ever-evolving digital landscape. Again, that event is coming up October 17th, the CISO Digital Summit, 11 am Eastern Time. It's easy to get more information, but you just got to go to bigid.com/securitynow. Start protecting your sensitive data wherever your data lives. bigid.com/securitynow, you can go there, get a free demo.

See how BigID can help your organization reduce data risk, accelerate the adoption of generative AI safely. bigid.com/securitynow. By the way, a lot of white papers there. They just published a free report, brand new, that provides valuable insights and key trends on AI adoption challenges and the overall impact of generative AI across organizations. BigID is really important, because you've got to know, what are you training it on? Is it appropriate to train it on this? Is it compliant to train it on this? This is the kind of thing you've got to pay attention to, and BigID makes it so easy. bigid.com/securitynow. Find out more. bigid.com/securitynow. We thank them so much for supporting Steve and the big work that he's doing here at Security Now. Let's close the loop, shall we? Let's do it. All right.

1:10:03 - Steve Gibson
So, Stephan, he said, Hi, Steve, I just wanted to post some feedback in regards to credit freeze. I'm not sure why, but credit bureaus need to be forced by law, by local government, provincial here in Canada, to allow us to freeze our credit. I tried in Ontario and there was no way for me at the moment. Wow, I know.

1:10:26 - Leo Laporte
It's a federal law in the US, but I guess not in Canada.

1:10:29 - Steve Gibson
Yeah, he said, under the previous party they had started trying to implement it, but since we changed from Liberal to Conservative, this law is now in limbo. Could you share this feedback to have your listeners contact their local provincial MP to try and force the change, or if anyone knows where I could go to force the credit bureaus to change this without being forced by law? That would be great. He says, it is my credit. Yeah, I should be, you know, I should not be held hostage by credit bureaus.

1:11:03 - Leo Laporte
Thanks, Stefan. Bad Rod in our Discord says Quebec is the only province in Canada now with credit freezes. Wow, so it is province by province. Yeah, wow, but that's why it's so good.

It was the same in the US until they made that federal law, and that's the way to do it. Was it state by state? In the US it was state by state, and the reason that was problematic is that in some states I think Maine it cost a lot of money to unfreeze your credit. It was different amounts of money for every state and the federal law in the US made it. They have to offer a freeze and an unfreeze at no cost, and all the credit bureaus do that by federal law. You've got to do that in Canada too. That's shameful.

1:11:47 - Steve Gibson
And, as we know, it ought to be locked by default, and then you ought to selectively unlock it for specific lenders. We're not there yet, but that's when you want to permit access. Yeah, and something like this NPD breach is like, holy crap, I mean, it's no longer difficult.

Yes, wow, okay. And while we're on the topic of credit bureaus, a person wanting some anonymity said, Steve and Leo, I'm a software engineer in the fintech industry and have been an avid listener of Security Now since I started my programming career in 2005. Thanks for the podcast. I've had a frozen credit report ever since the topic was first introduced.

After the National Public Data breach, I persuaded my girlfriend to freeze her credit as well, but we encountered a horrifying issue. When we created a new account for her on Experian and logged in, we discovered that her newly created account was linked to someone else's profile. Oh no. He said, that's right, we had full access to another customer's credit history. Oh, my goodness. Get this, Leo. The sign-up process requires your first and last name, some address details and part of your Social Security number. That's right. However, Experian seemed to match only the first three letters of my girlfriend's first name and the last four digits of her Social Security number. Oh wow. This caused her account to be matched with another woman who had a similar first name, though spelled differently by four characters, the same last four SSN digits, and lived in the same state, Michigan. But aside from these details, everything else was different: different last name, different previous addresses and so on. After hours of frustrating calls with Experian support, where several agents insisted this wasn't possible...

1:13:58 - Leo Laporte
Of course not, it couldn't possibly happen.

1:14:00 - Steve Gibson
We could still view the other woman's entire credit profile. Eventually, Experian reset my girlfriend's account, and on the second attempt the sign-up process completed correctly with the proper information. Wow. Since the early days, a mess, you know. Thinking about this, I suppose the use of only a few characters of the person's first name, or last name, really, might make sense if matching against spelling variations was a problem. But what could be the possible reason for not matching against the individual's entire Social Security number? The user needs to know it, and the credit bureau obviously knows it. So why not require a complete match? You know what, are they afraid that the user cannot enter the entire thing correctly?

I'm at a loss to understand what twisted numbskull logic could suggest only providing the last four, as if it has to be a secret from the credit bureau. That's why you do the last four and mask the others, right? It's like you're wanting to prove that you know, but you're not wanting to share it. But when you're creating an account with them to access your credit, you absolutely want to prove to them that you know your entire Social Security number.

1:15:44 - Leo Laporte
It's insane. Yeah, yeah. It doesn't surprise me in the least.

1:15:49 - Steve Gibson
Wow, unfortunately, and these are the people who are, you know, happily giving away our credit data to anybody who asks. Right. Niall Davis said, Hello, Steve, I've been a loyal listener since number one, and I love that you're going beyond 999. I have a Drobo 5N that I got many years ago after hearing that you had one too. It seems to still work great. I took my drives out and reran SpinRite 6.1 on each of them without a hitch. I got a Synology DS1522+ a year ago and I love it. I know that, with Drobo being out of business, the question that I have is this: should I still trust my Drobo that's upgraded to the latest firmware, or should I just ditch it and get another Synology? Thanks for all you and Leo do. Take care, Niall. Okay, so I'm in a very similar situation, Niall.

My first experience with consumer-grade NAS was the Drobo 5N. Since it was working well, when my wife and I set up a second nest for ourselves seven years ago, I purchased another identical Drobo 5N for that location. Then my original Drobo 5N died. It had given me many years of service, but something in it went south. I tried another power supply, swapping drives and doing everything I could think of, but it refused to behave. I'd been hearing about Synology, and we knew that Drobo would be on the chopping block. So, even though I could still have obtained a replacement Drobo 5N from the supply chain, I decided it was time to switch to Synology, and all I can say about that is that I have never been happier.

1:17:41 - Leo Laporte
I'd agree. I had a Drobo Mini, which I loved, yep, but you know, if you're just using it as a USB drive, that seems like that's probably harmless.

1:17:51 - Steve Gibson
And if it's entirely behind your NAS, so it's not publicly exposed at all, then that would be a factor too, but the N is a NAS and it's intended to be sitting on your network. And it's on mine but not exposed, and I've got all kinds of extra security stuff that your typical consumer doesn't have.

