Security Now Episode 847 Transcript

Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. Lots to talk about the 0-day windows exploit that we just found out about. Schrodinger's cat plays a visit. <Laugh> we'll also find out why 37% of the world's smartphones are vulnerable and how many of those are gonna get fixed. And then Steve is, is gonna explain something we talked about last week, and I think he changes his mind by the end of the show. It's all coming up next on Security Now.

New Speaker (00:00:32):
Podcasts you love, from people you trust.

Leo Laporte (00:00:35):
This is Security Now with Steve Gibson episode 847 recorded Tuesday, November 30th, 2021 Bogon Begone. This episode of security now is brought to you by E set. Nobody wants their organization to be patient zero in a cyber attack. Right now, E set protect complete is 20% off and you can try it before you buy. Get your free ESET business trial, and an interactive demo at business.eset.com/twit and by Plex track the powerful yet simple security management platform that helps you get the real cybersecurity work done with PlexTrac. You'll streamline your assessments, analytics, and reporting. Visit plextrac.com/twit to get your free month. And by ITProTV, start your it career today by getting educated and certified for the big companies looking for it professionals, right now. Visit ITProTV slash security. Now for an additional 30% of all consumer subscriptions for the lifetime of your active subscription. When you use the code SN30 at checkout. It's time for Security Now. Yay. You've been waiting all week. You're very patient, but here we are Tuesday again, and here he is straight, fresh and ready to go straight from the con keyboard where he has been typing, typing, typing. Mr. Steven Tiberius Gibson. Hello, Steve.

Steve Gibson (00:02:08):
I actually have been, hello, Leo.

Leo Laporte: I know you have.

Steve Gibson: I worked all through the Thanksgiving holiday and weekend. Wow. Until until something happened that really almost never happens. I'd literally hit the wall on Sunday around two or 3:00 PM. And I, I posted a note to the spin right group and I said, okay <laugh> I can't work anymore. Wow. And so, yeah. But I've been heard of so interested in what's going on. I talk about it a little bit later in the podcast. So we have a really fun podcast, I think 847 for this last day, the final day of November bogans be gone. <Laugh> yes. And everyone will understand by the time we're done what bogans are to be gone. Oh, good. May maybe. But we've got lots to talk about. We're gonna note that the new edge browsers <laugh> unbelievably named super duper secure mode.

Steve Gibson (00:03:14):
Yes. Because you know, Microsoft certainly wouldn't want S us with anything less than super duper security has been deployed kind of quietly, but we can all enable it. It's not on by default. So our listeners are gonna wanna know all about that. We also have more than one third, 37% of the world's smartphone, all vulnerable to audio monitoring and flaws courtesy of their media tech firmware in their media tech audio processing DSP. We're gonna talk about that. We've got an important reminder about clicking links in email and wonder how that can still be a problem. It still is. And the entire predictable evolution of a windows 0-day vulnerability, which is latent no longer. Unfortunately, we have some interesting closing the loop feedback from our terrific listeners. I've got a sci-fi book update, then we're gonna take another and much broader look at the recent efforts clean up I P V four. But this time from the perspective of those who are working to do so and I understand their position. So, you know, we talked last week about this crazy idea consequence as a consequence of the the I ETF's proposal to, to claw back, essentially most of the, the local net 1 27 network. It turns out that's just the tip of the iceberg. So I, I think a really fun podcast for our listeners.

Leo Laporte (00:04:58):
I can't wait. I'm excited. I, as always, I look forward to this all week long. Oh, and a picture. We got a picture, a picture, we got a picture <laugh>. But before we do that, let's let's talk a little bit about our sponsor of the hour E set. And, you know, I've been talking about E set for more, I think more than 10 years now, they're the global leader leaders in cyber security. And in particularly one of the things I love about E set and you'll hear it all the time on this show is their commitment to research. We quote them from time to time about their security research and three times a year, they put out something which I think you've mentioned in the past the E threat report. Mm-Hmm, <affirmative>, that's a 40 page plus report. It's free.

Leo Laporte (00:05:43):
You can get it from S special site. We live security.com. If you look for threat report, you'll find it. It's filled with a fascinating stats and insights that are more than just interesting things. You can, you know, act upon things like topics like info Steelers, and of course, ransomware, stalker wear. And more, these are the evolving threats in our day to day lives these days. And if you are a business and you are worried as you should be that your employees and your business will be the target of these, there is a way of detecting 'em that you need to know about a dynamic approach to detection. That's better than conventional endpoint protection. It doesn't rely on for instance, virus signatures to be distributed because by the time those virus signatures come out, you know, and on 0-day, your long gone, it's also faster.

Leo Laporte (00:06:39):
And it's more precise than typical endpoint protection. It's called E's dynamic threat defense. And it really is the answer to this very, you know, important proactive need to protect yourself against modern threats. What happens? Well, so many of these threats come in over Theran of through email attachments, right? Files somehow that come into your system. So what he says dynamic threat defense E D TD does is whatever it sees a file like that it, it throws it up into the cloud, a cloud-based sandbox, which they used to detect, isolate and, and protect you from new and never before or seen types of threats, documents get sent up their scripts, everything installers, executables, of course, what happens is they run them in the cloud in that sandbox, not in your system, not in your network. So you're safe, it's outside, down the cloud. And then they analyze it with they do code analysis.

Leo Laporte (00:07:37):
They do deep of the sample. They look at at the memory, what it's doing in memory, they use machine learning AI to really detect based on behavior a 0-day, cuz no one knows about it yet. Right? That's the definition of a 0-day it's happening and it ha no, but he's has a defense yet. Well, you do EDTD. It can allow or block a file in minutes. So before you get that attachment, it will analyze it. We use it, it will analyze it. And it makes me feel a lot better. Cuz as much as we'll tell employees, don't open attachments. Be careful. It still happens. It still happens. And so this is a way to find those attach, you know, almost instantly, no extra demand on your system, resources, no risk to your network. And this is something endpoint detection just can't accomplish often by the time an endpoint program sees it.

Leo Laporte (00:08:31):
It's too late. Look, no one wants their business, their organization to be patient zero in a cyber attack. If you're looking for, or world class ransomware protection, malware protection, you're gonna want E's dynamic threat defense. It comes with E protect complete. The bundle of does include endpoint security as well. You don't wanna give look, all security is multi-layered right. You don't want to give that up. This is just an addition to that. You also get, I think this is great full disco, encryption and advanced security for Microsoft 365. I know a lot of you use that. It'll close the gaps in the built in protection right now. E protect complete 20% off. You could try before you buy, get a free business trial and an interactive demo at business.com/eset and you'll save again 20% on E protect complete this a limited time offer though. So don't wait business study.com/twit. This is really innovative, great protection. The con you need, we all need, we use E business studies.com/twit. We thank you so much for supporting us here at security now. And you support us when you use that address to make sure you do that. You know, I know you could just go to e.com, but please go to please just let 'em know that you heard it here: business.eset.com/twit and now the kitty cat of the week.

Steve Gibson (00:09:55):
<Laugh> so I never thought

Leo Laporte (00:09:57):
You'd be doing cat

Steve Gibson (00:09:57):
Pictures, Steve, this only these particular cat pictures when they involved the nature of the universe. <Laugh> I, I can't explain this. It looks like a lost cat flyer, you know, Xerox that was use some masking tape and stuck up on a telephone pole somewhere. The confusing thing is that, and we have of course the picture of the cat and it explains please return dead and alive to Irwin Schroer, to contact Schroer, Catman, gmail.com. This is

Leo Laporte (00:10:41):
Probably a real address that's

Steve Gibson (00:10:43):
Hyster thing. Oh, it is pretty good. So, anyway, as you said, maybe this was posted in a college town has to be over by, over by the physics department. Yes. So we don't want the cat dead or alive. We want it in both date simultaneously unknown until it is observed whether the cat is in fact alive or dead either way or actually both ways we want it returned. Okay. So super duper secure mode we previously discussed the experiment micro off was conducting with their edge branch of the chrom browser in recognition that a disproportionate percentage of security troubles arise from the most extreme measures being used to push browser performance to the limits and the recognition that underlying system processor performance has advanced so far recently that pushing the browser so hard that like it breaks, maybe producing, diminishing an even negative returns in terms of security.

Steve Gibson (00:11:56):
So Microsoft began experimenting with do, do, do super duper secure mode for edge, which deliberately pulls back on the most historically troublesome performance optimization in favor of improved security. Of course we're talking about it today because without any B who Microsoft recently quietly added super duper secure mode to edge, we all have it already. It appeared in 96 to 0 10 59, and I noticed I'm already at 34 or something. It's currently disabled by default to enable it as I did, you'll need to open edge and then put edge colon slash slash setting slash privacy into your URL. That'll take you to the proper page. Then you gotta scroll way down to the security section at the bottom of that section on the right is a switch, which you need to flip to the on position cuz mine was off. And then, then you can choose between balanced or strict where balanced is the default. I of course switched to strict under balanced. It says as security mitigations for sites, you don't visit frequently. Most sites work as expected block security threats. If however you choose strict, as I did, it adds security mitigations for all sites, parts of sites might not work. And I really don't know why that is, but okay. Blocks security threats because this isn't

Leo Laporte (00:13:53):
Disabling some of like no scripts would do disabling JavaScript that would break

Steve Gibson (00:13:58):
Sites. Oh, that's good. Like good night. That's why we all finally had to give up on no script. Was it like I just had, I had to turn it on so often that I was like, what's the point any longer? You know, but this does

Leo Laporte (00:14:10):
Disable. Is am I correct in saying Justin time JavaScript

Steve Gibson (00:14:14):
Compilation? Is that exactly? That's the thing that they said was a problem. Yes. Just in time compilation, that's the JIT J I T from the V8 processing pipeline. And for example, it also enables Intel's control flow enhancement technology, C E T, which is a hardware based exploit mitigation that provides enhanced. Now based upon evidence from historical exploits, it's believed that this will significantly reduce the browser's attack surface. Microsoft describes super duper secure mode as quote, a browsing mode in Microsoft edge where the security of your browser takes priority, providing you an extra layer of protection when browsing the web. And oh, and the one last thing, the other option there is exceptions. You can, I, if you were running in strict as I am now and something did not work, you could add that as an exception, but, but really in fairness, balanced is probably the right thing for most people.

