Security Now Episode 880 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Jason Howell (00:00:00):
Coming up on Security Now it's me, Jason Howell sitting in for Leo Laporte, who is on a cruise at the moment. So you won't see Leo this week. You will though see the man of the hour. That is Steve Gibson talking this week about Facebook encrypting its link URLs, incentives for cracking iOS lockdown mode, actually some pretty big incentives. So why don't you see what you can do? You make some money in the process, Clearview AI and how it's meeting total resistance around the world. For the most part. And the bleeding continues as Steve dives deep into Retbleed, all that and more coming up next, Steve Gibson explaining it all on Security Now, podcasts you love from people you trust. This is TWiT.
Jason Howell (00:00:51):
This is Security Now with Steve Gibson episode 880 recorded Tuesday, July 19th, 2022, Retbleed. This episode of Security Now is brought to you by New Relic. Use the data platform made for the curious, right now you can get access to the whole New Relic platform and 100 gigabytes of data per month. Free forever. No credit card required. Sign up at newrelic.com/securitynow, and by Drata. Security professionals are undergoing the tedious and arduous task of manually collecting evidence. With Drata, say goodbye to the days of manual evidence collection and hello to automation. All done at Drata speed, visit drata.com/twit to get a demo and 10% off implementation. And by World Wide Technology and Cisco. When was the last time your company updated your security strategy? Are your business assets protected? Well, WWT combines strategy and execution to secure your organization and drive business outcomes.
Jason Howell / Steve Gibson (00:01:54):
Visit wwt.com/twit to get started. It's time for Security Now with Steve Gibson, the man of the hour, I'm Jason Howell filling in for Leo Laporte, who is on a cruise ship right now, who knows what Leo's up to, but I'm here with Steve to hang out once again, talk security. How you doing Steve? Let's hope he's not getting COVID. That would be, yeah. A good thing. Yeah. That's kind of top of the list of what we hope isn't happening, but let's hope that he is having a good time having a eating lots of awesome people eating good food, but not too much. We'll focus on the positive. Yeah, <laugh> so we're episode 880 for here, the middle of July and Jason, I don't know what it is, but whenever you're on the podcast, we're talking about bleeding and yo three weeks ago, three weeks ago, when Leo was off to on the east coast somewhere, we had Hertzbleed and now you're back and we've got Retbleed, which is rise to <laugh> subject and topic of the podcast.
Jason Howell / Steve Gibson (00:03:02):
So an another, I don't know what to tell me. Yeah, you bring the bleed, another interesting side channel attack on Intel and AMD processors. And this one has an interesting backstory because the Intel was sort of telling people that, you know, the way you're fixing this isn't really good enough, but then they decided, well, okay, but it does help performance. And we care about that. So we're just not gonna say anything anyway, we're gonna get to all that, but first we're gonna talk, we're gonna briefly look back at last week's rolling code problem. Then we're gonna look at the state of IPv4 IP space depletion and the rising price of an IPv4 address. We have an interesting report on the Internet's failed promise, which I thought was really sort of sad, but you know, it's good.
Jason Howell / Steve Gibson (00:03:59):
Some people are acknowledging that. Well, it didn't really work out the way we hoped. We also have Facebook's unsurprising response to URL tracker trimming, which was a, a subject last week. It didn't take this very long to drop and they, they clearly had it in the works, cuz it would've been complex for them to do, but they did. We've got Apple's record breaking lockdown mode bounty, Clearview AI's new headwinds that they're facing, a new feature being offered by ransomware groups, three of them so far, but it's gonna catch on, we've got the return of Ross coor. Also last Tuesday's patches and some feedback from our listeners. Then, as I said, we're gonna take a look at the details of, of the latest way of exfiltrating secrets from operating system kernels. Thanks to what amount to insecurities in Intel and AMD's microarchitecture implementations.
Jason Howell / Steve Gibson (00:05:04):
So yes, Jason you're here. So we're gonna talk about bleeding, another fine podcast with bleeding, somehow making its way in. I, I don't know. I, you know, I, I didn't do this on purpose, Steve. It's just the, the way the, the cookie crumbles sometimes super excited to hear all about everything that you just laid out. But before we do, let's take a moment and thank the sponsor of this episode of Security Now, and that is New Relic. Now we know a lot of developers, you know, here at TWiT, we're talking to developers all the time. You, if you are a developer out there listening, you are one of the most curious of people, right? Developers are super curious. The first to explore the newest technology to dig into the documentation not only wanting to know how things work, but also why that's kind of the beauty of development.
Jason Howell / Steve Gibson (00:05:53):
You understand the why. That's exactly why so many engineers turn to New Relic. New Relic gives you data about what you build. And then it also shows what's really happening in the software life cycle. It's a single place where you can actually see the data from your entire stack. So you don't have to, you know, look into 16 different tools all over the place and make those connections manually. Who wants to have to do that? New Relic pinpoints issues down to the line of code. So you actually know why the problems are there and they're happening and you can resolve them quickly. And that's why dev and ops teams at DoorDash, at GitHub, Epic Games and so many more, actually more than 14,000 other companies use New Relic to debug and improve their software. When teams come together around data, it actually allows you to triage problems.
Jason Howell / Steve Gibson (00:06:46):
So you can be confident in your decisions. You can reduce the time that's needed to implement resolutions using data, right? <Laugh> your business is built around data. You might as well use that instead of the opinions that are floating around, use the data platform made for the curious, right now you can get access to the whole New Relic platform and 100 gigs of data per month, free forever. No credit card is even required. There you can sign up at newrelic.com/securitynow, that's N-E-W-R-E-L-I-C, newrelic.com/securitynow, and check it out for yourself, devs out there. You're not gonna be disappointed, newrelic.com/securitynow, and we thank New Relic for their support of this show. And we thank Steve in advance for the picture of the week, which is coming up right now, what you got <laugh> so, okay.
Jason Howell / Steve Gibson (00:07:39):
This is another one of those, it's sort of a variation on the theme of the, of the path out in the middle of a large field that has a gate like across the path, you know, and, and then, and, and, and in the case of the path, cuz I love it cuz cuz there's also then like, well worn side paths, like just going around this gate. It's like what, what, you know what, anyway, so this one though is not that this is somebody who locked up and I use that term advisedly. Yeah. Yeah. They locked up their very expensive and nice looking e-bike to very nice a post, but you know, it's a cylinder and, and there's nothing on the top of the cylinder to prevent the person from just lifting the whole thing up in the air, off the cylinder. Like, you know, <laugh>, I mean, so it's, so it's got the expensive, you know, bullet, you know, bolt, cutter proof, everything cord, you know, cable cord thing wrapped around the cylinder, not tightly either.
Jason Howell / Steve Gibson (00:08:58):
And so no, very loosely actually it looks like, yeah, they, it's very, they're very casual about this and you know, so, okay, good luck. You know, if I, I, you know, this has the advantage, unlike packets in the ether that a thief would have to be very visible while they were lifting this bike up off of the cylinder that it's not really locked to. But anyway, I just, the caption I put on this was Hmm, because this is, you know, yeah. This doesn't take too long to, to, to crack the code. John actually just whispered in my ear and points out that the weight of the battery, at least that's a, a little bit of a, you know, possibly a preventative measure for lifting it up. You'd have to be you know, weightlifter to maybe would lift that up compared to other people perhaps yes, I did.
Jason Howell / Steve Gibson (00:09:49):
It did occur to me that it were this like a motorcycle, which, you know, no human, that's not going lift, well, maybe shorts of anger, but you know but this thing would probably lift over pretty easily though. Ah, yeah. Yeah. And also for what it's worth, the helmet is not secured. It's just hung with its strap on one of the handlebars. So I mean maybe the per you, you could say maybe the person isn't far away in which case, why lock it at all? Yeah. Yeah. I, you know, I don't understand the story here. Maybe they, but don't like their helmet, but in general I think this person just has a cavalier attitude around security. It's kinda like a, I mean, you know, it's, it's almost like it's it's like putting the sign in your front door that says we are protected by this security system when you actually aren't, it's like, you know, that's gonna, that's gonna prevent some people from doing something like maybe some thief is gonna look at this and be like, well, there is a lock there and that's more trouble than another thing.
Jason Howell / Steve Gibson (00:10:47):
So I'm just gonna move on to another thing. But there's always someone out there that thinks it's worth the trouble. I, I, I wa I looked at this and I was like, you know, I've almost done this a few times <laugh> but I never actually followed through. It was like, well, I gotta put it to something. Should I, you know, no, it's, it really doesn't do anything. You do. You do wonder what this person's password is though, don't you? Yeah, right. Yeah. Probably pretty easy, you know? And then they only have one and they use it everywhere and it's, you know, probably not that difficult to figure out. It's just, it's e-bike e-bike I use e-bike everywhere or where I lost my bike is their password that's right. Someone stole my bike, someone took my bike <laugh> okay. So following up to last week's Honda-centric story where the Honda engineers made the mistake of allowing their system, which resynchronizes their autos to their keyless remotes by allowing them to move back to a previous state, which should never happen, you know, re re re rethinking would've been fine.
