Security Now Episode 870 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We've got a patch for another Android zero-day, actively exploited vulnerability. We'll find out why President Biden says he likes quantum computing, and we'll find out what this new FIDO initiative with Apple, Google and Microsoft means. Is it more secure? Stay tuned. Security Now is next. Podcasts you love, from people you trust. This is Security Now with Steve Gibson, episode 870, recorded Tuesday, May 10th, 2022: That Passkeys Thing. This episode of Security Now is brought to you by Zentry Security. Remote work is here to stay. Zentry Security's zero trust private access solution is a modern cloud-hosted alternative to a VPN. Enhance your security posture today. Try Zentry Trusted Access with a 30 day free trial by visiting zentrysecurity.com/twit. And by Kolide: get endpoint management that puts the user first. Visit kolide.com/securitynow to learn more and activate a 14 day free trial today, no credit card required. And by privacy.com: Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your financial identity on the internet. Right now, new customers will automatically get $5 to spend on their first purchase
Leo Laporte / Steve Gibson (00:01:40):
when you go to privacy.com/securitynow to sign up today. It's time for Security Now, the show where we cover your security, your privacy, safety, how computers work, anything else Steve wants to talk about, including science fiction. Here he is, ladies and gentlemen, Steve Gibson. Hi, Steve. And we will have a little sci-fi segue, since, if you did see it, as you said you were going to... I did. We can talk about it. Yes, we will talk about that. And today's main topic is a topic, you know, close to my heart. I titled it "That Passkey Thing" after the big announcement of what was World Password Day. It turns out it was not only that, but Cinco, Cinco de Mayo. <Laugh> Yes. And this is sort of a non-announcement announcement. I mean, it was, oh, okay. And in fact, because as we, you and I were talking before we began recording, I sort of have a dog in this hunt because I spent seven years of my life designing a solution which FIDO is still working to solve.
Leo Laporte / Steve Gibson (00:02:55):
I thought, well, I didn't want to get myself involved, but it was the most tweeted thing of the past week. So I thought, well, okay. And if I hadn't invested seven years in designing... You're an expert, obviously. I'd be talking about this. Right. So I shouldn't allow that to dissuade me from doing so. Well, and you're an informed source. I was saying on MacBreak Weekly earlier, I really hope Steve fills us in on this. Yeah. So we're gonna look at a patch to Android to thwart an actively exploited vulnerability. We briefly revisit Connecticut's new privacy law. And we take a quick look at the raft of recent ransomware victims. Not in depth, I just kind of want us to say, look at what's happening. The US State Department has added another ransomware group to its big bounty list.
Leo Laporte / Steve Gibson (00:03:42):
And we look at what's being called the biggest cybersecurity threat facing the United States. Meanwhile, the White House issues a memorandum about the threat from quantum computing, and we have the discovery of a new and pernicious DNS vulnerability that's unlikely to be fixed in our IoT devices. And after looking at F5 Networks' new and quite serious troubles, we'll close the loop with some listener feedback, briefly discuss, or maybe not so briefly, cuz I think you and I will have some things to talk about, the past week of sci-fi news. Then we're gonna finish by looking at the past week's most tweeted-to-me question: what's that passkeys thing that Apple, Google and Microsoft are adopting, the new FIDO Alliance thing? Yeah, the new FIDO Alliance thing. I can't wait. We do have a wonderful picture of the week, thanks to somebody who knows that
Leo Laporte / Steve Gibson (00:04:42):
I appreciate what we would call physical humor. It's quite the head scratcher. It is. <Laugh> I want to talk about our first sponsor before we get into the meat of the show and remind you a little bit about the Colonial Pipeline hacking. Remember that? Ooh, that was the case where the Colonial Pipeline was allowing employees and probably trusted third parties into their network. They were protecting themselves with a VPN. An employee left, had used an insecure password probably to begin with, and through a credential stuffing attack the bad guys got in and brought down a major oil pipeline, a big infrastructure facility that was significant in ransomware annals. Where did they go wrong, you might ask? They went wrong because they didn't do zero trust, because they said, well, if you've got VPN access, you must be okay.
Leo Laporte / Steve Gibson (00:05:45):
Have at it. Clearly not the solution. I've got a better solution for you: Zentry, Z-E-N-T-R-Y, Zentry Security. I think we now know remote work is here to stay. The pandemic sent people home. And of course everybody suddenly knew what a VPN was, right, and started using them. But the VPN really was designed for a very different, probably somewhat less hostile environment. Right. I remember my first VPN, I used to VPN into the radio station down in LA and I had the Cisco app that I had to put on my Mac or my PC, and I had to log into their VPN endpoint. And then I could get into the company network. Therein lies the problem: I could get into the company network, I could now wander around throughout the company network. They assumed, well, if you can get in, you must be an employee.
Leo Laporte / Steve Gibson (00:06:44):
Well, times have changed, right? Threat actors now are going after those remote workforces, and they're doing it with sophisticated phishing attacks. They exploit vulnerabilities in RDP. They're doing credential stuffing. And, you know, if your employee is the weakest link, you might be in trouble. VPNs, the problem is they offer broad network-level access, right? Which allows east-west propagation for authorized users and unauthorized users. Zentry Security solves this. Instead of a VPN, you actually say this user has access to this application in the cloud, in the data center. No complex VPN clients. That's, by the way, another side benefit; it's a lot easier. There's not a lot of configuration, and without any headaches you can give employees, contractors, third parties, regardless of their location, application-level access. Only the specific apps and resources they need, based on globally applied natural language policies you define, the IT department defines.
Leo Laporte / Steve Gibson (00:07:52):
And it's very easy to define the rules. Think of it as, it's probably very similar to the firewall rules you're already writing, but it's very specific. It says, you know, this employee XYZ has access to this app and this app and this cloud data, and that's it. Dispersed workforces get secured, and it is much easier to use for them: streamlined access just to the applications they need to do their jobs, by the way, with a browser, no software for them to install on their preferred device. Every connection, yes, just like a VPN, encrypted end to end, which reduces the attack surface and increases your organization's security profile. So it's a perfect zero trust solution. Everyone wins. Users love it. They don't see a whole list of things they can do. They only see the things that they want to do. Everyone's more productive.
Leo Laporte / Steve Gibson (00:08:43):
You can collaborate. IT has a lot less to support, and you have a lot fewer sleepless nights worrying about somebody wandering around in your network. I think it's a great idea. Enhance your security posture today. Try Zentry Trusted Access, 30 day free trial, if you go right now to zentrysecurity.com/twit. Zentry. I think we couldn't do zentrysecurity.com/securitynow, cuz that would've been confusing. So it's zentrysecurity.com/twit. We thank them so much for supporting Security Now. And also we thank you for supporting Security Now by using that address, zentrysecurity.com/twit. Thank you, Zentry. And now the picture of the week, Steve. <Laugh> So this is a puzzler. For those who are not seeing the podcast or haven't seen the show notes, what we have is a roadway and a large wide sidewalk stretching across sort of a gorge.
Leo Laporte / Steve Gibson (00:09:55):
And on the sidewalk, like to the side, is a bridge, which is sort of the bridge to nowhere. It goes up and then it goes down, but you, you know, you don't have to take the bridge because it just parallels the walking path. And you know, Leo, while you were telling us about Zentry, I was thinking maybe this is of historical significance, you know, this roadway and pedestrian way. It is, it does look, it feels like, from what we can see on the left, like it's over, it's like bridging some gorge or a river or something. Yeah. Maybe once upon a time that little walkway was like down below going across the river. And they thought, well, for historical reasons... Yeah, yeah. Or maybe for the view, it gives you a better view of the whole.
Leo Laporte / Steve Gibson (00:10:52):
Now that <laugh>, maybe, I don't know. If that were the case, you'd put it closer to the edge though, wouldn't you? It's not clear from any of the context of the photo where this is. I can't tell like what country it's in, but our listeners have quite a reach. So I'm calling to our listeners. You may know, you may have walked past this bridge and thought to yourself, what the heck? It looks like on these road signs, looks like there might be Chinese. Oh, you could... Yeah. There are like distant road signs in the background. So if anyone knows what this is, where it is, why it is, it would be interesting to find out. And I'll certainly share that with... Oh, you can almost read that. You almost see, it's either blurry or Chinese.
Leo Laporte / Steve Gibson (00:11:46):
I can't tell. Anyway, so I love the caption that came with this. I tweaked it a little bit, but so here we have this bridge, right, that just doesn't really do anything. You don't have to go up it, you could if you want, but, you know, you're just gonna get back to where you were. And so the caption reads, for our audience, I mean, for this topic: when you don't know what that code does, but you assume it must be important, so you just leave it alone. <Laugh> Yeah. <Laugh> Yeah. Don't pull it out. Yeah. You know, like you might be afraid to remove this bridge, Leo, because it serves a mysterious purpose. Like, as you said, gazing into the hole from a better... Let's find out for sure. Yeah. Yeah. So, but you know, better just, you know, just try to maybe give it a little bit of leeway and just say, well, okay, fine.
Leo Laporte / Steve Gibson (00:12:38):
We're not gonna, we could, you could change your mind today. You'll take the bridge tomorrow. I won't. Either way, you end up in the same place anyway. <Laugh> Thank you to our listener who said, okay, Gibson, you're gonna like this one. Google updated Android to patch an actively exploited vulnerability, not for the first time. This was just their monthly security patch release. It fixed 37 flaws across various components. One of them is a fix to an actively exploited Linux kernel vulnerability that came to light earlier this year. It was a little odd that it took them as long as it did. That vulnerability is CVE-2021, that's, you know, last year's CVE number, 22600. It has a CVSS of 7.8, ranked as high severity because it could be exploited by a local user to escalate privileges or deny service. And as we know, especially in the Android ecosystem where it's not that difficult for malware to be running on your phone, right?
Leo Laporte / Steve Gibson (00:13:48):
I mean, like people download this crap <laugh> from the Google Play Store all the time saying, oh, look, it's gonna improve your cell phone service and squeeze your memory down to give you more memory. And when you're not looking, it's gonna polish your shoes. And someone says, hey, that sounds like a good idea. I want some of that. And so they download it. Well, the app is constrained by Linux security rings, right? Unless the app knows about this CVSS 7.8, it's a high severity exploit, which allows it to escalate its privileges to root and root around in your phone. So the flaw was a double free vulnerability residing in the packet network protocol implementation in the Linux kernel, and, you know, it's kernel wide. So not really just Android. It could cause memory corruption, potentially leading to at least denial of service, or, if you're a clever hacker, execution of arbitrary code.
