Security Now 997 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Leo Laporte
It's time for security. Now. Steve Gibson is here. We have things to talk about. Did Chinese researchers really crack RSA? This might be a problem of headline confusion. The DOD is being sued by DJI over their drone ban and a look at the new plan to allow you to move your passkeys from one place to another. All of that's coming up and a lot more. Next on Security Now Podcasts you love from people. You trust this is.

Twitter. This is Security Now, with Steve Gibson, episode 997, recorded Tuesday, october 22nd 2024. Credential Exchange Protocol. It's time for Security Now, the show where we cover the latest security news privacy issues, breach news, exploits, cves and science fiction Not necessarily in that order, and a little bit of a health, a little health thrown in, just yes yep, yep for this guy right here, mr steve gibson of the gibson research corporation hey, steve leo, we are at 997.

0:01:21 - Steve Gibson
Yes, the. It hadn't occurred to me until you know. We got close enough there for to be obvious that 999 is on election day. Oh, that's appropriate, holy cow, it might have been the end of the podcast we'll drive off the cliff together had it not been clear that no, we're gonna sail on through it and uh, keep dealing.

It still might be if I move to new zealand suddenly, but I don't think that's gonna well, kevin rose, I I heard him talking to you long time ago like I mean a surprisingly long time ago, saying that he was like pushing his visa along.

0:01:59 - Leo Laporte
If you've got millions, as kevin does, it's good to have a hidey hole. And the billionaires? Apparently they did think New Zealand was a place to go, although their government has changed and they're maybe not quite as well organized as in the past.

0:02:16 - Steve Gibson
Welcoming with open arms. Yeah, okay. So here we are at the 22nd of October. Here we are at the 22nd of October and, as planned, we are going to talk about the Credential Exchange Protocol which was announced eight days ago during the FIDO Alliances Conference held a little bit south of me, actually in Carlsbad, southern California, southern California.

At first when I saw the spec, I thought, oh well, there's not enough here to talk about because it's kind of more of an outline. Actually, we'll have some fun with what the spec doesn't say in a minute. But when I got into it more I realized that the meat of it was present and there's enough to make it the podcast. So I first renamed the podcast Credential Exchange Protocol Preview, thinking that that's all we were going to be able to do. But no, we're going to be able to cover it. But oh, we've got. And I should also say that I was hoping that this week I would be able to share more feedback, because I'm getting just so much great listener feedback to securitynowatgrccom from those who have registered their incoming email with GRC's email system that I was wanting to share it. But oh, is there some amazing news that we have? It just took up too much room.

0:03:54 - Leo Laporte
Do you remember for a while we would alternate news episodes with Q&A episodes, but there is just too much going on in security these days.

0:04:03 - Steve Gibson
Yeah, there is. So we're going to answer the question we touched on it last week, but I wanted to give it a little more attention whether Chinese researchers did successfully break RSA encryption, as all of the tech press headlines covered. What did they do? Also, what next level terror extortion is being powered by the NPD breach data? I actually had a buddy of mine send me something that he received and it's worth talking about. Also, the EU is apparently going to be holding software companies liable for their lack of security.

In other words liable for damages arising from software in a no-fault fashion, meaning even if they weren't aware of the problem. So that's a sea change for the software industry. Also, Microsoft lost weeks of security logs. How hard did they try to fix the problem? The Chinese drone company DJI has sued the DOJ over its ban on DJI drones, which is interesting. Also, it turns out that the DOJ wishes to acquire deep fake technology to create fake people complete with identities, and this is where it's like what could possibly go wrong. Also, Microsoft has bots pretending to fall for phishing campaigns and then leading bad guys to their honeypots, which is diabolical and brilliant. Yes, so I just love this feedback that I did manage to squeeze in before we take a look at this operation of the FIDO Alliance's forthcoming credential exchange protocol which, as we know, the whole goal of it is to create passkey collection portability among passkey providers. So another jam-packed, I think really interesting episode for our listeners.

0:06:27 - Leo Laporte
Yeah, I don't know about you, but I the. The new pig butchering scam is not just to say hello, although I still get those, and I got one with a picture of a chinese girl saying you, you remember meeting me and would you? So I get those, and of course immediately. But the latest ones and I think these are probably very effective Lisa started getting them too are job offers. They're headhunters, and now I obviously am not looking for work, but I think if you're a young person looking for work, you might very well fall for these Yep. So I am thinking that no headhunter is going to text message you cold and say we have a job we think you'd like. Uh, if you do get that text message, I would really think twice before responding to it, because it's probably just pig butchering. It is for me.

0:07:14 - Steve Gibson
I know, because nobody's trying to hire me and anybody who hired me would regret it pretty quickly. Yes, when is that? Either one of us, steve, we're not well we're not well suited to being employees either.

0:07:29 - Leo Laporte
one of us are we uh. We will have the picture of the week and the meat of the matter coming up in just a little bit, but first a word from our sponsor, the great folks at threat locker. You've heard steve talk about, uh, zero trust. I think was Google was the first to really kind of start promoting this idea of just because somebody's in your network doesn't mean they're trustworthy, that you really should have a deny by default approach to access. If zero day exploits and supply chain attacks are keeping you up at night and if you listen to this show, I know they are, worry no more.

The best way to harden your security with ThreatLocker. Worldwide companies like JetBlue, for instance, trust ThreatLocker to secure their data and keep their business operations flying high. So imagine taking a proactive this is the key deny by default approach to cybersecurity. In other words, you block every action, every process, every user, unless specifically authorized by your team and the user doesn't get blanket permissions. You can completely control what that user can do. Threatlocker helps you do this and provides a full audit of every action for risk management and important for compliance as well. They've got a great support team 24-7, us-based. They will help you get on board, start it up and, of course, beyond.

So here's how you stop the exploitation of trusted applications within your organization. Yeah, the application is trusted, but is the person using it trusted? Here's how you keep your business secure and protected from ransomware, and one of the features of this is so cool they call it ring fencing. Organizations across any industry can benefit from ThreatLocker's ring fencing by isolating critical these are the most important trusted applications from unintended users or weaponization, limiting attackers' lateral movement within the network. This works really well. Threatlocker's ring fencing was able to foil a number of attacks that just were not stopped by traditional EDR, most notably, that 2020 cyber attack on SolarWinds Orion. Companies that were using Orion got burned unless they were using ring fencing. It worked. It stopped it cold. That's exactly what you need.

Threatlocker works for Macs, too. Get unprecedented visibility and control of your cybersecurity quickly, easily and, by the way, price it because it's very cost effective as well. The way. Price it because it's very cost effective as well. Threat locker zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero day vulnerabilities. This is zero trust, done right. Get a free 30-day trial and learn more about how threat locker can help mitigate unknown threats and, at the same time, ensure compliance. Visit threatockercom. It's a great company with a really interesting product that really works, threatlockercom. And it's surprisingly affordable too. I could even afford it, threatlockercom. We thank them so much for supporting security. Now, steve, I am prepared to demonstrate, to show to the world the picture of the week.

0:10:47 - Steve Gibson
I'm scrolling up now a useful analogy about the whole zero trust. Yeah uh, change is just the that the evolution in thinking about how a firewall should work that the first firewalls were open and they blocked known problems and it became pretty quickly clear that that was the wrong strategy. Right, we needed to be closed by default for everything and then selectively open ports.

0:11:19 - Leo Laporte
White list instead of black list. We knew we wanted Yep. Yep, it's really cool and it's such a simple concept and yet it's so. Yep, it's really cool and it's such a simple concept and yet it's so effective. Yeah, yeah, all right, you have a title for the picture of the week.

0:11:31 - Steve Gibson
So, yes, I gave this picture the caption. Generic accessibility requirements may not always produce an appropriate outcome.

0:11:47 - Leo Laporte
Oh, my God.

0:11:51 - Steve Gibson
So what we have is a warning sign that says hot surface, do not touch. And, due to the need for unsighted people to be able to read the signage, also below it is Braille, which, of course poses a problem for a hot surface warning sign.

Now this sign actually has an interesting history because once again, the email for today's podcast I was able to. I got everything wrapped up at the end of the evening and sent the email out last night. So at this point I think it was 11,314 recipients of the show notes, the summary of the podcast and a thumbnail of this picture that you could click on to get full size. They all received that last evening, so I'll just remind our listeners that that's available to anybody who wants to subscribe to the Security Now list. A couple people said I know what that's supposed to be, but that's not actually Braille. Ah, and so I know why. This actually came from a listener who submitted a photo of this sign. Well, a sign which had this it said hot service, do not touch. And then it actually had a line of true Braille along the bottom. The problem was it was a photo taken off axis in bright sunlight, so it was washed out and it had like a big, you know, shining reflection of the sun on it.

It was probably pretty hot actually it did make a great standalone photo. So I have this really cool perspective correction software. So I fixed the perspective and it looked fine, but it still didn't look great. So I thought I wonder if AI can come to my aid.

0:13:53 - Leo Laporte
This is AI-generated.

0:13:55 - Steve Gibson
Yes, Wow, so I and ChatGPT now has an image facility.

0:14:02 - Leo Laporte
It didn't used to be able to do text at all.

0:14:04 - Steve Gibson
This is remarkable, you know so I said, uh, could you take a sign and like in, like, improve the contrast and make it more legible, or something like that? And it said, yeah, happily. And so I thought about it for a minute and it came up with a completely different sign and I mean it, it was like.

I mean, it was like as if I'd said here's an idea. Run with it, which is not what I said at all, but I've learned from my friend that it really helps to be polite. So I said, wow, that's really great.

0:14:43 - Leo Laporte
But could you make it look a?

0:14:44 - Steve Gibson
lot more like the original one that I uploaded. Oh sure, I'd be happy to do that.

0:14:49 - Leo Laporte
And it did.

0:15:02 - Steve Gibson
Well, no, and I got this, which is stillished by what I'm seeing this AI stuff can do. I'm not a super experienced SQL coder, nor do I really program in PHP, but over the weekend there was a chunk of code that I got from that is in the email system that I'm using. And you know, I mean, as we know, once you understand procedural languages, they all pretty much look the same. You need to know how you do not equals, which varies from language to language. And you know, do I put semicolons at the end of each line or not? That kind of stuff. But so I could see what it is doing. But it was, it was doing late binding to prevent against injection attacks, and I wanted to know how much of what it was doing I could reuse for a subsequent query without having to do all of the early stage setup. So, yeah, and again, in pre-AI, I would have you know, googled right for like I don't know half an hour poking around getting an understanding of each of these statements and exactly what context they require and how much they leave behind, and blah, blah, blah, blah. I thought, okay, I'll just ask ChatGPT, because it also now has an explicit coding assistance. They call it Canvas.