Jason Howell / Steve Gibson (00:11:58):
If the resync was only allowed to move forward to a later state, which is actually all that should ever be necessary. Anyway, you know, there's just, there's no safe way to allow an earlier state to be restored. Anyway, last week when we covered this, the spokesperson for Honda told The Record, who was doing some follow up reporting that, and I love this too. It hadn't really occurred to me. They, they said hackers would need sophisticated tools and technical know-how to mimic remote keyless commands and gain access to certain vehicles of ours. Okay. Well, it didn't, it didn't hit me until just now, as I was writing this, that, that statement makes no sense. If hackers did not have sophisticated tools and technical know-how to mimic remote keyless commands in the first place, then no rolling codes of any sort would need to be used at all.
Jason Howell / Steve Gibson (00:13:01):
It's specifically because hackers do have sophisticated tools and technical know-how to mimic remote keyless commands that it's necessary in the first place to design a system with rolling codes, which Honda has failed to securely do for the purpose of defeating hackers who had sophisticated tools of technical know-how to mimic remote keyless commands. But in any event, that's not why that's not why we're back here this week. In addition there was a D there was a dialogue which was spurred by last week's revelations. Honda said Honda regularly improves security features. As new models are introduced, that would thwart this and similar approaches. And then the spokesman added that all. And they said completely redesigned. And I'm not sure what that means completely redesigned 2022 and 2023 model year vehicles have an improved system that addresses the issue then saying, they said, currently this includes 2022 Civic, 2022 MDX and 2023 HR-V saying our newer system transmits codes that immediately expire, which would prevent this type of attack from being successful.
Jason Howell / Steve Gibson (00:14:40):
Okay. Now I think there seems to be some miscommunication somewhere because what's confusing is that the original hacking team used their system to crack 10 Hondas with four of them being year model 2022. And one of those four being the Honda Civic, which this spokesperson claims has fixed the problem by, you know, using advanced technology like that's been fixed. But you know, also note that all rolling codes immediately expire. That's the whole point of having them roll. You know, the, the, you know, they're inherently meant to be single use codes that somebody can't capture and immediately repeat. So the good news behind all this is that hacking cars is fun and doing so is an easy means to generate headlines, which really is the only payoff that most researchers seek or receive. Right. I mean, they just, I often wonder why did they spend so much energy doing this, but it's apparently for a little bit of, you know, your moment in this, in the sun and then onto the next hack, since, you know, the hardware required to do this car hacking is now available, inexpensively off the shelf, you know, just put SDR or maybe software defined radio into Amazon's search and you'll get some, so, you know, we could be pretty sure that automakers' past laziness with regard to their autos' true security will no longer go unnoticed and will be making future headlines whenever and wherever it is found to be lacking.
Jason Howell / Steve Gibson (00:16:41):
And that as a consequence of seeing that happen a few more times, maybe they'll actually like figure out their communication if nothing else, because this Honda is still, you know, way messed up in that regard. Okay. We've had a lot of fun through the years watching the saga of diminishing IPv4 address space, according to SIDN, which is the Netherlands official domain registrar, IPv4 space address price. That is the, the, the price of individual IPv4 addresses has doubled in the past year, back in 2015. So seven years ago, IPv4 space was selling, eh, around $5 per IP.
Jason Howell / Steve Gibson (00:17:45):
This time, last year, that $5 had grown to between 25 and $35 last, last year, today, a year later, obviously we are at 50 to $60 per IPv4 space contrast this, of course, to IPv6, where there's essentially no practical limit. That is, you know, I mean, like it's, you know, no practical limit to address availability. IPv6 addresses are not only free, but they are so freely available that ISPs hand out large chunks of IPv6 space to each of their residential subscribers. In fact, routing tables will not route individual IPv6 addresses. They won't, they can't by by definition, there, there are too many of them. So they are only allocatable in big blocks at zoo. That's the way they're being allocated. You know? And, and I guess my point is the idea that here we have, IPv6 and you know, it is here.
Jason Howell / Steve Gibson (00:19:08):
It it's been here for quite a while. It's been defined for decades. Nobody wants it. <Laugh>, they're willing to pay $60 for an IPv4 address rather than use free ones because, well, you know, those are weird. So it's probably difficult to find a better example of an entrenched unwillingness to change, to adapt than for IPv4 space to be selling at this kind of premium when you can have all the sixes, I, the v6s that you want for free. And yes, everyone, I know ShieldsUP doesn't do IPv6 yet. It's, it's not that I'm unwilling to it's. I, I would love to, but, you know, I was distracted by SQRL for seven years, and now I'm back to SpinRite, where I should be. Everyone agrees. That's more important than having ShieldsUP be IPv6 compatible once, once SpinRite has caught up to the, to like all the hardware platforms it needs to run on. That'll be absolutely that. And the DNS benchmark, everybody wants that to be IPv6 too. So yes, I, I gotta get my own house in order. I understand that everything's working except SpinRite. So that <laugh>, that's, that's the top priority.
Jason Howell / Steve Gibson (00:20:37):
Okay. I love this next piece. I call, I, I titled it. Or, or did they title it? Somebody titled it? Oh yeah, they did, Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet. That's the, that's the official title of this huge 116 page report where apparently they were being paid by the page, a pull quote from the article headlines the executive summary, it says the utopian vision of an open, reliable and secure global network has not been achieved and is unlikely ever to be realized today, the internet is less free, more fragmented and less secure. Okay. Now I'm, I'm not gonna drag us obviously through 116 page report, but, and although the report is obviously US centric, having been assembled by a US think tank, the who is, oh yeah, the Council on Foreign Relations put this together. I think that everyone will find this interesting.
Jason Howell / Steve Gibson (00:21:58):
I mean, if not a little sad and sobering, so here's just the executive summary from the report, which, you know, sums it up. They wrote the global internet, a vast matrix of telecommunications fiber optics and satellite networks is in part, is in large part, a creation of the United States, the technologies that underpin the internet grew out of federal research projects and US companies innovated, commercialized and globalized the technology, the Internet's basic structure, a reliance on the private sector and technical community, relatively light regulatory oversight and the protection of speech and the promotion of free flow of information reflected American values. Moreover US strategic economic, political, and foreign policy interests were served by the global open internet. Washington long believed that its vision of the internet would ultimately prevail and that other countries would be forced to adjust to or miss out on the benefits of a global and open internet.
Jason Howell / Steve Gibson (00:23:27):
The United States now confronts a starkly different reality, the utopian vision, and here's where is, is the, the pull quote I said of an open, reliable, secure global network has not been achieved and is unlikely ever to be realized today, the internet is less free, more fragmented and less secure. Countries around the world now exert a greater degree of control over the internet, localizing data, blocking and moderating content and launching political influence campaigns, nation states conduct massive cyber campaigns. And the number of disruptive attacks is growing, adversaries are making it more difficult for the United States to operate in cyberspace. Parts of the internet are dark marketplaces for vandalism, crime, theft and extortion. Malicious actors have exploited social media platforms, spread disinformation and misinformation, incited disparate forms of political participation that could sway elections, engendered fierce violence and promoted toxic forms of civic division. At the same time, the modern internet remains a backbone for civilian critical infrastructure around the world.
Jason Howell / Steve Gibson (00:24:58):
It is the main artery of global digital trade. It has broken barriers for sharing information, supports grassroots organization and marginalized communities, and can still act as a means of dissent under repressive government regimes as the Internet of Things, IoT, expands in coming years, <laugh> God help us. The next iteration of the internet will connect tens of billions of devices digitally binding every aspect of day to day life from heart monitors and refrigerators to traffic lights and agricultural methane emissions, the United States, however cannot capture the gains of future innovation by continuing to pursue failed policies based on an unrealistic and dated vision of the internet. The United States needs a new strategy that responds to what is now a fragmented and dangerous internet. The task force believes it is time for a new foreign policy for cyberspace. The major findings of the task force, which are then basically documented and, and substantiated by the remaining 115 pages are.
Jason Howell / Steve Gibson (00:26:28):
And that we have a number of bullet points. The era of the global internet is over, US policies promoting an open global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation. Data is a source of geopolitical power and competition, and is seen as central to economic and national security. The United States has taken itself out of the game on digital trade and the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington's ability to lead abroad, increased digitization increases vulnerability, given that nearly every aspect of business and statecraft is exposed to disruption, theft or manipulation, most cyber attacks that violate sovereignty remain below the threshold for the use of force or armed attack. These breaches are generally used for espionage, political advantage and international statecraft with the most damaging attacks undermining trust and confidence in social, political and economic institutions, cyber crime is a national security risk and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such, the United States can no longer treat cyber and information operations as two separate domains, artificial intelligence and other new technologies will increase strategic instability.
