Security Now 995 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson, our guru of security, is here with some surprising news. Turns out, meta hasn't been bothering to hash its passwords for some time. Paypal's about to sell your purchase histories. Steve explains how to stop that. And then, finally, we're going to explain this whole kerfuffle over Manifest V3, this whole kerfuffle over Manifest V3, the inability to use uBlock Origin with Chrome, and a little download that will keep you using uBlock Origin at least for another six months. All that and a whole lot more coming up next on Security. Now Podcasts you love From people you trust.

This is twit this is security now with steve gibson, episode 995, recorded tuesday, october 8th 2024. You block origin and manifest v3. It's time for security now, the show where you get together and talk about your privacy, your security, your well-being online with our well-being professor, dr steve gibson actually, because we're going to mention vitamin d briefly today, uh-huh it is a bit of a well-being podcast lisa's doctor said I want you to do at least a thousand.

I use, I do five thousand daily. I said we'll just use mine. That's what you said. Make sure it's a good provider. Uh, but uh, he says and, and, and. Because she's a menopausal woman, calcium and vitamin d are very important, in fact, for those of us who no longer our skin, no longer manufactures vitamin D from the sun, and because we're told don't go in the sun, whatever you do.

0:01:56 - Steve Gibson
Or we'll be scraping things off of your skin later in life.

0:02:00 - Leo Laporte
I'm going to the dermatologist at the end of the month. I asked my doctor. I said do you think this is a problem? He took a picture with an iPhone with a special lens on it. He said let's get our camera in. It was an iPhone, but it had a special lens on it and they took a picture like that and sent it to the dermatologist. Got a call the next day from the nurse. She said it's not cancer, but we would like to see you. Okay, I think I'll be getting scraped at the end bring your wallet.

Bring your wallet. Steve what's coming up today on security.

0:02:34 - Steve Gibson
Okay, so uh, we've got some follow-up on something we talked about several years ago, about meta having been found not to be bothering to hash their login, their users login passwords, which is just like what in this day and age? Really, it's unbelievable. Yes, also, paypal is going to begin selling its users purchase histories. Unless we turn that off, however, leo, because you and I are both in california, we don't have to turn it off anyway. We'll be talking about that. There's also two other states that all are not don't have to opt out. They are auto opted out. We have broken we meaning bad guys broken 2021's record for the maximum DDoS size.

0:03:34 - Leo Laporte
Not a good record.

0:03:36 - Steve Gibson
Not a good record. It didn't last very long, but, boy, if those wires could melt, this would have melted them. It's also National Cybersecurity Month. When was the last time you updated your router's firmware? North Korean hackers there's more news about these guys successfully posing as domestic IT workers. Also, we're going to pose and answer the question why would a security-related podcast ever talk about vitamin D? Also, what's another way? The recent Linux cups vulnerability has been found to be weaponizable. Oh boy, what's the secure consumer Wi-Fi router of choice today? Oh, that's a listener question that we're going to answer.

0:04:23 - Leo Laporte
I have an answer too, which is what we use, but keep going, okay, yeah.

0:04:27 - Steve Gibson
And also what should be done to further secure it after its purchase and recent troubles with Gore Hill, our good friend Gore Hill. You know if John Dvorak wrote software? That would be Raymond Hill, raymond's a little cranky, just a little cranky, yes, so recent troubles with him he's Ublock Origins' dad and specifically it's a light edition have shined some light, and I don't know if you would say shown. Is that shown? Some light has shone. Has shone some light, and I don't know if you would say shown, is that shown?

some has shone, has shone, has shone some light on chrome's coming content blocking add-on restrictions. It turns out I've discovered a way of postponing the inevitable. Oh good, at least you get till next summer. Uh, we're going to look deeply at what's going on and what can be done. Oh good, and since fully half of the podcast is going to be that rather entertaining discussion, we'll move our ad inserts appropriately.

0:05:37 - Leo Laporte
Well, I'm very interested in this Manifest V3. It feels like Google doesn't want you to run an ad blocker. I wonder why it feels like Google doesn't want you to run an ad blocker. I wonder why, but you know it would be a reason for me to abandon Chrome. Frankly, if I can't run uBlock Origin, Yep, I don't want to go out on the web without it. All right.

0:05:58 - Steve Gibson
It's going to be a good show plus a picture of the week. I haven't seen it. It's already had some great feedback. Already had some great feedback. I uh, uh again. I'll just note to all of our listeners that uh, 10, 100 and some odd of our listeners received the show notes, the picture of the week.

0:06:14 - Leo Laporte
Yeah, last night I'm sitting there watching a movie with lisa.

0:06:18 - Steve Gibson
She said, oh, the show notes are here, so apparently lisa subscribes too yeah, well, la Laurie has been bugging me for years to start sooner so that I'm less in a froth and a panic. That's what I told her.

0:06:33 - Leo Laporte
I said this is the new Steve Gibson.

0:06:35 - Steve Gibson
Yes, this is probably the married podcaster Awesome.

0:06:41 - Leo Laporte
Well, we love our wives and, thank goodness, they're keeping an eye on us. So our picture of the week coming up in just a bit, plus the bulk of the show. But before we get started, steve, I'd love to mention our sponsor for this segment of Security Now, and a company you know well. Both of us switched to Bitwarden not so long ago. Long ago, the open source password manager, which offers a cost, effective in many cases free solution that could dramatically improve your chances of staying safe online. That's more important than ever. Right now.

We're in the middle of prime days uh, cyber monday's coming up, black friday, a lot of holiday shopping and this is when the bad guys come out in force, trying to spoof you, trying to get you to enter your credit card information, your contact information, your passwords, in what looks like real websites, but they're not. They're phishing sites. They're spoofing you. This is where bit warden is so wonderful. In fact, they've just announced the expansion of this inline autofill that they do. You know where they they? Uh, they automatically fill in your password, of course, but now they can also. They have cards, credit cards in there, identities you know, addresses and so forth, even pass keys, and by expanding this capability. They're protecting you because the autofill will only work if you're on the actual site, not a phishing site, not a spoof site. So this is huge.

Now, look, I know, if you listen to security now you're probably already using Bitwarden. You're certainly using a password manager. But I tell people who watch this show all the time, your friends and family probably aren't right. This is something we all suffer with. Where you're over at your aunt's house or your sister's house or your brother's house and they say, oh yeah, I don't need a password manager, I have a. I remember my password perfectly. It's my dog's name, my mother's maiden name and my zip code. And you go what do you? You use that every. Yes, what do you? No, don't worry, I add a. I'd add one to it every once in a while just to throw the bad guys off. No, you need a password manager. And then they say, oh, I don't want a password manager, it's too complicated, too hard to use, too expensive.

Let me tell you something Bitwarden is awesome, whether it's at home or at work. In fact, for our individual user, it's free for life because it's open source. It's free forever. Unlimited passwords, unlimited platforms iOS, android, mac, linux, windows, everywhere, pass keys, hardware keys like the YubiKey all for free, forever, because it's open source. But it's also great for business. For instance, does your business use SSO? You get unparalleled SSO integration and flexibility with Bitwarden. You can quickly and easily safeguard all your business logins using your single sign-on security policies your policies. Bitwarden is fully compatible with SAML 2 and OIDC and Bitwarden makes the integration super smooth with your existing solutions, so you don't have to change anything. It's fantastic. Your existing solution, so you don't have to change anything. It's fantastic.

Thousands of businesses, including some of the world's largest organizations, trust Bitwarden to protect their online information Because Bitwarden is open source. That code can be inspected by anyone and is regularly audited by third-party experts. I think that's why anything with crypto should be open source because you want to make sure there's no back doors, there's no errors, that you know they're doing it right and bitwarden does it right. Switching to bitwarden is easy. It just takes a couple of minutes. They support importing from most password management solutions and if it's uncle joe, they will help him change all of those lousy passwords he's been using for years with long, strong, unmemorable passwords that he only uses once per site. It makes it very easy.

So what are you waiting for? Get started with Bitwarden's free trial of a Teams or Enterprise plan for your business or, as I said, get started for free across all devices as an individual user at bitwardencom slash twit. Bitwarden does everything I want for free. I pay 10 bucks a year to be a premium user just because I want to support them. This is an open source project you will want to support and you'll want to use bitwardencom slash twit. And please tell Uncle Joe bitwardencom slash twit. It's free, joe, it's free, it's freecom. Slash twit and please tell uncle joe bitwardencom slash twit. It's free, joe, it's free. All right, I'm ready.

0:11:19 - Steve Gibson
Steve picture of the week time we didn't talk about this before, uh, but and I assume you have not yet seen it I have just seen the headline modern product packaging can be a challenge.

0:11:30 - Leo Laporte
Yes, all right, so okay, okay, okay, now, together, we'll look at this together. I'm sorry, it's hard, not to hard, not to laugh here. Wait a minute, let me get.

0:11:47 - Steve Gibson
You're supposed to laugh.

0:11:48 - Leo Laporte
That's the whole point okay, yeah, uh, you have a pair of scissors and you have those horrible blister pack.

0:11:55 - Steve Gibson
Oh my god and you know I I'm surprised there's not blood on the table. I know they're just awful, yes, yes. So for the those who are not, who don't have the advantage of seeing the picture of the week from the show notes, this shows that some hapless individual used a pair of scissors to open their Logitech corded mouse.

Their logitech corded mouse, no unfortunately where they chose to cut across the package with their scissors, cut the mouse's tail, that is, its cord. Uh, a number of people have replied and said well, that's one way to get a cordless mouse not the right way and not the right way. No, anyway it's just.

0:12:41 - Leo Laporte
This is a great picture because it's probably from a real person, because who hasn't done this right?

0:12:47 - Steve Gibson
this is just actually several people wrote and said, yeah, I've done something like that. It's like they. I mean, they really are awful sometimes they like they. They will hide the instructions for using the thing inside, so when you cut across it you're like cutting the instruction manual in half.

I mean, it's just, it's. It's very convenient for high, high volume packaging, but all of the burden is transferred to the user who, as, as we said, you know you have to like. What I do is I carefully cut around the perimeter, yet then you've got to watch out that you don't get stabbed by the sharp edge of the packaging that has been, you know, cut from by by the scissors. It's just bad. So anyway, uh, thank you. One of our listeners sent this to me. The all the pictures of the week are listener uh sourced, so I I very much appreciate them we're gonna fix this.

0:13:43 - Leo Laporte
Lower Benito, it says Wednesday and it is not Wednesday. It is not so if anybody's watching and saying oh my God, it's Wednesday, no, it's not, but it is the 8th.

0:13:58 - Steve Gibson
It is the 8th, yes, in Ireland have fined Meta 101 million US dollars for their storing of hundreds of millions of user passwords in plain text rather than hashing them, which, of course, as we know, provides both breach and internal employee abuse protection. Ours first reported this conduct and we talked about it five years ago, back in 2019. And at the time, ours used the headline Facebook apps logged users' passwords in plain text because why not? With the subhead unencrypted user credentials stored on Facebook's internal servers as far back as 2012. This sort of shows a problem in general that we see occurring in all different sorts of places, because our technology, the way technology has been implemented, is opaque, and you know, I mean it's true everywhere, right? Like you know, we don't know the plastic that our seat cushions are made of and whether it's outgassing carcinogens. We just hope that they aren't. But you know, how do you know? And we have no idea who is responsibly storing our credentials. We only find out that they haven't been when a breach occurs and all the passwords and and there, and you know, are in plain text and not hashed. Anyway, back in 2019, when we talked about this, facebook said Facebook has mined a lot of data. I'm sorry, not Facebook, ours. Ours reporting said Facebook has mined a lot of data about its users over the years Relationships, political leanings and even phone call logs and it now appears Facebook and this this is in 2019.

May have inadvertently extracted another bit of critical information users' login credentials stored unencrypted, meaning unhashed on Facebook servers and accessible to Facebook employees. Brian Krebs reports that hundreds of millions of Facebook users had their credentials logged in plain text by various applications written by Facebook employees. Those credentials were searched and here's the point that the numbers are just staggering. Those credentials right App login credentials stored in plain text, krebs reported at the time were searched by about 2,000 Facebook engineers and developers more than 9 million times, according to a senior Facebook employee who spoke to Krebs. The employee asked to remain anonymous because they did not have permission to speak to the press on the matter.

