Security Now Episode 875 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. Some final thoughts about pass keys and the potential problem with pass keys. Also a free streaming pen test security course, which begins next week. A lot of listener feedback. And then finally, what is that flaw? The so-called unfixable flaw with apples, M one, Steve explains the attack and why you probably don't need to worry about it. It's all coming up next on security. Now, podcasts you love from people you trust. This is security. Now with Steve Gibson episode 875 recorded Tuesday, June 14th, 2022. The PAC man attack. Security now is brought to you by PlexTrac the proactive security management platform that helps you focus on winning the right security battles with PlexTrac, you'll streamline the full workflow from reporting to remediation. Visit plextrac.com/twit to claim your free month. And by NetFoundry apply zero trust to any use case.
Leo Laporte / Steve GIbson (00:01:12):
Making cloud easy with a simple user experience while closing all inbound ports, grab your free swag and free tier now by going to netfoundry.io/twit. And by Thinks Canary. Detect attackers on your network while avoiding irritating, false alarms. Get the alerts that matter 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code TWI. And how did you hear about his box? It's time for security. Now the show we cover the latest security with this guy right here, the man in charge, get ready folks. This show is gonna blow your mind. Steve Gibson. You promise me, oh, we've got a good one today. Leo for 875. I think that's sort of a, a good number to have a, an amazing podcast. Okay, so this week will I expect be the last time we talk about past keys for a while, but not quite yet, our listeners are still buzzing about it and some widespread confusion about what apple presented during their WWDC developers session does need a bit of clarification.
Leo Laporte / Steve GIbson (00:02:30):
But while I was writing that up, I realized, and I'll share how to best characterize what Fido is, which we're going to get with respect to squirrel, which we're not. But more importantly, what the web often E often issue is. I mean like that's really the big transformative deal that having Fido on the front end is gonna drive. And it's where all the inertia is gonna be. Anyway. I also wanna turn our listeners onto a free streaming penetration testing security course, which begins Wednesday after next. Then we have a ton of listener feedback, which I've wrapped in additional news. Oh, and one listener's question in particular was so intriguing that I'm going to repeat it, but not answer it yet so that all of our listeners can have a week to contemplate its correct answer. <Laugh> I love those. All right. Potential poised over my notepad.
Leo Laporte / Steve GIbson (00:03:36):
All right. It just, it just needed it. I mean, it's like a, Hmm. And although I wasn't looking for it, I also stumbled upon a surprising demonstration proof that we are indeed living in a simulation and it's broken. That's the point? Wait a minute. Simulation's broken. Well, reality is oh, okay. And, and reality can't be broken unless there's a bug in the simulation. Anyway, when I share it, I think you'll be as convinced as I am. So, you know, kind of, maybe we're gonna rock everyone's world today. Let's do it. And finally, as suggested by this podcast title, oh, which I forgot to mention is the Pacman attack. We're going to take a very deep dive into the past week's headline capturing news that Apple's famous M one arm chips and presumably the M two S coming soon, all contain a critical bug that cannot be fixed. We'll find out just how bad it is. Yikes and Ole. I've got the weirdest picture of the week. I, you know, it's I, you can't argue with it, you know, but it's who printed this on a cable. That's a good question. And I'm, I'm seeing it. So I know what you're saying. Well, we'll find out in a moment. Excellent. Steve, looking forward to it. Our show today brought to you by, oops. I gotta push these buttons in the right order here.
Leo Laporte / Steve GIbson (00:05:11):
Ah, there we, there we go. Our show. <Laugh> our show today brought to you by PlexTrac, the purple teaming platform, a proactive cyber security management platform for red teams, blue teams, and the teams in between. Are you ready to gain the benefits of purple teaming? But now I have no clue how to get started. Do you even know what purple teaming is? Well, until I met PlexTrac, I didn't, but maybe you do. I think, you know what red teams are and blue teams are you working to mature your security posture, but struggling to optimize efficiency and facilitate collaboration within your team. This is a great solution and you don't even have to have a purple team. You, you could have one team that does it all, but still communication is important. Keeping an eye on the tests, you're doing the, the checks you're doing.
Leo Laporte / Steve GIbson (00:06:05):
And then on the remediation efforts, PlexTrac is a powerful but simple cybersecurity platform that centralizes all your security assessments, all your pen, test reports, all your audit findings, your vulnerability tracking makes it easy to do all of that. And it transforms the risk management life cycle because security teams now can generate better reports and they can do it faster. They can aggregate and visualize analytics. They can collaborate. These are all words you want in remediation. In real time, it addresses pain points basically across the entire spectrum of security team workflows and roles. So I'll give you an example. There are a number of modules I'll give you. I'll give you a few of them so you can understand what PlexTrac can do for you. The reports module does what you'd expect does reports, but it's second to none because it's designed specifically for reporting security findings.
Leo Laporte / Steve GIbson (00:07:02):
So you, you can insert easily code samples, screenshots videos. You put those into any finding. You can import findings from all your major scanning tools. So you just take, take that, take that, take that you can create custom templates. So you don't have to repeat over and over again. And you can export to those templates with a click of a button. So really it's gonna streamline your reporting. And frankly, the faster and easier you can do reporting the better, right? You don't wanna waste time at a, you know, like at a typewriter, the runbooks module can facilitate your tabletop exercises. It's a runbooks module, right? So it, it can, it can it can be, you know, in charge of the red team, engagements, breach and attack simulations, your purple teaming activities, it improves communication and collaboration. Ultimately that's really what it comes down to.
Leo Laporte / Steve GIbson (00:07:53):
Right? You find the problem, you gotta solve the problem. Plex, track upgrades, your program's capabilities by making the most of every team member and every tool. And they love it too, because it takes off the busy work off their shoulders. So they can really do the thing they're there to do. Right? There's an analytics module, which helps you visualize your security posture. There's a few reasons why you wanna do that. Of course, it makes it easier for you to, you know, grasp it quickly, assess it, prioritize it. It's a much better workflow. You can map risks to frameworks like Mir attack and create a risk register by the way. And when you're reporting to the board or the, the, you know, the CSO or the C level executives, you'll love PlexTrac because your reports are so visual. So clear, they get what you're doing.
Leo Laporte / Steve GIbson (00:08:39):
You get you're do what you're doing. The collaboration is better. Any enterprise security team should absolutely be using PlexTrac to streamline their pen tests, security assessments, incident response reports to keep red and blue teams focused on getting the real security work done with PlexTrac. You're gonna gain precious time back in your team's day. And as I said, they love it. The employee morale goes through the roof, cuz it's, it's a lot. It's a time saver for them. Plextrac enterprise customer Jacob's engineering. You affect you. There's a lot of testimonials on the site, but this is one I picked deploying PlexTrac, allowed our team to cut the reporting cycle by 65%. That's huge book a demo today. See how much time PlexTrac can save your team. Try PlexTrac free for one month, you know, really test it out, see how it can improve your effectiveness, improve the efficiency of your security teams.
Leo Laporte / Steve GIbson (00:09:38):
But I gotta warn you when they've tried it for a month. They're never gonna let it go. They're gonna say no, no. We're using this go to PlexTrac.com/twi to claim the Fremont P L E XT R a C. Okay. Plextrac.com/t w I T. Make sure you use that. So they know that you saw it on security now. And that way Steve gets credit Plex, track.com/twit. I know sometimes people use security now in this case use twit. That's, that's the one they want to use. And by the way, we, thanks, black extract so much for supporting Steve and his silly pictures of the week. <Laugh> so, okay, this is not my fault. I didn't do this. <Laugh> not my fault. Okay. So what we got here is an ethernet cable, you know, cat five or cat six. And, and it says it's printed, very authentic looking.
Leo Laporte / Steve GIbson (00:10:35):
I mean, I, I believe that this cable actually has this printed on it. It says cut here to activate firewall. And then it's got an arrow pointing to a little line and there, you could see an arrow pointing from the other direction where it probably says the same thing, cut here to activate firewall telling you that. Yeah. <laugh>. I mean, it just must be somebody who is making cable with a great sense of humor who said okay, we'll just, he's not wrong on it. He's not wrong. No. And, and, and the, the person who sent this to me used a big red rectangle to highlight that phrase. Unfortunately it overlays the, the do the top level domain. I can see WW. You wanna know where you get this? Don't we <laugh> yes, yes. I've try. I was like, okay, where, what? So I can't sell, I can't see what the top level domain is.
Leo Laporte / Steve GIbson (00:11:31):
It's www dot B. I T do something looks like maybe an N something or I don't know. I mean, I think the shortest TLD is two characters. So I think we're, we're missing maybe L NL B I T oh, NL. That's Netherlands. Right? That feels like this feels like a Dutch joke. It does cut here to activate the fighter war. Yeah. Yeah. I love it. Cuz they give you a line and arrows pointing at the line. So just in case you're concerned about where you're cutting, you know, you know exactly. Yeah. Well, cuz you wouldn't wanna cut like in the middle of one of those words. No, no, the right. You know, who knows what would happen? It's gotta be made up. You don't you think it's made up? I mean the whole picture was, was like faked. Yeah. It's pretty good, man. I'm gonna go to ML and I'll find out for you.
Leo Laporte / Steve GIbson (00:12:20):
<Laugh> if I can order them, I'm getting you a whole, a whole role. <Laugh> we'll call it the security now. Oh yeah. You know what? It's it's a data center bit.nl. That's in Dutch, but a data center's network managed hosting in the cloud. So I think they did this as a, as a joke. <Laugh> I love it. I love it. Very cool. Yeah. Okay. So I heard from many different listeners that during the WWDC developer presentation on pass keys, apple talked about synchronizing keys. So I listened carefully to the entire presentation for anyone who's interested. The 34 minute presentation video is this week's GRC shortcut of the week. So that means it's HTTPS colon slash slash grc.sc/ 8 75. As I said, it's about a 34 minute presentation, 33, 34. And I believe that what these people thought they heard was apple addressing the need for or thought that what they heard, you know, being apple, addressing the need for the type of synchronization we talked about last week, syncing apps across non apple ecosystems like Android and windows is not what happened.
