Security Now Episode 888
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. The White House has a listening session that drives my blood pressure up. We'll find out why one Netherlands regulator quit his job in protest, another QNAP mess. And finally, it had to happen someday: phishing as a service. It's all coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT.
Leo Laporte (00:00:36):
This is Security Now with Steve Gibson, episode 888, recorded 13 September 2022: The EvilProxy Service. Security Now is brought to you by ExpressVPN. Going online without ExpressVPN is like leaving your laptop exposed at the coffee shop table while you run to the bathroom. Secure your online data today by visiting expressvpn.com/securitynow, and get an extra three months free on a one-year package. And by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60-day money-back guarantee. Go to canary.tools/twit and enter the code TWIT in the "How did you hear about us?" box. And by New Relic. Use the data platform made for the curious. Right now you can get access to the whole New Relic platform and 100 gigabytes of data per month, free forever, no credit card required.
Leo Laporte / Steve Gibson (00:01:43):
Sign up at newrelic.com/securitynow. It's time for Security Now. Yes, he's here, ladies and gentlemen, Steve Gibson. He didn't sleep well last night, but he's gonna sleep like a baby tonight, 'cause it's Security Now. Hello, Steve. That's right. He told me he sleeps better when the show's done. You put a lot of stress into this, right? Well, it's okay. So I monitor the phases of my sleep. Remember the Zeo that I had you get? Yeah, yeah. Like years ago. I still have it. Well, it may come in handy, in that it turns out that the amount of slow wave sleep we get, which is the deepest level of sleep, it correlates with how, basically it's a response from the previous day's cognitive memorization-related work. And they've done tests where they've taken two groups of people who are well mixed and had them both spend the day doing two different types of task.
Leo Laporte / Steve Gibson (00:02:49):
One which involves memorization and the other also a mental task, but did not require memory. And the amount of slow wave sleep obtained by the group who are trying to memorize things is significantly larger than the group that did an equal amount of work but didn't require memory. It's during slow wave sleep that memories are transferred from temporary storage into permanent storage. And what's interesting is that that's also the only cycle, the only phase of our sleep, where the toxic proteins, the amyloid betas and the tau proteins, are swept out of our brain. So one wonders whether the old adage about learning a language or exposing yourself to novelty, if the reason that tends to keep your brain healthy is that our brain's response to that load we're putting on it, like a memorization load, learning something new, is to give us more slow wave sleep, which has the effect of clearing out the metabolic debris from the previous day's work.
Leo Laporte / Steve Gibson (00:04:08):
Hence you should never stop doing this show. <laugh> This show is good for you. Oh, hence I need to keep finding authors like the new author that I just had. Oh, good books are worth too. Oh, are you still reading him? You crazy band. We'll talk about, I've got a section of our show notes to talk about. Oh, can't wait. Yes. What else we gonna tell? So we're at episode 888 for the 13th of September. This was titled The EvilProxy Service and oh boy, <laugh> Bruce Schneier's words about attacks never getting worse, they only ever get better or stronger, they really ring true here. Anyway, we've got something really interesting and upsetting to talk about, but first we're gonna look at an unusual and disturbing escalation of a cyber attack. I hope not an indicator of things to come. I also note that crypto heists have become so pervasive that I'm not mentioning them much anymore.
Leo Laporte / Steve Gibson (00:05:15):
It's just ridiculous. We'll talk about that. Breaches, it's the same thing. It's just so many. Yes. Also the White House last Thursday conducted a listening session, as they called it, to dump on today's powerful tech platforms. Some of what came from that was interesting. And a government regulator in the Netherlands quit his position and then told us why. Also there's another QNAP mess, which is bad enough to exceed my already quite high QNAP mess discussion threshold. Normally I just don't talk about it anymore because it's like, okay, again. Anyway, also D-Link routers need to be very sure that they've been, that they are now running the latest firmware. I'll explain why. I've got, as I mentioned, another comment about my latest sci-fi author discovery, two quick bits of feedback from our listeners, and then we're gonna examine this, essentially, phishing as a service. Oh, golly. It happened. Inevitable. In the same, inevitable in the, yes, it isn't exactly that, Leo, in the same way we had ransomware as a service. Now we have phishing as a service, and this service can bypass all of our multifactor authentication safeguards. Oh boy. That's not good. So it is essentially the conceptual cousin of ransomware as a service. And oh, do we have a picture of the week. <laugh> I burst out laughing when I saw it. It's good. It's good.
Leo Laporte / Steve Gibson (00:06:55):
All right. Well, you have lots to get to and we will do that in a moment, as soon as we talk about our sponsor of the hour, ExpressVPN. I'll never forget this. We, Lisa and I, were in Japan at a McDonald's in Japan because they didn't want the bento box, they wanted a Big Mac, and we're sitting there and a woman is sitting at a table. She's eating her McDonald's burger and gets up to go to the bathroom, leaves her purse right there. And Lisa and I are looking at each other. We're looking at the purse, but what we found out is, and this is in Tokyo, it is so safe in Japan that you can in fact leave your purse and go to the bathroom and it will be there, safe. In fact, if you leave your wallet behind, somebody will come running.
Leo Laporte / Steve Gibson (00:07:42):
After you saying, "Your wallet, your wallet." Very honest. Now I wouldn't recommend doing this in any other country in the world. And if you are using the internet without ExpressVPN, it's basically like you're at a coffee shop and you're gonna go to the bathroom and just leave your laptop there, and might as well leave it logged in, right? Most of the time nobody's gonna mess with you. Maybe you'll be in Tokyo and it'll be okay. But what if one day you come outta the bathroom, your laptop's gone, or worse, you don't even know it, but they've stolen all your data, your passwords, everything. That's what it's like if you're on the internet without ExpressVPN. You need a VPN when you connect to an unencrypted network. What it does is it encrypts it, very simple. That's cafes, that's hotels, cruise ships, airports. Anybody on the same network can gain access to your personal data, passwords, financial details, et cetera, as they float unencrypted through the sky.
Leo Laporte / Steve Gibson (00:08:42):
But it doesn't take a lot of technical knowledge, just some inexpensive hardware. Frankly, a smart 12-year-old could do it. Your data is valuable. Your laptop is valuable. Hackers can make a lot of money selling personal information about you on the dark web. Even more subtle and worse than that, Darren Kitchen at Hak5 sells a little thing called the WiFi Pineapple, a little device you hook up to your laptop. You go to a coffee shop and, if you're a bad guy, you can use his WiFi Pineapple to snoop on all the laptops out there and do some really evil things. For instance, you can see that laptop's on the network. Even if they're encrypting their email password, you can see what its favorite access points are. And you can see the one that's your home. And then you can impersonate the home access point and your laptop, being the goofball that it is, says, "Hey, we're home."
Leo Laporte / Steve Gibson (00:09:36):
"Join the network." Now your data's going through the hacker's WiFi Pineapple and laptop out to the outside world. So being visible on a network is not a good thing. The good news is you're not. When you use ExpressVPN, you're invisible because you're in an encrypted tunnel. A hacker can see there's something going on, but they can't see your machine. They can't see you. They don't know it's you. And of course they can't steal your data. They can't attack you with a WiFi Pineapple. The encryption is, of course, strong encryption. That means it's basically undefeatable. It'd take a bad guy with a supercomputer a billion years to get in. So you don't have to worry about that. The other thing though, and I always point this out, is you're now trusting the VPN provider, right? 'Cuz everything's going through them and then goes out into the real world.
Leo Laporte / Steve Gibson (00:10:24):
So it's very important you choose carefully. That's why I use ExpressVPN. That's why I tell you to use ExpressVPN. They are absolutely safe. They don't log your presence. And we know they don't do this because from time to time nation states without laws like ours, without warrants, will come seize the servers (it happened in Turkey) from ExpressVPN, expecting to get lots of data about its users from it. And there's nothing on there. They developed a really cool specialized version of the Debian Linux distro that automatically resets itself on every reboot, which they do daily. They use a special server. They call it the TrustedServer, that lives in RAM, is sandboxed, can't write to the drive. So when you're using ExpressVPN, the minute you close that connection, it's gone. And so is every evidence of you existing and it's... But that doesn't mean it's hard for you to use.
Leo Laporte / Steve Gibson (00:11:20):
You put the app, it's on everything. You can even put it on some routers, so your whole household is protected. You press a button, you're protected. Phones, laptops, tablets stay secure, no matter where you are, on the go or at home, 'cuz you know what? Your ISP spies on you too. Secure your online data today. Visit expressvpn.com/securitynow. E-X-P-R-E-S-S vpn.com/securitynow. You don't need to use a VPN all the time, but on the other hand, ExpressVPN is so fast, so easy to use, why not just leave it on and you'll always be secured. Right now, get an extra three months free with your one-year package. Makes it less than seven bucks a month. By the way, you do not want a free VPN. You wanna pay for it. They take that money. They invest it in infrastructure. They invest it in rotating IP addresses.
Leo Laporte / Steve Gibson (00:12:09):
They do all the things you need to do to be a good VPN. It's not cheap to run a VPN. I think less than seven bucks a month is a very, very good price for the best VPN out there. expressvpn.com/securitynow. We get to see that thing that made me laugh out loud. So the residential version of this is that old story. You'd have to be our age or older, probably, right, to remember when fuses were screw-in base in homes, right? The actual fuse. There weren't circuit breakers so much back then. They were very much like a lamp socket, but you would screw in a fuse, which was round. Yes. And it would have a little piece of copper there in the middle. And of course the point was that if something downstream of the fuse was drawing so much current, that the little fuse, that's called a fuse, would overheat and melt.
Leo Laporte / Steve Gibson (00:13:27):
Well, you wanted that to happen because the melting opened the circuit and turned off the current. Yeah. And so, as an engineer, as a technical person, the idea... and what people would do, of course, is things would happen. Fuse is, clearly you don't have a fuse. It could just sort of, yeah. You don't have a fuse handy because you used them up. You used a fuse the last time it blew. Yeah. That was your last fuse. <laugh> And so you forgot to go get some more, <laugh> but the lights are off. So what are you gonna do? Well, you get a copper penny and you stick it in the socket and then you'd screw the burned-out fuse on top of it. And oh look, the lights come back on. Yeah. And you'd better hope the next surge is so powerful it melts the penny. <laugh> And you again. So, okay. All this by way of introducing our picture of the week, which is the equivalent on an industrial scale.