No, I would not think they would have permission and of course, I recall this from when we talked about it five years ago, because that facebook has spent these five years, these past five years, quote investigating this. What five years? A heading in ours reporting? They now said meta investigated for five years, you know, but, as I said, this seems to me the term investigated Five years. They've got 2000 engineers who have time to search through their own customers passwords. You'd think they'd have some time to do some investigating of how they're like. Why aren't they hashing anything? How could this, how could this take? Five years is beyond me. If anything, over that course of time, whatever trail there was would have only grown more stale year after year as people who knew the details became less accessible and probably more forgetful, whether conveniently or not. So this feels a lot like Facebook dragging their feet internally and not wanting to give any final result from their investigation.

But in any event, now ours reports that Graham Doyle, ireland's deputy commissioner of data protection, says, quote it is widely accepted that user passwords should not be stored in plain text, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users' social media accounts. And, of course, the other thing we know, unfortunately, is that anybody who is still not using a password manager and while the percentage of internet users who today are using password managers has been going up significantly, still it's a minority, and we know, then, that there's a high incidence of password reuse, so passwords stored in plain text can be used as a starting point for guessing the reuse of those credentials elsewhere. Anyway, ireland has been investigating the incident since Meta disclosed it, and their Commission of Data Protection, which is the lead European Union regulator for most US Internet services Union regulator for most US Internet services finally imposed a fine of one hundred and one million dollars, that's ninety one million euros, this past week. So we can add that to the pile of fines that Facebook has incurred since the EU has been levying fines. Now, I have to say, $101 million is not much compared to the more than $2.23 billion that's 2 billion euros for violations of the General Data Protection Regulation, the famous, or infamous, gdpr, which went into effect in 2018. So that amount includes last year's record $1.34 billion, which is 1.2 billion euro fine, which Meta is now appealing. So I presume though I haven't looked into it since it's not, frankly, that interesting that these fines and we talked about them at the time are due to Facebook storing EU citizen data outside the EU, likely in US-based data centers. In any event, this is all a mess and demonstrates that you know, as an industry. We're still trying to figure out how to do all this stuff so that everybody is happy and we're not there yet.

Okay, now, um, we have an action item opting all of their customers, their users, into merchant data sharing. Notice warning of a forthcoming change to their privacy statement, which will become effective at the end of November, on November 27th. The amendment says under notices slash issued data September 23rd, 2024. Amendments to the PayPal privacy statement becoming effective November 27th. And PayPal clearly explained we are updating our privacy statement to explain how, starting early summer of 2025, so not till next summer we will share information to help improve your shopping experience and make it more personalized for you. The key update to the privacy statement explains how we will share information with merchants to personalize your shopping experience and recommend our services to you. Your shopping experience and recommend our services to you. Personal information we disclose includes, for example, products, preferences, sizes and styles. We think you'll like Information gathered about you after the effective date of our updated privacy statement, november 27, 2024,. Privacy statement November 27th 2024, will be shared with participating stores where you shop, unless you live in California, north Dakota or Vermont. For PayPal customers in California, north Dakota or Vermont, we'll only share your information with those merchants if you tell us to do so. No matter where you live, you'll always be able to exercise your right to opt out of this data sharing by updating your preference settings in your account under Data and Privacy.

Okay, now TechRadar carried the news of this by writing another week. Another online service silently changing its data collection and sharing practices by default. Now I will argue and I'll talk about this in a minute that PayPal is in a different category. But OK, they said. Techradar said that the good news is that you still have time to opt quote. Help improve your shopping experience and make it more personalized for you, right? Yeah, another way for PayPal to generate revenue. We understand the new policy will not just come at the detriment of your privacy, even if you're using the best VPN apps.

But PayPal will start gathering data as early as November 27th, 2024, which is interesting, so right. So they're going to start, they're officially going to start accruing all of the things that their purchasers, their users, do the purchase through PayPal, so I guess, so that there's a nice chunk of it available to offer when they officially start releasing it and, obviously, selling it this coming summer. Do other credit card companies do this? I mean no, no, no, credit card companies don't have access the way PayPal has with the merchant sites where they're present merchant services, and all they get from me is the minimum amount of information required to to to to to transact the, the credit card purchase Nothing, no other information. But PayPal has an information sharing agreement with their merchants as part of all of this.

Anyway, techradar said users appear to be opted in by default, which may be an issue under some privacy regulations like GDPR. After coming across some US-based accounts complaining about this on Twitter, we decided to check, writes TechRadar. If that was the case also for people in the UK, writes TechRadar. If that was the case also for people in the UK, when we accessed privacy settings, the option was automatically toggled on.

It's also important to bear in mind that the policy changes will not apply in the same ways across all jurisdictions and users. For instance, in the UK, the new data sharing is set to be enforced on October 10th, 2024, which you know in two days after tomorrow. A policy update dated July 8th clarifies that for the UK market, quote merchants are permitted to share customer personal information provided to them by PayPal with their service providers. We suggest checking your profile settings as soon as possible to reverse the change if you don't wish your data to be shared. Okay now, I had to read that last part twice. In the UK, paypal will be sharing its users' shopping histories with merchants and, in turn, those merchants will be permitted to share this personal information provided by PayPal with the customer's service providers. So UK-based ISPs who are not PayPal merchants will nevertheless obtain this information indirectly through the merchants who are. Oh, this is disgusting it is terrible.

It's unbelievable. And note that all of these information sharing activities are pretty much guaranteed to be for pay arrangements, right. Paypal is unlikely to be sharing this valuable information with their merchants for free, or if it. If it is for free, then it represents an additional inducement for a merchant to offer PayPal payment. You know the pitch would be offer PayPal checkout and, as an added benefit, we'll provide you with the detailed buying histories of the people who come to your website. So, as it happens, the people who participate in discussions over in GRC's think tank news group know, because I was discussing the pros and cons of it there, that I had recently been considering reducing software purchase friction by adding PayPal checkout to GRC's e-commerce system.

0:29:52 - Leo Laporte
Yeah, a lot of.

0:29:53 - Steve Gibson
Europeans prefer it. Yes, I decided not to in the interest of remaining with a single universal credit card solution. Since I've been using that for the past 25 years, learning of this, I'm certain that I made the right decision, since I would feel uncomfortable using a payment solution that defaults to profiling its users purchasing, since I mean, that's deeply confidential information. And now, I have to say, I use PayPal myself, but fortunately I'm in California and while the nanny state nature of California does occasionally annoy me and interfere with my choices, in this case I was glad to find that indeed, that information sharing switch that almost everyone else will find is on by default was off for me. For anyone who uses PayPal, after logging in, go to settings, which is a gear icon in the upper right If you're using a web browser. Under data and privacy, you'll find the section manage shared info and within that section you'll see personalized shopping. If you select that option, you'll be presented with some description and a big switch. And a big switch and it says let us share products, offers and rewards you might like with participating stores. And then it says and then there's a big switch. Mine was off because I'm in California. Other people will find there's on Starting early summer 2025, we'll be building more personal experiences for you. You can opt in and out of sharing at any time by adjusting this setting. And then there's a link how personalized shopping works. If you click that, I have pictures of all this in the show notes. It shows, it says says how personalized shopping works. We're on a mission to help you find the most relevant products and styles. And it says we'll share recommendations with participating stores based on your shopping history and preferences. Your info helps participating stores show you products, offers and rewards you might like. So, yes, yet another privacy invasion. This is a new section, an option that no PayPal user will have seen before.

Techradar explained that in the US, only residents of California, north Dakota and Vermont will find this turned off by default, with it being on for everyone else, including those in the United Kingdom, underneath that big switch. You know I explained what it says and so you know. I know how this audience, the audience of this podcast, feels about internet privacy, since I've long enjoyed plenty of two-way communication with our listeners, first through Twitter, now through email. So I wanted to be sure that everyone using PayPal in the United Kingdom, probably elsewhere in the world and in the US who does not reside in those three states, knew about PayPal's user purchase data sharing plans in time to preemptively say gee thanks, but no thanks. So flipping that off any time before the end of November will prevent PayPal from ever starting to do this.

So, having said all that, I do also want to acknowledge that both this past Sunday, two days ago, and also the Sunday before, paypal did very clearly notify me through email of these pending changes in a completely above board fashion. In the identical email that I received on those successive Sundays, they wrote our updated privacy statement outlines how we'll use info collected about you after November 27th 2024 to inform participating stores about what products, offers and rewards you might like and that defaulting to opt in, defaulting to opt in, we'll see most people simply glaze over, delete that email without pursuing it, because you know we're constantly getting updates about this or that you know privacy statement being amended. In fact, during my walk yesterday evening with Lori, I mentioned this to her and she just said yeah, I don't ever read those. I said yeah, no one does Right.

0:35:09 - Leo Laporte
Yeah, that's why I mean you read your email. Most people go oh, it's just more solicitations, I don't need it, Right.

0:35:39 - Steve Gibson
Exactly To me. This feels extra troublesome because this is a service that I have used simply because I recognize. You know how I see how glad I am when some random merchant I'm going to allows me to pay through PayPal because it is the lower friction transaction. Unfortunately, paypal realized wow, you know, look at all this information that we're getting about the people who use our service. We could be making some extra money by selling that, and so, unless we say no, thank you, that's what they're going to begin doing, though I know our listeners want to know and leo, you should see all the comments in youtube.

0:36:22 - Leo Laporte
Paul reed, I turned it off. Thanks, steve. John regan, I just turned mine off too. Uh, let's see vegita. I received the email today but skipped it until your story. I mean people, thank you, steve is, I guess, the general sentiment, because yeah, who reads those emails? Yep, do you want to take a break? Is that what I sense from you? Yes, oh yeah, I would like to take a break right now. Well, good news, steve, because we have sponsors and they want to tell you about their product. Okay, and, by the way, I just want to tell you we their product. Okay.

And, by the way, I just want to tell you we're not like PayPal. We know nothing about you. We can't know anything about you. This is an RSS feed that goes to an IP address that we don't know who it is, so don't worry about it. We're not ever going to. We couldn't collect that kind of information unless you join the club, and then we don't need to because you're giving us seven bucks a month, right, our sponsors. The reason our sponsors are here is not because we're giving them information about you, but this is the old-fashioned way. They figure you're listening to security. Now you'll probably be interested in our product. That just makes sense, right? Like Melissa, the data quality experts since 1985. I mean, we've been doing this show a long time, but they've been doing that even longer.

Whether you need the full white glove service or just the nuts and bolts, melissa is the best way to keep your data up to date for your enterprise. Melissa's helped over 10,000 businesses worldwide harness accurate data with their industry-leading solutions. In fact, they've processed over $1 trillion with a T addresses, emails, names, phone records. And it's easy to use because Melissa offers integrations and apps in the platforms you're already using the spreadsheet editors like Microsoft 365, google Sheets. Do you use Dynamics 365? You can have Melissa just integrate right into it. S3, stripe, shopify All of this makes it really easy, and it's important to do this because you don't want to send products to the wrong address, you don't want to call a person by the wrong name and it's really easy to ask, and you want to get it at like, right there at the data entry level, whether it's your customer service rep or your customer herself. You want to make sure that your data is clean, is standardized, and you can do it with the popular platforms you're already using. That helps improve ROI. It improves your business efficiency and, yeah, your customers love it, because they don't like to be called Mr when they're Miss right. Elevate the customer experience.

Be sure to check out Melissa's marketplace too. They've got a whole marketplace, on-demand access to premium third-party data which you can use to improve campaign performance, enhance data visualization, drive better business decisions. I mean some of the things you can choose from consumer, property, owner and business contact data by industry, location, job title, 400 other attributes. There's a global address database. Of course. There's a US database, a master list of 200 plus million verified USPS addresses, coverage for more than 40 countries. They've got USPS carrier, route and boundaries, zip code data, parcel boundaries, location data for the US and Canada, and go on and on. The marketplace is big, so you can have the data, additional data, that you need to so you can better serve your customer.

This is good too. You know how, exactly how much it's going to cost. Because Melissa offers transparent pricing for all its services. You don't have to guess when you're estimating your business budget. And because you listen to security. Now I know you're very aware of the whole idea of data security privacy. Melissa's services use secure encryption for all file transfers and an information security ecosystem built on the iso 27001 framework. They adhere to gdpr policies, they maintain sock to compliance. They know this data is valuable and they make sure they keep it safe. Look, this is a great company. They've been doing it for a long time and they can even get you started with 1,000 records cleaned for free right now at melissacom M-E-L-I-S-S-A melissacom. We thank them so much for their support of security. Now, we thank you for supporting us by using that address and going there and that way they know you saw it on Steve's show. Now let's hear about that DDoS record. What was?

