Security Now 994 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here the full story about the remote code execution on Linux he talked about last week. We now know what it was. It's not as serious as it seemed, but it could potentially be a problem for a lot of people. What social media platform is now in Roscomnanzor's crosshairs? We'll tell you. You should update VLC. There's a big flaw in it. And Steve takes a closer look at the security and recall and the things Microsoft has done to make it safer. Can you put lipstick on a pig? Maybe you can. Next on Security Now Podcasts you love from people you trust.
This is twit. This is security now with steve gibson. Episode 994, recorded tuesday, october 1st 2024, recalls re-rollout it's time for security now the show we cover your security, your privacy, your science fiction reading online with this guy right here, mr steve gibson of grccom and leo.
0:01:16 - Steve Gibson
We actually do have actually a little bit of sci-fi from john selena uh jammer b, famously known as jammer b.
0:01:25 - Leo Laporte
You know, jammer b, as of course was our studio manager, has since retired and I know he's watching right now. I have a little jammer b corner in the studio. The very first time I met him he brought me that telephone, you know the one with a hello central, give me. You know the thing you hold to your ear. And then the last time I saw him he gave me the macintosh, the original mac 128k, and he had set it up so it would run. And he texted us and said if leo runs load runner in the background, it's got a great active screen that he's actually playing load runner right behind you. So john is, even though he's not in the studio, he is memorialized in the hardware behind me. He's also memorialized in one other way. I have him saying hey, because he used to. Anytime somebody sweared I don't think it happened on this show very often, but he would get all upset, so he recorded this for me your own personal FCC, yeah, hey.
That's nice. What's coming up this week on Security Now?
0:02:28 - Steve Gibson
We have the full story about the Linux remote code execution flaw, which we previewed with some unknowns and questions and a little skepticism. But you know why was there controversy? We're going to find out their controversy. We're going to find out. Uh, we're going to look at what bad stuff can happen if a domain escapes one's control. Even briefly, what social media platform is now in russia's cause? Uh, ross, come on ross crosshairs, uh, the need to update VLC, the very popular Videoland media player.
Oh, I used that To resolve a potential remote code execution flaw there Okay. Tor and Tails have some news. Telegram has some news. Also, we've got some interesting info from Baba Versus, author, and, as I mentioned, some feedback about Peter Hamilton's latest novel from none other than jammer B also. Uh, a listener provided some information I didn't know I needed until he offered it, about getting windows to stop re-asking to set up an already set up system it's when it it's like what I I already went through this before anyway, turns out you could turn that off and microsoft is re-rolling out recall.
Have they actually addressed the valid concerns or is this just more lipstick on a pig? Today's episode is recalls re-rollout for October 1st. Once a pig always a pig, that's right.
0:04:14 - Leo Laporte
Not much you can do to make it less of a pig, but we'll see.
0:04:18 - Steve Gibson
I'm not suggesting anyone that listens to this podcast is going to be excited, but we're going to take a look at it and see how much they should be forgiven for what they first tried to foist off on the industry. And oh, we've got a great picture of the week, so I only see the title.
0:04:34 - Leo Laporte
I haven't seen the picture. It's in front of me. I will. We'll see it together, shall we? And just sounds good. Yeah, except for those of you who cheat and download the show notes ahead of time, which you can get at GRC.
0:04:45 - Steve Gibson
Actually, the mailing to all of our listeners went out last night.
0:04:56 - Leo Laporte
This is the first time in 19 plus years that.
0:04:56 - Steve Gibson
I had the podcast actually finished on Tuesday. Did you have a hot date or something? I just started early and everything kind of came together. So, those people who have chosen to sign up for the Security Now mailing list got. In fact. One person wrote back and said hey, this is great, I can read it. So I'll have an idea what you guys are talking about.
0:05:15 - Leo Laporte
Prepare for the show the night before.
0:05:17 - Steve Gibson
That's a good idea. Do your homework, that's right.
0:05:20 - Leo Laporte
Well, and we are sitting here in Petaluma, california, rapidly approaching 100 degrees. It's 96. And I will ring this bell when we get to 100. Oh good, just some old-fashioned radio fun. Okay, our show today. We'll get to the picture of the week and the rest of the show in just a bit, with Mr Gibson, our show today, brought to you by Vanta.
Oh, whether you're starting or scaling your company's security program, it's so important that you demonstrate top-notch security practices. That's how you establish trust with your customers and everybody you work with. And, of course, establishing trust these days is much more important than ever. Vanta automates compliance you should love those two words For SOC 2, for ISO 27001 and more Saves you time and money and, of course, helps you build customer trust. I love that. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with their really nicely designed really it's really well done customer-facing trust center. And, of course, this is all powered behind the scenes by Vanta AI.
7,000 global companies use Vanta, like Atlassian, flowhealth, quora. They use Vanta to manage risk and to prove security in real time, which now is more important than ever. You can get $1,000 off right now $1,000 off Vanta when you go to Vantacom slash security. Now that's V-A-N-T-A as in Vanta Black right V-A-N-T-Acom slash security now $1,000 off. We thank Vanta so much for their support of security. Now we thank you for supporting us too by uh, going to that site. And then you know, you saw it here vantacom security. Now that's the most important part. All right, steve, I am ready. I am going to scroll up on the picture of the week and we will. We will look at it together. Are you ready? Electrician wanted. We will look at it together. Are you ready?
Electrician wanted I don't get it, but it's funny. Oh, there's more Experience required this time. Okay, maybe you better describe.
0:07:51 - Steve Gibson
That is pretty good. The caption caption makes it steve, yeah, so, uh, okay. So what we have is a. A green wall in an inset is some sort of an electrical, presumably high tension, wiring situation.
0:08:02 - Leo Laporte
The door. You can see the wires hanging out there.
0:08:05 - Steve Gibson
Yeah, the wires are clear and the door's been left ajar, apparently as a consequence of what recently happened. Now, imagine it's really as good if somebody was wearing hard-soled shoes and they exploded. Well, the shoes, the soles of the shoes, would keep the ground at its original color, where they were, but you'd get this singed. Look like everywhere around.
0:08:37 - Leo Laporte
Basically, the guy exploded in a puff of greasy black smoke and that's all that's left, holy cow.
0:08:47 - Steve Gibson
So, yes, they're looking for a new electrician because we can see what happened to the last one Not good and they're saying you know, make sure you know what you're doing. If you walked up to this panel looking down and seeing the remainder of this guy's shoes the previous electrician you'd be very careful with which wires you touched.
0:09:11 - Leo Laporte
Very nice, I like it. Well done Steve.
0:09:14 - Steve Gibson
Hey, thanks to our listeners, they're out scouring the internet, finding these goodies and in some cases they're like walking past something. Oh, this would be a perfect picture for security now Always be thinking, and they take the pictures themselves and send them in.
Always be thinking. Picture of the week. Thank you, thank you, thank you. So we have news of that somewhat controversial, unauthenticated, meaning you don't have to log in or do anything.
Linux remote code execution vulnerability, which we discussed last week. Simone Margretelli began his widely anticipated and still clearly annoyed expose, which he posted late last week by writing Hello friends, this is the first of two, possibly three. If and when I have time to finish the Windows research write-ups, we'll start with targeting GNU Linux systems with an RCE, and we know that's remote code execution. As someone who's directly involved in the CUPS project said, quote from a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited. And he ends the quote and he says well, they're not wrong. While this is not the first time I try to more or less responsibly report a vulnerability, it is definitely the weirdest and most frustrating time, as some of you might have noticed from my socials, and it is also the last time. More on that later, but first Okay. So first to interrupt him for a minute.
That acronym CUPS is the abbreviation for the Common Unix Printing System. It's a modular printing subsystem for Unix-like computer systems, including Linux. So the Hacker News reported on what Simone Margretelli revealed by writing as follows. They said a new set of security vulnerabilities has been disclosed in the open printing common Unix printing system, cups, on Linux systems that could permit remote command execution under certain conditions. Remote command execution under certain conditions. Security researcher Simone Margretelli said quote a remote, unauthenticated attacker can silently replace existing printers or install new ones IPP URLs with a malicious one, resulting in arbitrary command execution on the computer when a print job is started from that computer. So Hacker News said CUPS is a standards-based open source printing system for Linux and other Unix-like operating systems, including Arch, linux, debian, fedora, red Hat, enterprise, linux, chrome OS, freebsd, netbsd, openbsd, opensuse and SUSE Linux.
0:12:29 - Leo Laporte
I think CUPS is also used on macOS.
0:12:32 - Steve Gibson
Oh, yes, right, yeah, yeah. Simone identified four vulnerabilities, they wrote, which have received CVE designations. A net consequence of these shortcomings is that they could be fashioned into an exploit chain that allows an attacker to create a malicious fake printing device on a network-exposed Linux system running CUPS and trigger remote code execution upon sending a print job. Network security company Ontinue said quote the issue arises due to improper handling of new printer available announcements in the CUPS browsed component, which is a service as we'll see here in a minute, combined, they wrote, with poor validation by CUPS of the information provided by a malicious printing resource. The vulnerability stems from inadequate validation of network data allowing attackers to get the vulnerable system to install a malicious printer driver and then send a print job to that driver, triggering execution of the malicious code. That driver triggering execution of the malicious code. The malicious code is executed with the privileges of the printing user, not the super user. Root. Red Hat Enterprise Linux in an advisory said all versions of the operating system are affected by the four flaws but noted that they're not vulnerable in their default configuration. It tagged the issues as important in severity, given that the real-world impact is likely to be low. Red Hat writes, quote by chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution, which could then lead to theft of sensitive data and or damage to critical production systems. I would argue, if you're installing a malicious driver it can probably do worse than that. But you know that's Red Hat wanting to sort of tamp this down a little bit, and there was arguably, you know it had some need of some tamping.
Cyber security firm Rapid7 pointed out that affected systems are exploitable either from the public internet or across network segments, only if UDP port 631 is accessible and the vulnerable service is listening.
Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages and therefore are not impacted by the flaws. Patches for the vulnerabilities are currently being developed and are expected to be and remove the CUPS-browsed service if it's not necessary and block or restrict traffic to UDP port 631. Benjamin Harris, ceo of Watchtower, said in a statement shared with the Hacker News the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems may only affect a subset of systems. Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines and workstations running CUPS are exposed to the internet in the same manner or numbers. The typical server additions of Linux would be. Satam Narang, senior staff engineer at Tenable, said these vulnerabilities are not at a level of a log for shell or heartbleed, he said, quote. The reality is that across a variety of software, be it open or closed source, there are countless number of vulnerabilities that have yet to be discovered and disclosed.
0:16:32 - Leo Laporte
Oh well, that's OK then.
