Security Now Episode 883 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. Yes, it's a patch Tuesday, but we'll save deeds on that until next week. Just, you know, we just like to prepare you for what is about to come. We are talking about a whole bunch of interesting things. Steve's found a new favorite writer, Paul Graham. It's not sci-fi it's fact. We'll talk about that. We've also gonna talk about the failure of one of N's proposed solutions for post quantum, crypto and deception at scale. What's the biggest problem with viruses today? It's all coming up next on security. Now, podcasts you love from people you trust this tweet.
Leo Laporte (00:00:48):
This is security. Now with Steve Gibson, episode 8 83 recorded Tuesday, August 9th, 2022. The maker's schedule. This episode of security now is brought to you by Kolide. Kolide is an end point security solution that uses the most powerful untapped resource in it. End users. Visit kolide.com/securitynow to learn more and activate a 14 day free trial today, no credit card required. And by ExpressVPN, when your phone carrier tracks you, that's a gross invasion of privacy. You can keep letting them cash in on you or visit expressvpn.com/securitynow to get the same VPN I use take back your online privacy today and use our link to get three extra months free and buy. Draw to security professionals are undergoing the tedious arduous task of manually collecting evidence with draw, say goodbye to the days of manual evidence collection and hello to automation. All done at draw to speed, visit drata.com/twit to get a demo and 10% off implementation.
Leo Laporte / Steve Gibson (00:01:59):
It's time for security. Now the show we cover the latest in security, privacy, bad guys, good guys, white hats, black hats, gray hats, and Steve Gibson who doesn't need a hat. And even, even really smart people, even them, even them. We got two really smart people that are topics. Dan Bernstein, who is one of my cryptographer mathematicians and the person who's responsible for the show's topic. A guy by the name of Paul Graham. Oh, who I'll be introducing people to who may not know of him. He'd really never crossed my radar one way or the other, although he's long been on yours, Leo. Oh yeah. So this is security now episode 8 83 for the 9th of August. This is patch Tuesday, so, oh boy, next Tuesday. We'll find out what happened. Now I know why my windows machine was so slow starting up this morning.
Leo Laporte / Steve Gibson (00:02:57):
Ah, yeah, yeah. And why I've been saying no, no, no, please. Don't reboot right now. I'm trying to do a podcast. Yeah. so we're gonna examine the collapse of one of the four N approved post quantum crypto algorithms. Oh good. I was hoping you do this. Yes. Yeah. We just announced them a couple weeks ago and you know, remember Scotty's di lithium crystals and so and so forth. Anyway, we lost one. But the lessons it teaches us are very important. We're also gonna look at what virus total has to tell us about what the malware MIS Koreans have been up to lately like based on all of their stats and at the conditions under which windows 11 was corrupting its users encrypted data. Yes. <laugh> gotta love those upgrades. We also celebrate a terrific looking new commercial service being offered by Microsoft.
Leo Laporte / Steve Gibson (00:03:56):
I'm not quite sure what it is from their description, but it looks great. And we briefly tease what will probably be next week's topic, which is Chris cryptographer, Daniel Bernstein, as I mentioned, his second lawsuit that he's filed against the United States. So we'll, before we get into the other stuff, the end of the show stuff, we'll talk about that. I'd also wanna share a bunch of interesting feedback, sort of more of in a sort of a Q and a style from our, our terrific listeners. And then we're gonna wrap by because I wanna share my discovery of a coder, a serial successful entrepreneur, and a surprisingly good writer by sharing something that he wrote, which I suspect will resonate profoundly with every one of our listeners. So today's title is the ti is part of the title from one of Paul Graham's essays.
Leo Laporte / Steve Gibson (00:05:02):
This is the maker's schedule and oh, we've got a great picture of the week. <Laugh> I, I, I will do my best to describe it. I saw it, I thought, oh, this is just too perfect. <Laugh> oh, a big show coming up and I'm looking forward to yeah. Paul Graham has been around for ages. He's founded why Combinator, which is a big yep. You know startup incubator in in the bay area and very well known more than 3000 startups. Yeah. Some of them huge boy. Yeah. And, and many that we all know. Yeah, absolutely. But also great thinker. Brilliant. I agree with you. Brilliant writer and an essayist and Lido. Yes. He is near and dear to your heart. You bet. But first a word from our sponsor also near and dear to our hearts Kolide.
Leo Laporte / Steve Gibson (00:05:52):
Actually I am a big fan of Kolide because I like their philosophy. You know, when you're you know, protecting a, a business, if you're in the security business or the it business, and you're protecting a business, the temptation is just to lock everything down. We've talked about that, filling the USB ports with super glue and preventing people from doing anything. But I think what we've learned in this B Y O D world is, you know, yeah, you could use MDM and lock everything down. But what users end up doing is is, is they become your adversaries. They don't like this. And they end up trying to get around it, you know, end up maybe even using their own devices, which of course is far worse. And maybe even bringing those devices now infected into the enterprise and you have no control over that. So there is a better way.
Leo Laporte / Steve Gibson (00:06:40):
And that's Kolide K O L I D E it's end point security that uses the most powerful untapped resource in it. Your end users. See it, it turns out that instead of making your end, users' adversaries, the bad guys, turn them and their devices into your allies. Old school device management tools like MDMs, forced disruptive agents onto employees' devices. You know, and employees know this, they slowed performance. They treat privacy as an afterthought. They're good for you, but they're not good for the users. And then you turn in, you know, it into admins and end users into enemies. And it creates its own security problems because users just turn to shadow it, just to do their jobs. It's not a, it's not a good scenario. You've probably been through it already. That's why you wanna take a look at Kolide. Now you need to be using slack.
Leo Laporte / Steve Gibson (00:07:37):
So this is for enterprises that use slack. We do slack is of course, very widely used as a messaging system in enterprises. And this is where Kolide does things very differently. Instead of forcing changes on users, Kolide sends them security recommendations via slack. In fact, it all begins with their first notification, helping them, walking them through the process of installing the Kolide user agent and explaining why they need it, what it's gonna do. And then Kolide will automatically notify your team when their devices are insecure and give employees step by step instructions on how to solve the problem. It's so much better. Let me tell you from both points of view, by reaching out to employees via a friendly slack DM, instead of, you know, educating about a company policies, instead of just saying, no, no, no Kolide helps you build a culture in which everybody contributes to security because everyone understands how to do it and why to do it.
Leo Laporte / Steve Gibson (00:08:33):
Now they're your allies. And it's so much better when, and it's frankly, necessity to have everybody on your team, get behind the idea of security, you know, to, to not understand it, to buy into it, to know how to do it for it. Admins you'll love it. Kolide gives you a single dashboard. You can monitor the security of your entire fleet. And by the way, completely cross platform, Mac windows, Linux, you could see the glance, which employees, for instance, have their discs encrypted, which ones are, are up to date on their OS patches, their password managers installed things, you know, that make it easy to prove, to compliance to your auditors, your customers, to your leadership. So this is in a sense, this is in a nutshell, this is what Kolide is. User centered cross platform, endpoint security for teams at slack. And if you're using using slack, I really want you to look at this.
Leo Laporte / Steve Gibson (00:09:21):
You can meet your compliance goals by putting users first, honestly, visit Kolide K O L I D E kolide.com/securitynow to find out how, if you follow that link, you're gonna get a great goodie bag, including my Kolides t-shirt, which you will be proud to wear everywhere, suitable for black tie events. You'll get, oh, there's more. I got another one look at this. Oh, this is even, this is another one. I like this with the Pinocchios or something on the back. What is that? Yeah, it's Pinocchio. <Laugh> ha security. You'll get stickers suitable for your laptop. All of that, just for going to kolide.com/security now and activating the free trial. Gotta try this. K O L I D E kolide.com/securitynow I just love this idea. All right. Back to Steve and the picture okay. Of the week. So the way to describe this we don't often get like thick fog in Southern California, but I spent the first, third of my life in Northern California.
Leo Laporte / Steve Gibson (00:10:31):
Yeah, we get it. Mm-Hmm <affirmative> oh boy. And especially like Sacramento driving, like around the Sacramento area, for some reason, like, you know, this super thick fog. So re remember how, if you've ever driven in fog, how you all you can see are the lights of a oncoming car. You know, there is, is just, you know, two white, glowing things in the darkness or even in the day, depending upon, you know, what time of, of the day the, the, the fog is. But, so, so the point is that the, the fog obscures, everything that's not lit up. Okay. So, and I have to say this picture of the week, it's worth getting the show notes, just to see this, cuz this was an, this was an actual photo taken in the distance is a digital billboard <laugh>, which has, which has, I know it's just so good, which has crashed and, or for some reason caused its it's backing windows OS to display an error message in a dialogue box.