Leo Laporte / Steve GIbson (00:13:46):
I found no mention of anything like that, anywhere in the presentation, nor is it anywhere in the developer docs, which I also linked to in the show notes for anybody who wants to jump right to it, the types of pass keys, the types of PAs key sharing apple supports is first and foremost using the iCloud key chain of course, to dynamically synchronize keys. These PA keys across an individual users, apple ecosystem. So as we know, all apple devices thus will remain synchronized. The other form of sharing apple described uses airdrop to pass log on credentials to another user. An airdrop can also be used to permanently pass a pass key to someone else for some site or service permanently adding it to their key chain to use from then on. So that's sort of like explicit. Here's my Pasky. You can now use it to log on as me, but so far from everything I've seen, apple has in no way suggested that they will ever be synchronizing past keys with external non apple platforms.
Leo Laporte / Steve GIbson (00:15:09):
You know, nothing's been fed so far, either way. They haven't said they're not going to, but nobody seems to have asked that question. And it was not part of the developer presentation, but Apple's example, solution of using airdrop to send a pass key to another person's eye device, you know, like, you know, a friend of yours, a spouse, a child, a sibling, whoever, you know, whatever for their subsequent use highlighted, something that I think is important to understand. And this is where in thinking about it, I realized what really makes, what, what really makes squirrel different from Fido and why squirrel is a complete solution for secure remote log on, whereas Fido and you know, technically Fido two with its past keys is a replacement for usernames and passwords. The two are not the same. For example, take the case of giving someone else access to a site.
Leo Laporte / Steve GIbson (00:16:16):
If you give them your pass key, which is Apple's solution demonstrated during the developer presentation, then they are now you on that site in every meaningful way when they authenticate it's you authenticating because they're using your past key, it's the exact equivalent of you giving them your username and password. And since they are you, they can see your settings, your private details, everything that you can see and do when you log in using that same pass key. And since they are you they're presumably also able to change the pass key to lock you out and they can presumably pass it along to others. Unless apple has realized that secondary pass key sharing is a really bad idea and should be blocked, which would technically be possible. Well, I don't know either way, this, this is what we, the situation we're in right now, when Lisa needs the log to our Comcast account, I just sent her my password and log in.
Leo Laporte / Steve GIbson (00:17:29):
She doesn't have a separate one, right. Because it's the same account. So that's the standard to squirrel solve that with some sort of shared access? No, of course. How could it, because Comcast only has one login for my account. Okay. So okay. So I don't know either way, whether they're gonna block secondary Pasky sharing in any event, when you voluntarily give your PAs key to someone else, your side access has now escaped your control. And I agree with you, Leo, it's exactly the same thing. We solve this with squirrel. If you wanna allow someone to share some access to an account as a guest, for example, sharing a Netflix account, you obtain a one time invitation token from the site and provide it to them. When they attempt to log into the site with their own squirrel ID, the site doesn't know them.
Leo Laporte / Steve GIbson (00:18:31):
So it prompts them to create a new account or to use an outstanding invitation. If they have one, they, their use of the invitation identifies them to the site as a guest of yours, enabling them to subsequently log into your account, using their squirrel ID since they're using their squirrel ID. And we just sold a copy of spin, right? Six, thank you. <Affirmative> if you're a listener <laugh> since they're using their school ID and guests are unable to request invitations for others, you as the account owner retain control, and you're able to rescind their guest access status at any time, which isn't possible otherwise. And like in traditional username and password sharing and all this scales seamlessly to enterprise use when hundreds of users might need to share access to common resources, it's called managed, shared access. And it's part of the squirrel solution.
Leo Laporte / Steve GIbson (00:19:40):
It's already there. We have an online demo with the entire solution working and his operation is fully worked out and specified ed, needless to say, there's a lot more to squirrel. So as it stands, the 5 0 2 pass key system is without question more secure than usernames and passwords. No doubt about it. It's definitely superior. But the Fido designers were crypto people working to solve one small part of the much larger problem of practical real world user authentication. They didn't think the whole problem through because that was never their charter. They could credibly say it wasn't their job. It wasn't, but even in a 5 0 2 Passkey world, that job still needs to be done. Squirrel does it, but unfortunately Fido and PAKEs does not do it. Unfortunately. This means that instead of being as revolutionary as it could have been, we get another half baked solution it's way better than what came before, but it missed the opportunity which comes along so rarely to address the practical needs of, and really solve the network authentication problem rather than the true breakthrough that squirrel's adoption would've meant we're gonna get incremental progress.
Leo Laporte / Steve GIbson (00:21:16):
It's definitely progress. But because it wasn't really thought through as an entire solution, Fido is basically a crypto hack. It also brings a whole new set of problems. If Fido is to be our solution, we really do need some form of centralized Passkey, storage and synchronization, not only within a vendor, but also across vendors last week, someone calling themselves, captain Jack ZNO mentioned at SG GRC in a tweet to someone else. So it appeared in my Twitter feed. Captain Joe Jack wrote to this other person, you may be excited about pass keys, but squirrel was carefully developed over seven years by at SG GRC and solves problems. You may not even realize that you'd have. And he said, he mentioned potentially cross-platform portability. And, and yeah, we, as we know, squirrel does that and it does so much more someone tweeting as Dr. Nathan P. Gibson, I guess that's.
Leo Laporte / Steve GIbson (00:22:24):
I mean, that's his Twitter handle said, hi, Steve love your detailed breakdown of pass key. You mentioned waiting for password managers to start providing sync services for these 5 0 2 private keys. I see that last pass seems to be promising something later this year. And then he has a link to the blog. He says, do you know anything more about when this syncing might be coming to a password manager near me? And so I saw last passes blog post last Monday, the sixth, it was a bit confusing. And I mean, I spent some time trying to figure out what they were saying because they were at the same time, also promoting the new use of what they called no more passwords today. And what I understand is that apparently that's by the use of their own PA last pass authenticator, which would use the biometrics present on a handset.
Leo Laporte / Steve GIbson (00:23:24):
Thus, you could unlock your last pass vault without using a master password. Okay? So not that big an announcement, but separate from that immediate announcement was indeed a forward looking statement of their intention to support 5 0 2 pass keys. So that's not today, but at least one major password manager is taking aim at this problem. And if one does they'll all need to. So I suspect that the biggest effect of Apple's Google's and Microsoft's support may be to induce websites to bring up their own support for web off N which is what's necessary on the back end. And so let's talk for a minute, by the way. That's what one password says they're gonna do is support off N good. Yeah. Good. So that's the way to do it, right? Is yes. And then presumably there'd be an export import feature from one password manager or iCloud.
Leo Laporte / Steve GIbson (00:24:25):
I would hope I would. Well, yes. Now it'll be really interesting to see whether apple allows a wholesale export. Well, they say they are, they say there's an export feature. Yeah, no, they didn't say that they, no, they said they there's a Passkey sharing, which is different. You use airdrop to send one key. No, to my phone. No, I know that's not the same, but I, somebody told me I didn't, you've watched the presentation. I watched the presentation, I read the developer docs. There's not a word there's no about. Okay. About export. Okay. And if I'm wrong, listeners, please correct me. I I'd much rather it be true that they're gonna allow export than, than just, you know, be a curmudgeon and say, well, I didn't get it. Right. So, you know, if anyone finds that there's an export of Paske from I land I want to know, okay.
Leo Laporte / Steve GIbson (00:25:17):
So web off N the heavy lift that Fido will face, and that squirrel would've faced was the need for backend web server support. As we know, it's surprising, always surprising how slowly things change. No question about it. It's gonna take years. It's gonna take all of the major web server platforms to build it in then for all of the existing web servers to be upgraded, to support it, and then to do whatever they need to do on their end to actually, you know, give it a database and enable it and, you know, have the lights on. And since it's not clear that there's a huge benefit to them since things are sort of working as is, I think we can expect, it's gonna take a while. Think about how long it took for the log on with Facebook and log on with Google OAuth clues to finally become popular.
Leo Laporte / Steve GIbson (00:26:19):
And it's still far from universal. You know, it's around, you would counter it, but you it's, you certainly can't use it everywhere. What you can use everywhere is the original fill out the form, username and password. The reason password managers were an overnight hit was that they provided an entirely client side solution, which did not require any backend change to websites. Web servers didn't know or care how a user was arranging to provide their username and password, and they didn't need to care, but make no mistake, automated form fill of username and password is, it has always been a horrific clue. The fact that clues mostly work doesn't make them any less cluey web off N finally. And at long last changes that the adoption of web off N which was approved and formalized by the w three C consortium three years ago, back in 2019, represents a massive and long needed update to username and password authentication.
Leo Laporte / Steve GIbson (00:27:33):
As I mentioned last week, Fido and squirrel work essentially the same way. They both give a web server, a public key. The, the web server generates a random, not which it sends to the browser, the browser holding the matching private key, which it never releases signs and returns thatnot to the web server. And the web server uses the public key that it has on file to verify the return to signature. What web often is and does is provide all of the mechanics, definitions, protocols, specifications, and implementations of that new form of interchange between a web server and a web client. Now we're likely gonna be facing a chicken and egg situation for some time. You know, what kind of got lost amid the hoo of Apple's announcement last Monday is the fact that you can't use it anywhere. I mean, it is like having squirrel, like <laugh>, which we've had for years now, but you can't actually log in anywhere, but GRC and you know, a community also, you can use your squirrel there.
Leo Laporte / Steve GIbson (00:28:52):
I think you can. Well, I set it up and then remember one of your guys in the forums was providing a backend server. Cause I need, you need a backend server for squirrel, right? Some sort of authentication thing. You, you I don't have one on any of my implementations, but you certainly could. You, you, you could federate the authentication. There was some going on. I couldn't do that. He was doing. And then he led that slide. And so people were using squirrel to log into twi.community. Couldn't use it. And then he said, oh yeah, let me see if I can get, I, I don't know. I haven't kept up on that. And it just sort of died. It just sort of died out. Yeah. So, but I needed something, some piece that he was providing. Well, thank you for trying Leo <laugh> it, it will be good that apple and Google and Microsoft will all be supporting pass keys, which is to say 5 0 2 on the client side and web off N on the protocol backend server side.
Leo Laporte / Steve GIbson (00:29:56):
That's, that's the glue that makes this possible. But when iOS 16 arrives with its builtin Pasky support, you'll probably only be able to log into apple.com, google.com and maybe microsoft.com due to the heavy lift of change that will be required on the back end. But web a N is the key period. It provides a complete replacement for the insecure mess of user names and passwords that we've been living since the Dawn of man and interestingly web ath N ally supports squirrels chosen 2 55 19 elliptic curve. Yay. With, yeah. With its special properties that allow for non random deterministic private key synthesis. That's the, that's the key behind squirrel, as I've mentioned, if you'll pardon upon. So it might be possible someday in the future. I'm not gonna do it. We got a bunch of squirrel developers. Now they'll, they'll do this to transparently run a modified squirrel solution to use squirrel style deterministic pass keys on the server infrastructure that Fido built.