And so I went there and I copied the statements that I wanted to understand in detail, I removed some of the superfluous stuff and I pasted it in. And I said I pasted it in, I said, could you explain to me, if I want to make another query of the same sort, what this all does and how much of it I need to, how much of it does not need to be repeated? I'm just astonished. It's really remarkable. Now, I mean, it was a course that it just dumped out, where every single statement it explained what it was doing and then answered my question, which was, of all of that, how much was set up that I did not need to repeat when I wanted to reissue the query with a couple different parameters, I mean, and I just thought, okay, this actually I mean now, you know I'm not asking it to help me with my assembler code because I'm, you know.

0:18:04 - Leo Laporte
I'm a fish in water. It might be able to, though, Steve. I'd give it a little test just to see.

0:18:09 - Steve Gibson
No, it's not even interesting, but here I mean it really. You know, this was where I wanted a quick answer without in-depth studying, so like without going and spending the time to dig through all of the individual definitions I've used it for regular expressions and it's very good at interpreting regular expressions.

0:18:34 - Leo Laporte
Oh, that would be good too, very much like SQL queries. But I think the key with AI is you have to know what its limits are. It really doesn't work by itself, but when in conjunction with a human, it can be very useful. You just have to know what you're doing and know what its limits are, and not say that it's going to take over the world.

0:18:52 - Steve Gibson
I used a script a couple months ago. Again not a language that I spend all my time in, and it gave me something that looked good and did not work, but I saw where the error was and I thought okay, and then I was able to fix it.

0:19:08 - Leo Laporte
Yeah, it's a starting point.

0:19:10 - Steve Gibson
Anyway, I have to say, for some things it's a time saver, and I'm normally not looking to save time, but in this case it's like, okay, I just want to get this out of my way, so okay. So I know from having created and written InfoWorld Magazine's Tech Talk column for eight years that the way things work in publishing, the authors of columns and news articles have absolutely no control over the title given to their work. Why that is true is something I've never understood. I complained about it back then when I was writing the column and I was told no, you don't do that, we do that. And it's like okay, so it's just the way it is. And, as I said, I can't begin to tell you how many times I was distressed to see the headline one of my carefully thought out and crafted columns was given after it left my control and, headed to the printer, turned out to have. You know it, often, I kid you not, the headline bore no relationship to what I had written and it was just so annoying. And with that understanding, I can forgive the well-meaning author of a piece that appeared last Monday, the 14th, in CS Online. The headline of that piece could not possibly have been any more misleading than it was. So I can only imagine what its author thought when they saw it in print. The incredibly provocative headline in question read quote Chinese researchers break RSA encryption with a quantum computer. Did that happen? No, it didn't even remotely close to happening, and there's no way to characterize what did happen as having broken RSA encryption. You know, breakage in cryptography has a very specific bone chilling meaning. And this isn't it, and this isn't it OK. So, fortunately, to regain some sense of order to the universe, one only needs to read past that deliberately fictitious headline to the first sentence of the actual article, which says quote A research team led by Shanghai University's Wang Chao found that D-Wave's quantum computers can optimize problem solving in a way that makes it possible to attack encryption methods such as RSA. Now, not nearly as catchy as quantum computers have broken RSA's encryption protection. Unfortunately, you know, as I said, the truth of the discovery makes for a much less exciting headline.

Through the years of this podcast, we've talked a lot about the strength of RSA encryption, which lies entirely in the still surprisingly and thankfully intractable challenge of factoring extremely large and when I say extremely large I mean humongous numbers into their two prime factors the basis of RSA's extremely clever system is that we first choose a very large, as in 4096-bit large, huge prime number at random, which turns out to be easier than you might expect. There's lots of them out there. That's our private key. Then we hide that private key by choosing another similarly large, 4096-bit prime number and then multiply those two primes to obtain a 8192 bit. You know, 8192, two times 40, 96 bit product. The product of those two primes is the public key, inside of which is hidden the private key, the private key. So if it were possible for some computer system to factor that even more massive 8192 bit public key, then that original private key that was hidden inside the public key could be revealed and RSA's protection would then actually be in trouble. And we use this encryption everywhere. So, yes, it would kind of be the end of the world.

The Chinese researchers explained in their paper. They said, quote using the D-Wave advantage, we successfully factored a 22-bit RSA integer demonstrating the potential for quantum machines to tackle cryptographic problems. That's all they said. We successfully factored a 22-bit integer, factored a 22-bit integer. So you know, newsflash, quantum computers can be used to factor integers, very small integers at this point and, if memory serves, the last time we looked at this a few years ago, other researchers were announcing their breakthrough by factoring a much smaller number. It's like, I think it's like they factored 13 or 11 or something. I mean like the number 13 or 11. So 22 bits, that's a much bigger number.

I have no doubt that this represents a significant discovery and, yes, another breakthrough in the application of quantum computer technology for breaking cryptography. But at today's strength, where the public key that needs this, the thing that needs to be factored in order to retrieve the private key hidden inside it, 8,192 bits is what you would need to factor. So the practical RSA factorization protection offered by the factorization problem. And in fact, what they do is believed to be completely intractable by quantum computing technology, and we talked about this before. In the case of, for example, the Signal messaging application, they're already quantum safe. But because these new quantum safe algorithms are still new and unproven, signal took the belt and suspenders approach of using both the old and time proven as well as the new and hopefully safe but still not yet time proven algorithms at the same time. In that way, signal's users are already protected, because the possibility of some true breakthrough in the use of quantum computers is there. But even if that happened, we would still have the fallback of traditional crypto. So even if quantum computers were able to crack one family of crypto, they're using both new and old.

So anyway, I got swamped with email, not surprisingly, from our listeners who saw this headline, and of course it got picked up and echoed around the industry. Oh my God, you know, the Chinese quantum computers researchers have broken RSA crypto. No, didn't happen. You know this still. I mean, this is the way it's going to go right. It's going to get chipped away at. Next generations of quantum computers will be able to increase the strength of this, increase the strength of this. Hopefully we will have moved, we will have migrated to post-quantum technology by that time, and so, when it eventually does happen, nobody will be using this technology any longer. So it's certainly foreseeable that that's the case. Okay now, this happened over the weekend.

A buddy of mine forwarded a scam PDF that had arrived in his email. But the opening line of this particular scam is what caught my attention and thus made it into today's podcast. Thus made it into today's podcast, although his email name, his email account, does not have any aspect of his name in it. The PDF was correctly addressed to him with his full, correct first and last name and I'm going to read like the first third of it to give you a sense for it. So it was addressed to him, you know, first name, last name, comma, and it read I know that calling. And then it had his accurate phone number, area code, phone number. So I know that calling and there's his phone number, or visiting you at, and then it had his full current residential street address would be an effective way to contact you in case you don't act. Don't try to hide this, you have no idea what all I can do in. And then his city of residence. I get this exact email daily.

Okay, I had not seen it before.

0:30:38 - Leo Laporte
And it's a PDF that's attached to the email.

0:30:40 - Steve Gibson
I'm not sure why that is either it's a pdf that is attached to this. Um, he was terrified, and you know, and then, and then it goes on with your, the, the standard. You know, uh, how horrible you are. What all of your videos that you've been watching it recorded and blah, blah blah.

But but what? What's me? What stood out? And it finally ends up telling him that the only way to prevent this from being sent to all of his friends and family and contacts and social media accounts all of which this cretin alleges to have is to pay $2,000 to a Bitcoin address.

0:31:25 - Leo Laporte
I was actually making fun of it because our uh uh local newspaper, the santa rosa press democrat, had a. Three santa rosa residents have been fooled by this scam. I thought doesn't everybody get these emails all the time? I mean, you don't get these, I get them all the time. I I've never seen this here's one, I'll show you. I'll show you, I can show you, because the address is an old address. I suspect this whole thing now is prompted by, maybe, the NPD leak.

0:31:57 - Steve Gibson
I don't know. That's exactly where I'm headed with this.

0:32:00 - Leo Laporte
Yeah, here Let me show you mine. I mean, this is, and you could see, because look at the email address ShaunaNellyXDFT, it's a completely fabricated email address, right? Yep, this is I can show this because it's not my current address Right, and this is exactly what you're talking about. That is the email. Yep, I get this daily, steve.

0:32:24 - Steve Gibson
Okay, I had never seen it. I had never seen it, he had never seen it. And and the, the, the, the, the for. So all of this data is now public and I guess you know, for me, what really yanked my heartstrings is the idea of how many people are truly going to be terrorized by this. And again, obviously you're not, leo, but I am absolutely sure that when people get this for the first time and they see their name, their phone number, their physical address, which they see I mean they don't know about the national public data breach they still imagine they have this illusion of privacy, that like they have any privacy now it's a delusion in the online world.

Yeah, and so they don't get it that this is some cretin, you know, in russia or north korea, who knows absolutely nothing about them, that has no ability to physically intimidate them at their residential street address, which they do have as a consequence of these data breaches. Anyway, I just think that I'm glad that the newspaper is talking about this.

0:33:55 - Leo Laporte
We should all be yes.

0:34:00 - Steve Gibson
I really think that it would be a public service announcement to make sure that everyone understands that this is where we're headed, that our data as a. I suspect that the NPD breach was an example of this.

0:34:19 - Leo Laporte
This is probably from Street View Google Street View, I would guess this picture.

0:34:23 - Steve Gibson
Oh, so it actually even had a picture of your property.

0:34:26 - Leo Laporte
Yeah, yeah, those online tips about covering your camera aren't as useless as they seem, wow. So here's the giveaway to me. This is the same verbiage that's used in when chinese scammers say I have your iphone and you better take it off. Find my ip. They also use this line. You have no idea of what I'm capable of in your town, in Petaluma, and that, to me, is a little bit of a giveaway. I'm going to say these are Chinese scammers and this is the same bunch of people who do a bunch of this kind of pig butchering stuff. It's really too bad. And, yeah, I really fear for people like my mom, older people yeah, exactly somebody who, who, who's not, who's never seen it before?