Steve Gibson (00:15:25):
I'm hoping that once they gain confidence in this is presumably the reason that little switch that you had the first turn on to turn any of this, to enable any of this. Once they gain confidence, maybe they'll flip it on by default because it does make sense if you, if in fact strict mode actually breaks some things. And again why I wouldn't, if it's just turning off optimizations. Okay. But the idea of watching where you go and like, for example, obviously, you know, after a while Google is going to get, go into, you know, open mode and the, the things you do most often will be automatically added to the, okay. You know, we, we, we trust this and it makes sense for a site you've never bef that edge has never, before seen you visit to, to be automatically in strict mode. Maybe you'll never come back, but you know, if it's somewhere you've never been before, let's, you know, have a, let's keep the shields up until we have some reason to, to trust the site.

Steve Gibson (00:16:35):
So I really like the logic behind balanced, but I imagine our listeners wanna be in strict mode and, and you know, I'm just not seeing a performance problem on any pages I visit. Our machines are so blazing fast now that I, I like this concept if in fact half, I think it is no it's 45%, 45% of all security vulnerabilities are that were found in the V8 JavaScript and web assembly engine were related to JIT to the adjust in time compiler, half of them ver nearly. So, you know, turn it off <laugh> if, unless you have like something where you absolutely have that performance, turn it off. And if you do have sites, like, I don't know, you know, web-based gaming or something where you're where notice not having JIT creates a lag, put that site in as an exception and it will be, it will be fully trusted and run with full optimization.

Steve Gibson (00:17:43):
That's that's otherwise the most difference would make it just be performance. Right? I mean it's yes. Yeah. It probably shouldn't break anything. I, yes, I, and, and it'll be interesting to see, just gain more experience. Yes. If it actually, that I, I would ask our listeners if you know, who, who often send me notes, if you run strict and something, shoot me a tweet. Yeah. I would love to know like what this broke, right? Because this idea of half of the bad problems being, being shut down by backing off on crazy performance optimization, I would say it's time for that. Yes. So Bravo moving forward, they plan to include support for AR for arbitrary code guard in this super duper secure mode. ACG they explain is another security mitigation that would block attackers from loading malicious code into memory. Hmm. That sounds like a good thing.

Steve Gibson (00:18:51):
I'll take two, please. <Laugh> the Android and Mac OS editions of edge will soon also be obtaining these new vulnerability mitigations. And you know, you, you, you, you put the screenshot on screen Leo that shows that I immediately flipped the switch set strict mode, and didn't even bother putting GRC as an exception, cuz I don't have any JavaScript on my site. So, you know, there, there's nothing there to optimize just in time. It's never a time. And I don't think like, you know, we need the performance at the expense of security, right? And so I think this was really a smart thing. This is probably the best thing Microsoft has given back to Miam. And it would be nice to see if, if you know, it ends up getting adopted by the other browsers. Meanwhile, we learned that 37% of the world's smartphones are vulnerable.

Steve Gibson (00:19:45):
Chips by media tech are installed in roughly 37% of the world's smartphones and checkpoint research recently went to all the trouble of reverse engineering, the firmware of those proprietary chips. And this is another like, you know, we, we talked about this before. I, I, I take my hat off to these cut companies that are willing to go to such, such extreme, to invest so much time and trouble in reverse engineering, proprietary stuff that a huge percentage of the world is using. And it feels wrong to me that, that the bar has been set so high. The idea that some media tech company can create a proprietary DSP and say, oh yeah, don't worry. It's secure. Trust us. And 37% of the smartphones in the world adopt it. And then it turns out to be a, a vector that is seriously putting all of those devices at risk.

Steve Gibson (00:21:05):
And the only way we know about this is that a, a, you know, a, a Robin hood security company comes along and says, okay, well shoot, th this is gonna be hard, but we're gonna do it. They published a highly detailed technical report, which showed that malicious apps installed on a device would be able to interact with I media tech based audio driver. Okay. Dev you know, apps and do interact with audio drivers, but such apps could send maliciously crafted messages via that audio driver that all apps have access to, to the media tech firmware, to gain control over the driver and steal any audio flow going through the device, turning it into a spy you know, a spy device for more than one third of the world's smart phones. And since the media tech subsystem is deep in the system, exploitation of the vulnerability also allows audio from phone calls, WhatsApp calls, browser videos, and video players to be recorded.

Steve Gibson (00:22:24):
Basically the audio in the device, the fact that media tech chips are installed on roughly 37% of the world's smartphones means that this creates a massive attack surface for any malicious app and malware creator devices from Yami oppo real me and vivo are all know own to use media tech chip sets. And that's probably, you know, a fraction of the total three issues were patched last month in October. And a fourth issue will be patched. Next month. Checkpoint explained that the media tech chips contain a special AI processing you unit. You know, it doesn't everything now. Yeah. The APU and an audio digital signal processor, a DSP to improve media performance and reduce CPU usage, but both the APU and the DSP use custom microprocesor architectures, which makes the media tech DSP a unique and talent and challenging target, as I've said for security researchers, right?

Steve Gibson (00:23:37):
I mean, it's not just, it's not an arm processor that, that, that where they can dump the firmware and run it through a decompiler and see, and check it out. No, they had to like reverse engineer the processor, but they did. They grew curious about the degree to which the media tech DSP could be used as an attack factor for threat actors. So they managed to reverse engineer the audio processor and discovered a handful of security flaws. The flaws can be updated. This is the good news with firmware. So keeping Android devices current continues to be as important as ever. And while the chips remained a proprietary mystery, the likelihood of their ex exploitation remained low. Unfortunately the flip side of us finding out that there's a big problem with them is that checkpoints write up is ex necessarily extremely detailed. I mean, you know, if they, if they're gonna go to all this work to do all this, then they want some credit for it.

Steve Gibson (00:24:47):
Unfortunately, this means that there is now a readily available roadmap to any technically competent misre who might want it. You know, and, and it's got topics like classic heap overflow in the audio D P task message a to D share me message handler don't. You know, we also have classic heap overflow in the init share mem core function and an improper validation of an array index in the audio DSP H w open op function. In other words, checkpoint has documented the problems that nobody knew not only about, but how to exploit and they've exploited them. And they've doc, that's all out in the public. Now I know. Yes. And the problem is that off brand or unmaintained smartphones are, are less likely to ever obtain updates to their media tech firmware. You know, they just won't be available. Their manufacturers made the phone, sold the phone and moved on to something else.

Steve Gibson (00:26:01):
So those original vendors won't ever bother to, you know, even if their users to update. So on top of the already overwhelming number of known and never to be patched vulnerabilities that are still accumulating from the past checkpoint has just carefully uncovered and documented another handful nice that we know, but really it puts 37% of phones from, you know, non-mainstream manufacturers at further risk. And in this case, turning them into spy devices. And you've gotta know that there are, you know, major state level actors that are looking at this thinking, oh, let's add this to our war chest. You know, we'll, there may be some dissident somewhere. That's got a ya, an old yame phone that you know, they're careful not to load anything into, but it turns out they've got a bug that they can't get rid of boy. You know, and again, Leo, as you and I have been saying now, you know, stick with the mainstream, you know, Google pixel, Samsung, apple iOS devices you know, or obsolete your phone and, and stay current it as often as you can checkpoint.

Steve Gibson (00:27:25):
I mean media tech has responded. They were good. They've patched their firmware. They'll be providing the firmware to the OEMs that are using their chips to be incorporated into new devices. But we don't have a channel now for moving backward in time at this point. And, and, you know, reliably fixing the devices, which are, as we know, are handheld computers. So it's a little worrisome. Okay. Huh? We have the rat dispenser. <Laugh>, it's probably worth no with worth taking just a moment to reinforce the need to never. And I mean really never click to open an attachment received in an email, any email even it's from, even if it's from your mom. Okay. Now cybersecurity X experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy dangerous remote access Trojans.

Steve Gibson (00:28:37):
In other words, the, you know, remote access Trojan rat R a T thus the rat dispenser, but I put Leo cybersecurity experts from HP in quotes because well, try going to, and I'm serious threat research.ext.hp.com. Okay. The HP Wolf secure and you got there somehow. They must have just fixed this. Oh, it was broken <laugh> oh yes. Look, look at the, at, at, in the show notes, I've got the, the TLS certificate that both Firefox and Google were displaying this morning. I had to fight my way through in order to get there. Keep your, keep your, keep your sights up to date kids. Yeah. Wow. Yeah. Let me see, why is it working for you? Threat research. Let me I

Leo Laporte (00:29:41):
Mean, they may have just fixed their certificate. Let me look at their certificate here.

Steve Gibson (00:29:47):
Yeah. It came right up now. Yeah, they fixed that's. Yeah. Annoying. <laugh>. Okay. So I can't, I, I that's, you know, someone must have told them probably be cuz they were in the news, but this morning I got both Firefox and Chrome refused. And what I couldn't understand was that the certificate that they were serving expired on March 18th, 2021.

Leo Laporte (00:30:18):
Yeah. So this is from March 15th, 2021. So they got a new one, but then maybe they didn't apply it. It goes through the 20, 22. They maybe they forgot or I don't know.

Steve Gibson (00:30:34):
Right. So they were on, so they got

Leo Laporte (00:30:36):
Certificate. They probably didn't install

Steve Gibson (00:30:38):
It on the same cycle, but Leo, but the site

Leo Laporte (00:30:41):
Have been down since last March.

Steve Gibson (00:30:43):
Correct. It could not have been offline for 10 months. No. So somebody something weird.

Leo Laporte (00:30:49):
They, it was a what do they call that? A regression

Steve Gibson (00:30:53):
<Laugh> yes, we do call it a regression. It was, it was definitely that. Yeah. Okay. Anyway, HP explains cuz they do have good researchers. He they said that's embarrassing. That is, oh God. Yeah. I mean, and it's why I took a screenshot of it. It's like what? Embarrassing. And then I thought maybe Firefox. So I went over to Chrome and Chrome wouldn't showed it either. Whoopsie. Yeah. Yeah. Anyway, threat actors, they said are always looking for stealthy of delivering malware without being detected in this article. We describe how attackers are using an evasive JavaScript loader that we call rat dispenser to distribute remote access Trojans and information Steelers with only. And this is what's really amazing. An 11% detection rate, meaning one out of 10 gets flagged one out of 10 instances, an 11% detection rate rat dispenser appears they wrote to be at, at to be effective at evading security controls and delivering malware.