0:41:00 - Steve Gibson
the old record, oh baby. Last Friday, cloudflare disclosed that it had broken yet another record in fending off the largest DDoS attack ever seen on the Internet. Though the attack was brief, it lasted only 65 seconds from start to finish. During those 65 seconds, cloudflare's infrastructure was hit by an attack that peaked at 3.8 terabits per second. Whoa, 3.8 trillion bits per second.

0:41:39 - Leo Laporte
so don't be reassured by the briefness of this. That just means they were testing it right.

0:41:45 - Steve Gibson
Yes, and they test the weapon before they pointed at somebody yes, and what was interesting to me because I saw the, the graph of this was how steep the leading and trailing edges were. You know, I've seen a lot of DDoS attacks myself, and generally they sort of ramp up to full steam and then they sort of fade out over time, you know, as the different agents get the news of where they should be attacking. This attack had really surprisingly sharp edges. It came on, went like right at full strength, 3.8 terabits per second. It went for 65 seconds and then it just shut itself down. So to me that was really interesting. Maybe there's a new way these are being staged, where, for example, the the instructions go out to at this time, launch an attack at this target. Yes, now you've got it on screen and that that is a that's an on off switch.

That's incredible really interesting. Yeah, look at that 2.1 billion packets per second.

0:42:59 - Leo Laporte
They're coming from commandeered machines, from routers, I mean, it's not just from one guy's machine, obviously.

0:43:07 - Steve Gibson
That's also interesting here. So I'm definitely oh no, that's not one guy at all.

0:43:15 - Leo Laporte
Yeah.

0:43:15 - Steve Gibson
Because you can't. So the way Cloudflare, the only way Cloudflare is able to fend these off, and it literally the target of the attack was not affected by this, which is astonishing, mind boggling, you have to think, in terms of Cloudflare's ability to absorb the attack. They're literally absorbing it so that none of their conduits are saturated by that packet rate or that bit rate, so that valid traffic to the target of the attack is still able to get through CloudFlare's infrastructure and reach the servers that it's protecting. That's a heck of an ad for CloudFlare. Well, yeah, and in fact I was going to share their disclosure of this. But was it was marketing speak? It was them bragging, it's like okay, well yeah, you know you do.

I. I'm not saying you don't deserve to brag, but I'm not going to read your advertisement. So, um, uh, in the last month, cloudflare which is no stranger to DDoS attacks because it's one of the services they offer has fended off over 100 of these so-called hyper volumetric layer three and four DDoS attacks, many of which exceeded two billion packets per second packets per second. Now, these so-called hyper volumetric layer three and four DDoS attacks have been occurring since the start of September, and their targets have generally been customers in the financial services, the internet and the telecommunications industries, who are hiding their servers behind Cloudflare specifically in order to remain on the air, despite what would otherwise be wire melting attack levels. This recent record breaking 3.8 terabits per second attack broke the previous record, which had been set nearly three years ago, in November of 2021. That attack peaked at 3.47 terabits per second, this one being at 3.8. So you know, we're sort of reaching. You sort of feel like there's a ceiling, maybe that we're beginning to hit, reaching. You sort of feel like there's a ceiling, maybe that we're beginning to hit, and that one, that November 2021 attack was blasting an unnamed Asian-based Microsoft Azure customer, trying to blast them off the net.

The attacks are using UDP packets aimed at a fixed port, and, though there wasn't any reporting about this, it turns out that DNS reflection attacks are like what a lot of these DDoS services are using. The problem is, and that is to say, well, udp packets bouncing off of DNS servers. The reason is DNS servers are one of the most prevalent servers that need to be publicly accessible in order for their services to be offered. So they're out there. So the floods were originating from Vietnam, russia, brazil, spain and the US Vietnam, russia, brazil, spain and the US.

Cloudflare said that the high bitrate attacks likely originate from a large botnet comprising infected Asus home routers that have been exploited using a recently disclosed critical flaw, which is C 2024 3080 and that's got a cvss of 9.8, which, yeah, that's up there according to statistics shared by census. You know that's c-e-n-s-y-s, which is, uh, it's a new internet vulnerability apprising service. It's like Shodan their IPs have reverse DNS that points to their domain, and I'm seeing GRC's network being probed by census all the time. That's how I know it's census is that they're, you know. They identify their probes, identify them, uh, you know.

0:48:00 - Leo Laporte
And they're looking for the, the vulnerability there.

0:48:03 - Steve Gibson
Yes, yeah, exactly in. In, in the same way that the probes that that my own shields up port scanner sends out.

They they have reverse dns set to shields up dot grccom. So people who care know that it's a benign half-open TCP probe, that it doesn't actually connect to anything. Anyway, census said of this 9.8 ASUS flaw, a little over 157,000 ASUS router models were potentially affected by the vulnerability when they did their scan in June, june 21st of this year of 2024. And with a majority of those devices located in the US, hong Kong and China. So DDoS isn't going away. It's not going to go away. It is a you know.

We've spent a lot of time over the years talking about DDoS attacks, the you know why they happen and why they are unblockable. For a long time I was in like in the early days, I was lobbying for ISPs to filter the packets leaving their networks egress filtering, as it's called because we had bots that were spoofing their source IPs in order to cause packets to bounce off of some server and go to the target. And I said, hey, this problem can all be solved if ISPs just won't let these bogus packets that should never originate from within their networks leave their network. Well, that was then. What's happened is now we have these layer three and four attacks, which are very often HTTP queries, uh attacks which are, uh, very often uh http queries. So they're they're not spoofing their ip, because if you've got hundreds of thousands, it's a million asus routers.

0:50:06 - Leo Laporte
Yeah, hey, it's me. What are you talking about doesn't matter, it's so, so it's so.

0:50:10 - Steve Gibson
So now the the packets leaving are valid and they are. They're like making very expensive queries of servers that are heavily script-laden and take a long time to respond. So it's a server CPU exhaustion where they just can't generate that many high-cost pages.

0:50:35 - Leo Laporte
Now you mentioned the abrupt on on and off profile of this attack. Yeah, that's interesting because that means you've got a command and control server that can trigger all of these routers instantly.

0:50:49 - Steve Gibson
Yeah, and that's why I'm thinking maybe they are time synced and the command is on at 3 PM.

0:51:02 - Leo Laporte
Yes, yeah, your site was down briefly this week.

0:51:04 - Steve Gibson
I was wondering if, if you were hit by ddos, or it was just it was. It was, um, it was a sunday morning. It started a little after like about 9 15 and lasted for an hour, and it was a flood attack. And you know, I just, I actually I was working on the podcast and so I just and I said, laurie, we're, you know, grc's down, and she said, oh no, what are you going to do? I said, well, I've got Google Docs open. I'm working on Tuesday's podcast.

0:51:29 - Leo Laporte
The answer is nothing. Steve does not negotiate with terrorists. Just so you know.

0:51:34 - Steve Gibson
Well, and it takes nothing to knock me off the net. I'm not protected, I'm not hiding.

0:51:44 - Leo Laporte
I don't have Cloudflare. Have you thought of becoming a Cloudflare customer? No, you're not mission critical. It's not worth it.

0:51:52 - Steve Gibson
Well, and I'm offering a lot of services for free, and if I start doing things that cost me money, then the whole tradeoff between what I can choose to do and what doesn't make sense begins to change.

0:52:08 - Leo Laporte
So we do have our servers are behind. I'm not going to be specific about what we do, but we are behind DDoS protection. Of course that's one of the things Club Twit pays for. We do have some revenue and so we're able to do that. Does Cloudflare not offer some sort of free tier? I believe they do, but I don't know if it includes DDoS.

0:52:31 - Steve Gibson
So the other thing is that my bandwidth is complex because I'm sending out shields, up packets I've, I've got, uh, I'm using dns in order to do version checking for all of the freeware that's able to check for different versions, um, and it just makes life more complicated. I I believe in keeping it simple where I can and and you know it's. You know we're mostly on the net and when we're not it's not mission critical.

0:52:58 - Leo Laporte
That's what I tell my staff. They say why don't you have generators? Because we're not mission critical. If we're down for an hour or two, no one's gonna die, although, uh, you know, since we closed the studio, I no longer have anywhere to put my server. It used to be running in the studio, so my website, leofm, has been down, as have been the Minecraft servers, and I think what I'm going to do is use Cloudflare Pages to host my website, because then you get all those benefits. It's completely free. You get all those benefits. It's a little tricky to set it up. I've been trying for three months to do it, but as soon as I figure it out, I will do it. Cloudare is pretty impressive service, I have to say.

0:53:37 - Steve Gibson
I will I like them and you know, and uh, I think microsoft has a service, akamai has a service I mean there are, there are a lot of companies that do this, yeah, yeah, yeah.

0:53:46 - Leo Laporte
They have to have a lot of bandwidth, right?

0:53:49 - Steve Gibson
that's well, and so you. So what they have to have is geographic spread. Yes, because that. So the idea is that there are these bots scattered all over the world, which means they're entering yes is high. The local amount of bandwidth is lower than Cloudflare's bandwidth at that location, and that's the key. Is that no part. So Cloudflare is so spread geographically that, even though the total attack is huge, there's no saturation. No point of saturation. There's no saturation, no point of saturation. Cloud Flare's technology allows them to identify and block the attack at all of the different points across its infrastructure before the routing concentrates the attack down to the server where it's being targeted. Perfect, and that's that.

0:54:54 - Leo Laporte
That's why it's often CDNs that do this Key to them.

0:54:57 - Steve Gibson
Yes, exactly, you need a big content delivery network, style protection, and I've got a wire, I've got a 100 base T connection.

0:55:11 - Leo Laporte
GRSI isn't in 30 countries all over the globe and every continent. No, I don't understand why not.

0:55:18 - Steve Gibson
Okay. So, speaking of these ASUS routers, I use an ASUS router for Wi-Fi service at my place with Lori, and even if that router were not safely perched behind a separate PFSense firewall appliance which connects it to the internet, the last thing I would ever do would be to open a publicly accessible remote admin portal or or media server, or file server or any of that nonsense which consumer routers now offer, as you know. Bullet points for themselves.

0:55:58 - Leo Laporte
And a lot of people do it. They put their Plex server on the network or whatever.

0:56:02 - Steve Gibson
Yeah, like some poor clown at LastPass.

0:56:05 - Leo Laporte
Yeah.

0:56:09 - Steve Gibson
So I'm sure that listeners of this podcast have similarly protected themselves, but the census survey reveals that around 157,000 other ASUS owners may not have been so circumspect. So, seeing this story, I checked in with my router, which I hadn't for a while. I don't have automatic updates enabled, although the ASUS allows it, since my network has other security provisions like Galore, but it turned out that when I checked, my router's firmware was a bit behind. It was running version 3.004, and 3.006 was available. Well, that's not too behind. I have no trouble with the router, but updating always makes sense and also having layers of security is always a good thing, so the more the merrier. Since this month of October is National Cybersecurity Awareness Month, let me take this occasion to suggest that everyone listening just take a moment to check their router's firmware to see whether there's an update available beyond what's running now. I'm glad I did, and I would recommend that everybody turn on automatic firmware updating, since that's a feature that is now available in consumer routers and it just makes sense.

0:57:39 - Leo Laporte
Should only have it off if you're Steve Gibson and you know what you're doing.

0:57:45 - Steve Gibson
I would, or, essentially, if you're willing to take responsibility for it being off, and you know what that means, and the idea of having your router updating itself for some reason makes you queasy, and I don't think it should. So we've recently been looking at the growing problem of spoofed identities by remote workers. Week is that more than a dozen blockchain companies have inadvertently hired undercover North Korean IT workers. Because that's what you want in your cryptocurrency companies. Wow, you know. We wonder what is the problem with these blockchain companies? Why can't they get their security right? Well, according to a Coindesk investigation, these companies include well-established blockchain projects such as Injective, ZeroLend, Phantom, SushiSwap, Yearn Finance and Cosmos Hub.