Leo Laporte / Steve Gibson (00:14:51):
And as I said, it wasn't just Android that was vulnerable. Patches were released by various Linux distros, including Debian, Red Hat, SUSE and Ubuntu, back in late 2021 in December and also early 2022 in January. And it's unclear why Google didn't patch this sooner. Maybe they just figured, well, as far as we know, it's not being used. So anyway, now it is. And so now they did. They said there are indications that CVE-2021-22600 may be under limited targeted exploitation. So last month this vulnerability was added to CISA's Known Exploited Vulnerabilities catalog due to evidence of its active exploitation in the wild. Google also patched three other bugs in the kernel, as well as 18 other high severity and also one critical severity flaw, which was in the MediaTek and Qualcomm components. So, you know, update this. You're gonna... actually, a couple stories today
Leo Laporte / Steve Gibson (00:16:02):
we're gonna have some fun with this issue of updating because, come on, folks. Okay. Connecticut's recently passed data privacy bill became law last Wednesday. I talked about it last Tuesday. I was incorrect in stating last week that Connecticut's governor Ned Lamont would need to sign the recently passed legislation for it to become law. That's normally the way it works. It turns out that the state of Connecticut has a rule that bills which have been passed in the state assembly become law automatically five days after they pass when during a legislative session. So that seems like an expeditious thing to have. We ought all have one of those. So consequently, Connecticut now joins California, Virginia, Colorado, and Utah to become the fifth state to create its own privacy law in lieu, and because, the federal government isn't doing anything about this. And there has been a specific reaffirmation that once that law has ramped up to full strength, that Global Privacy Control signal that we talked about last week, which will now or soon be sent by browsers, must be honored, and specifically without exception and without any further "are you sure" style prompting by anyone with whom Connecticut residents interact online.
Leo Laporte / Steve Gibson (00:17:42):
So, you know, the point being that no one gets hassled with this, like you are now with cookies. You know, if you're sending that GPC signal, the browser cannot by law challenge you about that. Yeah, it just has to say, okay, okay, darn, and go with it. By the way, web 48 49 in our chat room has discovered the location of this bridge to nowhere. It is in Korea, the Dogan bridge in Seongnam city. And it apparently is intended to not go anywhere. When walking along the 72 meter long bridge, passers-by can choose to walk straight on, or, if they, quote, had a little more strength in their legs or a little more time, they could opt to cross over an overpass to get from one end to the other.
Leo Laporte / Steve Gibson (00:18:45):
You could also observe from it the Pangyo Techno Park. <Laugh> No, you got it. You get it. It's an observation point. And what they call an overpass, we should note that it's not passing over anything. It's a sidewalk. <Laugh> Yeah, apparently well known in Korea. And thank you to one of our chatters, web 48 49, who... Fantastic. I love, in mere seconds, I love the reach of our listeners. Let me think of other things I don't know. And we could, exactly, we could ask some other questions. Okay. I promise not to dwell at length, you know, ad infinitum, on ransomware attacks. But my concern is that in honoring that promise to the letter, we're downplaying it. So I decided, okay, from time to time, I'm just gonna kind of give people a sense for it.
Leo Laporte / Steve Gibson (00:19:42):
So for example, Trinidad's largest supermarket chain was crippled by an attack. The German library service is struggling to recover from a ransomware attack. A major German wind farm operator confirms a cybersecurity incident, which was ransomware. Austin Peay State University in the US was hit with ransomware. The ADA, that is our American Dental Association, confirmed a cyber attack after a ransomware group claimed credit. Coca-Cola is investigating claims of a hack after a ransomware group was offering their stolen data for sale. Oops. Conti ransomware has deeply crippled the systems of the electricity manager in a Costa Rican town, and the newly elected president of Costa Rica has since declared a state of emergency as a consequence. The agricultural equipment maker AGCO has reported a ransomware attack. A cyber attack has taken down the network at the State Bar of Georgia, and classes have resumed at a Michigan community college
Leo Laporte / Steve Gibson (00:20:50):
after a ransomware attack. And classes at Kellogg Community College will be resuming tomorrow after two days of outages caused by a ransomware attack. In Battle Creek, Michigan, nearly 7,000 students were told last Monday, May 2nd, that ransomware had crippled its systems. The previous Friday, April 29th, the school was forced to shut down its main campus in Battle Creek, as well as branches in Coldwater, Albion and Hastings. So there's your snippet. What it tells you is it's so commonplace now that it's not worthy of note, right? Yes. It's just like, it's bad and it doesn't seem to be getting any better. But I just wanted to sort of like put a little punctuation on this. It is not because I'm not talking about it; it doesn't mean it isn't happening. Oh no. And that this isn't like a really big problem. And which leads us to our next story.
Leo Laporte / Steve Gibson (00:21:46):
The US State Department is offering a $10 million reward for information about Conti members. The US State Department has begun offering $10 million rewards, plural, for it. So it's not just a first take, first come first served. You can, you know, there'll be a line, for any information leading to the identification or location of people connected to the Conti ransomware gang. And in addition, you can get an additional $5 million reward if any information you provide does lead to the arrest or conviction of a Conti member. So a total of $15 million to anyone who can turn in a member of the Conti gang, and, you know, this is US dollars, 10 million, 15 million of them. You gotta think that this would make anybody associated with Conti quite uncomfortable. You know, there must be others outside of the immediate gang who are not themselves criminals, so they don't face prosecution, but to whom members of Conti have bragged about, you know, like just, you know, over drinks or, you know, who, you know, <laugh> I keep trying to say pillow talk, but no.
Leo Laporte / Steve Gibson (00:23:19):
So in a statement on Friday, State Department spokesman Ned Price told us something we already know, that Conti has been behind hundreds of ransomware attacks over the last several years. He said, quote, the FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware, with victim payouts exceeding $150 million, making the Conti ransomware variant the costliest strain of ransomware ever documented. The memo also notes that the group has recently claimed credit for that wide-ranging ransomware attack that targeted the government of Costa Rica as it was transitioning to a new president. The attack crippled the country's customs and taxes platforms alongside several other government agencies. And as I noted before, the attack also brought down one Costa Rican town's energy supplier. Conti also attacked, as we had documented at the time, Ireland's Health Service Executive a year ago, back in May of 2021, which resulted in weeks of disruption at the country's hospitals. Ireland refused to pay the 120 million ransom and now estimates it may end up spending 100 million recovering from the attack. Although, as I recall, Leo, I think that was the one where they were like gonna get all new computers as a result. So it was like, eh, yeah, nice. Maybe they're milking their insurance company a little harder than they should. Oh, that's the old computers. That's what I know.
Leo Laporte / Steve Gibson (00:25:19):
The group similarly crippled dozens of hospitals in New Zealand, and the group has made a point of targeting US healthcare and first responder networks. They're not nice. Oh, and they're Russian, by the way. Including law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the last year, so says the FBI. The group has suffered a number of internal breaches over the years, the most notable of which occurred a few months ago in February, after it expressed public support for Russia's, no surprise, invasion of Ukraine. Within a few days of the message, the gang's internal Jabber, you know, XMPP server, which carried their private messaging channel, was hacked, and two years of the group's chat logs appeared on a new Twitter handle called ContiLeaks. The leaks revealed the group's inner workings and illustrated the way they chose their targets.
Leo Laporte / Steve Gibson (00:26:22):
However, those leaks did nothing to slow the group down. Last Wednesday, they added New York based architecture firm EYP to their list of victims. So Conti now joins the ranks of those carrying a serious bounty on their heads. Last November, the US State Department offered a $10 million reward for any information that would lead to the identification and/or arrest of members of the DarkSide ransomware group, with a similar bounty on the operators behind REvil, also, you know, the Sodinokibi malware. So this is an interesting tactic that, I have to imagine it would be effective. US dollars are valued globally still, unfortunately. And again, if nothing else, you have to imagine that this, you know, would weigh on the minds of anyone choosing to participate. If they get in, they've gotta be very circumspect within their own social sphere because, you know, here's the US dangling $10 million just for turning you in, and that's real money.
Leo Laporte / Steve Gibson (00:27:45):
So frustrating. One of our chatters just sent me a link to a BleepingComputer article about a college in Illinois, Lincoln College, one of the historically black colleges in rural Illinois, closing after 157 years. It survived a major fire in 1912, the Spanish flu, the Great Depression, two world wars, the 2008 global financial crisis. But after two years of pandemic and finally getting hit by ransomware, they decided to shut down after 157, wow, years. That is horrific and tragic, just tragic. A cyber attack in December thwarted admission activities, hindered access to all institutional data, creating an unclear picture of fall enrollment, this fall's enrollment. And so they're shutting down. Wow. Wow. Well, and we've covered, when the ransomware was attacking the healthcare industry, it was clearly damaging the lives of people. You know, people were being hurt by the healthcare providers. So it's so sad. Now they're going after schools. Yep. Ugh. Yep. Okay. So what's the worst threat the US faces? It's from the Winnti group, W-I-N-N-T-I, the Winnti group, also known as APT41. APT, of course, is advanced persistent threat.