Leo Laporte / Steve GIbson (00:31:16):
So that would be cool. And you know, perhaps indeed the only kind of progress that can practically be made today in today's world is incremental. So the fact that everyone's excited and it's gonna be available in our clients and when web servers start adding end support their UI, their, their login UI will show, Hey, if you got a pass key use it. And you know, so you'll, you'll give them the first time you you'll log in. As you using old school login, then you'll have your client generate a pass key, which they'll hold onto and you could then use that to log in in the future. But the other point I wanted to make was that, that what I really did was squirrel. And this is exactly to the point you were making with you. And Lisa is, you know, I didn't just stop at replacing usernames and passwords.
Leo Laporte / Steve GIbson (00:32:16):
I solved the whole problem. I mean, every as, as you heard me say back then, every single question anybody could ask about what if this, what if that, but what the, but, you know, I have squirrel solved the problem and, and provided all kinds of forward looking solutions that would be handy to have we're we're not gonna get it yet. Maybe we'll get it eventually. Yeah. I realized that discourse, which is the forum software I use use Zen for, oh, you don't have to do anything. I think it's built in, but discourse has to use an OAuth two provider. So Jose C. Gomez, who was, I think is probably still around in your forums. Yeah. Had set up a squirrel OAuth. Two's very clever at squirrel, basically an an O off gateway gateway for, for squirrel, but he doesn't, it's gone. It's a, it's a 5 0 2 bad gateway.
Leo Laporte / Steve GIbson (00:33:11):
So bad gateway, bad gateway, bad gateway. Unfortunately, everybody who used squirrel that set up an account on TWI do community, I guess, is out outta a luck. All right. So, sorry. I apologize. If, you know, I don't know enough to run an OAuth to server myself so well, and I've, as we know I've moved on. So I, I did what I could and we'll, we'll maybe we'll get little pieces of squirrel over time. This is admittedly, this is not perfect, but you know, the perfect can be the enemy of the good and Pasky is much better than what we're doing right now. So yes, yes. My, my only, I guess my only argument is that making a change on the back end requires everybody to make the change. Right. And it's such a heavy lift that if we had just, if we were gonna make a change, let's make it a good one.
Leo Laporte / Steve GIbson (00:34:07):
I mean, let's, let's make it one that actually solves all these other use cases for which people are like, you know, sharing passwords and, and what if a bad guy did get a hold of your key and then we're able to use it to lock you out of an account that doesn't work with squirrel. Some other, some person who gets your squirrel identity cannot lock you out of accounts where, where you are registered with squirrel. It just got, there's so much there, but, you know, and that's where the time went, but, you know, I got it outta my system now <laugh> that just been right? What do you know what the lift is? Well, you, you must cuz you've watched this video now how hard it would be. Let's say I wanted to implement PAKEs on a site. So no, no mortal will do that.
Leo Laporte / Steve GIbson (00:34:56):
It's that hard? Yeah, so, but so it'll, but it'll be li it'll be a library for example. Yeah. I, I, I, I, I, I Googled, I PA Fido two PAKEs I, I, you know, obviously Microsoft server zero hits, oh, there just there's nothing for Microsoft's web server. So just with like the squirrel Zen fro supported squirrel, so was easy for you to implement discourse does not. It requires an O O two backend, actually Zen four did not support squirrel, but somebody was rasing that was Rasmus VIN, Rasmus, that one, our wonderful P guy who, so he hacked for to do that. Yeah, well actually Zen for has a beautiful add-ons architecture. So he was literally able to create an add-on that any Zen Foral user and any Zen site could just, you know, could just do it. And of course, none have, because what's a squirrel.
Leo Laporte / Steve GIbson (00:35:49):
Well, you're reliant. I'm just, as I am with this course, I would be reliant on discourse adding that capability and somebody's using WordPress, they would need a plugin. The good news is that the web is mostly dominated by a handful of servers, very, very few servers, and they will all get web off and plugins or, or modules in the Apache case, for example. And so you just, you know, add the web off and module and configure it. And you're probably good to go. Yeah. Right. Well that, that day I hope comes soon. It'll be interesting to see. I it's not, and this is the problem is, you know, there was a benefit to Google and Facebook doing the login with Google login with Facebook O off hack, because as we know, they track you right. As you pass by you know, they know who you are and where you're logging in.
Leo Laporte / Steve GIbson (00:36:43):
So this, this, this federated OAU login is, you know, they had a benefit. They had a reason for doing it. It's not clear to me what the benefit will be to PE for, to web servers and websites, adding pass keys. You know, things are working the way they are now. So we'll see. Yeah, yeah. You know, it's, and as I said, not everybody is doing the log on with Google and Facebook, you know, you certainly can't use it universally. You, you see it here and there. And it's kind of, you know, kinda like being able to buy something with PayPal. It's like, oh, good. I could use that here. Yeah. But other places, oh, you need my credit card number. Wordpress does have a squirrel plugin. Did, did that get a lot of uptake? Yeah, it did. Yeah. Yeah. Yeah. I think that's gotta be key.
Leo Laporte / Steve GIbson (00:37:35):
You gotta have those easy yes. Switches. Yes. Gotta be a drop in solution. Yep. So last Wednesday, a company known as offensive security that would, who are the people behind Cali Linux announced that they'd be live streaming, their penetration testing with Cali Linux course sessions on Twitch later this month, I mentioned this because a subset of the course's material, all of the streamed content will be open to the public on Twitch at no charge. And I felt sure that some of our listeners would find that interesting for those who don't know, Callie Linux is a Debbie and based Linux distro, which is targeted toward facilitating information, security tasks, such as penetration testing, security research, computer forensics, and reverse engineering. The course in question Penn 200 is a paid course, which helps students prepare for the offensive security certified professional O S C P certification exam before the pandemic.
Leo Laporte / Steve GIbson (00:38:37):
It was only available in person, but during the COVID response, live training was suspended and offensive security moved their courseware online for remote instruction. So today a 26 part 13 week, twice weekly hour long per event, online course will be offered to prepare students for the O S C P certification. Non enrolled viewers are welcome to audit the course. You of course won't get any credit for it, but there's the information. There's an FAQ in the show notes, which details EV or link to the FAQ in the show notes, which details everything you'll need to get going. I grabbed the two most relevant Q and a from that page. First one is where and when will it be happening? And their answer is the off offset live streaming sessions are currently planned to start June 22nd, 2022. So that's Wednesday after next at, from 12 to 1:00 PM Eastern.
Leo Laporte / Steve GIbson (00:39:41):
So that's currently nine to 10 west west coast and run through December 7th, 2022. So pretty much the rest of the year, the off offset live pen, 200 streaming sessions will consist of twice weekly hour, long interactive presentations. They said, we'll also be streaming a weekly office hour where we will address any questions student may have regarding the pen 200 course and prior streaming sessions. And those I would imagine will be only for enrolled people and how much will it cost. And they said the off offset live pen 200 Twitch streaming sessions will be free and open to the public. So just a heads up for our listeners before I introduce the proof that we are living in a simulation <laugh> and I'm just wait, J you laugh now, just wait. I did wanna mention that surf shark has followed express VPN in pulling out of India.
Leo Laporte / Steve GIbson (00:40:42):
I heard Andy mention on Mac break weekly that he logs in to a VPN in Alex, India. Alex. Yes. Oh, Alex. Yeah. Yeah. So he can watch the Pittsburgh Steelers football game. Yes <laugh>. And the good news is, as I mentioned last week, and at least in the case of express VPN, you can still get an IP from India. Right. Even though it's being hosted in some other country, some very clever little shenanigans, they must be pulling there. Yeah. Yep. A hack. Yeah. And Leah, let's take our second break. And then the proof that we're living in a simulated reality. Okay. Officially the best tease in the history of all time. <Laugh> and when, and you cannot unknow this. Oh God. So be careful. This is gonna change things. Well, I remember I went to see the movie, the matrix without any prior knowledge, right?
Leo Laporte / Steve GIbson (00:41:35):
Oh. And I go in, I watch it. I come out, my eyes are like this. Cause I think, oh my God, I'm in this simulation. <Laugh> cause that's the whole premise. So I have to say my life was never the same since, so I'm ready. I'm are we take the blue pill or the red pill once up to you? What's upon a time that the fact that Elon agreed with us had some value, not so much anymore. No, no one really cares what he thinks. Get ready. Your red pill moment is coming up. But first a word from NetFoundry. Our show today brought to you by NetFoundry, a game changing open source security tool for you every week. You know, you listen to this show, you, we it's like a mind field of ransomware and hacking. And, and it all really comes down to just the inability to secure resources on your network, right?
Leo Laporte / Steve GIbson (00:42:30):
Because networks are insecure, period. It's kind of their goal is to let everybody in. So NetFoundry is designed, you know, it's zero trust. It's designed to make an inherently insecure concept. Your concept secure. It's built on an open source tool that many of you may know, it's fantastic called open ZD. They built it. And they opensourced it. God bless them. It makes moving to the cloud. Easy peasy. It gives us simple user experience for remote access without a VPN. We're not talking a VPN here. It allows you to connect IOT and edge in minutes. It's entirely zero trust. That's the idea. That's the principle NetFoundry gives your application superpowers end to end encryption private DNS, dark services and more you'll stop DDoS attacks. You'll end brute force attacks. Credential stuffing got no home here. Those CVE expl, you know, zero days, we talk about all the time.
Leo Laporte / Steve GIbson (00:43:33):
Forget it. No 10 out tens gonna bother you cuz it closes all inbound ports. You know about that from Steve stealth, sit. This is port knocking on steroids. Deployable in minutes, open Zeti created and maintained by net. Foundry provides an open source free and easy way for the world to embed zero trust, networking into anything. It's a library. Basically it provides everything you need to spin up a truly private zero trust overlay network. In minutes across anything, you could do it in your app. You could do it on any device on any cloud. It's extensible, it's flexible, it's scalable and it's open source. So you can use it for free. If you want using open ZD, isolates your apps and systems. So they cannot be subject to external network level attacks for malicious actors while protecting from internal even OS networks, such as being immune and network side channel attacks like fishing.