0:58:59 - Leo Laporte
Well-established brand names in the crypto space.

0:59:03 - Steve Gibson
All happily employing North Korean IT workers. Wow, in every case, the workers passed checks using fake IDs and fake job histories. Using fake IDs and fake job histories, and you know, aside from being an obviously bad idea for any cryptocurrency company to allow an agent of a foreign government inside your sensitive organization, it also happens to be completely against the law in the US and any other companies that have North Korea under sanctions, which include you, can't hire anybody who's from North Korea. Wow, I guess that's a consequence of everything going virtual. Unfortunately, you've got virtual employees now and Korean may be their first language. Yikes.

0:59:55 - Leo Laporte
By the way, I wanted to mention this. I know you're very interested in bitcoin. We covered it, you had some and so forth, uh, and there's always been a question about the person who invented it. You did a couple of really good pieces on satoshi on the mathematician or group involved behind it, satoshi nakamoto.

No one knows who that is, or if he's or they are still alive, but I'm very curious. Tonight there will be a documentary coming out on HBO by the same guy who kind of blew the lid off Q Remember the whole Q thing. Colin Hoback is purporting that he knows who Satoshi is and he will reveal it in this documentary on HBO tonight. So I'm very curious what that's going to be and I guess that's where I'll be tonight watching that show. We made some millionaires, yeah, and you know, lately, with the news of this, some of the very earliest Bitcoin wallets have been opened and transferred out, and so there is some thinking that maybe he did come upon the true. I mean, so many people have done this, including Newsweek announced incorrectly who Satoshi Nakamoto was. It could just be another one of those, it could be an Al capone safe or it could be really a big story wasn't there some guy they outed and he kept saying over and over I'm not him, please, I'm not here.

Some poor japanese guy named satoshi newsweek put it on the cover. That was not a good. They never I don't think they ever was it retracted it even. It was just terrible. Anyway, uh, I'll let you know next week what. What I think it's cool.

1:01:41 - Steve Gibson
I will make, I'll make a point of watching it. It might be worth watching. Yeah, yeah this guy.

1:01:45 - Leo Laporte
He absolutely figured out who q was. So, uh, and it was a really good documentary. This one's called money electric the bitcoin mystery nice.

1:01:54 - Steve Gibson
So chris said hi, steve, I'm a long the Bitcoin mystery Nice. So Chris said hi, steve, I'm a longtime listener to security now, but last week I was hiking in the White Mountains. Oh, as I was hiking in the White Mountains, he said it occurred to me that there's one episode of this podcast that literally changed my life, and that was the vitamin D episode. Me too.

I think yeah, and actually many of our listeners have said the same. He said 10 years ago I would listen to podcasts while lying in bed suffering from debilitating back pain. My doctor had prescribed a big bottle of opioids and I was desperate for an alternative. When I heard you and Leo mention vitamin D and your past episode, I went back to the archive and listened to the vitamin D episode, then went to my doctor and made him test me. My vitamin D level was extremely low. I started taking 4,000 IU daily and over the course of a year I threw out the pain meds and started to feel much better. I would likely be bedridden and addicted to painkillers rather than hiking in New Hampshire had I not started taking vitamin D. I think it's been a couple of years since I heard you mention vitamin D on the podcast, so I want to urge you to remind people about that episode and your vitamin D page, in case there's anyone else out there facing a similar situation.

1:03:30 - Leo Laporte
And this would be the place where I would mention that neither Stephen or I are medical doctors and that we, you know, this is, this is not medical advice.

1:03:38 - Steve Gibson
I, yes, I have in the show notes. I should that I I said everyone should keep in mind that I have no formal medical training of any kind. I'm a self-taught health hobbyist.

1:03:48 - Leo Laporte
Which should say something right there. And and Chris's story, while amazing, is purely anecdotal Absolutely. However, the good news is vitamin d as a is not toxic, so at worst, you're throwing money away, right.

1:04:03 - Steve Gibson
Well, it is toxic at extremely high doses. A lot of it you have to take a lot. Yeah, so it was our audio podcast, our all actually it was an audio only podcast leo 209, recorded on August 13th of 2009. And at the time, I had been spending a lot of time researching health and nutrition. I would take something you know, a vitamin or a mineral and read one or more entire books about it, cover to cover, and I have to say that that research, which was done 50 years I'm sorry, done 20 years ago, before I turned 50, it's had a profound effect upon the lives of myself, my family and my friends.

I have no way of knowing whether I would feel as fantastic as I do today if I had not been consuming a wide range of supplemental nutrition for the past 20 years. You know, we'll never know, but I do know that there's still a lot more that I want to accomplish, so I'm going to keep doing what I've been doing since, if nothing else, it certainly doesn't appear to be hurting. However, I know that for many people, consuming lots of supplements may not be practical for a number of reasons. Many dislike taking pills, they can upset stomachs and there's an added cost, of course, above one's normal diet, and for that reason I've been extremely selective, like down to one about I keep begging Steve to tell me what else he knows, but he won't tell me. I've been extremely selective, like down to one about.

1:05:37 - Leo Laporte
I keep begging Steve to tell me what else he knows, but he won't tell me.

1:05:44 - Steve Gibson
So I've been selective about what I shared of my research. I mean, leo, there's just there's some fascinating things, but anyway, I felt compelled to steal an early episode of Security Now to explain what I'd learned about vitamin D. What you will find our listeners who don't already know will find in that podcast is an explanation of the science and the biochemistry of vitamin D, why it's not actually a vitamin and the many reasons why it's so crucial to human health. And, interestingly, this was done in August of 2009. The spring following that podcast so the spring of 2010, I started receiving notes from many of our listeners who separately, individually, reported that for the first time in their lives, they and their family, who had started taking a useful amount of vitamin D, had sailed through the winter months without so much as a sniffle. And years later we saw an example of vitamin D's powerful benefits for our immune system during the world's struggle with COVID-19. Multiple studies revealed and again we know that correlation is not causation, but there was a strong correlation shown between people's vitamin D status and their COVID outcomes.

So, anyway, the reason I chose to talk about vitamin D is that only micrograms of it are required. It's extremely potent, so that means that a useful daily dose of 4,000 to 5,000 IU is delivered in a little tiny, easy-to-swallow capsule of olive oil or, as I like to refer to them, little drops of sunshine. And vitamin D is also very inexpensive About a year's supply is $15. So, anyway, I just thank you, chris, for bringing and putting this back on everyone's map. Again, I'll say I have no formal medical training. I'm just curious about the way my body works and I feel a little guilty that there's so much more I could share. But I am self-confident.

1:08:12 - Leo Laporte
Can we have a little private chat sometime and you can tell me what else I should be doing?

1:08:18 - Steve Gibson
Well, two of my very best friends, my high school buddies, are MDs and they're always saying okay, steve, what should we be taking?

1:08:28 - Leo Laporte
Because, of course, mds are not trained in nutrition. Well, I do C because of you, and mega doses of C. You do more than I do, but I do three grams a day.

1:08:37 - Steve Gibson
Yeah, that's not enough, but it's better than none. It's a lot. Here's an example, leo. There is an enzyme, l-glulano-lactone oxidase. Yes, of course I know, we know the chromosome on the human genome which codes for the creation of that enzyme.

If that enzyme were being created, our livers would be synthesizing, based on our weight, around 20 grams of vitamin D a day. And what? Yes, and here's the other weird thing is all the other animals in the animal kingdom. They make it. Yes, except guinea pigs, some fruit bats and a couple primates that we're very closely related to. But the dogs and cats that people have as pets, all the animals in the zoo, everything is synthesizing their own vitamin C because it's so important. And the other thing is that our liver, our livers, are trying to make it the first five steps of the synthesis process. It's a six step process. They're all present and working, but the lack of that one enzyme causes it to fail, and and and. If you inject that enzyme into someone, they suddenly start producing vitamin d, until the enzyme ends up being being being destroyed over by vitamin c.

1:10:12 - Leo Laporte
Yeah, we're talking about c now. We talked about d now, so so I put I have a liquid vitamin c, that's three grams per capful, and I put in my, that's I mean my beverage. But maybe I'll do a couple of those then it's absolutely.

1:10:25 - Steve Gibson
You think I need 20 grams of I take 10. I take five in the in the morning and five in the evening. Okay, it's water soluble, so it doesn't stay with you, it just goes right.

1:10:34 - Leo Laporte
That's why I do it in here in this, because it's titrated so I'm sipping all day, so I'm kind of a constant flow of C. Because it does it goes right through you, it doesn't.

1:10:44 - Steve Gibson
That is a good thing, yeah, and I know there's lots of people who say, oh, supplements don't do anything, it's just a scam to take your money. It okay, I get it and, as I said, I'll never have any proof that I wouldn't be in the same condition I am in if I hadn't been doing this.

1:11:01 - Leo Laporte
We don't know if you'd be exactly as you are today, having never taken a supplement at all. There's no way of knowing that. By the way, maybe and they're suggesting this you and I can get together, we do this little Friday off the cuff kind of broadcast where we could talk about the other things that you recommend, If we had big disclaimers the problem is I, I would have to spend so much time researching it and getting back up to speed.

1:11:27 - Steve Gibson
I mean, I think the, the, the, the one of the things our listeners like about this podcast is that, you know, I'm deeply researched. I, I spend a lot of time putting it together and, um, may, I may get around to it. I get. I mean, I get around to doing something more.

1:11:44 - Leo Laporte
The invitation's always here, thank you. So you know we have this Fridays. I do kind of oddball thing. I'm going to do coffee again. We did a coffee thing. It was a lot of fun. It cost me huge amounts of money on coffee equipment. Do you want to take a break? Yeah, let's do it. Okay, perfect, and then we will go on and talk about cups, and I am still very interested in the recommendations for the best routers. That'll be something we're going to get there too, of great interest. But before we go much farther, it would be a good time to talk about our sponsor for this section of Security.

Now, threatlocker. That's a great name, isn't it? What does ThreatLocker do? It protects you with a zero-trust solution that's easy to implement. If zero-day exploits and supply chain attacks keep you up at night and lately after listening to Security, now I definitely have a hard time sleeping Tuesday nights. Worry no more. You can harden your security with ThreatLocker, and the companies that do really are happy about it. Companies like JetBlue, for instance, trusts ThreatLocker to secure its data to keep its business operations flying high, unlike some other airlines might have been using a different solution that didn't work so well. Imagine no names.

Imagine taking a proactive this is what's cool about Zero Trust deny by default approach to cybersecurity. That means you're blocking every action, every process, every user, unless explicitly authorized by your team. That's what Zero Trust is all about, and Threadlocker does it. It makes it so easy to do this. It provides a full audit of every action so you can go back and see, for risk management and compliance purposes, exactly what your permissions were. They have a very good, 24-7, us-based support team, so they're there to support your onboarding and, of course, beyond. It really gives you the opportunity to stop the exploitation of applications, even trusted applications, within your organization and keep your business secure and protected from ransomware. I think the first time I heard about Zero Trust was Google, which has embraced this company-wide. This is a really good way to protect yourself.

Organizations across any industry can benefit from ThreatLocker's ring fencing by isolating critical and trusted applications from unintended uses or weaponization, limiting attackers' lateral movement within the network. Threat lockers ring fencing works and we know because it was able to foil a number of attacks that were not stopped by traditional edr. I'll give you an example the 2020 we talked about it several episodes on security. Now the 2020 cyber attack on solar winds, orion right companies that used ring fencing from threat locker it was. The attack was foiled. By the way, threat locker works for max too.

Get unprecedented visibility and control of your cyber security quickly, easily and cost effective. Threat lockers zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. It really works. Get a free 30-day trial. You'll see how easy it is to implement and how powerful it is to protect you. You'll learn more about ThreatLocker, how you can use it to mitigate unknown threats and, by the way, to ensure compliance. Visit ThreatLockercom. That's ThreatLockercom. That's ThreatLockercom. It does exactly what it says it does. Threatlockercom. Security starts and finishes at the endpoint, and zero trust is the way to do it. Threatlockercom Okay. Now, steve, on we go.