0:35:11 - Steve Gibson
who again? Who has this illusion of a, of a private?

0:35:17 - Leo Laporte
don't know what the modern world is, you know? Yeah they don't. Yeah, it's very sad. Well, I guess we should. It's too bad. I don't do the radio show anymore. I made a habit of talking about these on the radio show, hoping to reach a general audience.

0:35:33 - Steve Gibson
And obviously you were in touch then with that kind of audience and I'm sure you understood. I mean they called up and said, oh my God, and I mean so this is what people are going to do when they see this and like, there's their phone number and their street address. If you read it, it's terrifying. Yes, it is, it is, and there's no need to read it because a lot of people have seen these before, but it is, it is absolutely. You go through this. It is and you and again, it is terrifying. So I had never seen all of that information.

0:36:14 - Leo Laporte
Been keeping tabs on your pathetic existence for a while now. It's just your bad luck I discovered your bad deeds.

0:36:22 - Steve Gibson
Yes, and I've got footage of you doing filthy things in your house. Nice setup, by the way yeah, you know I mean it's if, if somebody read this, they would and and again and they, and they didn't know better yeah, that's the problem.

0:36:39 - Leo Laporte
Unfortunately, this is the world we live in now. Uh, that's what's really sad about this. These are this is just one of many somebody's saying.

0:36:48 - Steve Gibson
They sent it as a pdf to evade uh emails that's what I was sort of thinking, except that I thought all email stuff is now opening pdfs now and looking inside, so I don't know. Um, we're half an hour in leo, let's take a break, and then I'm gonna. We're gonna talk hour in Leo, let's take a break, and then I'm going to. We're going to talk about what the European Union just did and it's big news for software product liability.

0:37:15 - Leo Laporte
Yeah, I feel like we've heard this. We heard it was coming. I feel like we've talked about this before.

0:37:19 - Steve Gibson
Well this landed and wait till you hear what they're going to try to do. Oh baby, it's such a big deal I can't believe it's going to happen. I mean, it's too big a change.

0:37:33 - Leo Laporte
Good. Well, while we're getting ready for that, let me tell you about our sponsor for this segment on security now, a little company called Flashpoint, you know about.

0:37:43 - Steve Gibson
Flashpoint. Sorry, leo, I'm going to need to stop you real quick. I have to make a handoff with Anthony, so Anthony's going to join the call and he's going to come in and do stuff, okay.

0:37:49 - Leo Laporte
No problem, because I have to step away and do something else. No problem, there he is. I have these delicious Japanese snack crackers, snack crackers. You can continue now, so so.

0:38:00 - Steve Gibson
I'm very crunchy. He's going to be doing the lower thirds and stuff, so go for it.

0:38:05 - Leo Laporte
Are they soy coated? They're rice, baked rice. I love them. They're just as Love them. Yeah, they have wasabi sometimes. Love them. I know I love them too much. They're good for you, right? No, okay, here we go, this episode of Security Now brought to you by flashpoint.

Now, for security leaders, 2024 has been a year like no other. If you listen to this show, you know that right, cyber threats and physical security concerns have continued to increase. Now there's geopolitical instability, adding a new layer of risk and uncertainty. Let's talk numbers. Last year this blew me away when I saw this there was a staggering 84% rise in ransomware attacks. That's almost double A 34% jump in data breaches, and that's probably underreported. The result trillions, trillions of dollars in financial losses and threats to safety worldwide. Now I know you listen to this show because you want to keep up on this stuff.

I've got another solution that's really great. It's called Flashpoint. Now you figure, a government has intelligence agencies, right? That's why we have intelligence agencies to keep their ears to the ground, to keep an eye on what's happening, so that we can get advanced warning. What about businesses? That's what Flashpoint does. Flashpoint empowers organizations to make those mission-critical decisions to keep their people and assets safe. And it does it by combining cutting-edge technology with the expertise of world-class analyst teams. And now with Ignite, which is Flashpoint's award-winning threat intelligence platform, you get access to everything you need critical data, finished intelligence, you get alerts and analytics all in one place. It helps you maximize your existing security investments and it saves you money. Some Flashpoint customers avoid half a billion dollars in fraud loss every year and have a 482% ROI in just six months. No wonder Flashpoint earned Frost Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence.

I didn't know this category existed, steve, until I talked to these guys. It's really cool. Let me give you a quote from I can't say the name of the financial institution. You would know the name. He's the SVP of cyber operations at a large US financial institution. He said quote Flashpoint saves us over $80 million in fraud losses every year. Their proactive approach and sharp insights are crucial in keeping our financial institutions secure. They're not just a solution, they're a strategic partner helping us stay ahead of cyber threats. Information is everything in this right. It's no wonder Flashpoint is trusted by both mission-critical businesses and governments worldwide. Yeah, governments even use Flashpoint To access the industry's best threat data and intelligence. Visit flashpointio today. Flashpointio the best data for the best intelligence to keep you safe. Flashpointio what an interesting business. I had no idea that these businesses, that this even existed, but it makes sense, right? Governments have intelligence agencies. Business needs it too, as I know why you listen to this show. Same thing, right.

0:41:51 - Steve Gibson
All, right, on we go, mr Gibson. Okay, so, as our longtime listeners know, one of this podcast's longest standing observations has been over the distortion in the software industry created by software license agreements that universally disclaim any and all responsibility for any consequences of the use and operation of the software. The wheels don't fall off of cars which we drive only because it would be the end of any automaker whose car's wheels did fall off, because you know the rigid enforcement of product liability would end that company's existence overnight. But that has never, bizarrely, been the situation in the software business, where software users have no choice other than to contractually sign away all of their rights in a software license agreement in return for the privilege of using the software, regardless of its quality. It's like you know, hey, if you don't want to use it, fine, don't sign this, but if you agree, then you know we're not making any representations about the product's quality or its fitness for any particular purpose. That language is in all of those license agreements. So our listeners also know that. I 100% understand that mistakes happen and that the perfect operation of a complex software system can be impossible to achieve. A complex software system can be impossible to achieve but at the same time, through the years of this podcast, we've examined instance after instance of the consequences of deliberate policies, not mistakes, that can only be characterized as enabling continuing egregious conduct on the part of some software producers. This conduct, and the policies that enable it, are explicitly protected by the license agreements under which software is used, and I've also often wondered here when and how this will change, because it feels like it's wrong the way things are today. Well, change may be coming.

I don't know what to make of this next piece of major, earth-shaking news, because the changes that the European Union proposes to make in its product liability laws to explicitly include software liability while at the same time eliminating software licensing exemptions, seems too radical to actually occur. But it has actually happened. So, anyway, time will tell, and the fact that this is moving into law certainly means something, even if it doesn't happen immediately or at full strength, and I should note that it doesn't come into effect for 24 months, so that gives some time for something to happen. I'm not sure why they installed this two-year time delay, but we're going to find out, okay. So let's back up a bit and explain what's in the works. So let's back up a bit and explain what's in the works.

The first clue that I had about this was from the first news item in the Risky Business most recent newsletter. Here's what it describes, and listen to this carefully, because this is it they wrote the European Union has updated its product liability law to cover software and associated risks like security flaws and planned obsolescence. Eu's oldest directives and will provide consumers with the legal tools to hold companies liable in court if they sell defective products. The biggest change to the old directive is the addition of software products to the list of covered goods. Companies that sell or want to sell in the EU will have to make significant changes to how they are currently doing business if they have failed to invest in proper software development and cybersecurity practices.

The new directive extends liability to vendors for software that contains security flaws Wow when those flaws lead to any damage to consumers. This includes both physical damage caused by defective or insecure software, but also material damage such as loss of functionality and features, loss of financial assets and others. The directive also classifies the lack of a software update mechanism to be a product defect and makes the vendor liable. Software vendors are also forbidden to withhold information about a software update's negative impact. The only exemption in liability coverage is when the software update requires the consumer to manually install an update, but generally the directive sees vendors liable as long as they have control over their product after a sale. The directive also extends liability to vendors who use any type of planned obsolescence system to artificially reduce the lifespan of their products. And I have to say, some of this read, like you know, touching on the a certain period or an update that degrades a software's performance. This is totally aimed at Apple.

Yes, that's hysterical In order to entice users to move to a new service tier or product, companies can also be held liable for misleading consumers about a product's durability, repairability or expected lifespan. The directive requires victims to prove a product's defectiveness, but it also adds a new legal mechanism to force vendors to make required evidence available. The new rules exclude free and open source software from its requirements. The new directive was approved earlier this year by the EU Parliament and earlier this month by the EU Council. It is set to go into effect in 24 months, in the fall of 2026. Okay now, I trust Catalin's reporting, but I needed to see this for myself and our listeners need to hear this. So I found the 63-page document from the EU and I've got the link to it there in the show notes at the bottom of page five, leo, and as far as I can see, he did not get anything wrong. Okay, so I'm just going to pick and choose a couple of paragraphs from the whole document to give everyone a taste of this. After a bit of explanation about how and why the very old previous directive is no longer useful, this new directive explains that, rather than attempting to edit and amend the old one, it is being replaced in its entirety by this new directive. And that brings us to paragraph six, which says in order to ensure that the union's you know, european Union, the union's product liability regime is comprehensive, no fault liability for defective products should apply to all movables, including software, including when they are integrated into other movables or installed in immovables. What is a movable? You mean like a phone, a car? They actually describe it I think it was earlier, but they were saying including software, which is what I keyed on Right someone for an injury, even if you were not negligent or at fault. For example, if you own a dangerous animal and it hurts someone, you're responsible for their injuries, even if you didn't mean for it to happen. Okay, so it's clear that, from the standpoint of a software publisher, unintentional damage will not waive their liability under this new directive for any damage it may cause.