Leo Laporte / Steve Gibson (00:29:22):
Just how advanced and persistent are these threat actors? Researchers with Cybereason recently briefed the FBI and the DOJ about Operation CuckooBees. Funny name, not a funny operation. This is an ongoing espionage effort by Chinese state-sponsored hackers with the charter to steal proprietary information from dozens of global defense, energy, biotech, aerospace, and pharmaceutical companies. The specific individual organizations affected were not named in Cybereason's report, but they allegedly include some of the largest companies in North America, Europe, and Asia. And the threat actor behind it all is the prolific Winnti group, also known as APT41. Cybereason's CEO Lior Div said that the most alarming aspect of the investigation into Operation CuckooBees was the evasive and sophisticated measures used to hide inside the networks of dozens of the largest global manufacturing companies in North America, Europe and Asia, dating back
Leo Laporte / Steve Gibson (00:30:44):
as far as 2019. Lior said, quote, the group operates like a guided missile. And once it locks onto its target, it attacks and doesn't stop until it steals a company's crown jewels. Winnti pilfered thousands of gigabytes of data, and to add insult to injury, also made off with proprietary information on business units, customer and partner data, employee emails, and other personal information for use in blackmail or extortion schemes at a time of their choosing. Cybereason said that throughout its 12 month investigation, it found the intruders took troves of intellectual property and sensitive proprietary data, including formulas, source code, R&D documents and blueprints, as well as diagrams of fighter jets, helicopters, missiles, and more. And remember, China. The attackers also gained information that could be leveraged for use in future related cyber attacks, like details about companies' business units, network architecture, user accounts and credentials, employee emails, and customer data.
Leo Laporte / Steve Gibson (00:32:12):
This group gets in your network, you're hosed, basically. And of greatest concern, according to Cybereason's CEO, was that the companies had no clue they had been breached. In a pair of detailed reports, Cybereason attributes the attacks to Winnti based on an analysis of the digital artifacts the group left behind after its intrusions. Several other cybersecurity companies have also been tracking Winnti since it first emerged 12 years ago in 2010. And researchers have observed that the hackers are clearly operating on behalf of China's state interests while specializing in cyber espionage and intellectual property theft. The group used a previously unknown and undocumented malware strain called DEPLOYLOG, as well as new versions of malware like Spyder Loader, PRIVATELOG and WINNKIT. The malware included digitally signed kernel-level rootkits, as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected.
Leo Laporte / Steve Gibson (00:33:36):
The group also managed to abuse the Windows Common Log File System, CLFS, which allowed the intruders to conceal their payloads and evade detection by traditional security products. CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and has been included in all subsequent Windows OSes. Cybereason explained that, quote, the attackers implemented a delicate house of cards approach, that was their term, meaning that each component depends on the others to execute properly, making it very difficult to analyze each component separately. And unsurprisingly, Operation CuckooBees generally took advantage of existing weaknesses, including unpatched systems. I know. <Laugh> Yes. Thank you. Insufficient network segmentation, unmanaged assets, forgotten accounts, boy, and lack of multifactor authentication. In other words, stupid oversights. Yeah. Not easily remedied. Easily. Yes, exactly. Cybereason said that the attackers generally obtained their initial foothold in the organizations through vulnerabilities in enterprise resource planning, you know, ERP, platforms. Last month, the FBI's director, Christopher Wray, told 60 Minutes that the biggest threat American law enforcement officials face is from Chinese hackers stealing proprietary information.
Leo Laporte / Steve Gibson (00:35:34):
He said that the FBI opens a new China counterintelligence investigation about every 12 hours. Oh my God. Think about that. Oh my God. Every 12 hours, another new Chinese counterintelligence investigation is opened by the FBI. Wray said that, quote, they are targeting our innovation, our trade secrets, our intellectual property on a scale that's unprecedented in history. They have a bigger hacking program than that of every other major nation combined. Wow. They have stolen more of Americans' personal and corporate data than every other nation combined. It affects everything from agriculture to aviation, to high tech, to healthcare, pretty much every sector of our economy. Anything that makes an industry tick, they target. There is a difference, though, between this and the ransomware gangs we were talking about earlier, which are actually trying to steal from companies and bring them to their knees. This sounds like it's intellectual property theft.
Leo Laporte / Steve Gibson (00:36:59):
Yes. That the Chinese hackers aren't trying to destroy us or destroy our industry. They're just trying to find out how we make things so they can make 'em cheaper, things like that. And admittedly, there's an economic consequence to that, but that's not nearly as offensive as the Conti group. Right. Or am I wrong? Well, when you're digging into our military industrial complex... Well, if they go after the military, you're right. That's different. Cuz then that has... And they're in there. Yeah, they're in. That's... If the military's getting hacked cuz they haven't patched and they're not using two factor, we have other reasons to be upset. And Leo, we have other reasons to be upset. Yes. And we're gonna get upset about something else in a minute, I'm sure. We are, you know, we're a good team, Steve, because you scare the pants off our audience <laugh> and then I show up with the solution.
Leo Laporte / Steve Gibson (00:37:55):
It's perfect. Exactly. That's why we have so many security advertisers. <Laugh> Like Kolide, which is a really cool idea, by the way. I want to tell you about... I presume you're ready for a break. I'm not stealing this away from you. Nope. Okay. Kolide has a great, had a great idea. So many businesses, ours included, use Slack to communicate, right? Also there's this problem, which is a lot of times, and I think we've learned this lesson, IT departments, they come in, they lock stuff down, right? That's the sensible thing to do. Fill all the USB ports with crazy glue and, you know, stuff like that. But there is a problem because the users aren't too happy cuz they're being forced to do stuff they don't understand. They don't really understand what the issues are. And then what happens is users start using their own stuff, their own devices. They all have laptops.
Leo Laporte / Steve Gibson (00:38:52):
They say, well, my laptop is so locked down by IT, I'm gonna use my own. And now we have a whole nother kettle of fish. Wouldn't it be great if you could get endpoint management that users bought into, that they understood, that they said, yeah, oh, I'm gonna do that, that's a good idea? It's possible. And that's what Kolide has. It's a new take on endpoint management that asks the question, how can we get end users more involved? The old school device management, MDM, locks down your devices without considering employees' needs, or even, you know, attempting to educate them about why you're doing what you're doing, or enroll them as your support. You know, imagine if your security team was expanded to include every employee in the enterprise. Wouldn't that be great? Well, that's what Kolide does. It's built by like-minded security practitioners who in the past have seen just how much MDM was disrupting end users, and how often end users would get so frustrated.
Leo Laporte / Steve Gibson (00:39:53):
They just switch to personal laptops and not tell anyone. And that is even worse. Kolide is different. Instead of locking down a device, Kolide takes a user-focused approach. Now I know this is sometimes hard to get by, especially for some of the old school IT folks: user focused? Not on my watch. <Laugh> What do they know? But you see, if you can get your users to be part of your security force, it's so much better. What happens is Kolide communicates security recommendations to your employees right there on Slack in a friendly way. Look at the Kolide webpage; there are some very good examples of this. So instead of locking down a device, as Kolide is set up, they'll experience Kolide right at the very first, because it's a guided process: okay, let's install Kolide. It starts with the end users installing the endpoint agent on their own.
Leo Laporte / Steve Gibson (00:40:48):
Okay, come on, we're gonna install Kolide together. I know that sometimes we say, oh no, no, we can't let the end users do this. But honestly, if you can get them to go along, your job is much, much easier. Security goes from being IT says what goes, and that's that, a black and white kind of state, to a dynamic conversation. And so the first Slack message they get from Kolide says, okay, let's install this endpoint agent, here's why you need it. From there, Kolide regularly sends employees recommendations anytime their device is in an insecure state. So if, for instance, they take off the password on their screen lock, then they'll get a message saying, hey, I see you don't have a password on screen lock. Let's set that up, because that way somebody can't come over and use your machine while you're at lunch.
Leo Laporte / Steve Gibson (00:41:36):
That kind of thing, nuanced issues that are hard sometimes for us to communicate. Although if you listen to this show, you probably have some pretty good ideas, but things like asking people to secure two-factor backup codes because they just left them in their download folder in plain text, that kind of thing. And it'll actually notice that. And it'll send 'em a message saying, hey, I notice you've got this file in your download folder that has all your passwords, your two-factor keys in there. You might wanna do something about that. Can we help? Can we do that? Let's do that together. Because it's talking directly to employees, Kolide is educating them about the company's policies and how to keep their devices secure, using real, tangible examples. These aren't theoretical scenarios. They're things that are actually happening on that computer right now.
Leo Laporte / Steve Gibson (00:42:24):
Cross-platform: it works on Slack for Linux, Mac and Windows. It puts end users first. As your team uses Slack, you gotta get Kolide, endpoint management that puts the user first. K-O-L-I-D-E, kolide.com/securitynow. You can learn more. You can activate a free 14 day trial. There's no credit card needed. K-O-L-I-D-E, kolide.com/securitynow. You'll also get a goodie bag of Kolide swag after signing up for a new trial, just some fun stuff, you know, stickers, that kind of thing, mugs, t-shirts. I think it's a really, really good idea. I love this. K-O-L-I-D-E, kolide.com/securitynow. That way your security team is everybody who works for you. Kolide. All right. I'm ready to talk about quantum computing. And in fact, for a long time I've been wanting to ask you how I see...
Leo Laporte / Steve Gibson (00:43:21):
I look at this and, to me, it looks like Google and everybody, it's just a way to get money from the feds. Like, they aren't really... are we close? No. No. Okay. So this one made me shake my head. Okay, the headline was: White House wants nation to prepare for cryptography-breaking quantum computers. Okay. To give everyone a sense for this, the reporting on this, which appeared in The Record, started out saying a memorandum issued Wednesday by President Joe Biden orders federal agencies to ramp up preparations for the day when quantum computers are capable of breaking the public key cryptography currently used to secure digital systems around the world. The document, National Security Memorandum 10, so of course we have to have initials, right, NSM-10, calls for a whole of government and whole of society strategy.
Leo Laporte / Steve Gibson (00:44:27):
Well, let me get right on that. Whoa. Yeah. For quantum information science, that's QIS, including the security enhancements provided by quantum-resistant cryptography. Uh-huh. So, well, that's one reason I switched from RSA to, what is it, S CD 50,000, whatever it is, the crypto, the elliptic curve. I don't know what I'm doing, but that's why I changed my SSH keys. Right. So is that more quantum resistant? I was looking at this and I was thinking, okay, why don't we just cure cancer? <Laugh> And I thought, oh, wait, that's what Biden was gonna do. Oh, while he did it. Yeah. Barack's VP. We were gonna do that. I know, how'd that work out? <laugh> But seriously, okay. I did Ed25519, right? That's the keys I should use, right?