Jason Howell / Steve Gibson (00:28:20):
The United States has failed to impose sufficient costs on attackers, norms are more useful in binding friends together than in constraining adversaries and indictments and sanctions have been ineffective in stopping state backed hackers. So they conclude the task force proposes three pillars to a foreign policy that should guide Washington's adaptation to today's more complex, variated and dangerous cyber realm. First <laugh>, I'm gonna turn down my email notifications. <Laugh> first Washington should confront reality and consolidate a coalition of allies and friends around a vision of the internet that perseveres to the greatest degree possible, a trusted, protected international communication platform. Second, the United States should balance more targeted diplomatic and economic pressure on adversaries as well as more disruptive cyber operations with clear statements about self-imposed restraint on specific types of targets agreed to among US allies and third, the United States needs to put its own proverbial house in order, that requirement calls for Washington to link more cohesively its policy for digital competition with the broader enterprise of national security strategy.
Jason Howell / Steve Gibson (00:30:05):
So, you know, this is obviously what this podcast has been talking about for the last 17 years. We've been watching this happen. And I would argue that that, you know, the internet happened and it wasn't very pervasive, right? I mean, it was, it, it wasn't mission critical. It was an, an interesting global communications platform, but it was as it, you you know, inevitably became what it has become and that we've all watched over the last couple decades. Its nature changed. It became important. You know, it became something you couldn't do without communication, more and more communications moved to it. And it got to a point where control over it became something that everybody wanted, you know, it, it, it was supposed to be free and open and utopian, and everybody gets to talk to everybody. And, you know, countries that, that try to restrict it are going to crumble because you can't restrict it well, turns out you could pull the plug and oops, no more internet, you know, we've just, we've had stories in the last few weeks we've been talking about where oppressive regimes are actually shutting the internet down during national testing days because too many kids cheat and, and like use the internet to do that.
Jason Howell / Steve Gibson (00:31:45):
So yeah, let's turn off <laugh> so, okay. The executive summary finished listing 60 major recommendations, and just a couple of them stood out to me as being worthy of note. I've got five of them. They said for their recommendations, agree to and adopt a shared policy on digital privacy that is interoperable with Europe's General Data Protection Regulation, the infamous GDPR. And now that's interesting because we haven't done that in the states and from our perspective, the GDPR. Yeah. You know, it's kind of a mixed blessing, right? It's, it's the reason we're having to say yes, damnit. I mean, darn it. <Laugh> I accept these cookies or do with my, with cookies, whatever you will or whatever. I mean, you know, it's, it's sort of created a mess. Okay. Second major recommendation, declare norms against destructive attacks on election and financial systems. Okay.
Jason Howell / Steve Gibson (00:32:53):
Well, good luck with that. Third, negotiate with adversaries to establish limits on cyber operations directed at nuclear command and control communications systems. And, and obviously they would be bidirectional agreements. So, you know, we won't attack your nuclear reactors if you don't attack ours, and, you know, hold each other to, to that. Fourth, hold states accountable for malicious activity emanating from their territories. And that's interesting because it's, you know, we, we we've seen them say, well, we, you know it, okay. So the IPs were in our country, but we didn't do it. The, it must have been bad guys, you know, bouncing packets off of systems that they compromised. And so the point is, okay, you're still gonna be responsible. If traffic come, if malicious traffic and activity comes from your country, then you need to be responsible for it. You know, you're, we're certainly responsible for restricting communications within your country.
Jason Howell / Steve Gibson (00:34:01):
So you should be able to restrict malicious traffic coming from it equally. And finally clean up us cyberspace by offering incentives for internet service providers and cloud providers to reduce malicious activity within their infrastructure. And I thought that was interesting. You know, we've, we've like talked about how DDoS attacks traditionally spoofed their IP addresses that's happening less. Now that, that those sorts of attacks are less effective and are more easily blocked. But it, it, it always was the case that ISPs were allowing traffic to, to, to exit their control, having IP addresses that did not exist within their borders. So it had to be spoofed. And it would've been trivial to have ISPs block that, but, you know, we're all big one big happy internet, so no such regulations were ever imposed. So anyway, I just thought this was a, a really interesting report. The I'm not gonna go into it any further.
Jason Howell / Steve Gibson (00:35:16):
But as I was scanning through it and reading some of the many other interesting details, I kept thinking that our listeners would really find some of the report's details interesting. So it is this week's shortcut of the week. So grc.sc/880 for anyone who's interested, you know, it's a big PDF, but boy I think it's really interesting that, that this group has assembled a report that formal, so sort of formally states what the rest of us have all seen. And that is that well it was a nice idea <laugh>, but didn't quite work out the way we hoped. So we need to like, you know, acknowledge that reality and figure out what we're gonna do about it, because if we keep doing nothing and just sitting around hoping that's not gonna turn out well, either. So grc.sc/880.
Jason Howell / Steve Gibson (00:36:26):
Yeah. Didn't turn out quite the way we hoped. I feel like that could be like on a t-shirt for the 2020s, you know, the kind of the, the decade that we're in. Right. It was, it was a great idea. It didn't quite turn out the way we hoped. Yes. While, while, while we're in a massive heat wave right now that is, you know, melting, melting everything down. It's like, well, how'd that everything. How, how how'd that 21st century go? <Laugh> everything seemed like a really great idea at the time. I hope I hope the kids like the heat. Yeah. Yeah. Jason, let, let's give ourselves a break. Tell our listeners why we're here and I'm gonna take a sip of water. Well, yes, let's do that. This episode of Security Now, we're gonna take a break, is gonna continue in a moment, but first let's thank the sponsor of this episode.
Jason Howell / Steve Gibson (00:37:12):
And that is Drata. Is your organization finding it difficult to achieve continuous compliance as you're growing, as it scales? Is manual evidence collection actually slowing your team down? As G2's highest rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, GDPR, HIPAA, and other compliance frameworks, and also provides 24-hour continuous control monitoring. So you can focus on scaling securely. Drata has a suite of more than 75 integrations. That's what Drata is all about. Here's how it works: Drata easily integrates with your tech stack through applications such as AWS, Azure, GitHub, Okta, Cloudflare. Countless security professionals from many companies, including Lemonade, Notion, BambooHR, they've all shared how crucial it's been to have Drata as a trusted partner in the compliance process. They're they're deep. Their native integrations actually provide instant visibility into a security program and continuous monitoring to ensure compliance is always met, and Drata allows companies to see all of their controls and then easily map them to compliance frameworks, to gain immediate insight into framework overlap.
Jason Howell / Steve Gibson (00:38:34):
Very important to see that. Companies can actually start building a solid security posture from day one, with Drata you can achieve and maintain compliance as your business scales and expand their security assurance efforts. Using the Drata platform, Drata's automated dynamic policy templates support companies new to compliance and help alleviate hours of manual labor, and their integrated security awareness training program and automated reminders ensure smooth employee onboarding. And by the way, they they're the only player in the industry to actually build on a private database architecture from day one. That means your data can never be accessed by anyone outside your organization. Very valuable. All customers receive a team of compliance experts, including a designated customer success manager. In addition, they have a team of former auditors who have conducted more than 500 audits and are available for support and counsel. How useful would that be?
Jason Howell / Steve Gibson (00:39:33):
Your success is actually their success, right? With a consistent meeting cadence, they actually keep you on track. They ensure that there are no surprises, no barriers, plus your pre-audit calls ensure that you're set up for success when the audits actually begin. Drata is personally backed by SVCI, a syndicate of CISO angel investors from some of the world's most influential companies. That's why you gotta use Drata. Say goodbye to manual evidence collection and hello to automated compliance by visiting drata.com/twit. That's D-R-A-T-A dot com slash twit, bringing automation to compliance at Drata speed. We thank Drata for their continued support of Security Now. All right, Steve, what's going on with Facebook? I feel like Facebook was like, like everything, Facebook, and then things got a little quiet and everything. Are they doing something right?
Jason Howell / Steve Gibson (00:40:33):
Or are they doing something wrong right now? <Laugh> Well, so just last week we talked about how Firefox version 102 had added a feature to strip some of the tracking information from URLs that it was going to be querying before handing them over to a web server, the idea being that it would be enforcing the privacy of its users in that way. So this is something that users had to enable, but when it was enabled, a small set of URL domains, and then specific tags in the URL, which Firefox had been trained to recognize and felt comfortable with altering on the fly, would be altered. And we noted last week that Firefox was apparently being conservative about what they were stripping from the URLs, since the Brave browser was reported to be significantly more aggressive.