Leo Laporte / Steve Gibson (00:14:32):
Oh my God. If anyone has ever seen a fuse box that would be protecting a huge, a woodworking shop with a bunch of equipment in it, or something that's drawing, like an oil derrick or something, where the fuses, the fuses are cylinders with big thick copper blades on each end, and you stick them in and the blades are grabbed by receptacles on either end. And there's a pair of them for the hot and cold line. Anyway, in this picture, apparently because something similar happened, they ran out of fuses. Maybe they were stolen. Maybe they kept blowing out. Well, first of all, if your fuses keep blowing out, there's something wrong. Anyway, these industrious people decided, okay, well, these pesky fuses keep blowing out. So they took two very large screwdrivers and just stuck them in place of these fuses. <laugh> And boy, I tell you, if these fuses blow, you're in trouble. You really have some problems.
Leo Laporte / Steve Gibson (00:15:49):
Yeah. Wow. Yeah. That's hysterical. Oh, I have those screwdrivers. Now that I know I can use 'em as fuses, I'm set. That's good. Actually I own the one on the right. Yeah. Me too. Who does that's absolutely own. Yeah. Yes. That thing must be a popular screwdriver 'cuz both of us have one. Okay. So Albania versus Iran. Risky Business News headlined their story this way. They said, "Albania cuts diplomatic ties with Iran in the first ever cyber-related escalation." I don't have a strong emotional tie to either Albania or Iran, though it's worth noting that Albania is a member of NATO. Fortunately, at this time, cyber war mostly amounts to transient inconveniences, some office can't process green cards or something. But what's so worrisome about this is that it feels as though it might be predictive of worse things to come, and eventually perhaps involving global-scale adversaries.
Leo Laporte / Steve Gibson (00:17:09):
Okay. Anyway. So here's what happened. The Albanian government announced last Wednesday, the seventh, that it would be cutting all diplomatic relations with Iran in the aftermath of a major cyber attack. And this marks the first time ever that a cyber attack has escalated this severely in the political realm. In a recorded video statement published on YouTube, for anyone who's interested, I have the link in the show notes, Albania's prime minister Edi Rama said that after concluding an investigation into the incident, they found indisputable evidence that Iranian state-sponsored hackers were behind the cyber attack that took place nearly two months prior, on July 15th. So they didn't just jump at this immediately. They did some investigating. In fact, they involved Microsoft. That cyber attack crippled multiple Albanian government IT systems. Rama gave Iranian diplomats one day, 24 hours, to close their embassy and clear out, while the Iranian government naturally denied any involvement in the attack.
Leo Laporte / Steve Gibson (00:18:24):
NATO, the US White House and the UK government all published statements in support of the Albanian government and supported its attribution of the attack to the Tehran regime. The US called Iran's attack on its NATO ally a troubling precedent and promised to take further action to hold Iran accountable. And I did see subsequently, but I didn't track it down, that the US had announced sanctions on Iran specifically due to this attack, this cyber attack on Albania. And of course, although Iranian officials may deny their involvement, the proof lies in the malware used, which was discovered in the July 15th attack. Both Mandiant and Microsoft have linked back to multiple past instances of Iranian cyber espionage operations and tooling using the same stuff. Microsoft, which has participated, as I said, in the Albanian government's response to the incident, said it was able to link the incident to four different Iranian APTs, advanced persistent threat groups, and detailed how these four groups have been working together to breach Albanian government networks.
Leo Laporte / Steve Gibson (00:19:53):
At least since last year to establish the proverbial foothold. Then finally in July, under the auspices of the Iranian government, which apparently decided it was time to act, the attack was launched. Microsoft says the four groups appear to work under the guidance and control of the Iran Ministry of Intelligence and Security, MOIS. The four groups with numerical designations: there's DEV-0842, which deployed the ransomware and the wiper malware; DEV-0861, a different group, gained initial access and exfiltrated data. So now we're seeing specialization among individually identified groups. We have DEV-0166, which exfiltrated the data, and DEV-0133, the group which probed the victim's infrastructure initially. So both Mandiant, which by the way Google, remember, purchased in March for 5.4 billion, and Microsoft concur in their statement that the Iranian attack is directly connected to the Albanian government's harboring thousands of Iranian dissidents, part of an exiled opposition party named the People's Mu... Muja...
Leo Laporte / Steve Gibson (00:21:22):
How do you say it? Mujahedin, something like that. Anyway, Organization... I meant to look up the pronunciation before the podcast and I forgot. Anyway, also known as MEK, which I like to say much easy, more easily. At the request of the US government, MEK was given shelter in Albania in 2016, after the Iranian regime declared the group a terrorist organization and started hunting its members. MEK members were planning to hold an annual summit on July 21st. But that summit, which was titled the Free Iran World Summit, was canceled because of terrorist and bomb threats. Microsoft says that the threats and the July 15th cyber attacks were part of a broader effort from the Iranian government to go after the group and its host country. So whereas past operations typically involved coordinated social media campaigns, data leaks, vague threats, and declarations from Iranian officials, the deployment of a data wiper and ransomware appears to have crossed a line, which Albanian and NATO officials are not taking quietly though.
Leo Laporte / Steve Gibson (00:22:37):
Albania's prime minister tried to play down the aftermath of the July 15th attack and said the government systems were now restored, the attack crippled government operations and official websites for weeks. And in fact, moments after Iranian officials left the embassy, Albanian police raided the building, which is unusual, in search of any incriminating evidence that might have survived the typical hard drive bashing and document burning practices of fleeing diplomats. Conducting this raid was seen as extreme. But the general sentiment is that NATO partners backed and pushed Albania into this action as a way to signal to other aggressive countries that a line is being crossed when entire government IT networks are being wiped just because someone wants to attack a dissident group that they're annoyed with, and of course attack those who are harboring the group. I think that's appropriate. I really do. Don't you? You have to draw a line in the sand. No, no defense. Oh yeah. To say no, no. To draw the line. Yeah, absolutely. This shall not pass. And Leo, I mean, the thing that's worrisome about this, as I started off saying, is that, what if this is a harbinger?
Leo Laporte / Steve Gibson (00:24:03):
I mean, we've talked about how weird it is that the US and China are apparently right now involved in percolating, kind of going on in the background, cyber attacks against each other. Well, the problem is cyber is becoming, sorry to use that term in isolation, Leo, <laugh> the cyber world is becoming... Cyberspace, man. <laugh> It's becoming where the world operates. And so attacks there are real attacks. Yes, absolutely. Increasingly. And I be deadly. I mean, there's no reason to treat it any less seriously than a rocket. Yeah. A mortar attack, I think. Right. And so I agree with you completely. I think that it is a good proportional response that the, yes, the world said, okay, this is not all right. We know it was you, Iran. We know why you did it. We know you're not happy. We don't agree with your unhappiness. And you've just attacked a member of NATO. So even if it was a cyber attack, yeah. Now I understand the risk is that it will escalate into it worse and worse, back and forth. But I don't see any way of that. This is the whole issue of any military force. Yes. You have to, there are bullies. And so you need a defense. You can't just let bullies be bullies or... Oh, and wait till you get to the fourth book in this.
Leo Laporte / Steve Gibson (00:25:46):
Oh, I can't wait. I can't wait. You want some bullies? Oh baby. We got some bullies. And it ended up being a bit of a back and forth. Last Wednesday, the diplomats were given one day to clear out and close the embassy. Two days later, last Friday, the ninth, Albania was hit by another major cyber attack, which has officials once again pointing the finger at Iran. The attack hit Albania's Total Information Management System, as it's called, TIMS, which is an IT platform belonging to Albania's ministry of interior used to keep track of people entering and leaving the country. According to a series of tweets from Albania's minister of the interior, six border crossing points were impacted and experienced border crossing stoppages for at least two days. This included five land crossings at Greece, Kosovo, and several in Montenegro, and at the airport near Albania's capital. Ministry officials blamed the attack on the same hand, as they put it, that hit Albania's IT network in July; in other words, Iran. So let's hope that the world is watching and recognizes that cyber attacks are not gonna be treated like anything less than the attack that they really are, especially when they seriously impact government infrastructure.
Leo Laporte / Steve Gibson (00:27:19):
So <laugh>, I feel that I should note something else that I'm seeing constantly, which I just skip over typically, without comment on this podcast, and that's crypto heists of this or that also-ran cryptocurrency. Nonstop. They're nonstop. Oh my God. Constant. From this or that random exchange that no one's ever heard of before, or random newbies being crypto scammed. So this week I'll give everyone three perfect typical examples, Leo, of what we're both talking about, so everyone has a feeling for what they're normally not missing. Okay. First, get this: the New Free DAO, that's NFD, token. That's a, whatever that, it's a DAO, right? A DAO, autonomous, you know, organization. The New Free DAO token lost 99% of its value after a threat actor used a flash loan attack to steal more than one and a half million dollars worth of crypto from the platform.
Leo Laporte / Steve Gibson (00:28:33):
According to blockchain security firm CertiK, the hacker appears to be the same attacker who also hit DeFi platform Neorder four months ago. <laugh> I know, glass news. I shouldn't laugh. I know. 'Cause no, but Leo, the sad thing is, I don't mind if some Bitcoin bro loses his shirt, that's fine. But probably a lot of these people are just suckers, normal people, unfortunately. Yes, unfortunately. Yeah. So also the operators of the GERA cryptocurrency suspended operations last week after a hacker gained control over the platform's smart contract, which is the name of it, which apparently wasn't so smart, after developers leaked the private key. According to the GERA team, the attacker minted one and a half million dollars worth of crypto, which they later transferred to their own Ethereum address. The platform has not yet resumed operations. Okay. Boohoo. And third, Romanian law enforcement raided two penthouses.