Paragraph 13 explains products in the digital age can be tangible or intangible. Software such as operating systems, firmware, computer programs, applications or AI systems and, by the way, ai also figures heavily here is increasingly common on the market and plays an increasingly important role for product safety. Software is capable of being placed on the market as a standalone product or can subsequently be integrated into other products as a component, and it is capable of causing damage through its execution. In the interest of legal certainty, it should be clarified in this directive that software is a product for the purposes of applying no-fault liability, irrespective of the mode of its supply or usage and therefore, irrespective of whether the software is stored on a device accessed through a communication network or cloud technologies or supplied through a software-as-a-service model. Information is not, however, to be considered a product. A product liability and product liability rules should therefore not apply to the content of digital files such as media files or e-books, or mere source code of software.

A developer or producer of software, including AI system providers, should be treated as a manufacturer, and this is followed by paragraph 14, which fully exempts open source software. It reads free and open source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software, or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licenses that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this directive should not apply to free and open source software developed or supplied outside the course of a commercial activity. Since products so developed or supplied are, by definition, not placed on the market, developing or contributing to such software should not be understood as making it available on the market, should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. In principle, the supply of free and open source software by non-profit organizations should not be considered as taking place in a business-related context, unless such supply occurs in the course of a commercial activity. However, where software is supplied in exchange for a price or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software and is therefore supplied in the course of a commercial activity, this directive should apply.

Then we have the question of products that are enhanced by or dependent upon external services. No-transcript. Paragraph 17 says it is becoming increasingly commonfault liability to such integrated or interconnected digital services, as they determine the safety of the product just as much as physical or digital components. Those related services should be considered components of the product into which they are integrated or with which they are interconnected, where they are within the control of the manufacturer of the product into which they're integrated, or with which they are interconnected where they are within the control of the manufacturer of the product. Examples of related services include the continuous supply of traffic data in a navigation system, a health monitoring service that relies on a physical product sensors to track the user's physical activity or health metrics, a temperature control service that monitors and regulates the temperature of a smart fridge, or a voice assistant service that allows one or more products to be controlled by using voice commands. Internet access services should not be treated as related services, since they cannot be considered as part of a product within a manufacturer's control, and it would be unreasonable to make manufacturers liable for damage caused by shortcomings in internet access services. Nevertheless, a product that relies on internet access services and fails to maintain safety in the event of a loss of connectivity could be found to be defective under this directive.

And finally, I was thinking about the exclusion that is always present in license agreements, which, as we know, has been a hobby horse of mine. This addresses that directly. Paragraph 56 of the legislation says the objective of protecting natural persons would be undermined if it were possible to limit or exclude an economic operator's liability through contractual provisions. Therefore, no contractual derogations should be permitted. For the same reason, it should not be possible for provisions of national law to limit or exclude liability, such as by setting financial ceilings on an economic operator's liability. Okay now, not being trained in the law, I cannot render any opinion about the eventual impact of what the European Union has just done. But I can read, and what should be abundantly clear is that a sea change of some sort is coming to the product liability side of the software industry, at least as it applies in the European Union, even if this is met with a great deal of industry pushback and it's difficult to imagine that it won't be it appears that the past half century of software publishing operating with impunity in a world without accountability or consequences may be approaching its expiration date.

Over the past 50 years, software and the Internet have gradually grown to become truly mission critical, but many older aspects of the way things have always been done have remained in place due to, you know, inertia and no immediate forcing of change. Newer tools have been created that you know could enable software to be and we've talked about this significantly more robust than it is today, but programmers still choose to recklessly code in crazy, unsafe and unmanaged languages like C and Assembly. Imagine that. See an assembly. Imagine that We've seen reports of major projects being deliberately recoded in fast and safe languages which will at least be able to deal with ridiculously persistent errors, such as use after free, that keep causing problems and continue to plague today's code.

But these deliberate and expensive recoding efforts remain. You know they are far and few between exceptions. It needs to become the norm. So it may be that legislation such as the EU has just put into place, having a 24-month grace period before it goes into effect, will up the ante and finally induce serious consideration of how future coding should be accomplished to reduce the incidence that might subject its publisher to warranted product liability claims. And you know I just dissed two of my favorite languages. So let me be clear it is entirely possible to write safe and secure code in C or assembly. Of course it's just far more expensive to really do so.

You know the flight computers controlling both the American shuttle program and the two Voyager space probes. They were hand-coded in assembly language and they both proved to be extremely reliable accomplishments. It all boils down to economics.

1:00:42 - Leo Laporte
It's expensive.

1:00:43 - Steve Gibson
We know that I write everything in assembly language and that none of what I produce has ever had a problem with bugs. I rarely revise my final product other than to add new features, but I also have the unusual freedom of not having a boss and, more importantly, not writing under any sort of delivery deadline. That's not a luxury most of the world's coders enjoy. So for nearly everyone else, the thing that makes the most economic sense is using next-generation memory-safe languages. That's the only strategy that makes sense for keeping uncaught errors from turning into exploitable security vulnerabilities. So I'm going to be keenly interested to see what comes of the EU's new software liability legislation. I mean, it is a big deal.

1:01:38 - Leo Laporte
It's coming here too, but this is part of the Biden administration's national cyber strategy they announced last year with software liability, and that's for security reasons as much as for liability reasons.

1:01:50 - Steve Gibson
Well, look at the problems we've had. Like Microsoft doesn't update that one old tenant and China gets in and is in the US government agency's email.

1:02:06 - Leo Laporte
I mean, I'll never forget the first shrink wrap license I saw, which was probably for an Atari 800 in the 80s, and reading the lines, we make no warranty that this software is usable, for anything will do. Anything is going to do what we say it's going to do. It's not our fault, complete disclaimer of all responsibility.

1:02:26 - Steve Gibson
I was kind of blown.

1:02:26 - Leo Laporte
I was like wow, really astonishing yeah, but I understand uh, people don't have the confidence in software and they never have, didn't the dod uh adopt ada as an attempt to make a have a secure programming language that would be reliable. And what happened to that initiative, I don't know. People were still programming in.

1:02:49 - Steve Gibson
COBOL at the time, at the time, yeah.

1:02:51 - Leo Laporte
Ada was supposed to be memory safe, memory hard. It was very strongly typed. I think programmers didn't like it because it was so strongly typed it required a lot of boilerplate code and they didn't really like doing that. That was my sense of it, but for whatever reason I don't think it's widely used anymore.

1:03:11 - Steve Gibson
No, I think there's no question that we have so much computing power now that we can afford to sacrifice some strict level of efficiency in trade for security in trade for using a language that protects the programmer.

And if I were counseling people and I know we have listeners in college and at high school level who are wondering what they should do I would not. Everyone argues that learning assembly language, for example, which is basically machine language, using mnemonics to make it more intelligible, is useful to really understand what's going on down at the hardware level in the computer, and I can't argue with that. But if you want to get a job and you want to be on secure, safe computer programming, I think that's where we're going to head. I mean, initiatives like this are going to change Again. It's about economics that's the driver and a lot of inertia too, and we know that. You know the only way I'm going to quit programming and assembly is when I'm buried.

1:04:49 - Leo Laporte
Yeah, and you know people are mentioning in the chat room Rust, which is memory. Safe Rust is what immediately comes to mind Strongly typed Rust is what immediately comes to mind.

1:05:00 - Steve Gibson
Yeah, yeah, yeah.

1:05:01 - Leo Laporte
But there are other choices out there. I mean, this is definitely a movement among coding People who write languages are definitely working on this.

1:05:10 - Steve Gibson
And you know, one of the things that we see, leo, is these changes occur slowly, and so the industry's been dabbling around these things, and it all began in academia, where all kinds of wacky languages exist to explore the idea. It takes a long time for them to actually move from there into production, and you have to have people who know them. So I would seriously look at Rust or another language that's entire purpose is security, because programming secure applications is coming.

1:05:50 - Leo Laporte
Yeah, good, it's about time.

1:05:56 - Steve Gibson
Bleeping Computers headline was Microsoft warns it lost some customers security logs for a month. Oops and TechCrunch reported under the headline. Microsoft said it lost weeks of security logs for its customers' cloud products. And since going to the source is usually best, I tracked down Microsoft's own report of this. Under the section of that titled what Happened, they wrote this is Microsoft who wrote.

Starting around 2300 UTC on September 2nd, a bug in one of Microsoft's internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform. You know okay, no one knows what any of that means, but sounds good. This resulted in partially incomplete log data for the affected Microsoft services. This issue did not impact the uptime of any customer-facing services or resources. It only affected the collection of log events, which you know we call putting a good face on it. They said. Additionally, this issue is not related to any security compromise, except as it would have been nice to have logs so you could detect security compromises, which you can't detect if you don't have logs.

But the next sentence is the one that got me. The issue was detected on September 5th. Following detection, our engineering teams began investigating and implemented a temporary workaround to reduce the impact of these failures, beginning on September 19th. Now, ok, those dates caught my eye. They say that the issue was detected on the 5th of September and that their engineering teams began investigating and implemented a temporary workaround to reduce the impact of these failures, beginning on September 19th. In other words, two weeks lapsed between their initial detection of this issue and their beginning to investigate and implement a temporary workaround. It sounds as though logging is not an urgent priority for them, though, after all the problems they've had surrounding a lack of logging for their customers, one would really imagine yes, not Okay. Dji sues the DOJ. The DOD.

1:08:51 - Leo Laporte
The what the DOD, not the DOJ? They're suing the Defense.

1:08:56 - Steve Gibson
Department. Oh, you're right, you're right. The Department of Defense Sorry, yes, yes. So DJI, the Chinese manufacturer of what are arguably the best small consumer drones yeah, I have, everybody does, yeah has sued the United States Department of Defense over the DOD's listing of them as agents of the Chinese military. Reuters news service carried the news, which contained some interesting details. They wrote Washington October 18th Reuters.

China based DJI sued the US Department of the US Defense Department on Friday for adding the drone maker to a list of companies allegedly working with Beijing's military, saying the designation is wrong. That is, dji is saying the designation is wrong and has caused the company significant financial harm. Yeah, no kidding, yeah, no kidding. Chinese military company. Unquote, saying it quote is neither owned nor controlled by the Chinese military. Unquote, being placed on the list, they write, represents a warning to US entities and companies about the national security risks of conducting business with them. Dji's lawsuit says because of the Defense Department's quote unlawful and misguided decision. Unquote, it has, quote lost business deals, been stigmatized as a national security threat and been banned from contracting with multiple federal government agencies. Yeah, that would happen. Unquote. The company added. Us and international customers have terminated existing contracts with DJI and refused to enter into new ones. Dji said on Friday it filed the lawsuit after the Defense Department did not engage with the company over the designation for more than 16 months, saying quote it had no alternative other than to seek relief in federal court. It had no alternative other than to seek relief in federal court.