1:15:35 - Steve Gibson
Shane Overturf, an IT consultant who listens to the podcast, said Steve, you've already seen this article by Akamai regarding the CUP's vulnerability, but in case oh, he said you've probably already seen, but in case you haven't, I thought it would be of interest to you and he gives me a link. And he said while it's true that most people aren't going to be exposing the port 631 to the Internet, this is the CUP's vulnerability that we talked about last week and I and I can't think of a valid reason to expose it it's apparent that there are a fair number of those who do have it exposed. The Akamai article shows how trivial it is to leverage this vulnerability into a much more serious and widespread attack. He said something you alluded to in the last podcast, so for the devs to dismiss it as not so bad seems to be a dangerous attitude. Looking forward to security now, he says, boldly going where no man has gone before, to 999 and beyond. So I'm glad that Shane brought this to my attention Last week. I did note in passing that a handful of other security researchers had also examined the CUP's vulnerability, but I did not bother to dig into them. Akamai's findings are a bit chilling because they note that the presence of the CUPS browse service, which is the thing that listens on port 631, allows it to be used in amplifying reflection attacks. They gave their write-up the title when CUPS Runneth Over the Th threat of DDoS, akamai wrote.

Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service attacks. Research shows that to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with Internet connectivity. The Akamai Security Intelligence and Response Team, sirt, found that more than 198,000 devices, so just shy of 200,000 devices, are vulnerable to this attack vector and are accessible on the public Internet. Roughly one-third of those 34% of those could be used for DDoS abuse. They said 58,000 plus. Of the 58,000 plus vulnerable devices, hundreds exhibited an infinite loop of requests. The limited resources required to initiate a successful attack highlights the danger. It would take an attacker mere seconds to co-opt every vulnerable CUP's service currently exposed on the Internet and cost the attacker less than a single US cent on modern hyperscale platforms. While reviewing the technical write-up about the vulnerabilities, we discovered that another attack vector was not discussed DDoS.

Ddos continues to be a viable attack vector used to harass and disrupt victims across the Internet, from major industries and governments to small content creators, online shops and gamers. Although the original analysis focused on the RCE, the remote code execution, which could have a more severe outcome, ddos amplification is also easily abused. In this case, the problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added. For each single packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources. We should note that many of these identified machines were running get this on very old versions of CUPS, such as version 1.3, which was initially released in 2007.

Some organizations to leave machines running on extremely outdated hardware and software, and it is unlikely that such devices will be updated anytime soon. This presents a prime opportunity for malicious threat actors. They can take advantage of the outdated hardware for DDoS amplification or, given the RCE in this scenario, build botnets for many purposes, including DDoS amplification. Or, given the RCE in this scenario, build botnets for many purposes, including DDoS. So yes, as we say, vulnerabilities and exploits never get worse, they only ever get better.

Oh, and to the issue of consumer routers, a listener who requested anonymity wrote Hello Steve, I've been listening to your show for a few years thanks to the recommendations of my former co-worker.

I am following more than I could at first and think I catch the general gist but still miss significant bits of the technical know-how. But still miss significant bits of the technical know-how. Could you please recommend what is the most secure out-of-the-box residential router for non-technical folks, please? I want to replace my parents' router for multiple reasons, primarily since I can no longer access the online admin portal to update the firmware, which is HTTP, and concerns about TP-Link on the back end. I've heard suggestions such as use PFSense, but I've also heard that it would be easy to misconfigure something. I'm in a non-technical role and I might be able to follow a YouTube video potentially, but I'm concerned about missing configurations. Would greatly appreciate it if you or the community could please recommend a budget-friendly residential router that is secure by default without needing end user configuration. Thank you, and then she finished. I'd appreciate not having my name mentioned on the show.

1:22:22 - Leo Laporte
I think that's really a great question because you're a sophisticated user, you can run PFSense and maybe many of our audience members are, but I think it's. For instance, people say why don't you host your own password vault and I'm not an expert on this, bitwarden is. I let Bitwarden do it and I think it's even though it's not trust no one, it's safer to do that. If I wish I had your skills, but I don't. So it's appropriate, I think, for somebody to say well, what's a safe, effective solution that doesn't require a lot of tweaking and fiddling and knowledge.

1:23:00 - Steve Gibson
Right, and that's exactly the case. And I liked this listener's question because I believe that today's mainstream consumer routers are all going to be secure by default. That's good news and, you know, after enabling automatic firmware updates, which today's routers have, that will keep themselves updated in the event of anything significant happening. Now, having said that, disabling UPnP and WPS, which are the two things that are generally enabled by default, that's a good idea too. But my point here is that consumers primarily get into trouble when they enable the additional extra fancy features that are being promoted to sell these routers today. You know things like remote WAN side admin or any sort of internet accessible media file or other types of servers, a media server, a file server or anything like that. We've seen over and over and over there is no safe and secure way to do any of that. There are secure ways to accomplish those things, but they're more complex. They're more complex because more complexity is required to do those things securely. So in other words, don't do them at all unless you're going to do them the right way. Don't just flip a switch in your router to turn that stuff on. That's where you get into trouble. So you know, in this case, our listeners' parents who she's getting this router for. They don't need any of that crap. They need a NAT router and you know NAT is secure unless you do something to make it insecure. Unfortunately, upnp can make it insecure and WPS can make it insecure. They just need a generic Soho, you know, small office home office NAT router.

I'm partial to Asus and I don't think I'd look any further than that, since something in Asus's line would likely be a good match. You know, I just looked at Amazon last night because I was curious. There's a nice looking Asus Wi-Fi router for $66. You know. So that's definitely budget friendly and the Asus firmware supports disabling WPS and UPnP. It offers isolated Wi-Fi guest networks so that you can put your guests and your IoT devices on a network isolated from the rest of the intranet. Also a listener of ours, michael Horowitz, maintains a terrific website over at routerurityorg. All just one word R-O-U-T-E-R-S-E-C-U-R-I-T-E I'm sorry I-T-Y RouterSecurityorg, and I recommend Michael's site without reservation for any additional router security research someone want to do.

1:26:33 - Leo Laporte
To his short list. I think this is exactly what I've recommended for years. Yep, I used to have a five-step thing I did on the radio show and this you know before you use any wireless router, change the password, the administrative password, change the default SSID, turn on WPA2 encryption, as you said, turn off WPS and turn off UPnP, and you're pretty good right there. He has some other things to do, but like look for port forwarding and make sure that that's not turned on and of course-.

But again, it won't be by default Right right, and I do think that that recommendation that we make nowadays, which is turn on auto updates and make sure it's doing that, has become more and more important. Stacey Higginbotham, for a long time our IoT expert, said don't buy any IoT device that will not automatically wirelessly update, because you're going to need updates. There is no device that's perfect, and if you turn those updates, if it has the updates in the first place and you turn them on um, that's a.

1:27:39 - Steve Gibson
That's pretty good, you agree I think that's right and so. So I guess the main thing I wanted to say was that that when you know we talked about that, the the asus a 9.8 uh cvss problem, well, that was because somebody turned on one of those extra features. That's where you get into trouble. An out-of-the-box ASUS router is a strong NAT router. It's going to be fine.

1:28:10 - Leo Laporte
And if you turn on automatic updates, you wouldn't have had that problem either. Right, right, that would automatically fix it. The other thing I love about Asus is they use their own customized version of DDWRT, which is an open source router firmware. You can put DDWRT on your Asus router as well, and that's nice because, again, open source means there are a lot of eyes looking at it, a lot of people working at it and a lot of fixes out there. Yeah, I agree with you on Asus. We use Ubiquiti. We've always used Ubiquiti as a kind of a prosumer home system here.

1:28:42 - Steve Gibson
Yeah, michael, likes Pep something, but it's like a $300 router and he thinks it's more secure. Synology makes excellent routers too, by the way. Yes, Synology's got some nice routers if you want to pay them I honestly.

1:29:01 - Leo Laporte
All the good routers, including asus now, are well over 200 dollars. 300 is not an unusual amount of money used to be. You could buy a 59 links this router. That route is pretty much shut down, as it should well, and the reason is they've generated a lot of them.

1:29:16 - Steve Gibson
Are all these fancy gaming things?

1:29:18 - Leo Laporte
and they've got quality of service. 18 antennas.

1:29:21 - Steve Gibson
And yeah, I just think there's a lot of stuff you're paying for that most people don't need, and I would say that our listeners' parents who just need something for their home. I'd spend 66 bucks for that bottom of the barrel.

1:29:39 - Leo Laporte
Asus. Does Asus have a $66 router? Yeah, that's good to know. The other thing, I would add we often come across this on the Tech Guy is that larger installations, bigger homes, mesh systems are often a good way to go, and Eero makes a very good, very easy toto-use mesh system with excellent security as well. So if you do need more, sometimes a single ASUS in the middle of the house isn't enough to get to the corners.

1:30:04 - Steve Gibson
And what do they call it? Ai mesh? Asus has a whole, a very mature mesh technology.

1:30:10 - Leo Laporte
Actually, that wouldn't be bad either. I haven't tried them, but I'm sure it's good. Asus is good.

1:30:15 - Steve Gibson
Okay, we're at our main topic uBlock Origin and Manifest v3. Why don't we take our last break and then we will do this unbroken.

1:30:26 - Leo Laporte
Which was the name of Kevin Rose's as you may remember, kevin Rose's hacker podcast for a long time the Unbroken. So the Unbroken returns in just a moment. But first a word from our sponsor for this segment of Security, now Flashpoint. There is a. You know, it's really interesting. There is kind of a common thread running through most of our sponsors they want you to be secure and, honestly, it's not a surprise for security leaders.

This has been a year like no other. All you had to do is listen to security now to realize that cyber threats, physical security concerns continue to increase. And now we've got geopolitical instability, wars adding a new layer of risk and uncertainty, plus a major presidential election coming up in a month. I mean, we're in crazy times. Let's just talk some numbers here. Last year, there was a staggering 84% rise in ransomware attacks. Let me say that again. Last year ransomware went up 84%. That's almost double A 34% jump in data breaches. And you know both of those could kill your company trillions of dollars in financial losses and threats to safety worldwide.

So what is this flashpoint? Well, flashpoint empowers organizations to make mission critical decisions that will keep their people and assets safe. Governments have this. It's called intelligence right Governments have intelligence agencies going out there figuring out what's going on. Your company needs an intelligence source that will tell you what's going on. By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite Flashpoint's award-winning threat intelligence platform, you get access to the critical data you need finished intelligence, alerts, even analytics, all in one place. You can maximize your existing security investments by knowing ahead of time what you need to do. Some Flashpoint customers have avoided half a billion dollars in fraud loss annually and have a 482% ROI in six months. Flashpoint is the intelligence you need to act intelligently. Flashpoint earned Frost and Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence.

One SVP of a law. I can't tell you the name of the big financial institution in the US. He's the SVP of cyber operations. I can't tell you the name of the big financial institution in the US. He's the SVP of cyber operations. But this is a direct quote. Flashpoint saves us over $80 million in fraud losses every year. It pays for itself. Their proactive approach and sharp insights are crucial in keeping our financial institutions secure. They're not just a solution. They are a strategic partner helping us stay ahead of cyber threats.

You need this information. You need this intelligence. It's no wonder Flashpoint is trusted not just by mission-critical businesses but by governments worldwide. It's that good. So find out more about the industry's best threat data and intelligence. Visit flashpointio today. Remember the name Flashpoint? Go to the website flashpointio. This is what you need to stay safe in the modern world. It's great you're listening to Security Now. I think we go a long way towards providing you the information you need, but your company needs even more, and that's why you go to Flashpointio. We thank them so much for support. They're believers in Steve, believe me. They believe in what Steve's up to and you support us, by the way, by going to that address and taking a look. Flashpointio dot I o. So this is a subject I've been very interested in for some time, because google's move towards manifest v3 seems to be very self-serving and maybe enough for me to abandon using chrome well.

1:34:30 - Steve Gibson
we talked about it before and it is the case that it's more secure, but it comes at the cost of neutering features of the add-ons that many of us have come to rely on A beneficent side effect. One might say it's been several years since we talked about this. You know the web browser content blocker that's heavily favored by the Internet's more tech savvy users. It's what many of the listeners to this podcast and you and I, leo, are using. I have it installed everywhere possible and I've often commented when I see unfiltered websites like other people are using a browser.

I can't imagine, I mean like stuff's jumping up and down and yeah, things are popping up and sliding across the screen and I just I cannot imagine not having you block origin, filtering the mess that the Internet has become.