Leo Laporte / Steve Gibson (00:29:39):
I got a kick at the fact that they were in penthouses, two penthouses in Bucharest, and detained three suspects. According to a joint investigation with the UK's National Crime Agency, the NCA, the suspects would contact victims. Get this, Leo. You're gonna love it. The suspects would contact victims of cryptocurrency fraud and defraud them again. <laugh> Oh, that's... By posing as financial fraud recovery specialists, and ask for a substantial fee to recover their initial losses. Once a sucker, you know, got the sucker hat on. They're gonna come at you. Oh, you're wearing it. Just so everyone knows, there is now a more or less constant flux of these sorts of heists. I mean, cryptocurrency, no one seems to be able to hold onto it. Just constant. This is a great website from Molly White called Web3 Is Going Just Great. And she has a little counter in the lower right-hand corner of how much money has been lost to crypto fraud.
Leo Laporte / Steve Gibson (00:30:54):
And it's, it is, it's kind of stunning. It's just nonstop. What does it show? 10.669 billion. Oh my Lord. I mean, this is a classic. This is a typical headline: Algorand Foundation discloses 35 million exposure to Hodlnaut. <laugh> Well, you don't wanna exposure Hodlnaut, Leo. Well, both of these were legit. Hodlnaut was a crypto wallet that halted withdrawals on August 8th. Algorand is a proof-of-stake blockchain, and they foolishly put 35 million into Hodlnaut. And then Hodlnaut was heavily exposed to Terra, which collapsed in May. So Hodlnaut halted withdrawals 'cause there's no regulation. Possibly, what could possibly go wrong? No regulation. Children are running the bank. Incredible. Goodness. Incredible. Yes. If we titled our podcasts after the show, the way you do for MacBreak Weekly, it would be Never Exposure Hodlnaut. Yeah. And by the way, I'm laughing only because it's so horrible.
Leo Laporte / Steve Gibson (00:32:12):
And again, if it were Bitcoin bros, fine, throw your ill-gotten gains to the wind. The Winklevoss brothers, let them lose all the bits in their coin, but it's not. It's sad to say, it's people who are being suckered by NFTs and crypto. Don't be fooled, kids. We have some guy, a neighbor in our neighborhood, who's all NFT popped up. And some other neighbors who know I'm kind of a computer guy say, should we do anything? But I said, no, stay away from, as far away as you can, stay away from that guy. Yeah. Yeah. Mean, apparently if you're Kevin Rose and you can have a little, what is it, a zombie he's got, he owns some zombies. But then, and I love Kevin, but I think this is a little sketch. He created his own owls, Moonbirds, they call 'em, and has been selling...
Leo Laporte / Steve Gibson (00:33:09):
'em, sold them within the first week, 50 million worth of them. And what, so many that he, it's he and a bunch of other people called the PROOF Collective, but it's really one of the big names. There's three people involved in stuff. So because it's big names in this area, NFT area, people bought in to the tune of 50 million. All of it's speculation. You only buy an NFT 'cuz you think someday some sucker's gonna come along and buy it for twice as much. Then Kevin, realizing <laugh> he made a lot of money here, put out a YouTube video saying, no, no, we're gonna do good things with the money. Then <laugh> last week it was announced that Marc Andreessen, Andreessen Horowitz, just put another 50 million into it as an investment. So I think the only thing, that was a good YouTube video. Yeah. The only thing we did wrong, Steve... He cannot stop making money, that guy. The only thing we did wrong, Steve, is not issuing an NFT early on, and throwing away the hard drive.
Leo Laporte / Steve Gibson (00:34:15):
I can only say a hundred times stop. This is Bill Murray's NFT charity auction. That's $185,000, which is immediately stolen hours after the auction. A hacker gained access to Murray's crypto wallet and snagged the 119 ETH for themselves. And on and on and on. There were bulbs that were once so popular. That was tulip bulbs, tulip bulbs. I thought that was gonna be a good investment. That was gonna be a big deal. I got 'em next to my Beanie Babies in the closet. <laugh> Okay. So the White House held a tech platform accountability listening session last Thursday. In a nation founded on the principle of a right to free and open public speech and a free and open press, neither being under the thumb of the government, the question is what responsibility do our social media platforms have, and to what degree, if any, about the content their users publish and which they subsequently host and our search engines find and index.
Leo Laporte / Steve Gibson (00:35:37):
Certainly a good question. Now I looked through the list and the titles of the 16 attendees who were invited to participate in this listening session last week. If it were possible for bureaucracy to reach a critical mass where its own gravitational attraction would cause it to collapse in upon itself, putting this group into a single room would be inadvisable. Boy. I mean, the titles, just the... You need a line wrap in order to see them. Nevertheless, the listening session occurred and everyone appears to have survived. I suppose that a session titled tech platform accountability would tend toward the negative, but boy did this group dump on today's social media offerings. The White House started everyone off with a negative tone and the meeting's participants appear to have willingly added fuel. The summary of the event is not long and I think it's worth sharing. So here's the White House's summary.
Leo Laporte / Steve Gibson (00:36:48):
They said, although tech platforms can help keep us connected, create a vibrant marketplace of ideas and open up new opportunities for bringing products and services to market... Okay. Just so everyone knows, that's the end of the good news part of the summary. They continued: they can also divide us and wreak serious real-world harms. The rise of tech platforms has introduced new and difficult challenges, from the tragic acts of violence linked to toxic online cultures, to deteriorating mental health and wellbeing, to basic rights of Americans and communities worldwide suffering from the rise of tech platforms big and small. They said today the White House convened a listening session with experts and practitioners on the harms that tech platforms cause and the need for greater accountability. In the meeting, experts and practitioners identified concerns in six key areas: competition; privacy; youth mental health; misinformation and disinformation; illegal and abusive conduct, including sexual exploitation; and algorithmic discrimination and lack of transparency. One... and for what it's worth,
Leo Laporte / Steve Gibson (00:38:09):
I mean, I know we are all sympathetic to the problem that we have. There are certainly problems here. They said one participant explained the effects of anti-competitive conduct by large platforms on small and mid-size businesses and entrepreneurs, including restrictions that large platforms place on how their products operate and potential innovation. Another participant highlighted that large platforms can use their market power to engage in rent seeking, as the term is, which can influence consumer prices. Several participants raised concerns about the rampant collection of vast troves of personal data by tech platforms. Some experts tied this to problems of misinformation and disinformation on platforms, explaining that social media platforms maximize user engagement for profit by using personal data to display content tailored to keep users' attention, content that is often sensational, extreme and polarizing. Other participants sounded the alarm about risks for reproductive rights and individual safety associated with companies collecting sensitive personal information, from where their users are physically located to their medical histories and choices.
Leo Laporte / Steve Gibson (00:39:29):
Another participant explained why mere self-help technological protections for privacy are insufficient, and participants highlighted the risks to public safety that can stem from information recommended by platforms that promote radicalization, mobilization and incitement to violence. Multiple experts explained that technology now plays a central role in access to critical opportunities like job openings, home sales and credit offers, but that too often companies' algorithms display these opportunities unequally or discriminatorily target some communities with predatory products. The experts also explained that the lack of transparency means that the algorithms cannot be scrutinized by anyone outside the platforms themselves, creating a barrier to meaningful accountability. One expert explained the risks of social media use for the health and wellbeing of young people, explaining that while some technology... well, for some, technology provides benefits of social connection, there are also significant adverse clinical effects of prolonged social media use on many children and teens' mental health, as well as concerns about the amount of data collected from apps used by children and the need for better guardrails to protect children's privacy and prevent addictive use and exposure to detrimental content. Experts also highlighted the magnitude of illegal and abusive conduct hosted or disseminated by platforms, but for which they are currently shielded from being held liable and lack adequate incentive to reasonably address, such as child sexual exploitation, cyberstalking and the non-consensual distribution of intimate images of adults.
Leo Laporte / Steve Gibson (00:41:27):
I know the White House, I know the White House officials exposed the meeting, closed the meeting by thanking the experts and practitioners for sharing their concerns. They explained that the administration will continue to work to address the harms caused by a lack of sufficient accountability for technology platforms. They further stated that they will continue working with Congress and stakeholders to make bipartisan progress on these issues. And the President, Biden, has long called for fundamental legislative reforms to address the issues. So it seems clear that, much as with the argument over cryptography and privacy, which creates an inherent lack of accountability when it can be used by criminals for criminal ends, that there's a tension there, which I find fascinating because it's created by technology. Well, there's obviously another set of tensions here on the, that is being created by the technology and, frankly, by the willful conduct of these major tech platforms.
Leo Laporte / Steve Gibson (00:42:42):
So it seems clear that sooner or later we're gonna be subjected to legislation of some form as our various governments attempt to somehow... it's gonna come down to micromanaging this incredibly slippery terrain, which at least in the United States also employs constitutionally protected freedoms. So I imagine there'll be some time spent in the courts as well. Anyway, I wanted to finish by sharing that six bullet point, sort of the takeaways, the targets, which were cited as the main focuses, the core principles for reform. The first is promote competition in the technology sector. They said the American information technology sector has long been an engine of innovation and growth, and the US has led the world in the development of the internet economy. Today, however, a small number of dominant internet platforms use their power to exclude market entrants, to engage in rent seeking and to gather intimate personal information that they can use for their own advantage.
Leo Laporte / Steve Gibson (00:43:55):
We need clear rules of the road to ensure small and mid-size businesses and entrepreneurs can compete on a level playing field, which will promote innovation for American consumers and ensure continued US leadership in global technology. We are encouraged to see bipartisan interest in Congress in passing legislation to address the power of tech platforms through antitrust legislation. Second, provide robust federal protections for Americans' privacy. They said there should be clear limits on the ability to collect, use, transfer, and maintain our personal data, including limits on targeted advertising. These limits should put the burden on platforms to minimize how much information they collect rather than burdening Americans with reading fine print. We especially need strong protections for particularly sensitive data such as geolocation and health information, including information related to reproductive health. We're encouraged, again, to see bipartisan interest in Congress in passing legislation to protect privacy. Third, protect our kids by putting in place even stronger privacy and online protections for them, including prioritizing safety-by-design standards and practices for online platforms, products, and services.