Leo Laporte / Steve GIbson (00:44:31):
It's zero trust across all networks entirely, which you know, you don't have to worry about expensive and risky. Reactive patching agnostic design patterns mean you only need commodity internet, outbound ports without needing network engineering skills to implement it. You could say goodbye to complex firewall rules, inbound ports, public DNS, static network, access controls. You say goodbye to VPNs. It's really the holy grail of security, right? You just assume that the, your, and even your internal was open. So somebody has to authenticate before they can use an app or a network or any host. It can be embedded into any app host or network they've recently embedded private zero trusts, networking ready into Prometheus, which after Kubernetes is the second most cloud native compute foundation project. You ki you can kind of say goodbye to that tug of war between developers and security developers want it to be open, right?
Leo Laporte / Steve GIbson (00:45:30):
Security says, but look, zero, trust is a journey. You can start wherever you need to start based on your priorities. Open ZD. It's numerous SDKs, a variety of tunneling apps for popular OSS and edge routers. You could find them in the cloud marketplace for, you know, many of these OSS. If you don't wanna host open city, don't worry. You don't have to. Netfoundry has a SAS solution, which includes by the way you might say, oh, now I know how they make the money. Nope. Includes free forever tier <laugh> free forever tears from up to 10 endpoints. Yeah. And if you have more than 10 endpoints, okay, you can work out a deal with NetFoundry. They're really a great company. Their supportive open Zeti is a great model for open source software. We've talked about spring for shell that windows RPC remote exploit RCE, the recommendation of course.
Leo Laporte / Steve GIbson (00:46:27):
And you should do this to patch now, but with open Zeti you don't have any inbound ports at all. So no external network attack even can see you. You can get basically you could patch at your own convenience. You're still safe, right? That's an example. I, this is a big concept, a big subject, and there is a lot to this and it's really mindbogglingly. Good. I want you to go to NetFoundry, N E T F O U N D R Y. There@Netfoundry.Io slash twit. Get some free swag. I have my open ZD little, little macaroni sticker on my laptop. Learn more. Get started netfoundry.io/twi. Get your free swag and your free tier right now. That's what I love about this. You could try it free forever and really get a sense of it. But I think you'll be very impressed open Zeti I wanna put in a big plug for it.
Leo Laporte / Steve GIbson (00:47:20):
It is the way to do zero trust. Open Zeti is at netfoundry.io/twi. Okay. I'm ready to have my mind blown. I'm taking the red pill. Steve, go ahead. So I stumbled upon a proof that we are indeed living in a simulation. My proof that we're in a simulation is that I've, I I've identified a clear and incontrovertible bug that exists within the simulation itself. A glitch. It, it, yes, it's a bug because it defies reality, which is after all what the simulation is intended to simulate. Yeah. And what makes this so compelling is that all of us are aware of this bug, but we all just shrug it off without it ever occurring to us. That that is what it is. So here's the bug. I'm ready to have my mind blown. Okay. It's a clear failure in the rules of probability.
Leo Laporte / Steve GIbson (00:48:32):
If the rules of probability were being properly simulated, when you attempt to plug in one of those original us B style rectangular plugs, the plug's orientation would be wrong only half the time. Yeah. But we all know that it's not 50 50 <laugh> everyone's experience. Is that the first time we attempt to plug in one of those, it is almost always, always wrong. Always, always isn't it? It is. Yes. Leo, it is always wrong. It cannot be always wrong, but it is. I, I have the Leo LaPorte corollary to that. The toast always falls butter side down. Well, see, I think, think the more we think about this, the more we're gonna realize things are not all as they seem <laugh> you got I've. I mean, right. I mean, isn't, isn't one of those got GD USBs, always wrong. Always upside down. Yep. Yes. It should be 50 50.
Leo Laporte / Steve GIbson (00:49:45):
It must be 50 50. And it is not, no one's experience is it is 50 50. So we've been given a clue that we've not been paying attention to it's a glitch in the matrix. You found it. It's a bug. Yep. It's a bug in probability. And that must mean that there's a failure in the simulation. That's why cats always land on their feet. Now, Leo, I have something that may be of interest to you. I have found, I stumbled upon a valid use for facial recognition. Okay. It's in the show notes. It's the smart pet door. <Laugh> the other day I encountered an absolutely valid and very clever application for facial recognition, which I doubt that anyone would have a problem with unlike recognizing people. The bad news is that it's called pet V oh wow. Which has just gotta be about the worst name.
Leo Laporte / Steve GIbson (00:50:49):
Yeah. That anyone has ever come up with pet vain. Wow. My God. I'm sure there must be a wonderful name for such a product. Hopefully some listener will think of it and tell these poor Kickstarter people. So what is it though, you'd never know it from the name, it's a little automated doggy door or cat door, which employs facial recognition of the household canine or feline now, see, you're not a pet owner. So I know that you don't know how serious the need is for this. We have a pet door and we actually had to chip our cats so that the pet door, when they get close, it, it uses R F I D. And it goes, it opens cause otherwise raccoons, turkeys, vultures wolves, ducks, ducks. I've heard about apparently ducks. Anything could use that portal. Yep. Yeah. Yep. But I would love we face recognition.
Leo Laporte / Steve GIbson (00:51:47):
That'd be great. Isn't that great. So yeah, it's a little, it's an automated doggy door or cat door employs this facial recognition. You know, as they approach the door, their identities are verified and only if they are known to it, will it raise the barrier and allow them to pass? You know, it's brilliant the text, which a accompanies this horribly named, but otherwise wonderful looking innovation notes that it can also recognize the most common unwanted guests, raccoon Wolf slash coyote. Good bear. Deer bears. <Laugh> I don't how big is, how big is that? How big is that dog door? Yeah. Squirrel rabbit, duck bore, skunk Fox rats, bore, snake, chickens, and more <laugh> and deny them entry to your home. Well, well, wow. It's unclear to me in reading that description, why explicit recognition of unwanted pets is important. <Laugh> if it's truly being discriminating about the identity of the family's pet.
Leo Laporte / Steve GIbson (00:52:55):
Sure. Well, you don't wanna let the neighbor's cat in. I mean, well, what if you did have a pet duck? I mean, that's probably happened. That's a good point. Yeah. So, you know, you'd probably have to turn off the duck eliminator, but in any event, perhaps that's just, you know, to make sure that nothing unwanted can get in, even if it's, you know, like some clever animal wearing a dog mask to spoof the identity of your pooch <laugh> but really I think do maybe this, maybe I'm biased, but I think a lot of dogs look alike and a lot of cats look alike. Yeah. Can you really do this accurately? I don't know. I don't know. I'm sending this to Lisa and, and you're right. That, that chipping animals is a, is a that's perfect. You know? Yeah. Give them a little, a little short range.
Leo Laporte / Steve GIbson (00:53:40):
R F I D exactly. I should note that I stumbled upon this over on Kickstarter when I was following up on a recent communication from ed Cano, that was Ed's 48th communication <laugh> wow. Ed is the originator of the sand, Sarah, which you and I are still waiting for Leo. Oh, it may finally actually ship actually. Apparently it has shipped and they're working their way through customs at the moment. What is it? And for those it's been so long, I forgot. I know the San Sarah, for those who don't recall is a nifty looking tabletop bed of fine grained sand through which a steel ball bearing is rolled by a magnet located underneath the bed. Oh yeah. I remember the magnet. Yeah. Yeah, yeah. And, and I got the link to it in the show notes. If you want to click on it, you'll see some animated reminders.
Leo Laporte / Steve GIbson (00:54:36):
The magnet is moved by a pair of stepper motors using a quite ingenious mechanism. This podcast discovered this Kickstarter project back in March of 2020, just as COVID was descending upon the world. Ed's original timeline anticipated fulfillment during August that same year. So it appears that it'll finally be happening just shy of two years late. Yeah. That's pretty par for the course, unfortunately, or this stuff, but I have no complaint with Ed's approach. His communication has been good and consistent. And boy, is he a man after my own heart, he's proven himself to be an absolute perfectionist. He should be. He raised 18 million Mexican dollars. Yes. He has 2000 2000 supporters to 2000 backers. Yeah. Though it appears that we'll be receiving this nifty looking gadget nearly two years late. It really does appear that what we'll be receiving will have been well worth the weight.
Leo Laporte / Steve GIbson (00:55:40):
As I mentioned, his project has just shy of 2000 backers and I know that many of them are among our listeners since ed told me. So when we discovered this, we got quite excited at the time. So our collective weight may finally be nearing an end. What is 18 million pesos in American money? I don't know. It was a couple hundred bucks, I think. Yeah. I think it's yeah, yeah, yeah. It was it's expensive. He says 19 pesos to the dollar. So yeah, that's right. They're about a nickel each. So he raised a lot of money. Yeah. Well that's 20 million nickels worse to you. He didn't run out of money. Apparently he a, he pulled this thing off and you know, I just, I thought of it cuz Lori just think she will love this. It's just, you know, it's like the perfect thing.
Leo Laporte / Steve GIbson (00:56:31):
He he's worked. He's worked on making it quiet, cuz it was like, you could hear the stepping motors buzzing and so no, not anymore. And, and like these beautiful round wood, it, I mean he just went through like fire in order to get this thing done, but they're shipping. So I just wanted to mention that. And that's how I found pet vation, the worst named thing ever. The, the engineering looks good, but boy, they're not much for marketing that's by the way, it's almost, it's $874,000. It's a lot of money he raised. So I'm glad he didn't run with it. Nope. Good for did not. He, he is a good guy and if he were to do something else, I wouldn't put it on my calendar, but I'd probably give him more money because you know, he does come through. Yeah. Okay. We got some closing, the loop feedback from our listeners, a bunch of interesting stuff.
Leo Laporte / Steve GIbson (00:57:21):
Robert wicks who tweeted at, from at Berwicks. He said, you called it, Steve, this just popped up on my ancient I 7 47 70 system that has no TPM. And he sent me a screenshot. It says, windows update windows 11 version 22 H two is ready and it's free. <Laugh> get the latest version of, yeah. Get the pitch, your nose, get the latest version of windows with. And it says, and then there's under, that's a link. You can click a new look, new features and enhanced security because we always say that. And then there's a button generation. I seven. So it's not just a TPM. This is definitely ineligible. Yeah. It's a, it, it it's got like smoke signals coming off of it. <Laugh> so Peter G. Chase also tweeted from at P chase G. He said, haha. My only slightly in ineligible for win 11 upgrade PC processor has now magically is now magically eligible and windows is pestering me to do it.