1:18:10 - Leo Laporte
Yeah, as long as it's not visible to the outside world, it's probably okay right, yeah.

1:18:14 - Steve Gibson
So my feeling was the Drobo was fine for a non-power user who's happy with fewer options. But that's not me, and that's not you, Leo. And after I set up my four-drive Synology to replace the original Drobo 5N, which had died, I purchased another identical Synology for my second location. So now that location has the original second Drobo 5N, which is still going fine, and a Synology. Well, now you're fine.

The reason I have two is that my wife, who has a lot of letters after her name, some of which are PhD, has her doctorate in applied psychophysiology. Seven years ago she asked me whether there was a way we could set up her clients with a laptop and a two-channel EEG amplifier to facilitate at-home neurofeedback training. As with all forms of real-time biofeedback, neurofeedback is the process of showing a client some aspect of their brain's function that would be better if it were changed, and amazingly, it's possible to effect such change just by showing them what's wrong. So I found a fantastic two-channel EEG amplifier from, of all places, Bulgaria, and we purchased a fleet of inexpensive, recycled Dell laptops from Amazon. I'm sharing this backstory because all of those widely distributed laptops are running instances of SyncThing which are synced to that second Drobo 5N. That is cool, Steve.

1:20:01 - Leo Laporte
That is really cool.

1:20:03 - Steve Gibson
It's still going strong, yep, and it is being used to keep all of the therapy that those laptops are doing synchronized with home base.

1:20:13 - Leo Laporte
And presumably backs up to the Synology or some other reliable drive. Right, you wouldn't want it to be your only source.

1:20:20 - Steve Gibson
So Lori is able to look at a local drive a drive that's local to her thanks to SyncThing and look at all of the logs of the remote sessions that her clients are doing wherever they are. That's neat. So it's very cute to tweak the therapy that a given person is doing and those settings get propagated thanks to SyncThing to their laptop the next time they boot it up and they're automatically using updated therapy settings. So it's really unique and cool. The point is so.

Niall asked, should I still trust my Drobo or should I just ditch it and get another Synology? I'm still trusting that original Drobo 5N and I'm hoping it continues purring away until my wife decides she no longer wants to offer this form of remote therapy. If Drobo also throws in the towel while its laptop synchronization services are still required, then I'll move its sync functions over to Synology, which, again, I love. I'm so happy with my Synologies, but if I ever have to do that it would be a pain. So I'm just hoping that the Drobo continues to purr away. I don't ask it to do anything new. I just say, you just keep doing what you're doing, and let's hope you last longer than my wife's therapy practice.

1:21:53 - Leo Laporte
I mean, if you use hard drives, you don't often say, oh, I hope this hard drive manufacturer doesn't go out of business. I mean, if you think of it as a USB drive, that's fine, right? Yeah, yeah, exactly, as long as you back it up. But you back it up and sync, and SyncThing's technology is very secure, so it's encrypted in flight.

1:22:15 - Steve Gibson
Yeah, it is end-to-end encrypted, and boy, it took me a while to, like, you know, can I really get that? Like how much work it was doing for me. I was like, this has to be harder than this, but it's actually not.

1:22:30 - Leo Laporte
You just say here synchronize these things and it goes okay, and it's surprisingly fast.

1:22:36 - Steve Gibson
I mean, that's, it's, it's like wow, I just changed that file and it's already on the other drive. Yes, I abandoned Synology's dual Synology synchronization because if I made a bunch of changes, it sent the entire drive across again, because I monitor my bandwidth and it was like what the heck just happened. It was like multi-terabytes going from point to point. It's like this is dumb, so I shut that down. Now I just use SyncThing, which is running natively on both of my Synologies. So, yeah, it's a win.

1:23:12 - Leo Laporte
Yeah, there's a community distro of SyncThing.

1:23:14 - Steve Gibson
Yes, exactly what I'm using, yep. So Danny in sunny Scotland. He said, FYI, last week's Security Now email was routed to my junk folder. I'm using Apple Mail, he says, and I have my own domain set up on iCloud. It was fine until last week, so I guess something must have spooked their filters. I know what. In any case, I marked it as not spam. Hopefully their filters will get the message, so to speak. All the best from sunny Scotland, signed Dan.

1:23:50 - Leo Laporte
It's sunny this year. Wow, he's making a point of that, yeah.

1:23:54 - Steve Gibson
So last week, as our listeners may remember, I asked any of them who discovered their weekly Security Now email going to spam to please mark it not spam. Many listeners, like Dan, noted that they had done so, so I wanted to thank everyone for that. What I've learned so far through this emailing adventure is that, just as with code signing, the earned reputation of the signer is everything. I'm signing all my email cryptographically, so GRC as the source is unspoofable, and we've been using email for our business for decades and we have enjoyed a spotless reputation, since we never have, and obviously never would, actually send spam. But GRC's reputation is now being challenged because for the past several weeks I've been slowly sending out email to GRC's past SpinRite 6.0 purchasers to notify them that they can have 6.1 at no cost. And I'm careful not to use the word free, because that, like Viagra, is one of those words.

I can't put any exclamation points in email either. That's bad. And in fact, I actually saw one spam filter where I'd said, you are invited to download, and it's like, oh, you can't invite anybody either. So it's like, wow, that's what the world has come to. Isn't it sad? But

anyway, I've been slowly sending this out, and I suppose that from the standpoint of, you know, it would technically be classified as UCE, right, unsolicited commercial email, except that I'm trying to give away an upgrade that I and many others spent three and a half years working to create. So I'm not profiting from this. But anyway, you know, it's not email from a Nigerian prince, and every email address I'm using is what SpinRite's purchaser used at the time to receive a purchase receipt from us. However, it is also true that I have not bothered any of those people until now, and those addresses date back as far as 2004. And, Leo, when I saw this, I knew you'd get a kick out of it. There are addresses with CompuServe account numbers in the list. You know, they're like 76294.3276 at CompuServe.com. So, anyway, I've been mailing in reverse order from the most recent toward the least recent, and I've now progressed as far back as 2008, all the way through 2008, so to the start of 2008. At this point, more than 10% of the addresses are bouncing. Overall, I have to say it's going better than I had hoped.

But when a major ISP like Apple or Google or Microsoft sees GRC sending to many non-existent addresses, they will quite reasonably decide not to bother their current users with email coming in from the same source that is going to invalid addresses. So they route it into the user's spam or junk folders. There's nothing I can do about that. It's not possible to check people's email addresses ahead of time. I actually ran the list through something called Email Hippo in the UK, which cut out about 20%, I think, but I'm working through the rest. Anyway.