0:16:34 - Steve Gibson
And that's why we're not ending at 999, folks Countless. We can count our episodes, but we cannot count the vulnerabilities. Amazing, we cannot count our episodes, but we cannot count the vulnerabilities. Amazing. He said security research is vital to this process and we can and should demand better of software vendors. Unquote. So you know that's Tenable's stance on this. Okay, so this is sort of what we expected, right? Right, if it was a four alarm fire emergency, there wouldn't have been that controversy surrounding it. That was evident when we talked about this last week. In this instance, yes, there are problems and yes, they need fixing, but we've seen plenty of CVSS 9.8s and this collection doesn't rank up there with those 9.8s and this collection doesn't rank up there with those. And for his part, simone still seems to be smarting over the backlash from his trying to get everyone's attention when he didn't feel that developers were taking it seriously enough.
At the end of part one, which is what I shared the beginning of of his detailed write-up and I skipped that because it's just detail and I've got a link to it in the show notes for anyone who wants it. Anyway, he summed up part one by writing. You will maybe be thinking now quote wow, that's a lot of stuff to read code, rfcs, pdfs, the forgotten standards. This research must have been so tiring, unquote, he said, started when, on September 5th, after confirming my findings, I decided to open a security advisory on the Open Printing Cups Browsed Repository and do what, to me, was the right thing to do responsible disclosure. I won't go into the details of the initial conversation or the ones that followed. You're free to read them if they will ever open any of the threads and you're willing to read 50 plus pages of conversation or not and make your own opinion.
While the research only took a couple of days, this part took 22. And this part was not fun. I will only say that, to my personal experience, the responsible disclosure process is broken, that a lot is expected and taken for granted from the security researchers by triagers that behave like you have to quote, prove to be worth listening to, unquote, while in reality they barely care to process and understand what you're saying, only to realize you were right all along three weeks later, if ever. Two days for the research, 249 lines of text for the fully working exploit, 22 days of arguments, condescension, several gaslighting attempts, he said dissension. Several gaslighting attempts. He said friends, the things I've read these days you have no idea more or less subtle personal attacks, dozens of emails and messages, more than a hundred pages of text in total, hours and hours and hours and hours and effing hours, not to mention somehow being judged by a big chunk of the InfoSec community with a tendency of talking and judging situations they simply don't know. Let that sink in for a moment. What the actual F? And we're not talking about time spent on fixes.
While I was impatient and throwing a tantrum on Twitter, the actual fixes, or part of them, started being pushed much later. The vast majority of the time has been spent arguing whether or not these were issues worth considering. While I was trying to report that there's something bad that should be addressed ASAP, the devs were being dismissive and pushing other code, also vulnerable for other functionalities, instead of fixing because I dared to criticize the design of their software, while at the same time I was trying to reach out privately to de-escalate and assure whoever was getting offended that my intent was not adversarial To the people. That more or less directly questioned my integrity, accused me of specularization and of spreading FUD on my socials.
I don't do this for a living. I don't need CVEs to get a job or to prove how good my Kung Fu is or any attention other than what my projects and research already provide. I don't play InfoSec Influencer like many. My mission was to interrupt the triage's focus until they reprioritized. When I saw what I thought was pretty serious was being dismissed, as an annoyance, I used the only platform I had, plus a pinch of drama, as a tool to have them effing reprioritize, and it worked Wonderfully. More fixes happened after two weeks than with all the arguing and talking before.
So don't hate me, hate the system that forced me to do that in order to be taken seriously. And you know, leo, he's got a point. You know, I mean we've talked about the downside of the whole open source environment is that it's all volunteers, right? Well, mostly volunteers there are. You know, like Red Hat is able to employ people professionally to maintain and manage things, but there are people who are busy. If, in fact, there's the load of defects that I mean Linux apparently has them just as much as Windows does that need to get fixed, then it is a matter of priority.
0:23:12 - Leo Laporte
There is triage.
0:23:13 - Steve Gibson
There has to be. Yes, exactly, and, leo, you can imagine how many less qualified individuals are in fact reporting specious things that are actually not problems.
0:23:30 - Leo Laporte
In fact.
0:23:30 - Steve Gibson
That's why last week I went to dig into who this guy was and we saw that okay, he's got some cred behind him.
He's been active for a decade and is responsible for finding lots of problems. So he's not nuts. But they don't know that when they're busy, you know dealing with a lot of reports that probably are less credible, so you know his position, I think, is understandable. Our takeaway is that some unlikely to be exploitable yet important flaws were indeed found and they will be fixed in future editions of Linux and BSD code in their common CUPS subsystems, and the open source ecosystem is better today for his willingness to push, even though those who were pushed did not appreciate being pushed, because I'm sure that other people were reading his social media postings and then saying to the devs hey, what about this? Is this really so bad? So you know he used what influence he had in order to try to make them do what he wanted to.
0:24:47 - Leo Laporte
He's a little annoying. Yes, nobody appreciates having that done to them, and some of that is you know. Yes, nobody appreciates that. Unfortunately, people who are attracted to this business often lack certain social skills, shall we say, and he sounds like exactly the kind of nerd geek that we run into all the time, who's very literal, really takes it seriously and doesn't know how to apply social grease. A little social grease would have gone a long way here. Perhaps Is it as bad as he's painting it.
0:25:26 - Steve Gibson
Okay, so maybe Reports are that there are more than 100,000 instances of that particular vulnerable service exposed on the public internet.
0:25:46 - Leo Laporte
Yeah, because I have CUPS on all of my machines, including my Macs. Yes, but I don't have the browser installed right. Is that the key?
0:25:52 - Steve Gibson
Well, even if you did and there are, I think it's Linux Mint does have it running by default. So there are Linuxes that have it running by default, but you're behind a NAT router. Anybody in a home network behind NAT is going to be safe. Because it's not going to, that UDP port 631 will not be publicly exposed. Okay, so a really nice summary of this was just posted in Risky Business News, which summarized this, and they added a bit of additional interesting details. They wrote threat actors are scanning the Internet for Unix systems that are exposing their printing ports in an attempt to exploit a set of four vulnerabilities in the CUPS printing component. The vulnerabilities were discovered by Italian security researcher Simone Margretelli earlier this year and were disclosed at the end of last week. They impact CUPS, the common Unix printing system, an open source component to allow Unix systems to print, to function as print servers. The four bugs are part of an exploit chain that can allow an attacker to deploy a malicious printer, having the printer indexed by a victim's CUPS server, plant malicious code on the CUPS server inside a PPD file and have the malicious code from the PPD file executed when a user launches a print job via the attacker's malicious printer. The exploit chain is, in this order, cve-2024, 47176, 47076, 47175, and 47177. Besides Margretelli's write-up explaining how the four bugs work, other analyses on the four are also available, which suggests the credibility of this. Via Akamai, rapid7, elastic, tenable, qualys, datadog and Aquasec.
The bugs received a lot of attention and were extremely overhyped over the past week after Margaret Telly posted about them on Twitter before patches were released. Let's just say and this is risky business news writing let's just say they're not as bad as they were made out to be. They don't impact all Linux distros, only a few actually. They're only exploitable within very limited scenarios and the 9.9 CVSS score should have been lower. Yes, they're bad bugs that are easy to exploit, but they're not the Linux world-ending kind like Heartbleed, for example. But regardless of their severity and all the weird conditions needed to exploit the bugs, threat actors don't care. After margaret telly and others published proof of concept code at the end of last week, threat actors began scanning the internet for udp port 631, which is the port show, dan and things like that, to do that right.
Yes, Well, and their own scanners.
0:29:06 - Leo Laporte
And they can run a scanner.
0:29:08 - Steve Gibson
Our guy, Marcus Hutchins, was the one he posted that. He scanned the net himself and found over 100,000 instances.
0:29:21 - Leo Laporte
You could use Nmap or something like that too Exactly.
0:29:24 - Steve Gibson
Yeah, and there are now high-speed scanners that do parallel scanning on maps.
So they wrote if this port is exposed on the internet, then bad things are going to happen to your Cup server in the coming days. And they finished, even if Cup ships disabled by default on most distros. According to Shodan, there are currently over and they quoted 75,000 systems running cups exposed over the internet, which is quite an attractive piece of pie if you're an attacker. Other scans had these numbers at over 107,000, but they can be even bigger than this. Mitigating the vulnerability should be pretty easy Just disable, remove or update CUPS. You should not be running that anyway. They said Okay.
0:30:17 - Leo Laporte
So yeah, interesting. Yeah, he seemed a little whiny, and publishing a proof of concept so early is also problematic, right?
0:30:28 - Steve Gibson
Yes, I would argue yes, that the patches are not out yet. They're still happening and, as a result of him jumping up and down and screaming, it brought a lot of attention to this and proof of concepts are immediately deployable by people who are scanning. So, unfortunately, the upshot of this is that people will get hurt, given that those are true instances of CUPS which are exposed on port UDP631. As we know, there's a lot of port reuse on the internet, so it could be some other type of service, that is, that is listening or you know who knows what, but still likely a bunch of systems are going to be hurt and that's unfortunate. You know that is a sad consequence of the way we're doing things now, but it's also foreseeable, right? I mean, you know some guy, as you said, who is impatient and clearly pissed off about the way he feels he was treated by the devs not escalating this to the degree he wanted it escalated.
0:31:41 - Leo Laporte
Then you know let's lose too soon and the result is not what he would have chosen in the beginning this is a big problem in open source is that we have a lot of people with limited social skills for a variety of reasons. Some of them are neurodivergent, some of them are just jerks, and we all have to work together and not everybody's good at working together.
0:32:06 - Steve Gibson
Well, Leo, it's a microcosm of the Internet.
0:32:10 - Leo Laporte
Yes, we're humans.
0:32:11 - Steve Gibson
Where don't you find that? On the Internet? Exactly good point, it's just humanity.
0:32:17 - Leo Laporte
Yeah, software requires an unusual amount of collaboration, especially open-source software, more than we're maybe all used to, and it really does require checking your ego at the door.
0:32:26 - Steve Gibson
Generation, especially open source software, more than we're maybe all used to, and it really does require checking your ego at the door. I mean, one of the things that I have found that's worked best for me is like just putting the software out there and asking the people and as has happened over in GRC's news groups find my problems, find the things I screwed up, find the things that I didn't get right. You know, I know how to use it, so it works for me. So, and you know, sure enough, these guys are wonderful about finding stuff that I didn't get right and I don't care. I mean, all I want to do is have the result be the best it possibly can be. My ego is way down the list of things that I'm concerned about. I just want to be able to offer the best software I can.
0:33:14 - Leo Laporte
And, as Kira points out in our Discord, it's not just Simone's ego that might have gotten in the way there might have been some other egos too, yeah, and some other egos too, yeah, well, again the devs are.