Leo Laporte / Steve Gibson (00:45:25):
Yes. Okay. So he's ordering the federal government to ramp up preparations for a day when quantum computers are capable of breaking public key cryptography, which, by the way, doesn't yet exist. Right. And we don't know when it will exist, right? No, it's like fusion energy, someday. Well, actually that's in the notes, Leo. Yes. The federal government is apparently unable to update its own software when being handed patches to do so. That might be more important. Someone somewhere says, eh, not today. We haven't yet secured our computers for technology we already have against attackers we already have. So I don't know, how about having the White House use a memorandum ordering the various agencies of the federal government to please just reboot their computers? Even that would be a step forward.
Leo Laporte / Steve Gibson (00:46:35):
How would that be? You know, we would actually get more security right now, today, if we did that. And as to your point, yes, sure, quantum computing technology shows promise, but let's remember that it's been showing promise for quite some time. We've had nascent quantum computing technology since around the late 1970s. So for more than four decades it's been intriguing and interesting. And it's been moving forward gradually, you know, like most really big problems do. And like fusion power? Exactly like that. And the federal government should absolutely be funding ongoing research in universities to allow our nation's brightest young minds to continue pushing this frontier forward. There's clearly something tantalizingly possible there. And I agree that we should not forget that we have adversaries. As we know, China is also working hard on this problem. So Leo, if we patch and reboot our computers, we might be able to keep them from stealing it once we figure it out.
Leo Laporte / Steve Gibson (00:47:56):
<Laugh> Wow. But yes. Wow. It absolutely is the case that at some point in the future... I think right now the most I saw was four qubits we were able to deal with. I kind of have a hazy sense that I saw something about more, but I mean, it doesn't scale linearly. Like, if you get four, you can't simply say, oh, let's use 128 of those to get 512. No, you can't do that. So we are so far away from this actually being a threat. So I just scratched my head. It's like Joe Biden is issuing a memorandum telling us to scale up our preparedness when we cannot reboot our servers. It's not a bad idea by itself, but it's not maybe the first thing we should do there. IBM says they've got a 127-qubit device.
Leo Laporte / Steve Gibson (00:49:01):
Ah, that may be what it was that I remember. Yeah. Yeah. IBM's selling these now. You can, $1.60 per runtime second on their 27-qubit Falcon r5 processor. I mean, so maybe it's happening. I don't know. I don't know what you could do with 27 qubits. Can you... No. Basically you can absolutely simultaneously solve a symmetric crypto that uses an eight-bit key, I think, is what it goes down to. So we gotta get to more than a thousand qubits before, yes, we're in trouble. And am I right saying that if I did Ed25519, that... Yes. The concern is that the one thing which has been protecting us, the RSA crypto, is that we don't know how to factor big numbers.
Leo Laporte / Steve Gibson (00:50:06):
Right? So the concern is a quantum computer could theoretically kill the factorization barrier, right. I mean, that was the trap door. You could only go through one way, and the worry is that a quantum computer could just go, oh, you wanna factor that? Here. I mean, it doesn't even take any time, just, here, here's the factors. Yeah. Yeah. So we're wanting to get away from a crypto that is based on the multiplication of two primes that you're then unable to factor. Well, elliptic curve crypto, is that okay? So you've got enough bits of elliptic curve crypto, and we're not worrying about factorization any longer. I think I'm doing 512, no, 500. Yeah. It's weird. It's 521 bits for some reason. <Laugh> I don't know.
Leo Laporte / Steve Gibson (00:51:00):
I dunno what that means, but like I said, I just put in the formula. That's all. That's good. Okay. And that's what's so easy about this. And this has been the point I'm making: we have all the tools, all the toolkits are there, all the work has been done. The academic guys have pounded on it, and they've said, here you go. And so all it takes now is just plugging these in and using them correctly. And unfortunately, well, and not making any bad mistakes, which continues to dog us. Mm-Hmm <affirmative>. Okay. As I've often said, I am stunned by the elegance and fundamental simplicity of the Internet's design. It was so beautifully conceived in the beginning. But as we know, it's not without a few blemishes. One of the original sins of the Internet's early design was, and still is, a lack of entropy in some fields which are critically important.
Leo Laporte / Steve Gibson (00:52:03):
This entropy is crucially necessary for robust attack resistance. And in defense of the Internet's early designers, the last thing they were thinking about while they were trying to get this whole thing to go was active and aggressive adversaries. They were trying to keep coincidental things from causing a problem, which is very different from preventing an active aggressor from leveraging their design to create mischief. That wasn't on their map at all. So they designed and built beautiful technology which has, against all odds, withstood decades of explosive growth, being put to use in applications they could never have, and didn't ever, imagine. But we got a few problems. For example, the endpoints of a TCP connection are identified only by an IP address and a port number. And the progress of the connection's data flow is tracked by a 32-bit sequence number.
Leo Laporte / Steve Gibson (00:53:25):
In the early days of this podcast, we examined how the predictability of the sequence numbers being issued by TCP/IP software stacks could be weaponized and used by attackers to splice into existing TCP connections. Since nothing identified the other endpoint other than its source IP address and source port, TCP packets carrying spoofed source IP and source port, and guessing a sequence number that would be expected by the receiving endpoint, could, and did back then, succeed in injecting malicious traffic into established TCP connections. Another quite famous lack of entropy may, and often does, exist in DNS queries. Being UDP, the spoofing task is much easier. If a DNS client emits a query to a DNS server having a knowable IP address, and if the 16-bit source port of its query and the 16-bit transaction ID are predictable, it's not difficult for an adversary to jam a bogus DNS reply back into that client which looks identical to the reply it's expecting to receive from the authentic DNS server.
Leo Laporte / Steve Gibson (00:55:02):
And as we know, this form of DNS cache poisoning spoofing attack can have devastating consequences. The IP being looked up will be altered and traffic will be silently redirected. It was the realization of that which hit Dan Kaminsky back in 2008, where nearly all DNS servers in the world were vulnerable to exactly that attack because their queries had very low effective entropy, that caused the world to secretly prepare and then synchronize a simultaneous global update of all affected DNS servers. It was a great example of global coordination, but we missed something, something that today afflicts many IoT devices, such as routers by Linksys, Netgear and those loaded with OpenWrt firmware, as well as Linux distributions like Embedded Gentoo. This exposes many millions of IoT devices right now, today, once again, to this once-solved security threat. What we missed, or at least weren't worrying about 14 years ago, was that it's not only DNS servers and our desktop operating systems which emit DNS queries.
Leo Laporte / Steve Gibson (00:56:42):
They were all fixed, but many other low-end IoT devices also emit DNS queries. And we forgot about them. Maybe it wasn't a big problem or concern back then, but the crucial fact is the lesson of the need to deeply randomize source port and transaction query IDs for DNS was not learned well enough. Nozomi Networks Labs discovered a vulnerability, now being tracked as CVE-2022-30295, which affects the DNS implementation of all versions of uClibc and uClibc-ng, which are very popular C standard library replacements used in many IoT products. You know, the C standard library is this big library which is very capable, highly cross-platform. You can compile it for just about anything, but it's huge. And it does way more than a little IoT product with tight memory constraints needs. And then, for example, it supports memory mapping, which embedded IoT... there's a uClinux that specifically doesn't have memory management, because a little embedded product isn't swapping stuff in and out of RAM.
Leo Laporte / Steve Gibson (00:58:26):
So this uClibc and uClibc-ng are what embedded Linuxes use. The flaw, which was found and fixed in all major DNS servers back in 2008, is the predictability of transaction IDs in the DNS requests generated by the library. In the show notes, I have a picture of the code from uClibc, where we can see a variable, local_id++; Well, that's a post-increment operation, and since you're doing nothing but that on that particular instruction, it simply increments the value of local_id. The next line reads local_id &= 0xFFFF; Okay. So that masks and retains the lower 16 bits of the value local_id. So essentially what it does is local_id is incremented.
Leo Laporte / Steve Gibson (00:59:48):
And that AND operation, the logical AND of the lower 16 bits, deals with the overflow when it tries to go to a 17th bit; it discards that. So we wrap from 65535 back around to zero, because those transaction IDs are 16 bits long. In other words, what this does, of course, is produce absolutely sequential DNS query transaction IDs. The problem that took the wind and the breath out of the entire network world 14 years ago is present in this library, and apparently has been since its beginning. While I was doing a bit of background research into this uClibc, I found that the original pre-forked uClibc's last update was May 15th, 2012. So 10 years ago, exactly, this coming Sunday. Because this library had become unsupported, it was forked to create uClibc-ng.
Leo Laporte / Steve Gibson (01:01:10):
Presumably NG stands for next generation. The good news is that one's being actively maintained, but under its home page's history section, talking about the history of uClibc-ng, it explains: uClibc-ng is a spinoff of uClibc from Erik Andersen, and then from http://www.uclibc.org. Our main goal is to provide regularly, which in their writeup was misspelled, a stable and tested release to make embedded system developers happy. The first release 1.0.0, with the code name Leffe Blonde, was made while visiting FOSDEM 2015. It was prepared in a hotel room in Brussels on the 1st of February 2015. All releases are prepared while drinking a pint of Belgian beer since then. Because, you know, Leo, that's what you want in the replacement for the standard C library that everyone's embedded IoT devices are using, is for it to be maintained by a drunken Belgian.
Leo Laporte / Steve Gibson (01:02:42):
The idea to fork uClibc started in July 2014, they wrote, and was discussed on the Buildroot and OpenWrt mailing lists. Okay, so we've identified a well understood flaw that has been present in embedded Linux based IoT devices which use the uClibc library or the uClibc-ng library for the past decade or so. Apparently no one thought to look before now. Now the world knows. I'm pretty sure that the OpenWrt folks will get on this and fix it, because that's who they are. The fix, after all, is trivial. The transaction ID sequence simply needs to be unpredictable, and it needs to be unpredictable per instance of that device booting, right? You can't just make a fixed pseudo-random sequence, because anyone can reverse engineer the firmware, see what the sequence is, and then go back to predictability. An embedded device without a good source of local entropy, which a really low-end, you know, IoT electric plug, for example, might have or might lack, could, as it's starting up, use something like high resolution packet timings to obtain an unpredictable seed: send out some pings to some known static IPs and time their return at the device's full resolution clock speed. That will generate a value that's unknowable by any external attackers.