Steve Gibson (00:32:06):
In total, we identified eight malware families distributed using this malware during 2021, all the payloads were rats, remote access Trojans, designed to steal information and give attackers control over victim devices. As with most attacks involving JavaScript. Malware rat dispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, they said our investigation found that rat dispenser is predominantly being used as a dropper in 94% of samples analyzed, meaning the malware doesn't communicate over the network to deliver a malicious payload. In other words, you know, it just, it, it it, it incorporates it, the variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces and the preference of malware operators to drop their payloads suggest that the authors of rat dispenser may operating under a malware as a service business model.

Steve Gibson (00:33:24):
Wonderful. Okay. So the infection chain begins with a user receiving an email containing and I read this and I just like, really, this is still happening. A malicious attachment. It's the classic double five extension. You know, something like order information dot, text dot JS, you know, which we've all known about for how long yet it still works. It still isn't being displayed properly. It still being handled by our email agents. So the unwiting user simply needs to double click the file to run the malware. What I wanna know is how is it that any of today's email clients will run such a file with a simple, with a simple double click this morning. I just had to promise my first born child to view this report from HP because their once legitimate TLS certificate had expired. You know, I had this like with a warning warning, do not do not trust the site.

Steve Gibson (00:34:34):
Oh God, go, go, go back now. And it's like, no, I looked at the URL. No it right. And it's like, you know, and then I pressed advanced and it said, are you sure you're advanced? Yes <laugh> okay. Do you have any children? Will you, are you planning to, can we have them right? Oh my God. But no, you know, dot text dot JS. Oh, wonderful. Run the code. Oh gosh. You know what is happening? Yeah. We've got, we clearly have our priorities backwards. Yeah. Oh my God. So HP notes that network defenders can prevent infection, you know, like at the enterprise level, by blocking executable file attachment file types from passing through their email gateways, for example, JavaScript or VB script, what a concept defenders they said can also interrupt the execution of the malware by changing the default file handler for JavaScript files only allowing digitally signed scripts to run or disabling windows, script host, you know?

Steve Gibson (00:35:46):
Okay. But I ask why any of that is even necessary. It won't protect anyone outside of those enterprise boundaries. Right? The standard default is you click on something dot JS. We don't care where it came from. We don't care how it got into your system. You want it, you got it. It's crazy. When the malware runs the JavaScript decodes itself at run time, because of course it's all heavily obfuscated. It's just a bunch of, you know, slash hex codes that behind some evals add that writes a VB script file to the temp folder, using command dot XE, to do this command dot XE pro the process is past a long chain argue parts of which are written to the new file using the echo function. Then the VB script file runs to download, oh, the, it is downloading the malware payload from so from somewhere, if it was downloaded successfully, it's executed and the VB script file is deleted.

Steve Gibson (00:36:57):
So it's like, you know, we got what we wanted now delete this again. How, how can it be that you're not allowed to visit a site whose certificate has expired yet? Click on a link in email, run some code, no problem. The initial JavaScript download oor is obfuscated and contains several eval functions. As I mentioned, one of the eval calls is a function that returns a long string, which is decoded by another function. And it's clearly effective since only as I said about one out of every 10 instances. Well wait, a 11%. That's one out of nine are now being de detected. After many months of successful exploitation. Over the past three months, HP said the malware had been used to drop at least eight different rat strains, such as St. T rat Ws, H we know what that stands for rat add wind form book Remco Panda Steeler, goo loader, and ready. <Laugh> love the name. So as I started out, yeah, the ready rat, as I started out saying, it's worth just refreshing the, of the prohibition against ever clicking on anything that has received an email really. I mean, it's, the, these guys are clever. They're going out of their way to avoid the protections, built into our systems. It's, it's dispiriting that it is still possible to do this today, but it is.

Steve Gibson (00:38:45):
And Leo, I'm gonna take a sip of water. I, we have a long chunk at the end of the podcast. So

Leo Laporte (00:38:52):
I Don don't want you to get dispirited. My friend that no, no Siri, we're gonna, we're gonna make sure you get fully hydrated and never dispirited our show today brought to you by, you know, actually what's dispiriting is if if you're on the the red team and the blue team just ignores you or doesn't understand it, or doesn't fix the problem, that's dispiriting. I we've got a way to bring the red team and the blue team together. It's Plex track the purple teaming platform. I don't even know if you've thought about a purple team, but for those of you who have building a dynamic purple team is I think a kind of an important an conduit between the research, your red team is doing the pen testing, the assessments and the remediation your blue team is doing. If you're working to mature your security posture, but you're struggling with automation and effective collaboration between teams.

Leo Laporte (00:39:53):
We've got a great solution for you that the red team and the blue team loves it's PlexTrac, P L E X T R A C. It's a powerful but easy to use cyber security platform that centralizes everything, all your security assessments, your pen test reports, your audit findings, your vulnerability tracking. It transforms the risk management life cycle of allowing security teams to generate better reports faster with less effort. You're gonna, I'll tell you why, but you're gonna love this aggregate visualize analytics. Sometimes the visualization is key. Maybe not so much for the blue team, but for the C-suite up there, you know, the board, they, they like to see the pictures and then collaborate on remediation with the blue and red teams. In real time, enterprise security teams can use Plex track to automate your pen tests, your security assessments, your incident, response reports, and much more automation means you spend less time pressing buttons and more time doing the work.

Leo Laporte (00:40:51):
And you know, the reports. I know, I always think of Barney Miller, you know, wo Jo ho, it's sitting, he's probably too old to too dated of a reference, but you know, there's a cop comedy and the poor guy could barely type it. He would sit at his typewriter, writing his reports, one finger at a time. And I always think of that. You know, that's the, you didn't get in this business to write reports. So wouldn't it be nice to have a system that automates that gives you the ability to create templates automatically populates them, generat analytics and so forth. Automation keeps the red, blue and purple teams focused on getting the real security work done, cuz you're gonna get precious time back in your day. You're gonna improve employee morale with Plex track. It's got nine modules. I'm not gonna go through all nine, but I'll give you a, a couple of ideas about what this can do to address the pain points on, on all your security teams.

Leo Laporte (00:41:43):
For instance, module one, the runbooks module that can facilitate tabletop exercises, red team engagements, breach, and attack simulations and pen automation. It improves communication and collaboration. It can upgrade your program's capabilities by making the most of every team member, every tool that's the runbooks module. The analytics module lets you visualize your posture so you can quickly assess and prioritize creative, more effective workflow. You can map your risks to frameworks like Mir attack to create a living risk register. This is such a great way to do it. Whether you're a small to medium size security consultancy, a full scale MSSP or a large enterprise, no matter what your size security teams of all sizes and all specialties will work more effectively and efficiently with PlexTrac. PlexTrac is the premier cyber security workflow management and reporting platform for every professional from practitioner to CISO, there's truly a PlexTrac for every security team.

Leo Laporte (00:42:41):
I don't even know if you're trying to automate this stuff. Maybe you're using off the shelf tools that are designed just in for general purposes. This is designed for the work you do. One more module, the reports module. You're gonna love this because code samples, screenshots videos can be with one click added to the findings. You can import findings from all your scanning tools. So again, much faster, less, less typing. You can export to custom templates with a click of a button. So the next time it'll go even faster. You gotta book a demo. You've gotta see this in action. Try Plex track free for one month, see how it can improve the effectiveness and efficiency of your security team. All you have to do is go to PlexTrac.com/twit to claim that free month PlexTrac. PLEXTRAC.com/twit.

Leo Laporte (00:43:32):
I think you know that I think this is such a great solution. You would at least owe it yourself and your teams to take a look at it. PlexTrac.com/twit. We thank them so much for supporting security. Now they knew they came here. They knew the red teams, the blue teams, the purple teams. They listen to this show, perfect place to let everybody know about Plex track Plex. And you do the us a favor and use that address. So they know the Plex track says, oh yeah, it worked Plextrack.com/twit. It really does work back to Steve Reno.

Steve Gibson (00:44:06):
Okay. So we have an entirely predictable 0-day windows exploit. <Laugh> right.

Leo Laporte (00:44:15):
A of course <laugh>

Steve Gibson (00:44:20):
I'm sorry. I shouldn't laugh. I shouldn't laugh. I know. It's just, it's just so sad cuz I know this again, our listeners will be right there with us, right on schedule Cisco's Talos group discovered the active exploitation of a 0-day elevation of privilege vulnerability in Microsoft windows installer. This vulnerability allows an attacker with a limited user account to elevate their privileges, to become an admin. The vulnerability affects every version of Microsoft windows, including fully patched windows 11 and server 2022 talls detected malware in the wild taking advantage of this vulnerability. What was entirely predictable about this? Huh? We've been tracking this one for some time. Microsoft was first informed of the fundamental underlying problem by security researcher, Abdel, Hamed NAII who discovered this elevation of privileged vulnerability and worked with Microsoft to address it. However, when the Siri examined Microsoft supposed patch for this following this month's patch Tuesday, he discovered, oh, what do you know?

Steve Gibson (00:45:37):
Microsoft had merely patched against the proof of concept that he had provided rather than addressing and repairing the underlying flaw to demonstrate that NAII then published proof of concept exploit code on GitHub on November 22nd, eight days ago, which works despite the fixes implemented by Microsoft because Microsoft didn't fix the problem. They just broke his proof of concept. The code in a Siri released leverages the discretionary access control list. The so-called DLE for Microsoft edge elevation service to replace any executable file on the system with an MSI file, which you know is a Microsoft installer. You know, a setup installer file allowing an attacker to run code as an administrator to gain full control over promised system, including the ability to download additional software, modify, delete, or exfiltrate sensitive information stored on the machine, independent security researcher, Kevin Beaumont, you know who tweets as Gossi the dog tweeted can confirm this works local PR esque tested on windows 10 21 H two and windows 11.

Steve Gibson (00:47:00):
The prior patch Ms. Issued didn't fix the issue properly. Nasi noted that the latest variant of this 2021 41 37 9, which was the CVE assigned to this is more powerful than the original one. And that the best course of action would be to wait for Microsoft to release a security patch for the problem due to the complexity of the vulnerability. Apparently, you know, this is not something that even the, the, the zero patch guys can offer a quick fix for because he says there's a great likelihood of breaking something. So what do we have a security researcher responsibly and privately a serious problem to Microsoft, including a proof of concept demonstration. Microsoft responds not by fixing the problem, but by breaking the security researcher's proof of concept, claiming that the problem has been fixed annoyed, the security researcher, then publicly posts another proof of concept to demonstrate that Microsoft actually fixed nothing somewhere. This is seen as good news as malware authors, jump on this now public and well-documented unpatched vulnerability in windows using it to obtain admin rights on windows machines. We're all now living with the con consequences of Microsoft's deliberate de-emphasis of windows pre-release testing, which has been much talked about here and over on windows weekly. Unfortunately it appears that post-release vulnerability patching has also been deemphasized wow. And Cisco found this being used.