0:33:26 - Steve Gibson
You know, it's probably difficult for us to imagine how busy they are and the fact that there are probably many other people saying that they found this or that wrong, which just isn't. Yeah, it just isn't. And you know, in fact, in the in the early days of working on Spinrite, I would have gone insane if I didn't have GitLab just to hold all the stuff, all the reports coming in, and I just take a deep breath and just go to the next one and take a look at it, see if I could recreate it. Often it's like, oh cool, someone found something and I would fix it. Sometimes I just could never make it happen and so we wait to see if anybody else could. So I mean, it really is a process.
0:34:13 - Leo Laporte
Yeah, and imagine what it was like before we had Git. And there are still open source projects who use email for their pull requests and things like that, and that's hard. That's really not.
0:34:26 - Steve Gibson
Yeah.
0:34:27 - Leo Laporte
Do you want to take a break now or do you want to keep going?
0:34:30 - Steve Gibson
Let's take a break. That's a perfect time. And then we're going to talk about what happens if an enterprise briefly loses control of its domain. Well, that's not good. I can tell you. It's worse than you would think. It's not good yeah.
0:34:46 - Leo Laporte
All. It's worse than you would think. It's not good. Yeah, all right, we'll talk about that in just a little bit.
Our show today brought to you uh, by bed warden, the open source password manager that gives you a cost, effective in many cases free solution that can dramatically improve your chances of staying safe online. Everybody who listens to this show uses a password manager, right? I hope Maybe you're using more sophisticated, you know, one-time pads or something, but for the most part, a password manager is kind of your number one tool in your security toolbox, right? It makes sure that you don't reuse passwords ever, not even once that you use long, strong, unmemorable passwords. The password manager makes sure you don't have to remember it. And open source is nice because you know there's nothing going on behind the scenes. That's Bitwarden. I love it If your friends and family aren't using it, and I can almost certainly say that most of us have members of our family no names.
Say that most of us have members of our family no names who just go oh no, I use my dog's name and my birthday. That's perfectly good. No, no, and the holidays are coming. We've got Prime Day in a week. We've got Black Friday, cyber Monday, security. Online shopping now really becomes important, right? You know, as soon as the holidays come out, the bad guys come out too.
Bitwarden is doing everything it can to keep your family, your friends and you from being phished. They have expanded their inline autofill capabilities within the Bitwarden browser extension. Not only for passwords, now they use cards so that's good Identities and pass keys. And the reason you want this is the autofill is smart. It will not autofill on a phishing site. It will only autofill on the actual site you're supposed to, so you won't be giving your credit card to somebody else even though that site looks exactly like the real deal, because Bitwarden knows better. This enhancement protects us all. It means you're going to have a more secure interaction with web forms, that when you fill in payment details or contact info and so forth, you're not going to give it to somebody a bad actor. You're going to only give it to the people who deserve it.
With Bitwarden, you get also. There's so many good things for the business. So Bitwarden is open source. That means you can use it free forever as an individual. You can, even if you don't say I don't trust anybody with my vault. You can self-host your vault all of that stuff as an individual Free forever, unlimited passwords, pass keys, hardware keys like the YubiKey. But for business it's also great. For instance, unparalleled SSO integration and flexibility. Single sign-on is huge in business. You can quickly and easily safeguard all your business logins using your single sign-on security policies, fully compatible with SAML 2 and OIDC. So you know, sometimes people say, oh, I don't want to use a pattern manager because we're using SSO. No, bitwarden ensures a smooth integration with your existing solutions. You get it all. Thousands of businesses, including some of the world's largest organizations, trust Bitwarden to protect their online information.
The Bitwarden open source code is right there on Git, actually GitHub. Anyone can inspect it. It is always regularly audited by third-party experts and what's cool is you can also submit pull requests. For instance, nextin.
One of our listeners said you know Steve talks a lot about memory, hard password key, derivative functions. We really ought to have sCrypt and Argon in Bitwarden. So he submitted it. Bitwarden went over with him and they looked at the implementations. They decided this is a great implementation of Argon2 and they added it. And now, unlike other password managers, you can use PBKDF2 if you want, but you can also use Argon. That's what I did. I switched immediately, and that's where open source is great. It's not just that company, it's everybody pulling together to make life better.
Switching to Bitwarden is easy. It'll only take minutes, no matter what password manager you use. You can import directly from most password management solutions and on the others it's easy to export and import into Bitwarden. There's no reason to be paying more for less. Get started right now with Bitwarden. They have a free trial of a Teams or Enterprise plan for businesses, or free forever across all devices as an individual. Bitwardencom slash twit. This is how it should be done. This is a really great product done right. Bitwardencom slash twit. We thank them so much for their support of security now and our great friend Steve Gibson, who works his butt off to keep us secure. Thank you, steve. I appreciate it.
0:39:27 - Steve Gibson
So the news last week was that EtherFi, a so-called DeFi, as we're calling it now, a decentralized finance platform was the target of a DNS hijack after threat actors took control of its Gandhi account so Gandhi is their domain registrar.
On September 24th, by abusing Gandhinet's account recovery mechanisms and there's no clear detail on exactly how that was done bad guys managed to switch EtherFi's registered name servers over to those that they controlled. Ooh, that's not good. That's not good. Since EtherFi received account recovery notification, within three hours, the changes had been reverted and EtherFi's account had been successfully locked to further prevent tampering. Okay now, what I found interesting was that, in this reporting, everyone appears to be breathing a sigh of relief, but a lot can be done immediately upon the takeover of a domain. For example, valid web server domain certificates can be immediately obtained from any registrar, since, you know, from any certificate authority. Rather, since proof of domain control is all that's required All that's required, and due to the fact that, as we well know, certificate revocation is a myth, those certificates will remain valid throughout their two-year life or more.
0:41:16 - Leo Laporte
That's a little longer than three hours.
0:41:18 - Steve Gibson
Yes, yeah, exactly. Not only can those certificates be used to host a spoofed website, if a victim's traffic can somehow be rerouted, but those same certificates can be used to sign spoofed email from the victim domain and it will pass right through all SPF, dkim and DMARC validation. So my point is it's likely that for commercial entities owning valuable domains, security is more important at their domain registrar than any other single place. I know that many of our listeners of this podcast have their own domains. If you were only to use multi-factor authentication in one place, I would choose authenticating to your domain's registrar and doing anything possible to limit anyone else's ability to perform malicious account recovery. It's a little bit like freezing your credit preemptively because you don't want bad guys to be able to apply for credit in your name.
I think I have one account over at Gandhi, I have nothing left at Network Solutions, but I'm all over at Hover and I've got second-factor authentication set up in both of those locations. And I smile every time I have to put my six-digit code in, because I absolutely want to know that they're going to make sure that it's me, because, again, the last thing you want is your domain to get hijacked and recall how LastPass suffered that first security event and then told us and thought that everything was fine. But then later the bad guys were able to use some of the information they had gleaned from that first attack to launch a deeper and much more destructive event. You know that sort of thing might well plague these EtherFi folks in the future. It may not be all over, you know. They think everything's been buttoned up, but you know that brief name server switcheroo may have provided the bad guys with everything they were actually after.
0:43:39 - Leo Laporte
So if you're a bad guy, time is of the essence.
0:43:43 - Steve Gibson
Make sure you get it all done fast and you can imagine that they were probably poised, knowing that they wouldn't have it for long. But the moment they got the name service switch they jumped on it and probably issued certs at a bunch of different CAs, who knows?
0:43:59 - Leo Laporte
Wow, Okay, Ross come nonzor, we're supposed to say it together. You ready, you ready, what's wait? A minute, okay, I it's hard with zoom. One, two, three ross come nonzor. How about this?
0:44:30 - Steve Gibson
That's good, we'll just put that over.
0:44:33 - Leo Laporte
You're in charge of saying that from now on, I'll be in charge from now on. That's good, that's really a good voice too.
0:44:39 - Steve Gibson
Turns out that the social media platform Discord is on the way to being banned in Russia, our favorite Russian.
0:44:49 - Leo Laporte
That's where all of our club Twit members live.
0:44:52 - Steve Gibson
Yeah, Our favorite Russian internet watchdog, Leo. What's their name? That's them. They've just added Discord to their registry which is the first step in formally blocking access to a service within Russia's borders. What did they do to get that? They're just. You know they're not toe in the line. They're not sufficiently obedient, they're not under. You know they're not sufficiently obedient, they're not under the Kremlin's control, so the Kremlin doesn't want them loose.
Wow, just a note for users of the extremely popular VLC Video LAN player. The project just released a patch to repair an integer overflow vulnerability via a maliciously crafted MMS stream. I don't use VLC to receive MMS streams but although no one had ever created a remote code vulnerability execution, we know that the possibility of that being done cannot be ruled out. If you are using VLC media player anywhere from 3.0.21 or later. That problem has been resolved. That problem has been resolved. Also, we've had lots of fun in years past looking at the Tor project, actually the technology of it, which is so cool because it implements a unique privacy preserving, so-called onion routing technology. For those who have joined us more recently, I'll just briefly recap that the Tor system wraps an outbound internet packet in multiple successive layers of encryption, where the private key used to decrypt each successive layer is only known to the specific router to which that onion packet will be sent. So, after wrapping the outbound packet multiple times, the sender sends this multiply-wrapped onion to the first router, which is only able to remove the outer layer of encryption to reveal the address of the next onion router in the sequence. It cannot determine that that is it. The first router cannot determine the packet's final destination nor its contents, because that's still hidden by multiple additional layers. Because that's still hidden by multiple additional layers, and although that first router knows the sender's IP, since it just received a packet from that IP, the second router that receives the forwarded packet does not know the sender's IP, it only knows the IP of the first router. When that onion reaches the second router, it, and only it, is able to decrypt and remove that layer of the onion, thus revealing the IP for the third router in the sequence. And that second router only knows the IP of the first router and the third router and the third router, neither the originating IP nor the destination IP. So every hop along the way we have protection of the sender and also protection of the destination, until you get to the final router. Once the third router receives the onion, um, once the third router receives the onion, only it is able to remove what um, uh, uh. Only it is able to remove that, that final layer, to reveal that the packets actual contents and its true destination. And it has no idea whatsoever who originated that packet. Since that's three hops back and Onion routers are all about preserving anonymity is to give Internet users something that is completely lacking from the Internet's normal point-to-point routing scheme, which is a high degree of anonymity for the sender. When we talked about how the Internet works, typical packets have a sending IP and a receiving IP. Packets have a sending IP and a receiving IP, and so there's nothing anonymous from a standpoint of IP addresses. Those are typically known endpoint to endpoint Okay. So the other component here is the privacy-centric OS project, tails.