Leo Laporte / Steve Gibson (00:11:46):
So you don't see the normal there, there. So, so the billboard itself is not displaying, whatever ad it normally would instead it's this, it's this dialogue box. And because this is taken on a foggy night, all you see is like hovering in the sky, is this eerie, glowing windows error dialogue. And so the, the caption on this, this great photo says a digital billboard in Odessa malfunctioned in the fog, convincing unknown numbers of motorists. Not only were they living in the matrix, but it was being run on windows 98. So anyway that we know can't possibly be true. <Laugh> yeah, I don't, I don't think that's the case, but anyway, just a great picture. So thank you, whomever. It was a listener of ours who sent that saying, Hey, I think this was a, but this would be a picture of the week boy, were you right?
Leo Laporte / Steve Gibson (00:12:55):
Absolutely. Okay. So we already know crypto is hard. In fact, it's even harder than we know. Okay. How many times have we observed the fallacy of rolling one's own crypto? And even when professional academics, carefully design test and vet an algorithm, they sometimes get it wrong. The biggest news of the past week in the crypto sphere is the fall of one of those four final and chosen post quantum cryptographic algorithms. But to their credit, even while N was announcing their final status, recall that everyone was told not to commit them to code just yet. Well, that turned out to be Sage and prescient advice. Some guys whose work we've covered in the past, the researchers with the computer security and industrial cryptography group at KU LUN managed to break one of those four late stage candidate algorithms, which was like ready to be deployed like soon for post quantum encryption.
Leo Laporte / Steve Gibson (00:14:16):
Fortunately, the di lithium crystals are still intact. Those algorithms are okay, the algorithm, they cracked psych S I K E, which is the abbreviation for super singular is Sony key encapsulation. It made it through all of the earlier stages of the us department of Commerce's national Institute of standards and technology, you know, the N competition. So that competition has been running since 20 17, 5 years ago, and started out with 69 69 candidates in its first round that weeded the number down two years later to 26 surviving candidates from the 69, that is to say all the other ones, something was like problems were found. It could have been performance. Most likely it was some security problems. Like there were defects found in some of those then the next year, which brings us to 2020, the third round, we had seven finalists with eight alternates.
Leo Laporte / Steve Gibson (00:15:33):
And as we know, when we talked about this a couple weeks ago, this was the end of the fourth round where we had three finalists and one alternate being selected to become the standards. So the good news is even after the announcement of the final four or perhaps because of the announcement of the final four, the KU Loun researchers rolled up their sleeves and got to work. They approached the problem, however, from a different angle than the cryptographers who designed it, they came at it from a pure math angle, attacking the core of the algorithms design instead of any potential code vulnerabilities like, you know, which is actually how the, a lot of these previous candidates got weeded out. As I mentioned, psych's base encryption was based upon something known as super singular is Sony Diffy Hellman or S I D H for short, but the mathematicians were able to show that S I D H itself was in turn vulnerable to a mathematical, a pure math attack, which had been developed back in 1997, known as the glue and split theorem, which is an attack on elliptic curves in response to this, like the, the discovery of this psych's co inventor, David Y a professor at the university of Waterloo, he said, quote, the newly uncovered weakness is clearly a major blow to psych, which is, you know, you can imagine he's feeling a little protective of his algorithm.
Leo Laporte / Steve Gibson (00:17:28):
So in other words, you know, it <laugh>, it killed it, you know, or as McCoy would've said, it's dead, Jim. And he added that all this goes back to crypto to cryptographers, sometimes imperfect dominion of pure mathematics in that the approach taken by the researchers he said was <laugh> really unexpected Uhhuh. Well, any in any event unexpected or not, it wasn't gonna be good enough. So essentially this means that the researchers used math rather than mechanics, to understand psych's encryption scheme and were then able to, to predict, and then retrieve its encryption keys, which is specifically what it was designed to protect and for their efforts, they received a bounty award, a $50,000 from after they published their paper titled an efficient key recovery attack on S I D H. And although not directly on psych S I D H being the basis for S I K E they are the same.
Leo Laporte / Steve Gibson (00:18:45):
The people who've been watching and participating in this process are concerned that this appears to be as difficult as it is in a note, which was written an email actually to ours Technica, which ours technical published, Jonathan Katz, and I E member and professor of the department of computer science at the university of Maryland wrote quote, it is perhaps a bit concerning that this is the second example in the past six months of a scheme that made it all the way to the third round of the N review process. And in this case, the fourth round, before big, completely broken using a classical algorithm, he added that quote, three of the four post quantum crypto schemes rely on relatively new assumptions whose exact difficulty is not well understood. So what the latest attack indicates is that we perhaps still need to be cautious and conservative with the standardization process going forward.
Leo Laporte / Steve Gibson (00:20:05):
In other words, we knew crypto was hard, but now it appears that it might be even harder than we thought it was. And, and part of the process is we are stepping into it like into unfamiliar territory pre and post quantum. They're like, it's a whole different thing, a whole different nature of computing that we are needing to be hardened against compared to classical computing, which is what we've been using until now. Right? So there's a lot of understanding and basis for, for rocking the, the way computers work today. That's not the way they work tomorrow. So, you know we've already been doing this work on for like working to come up with the, the algorithms, which will be rely, be able to rely on post quantum for five years. And thank goodness that as an industry, we started as early as we did.
Leo Laporte / Steve Gibson (00:21:10):
And that we're now focusing upon this as intently as we are, even though it's true sufficient, and you and I, Leo have had some fun with this, that sufficiently powerful quantum computers still seem to be a safe distance away. Have they factored the number 31 yet? I don't know. It's increasingly looking, I think 30, one's a prime though. So I think that may be way off <laugh> if they factor 31, then we got a problem. Oh, okay. How about 27? Let's go with that. There you go. Or yeah, or 35. I think it's what I meant. Anyway. It's interestingly, it's interestingly looking as though we're gonna need more time than we thought to get ready and remember that everything being encrypted and stored today still under pre quantum crypto is potentially vulnerable to disclosure once capable, sufficiently capable, quantum computing emerges. And at some point, depending upon what it is that's being stored, it might even be worth upgrading existing, stored encrypted data at rest from its current pre quantum encryption to post quantum encryption.
Leo Laporte / Steve Gibson (00:22:32):
In other words, read it decrypted under pre quantum, re-encrypt it under post quantum, and then store it back. Now, of course, the NSA they're happily storing everything that they can get their hands on, presumably that is pre quantum. And I wouldn't be surprised if they're, you know, one of the first people to order one of these big monster post quantum machines, as soon as they are available. So they have, so just to be clear, it's, it's kind of confusing. You mentioned di lithium crystals, di lithium. They have four already standardized four candidate algorithms, which are crystal skyr, crystal STH, crystal skyr is the KM or key establishment mechanism. And then there's crystals, lithium, FAL, and Finks. This is, this was part of an, a second class of four. That psych was part of a second class of four that they were looking at.
Leo Laporte / Steve Gibson (00:23:28):
Right, right. So it's, it doesn't undermine what they've already done, although it does, as you say, make us wonder, you know, how, how good these things are. And I think they've already they already say they're gonna standardize on Crystal's Falcon and FIS. Right? Correct. And so, so the, the lattice based algorithms, you know cryptographers and mathematicians have been working with lattice based crypto already for some time. So it's, you know, it, it, it's reasonable to hope that those are going to be stronger and more resistant to, I guess, what we would call new approaches <laugh> to, to cracking them. And of course we want every possible approach. Right. Right. Whether we want something that is absolutely resistant. And because the worst thing that could happen would be that the whole world standardizes on something that we all collectively believe is super solid.
Leo Laporte / Steve Gibson (00:24:33):
And then some oops, complete crack is you mean like Des or something like that? <Laugh> yeah. Kinda like that. Yeah. Although generally we've, you know, in the case of Des it was the NSA who said, oh, you know, I think maybe you wanna do that three times rather than just once. Right. And thus, you know, triple deses was, was found to be sufficiently secure because just doing it three times, each time with a different third of, of the whole key, you know re resulted in enough security margin. So the, the nice, so this does point out this is a good process, you know, that's what you hope. Yes. Is that somebody comes along and says, no, you can't use that one. That's why you do this. Oh, yes. So, so this was useful in two ways, it, it both took one of the, not safe enough contenders out of, out of consideration.
Leo Laporte / Steve Gibson (00:25:32):
And it's sort of shocked everyone. It's like, wait a minute. Yeah. And, and this is the point that this guy was making, was this thing made it through five years of scrutiny, right. Through, down to the fourth round where, where people were so tired, they finally said, okay, fine. You know, we we've been picking away at this thing for five years or these four, they all look fine. Well, they were wrong about one of them, are we sure they're not wrong about the other three? Right. Right. Well, that's, that's the point? These were, they weren't a hundred percent sure of any of those four. They aren't the four candidate algorithms that they've stand that they've put forward for standardization. These were the second, you know, second choices anyway, but I'm glad they got rid of one. <Laugh>. I hope they continue to look at the four that they have decided to standardize.