Amid strained ties between the world's two biggest economies, the updated list is one of numerous actions Washington has taken in recent years to highlight and restrict Chinese companies that it says may strengthen Beijing's military. Many Chinese firms are on the list, including aviation company AVIC, memory chip maker YMTC, china Mobile and energy company CNOOC. Dji is facing growing that Customs and Border Protection is stopping imports of some DJI drones from entering the United States. Citing the Uyghur Forced Labor Prevention Act, dji said no forced labor is involved at any stage of its manufacturing. Us lawmakers have repeatedly raised concerns that DJI drones pose data transmission, surveillance and national security risks, something the company rejects. And finally, last month the US House voted to bar new drones from DJI from operating in the US. The bill awaits US Senate action. The Commerce Department said last month it is seeking comments on whether to impose restrictions on Chinese drones that would effectively ban them in the US, similar to proposed Chinese vehicle restrictions.

Ok, so we've talked about this previously, so this is one of those situations, I think, where it's entirely possible to see the logic being applied by each side of this argument. It cannot be argued that nothing could ever make a more perfect spying device than a camera-equipped flying drone. They are, by by definition, flying cameras, and DJIs are among the best. We previously talked about how DJI drones are being actively used within military bases in the US and even on secret military bases, and DJI drones receive software updates. So it's theoretically possible for again theoretically for the Chinese government to order DJI, a Chinese manufacturer, to alter their firmware so as to turn their drones into active spying cameras. And whether or not it's fair, theoreticals are what keep our military planners and our generals up at night.

The only way I can see for this to work would be for DJI to essentially create a wholly separate US version of DJI. As an independent US-based division, dji China could produce the drone chassis and all the hardware, which is where the majority of the cost and value lies. The sole exception would be the drone's circuit board, which would be manufactured using US known components in the US which have been sourced for that purpose and that US DJI drone control board would then be flashed with firmware that had been audited and inspected by technical representatives of the United States. Dji would need to establish camera footage uploading cloud servers in the US without any ties to China, and the only connection would be the receipt of brainless drone chassis from China. This would all obviously represent a huge burden and a cost for DJI, but I can't see reaching any other compromise. It's not strictly fair, but the danger, even if only theoretical, is so great that I think DJI will need to consider some sort of a solution along these lines you know if they want to keep the US market.

Unfortunately, you know, we're a big market for them and tensions are on the rise between the US and China, and not without cause. I mean, how many times, leo, have we talked about Chinese-sponsored cyber attacks on the US inside the US? And so, of course, tensions are going to be high and presumably we're giving as well as we get.

1:16:03 - Leo Laporte
Right. I'm sure the Chinese would have no hesitation banning US drones in the Chinese market if such things existed. That's one of the reasons we don't make them in the US.

1:16:13 - Steve Gibson
And remember that historically, china has been very unfair to US importers. Well, you know one of these reasons.

1:16:23 - Leo Laporte
The drones took off shortly after the iPhone came out. I remember going to CES and seeing my first drones in the parking lot of CES in the late 2000s, 2008 or 9. And the reason was we taught Chinese manufacturers how to make all these components. They started making them in quantity, like accelerometers, and then started putting them in their own products, and I mean that's ideally how things should work. Frankly, it's really it is. It's a real shame. Those DJI drones are amazing. They just released a brand new one that's at $200 and impossible to crash. I mean it's just, it's very. But I also completely understand the concern because you're right, these would be perfect spy vehicles yeah.

They don't normally upload to the cloud. I mean you could disable that feature. That's not critical to their functionality. I don't know if that would make it better.

1:17:21 - Steve Gibson
Well, and of course the problem would be they could do it anyway.

1:17:26 - Leo Laporte
Yeah, well, because they are internet connected, yeah.

1:17:28 - Steve Gibson
Exactly, in some way arranging to make that verifiably the case. Yeah, it's challenging out the Department of Defense's operations command wanting to acquire sophisticated deep fake. Actually, this is the DOJ this time deep fake capability. No, no, I'm sorry, dod, it is, it is. Dod, I was stuck on the DOJ for some reason.

1:18:03 - Leo Laporte
Well, all the DOs. They all overlap a little bit, so I understand that. All right, we'll get right back to this fascinating topic in just a moment, but first a word from our sponsor for this segment on Security. Now Lookout. I always want to go Lookout, lookout, lookout. And when you listen to this show, you might be saying, oh my God, look out.

Today, every company is in the business of managing data right, and that means every company's at increased risk of data exposure, data loss. That's what we talk about on the show cyber threats, breaches, leaks, and everybody agrees cyber criminals are getting more sophisticated every day. Modern breaches happen almost almost instantly. It doesn't take a long time minutes, not months at a time when the majority of sensitive corporate data has moved to the cloud, traditional boundaries no longer exist and the strategies for securing that data have fundamentally changed and their lookout, from the first phishing text to the final data grab. Lookout stops modern breaches as swiftly as they unfold, whether on a device in the cloud, across networks, working remotely at the local coffee shop. Lookout gives you clear visibility into all your data, at rest and in motion. You'll monitor, assess and protect without sacrificing productivity for security, and with a single unified cloud platform Lookout simplifies and strengthens reimagining security for the world that we'll be today.

Visit Lookoutcom right now. Learn how to safeguard data, secure hybrid work and reduce IT complexity. That's Look lookoutcom. Thank you, lookout, for supporting the good work Steve does here at Security Now. Thank you for supporting us. If they ask, say hey, I heard it on Security Now with Steve Gibson, lookoutcom. Back to you, steve.

1:19:59 - Steve Gibson
The Intercept reports that our US Department of Defense is in the market for sophisticated deep fake technology. The Intercept's headline was the Pentagon wants to use AI to create deep fake Internet users With the subhead. The Department of Defense wants technology so it can fabricate online personas that are indistinguishable from real people, and once again, I find the details of this quite interesting. Here's the start of the Intercept's coverage of this. Command is looking for companies to help create deepfake Internet users so convincing that neither humans nor computers will be able to detect their fake. According to a procurement document reviewed by the Intercept, the plan, mentioned in a new 76-page wish list by the Department of Defense's Joint Special Operations Command, or JSOC, outlines advanced technologies desired for the country's most elite clandestine military efforts. The entry reads quote Special Operations Forces SOF, are interested in technologies that can generate convincing online personas for use on social media platforms, social networking sites and other online content. The document specifies that JSOC wants the ability to create online user profiles that, quote appear to be a unique individual that is recognizable as human but does not exist in the real world. Unquote, with each featuring multiple expressions and government identification, quality photos, in addition to still images of faked people. The document notes that quote. The solution should include facial and background imagery, facial and background video and audio layers, and JSOC hopes to be able to generate selfie video from these fabricated humans. These videos will feature more than fake people. Each deep fake selfie will come with a matching faked background quote to create a virtual environment undetectable by social media algorithms.

The Pentagon has already been caught using phony social media users to further its interests in recent years. In 2022, meta and Twitter removed a propaganda network using faked accounts operated by US Central Command, including some with profile pictures generated with methods similar to those outlined by JSOC. A 2024 Reuters investigation revealed a Special Operations Command campaign using fake social media users aimed at undermining foreign confidence in China's COVID vaccine. Last year, special Operations Command or SOCOM, s-o-c-o-m, expressed interest in using video deepfakes, a general term for synthesized audiovisual data meant to be indistinguishable from a genuine recording, for quote influence campaigns, digital deception, communication disruption and disinformation campaigns. Such imagery is generated using a variety of machine learning techniques, generally using software that has been trained to recognize and recreate human features by analyzing a massive database of faces and bodies. This year's SOCOM wish list specifies an interest in software similar to StyleGAN, a tool released by NVIDIA in 2019 that powered the globally popular website.

This Person Does Not Exist. Within a year of StyleGAN's launch, facebook said it had taken down a network of accounts that used the technology to create false profile pictures. Since then, academic and private sector researchers have been engaging in a race between new ways to create undetectable deepfakes and new ways to detect them. Many government services now require so-called liveness detection to thwart deep, faked identity photos, asking human applicants to upload a selfie video to demonstrate they are a real person an obstacle that SOCOM may be interested in thwarting. And, of course, this struck home with me because, as I shared last week, I was asked to hold my ID up next to my head and then move my hand around behind and in front of it while talking to a DigiCert person to verify my liveness.

So, leo, we are nowhere near canvas and we are also a long way from. Mayberry Wow signing up their own operatives and pretending to be domestic job seekers in order to infiltrate US enterprises.

1:25:30 - Leo Laporte
Yeah, I think a lot of this is for social networks. I mean, twitter or X is full of Russian cutouts pretending to be Americans with fairly plausible identities, and I'm sure that we're just trying to do the same thing right back to them. It's inevitable, I guess.

1:25:49 - Steve Gibson
And we live in a society where the things that our government are doing like this, is not top secret. It's like, yeah, well, we put out a requisition saying this is the technology that the Department of Defense needs.

1:26:06 - Leo Laporte
Help us. Yeah, we're going to do this, wow.

1:26:09 - Steve Gibson
Okay, and I just love this next piece. While we're on the subject of things being faked, microsoft is running a massive deception campaign that is providing phishing sites with fake credentials. The credentials lead to Azure tenants for fake companies. So, in other words, microsoft has bots which are reading email to detect phishing. When such phishing is detected, these bots visit the phishing site on purpose, pretending to be actual people who have been fooled by the phishing campaign.

But the phishing victim bots provide fraudulent login credentials which in turn, lead to fake company sites which have been established in Azure cloud tenants. So basically, they're baiting the bad guys that have created phishing sites by leading them to believe that a real person got caught up in this, and then provides their credentials. Microsoft said that threat actors then use the credentials to log into these Azure honeypots in around 5% of the cases, but that's one in 20 and that's sufficient. Microsoft then uses the data that they collect from the honeypots to learn of, discover and document new techniques that the bad guys are using. And they said it takes around 20 days for the threat actors to catch on to the deception and to stop logging into the accounts, but by then, microsoft has collected all the data they need.