Steve Gibson (00:48:57):
Maybe we'll get an emergency fix. Maybe we wait till December's patch Tuesday. Unfortunately, this being the 30th and tomorrow being the first December is one of those of 20 21, 1 of those months where the patch Tuesday is like halfway through the month, right? It's on the 14th. So it'll be waiting as long as we possibly could be. Okay. not much else how not much else of interest happened. And as I said, I'm gonna talk a lot about the the be Godness of bogans shortly. I did wanna provide those listeners who may not have been tracking the frontiers saga as I certainly have been with an update. The, the first of 15 next books <laugh> in Rick Brown's third, 15 book story arc launched on Thanksgiving. Actually it was came out on Wednesday of last week, the day before Thanksgiving titled fringe worlds that that is, this se sequence will be fringe worlds.

Steve Gibson (00:50:10):
Rick, as I mentioned before, see, spells his name R Y K is no fan of Kindle unlimited feeling that it doesn't fairly reward authors for their work in his announcement email. He said that the book would not be on Kindle unlimited, but we be what would be for sale for $3 for at least a few months after which he would then put it on Kindle unlimited. And I would have happily paid $3 for all the hours of pleasant, relaxation I obtained from his writing, but I just checked and there, it was on Kindle unlimited. It's kind of hard to find. So I put a link to it in the show notes for anybody who is, has been following along and reading the first 30 books as I have of the frontiers saga I'm at this moment, finishing up my complete reread of Rick's first 30 books, I'm on the last one of the first 30.

Steve Gibson (00:51:09):
But then I plan to finally see what the Baba verse series is all about. Our listeners are huge fans of this Baba verse. So that'll be what I do next. However, I have to confess that my recent reading progress has been really retarded because I have truly become fully engaged in the work on spin. Right. I go to sleep thinking about it. I awaken thinking about it and I'm thinking about it right now. <Laugh> good, man. Everybody's very happy to hear that. I know that's excellent. Yeah, that's all I wanna do because I'm becoming very excited about what it is becoming. I, I won't go into detail that I did go into detail in my posting to the group, cuz I, in this last week I ended up developing and I'm gonna try not to go into detail a, a heuristic system for statistically determining which interrupt request lines, specific controllers and, and adapters were using after we learned that they were relying and that I couldn't rely on what they were saying.

Steve Gibson (00:52:28):
It was necessary to yet. You know, everybody else would say AI, well, it's not AI, but you know it works apparently. So anyway, it's a big challenge. I'm having a ball. But you know, I I, I guess I'm becoming excited about what it's becoming. It's for one thing it's guaranteeing me highly engaging full employment for the next several years. As I publish successively, more capable versions. When I watch its new benchmarks run the non four of performance, that is very clear in the, as the numbers flash on the screen across both spinning and solid state memory surfaces is well it's bracing. I mean, if, if most people probably won't appreciate what that means, but if you are reading successive 64, wait, no, thir 32 megabyte blocks from a spinning hard risk disc and they are end end. They ought to have the same timing or be slowly slowing down as you move gradually toward the center, like toward the center of the disc.

Steve Gibson (00:53:57):
That's not what I see. I see clear timing changes, which mean that there, that there's a problem there that the drive had to pause and work on for a while. And what's what really surprised us was when we did the Reed speed benchmark. And we saw that our solid state Ram was not behaving. Like we would expect solid state Ram it's behaving like a bunch of leaky buckets. And in fact, as we know that exactly what it is, so I cannot get, I cannot wait to get to the point where spin right will have the ability to zero in on spots that it has discovered are reluctant to be read. In the case of solid state memory, what's happening is the electrostatic charge of individual bits are leaking, losing their certainty, thus requiring more work and time to be read spin, right, will be able to detect that and selectively rewrite just those leaky trouble spots to recharge them before any data is lost.

Steve Gibson (00:55:06):
And if there's any actual media damage spin, right? We'll demonstrate that to the media's controller, enabling it to relocate the data, to keep it safe. And there's a lot of work yet to be done before. We'll be there. I love the work. I need to get version 6.1 out to satisfy the immediate needs of everyone who has it while I keep working then spin right needs to be moved away from dos over to the on time, RTOs 32 kernel for operation on either bios or U E I, then native drivers for USB and N Vme need to be added to that environment. But I have all, all of the work I've been doing, basically rewriting spin write is in preparation for that. Those will just be drop in now, thanks to the, the fact that I've got this object-oriented IO system, which is now up and running and is proven. And at that point like when that's done, I'll be in a, in a, at a place where we can, can finally start to develop an, an entirely new media surface analysis system. So yeah, if I sound excited, you know, it's true. <Laugh> good. We're excited too. That's great. Yeah. and with any luck, they'll still be a podcast here, so I'm, I'm doing, I'm going as fast as I

Leo Laporte (00:56:28):
Can take your time. It's okay. Just don't get distracted focus, focus, focus.

Steve Gibson (00:56:33):
Well, I, I did. I, I literally, I, I, I, I saw, I, I induced a problem on Sunday where I forced ATA drives to be reckoned as IDE in order to verify a code path that wouldn't otherwise be used, but could be. And, and, and the, this, this tricky part of spin, right, which drive, which figures out, which bio identifiers are connected to which hardware drives it failed to it's called the associator cuz it, so associates them, we need to know which, which items have already been found for, for direct spin ride access, and which ones will still have to go through the bios. I can't, I, I can't, if I don't associate them, then they'll show up as both a bio accessible drive and as something that spin right. Can access and that'll just be confusing to users. So, you know, spin right. Is maintaining the same ease of use it has always had.

Steve Gibson (00:57:38):
And I'm taking responsibility for making that, you know, for holding outta that ease of use. Anyway, when I, I, when I forced ATA drives to be recognized as IDE the associator didn't function and, and I looked at it and I just thought, okay, <laugh> I, I I'm out. I'm, I'm done. I've hit the wall. I, I went home early at like three and Laurie said, yo, honey, you're home early. I, yeah, I'm, I'm I'm I ran outta steam, but it's fine. Yesterday morning, I sat down, looked at the problem and solved it just one before I sleep, before I started working on the podcast. I'm curious

Leo Laporte (00:58:16):
Cuz when I don't do any real programming, but I, I like these programming problems. Well, you're

Steve Gibson (00:58:21):
About to do the whole of code. Yeah, yeah. The advent of

Leo Laporte (00:58:24):
Code. So what I've noticed and I've, and, and as a warmup, I was just doing previous years for the last few days. And, and what I noticed is if I can't, I'm looking at something and I just, I don't know what's wrong or I can't think of how to solve it. If I go to bed, I will think about it. It processes and I'll wake up and go, okay, does, so you're saying that's what I happen. Kind of. Yep. Or just getting, just getting some rest.

Steve Gibson (00:58:49):
No, but, but I do know that phenomenon, a few days ago in the shower, I realized there was a way to further improve the code that I was, I have a theory

Leo Laporte (00:58:59):
About this. Cause I, I always come up with the best stuff in the shower. I think the heat <laugh> yeah. Of the shower gets the blood vessels going or something and relaxed. And you think better in the shower cuz you're right. Always wear the best ideas. Yep.

Steve Gibson (00:59:16):
Dunno why that's strong. Thus. Yes. Our, our, our water company in Southern California is saying, you know, Steve, there is a drought on and we realize you and you're looking for some good ideas, but really stop. Is there enough? Is nowhere else you,

Leo Laporte (00:59:29):
You isn't that TAs Ory came up with a solution. This shower, I seem to remember, right? Yes. Way back when from Google's project zero. Indeed. He did. So it's, it's a, it is a real phenomenon.

Steve Gibson (00:59:40):
I don't understand. So, and as well, known to programmers the world over,

Leo Laporte (00:59:44):
I love it though. Going to sleep cuz as I'm drifting off, the problem will be going around in my head. Yep. And it just, somehow my brain just keeps working on it, I guess all night. And in the morning, Bing pops right here it is.

Steve Gibson (00:59:58):
Yep. So we have some fun feedback from our are listeners David Wright, he, he tweeted another month. Another Microsoft balls up windows server updates. This month kick exchange in the teeth. Some part of the update doesn't have the correct privileges. So a certificate doesn't get updated and you can't access exchange con troll panel or OWA, et cetera. Afterwards, that was a great start to Monday morning. After updating over the weekend, everything seemed to go through smoothly. He said Peren mails going in and out after the update, but only through automated SMTP. Once the users started coming into work, things went downhill. So yes, David there's a, there's a tweet from the field. Bob Thomas said at S G GRC. Any word on Microsoft plans on fixing network printing. I can't print any other way. I got notice to update and it was horrible. No. And I could not tell which update of three was responsible until all uninstalled and then the printer printed POed at Microsoft.

Steve Gibson (01:01:14):
And I assume Bob meant that he had no choice other than the print over a network. There's news that the promised fix for printing has released into broader testing. And assuming that all goes well, it should be December 14th. So fingers crossed, I think probably by the year end, we're gonna get printing as a Christmas present from Microsoft, Rick Neiman tweeted in Microsoft's defense regarding Java script in a sell they're playing catch up to Google who has had JavaScript based Google apps script in sheets for a long time. Microsoft needs to replace VBA with something current. But yes, I hope they can secure it. Don Edwards tweeted. Hi Steve, happy Thanksgiving is the I ETF going to allocate the 0 0 0 0 address space as well. He says windows uses 0, 0, 0, 0 in the host's file in the same way it uses 1 27 1 what could possibly go wrong?

Steve Gibson (01:02:21):
And I think maybe Don meant the routing table because if you do a print route, you will see 0 0, 0, 0 is also locked down. <Laugh> someone who's Twitter, a name currently, he tends to change it. He's <laugh> it's four 18 colon Tre. And of course those with a long memory, we will remember that there are some bizarrely named HTTP errors. There's the 4 0 4, which is, you know, page not found anyway, four 18. I, you know, Gary reminds us is tread. Anyway. He was replying to at Nick's craft and he, and, and Gary said, it appears you have a copy of spin. Write by at S G GRC relabeled as Norton disc doctor <laugh>.