So the good news is this will be a one-time, transient problem which we should be on the other side of in a few weeks. Once that's happened, I will have a much smaller but updated and cleaned list that I'll be able to use going forward with much less trouble. Until then, I need to ask for everyone's patience. I'd greatly appreciate it if anyone who again, or continues to, discovers their weekly Security Now email in their spam or junk folder would mark it as not spam. That would be great, because that is the most effective way of training the ISPs' spam filters that GRC is not, and never has, actually sent out spam, even if we are attempting to contact some of our very old purchasers.

1:28:45 - Leo Laporte
I will look in my spam inbox to see if I have anything. By the way, before the show began I said hey, I don't see your show notes because normally they go into my important folder. I realized why, and I don't know, because at the bottom of your uh email it says unsubs. There's an unsubscribe link. Yeah, because it's a newsletter. And, uh, I have a filter that whenever it sees an unsubscribe link, puts the newsletter into a mailing. It doesn't kill it, but it puts it in a mailing list folder because I go, well, it must be a mailing list and I don't want to have it fill up my inbox. So I did find your email in my mailing list.

1:29:27 - Steve Gibson
I can whitelist you so that that doesn't happen in the future. Well, thank you, and I am getting so much good feedback from our listeners, who love the fact that they get this email from me every week it's turned out to be a big win and I can you know you mentioned the unsubscribe link. It was very clear to me that many ISPs are clicking that link on behalf of themselves.

1:29:51 - Leo Laporte
Gmail does that when they see email coming in to a non-existent address.

1:29:55 - Steve Gibson
That's right. They go, oh, and they unsubscribe, and that's wonderful. There's nothing I would want

1:30:05 - Leo Laporte
Want more than for, you know, email to be unsubscribed when I send to a non-existent address.

1:30:08 - Steve Gibson
That is the that is the perfect solution.

Yeah, and, of course, everything I send has a big, prominent unsubscribe, and in fact I was just reading, too. You know, Leo, get this. The threshold for spam is astonishingly low.

Google's formal policy, and a service that I used briefly, Postmark, they want it to be 0.1%, which is to say one in a thousand spam complaints is the most you're able to have, and if you go over one in a thousand using Postmark as your mailer, I'm not doing it, I'm going back to using GRC.com, but they will stop you. They will freeze your mailing at that point and say, what's the problem here? Google says the same thing, but they don't have a policy exception until 0.3%. The problem is this policy was just implemented earlier this year, announced last October, but most business-to-business mass mailings are around 3%. So 10 times the policy violation that Google has set and 30 times the spam level that people are supposed to keep things under. As I said, we're normally at zero and we've always been at zero, but we're getting people who click, and in fact I've been annoyed by this Gmail UI. When I'm looking at my Gmail and I click a bunch of things, I have to be very careful not to mis-mark things as spam, because Google makes it very simple to do that.

yeah, yeah, it's gone forever now yeah, exactly, and I don't want to do that because some things I do want to keep receiving and not have them disappear into my spam folder.

1:32:04 - Leo Laporte
So anyway, Isn't it funny. I would have thought here we are in the year 2024. That spam would have been conquered by now. And in fact it's worse than ever. You don't ever see it because everybody's so aggressively blocking it, but it's more traffic than ever before, isn't it?

1:32:25 - Steve Gibson
And remember, in the early days, Leo, of the podcast Mark Thompson and I were working on, we had some heuristic filtering thing I remember, yeah. And this came up because Dvorak's comment famously I get no spam, I get no spam.

1:32:41 - Leo Laporte
He gets spam now. I'm sure I don't know how anyone could not get spam. But thanks to all of these efforts, we maybe don't see as much of it as we did in the past, but we also, as a result, don't see a lot of email from mom either. So I don't know.

1:32:58 - Steve Gibson
Actually, I had a conversation with John just the other day because someone had said to him, he had been using MailChimp for his podcast stuff and he was not happy with, I guess, the lack of absolute control over it. And so someone had said, oh, Gibson's using this great system, and so he shot me a note, and we talked on the phone for about an hour, and I just want to say again about this nuevoMailer that I found.

It was all the stuff, all the rigmarole I've been going through. For example, I realized that .me, .mac and .icloud were all being blocked because I was sending from spinritenews, which was a domain with zero reputation, and Apple just said, who the heck are you? No. And just, you know, so it's not that I misbehaved, it's just that they'd never seen me before. And I guess of course that's what spammers are going to do, right? If they damage the reputation of a given domain, they'll just create a new one and start spamming from there. So Apple has a deny-first policy. Like, filter out all of the .me, .icloud and .mac domains and create a separate list which then I sent through GRC.com, which Apple loved. Not so much now, but they did. And anyway, all of this stuff I was doing.

This thing is a workstation for working with email lists and sending. It's nuevoMailer, and this Greek guy, I think he only got like 132 bucks from me one time. It's in PHP, so he and I have been sending code back and forth to each other because I'm sort of in a unique position of having this massive bouncing of the email that I'm sending out, so I'm able to look at and work with him on improving his recognition of the reason for things bouncing. Anyway, I cannot recommend this highly enough. I said the same thing to Dvorak. I said, if you've got anybody around who's a PHP developer, you need to be able to run PHP on your server, and you can use a third party to actually send your mail through. It will connect beautifully, so you don't need your own SMTP server. Anyway, it is a fantastic facility. So I just, you know, I like to tell people when I find a good sci-fi author or a piece of software, like that email archiver that I love also. Anyway, for email, this is it. So, you know, it won't do everything that you see from GRC, because I wrote my own front end, but boy, for back-end sending of email, and you can do subscriber and double opt-in and all that stuff. I just didn't want to use his because I like to do things my way. But wow, it's really great. Okay, Steve P. I must've given him some anonymity, because I think he told me his whole name, but I thought he wouldn't want me to share it. He said, hi Steve.

I'd appreciate your latest thinking on the safety or otherwise of connecting to public Wi-Fi. I'm currently, oh, I know why it was, because of medical things. He said, I'm currently enjoying, he has in quotes, "an extended stay" in a hospital, and, as with most public places here in the UK, they're offering free Wi-Fi. However, unlike most, the network here does not require a password to connect. You're briefly taken to a portal and then granted internet access. I seem to remember long ago you touching on this subject on Security Now, but I'm uncertain if this type of public Wi-Fi network with no password is a risk too far.