Leo Laporte / Steve Gibson (00:26:25):
And it is it's fair to say that they got rid of the one that was the less well understood yeah. Of, of the four. So they liked it cuz it has a small key, you know, it is small. And I like the other ones cuz they got di lithium in them. <Laugh> so can't go wrong with that. That's great. You know, either warp S or lightsabers one way or the other. Yeah. Okay. So virus total last week they published a report titled deception at scale, where they laid out the terrain of the malware samples that are uploaded to them more or less constantly to be analyzed. You know, they sit in the perfect place to see what's going on. They've got great, you know, scope I've explained in the past that signing my own executables, I discovered the hard way because people were saying, Hey, windows is saying, this is not safe.
Leo Laporte / Steve Gibson (00:27:24):
You know, you, you got a virus. It's like, no, I don't. Actually it didn't say that. It just said, this is, you know, you don't have any reputation here. So the point is that signing my executables was not sufficient proof of the integrity of my apps to bypass various of what are now hair triggered malware cautions, but virus, total reported among other things, get this, that fully 87% of the more than 1 million malicious samples, which were signed at the time, they were uploaded to virus total. Since the start of last year, January, 2021 contained a valid signature, 87% had a valid signature, those that were signed. So what that tells us is that signing code no longer means much it's necessary, but not sufficient. The bad guys are arranging to obtain code signing, credentials, just like any other legitimate, you know, code publisher would, you know, just like I do.
Leo Laporte / Steve Gibson (00:28:37):
So moving forward, the only thing that can be used that is, can be relied upon is the reputation of the hash of a given executable that, that is earned over time. Any new hash will need to start over from scratch, earning the reputation that specific exact code that, that it's the hash of is trustworthy. And there was another little interesting tidbit if you care to protect yourself somewhat by inspecting the certificate authority who issued the authentic code certificate that was used to sign a program, which you're considering running, it's worth noting that more than half more, actually more than 58% of the, the most often abused code siding certificates were all issued by just one company, a certificate authority known as sec Tigo a and if the name sec Tigo isn't ringing any bells, it's probably because they renamed themselves after their repeated conduct spoiled and soiled their previous name, which was Komodo <laugh> that's, you know, we've talked about Komodo quite a bit in the past that all the different mistakes they made, like allowing people to, you know, create their own certificates through problems in their web interface and, and, and giving code sci cert certificate minting authentication to people who didn't warrant it and so forth.
Leo Laporte / Steve Gibson (00:30:37):
Anyway I imagine that they're the favorite of malware authors, mostly because their certs are less expensive than the competition. And you know, you know, really, it's not their fault that virus total sees most malware signed by their certs since anyone can purchase a code siding certificate from any certificate authority. So you're gonna go with the cheapest. I don't, but I don't want to be signed by Komodo now named sec Tigo. You know, and it's the whole thing is roughly analogous to what lets encrypt did to TLS connections, right? Once upon a time having a web server certificate meant something, not anymore today, everyone needs to have one and they mean nothing because they're just being minted by automation based on the domain of the server that they're sitting behind. So, okay. Anyway, virus total also revealed that the top three, most often spoofed programs were Skype, Adobe reader and VLC player.
Leo Laporte / Steve Gibson (00:31:52):
Malware is masquerading as, as those three utilities, one of those three Skype, Adobe reader and VLC as the top three as basically obviously as a means to abuse the well earned trust that they've earned, that those apps have earned with users everywhere. And while those are the top three, the top 10 are rounded out by seven zip team viewer see cleaner edge steam, zoom, and WhatsApp. So yeah, you know, the top of the popular apps that people are needing now to, to grab wherever they are. So virus total said in their report last week, one of the simplest social engineering tricks we've seen involves making malware look like a legitimate program. The icon of these programs is a critical feature used to convince victims that these programs are legitimate. Just the icon. Of course, no one is surprised that threat actors employ a variety of approaches to compromise endpoints by tricking unwitting users, into downloading and running seemingly trusted executables.
Leo Laporte / Steve Gibson (00:33:15):
The other way this is achieved is by taking advantage of genuine domains, at least like, you know, the, the top level or, or second level domains to get around IP based firewall defenses, some of the most abused domains, which virus total has seen are discord app.com, squarespace.com, Amazon aws.com mediafire.com and qq.com. In total more than 2.5 million suspicious files were downloaded from 101 domains belonging to Alexa's top 1000 websites. In other words, the top 10 per 10% of the top 100 website domains have been used as sources for malware. And the misuse of discord has been well documented with that platform's content delivery network becoming a fertile ground for hosting malware alongside telegram, while also offering a perfect communications hub for attackers. So ultimately checking anything that's downloaded, which might be suspicious against virus total, I think is the best thing anyone can do. As I mentioned a while ago, back when I was needing to bring old dos machines onto my network, in order to debug spin right on them, I was sometimes needing to go to well off the beaten path driver repositories to locate old drivers for old network adapters driver, a repositories are classic sources of malware.
Leo Laporte / Steve Gibson (00:35:05):
So in every case I ran anything that I downloaded past virus total, to make sure that it didn't raise any alarms. And normally you get like one or two, some weird obscure, you know, virus total, I think scans as across or against as many as 75 different virus, you know, anti-virus engines and you'll typically get a couple reds, you know, you know, misfires, false positives from some scanners you've probably have never heard of. And so, you know, that's not a problem. It's when you see like 20 or 30 of them lighting up red, that is like, okay, okay. Do not, you know, do not click this thing. So, so that it's able to run and, you know, stepping back from all this a little bit, it's so annoying that so much of, you know, energy is being spent holding back the forces of darkness, look at how much, how much we put in now to, to doing that.
Leo Laporte / Steve Gibson (00:36:10):
But you know, on balance it's worth it because what can be done with computers today is truly amazing. Leo, I think I'm gonna take a sip of water. Okay. All right. And you could tell us why we're here and I just, maybe we should underscore don't download drivers from third parties. No, Steve's a trained professional. Do not try this at home. <Laugh> good advice. Yeah. It just, it just makes me really squeamish. I believe me, it made me just like I was, is it? Cause they were gone. They were no longer available. Is that why? Oh yeah. Yeah. You try to find a driver for an a 1986 network interface card. I mean, it's just do, I guess you gave no choice. Yeah, yeah. For dos. Yeah. Yeah. Whatcha are you gonna do? And you know, it was, it's a high level of pucker factor.
Leo Laporte / Steve Gibson (00:37:02):
Yeah. But you know, so, and I, I wouldn't run them on windows. I ran them. I only, I moved them immediately to dos and there's not much you can do on dos. Basically. If a virus comes alive on dos, it's like, oh crap. <Laugh>, you know? Yeah. I mean, yeah. Seriously. Huh? It's that's a, that's a virus has been hanging out for a long time. It's pretty ger. That's a geriatric virus. Yeah. It's like, what's 32 bits. <Laugh> I don't know what this windows thing you're talking about is <laugh> that's right. Let me talk. As long as we're talking about protecting yourself about another way to protect yourself online and that's with a, a good VPN virtual private network. And you know, the only VPN I recommend, the only VPN I use is ExpressVPN. And there are a lot of reasons for that.
Leo Laporte / Steve Gibson (00:37:53):
But chiefly, I know how ExpressVPN does what it does. And that gives me absolute confidence that they are not logging my presence there. They cannot log my presence there that nothing I do on ExpressVPN can be subpoenaed or otherwise acquired by governments or bad guys or marketers. It's truly private. Their trusted server technology is actually super cool. There's a good writeup on it. On bleeping computer. They actually have a custom version of Debbie and they run on all their machines. They have servers all over the world by the way, which is great. I'll explain why that's a good thing, but they run this custom. Devian a distro that by the way, every single time, the basically every day refr, the whole drive is wiped. The whole thing is reinstalled. The trusted server that's running on that loads itself into Ram.
Leo Laporte / Steve Gibson (00:38:48):
So when you start using a server, you have a, you have your own server, your own VPN server running in Ram only sandbox. So it can't write to the hard drive and the minute you stop using it goes away. No one else has used it. No one else can use it. I go on and on. They really go the extra mile. Of course, they're audited regularly. So you know, they're doing the right thing, respecting your privacy. Why would you wanna do that? Well, everybody and their brothers trying to find out what you're up to, where you're going. You saw Amazon, just, just try, is trying to buy Roomba, the Roomba vacuum cleaner, not cuz they think it's such a great business, but because it has maps of your house that they upload to the servers. Everybody wants to know what you do. Your phone is the ultimate espionage device.
Leo Laporte / Steve Gibson (00:39:32):
You do everything on it, right? And your phone carrier, what are they doing? Collecting data on everything you do. In fact, Verizon not only admits to it. They are constantly coming up with new technologies to track you betters track you better. They say it's so they can, I love this better. Understand your interests. Oh yeah. Sure. Well of course, really all they wanna do is sell that information to advertisers, stuff like sites, you visited what you've been up to online. The more they can get on you, the larger their paycheck becomes Fort your carriers, thwart everybody by using ExpressVPN. They can't see what you're doing. All it takes is a tap of a button. All your network data is now encrypted rerouted through ExpressVPN secure servers. Again, this is why it's so important that you trust ExpressVPN. They can see that information except they, they can't record it.