Steve Gibson (01:03:21):
How did that happen? <Laugh> well, we know the story don't we? Yes, we do it. I mean, it was, they stole it and it was such a clone that it even looks the same, so much, so much so that Gary who owns spin. Right. And is one of our tester looked at it and said, how do you have spin? Right. Labeled Norton dis doctor <laugh>. Well, now we know, I wonder that's right. No, they don't sell that. I think they haven't sold. Oh no, no. In fact they abandoned it like maybe after a year because their own tech support. So since they hadn't written it, their own tech support couldn't support it. Oh. And so we were getting support calls from people with Norton disc doctor saying, yeah, Norton Norton told us to call you because you know, we got Norton utilities and now it has spin right.

Steve Gibson (01:04:15):
Built in. I said, no, it doesn't <laugh> they approached you. Right. They wanted to buy it. Yes. And it was not Peter's fault for the record. I want everyone to know Peter Norton is a nice guy. It was Ron poner. Who was the heart of darkness. Legendary heart of darkness. Yes. Yes, yes. And, and so Peter and I went to lunch with Peter, having the instructions to get spin right from Steve and, and he paid me a great compliment. Peter did. He said, you know, Steve, when I heard you were low level, reformatting hard drives on the fly, <laugh> he? And he said, cuz he was in Santa Monica. He said, I thought I was gonna look to the south down there toward Irvine and see a mushroom plow because you can't, you know, really you're nuts, but apparently you managed to do it somehow. And it's the number one most requested feature in Norton utilities is everybody wants spit.

Steve Gibson (01:05:14):
Right. And they don't wanna have to buy it again. And they wanna like, don't have to buy it from you and buy Norton utilities from me. So we just wanna buy, spin right from you. And everybody will be happy. I said, except me Peter. I said, unless you're willing to pay a ridiculous amount of money. I'm not selling. And he, he said, well, how, how we're ridiculous. I said, really ridiculous. Let's like, we're not even gonna talk about it. And he said, really you're sure. I said, I'm sure. So we went back and met with Ron poner and we walked into Ron's office, Peter and I, and Ron said, so we got a deal. And Peter looked like, like the dog that had been bad. I mean, he was, he was like, he, he didn't do it. And I, and I, and he, Peter said no.

Steve Gibson (01:06:01):
And Ron said, why not? You know, cuz I mean they figured they were on top of, of the world. And how could this little weenie, why would you turn that, that down? Yeah. Yeah. This little guy who was trying to, you know, scratch together some, some coin and anyways saying no was the best decision than I ever made. So, you know, again, they ended up abandoning it and it's in fact today is Greg my support guys. Yeah. 31 year anniversary with you working with me. Holy cow. That's kind of a legend and Sue is several years before that. So, and both of them. Yep. You keep the good ones. That's the point more than yeah, I had two <laugh> what was at your peak? How big was this spin right? 23. Yeah. I remember we had 23 people cuz on black Monday as they called it, I reduced us from 23 to 12 by lunch.

Steve Gibson (01:06:59):
Wow. That's not a fun time. It was not good. No, no anybody's ever owned a business notice that's the, the absolute worst part of any business. Yeah. But I'm sure relief in afterwards, you know like it had gotten out of control. Yeah. And they didn't think I was in touch with what was going on. I remember one of them at the back in our group at what we were, we met at lunch and I, and actually actually his name was Richard. He said, who's next? And I said, I heard that Richard. I said, and I said, now guess who you and they called them. They called themselves the survivors. And, and I said, look around. I said, I know you guys all think I haven't been paying attention. What's going on here? That I've, I've been busy, you know, coding. I said, and you probably haven't stopped to think about this, but look around at, who's not here listening to this now and ask yourself if I made a single mistake.

Steve Gibson (01:07:56):
Oh, wow. And they hadn't thought about that. Yeah. They were, you know, too concerned about their themselves understanding, but they yeah, of course. And they started like thinking, oh, he's gone and she's gone. And that nightmare gossip is no longer with us <affirmative> and so forth. And, and they, you know, they understood. And that was the last time that happened. A attrition, the rest was attrition. Yeah. Yeah. The rest was attrition and I, and all, you know, I, and then the internet happened and you know, I didn't need them because, you know, I need Greg to talk to customers and Sue to help do the books and keep the, you

Leo Laporte (01:08:35):
Still had people designing box covers and writing manuals and all that stuff. You don't need that anymore. Yeah. Yeah. Yeah.

Steve Gibson (01:08:43):
So Kevin mix my final tweet, he said, hello, Steve. As I listened to SN 8 46, of course, that was last week. I had to pause and pull up the I ETF draft for the 1 27 slash eight uncast proposal as a frequent reader of RFCs from my day job as a network engineer, I often find myself checking the authors section at the bottom to try to glean some insight into their motivations, by seeing which companies or organizations they're associated with in the draft proposal you referenced. And he has the link. All of the authors referenced the I P V four uncast extensions project. Google led me to this GitHub page and I have a link of the show notes and, and he provided it. So it looks like this is a longer term effort. These gentlemen are working toward professionally speaking. I would not wanna be assigned and address out of this pool.

Steve Gibson (01:09:51):
If it were released to the RS for uncast use that's the regional internet registries. He says, as I imagine there would be some hosts or even entire ISPs that would never implement this standard, ensuring that any services hosted on those ISP on those IPS would have flaky connectivity at best one who of an understatement in the had ability and IOP interoperability section of the draft gave me a bit of a chuckle. And he said, he, he then quoted it since deployed implementations, willingness to accept 1 27 slash eight addresses as a valid uncast address varies a host to which an address from this range has been assigned may also have a varying ability to communicate with other hosts. So an understatement indeed, which leads us into today's discussion of the broader goals of the I P V four cleanup project. Mm.

Leo Laporte (01:10:58):
Well, I'm ready to go. If you are ready to get ready, we shall take a little break and ger our loins for what is

Steve Gibson (01:11:06):
This bygones be gone?

Leo Laporte (01:11:08):
Bogans, bogans, BOS, bogans. Begon bogans be gone. All right. I'm fascinated. Can't wait. I have not read ahead. I always, I try not to read ahead cause I want, I wanna listen to it fresh. You want gasp, but the appropriate time I wanna gasp, but the appropriate exactly. Our show today brought to you by it. Pro T V. And I think many of you who listen to this show are already, it pros it pro TV is a great place, whether you're a seasoned it professional or someone looking into getting your first job in it, it pro TV is the community emphasize community that you need. Tim and Don good friends who created it pro to TV did it because, well, they wanted to scratch their own it. They were it trainers, but they thought there's gotta be a better way than the traditional classroom setting and the, and frankly expensive fees you pay and all the materials you buy in all of that, it pro TV is that solution.

Leo Laporte (01:12:10):
It's a creative and fun way to advance your career. And it's just, if you like listening and watching to what we do, that's kind of the idea. They have seven studios operating Monday through Friday, all day in their Gainesville, Florida headquarters, creating new content. Why do they do so much? Well, there's a lot to cover, but also things change new versions of the program. New versions of the tests, new tests entirely Microsoft is abandoning MCSE. They've got now these Azure asserts. So that means all new training, but the thing is with it pro TV, all of their great entertainers, they're experts in the field who know how to teach with those studios operating cranking away, seven studios, five days a week. They are able to create lots of very UpToDate content. Everything they do goes from studio to library in 24 hours. It's very fresh.

Leo Laporte (01:13:02):
Everything's divided in 20 to 30 minute chunks. So it's easy to watch a little bit during your lunch break. They really wanna make it convenient and easy to learn. You can watch 'em do it live too. If you do. There's a live chat room as well, which is always fun. It pro TV is the official training partner of comp Tia. So they, the best comp Tia training. Those are the certs. A lot of people start with the, a plus and security plus and network plus SEARCHs if you're looking for something specific, they've got transcripts for everything and you can search them. And that makes it easy to jump into the information you need fast. We just finished AWS month, you know, end of the month at it pro TV. There's a lot of stuff you can check out the webinars at it, pro.tv/webinars to see any that you missed on demand and to see what's coming up.

Leo Laporte (01:13:50):
I don't think they've announced a month a subject for December, maybe cuz it's probably a slow month. So you can just the normal coursework that you would do anyway, or listen to Don's great techn NATO podcast with it professionals. And I mean there's lot, always lots to do at it. Pro TV, start your it career today by getting educated and certified for the big companies, looking for it professionals now, or to start your own business really. I mean the world needs more MSPs. Believe me more it folks to help us out visit it pro.tv/security now, and you'll get an additional 30% off all consumer subscriptions for the lifetime of your or active subscription. Just use the code SN 30. This would be a great gift to yourself and give it to yourself for Hanukkah or a friend. If you know, somebody wants to get into it 30% off, as long as you stay active, that that could be forever with the offer code, SN 30 it pro.tv/security.

Leo Laporte (01:14:49):
Now it pro build or expand your it career and enjoy the journey. Great folks doing a really bang up job of, of getting people ready for the it world and keeping people in the it world up to date. You need to do that. Of course it pro.tv/security. Now use that address, you know, right. You know, the drill. So Steve gets credit and Q I T pro TV for another great year we've been together for, I dunno, seven, eight years now since they started 24, 20 13. Yeah. All right. Now let's get, let's go bonkers about

Steve Gibson (01:15:25):
Bogans, bonkers about bogans. Okay. And bogans is a real thing. It, if you I, I appreciate that you did not put it into the Google machine. Had you done so you'd have found out what they were no spoilers. Nope. Before we begin, since we're necessarily gonna be talking about network addressing, I wanna make sure everyone's on the same page about the nomenclature for describing I P V four network. Okay. One of the many brilliant innovations made by the designers of the Internet's routing architecture was this idea of dividing the 32 bits of I P V four, address space into a network number and the number of a specific machine machine within that network. So when, for example, we talk about the 10 network. We mean, N a I P whose first left most eight bits or also called an OCTE of network address is 10.