Leo Laporte / Steve Gibson (00:45:25):
They said children, adolescents and teens are especially vulnerable to harm. Platforms and other interactive digital service providers should be required to prioritize the safety and wellbeing of young people above profit and revenue in their product design, including by restricting excessive data collection and targeted advertising to young people. And I, for one, I don't have any young kids, never had to raise them in this internet age, but it would be a terrifying prospect, I think. Yeah, the problem. I agree with all of these sort of in principle, the problems the... I'm with you completely, Leo, and I heard you talking last week. It wasn't here. It was in the Techdirt guy's dialogue with you. Yeah. Yes. About some of the ideas that California's legislators have come up with, and by the way, it's in law and it's a terri... it should be terrifying to you because, yes, you have potentially 18-year-olds and under using your site, you want 'em to. That means you have to design your site, and everybody has to design their site, for the lowest common denominator.
Leo Laporte / Steve Gibson (00:46:45):
And that's ridiculous. That's just absurd. Yeah. That's not how you protect kids. So yeah. Well, let's change the internet, make it safe for kids. You mean all of it? Yeah. All of it. Okay. Yeah. It's very much like the overreach of the grant permission for cookies. It's like, oh my goodness. Yeah. Let's fix them rather than make everyone agree to them. There's some things I completely agree with. We need to work on privacy protections. I agree. But then they mix, intermix this with this, to protect the children, the design of websites. That was all code earlier on about social networks to overturn Section 230 of the DM C, which is vital to the internet. And it's just a fundamental misunderstanding of how it works, and it's politics, and it's very shameful. I'm very disappointed, frankly. Yeah. So I'll just skip, I'll summarize the last three points.
Leo Laporte / Steve Gibson (00:47:43):
There was removal of special legal protections for large tech platforms. And here we come to Section 230. Just as you were saying, Leo, it's like, how can we make open platforms actually responsible for everything that their participants post? I mean, again, it's a problem that they're not a problem, what people are posting, but it's impractical to say, to make them responsible. Section 230 makes it possible for them to moderate. Yes. The problem is you have some politicians who don't like to be moderated. They call it deplatforming. And if you keep... make it impossible to moderate, well, that's not good. Get ready. <laugh> It's gonna be bad news.
Leo Laporte / Steve Gibson (00:48:35):
Yep. Number five is increased transparency about platforms' algorithms and content moderation decisions. They said, despite the central role in American life, tech platforms are notoriously opaque. Their decisions about what content to display to a given user and how to remove content from their sites affect Americans' lives and American society in profound ways. However, platforms are failing to provide sufficient transparency to allow the public and researchers to understand how and why such decisions are made, their potential effects on users, and the very real dangers these decisions may pose. So California passed a law on this too, just the other day, which Mike Masnick calls the Spammers Protection Act because it essentially says, tell any, make it public, how you block spam, how you clear stuff out that's bad, decide which is not what... not make your algorithms public. And oh, by the way, you can't change them unless you have a period of publishing it and stuff.
Leo Laporte / Steve Gibson (00:49:37):
So all this does is tell people how to game the system. It achieves nothing. Oh, I'm sorry. Yeah, go ahead. Do your show. No, no, no, no. Leave. You get me all up. Like to hear from you het up. I'm all het up. Now it violates number six, stop discriminatory algorithmic decision making. They say we need strong protections to ensure algorithms do not discriminate against protected groups, such as by failing to share key opportunities equally, by discriminatorily exposing vulnerable communities to risky products, or through persistent surveillance. So what was the famous line? We're the government and we're here to help. <laugh> But honestly, I don't think we should depend on the tech platforms to regulate themselves. They won't. No, no. So government needs to, but it needs to do so intelligently, not stupidly and not with a political ax to grind. I mean, capitalism has a lot going for it.
Leo Laporte / Steve Gibson (00:50:35):
One of the problems it has, however, is it does tend to form monopolies. It naturally forms monopolies. Someone, some one or group will get bigger than others and they will use the power of their bigness to continue to accelerate. So that creates positive rather than negative feedback. And it's unstable. So it's a good system, but it needs management. Yep. Yep. And we've got something like that here. Yep. Happening. I agree. And so we do need regulation, but boy, yeah. Maybe we need people under the age of 50 to do it. Perhaps that's the problem. They just... well, and in the case of the internet, we also have a single global network carrying services which straddles nations whose governments grant their citizens really widely differing rights, and which restrict the behavior of their enterprises in widely differing ways. How does, I mean, presumably they've been trying to so far, how does a single Facebook, Twitter, Instagram, or Google simultaneously satisfy the widely differing requirements of different geographical regions of the globe?
Leo Laporte / Steve Gibson (00:51:50):
I mean, these are hard problems. So, oh, before I leave the subject of governments, Bert Hubert, a member of... oh, in fact, we're well into the podcast, Leo. Let's tell our listeners why we're still here. Oh, okay. <laugh> All right. Glad to do it. Before we get to Bert... Bert, hang on. We'll be with you in a moment. But first it's time to tell the world about our Canary. I love this little guy. This little Canary is a lifesaver. It's a honeypot. We've talked about honeypots on this show. It's one of the very first things we ever talked about. That was long before the folks at Thinkst came up with the Canary. But not long before they were teaching governments, companies, militaries how to break into networks. They've been doing this for more than a decade and they used the knowledge they had to create the Canary.
Leo Laporte / Steve Gibson (00:52:54):
This is the hacker's worst nightmare. It is a device that sits on your network. Maybe it shows up in Active Directory. It's completely benign looking. It doesn't look vulnerable. It looks valuable. And it could be a server, Windows or Linux. It could be a switch. It could be a router, a SCADA device, identical down to the MAC address. This one's set up as my Synology NAS. That's not a Synology NAS, but it looks like it. And when you try to log in, what happens? I get an alert saying there's somebody snooping around on your network. And that's what these are so valuable for. You protected the perimeter. I'm sure we do. Everybody should. But what happens when bad guys get in? And we know they get in. Worse, we know on average it takes 191 days before the company realizes they've been breached. Six months for a bad guy to wander around unimpeded, to download files, to look at where your backups are and place time bombs there. If their goal is to put out ransomware, man, they're gonna scope the whole system, know everything that's going on, so that ransomware is doubly effective. And oh, the new thing, by the way: before you set off the time bomb, let's exfiltrate a lot of information so we can blackmail you later. This is your worst nightmare. Unless you got this, the Thinkst Canary.
Leo Laporte / Steve Gibson (00:54:24):
In fact, the other thing that's great about this, this will set trip wires throughout your network. You won't just have one of these. You'll have them spread out all over your network, looking like a lot of different devices, but they can also create something called Canarytokens, which look just like documents. They sit on your hard drive, like a Windows Excel spreadsheet, or maybe a PDF or a database, but they're not. They're tokens. And as soon as a bad guy attempts to open them, it triggers an alert. Now this is great because you're not gonna get any false alarms. You're only gonna get alerts that really matter, that really say there's... you got a problem. And you can get 'em any way you want: email, text message, or all of the above. By the way, when you get a Canary, you'll get a console. Of course it's gonna be on there.
Leo Laporte / Steve Gibson (00:55:12):
You can have 'em send you a Slack message. It supports webhooks. That means it's open to a whole bunch of different ways you could do it. Syslog, a lot of guys I know, like sysops, use syslog. That's a great way to do it. They even have an API if you wanna code up something on your own. Canaries, these are fantastic. Let me give you some idea of the pricing. So most small companies might have a half a dozen. Big bank might have hundreds spread out all over. You know, want 'em in all the nooks and crannies so that when somebody gets in, the first thing they stumble on is this Canary, so that you know immediately, right? Let's say you want five of them. That's a good number to start with. That's 7,500 bucks a year. You get five Canaries. You get your own hosted console.
Leo Laporte / Steve Gibson (00:55:59):
You get all the upgrades, the support, the maintenance for that year. If you sit on your Canary, they immediately send you a new one. Don't worry. Actually, I could sit on this all day. It wouldn't break, but <laugh> just, if you did, you'll... <laugh> I'm gonna give you a deal. I'll tell you what, if you use the code TWIT in the "How did you hear about us?" box, you tell Thinkst, hey, we saw this on Security Now. Just use TWIT. It's easy to remember, four letters. You will get 10% off your Canary, and not just for the year, but for life, forever.
Leo Laporte / Steve Gibson (00:56:31):
And we know you're gonna love this thing, but even if for some reason it doesn't suit, you got 60 days to return it for a full refund, two-month money-back guarantee. So there is zero risk. But don't put this on your network and then say, well, I don't hear anything. That's good. <laugh> Good. If the little green light's on and you're not hearing anything, that's a good thing, but you'll be really glad when you get that message saying, hey, somebody just tried to open me. Then you know you got problems. canary.tools/twit. This is the Canary in your data mine. Enter the code TWIT in the "How did you hear about us?" box. You get 10%. We get credit. We thank Canary for all they do. canary.tools/twit. There's another little twist on that, by the way. In my research this week for the podcast, I ran across a new product that they're offering.
Leo Laporte / Steve Gibson (00:57:26):
What you just described is great for detecting infiltration from the outside, but we know that insider threats are a problem also. Absolutely. They have the ability to plant monitors on the workstations throughout an enterprise, and then it can assign what they call protected commands. And if any command is issued on a workstation which is under Canary monitoring, it will send the same sort of message to headquarters saying somebody over here has just done something that you told us you wanted to be informed. Oh, that's really cool. So it's watching more than just the activity against the Canary. It's watching commands that people are issuing and stuff. That's great. Yeah. Yeah. These guys at Thinkst are pretty sharp, pretty canny individuals. We talk to 'em once in a while. I really like them, really great bunch. Okay. So back to Bert, Bert Hubert, and Mr.