Leo Laporte / Steve Gibson (00:40:26):
They can't write it down. It gets wiped every day. So you don't have to worry about it, right? Whether you're an iPhone user, an Android user, a tablet, user express, VPN works everywhere, smart TVs. So you can even put it on some routers, protect your whole home. Of course, Mac windows, Linux, one subscription can be used on five devices at the same time. They're not nickel and diving you here. So your whole family can use ExpressVPN all at once. You know, and then I love it because they are all over the world. It means you can use an ExpressVPN server in another country. That means you can do things like watch content on Netflix in that country. I it's just the right way to go. When your phone carrier tracks you, that is a gross invasion of privacy. You can keep letting 'em cash in on you.
Leo Laporte / Steve Gibson (00:41:12):
Or you can go to expressvpn.com/securitynow it's the only VPN I use and recommend take back your online privacy. If you use our special length, the security now link you'll get three months free with a one year plan that brings the price down below seven bucks a month for up to five simultaneous users. That's a great deal. Express vpn.com/security. Now ex P R E S S vpn.com/security. Now we thank 'em so much for supporting security. Now I appreciate the work they do to make sure they are secure and they are private. And I, and I invite you to support security now by checking it out to expressvpn.com/securitynow back to you and just occurred to me that everything you've just said, D is another example of what we're going through these days. Just <laugh> just to have some security and privacy is like my Lord.
Leo Laporte / Steve Gibson (00:42:09):
There is there's a story about a, a mother and daughter in Nebraska who just got arrested and charged with felonies. And how did the authorities get the information they subpoenaed their Facebook DMS. Oh wow. You know, I it's, it, we are, we're really now in a situation where the government is happy to use these technologies against you. And I think you, you, we now all need to have defend, defend ourselves. And, and it's why the big question is whether encryption will be allowed to survive. I'm sure they won't be, I'm sure they hate this. They hate this. You know, they don't want you. It's just a matter private. Yep. Just a matter of time. Yep. So two stories about Microsoft one, the first is a little rough, but the second I give them some props. The rough one is last week.
Leo Laporte / Steve Gibson (00:43:04):
Microsoft warned that their knowledge in their knowledge base article KB 5 0 1 72 59, that quote windows devices that have the newest supported processors might be susceptible to data damage. Now, though, they're poorly worded title. Doesn't make it clear. It's not the windows devices with the newest supported processors that might be damaged. It's users, encrypted data that has been damaged by the simultaneous use of windows 11 with the new vector encryption instructions that are present only in the latest processors. Microsoft's posting explained the quote windows devices that support the newest vector advanced encryption standard, you know, advanced encryption standard is AEs. The, the Rhind do cipher. So this is they, they V AEs instruction set are susceptible to data damage. The affected windows devices are those that use either AEs X, E X based tweaked codebook mode with cipher text stealing, which is AEs hyphen XTS. And that meant something to, to me, I'll explain it in a second or AEs with gal counter mode.
Leo Laporte / Steve Gibson (00:44:36):
That's of course GCM. So AEs GCM, both of those immediately raised my eyebrows since AEs GCM has become the preferred authenticating encryption mode for bulk encryption and AEs XTS is the way data at rest is stored encrypted in mass storage. And sure enough, in their knowledge base article, Microsoft wrote to prevent further data damage, okay, to prevent further data damage <laugh> we addressed this issue in May 24th, 2022 preview release, and the June 14th, 2022 security release. After applying those patches, they said, you might notice slower performance for almost one month. And I thought, what a month, what they said after you install them on windows server 2022 and windows 11, they said para's original release. The scenarios that might have performance degradation include BitLocker, transport layer, security, you know, TLS and disc throughput, especially for enterprise customers. In other words, the previously faulty encryption that was being used by windows 11 for BitLocker and TLS communications was fast but broken and it was damaging its user's data.
Leo Laporte / Steve Gibson (00:46:16):
So they fixed that quickly in may and June by no longer using the VAs instructions at the cost of performance, which is why they said you, you know, things, may, you may notice things going slower, but at least your data's not being scrambled. They wrote, if this affects you, we strongly urge you to install May 24th, 2022 preview release, or the June 14th, 2022 security release as soon as possible to prevent further damage. Then they said, performance will be restored after you install the June 23rd, 2022 preview release, or the July 12th, 2022 security release. In other words, you know, they're saying that they, they found and fixed the broken V a E S implementation and have restored windows 11 to use V a E S with the most recent updates. So now you get speed and happily, it's not, it's not damaging your data. So this was all resolved by last month's patch Tuesday, but there was a period and no one really knows how long it was, where windows 11, when used on the, on the most modern processors, which had this V a E S set of instructions.
Leo Laporte / Steve Gibson (00:47:49):
The vector AEs had broken windows core crypto algorithms, Microsoft wrote quote, we added new code paths to the windows, 11 original release and windows server, 2022 versions of SIM cryp to take advantage of V a E S the vectorized AEs instructions, SIM crypt, they wrote is the core cryptographic librarian windows. These instructions act on advanced vector extensions, AVX registers for hardware with the newest supported processors. Okay. Now, obviously, whatever these bugs were, they were not destroying everyone's data, or, I mean, we would've known about that. Or perhaps it was just that very few people were using windows 11 original release on the very latest processors, which also had these new VAs instructions. But at any event it's a bit frightening to have this somehow escape from, and to be shipped by Microsoft bleeping. Computer carried this story, and someone commented on their story on its page by writing in quote, by quoting the phrase data damage and said data damage the new marketing gloss over for data loss and file sips file system corruption.
Leo Laporte / Steve Gibson (00:49:28):
He said, don't be fooled it's yet another case where Microsoft's bungled agile development practices have screwed the pooch, their testing harnesses are entirely inadequate to support the massive legacy code bases they have to support in the time scales they need to release. And I think that's an accurate criticism as we know, this is, you know, we've seen lots of evidence of this increasingly in the last couple years, I don't think that Paul, Mary Jo or I could have sum things up better than that, but on the brighter side, I also have some happy Microsoft news to share. They've announced a new security offering, which looks pretty good to me. It promises to provide security teams with the means to S to spot internet exposed resources in the organization's environment that they may not be aware of. On the front page announcing this new what's what Microsoft calls, the Microsoft defender and, and Paul and Mary Jo the other day said that, you know, pretty much everything was now called Microsoft defender.
Leo Laporte / Steve Gibson (00:50:48):
Yeah. You know, so it's Microsoft defender, this or Microsoft defender that, you know, they're liking that they're liking that jargon a lot. Anyway, this is the Microsoft defender, external attack surface management and on the announcement page, they note the highlights. They said, discover unmanaged resources, understand the full extent of your attack surface, including shadow it. And assets created through common everyday business growth, multi-cloud visibility. And this is the first time I'd seen the term multi-cloud is like, okay, one's not enough. Let's get multi clouds. So we got multi-cloud visibility, maintain a dynamic inventory of external resources across multiple cloud and hybrid environments. And then let finally identify exposed weaknesses, prioritize vulnerabilities, and misconfigurations hidden in unmanaged resources. Then bring the resources under management to remove those exposures. So, okay. From everything they've written, it's unclear to me because of the terminology they've used, whether this is an external, but for example, a far more comprehensive scan, like GRCs shields up service, or whether it's local network packet monitoring.
Leo Laporte / Steve Gibson (00:52:22):
If a network monitor was placed truly upstream of everything else that the enterprise was exposing that could do the job, but it strikes me that even that could be prone to some mistakes. The focus is on mistakenly, unmanaged forgotten or unknown network assets, which might be added to the environment after, you know, what they say. They said business growth. So mergers or acquisitions created by shadow it. You know, somebody's uncle, you know, plugging something in somewhere or missing from inventory due to incomplete cataloging, or just left out due to, you know, rapid business growth. And I think all of this is a great idea. Microsoft's corporate VP for security said the new defender, external attack service management gives security teams, the ability to discover unknown and unmanaged resources that are visible and accessible from the internet. Essentially the same view an attacker has when selecting a target defender, external attack surface management helps customers discover unmanaged resources that could be potential entry points for an attacker.
Leo Laporte / Steve Gibson (00:53:45):
And I still can't figure out exactly what it is from what they've written. As I said, the language they're using is aggravatingly imprecise elsewhere in describing it. They wrote Microsoft defender, external attack, surface management scans, the internet and its connections every day. Well, okay. I don't know what the internet and its connections means. Exactly. Maybe Paul and Mary Jo will talk about this tomorrow. Anyway, they continue. My Microsoft says this builds a complete catalog of a customer's environment, discovering internet facing resources. That sure sounds like an external scanner to me, even the agentless and unmanaged assets, continuous monitoring without the need for agents or credentials, which again, sounds like out outside prioritizes new vulnerabilities with a complete view of the organization. Customers can take recommended steps to mitigate risk by bringing these unknown resources, endpoints, and assets under secure management within the security information and event management.