Steve Gibson (01:16:32):
And that means that all the machine genes within that network, their IPS begin with 10. And then the, the other 24 bits differ the clearer and more formal way of describing it is to say 10 slash eight, where the eight refers to the number of bits counting from the left, which will be to designate the network number. And the rest of the bits to the right will be used to designate a specific machine within that network. So last week I preface our discussion of the I E TF stated intention to redefine the entire currently UN Roundtable 1 27 slash eight network into two pieces to cut it in half wed, have 1 27, 0 slash 16, which would remain unable and be used as a local net, which contains the default local host IP of 1 27 0 0 1 plus 65,535 other 1 27 0 IP, the rest of the 1 27 slash eight, which would run from 1 27, 1 slash 16 through 1 27, 2 55 slash 16 would be newly made available to the IA N a and the re regional internet registries as blocks of newly Roundtable.

Steve Gibson (01:18:14):
I P V four addresses. And the feeling is that's a useful amount. That's more than 16 million addresses. Okay. But it turns out that this I E TF draft proposal is only the tip of the iceberg. And since our discussion of this bit of an iceberg drew so much interest and response last week, it was kind of overwhelming. I decided that while we were on the topic, I oughta share the rest since there's more so we need to talk about, but bogans by definition, bogans are IP packets having unreadable source or destination IPS, which should therefore never appear on the public internet. We have a formal and fun definition of bogans over on Wiki EDIA, which explains the term Bogan stems from hacker jargon, with the earliest appearance in the jargon file in version 1.5 0.0 dated 1983, it's defined as the quantum of BOGOs or, or the property of being bogus.

Steve Gibson (01:19:34):
Yeah. Yeah. That makes sense. Yeah. A Bogan packet is frequently bogus both in the conventional sense of being forged for illegitimate purposes and in the hack sense, rights, Wikipedia of being incorrect, absurd, and useless, you know, it can't be on the public internet. <Laugh> these unused IP addresses are collectively known as a Bogan, a contraction of bogus log or a log on from a place, you know, no one can actually log on from <laugh>. So that makes sense. A bogon, a bogus, yeah. Log on. Yeah. A bogus log on a bogon. And just for the record, despite the similarity in sound bogans should never be confused. Vogan Leo Gans are of yes. Vogan are of course the distasteful alien race created by Douglas Adams for his Hitchhiker's guide to the galaxy. As we learned in his first novel, Vogan take on very large construction projects and specialize in demolition.

Steve Gibson (01:20:47):
And as you reminded us at the beginning of the podcast, there are also very, very bad poets. <Laugh> okay. Oh, and just for the record, I was thinking about this and dare I say, in the shower, they are also, these boons should also not be confused with bun ons, which, you know, what's that because Bunns were the aliens in the star Trek movie that my junior high best friend and I, and our group created an eight mill or super eight millimeter not widely seen, but okay. No. Yeah. His, his, his sister Scott's sister had a huge collection of stuffed bunny rabbits. And so of course we used stop frame animation. Oh, how funny to bring the bunny rabbits to life. So of course they were, the bun ons were the aliens. Absolutely. And, and our, our longtime listers will remember that we, at one point in this, cuz there was an audio track, we needed the very threatening bun ons to address the, the captain of the enterprise saying we are the bun ons, surrender your ship or be destroyed <laugh>.

Steve Gibson (01:22:08):
And so I, I came up with the idea that, of recording that on a reel to reel tape deck and then reversing the tape so that it would play backwards. And if you play that backwards, you get SNA Bunani yo aro, your NES <laugh>. So we, then we then recorded Yosha Bero Sana, Banani your NES. And we reverse that in order to get a very wonderfully alien sounding. We, ya, the Bonns so end your ship or be, be showing, oh, that's clever. Very clever. It worked. Yeah, it worked. So yes, we were clever little <laugh> little pre hackers. What grade was this? This was eighth grade. Wow. Before high school. That's cute. That's really cute. Well, and of course we had to have a battle between the, it was, I think we I'm sure we had a a, a, a cling on battle cruiser and the enterprise.

Steve Gibson (01:23:16):
So Scott put up some black construction paper, which he poked a whole bunch of little tiny holes into and then back lit it with lights so that we had stars and the two ships were hung from black thread and every so often he would like move one and it would like shake and then the other one would shake and then the other, the first one would shake. And then, then, so that was what was recorded on this eight millimeter film. Then we took a, a a pin and carefully scratch the emotion on the back in order to create Faser strikes from one, one ship to the other in order to, you know, add our special effects. So yeah, it was a, it was a, <laugh> quite a project. What fun. We always wonder what happened to it. We sort of lost track of, of, of the film anyway.

Steve Gibson (01:24:13):
Who was I last week before introducing the local host 1 27 8 network, we talked about the concept of now non route networks by reminding everyone of the most common non Roundtable private networks that most of us probably have remember 1 90, 2 68, 0 something. So that would be 1 92 0.680 slash 24. Since all of the leftmost 24 bits are the network. And then you have one bite, the last number to specify the machine on the network, but net gear and some other routers default to 1 90, 2 68, 1 slash 24, for whatever reason. And of course these are both small pieces of the larger 1 92, 1 60 slash 16 network. All of which was set aside by that original RFC 1918. And as we know that RFC also defined the 10 slash eight and the 1 72 16 slash 12 groups to be SIM set aside non ratable networks to be used to number the machines inside of private lands.

Steve Gibson (01:25:35):
So all of the IPS within those ranges are by definition bogans, but there are also other longstanding set asides. They too have come under the scrutiny of a group which has, has been founded and calls themself the I P V four cleanup project. And they're quite serious before we consider what they have to say. Let's take a look at these other Bogan addresses, the original RFC 33 30, which was dated September 2 0 2 was later obsolete by RFC 57 35 in 2010 to reflect few changes. And both RFCs were titled special use I P V four addresses in the abstract of this thing. It says this document describes. And again, again, remember originally in oh two and then updated in 2010. So still 11 years back, this document describes the global and other specialized I P V four address blocks that have been assigned by the IA a the internet assigned numbers authority. It does not address I P V four address base assigned to operators and users through the regional internet registries, nor does it address I P V four, address space assigned directly by IA N a prior to the creation of the regional internet registries. It also does not address all allocations or assignments of I P V six addresses or autonomous numbers.

Steve Gibson (01:27:26):
So here's how they start in describing like the, the whole intent here and its brief throughout its history. They said the internet has employed a central internet assigned numbers, authority. I a N a responsible for the allocation and assignment of various I needed for the operation of the internet that was specified in RFC 1174. In the case of I P V four, address space, the IA N a allocates parts of the address space to regional internet registries, according to their established needs. These R I are responsible for the registration of I P V four addresses to operators and users of the internet within their regions on an ongoing basis. The IA N a has been designated by the I E TF to make assignments and support of the stand, the internet standards process <laugh> and the internet internet standards process was documented in RFC 28, 60 section four of that document describes that assignment process, small portions of the I P V four, address space have been allocated or assigned directly by the IA N a for global or other specialized purposes.

Steve Gibson (01:28:48):
These all allocations and assignments have been documented in a variety of RFCs and other documents. This document is intended. This the one that we're talking about now, 33 30, this document is intended to collect these scattered references and provide a current list of special use. I P V four addresses. This document is a revision of RFC 33 30, which it obsolete its primary purpose is to reflect the change to the list of special IPV four assignments. Since the publication of RFC 33 30, it is a companion to RFC 51 56, which describes special I P V six addresses. In other words, this document, this RFC is the, you could call it the Bogan Bible. Okay. So what are the Bogan address blocks? First one zero slash eight, which is to say, you know, zero, zero.zero/eight, N I P whose first, OK. Is zero addresses in this block. The RFC says, refer to source hosts on this, in other words, the current network.

Steve Gibson (01:30:14):
So it's a self referential network and they said address zero zero, zero.zero/ 32. Meaning exactly that IP may be used as a source address for this host on this network. Other addresses within the zero slash eight may be used to refer to specified hosts on this network. So that's a, an interesting set aside, right? That, that says that the, an IP whose first OCTE is zero. I is a self reference. That is, it's kind of like a wild card, always referring to the, the, the, the network on which this host resides and zero to 0, 0, 0. That IP refer is also referring to this device. And sure enough, if you put in a route print, you will like a under windows, you'll get, you'll see, zero to 0, 0, 0, matching exactly to the, the, the interface on which this machine, the network interface of that machine. So there is another what is it?

Steve Gibson (01:31:34):
24 bits. So that's 16 million IPS tied up in the zero slash eight network. Then we have the 10 dot that we've talked about, you know, the 10 slash eight for, for local networks and documented in the I in, in this RFC, we have 1 27 slash eight, that entire block set aside for loop back then we have another one that's interesting, and people who've been paying attention may have noted or may have seen this IP like and thought, what the heck where'd that come from? And that's 1 69 0.25, four slash 16. That's the so-called link local block that's that's described in RFC 39, 27. And it's allocated for communication between hosts on a single link hosts obtain these addresses by auto configuration, such as when a DH EP server cannot be found. And if anyone has ever like turned on a windows machine that like that has its land adapter enabled yet.

Steve Gibson (01:32:49):
No, no, no. Wifi set up and no cable plugged in. You may notice that that land adapter will be given an IP 69, 2 5 4 something, something that is the sort of an auto configuration. If windows doesn't see anything else, no has no other way of getting an IP. Isn't, hasn't been configured as a static IP, but it's set for obtain IP address automatically. That's what gets used something from that block. We also have, as we've mentioned, the another one of the RFC 18 19 eighteens of the, the 1 72 16 slash 12, and also 1 92 slash is a, is a block reserved for I E TF protocol assignments 1 92 slash 24. So that's, that's 1 92, 0 0, where the last bite is then the, the machine on the network. And the RFC says at the time of this writing this document, there's no current assignments, allocation policy for future assignments is given in our, you know, then they talk about the, the assignment policy.

Steve Gibson (01:34:13):
But that is to say 1 92, 0, 0 dot anything or another. In other words, 1 92 0.00 slash 24. Well, that that's not a big network, right? That's got 256 machines maximum never been allocated. And if you had some clever use for it, it's probably safe to do that. Then there's 1 92, 0 2 slash 24. They find as test net one, they say this block is assigned as test net one for use in documentation and example code it's often used in conjunction with domain names, example.com or example.net in vendor and protocol documentation. So they're not legitimately on the internet and they've never been assigned, but it's a slash 24, right? So only eight bits worth of, of machine. So it's only it's only two a of 56 IPS. There is 1 92, 8 8, 9, 9 slash 24, which is to say 1 92, 8, 9, 9 do anything. We don't see that often this block is allocated for use as a, an IP six to IP four relay any E cast for those relay, any cast addresses, which are described in RFC 30, 68.