1:28:00 - Leo Laporte
Good and waste their time. Waste the bad guy's time? Yeah, absolutely.

1:28:04 - Steve Gibson
So you know, I suppose if this is what they were doing instead of fixing their problem with broken logging for a couple of weeks, I ought to cut them a bit of slack, because this sure seems wonderfully proactive. It's a big company there are lots of people yeah.

They could do two things at once. They could do two things at once, maybe three. Justin Long wrote saying hey, steve, after listening to your coverage of BEMI, the technology behind BEMI seems solid. However, I would never even tell a user about this, let alone have them rely on it. It is the kind of thing that gets simplified down to. It's easy Just look for the logo and you'll know it's safe. My fear is that the scammers will start including logo files in the body of the email with you know, verified by BEMI next to it. Then, as he said, as an example, gary in accounting sees a logo and thinks it's safe to click on it. In my opinion, he writes BEMI doesn't do anything to help the problem. If anything, it provides a false sense of security to most risky users. He said thanks for everything you do. This podcast helps me every episode, justin.

1:29:18 - Leo Laporte
This was my exact concern as well. Is that? How do you know it's real?

1:29:22 - Steve Gibson
And, for the record record, I completely agree with justin. Yeah, I like the idea of having grc's logo appearing in those boxes where anyone's bemi logo might appear and while, as we saw last week, it could be quite a royal pain in the butt to get it to happen. Uh, for grc's weekly podcast mailings and for our other, much less frequent, software update mailings. For the moment at least, if only, as ever, be is just an opportunistic logo, a way for those who care enough to make it happen, have their corporate identity represented in the inboxes of any recipients whose clients will do so, and nothing more. And the reason that I believed these BEMI guys created all of this almost nutty, seeming over the top security and authentication is that is that anything we do moving forward and this comes back to what language should you now learn? Anything we do moving forward should be as secure as we can make it. As I noted toward the end of last week's exploration of BEMI, our industry has continually set the bar too low out of a fear of low adoption. From setting the bar too high. We could argue that FIDO, the first FIDO which absolutely positively required hardware tokens, separate physical dongles, it never got off the ground because that bar was set too high and it turned out FIDO was wrong. The world did not rush to go buy tokens for this. But as soon as they loosen that up and allowed our smartphones and biometric login computers to also be FIDO clients, then suddenly we got passkeys and it actually happened. So I mean there really is something about that. But in the case of email, I'll be happy for GRC to get the credit for having an officially approved BEMI logo for those providers who care. But otherwise I agree and, leo, I agree with your point too is that it's just a little. It's asking too much to put too much behind it At the same time our second listener, kevin DeSchmidt, wrote.

He said oh, and he's currently the head of technology at Cure International but was earlier at Valimail, who is one of the participants in this whole BEMI effort, so he is well acquainted with BEMI. He sent a sample and wrote this is how MasterCard emails appear in my Google Workspace email. He said notice the blue checkmark and the text when hovering over it. And sure enough, in his case there is a little blue seal with a checkmark and if you hover over it you get a little pop-up that says the sender of this email has verified that they own MasterCardcom and the logo in the profile image. And then it has a highlighted link labeled Learn More, and if you click on it, you have Bemi explain to you.

So Google is surfacing more than just the logo, which, as we've often seen, can just be a website's favicon you know, it just pulls the icon from there, but here Google is showing a little blue checkmark. So we'll see where this goes. And that's it for feedback. As I said at the top of the show, I had initially planned to have more, but there was so much cool stuff to talk about that gets us to this point where we need to talk about credential exchange protocol that I didn't really have any time for more. So, leo, let's take our last break, okay, and then we are going to look at how it's being made possible for providers of passkeys collections collections of pass keys to move them between environments excellent uh, we will get back to this most important topic of the credential exchange protocol in just a moment.

1:34:18 - Leo Laporte
You know, steve, the whole point of the question and answers is just to get your thoughts on things. So, as long as you know, I mean the whole show, oh, but leo, there's so many good ones that I couldn't include.

I know we love our. We love our beautiful community. They really are an amazing group. Uh, if, if you are in the security now community, thank you. If you're not yet a member of club twit, please join. We would love to have you in the the $7 a month you can add free versions of this show, all the shows content, additional content that's exclusive to the club, access to the Discord, but mostly what you're doing is you're making sure that we get to keep doing this show and all the shows that we do. It does not go into my pocket. It goes to our incredible staff and the equipment and all of that stuff. It's not cheap to do this. It's gotten cheaper. We've tightened the belt, but we need your help too. Twittv slash club twit.

If you are interested, our show today brought to you by another one of our favorites, steve Bitwarden the open source password manager offering a cost-effective solution free in many cases that can dramatically improve your chances of staying safe online. I think everybody listening to Security Now is probably pretty clear that a password manager is crucial to staying safe online, but I also think a lot of you probably have friends and family who persist in making up their password based on their pet's name and their birthday and their mother's maiden name or whatever. Plus, they reuse that again and again everywhere. We know how dangerous that is. Get Bitwarden. Get them to get Bitwarden Free forever for individuals because it's open source, so at least they don't have the excuse. Well, I don't want to spend any money on this.

1:36:06 - Steve Gibson
No, you don't have to.

1:36:08 - Leo Laporte
It's free, and now's a good time to get them using it, because the big holiday shopping season is here, right, we just had Prime Days, we've got Black Friday, cyber Monday. People are going to be going online and buying stuff and the bad guys know that, so the phishing schemes come out in droves. Peak security is a must-have for your online shopping, and Bitwarden has helped you with the expansion of their inline autofill capabilities within the Bitwarden browser extension. They've had this for pretty much forever. Where your browser extension, the Bitwarden browser extension They've had this for pretty much forever where your browser extension, the Bitwarden browser extension, fills in the password on the login page. Now that's very helpful because it won't do it on a phishing page. It knows that's not the right page, so it won't do it. Well, now you can add to that capability credit cards, charge cards identities and pass keys with the same kind of protection. It benefits everybody. Gives you a more secure interaction with web forms. You'd be much less likely to get phished for your payment details, your contact info, your addresses and more.

This is so important I just I wish I could get everybody just use Bitwarden and for business. It's not free, but it's worth it. It's very affordable and you get all the features you would want in business, for instance, unparalleled SSO integration and very flexible. You can quickly and easily safeguard all your business logins using your single sign-on security policies fully compatible with SAML 2 and OIDC. Bitwarden will integrate beautifully smoothly with all your existing SSO solutions. This is a very easy upgrade to your security.

Thousands of businesses, including some of the world's largest organizations, trust Bitwarden to protect their online information. The Bitwarden open source code can be inspected by anybody. It's on GitHub, you can. It's regularly audited by third-party experts, so you know it's doing exactly what it says. Switching to Bitwarden is easy. It just takes a couple of minutes. They support importing for most password management solutions. So if you already have a password manager, it's easy to switch to try Bitwarden. You can do both. By the way, before I moved to Bitwarden, I had several. In fact, I still do have several password managers running and it's very easy to go back and forth, but the one I use day in, day out is Bitwarden. I just love it.

Get started with Bitwarden's free trial of a Teams or Enterprise plan or get started for free, forever, unlimited passwords across all devices iOS, mac, windows, linux, android as an individual user. It's free forever. It supports pass keys, hardware keys, those FIDO keys you're talking about bitwardencom slash twit. We use it, we love it, we recommend it to everybody, especially those friends of yours who are still putting their passwords on post-it notes on the side of the screen Bitwardencom slash twit. Thank you, bitwarden, I know you're doing important work and thank you for supporting the important work that Steve Gibson is doing here on security. Now, all right, let's talk about since we're talking about passkeys passkey portability.

1:39:29 - Steve Gibson
So I should caution everybody that all we have so far is an outline of the protocol. The most recent version of the specification still has a long way to go before it's ready for the world. For example, what I found in the most recent documents looks like and I put a sample of it, a snapshot, in the show notes. In section four, under usage guidelines, it says offer guidelines for using the CXF format to import and export credentials securely what programmers call a stub.

That's right, and then 4.1, importing credentials. Explain the steps and considerations for importing credentials using the CXF format and, not surprisingly, 4.2, exporting credentials says provide instructions for exporting credentials to the CXF format. They're very organized.

1:40:21 - Leo Laporte
In other words, we know what we're going to say, provide instructions for exporting credentials to the CXF format, and so on. They're very organized.

1:40:25 - Steve Gibson
They know what they want. We know what we're going to say, but we haven't gotten around to saying it yet, and I don't even know if they've gotten around to working out the details yet. That's the key. In other words, we have an almost comical lack of meat on this particular bone, on this particular bone. I have no doubt, though, that the various participants are all rowing in the same direction and that they fully intend to turn this into an actionable specification document at some point, but at this moment, what we have is evidence mostly of good intentions. Have is evidence mostly of good intentions. However scant though it may be, there is enough here to piece together a coherent picture of the system's operation. We're far short of having sufficient information to create a working implementation. I don't even know if that exists yet, but we're going to be able to get a feel for how the system works.

Okay, so let's begin with the news coverage Wired offered eight days ago. This is what we've clued us into. It last Tuesday, and it happened the day before, on October 14th, which was the day of the big FIDO Alliance Authenticate conference held in Carlsbad, california, conference held in Carlsbad, California. Wired wrote the password-killing tech known as PassKeys has proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative, and although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point. At the FIDO Alliance's Authenticate Conference in Carlsbad, california, researchers announced two projects that will make PassKeys easier for organizations to offer and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol, cxp, that will make PassKeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website called Passkey Central where developers and system administrators can find resources like metrics and implementation guides that make it easier to support for Passkeys on existing or easier to add support for Passkeys on existing digital platforms. Easier to add support for pass keys on existing digital platforms. Andrew Sikiar, ceo of the Fido Alliance, told Wired. Quote to me both announcements are part of the broader story of the industry working together to stop our dependence on passwords. No-transcript. Cxp comprises a set of draft specifications very draft developed by the FIDO Alliance's Credential Provider Special Interest Group. Development of technical standards can often be a fraught, bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Collaborative Researchers from the password managers 1Password, bitwarden, dashlane, nordpass and Enpass all worked on CXP, as did those from the identity providers Okta, as well as Apple, google, microsoft, samsung and SK Telecom, which is all what we want, they said.