Leo Laporte / Steve Gibson (00:55:02):
And we have an acronym for that S I E, and extended detection and response that's XDR tools. So it it's sounds like sort of a Microsoft offered Showdan scanner for their enterprise customers anyway, whatever it is and whatever it costs in an enterprise environment where there might be too many overlapping regions of it authority and without any absolutely central single Omni mission management this sure seems like something that would be worth pricing out and exploring for an enterprise. You know, it is just, it is so easy to make a mistake and this might work to catch any such mistakes before the bad guys do. So I wanted to bring into everyone's attention. I imagine that our enterprise bound listeners may may want to know about it. Okay. So I'm gonna talk about Dan here in a minute. First. I wanna do some closing the loop with our listeners.
Leo Laporte / Steve Gibson (00:56:15):
Someone who asked me to keep his name anonymous. So I'll just call him. KA sent me a DM. He said, Steve just wanted to share my experience with zero patch. As you have mentioned it a few times on security. Now I hardly recommend this program for anyone still having to support windows 2008 servers or windows seven systems in their enterprise, which as we know, have gone out of, of security patch cycle, unless you buy it at, and it gets more expensive every year from Microsoft. Anyway, he says, due to business reasons, such as having to support legacy applications, anyone can sign up for the free account to get a copy of the zero patch agent. And that's, you know, zero P a T c.com. And he says, and see, in an instant, what windows modules are at risk and how often they are being called by the OS.
Leo Laporte / Steve Gibson (00:57:21):
That's really cool. He says the cost to patch a window system with zero patch is a fraction of what you would have to pay Microsoft. And the patches are installed instantly with no reboot required. He said, I was able to protect my systems within seconds of purchasing my subscription. As the agent immediately implemented the patches on my machines. I hope this is helpful to our security now community, as I am sure, several of us would like to simply shut down non-supported windows systems, but are unable to for business impact reasons. Please keep my handle anonymous. As I've identified myself through this message as having to support legacy systems. And I would not like anyone to trace my association with my company, which could put them at risk. Thank you for producing my favorite podcast and equipping our community with the information we need each week to digitally protect our business and loved ones systems. So thank you KA. I'm happy to share this information with our listeners. I, I think that the, the zero patch that, you know, the micro patch guys do a great job, and we're often talking about them.
Leo Laporte / Steve Gibson (00:58:41):
Someone sent someone calling themselves Oak song that's tweeted. Does the CIA care about felonies when hiring security consultants? Do they just move them overseas? <Laugh> which struck me as a really good question. It's related of course, to our more tongue in cheek picture of the week, last week you know, the two past to reaching professional security guru status I don't remember exactly what we called it. You know, one was the 20 year path of working your way up through the hierarchy. The other was, you know, be a hacker, get convicted, go to prison, get out in 14 months on good behavior and get hired as a security professional. So anyway, I, I got a kick out of that. I can certainly see both sides of it. Simon Kirkman said, hi, Steve, I'm trying to set up a guest wifi network.
Leo Laporte / Steve Gibson (00:59:38):
And I found an issue, which I can't see how you got around when you did it at home, he said, I set up a new router for visitors to our village hall, which is connected to a modem router in an office, belonging to a business who are willing to allow internet access, but not land access due to CCTV, et cetera, being on their network. My new router is set to a different subnet and subnet mask. And in theory is separate from the business network, but in practice, an IP address gets passed upstream to the other router, which then allows access. I can't see how to do this correctly. And it allows my guest users to access the business land. How did you do it with your smart home network? Okay. Well, first of all, I did it with my smart home network by using a, a non what we affectionately really very affectionately call dumb routers.
Leo Laporte / Steve Gibson (01:00:50):
Mine was a smart router where the individual ports were separate network interfaces, separate Nicks, not a, a hub or a switch where all of those ports were on, were all on the same land that allowed me to assign different lands to different ports. But there is the famous three dumb routers solution that I developed years ago on this podcast. It's a way of creating two mutually isolated networks using three simple and standard Nat routers and pretty much zero configuration. The three routers are wired in a Y configuration that the we'll call it router a connects to the internet on its wan interface and provides internet service to routers B and C by connecting each of their wan interfaces to two of routers land interfaces. Thus the, the Y connection, a useful simplification for simple net routers is to think of them as a one way valve where traffic can easily leave the network passing out of the router toward the internet, but unsolicited and unexpected traffic cannot enter the network.
Leo Laporte / Steve Gibson (01:02:27):
In fact, we now utterly depend upon this feature of net routers to act as our internet firewalls for us. This same principle works for the why configuration to prevent any traffic from one of the lands, from having any access whatsoever into the other land. Cuz each land is protected by its own dumb router, which is acting as a one-way valve. Now that requires three routers, each of which can be dumb. So speaking to Simon, if it's feasible for you to place a third router upstream on the land side of both the business router and your village hall router, that would provide perfect isolation, but there is a two router variation, which might also work switch the rolls of the two routers place, the village hall router on the internet and connect the business router, which requires the privacy to one of the land ports of the, of the village hall router.
Leo Laporte / Steve Gibson (01:03:42):
In that way, the traffic on the business' land is protected by its routers one way Nat firewall and the village hall router that doesn't need that protection. You know, doesn't need that. You know, it might still be able to see the village hall traffic, but not the other way around. So in other words, three dumb routers are needed for two way privacy, but two routers can be used when one way privacy is sufficient. So as it happens, I sent this answer back to Simon who later replied, hi, Steve, thanks for that. I have a third router around I'll look to set that up. Hadn't thought had not thought about doing it that way. Thanks very much. It's nice that you can do it all wireless. That's cool. Yes. Yes. Jose C. Gomez, he said, hi, Steve. Here's a pretty complete demo and explanation of how past keys are going work and interface between Microsoft, Google and apple presented by some of their product managers and engineers.
Leo Laporte / Steve Gibson (01:04:57):
And in his tweet, he sent me a YouTube link. I turned it into this week's shortcut. He says he, he, he finishes tweets saying, looks like there is no pass key sharing at all. And it's more cross device off and recreate. So for those who are interested in seeing this working the 14 minute YouTube video posted by the Fido Alliance on their YouTube channel is very good. It has a blessedly brief introduction by a Fido marketing person followed by brisk walkthroughs by Google and Microsoft product managers. So as I said, the video is this week's shortcut of the week, meaning that it's grc.sc/ 8 83, that'll bounce you to the YouTube link. So the short version is that it's all exactly what we thought. And they do succeed in making it all look wonderful. The Google guy highlights the magic created by Apple's iCloud synchronization, such that a pass key created on one apple device will be known to all of your other apple devices and they show how a Bluetooth enabled phone and a Bluetooth enabled desktop can use a QR code displayed on a webpage to allow the phone, to authenticate the user on that, on that desktop and how the user now having been authenticated may then choose to create another pass key locally on that device that is that desktop device.
Leo Laporte / Steve Gibson (01:06:47):
So that future logins can be done natively without the phone. As we know, it's not as good as we could have had and bridging isolated brands such as apple, Google, and Microsoft will, this pretty much confirms it require creating multiple functionally duplicate pass keys for every website on every machine that lacks a means of synchronizing and sharing existing Passkey. But it's the system we're gonna get. And thanks mostly to the authentication automation, which web often brings to finally create an alternative to the clues of clunky form fill in authentication. It will be better than what we've had, but implementing it on the server side. As we know, still requires some major work individually from each and every website. That's where, you know, the form filled password managers excelled is that the websites were spoiled. They didn't have to change anything. Everything was done by filling in the form, but it's a mess. So it's gonna be very interesting to see, you know, how all this transpires over the next few years, but our, our initial impression is confirmed in this 14 minute video, but it, it also, I have to to say, I mean, they make it look breezy and not burdensome. It's just not as nice as it could have been. Yeah.
Leo Laporte / Steve Gibson (01:08:25):
Electronic aro said, hi, Steve love security now. And recently came across something interesting. I thought I'd ask you about, at least I thought it was interesting. Maybe it's trivial and I should know better. He said, I recently took a United flight and they allow their inflight wifi to be used for IP based messaging apps for free. However, they block the sending of images. So how do they detect the one is sending an image. If one is using a messaging app that has strong encryption like signal. I would've thought that that, that since signal, yeah. That since signal does the encryption at the end, any image sent by a signal message would be indistinguishable from a text message. But after attempting to send an image, United has clearly figured out how to detect an image in a message and block it. How is this possible while maintaining signals encryption?