Jason Howell / Steve Gibson (00:41:40):
Now, while discussing this last week, I commented that although I loved the idea of removing tracking identifiers from URLs, the whole thing felt flaky and uncertain to me, since modifying someone else's URL is inherently trouble prone, which is no doubt why Firefox was being apparently conservative in the URLs they were modifying compared to Brave. And because it would be so easy for Facebook, for example, to change the token name or the value in the URL link, you know, then all browsers would need to update their URL exception handlers, and we'd be back into a cat and mouse game. Well, all of that hand wringing with regard to Facebook at least has been rendered moot because Facebook's links have suddenly transformed into opaque blobs. And really this should not be a surprise to anyone. It should have been obvious that Facebook would not be happy having anyone mucking around with their URL links.
Jason Howell / Steve Gibson (00:42:56):
The composition of any URL is by definition entirely up to the creator of the URL. Way back in 1994, RFC 1738, whose lead author was the famous Tim Berners-Lee at CERN, made clear that a URL is inherently an opaque token that only needs to have any meaning to the server that receives it. Once upon a time, URLs tended to directly reflect the hierarchy of the receiving server's file system, or at least some piece of that file hierarchy, and that file system was often organized by a human in some reasonable structure. So the whole thing meant something. But as pages became more and more dynamic, being assembled on the fly by server-side PHP, ASP or JSP scripting code after querying a big backend database, the primary reason URLs have remained at all understandable to humans is that they have been, and, you know, they'll continue to be for some time, a source of signals for internet indexing search engines.
Jason Howell / Steve Gibson (00:44:29):
You know, we'd like Google to learn something about a page's link from its textual content, so that's often been preserved. But we've increasingly seen URLs being cluttered with things like, you know, GUIDs, those globally unique IDs, which only have any meaning whatsoever to a server-side process. Amazon's URLs, for example, have a short code near the front, which is surrounded by long hyphenated descriptive strings which describe the product. All of that superfluous text is only there for search engines to pick up on. Amazon has no need for it and completely ignores it. Since those massive multiline Amazon URLs are annoying to share, one of my favorite tricks is to strip everything out of an Amazon URL other than an anchoring: it starts with /dp/ followed by the 10-character product ID. That's all you need. And that results in a very short Amazon URL that always works. In any event,
Jason Howell / Steve Gibson (00:45:52):
All of Facebook's content is obviously being assembled on the fly, driven by code and a massive backend database. So the construction of their URLs has always, or at least for a long time, been arbitrary and in no way reflects anything other than whatever their code wants it to reflect. So Facebook apparently decided, for whatever reason, and, you know, it should come as no surprise to anyone, that it was probably tired of having third-party browsers and add-on extensions that are supposed to be enhancing privacy messing around with its links, specifically stripping out tracking information that they wanted to stay there. So now no one who doesn't know how to unscramble or decrypt a Facebook link can see anything about what's going on. They have truly become long opaque tokens.
Jason Howell / Steve Gibson (00:46:58):
Now, since older pre-encrypted links, that is, from before this weekend, which is where this suddenly began to happen, since those links are still gonna be around probably forever, I'm sure that all incoming links are now being checked to see whether they are old-style in-the-clear format or this new opaque blob format. If they're old, they're accepted as is; if they're obfuscated by this new encryption, they'll first be decrypted, then handled. So, you know, it's clear, as it always should have been, that any anti-tracking privacy enforcement we are gonna obtain will need to be created by policy and, you know, laws and mandates and so forth, not by technology, because ultimately this is something that Facebook has total control over, and they've just exercised another little bit of that control.
Jason Howell / Steve Gibson (00:48:07):
We discussed previously Apple's official launch, well, actually announcement, because it's gonna be happening in iOS 16, their announcement of this very interesting new Lockdown Mode feature. And that was announced during this year's Worldwide Developer Conference. I think this idea makes so much sense because, you know, our phones have this insane level of it'll-do-anything-you-could-ever-want-it-to breadth of features. And many are often unneeded, many are unwanted. And as a consequence, most of them go unused. I mean, there's stuff in my iPhone, I'm embarrassed to say, I have no idea what it does. There are things that annoy me, like the three dots that are now at the top. I keep trying to pull down from the top, and now I'm getting the multitasking stuff where I didn't before. That's annoying.
Jason Howell / Steve Gibson (00:49:15):
I used to be able to turn it off. Now you can't. Anyway, these things are, like, crammed with features that most people don't need, don't want, and don't use, yet being there hugely increases any device's attack surface. There are just more things that could have parsing errors in them, that could go wrong. So simply turning off all of that unwanted and unneeded excess for individuals, especially for individuals for whom security trumps the ability to receive cat videos from strangers, seems like an obvious win. And when Leo and I were talking about this last week, it seemed like something we would both be inclined to turn off, at least, you know, take it out for a spin and see how it affects our lives. You know, it doesn't seem like it's gonna be that restrictive, even though all the press talking about it is saying, oh my God, it's, you know, super locked down, restrictive.
Jason Howell / Steve Gibson (00:50:16):
You can't do anything anymore. I don't do anything anyway, so it's not gonna affect me very much. So anyway, my feeling is it will probably go a long way toward limiting victimization by commercial malware such as Pegasus, which is, you know, explicitly Apple's target here. And because Apple thinks so too, they've decided to, as they say, put their money where their mouth is by offering the industry's largest bounty ever, $2 million, to anyone able to reproducibly crack into an iOS 16 device when it's in Lockdown Mode. I say bravo, I think that's cool. And I'll bet that a bounty of that size will likely give those who used to just enjoy finding jailbreaks for the fun of it some new incentive, because $2 million, wow. We've talked a lot in the past, like through the years, about Clearview AI. They're the company, just to remind anybody who maybe hasn't been listening for years, that decided what they would do is send bots out onto the internet.
Jason Howell / Steve Gibson (00:51:41):
Much as Google sends spiders, they would send their own bots out to collect images from publicly available social media, you know, crawling Facebook, crawling Twitter, crawling everything, and building a huge database of people's faces, which they would then, using other means, tie back to their location and their availability and build a big database. That's Clearview AI. And it's been a big hit with law enforcement and governments and any entities that have some need to identify people from photos. Okay. So Clearview AI has been in the news just recently. Essentially they've been fined by Greece's privacy authority, the Hellenic Data Protection Authority, the HDPA, for violating parts of Europe's infamous GDPR. The fine, which has been levied against Clearview AI by the HDPA, is a hefty 20 million euros. And what's a little bit galling, even to me, is that it's not due to any use or abuse of Clearview
Jason Howell / Steve Gibson (00:53:20):
AI's admittedly controversial facial recognition database technology. It's just because Clearview AI exists and Greece doesn't like the idea, and the GDPR gives them the right to fine Clearview AI over their conduct even though there's no implication of its use. A 22-page decision demands that Clearview AI stop processing biometric data on individuals in Greece and said the company must delete all the data, that is, all the pictures, it has already collected. The decision stems from a complaint filed by a number of privacy organizations which questions Clearview AI's practice of scraping selfies and photos from public social media accounts as a means of assembling its facial recognition database, which is rapidly growing toward, well, actually I think it's at a hundred billion and their goal is, I mean, I'm sorry, it's at 10 billion and they're trying to go to a hundred billion.
Jason Howell / Steve Gibson (00:54:41):
Okay. Now, as we know, since we've been tracking this interesting edge case since they emerged a number of years ago, Clearview AI sells, it's in the business of selling, its facial recognition tools to law enforcement agencies around the world and has said they want to get to a hundred billion images. It's also the case that Clearview has been at work in Ukraine, helping to identify both deceased Ukrainian citizens for the government and Russian soldiers so that families can be notified back in Russia in case they want to come and, you know, pick up their dead Russian. The problem that Clearview AI faces surrounds consent. More and more privacy regulations are requiring consent, but Clearview's, you know, autonomous image scraping technology is inherently consent free. What I thought was interesting is that while Greece's Hellenic Data Protection Authority has levied this hefty fine, Clearview
Jason Howell / Steve Gibson (00:55:52):
AI has never, never had any contact with either Greece's citizens or its law enforcement agencies. They simply share the same planet. Clearview AI said it does not have a place of business in Greece or the EU, and it does not have any customers in Greece or the EU. The company also claimed its product has never been used in Greece and does not undertake any activities that would otherwise mean it is subject to the GDPR. One of the several privacy groups which filed the initial complaint explained that the fine and the ruling made clear that the GDPR is applicable because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the US and does not offer its services in Greece or in the EU. The privacy organization said collecting images for a biometric search engine is illegal, period.
Jason Howell / Steve Gibson (00:57:17):
So one thing that made me just shake my head is that Clearview AI has made it clear that they're happy to steer clear of regions that don't want their services. Yet the Greek authority also ordered Clearview to appoint a representative in the EU, even though they don't wanna do business in the EU and haven't and aren't, to enable EU citizens to exercise their rights more easily, meaning, I guess, they will have someone local to sue, and so regulators have a contact person in the EU. Yeah, I don't blame Clearview for not doing that. So, you know, I don't mean to sound overly sympathetic toward Clearview AI, but this does sort of seem to be, I don't know, overreaching. All of the images it's collecting are public. Anyone could view them, just like the webpages that Google crawls across and indexes, which allows us to later locate the information we seek.