The specifications are significant for a few reasons. Cxp was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all your passwords into a plain text file. It's gotten much easier to sync pass keys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms, so users are free and safe to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.

Christian Brand Identity and Security Group Product Manager at Google told Wired quote In the future. This could apply to mobile driver's licenses, say, or passports any secrets that you want to export somewhere and import into another system. We've got most of the rough edges sanded down with passkeys, but one of the world that passkeys are growing up unquote. The goal of Passkey Central, a resource repository, is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement Passkeys for their user base may need to make a business case use to executives to get budget for the project.

The FIDO Alliance is basically aiming to help them with the pitch, providing data and communications materials, and then support their rollout with prefab materials like implementation or rollout guides, user experience and design guidelines, documentation around accessibility and troubleshooting. Fido's Sikhiar said quote we've made amazing progress on passkeys. Usability and user experience are pretty much there, but we do have a punch list and we're actively working on it. Portability is an important feature on that list and while the biggest brands on the planet are now using passkeys at scale, there's a very long tale of companies that haven't gotten started yet, so we want to offer resources and the assets they need to be successful. Craig Newmark, philanthropist.

1:47:27 - Leo Laporte
Do you want me to play the jingle? I can play the jingle if you want.

1:47:30 - Steve Gibson
Craig Newmark, who we all know Philanthropies, philanthropies Thank you, leo. Cyber Civil Defense Coalition provides some funding to advance passkeys. In an interview with Wired, newmark said he believes that passkeys can make a real difference, both for the digital security of individual people and for internet security overall. And of course, we agree with him. Craig said, quote there are a lot of vulnerable systems out there. You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure, and passkeys is part of that. Okay Now, having noted that there was very little meat on this bone, there was some.

The specification we have today has a useful introduction to the problem, an application space that this protocol is expected to fill, and it turns out to be more than just passkey credential transport, as we said, just pass-key credential transport, as we said. So here's how the Credential Exchange Protocol Specification, cxp, introduces the problem. It's just a few paragraphs and a bullet point or two. So they said individuals and organizations use credential providers to create and manage credentials on their behalf as a means to use stronger authentication factors. These credential providers can be used in browsers, on network servers and on mobile and desktop platforms, and often sharing or synchronizing credentials between different instances of the same provider is an easy and common task. However, the transfer of credentials between two different providers has traditionally been an infrequent occurrence, such as when a user or organization is attempting to migrate credentials from one provider to another. As it becomes more common for users to have multiple credential providers that they use to create and manage credentials, it becomes important to address some of the security concerns with regard to migration. So they said currently and we have four bullet points credential provider applications often export credentials to be imported in an insecure format such as CSV, comma separated values.

That undermines the security of the provider and potentially opens the credential owner to vulnerability. Two credential providers have no standard structure for the exported credential, csv, which can sometimes result in failure to properly migrate one or more credentials into a new provider. Third, some credentials might be unallowed to be imported due to device policy or lack of algorithmic capability on the importing credential provider. And finally, because organizations lack a secure means of migrating user credentials, often they will apply device policy that prevents the export of credentials to a new provider under any circumstances, opting to create multiple credentials for a service. In other words, you know, they're just not exportable, which is what we've seen so far. The idea being oh, you know no problem, create one over in the far. The idea being oh, you know no problem, create one over in the Apple world and create another one over, you know, in the Windows world.

So they finish saying in order to support credential provider interoperability and provide a more secure means of credential transfer between providers, this document outlines a protocol for the import and export of one or more credentials between two credential providers on behalf of a user or organization, in both an offline or online context. Using Diffie-Hellman key exchange, this protocol allows the creation of a secure channel or data payload between two providers. Okay, so that introduction paints a picture of a more generalized secret exchange protocol. It's clearly useful and, surprisingly, it's also completely lacking in our industry today. Somehow we've managed to come this far without a universal definition of how the owner of some secrets could move them elsewhere. The fact that this is finally being proposed demonstrates, I think, the arrival of some much-needed maturity. Up to this point, much of our industry has relied upon closed and proprietary ecosystems. That closure was first pried somewhat open by the promise and delivery of competitive open-source software and open development. But the profit motive runs deep and we've seen how shaky some of open source software foundations can be.

The CXP document noted that the name was subject to change, I'd note, for something that's explicitly more generic than credentials. Maybe Secrets Exchange Protocol, for example, would be good. Anyway, so under scope, they briefly wrote. They said this protocol describes the secure transmission of one or more credentials between two credential providers on the same or different devices managed by the same credential owner, capable of function in both online and offline contexts. This protocol does not make any assumptions about the channels in which credential data is passed from the source provider to the destination provider. The destruction of credentials after migration by the credential provider is out of scope as well. Okay, so that's good. They're explicitly keeping this extremely general and it's significant that it can be an offline system.

The spec does sketch an overview of how this protocol would work and frankly, it's nothing special and that's not criticism. Quite the opposite, in fact, because we're past the point where crypto should be surprising. We now have established and well proven ways of accomplishing pretty much anything we need. Okay, so the sketch looks like this the planned recipient of the credential collection is asked to create an export request. So the recipient of the collection is asked to create an export request, which will then be provided to the credential provider right the side, the end which is going to be exporting the credentials. Exporting the credentials, that export request includes the necessary details, including a challenge, the details of the type of information that the recipient wishes to receive, the set of encryption schemes it's able to use and, unless it has access to the credential provider's public key, it will also include and I'll get back to that a little bit later the public side of a Diffie-Hellman key agreement. Okay, now, remember that what Whit Diffie and Martin Hellman invented was this brilliant scheme which allows two parties to exchange public keys in full view of any attackers and, upon receipt of each other's public Diffie-Hellman keys, each is able to construct and arrive at the same shared secret key. It's bizarrely counterintuitive, but it works, and actually I used that system in several places inside Squirrel. But it works, and actually I used that system in several places inside Squirrel.

Okay, so the credential importer uses a cryptographic-grade random number generator to create a unique Diffie-Hellman key pair. It stores the private half internally and includes the public half in this credential export request which it's been asked to generate. If an end user or other authorizing party then approves and provides this export request. The exporter uses the information to create an encrypted payload. Uses the information to create an encrypted payload. What the exporter does is to similarly synthesize its own Diffie-Hellman pair, but it doesn't need to retain any record of it. It will combine its own private half with the importer's public half, which was in the export request, to create a secret, and that creates this automatically shared, what they term a migration key, and it uses that to encrypt the payload using the other parameters that were provided in the importer's export request, that were provided in the importer's export request.

It signs the challenge provided by the importer and includes the public half of the Diffie-Hellman key pair that it just created in the exported response packet. So the exported response packet is then, one way or the other, carried, or through a network provided to the credential importer where you want the credentials to go. That includes, you know, obviously, this blob of encrypted credential data, the signed challenge response and the public half of the credential provider's Diffie-Hellman key pair, which was used to create the shared migration key. The credential importer has been holding on to the secret half of the Diffie-Hellman key pair it generated as part of the export request. So it validates the challenge and I'll explain more about that in a second. Then it combines the secret it's been holding onto with the exporter's public key that was provided in the exported packet. This will recreate the identical migration key which it's able to use to securely decrypt the contents of the exported package.

So what we have is a straightforward application of Diffie-Hellman key agreement, where the two parties created the same shared secret and used it to exchange an encrypted packet containing the user's credentials, and at every stage the entire process was state-of-the-art secure. That is, nobody getting a hold of the packet would be able to decrypt it. Nobody seeing the export request would be able to use that in any way to decrypt the packet when it was coming back to the importer side. That system is absolutely secure. What's currently missing from the specification is well everything else to make it actually go, as we saw, a lot of empty paragraph headings but empty paragraphs. But the overall mechanism is clear and it's been proven and it will work. We have so far no idea what the user experience would be, whether the internet will be used in some way for both sides to rendezvous and automatically exchange the packet, or whether that might only be an option.

It would be possible to do all of this using a USB thumb drive and so-called sneaker net, where you literally go to the side where you want to import it. You say please create an export request. The USB key has that. You take the USB key over to the side that currently has the credentials and you say here's an export request from the importer, please honor it and export my credentials. And that would then add a blob to your USB key. Then you take it back to the original side where you want this to be imported and say here is the packet, and that side would then be able to decrypt that packet and import the credentials. So the gist is that the user asks the credential recipient to create an export request for the credential sender. That export request is then provided to the credential sender, which uses it to prepare an encrypted package. And when that encrypted package is returned to the credential recipient, the residual information which the recipient retained on its side from the original export request allows it to securely decrypt the sender's package.

Now, a well-known characteristic of Diffie-Hellman is any lack of protection from man-in-the-middle attacks. While Diffie-Hellman brilliantly creates a mechanism for secret key agreement between two parties. It has no mechanism for authentication. Nothing I've described prevents an attacker who's somehow able to interpose themselves between the parties from impersonating each end to the other, because, you'll notice, there's nothing special about the ends at this point. They're just sharing keys that they assume the actual other endpoint generated. But it could be something that managed to interpose itself in between. So if that happened, doing that would allow the impersonator to decrypt the package as it moved past.

Now all we know from the specification is that the credential importer will include a challenge for the exporter to sign. That's all it says. That's all we know today. It says you know, that's all we know today. We do know that the signer of the challenge would need to use a private key and that the credential recipient would need to verify the signature with a matching public key. But from where and how does the credential recipient obtain the credential sender's public key? Maybe from DNS? Maybe from some sort of central FIDO registry of CXP users?

2:03:24 - Leo Laporte
Could it be a PGP key at the key PGP key server? Yeah, exactly, it could be something like that.