1:35:40 - Leo Laporte
I mean, we're ad supported. I'm not against ads Ads are vital to the ecosystem but there's ads and then there's ads, and some of this is security the little monkeys jumping up and down with barbells. It's crazy.

1:35:56 - Steve Gibson
So, unfortunately, web browsers are gradually tightening the screws on the freedoms that add-on extensions such as uBlock Origin have traditionally enjoyed and upon which they depend. The Chrome browser's eventual shift from manifest V2, version 2, to version 3 promises to make life much more difficult, if not impossible, for add-ons like uBlock Origin. Mozilla and uBlock Origin the recent trouble between Mozilla and Gorehill in a minute where some 7 million installations of uBlock Origin are currently installed. But let's first look at what's going on with uBlock Origin and the future of the Chrome browser, which has around 37 million installations. The NeoWin site recently published a nice summary with the background titled Ublock Origin Developer Recommends Switching to Ublock Lite as Chrome Flags the Extension. So NeoWin wrote. Google recently released Chrome 127 into the stable channel and the update caused some commotion among certain customers. Those using the uBlock Origin extension, one of the most popular and well-received ad blockers, noticed that the browser now flags the extension with the following message. It says uBlock Origin. This extension may soon no longer be supported. Remove or replace it with similar extensions from the Chrome Web Store. Replace it with similar extensions from the Chrome Web Store, they wrote.

Makers of the uBlock Origin extension meaning Gorehill published an article on GitHub that explained why Google Chrome claims uBlock Origin quote may soon no longer be supported. Unquote. Long story short, they wrote. The message appears due to Google's plans to deprecate Manifest V2-based extensions in favor of Manifest V3. For those unfamiliar, they said Manifest is a set of rules that defines how extensions integrate into browsers and interact with their web pages. Migration from Manifest v2 to v3 has been long in the making. It faced tremendous criticism from users and developers, forcing Google to delay its plans and implement various changes to address the complaints.

Despite multiple changes, manifest V3 still imposes significant limitations on browser extensions, especially content blockers. There is no Manifest V3-based uBlock origin, so the developer recommends uBlock Origin Lite, a pared-down manifest V3 compliant version of the extension. Like uBlock Origin, ublock Origin Lite prioritizes reliability and efficiency, but it has to compromise some features that are now impossible under Manifest V3. There's a dedicated web page that describes the difference between uBlock Origin and uBlock Origin Lite. Since the switch to Manifest V3 cripples the extension quite a lot, the developer does not plan to implement an automatic upgrade in the Chrome Web Store.

Basically, these are separate products. It doesn't make any sense for uBlock Origin the full version to upgrade to the Lite version. Gore Hill's not going to do that. Therefore, users can either stick to it until the bitter end or they write look for manifest V3. Compliant alternatives, such as uBlock Origin will not be automatically replaced by Manifest V3. Ublock Origin Lite. Ublock Origin Lite is too different from uB-block origin according to your own prerogatives. Ultimately, whether U-block origin light is an acceptable alternative to U-block origin is up to you. It's not a choice that will be made for you and we have to say that's sort of a refreshing approach right After we saw Kasparov.

Yes, thank you.

1:41:46 - Leo Laporte
Not Kasparov Kaspersky.

1:41:47 - Steve Gibson
Kaspersky or Kaspersky After we saw Kaspersky just automatically give people a replacement and surprise them thinking that their computers have been infected with malware you like this.

That's right. Anyway, neowind's coverage finishes saying according to the most recent announcement, google plans to finish the migration to manifest V3 by the end of this year, 2024. However, they said, enterprise customers will have the ability to continue using manifest V2, the ones we want extensions for an additional six months. Interestingly, mozilla, the only mainstream browser maker that does not use Chromium I suppose that's true if you ignore Apple browsers, they wrote, does not plan to ditch manifest V2 extensions. In other words, we can stay with what we want. On Firefox, they said. Therefore, ublock Origin will continue working in Firefox and other browsers that do not deprecate V2 extensions. Ok, so, although Chrome is reported to already be deprecating manifest V2 in favor of V3. I just checked and my Chrome is running the full Ublock origin without any complaint. But that night that might not last long, since Google has said it will be finished with this migration three months from now. In Google's own manifest V2 support timeline document, which I tracked down, they wrote on June 3rd of this year, 2024, the manifest V2 phase out begins. V2 phase out begins, they said, starting on june 3rd, which was the date of this announcement on the chrome beta dev and canary channels, if users still have manifest v2 extensions installed. Some will start to see a warning banner when visiting their extension management page. Okay, and everybody can do that. Now Anybody with Chrome go, put up in the URL, put Chrome colon forward slash, forward slash extensions. That informs them that some manifest V2 extensions they have installed will soon no longer be supported. At the same time, extensions with the featured badge that are still using manifest v2 will lose their badge.

So, reading that, I fired up my Chrome which I don't normally have running any longer and went over to Chrome colon slash slash extensions. And sure enough, there it was. Chrome colon slash slash extensions. And sure enough, there it was For uBlock Origin. It said this extension may soon no longer be supported. Remove or replace it with similar extensions, and then a link to the Chrome Web Store and also down below, where it specifically shows the u-block origin little red shield icon and there there's a link to find alternative. Okay, I didn't do any of that and I'll tell you why in a second.

So, um, google said this will be followed gradually in the coming months by the disabling of those extensions. Users will be directed to the Chrome Web Store where they will be recommended manifest V3 alternatives for their disabled extension. For a short time, after the extensions are disabled, users will still be able to turn their manifest V2 extensions back on, but over time that toggle will go away as well. So they're trying to softly force everyone off of V2 extensions but eventually, like by turning them off, then you can go back and turn on if you want to. Then they'll turn it off again, so you can fight with Chrome that way for a while. And they said like any big launches, all these changes will begin in pre-stable channel builds of Chrome, first, beta, dev and canary. These changes will be rolled out over the coming months to Chrome stable, with the goal of completing the transition by the beginning of next year, meaning 2025.

And that timeline document ended with a statement enterprises using the extension manifest V2 availability policy will be exempt from any browser changes until June of 2025. Well, that I thought was interesting. What's this extension manifest V2 availability policy and where can I get one? So I tracked that down. It applies to Windows, mac and Linux builds of Chrome, the desktop versions. Google's description for the policy. Google's, you know the maker of Chrome. Their description of the policy is quote control if manifest V2 extensions can be used by browser, which sounds like exactly what we want. So the details are. They said under the description of this policy manifest V2 extensions support will be deprecated and all extensions need to be migrated to V3 in the future. More information and the timeline of the migration can be found at blah blah blah me found at blah blah blah.

If the policy is set to default or not set, v2 extensions loaded are decided by browser following the timeline above Not quite well written, but fine. If the policy is set to disable that's setting number one V2 extension installations are blocked, existing ones are disabled. The option is going to be treated the same as if the policy is not set after V2 support is turned off by default, meaning you could do it now if for some reason, you wanted to or if your corporation did it to you or something. If the policy is set to enable that setting to V2 extensions are allowed, the option is going to be treated the same as if the policy is not set before V2 support is turned off by default. In other words, you get to keep them. Then they said extensions availability are still controlled by other policies. So we have zero is the default, one is they're disabled, two is they're enabled. And three is that they're enabled for forced extensions only. Chrome's forced extensions, as a reminder, are those that are installed by enterprise policy. They're installed silently, without user interaction, bypassing the normal installation process, and they're not removable by users. So setting this to two sounds like exactly what we want. Sounds like exactly what we want that gives any savvy Chrome user an additional six months of access to their current V2 extensions, not just uBlock Origin, but anything else that you might want which is sensitive to this V2, v3 switchover to this V2, v3 switchover For Windows systems.

This policy can be applied by adding a 32-bit DWORD value to the Windows registry. It can be done by hand or by executing a reg registry file, and you know this is coming right. To make this as easy and foolproof as possible for our listeners, I've created a grc shortcut which will allow you to instantly obtain a three-line, very simple registry file from me. So the shortcut is grcsc slash v2, grcsc slashv2. Grcscv2. That will offer your browser a file to download named v2extensionreg. You can open it in a text editor to verify its contents or to get, if you want to do it by hand, which you're certainly welcome to to get the exact spelling of everything, because that's got to be exactly right. Either way, you can double click on the file to execute it. Since the file has come to you from the Internet, it will carry the mark of the web, which will cause Windows to scrutinize it further, which will cause Windows to scrutinize it further. And since reg files are just text files, I cannot digitally sign that, so I was unable to give it GRC's blessing. So Windows will inform you that the source of the file cannot be verified and ask if you're sure. Once you say yeah, it's okay I know that guy you'll get another pop-up, this time from the registry editor, explaining that running reg files can mess things up and that you should only proceed if you know and trust the source of the file and you're sure you want to continue. If you click yes, your system will have added a policy to Chrome instructing it to continue allowing manifest V2 extensions to run without harassment until next summer.

A cool thing you can do either before or after actually, it'd be fun to do it both is there's a different URL you can put into Chrome, chrome//policy. That will show you any policies that are set in Chrome. I didn't have any before After I ran this registry tweak. Sure enough, there it displayed the policy that was in place, and when I went back to Chrome colon extensions, that warning message about uBlock origin was gone. So Chrome was no longer nervous about me running a V2 extension. And now I get to keep uBlock origin for Chrome Not that I use Chrome very much, but sometimes I do. I get to keep it all, uh, until june of 2025. Yep, and there that is the, the. Are you sure you want to do it?

1:52:53 - Leo Laporte
good, so now I'm safe on windows.

1:52:57 - Steve Gibson
Yep, not so much anywhere else, but no uh, the the same policy is available on mac and linux. Uh, there, they call it a preference and I didn't track down how to set a Chrome browser preference, but it is available on all of the desktop platforms.

1:53:14 - Leo Laporte
Good to know. Thank you, Steve.

1:53:16 - Steve Gibson
That's great, okay. So this brings us back to the question what features does V2-compatible U-block origin sacrifice in the transition to V3-compatible U-block origin light? Because after June of 2025, chrome and all Chromium-based browsers—.

1:53:42 - Leo Laporte
Well, that's the question Do they all have to do it? Like does Brave have to do it? Like does brave have to do it? Does so arc have to do it?

1:53:48 - Steve Gibson
I mean it looks like. It looks like edge is going to be uh, terminating v2 support. Brave I I have learned from one of our listeners appears to be willing to go to some effort to continue with v2 support so I think we'll be a little bit on anyway, pins and needle.

Well, yeah, maybe I mean I it's. I mean, it is pretty core to the chromium architecture. Um, it may be that they're not going to rip out v2, they're just going to, like in chrome, they'll shut it down but leave it there, so Brave may be able to turn it back on. It's just we don't know at this point. Okay, so the questions are what's happening? The uBlock Origin Lite GitHub repository has an FAQ page which answers this question in some detail and actually with lots of technical jargon.

Wikipedia actually offers a more accessible summary. So here's what Wikipedia says. They said in 2023, google made changes known as Manifest V3 to the Web Request API used by ad blocking and privacy extensions to block and modify network connections. Following Google's implementation of Manifest V3 and the end of support for V2, ublock Origin's effectiveness is drastically reduced in Google Chrome and other Chromium-based browsers. Reduced in Google Chrome and other Chromium-based browsers. Okay, and I'll just interject. While this sounds bad and is this is not any failing in uBlock Origin, it's true universally for all content control add-ons under MV3. This is why Google has been met with significant pushback and why, for example, the EFF is apoplectic. Anyway, wikimedia elaborates. They wrote as a result, ublock Origin Lite was created and designed to comply with manifest V3 extension framework.

Ublock Origin Lite differs significantly from Ublock Origin in several key aspects, primarily due to the constraints and design goals associated with MV3. Specifically, it lacks filter list updates outside of extension updates and has no custom filters, strict blocked pages per site switches or dynamic filtering. Non-chromium browsers, they wrote, such as Firefox, are unaffected. Google has been criticized for implementing some of these features due to its dominance in the online advertising market. Gore Hill's FAQ page for uBlock Origin Lite asks and answers this question Question If I install uBlock Origin Lite, will I see a difference from uBlock Origin? And his answer maybe, maybe not. Depends on websites you visit, how you configured uBlock Origin and how you configured uBlock Origin Lite, and he says in short, only you can tell.