I'm using an iPhone and iPad here, typically via the personal hotspot on the iPhone, but this can be restrictive, so I'd like to use the faster free Wi-Fi offered here, but only if it's safe. I've briefly connected to the free network, but I'm still uneasy about this. I'm also using a VPN, ExpressVPN, to connect. If it's generally a bad idea to connect to public Wi-Fi with no password, does a VPN mitigate the risks somewhat? The ceiling-mounted Wi-Fi access points appear to be branded Cisco, but of course I have no way of knowing how this is set up in the background, i.e. client isolation. Anyway, thanks for all you do. 6.1 continues to work well, of course. Regards, Steve P. He's currently an inpatient at St Thomas' Hospital, London, although hopefully not for much longer. Okay, so the short version is that the use of any high-quality VPN system, such as ExpressVPN, completely—

1:38:10 - Leo Laporte
Our sponsor, which we should mention.

1:38:13 - Steve Gibson
Are they still a sponsor? Oh yeah. Completely encrypts all traffic inside of the VPN's tunnel. It's only decrypted as it emerges onto the internet at the VPN provider's servers. There is no better or more complete protection available for shielding one's traffic as it passes through a Wi-Fi hotspot, whether open or password protected. The big upside to the use of a VPN provider is the convenience of being able to use their always-present servers. The only possible downside to the use of any big provider is that once the tunnel traffic emerges onto the public internet, it is visible to everyone, and there's always been speculation, but I don't think really any evidence, that such places are where national intelligence services might be sniffing around, since overall it could be expected that traffic emerging from or going into a VPN service might be more interesting than just random packets on the internet. But who knows? So one possible improvement would be to run one's own VPN server at home or office. In that case, not being any big and well-known VPN service, there would be less chance of generic traffic capture. On the other hand, if someone was interested in your traffic specifically, that's where they'd be looking for it. So you kind of can't win. And, for the sake of completeness, what about the case of no VPN whatsoever in an open, public Wi-Fi hotspot?

Things are definitely 100% better these days than they were back in the earlier days of this podcast. Podcast number 272, recorded October 27, 2010, was titled Firesheep.

Fourteen years ago, the simple, unencrypted HTTP protocol was still dominant, and connections typically only switched to secure HTTPS when credentials were actively being exchanged. But these days, 14 years later, all connections are always encrypted. This makes it far safer to use any open, public Wi-Fi hotspot without a VPN than it once was. Now, it's true that DNS queries are probably not being encrypted, so it would be possible for someone to eavesdrop on your DNS lookups, but the IP addresses you're visiting could also not be hidden, even if what you do there, at the location of the remote IP, would be solidly and well encrypted. So I suppose I'd say today, in a pinch, using open Wi-Fi is not super high risk, though it's not ultra private, and if you have access to a VPN or overlay network, there's no better time to use it. So ExpressVPN, since our listener Steve P has it, absolutely use it, and you should use it without, you know, without any further concern.

1:41:39 - Leo Laporte
Point of order, Mr Gibson. Yeah, so what he described is a captive portal, in other words, and you've seen, we've all seen this. You join a Wi-Fi network at an airport and you have to go through a login page, right? Technically obviously different than a WPA2 password-protected network, but is it in fact less or more secure? I don't think so.

1:42:03 - Steve Gibson
I would say it's less secure because all it's doing is intercepting your initial attempt to get out and requiring you to click OK to agree to the terms of service Right, which are. You know you're holding us harmless for anything that happens while you're using our wi-fi, you know.

1:42:24 - Leo Laporte
So click yes if you want to, otherwise, sorry. So if you're, though, in a hospital and they have the password on the wall and you log into a password-protected network, that's effectively exactly the same, right? Correct. The issue: can someone, some bad guy, get onto the network to see your traffic? They could easily get through a captive portal. A password, if they didn't know it, they couldn't get through, but, on the other hand, if it's in a public place, the password is usually publicly posted.

1:42:55 - Steve Gibson
And if a bad guy got a hold of the traffic on the other side of the access point, it's all of the traffic.

1:43:02 - Leo Laporte
I mean it's regular.

1:43:05 - Steve Gibson
Ethernet wired traffic which you can easily sniff.

1:43:07 - Leo Laporte
So a captive portal isn't necessarily better or worse than a password.

1:43:12 - Steve Gibson
It's just a different way of doing it. Right, and what you really want is what Steve P has access to, which is a VPN. Right.

1:43:18 - Leo Laporte
And one of the reasons people often don't want to use a VPN at home is they're also trying to protect themselves from their ISP. Yes, so if you use your home VPN, sure you're private until you get home, and then everything is going up.

1:43:30 - Steve Gibson
That's exactly right. Yeah, that's exactly right. Richard Anthony, CISSP, wrote: Steve, those of us who use Security Now for CPE credits for certs like CISSP and CEH need to post proof when we submit credits. Many of us grab a screenshot at the end of a video podcast for proof. We use the end of the video to show that we watched the whole thing. I've been doing this for many years now. I do this on my iPad and show the date and time I watched, along with the episode number. Huh. Now, to maintain our certifications. Many thanks, Richard Anthony, CISSP. And so I have no idea whether that could be done, but it could easily be done.

I'm trying to think of how we would institutionalize that just sort of bring it up toward the end while while we're doing the wrap-up yeah, I usually yeah, like that.

1:44:39 - Leo Laporte
If that's there, that's all we need, right? I have that In the past when I was doing it in a studio. I would do that in the last segment of every show because it would have the title in there and it would be the title topic. These no longer have the topics on there.

1:44:56 - Steve Gibson
No but I think the number and the date is probably absolutely sufficient.

1:45:01 - Leo Laporte
And don't forget, over my shoulder there's always a date and time. If you need a date and time stamp, that's actually one of the reasons that clock is always there. Nice. People have asked for that. Yeah, we'll make sure to. I used to always do that. I didn't know that's why I was doing it, but it turned out that was a benefit. Cool. So, Benito, just remember that, or whoever is in charge, copy that. How could I do that, Anthony? Is there a way I could stick a... It's in the captions? Let me go to the generic share.

1:45:34 - Steve Gibson
Yeah, it's in the captions and you can hide or unhide that lower third.

1:45:36 - Leo Laporte
Oh, okay, good, All right, so if Benito's not around, which he always is?

1:45:43 - Steve Gibson
Don't go away, Benito.

1:45:45 - Leo Laporte
For some reason, benito's not around. I will endeavor to remember that at the end of the show Nice. Which is not over.