Leo Laporte / Steve Gibson (01:09:27):
Okay. My guess would be that it's all about bandwidth usage and size text is truly tiny. Whereas any image is huge, massive by comparison. So it would be easy to simply watch each user on the airplane for the rate of data that they are exchanging. And if it exceeds some very low maximum, which is all texting is ever gonna be, right, like, you know, writing some text and hitting send is a little tiny little Birch of, of bandwidth use. It would be very easy for them to set a very low maximum and if they exceed that, cut them off and also note that a simple bandwidth cap, a very low bandwidth cap is also what United or any carrier would want. You know, it's sort of a nice compromise. Their travelers can trickle out in and out text for free so long as it's at such a low bandwidth as to be insignificant to them.
Leo Laporte / Steve Gibson (01:10:41):
But if you want the cap lifted fork over some cash relief, TWI tweeted <laugh> you said at SG G or C, you are a lifesaver exclamation point today. A PC in a pharmacy that I support installed Microsoft update KB 5 0 1 46 66. The one that makes the duplicate USB printer <laugh> and deselects the port for the original. I'm not sure why my organization let the patch through, but this PC shares a vital label printer with the rest of the pharmacy. And suddenly no wood could print labels. As soon as I saw the duplicate printer with the Peren copy, one closed Perens in its name. I knew exactly what to do. The reason I knew was because I had listened to security. Now 8 81, you saved me a lot of work and my pharmacists, a lot of downtime. Thank you. Oh, and he said, well, I have your attention.
Leo Laporte / Steve Gibson (01:11:50):
I'll make another plea for you to read sea of tranquility by Emily St. John Mandel. He says, I found it to be compelling speculative fiction. I think they call it that because is light on the sciency details opting instead to just concede that things like time travel and domed cities exist and to focus instead on the story of the humans in that environment, he says, I think you would like it. So first it's very cool when something from the podcast, so nicely lines up with a real world event. And as for his book recommendation, since I'm currently without an engaging science fiction novel, I purchased the book for $11 for my Kindle. The, and I'd have to say it has endless amazing over the top reviews there. So it looks like an interesting possibility. My nephew, who was similarly hooked on Rick Brown's frontiers saga, and who with me has been waiting for the next one to drop has not yet discovered Peter Hamilton.
Leo Laporte / Steve Gibson (01:12:59):
So he's heading into fallen dragon before, which I'm sure he's gonna go nuts over and then I'm gonna aim him at Pandora's star. So I envy him for not yet having found Hamilton because boy does he have some great stuff ahead? Martin Rojas, he said, my sister had a severe allergic reaction. He said, she's fine. But in talking to the paramedics, we talked about medical bracelets or ID cards. She has a complex medical history and medication as do many of the people they pick up. The paramedic mentioned that if there was a card with NFC or a QR code, they could scan that they could scan that information and it would be a, a great help to them in an emergency. He says that part is easy, but it would also be public for anyone to scrape the info. My question is whether there is some pattern that could serve both as secure, but also be easy to access by emergency personnel. I was thinking password printed in the card, but maybe there's something better.
Leo Laporte / Steve Gibson (01:14:17):
So from APRI, from a theoretical privacy protection standpoint, I had two thoughts in response to Martin, the first would be to have a publicly accessible QR code that anyone could use to access medical records, which would be carried by the person, but in such a way that it was not readily accessible to anyone. For example, make it a comfortable silicone wristband that's never removed, which identifies itself as offering critical emergency information on its underside only thus it provides a degree of physical privacy by physically limiting the circumstances under which someone could obtain access to the QR code. I could also or it could also make very clear what the person's most important health requirements are, which would be spelled out in the region's most common language on the underside, so that, you know, you wouldn't have to even scan the QR code.
Leo Laporte / Steve Gibson (01:15:33):
You could immediately determine, you know, what was most important. And then the QR code could provide additional backup. The second solution, which could be applied as an additional layer of privacy protection, if required would be for the QR code, which would, you know, presumably take anyone who scans it to an emergency information supply service that could also require login authentication by an accredited and confirmed emergency services supplier while that would offer greater privacy protection. The worry would be that the information not be made available as quickly as it could be, or, you know, maybe at all, if the authentication failed or if the provider of the service didn't have an account with the information provider. So I think if it was me, I'd worry less about privacy and more about being certain that any special medical needs allergies, et cetera, were readily known to, you know, someone who needed to obtain them.
Leo Laporte / Steve Gibson (01:16:36):
And I, let me put in a plug here for turning on medical ID. If you have an iPhone all first responders know this there go to the health app, scroll down, set up medical ID. Mine is set up with my my medications, my allergies, everything that first responders would need to know the most important thing a first responder needs I'm told by first responders is a number to call for your next of kin or, well, that sounds like you're dead. Your, your nearest, you know, your, your in contact emergency contact, because they often will just use that. But there is that information, iPhones have it built in they know how to get to it. You have to press and hold the side button and the volume up button at the same time, and then swipe the medical ID slider.
Leo Laporte / Steve Gibson (01:17:19):
So it's a little, it's not something a casual, you know, privacy thief would get to Android, unfortunately does not have this built in on all versions of Android, but there are third party apps, joint commission.org has the information. And there's one called medical ID on on the Google play store. Use those because first responders know now who doesn't have a smartphone, they know immediately to go for the smartphone. So I think medical alert, bracelets, and necklaces and other things like that have been superseded these days by, by your smartphone. So very, if you have a smartphone turn that on, it's really important. Very cool. And I, and I guess I would argue, even if you don't have any medical issues, but you do want them an emergency responder to be able to get a hold of yes. You know, the person that you need to have notified most important information of all.
Leo Laporte / Steve Gibson (01:18:12):
Exactly. Yeah. Yeah. Okay. So finally, Dan Burstein sues the NSA. As I mentioned at the top, Dan is one of my favorite cryptographer mathematicians since he's the father of the most efficient 2 55 19 family of elliptic curve crypto, and a number of other core crypto primitives that I adopted for squirrel and which have subsequently been adopted for use by TLS and even optionally by web often that would make it available for pass keys. And coincidentally, Dan and I independently came up with the idea that was, this is called sin cookies as a way to prevent resource depletion in T C P I P stacks, which are caused by sin flooding attacks. The idea was a way to encode the important details of the sin packet in the replying sin. A so that stateless connections set up became possible. Anyway, Dan was born in 1971, so he was 24 years old.
Leo Laporte / Steve Gibson (01:19:22):
When as a student at UC Berkeley, he brought his first lawsuit against the United States dance 50 years old. Now he wanted to publish a paper at the time with its associated source code on his snuffle was the name of it, the snuff, the snuffle encryption system, but that would've been illegal at the time. So he sued and won. He sued the United States and won after four years. And one regulatory change. The ninth circuit court of appeals ruled that software source code was speech protected by the first amendment and that the, the government's regulations preventing its publication were unconstitutional. Mm. And we owe Daniel for that. I'm bringing this up today. And I called that Dan's first lawsuit, because as I mentioned already last Friday, he announced that he is now sued the NSA in a blog posting titled NSA N and post quantum cryptography announcing my second lawsuit against the us government.
Leo Laporte / Steve Gibson (01:20:38):
<Laugh> it worked once before it's go his blog post is lengthy, and I want to read, digest and research the entire thing. So unless something more interesting pops up before next week, it will likely be next week's topic for anyone who doesn't wanna wait for me. The link to Dan's blog post is in the show notes. So I think that's what we'll be talking about next week and Leo, after our final sponsor break, we're gonna talk about somebody, I just discovered who you have known about for quite a while and a really compelling piece of his writing. Oh, good. Can't wait. And I put into the chat room and the show notes. Well there are no yours or the show notes, but I put into the chat room and the discord information about turning on medical ID, many Android phones.
Leo Laporte / Steve Gibson (01:21:27):
I know my Samsung galaxy phone has that built in. Otherwise there are third party apps and all iPhones to my knowledge support that our show today, Steve brought to you by DHA DRTA D R a T a, is your organization finding a difficult to achieve continuous compliance as it quickly grows in scales. This is a really common problem is manual evidence collection slowing your team down as G two's highest rated cloud compliance software draw a streamlines your SOC two ISO 27 0 0 1, PCI DSS, GDPR, HIPAA, and other compliance frameworks, and provides 24 hour continuous control monitoring. So you focus on scaling securely. And let me tell you, Trotter has the waterfront covered with a suite of 75 plus integrations draw to easily integrates with your tech stacks through applications like AWS and Azure and GitHub and Okta and CloudFlare, and on and on and on countless security professionals from companies including lemonade and notion and bamboo HR have shared how critical it has been to have draw as a trusted partner in the compliance process.