He says it's very possible that the sites you visit do not require any of the filtering capabilities specific to uBlock Origin, while these occur by default in uBlock Origin. In uBlock Origin Lite you will have to raise the blocking mode to either optimal or complete to benefit from cosmetic filtering and scriptlet injection. Furthermore, ublock Origin Lite requires the default mode to be optimal or complete for some advanced filtering capabilities to take effect, while they're enabled by default in uBlock Origin. In general, ublock Origin Lite will be less effective at dealing with websites using anti-content blocking or minimizing website breakage.

Okay, so it doesn't sound like the end of the world for uBlock Origin Lite on Chrome, which Chrome users will at least be able to delay using now, using this policy change until June of 2025. So that's the story with Chrome and all the closely related Chromium-based web browsers. The great news for the 7 million of us who are currently using the full uBlock origin on Firefox is that Mozilla has officially stated that they have no plans to remove support for Manifest V2 from Firefox. And, leo, as you said, you know that's going to put some pressure, I think, on people who really do care about controlling their internet browsing experience.

1:59:23 - Leo Laporte
They should have been using Chrome all, I mean Firefox all along. Anyway, in my opinion, yes.

1:59:27 - Steve Gibson
Agreed, yeah. So the good news is Mozilla has no plans to do the same for Firefox, Okay. However, uBlock Origin is so popular and well-known that a recent kerfuffle between Mozilla and Gorehill regarding uBlock Origin Lite received a great deal of attention online. There's a bunch of tech coverage of it in the tech press. A bunch of our listeners said, hey, what's this about? Can you figure this out? Okay, so you may be thinking did I say Mozilla and uBlock Origin Lite? And if so, why is there a Lite edition of uBlock Origin on Firefox, when Mozilla has said that Firefox's support for Manifest V2 is safe and will never be removed? The reason is that Gore Hill just wanted to release the same add-on feature set for Firefox and Manifest V3 that he had created for Chrome. He wanted to have a uBlock Origin Lite available for both major web browser platforms.

A little over a month ago, Gorhill posted to GitHub that he had received two emails from Mozilla add-ons add-onsmozillaorg, also known as AMO, the abbreviation of that domain, add-onsmozillaorg and he posted the entire content of the emails that he'd received. Posted the entire content of the emails that he'd received. Mozilla add-ons wrote Hello, your extension, uBlock Origin Lite, was manually reviewed by the Mozilla add-ons team in an assessment, performed on our own initiative, of content that was submitted to Mozilla add-ons. Our review found that your content violates the following Mozilla policy or policies. First, consent Specifically non-existent For add-ons that collect or transmit user data.

The user must be informed and provided with a clear and easy way to control this data collection. The control mechanism must be shown at first run of the add-on. The control should contain a choice accompanied by the data collection summary, Depending on the type of data being collected. The choice to send cannot be enabled by default. If data collection starts or changes in an add-on update or the consent and control is introduced in an update, it must be re-shown to all new and update upgrading users for the exact requirements referred to, and then they have a URL for an example of how to provide a consent or control dialog C and another URL. Also, if your add-on is listed on add-onsmozillaorg, the listing needs to include a privacy policy and a summary of the data collection should be mentioned in the add-on description.

2:02:37 - Leo Laporte
You can't blame Mozilla for saying that right. I mean Right, yeah, absolutely, but Gore. Hill probably doesn't want to do that. Well, yes, and so Hill probably doesn't want to do that?

2:02:46 - Steve Gibson
Well, yes, and so point number two they wrote sources. Specifically, sources or instructions are missing. They wrote your add-on contains minified, concatenated or otherwise machine-generated code, concatenated or otherwise machine generated code. You need to provide the original sources, together with instructions on how to generate the exact same code used in the add-on. Source code must be provided as an archive and uploaded. Blah, blah, blah, blah, blah. Okay, and this refers to a bazillion affected versions. It's got, he's got, like I can't even count, like I don't know, like a huge number of affected versions.

2:03:32 - Leo Laporte
Well, that's reasonable too, because there's hidden code in there.

2:03:40 - Steve Gibson
Completely reasonable email listed exactly the same add-on policy failures, none of which applied to uBlock Origin Lite or uBlock Origin for that effect. But that one only showed the oldest of the versions and gave him 14 days to cure the problem. 14 days to cure the problem. The other ones immediately yanked. All of those previous ones, including the most recent one from the add-ons site, the Mozilla add-ons. Gore Hill predictably wrote in the thread. He said, contrary to what these emails suggest, the source code files highlighted in the email have nothing to do with data collection. There is no such thing anywhere in uBlock OriginLite. There is no minified code in uBlock Origin Lite and certainly none in the supposed faulty files. There is a privacy policy link in uBlock Origin Lite's add-on page, meaning these manually reviewed emails were 100% bogus. Were 100 bogus? No like, whoever did this couldn't have actually looked at what was being supplied. They probably assume that every add-on now is doing data collection, and so when they saw that this thing didn't pop up a data collection notification they said oh, it's missing.

2:05:28 - Leo Laporte
Well, it doesn't collect any data. No, whatsoever, zero.

2:05:33 - Steve Gibson
All right, that's not what you block origin does, right? I mean, he's old school, he's, you know, he's one of us said you're collecting data, if I mean.

2:05:44 - Leo Laporte
I wonder if some of the activities of an ad blocker kind of imply that maybe you have to look at this. For instance, you might have to look at the site somebody's visiting to know what extension to enable or there may be. It may be that, in fact, the extension sees the sites that you're visiting, in which case there is a theoretical possibility of data collection right.

2:06:11 - Steve Gibson
Well, that's why he provides the source. Now and we've talked about this Firefox requires that you provide the full source, no minification and instructions on how to build it from scratch, so that it's like yeah, I mean, they've done everything right. Unfortunately, they've accused Gore Hill of using minified code, no ability to build it and data collection, none of which is true. So he doesn't do any of that.

2:06:41 - Leo Laporte
Doesn't do any of that. He doesn't minify code. No, oh, so this was some automated thing that didn't know what the hell I was talking about.

2:06:49 - Steve Gibson
It was completely bogus it was and completely bogus. And the problem is you don't give bogus not to gore hill, to gore hill no, no. So he responds. I don't have the time or motivation to spend time on this nonsense, so I will let amo do whatever they want with ublock origin. Light lord, I will probably publish a self-hosted version which auto updates like how dev build of ublock origin is self-hosted, when I find the time to arrange all that. Okay, so that was his first posting. The following day, on September 5th, someone with the handle Rob W posted in this discussion thread over on GitHub. He said at Gorehill, the review decision looks inaccurate to me. He said at Gore Hill, the review decision looks inaccurate to me. Could you reply to the email to let the original reviewers know that the assessment is inaccurate? What you wrote above in the comment is sufficient. Gore Hill did not reply to that in the thread, but nearly two weeks later.

2:08:02 - Leo Laporte
I don't know who Raymond Hill is. I don't know who Raymond Hill is. I see him as something like Ted Kaczynski in a shack somewhere with a really long beard. Like I said, if.

2:08:13 - Steve Gibson
Dvorak wrote code.

2:08:15 - Leo Laporte
This would be it.

2:08:17 - Steve Gibson
What are?

2:08:18 - Leo Laporte
you talking about. God bless him and we are very grateful and you know I don't blame him for not wanting to engage in bureaucratic back and forth.

2:08:27 - Steve Gibson
That's just exactly it. So two weeks go by and on September 18th, gore Hill posted, starting with Ublock Origin Lite, and it was 2024.9.12.1004. The Firefox version of the extension will be self-hosted and can be installed from the release section. The extension will auto-update when a newer version is available. And then, on September 26th, gore Hill posted that he had changed his mind. He wrote the Firefox version of uBlock Origin Lite will cease to exist.

I am dropping support because of the added burden of dealing with AMOs nonsensical and hostile review process. However trivial this may look to an outsider, it's a burden I don't want to take on, since the burden is on me. I make the decision whether I can take it on or not. It's not something up for discussion, he said.

The burden is that, even as a self-hosted extension, it fails to pass review at submission time, which leads to it having to wait an arbitrary amount of time. To wait an arbitrary amount of time where time is an important factor, when all the filtering rules must be packaged into the extension. And once I finally receive a notification that the review cleared, I have to manually download the extension's file, rename it, then upload it to GitHub, then manually patch the update URL to point to the new version, it took five days after I submitted version 2004.9.12.1004 to finally be notified that the version was approved for self-hosting. As of writing, version 2004.9.22.986 has still not been approved. However often I look at all this, every time I can only conclude the feedback from Mozilla add-ons team to have been nonsensical and hostile and, as a matter of principle, I won't partake in this nonsensical and hostile and, as a matter of principle, I won't partake in this nonsensical and hostile review process.

2:10:52 - Leo Laporte
I can't say I blame him.

2:10:54 - Steve Gibson
It only takes a few seconds to see how this is nonsensical. Keep in mind that this quote was manually reviewed by the Mozilla add-ons team unquote. And then he says quote was manually reviewed by the Mozilla add-ons team unquote. And then he says quote. He quotes them for add-ons that collect or transmit user data. The user must be informed and provided with a clear and easy way to control this data collection. And then he says where is the data collection in this file? And he provides the URL to the JavaScript of his code. Then he quotes them again.

Your add-on contains minified, concatenated or otherwise machine-generated code. Then he says again where is the minification in these files? And then he gives us four URLs to the open source JavaScript of his code. Then he quotes them again. Also, if your add-on is listed on add-onsmozillaorg, the listing needs to include a privacy policy and a summary of the data collection should be mentioned in the add-on description. And he said right, it's always been there, since the first version published on AMO more than a year ago. And then he gives us the URL and he said incidentally, all the files reported as having issues are exactly the same files being used in uBlock Origin for years and have been used in uBlock Origin Lite as well for over a year with no modification. Given this, it's worrisome what could happen to uBlock Origin in the future, given it uses the exact same files.

He says steps taken by Mozilla add-ons team as a result of the nonsensical issues was to disable all versions of uBlock Origin Lite except for the oldest version, first published by AMO on August of 2023. That oldest version is also reported as having the same issues and was set to be disabled by Mozilla add-ons team unless the issues were addressed. He said. Based on that finding those versions of your extension will be disabled in 14 days. So, he wrote, I disabled this version myself to prevent new users from ending up with a severely outdated version of the extension, to avoid a subpar first experience of uBlock Origin Lite. So, essentially, he says it was deemed that all versions of uBlock Origin Lite were having issues, but instead of disabling all of them except the most recent one, they disabled all of them except the oldest one.

This is hostile, considering that whoever installed uBlock Origin Lite at that point would be installing a version of uBlock Origin Lite with severely outdated filter lists along with an outdated code base. He said many issues were fixed in the code base since August 2023. I'm unable to attribute good faith to both the nonsensical review feedback and the steps taken as a result of this nonsensical review feedback, and I am unable to take on the added burden of having to deal with nonsense. This is unfortunate because, despite uBlock Origin Lite being more limited than uBlock Origin, there were people who preferred the Lite approach of uBlock Origin Lite, which was designed from the ground up to be an efficient, suspendable extension, thus a good match for Firefox on Android. From this point on, there will no longer be a package published in the release section for firefox, except for the release one you block origin light. 2024 922 986 if and when it's approved. So then, raymond apparently received some additional non-sympathetic feedback.

Oh boy, about his, uh, about his decision to completely drop Ublock Origin Lite from Firefox, since he finally posted on October 1st last Tuesday Looks like the sentence. However trivial this may look to an outsider, it's a burden I don't want to take on is lost on many who want to have an opinion about all of this. I dropped support for U-Matrix years ago because it had become a burden I could not take on. This is such a case here where the unwarranted delisting of U-Block Origin Lite and the requirement of having to deal with this caused the support to maintain a Firefox version to cross the line into the burden-I-cannot-take-on territory. Amount of burden to take on is a personal decision, not something to be decided by others.

And to add just a bit of objectivity, since Gory Hill has clearly taken a stand on this, here's a sympathetic comment I found six days ago over on Y Combinator, where somebody completely different said I manage a medium-sized browser extension at work. A medium-sized browser extension at work. We also offered it on Firefox, but I have spent the past year struggling to get back into Mozilla Store after a manual review. As far as I can tell, there are maybe two reviewers that are based in Europe Romania. The turnaround time is long when I am in the US and it has been rife with this same kind of simple mistake that takes two weeks to resolve.