Tails is an operating system which is bootable from a USB thumb drive. The Tails website bills itself as quote your secure computer anywhere, and it explains the OS's purpose writing to use Tails. Shut down your computer and restart it with your Tails USB stick. Instead of starting Windows, mac OS or Linux, you can temporarily turn your own computer into a secure machine. You can also stay safe while using the computer of somebody else. Tails is a one and a half gigabyte download and takes about half an hour to install. Tails can be installed on any USB stick with eight gig minimum.
Tails works on most computers less than 10 years old. You can start again on the system's original operating system after you've shut down Tails. So you know, you pull it out and reboot and the system comes back normally. They said you don't have to worry about the system having viruses because Tails runs independently from the other operating system and never uses the hard disk. But Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious software like key loggers. So don't do that. Tails always starts from the same clean slate clean state and slate and everything you do disappears automatically when you shut down Tails. Without Tails, almost everything you do can leave traces on the computer the websites you visited, even in private mode, files that you opened, even if you deleted them, passwords, even if you use a password manager, and all the devices and Wi-Fi networks that you touched. On the contrary, they said Tails never writes anything to the hard drive and only runs from the memory of the computer. The memory is entirely deleted when you shut down Tails, erasing all possible traces.
Okay, why are we talking about this? We're revisiting these two important projects today because last Thursday, under the blog headline Uniting for Internet Freedom, tor Project and Tails joined forces. They announced their merger. The two projects realized that there was a great deal of duplicated effort with managing and fundraising and operational overhead. The Tor blog said this. They wrote today.
The Tor project, a global nonprofit developing tools for online privacy and anonymity, and Tails, a portable operating system that uses Tor to protect users from digital surveillance, have joined forces and merged operations. Incorporating TAILS into the TOR project structure allows for easier collaboration, better sustainability, reduced overhead and expanded training and outreach programs to counter a larger number of digital threats. In short, coming together will strengthen both organizations' ability to protect people worldwide from surveillance and censorship, countering the threat of global mass surveillance and censorship to a free Internet. Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most, ensuring that activists, journalists and other at-risk and everyday users will have access to improved digital security tools. In late 2023, tails approached the Tor project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails' operational capacity on their own and putting more stress on Tails' workers, merging with the Tor project, with its already larger and established operational framework, offered a solution. This is so great.
0:54:41 - Leo Laporte
This is so great. This is so great.
0:54:42 - Steve Gibson
This is really good and makes them both stronger. They finished saying this solution is a natural outcome of the Tor project and Tails shared history of collaboration and solidarity. 15 years ago, tails first release was announced on a Tor mailing list. Tor and Tails developers have been collaborating closely since 2015. And more recently, tails has been a sub grantee of Tor. For Tails, it felt obvious that if they were to approach a bigger organization with a possibility of merging, it should be the Tor project. The team lead for Tails OS said running Tails as an independent project for 15 years has been a huge effort, but not for the reasons you might expect. The toughest part wasn't the tech. It was handling critical tasks like fundraising, finances and human resources.
And dealing with people, exactly those pesky critters after trying to manage those in different ways. He said I am very relieved that tails is now under the tour project's wing. In a way it feels like coming home oh, that's such a good thing.
0:55:57 - Leo Laporte
So have you used tails, do you? Uh? I mean, I've read about it for years and I've talked about it in the past.
0:56:03 - Steve Gibson
I just my use case. You know I just don't have a use, but you have to be very adamant about not wanting.
Yeah, I once talked about the danger. I mean, I can't even imagine logging into one of those held hotel business centers computers and doing anything that mattered there, because it's like, uh no, now of course you and I are always carrying multiple computers around with us, so it's not like we have to use somebody else's. But you know, in a pinch, if you were to stick a usb drive in and reboot the machine with your own clean OS, that's probably as good as you can do.
0:56:46 - Leo Laporte
Microsoft used to offer and they stopped it a version of Windows that would erase itself on reboot.
0:56:53 - Steve Gibson
Every time fresh version, and I know a lot of business centers used it and you know there were some add-on packages back in the day I remember that's right yeah, like sometimes libraries would use them exactly where where somebody would log on, they could use the system you know and any changes that they made would be completely reverted. Basically, it would just, it would reset all of those changes and always have the system back in a given state.
0:57:24 - Leo Laporte
Thanks, sirex, that's it. Steady state was a Microsoft product Steady state yes. What a great idea. Why did they stop it? God knows, because it's Microsoft.
0:57:34 - Steve Gibson
Well, you can't run, recall, in a steady state. We'll get to that in a moment, yeah.
0:57:39 - Leo Laporte
That's right.
0:57:41 - Steve Gibson
Also, one last little bit of blurb here. As we noted, a few weeks ago, telegram's founder and owner, pavel Durov, was first detained, then arrested in France after authorities decided to hold him directly responsible for the many abuses known to be flourishing within the totally unmoderated and unfiltered protection of Telegram's service. Well, france's strategy appears to have worked, since Telegram recently made some waves by amending its privacy policy and agreeing to comply with court orders requiring it to share its users' phone numbers and IP addresses with law enforcement. So Telegram's cooperation will now extend to various criminal investigations, expanding beyond their previous limit of only helping in terror-related offenses. And, as you might imagine, the exodus has actually been something to behold. I saw a couple articles saying that the bad guys were jumping ship in large numbers. So good riddance.
0:58:56 - Leo Laporte
Yes, that's exactly what we want and I'm glad to hear it, because I like Telegram and I would like to use it without feeling bad about it.
0:59:04 - Steve Gibson
Yeah, and I would argue that, as long as you're, I mean okay. So we know that we have privacy absolutists, right, who absolutely feel that zero consequence of using the Internet in any way they choose should be their right. Unfortunately, they're using somebody else's platform. I mean we've talked about it For example, employees in a corporation. What you do on the company network with the company computer is the company's property and the company has some responsibility for. So you know, as we've said, it'd be a good thing to have a little sign posted on the top of the computer screen saying remember, what you do on this network should not be considered private. You know, it's not your network, it's your employer's network, anyway. So, yes, goodbye, really really bad cretins from telegram, we will not miss you yes, we will not, not at all uh, so I've got some feedback to share.
Leo, why don't we take one more break? Uh, we'll. We'll get into the feedback before, uh, and then, on the other side of that, uh, we'll talk about, uh, the recall or the re-rollout of recall, and yzf donor reminds me, that there is uh still a commercial program called deep freeze that does what steady state does ah right, remember that. Yeah, not free, and they're still around that's good to know.
1:00:37 - Leo Laporte
Yeah, I'm glad to hear that, although you know, I think I think Tails Benito, our producer, says the reason Windows stopped doing it is because they can't show you ads if you keep erasing it every time. Yeah, that might be. Tails might be the right way to go on that one, our show today, brought to you by Delete Me. Ah, yes, if you've ever searched for your name online and you notice how much of your personal information is right there for anybody to see and, of course, that's a data broker. And worse, there's been another breach of data. There's two different breaches of data brokers leaking out everything. Maintaining privacy is now job one, not just for you, but for your family as well, and the best way to do it is Deleteme. Deleteme now has family plans so you can ensure everyone in your family feels safe online. And, of course, every business should be using Deleteme, especially for management, because that information that's published online about your managers, your CEO, and it can be used by bad guys for deep fakes, to impersonate, to spearfish. This is more than just privacy. This is cybersecurity, this is identity theft, this is how you protect yourself from harassment and threats, and more. Delete me and I know. I know because we use delete me, particularly for Lisa, our CEO, because we think it's really important, not just privacy but for security, that people don't know her phone number, her direct reports. They've been using that for phishing, for spear phishing. It's terrible. Delete me works. Their experts will find and remove your information from hundreds of data brokers. They know them all. This is important because there's new ones every day, right, it's such a lucrative business and Delete Me keeps on top of it. And for your family, you can assign a unique data sheet to each family member, tailored to them, so you can say well, you know she doesn't want her Instagram account deleted, that kind of thing. So you can make sure, with easy-to-use controls, that kind of thing. So you can make sure, with easy to use controls, that you can manage the privacy settings for the whole family and match their own unique needs. And here's the best thing about delete me, the thing that really made a difference for us it will continue to scan and remove your information regularly because these guys, they're cockroaches. They just repopulate it Even after they take it down. We're talking addresses, photos you wouldn't believe what's on there Emails, relatives' names, your phone numbers, your social media, your property value and on and on and on. Protect yourself, reclaim your privacy.
Go to joindeletemecom slash twit. When you use the offer code twit, you're going to get 20% off. Mecom slash twit. When you use the offer code twit, you're going to get 20 off. Join delete mecom slash twit. This is a really good service service we use, we recommend, and it really is something that pretty much everybody needs. Until we pass a law, federal law, against these data brokers, at least there's delete me, join. Delete mecom slash twit. The offer code twit gets you 20 off. Thank you, delete me for your, your support of Steve's work here at security now, and you support us by going to that address Join. Delete me dot com slash twit.
1:03:52 - Steve Gibson
Steven. So when our listeners wrote hello, I'm a longtime listener and a much longer time developer. Currently I write mostly for mobile and have apps on the Android Play Store. From time to time I receive emails from and he has in air quotes companies that want to buy my app and my he says not many users. But yesterday I received something new. This guy wants to rent my account to publish his own junk. As you can see, he doesn't value my reputation much. And then this this our listener, george, enclosed the note I've redacted some things. So the email that he received to his gmail account said uh, good day, green spot. This is by tom gaming hub. We are reaching out to partner with google play console account owners for a lasting collaboration to publish our app. Our compensation plan includes $70 for each app upload. Oh, now.
I know it's a scam, okay $10 for each app update and $50 every seven days while the app is on your account. Wow, if you're interested in collaborating with us, please contact us via WhatsApp at and then they gave their WhatsApp number yours sincerely, bytomgaminghub. What occurred to me is that two years ago, in 2022, cory Doctorow brilliantly coined the term enshitification. His use was intended to be aimed at online products and services decline in quality. Initially, vendors create high-quality offerings to attract users. Then they degrade those offerings to better serve business customers and finally degrade their services to users and business customers to maximize profits for shareholders.
Ok, so Corey didn't define the term to be used more broadly, but it's so tempting to also use the term to describe what we are all feeling overall about the just sort of the general decline in the quality of the Internet's service as a whole, so that that term comes to mind when we see low quality apps attempting to pay their way into the accounts of higher quality apps as a means of writing their reputations. The only reason somebody would pay to have their app offered within someone else's account would be because the value derived from advertising there would be more than the cost of doing so. Of course, the overall result is the gradual enshitification of the platform as a whole, as the valuable reputation of developers is cashed out and watered down to no longer carry the value it once did. Our listener, who shared this, was clearly unmoved by the offer, but it is foreseeable that many others would jump at the chance to obtain some additional income from monetizing whatever loyalty their name may have earned. I don't know, leo. That's terrible.