Jason Howell / Steve Gibson (00:58:26):
So it's clear that the difference is that pictures of people's faces are considered to be biometric data, even though faces are kind of public, you know, it's considered biometric data by these regulators and regulations and are not regarded any differently than fingerprints or DNA. You know, if someone followed us around dusting everything we touched to lift our fingerprints, that would likely annoy us. The fact that Clearview AI's image collection is unseen doesn't render it any less noxious in the eyes of privacy regulators. One country after another is lowering the boom on Clearview AI. We previously talked about the UK's 7.5 million euro fine last May. Similar rulings have recently been made by France and Italy, and Austria is said to be preparing a similar ruling. So, you know, it's looking like maybe this US-based company will actually only be able to operate in a country where its privacy laws do not exclude it from doing so, because we know that Illinois and their BIPA, the state of Illinois, that's a problem 'cuz of BIPA, which is where some of the earlier suits have been filed. Now we've got lots of EU countries doing so under the GDPR. So it's looking like the territory that Clearview AI is gonna be able to cover is shrinking. And look, it's actually looking like this is a fight it's gonna lose.
Jason Howell / Steve Gibson (01:00:24):
And speaking of searchable databases, <laugh> several ransomware and extortion groups have been creating searchable databases of information they have stolen during their attacks. As we know, it's not news that ransomware groups have been extorting organizations with the threat of leaking the data that they have stolen. So then, you know, they not only steal it, you know, they exfiltrate it, then they encrypt it, so the company that owns it can't have it, and also, adding insult to injury, they got a copy of it and they're threatening to release it publicly unless the ransom is paid. Well, now they've gone one step further and started indexing the data <laugh> and making it searchable. Over the last month or so, two ransomware groups, actually three, ALPHV, Karakurt and LockBit, have all debuted features on their leak sites which allow visitors to search through the troves of data by company name and/or other signifiers.
Jason Howell / Steve Gibson (01:01:36):
A senior staff researcher at Tenable has confirmed that all three groups have incorporated some kind of searchable database functionality into their leak sites. You know, and if we've seen anything, it's that an idea that's useful will quickly be picked up and mimicked by other ransomware groups. So we can soon expect this to be a new feature of all the dark web, you know, exfiltrated, extorted data leak sites. Emsisoft's threat analyst Brett Callow said that the tactic was designed to further increase the pressure on organizations by weaponizing their customers and business partners. Callow said, quote, the gangs likely believe that making the data available in this way will result in more companies paying due to a perceived increase in the potential for reputational harm. And they may be right. He added that in the past, companies have been able to dodge accountability for the leaks by claiming that there is, quote, no evidence user data has been misused, which is a line seen in hundreds of breach notification letters over the past few years. Callow notes that soothing statements like that aren't really possible when people know their personal information was exfiltrated, compiled into an individual downloadable pack and made available online.
Jason Howell / Steve Gibson (01:03:15):
You know, who knows, maybe Google will start indexing it too. <laugh> Moscow has imposed a $358 million fine, 358 million, more than chump change, on Google over Google's continued failure, which I guess at this point you'd have to call a refusal, since here we are in July and the attack on Ukraine was in February, as I recall. Google's failure to filter out information from search results that Russia's internet watchdog agency, Roskomnadzor, has demanded be removed. I should note that the amount of the fine is much more fun when expressed in Russia's much less valuable rubles. That would be a total of 21 billion very small rubles. Anyway, Roskomnadzor announced that Google and its subsidiary YouTube have failed to remove the following materials after multiple requests: information about the course of the, quote, special military operation in Ukraine which discredits the armed forces of the Russian Federation, content promoting extremism and terrorism, content promoting harmful acts for the life and health of minors, and information that promotes participation in unauthorized mass actions.
Jason Howell / Steve Gibson (01:05:10):
So as we see, a free and open internet isn't always the best thing for everyone. I suppose this is what the Council on Foreign Relations meant when they said that the dream had not come true, and the sooner we in the West, and the US specifically, wake up and smell the packets, the better. I guess Roskomnadzor realizes that Google is too useful to block outright, or they would've. They've tried over and over to enforce sanctions based on various parts of Russia's code of administrative offenses. Last month, Roskomnadzor fined Google $1.2 million. That's a measly 68 million rubles. But as the fines remain unpaid, the multiple violations qualify it to be based upon a different practice, which is a piece of the action, in this case up to 10% of Google's annual Russian revenue. Russian users of Google search and YouTube will now also encounter a warning about Google's violation of the law.
Jason Howell / Steve Gibson (01:06:24):
And they will not be allowed to place advertisements or use them as information sources. So Russia is attempting to squeeze Google by the wallet, and for what it's worth, it's working. Google's paid services are disappearing and being withdrawn after Russia's invasion of Ukraine and the so-called anti-fake news laws which were enacted in Russia, which amounted to "don't say anything we don't like." Russia's Google subsidiary, Google LLC, filed for bankruptcy, claiming it had, you know, no ability to continue business after a series of massive fines and ultimately asset confiscation. So loyal Russians will presumably think, well, that's just those corrupt Westerners getting what they deserve. On the other hand, they will no longer have access to Google services. And I suppose that was inevitable. I guess I would, you know, give Google a tip of the hat for not bowing to Russian pressure and doing their part to keep the internet open.
Jason Howell / Steve Gibson (01:07:36):
And speaking of getting what we deserve, last Tuesday Windows users received patches to hopefully fix a total of 84 individual flaws across Microsoft's sprawling software base. One of those was a true zero-day privilege elevation bug which was being actively exploited in the wild. That's now fixed. The breakdown of those 84: 52 were elevation of privilege vulnerabilities, 12 allowed remote code execution, 11 supported information disclosure, five were denial of service vulnerabilities, meaning that something crashed, and four were generic security feature bypass, whatever that means. There were no reports of any big meltdowns following last Tuesday's updates, so nothing big and obvious was messed up this month. A handful of bugs are no more, well, you know, except for any new ones that may have been introduced. Maybe we'll get to those eventually, as well as all the others that still remain in Windows and Microsoft's other products.
Jason Howell / Steve Gibson (01:08:53):
Okay. So I got a DMed tweet yesterday which sort of surprised me. It was a fun SpinRite testimonial, and of the sort we haven't heard for a long time. It came from a guy named Paul Jolly. He said, last week one of our power stations reported they needed to restore a GEM 80 PLC, you know, PLC, programmable logic controller, right? He said they had two separate backups on three and a half inch floppy disks, but neither would read. Configuration control, he wrote, knowing what code is running on programmable devices performing process control in an OT environment, is very important in our industry. So they were in a pickle. They tried a number of ways to read the floppies using various freeware and were unsuccessful. So I offered to try SpinRite as a last resort. He says, I took delivery of the floppies this morning and set version 5.0 to work on level 2.
Jason Howell / Steve Gibson (01:10:12):
It managed to recover about 90% of the file required from the first floppy. Then, from the second floppy, which had a totally corrupt file system, he said, I was able to cat the entire device to Linux to a file and subsequently extract the same file contents. Combining the recovered data from both floppies provided full coverage, and thanks to you, I was a hero. So I think what he meant was that he recovered everything but 90% of one file, but that file he was able to recover from the other floppy. So given the two and SpinRite, he was able to succeed. What I found interesting was Paul's use of SpinRite 5. As I previously mentioned, for some confounding, apparently mystical reason, version 5 is superior to version 6 for the recovery of disks. I've stared at the SpinRite 6 code for probably a total of days at this point, trying to explain the difference.
Jason Howell / Steve Gibson (01:11:28):
There is no difference. So I have no idea why, but in testing both, version 5 has consistently produced superior results. The other thing that was interesting was that, by being a DM, I had our previous DM thread. It turns out back on February 13th, 2011, so about a year and a half ago, Paul had DMed to ask. He said, happy to contact GRC support, but thought I could quickly ask you first. I listened to a recent podcast where you said SpinRite 6 owners could download SpinRite 5 if they want by simply changing the download URL. I was interested because at our site we still use floppy disks. And of course, he's talking about these for these PLC controllers. He said, so I looked up my purchase email and followed the link to the download page, where it asks for my transaction code. That generates links that don't have a version in the URL.