He says you need a privacy policy, where you already have one. You are generating machine. You're using machine generated code and minified code. No, you're looking at the built code, not the included source. We cannot reproduce your source right, that's because you didn't follow the instructions and are in the wrong directory. Oh boy, he says very frustrating, and there were a number of other similar comments An extremely low threshold of tolerance for any sort of incompetence. That's impeding him finally just decided that it wasn't worth his time or energy to fight a frustrating battle.

2:18:14 - Leo Laporte
He doesn't take fools lightly, and God bless him. No, exactly you know what? I don't blame him and God, I'm so grateful that he writes this and gives it away for free. It must be a significant amount of work, yep, and I don't blame him for saying it's just not worth additional effort.

2:18:31 - Steve Gibson
No. So we have the full story Under Chrome. We get an extra six months of the use of full uBlock origin, with the addition of that little policy tweak in Windows, and something equivalent is available on Macs and Linux. Again, grcsc slash v2 will deliver the reg file to a Windows user. Double click on it, say yes a couple of times and you're all set up. I'll finish today's discussion with something you mentioned, leo, at the top, which is you know, we've got an evolving technology in our browser add-on ecosystem. We have not talked about this large and significant question of the ethics surrounding editing received web pages to remove content, any content that the website wishes to deliver and push on its visitors.

2:19:38 - Leo Laporte
That's a very good point. That's a very good point.

2:19:40 - Steve Gibson
Tracking scripts are one thing, but the more controversial removal is that which produces revenue for the site. We know that today there are many websites that wholly depend upon the revenue from advertising to survive, and we need look no further than this podcast's own hosting network Twit to see firsthand the effects of advertising revenue becoming less available than it once was. So I will finish today's discussion by quoting the author of you Block Origin, raymond Hill. Gore Hill says the following on his GitHub page for his original full-spectrum content blocker, ublock Origin. He writes uBlock Origin is a CPU and memory-efficient wide-ups annoying anti-blockers, malware sites, etc. By default using EasyList, easyprivacy, peter Lowe's BlockList, online Malicious URL BlockList and UBO FilterLists. There are many other lists available to block even more Hosts. Files are also supported. Ublock Origin uses the EasyList filter syntax and extends the syntax to work with custom rules and filters. You may easily unselect any pre-selected filter lists if you think uBlock Origin blocks too much. For reference, adblock Plus installs with only EasyList AdBlock Plus filters and acceptable ads enabled by default.

It is important to note that using an A-blocker is not he has in all caps theft. Do not fall for this creepy idea. The ultimate logical consequence of blocking equals theft is the criminalization of the inalienable right to privacy. Right to privacy. Ads, unintrusive or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. Ublock Origin's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means. So we've spent a lot of time through the 19 plus years of this podcast, as this industry has evolved, looking at this issue. If advertisements were visually static and non-intrusive, if they were not planting cookies in my browser and running code in an active attempt to fingerprint me for the purpose of tracking my movements and compiling a list of everywhere I go and everything I do, and if the websites hosting these obnoxious privacy invasions were not actively complicit in this, that I would feel far more sympathetic are plain text that are not blocked by uBlock Origin or any other ad blocker.

2:23:36 - Leo Laporte
They can't because they're first-party. It's part of the content, and so it is possible to have advertising that goes right through any ad blocker because it's not invasive, it doesn't invade your privacy.

2:23:50 - Steve Gibson
And you know I do not believe that where we are today in the year 2024 is where we'll be 10 years from now. If nothing else, we can see how the industry and government are struggling to come to an agreement and compromise. I was disappointed that European regulators forced Google to abandon its significantly privacy-enforcing privacy sandbox technology. The fact that they were forced to give it up because it would have been so privacy-enforcing tells you all you need to know about the state of today's web technology we talked about that on mac break weekly today that that you can't assume governments are going to always act in your favor and in favor of protecting your privacy.

2:24:40 - Leo Laporte
in fact, they may be acting in favor of advertisers' right to invade your privacy, as in this case.

2:24:46 - Steve Gibson
Yes, and we know, content control add-ons do not completely prevent tracking and profiling, but they do mitigate it and they do make the use of the web significantly more pleasant. One thing seems clear If individual end users, the consumers of the ads and the targets of this tracking do not push back within their means against this abuse of our attention and privacy, it's likely to take much longer for it to change. So we're voting by saying no, thank you. You know, fix your technology and you know we won't have a problem.

2:25:27 - Leo Laporte
Cory Doctorow has called the widespread use of ad blockers the largest consumer boycott in history. Almost 50% of people who use the internet now use ad blocking technology, and that's a pretty strong vote against. Now, some people don't like ads, period. I mean, they're really people who will just say I'm I'm not going to listen to an ad, I'm not going to look at an ad, I will block every ad, I don't care what your monetization strategy is.

2:25:54 - Steve Gibson
um, and so I I think there is a percentage of people who just don't like ads well, and websites have the option of sensing that somebody is refusing to look at ads and then refusing to show them content yeah, that's true.

2:26:09 - Leo Laporte
Don't add blockers, try to get around that stuff.

2:26:11 - Steve Gibson
No, yeah, again, you know the, the, the. The controversial thing is that is that that we're editing what our browser is doing right. And you argue hey, why do not? Why do I not have the right to do that? Yeah, I mean, it is to decide what I want my browser to do on my computer your screen, your computer, yep right, um, this is a.

2:26:36 - Leo Laporte
This is a really difficult one, and I do have to point out that a lot of websites have gone out of business this year, including a non-techMore, because there was no way to get around this consumer boycott, that there's no way to make a living. We're faced with that as well. I understand people don't like ads. I don't know what the answer is to this. Our ads are not. They may be intrusive I don't think they're non-intrusive but they do not spy on you and they're not malware in any form. They are just audio, but a lot of people fast forward through them. There's no real way to block them, but they might fast forward through them. I don't know what the answer is, steve, I really don't.

2:27:19 - Steve Gibson
This is a tough one Because we want journalism right, and part of the problem is I mean, ads really are obnoxious. They have discovered that if you turn the volume up, then you know your, your dollar amount goes up. So the moment you see that everyone's going to turn the volume up and then they're competing with each other to see who has the most volume and a lot of them are really obnoxious.

2:27:42 - Leo Laporte
I agree.

2:27:43 - Steve Gibson
I can't watch television without being able to fast forward past the ads.

2:27:47 - Leo Laporte
But, steve, do you want everything to have a paywall, because that's the option. That's a problem too. I mean, that's really the option is that you can't read it unless you pay for it.

2:27:58 - Steve Gibson
So I would have no problem paying for something that I use routinely, that is, for example, the Washington Post, the New York Times, some site, but I'm not a person who is consuming a great deal of focused online content. I'm not reading the New York Times or the Washington Post or any online content in a go back and like like to it constantly. I'm annoyed that that my iPhone keeps offering me news that I can't read because when I click on it I have to be Apple plus or Apple news plus. It's like don't show this to me if I can't. If I can't read it.

2:28:39 - Leo Laporte
So there's the large issue. You live in a small town, I live in a small town. The New York times and the Washington Post are not going to cover our city council meetings, our school board meetings, the initiatives we're voting on in a couple of weeks, because it's not national news. And yet we don't have local newspapers in anymore because there's no money, there's no support, no financial support. So that means we've got an electorate that is, fundamentally, unless they really go out and look on an ill-informed on on the issues of the day. That's a problem too. So I I this is a very thorny issue. I am very. I do want to be clear, though. I'm grateful to raymond hill for you block origin. I use it on every darn computer. I'm not happy that Google is making it useless on Chrome. I hope that Firefox continues to support it and I understand that there is definitely a contradiction in my use of an ad blocker and my making my living through an ad-supported network. I don't know what the answer is. Yeah, through an ad-supported network.

2:29:44 - Steve Gibson
I don't know what the answer is. Yeah, there was some story I was pursuing for this podcast. I went to the site and I saw it briefly, and then it brought up a big blacked-out region and offered me to either subscribe or not and I thought, well, I'd like to get to be able to see if this is something I want to pursue. But I've never been to this site before, I'll probably never be to it again, so I'm not going to subscribe. Anyway, I went up to uBlock Origin. I disabled scripting on the site. It and you saw it, and the site was there because they were using scripting in order to present the this page blackout. And I'm sorry, but I don't have to run script if I don't want to. Thanks to you, block origin making it that simple, right. So you know, I, I appreciate having that control and, uh, you know and and I'm I heard that Firefox is going to be getting vertical tabs soon and so I won't have to have an add on in order to do that. I'll be a very happy one.

2:31:00 - Leo Laporte
stop yell at us if we go uh, if we go club only everything behind a paywall, because that, if, if we have to do that to survive, we might have to right and I know that would make that would make me unhappy, it would make you unhappy. We want everybody to be able to hear this and thank goodness we have people in the club who support what we're doing. We have advertisers support we're doing so that we can offer this for free to anybody who wants to listen, without you don't have to run an ad blocker. There's nothing. Nothing's putting a big X across the screen.

2:31:29 - Steve Gibson
Well, club only would mean no more ads.

2:31:31 - Leo Laporte
So that would be good. Yeah, well, you have that option right now. Seven bucks a month, no more ads. You can do that right now. Well, it was my original plan. I think you remember when we started to it, I didn't want ads, we didn't want ads. We didn't have ads. Well, we didn't have them. But even when I was offered ads, we said no, we want to be listener supported. But the most we ever got was $9,000 a month, which would have supported one show, and we wanted to do more than that. This show wouldn't exist, and I think this show has done some really important stuff over its. Is it 990?

2:32:07 - Steve Gibson
Listeners think so. Thank you very much for the feedback everybody. I appreciate it yeah.

2:32:12 - Leo Laporte
We're really glad we can keep doing this show and we thank you for your support and listening to the ads and, if you can, you know, patronizing the advertisers. Five more to go. Four more to go before 999.

2:32:25 - Steve Gibson
I'm going to have to spend a little time on some technology to handle four digits. You're so funny.

2:32:31 - Leo Laporte
Well, twit's now in four digits and we were I actually when we started it, I think I made room for five, which was very optimistic. I don't think we're going to get to episode 99,999, but who knows? There'll be nothing left of us. We'll worry about it then.

Steve Gibson is at GRCcom. That's his website. That's where you can find Spinrite, the world's best mass storage, maintenance, performance enhancer, recovery utility. If you have mass storage, you need Spinrite, steve's bread and butter, by the way, that's how he makes a living. So if you don't yet have version 6.1, go on and get it. It's free to people who already bought spin right, and if you haven't buy a copy, it's well worth it. Uh, everybody should have spin right.

Uh, you can also get a copy of the show at steve's site, grccom. He has two unique formats the 16 kilobit audio version and transcripts, which are really nice if you want to read along. He also has the show notes there. You can always download them after the fact. And the 64 kilobit audio version of the show website twittv has both the 64 kilobit audio and video. Oh, you want to see steve's smiling face? We offer that for free. Just go to twittv. Slash SN. There is a YouTube channel that's got all the shows, all the video shows. Anyway, it doesn't have that vitamin D episode because that was audio only.

I don't think it does I think it only has the video shows. If you want to see that, you can go to twittv slash SN, and there's a link to the YouTube channel. There's also a link to a couple of podcast clients, but you can use any podcast client to subscribe and get the version audio or video that you prefer, the minute it's available, since Benito polishes it up, so to speak. Benito Gonzalez, our technical director and editor. Thank you, benito, for the work you do to make this available. He's the behind-the-scenes guy and we do thank our club members If you're not yet a member of Club Twit guy, and we do thank our club members If you're not yet a member of Club Twit. Seven bucks a month, ad-free versions of all the shows, lots of extra content, that coffee episode If we can ever get Steve to do a vitamin episode, that'll be in the Club Twit, twittv slash, club twit.

For more, steve, you should sell those giant coffee cups on the website. There would be a market. That thing is huge. If you want to know how you get a, what is it? A quadruple venti latte in a single mug? Yeah, a quinti Quinti. 15 shots? No, no, no, five, five. Okay. Thanks, steve have a great week.

I'll let you know who Satoshi Nakamoto is next week Right-o.

2:35:10 - Steve Gibson
Cool, bye, bye.

2:35:14 - Leo Laporte
Bye.