1:07:51 - Leo Laporte
It doesn't sound. It seems like there's got to be more to this. I mean there's some they want to put malware on people's. I mean 70 bucks.
1:08:01 - Steve Gibson
Yeah. There's something going on here and it would probably be 70 would be all the person would ever see. Maybe they would never see. You know 50 per week you know ongoing revenue.
Yeah, yeah, yeah, bad, um, okay, uh, he's uh. Another listener yeah, bad, okay. Another listener, marv, said Hi, steve, I wanted to give some feedback on the availability of Not Till we Are Lost, babaverse Book 5. He said After hearing you mention it was published this month, I've been waiting for the Kindle edition on Amazon and waiting, and waiting for the Kindle edition on Amazon and waiting and waiting. It turns out we Kindle readers will have to wait a few months due to the author, dennis Taylor's agreement with Audible, and so this was signed. Marvin Rhodes, Senior Network Security Engineer. Anyway, so he linked to Dennis's FAQ where Dennis asks the question and answers it. Where's the Kindle version? And Dennis wrote Audible likes to have an exclusivity deal with its authors. During negotiations they'll try for up to a six-month gap before the text versions are produced. The inducements to the author are Audible pays for the narrator, audible pays for the cover, audible does the marketing. Audible offers a much larger audience. Audible is also responsible for about two-thirds, he said, of my total income.
1:09:46 - Leo Laporte
Yeah, I think you don't make much on Kindle. That's probably part of it, right, right?
1:09:50 - Steve Gibson
He said so they are by definition my primary publisher. He said fortunately my agent, who's a bit of a pit bull, has kept the exclusive period down to four months. The Pitbull has kept the exclusive period down to four months, so the text version for the current contracts anyway will always come out four months after the audible version. And while I was there on his page, I read the rest of Dennis's FAQ and his irreverent personality, which so many of us have enjoyed in his novels, shows through clearly. Which so many of us have enjoyed in his novels shows through clearly. Two additional FAQ entries which also provide some additional interesting background are Where's the EPUB or other version? Answer he said Amazon only lists your work in Kindle Unlimited. If you go exclusive with Amazon for the electronic version, that means no EPUB or Kobo or Google Play version. Before you ask KU, kindle Unlimited is probably about 25% of my non-audible revenue. Oh, wow, and that's yeah, he says. And that's still a serious chunk of change. See below for discussion of fiduciary greed.
1:11:07 - Leo Laporte
So you know what? I just always assumed that Audible I mean Kindle Unlimited was a bad deal for authors, like they would get a nothing or a penny or something. So that's actually encouraging. It's a quarter of his revenue.
1:11:24 - Steve Gibson
And we know from previously looking into this and I'm sure you'll remember this how far you read in the book is actually tied to the. They actually get paid per page that you're reading.
1:11:38 - Leo Laporte
It's pretty hard not to finish a Babaverse book. I'm just going to say I don't know about the new one, but boy, the first four were page turners. They were so good. And I listened to them on Audible. He's got the best reader ever. They were great. Right Now you read them on Kindle, right?
1:11:54 - Steve Gibson
Yes, I do, because I like actual text. He said when I originally self-published outland, I initially went wide kobo, epub, google play, etc. If I made so much as a penny from any of those other channels. Oh, I don't remember it he said when I switched to amazon exclusively and kindle unlimited, my Amazon revenue went up about 20%.
1:12:21 - Leo Laporte
Well, I think you get some credit for promoting the Boba Burst books. I think maybe he didn't know, but Steve's recommendation was a big part of this.
1:12:32 - Steve Gibson
We know that it was a huge hit among our listeners. Oh, such a good book. So that's why I wanted to circle back and mention this. He said my revenue, my Amazon revenue, went up about 20%, so there's literally no inducement for me to consider going wide with my novels. And then he says question, so it's all about money? And he says the answer is oh, hell, yes.
Yeah good for him. He said this writing thing isn't a hobby and I'm not independently wealthy. I have to pay a mortgage. Me and my family have grown accustomed to eating regularly and I'd like the bank to not take my car back. He said I literally quit my day job so I could write full time, which means I can produce books a lot more quickly, but also means I have to be concerned about the financial aspects of my job. So when they wave a wad of bills under my nose, I pay attention. Sorry, that's just the way it is.
1:13:42 - Leo Laporte
I so understand how he feels about that, because people do the same thing to us. They assume that I'm doing this for fun, which I am. Just because you like something and you're good at it doesn't mean you shouldn't also get paid for it. And it really annoys a lot of people that we have a club, for instance, it charges seven bucks, or that we run ads. That's, this is life. Be a grown-up, you know we got to get paid. We pay steve I'm.
I mean, I'm sure you love doing this and you would do it for free I have a wife but I would never ask you to, because you deserve to get paid to do this, and so does Dennis Taylor. Good on him for being honest about that.
1:14:29 - Steve Gibson
Yeah, I like that and I thought everyone would get a kick out of his personality showing through. Listener. Ben shared a welcome tip. He said hi, steve. He said hi, steve. I recall multiple complaints of Windows 10 asking to be backed up every time there's some sort of update, when many of us already have our own backup solution. I've heard Paul complaining about this too. He said today I decided to see if there was a way to disable. This Turns out there is to see if there was a way to disable. This Turns out there is. Under Settings, system Notifications and Actions, you're able to uncheck the option. Quote Suggest ways I can finish setting up my device to get the most out of Windows. And apparently, even after you have finished setting up your device, it leaves it checked on. So settings, system notifications and actions and then uncheck. Suggest ways I can finish setting up my device to get the most out of Windows. And with any luck, that's never going to happen again no more suggestions.
1:15:39 - Leo Laporte
Thank you, windows, goodbye, yeah, so Ben suggestions.
1:15:41 - Steve Gibson
Thank you, windows goodbye. Yes, so, ben, thank you, thank you. Thank you, you know I had never looked and I had no idea that such an option was available. You know, and I'm also plagued by it incessantly promoting its own solutions and asked me why would you like a second keyboard? No, I've got. I've got. One is all I need I need. Thank you, I told you that, like you know, three times already, I keep telling you that God, so you know. It occurred to me that that might be a nice addition to the next release of GRC's in-control freeware. So I've made a note of that in the project. So if I ever return to it, I can see about adding that. Because you know how, would you like Windows to stop bugging you to like one drive?
1:16:26 - Leo Laporte
Yes, Stop bugging me, so settings system notifications, notifications and actions, and then yeah systems, notifications and actions.
1:16:35 - Steve Gibson
Probably one of those little switches down there there's sure, a lot of them.
1:16:38 - Leo Laporte
Notifications from the app store no Print cleanup notification. I don't even know what that is. Notifications suggestions no, here it is. Setup. No Security and maintenance, no Additional settings. You have to really dig because show Williams Windows welcome experience. That's it. After updates nope, there it is Nope. And I don't want tips and suggestions either, so I just turned everything off.
1:17:04 - Steve Gibson
You know, I got a piece of email and unfortunately it got lost in the pile. But one of our listeners had a brilliant suggestion. He said Steve, why don't you use Windows Server 2022?
1:17:22 - Leo Laporte
as your desktop, because it doesn't have any crapware on it. Exactly, yeah.
1:17:26 - Steve Gibson
And as an MSDN developer, you have it, I already have it, yeah. So it's like that's just a brilliant suggestion.
1:17:33 - Leo Laporte
So yes.
1:17:34 - Steve Gibson
Instead of all this, you know, oh my God, those flipping tiles.
1:17:39 - Leo Laporte
and Well, they wouldn't dare do this to businesses, solitaire and all that crap, right? So they don't turn it on on the business stuff, right?
1:17:47 - Steve Gibson
No, Amazing Listener Matt wrote get a load of this. One More Experian woes. Hi Steve, because you mentioned some questionable security practice with Experian questionable security practice with Experian. I thought I'd mention that I'm inadvertently the email of record for someone else's Experian account.
He said I was an early Gmail adopter and have the Gmail address of my first initial last name at gmailcom. I routinely get messages to others in the world who share my first initial and same last name. Occasionally, someone will sign up for services and enter my email address by mistake, forgetting to add whichever qualifiers distinguishes their email from mine. He said it's usually harmless. But someone recently signed up for an Experian account with their information and my email address, he said. Now I receive email messages every time they have a credit alert. He said conscious organizations have a single-click opt-out for messages, but for me to turn this off I have to log in to Experian as that user. This wouldn't be a problem because I could easily reset the account password as I own the email address behind it, but I don't want to be exposed to any more of their personal details than I already am, he said. It seems Experian doesn't bother with an email verification loop.
All they have to do Exactly when setting up accounts, or at least they didn't when this person set theirs up Unbelievable.
1:19:50 - Leo Laporte
Oh, my goodness.
1:19:51 - Steve Gibson
At this point it's not even clear how they could go about untangling that mess.
We've looked extensively at how, due to the universal presence of the I forgot my password links, the security of our email is really what all of our login security comes down to. Usernames and passwords and even multi-factor authentication are really only just log on accelerators, since everything ultimately falls back to email. So in this case, we know what happens when this account owner forgets their password and attempts to use the I forgot my password loop. You know so that confirmation email lands in Matt's inbox because they always had it wrong on their account.
And now they can't get back in and they can't confirm that they lost their password.
1:20:53 - Leo Laporte
That's the other side of it is, meanwhile there's somebody who's going. I never get anything from Experian. How do I get in? But the thing is, experian makes it easy to create multiple new accounts, like almost every time you go. If you want to do a credit freeze, you just create a new account with your last four of your social and your email, and so that's. All that happened is that person has abandoned that account and opened another one. Meanwhile it's still active. Wow, wow, terrible, horrible.
1:21:22 - Steve Gibson
Edward McDonald said. Hello, Steve. I recently updated to iOS 18 and saw where Apple now has an app for their password manager. I wondered your thoughts on it versus some of the other password manager software like 1Password. Thanks, Ed. Okay, since I'm personally hanging back with older Apple hardware, iOS 18 is not an option for me at the moment. But when we talked about this back at announcement time, what I recall was that what Apple was doing was mostly just pulling together what they already had for password management, which was kind of buried and scattered around within iOS. They were pulling it all into one place and giving it a more formal UI presence. So the presence of passkeys and the need now to manage them increased the need for iOS's password management to be somewhat more explicit. So the value of any third-party password manager, whose primary benefit would be much wider cross-platform, cross-ecosystem credential synchronization, is neither changed nor diminished with these recent changes to iOS 18.
I agree they just sort of gave you an icon for it.