1:45:52 - Steve Gibson
Another listener, Richard Cornell, who is an IT security manager in the UK. He says: Hi Steve, a few times in recent SN episodes you've referred to Windows Defender when discussing CrowdStrike. You are correct in saying the free Windows Defender product is nowhere near as feature-rich as the alternative enterprise products. However, if you purchase a Microsoft 365 enterprise license, such as M365 E5, you get Microsoft Defender XDR, which is every bit as capable as CrowdStrike and the alternatives. Like all these products, it's not perfect, but we've used it for a number of years and it is just as good, with the advantage that it's part of the integrated Microsoft stack. Keep up the good work and onwards to 999 and beyond. So thank you, Richard.

I appreciate hearing from someone who has experience with Microsoft's high-end enterprise solutions, and as a user of the simple free Windows Defender, I'll certainly admit to a bias towards native solutions as opposed to installing extra stuff outside of the box. Yeah, so that's good to hear. We hadn't heard anybody. We were hearing people saying, yeah, I'm sticking with CrowdStrike because it saved our butts a bunch of times. So even though they screwed up, we're not moving. And here's somebody who says, yeah, and you know, Microsoft Defender XDR works just great too.

1:47:29 - Leo Laporte
I think one of the reasons CrowdStrike had such support was because they had so many sensors distributed so widely globally. But I would imagine XDR has to be the same number, or at least right yeah. Yeah, yeah.

1:47:44 - Steve Gibson
Interesting. Okay, our last break, and then we're going to talk about Kaspersky's somewhat ignoble exit from the US and a little bit about what I think that says about where we're headed in the future.

1:47:56 - Leo Laporte
Subtitled: How to Mishandle Your Transition Out of a Country. All right, let's talk about our last sponsor. Often, last is best. In this case, it's certainly one you're going to want to know about: Experts Exchange. Maybe you already know about it. I know I, when they called, I said, wait a minute. I've been using Experts Exchange for years.

I kind of lost track a little bit because there's so many other sites that purported to do the same thing and so forth, but there really never has been anyone quite as good as Experts Exchange, a network of trustworthy and talented tech professionals where you could go and ask questions and not be treated with snark or derision or be patronized, but actually get industry insights and advice of genuine value from people who are actually using the products in your stack. Not only is it better than every other site, it's better than paying for expensive enterprise-level tech support. It's information from people who know, and, by the way, and it is really important, it is not AI. Experts Exchange is the tech community for people tired of the AI sellout. Experts Exchange is there to carry the fight for the future of human intelligence, real humans helping you out, human to human. With Experts Exchange, you get access to professionals in over 400 different fields: coding, Microsoft Azure, AWS, DevOps, I can go on and on, Cisco, everything that you could possibly be using, from other people who are also using it. And, unlike those other places, there's no snark. They're not going to patronize you. Duplicate questions are encouraged, and there's a reason for that. The people who answer questions, maybe you, their contributors, are tech junkies who love answering questions. In fact, I think it's probably the case, it's certainly been my experience, that one of the real benefits of becoming an expert at anything is the opportunity to pass that information on to somebody else who's also interested. It's its own reward. There are other rewards, you get karma points, sometimes CPE credits and more, but the real reward is helping you get that problem solved. One member said, hey, I've never had GPT stop and ask me a question before, but that happens on EE all the time.

Experts Exchange is proudly committed to fostering a community, a friendly, helpful community, where human collaboration is fundamental. Their expert directory is full of people to help you find what you need, including, by the way, somebody who's listening right now, Rodney Barnhart. He's a VMware vExpert and a regular Security Now listener. Ethical hackers like Edward Van Biljon, who is a Microsoft MVP as well, probably could help you out with using a Microsoft product instead of CrowdStrike. There are Cisco design professionals, executive IT directors, CISOs, CIOs, and on and on and on.

Here's another thing If you're considering being a contributor or asking questions on Experts Exchange, you should know that while those other guys betray their contributors by selling their content to train AI models, at Experts Exchange, your privacy is never for sale. They stand against the betrayal of contributors worldwide. They have never and will never sell your data, your content, your likeness. They block and strictly prohibit AI companies from scraping content from their site to train the LLMs, and moderators strictly forbid the direct use of LLM content in their threads. It's for humans by humans. I think you're going to like it. I know I was really glad to rediscover it.

Experts deserve a place where they can confidently share their knowledge without worrying about some company coming along to steal it to increase shareholder value. Humanity, you, me, we deserve a safe haven from artificial intelligence. Experts Exchange, for humans by humans. I just made that up. That should be their new slogan. Join Experts Exchange today and get 90 days free. So they understand that maybe we've drifted off, we've gone in another direction, and they want you back. So they're going to give you three months free, no credit card required, nothing. Three months to try it out, because they know, once you get a taste of what Experts Exchange can offer, you're never going to leave. Experts Exchange, 90 days free, no credit card needed.

E-E.com slash twit. They've been around for a long time. They've got one of those three-lettered dot coms. E-E.com slash twit to learn more. Experts Exchange, a great place to hang, a great place to get answers to the questions you have. We're so glad to have them as a sponsor on Security Now. Steve is not an AI. I can vouch personally for that. Unless he's an, unless there are AIs that particularly like Cabernet Sauvignon. There could be. There might be. All right, let's get on to this Kaspersky thing here.

1:53:08 - Steve Gibson
Yeah. So I started off treating today's main topic as just another news item, to which I'd given the title How to Mishandle an AV Antivirus Handoff, and I'm going to still start with that, because what transpired last Thursday is still news. But this is also the perfect segue for addressing what I think is the much bigger and broader issue of what it means that Kaspersky has been kicked out of the US, and what this and similar moves mean for our future global technology landscape. So let's start with Bleeping Computer's headline, which read: Kaspersky deletes itself, installs UltraAV antivirus without warning. So ask yourself what you would think if something completely new and totally unknown to you suddenly appeared in your computer, and when you went to check on it using the AV system you had purchased and installed, that AV solution was nowhere to be found. Talk about mishandling a transition. So here's what Bleeping Computer reported. They said, starting Thursday, Russian cybersecurity company Kaspersky deleted its anti-malware software from customers' computers across the United States, automatically replacing it with UltraAV's antivirus solution. This comes after Kaspersky decided to shut down its US operations and lay off US-based employees in response to the US government in June adding Kaspersky to the Entity List, a catalog of, quote, foreign individuals, companies and organizations deemed a national security concern. When it happened, in July, Kaspersky told Bleeping Computer that it would begin closing its businesses and laying off the staff on July 20 because of the sales and distribution ban. In early September, Kaspersky also emailed customers assuring them they would continue receiving, quote, reliable cybersecurity protection, unquote, from UltraAV, owned by Pango Group, after Kaspersky stopped selling software and updates for US customers. However, those emails failed to inform users that Kaspersky's products would be abruptly deleted from their computers and replaced with UltraAV without warning.