Leo Laporte / Steve GIbson (00:58:38):
Nothing changed on my end. Must be them. You said they might miraculously change the requirements, but I still don't want windows 11. Okay. So what happened Leo? Under the category of you just can't make this stuff up. We had the explanation for what Robert and Peter and many others experienced last week. The verge covered the story last Thursday under the unbelievable headline. Well, if it weren't Microsoft, it would be unbelievable. Microsoft has accidentally released windows 11 for unsupported PCs. Well thank you Microsoft. And it just fine. Thanks. So very much. Oh, paraphrasing from what the verge wrote, they said Microsoft released the final version of its next big windows, 11 update 22 H two to release preview testers on Tuesday and accidentally made it available to PCs that are not officially supported. Oops. That they actually wrote. Oops, not me. Twitter and Reddit users were quick to spot the mistake with hundreds of windows insiders able to upgrade their windows 10 machines on older CPUs.
Leo Laporte / Steve GIbson (00:59:58):
Microsoft, as we know has strict minimum hardware requires for windows 11, leaving millions of pieces behind. So the mistake will once again, highlight the company's controversial upgrade policy, which is to say that it runs just fine everywhere, even though we don't wanna give it to you. So they said windows 11 officially requires Intel eighth, gen Jen eighth gen coffee lake or Zen two CPUs and later with very few exceptions while there are easy ways to install windows 11 on unsupported CPUs, Microsoft doesn't even let its windows insiders officially install beta builds of the, of the operating system on unsupported PCs. So this mistaken release is rather unusual. Microsoft is aware of the mistake and it's investigating oh well that's comforting. Quote says Microsoft, it's a bug and the right team is investigating it as opposed to having the wrong team investigate it, which would just add insult to injury, presumably.
Leo Laporte / Steve GIbson (01:01:05):
And that is what the Microsoft's official windows insider, Twitter account tweeted. So if you managed to install windows 11 on an unsupported PC, and we're expecting only release preview updates for windows 10, you should be able to roll back the unexpected upgrade in the setting section of windows 11 said the verge. So anyway, got a kick out of that one. And speaking of large numbers, Jeff Parrish tweeting from at KB nine GX K sounds like he's might, might be a ham. Don't you think? Is that, is that a ham designation, KB nine GX K or is that to be K nine or something? I don't anyway, I don't, I don't know. He says you can go to math.tools/calculator/nu dot.dot. And I didn't get the rest of the link to convert that number. Remember the number was, I don't even remember now two to the, so two to the 768 from last week.
Leo Laporte / Steve GIbson (01:02:05):
It was, it was three, three sets of 2 56 bit encryptions. It was big. Yes. Well he says it's large, just the first couple of numbers and then he lists them, but somebody else sent me the entire thing. Of course we have that kind of listener. So I am not reading this. Are you gonna read this? No, <laugh> no, but, but I'm gonna go up from the, I'm gonna go up from the bottom. Okay. Because I stumbled on something that was sort of interesting. Yeah. So we have it ends in 38. Yes. Then we've got, we have 52,000. Then we have 139 million, 611 billion. 696 trillion. 116 quadrillion. Okay. Then we have 17 Quintel I guess I am reading it 886, 6 trillion. He's so good. He's reading it backwards folks. <Laugh> in high heels. Yes. 256 septillion 555 octillion. This is all left. 500, you know, 500 OC known.
Leo Laporte / Steve GIbson (01:03:16):
Go ahead. Yeah. Well and what happened was later, I got to Sept OC and Nove and wait a minute. Those are months. September, October, November. Yeah. That's right. Yeah. Yeah. So then we got, we got no million. Then we got decal. We, then we have unde then duo Deon tread tray, Deion cuatro. Decion these are not very imaginative at this point. Quin Deion. That's why sex? Decion it's orderly. So you can figure out seven Deion. Yeah. Eight. Oh, then we have Okta Deion and finally, oh no now Deion. DEC. Yeah. VE decion. Yeah. And finally one vague Virgin Tillion <laugh> Tillion Virgin Tillion that's cuz yeah. That's 20. Yeah. Yeah. Wow. Anyway, thank you. Those of you who followed up aggressive on the two to the 7 68, we will never forget ye and and Gumby, I think told, told us he tried to do it EAX and quit at quadrillion.
Leo Laporte / Steve GIbson (01:04:23):
What a wimp. So nevermind. EAX so X. So Roy Ben yoof tweeting at lizard at wizard lizard, Roy as his, his Twitter handle gene. Okay. He was able to out that one wasn't free when he went for it. He said, hi, Steve gestured your piece on the new south Wales driver's license, and maybe I'm missing something, but isn't it all client side they could do all sorts of fancy crypto and whatnot. Can't I just write my own app that looks the same with, you know, a dancing flower and shows, whatever I want is there is, you know, is there no, or shouldn't be server side variation somehow he says long time listener since 2011, you got me into the cybersecurity business. Nice. Since 2012. Wonderful. Thank you. And and I'll follow that immediately with Ryan's tweet because he's his company's PKI expert.
Leo Laporte / Steve GIbson (01:05:22):
Ryan tweeted, actually he sent via email, you know, grc.com/feedback. It was in the mail bag. Hello, Steve, regarding the new south Wales digital driver's license. I work as my company's PKI expert. We know that's, you know, pub public key infrastructure. There's a job called PKI expert who oh yeah, we're in. And he's he knows all about web off end I'm sure. Oh yeah. He says, I liked your solution to the DDL problem. You know, I talked about how you could just solve this with a certificate. He said, I wanted to let you know that you were proposed PKI based solution. Cam also cam also prevent spoofing of the driver's license. QR code dancing flowers are all well and good, but could be spoofed. If you were motivated enough. As our previous writer noted, he said the way to prevent copying the QR code and passing it off as your own lies in exactly the type of certificate that you issue.
Leo Laporte / Steve GIbson (01:06:18):
If you issued a signed DDL certificate, like you suggested with the key usage attribute of digital signature is at Perens and the enhanced key usage attribute of email protection, then your DDL can sign arbitrary messages. This is how encrypted S mime email works. In our case, the DDL, the digital driver's license could sign your name and age and include the signature in the QR code. In other words, he came up with a very clever extension. The certificate that is the DDL itself could be used for signing. So you, so it could, so that QR code could constantly be changing locally on the screen. Mm. Each of those changes dynamically, refreshed and signed by the certificate, which is the DDL because it's a cert. So the point is he, that's a very clever extension of the idea. He said, but couldn't this QR code be copied?
Leo Laporte / Steve GIbson (01:07:25):
He says, well, the next step is to have the person verifying the ID, check the timestamp to see exactly when the QR code was signed. You could have the user push a button or enter a pin in the app and the gen. And I had it just doing it automatically. Cuz you could do that too. This also lets you customize your trust. A police officer's scanning device could trust a QR code for 30 seconds. A bouncer's device could trust a QR code for one to two minutes. So you can pull up your QR code while you're in line and keeping the, and keep the line moving. He really thought this through the chances of being able to predict the exact 30, 60, or one 22nd window that you'll need to produce the QR code means that setting the clock ahead on your friend's phone and pre generating a QR code are vanishingly small live long and prosper Ryan.
Leo Laporte / Steve GIbson (01:08:19):
So Ryan, very nice piece of work on that. Nice. Yeah. Tom Davies was a little grumbling. He said it always grates me a bit. When you dunk on GDPR for ruining browsing, unquote, please have a look here. And he sent me to www.coventry.ac.uk. He says, as you can see, it's perfectly possible to be GDPR compliant, only forcing a single interaction on the user. What has ruined browsing? You guys getting quotes is not GDPR, but web hosts reliance on tracking users to the point where they would rather ruin your browsing experience than allow you to opt out. He says, I've not dug into it that much, but I'm sure we've all seen examples where it's clear that sites are deliberately making it extremely difficult to do anything other than accept the default. Please track me option. It really seems that if you don't want to be tracked, these sites do not want you to visit.
Leo Laporte / Steve GIbson (01:09:23):
So I was curious to see what Tom was referring to and Leo, you brought it up. So I went over there. What Tom means, cuz we have a, a, a bar at the bottom with three options. What Tom means is that it's possible for a website to request, to set a cookie in order to not to no longer need to notify about setting cookies. Okay. And just for the record, since Tom says, this is grading on him, we've previously made it clear that the strict privacy regulations that had been in place long before the GDPR, but that everyone was happily ignoring thus no annoying cookie warning banners until the GDPR was enacted to give those regulations some teeth. I certainly don't disagree with the bias toward tracking that Tom has, but it really was the enacting of the GDPR. That's what is making our lives miserable because now it's not just a regulation, everyone ignores it's you know, something that everyone has to pay attention to.
Leo Laporte / Steve GIbson (01:10:31):
Well, and it it's what it really is. The problem in my opinion is that this notion that all cookies are bad my site has uses one cookie, a cookie to remember your preferences between light and dark mode. But because it uses one cookie it's not tracking you it's just remember your saving on your computer, your setting, right. All it's doing. Yeah, because it's doing that. I have to put up a stupid ass cookie men thing and I think it's wrong and it's absurd. And it has the exact opposite effect by enduring people to these messages. It's it's making them forget about it's just like yeah, yeah. Click. How many quadrillion vental yeah. Useless clicks. Have there been click clicks, waste of resources cuz that has to be transmitted. No, it's a, a perfect example of a misguided law that accomplishes exactly the opposite of its intent.
Leo Laporte / Steve GIbson (01:11:34):
Yeah. By the way, pat on the back, because today Firefox announced what should have been the case all along that third party cookies are entirely blocked. They're gonna sandbox all cookies unless the originating site is asking for it by default. Yeah. And that's the problem is third party cookies. First party cookies are not problematic. I would submit in any event, certainly my light dark mode cookie is not problematic. No it's incredibly infuriating. And maybe that our mentions of this grates on you, but that ain't nothing compared to how these cookie warnings great on every other person in the globe. Yeah. Because we have to do it cuz you, the EU decided to do it. It damaged the EU credibility beyond belief. It's a terrible idea. Yeah. It had all sorts of negative effects. It makes the EU a laughing stock. Thank you. Yeah.