1:22:46 - Leo Laporte
Yeah, and honestly, it's a very secure system, really well implemented, I think. Right, yeah, the only drawback is it's not exactly cross-platform. You can use it on Windows, but I don't think there's any way to use it on Android. But, yeah, if you're all Apple, why not?
1:23:04 - Steve Gibson
A listener named E asked about our mailing solution. He said hi, Steve, we run a self-coded email system for doing weekly mail shots. We would like to shift to third-party code while remaining self-hosted. Recently, when you described your modernization effort on your email system, I seem to recall that you bought slash, licensed a system and wrote your own code around that. I looked back at SecurityNow transcripts but I seem to have missed it. Could you put me straight? On this point how We've only plugged it five times. And we're about to do it again.
1:23:43 - Leo Laporte
He ought to give you a cut of all sales from now on.
1:23:46 - Steve Gibson
Well, the problem is he's not charging me enough or anybody enough.
1:23:50 - Leo Laporte
No, it's a one-time purchase. It's only $139, and. I feel guilty, that that's all I paid for this thing. Don't feel guilty, Steve. You've given him tens of thousands of dollars in publicity. You've sold more of this product than anybody.
1:24:02 - Steve Gibson
It is so good. I was so glad to see this question because you know, and actually I've just had a ton of use of it in the last week the more I use it, yeah, and the more impressed I become, you know. Okay, so the system is Nuevo Mailer N-U-E-V-O-M-A-I-L-E-Rcom, nuevomailercom, and, as with anything new and sophisticated, I have to admit it took me a while to fully grok the way it works, but the more I've used it, the more I've grown to appreciate its power. It can be used in a simple production capacity, such as sending out a weekly mailing or, as I would describe it, as an emailing workstation, which is the way I've been using it as I've been shepherding GRC's creaky old email list through today's hyper spam focused email climate. Anyway. So again enuevomailercom. It is just so great. I've gotten to know its author, a Greek author named Panos. His name actually has about 17 more syllables, but Panos is the beginning of it and it's just. I'm so happy with my choice.
I just want to let you know that I received the Spinrite 6.1 upgrade email earlier today in my AOL slash Verizon inbox. It did not end up in my spam folder, he said. I've been a dedicated listener of Security Now, since episode number three, nat routers as firewalls. I'm also a proud Spinrite owner and user and I've successfully recovered priceless files for friends and family. Even as an avid listener, I shouldn't admit this, but I've recovered some of my own files that weren't backed up. Now, after the latest use of Spinrite, my SSD is transferring data like it's new again. So anyway, naturally all of that was music to my ears.
Over the past couple of weeks, but primarily last week, as I just mentioned, I've been working to get 20 years of past Spinrite 6 owners notified of the availability of a no charge upgrade to 6.1. The availability of a no charge upgrade to 6.1. I published. I finished that work on Thursday.
Everything went well, but Microsoft appeared to be unhappy with a level of spam complaints which which or or bounces from emailing to these very old you know 20 years ago email addresses. I have a test list of 53 people from GRC's news groups who volunteered to receive various test mailings while I've been working to bring all this up and get it working On Saturday. So I did the mailing on Thursday mailing on Thursday. On Saturday, a test mailing to that list of 53 bounced back all actually it was six of those people whose domains were handled by Microsoft. So Outlookcom, hotmailcom and Liveca all were rejected from GRC. So I found Microsoft's Postmaster Tools and asked about the block on our sending domain. Their reply the next day, on Sunday, was they had no record of any block. So I did another test mailing and sure enough, none of those emails bounced again.
1:27:52 - Leo Laporte
It's a miracle.
1:27:55 - Steve Gibson
But they did go to the user's junk folders. So even though Microsoft let them through the front door, they sent them into the back room. So I would not be surprised. I mentioned at the top of the show that we're just shy now of 10,000 subscribers to the Security Now list. So last afternoon, slash evening, I sent out the mailing for today's podcast to nine thousand nine hundred and seventy seven or something Listeners. If you don't, if you didn't see it and you're a Microsoft user, look in your outlook dot com, hotmail dot com, live dot, whatever com, or CA, whatever com or ca. Uh, and if you do me the favor of marking it as not junk, that would be great, because at this point I think that's the only way we have of telling microsoft okay, we're sorry. Uh, we're not going to do that again, but we did manage to get out. You know 20 years of email and it's been really fun, leo, to see, see people's replies. Oh, that's so great. They're like Spinrite, you've got to be kidding me.
1:29:05 - Leo Laporte
You're still around. That's still alive. I get that all the time. You're still alive All the time. By the way, I said I would ring a bell when we hit 100 degrees. Oh my we are at 101 here in the Twit Attic studio.
1:29:23 - Steve Gibson
Man, I want to go back.
1:29:25 - Leo Laporte
I want to go back to the Eastside studio. Please. Where's my AC?
1:29:30 - Steve Gibson
All right, Okay, One last piece about sci-fi. This was from John Salina Jammer B. He said Hi, Steve, I understand not wanting to start it, oh, and he's referring to Peter Hamilton's book To start it until the series is complete. That's what I do with Frontiers Saga. I like to read all 15 books back to back. And he said parens, three more episodes, meaning three more books, and I can devour part three. And he said but it's Peter F Hamilton.
He loves Peter F Hamilton he said, I'm halfway through, looking forward to rereading it before part two comes out, enjoying it immensely. I will say it's great to have a book that is hard to put down. I have many things I can be doing with all my free time. I can tell you that getting back into this book is always at the top of the list. And then he signed off. It's a little weird looking in from the outside of Twit. It's a little weird looking in from the outside of Twit, but I will continue enjoying all the content Twit produces. Take care, john.
1:30:49 - Leo Laporte
So thank you.
1:30:50 - Steve Gibson
Jammer.
1:30:51 - Leo Laporte
Yeah, you know what he did the same thing with the last one. He just basically reads it, puts it down when the new one comes out, re-reads the whole thing. He's an inveterate reader. He's, like you, a Kindle guy and he doesn't mind. He likes to pick it up and do it again. And we missed you, Jammer B.
1:31:09 - Steve Gibson
Yep, I think I'm on my maybe my fourth reread of the earlier books of the Frontiers saga. I mean, I kind of know what's going to happen, but the characterization is so good? Yeah, it's just, I mean people re-watch movies because they see them as art, right, I mean like beautiful productions, and this guy can really write.
1:31:33 - Leo Laporte
My only problem is I don't read that fast. And so there's so many things I want to read and I just I don't want to reread something because I think, well, I'm missing something else.
1:31:44 - Steve Gibson
but you know what, john, you convinced me, I'm going to get the new peter f hamilton and I'll just reread I think I'm going to do the same thing I I'm going to, I'm going to read the, I'll read it, and then it's like, fine, well, and we did that with pandora's star right, we read the first one and then it was like. And then when Judas, unchained, finally came out, it was okay, read the first one again. And now we slide right into number two.
1:32:10 - Leo Laporte
I will miss it. John worked for us for almost 20 years. I will miss John's. So funny I would go into the studio and go oh I can't. I want to tell you. I can't tell you Because he'd read this stuff ahead of time. He loves it so much. You know what. I'm going to read it. I'm going to read it, and maybe John will do John's book club, because he always liked Stacy's book club. We could do John's book club and do the PDF. Hamilton. How about that? All right, we're going to talk about recall and Microsoft's made yet more changes, but is it enough? Steve will have the inside story.
1:32:44 - Steve Gibson
Lipstick on a pig.
1:32:46 - Leo Laporte
It's still a pig. Our show today, this episode of Security Now brought to you by ThreatLocker oh, this is. I love ThreatLocker because it makes zero trust easy to do. If zero-day exploits, there's good and bad, there's zero-day and zero-trust, one's bad, one's good, zero-day exploits and supply chain attacks we've been talking about that lately. Keep you up at night, worry no more, because you can harden your security. Make it impenetrable, really with ThreatLocker security. Make it impenetrable, really with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. There are some airlines who don't use it and maybe they should have.
Imagine taking a proactive deny-by-default. This is the key of it right Deny by default approach to cybersecurity. You block every action, every process, every user, until and unless authorized by your team. It's magic. Threatlocker helps you do this and provide a full audit as well of every action for risk management and compliance. And you will love their 24-7 US-based support team because they're there to get you on board. They support your onboarding fully and then they stay with you the whole time. So it's easy to implement and it's so effective.
Stop the exploitation of trusted applications within your organization. Keep your business secure and protected from ransomware Organizations across any industry can benefit from Threat Locker's ring fencing that's what they call it by isolating critical and trusted applications from unintended uses or weaponization, limiting attackers' lateral movement within the network. Threat Locker's ring fencing works so well. I'll give you an example. Do you remember the 2020 attack on SolarWinds Orion? Ring fencing stopped it for ThreatLocker customers. Threatlocker's ring fencing foils attacks not stopped by traditional EDR, like that 2020 cyber attack on SolarWinds Orion. Threatlocker works on Macs too, so you're not left out.
I'll tell you what. This is the way to do it Zero trust, zero knowledge. It's perfect. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively. Threatlocker's Zero Trust Endpoint Protection Platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. It's really the only way to do it. Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at ThreatLockercom. That's ThreatLocker T-H-R-E-A-T, threatlocker L-O-C-K-E-Rcom. It's the right way to do zero trust, threatlockercom. All right, speaking of right and wrong, it's time to talk about Microsoft's recall.
1:35:52 - Steve Gibson
Still, a pig. Our listener, mike, wrote Leo and Steve. While I can see some value in having a personal AI running from a user-created and selected database, I see far, far more danger in this, both currently and in the future. I believe that it would require a redesigned PC and OS. It could involve partitions or multiple memory devices. It could also involve multiple data-incompatible OSes and CPUs, perhaps running in some kind of sandbox. It must be air-gapped from the Internet and it certainly cannot be connected to an MS account. Authentication would be local only, perhaps with a YubiKey when querying the AI. It would be independent of any Windows lacking security functions. An application running alongside but not actually in Windows, most likely different application for storing and retrieving data as well. Just doodling some ideas, signed Mike. Okay, so that sort of sets things up here. Things up here.
Way back when the internet happened, microsoft had ramped up to compete with AOL, compuserve, the Source and other dial-up services. At the time, microsoft had what they were calling MSN, their Microsoft Network. The sudden surging interest in the internet appeared to take Bill Gates and company by surprise. Windows at the time had local area networking with Microsoft's own LAN manager and with third parties such as Novell, but there was really no sort of WAN networking. So they found a TCP IP stack somewhere, hung it onto the Windows that they had and put Windows onto the Internet. The only trouble was the phrase Windows. Network Security at the time was an oxymoron, and that was the motivation for my own initial entry into the world of online security with the creation of Shields Up, to show people that if they had previously shared their C drive on the private LAN, then now the entire world could see and browse around inside their machine's C drive. The sudden appearance of the internet represented a discontinuity in the use of Windows. Microsoft was caught off guard without a good solution, so they shipped what they had, despite the fact that it was a total security disaster, had, despite the fact that it was a total security disaster In the beginning. When Shields Up was born, my web server was showing its visitors the contents of their hard drives in a browsable tree. It was all accessible publicly, which is hard to imagine today, but that was Windows on the internet in the beginning.