Steve Gibson (01:35:45):
And they said in contrast with previously described blocks packets destined to addresses from this block do appear in the public internet. And then they, the R F C 30 68 section seven describes operational practices. Okay. But again, not a big block, only eight bits of machine. We also have a, the other private land, 1 92 0.16, eight slash 16. We were just talking about that. That typically is what we have on our, on our routers. Although we use it with a zero dot something and a one dot something, there is a 1 98, 18 slash 15. So they say this block has been allocated for use in benchmark tests of network interconnected devices, RFC 25 44 explains that this range was assigned to minimize the chance of conflict. In case a testing device were to be accidentally connected to part of the internet packets with source addresses from this range are not meant to be forwarded across the internet.

Steve Gibson (01:36:59):
Again, a bogon range of IPS. Let's see it's 15 bits. So that's gonna be 32,000 IPS, not a tiny level, but you know, not up at the 16 million level 1 9, 8, 5 1 100 slash 24. That's another block of 2 56 IPS designated as Testnet two and 2 0 3 0 1 3 slash 24 is Testnet three. So those are small blocks, you know, not of particular interest, but they are reserved. Now we come to the two biggies 2 24, 0 0, 0, or I should say 2 24 slash four. Okay. Now think about that 2 24 slash four. That means that 28 bits, because four plus 28 is 32, 28 bits in the 2 24 network are machine names. So, okay. So 24 bits is 16,000,025. Bits is 32,000,026. Bits is 64 million. So that's 256 million IPS sitting underneath 2 24. And the RFC says this block formerly known as the class D address space is allocated for use in I P V four multi-cast address assignments.

Steve Gibson (01:38:50):
The IA N a guidelines for assignments from the space are described in RFC 31 71. So 2 24 slash four is sitting on a huge number, 256 million IPS. And two 40 is the last 1, 2 40 slash four, also a slash four formally known the class E address space is reserved for future use. And they say the one exception to this is the limited broadcast destination of, and any network engineers know about 2 55, 2 55, 2 55, 2 55. The very last IP in the 32 bit I P V four space is a broadcast addressed, meaning that all, all devices on the network receive, things sent there. Okay. There's no way we can mess with the three private and the widely used RFC nine 18 networks. You know, they're clearly safe, 1 69 0.2 54 slash 16 there that that one is safe too. You know that's one that is used for auto configuration. And as I mentioned, anybody who's ever turned a network adapter that's attached to nothing.

Steve Gibson (01:40:20):
Windows chooses an, an address there, presumably it will emit an, an, a packet asking if anybody else listening has that IP. And if someone responds, yeah, I do. Then we, windows will choose a different IP and reissue an a until it finds one which nobody responds to, and then it'll settle down and use that IP. That is kind of a cool way that a bunch of machines without any kind of a central arbiter, you know, no DHCP server, for example, would be able to all obtain unique IPS on a large network. And again, that's a slash 16. So it's 64,000, you know, 64 K 65, 5 3 6 IPS. The zero net is interesting. It's a CLA it's a slash eight. So it's taken 16.7, 7 million I P V four S remember 1, 2 56 of the entire I P V four space out of service. The three test nets are all slash 24 S they're not bothering.

Steve Gibson (01:41:30):
They're not worth bothering with the, the 1 98, 18 slash 15 does set aside and tie up 32 K IPS, ostensibly for use in benchmark tests of network, interconnected devices. As this thing says, I've never run across it, but, you know, that was sort of difficult to appraise. So aside from the zero net, this leaves us with the two monster all allocations that we have not yet talked about in detail. We did talk about reassigning most of 1 27. So we have 2 24 slash four, which has been set aside for the U for use in I P V four multicast and two 40 slash four, which the RF, a RFC simply states has been reserved for future use. Let's set, that's sitting on a huge allocation, which brings us to the I P V four cleanup project under, and, and this is a page over on GitHub where they're organizing and running things under about. They describe themselves briefly in a sentence, the I P V four unicast extensions project making class E the two 40 slash four zero slash 8, 1 27 slash 8, 2 25 slash eight through 2 30, 2 slash eight, generally usable add a 419 million new IPS to the world and fixing various other slightly broken pieces of the I P V four world.

Steve Gibson (01:43:30):
Okay. So NNO is N a N OG the north American network operators group and their NNO list serve is pretty much where most of the internet evolves Thursday before last on November 19th, a well known guy by the name of John Gilmore responded at some length to a nano posting. John one of the people in the I P V four cleanup project is one of the founders of the eff, the electronic frontier foundation, and was also just a few weeks ago, kicked off the board there and reasons we do not know that's right. We talked about that. Yeah. Right. he created the cipher punks mailing list and co-founded Cigna solutions. He also somehow the alt.star hierarchy in Usenet and boy, what a sewer that place was. Thank you, John. <Laugh> back in the day, he's kind of a libertarian. I think I, I get that the feeling, you know, yes. He is, he describes himself as a civil libertarian, and Leo you'll remember this. He once famously equipped that quote, the internet interprets censorship as damage and routes around it. Mm-Hmm <affirmative> Uhhuh <affirmative> mm-hmm <affirmative>. So I guess he's something of an idealist as well. Anyway, Stephen backer, B a K K E R a network engineer of some re reput himself posted to which John responded Steven posted the ask is to update every IP stack in the world, including validation, equipment, retirement, reconfiguration, et cetera.

Steve Gibson (01:45:34):
And John took this in good spirit and appeared unruffled. He makes a number of valid points while presenting and stating a well thought out case for hugely reducing the Internet's current Bogan bloat. So I felt it was worth hearing John out. The purpose of the preamble was to create a foundation and context for understanding John's reply. Here's what he wrote. He said in response to Steven backer's, the ask is to update every stack in the world. He says, this raises a great question. Is it even doable? What's the risk? What will it cost to upgrade every node on the internet and how long might it take? He said, we succeeded in upgrading every end node in every router in the internet, in the late DS and early two thousands. When we deployed cider C I D R you know, meaning that were net networks would no longer be strictly class, a class B class C, meaning slash eights slash sixteens and slash 20 fours.

Steve Gibson (01:46:51):
But rather that boundary could be variable. He said it was doable. Of course, let's also remember that was back in the late 1990s, when a lot was doable that you could argue. You know, I, you know, we didn't all have little IP stacks in all of our plugs and light bulb widgets around our homes. Back then he said it was doable. We know that because we did it. And if we hadn't done it, the internet would not have scaled to world scale. And that's certainly the case. If you couldn't arbitrarily divide address spaces down, if you had to allocate in you huge chunks, he said, so today, if we decide that uncast use of the 268 million addresses in two 40 slash four is worth doing, we can upgrade every node. Okay. Maybe, but that's what he said. He said, if we do, we might as well support uncast on the other 16 million addresses in zero slash eight and the 16 million in 1 27 slash eight.

Steve Gibson (01:48:05):
And the other about 16 million reserved for 0.2, BSDS pre standardized subnet broadcast address that nobody has used since 1985. And take, take a hard look at another a hundred million addresses in the vast empty multicast space that have never been assigned by a I a N a for anybody or anything. Adding the address blocks around the edges makes sense. You only have to upgrade everything once, but the 268 million addresses becomes closer to 400 million formerly wasted addresses. That would be worth half, again, as much to end users compared to just doing two 40 slash four. The, so the point he's making there is there is a lot of bogon bloat. And if we're gonna make a change, let's, let's make a cut, comprehensive changed. He says, it may not be worth it to you or to your friends, but it would be useful to a lot of people, hundreds of millions of people who you may not even know, people who didn't get IP addresses when they were free people outside the us and Europe who will be able to buy and use them in five or 10 years, rather than leaving them unused and rotting on the vine forever.

Steve Gibson (01:49:42):
We already know that making these one time patches is almost risk free. Two 40 slash four uncast support is in billions of nodes already without trouble Linux, Android, Mac OS, iOS and Soliris all started supporting U a cast use of two 40 slash four in 2008. Most people, even, most people in NANOG didn't even notice zero slash eight unit cast has been in Linux and Android kernels for multiple years. Again, with no problems to cast use of the lowest address in each subnet is now in Linux and net BS D recently see the drafts for specifics. He says, if anyone knows of security issues that we haven't addressed in the drafts, please tell us the details. He said, there's been some arm waving about the need to update fire walls, but most of these addresses have been usable as unicast on lands and private networks for more than a decade.

Steve Gibson (01:50:56):
And nobody's reported any firewall vulnerabilities to cert given the low risk. The natural way for these uncast extensions to out is to simply include them in new releases of the various operating systems and router OSS that implement the internet protocols it's already happening. We are just asking that the process be adopted universally, which is why we wrote internet drafts for I E T F Microsoft windows is the biggest laggard. They drop any packet whose destination or source address is in two 40 slash four. When standards said two 40 slash four was reserved for what might become arcane, for example, variable length, any cast six to four, et cetera, addressing modes. That made sense. It doesn't make sense. In 2021, I P V four is stable and won't be inventing any new addressing modes. The future is, and all it wants out of 20 of two, 40 slash four is more unicast addresses by following the normal OS upgrade path.

Steve Gibson (01:52:21):
The cost of upgrading is almost zero. People naturally upgrade their OSS every few years, they were place their server or laptop with a more capable one that has the latest OS laggards might take five or 10 years people's home wifi routers break, or are upgraded to faster models, or they change ISPs and throw the old one out every three to five years, a huge proportion of end users get automatic over the net upgrades via an infrastructure that had not yet been built for consumers during the cider transition patch. Tuesday could put some or all of these extensions into billions of systems at scale for a one time fixed engineering and testing cost. We've tested, major routers and none so far require software updates to enable most of these addresses except on the low address per subnet at worst the is P would have to turn off or reconfigure a Bogan filter with a config setting.

Steve Gibson (01:53:36):
Also many Martian addresses. Those are also bogans. Bogon lists are centrally maintained and easily be updated. We have found no ASIC IP implementations that hardwire in assumptions about specific IP address ranges. If you know of any, please let us know. Otherwise let's let that straw man, rest our draft don't propose to change. Sorry. Our drafts don't propose to choose between public and private use of the newly usable uncast addresses. So the prior subject line that said uncast public was incorrect. He said since the Colonel and router implementation is the same in either case, we are trying to get those fixed first. He says there will be plenty of years and plenty of forums nano I E TF. I can I a N a and the RS in which to wrestle the public versus private questions to the ground and make community decisions on actual all allocations.