Leo Laporte / Steve Gibson (00:58:27):
Mrs. Hubert, <laugh> why Bert? I don't really, why Hubert really? But did you really have to name your son Bert? You think his real name is Hubert Hubert, yo, Humbert Humbert. Anyway, he's a member, or actually he was, of TIB, the Dutch government board that checks the legality and approves communications interception warrants for the Dutch intelligence and security services. Well, as I said, he was, 'cause he resigned last week. The automatic English translation of Bert's blog posting explaining his decision was so atrocious, he said, that he wrote an English version himself, and I'm glad he did, because if I were serving in a government that I believed in, I'd hire this guy in a second based on what he wrote. So here's what he said. He said, if either of the civil or the military intelligence and security services of the Netherlands want to use a lawful intercept, SIGINT or hacking or some other legal powers, they must first convince their own jurists, then their ministry.
Leo Laporte / Steve Gibson (00:59:48):
And finally the TIB. The TIB then studies if the warrant is legal, and that decision is binding. He said, when I joined the regulatory commission, I was very happy to find that the Dutch intelligence and security services were doing precisely the kinds of things you'd expect such services to do. I also found that our regulatory mechanisms worked as intended. If anything was found to be amiss, the services would actually stop doing that. If the ex ante regulator, meaning upfront, in advance, he says, i.e., my board, ruled a permission to do something was unlawful, it would indeed not happen. He says, I think it is important to affirm this in public. Over the past two years, however, there have been several attempts to change or amend the Dutch intelligence law. The most recent attempt has now cleared several legislative hurdles and looks set to be passed by parliament.
Leo Laporte / Steve Gibson (01:00:59):
He said under this new law, my specific role, technical risk analysis, would mostly be eliminated. In addition, the Dutch services' bulk interception powers would be stripped of a lot of regulatory requirements. Furthermore, there are new powers like using algorithmic analysis on bulk intercepted data without a requirement to get external approval. Finally, significant parts of the oversight would move from upfront, ex ante, to ongoing or afterwards, ex post. Doing upfront authorization of powers, he says, is relatively efficient and is also pleasingly self-regulating. If an agency overloads or confuses its ex ante regulator, they simply won't get permission to do things. This provides a strong incentive for clear and concise requests to the regulator. A regulator that has to investigate ongoing affairs, however, is in a difficult position. It can easily become overloaded, especially if it's unable to recruit sufficient technical experts. In the current labor market, it is unlikely that a regulator will be able to swiftly recruit sufficient numbers of highly skilled computer experts able to do ongoing investigations of sophisticated hacking campaigns and bulk interception projects.
Leo Laporte / Steve Gibson (01:02:39):
An overloaded regulator does not provide good coverage. It is also vulnerable to starve-the-beast tactics. He said, once it became clear the intended law would likely pass parliament, I knew I would have to resign anyhow. Wow. Since I don't agree, since I don't agree with the new expanded powers and the changes in oversight. As a member of the regulatory board, I could not share my worries about the new law. The regulatory board itself is staffed with excellent people, but by design, the board only operates within the existing law. It is not responsible for formulating or even criticizing any new laws. Instead of waiting out the likely passing of the new law, I've decided to leave now. This enables me to speak my mind on what is wrong with the new law. It may not help, but at least it's better than watching democratic backtracking in silence.
Leo Laporte / Steve Gibson (01:03:54):
It has been a great honor to have been part of the regulatory powers board. Its staff and members are an impressive bunch, and I wish them the best of luck with their ongoing and important work. On a final note, if anyone is looking for a government regulator with a proven track record of resigning when things go wrong, know that I'm available. <laugh> That's great. <laugh> Hired. <laugh> Wow, good for Bert, Bert or whatever his name is. That's great. That's great. Yeah. Wow. And it's also worth noting, although Bert didn't mention that in his blog posting, that his TIB flagged several cases of abuse last year that targeted journalists, and several cases of broad warrants that intercept bulk traffic over entire global internet cables. So wow. His term for what he sees happening, I thought, was great. He called it democratic backtracking, and I thought this was worth sharing since it shows the way democracy will decay.
Leo Laporte / Steve Gibson (01:05:01):
If it's not fully understood and continually reinforced. As I said before, it's not an inherently stable system since it is subject to creeping manipulation. Just think of the US tax code, <laugh> if you need another example of creeping manipulation. <affirmative> Oh yeah. Some group of right-minded people originally established the operation of the Dutch regulatory commission to work the way it does today for a reason, for at least some of the reasons Bert has explained, but who knows, maybe those who this are now out of power and those being regulated have been chafing at the limitations the current system deliberately imposes upon them. Yes, it's an inconvenient and annoying. It's meant to be. Surveillance of a free and democratic people should not be the default. It should be the exception. And it does seem that initiating the surveillance first and asking for permission either concurrently or afterward is far more likely to lead to abuse. Again, the question is, what principles do we wanna support? So bravo, Bert, bravo. I'm sorry you, sorry, needed to resign, but that's what people have to do if they see things happening around them that they cannot participate in good conscience. Awesome. And it's glad you gave him a forum. Yeah.
Leo Laporte / Steve Gibson (01:06:42):
Okay. Another near constant event that I choose to only cover periodically, actually, you and I talked about it after we began, we stopped recording last week, Leo, is horrendous problems occurring in QNAP NAS software. It's just constant. Since it's entirely possible to run a non-QNAP OS on their QNAP hardware, ideally hope that anyone listening to this podcast will have switched out QNAP's constantly disappointing firmware for any of the Linux or Unix alternatives that are known to run on the hardware. In fact, QNAP's own platform is a Linux derivative. So you can do that. And if you do, and again, Google will show you how. And if you do need to remain with QNAP, please, by all means, protect it from the public internet. We've talked about many ways to do that in the past. Even now QNAP themselves has told their own users not to expose their devices to the internet, despite the fact that they're network storage.
Leo Laporte / Steve Gibson (01:07:56):
Oh boy. <laugh> I know. Okay. I know. Okay. So Deadbolt is both a ransomware and a ransomware group that has been plaguing QNAP users and their devices throughout 2022, all year. Since January, thousands of QNAP customers have reported being attacked by the Deadbolt ransomware group. The group demands a ransom of 0.03 Bitcoin, currently around $1,100, for the decryption key. After the initial attacks affected about 3,600 devices last January, the group continued to resurface with campaigns in March, May and June of this year. They're a persistent bunch. Reddit and other message boards had been flooded with customers lamenting the loss of files that included family photo albums, wedding videos, and more irreplaceable things. Dozens of users took to Reddit to complain that they were among those attacked in the latest campaign. In a note to QNAP, the hackers demanded five Bitcoin, which would be about just shy of $94,000, to reveal details about the alleged zero-day vulnerabilities.
Leo Laporte / Steve Gibson (01:09:22):
They initially used to attack its users, and another, woo, 50 Bitcoin, which is just shy of a million dollars, to release a master decryption key that would unlock all of their victims, their users, victim files. Now QNAP would not say whether it was, it has considered paying the ransom for the universal decryption key, which is to say no, but we can be pretty sure that that's not gonna happen. Also when a spokesman said the company's research... So this is the QNAP spokesman said the company's research has shown that the Deadbolt group is attacking legacy versions with known vulnerabilities, which have security updates available. Okay. Sounds logical. Reasonable, maybe true. In other words, they're saying it's not, it's the user's fault, not theirs, so they should pay if they want their data back. Now, some users have disputed QNAP's insistence that only devices that have not been updated are being attacked.
Leo Laporte / Steve Gibson (01:10:37):
And this kind of seems reasonable since the group behind this, the Deadbolt group, are coming up with new ways to do this all the time. And here's a little bit of a gotcha. If ransom is paid, the key provided by Deadbolt may not work. So the security company we've talked of several times, Emsisoft, released its own version of a Deadbolt decryptor after several victims reported having issues with the one they received in exchange for paying a ransom. However, it's not any sort of universal decryptor. It only works with a decryption key supplied by the operators of the Deadbolt ransomware through a ransom payment. Emsisoft's Fabian Wosar tweeted: QNAP users who got hit by Deadbolt and paid the ransom are now struggling to decrypt their data because a forced firmware update issued by QNAP removed the payload that is required for decryption. <laugh>
Leo Laporte / Steve Gibson (01:11:46):
Okay. So this got so bad, finally, that QNAP took matters into their own hands and forced a firmware update onto their customers, which broke the ability for the ransomware payment to, after receiving the decryption key, to function. So, wow. Emsisoft came along and said, okay, we'll fix that for you. And they did. What a mess. Earlier this year, the security company Censys, who runs that IoT search engine... Remember, we've often talked about Shodan. There's now another kid in town, Censys, and they're doing neat things. Anyway, they have a search engine that goes wide and deep on IoT stuff. They reported, and a QNAP, a QNAP NAS is considered an IoT device, they reported that of the total 130,000 QNAP NAS devices sold, forty-nine hundred and eighty-eight, so just shy of 5,000 of those servers, exhibited the telltale signs of this specific piece of ransomware. So about 5,000 compromises. Censys also managed to track the Bitcoin wallet transactions associated with an infection and found that of the previous batch of victims, 132 paid ransoms totaling about $188,000. So this is making money for someone who is saying, we'll give you all of the stuff you've lost on your NAS for a thousand dollars in Bitcoin. 132 people in that particular batch did. So then Censys also created a dashboard to track the number of victims around the world. The majority of the most recent infections are taking place in the US, Germany and the UK. And it's not over. Since all of that...
Leo Laporte / Steve Gibson (01:13:56):
And this is really what finally caused this to rise above my QNAP threshold: Censys observed that the number of QNAP NAS devices infected by the same Deadbolt ransomware spiked from twenty-one hundred and forty-four on, which was the count on July 9th, to 19,029 on September 4th, which was Sunday before last. The spike arose because the ever industrious Deadbolt gang exploited, yes, another new zero-day vulnerability in the photo app, or the Photo Station app, which is installed on most QNAP NAS systems. So they're finding more new ways in. Okay, again, if you have a QNAP NAS with QNAP software, get it off the internet. And if you can, put in a replacement software set, just, and it is possible, there are third-party solutions for QNAP. Oh, and before we leave the Censys internet scanning company, it's worth noting that they recently published a 2022 State of the Internet report, which observed that misconfigurations accounted for 60% of the issues they observed across all internet-exposed services.