2:03:32 - Steve Gibson
It needs to be some sort of source of you know like authoritative source of public keys so that and that's the one missing piece that way one end would be able to authenticate against you know, would be able to authenticate the other, and that would completely cut out any vulnerability from man in the middle. Okay, so that's the big first part. The other part is the announcement of this Passkey Central website. It's at passkeycentralorg and having read through the site, it's clear that, more than anything else, it's intended to be passkey adoption lubricant. It's taken a few years, but passkeys have matured to the point that if any sort of friction is holding an organization back, now might be the time, I would say, to apply some lubrication. In the early days, anyone could be forgiven for feeling that pass keys were not there yet, or were not ready yet, or hadn't been proven, or might turn out to be another FIDO failure, like the first attempt was, which never achieved critical mass, or even that what we already had was well proven and working well enough, with multi-factor authentication or with password managers that you know make the use of super strong passwords effortless. You know the argument could have been made that you know this problem was solved well enough. The PassKeys Central site and its companion PassKeysdev developer site make a very strong case for PassKeys having arrived and for those who do not get you know busy with its adoption, being left behind At some point, it's going to be regarded as doing it wrong not to have some system for asymmetric key public key authentication.

That's the big difference. As we talked about recently, meta was recently excoriated for storing their users' passwords in the clear without any hashing. Their users' passwords in the clear, without any hashing. The difference between the inherent insecurity of any traditional secret-keeping authentication system, such as static passwords or even one-time passwords which are still asking the server to keep something secret, that difference compared to the extreme security offered by an asymmetric key authentication asymmetric system will probably similarly cause some eyebrows to be raised. It's like wait, you're still using passwords, that's you know they're not secure, no matter how you store their hashes. So the point is I'm here to say it's been a couple of years.

I think it's clear Once this CXP specification happens and we actually see that Apple is willing to allow us to move our collection over between password managers and we're able to aggregate them, passkeys will have made the grade. The benefits of the system have proven to be sufficiently strong that the question has moved from whether to when, and when should be as soon as possible. What are you waiting for? Because there's no longer any rationally supportable argument to be made for waiting any longer.

The PassKeys Central site should now provide sufficient lubrication to help overcome any residual adoption friction. The PassKeysdev site provides sample code in Rust, typescript, java, net, go, Python and Ruby, and Passkey's test sites are available at webauthnio, webauthnme, with Yubico and Akamai also offering test facilities. Once Passkey's credential exchange protocol has been fleshed out, you know, make no mistake, it does still have quite a ways to go, although its overall shape is quite clear. The last piece of the Passkey solution set will have been put in place and, given that all of the major players have signed on to supporting CXP, the last roadblock to further Passkey's adoption, I think it's been removed. Yay.

2:08:37 - Leo Laporte
Yeah, we're there, of course, your squirrel solution, which was similar but better. I mean obviously, unless you get Microsoft to suddenly say hey, you know, squirrel is better than PASCII's has been replaced, but what are the things that PASCII's is missing that you wish it had, that Squirrel had?

2:09:00 - Steve Gibson
Recovery's one right. Well, it worked so differently With Squirrel. You had one secret.

2:09:09 - Leo Laporte
Right, pasky's, every site is a secret. Pasky's are a collection of secrets, so it's so different, it's a very different thing secrets so it's so different. It's a very different thing. Yeah, it's entirely different.

2:09:18 - Steve Gibson
Also, there was a way of there are still some vulnerabilities that if your pass keys got away from you, you're pretty much screwed. Right got away from you, you're pretty much screwed, and Squirrel provided a mechanism for getting that back from recovering from the loss of your secret.

2:09:41 - Leo Laporte
What that means is that Paskies is always going to have passwords as a fallback, I think. I mean, I think that's probably it right Actually.

2:09:49 - Steve Gibson
I think all authentication is always going to have it. I mean, this is a fundamental weakness. Is that you will always say you know the dog ate my homework.

2:09:59 - Leo Laporte
Right, a lot of people don't do passwords. They put in a random string of junk and every time they go to the site they say I forgot, and they rely on their email as password authentication. Yep, anything wrong with that as a?

2:10:15 - Steve Gibson
recovery method and, as I said, passwords need to be regarded as a login accelerator, right, because we always have a fallback of I forgot my password.

So as long as that's there and in fact, that was one of the other things that I built into Squirrel was, after you got comfortable with it and you understood how it worked, you could set a checkbox that put a beacon on your identity and anytime you went to a website with that set, it said please disallow all fallback, and so that if a bad guy got a hold of your email, it wouldn't help them.

2:10:55 - Leo Laporte
Right. So this is a really good example of sometimes the perfect is the enemy of the good, or something like that, which is, you create a perfect system, but maybe good enough is all we need.

2:11:14 - Steve Gibson
I agree. Right now, zenforo, the software that I use for my forums I am a dot release behind because we're using Squirrel there and I haven't asked Rasmus to change to support the next dot. The reason I bring it up is that the next dot release supports passkeys and I want passkeys for GRC's forums Right, because they're what the world is going to use and I mean, and they do work when they work, they work amazing.

2:11:54 - Leo Laporte
It really is a great solution.

2:11:55 - Steve Gibson
It's completely transparent.

2:11:57 - Leo Laporte
Yeah, that's the way it should be. I really like it. It's the way it should be. Yeah, steve Gibson, is the way it should be. As we rapidly approach Election Day, slash 999.

2:12:07 - Steve Gibson
And episode 999, baby.

2:12:11 - Leo Laporte
But the good news for those of you who don't know Steve has agreed to go four digits. We don't know how he's going to do it. It's a mystery right now. He may not know how he's going to do it.

2:12:22 - Steve Gibson
I haven't made the change yet. I need to do that pretty soon.

2:12:26 - Leo Laporte
But we're going to keep going because you know what? This is no time to stop, nope, we need you more than ever. Steve Gibson, if you enjoy the show, join the club twittv slash club twit to support it. Support our sponsors is another way to support it. You can buy the show individually on iTunes. You can buy a onesie, twosie, I think, it's $2.99 a month, I can't remember, it's been a while, but you have to use iTunes to do that or Apple's podcast to do that. In any event, your support by just listening every week is appreciated. Every Tuesday, right after MacBreak Weekly, that's roughly 2 pm Pacific, 5 pm Eastern, 2100 UTC we will go. We're still in summertime. We don't go until standard time until after Halloween, so that all the kids can get their sugar without going out at night, and so we will be on summertime for, I guess, two more episodes than on the third episode. We will move, but UTC does not, so we will then, at that point, be at 2200 UTC. Just a little heads up. You know what. You don't have to memorize all this stuff, but if you want to watch us live, that's what you need.

We are streaming on eight platforms now, thanks to the club and Restream. Restream makes it possible for us to be on YouTube. We see the chat on YouTube too. I have a combined chat Twitch. Great to see you all there. Xcom, I see you as well. We are also on Kik. We're TikTok. I see the TikTok and Kik chats. I can't respond, I think, to some of them, but that's another issue. We're working on that. Linkedin, facebook and, of course, if you're a club member, in our ClubTwit Discord. That's eight different live streams. Right now, there are 698 people watching on those eight nice live streams and we appreciate it, but the vast majority of listeners this is maybe 10 of the total or no, not 10 1 of the total, thank you. Uh, so 99 of you listen.

After the fact and there's a few ways to do that of, of course, you can go to Steve's website, grccom. He has 64-kilobit audio, but he has two unique formats for those who want them. There's a 16-kilobit audio version. It sounds a little scratchy, but it's small okay, so it's for people who pay by the bit. There's also a human written transcription from Elaine Ferris. She does a great job. So that is at GRCcom. While you're there, pick up Spinrite. This is Steve's bread and butter. This is how it makes us living the world's best mass storage, maintenance, performance enhancing and recovery utility. If you have mass storage of any kind, including SSDs, you really should have. Spinrite 6.1 is the current version. It just came out. Go there, get it. Grccom Lots of free stuff there as well. Shields Up is, of course, eternal bestseller. That's the one everybody uses when they first get it.

2:15:28 - Steve Gibson
I just saw that another 500,000 uses had happened.

2:15:31 - Leo Laporte
We're at 107,500,000 something.

2:15:35 - Steve Gibson
It's mind boggling.

2:15:37 - Leo Laporte
And it's a free service. Thank you for providing that, steve, just for testing your router, making sure it's secure. There's lots of stuff there. Go browse around, including if you want to send Steve feedback emails, pictures for his picture of the week. The best way to do that is to go to grccom slash email and get verified. Once your email is in the verification pile, you can send him email at that point. You can also sign up if you want for his newsletters, but the but the box is unchecked. You have to explicitly opt in and say of course it's steve, I want, I want this newsletter, but that's worth it.

You get the show notes and so forth. Steve also has a show notes on his website. We have them at our website, along with a 64 kilobit audio and video twittv slash SN for Security. Now You'll find a link there to our YouTube channel dedicated to security. Now, if you say I really want to share this about memory safe languages with my boss, something like say I really want to share this about memory-safe languages with my boss, something like that, you can do a clip on the YouTube channel. That's really easy to do and it's universal. Everybody can play back a YouTube video. So that's one way to do that.

I think the best way to get the show is to subscribe. It's a podcast and if you subscribe in a podcast catcher, you'll get it automatically as soon as it's available, so you'll always have it and it adds to your collection. You really want to own all 997 episodes. Honestly, it's a great collection, just about this big. The podcast links are all at the website, of course. You can just open a podcast client and search for SecurityNow. I think you'll find it. We've been doing this for 19 years now. If they haven't caught on yet, I don't know what to do. Steve, have a wonderful week. I have started Exodus, the new Peter Hamilton book.

2:17:27 - Steve Gibson
I'm enjoying it too. I'm in.

2:17:29 - Leo Laporte
I'm about a quarter of the way in.

2:17:30 - Steve Gibson
I think yeah it's good it's beginning to come together.

2:17:33 - Leo Laporte
It's in the year. What is it? 35,000? Oh, it's so far out there, way distant.

Yeah, I'm also reading the book five of the Babaverse. I'm reading that too. It's a little confusing. I got to pick one and finish it and go on to the next. Actually, if you're a sci-fi fan actually if you're a sci-fi fan you'll enjoy our Stacy's Book Club. Coming up this Friday, 2pm Pacific 5pm. Eastern Stacy Higginbotham and I will discuss a really interesting brand new sci-fi book by Adrian Tchaikovsky. It's called Service Model. It's about AI driven robots and what happens to the humans when the robots take over. It's quite good. It's old from the point of view of the robot, so that's really fun. Thanks, Steve, have a great week.

2:18:19 - Steve Gibson
We'll see you, my friend, next week. I'm sure we'll have more. Bye-bye 9-9-8. Bye.

2:18:28 - Leo Laporte
Security Now.