Leo Laporte / Steve Gibson (01:04:35):
Then use that value to key a simple symmetric cipher which encrypts the sequential counter. That will produce a per-power-up, per-boot unpredictable sequence that no one on the outside can know. What we don't know is everywhere this embedded library has been used in embedded Linux systems. We don't know whether Netgear and Linksys, which both use it, will care to update, and, most importantly, where and how this flaw will surface in the future. But the bad guys will make it their business to know, because that knowledge is valuable to them.
Leo Laporte / Steve Gibson (01:05:26):
And this is the legacy we're building which most worries me: the growing number of well known problems that are accruing, mostly under the radar, and which are not being diligently fixed. These things don't go away on their own. They accumulate. What's happening over time, and mark my words, is that one of the favorite vehicles of fiction writers, which is that anything can be hacked, offensive as I have always found that idea, is gradually becoming true. Anything can be hacked, and this is another perfect example of the way it's gonna happen: little by little and bit by bit. A problem like this, you know, just doesn't really rise to the level of a, oh my God, run around, house on fire, like we saw with the DNS servers. But the same problem is in all the other little things that are making DNS queries, and that could easily have their query poisoned by somebody who wanted to do that, which would relocate whatever traffic they were looking at to an attacker controlled IP, rather than where it should be going. And Lord knows then what mischief they can get up to. And you can't even count the hundreds of millions of devices running an embedded Linux that probably use this now known to be defective uClibc library.
Leo Laporte / Steve Gibson (01:07:15):
Well, we're not gonna be running out of things to talk about, Leo, that's clear. F5 Networks remote RCE. So here's another example of a serious vulnerability that's far more high profile and should get the attention of anyone using F5 Networks' so called BIG-IP equipment. We've, you know, they've had problems before; we've talked about them before. But both we and the bad guys already know that patching is badly broken and that there will be F5 BIG-IP equipment online which remains unpatched. Remember that list of ransomware victims from earlier? This is exactly where attacks such as those begin. Last Wednesday, on May 4th, F5, a major cloud security and application delivery network provider, released patches to repair 43 bugs spanning its products. Of the 43 issues they addressed, one is rated critical, this one, 17 are rated high, 24 medium, and one is rated low in severity. But that critical one, oh baby, it carries a CVSS of 9.8, which arises from a lack of an authentication check which will allow attackers to take control of an affected system.
Leo Laporte / Steve Gibson (01:08:50):
As we're seeing more often now, the flaw took only a few days to reverse engineer, and a working proof of concept has been made public. So the use of terms such as might, may or could in F5's bureaucratically worded disclosure should be replaced with will, did, and have. They wrote: this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system, through the management port and/or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. Uh-huh. And this security vulnerability appears to be longstanding, since it affects all six most recent major version release chains, version 11 through version 16. It doesn't appear that they'll be patching the oldest two major versions, 11 and 12, since patches for the iControl REST authentication bypass flaw have been released for versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5, leaving the 12-whatever and 11-whatever vulnerable but unpatched.
Leo Laporte / Steve Gibson (01:10:35):
So we can expect CISA to soon add an alert and a mandatory update commandment for this to their growing catalog of known exploited vulnerabilities. And in fact, they just added five more to that catalog, three for which patches were made available in 2014, one in 2019, and another last year. Yet all five are now under active exploitation, even eight years after having been patched, in the case of those three that were patched in 2014. So, wow. We need to patch and reboot. Okay. A couple pieces of closing the loop feedback from our listeners. Someone whose name on Twitter is Let's Beate, he said, hi... Yeah, Let's Beate <laugh>. Hi Steve, longtime listener. He said, I just wanted to share this image. When I tried to change my PayPal password, I was shocked by this error message for obvious reasons.
Leo Laporte / Steve Gibson (01:11:51):
And it is kind of entertaining. So this is, you know, I'm an avid PayPal user. They're a great solution for the problem that they're there to solve. So this is the change-your-password dialogue, and first they want you to confirm your current password. That's good. And he's done that. Then it says, enter your new password. Keep your account more secure. Don't use your name. Good thinking. Okay. <Laugh> Yeah. And then he put in a password which it didn't like, and then it explained why. It turned it red with a red, you know, emergency symbol: your password can only contain letters, numbers, and these characters, and there's 10 of them. And I thought, what? They looked familiar to me. Sure enough, they are the shifted numeric characters on a... Oh, interesting.
Leo Laporte / Steve Gibson (01:12:53):
A Western, whatever you call it. Yeah. You know, a range: exclamation mark, tilde, left and right parenthesis. They leave out tilde for some reason. Interesting. I don't have tilde in my... Oh, it's to the left of... What? You're right. It's just one through zero, you're right. Yeah, yeah. Yeah. So it's exactly the shifted one through nine and zero. Oh, that's better keys on our keyboard. I see this a lot. I think so you can't do colon or semicolon. Yeah. Apostrophe or double quote. You can't use the curly braces or the squares. Apparently you can't use dash, plus, underscore or equals. That's weird. No tilde, no back apostrophe. Yeah. It's like no vertical bar or backslash. Why? Why no forward slash, question mark? You can't use greater-than or... I mean, they've discarded a whole bunch of really good ones.
Leo Laporte / Steve Gibson (01:13:45):
Why? So, yeah. That's the question. Why? Let's Beate, I agree with you. Let's burn it. <Laugh> I don't get it. So, which, burn it. Weird now. And I should note, if we didn't have browser based hashing, then you'd have to think they were sending this back to, you know, central some cars <laugh> yeah, who says no, no, no, no, I don't know how to pronounce that squiggly one. So we're not gonna have a tilde. You know, nobody knows what a tilde is, so it's like, okay, wow. Yeah. Again, there is no logic whatsoever to them excluding those. Someone whose handle is Adrian Terry, he said, re feedback on 869's Moxie's knock-knock: one can minimize their exposure of things on the internet without punching holes on their NAT routers. On 833, you mentioned a couple of more options to overlay networks other than Tailscale that might enable one, even on a home residential IP, to be able to interconnect their devices across the internet, even with their IPs changing. And you are absolutely right.
Leo Laporte / Steve Gibson (01:15:06):
I wanted to make sure I mentioned that. I thought that was, you know, thank you for the tweet. He's of course right that this new class of so called overlay networks, you know, Hamachi was the first one that appeared, and now there's a whole bunch that are free, in the public domain and, by all appearances, great looking. That is another way to allow a roaming device to participate in an overlay network which is being maintained by some machine on your network or a router on the border, and not have to do any sorts of hole punching. So again, thank you. And then Bob Grant asked, hi Steve, thank you for your recommendation on McCollum, meaning Michael McCollum. He said, can you suggest a good starting point for reading him? And I think I'd start with his Gibraltar trilogy.
Leo Laporte / Steve Gibson (01:16:03):
I think that was the first one that we all read here on the podcast. You know, Michael McCollum writes old school hard sci-fi, where, for me... No otters drifting down rivers, is what you're saying. <Laugh> We'll talk about that in a minute. Yes. Yeah. The joy is in his plot devices. You know, I love being surprised, and I have always found Michael's work to be full of delightful moments. And to your point, Leo, speaking of sci-fi, I told our listeners that there would be the first episode of a new Star Trek series that I had great hopes for, Strange New Worlds, premiering last Thursday. It did. I watched it, and I loved it. Aw. It's very much in the old school. Every episode has a beginning, middle and end. Yep. There's a moral at the end, you know, very much like the original series.
Leo Laporte / Steve Gibson (01:17:12):
I thought... there's even apparently a fist fight with aliens. <Laugh> You gotta have that. You gotta have that. Yeah, no red shirt guys, but other than that, Spock gets to do his Vulcan neck tweak, and gets a good line off on it too. Yeah. So we do have a young Spock and a young Uhura. Spock is perfect, I have to say. Yes. Yeah. And we have yet to see, but they mentioned, I don't know if you noticed this, a Lieutenant Kirk on board. Oh, no. Well, no, he did come on board toward the end. Oh, did we see him? He... I believe that our Kirk, James T. Kirk, had a brother, as I recall. Oh. And I think that when they talked about Lieutenant Kirk, I thought, what?
Leo Laporte / Steve Gibson (01:18:00):
Yeah. But it wasn't James. And a young Nurse Chapel. Yes. A young Nurse Chapel. Anyway, Lori was a bit confused about the timeline on this. And so I had explained to her that this was a prequel, yeah, to the original Kirk series, but only like 15 years before. Right. Because, well, Pike was the previous captain of the Enterprise, right, to whom Spock had loyalty, right, which superseded his to his own captain Kirk at the time, and the Federation. Spock stole the Enterprise, right, in that episode. Right. And boy was Kirk pissed off. The pilot was a pilot, wasn't it? Or was the second pilot. It was a pilot that was never aired. The pilot was never... never... Okay. Yes. And anyway, I loved it.
Leo Laporte / Steve Gibson (01:18:55):
It's not... somebody's asking, is it the alternate timeline? It is not the new reboot timeline. It is the original series timeline, right. It is a prequel. It's a prequel. Yes, it is not this new rebooted movie timeline. Right. No, this is very traditionalist, except for the graphics are updated, you know? Oh God, the bridge looks nice. Something about me, I don't know, I was getting choked up at various points. It's just so exactly right. So far Spock is perfect, I think, in that he's just very Spock. Yes. And I like Pike. I think he's got the right good hair mixture. Good hair. Yep. Yeah. And he's got humility, and that's perfect. Okay. Fine. Anyway, I'm very, very, very, very, very hopeful. We're only gonna get 10 episodes.
Leo Laporte / Steve Gibson (01:19:47):
So if you wanted to, first of all, you could sign up, if you wanted to pay Paramount, for what is $5 a month or something, for cheap, three months, I think. Yeah. That it'll be airing. Yeah. Or if you really wanted to be tricky, they offer you five free days. So you could wait for three months, get your five free days during that time: I wanna Star Trek. <Laugh> It's a little, I'm gonna say a little cornball, because I think really it is so true to the original series that it's not modern in the sense that, you know, it's kind of corny, like the original series was, and I like it. Yeah. I think people who like the original series will love it, cuz it's much more in that spirit than even TNG or Discovery or any of the other more modern stuff. In discussing some of the newer shows, some writer said, this is not your father's Star Trek.