Leo Laporte / Steve Gibson (01:22:36):
Their deep native integrations provide instant visibility into a security program and continuous monitoring to ensure compliance is always met. JDA allows companies to see all their controls and easily map them to compliance frameworks, to gain immediate insight into framework overlap. Companies can start building a solid security posture from day one with draw data, achieve and maintain compliance as your business scales, expand security assurance efforts using the draw da platform draw DA's automated dynamic policy templates, support companies, new to compliance and help alleviate hours of manual labor and their integrated security awareness training program and automated reminders ensure smooth employee onboarding. They're the only player in the industry to build on a private database architecture from day one. That's huge. It means your data can never be accessed by anyone outside your organization. Now, do you believe me? You need draw to all customers receive a team of compliance experts, including a designated customer success manager, cuz they know this stuff's complicated and there's a lot of details and they have a lot of experience.
Leo Laporte / Steve Gibson (01:23:42):
In fact, they have a team of former auditors working for them. They've they've conducted 500 plus audits and they're available for support and council as well. Is, do I need to keep this do, is this record important? How long do I have to keep it? Your success is their success with a consistent meeting cadence. They keep you on track and ensure there are no surprises and no barriers. Plus your pre-audit calls ensure you're set up for success. When your audits begin draw to personally backed by SV CI a syndicate of CISO angel investors from some of the most influential companies in the world, this makes a lot of sense, right? These CISOs have dealt with this. They know this is a need and they, and they decided let's put this together S VCI, that's a syndicate of CISOs and they they supported DRTA and getting going, say goodbye to manual evidence collection, say hello to automated compliance, something.
Leo Laporte / Steve Gibson (01:24:41):
The world is needed for some time DRTA drta.com/tweet. You can see all the, all the G2 awards there on the bottom of the screen. It's pretty impressive. D R a T a.com/twi bringing automation to compliance at DRTA speed. I think this is so important. Drta.Com/Twit. You'll get 10% off when you requested a demo dta.com/twitter. We thank them so much for their support on security now and now to Steve Gibson. So here's what happened. When I settled down late yesterday morning to begin assembling today's podcast, I started by catching up with my weeks past Twitter DMS. The first and most recent DM I encountered was from a listener named Theran killer, who pointed to something that astounded me. And I thought it was so important that it became today's topic. He tweeted, hi, Steve. I'm a few weeks behind on SN I just heard the episode where you mentioned coding all night long.
Leo Laporte / Steve Gibson (01:25:53):
Then today I saw this and of course, thought of you. I'm sure other coders would agree. So he pointed to a posting on Facebook where someone had apparently just discovered something someone else had written back in July of 2009, after scanning the Facebook posting, I followed the source reference link to the original content and thus stumbled upon the work and writings of someone. I had never been very much aware of the guy's name is Paul Graham. And here's a very brief bio of Paul that could clearly be much longer. He is a programmer writer and investor in 1995. He and Robert Morris, yes, that Robert Morris started via web the first software as a service company. That's 1995. And as I, as I, I believe it was a lisp based storefront creating service. So via web was acquired by Yahoo in 1998, where it became Yahoo store.
Leo Laporte / Steve Gibson (01:27:03):
In 2001, Paul started publishing essays on or, or@paulgraham.com, which now gets around 25 million page views per year in 2005. He and Jessica Livingston. Now his wife, Robert Morris and Trevor Blackwell started Y Combinator. The first of a new type of startup incubator since 2005, Y Combinator has funded over 3000 startups, including Airbnb, Dropbox, Stripe and Reddit in 2019, he published a new lisp dialect written in itself called bell. Paul is the author of on lisp published by Prentice hall in 93, own it and C common lisp, Prentice hall, 95 own it and, and hackers and, and painters of all things which was published by O'Reilly in 2004. I own all three. Yep. Uhhuh. He has his bachelor's degree in philosophy from Cornell, his master's and a PhD in computer science from Harvard. He's also studied painting at the Rhode Island school of design and at the academy Deb bell, Artie in Florence the well known and, you know, technology journalist, Stephen Levy has described Paul as a hacker philosopher.
Leo Laporte / Steve Gibson (01:28:34):
And given what I've seen, I would tend to agree. I was curious about his P his PhD dissertation. Oh wow. So I tracked it. I tracked it down. Wow. I have not read that. <Laugh> it is, it is quite something Leo it's titled. I love the title, the state of a program and its uses. Hmm. You know, it's wonderfully mystical. I read the abstract as you might expect. It's some seriously nice, pure computer science thinking. Oh, so poking around a bit more. I was getting intrigued by this guy. I looked at a couple of his Twitter postings, a recent post of his from Saturday three days ago. He, he tweeted in office hours today. And I should mention, as we'll see that his, the use of his term office hours is important to him. He says, I talked to a pair of founders who needed a new idea.
Leo Laporte / Steve Gibson (01:29:31):
It turned out they already had a great idea, but had been ignoring it because they didn't know how to monetize it. I told them to just build it. This thing could have a hundred million users. And yesterday he tweeted <laugh>. I love this effective organizations are unnatural. The natural state of organizations is bureaucracy and turf wars and once deprived of effective leadership, they revert to their natural state with shocking speed. Oh boy. Is that true? Oh, isn't that great? Yes. Isn't that great? Yes. Oh, and looking AF a bit further back on August 1st, first he tweeted the hardest people for founders to hire are so called C level executives, because these people are the best fakers in the world. <Laugh> yes. <Laugh> yes. He said even the best founders make absolutely disastrous mistakes. Hiring these people. It happens far more often than anyone realizes really does because neither party wants to talk about it.
Leo Laporte / Steve Gibson (01:30:46):
So after nearly destroying one company, the exec cheerly goes off to their next opportunity. <Laugh> and of course, I actually, this put me in mind of someone I've talked about on the podcast before a horrible person by the name of Ron Posner, who Peter Norton hired, because Peter thought he needed, you know, like an executive big mistake to stuff. Oh boy. Yeah. Yeah. So anyway, if you're into following people on Twitter, Paul might be someone worth following. I don't follow anyone, anyone on Twitter, but I'm really tempted to follow him. He tweets as at Paul G and you'd be joining his one and a half million current followers. And I'm unsure why I find this guy so fascinating. You know, that that doesn't happen that often he's got something. So it seems pretty clear that in Paul Graham, we have a serious computer science guy with a strong creative side and a very strong entrepreneurial business side.
Leo Laporte / Steve Gibson (01:31:57):
And, and, you know, that might be what's hooking me. He made money early in the run up of the internet and the.com revolution. It also appears that he's one of those still rarer guys who didn't make it by chance, you know, by being in the right place at the right time, but then never able to, again, recreate that first early success. He's a serially serially successful entrepreneur. And his he's either spent a lot of time thinking or he's very good at it. And it turns out that Paul is also an outstanding writer, which brings us to today's topic. As I said earlier, as I began reading what Paul wrote its subject and content resonated so deeply with me, as I know it will with so many of this podcast listeners that I knew that sharing it here would be the best possible use of everyone's time.
Leo Laporte / Steve Gibson (01:32:54):
This week. It helped that there was not a huge amount of compelling security industry news this week. But I had already made the decision to share this share this as this week's topic. Before I even knew that he gives explicit permission for his essays to be included in full in school newspapers and the like asking that the URL to its original page be included as I've already done several times in these notes. So here's what Paul Graham wrote just over 13 years ago in July of 2009, under the title makers schedule managers schedule, he said one reason programmers dislike, dislike meetings so much is that they're on a different type of schedule from other people mm-hmm <affirmative> meetings cost them more. There are two types of schedule, which I'll call the manager's schedule and the maker's schedule. The manager's schedule is for bosses. It's embodied in the traditional appointment book with each day, cut into one hour intervals.
Leo Laporte / Steve Gibson (01:34:12):
You can block off several hours for a single task if you need to, but by default, you change what you're doing every hour. When you use time, that way it's merely a practical problem to meet with someone, find an open slot in your schedule, book them, and you're done most powerful people are on the manager's schedule. It's the schedule of command, but there's another way of using time. That's common among people who make things like programmers and writers. They generally prefer to use time in units of half a day. At least you can't write or program well in units of an hour. That's barely enough time to get started. When you're operating on the maker's schedule. Meetings are a disaster. A single meeting can blow a whole afternoon by breaking it into two pieces each too small to do anything hard in. Plus you have to remember to go to the meeting.
Leo Laporte / Steve Gibson (01:35:25):
That's no problem for someone on the manager's schedule. There's always something coming on the next hour. The only question is what, but when someone on the maker's schedule has a meeting, they have to think about it for someone on the maker's schedule. Having a meeting is like throwing an exception. It doesn't merely cause you to switch from one task to another. It changes the mode in which you work. I find he writes, one meeting can sometimes affect a whole day, a meeting commonly blows at least half a day by breaking up a morning or an afternoon. But in addition, there's sometimes a cascading effect. If I know the afternoon is gonna be broken up, I'm slightly less likely to start something ambitious in the morning. I know this may sound oversensitive, but if you're a maker, I think he says, if you're a maker, think of your own case, don't your spirits rise at the thought of having an entire day free to work with no appointments at all? Oh my Lord. Yes. Well that means your spirits are correspondingly depressed when you don't and ambitious projects are by definition close to the limits of your capacity. A small decrease in morale is enough to kill them off.