Steve Gibson (01:54:53):
But if we don't fix the kernels and routers first, none of those decisions would be implementable. Finally, as suggested by David Conrad, there is a well understood process for de Bogan an address range on the global internet, once support for it exists in OSS. Cloudflare used it on one, 1.1, one ripe used it on one 20 eights slash 16, and on two, a 10 colon colon slash 12, an I P V six. You introduce a global BGP route for some part of the range, stand up a server on it and use various distributed measurement test beds to see who can reach that server. When chunks of the internet, can't an engineer figures out where the blockage is and communicates with that ISP or vendor to resolve the issue, rather rinse and repeat for a year or more until reachability is high enough addresses that later end up allocated to private address blocks would never need 100% global reachability, but global testing would still help to a, to locate low volume OS implementations that might need to be updated. Addresses purchased to, to number retail. Cell phones need not be as reachable as one's listed on public facing servers, et cetera. The beauty of a market for IP addresses rather than one size fits all allocation models is that one with different reachability can sell for different prices at different times into different niches where they can be put to use signed John.

Steve Gibson (01:56:56):
And I like his argument. The gist of it is that we have nothing to lose by immediately changing. Some of today's long established. I, I P V four standards, essentially. They're just set aside. I P V four has clearly outgrown its original design, which deliberately incorporated a lot of way waste that once seemed insignificant. You know, that's the only reason you'd give, you know, a university or a project, a slash eight. It's like, here you go, you know, have, have some IPS. But that waste is not insignificant today. IP stack vendors will be for formally notified that the I E TF is changing a bunch of definitions, which affect a handful of mostly unused I P V four space. All that's needed are some tweaks to their OSS. Default routing table engineers simply need clear guidance and specific to do whatever they need to do.

Steve Gibson (01:58:08):
Last week, we noted that F five networks, big IP systems were currently using some of the space under 1 27. That's now slated to become Roundtable, but the entire 1 27 0 slash 16 network remains local and non Roundtable. So all F five, for example, needs to do is migrate those arbitrarily scattered blocks they're currently using, which are outside the lower 64 K IPS down into that range. Once that's done they'll know that if the route ability of 1 27 slash eight should ever change, they'll already be compatible. And there's no reason for them not to change that today, since it will be completely compatible with our current system.

Steve Gibson (01:59:02):
The other thing I appreciate about John's post is his sense of time. Everyone is always in a hurry and 10 years sounds like forever, but it'll be here before we know it. And when we get there, it would be nice to find that 419 million more. I P V four addresses have been widely usable for some time. I think the point is it's entirely possible that it might never happen, but it can never happen if we never make it possible and making it possible is not difficult or expensive. So a different look at the same issue. And I, I think it's one that makes sense. You know, Microsoft will challenge change their routing table, Linux, Mac iOS, a whole bunch of other OSS largely already have have a, and once this is, you know, tested and is, is widespread enough, those new blocks of IPS can be made available. So anyway bogans be gone. <Laugh> I think really, it just, it just says that, you know, we were giving him away like crazy and setting him aside. There just there's been no need to set them aside for quite a long time.

Leo Laporte (02:00:31):
Does, so you amend what you said last week about this being a potential disaster. You think you agree with his point of view that doing this? I mean, isn't it gonna be painful for 10 years?

Steve Gibson (02:00:42):
So last week I wasn't thinking of it obviously the way he is. Yeah. Last week I was imagining that in a year, for example, or six months, you know, like the, I ETF TF was gonna make the declaration and say, everybody needs to change, and we're gonna start handing out those one 20 seven.star. I PS, you know, in 2022 or 20, 20, 23

Leo Laporte (02:01:07):
Wait, 10 years. Right. It'll be a minimum amount of pain because by then we'll all be used to the idea. Correct. And, or fixed all the systems that might be well.

Steve Gibson (02:01:20):
Yeah. I mean, so, so the, the natural turnover in equipment will have rendered these things accessible. Mm. And the other point he made is it's different to be a server on an IP than, than to be, for example, a cell phone on an, on an IP, right. The server, because it's offering services to the entire internet needs to be reachable by the entire internet and an IP that an ISP is given to a cell phone. It, it needs to be reachable to the IP. So, so it's a, it different bar of accessibility. And so the point is, he says, you know, you don't, it's like, yes, the certainly the, the, the two 40 slash four IPS, there's no reason not to use them, except windows needs to get changed. Cuz right now it's stomping on that entire network in his routing table. If you do route print in windows, you'll see 2 40 0, 0, 0 is like, it's got four entries.

Steve Gibson (02:02:26):
It just won't go anywhere. But none of the other OSS do. And we know that Microsoft could change that in two weeks in, in, in December's patch Tuesday. So I, I guess I can see his pull if you're not in a hurry, then, then it makes sense to lift the barrier, make it official and see what happens. But if you don't do that today, it will never happen. And we will then forever be wasting 400. And however many it was I P V four S that could be useful to some people. And as he says, it's easy to say, oh, go use. I P V six, but it's, you know, obviously a lot of people don't want to for whatever reason. So anyway, I wanted to show and share the flip side of this, which is that okay? Maybe it looks like something worth doing again. We're not, no one's being forced to do it, but if we don't allow it to happen, it can never happen.

Leo Laporte (02:03:29):
Okay. I like it. So there we've just changed the timeline. That's really, we're looking at a larger scale.

Steve Gibson (02:03:38):
We, we, we we've said, okay, it's not PR to do it tomorrow. Obviously. Maybe it will happen by itself in 10 years. Right.

Leo Laporte (02:03:46):
Although <laugh> somebody pointed out at the rate, we're going to, I P V six, we should be there in about 500 years. Maybe we should wait till then. <Laugh> exactly okay. <Laugh> this is what I love about this show. I mean, I don't ladies and gentlemen, I don't think there's any other show in the world that you would hear this discussion and hear, explain. I think so clearly. And by the way, you know, kudos to Steve for looking further into this, after talking about it last week, I love it. There's a real benefit to this show. Thank you for doing it. I, I appreciate it, Steve. I hope more people listen to it. There's a couple of ways you can consume it. You can, of course, watch us do it live. I think a lot of people do. I hope you would still download it cuz we don't really count the live views, but if you wanna watch us do it live kinda like behind the scenes, go to live.twit.tv of a Tuesday afternoon, right after Mac break weekly.

Leo Laporte (02:04:46):
It's probably around 1:30 PM to 2:00 PM Pacific. That'd be about 4:30 PM Eastern time. That would be 2130 UTC. You could watch us do it. Live chat with us. Live@Ircdottwi.Tv or in the Club TWiT Discord. Then of course after the fact you can get it from Steve. Steve's got copy at his site, grc.com the edited versions in some unique formats to the 16 kilobit version LA he commissions a lane fair to write transcripts. Now that takes what about five to days a week for her to do. She really does hurry them out. You norm normally to do Tuesday, like Thursday afternoon is, is our typ is our typical turnaround. Check those out plus 64 kilo audio that's at grc.com. Steve's website, the Gibson research corporation now paired down to a mere three people, but they've been there for decades.

Leo Laporte (02:05:40):
<Laugh> that's really awesome. That's really awesome. It, it is three people, right? I mean, basically it is three people. Yeah. Three people. Yeah. Yeah. That's awesome. For 30 years you got the right three people 30 plus you can also find while you're there so many great free things information about squirrel his I think brilliant login system that I don't know. I don't know if anybody's gonna adopt it, but well, some have us. I, we have, but, but I, I don't know if the world's gonna adopt it, but it's there. If you need it you can also get the one thing that makes Steve money, which is spin, right? His bread and butter the world's best mass storage, maintenance and recovery utility. You can get it right now. 6.0 is the current version. But if you buy 6.0, now you'll get a free upgrade at six one and you get to participate in the development of it, which has been ongoing.

Leo Laporte (02:06:30):
But it's, I think we're getting, we're seeing the light at the end of the tunnel. Yeah. I'm very excited. No promises, but soon. There's also just like I said, a bunch of free stuff there, including a chance. If you wanna leave him feedback, you can leave him feedback there at grc.com/feedback. Probably better to DM him on Twitter. Those are open his Twitter handle at SG GRC SG GRC. Steve is of course also are kindly letting us put it on our website, twit.tv/sn you can get audio and video there. There's a YouTube channel and you can watch the show there. I think it's youtube.com/security. Now show maybe anyway, go to, you know, if you go to youtube.com/twit, that links to all the show individual show channels, are there easiest way to get it, maybe subscribe in a podcast client that way you'll get it automatically every week.

Leo Laporte (02:07:26):
Even if you watch it live, do that please for us. So that cuz we do count those downloads. And that helps us. All you have to do is find a podcast, client, you like podcast, overcast, apples podcast, Googles cast. There's tons of them and subscribe. And if you're a client allows reviews, please, you heard this show, see, you know how good this is? Give it a five star review. Let other people find it, help them find it. Because everybody ought be listening to security. Now. Now when it's eight to year, I don't know how many years it is. 17 <laugh> we're in 17th. Yeah. Feels like year 17th. Yeah. We're a team. We seem to be an adult. Yeah. We're gonna be an adult <laugh> so thank you, Steve. Have a wonderful week wheel of time. Good show Amazon prime, by the way.

Leo Laporte (02:08:12):
Ah, I heard you're talking about it. You, you said that the first come episodes were not quite there, but you really liked what they've done. So it's often the case especially for a big saga, the first few episodes, it takes a little while to get into it. But episode four, which they just dared on a Friday was amazing. Even if you haven't read the book, I think it's very good. So I love the books. P people grew up reading the wheel of time. Series, love the books. I don't think they'll be disappointed by the show. And a lot of people who haven't read the books, think the show is good. It's on Amazon prime wheel of time. Cool. Thank you, Steve. Okay, buddy. On with a Deb Bogan organiz, <laugh> see you in, <laugh> see you in December. See you in, see you in December. Bye.

Speaker 3 (02:08:56):
Have you ever read a tech news story and thought to yourself, man, I would love to talk to the person who wrote this to find out more information. Well, that's exactly what Mikah Sargent and I, Jason Howell, do each and every week on tech news weekly, we read the stories that matter to us. We reach out to the people, making a break in the tech news and we invite them on to tell their story and you can find it twit.tv. Look for Tech News Weekly, every Thursday

Speaker 4 (02:09:21):
Security. Now.