Leo Laporte / Steve Gibson (01:20:50):
And my point is, this is, it is your father's Star Trek. Absolutely. Is your father's Star Trek. And I apparently, well, your that's what I want because Discovery was like a, like a, I sped up video game. Yeah. You know, it was just, it was not well, and I do like that episodic format where you don't, you don't have to like each one's last time. Yeah, yeah. Yes, no, previously. Yeah. Now it is also is the case that the phrase Picard season two rhymes nicely with, and I hate Q <laugh> God do I hate Q I never liked him either. I always have. Yeah. And it turns out I still do. Yeah. He is an annoying fly in the ointment. Yes. And I suppose that I'm not a huge fan of John de Lancie, the actor, but we're watching the second season. We'll finish it tonight.
Leo Laporte / Steve Gibson (01:21:52):
We have two episodes left. Eh, it's better than the first one only because the first one was so horrible. And I heard that the second one was better. It's like, okay. Yeah, but it's got Q. Yeah. It's like, you know, you just can't have a, an really annoying omnipotent alien who wants to, you know, get in Kirk, get in Picard's face all the time. It's just annoying. So anyway, there were also too many dumb scenes, which it had very much had the sense that they were trying to draw the episode out to fill the hour. So I don't know I'm for what it's worth. I I'm very capable of disliking something that has Star Trek in its name, even somebody that has Jean-Luc Picard. Strange New Worlds, I thought was great. And as Lisa said, I don't want any more of the ugly old bald captain, Kirk captain.
Leo Laporte / Steve Gibson (01:22:49):
I want the young hot captain. And I think she, I think Pike fits this, although she really, yeah. I think she really wants SHA in her back. <Laugh> <laugh> no more nor the bald old guy. That's it. We're oh, I gotta give, I gotta give Bill Shatner credit for like, you know, legend hanging around legend and basically legend. Legendary. Yeah. He is wonderful. Yeah. Yeah. When I was over at IMDb, cuz I wanted to update for the show notes, the current ranking of Strange New Worlds. It is at 8.3. Oh, that's good. Out of 10. That's good. It's a very good rating. And it's going up. That's what you wanna see. You wanna see them going up after the actual show has been out for a while? What I stumbled on was the official trailer for the new Avatar movie called Avatar: The Way of Water.
Leo Laporte / Steve Gibson (01:23:48):
And apparently this is number two. It sure took Cameron a long time to get number two out. But number three is already in post production. Four is filming and five is in the pipe. So we're gonna get a bunch of Avatars. And I mean, it looked astonishing. I remember when I was watching the first Avatar, I just sat there thinking, how do you make this movie? How, how do you make this? I mean, it was just an astonishing piece of visualization, but this sort of looks like the first one and you know, okay. I guess maybe a new story for the kiddies I'm afraid. I'm not sure that it's gonna, you know, but you know, Cameron has not never disappointed me. I mean, he gave us The Terminator, Aliens, the, the second one, The Abyss, True Lies, Titanic, Dark Angel. That's where we saw Jessica Alba.
Leo Laporte / Steve Gibson (01:24:47):
Ooh, baby. And Avatar. So yeah, I, I got mixed bag, I think, I think <laugh> yeah. And Leo, our last break, and then we're gonna talk about what is that passkeys thing. Okay. Okay. Our show today brought to you by, I was just in fact, it's funny because I was just doing it for my daughter sending her a credit card via Privacy. Privacy is awesome. Awesome. privacy.com. It's a tool that lets you use credit cards without a, without a thought as to the security. Why? Because these are credit cards that are either one time only burner cards use them. It's gone. It's done. I actually don't make too many of those. I'm much more likely to use the merchant locked cards. So you make a firstname.lastname@example.org and they have plugins for Chrome and Firefox. So it's actually very easy or you can log in, make the card.
Leo Laporte / Steve Gibson (01:25:49):
It, it, it, it appears as a real credit card with a, you know, an expiration date, five years in the future, that's convenient a real security number and all of that, but it's locked to the merchant in the case of the merchant card, which means when I made a card for Amazon, only Amazon could ever use it. I do this all the time because I don't want, if that card gets stolen, can't be used. It gets declined immediately. I can also control how much is spent. I can set spending limits per day, per month, per year per transaction. I can I can use these in fact, I always do. In fact, I strongly recommend you do for recurring transactions subscriptions, cuz it seems to be the case. Now this is not true for subscribing to Club TWiT, but it does seem to be the case for other things that you subscribe to. Especially recurring ones, they don't make it easy to cancel. Right. But my worst one is, well you have to call to cancel.
Leo Laporte / Steve Gibson (01:26:51):
It was so easy to create the subscription online. Oh, but you gotta call to cancel. Well, if you use Privacy cards for all your subscriptions, as I do, don't bother canceling, press pause. Or if you want burn the card, destroy it. They can never use it. They can never get any more money out of you. You're done. It's it. It's simple. It's the best way to use credit cards. Plus Privacy masks your real bank information. Obviously they have to have it so they can debit you, but they, they don't pass it along to the vendors so I can use. And I often do, you know, John Doe, 123 Main Street, Anytown USA thousand as my, you know, address and zip code. And it goes through Privacy knows it's me. They're not worried about it. And the merchant doesn't get any information about me. This is a great way to clean up your digital hygiene, to use with confidence, credit cards online, even at shady spots that you would never dare use a credit card.
Leo Laporte / Steve Gibson (01:27:51):
It's such a great way to do it. And is it easy to share? Yes. So from time to time my mom, 89 years old, she cooked for me my whole childhood. I wanna buy her dinner. So I said, well, mom, I'm gonna send you a card. And, and by the way, you don't tell it what the merchant is ahead of time. So I said, I'm gonna send you a card, use it for GrubHub, DoorDash, you know, whatever delivery service you want to use, but just be aware that once you use it, it can't be used for anybody else. So the minute you use it for somebody that's now locked into that merchant, that's how it gets locked. I love that that's real convenient and I don't have to copy and paste the card number and all the information into a text message.
Leo Laporte / Steve Gibson (01:28:33):
That's not safe. There's a share. You make the card on the privacy.com website and there's a button that says share it. What's the email address. They take care of the rest completely securely. She doesn't need an account. She just gets the information she needs securely directly from Privacy. Then for your own accounting, the account summaries make it easy for you to track how much you're spending every month or somebody else is spending. I know exactly how much mom spends at GrubHub. There's a summary page. Easy for budgeting can filter by date by spend you even can tag your cards so you can sort by tagging makes it very easy to figure out where your money's going. And there are a number of different payment plans; one is free, absolutely free, but I pay, I think 10 bucks a month for a pro plan because I get 1% back.
Leo Laporte / Steve Gibson (01:29:20):
That means given how much I use my Privacy card, I make money. I get more cash back, much more than I spend for the pro account. So just something to pay attention to. When you sign up, protect your financial identity on the internet, using virtual cards, go to privacy.com/securitynow. As I said, you can get the free account, try it out. You'll automatically get $5 to spend on their first purchase. It's free forever, always free. But you may wanna look at the other plans down the road, cuz because I it's worked out very well for me. If you use it a lot, do that privacy.com/securitynow. Just the best way to use credit cards online. Nobody ever knows anything about me. I can cancel it at any time. I can pause it. I can unpause it. That's a really nice feature. I just love it.
Leo Laporte / Steve Gibson (01:30:10):
Privacy. My, my daughter said, I want Spotify. I said, well look here. I just sent her the card for a, I sent her Privacy card. I said, buy the family plan. So, and add me and your brother and everybody so everybody can use it. And that way we'll all benefit. And the, but she has the card, the cards in her name. I think it's just a really good way to do it. privacy.com/securitynow secure, private. Great. Okay, Steve, by the way, I did wanna mention you didn't like book four of the Bobiverse. That's where I was talking about otters floating down the river. I liked it. I liked it quite a bit. So but now I'm waiting for book five. Love the Bobiverse. Good. Yeah. Good. Now let's talk about this FIDO thing cause I'm very, I really want to get your take on it.
Leo Laporte / Steve Gibson (01:31:02):
So Ars Technica's headline was Apple, Google and Microsoft want to kill the password with passkey standard. Instead of a password devices would look for your phone over Bluetooth. BleepingComputer said Microsoft, Apple and Google to support FIDO passwordless logins. The Record said Google, Apple, and Microsoft to expand support for passwordless sign in standard. You know, and it made the headlines in all of the tech press. And all of these headlines popped up last Thursday, May 5th, which as I said at the top of the show was not only Cinco de Mayo, but also World Password Day. And the news of, and questions about this new passkeys was the most tweeted to me item of the past week with many of our listeners wanting to know what it was and what I thought. Having spent seven years of my life, designing, implementing, demonstrating, and pro and proving a complete working solution to this need.
Leo Laporte / Steve Gibson (01:32:09):
I have a good grasp of the problem domain. So I dug into this passkeys news by going to the source, as I always endeavor to, I first read the Google, I'm sorry, the FIDO Alliance's May 5th press release, which was titled Apple, Google, and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins you know, this was the press release that everyone else was quoting in the news. It appeared that whoever wrote it was being paid by the word, since it went on and on to make sure that its reader would come away knowing that all pre FIDO systems were bad and FIDO was the cure. At this point, it appears that regardless of whether or not it turns out to be the cure, it will at least be the next thing we try. And I'm in the same boat as all of our listeners.
Leo Laporte / Steve Gibson (01:33:14):
We're all avid users and consumers of the internet. So we're all hoping that the industry knows what it's doing, but that press release wasn't gonna get the job done. Fortunately it linked to the description of the FIDO Alliance white paper titled Multi-Device FIDO Credentials. The description of the paper that links to it said the FIDO standards together with their companion WebAuthn specification are on the cusp of an important new development. Evolutionary changes to the standards proposed by the FIDO Alliance and the W3C WebAuthn community aim to markedly improve the usability and deployability of FIDO based authentication mechanisms. As a result, FIDO based secure authentication technology will for the first time be able to replace passwords as the dominant form of authentication on the internet. What a concept. In this paper, they say, we explain how FIDO and WebAuthn standards previously enabled low cost deployments of authentication mechanisms with very high assurance levels.