Leo Laporte / Steve GIbson (01:12:33):
<Laugh> Philip Le rich he said regarding last week's podcast, SN 8 74, the only essential diff between Paske and squirrel is that squirrel uses computed private keys. So could squirrel be made to register its private key with a 5 0 2 website and respond to a 5 0 2 off challenge then squirrel would work on any 5 0 2 site. Use that in prince, but please finish spin. Right first <laugh>. So, so he anticipated what I talked about at the top of this episode, the use of deterministic private keys may be possible under web off. N so if so, if so then yes. Squirrels single key approach could transparently replace the big bucket of keys approach that is used by Fido without sacrificing any security. And as we now more know, you know, there is in fact much more to squirrel than just the difference between one master key that synthesizes past keys on the fly versus randomly generated PAs keys, all of which you have to store.
Leo Laporte / Steve GIbson (01:13:45):
As I, as I've demonstrated at the top of the podcast, squirrel really goes all the way to solving authentication. What we have with, with, with PAs keys and 5 0 2 is a very robust replacement of user names and passwords. So definite improvement there. And as for spin, right, everyone should know that I'm done done with scroll. What except for talking with about it here, I've handed it off and over to a very competent group of developers who know it now just as well as I do. And they hang out firstname.lastname@example.org. So no one need worry for a nanosecond that I will again, become distracted by squirrel. That's not gonna happen. <Laugh> and somebody with a clever handle Linux, L Y N T U X Linux, he said, I wanted to remind you at SG GRC that a YubiKey can only hold up to 25 credentials. Each that's not a problem since there aren't that many fi oh two websites out there, but that could change. That's another reason why squirrel is better. And in fact, you know, the fact that UBI keys have a 25 credential limit also beautifully demonstrates that the Fidos projects work was never aimed at mass use and adoption. They were originally focused upon using super secure hardware, dongles for authentication to just a few crucial sites. That system was never able to scale. So when it failed to get off the ground, they relax their requirements and produced 5 0 2.
Leo Laporte / Steve GIbson (01:15:33):
I'm gonna skip one because we we're. That was good. Yeah. We started late. I no, no, no. It's okay. Yeah. Oh I guess I pronounce his name. U ho Vitu solo. He said, hi, I tried the lady. I'm pretty sure that's not how you pronounce it, but it's gonna have to do <laugh>. Yeah. Sorry about that. I'll just say that his Twitter handle is at J U ho V. Yeah. That's easier. Yeah. I, I, I tried the latest spin ride XE from your dev directory, but could not run it in windows seven. I was hoping to burn an ISO that way. I have a failing SS D I need to massage. Can you tell me how to use these executables? You have on your server. Thanks. Oh boy. Yeah. And, and Greg got a bunch of email from our listeners.
Leo Laporte / Steve GIbson (01:16:28):
So I'm sure that he's referring to the reference. We recently made to grc.com/dev/spin. Right. And I asked you, and you did to pull up the directory listing just to sort of show how much work we did on this first phase of spin, right? That directory contains a gazillion incremental spin, right. Development releases, but they are dos executables. Oh boy, not windows exes. So they definitely will not run under windows, but moreover, even if you did run them under dos, they do not yet move the user past the system inventory stage where spin run is figuring out what you've got and how it can best work with it. That's where all of our collective work thus far has focused. Once I do have something that's operational, all existing spin, right? Licensees will be able to obtain their own copies from GRCs a server, but we're not quite at that stage yet.
Leo Laporte / Steve GIbson (01:17:30):
So I apologize for the confusion. I'm guessing Juho thought he'd found a source of free spin, right. Which this is not maybe, although he was expecting to burn an ISO and the, the normal spin, right. That you run on windows will do that. Ah, okay. So he may have, so it sounds like he has some understanding. He just wanted to upgrade of the, of the way it normally works. Right, right. Okay. Could you use the old spin right? For an SSD. Yeah. Right. Yes. Yeah. Yeah. Okay. Okay. If anyone listening to this podcast has only been like paying half attention, although this has been so great. I don't know how that's possible now is the time to bring your entire focus to bear on this next question. Our final question from a listener, because it wins the award for the best question maybe ever, and I'm gonna leave it hanging and unanswered until next week.
Leo Laporte / Steve GIbson (01:18:25):
So everyone will have the opportunity this next week to ponder the question and its answer and Leo and everyone in the discord and chat rooms, please resist the temptation to blurt out any spoilers for everyone else who wants to ponder this very intriguing question? Here it is. Eric. Osterholm. He tweeted hi Steve longtime listener. I'm a little confused on the key length discussion. I always thought that encrypting twice, merely doubled the effective strength. Here's my reasoning. Imagine you have an algorithm and a key that you can fully brute force in one day, if you add one bit to the key, you double the key space and therefore it takes twice as long to brute force Perens or two days. If you instead encrypt twice, then it takes one day to decrypt the outer cipher text. At which points you get back to the first output of cipher text. Then in one more day, you can brute force the first inner cipher text. Like in the first example, this takes two days. It seems to me that these are equivalent. Is there something I'm missing?
Leo Laporte / Steve GIbson (01:19:59):
So there it is. Everybody think about that. And we'll answer the question at the top of next week's show. Hmm. His logic seems sound. It seems very sound. Hmm. So no spoilers. Anybody don't blurt it out. Just smile. If you think he got it, ain't gonna blurt it out. Cuz I don't know it <laugh> he's safe with me, Steve <laugh>. So let's take our last break and we're gonna delve into the so-called Pacman attack, which leverages an unpatchable and unfixable flaw, which exists across Apple's custom M one chip set family. SI. I'm gonna talk about our sponsor today. I've talked about 'em before. It's what we started with honey pots. This, my friends, this little do Hickey is a honey pot sitting on our network. Yeah. You say it, it looks like, you know, a little hard drive, maybe just like a little plastic enclosure with some circuitry.
Leo Laporte / Steve GIbson (01:21:01):
Yeah. I notice you say it's attached to your network and it's plugged in. That's a honey pot. Oh yeah. Because to the bad guy, the hacker who has penetrated my network, this doesn't look like, you know, a hard drive. This looks like a network attached storage. In fact I've set it up to look exactly. Like my Sonology it's got the Mac address. It's got the login. It's all the details a hacker would say, oh yeah. And maybe even try to log into it. But the minute the bad guy does, I get a notification saying, Hey, somebody just tried to lock in to this. Non-Existence Sonology you have could be a skated device. Could be a windows. Server could be a Linux server could be a Christmas tree with a hundred services lit up. Could have just a select few services. It could be almost anything you want.
Leo Laporte / Steve GIbson (01:21:55):
It's the easy to set up. Honey pie. You use your thinks to Canary console to set up, you know, whatever device it is. You can change it any time you want. Well, there's another cool thing you can do with this. This thanks, Canary. It will let you create Canary tokens, which look for all I intents and purposes like PDFs or word documents or Excel spreadsheets. They're not, but you know, you can spread them around your network. I might have one. I just might sitting on my hard drive saying something like employee payroll information. Now, if you're a bad guy, again, you're wandering around. You're looking at stuff. You might say, boy, that's a spreadsheet I'd like to download, but the minute they touch it, the minute they try to open it, the minute they do anything with it, it immediately pings me through my Canary and lets me know there's someone in the network.
Leo Laporte / Steve GIbson (01:22:52):
It's unfortunate, but companies almost always find out too late that they've been compromised. And you know, you can spend millions on perimeter security, but if somebody gets in, how are you gonna know? On average, it takes 191 days. What is that? More than six months for companies on average to realize there's somebody in their network, but with a Canary or two or three spread around your network. It's like a little trip wires just waiting for the bad guys. It's really a clever idea. I know many companies now that have adopted this. Some of the biggest companies in the world have hundreds of them. Even small companies might have five or six at critical access points. You could put 'em on active directory. So if an attacker brows active directory for file servers or explores file shares, they'll be looking for documents. They'll be trying to default passwords against network devices and web services.
Leo Laporte / Steve GIbson (01:23:49):
They'll scan for open services. Bing this thing, it doesn't look vulnerable. It looks valuable. This thing pops up. It can look like a router, a switch, a NAS server, a Linux box, a windows server attackers won't even know they've been caught. They'll just say, well, I guess that password didn't work. Oh, but you know, you know, Canary tokens, same thing. You can put infinite number. If you want. There's an unlimited number of Canary tokens you can make with your canaries. It's designed to be simple. In fact, Canary is based on the work that the company's founders did training other companies, militaries, even governments on how to break into networks. And it's with their knowledge about how attackers work that they built Canary. You could change its configuration anytime you want in minutes. And you know, the best part is they just sit there quietly on the network.
Leo Laporte / Steve GIbson (01:24:44):
You know, if you don't hear from 'em all is well, but if something bad happens, you're gonna get not swamped by false alarms. But a message that's very clear that tells you exactly what's going on. And you can get any way you want emails, text message. You're gonna get a console. When you get your canaries, you can just check that it works with slack. In fact, it works with web hooks. So it works with a whole bunch of stuff. Syslog there's even an API. If you want a kind of custom interface, I think canaries are the best. One of the best tools against data breaches. You've got your Def your perimeter defenses. You need those, but you also need somebody on the inside keeping an eye out for you watching, cuz there's nothing worse than getting that email from an intruder who says, yeah, we just triggered ransomware and oh, by the way, we've been on your network for months.
Leo Laporte / Steve GIbson (01:25:31):
Exfiltrated 18 terabytes worth of customer records, employee records and that new movie you're about to release. Ah, you'll know, before that happens now, how much do they cost? Well, it depends what you're gonna get. I'll give you an example. Go to canary.tools/twit canary.tools/twit. Let's say you want five of them cuz that's reasonable, small business. You might put 'em around different places in the network. 7,500 bucks a year for five, you can get more fewer if you want. Of course. As I mentioned, you get your own hosted console. You get upgrades, support maintenance for a year. You sit on it, you break it, whatever. They'll send you a new one. No questions asked. You can take 10% off that. If you use the word twit in the, how did you hear about us box? That helps us cuz then they know you saw it here, but it also helps you 10% off.
Leo Laporte / Steve GIbson (01:26:20):
And that's by the way, not just for the first year, that's forever, that's for life. And if you're at all worried, don't, you know, we know you're gonna love this Canary, but if you're at all unhappy, you've got a two month money back guarantee. So there really is no risk canary.tools/twit, C a N a R Y Canary like the Canary in the coal mine. Get it canary.tools/twit enter the code twit w I T. And how did you hear about us box a claim you're 10% off for life. These are just brilliant. If you're not running this, what is your plan? When somebody gets in and they're wandering around and you don't know cuz you know what, you're not gonna see. 'em It's not like some stranger in the hall. Who are you? No, they're sneaky canary.tools/twit. We think of so much for creating a great device and for supporting security now.