According to many online customer reports, including Bleeping Computer's forums, Ultra AV's software was installed on their computers without any prior notification, with many concerned that their devices had been infected with malware. One user wrote, quote I woke up and saw this new AV system on my desktop and I tried opening Kaspersky, but it was gone. So I had to look up what happened, because I was literally having a mini heart attack that my desktop somehow had a virus which had somehow uninstalled Kaspersky. To make matters worse, while some users could uninstall Ultra AV using the software's uninstaller, those who tried removing it using uninstall apps saw it reinstalled after a reboot, causing further concerns about a potential malware infection. Some also found UltraVPN installed, likely because they had a Kaspersky VPN subscription.

Not much is known about UltraAV besides being part of Pango Group, which controls multiple VPN brands Hotspot Shield, UltraVPN and Betternet, and Comparitech, a VPN software review website. And just to interrupt here, you got to love that one. The Pango Group controls multiple VPN brands and also runs their own VPN software review site, because why wouldn't anyone go to a site that also publishes multiple VPNs to obtain an objective overview of all available solutions? Apparently, even they cannot decide which VPN is better, so they publish three of them themselves. Anyway, Bleeping Computer says. For its part, Ultra AV says on its official website, on a page dedicated to this forced transition from Kaspersky's software, quote if you are a paying Kaspersky customer, when the transition is complete, Ultra AV protection will be active on your device and you will be able to leverage all of the additional premium features. On September 30th 2024, Kaspersky will no longer be able to support or provide product updates to your service. This puts you at substantial risk for cybercrime. Unquote. A Kaspersky employee also shared an official statement on the company's official forums regarding the forced switch to Ultra AV, saying that it quote partnered with antivirus provider Ultra AV to ensure continued protection for US-based customers that will no longer have access to Kaspersky's protections. Kaspersky has additionally partnered with Ultra AV to make the transition to their product as seamless as possible, which is why, on 9/19, US Kaspersky antivirus customers received a software update facilitating the transition to Ultra AV. This update ensured that users would not experience a gap in protection upon Kaspersky's exit from the market.

Okay, now anyone would take issue with the use of the term facilitate. This wasn't a facilitation. This was an abrupt and unsupervised switcheroo. I suppose they felt they were covered by sending that email notification in advance, and I didn't see what the email said. It may have said in the fine print that if you did not want to have your AV and VPN services switched from Kaspersky to the Pango Group, you could terminate your subscriptions first. Who knows?

What's clear is that, for something as important as a system's antivirus anti-malware protection, users should have been in the loop. A user interface should have popped up explaining that today was the day that Kaspersky was going to be uninstalled and then giving the user the option of replacing it with Ultra AV or uninstalling Kaspersky without replacement. I would bet that did not happen, because Kaspersky almost certainly made a bunch of money selling now with Ultra AV and Ultra VPN. Note that a continuing subscription relationship with these entities implies that Kaspersky also transferred their entire US subscriber database, complete with all billing information, to these Pango Group-owned Ultra AV and Ultra VPN companies. No one thinks this is ideal, but Kaspersky's behavior was at least understandable under the circumstances, and I have to say I can't recall a time that there wasn't a Kaspersky.

Consider the beginning of Wikipedia's article about them. Wikipedia says Kaspersky Lab is a Russian multinational cybersecurity and antivirus provider headquartered in Moscow, Russia, and operated by a holding company in the UK. It was founded in 1997 by Eugene Kaspersky, Natalia Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security and other cybersecurity products and services. Kaspersky expanded abroad from 2005 to 2010 and grew to $704 million in annual revenues by 2020, an 8% increase from 2016. I'm sorry, 2016. Though annual revenues were down 8% in North America due to US government security concerns.

As of 2016, yeah, the software was about 400 million users and has the largest market share of cybersecurity software vendors in Europe. So you know they're the real deal. Kaspersky Lab ranks fourth in the global ranking of antivirus vendors by revenue. It was the first Russian company to be included into the rating of the world's leading software companies called the Software Top 100. Kaspersky Lab is ranked fourth in the endpoint security segment according to IDC data. According to Gartner, Kaspersky Lab is currently the third largest vendor of consumer IT security software worldwide and the fifth largest vendor of enterprise endpoint protection. In 2012, Kaspersky Lab was named a leader in the Gartner Magic Quadrant for endpoint protection platforms. So you know this is not a fly-by-night outfit. I would argue that they have far more cred than Panda, the Panda group, who makes AV stuff no one's ever heard of before. But that's what Kaspersky's users automatically got, and I think this is unfortunate. There's, remember, no evidence of any wrongdoing, but despite the fact that Kaspersky's presence in the cybersecurity world has been nothing but a benefit, their business has been summarily ejected from the US only because they share a country of origin with Putin. So consider these things.

In 2010, Kaspersky Lab worked with Microsoft to counteract the Stuxnet worm, which had infected 14 industrial locations in Iran using four zero-day vulnerabilities that were in Microsoft Windows. In May of 2012, Kaspersky Lab identified the malware Flame, which a researcher described as potentially the most sophisticated cyber weapon yet unleashed. According to the researchers in Kaspersky Lab, the malware had infected an estimated 1,000 people to 5,000 machines worldwide. The next year, in January of 2013, Kaspersky discovered the Red October malware, which had been used for widespread cyber espionage for five years. It targeted political targets like embassies, nuclear sites, mostly in Europe, Switzerland and North America. The malware was likely written by Russian-speaking hackers and the exploits by Chinese hackers.

Next year, in February 2014, Kaspersky identified the malware Mask, which infected 380 organizations in 31 countries. Many organizations that were affected were in Morocco. Some of the files were in Spanish and the group is believed to be a state conducting espionage, but Kaspersky did not speculate on which country may have developed it. Later that year, in November of 2014, Symantec and Kaspersky authored papers that contained the first disclosure of malicious software named Regin. According to Kaspersky, Regin is similar to QWERTY, a malware program discovered the next year. Regin was used to take remote control of a computer and is believed to have originated from the Five Eyes Alliance. In other words, you know who we regard as the good guys.

2:07:23 - Leo Laporte
Well, us.

2:07:27 - Steve Gibson
In fact, huh. Us.

2:07:27 - Leo Laporte
Yes, us.