Leo Laporte / Steve Gibson (01:34:43):
While this has proved an attractive alternative to traditional smart card authentication and even opened the door to high assurance authentication in the consumer space, we have not attained large scale adoption of FIDO based authentication in the consumer space. We explain how the introduction of multi-device FIDO credentials will enable FIDO technology to supplant passwords for many consumer use cases, as they make FIDO credentials available to users wherever they need them, even if they replace their device. Okay. So I have a link in the show notes to the PDF for anyone who wants the raw material. Obviously this descriptive overview still doesn't tell us what we want to know. So I dug into the white paper, we get the executive summary followed by a brief history of online authentication. Then a section titled FIDO, starting from the top, followed by WebAuthn Level 3, bringing up the bottom.
Leo Laporte / Steve Gibson (01:36:04):
So this brings us to the bottom of page four of the PDF. And we begin to frame the problem as follows. The, the explanation explains FIDO based solutions can also increase the security of consumer two factor authentication by providing phishing resistance, regardless of whether those use cases care about hardware based sign-in credentials or not. Now I should mention that that FIDO was always hardware based, which has been the problem that they've been struggling with is that they, the, the FIDO, the FIDO authentication standard was you'll have a hardware dongle, a token, a a something, which, because it's hardware because it's physical, it cannot be spoofed. It cannot be, you know, no, no one in Russia can get the contents of your, of what you have in your thing. You're holding in your hand because the you're holding it in that's the YubiKey said there's some that are FIDO2 YubiKeys.
Leo Laporte / Steve Gibson (01:37:13):
That's that's what you mean. Yes, yes, yes. Yeah. Yes. And, and, and so the, which, which is that's good. That's good security. No one would deny that. Right? You could argue it's the best, the gold security. Yeah. Yes. The problem is it's physical. I mean, you can't make people buy keys. It's $50 keys. Yes. The be exactly the benefit is it it's physical. The problem is it's physical. And so if you absolutely so, so where they say they, they said FIDO based solutions can also increase the security of consumer two factor authentication by providing phishing resistance, regardless of whether those use cases care about hardware based sign-in credentials or not. In other words, they're saying we are giving up, we're gonna back down from the position we had taken. I mean, you could still use hardware based sign-in credentials, but now you're not gonna have to, we're not gonna make, you have to have a hardware dongle.
Leo Laporte / Steve Gibson (01:38:19):
And, and this has been sort of in the air for a couple years, right? There's been talk about being able to use your phone as your FIDO authenticator. So, so this notion isn't completely new, it's been happening. They said, however, we have observed limited adoption in this latter category, especially in the consumer space because of the perceived inconvenience of physical security keys, buying, registering, carrying, recovering, and the challenges consumers face with platform authenticators as a second factor, for example, having to re-enroll each new device, no easy ways to recover from lost or stolen devices. They said, while these drawbacks can make FIDO based solutions, whether based on physical security keys or platform authenticators, and I should explain this phrase platform authenticators, that just means your smartphone or your laptop. That's what a they're, they're calling that a platform authenticator as opposed to a physical security key.
Leo Laporte / Steve Gibson (01:39:31):
So these drawbacks can make FIDO based solutions where they're based on physical security keys or platform authenticators, a tricky proposition for users already accustomed to two factor authentication. They present an even higher barrier to adoption for users who don't, or don't want to use two factor authentication at all and are stuck with passwords. And so finally we get down to it. The white paper explains the FIDO Alliance and the W3C WebAuthn Working Group are proposing to address these gaps in a new version, which they call Level 3 of the WebAuthn specification, the two approach, the, the, the, they said two proposed advances in particular bear mentioning. And so here they are one and two, number one, using your phone as a roaming authenticator. That's the first of these proposed advances. They said a smartphone is something that end users typically already have virtually all consumer space.
Leo Laporte / Steve Gibson (01:40:50):
Two factor authentication mechanisms today already make use of the user's smartphone. The problem is that they do this in a way they do this in a phishable manner. You may inadvertently enter a one time password on a phisher's site, or you may approve a login prompt on your smartphone, not realizing that your browser is pointed at the phishing site and not the intended destination. The proposed additions to the FIDO WebAuthn specs define a protocol that uses Bluetooth to communicate between the user's phone, which becomes the FIDO authenticator and the device from which the user is trying to authenticate. You know, your laptop, for example, Bluetooth, they say requires physical proximity, which means that we now have a phishing resistant way to leverage the user's phone during authentication. Yeah. The hacker has to be in physical proximity, which is good. <Laugh> right. Cuz Bluetooth is not the most secure.
Leo Laporte / Steve Gibson (01:42:06):
Well, I'll go ahead. No, go ahead. No, of course, SQRL solved this with a QR code, right? That you let your phone see, as we know, right, right. They said with this addition to the FIDO WebAuthn standards, two factor deployments that currently use the user's phone as a second factor will be able to upgrade to a higher security level phishing resistance without the need for the user to carry a specialized piece of authentication hardware, parens, security keys. Oh, thank God. So yes, we'll be able to use our phones. Wonderful. That was point one. Here's point two, multi-device FIDO credentials.
Leo Laporte / Steve Gibson (01:42:53):
Okay. They say, we expect that FIDO authenticator vendors in particular, those of authenticators built into OS platforms. This is, we've heard the names, right? Apple, Google, Microsoft will adapt their authenticator implementations, such that a FIDO credential can survive device loss. In other words, and again, hasn't been done yet, but this is what they expect. We expect that FIDO authenticator vendors, blah, blah, blah. In other words, if the user had set up a number of FIDO credentials for different relying parties and, you know, relying parties is a term of art in this whole identity space on their phone. If the user had set up a number of FIDO credentials for different relying parties on their phone, and notice that in FIDO, you need a credential per relying party. That is a FIDO credential for Amazon, a FIDO credential for PayPal, a FIDO credential for Facebook, a FIDO credential for Google, blah, blah, blah one.
Leo Laporte / Steve Gibson (01:44:06):
Each that it that's a, it's a one for one mapping in FIDO. And then they say got a new phone. That user should be able to expect that their FIDO credentials will be available on their new phone. This means that users don't need passwords anymore. As they move from device to device, their FIDO credentials are already there ready to be used for phishing resistant authentication. Okay. Now I'll just pause to note that I solve this problem with one time password authenticators with my sheaf of printed QR codes. Right. We were talking about that last week when I, when I'm enrolling on a site that uses a a one that offers me second factor authentication with a one time password. And it shows me the QR code, which I can then capture with my authenticator on my phone. I also print the PA I print the paper out and it's securely stored there's I have a sheaf of them for all the places I use two factor authentication.
Leo Laporte / Steve Gibson (01:45:22):
So that, yeah, if I, if I need to set up a new device that doesn't sync in some fashion with the authenticator in my phone, I can do that. It's offline. No one in Russia can get to it. It's very secure, but yeah, it's a little burdensome. I had to do that. Lots of people don't and then they get stuck if their authenticator won't export or transport and, and, and sync. So they say for these multi-device FIDO credentials. So that's, so this is their term multi-device FIDO credentials just means cloud sync. That's all that is multi-device FIDO credentials. It is the OS platform's responsibility to ensure that the credentials are available where the user needs them. And also note that some, they said note that some companies are calling FIDO credentials passkeys in their product implementations in particular, when those FIDO credentials may be multi-device credentials.
Leo Laporte / Steve Gibson (01:46:37):
So in other words, just for the record, passkeys is not a term of art in FIDO. And I imagine that the company that has a trademark on passkey is not very happy. Mm. You know, a lot of people noted that the government started to use the term Shields Up for one of their things. And it's like, yeah, I don't, I don't care. But exactly. So they say just like password managers do with passwords, the underlying OS platform will sync the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user's synced credential depends on the security of the underlying OS platforms, parens Google's, Apple's, Microsoft's, et cetera, authentication mechanism for their online accounts and on the security method for reinstating access. When all old devices are lost, while this may not always meet the bar for use cases that require physical key level security, they write it is a huge improvement in security compared to passwords.
Leo Laporte / Steve Gibson (01:47:52):
Each of the reference, they say colon, each of the referenced platform platforms apply sophisticated risk analysis and employ implicit or explicit second factors in authentication, thus giving two factor like protections to many of their users. So this is FIDO saying, well, it's not as good as physical keys. We're kind of annoyed, but look it's gonna work. Like maybe someone will actually use FIDO because we're gonna allow cloud syncing in this Level 3 mode. And the, the people who are doing the syncing are, you know, being responsible enough. So they said this shift from letting every service fend for themselves with their own password based authentication system, to relying on the higher security of the platform's authentication mechanisms, is how we can meaningfully reduce the Internet's over reliance on passwords at a massive scale. In other words, they're saying that we will rely upon the user authenticating to their own device, smartphone or desktop with biometrics or whatever, rather than authenticating to each remote site individually. And yes, that sounds familiar. Finally, they say syncing FIDO credentials, cryptographic keys between devices may not always be possible. For example, if the user is using a new device from a different vendor, which doesn't sync with the user's other existing devices in such cases, the existence of the above mentioned standardized Bluetooth protocol enables a convenient and secure alternative.
Leo Laporte / Steve Gibson (01:49:48):
If the FIDO credential isn't readily available on the device from which the user is trying to authenticate, the user will likely have a device, for example, a phone nearby that does have the credential. So in other words, if you're using Windows and iOS won't sync to Windows, then you can use Bluetooth on your iOS device to get the credential over into Windows. They said the user will then be able to use their existing device to facilitate authentication from their new device. Okay. So it appears that what this press release and these so-called passkeys, which is again, though, as the white paper explains don't actually have anything to do with FIDO. That is the term doesn't, it's just the introduction of cloud syncing among devices to facilitate the transport of one's collection of FIDO credentials from one device to the next, the other piece. Well, and in, in the case of device loss, you, when you get a new one, you resync with the cloud and, and you get all of your FIDO credentials back, the other piece is that the FIDO Alliance appears to have formally given up on the idea that we're all gonna go out and purchase a hardware FIDO token.