Leo Laporte / Steve Gibson (01:15:30):
Oh, globally. That's a good number. Yeah. Wow. Yeah. They found that software, the software, it was the software problems only accounted for 12% of all observed problems. That is, software vulnerabilities. It wasn't it. So all of these problems are misconfigurations. Now it's unclear whether placing a QNAP NAS onto the internet would inherently be considered a misconfiguration of those devices, but it seems pretty clear that it should be. You do not wanna put one of those things on the net. Also, one last IoT note: D-Link is currently being taken over by MooBot, M-O-O-B-O-T. Palo Alto Networks' Unit 42 has identified a three-year-old Mirai botnet variant known as MooBot. It's rapidly finding and co-opting any remaining vulnerable D-Link routers into another army of denial of service bots by taking advantage of multiple old and two new, but all patched, exploits.
Leo Laporte / Steve Gibson (01:16:49):
Last Tuesday, Unit 42 said if the devices are compromised, they will be fully controlled by attackers who could utilize those devices to further conduct attacks such as distributed denial of service. Okay. So MooBot, which was first identified and disclosed by the Chinese group, the Qihoo 360's Netlab team, back in September of 2019, so three years ago, MooBot has previously targeted LILIN, L-I-L-I-N, digital video recorders and those Hikvision video surveillance products we were talking about a couple weeks ago. In the latest wave of attacks, discovered by Unit 42 early last month, as many as four different highly critical flaws in D-Link devices are being used in the development of MooBot samples. So the four flaws: the oldest, believe it or not, CVE-2015-2051, carries a CVSS, I gotta love this one, of 10.0. I mean, it must just be that you connect to the D-Link router and says, please, sir, may I enter?
Leo Laporte / Steve Gibson (01:18:14):
And it says, oh, by all means, make yourself at home. How do you get a 10.0, I don't know, on a, wow. On a... So that one is an H, it's called the HNAP SOAPAction header command execution vulnerability. You probably just put a command in the header and it runs it for you. A CVE-2018-6330, so back from year 2018, that's got a CVSS of 9.8, still right up there with the best of them. This one is the D-Link SOAP interface remote code execution vulnerability. Sounds kind of generic. But then the other two are 2022, this year. CVEs both also carry scores of 9.8. Oh, D-Link goes big. They are both also remote command execution vulnerabilities. So as I said, successful exploitation of any one of those four flaws, which all have very low attack complexities, so we're told, is used to remotely launch a wget command, which retrieves the MooBot payload from a remote host. MooBot
Leo Laporte / Steve Gibson (01:19:31):
Then, after it's started, parses instructions from a command-and-control server to launch DDoS attacks in ways we're all too familiar with. So although the oldest vulnerability is from 2015 and the next oldest is from 2018, those other two, which are 9.8 remote code execution vulnerabilities, known and patched, were only fixed this year. So anyone who knows anyone who uses a D-Link router should be certain that they have updated recently, because these Deadbolt guys are on the prowl and they're looking for all the routers they can get in them, that they can get themselves into.
Leo Laporte / Steve Gibson (01:20:14):
Okay. Leo, would you like me to do something? No. No, I'm good. Okay. <laugh> But thank you. Shortly. I'm here when you need me, man. I'm just here for you. Last week... Oh, I wanna hear about... introduced... Yes. I introduced our listeners to my latest science fiction reading discovery, Scott Jucha's The Silver Ships, thanks to one of our listeners. I have been having so much fun. Oh, now you've got it. Ever since... Now I gotta have it. <laugh> Leo, I'm now halfway through the fourth book, actually I'm at 71%, and I can assert that this is the most engaging and satisfying series of novels I have read in a long, long time. And just wait until you meet the Swei Swee. For those of you who prefer to have books read to them, I'm so glad, Leo, that you said that the reader of this series is someone you know and you enjoy listening to.
Leo Laporte / Steve Gibson (01:21:23):
Yeah, he's good. Yeah, because I wouldn't want anything to spoil the experience of Audible's listeners. My initial mild concern after only the first book was that Scott Jucha's character development might be overly focused upon his story's central character, a young miner by the name of Alex Racine. Well, that concern has dissolved completely. We now have a broad cast of wonderful characters, and this guy writes so well. I was trying to put into context for myself how good this book series is. I mean, I'm just giddy reading it. I know that there have been times in the past when I have been this thrilled over a science fiction storyline: the Honor Harrington novels, Michael McCollum's Gibraltar Stars trilogy. And I'm sure that some of Peter Hamilton's stories did this, although there was always a lot to wade through with his major work. And there must be others, since it is a familiar feeling for me to be so satisfied when I'm reading the inventions of a skilled storyteller who really knows how to weave a yarn and who has come up with a bunch of great new sci-fi technologies and people, both human and non. Another thing I've noticed is that in the best serialized stories a lot happens in every installment. So far, there's been no sense of Scott stringing us along.
Leo Laporte / Steve Gibson (01:23:09):
Even when the action slows down for a while, as almost has to happen from time to time, there turns out to be a real purpose in the way we were spending that time. And the best books always always cause those of us who love to read to immediately wish for amnesia so that the story can be experienced again, new. Anyway, this series is the equal of any I've read and oh boy, prepare yourself for a huge surprise at the start of book three. Oh boy. So anyway, it is so good. I can't start it till September 22nd. I understand. I need my audible. I've got a backlog. <laugh> I know you have a backlog. Oh, speaking of which funny, you should mention that. Yes. They tweet from X four JW. He said, hi, Steve. Thanks for the recommendation of the silver ships series of books went to purchase book one on my audible account.
Leo Laporte / Steve Gibson (01:24:14):
Oh. And was surprised slash delighted to see that books. 2, 3, 4, 5, 7, 8, 9 are all included for free as part of the audible plus membership. And I just had to click, add to library to grab those. He said, I can understand why book one is not free. Not sure why book six isn't so again, it's you gotta buy book one, then 2, 3, 4, 5, 7, 8, 9 are all free. Nice. And then he said books, 10 to 20 are also purchased to own titles on audible. He said, anyway, just thought readers. He has in quotes using audible might like to know that they can get 35% of the series for free as part of the plus subscription service. Then by the time you're hooked at book 11 <laugh> oh, you go by the rest of them. Leo, as I said, I I'm at 71% of in book four. I I'm astonished by what this guy has done. Wow. It just we were talking about bullies and in, oh, in book four, some people you just wanna have get what's coming to them and oh, do they ever <laugh> oh, I might have to buy this one just ahead of time. Just to get started. I love it. That I get so many of them for free. That's good.
Leo Laporte / Steve Gibson (01:25:48):
So the guy who reads it, Grover Gardner, I've spent some time with, because he read Stephen King's The Stand. So I've spent at least 48 hours with <laugh> listening to Grover Gardner. Actually, I listened to several of his audiobooks. You know, you might at first say, well, I don't like his voice. Just bear with him. I think for something like this, he's a good choice because he's a very clear, simple, easy-to-understand reader. And it sounds like there's a lot of content here, so this will be good. Yeah. I really like Grover Gardner. So, okay. Let's take our break. Thank you. And then we're gonna talk about the EvilProxy service. I appreciate your recommendations, Steve. So far I get a lot of feedback from our listeners saying they've liked everything I've seen. Oh, it's always great to get 'em. And we have Stacey's Book Club, which is a sci-fi book club.
Leo Laporte / Steve Gibson (01:26:38):
I get some between this show and this weekend Google. <laugh> why my list is so long on audible. I'm so far behind. I get so many good recommendations, but I think I might start this sooner than later. Oh, it's you really selling me? Oh yeah. Speaking of selling you, I wanna sell you on new Relic. I think new Relic is great. What makes great developer curiosity, right? The first to explore new tech, you read the documentation. You wanna know how things work and why they work that way. You've got that kind of mind. Right? But that's exactly why so many engineers turn to new Relic. New Relic gives you data about what you build as a developer and shows it's really happening in your software life cycle. And this is so valuable. You know, write your code, you commit it, you launch it. It has a life of its own.
Leo Laporte / Steve Gibson (01:27:26):
And if things go wrong, it's kind of a it's out there. It's a mystery, not with new Relic. It's a single place to see the data from your entire stack, 16 tools in one, you don't have to go out and get 16 independent tools and try to make 'em somehow work with one another. No, they all integrate into single pane of glass. It pinpoints issues down to the line of code. This is like debugging on steroids, right? Imagine if you could not just see your software stack, but the whole operating stack the cloud, everything, and then see where the problem is. You can resolve it quickly. That's why developers and ops teams at dash and epic games use new Relic. GitHub uses new re in fact, 14,000 companies use new Relic to debug and improve their software. When teams come together around data, it allows you to triage problems, be confident decisions and reduce the time needed to implement resolutions.
Leo Laporte / Steve Gibson (01:28:19):
Using data, not opinions. Use the data platform made for the curious. Right now you get access to the whole New Relic platform and a hundred gigabytes of data per month, free forever. No credit card required. Sign up at newrelic.com/securitynow. N-E-W-R-E-L-I-C.com/securitynow. Thank you, New Relic, for saving the lives of thousands of developers all over the world and for supporting Security Now. We really appreciate it. newrelic.com/securitynow, one word. Thank you, New Relic. All right, Steve, on with the show, and let's talk about this EvilProxy. Oh, boy. So, wow. As you said, and you hit it exactly right, Leo, in retrospect it was obvious that this was gonna happen. Last Monday, the security research group called Resecurity, their findings about a recently appearing, just last May, new, fully functional turnkey phishing-as-a-service system known as EvilProxy. Key among the many powerful features of this new underground service debuting on the dark web is its effortless ability to intercept SMS, OAuth,
Leo Laporte / Steve Gibson (01:29:47):
and one-time token multifactor, time-based token multifactor authentication flows. As a result, the "log in with some other website like Google or Facebook," or "enter the SMS code we just sent to your phone," or "enter the six-digit code displayed on your authenticator" are all effortlessly bypassed and rendered ineffective. Okay. This is all accomplished by streaming the actual target website, where the naive user believes they are logging in, through a transparent reverse proxy, which I'll explain further in a minute. They're not actually where they think they are. And unless they are scrupulously attentive to the URL being displayed in their browser's URL bar, they will be unwittingly providing their full authentication credentials, including any form of multifactor authentication, to a malicious third party who will intercept their successful login session token to obtain a full secondary login to their account with all the rights that arise from that. Okay. So this sort of proxying is one of the inherent Achilles heels of the way the web works.