Jason Howell / Steve Gibson (01:12:41):
He says, I must be missing something or didn't understand what you meant on the podcast. Anyway, he later tweeted, was just about to contact Greg this morning when I found the answer was on the FAQ page at the bottom. And sure enough, down on the bottom, we explain how to change the download URL to allow yourself to get a copy of SpinRite 5, because for reasons that will never be known at this point, I think it's safe to say <laugh> 5 is better than 6 at recovering data from floppies. Okay. A couple closing the loop bits. Michael Swanson, he said, hi Steve, I just listened to SN 879, so that was, you know, last week's podcast. He says, and regarding the use of a VPN when traveling or even at a coffee shop, he says, I prefer to use a travel router like the TP-Link N300.
Jason Howell / Steve Gibson (01:13:45):
I connect the travel router to whatever internet service is available, and whatever devices I bring with me, laptop, tablet, phone, Roku, et cetera, connect to the WiFi network of the travel router. All my devices are then behind a full NAT firewall, added security. He said the travel router is also using Google DNS to prevent DNS hijack, and it is also possible to set the router to be a VPN client to many VPN services and thus tunnel through to any VPN exit point, including my home network if desired. And the WiFi network on my travel router has the same SSID as my home network, so all my devices connect automatically, thinking they're at home. So, Michael, thanks for sharing that. I thought that was, you know, very clever. I liked the idea of using the same SSID and obviously the same password, so that when you're on the road your devices don't know that you're not home, and they connect easily.
Jason Howell / Steve Gibson (01:14:54):
And obviously he also understands that to get the same security of a VPN, you'd still need to use a VPN tunnel, although it definitely is nice to be behind a NAT firewall. If something in the hotel was trying to get into your devices by, you know, port scanning them, having a NAT-based firewall would also solve the problem. However, there was an even cooler idea. I think ICVran is his handle. He said, hi Steve, one solution if one does not trust a WiFi hotspot is setting up a Raspberry Pi at home, or whatever you want, actually, with Tailscale and configuring it as an exit node. And he provided a link which I have in the show notes. The link is to an FAQ and an explainer page about Tailscale's exit nodes.
Jason Howell / Steve Gibson (01:16:07):
First of all, remember, Tailscale, we've talked about before, is a so-called overlay network, very much like Hamachi was back in the days when 5-dot was unallocated IPv4 space. That didn't last forever. Anyway, about exit nodes, Tailscale says: exit nodes capture all your network traffic, which is typically not what you want. The exit node feature lets you reroute all your non-Tailscale internet traffic through a specific device on your network. The device routing your traffic is called an exit node. By default, Tailscale acts as an overlay network. It only routes traffic between devices running Tailscale but does not touch your public internet traffic, such as when you visit Google or Twitter. This is ideal, they wrote, for most people who need secure communication between sensitive devices, like company servers, home computers and so forth, but don't need extra layers of encryption or latency for their public
Jason Howell / Steve Gibson (01:17:25):
internet. However, there may be times when you do want Tailscale to route all your public internet traffic: in a cafe with an untrusted WiFi, or when traveling overseas and needing access to an online service such as banking only available in your home country. By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like with a consumer VPN. So I thought that was a very cool tip. So thank you, ICVran, for that, and just a heads up for all of our listeners, Tailscale can do that. Tasel tweeted, FYI on the quantum resistant algorithms, CRYSTALS-Kyber and CRYSTALS-Dilithium. Remember that? We talked about that recently, that NIST had chosen four of the eight new next-generation cryptographic algorithms that would be used to provide quantum resistant crypto.
Jason Howell / Steve Gibson (01:18:44):
I loved Dilithium crystals 'cuz of course, you know, they power the warp drive on Star Trek. I didn't know what Kyber crystals were. Well, he writes, Kyber crystals are what is used in lightsabers in Star Wars. So there was something for Star Trek and for Star Wars fans there. Thank you, Tasel, didn't know. And someone tweeting as lethal dosages, lethal dosage <laugh> tweeted, I logged into Twitter for the first time in four years to poke fun at you. You are losing geek points. The first Star Wars movie was not Episode IV, A New Hope. It was just Star Wars. He says, Episode IV, A New Hope was added later. And then he said, watch the original intro, only two minutes long. And he provided a YouTube link to, sure enough, a two minute capture; "Star Wars 1977, original opening crawl" is the title of it.
Jason Howell / Steve Gibson (01:20:02):
It's had 1.4 million views, and it's there. And I have to say, it absolutely looked authentic, eh, but it's old and grainy, and in this day and age it could easily have been edited. So I did a bit of digging around the internet and I got the whole story. In the beginning, there was just Star Wars, but then fans of what turned out to be the most popular science fiction movie of all time were thrown a hyperspace curve ball. The film known as just Star Wars, turns out, wasn't the beginning of the story. It was the middle. Four years after the original film hit theaters, it was re-released, this time being called Star Wars, Episode IV, A New Hope. So here's what happened. In March of '78, right, Star Wars the original movie was released in '77, next year, March of '78, the science fiction author Leigh Brackett died.
Jason Howell / Steve Gibson (01:21:16):
And George Lucas took over writing movie number two, which was titled The Empire Strikes Back, a task which he shared with Lawrence Kasdan. Next, Lucas decided that there's a bigger backstory to all of Star Wars, which means that The Empire Strikes Back is not part two but instead part five. So in 1980, The Empire Strikes Back identified itself as The Empire Strikes Back, Episode V, which totally blew everyone's mind at the time, resulting in no end of confusion. Then the next year, in '81, the original Star Wars movie was re-released as Episode IV to make everything line up properly. And what's confusing about all this is that I definitely saw the original Star Wars in 1977. You know, I mean, I was alive, so of course I saw it. I was 22 years old. So I recall still that afternoon, 45 years ago, sitting in the theater and seeing this movie with some friends that I worked with.
Jason Howell / Steve Gibson (01:22:38):
And I distinctly also recall anxiety and consternation being created by Star Wars' episode numbering, but I guess the anxiety must have been created when The Empire Strikes Back identified itself for the first time as Episode V, and it was like, what? Rather than when the original Star Wars identified itself as Episode IV, which it didn't in the beginning. So now we all understand that. <Laugh> That's interesting, Jason, to hear that. Yeah, <laugh> you obviously are not 45 years old, so you have always had Star Wars in your life. Always. I have always had Star Wars in my life, and I don't think that I ever really, you know... Okay. So while I'm 40, almost 47. So you are, I'm close to the age that you were then now, and what is the best mustache you can muster?
Jason Howell / Steve Gibson (01:23:43):
Yeah, this is all I can do. Yeah. Believe me, nothing even grows right here. Anyways, that's beside the... Hey, I wish that was the case. That would be nice. <Laugh> It kind of shaves itself, to be honest. But yeah, I've always had Star Wars in my life. I never really felt very weird about the numbering because Star Wars came out, yes, when I was too little to watch it. I think I was two at the time when it was actually in the theater. And so the whole numbering thing was already in place by the time I was ever at all aware. But I do remember The Empire Strikes Back and loving it back then. That was my favorite of those three anyways. But what this makes me think is, like, I've only ever watched Phantom Menace, which is the first one, right?
Jason Howell / Steve Gibson (01:24:30):
One time. And I thought it was awful. This was right around the time it was in the theaters. I thought it was horrible. And so as a result, I never gave part two and three any chance. I never actually watched them. I still, to this day, have not watched them. And I don't know why; maybe I need to do that, but I can't. I didn't know what you just said. Do not watch them. Okay. See, there you go. So I hear what you just wrote, what you just read on the podcast, and I'm like, alright, it all makes sense why those earlier ones were not very good, because it was kind of an after-the-fact thing, like, oh, wait a minute, there's more we can do here, but I'm not sure what that more is yet. Yeah. There we go.
Jason Howell / Steve Gibson (01:25:07):
More wasn't necessarily better. Yeah. It wasn't necessary. We immediately descended into little teddy bears running around. Yes. You know, it's just like, what has happened? Yeah. Little strange. The arc of... So I have one last thing to share. Dave Pope, he said, FYI, my 2013, okay, 2013 Ford key fob has bidirectional comms. It has a light that shows me red or green if the remote start was successful or not. He has no idea if it does the handshake you mentioned in the episode, though, cuz I talked last week about how the only way to really secure remote keyless entry... Tesla does a better job than Honda, cuz it'd be hard to do a worse job than Honda. They do a better job by only ever moving the synchronizing counter forward, so that codes actually do expire the first time that they're used and cannot...
Jason Howell / Steve Gibson (01:26:16):
There's no way to trick the system into using the same code again, although as we saw, an active attack can use jamming in order to get the key fob to emit additional codes that aren't seen by the car, which an attacker can grab to use in the future. But the way to absolutely solve the problem is a bidirectional handshake, which is what we have on the internet for all of our secure comms, and that's robustly secure. Anyway, I just thought it was very cool that, what, nine years ago, Ford has a key fob that lights to let you know whether the car has affirmatively confirmed that the engine started or not. That's very cool. So anyway, David, thanks for sharing that. And Jason, let's tell us about our last sponsor and then we're gonna go back into bleeding because you're here on the podcast.