Leo Laporte / Steve Gibson (01:51:09):
When we all already own a smartphone that can serve the same purpose, the use of a possibly available Bluetooth link allows one smartphone to be used to authenticate to a website on a desktop that does not contain a FIDO authenticator with one's credentials. And as, as we said, for clarity, that's what SQRL provides for, with a QR code and the smartphone's camera. And yes, speaking of SQRL, I know that the heads of everyone out there who understand SQRL is exploding right now because FIDO still falls very far short of providing the complete solution that SQRL offers, but having moved from simple user names and passwords to password managers and multifactor authentication, and then to OAuth third party authentication, we're now going to get FIDO, though. It will apparently be popularly called passkeys. From the samples I've seen online, it appears that it will still be necessary to first identify one's self to the website being authenticated to so FIDO with passkeys, replaces the password, but unfortunately not the username.
Leo Laporte / Steve Gibson (01:52:34):
So it will continue to be somewhat more cumbersome in that way. The way FIDO's crypto works is that it randomly synthesizes a public and private key pair for each and every website, the user wishes to authenticate with. And it gives that site, the public key to retain while the FIDO authenticator stores, the matching private key for each subsequent use for re authenticating. So it's this collection of individual private authentication keys, which are now being called passkeys that Apple, Google and Microsoft will be obtaining and synchronizing in the cloud for their users. This provides for same platform, cross device FIDO credential synchronization, which is crucial for FIDO. Since each new website authentication creates another public private key pair. And it provides for credential recovery in the event of a device's loss. And that's certainly needed to create a practical system. As we know, I went a different way with SQRL. SQRL uses a single master key, which can be printed and stored safely, or could be loaded in the cloud if you wanted, whatever from that one key, it deterministically synthesizes unique per site, public and private key pairs based upon the website's domain name and like FIDO.
Leo Laporte / Steve Gibson (01:54:14):
It gives each website the public key to use for future authentication. But unlike FIDO, there is no growing collection of randomly synthesized per site, private keys that need to be retained and cloud synced among devices. So there's no need to back up a large collection of private keys to the cloud or anywhere the only thing a SQRL user ever needs for their identity to be secure and fully recoverable for all websites is one piece of paper. And if you have multiple identities on multiple devices, you can log in for the first time on an, on a device, on some other device that has your same SQRL identity. And when you log on, on, on a, on a, still on a, on a different device, the, the identity works because multiple devices all synthesize the same private key. So backing off from that overall, this whole big announcement of passkeys appears to have mostly been a World Password Day timed press event, without much technology to back it up.
Leo Laporte / Steve Gibson (01:55:29):
You know, we're not getting SQRL. We, all of us we're getting FIDO. And that means we need cloud synchronized passkeys to make FIDO's use practical. The good news is we're gonna get it. It'll, I'll be interested to see how the, you know, how the login flow functions, the other, the other big thing FIDO is missing is it doesn't identify you to the site. You still have to first identify yourself. Then FIDO replaces your password. SQRL did both, which was way more convenient, but anyway, we're not getting SQRL. We're getting FIDO and passkeys is, you know, basically makes it makes FIDO feasible because you have to be able, since you are synthesizing completely random keys for every site you visit, you've got to collect them. You've somehow got a cross device, sync them and Apple, Google, and Microsoft will be taking care of that for us.
Leo Laporte / Steve Gibson (01:56:32):
So it sounds like it's kind of less secure than if you used a YubiKey, I guess. Yes. Yes. This is, this is absolutely FIDO group. The FIDO Alliance compromising themselves down from their ivory tower because which they needed. Nobody, nobody wanted FIDO, right? Yes. Nobody was gonna do it. You know, I mean, yes, high level. I know that there are Google employees who use their, their, their Titan keys to do things, but it's not gonna succeed if everybody, but see that's, my other issue is not everybody has a smart device. You, I, I guess, would this work if you didn't have, have it's always possible to still use a username and password. Oh, okay. That will, that will never go away. Okay. Never know which means that's what people are gonna do. Yes. <laugh>. Yeah. So, you know, my favorite example, Leo is the person who said, well, I don't need a password manager.
Leo Laporte / Steve Gibson (01:57:34):
And I said well, you can't be using the same password everywhere. And she said, oh, no, I don't. And I said how do you do that then? And, and she said, well, when I'm creating an account, I just bang on the keyboard a lot. <Laugh>. And I said, okay. And I said, so how, how do you log in again? I meant, she said, I forgot. There's always, it always a, there's a little line there that says I forgot my password. Yeah. She said, and I never knew it. So I did forget it. Yeah. And, and they, she said, then they send me a link and I log in with that. And that's that's actually is that's fairly secure. Right. <laugh> I mean, honestly, yeah. Well, you know, it use an email, it uses an email confirmation in order to reassert that you have, as long as you don't lose control of your email you're okay.
Leo Laporte / Steve Gibson (01:58:31):
Correct. And, and that is the segue to next week's picture of the week, which is already in the document waiting to be displayed. You don't have anything else, but that's there. <Laugh> that's right. I love it. Obviously SQRL would be much more secure, but SQRL has a similar problem, which is, it is not trivial, easy to use. And for that reason, I think people are gonna fall back to a password for almost anything. Yeah. Single sign-on's good. You know, I use Microsoft now for log into Windows, as, you know, sends your phone an authenticator, sends it a digit, a two digit number, and you say, yeah, I know that number. And you're in that seems like, is that the same thing as this FIDO thing? It's similar? Well, so it's, it's specific to Microsoft. That's right. And, and that's right.
Leo Laporte / Steve Gibson (01:59:23):
Yeah. Yeah. And so we're looking for a broad-based solution which solves the phishing and the "I forgot my password" problem. Right. Which is, you know, easy to use. The fact is we'll have to see what the flow looks like. It is certainly easy to do "log in with Facebook," "log in with Google." We know that that's horrific from a tracking and privacy standpoint. Right. Because... oh, I don't do that. You're bouncing, you're bouncing. I've stopped doing that entirely. Yes. Oh my God. Yeah. And in fact, I did hear you on TWiT last Sunday talking about how you were finally thinking maybe you should be taking privacy a little more seriously. Yes. I admitted I was wrong. And that's because these data brokers were selling information about who visited Planned Parenthood over the past week for 160 bucks.
Leo Laporte / Steve Gibson (02:00:21):
Yeah. And what that does is it puts you in jeopardy if you live in Texas, and there are now other states, and soon it might be 23 other states, criminalizing interstate travel for the purpose of terminating a pregnancy. So for 160 bucks, anybody... now, the way this Texas law works, anybody can go after you. So there's now probably a brisk business in people buying that information and then suing you, or law enforcement in Tennessee, for instance, going after you. Or I guess it's Louisiana. In any event, it suddenly became obvious that the government is now starting to go after people for things that they shouldn't be, and it is now dangerous to, you know, leave this stuff on, unfortunately. And that's really... I think that is, you're right, that's the takeaway: that given a certain set of existing laws, you could argue that with those laws there's a reduced risk from lack of privacy.
Leo Laporte / Steve Gibson (02:01:34):
Yeah. But if the laws change, well, that's the problem. Exactly. And suddenly the previous assumptions no longer hold. Exactly. Under the new regime. Exactly. And that's the danger. If you trust the government, no problem. I no longer trust the government, so, problem. Yeah. And that's too bad. Yeah. But now we have to pay more attention. So you've been right all along. I was a wide-eyed optimist. <laugh> I am no longer. Steve, thank you as always. It's always eye-opening and always fascinating. If you do not tune in every Tuesday to Security Now, you're really... well, you're listening today. I think you know now several ways you can do this. You can watch live if you happen to be around at 1:30 PM Pacific, 4:30 Eastern, 20:30 UTC on a Tuesday. You could just go to live.twit.tv.
Leo Laporte / Steve Gibson (02:02:33):
There's a live audio and video stream there. You could watch that if you're watching live. Chat: email@example.com. Of course Club TWiT members can also watch live inside the club. They can chat about it inside the club. There's a lot of other benefits: seven bucks a month, ad-free versions of all the shows, so there's no tracking, if you really want privacy. twit.tv/clubtwit is a good place to go. After the fact, you can go online to twit.tv/sn, that's our website. Steve also has the show at his website, grc.com. In fact, he has two unique formats. He has good hand-contrived transcripts by Elaine Farris, who listens to this whole show. She's listening even now and writes it down and then puts it in a transcript; that's really handy for searching. You can also get a 16-kilobit version for the bandwidth-impaired, and of course the full 64-kilobit audio, also at firstname.lastname@example.org.
Leo Laporte / Steve Gibson (02:03:31):
If you're over there, you know, it might be a good idea to pick up a copy of SpinRite. Current version 6.0. If you buy today, you'll get a copy of 6.1 when it comes out, but you'll also participate in the final stages of that creation. And everybody who has mass storage really needs SpinRite, the world's best mass storage maintenance and recovery utility. There's lots of other great stuff at grc.com. You can also leave him feedback there, grc.com/feedback. Maybe the better way to do it is through Twitter. He has his DMs open, as the kids say. You can slide into them at @SGgrc on the Twitter, SGgrc. We have copies of the show at the website, as I mentioned. You know, the easiest thing might be just to subscribe. Both Steve and I have links to the RSS feed. You put that into your podcast client and you'll get the show the minute it's available each and every Tuesday, so you can listen at your own leisure, at your own pace. I know some people like to listen at one and a half. <laugh> In which case, when you watch live, I just gotta warn you, we will sound drunk talking at normal speed, but that's the side effect of listening at double speed. Thank you, Steve. Have a wonderful day and we'll see you next time on Security Now. Adios. Bye. Live long and prosper. <laugh>
Rod Pyle (02:04:49):
Hey, I'm Rod Pyle, editor of Ad Astra magazine, and each week I'm joined by Tariq Malik, the editor in chief at email@example.com, in our new This Week in Space podcast. Every Friday Tariq and I take a deep dive into the stories that define the new space age. What's NASA up to? When will Americans once again set foot on the moon? And how about those samples from the Perseverance rover? When are those coming home? What the heck has Elon Musk done now? In addition to all the latest and greatest in space exploration, we'll take an occasional look at bits of spaceflight history that you probably never heard of, and all with an eye towards having a good time along the way. Check us out on your favorite podcatcher.