2:07:28 - Steve Gibson
In 2015, Kaspersky identified a highly sophisticated threat actor that it called the Equation Group. Speaking of us, the group incorporated sophisticated spying software into the firmware of hard drives at banks, government agencies, nuclear researchers and military facilities in countries that are frequent targets of US intelligence efforts. It's suspected to have been developed by the National Security Agency and included many unique technical achievements to better avoid detection. Yet Kaspersky found it. Later that year, in June of 2015, Kaspersky reported that its own network had been infiltrated by government-sponsored malware. Evidence suggested the malware was created by the same developers as Duqu and Stuxnet in order to get intelligence that would help them better avoid detection by Kaspersky in the future. Kaspersky called it Duqu 2.0. Kaspersky also discovered software developed by Hacking Team and used by 60 governments around the world to covertly record data from the mobile phones of their citizens. The software gave police enforcement a quote menu of features unquote to access emails, text messages, keystrokes, call history and other data.

The next year, in 2016, Kaspersky discovered a zero-day vulnerability in Microsoft's Silverlight. Kaspersky identified a string of code often used by exploits created by the suspected author. It then used YARA rules on its network of Kaspersky software users to find that string of code and uncover the rest of the exploit. Afterwards, Microsoft issued a critical software patch to protect its software from the vulnerability. Also that year, in 2016, Kaspersky uncovered the Poseidon Group, which would infiltrate corporations with malware using phishing emails, then get hired by the same company as a security firm to correct the problem. Once hired, Poseidon would install additional malware and backdoors. Later that year, in June, Kaspersky helped uncover a Russian hacking group, leading to 50 arrests, and on and on and on.

So not exactly a blight on the cybersecurity landscape. These guys have dramatically improved the state of cybersecurity through their entire history, starting from 1997. Thus, it's no surprise that so many people have rightfully trusted Kaspersky's anti-malware solutions through the years, and actually through the decades, and this was driven by high-quality independent reviews that found Kaspersky's solutions to consistently rank among the best. Kaspersky earned and deserves the trust they've enjoyed, and at no point have they done anything that would call that into question. As I noted earlier, the world is better and more secure for having Kaspersky's beneficial and highly technical participation. At the same time, what the US Department of Commerce decided last April is also understandable. Could Kaspersky Lab be forced to subvert all of the personal computers in the US which are using its software? We know the answer: yes, that's possible. Could the KGB plant a rogue and trusted employee into Kaspersky's midst who might subvert their systems without anyone else knowing? Sure, that could happen too, just as Microsoft or a well-placed Microsoft employee could do the same for all of the machines in Russia and China that are still running Windows, and, as a result, as we've reported here previously, both of those countries are also moving away from their dependence upon closed software from the West, most notably Windows, as rapidly as they can.

Across the span of the last 50 years, computing has become personal, to the point that we now all carry communicating computers in our pockets, and those communicating pocket computers are all communicating through an incredibly well-working global network that grew up right alongside and kept pace with this incredible evolution in technology, and across this span of time, most of the world enjoyed relative peace and a great deal of relative prosperity. While technology continued rushing ahead at breakneck speed, everyone was in a hurry to see what could be done, what new value could be created and what personal fortunes might be amassed. National, geographic and political boundaries were ignored in the rush to interconnect everything for maximum value and profit, and the entire world has been truly transformed. But the world remains politically divided, and now, after 50 years of astounding prosperity and technical advancement, we're beginning to witness rising tensions among some of the world's largest political powers. Given how deeply intertwined the world's technologies have become, it's inevitable that these technologies, our software and our networks would begin to fall victim to the rising tides of nationalism.

As we know, Russia has even been testing their big Internet cutoff switch, which they can pull to isolate Russia from the rest of the global Internet, just basically running internally on RussiaNet. And I've joked for years about my $5 automated AC outlet as a target, about the absurdity of the West being at odds with the Chinese manufacturers of most of our technology. It's insane. Our homes are filled with internet-connected gizmos and gadgets that phone home to Beijing or other data centers outside of Western control. And in recent news, the US Commerce Department is expected to ban the use of Chinese and Russian hardware and software in American smart cars. According to Bloomberg and Reuters, the upcoming ban is the result of an investigation of cybersecurity risks associated with smart cars. The US government fears foreign adversaries may use technology embedded in US cars to hack vehicles, intercept communications or track targets. And so it goes.

The problem is that, in today's current climate of increasing mistrust, the demonstration of risk is all that's necessary to drive policy, and policy drives behavior.

Having the Internet as a single connected global network is an inherent risk, but it's also been unbelievably valuable. At least it has allowed people the world over to have access to markets and opportunities that would have never been available without this incredible global communications network. And yes, communication itself is risky, especially within countries that wish to exert tighter control over what can be communicated. So is the isolation to follow Russia and break this global network into separate pieces, with each piece only shared among those whose goals and motivations are aligned and trusted. If that's what ends up happening, it would be a horrible shame and would represent incredible lost opportunity, especially for those parts of the world that are being so rapidly advanced and lifted up through access to this amazing Internet resource. Kaspersky's ejection from the US is worrisome as a tangible indicator of the changing, politically challenged technological environment that will affect us all. I sincerely hope our various governments don't allow fear to blind them to the fact that communication is always better than isolation.

2:16:55 - Leo Laporte
It's interesting because this is the episode that you talked about the pager attacks, the supply chain attacks and in a way, that's a similar risk with software from an unknown source or a potentially enemy source.

2:17:12 - Steve Gibson
You made the point, Leo, about how long ago those pagers may have been set up. Right, we don't know what's in the chips that we've been blithely purchasing, and this is only going to get worse.

2:17:26 - Leo Laporte
We used to think, oh, you know, you could just trust everybody. Now we're learning otherwise and we're setting up perimeter defenses, saying, well, if they're outside the US you can't use them. But we know perimeter defenses haven't been a good solution for companies for some time. They've moved to something called zero trust, and I'm wondering if, ultimately, we're not going to have to move to a zero trust kind of attitude on everything that we use as consumers. And this might be up to you, Steve, I'm going to put this on you, but we need people like you to come up with ways that we can use stuff but minimize the risk from that stuff, because that's what we're going to have to do. There's nothing that's known safe anymore, and soon we're going to get in the position where we can presume that much of what we use is not safe. So we're going to need a system, a zero trust system, that allows us to somehow control that.

2:18:28 - Steve Gibson
Yes, I guess the question is you know and it reminds me of Ghostbusters who are you going to trust?