So I was reminded of this by analogy, because recall represents a similar discontinuity in the use of Windows. This is due to the fact that having an agent locally storing its user's entire computer usage history in machine accessible form is not something that has ever been done before and it represents a massive change in the system's security profile. It's not sufficient to say, oh, we'll just encrypt it or don't worry, it's protected by Windows Hello. Anyone trained in security knows that none of that is anything but feel-good nonsense. It's salve for the masses.
Just as once upon a time, windows had never needed to have any kind of network security that was required to safely attach it to the Internet, windows has never needed to have any kind of network security that was required to safely attach it to the internet. Windows has never needed to have the kind of local desktop security that's required to allow it to safely accumulate and protect all of its users past activity over time. The good news is these fundamental truths were self-evident to anyone and everyone trained in security, and pretty much all of them started screaming and posting when Microsoft blithely dropped a functioning recall beta into Windows CoPilot Plus. Pcs without any sort of protection, pcs without any sort of protection. Exactly as back in Windows 95, they hooked Windows to the Internet without any preparation. What's different between now and then is that we've lost our innocence.
Today, the world has 30 years of experience with security and with Windows, and even if Microsoft tends to forget that major new features really do need some peer review, the rest of the world is here to remind them and, thanks to the internet, the rest of the world has a microphone. So last Friday, david Weston, microsoft's Vice President for enterprise and OS security, posted a comprehensive update on the state of recall under the title Update on Recall, security and Privacy Architecture. My first reaction to what they have done is to judge, to judge this as extremely impressive. Microsoft clearly has some big guns who could not have been involved in recalls initial design. There was no sign of them then, but they are now, and any reading of recalls new protection system design would have to be prefixed with the statement to the rest of the security industry message received, wow that's great, that's impressive.
1:42:15 - Leo Laporte
Yes.
1:42:16 - Steve Gibson
Now don't read this. As you know me, assuming not, I will now be running recall on my machines don't be confused.
In the first place, only windows 11, apparently, will offer that option, and I'm only now beginning to feel really good about windows 10. Yeah, so you know I'll be recall free for the foreseeable future. Actually, I'll probably be running Windows Server 2022. So I'll be stuck there, happily. But I know that many of our listeners, their friends, their families and others whose security they care about will be running recall, so it's definitely worth updating ourselves on what Microsoft has wrought. Okay, first off, on the all or nothing front, it appears that the option to remove recall entirely, which our listeners will recall we talked about a few weeks ago someone at microsoft said was a bug, not a feature. David is not saying the same. He says, in fact, removing recall entirely is a deliberate feature.
1:43:38 - Leo Laporte
Nice, that's huge, yes, huge.
1:43:40 - Steve Gibson
Yes, you can. Under that that that Windows features and options, there will be a checkbox. You can uncheck it and say update Windows and recall. All trace of it will be gone. So David's posting says under, the user is always in control. He wrote recall is an opt-in experience. During the setup experience for Copilot Plus PCs, users are given a clear option whether to opt in to saving snapshots using recall. If a user does not proactively choose to turn it on, it will be off and snapshots will not be taken or saved. Users can also remove recall entirely by using the optional feature settings in Windows. Ok, now that said, microsoft clearly wants everyone to turn this on.
David's posting shows a screenshot of the recall offer, at least as it stands today, and of course it's all glowing happiness. The screen that comes up has the catchy offer unlock your photographic memory with recall. And it reads if you allow recall to save snapshots, an image of your screen will be saved every few seconds. This will create a photographic memory for you of the apps, websites, documents and images you've seen on your PC. Then we have three benefits articulated here. First easily find what you need. Benefits articulated here First easily find what you need. Scroll through a timeline of your snapshots or describe what you're looking for, even text or images, within a snapshot. Two pick up where you left off From a snapshot. You can seamlessly return to documents, images, emails and webpages as you left them. And three, you're always in control. You choose if and when snapshots are saved and only you can access them. In Settings, you can choose which apps and websites to filter out of snapshots, delete snapshots or change recall settings anytime. The page concludes with the question start saving snapshots of your screen on recall question mark, with the options to learn more or yes, save or no, don't save.
Okay, that all sounds great, and we didn't expect Microsoft to laden their invitation with any concern over the security of the system's stored snapshots. Right, I mean, after all, you know, it says under the third benefit that only you can access them. So okay then, that only you can access them. So okay then. But here's where we get into the part that impressed me and which made it clear that what is now being presented came from some other place entirely than the initial, entirely lame first recall beta preview.
Here's what Microsoft has engineered, after clearly awakening to the fact that there really is an awesome responsibility associated with gathering and locally storing all of this potentially very personal and private data. They highlight three features. First, sensitive data in recall is always encrypted and keys are protected. Okay, that's an easy claim, but then they elaborate. Snapshots and any associated information in the vector database are always encrypted. The encrypted keys are protected via the trusted platform module tied to a user's Windows Hello enhanced sign-in security identity and can only be used by operations within a secure environment, called a virtualization-based security enclave. A virtualization-based security enclave, that's VBS Enclave, and I wish it wasn't VBS, because that sounds like Visual Basic Script, which is anything but rigorous.
1:48:10 - Leo Laporte
Microsoft's a master of overloading, I tell you they constantly do that.
1:48:14 - Steve Gibson
So virtualization-based security enclave. So they they finish this point saying this means that other users cannot access these keys and thus cannot decrypt this information. Second, recall services that operate on snaps and associated data or perform decryption operations reside within a secure VBS again virtualization-based security enclave. The only information that leaves the enclave is what is requested by the user when actively using recall, and third users are present and intentional about the use of recall. Recall leverages Windows Hello enhanced sign-in security to authorize recall-related operations. This includes actions like changing recall settings and runtime authorization of access to the recall user interface. Recall also protects against malware through rate-limiting and anti-hammering measures. Recall currently supports PIN as a fallback method only after recall is configured, and this is to avoid data loss if a secure sensor is damaged. That is the use of a pin. So you have that as a fallback if the Windows enhanced sign-in security cannot be satisfied because of a sensor failure.
Okay, so all that means that Microsoft is using its hypervisor-based machine virtualization to create a fully isolated you know as isolated a container for this information as is possible, without requiring an entirely new hardware design. Microsoft explains what this means under their recall security model and the fact that they actually have a recall security model. That's new too. So they wrote recall snapshots and associated data are protected by secure, virtualization-based secure enclaves. Vbs enclaves use the same hypervisor asation protocols to safeguard that the environment is secure before performing sensitive operations such as snapshot processing. This area acts like a locked box that can only be accessed after permission is granted by the user through Windows Hello can only be accessed after permission is granted by the user through Windows Hello. Vbs enclaves offer an isolation boundary from both kernel and admin users, so no level of normal privilege escalation gets you across that barrier.
Recall snapshots are available only after you authenticate using Windows Hello credentials, specifically Windows Hello enhanced sign-in security. Biometric credentials protect your privacy and actively authenticate you to query your semantic indices and view associated snapshots. And view associated snapshots. Biometric credentials must be enrolled to search recall content. Using VBS enclaves with Windows Hello enhanced sign-in security allows data to be briefly decrypted while you use the recall feature to search. Authorization will time out and require the user to re-authenticate access for future sessions. This restricts attempts by latent malware trying to ride along with a user authentication to steal data.
Okay, so I'll just interrupt to note that none of this was present before. What they released earlier wasn't. You couldn't even call it half-baked, it wasn't even warm. They then repeat the various UI features as privacy controls, sn know, snapshot saving can be stopped and resumed, snapshots can be deleted, private browsing will never be recorded, et cetera. But what really makes the difference here is recalls security architecture, and this is properly where most of their effort has been invested. The core components of the recall architecture Again they actually have a recall security architecture are the following so there's secure settings.
They explain a protected data store used within the, the virtualization based security enclave which stores security configuration data for recall. To make any changes to security-sensitive settings, a user must authorize the actions taken within the enclave to prevent malicious tampering. In addition, the settings are secure by default, meaning if tampering is detected they will revert to secure defaults. So if the system is not sure about anything, it snaps to full security by default. Again, that's proper security design. Also, there's the semantic index. They explain the semantic index converts images and text into vectors for later search. These vectors may reference private information extracted from snapshots. So these vectors are encrypted by keys protected within the virtualization-based secure enclave. All query operations are performed within this VBS enclave.
Then we have the snapshot store that contains the saved snapshots and associated metadata, including any launch URIs provided by apps integrating with recall user activity API. Now I'll get to that in a minute, because my eyes went what Recall user activity API? This is the first we've heard of an API, they said, as well as data like the time of the snapshot, title, bar string, app, dwell times, etc. Snapshot title, bar string, app, dwell times, etc. Each snapshot is encrypted by individual keys and those keys are protected within the VBS enclave. Again, each snapshot is encrypted by individual keys and those keys are protected within the virtualization-based secure enclave, within the virtualization-based secure enclave. Then there's the user experience, the UI experience that users leverage to find things they've done on their PC, including timeline search and viewing specific snapshots. And finally, the snapshot service Background is a background process that provides the runtime for saving new snapshots, as well as querying and processing data returned by the VBS enclave.
Recall's storage services reside in a virtualization-based secure enclave to protect data Keys and tampering from malware or attackers operating on the machine. Recall components, such as the recall UI, operate outside the VBS enclaves and are untrusted in this architecture. Again, somebody really thought this through and they did this right, because the snapshot service, they wrote, must release information requested by a user by design. A key tenant of the design is to reduce the potential for exfiltration of data outside the normal use of the recall system. Processes outside the virtualization-based secure enclaves never directly receive access to snapshots or encryption keys and they only receive data returned limit the impact of malicious queries. The snapshot service is a protected process further limiting malicious access to memory containing the data returned from the query. Outside the virtualization-based secure enclave, protected processes are the same technology used to protect anti-malware and the Windows LSA host from attacks. Lastly, the Recall virtualization-based secure enclave leverages concurrency protection and monotonic counters to prevent malicious users from overloading the system by making too many requests. Loading the system by making too many requests.