Leo Laporte / Steve Gibson (01:31:16):
I remember clearly one summer when I was deep into the work on SQRL, I brought my work to a halt in order to completely wrap my head around this whole problem of spoofing, because it's a tough one. I felt as though I still didn't have an absolutely crystal clear understanding of exactly where the problem arose, and I needed SQRL to solve it if it was possible. Anyway, I figured it out. And the result for SQRL was something called CPS, Client Provided Session. And it does indeed, once and for all, completely solve this problem. Now, since I'm at work on SpinRite 6.1, I haven't taken the time to determine whether the FIDO2 and the WebAuthn folks also solve this problem. And I guess it doesn't matter whether it does solve it or not, since the Passkey system is what we'll eventually be getting.
Leo Laporte / Steve Gibson (01:32:17):
In fact, it's, it's live in iOS 16, which is now on iOS devices that are able to take it. But for what it's worth, it is possible to completely solve the problem. And that's another one of the things that SQRL does. Anyway, remember the wonderful observation which we credit to Bruce Schneier. I mentioned it at the top of the show. He said something to the effect of, "Attacks never get weaker. They only ever get stronger." We're about to see an example of Bruce's observation on steroids. The thing that is so chilling about this new EvilProxy service is exactly that it's a service. That's horrifying. We thought Log4j Java vulnerability, which began the year, it's certainly a problem. But as we previously described, it turned out not to be the end of the world for one reason: it was not a slam-dunk, drop-and-go, easy-to-use vulnerability.
Leo Laporte / Steve Gibson (01:33:27):
Every specific instance of its use needed to be deliberately engineered for the specific target where that potential vulnerability might be exploited. And the industry learned an important lesson from that: it matters far less whether something is possible than whether it's easy. Which brings me to why this new EvilProxy phishing-as-a-service facility is so horrifying. The service providers have created an astonishingly powerful, simple-to-use, point-and-click web interface for their service. Through this interface, powerful phishing campaigns can be created by filling out some fields, selecting the required features and pressing a "create campaign" button. If the Log4j vulnerability never exploded because it was difficult to use, this EvilProxy service promises to be an instant hit because it could hardly be any easier to use. So that everyone can see for themselves, this week's GRC shortcut of the week,
Leo Laporte / Steve Gibson (01:34:47):
so that's grc.sc/888, will bounce its user's browser to a four-minute Vimeo video, number four, sorry, 746020364. But you can just put in grc.sc/888; that will show you a video which the EvilProxy service provider uses to market and demo the ease of the use of their tool. Okay, so now let's back up a bit for a bit of a broader overview of Resecurity's discovery. From their coverage of this, the title of their report was "EvilProxy Phishing-as-a-Service with MFA Bypass Emerged in Dark Web." They said: Following the recent Twilio hack leading to the leakage of two-factor authentication one-time password codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new phishing-as-a-service, and then they have PhaaS. In fact, in the same way that ransomware-as-a-service is RaaS. <laugh> Yes.
Leo Laporte / Steve Gibson (01:36:21):
So, PhaaS called EvilProxy, advertised in the dark web. On some sources the alternative name is Moloch, or Moloch, sorry, M-O-L-O-C-H. Yeah. Evil Moloch, Moloch, which has... you want some Moloch... which has some connection to a phishing kit developed by several notable underground actors who targeted the financial institutions and e-commerce sector previously. While the incident with Twilio is solely related to the supply chain, cybersecurity risks obviously lead to attacks against downstream targets. The productized underground service like EvilProxy enables threat actors to attack users with enabled multifactor authentication on the largest scale, without the need to hack upstream services. They said EvilProxy actors are using reverse proxy and cookie injection methods to bypass multifactor authentication, proxying the victim's session. Previously, such methods have been seen in targeted campaigns of advanced persistent threat and cyber espionage groups. However, now these methods have been successfully productized in EvilProxy, which highlights the significance of growth in attacks against online services and multifactor authorization mechanisms. Based on the ongoing investigation surrounding the result of attacks against multiple employees from Fortune 500 companies, Resecurity was able to obtain successful knowledge about EvilProxy, including its structure, modules, functions, and the network infrastructure used to conduct malicious activity.
Leo Laporte / Steve Gibson (01:38:27):
Early occurrences of EvilProxy have been initially identified in connection to attacks against Google and Microsoft customers who have enabled multifactor authentication on their accounts, either with SMS or application tokens. In other words, authenticators. They said the first mention of EvilProxy was detected early May 2022. This is when the actors running it released a demonstration video detailing how it could be used to deliver advanced phishing links with the intention to compromise consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Was it on YouTube so we can all enjoy it? Geez, Louise. I know. And Leo, if you scroll down on the notes, look at some of the screenshots I've attached. I'll get to them in a second. Okay. Then they finished: notably, EvilProxy also supports phishing attacks against Python Package Index. Oh, which we were just talking about, PyPI.
Leo Laporte / Steve Gibson (01:39:40):
Okay. So in their report, these guys embed a screenshot from the EvilProxy control panel showing the entry and options for proxying PyPI login and authentication. It shows that login, password and session cookies are supported, meaning that they're captured, and the user can choose to have the service running for 10 days for $150, 20 days for $250, or 31 days for $400. So your typical quantity discount schedule. God. Up at the top of the page, we see a .onion URL. So this is all being hosted by a hidden Tor Project onion service. And below is the control panel page selector showing a shopping cart icon labeled "available services and prices," next to a circled dollar sign icon labeled "account balance."
Leo Laporte / Steve Gibson (01:40:50):
Conveniently, on the left is an expandable dropdown labeled "campaign URLs." And underneath that is "create campaign." The Resecurity guys addressed the point of targeting software repos. They said the official software repository for the Python language, Python Package Index, PyPI, said last week that project contributors were subject to a phishing attack that attempted to trick them into divulging their account login credentials. The attack leveraged JuiceStealer as the final payload after the initial compromise, and according to Resecurity's HUNTER team findings, related to EvilProxy actors who added this function not long before the attack was conducted, suggesting strongly that EvilProxy was the reason that the PyPI system was attacked in a phishing attack. Besides PyPI, the functionality of EvilProxy also supports GitHub and npmjs, of course the JavaScript package manager, which is widely used by over 11 million developers worldwide, which enables supply chain attacks via advanced phishing campaigns.
Leo Laporte / Steve Gibson (01:42:16):
It's highly likely the actors aim to target software developers and IT engineers to gain access to their repositories. And again, remember, this is not the EvilProxy people doing the attack. EvilProxy is merely now a service, in the same way that ransomware attacks were being conducted by affiliates using the ransomware-as-a-service service. So what we have is random cybercriminals now starting to leverage the EvilProxy service to launch sophisticated phishing attacks using that service. So we're already seeing evidence of the EvilProxy service in use. Okay. So how does all this work? As I mentioned before, the internet and the World Wide Web specifically have an inherent problem, which is created by the web's brilliantly flexible and powerful underlying technologies: the URL itself. The URL as a thing was originally intended to be fully human readable, even human typable. But as we've seen, and we've all watched the evolution of web-hosted services through the past few decades, we've watched the readability and certainly the typability of URLs virtually disappear.
Leo Laporte / Steve Gibson (01:43:54):
As I'm typing this text into Google Docs, I look up and I see a URL that appears to be mostly random character gobbledygook. And significantly, I opened and have been editing this document at this point for the past three hours, yet that was the first time my eyes fell upon this page's URL. Why did I have any reason to believe I was at the right place? I was sure I was, because the page looked the way I expected it to look. I never had any doubt. So I never sought or received any further confirmation beyond the composition of the page I'm visiting.
Leo Laporte / Steve Gibson (01:44:42):
I'm one of the hundreds of thousands of people listening to this podcast. One of us. How do we imagine that a normal internet user regards all of the utterly indecipherable things that their web browser does? And we've added all of this script-driven automation to the user's experience, too. When a user clicks on a link in a search engine, on a social media site, or in an email, they may have noticed their URL bar flickering rapidly as their browser dances among all of today's various third-party link tracking services. Everyone wants to get in there for a piece of the action. So we've fully eliminated any sense, from even an unusually savvy user, that they should worry about the details of what's going on there. That's just the way things are today. EvilProxy leverages the reverse proxy principle, which is made possible by all of this inherent flexibility we've built into the web.
Leo Laporte / Steve Gibson (01:45:52):
Conceptually, the way it works is simple. The bad guys lead their intended victim to a phishing page. We've talked about phishing extensively in the past, right? It's p.com. That page uses what's known as a reverse proxy to fetch and display from the legitimate page all of the legitimate content the user expects to see, including login pages, and it sniffs their traffic as it passes through the proxy. It's a classic man in the middle. This in-the-middle position allows the middleman to harvest the valid web browser session cookies, which are eventually passed back to the victim user, thus using the victim as an authentication mule to provide the usernames, passwords and even two-factor authentication tokens. Remember also that while the man in the middle is able to intercept and forward one-time tokens for their one-time use, they also intercept and obtain the resulting session authentication cookies. Because the reverse proxy terminates TLS encryption in each direction, it sees everything in the clear.