Jason Howell / Steve Gibson (01:27:09):
Oh boy. Yeah. I hope next time I join, it has nothing to do with bleeding. Let's just put that on the table right there. But that's up next. You have so much to look forward to. First, let's take a moment to thank the sponsor of this episode of Security Now. That is World Wide Technology and Cisco, WWT. And they've been with us for years at this point; you know what they're all about. WWT offers security solutions and services that will protect your business. Attackers have updated their strategy, right? They're updating all the time. They're taking a look at the landscape and looking for insecurities all around to attack. But have you updated your strategy? You gotta keep up with all that. Well, WWT will help your organization prepare and combat next-gen threats. You want a company that has a vision, has services, has the capabilities needed to deliver security controls and reduce the risk for your organization?
Jason Howell / Steve Gibson (01:28:04):
What do you know, WWT does exactly that. Their team provides resources and platforms that make that possible. With over three decades of experience, they have a proven track record to truly help you succeed. And you know, we've got a few case studies that we can refer to to just prove this to you. WWT worked with a large healthcare organization to conduct a security risk assessment of their certified electronic health record technology. WWT consultants used expert knowledge, they used state-of-the-art tools, in-depth analysis, skilled training and repetition to complete their assessment. 90% of the vulnerabilities that they found could be fixed by putting a comprehensive, systematic approach in place for patching. 90% of the vulnerabilities that were located could do that. So there you go. Also, WWT worked with retail banking to help them achieve their primary goal of establishing an infrastructure capable of preventing and surviving a catastrophic cybersecurity event.
Jason Howell / Steve Gibson (01:29:06):
WWT actually helped them reduce system outages by 40%, along with an ongoing cost savings of 48% through infrastructure automation. Not bad at all. They offer a variety of security solutions and services that are gonna help you achieve more effective outcomes. You can connect your organization's business goals and objectives to technical solutions, reducing the risk for your organization. That's risk management in effect, right there. Also endpoint security, so you can improve the visibility and compliance while defending at the edge. How about protecting your network traffic? You do that while decreasing your attack surface. That's gonna improve your threat detection and response. It's gonna reduce your overall cyber risk. And then you wanna know that the right people and the devices have the right access at the right time, and you get that through identity and access management. And finally, cloud security: increase that data protection, ensure compliance and achieve a more consistent application of security policies across multiple clouds.
Jason Howell / Steve Gibson (01:30:07):
See how WWT and Cisco can protect your business assets and your intellectual property with a holistic security approach. Go to wwt.com/twit, do that, you can get started and let World Wide Technology help you. That's wwt.com/twit. WWT, make a new world happen. And we thank WWT for their continued support of Security Now. And without further ado, let's talk a little bit about RET bleed. What exactly is it and why is it, why are these things appearing every time I host this show? <Laugh> Yeah. So, okay. RET is the universal name. I think it's like universal across all processors. I don't know if I've ever... I've programmed many, you know, chips in assembly language and RET has always been the name of the CPU instruction for causing a subroutine to return. So RET is short for return. It's placed at the end of a subroutine to cause the subroutine to stop at that point.
Jason Howell / Steve Gibson (01:31:18):
So it is a little bit like, it's like a special jump instruction. It stops its execution and it causes the processor to return to the instruction following the one that invoked the subroutine. So in essence, the instruction tells the CPU to return to the point where the subroutine was called, you know, just after the point it was called. So execution resumes in a linear stream from that point. In stack-based processors, subroutines are often provided with some parameters, which they will use for whatever work they need to do. So the caller puts these parameters onto the stack, and then the subroutine looks on the stack in order to access them. You know, they can be values or pointers or whatever, and subroutines may place some of their own local, temporary data onto the stack as well.
Jason Howell / Steve Gibson (01:32:17):
You know, and how many times on this podcast have we used the term stack buffer overflow, meaning that there was a buffer that some code had put on the stack and it overflowed the stack. That's always been a big problem. And when the processor's return instruction is executed, all of this stack-based data is discarded. You know, nobody bothers to, like, flush it to zeros or overwrite it, cuz that takes time. Instead the stack pointer's just moved back above it as if it never existed, and we go on from there. So it's a very elegant means for managing various sorts of temporary data.
Jason Howell / Steve Gibson (01:33:02):
RET bleed is the brainchild of two researchers from ETH Zurich who have been behind a number of previous very clever attacks. Their paper on RET bleed, which is what they named this, will be delivered in a few weeks from now. I think it's August. I don't remember now; I had the date in my head, it's gone. Anyway, a couple weeks from now during a technical session of the USENIX Security '22 conference. They, being good guys, responsibly disclosed their discovery to Intel and AMD back in February of this year, presumably with a six-month non-disclosure period they agreed to be silent. That embargo was lifted last Tuesday, the 12th of July, which also happens to be Patch Tuesday, when it turns out some fixes for RET bleed were pushed out to the world. Okay. So I'm gonna start by just reading their paper's abstract.
Jason Howell / Steve Gibson (01:34:18):
I'm not gonna get into the weeds, cuz the weeds are very deep and thick here, but the abstract gives us an overall feel for what this is. And then I will break it down some. So they wrote: Modern operating systems rely on software defenses against hardware attacks. These defenses are, however, as good as the assumptions they make on the underlying hardware. In this paper, we invalidate some of the key assumptions behind retpoline (I'll explain that in a minute), a widely deployed mitigation against Spectre branch target injection, BTI, that converts vulnerable indirect branches to protected returns. We present RET bleed, a new Spectre BTI, again, branch target injection, attack that leaks arbitrary kernel memory on fully patched Intel and AMD systems. Two insights make RET bleed possible. First, we show that return instructions behave like indirect branches under certain microarchitecture-dependent conditions, which we reverse engineer.
Jason Howell / Steve Gibson (01:35:50):
Our dynamic analysis framework discovers many exploitable return instructions inside the Linux kernel reachable through unprivileged system calls. Second, we show how an unprivileged attacker can arbitrarily control the predicted target of such return instructions by branching into kernel memory. RET bleed leaks privileged memory at the rate of 219 bytes per second, with 98% accuracy on Intel Coffee Lake, and 3,900 bytes per second, with greater than 99% accuracy on AMD Zen 2 chips. So, okay, there are a few things we need to observe here. One is that this is another instance of the lesson that attacks never get worse; they only ever get better. When we started off with the Spectre and Meltdown speculative execution attacks, they were purely theoretical. This was at the end of 2017, early 2018. Purely theoretical is all we were talking about, but they didn't remain that way for long. Before long, researchers were discovering how to use these once theoretical attacks to probe the contents of memory that they had...
Jason Howell / Steve Gibson (01:37:23):
Absolutely no valid access to; that access limitation was enforced by hardware. And it didn't matter. Essentially they deliberately created a road that would not be taken by the CPU, but which the CPU would speculatively prepare to take anyway, and in doing so, it would preload the contents of some memory down that road into its cache. Then they would probe the cache to see what the CPU had cached in preparation for that never-taken road. In this manner, they would get the CPU to access memory for them which they could not legally access themselves. Access violations were never triggered because speculation never triggers access violations. This all amounted to some extremely clever manipulations of the insanely complex microarchitectures that have been incrementally added, generation after generation, to modern processors, all in the name of squeezing out every last cycle of performance. What's annoying to researchers who are just wanting to, like, make the world more secure is that the microarchitecture is undocumented.
Jason Howell / Steve Gibson (01:39:00):
It is never documented. Intel just says, oh, don't worry about it, it's perfect. Except it's not. And so the first thing these guys all have to do is, like, painstakingly reverse engineer the underlying architecture in order to figure out how it works. That they can only do by observing performance in all kinds of crazy tests. They reverse engineer how this all works underneath the chip's instructions. Then they go about bypassing the protections, in some instances, that this system provides. An amazing amount of work, and you know what? They get a paper out of it. They ought to be rich. Anyway, the problem that's the subject of this paper and of much sudden scurrying around (for example, as I'll explain in a minute, Linus just delayed the next Linux kernel release by one week as a result of this) has the name branch target injection.
Jason Howell / Steve Gibson (01:40:13):
It's also known as Spectre variant 2. There are essentially two available mitigations for this sort of speculation side channel leakage. There is retpoline, which is a contraction of return trampoline, thus retpoline, and IBRS, which stands for indirect branch restricted speculation. Just over three years ago... Oh, I should mention, IBRS, indirect branch restricted speculation, is Intel's official solution and has always been. Retpoline is what Google cleverly came up with quickly as a fix for Chrome, because Chrome would've been a big target for this. It turns out that you could actually do this in a browser. And so Google had to fix the Chromium engine, hardening it against Spectre variant 2. Thus they invented retpoline, which people liked a lot better than Intel's IBRS solution. Just over three years ago, the SUSE Linux blog posted an article titled Removal of IBRS mitigation for Spectre Variant 2.