Okay, so it should be completely clear that what we have today is no longer a set of SQL database files containing the user's history snapshots that were found lying around in a user's private directory in that initial public preview release. This is an entirely new ballgame. One thing there that caught my eye was the mention of a recall user activity API. Huh, what's that? Some poking around discovered that this is the means by which it's possible to have recall, return to some past situation and allow the user to pick up from there, skeptical about Windows' ability to do that, since it would have required snapshotting not just the system screen but its entire running context, and that's just not possible or practical in any way. It turns out that this Recall User Activity API is the means by which apps which have been modified to be recall-ready can cooperate with recall to make that sort of rewind to a past state possible For developers under the heading Use Recall in your Windows App. Microsoft Explains, they said, for those who opt in.
By enabling recall and snapshots in settings, windows will regularly save snapshots of the customer's screen and store them locally. Using screen segmentation and image recognition, windows provides the power to gain insight into what is visible on the screen. As a Windows application developer, you will now be able to offer your users the ability to semantically search these saved screenshots and find content related to your app. Each snapshot has a user activity associated that enables the user to relaunch the content. A user activity refers to something specific the user was working on within your app. For example, when a user is writing a document, a user activity could refer to the specific place in the document where the user left off writing. When listening to a music app, the user activity could be the playlist that the user last listened to. When drawing on a canvas, the user activity could be where the user last made a mark. In summary, a user activity represents a destination within your Windows app that a user can return to so that they can resume what they were doing. To engage with a user activity, your Windows app would call user activity dot create session. The Windows operating system responds by creating a history record indicating the start and end time for that user activity. Re-engaging with the same user activity over time will result in multiple history records being stored for it. Okay, so that explains a lot about how this can possibly work. In short, it doesn't Until and unless the apps the user is running explicitly add support for it. I'm sure users will be able to turn back the clock to look at what they were doing and to read saved screens, but jumping back into an app at that point in time will require explicit support from the app. I'm sure that Edge and Office and Microsoft's Windows apps will all offer this and it might, you know, become a competitive feature that other apps will need to remain at feature parity with the things that Microsoft is doing. We'll see how that goes. That I don't want to skip over in the interest of presenting the whole story Under additional architectural properties that are key to security.
For recall, microsoft adds under bound and verified virtualization-based secure enclaves, they said, encryption keys used by recall are cryptographically bound to the identity of the end user, sealed by a key derived from the TPM of the hardware platform there, and are performed entirely within the trusted boundary of virtual trust level 1, vtl1. Under virtualization-based security VBS, they said, the hypervisor provides the secure enclave environment which loads integrity verified code into a confidential and isolated TEE, which is a trusted execution environment. Recall only operates on co-pilot plus PCs that meet the secured core standard and include the following capabilities by default, which are verified by Recall BitLocker on Windows 11 Pro and device encryption on Windows 11 Home. Trusted Platform Module TPM 2.0. Tpm provides the root of trust for the secure platform management of keys used by the secure enclave and additional platform hardening primitives such as unforgeable monotonic counters. The point being they know that the recall data gets stored on the user's hard drive. It will be strongly encrypted at rest. Also, virtualization-based security and hypervisor-enforced code integrity Measured boot and system guard. Secure launch. If a machine is not booted securely, it cannot attest to the system's security state and release keys which can unseal content previously protected, thus mitigating early boot attacks. And finally, kernel DMA protection against peripheral attacks must be present and will be verified before recall will unlock.
And finally, and significantly AI in mind, we have also conducted a set of thorough security assessments of the feature. This includes the following efforts to ensure a thoughtful and secure approach. They have three points. The Microsoft Offensive Research and Security Engineering Team, morse, m-o-r-s-e, has conducted months of design reviews and penetration testing on recall. Second, a third-party security vendor was engaged to perform an independent security design review and penetration testing. Good, good, yes. And third, a responsible AI impact assessment was completed which covered risks, harms and mitigations analysis across our six RAI. That's responsible AI impact RAI principles fairness, reliability and safety, privacy and security, inclusiveness, transparency and accountability. They said a cohesive RAI learn and support document was developed for increasing awareness internally and external. Facing RAI content was published to drive trust and transparency with our customers.
Sql files, as I said, stored in a user's private directory. That it should be abundantly clear that today's recall implementation bears no resemblance whatsoever to the disaster waiting to happen that Microsoft originally proposed. This is why I felt it necessary to give Recall's re-rollout an entire podcast topic of its own. It would not be fair to Microsoft for our opinion of Recall to remain colored by that first impression.
The difference between then and now is so stark that I have no explanation for what that first thing was from, where it came from or who did it first pass proof of concept that some idiot in marketing insisted upon shipping immediately because it was so amazing. You know, yes, it's amazing, but it could also never have been safe and never could be safe unless it was also implemented correctly. Fortunately, the entire security industry rose up and collectively said what the actual F? And got Microsoft's attention. What we have now, what is protecting recalls, aggregated user data, is a seriously well thought out state of the art security architecture, and they're even you know, they've even had it reviewed by outsiders. Now, even given all that, the number one lesson we have learned about security is that there are no exceptions to this rule is that? Only time will tell whether this will be enough, but at least it looks like it now stands a chance yay so bravo to microsoft yeah they, you know, they know they have a potential.
2:09:22 - Leo Laporte
I mean earth changing feature for windows yeah and I can't explain what that first thing was, but we really need to forgive them because they got it right this time that's really uh, you know that's great, that's good news, very nice, and I'm glad that you were able to come on and give it a once over and say, good, not that you will ever run it.
2:09:51 - Steve Gibson
I will never run it.
2:09:52 - Leo Laporte
And why not, if it's really secure.
2:09:54 - Steve Gibson
I mean okay, first of all maybe Windows 12, because Windows 11 is just one of those like Vista. It's one that you or 8, that you just it's one of those like Vista, it's one that you or 8. It's one of those skip over versions.
2:10:09 - Leo Laporte
All right. All right, steve Gibson, you've done it again, as always, brought together a two-hour and 10-minute extravaganza of security news, and we're so glad that you did it and we're so glad that you all joined us for it. You can watch us do Security Now Live if you want. I mean, you don't need to. You can really listen at your own convenience. But if you want to listen live, we do it Tuesday afternoon right after MacBreak Weekly, which is usually about 1.30 to 2 pm Pacific, 4.30 Eastern Time, 20.30 UTC. Of course, we're still on summertime. Once we go to off summertime, it'll be 21, 30 UTC. The streams there are seven of them. I have to put my fingers up because I can never remember them all.
If you're in the club, which I hope you are seven bucks a month for ad-free versions of the shows, access to the Discord, a lot of extra stuff. If you're in the club, you can join us in Discord and watch in Discord. Discord is not designed for streaming video, so it's a mediocre quality. Youtube's better. We're also on YouTube youtubecom, slash, twit, slash live. A lot of people watch on Twitch and I see a pretty active Twitch chat room there. We watch all the chat rooms, by the way. So your thoughts and your comments. I don't put them in the show anymore because so many people complained, but I see them and if I wanted to, I have the capability. So twitchtv, slash twit. We're also in Kik. We're working on Telegram. I'd like to be in Telegram, but right now it's xcom facebook linkedin.
Oh, I lost count. I think I got them all. You can watch live and then you can enjoy it. Uh, if you want, after the fact, by going to the website. Now there's two ways, two places you can get it.
Steve, of course, has a copy of the 64 kilobit audio at his website, grccom, but he also has something we don't have, which is a 16 kilobit version. Sounds a little scratchy, but it's a small file size. So if you're bandwidth impaired or limited, maybe you're downloading on a cell site or whatever. Grccom has that. He also has those transcriptions by Elaine Farris that are great, so you can read along as you listen, and he has the show notes there. Although, if you subscribe to his mailing list and it's easy to do that go to GRCcom slash email, validate your email so you can email him, but you can also check the boxes there. They're unchecked by default, but you can check the boxes there to get the show notes emailed to you, sometimes as early as the night before, and you can see the picture of the week and you can read along as you listen.
All of that is GRCcom. He also has Spinrite 6.1, the world's best mass storage, maintenance, performance enhancing and recovery utility a must-have. If you've got mass storage, you have to have Spinrite latest version 6.1. If you've ever bought it, the upgrade is free. You probably have an email somewhere in the spam folder from Steve. Who's this guy? What? That was a long time ago CompuServe.
Yeah, my CompuServe address. If you don't remember your CompuServe address, it's okay. You still have a way of going to the website and validating that you have the serial number and you can get your upgrade. Yep, but you should buy it because it says bread and butter and it is well worth it. There's lots of other stuff that's not for sale there, like valid drive to check your this, the actual size of the usb key you buy on amazon you might want that and shields, up and on and on and on. All available somebody. Somebody was asking in the chat room for uh oh, what was it? Was it security? Was it trouble in paradise? It was some really old program. Is everything you've ever offered on your website?
2:13:57 - Steve Gibson
some really creaky ones are gone, but most of them are still there, so browse around.
2:14:02 - Leo Laporte
He was like I can't remember what he was looking for Something really old. Anyway, grc GibsonResearchCorporationcom there's a feedback form there as well. There's all sorts of great stuff. We have the 64-kilobit audio on our website, but we also have video. If you want to see how beautiful Steve looks, the gorgeous Steve Gibson, then you can download the video from our website. Twittv. Slash SN for security. Now You'll see a link there at that page for the YouTube channel. There's also a YouTube channel.
Great way to share clips. I think this is one of those shows where Steve says things and you go, my boss has to hear this. My team has to hear this. My mom has to hear this. Something Great way to do that is share clips. Everybody can has to hear this. My mom has to hear this. Something Great way to do that is share clips. Everybody can get to YouTube and they have a little clip thing that lets you just share a bit of it and it helps us promote the show. So please be feel free to do that. There's also, of course, a podcast version you can download. Just get your favorite podcast player and subscribe to security. Now, 994 episodes. They probably have it by now, uh, so uh. However you consume it, I hope you will, and of course, we always look forward all week long to tuesday to see what steve's got for us. Thank you, steve.
2:15:15 - Steve Gibson
Great show, as always, uh I downloaded the new pgf episodes and we're at 999 99999.
2:15:23 - Leo Laporte
Woo-hoo, sunday is Twit 1000. Nice, and Patrick Norton is going to join us. Robert Herron, two of the three people on the original Twit, kevin Rose cannot. He sent us a video but he cannot because he's on a walkabout in the UK so he will be away from all bandwidth. But we will have fun on Sunday for the 1,000th episode. Do you want to do something for the 1,000th? Security now as we begin a new era, the four-digit era? I'll send you a cake. How about that? I don't know what to do. Balloons.
2:16:01 - Steve Gibson
The fact that we're still here is present enough.
2:16:04 - Leo Laporte
It's pretty amazing, pretty amazing, thank. Thank you, steve.
2:16:08 - Steve Gibson
have a great weekend see you. Next see you next bye.