Leo Laporte / Steve Gibson (01:47:19):
This means that anyone not using some form of additional one-time multifactor authentication will have their username and password stolen in the clear for future use. The Resecurity guys obtained videos released by the EvilProxy service providers demonstrating the use of their point-and-click setup to steal the victim's session and successfully authenticate through Microsoft two-factor authentication and Google's email services to gain access to the target account. The more you see, the more chilling it all is. I've included the link to Resecurity's full report, which embeds additional Vimeo videos for anyone who wants to become even more frightened. As I noted above, EvilProxy's services are offered on a prepaid account basis. When the end user cybercriminal chooses a service of interest to target, Facebook, LinkedIn, whatever, the activation will be for a specific period of time, as I said, 20 or, 10, 20 or 31 days, as described in the plan's itemized description.
Leo Laporte / Steve Gibson (01:48:36):
And Leo, there's another screenshot further down, which, yep, there it is. One of the key actors, using the moniker John Malkovich, acts as gatekeeper administrator to vet all new customers. The service is represented on all major underground communities, including XSS, <laugh> XSS and Exploit, both of which we've talked about before, and Breached. Payments for EvilProxy are arranged manually via an operator on Telegram. Once the funds for the subscription are received, they're deposited into the account in the customer portal, hosted in Tor. Use of the service is available for $400 per month in the dark web, hosted in the Tor network. And in the show notes and on the screen in the video, we see the options for creating campaigns where Dropbox is used as the phishing target, RubyGems, Yandex, Yahoo, Microsoft, and the list, that looks like the list is about maybe half of the scroll length, based on the scroll thumb that we see over on the right.
Leo Laporte / Steve Gibson (01:49:55):
So, and those and more services are being added continually. And in fact, for the Microsoft box, we see xbox.com, skype.com, onenote.com, office.com, microsoftonline.com, microsoft.com, live.com and bing.com. So you get to choose your target of the phishing attack. The EvilProxy portal contains tutorials and interactive videos explaining and demonstrating the use of the service and configuration tips. So the bad guys have done a state-of-the-art job in terms of the service usability and configurability of new campaigns, traffic flows and data collection. After activation, the operator will be asked to provide SSH credentials to further deploy a Docker container and a set of scripts. This approach was likely borrowed from a previous phishing-as-a-service called Frappo, which the Resecurity guys identified earlier this year. So what does all this mean? While access to the EvilProxy service requires individual customer, client vetting, cybercriminals now have a cost-effective and scalable point-and-click solution which provides them with all the backend machinery required to enable them to run advanced phishing attack campaigns on their own while having no skill whatsoever about how to actually do the technology.
Leo Laporte / Steve Gibson (01:51:42):
That's all now turnkey, provided for them, just as ransomware-as-a-service was. And that includes bypassing state-of-the-art multifactor authentication, which is no protection against any of these. The appearance of such a service on the dark web will undoubtedly lead to a significant increase in account takeover, business email compromise activity and cyberattacks targeting the identity of end users, where multifactor authentication may now be easily bypassed with the help of tools like this one. And EvilProxy has no corner on the market. All they really did was to fully automate an already existing aspect of advanced cybercrime. They have made it trivial to do. They clearly got the idea from the preceding ransomware-as-a-service control panels, which act just the same. And as we know, those have been way too successful, for exactly the same reason that EvilProxy promises to be.
Leo Laporte / Steve Gibson (01:52:57):
And we know what'll happen next: other cretins will see it and decide to compete with it. Once multiple such services exist, competition will drive continued evolution in the features and will also drive down the cost to use them. We built a very powerful and capable World Wide Web whose features are increasingly being used against us. The creation of reverse proxy exploitation followed by an easy-to-use turnkey service, well, it was probably inevitable, but it's certainly not good news. Wow. PhaaS. Yes. PhaaS, phishing-as-a-service. And so now the script kiddies, anybody can do it. There are, yeah. Yep. Anybody can do it. And this is the problem I have with things like the WiFi Pineapple, too. It's like, oh, well, we're a proof of concept. Or you could use it for pen testing. But you're really just making it easy for people with mal intention and no skill, yes,
Leo Laporte / Steve Gibson (01:54:06):
To act out. And that just means more people can do it. Oh, well, I don't understand. It's funny. You and I, and I'm sure all of our listeners have a moral compass and just can't fathom how somebody could do this. No. It's why that job offer from the government was so appealing. It's like, wait, you mean, I could do this for the us government <laugh> and get a paycheck. Still get to do it. Yeah. Yeah, no, I agree with you. Well, and I told you that I have turned down some solicitations in the past. Sure. But they knew I was able to do these things. And they said, I mean, this was our government said, we'd like you to do this. And I couldn't even do that because I'll say this to anybody who might be teetering on the edge thinking, well, I could really use the money. Maybe my family needs the money or whatever.
Leo Laporte / Steve Gibson (01:55:09):
If you have a moral compass, follow it. You will never go wrong. And at any point when you don't, you will regret it. And it isn't a good thing. Just stick with your moral compass, stick with your moral tenets, your deeply held beliefs. Do what's right. Don't be tempted by what's wrong. In the meanwhile, in the meantime, as a takeaway to our listeners and to everybody, everybody we are talking to knows and loves: be so, oh gosh, careful, yes, about clicking links in email. That's the way this happens. That's the starting point for all of this, is an innocent-looking, seductive-looking, expected-looking, whatever it is. I mean, this is not the Nigerian princes anymore. It's gone, nor is it "your car insurance needs to be renewed." It's clever. It's very believable. It's very believable. Yes. And the problem is this means that we're going to see a dramatic increase in the amount of these sorts of attempts to get us to click something. And it's gonna be believable, exactly as you said, Leo. But again, it's a matter of scale. And unfortunately this is going to cut loose.
Leo Laporte / Steve Gibson (01:56:39):
I've a jump in the scale at which these sorts of campaigns occur. I mean, it's probably gonna get to the point where smart people just are refuse to click anything in email or believe anything you see in a text message. Yeah. I mean, I don't know about you, but I get text messages every day from Amazon and my bank and my other companies that aren't my bank. <laugh> saying, oh, you gotta act. Now something's gone wrong quick call this number. And it's very easy to fall for this. I spend almost, I think now every radio show, 10 minutes talking about this because people need to hear it and really need to GERD their <laugh> prepare themselves for battle. When they go out on the internet, sad, put your armor on it is sad. True. It's very sad. It's not sad that this guy here gets a better night's sleep tonight because he did this show.
Leo Laporte / Steve Gibson (01:57:37):
<laugh> thanks for listening. Thanks for getting him to do it. Episode 8, 8, 8, which is this super lucky episode, you know that right? Eight is a very lucky number. 8 88. Yes. Happy to have it. Yeah. You'll find copies of this show in a couple of places. Steve has them. In fact, he has two unique forms of this show at his website, grc.com. He's got the 16 kilobit audio, which admittedly is not high-fi, but it is a small form factor for people who are bandwidth impaired. Also those wonderful transcripts, Elaine Ferris does for every single show, which allow you to read along as you listen to search for the part you're looking for all of that. Plus 64 kilobit high quality audio available@grc.com while you're there. Check out, spin right for the last 20, some years. More than that 30 years, the world's finest mass storage, maintenance and recovery utility.
Leo Laporte / Steve Gibson (01:58:36):
If you have storage, hard drive or SSD, you need SpinRite. That's Steve's bread and butter. So go there and get a copy. If you buy 6.0 now, you'll get 6.1 as soon as it's done, only slightly delayed due to this new author. Damn you, Silver Ships. <laugh> Now that I know that, I'm not gonna read that book. Only slight, just a little bit, just a little bit. Cause I'm a fast reader and I'm still working on SpinRite. Yeah. Steve's, Steve's never gonna stop working and just take a... it's good. You need a little break, little downtime for the brain. Let the steam cool off a little bit. The ears, get the smoke out of the ears. You can also find so much other stuff at Steve's site. It's worth visiting grc.com. Do leave him feedback there if you want, grc.com/feedback, or on his Twitter account. His DMs are open at @SGgrc, SGgrc.
Leo Laporte / Steve Gibson (01:59:35):
We have 64 kilobit audio and video of the show at our website, twit.tv/sn. There is a Security Now YouTube channel, which is probably the easiest way if you wanna share a little tidbit with a coworker, a friend or a boss. You just snip it out of the YouTube; it makes it very easy. So look for the Security Now YouTube channel. And of course the thing most people will end up doing is getting a podcast player and subscribing, cuz that way you get it automatically every Tuesday afternoon, the minute it's done being polished up and edited. We do the show live. If you wanna get it the soonest, you can watch us do it live at live.twit.tv, supposed to be 1:30 Pacific, 4:30 Eastern, 20:30 UTC, depending on how long MacBreak Weekly goes. Sometimes it's delayed by half an hour or so. Be patient. It will show up on the stream.
Leo Laporte / Steve Gibson (02:00:25):
If you're watching live, chat live at irc.twit.tv. That's Tuesdays. And of course the chat goes on as well in our club, the Club TWiT Discord, Club TWiT Discord, which is one of the many benefits you get from being a club member. It's only seven bucks a month, couple of lattes a month. You get ad-free versions of every show. You get access to special shows that are only in the club because the club supports them with your membership, like Hands-On Mac, Hands-On Windows, the ultimate Linux, Untitled Linux Show, Stacey's Book Club, the GizFiz and more. This Week in Space launched, so to speak, in the club. That's what those $7 really helps us out with, launching new shows that aren't, are revenue zero <laugh>, regular revenue negative when they start. You also get the TWiT+ feed with a lot of material before and after the shows that doesn't make it into the podcast. So highly recommend Club TWiT. It doesn't go in my pocket, trust me, but do go to twit.tv/club if you'd like to know more. You can also buy individual shows. If you just want Security Now ad-free, 2.99 a month. That's also at that page, twit.tv/club.
Leo Laporte / Steve Gibson (02:01:41):
I think that concludes this thrilling, gripping edition of silver bad guys. <laugh> Go back to your spaceships, Steve, and we'll see you next week. Will do, my friend, for 889 next week.
Steve Gibson (02:01:55):
Bye.
Rod Pyle (02:01:57):
Hey, I'm Rod Pyle, editor in chief of Ad Astra magazine. And each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators, and artists. And sometimes we just shoot the breeze over what's hot and what's not in space books and TV. And we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.