2:18:37 - Leo Laporte
I mean we've gone from trusting everybody right and I've often said this is part of this is civilization. You don't. Civilization doesn't exist without cooperation and trust. When you drive down the street, you trust that the guy coming in the other direction at 30 miles an hour is not going to turn into your lane. That's part of being in a civilization, a cooperative environment. But it seems to me that maybe that's not going to work long term with technology.

2:19:02 - Steve Gibson
So I mean it really means that we pull our skirts in and we don't accept. I mean, for example, that every chip in every auto is designed and fabricated in the USA.

2:19:20 - Leo Laporte
Right, but is that enough?

2:19:22 - Steve Gibson
And this was my point about the economy, right, and is that enough? Yes, that's great for nationalism, but we're able to use incredibly inexpensive design. Now, on the other hand, we saw a huge supply chain shortage during COVID, when automobile prices jumped up because we couldn't get the chips that we needed from offshore. And presumably, if they were being manufactured in the good old USA, then there wouldn't have been a supply chain problem, or would there?

2:20:08 - Leo Laporte
What about Ford, right? We live in a world where trust is required, and yet we are rapidly experiencing the erosion of trust, and it's so valuable.

2:20:24 - Steve Gibson
It is, it is. Without it, it's so valuable.

2:20:25 - Leo Laporte
We can't do what we do without it. You can't drive down the street safely without it, you can't go to Starbucks and have a coffee without it. So what do we do? This is an interesting conundrum. I don't think saying, okay, you can only use stuff from the US, clearly that's not the solution, and that's, I mean, that's what we did with Kaspersky. But is that the solution? I don't think so. All of our devices are made in China.

2:20:51 - Steve Gibson
Well, and we just forced a high-quality source of cybersecurity out of the US. Nobody gets to use that anymore and so, yes, there are alternatives. There are, you know, there are non-Russia-based actors and, you know, some specious claims were made about Kaspersky employees. And I was pronouncing the name wrong the whole time.

2:21:19 - Leo Laporte
I don't know, Kaspersky, Kaspersky. Anyway, what it really is is sad. We need a chain of trust and we have that system with the certificate systems. We know how to do it and I think maybe that's ultimately what's going to happen.

2:21:37 - Steve Gibson
Well, and look at what Apple is doing with the servers that are coming in from offshore.

2:21:42 - Leo Laporte
So do you trust Apple? I mean, bend over and spread them, and then Apple's going to be, the burden's on Apple to make sure that those Shenzhen factories are not compromised, that those workers are not working for somebody besides Apple and us. It's, um, an interesting world we live in. We are very interdependent. Look at the extra cost that.

2:22:06 - Steve Gibson
Apple's going through in order to know that what they're plugging into their data centers has not had some supply chain compromise.

2:22:14 - Leo Laporte
That is expensive. It's not theater. I hope that that's real. You know what I'm saying. Oh yeah, this isn't merely a marketing term, because more and more we're going to need to trust them. Yeah, well, you know who I trust? You, Steve Gibson, and that's one of the reasons you're so valuable is because we found somebody we know we can trust and we can listen to on these kinds of very difficult, thorny subjects. So thank you for doing the show and for agreeing to go beyond 999.

2:22:43 - Steve Gibson
Thank you for making it possible. I wouldn't be here without you.

2:22:46 - Leo Laporte
Well, good, we're going to keep doing it, right. GRC.com is where Steve lives, the Gibson Research Corporation. That's where you can go to find SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. 6.1 is the current version now out and available. Go get it if you don't already have it, and I'll save Steve an email. If you ever bought SpinRite, go get 6.1 free, right? Yep. Who does that? Who does that? This guy, this guy, this guy here, this one. GRC.com. While you're there, that's his bread and butter, but there's lots of free stuff, including ValiDrive.

Uh, of course, I wouldn't set up a network without ShieldsUP, and on and on and on, and even this show. Yes, Steve has, uh, the 64 kilobit audio version of this show, but he also has a couple of unique formats: a 16 kilobit audio for bandwidth-restricted folks and human-written transcripts, thanks to Elaine Ferris, so you can read along as you listen, or just read, or use it for search. It's very valuable for that. GRC.com. Here at Twit we have the 64 kilobit audio, of course, but we also have a video version of the show, which Steve has always wondered why anybody would want that. Wonder no more. How else are you going to see the picture of the week, Steve? I ask you.

2:24:16 - Steve Gibson
Oh, that's true. There would have never been a picture of the week you see, or we would have been like weird, laughing at a picture that only we could see.

2:24:23 - Leo Laporte
We kind of are anyway. So go to twit.tv/sn for the latest edition and all the previous 900 and what is it? 93 versions of Security Now. You can download the audio, and in many cases, not all of them, because we started with audio only, not video, but we do have video on many of them. We do the show every Tuesday right after MacBreak Weekly, so that's roughly 2 pm Pacific, 5 pm Eastern, 2100 UTC. We stream everywhere.

Now I decided, unilaterally, I might add, to not stream on X anymore and to replace that with Telegram. So you know, I don't know, I just, it was a decision on my part. I take full responsibility. So you can watch us on YouTube, you can watch us on Twitch, as long as we, you know, take the copyright exam and pass. You can watch us on Kick, Facebook, LinkedIn, Telegram and Discord if you're a Club Twit member.

Oh, if you're not a Club Twit member, I would like to personally invite you to join. It's only seven bucks a month. You get ad-free versions of all the shows. You support this important mission that Steve and I and the entire team are on, and I think there's some good benefits too, but the real reason to do it is to keep the podcast flowing. Advertising only pays for about half of our expenses. We need you to help us with the other half. twit.tv/clubtwit, if you're not already a member. Tomorrow, Facebook's Connect keynote is at 10 am Pacific. Micah and I are going to cover that because Facebook is expected to announce some interesting new VR and AR devices. Yeah, and we want to keep up on what's going on in that world, so tune in a little early. 10 am Pacific, that's 1 pm Eastern, 1700 UTC, on Wednesday, tomorrow, the 25th, right after Windows Weekly and This Week in Google. And Steve will be back here next week for 994. Yes, sir.

2:26:27 - Steve Gibson
I don't know what's going to happen between now and then, but we'll report on it.

2:26:30 - Leo Laporte
You know there'll be somebody you trust over there to listen to and learn all about it. Thank you, Steve. Have a great week. The Hamilton is not out yet, though. Right, the first book is, but not the second, so we're waiting. I am a slow reader, so maybe I'll start. Might take a while. Thank you, Steve, we'll see you next time on Security Now. Bye-bye.