Leo Laporte / Steve Gibson (01:36:58):
Each type of schedule works fine by itself. Problems arise when they meet since most powerful people operate on the manager's schedule, they're in a position to make everyone resonate at their frequency if they want to, but the smarter ones restrain themselves. If they know that some of the people working for them need long chunks of time to work in it, our case is an unusual one near me. Speaking of why Combinator, he says nearly all investors, including all venture capitalists, I know operate on the manager's schedule, but why Combinator runs on the maker's schedule? RTM that's Robert Morris and Trevor. And I do because we, we always have, and Jessica does too mostly because she's gotten into sync with us. I wouldn't be surprised if there start to be more companies like us. I suspect founders may increasingly be able to resist or at least postpone turning into managers just as a few decades ago, they started to be able to resist switching from genes to suits.
Leo Laporte / Steve Gibson (01:38:24):
How do we manage to advise so many startups on the maker's schedule by using the classic device for simulating the manager's schedule within the makers office hours, several times a week, I set aside a chunk of time to meet founders. We've funded. These chunks of time are at the end of my working day. And I wrote a sign up program that ensures all the appointments within a given a given set of office hours are clustered at the end because they came at the, because they come at the end of my day, these meetings are never an interruption unless they're working day ends at the same time as mine, the meeting presumably interrupts theirs, but since they made the appointment, it must be worth it to them. During busy periods, office hours sometimes get long enough that they compress the day, but they never interrupted. When we were working on our own startup.
Leo Laporte / Steve Gibson (01:39:29):
When we were working on our own startup, back in the nineties, I evolved another trick for partitioning. The day I used to program from dinner until about 3:00 AM every day, because at night, no one could interrupt me. Then I'd sleep till about 11:00 AM and come in and work until dinner on what I called business stuff. I never thought of it in these terms, but in effect, I had two work days, each day, one on the manager's schedule. And one on the makers. When you're operating on the manager's schedule, you can do something you'd never wanna do on the makers. You can have speculative meetings, you can meet someone just to get to know one another. If you have an empty slot on your schedule, why not? Maybe it will turn out. You could help one another in some way, business people in Silicon valley and the whole world for that matter, have speculative meetings all the time.
Leo Laporte / Steve Gibson (01:40:32):
They're effectively free. If you're on the manager's schedule, they're so common that there's distinctive language for proposing them saying that you want to grab coffee. For example, speculative meetings are terribly costly. If you are on the maker's schedule though, which puts us in something of a bind, everyone assumes that like other investors, we run on the manager's schedule. So they introduce us to someone they think we ought to meet or send us an email proposing. We grab coffee. At this point, we have two options. Neither of them are good. We can meet with them and lose half a day's work, or we can try to avoid meeting them and probably offend them. Till recently, we weren't clear in our own minds about the source of the problem. We just took it for granted that we had to either blow our schedules or offend people. But now that I've realized what's going on, perhaps there's a third option to write something, explaining the two types of schedule, maybe eventually if the conflict between the manager's schedule and the maker's schedule starts to be more widely understood, it will become less of a problem.
Leo Laporte / Steve Gibson (01:41:51):
Those of us on the maker schedule are willing to compromise. We know we have to have some number of meetings. All we ask from those on the manager's schedule is they understand the cost. So I just thought that the crystallization of that is what hit me so clearly. And I hear, I, I heard you getting it at the, the beginning of this Leo. Oh yeah. Oh yeah. You know what I like so much about what Paul has created here. It is the clarity of the distinctions he's made. I've often explained to my friends and family about what I call the, I call it switching cost. It is so much more efficient to stay on one thing until it's finished then to switch back and forth among multiple things. You know, in programming we call it context switching and it's expensive there too.
Leo Laporte / Steve Gibson (01:42:46):
And I definitely operate on a maker's schedule and I always have a day with no scheduled interruptions. Planned is joyous. It's a block of unbroken time. I saver in anticipation and actively appreciate. And it completely explains why I was so miserable, running a company with 23 employees, which was GRCs size at its peak. I liked every single employee I had, I enjoyed them as individuals, but I was worried that they were gonna need something from me when I was in the middle of doing something else. And the point is, I am always in the middle of doing something else <laugh>, you know, and I wanna be, that's the way I wanna spend my that's the way I wanna spend my life. Pretty much, most of the time, I just wanna be left alone to work <laugh> and Leo, I sort of feel I have a kindred spin a kindred spirit in you.
Leo Laporte / Steve Gibson (01:43:51):
Yeah. you know, if I'd had the wisdom back when GRC was a cauldron of chaos, I should have worked at home in seclusion four days a week and held office hours as Paul does on Fridays on those Fridays, I would've, you know, pre resigned myself ahead of time. Not, you know, of that. I would not be getting any code written that day. And perhaps I would have, you know, both been more available and less miserable and grumpy. So anyway, I can imagine many of the makers schedule listeners we have here, maybe sending a link to this little piece of writing to their managers, asking and pleading with them to read it. If I were drowning in a corporate setting, I, I think I would do so I am gonna recommend another one, which I blogged about coming a couple of years ago that, oh, good.
Leo Laporte / Steve Gibson (01:44:48):
That goes along with this one, Steve, that he wrote in 2016 called life is short. Life is short because it's the same, it's the same premise extended even farther, you know, don't waste time on BS, cuz life is short. Yep. So Paul's articles page is that Paul graham.com/articles.html it lists this and 211 other short essays. I've only poked around at them a bit, but I find something about them to be quite compelling. Yeah. Once you start reading, you won't stop <laugh> yes, I did not. I did not wanna stop reading them. But I had this podcast to finish <laugh> and I think that before, before I start in on this next book, I'm gonna spend some time there at the top of his page, he says, if you're not sure which to read, try how to think for yourself or do things that don't scale or how to lose time and money.
Leo Laporte / Steve Gibson (01:45:53):
And of course we have Leo's recommendation. Life is short, life is short. He also wrote the article on why you should learn lisp. So I can't help recommend that as well. <Laugh> I will be getting to it. You will. I leave our, I leave our listeners in Paul Grahams, very capable hands. Yeah. He's amazing. Great thinker and a great writer. And those two when you get the two together. Fantastic. Yeah. Fantastic. Yeah. Yeah. alright. I think that means you gonna go back to work and yes, I'm gonna go back to reading and the rest of you. Well, you could keep listening to podcasts. That's my suggestion. Steve Gibson, does this show every Tuesday, 11:00 AM Pacific, I'm sorry, 1:30 PM. Pacific that's 4:30 PM. Eastern 21 or 2030 UTC. If you wanna watch us do it live. That's why I say the times you can watch it live at TWI TV slash live there's audio and video there.
Leo Laporte / Steve Gibson (01:46:54):
Chat with us live at IRC, do twi.tv or in the club, TWI discord on demand version of the show available in our site, TWI do TV slash SN. We've got 64 kilobit audio and video available there. And of course you can subscribe to it in your favorite podcast client as well. Steve has two unique versions of it at his website, grc.com. He's got a 16 kilobit version for the bandwidth impaired. He also has really good transcripts written by human Elaine Ferris. So you can read those and follow along or use 'em to search for parts. All of that is@grc.com while you're there pick up spin, right Steve's bread and butter. We gotta, we gotta keep him in bread and butter. All, all you have to do right now get 6.0, you will participate in the development of 6.1 and get it for free.
Leo Laporte / Steve Gibson (01:47:43):
If you buy today the minute it's available, grc.com for spin, right? The world's best mass storage, maintenance and recovery utility, lots of other free stuff. There, you can leave a message for Steve there. Grc.Com/Feedback, but probably more useful to leave it. A DM for him. His DMS are open on Twitter. He's at SG GRC. You can DM him there at SGR C. We invite you to join club TWI. You can buy this show ad free for 2 99 a month. That's four episodes, pretty good deal. What is that? 75 cents an episode, and there are no ads in it at all. If you wanna spend a little bit more for seven bucks a month, you can get all of our shows at free, all of them, plus access to the discord, which is a great social event all the time, really fun.
Leo Laporte / Steve Gibson (01:48:36):
And the twit plus feed, which has lots of stuff before and after the shows other things, plus there's shows that we don't actually put out like Paul TH's hands on windows. That's a club only show a lot of times when we start a show, there's no audience, no advertisers for it takes us a while to build those up. It's great now because we have some revenue from the club we can put 'em in the club for free there. The untitled Linux show is in there Stacey's book club Clara and the son is coming up by the way in a couple of weeks Alex Lindsay's asked me Anthony's also in the club, so that helps us do a lot of extra stuff. Hands on Mac. If you want to join again, seven bucks a month, twit.tv/clubtwit. Thank you in advance. I think that covers everything. Mr. G except to say, have a great week and we'll see you next time on security. Now I salute you Leo and I will see you in the seven days I send you back. <Laugh> bye. And you live long and prosperous.