Jason Howell / Steve Gibson (01:41:39):
And what was written is interesting in light of today's events. SUSE wrote: As the Meltdown and Spectre attacks were published at the beginning of January 2018, several mitigations were planned and implemented for Spectre variant 2. Spectre variant 2 describes an issue where the CPU's branch prediction can be poisoned so the CPU speculatively executes code it usually would never try to. For instance, user space attacker-controlled code could make the kernel code speculatively execute Spectre code gadgets that disclose secret kernel information via flush and reload. Those are cache timing disclosure methods. They said two major mitigations were proposed, that is, for Spectre variant 2: a CPU feature called indirect branch restricted speculation that would not use branch predictions from lower privileged levels to higher ones, meaning when jumping into the OS from user land, they said, or software workarounds called retpoline and RSB stuffing. They said these can fully replace the IBRS mitigation. Except not now, but that's what they said at the time.
Jason Howell / Steve Gibson (01:43:14):
They said on Intel Skylake there is the theoretical possibility that these software mitigations are not sufficient, but so far research has not shown any holes. Well, of course, that was true three years ago, but, as we know now, it is no longer true. They said SUSE backported the IBRS patches to our kernels, meaning backported, I'm sure, from Linux to ours, for the initial release of mitigations and enabled them as the retpoline mitigations were not yet ready. SUSE pushed the retpoline mitigation some months later, after support in the compiler and kernel became available, but left in the IBRS mitigation, which they now wish they had left in. As of today, again, this was three years ago, the retpoline and RSB stuffing software workarounds provide the same level of mitigations that IBRS provides. While IBRS support continued in the SUSE kernel,
Jason Howell / Steve Gibson (01:44:24):
it was not accepted by the Linux upstream kernel community, and it was also shown to cause performance degradation. And finally they said: As retpoline and RSB stuffing completely mitigate the Spectre variant 2 issue for the Linux kernel, SUSE decided, with guidance from Intel, to remove the IBRS patches from our kernel releases. While on Intel Skylake there exists a theoretical possibility that the software mitigations are not complete, so far no research has shown exploitable scenarios. Should research show any exploitable scenarios there, SUSE will re-enable the IBRS mitigation on these chipsets. So now that research has shown exploitable scenarios, I'm sure that's what they've been doing the last week. This means that the clever, no-hardware-required retpoline hack that Google had originally invented to protect their Chromium browser from these attacks worked for about three years, until enough time, focus and reverse engineering had been applied by some very dedicated researchers to hack past the imperfect mitigation that retpoline was and turn a theoretical vulnerability into a very real threat.
Jason Howell / Steve Gibson (01:45:57):
Meanwhile, the day before yesterday, on Sunday, Linus posted into the Linux kernel 5.19-rc7 thread, writing: It's a Sunday afternoon. I wonder what that might mean. He said: Another week, another rc. We obviously had that whole RET bleed thing, and it does show up in both the diffstat and the shortlog, and rc7 is definitely bigger than usual. And also as usual, when we've had one of those embargoed hardware issues pending (meaning all of this RET bleed stuff), the patches did not get the open development, and then as a result missed all of the usual sanity checking by all of the automation build and test infrastructure we have. So no surprise, there has been various small fix-up patches afterwards, too, for some corner cases. That said, last week there were two other development trees that independently also asked for an extension.
Jason Howell / Steve Gibson (01:47:10):
So 5.19 will be one of those releases that have an additional rc8 next weekend, before the final release. We had some last minute btrfs reverts, and also there's a pending issue with an Intel GPU firmware. So anyway, this did affect the Linux kernel, delaying its release by a week so that they could get the IBRS stuff back in and going. Now, among all of this, more than anything else, I loved Intel's description of this problem. It's CVE-2022-29901, and it starts out with the phrase non-transparent sharing. Now, okay? You gotta love that. Somewhere in their technical press release department, someone called out, hey, anyone, I need a term for leakage that doesn't sound like a bad thing. And someone replied, how about non-transparent sharing? The writer said perfect, returned to his keyboard and wrote: Non-transparent sharing of branch predictor targets between contexts in some Intel processors may allow an unauthorized user, meaning someone logged in, to potentially enable information disclosure via local access.
Jason Howell / Steve Gibson (01:48:57):
Okay. Again, non-transparent sharing of branch predictor targets between contexts. Okay. Anyway, everyone gets the message. They could not possibly have soft-pedaled this thing any more than they did. What it means is at least several hundred bytes per second can be exfiltrated from your Linux kernel if you don't fix this. Oops. Okay. The good news is not all processors will be affected. The ETH Zurich researchers said they tested the RET bleed attack in practice on AMD Zen 1, Zen 1+, and Zen 2, as well as the Intel Core generations 6, 7, and 8. This essentially means Intel CPUs from between three and six years ago and AMD processors from between one and 11 years ago will likely be affected. Fortunately, the industry's getting better about addressing these sorts of problems, and patches for RET bleed were incorporated into this month's Patch Tuesday in both OS and cloud infrastructure updates from all major providers.
Jason Howell / Steve Gibson (01:50:18):
So this leaves us, though, with the performance hit that comes whenever we disable some performance-enhancing bit that had inherently exploitable features. We've talked about this from the first glimmer of the first of these many microarchitectural side channel vulnerabilities. Since all these fancy features were invented to speed up the execution of real-world code, taking them out or shutting them down, like, you know, when we need them most, means some performance loss. The ETH researchers noted that installing these patches will have an impact on the CPU's performance metrics on affected processors of between 14% and 39%. And another issue they found in AMD processors only, that they named Phantom JMPs, might even come with a 209% overhead. Yikes. The ETH researchers concluded their paper by writing: We showed how return instructions can be hijacked to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
Jason Howell / Steve Gibson (01:51:46):
We learned these conditions by reverse engineering the previously unknown details of indirect branch prediction on Intel and AMD microarchitectures and its interaction with the return stack buffer. We found many vulnerable returns under these conditions using a new dynamic analysis framework, which we built on top of standard Linux kernel testing and debugging facilities. Furthermore, we showed that an unprivileged process can control the destination of these kernel returns by poisoning the branch target buffer using invalid architectural page faults. Based on these insights, our end-to-end exploit, RET bleed, can leak arbitrary kernel data as an unprivileged process running on a system with the latest Linux kernel (that is, until last Tuesday; actually, that's a good question, until this coming next release, probably) with all deployed mitigations enabled. Our efforts, they said, led to deployed mitigations against RET bleed. Oh, led to deployed mitigations against RET bleed in the Linux kernel.
Jason Howell / Steve Gibson (01:53:10):
So presumably that has been resolved. So, yay. And Jason, I look forward to you coming back for the next bleeding attack that the industry suffers. I just, I don't need this attached to me, this whole idea. You return, name something, bleeds. Like, I want Jason bleed. I think that would be, no, be very cool. I don't. I appreciate that we all want different things. I do not want that, so. Okay. <Laugh> But we'll see, who knows, maybe we can break the cycle and there will be no bleeding the next time that I return. That's hope. Let's hope. <Laugh> Thank you, Steve, for sharing all of your wisdom on this and everything else throughout the show. Steve, you can find everything that Steve firstname.lastname@example.org.
Jason Howell / Steve Gibson (01:54:03):
That's where you can go to find, well, everything you need to know about SpinRite, of course, the best mass storage recovery and maintenance tool. You can get your copy right there. You can find audio and video of this show at grc.com, also email@example.com, which is, I think, the only place you can get transcripts of this show. I don't believe that we offer those on our site, but you can find 'em there. If you want to go to our site, there is the show page on the web, twit.tv/sn for Security Now. You can find audio, video; you can jump out to YouTube. Everything you need to know about the show is listed there as well, including our recording times. We record live every Tuesday at 4:30 PM Eastern, 1:30 PM Pacific, that's 2030 UTC. So if you wanna watch live, you can do that at twit.tv/live, and you can follow along on all the bleeding each and every time that I'm joining Steve on Security Now. Steve, thank you so much for doing the show once again with me. I appreciate you welcoming me back. Absolute pleasure, Jason, and next time Leo wanders off, I hope you'll join us again. <Laugh> I will indeed. We'll see you next time, and Leo will be back next week on Security Now. Take care, everybody. Thanks, buddy.
Mikah Sargent (01:55:21):
Did you spend a lot of money on your brand new smartphone? And then you look at the pictures on Facebook and Instagram and you're like, what in the world happened to that photo? Yes, you have. I know, it happens to all of us. Well, you need to check out my show, Hands-On Photography, where I'm going to walk you through simple tips and tricks that are gonna help you get the most out of your smartphone camera or your DSLR or mirrorless, whatever you have. And those shots are gonna look so much better, I promise you. So make sure you're tuning in to twit.tv/hop for Hands-On Photography to find out more.