Leo Laporte / Steve GIbson (01:27:16):
Okay, Steve let's move on by far the biggest headline grabbing news this past week was the teaser that Apple's much vaunted M one chips contain a critical bug or bugs that cannot be patched or repaired. First of all, only part of that is true. The reason apple is being singled out is that their M one arm architecture chips are the first to use a cool new feature of the arm version 8.3 architecture known as pointer authentication. Everyone else plans to use it too. They just haven't gotten their newest chips out yet. The heading of the 14 page research paper published by four researchers at the MIT computer science and artificial intelligence laboratory reads Pacman attacking arm pointer authentication with speculative execution. So once again, we have the specter pun intended of speculative execution, raising its ever ugly. Head this time in a new context, a new feature of the arm version 8.3 architecture initially represented by Apple's proprietary M one chip.
Leo Laporte / Steve GIbson (01:28:42):
Okay. So what is it? Pacman is a novel hardware attack that can bypass the benefits of an emerging feature known as pointer authentication P CPAC. So that's where the pack comes from. Pacman. The authors of this work present the following three contributions. They feel first a new way of thinking about compounding threat models in the specter age, meaning hardware and software, not only one of the other second reverse engineering details of the M one memory hierarchy. There's almost nothing available publicly from apple. So they had to just figure it out the hard way to pull this off in practice and three, a hardware attack to forge PACS that is kernel pointer authentications from user space on M one they wrote Pacman is what you get when you mix a hardware mitigation for software attacks with micro architectural side channels, we believe the core idea of Pacman will be applicable to much more than just pack.
Leo Laporte / Steve GIbson (01:30:00):
So these guys believe that they've uncovered another entire class of exploitable micro architectural flaws, which are introduced by attempts to mitigate software attacks. We'll talk about pointer authentication and what it is in detail in a second, but here's what the researchers wrote for the summary abstract at the top of their paper, they said this paper studies, the synergies between memory corruption, vulnerabilities and speculative execution vulnerabilities. We leverage speculative execution attacks to bypass an important memory protection mechanism, arm pointer authentication, a security feature that is used to enforce pointer integrity. We present Pacman a novel attack methodology that speculatively leaks pack verification results via. And I'll be explaining all this in a second via micro architectural side channels without causing any crashes. Our attack removes the primary barrier to conducting control flow hijacking attacks on a platform protected using pointer authentication. In other words, you know, pointers are what the system uses to well obviously to point to things, but for example, to control its, its it's flow of control.
Leo Laporte / Steve GIbson (01:31:31):
So if you're able to change the pointers and not have that change detected, then you're back where you were being able to, without this protection, obviously being able to, if you're able to get down into the kernel to do things. So they said, we demonstrate multiple proof of concept attacks of Pacman on the apple M one SOC you know, system on a chip, the first desktop processor that supports arm pointer authentication. We reverse engineer the TLB that translation look side buffer, which is the way memories organized these days on the apple M one SOC and expand micro architectural side channel attacks to apple processors, meaning, you know, before it had been Intel stuff, right? So now apple, moreover, we show that the Pacman attack works across privilege levels, meaning that we can attack the operating system kernel as an unprivileged user in user space.
Leo Laporte / Steve GIbson (01:32:41):
And I've I loved how they set this up and framed this work in their paper, short introduction. So I wanna share it too. Two paragraphs. They said modern systems are becoming increasingly complex, exposing a large attack surface with vulnerabilities in both software and hardware in the software layer, memory corruption vulnerabilities such as buffer overflows can be exploited by attackers to alter the behavior or take full control of a victim program in the hardware layer, micro architectural side channel vulnerabilities such as specter and meltdown can be exploited to leak arbitrary data within the victim program's address space today. It is common for security researchers to explore software and hardware vulnerabilities separately. Considering the two vulnerabilities in two disjoint threat models. In this paper, we study the synergies between memory corruption, vulnerabilities and micro architectural side channel vulnerabilities. We show how a hardware attack can be used to assist a software attack to bypass a strong security defense mechanism.
Leo Laporte / Steve GIbson (01:34:00):
Specifically, we demonstrate that by leveraging speculative execution attacks, an attacker can bypass an important software security primitive called arm pointer authentication to conduct a control flow hijacking attack. Okay, so what is arm pointer authentication? We've talked and Leo is just talking about canaries, right? We've talked about related attack mitigation measures in the past. Remember stack cookies. They're a form of Canary. The idea with stack cookies is that the system places little bits of unpredictable crypto hashes on the stack, as a means for detecting a, when a buffer overrun has just occurred. So before executing a return from a subroutine, which is when the overwritten attack code would get executed, the bit of code performing the return first checks the stack for the proper cookie, the proper Canary and only executes the return. If the value found at the location matches what's expected. The idea is that if attackers don't have nearly sufficient visibility into the system to know what the cookie should be.
Leo Laporte / Steve GIbson (01:35:26):
So their attempt to overrun a buffer on the stack is inherently somewhat brute force, you know, kind of a blunder bus approach. The cookie allows their overriding to be proactively detected before the contents of the stack is trusted and acted upon what the arm version 8.3 architecture introduces is a clever means of adding a tiny authentication hash. Actually it can be too tiny as it turns out. We'll get there in a second, adding a tiny authentication hash into arm pointers as a means for detecting any unauthorized changes to that pointer. As we know, the arm architecture is 64 bits wide. That means that it will have 64 bit pointers, but 64 bits is, ah, I can't even pronounce this number. I, we went, we now know it's a it's if we it's a Virgin till <laugh> yes, it's it's 1-844-674-FOUR 0 7 3 7 0 9 5 5 1 6 1 6. It's a big number.
Leo Laporte / Steve GIbson (01:36:44):
That's that's how many 64 bits gives, you said another way. It's get this 18.4, four, 6 billion gigabytes. Wow. Of pointer space, 18.4, four 6 billion gigabytes of pointer space in 64 bits since no one has nearly that much Ram in 2022, you know, we'll, we'll see what happens at 10 years from now. That means that a large number of the high order bits of 64 bit arm memory pointers are always gonna be zero. So the clever arm engineers realized that they could set a boundary point in their pointers to the right of the boundary is a valid pointer, which is able to address as much memory as the system has. And to the left of the boundary, using all of the bits, the high order bits, which are always gonna be zero because they can't ever, because the system doesn't have enough memory for them to ever come into use.
Leo Laporte / Steve GIbson (01:38:00):
Those can now be cleverly used to validate the bits on the right here's how the MIT guys described this. They said memory corruption, vulnerabilities pose a significant security threat to modern systems, you know, right. We're talking about that pretty much all the time on this podcast, they said these vulnerabilities are caused by software bugs, which allow an attacker to corrupt the content of a memory location, the corrupted memory content containing important data structures, such as code and data pointers can then be used by the attacker to hijack the control flow of the victim program. Well, studied control flow, hijacking techniques include return or inter programming R O P, which we've discussed at length in the past and jump oriented programming J O P in 2017 arm introduced pointer authentication PA for short into arm V 8.3 as a security feature to protect pointer integrity. Since 2018 pointer authentication has been supported in apple processors, including multiple generations of mobile processors and the recent M one M one pro and M one max chips, multiple chip manufacturers, including arm Qualcomm and Samsung have either announced or are expected to ship new processors, supporting pointer authentication.
Leo Laporte / Steve GIbson (01:39:38):
In a nutshell, they wrote pointer authentication is currently being used to protect many systems and is projected to be even more widely adopted in the upcoming years. Pointer authentication makes it significantly more difficult for an attacker to modify protected pointers. In memory, without detection, pointer authentication protects a pointer with a cryptographic hash, this hash verifies that the pointer has not been modified and it's called a pointer authentication code or pack for short. Okay. So this is really clever. It essentially makes 64 bit pointers, self authenticating, such that any change to any of the pointers, 64 bits will trigger a protection fault and cause the operating system to immediately terminate the offending program. The Achilles heel of this approach is that there are not a large number of authentication bits available in the case of Mac OS version 12.2 0.1, which is which extravagantly uses 48 of the total 64 bits for valid pointers, only 16 bits remain available for the authentication role.
Leo Laporte / Steve GIbson (01:41:06):
As we know, 16 bits is a famous number. It's 64 K that's the total number of possible combinations that can be taken by any 16 bit value. Again, here's what the researchers describe. They said, considering that the actual address space in a 64 bit architecture is usually less than 64 bits. Yeah. Less than that. 18 billion gigabytes, for example, 48 bits on Mac OS 12, 2 21 or 12.2 0.1 on M one, they said pointer authentication stores. The pointer authentication code that the pack together with the pointer in these unused bits, whenever a protected pointer is used, the integrity of the pointer is verified by validating the pack using the pointer value use of a pointer with an incorrect pack will cause the program to crash with pointer authentication in place. An attacker who wants to modify a pointer must correctly guess or infer the matching pack of the pointer after they've modified it, depending on the system configuration the size of the pack, which ranges from 11 to 31 bits may be small enough to be brute forced. However, simple brute forcing approaches cannot break pointer authentication. The reason is that every time an incorrect pack is used the event results in a victim program, crash restarting a program after a crash results in changed packs. As the packs are computed from renewed secret keys. Every time the program runs, moreover frequent crashes can be easily captured by anomaly detection, tools, rules.
Leo Laporte / Steve GIbson (01:43:04):
The breakthrough that these guys achieved was finding a way to successfully brute force probe for the proper authentication code, given a modified pointer by doing that, they're able to make up their own pack for whatever pointer value they need. So the final piece of description I'll share from their paper is the PAC man attack. In this paper, we propose the PAC man attack, which extends speculative execution attacks to bypass pointer authentication by constructing a pack. Oracle, given a pointer in a victim execution context, a pack Oracle could be used to precisely distinguish between a correct pack and an incorrect one without causing any crashes. In other words, exactly what's needed for brute forcing. They said, we further show that with such a pack Oracle, the attacker can brute force the correct pack value while suppressing crashes and construct a a control flow hijacking attack on a pointer authentication enabled victim program or operating system.
Leo Laporte / Steve GIbson (01:44:31):
The key insight they said of our PAC man attack is to use speculative execution execution to stealthy leak, PAC verification, verification results via micro architectural side channels. Our attack works relying on Pacman gadgets. A Pacman gadget consists of two operations. First, a pointer verification operation that speculatively verifies the correctness or not typically of a guest pack and two, a transmission operation that speculatively transmits the verification result via a micro architectural side channel. So these guys have gotten very clever, but then bad guys are too. The pointer verification operation is performed by an authentication instruction. One of the new instructions introduced in arm version a 0.3, which outputs a valid pointer. If the verification succeeds and an invalid pointer, otherwise the transmission operation can be performed by a memory load store instruction or branch instruction taking the output, the pointer, the output of the pointer as an address, if a correct pack is guessed, the transmission operation will speculatively access a valid pointer resulting in observable micro architectural side effects.
Leo Laporte / Steve GIbson (01:45:58):
Otherwise the transmission step will cause a speculative execution due to accessing an invalid pointer. They said note that we execute both operations on a MIS speculated path. Thus the two operations will not trigger architecture, visible events. God that's clever avoiding the use where valid guesses result in crashes. So they've, they've basically taken the what, what, what we've learned in the last few years about micro architectural side effects. The idea that subtle variations in branches taken and not taken can, can be sensed across process because they're, they're left in the hardware so that everyone shares and you're not gonna cause a crash cuz they're deliberately arranging that the, that the, these tests occur in the speculation path, which the processor never executes. So the side effects are generated by the speculation portion of the engine, which wh where, you know, which is executing ahead of where the processor is actually going.
Leo Laporte / Steve GIbson (01:47:21):
The processor doesn't take that path. So no mistake is gen no crash occurs. No exception fault is, is triggered yet. It still leaves a, a trace of footprint in the, in the micro architecture, which they're able to sense. This is just, is so cool. Okay. So now we bottom line it. What does all this actually mean for those relying upon the security of apples, M one based devices in their own FAQ, the researchers provide some reality check answers. Does this attack require physical access? They ask themselves, no, we actually did all our experiments over the network on a machine in another room. Pacman works just fine remotely. If you, even if you have unprivileged code execution, should I be worried? As long as you keep your software up to date, no Pacman is an exploitation technique on its own. It cannot compromise your system while the, while the hardware mechanisms used by Pacman cannot be patched with software features, memory corruption, bugs can be.
Leo Laporte / Steve GIbson (01:48:44):
Can I tell if someone is using Pacman against me, they replied much like the specter attack. Our work is based on Pacman executes entirely in the speculative regime and leaves no logs. So probably not. They ask why do you need a software bug to do the Pacman attack? And they answer Pacman takes an existing software bug, a memory rewrite and turns it into a more powerful primitive pointer authentication bypass. For our demo, we add our own bug to the kernel, using our own kernel module in a real world attack, you would just find an existing kernel bug. Our demo only uses the kernel extension for adding a software bug. The entire attack runs in user space. So an attacker with an existing bug could do the same attack without the extension that their proof of concept provides. Finally is Pacman being used in the wild and they reply to our knowledge.
Leo Laporte / Steve GIbson (01:49:53):
No, now Apple's response didn't offer much. They officially said, quote, we want to thank the researchers for their collaboration as this proof of concept advances, our understanding of these techniques. Yeah, I bet <laugh> based, based on our analysis, as well as the details shared with us by the researchers we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own. Okay. That was carefully worded to be exactly factually correct. And it is generally speaking. The common M one chip user does not have anything to worry about more, you know, after this than they did before. But the off the authors never suggested that this could be used in any form of standalone attack. What this does mean is that successful attacks against current and future arm chips equipped with pointer authentication will need to be more complex in order to also defeat this new extra layer of protection is there.
Leo Laporte / Steve GIbson (01:51:22):
And it's good, but the attacks are gonna have to be more complex to defeat it. And they can as is Apple's M one chips based on the arm version 8.3 architecture are thus significantly more difficult to successfully attack than other systems, which lack this additional though, imperfect layer of protection. And I'll close with this observation, Apple's allocation of 48 bits for their pointers, which affords access to more than a quarter million gigabytes of Ram is obviously excessive in the extreme. Before this paper was published. Apple's engineers probably thought, what the hell we have 64 bits of pointer space <laugh> so we'll use the lower 48 for pointing and the upper 16 for pointer authentication. Assuming at the time that it was not possible to brute force probe for the correct value of those 16 spare bits, Apple's engineers likely thought that there would only be one chance in 6, 5, 5, 3, 6 of an attacker correctly guessing the proper hash for a modified pointer and a wrong guess.
Leo Laporte / Steve GIbson (01:52:49):
The first wrong guess Eddie wrong guess would cause the victim program to be immediately terminated. But we know that 16 bits. Now we know that 16 bits is not sufficient. So apple could choose to significantly strengthen their pointer authentication by tightening down on the active pointer space, maybe even setting it up dynamically based upon the amount of Ram a system actually contains a large system, even a large system with 64 gigabytes of Ram requires pointers to consume only 36 bits, 36 bits lets you address 64 gig of Ram. That leaves 28 bits for authentication, which is 4,096 times more difficult and time consuming to brute force with no other overhead or cost to the system. In any event, the sky is once again, not falling and all is well good now, but could it fall in the future? Well, you know, can, when you consider that every time we attempt to plug in a USB plug, it fails.
Leo Laporte / Steve GIbson (01:54:16):
It could be that the attacker will guess right? The first time. Yes, it could be, even though they've got one chance in 6, 5, 5, 3, 6, I mean I've never plugged in a USB plug correctly the first time. It just, it never happens. Never happens. Which demonstrates like that, that black cat remembered the kind of flickered two, two cats walked by the matrix and that represented the glitch in the matrix. Yeah, we got a glitch here. You know, the best thing about USB type C is that, you know, this may actually be an attempt to cover up this bug. It's hiding the glitch. I think you're right now. It doesn't matter. You'll get it right the first time, every time. So, and with time with time, those old type a connectors they'll they'll fade away. Mm-Hmm <affirmative> and this bug in reality that was made it very possible.
Leo Laporte / Steve GIbson (01:55:05):
I mean, someone, somewhere, someone is thinking, boy, those humans are dumb. <Laugh> look at them every, every time they plug try to plug in those USB things, never notice <laugh> Nope. We, we, we can't change the code and the simulation now it's running, we cannot patch it on the fly. So we just have to put up with this bug in USB type a connectors, but now those are gonna fade into the past. We're gonna get type C and nobody will even know. Oh see, brilliant, brilliant that matrix that knows what it's doing. Well, thanks for joining us on the red pill edition of security. Now, Mr. Steve Gibson lives at SG GRC on the Twitter. If you wanna leave him at DM he also has a little website. He calls grc.com the Gibson research corporation. What he's researching right now spin right.
Leo Laporte / Steve GIbson (01:55:58):
6.1, spin six is current world's best mass storage, maintenance and recovery utility. 6.1 is imminent. And if you buy six, oh, now you'll get 6.1. When it comes out, you can also participate in the development of 6.1. You can also find this show there. He has a couple of unique versions, a 16 kilobit audio version. Why don't you do eight bit? Why, why don't just go all the way, four bit audio it's we would call that the Minecraft edition. Yeah. Aint bit audio 16 success 16 bit audio, which is smaller obviously than the normal 64 kilobit audio. He also has transcripts, which are actually very handy for searching and reading. And of course the 64 kilobit audio, the standard version. That's email@example.com while you're there, check out all the wonderful goodies. Steve makes available to you for free. And of course his bread and butter spin, right?
Leo Laporte / Steve GIbson (01:56:56):
We have audio and video on our website, twit.tv/sn. There's a YouTube channel with the video dedicated to security now to search YouTube for security. Now you'll also be able to subscribe, cuz it's a podcast. As soon as we're done editing this thing, cleaning it all up, polishing it up. We'll put it out on the on the internets and you can get it just by subscribing in your favorite podcast player. If your podcast player has ratings, leave us a five star, would you let the world know? Everybody needs to know. I mean, this was clearly a five star episode. I don't know how you get any better than this one, but we'll find out next week. That's that's for sure. We do the show every Tuesday, we try to do it around one 30 Pacific. If Leo is in a laggard and slug, <laugh> one 30 to two, something like that.
Leo Laporte / Steve GIbson (01:57:45):
<Laugh> Pacific. One 30 is four 30 Eastern, 2030 UTC. The live streams are live dot TWI, do TV. There are chat rooms. The IRC chat room is free and open to firstname.lastname@example.org. If you prefer discord, join the club club. Twit gives you access to the very fancy club, TWI discord. Plus I have free versions of this show and all the other shows plus the trip plus feed, which has material that we don't put in the podcasts like the secrets of the universe. Oh no, wait a minute. That was in the podcast. All of that seven bucks a month. I think that's a fair price to pay it sure helps us. For instance, just to give you an idea we've gotta update Droople cuz that's what runs our backend. That's the website's running on it. The API runs on it.
Leo Laporte / Steve GIbson (01:58:36):
And it's an old version of Droople, which is gonna go out as support next year. We don't want to have an insecure version of Droople sitting there. It's a cool quarter of a million bucks. But we're saving up for it using the money from club TWI. It's that kind of thing that really helps us out. So if you wanna help out twit.tv/club TWI I will be back here next week. I know you will too, Steve for episode 8 76 more revelations the truth and the answer to the big, the answer to the big question. Why is double encrypting? Not only twice as, yeah, strong, but exponentially as strong takes one day to do the outer shell one day to the inner shell, it should take things right to me, she'd be one plus one, right? What do you, what to me, what do the boffins say one times one?
Leo Laporte / Steve GIbson (01:59:31):
No, it would be two to the 256 times a lot better, stronger way better. Why is that like summing the keys at like having a 500, 12 bit key instead of a 257 bit key? I know that's a head scratcher. I know. Get to work on that. And we got, do you want people to, to DM you with your, with their thoughts? They could certainly DM me. Those are private so that won't do public. Don't be a, that won't be a, a giveaway to anyone. Yeah. and we'll answer the question next week. All right. Good stuff. Thanks Steve. I'll see you next time. Bye-Bye righto. Bye.
Mikah Sargent (02:00:09):
If you are looking for a midweek update on the week's tech news, I gotta tell you, you gotta check out tech news weekly. See it's all kind of built in there with the title you get to learn about the news in tech that matters every Thursday, Jason Howell and I talk to the people making and breaking the tech news, get their insights and their interesting stories. It's a great show to check out twit.tv/tnw