Security Now Episode 900 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte / Steve Gibson (00:00:00):
It's time for security Now. Steve Gibson is here. You've got questions. Steve's got answers. A lot of questions. Australia's stiff finds for not disclosing a break-in what country is prosecuting its own X IT staff for a memory breach. Which podcast had the most amazing guest last week? I wonder. And what happened when Spin Wright was won on an ssd? Plus an analysis of last passes recent revelation of an attacker intrusion. It's all coming up next on Security Now. Podcasts you love from people you trust. This is twi. This is Security Now with Steve Gibson. Episode 900, recorded Tuesday, December 6th, 2022. Last pass. Again,

(00:00:59):
This episode of Security Now is brought to you by IT Pro from ACI Learning ITProTV is now IT PRO from ACI learning. If you're looking to break into the world of IT, or if your IT team needs to level up, get the introduction you need with IT Pro. Check out an IT pro business plan by visiting itpro.tv/securitynow today. And by This.nk Canary, detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter, enter the code twit in the How did You Hear About Us Box and by PlexTrac the premier cybersecurity reporting and collaboration platform with PlexTrac. You'll streamline the full workflow from testing to reporting to remediation. Visit plextrack.com/twit to claim your free month of PlexTrac Today. It's time for security.

(00:02:03):
Now, the show where we cover your security, your privacy, we explain things, we talk about the world as it is with this fantastic fellow right here, Mr. Steve Gibson. Hello, Steve. Hello, Leo. You noted, and I had previously seen that we are now at episode 9 0 0. Yes. Wow. So wow. For the beg for the beginning of December. And I I, there was little doubt that I had the title. Today's podcast last pass again. Yeah. Yeah. Boy. Holy cow. Yeah. This was breaking news at the end of the episode last week, and now we've had, you've had time to Yep. Yep. Look at it. And I still don't know if we know exactly what happened, but I'm looking forward to hearing you. Well, I know in fact that yes, we, we will get there. We're gonna answer a few questions. And when I looked at the word few, I thought, wait a minute, we're doing ma more than a few.

(00:02:57):
What if an Australian company doesn't secure their own network, also has Ireland, not levied fines against any major internet property owned by Meta <laugh>, no <laugh>. What's in, what's in Regal's complete dump of Australia's MetaBank data closure. Oh, we finally answer Leo. Yes. The question yes is, is nothing sacred? It turns out it's not rhetorical. Oh, also, whose root cert just got pulled from all of our browsers? And how did a handful of Android platforms certs escape? Hmm. What US state? I kid you not has banned all use of TikTok. What Uhhuh what country is prosecuting its own X IT staff after a breach? How has memory safe language deployment actually fared in the wild? Mm-Hmm. <affirmative>, our last August's Black hat 2022 videos finally out yet <laugh>. And which brand of i t security camera do you probably not want to use or purchase? Oh, which podcast had the most amazing guest last week?

(00:04:10):
Hmm. What happened when Uhhuh, what happened when Spin Wright was run on an ssd Uhuh? And what does last passes announcement of another hacker intrusion mean for it and its users answers to those questions and more <laugh> coming your way during this Week's Security Now podcast. You've got questions. Steve has answers. <Laugh> inquiring minds want to know. Well, that's why we tune in the show, right? Every, every week. And why is nothing sacred? I can't wait to hear that one. Ah some of those I think I know the answer to, but we'll see. Hey, we want to say hello to IT Pro tv, our sponsor for this segment, but also mention that there's been a little change. It Pro TV is now it pro from ACI learning. And this is really good news for IT pro customers because now you've got an even broader range of offerings with a company that is committed to educating, to teaching, to getting the information into your brain so you can do a better job.

(00:05:16):
You can get the search you need to get the job you want it. Pro's mission is just getting better. Your IT team needs the skills and knowledge to ensure that your business is a success, right? With IT pro more than 80% of users who start a video actually finish it. I'm talking about training your IT team with content that's engaging, that's fun that they will see as a gift, not as an assignment. C is something they wanna do, not something you're making them do. If you've got a business, you know, you need to keep your IT team up to snuff. If you run an IT team, you know, that's probably the most important part of your job. Coaching them, getting 'em to learn, getting 'em to expand their skills while IT pro is the way to do it. A, a a, an assignment, they'll actually embrace and love IT.

(00:06:03):
Pro is engaging. Your team will enjoy learning on their platform and they will get the tools they need to make your business thrive. The tech industry, of course, is changing constantly, right? It's one of the reasons you can't just have your IT team sit on their laurels, is that what they're sitting on? They can't just sit on their laurels. They've got to evolve with technology. They've got to learn more skills. Even if you've got the best team in the world, there's, there's new software releases, there's system upgrades, there are new cyber threats. They're evolving all the time. It Pro offers the training that you need to handle these disruptions. And, and what's great is your team is gonna learn fast and again, they're gonna be happy about the whole thing. So what do you get? What do you get with IT pro? You get all the training, all the search for your team done in one place.

(00:06:55):
Every vendor, every skill you need for your IT team Training Microsoft. Sure. Cisco, you bet Linux, apple Security Cloud so much more. IT PRO has more than 6,800 hours worth of training on demand. They cover everything from technical skills compliance. You bet even soft skills like marketing, running your business. There's a lot of information in these in these IT pro videos. They're all 20 to 30 minutes long, which means very easy to watch 'em at at your convenience, your IT team's convenience. They all come with transcripts, which is great for you as well because you can make assignments. You could say, you know what Joe, you've gotta learn a little bit more about OAuth here. So we're gonna, this is the episode to watch. And you knew it because you found it through searching the transcripts. It's kinda like what we do with, with Steve.

(00:07:44):
You have a great dashboard too, you know, where you can manage seats unassigned and assigned team members. You can access monthly usage reports to make sure it's being used. You'll see metrics like logins and viewing time and tracks completed. It's very granular. You can say you need to do this down to a single episode. This group is a subset that needs to do this. That kind of thing. Completely customize the assignments and always, of course, monitoring progress, which is important. So also so you can justify the spend to your higher ups. So you get great reporting visual reports that are easy to look at, to scan and say, oh yeah, it's working on the viewing patterns on progress and all of that there. And we always talk about IT pros, individual plans. Those are still there is the best place for training an IT team for keeping an IT team up to snuff for getting your own personal training for getting that first job.

(00:08:37):
Or, you know what, if your boss isn't buying it for you, do it for yourself. Just cuz it's good for your own development. IT pro. Now from ACI learning, give your team the IT development platform. They need to level up their skills and enjoy every step of the way. Go to it pro.tv/security now. That's the website. Find out more, give it to your team. You will get great results. You'll be happy. They'll be happy. It pro TV slash security. Now, actually, I know a lot of companies, there's a more than a handful of companies that have bought this show for their team so they can keep up to date on all this stuff, Steve. They're, they're people who I hear from people and I know you do too all the time, who say, security now is a critical part of me getting my job done and keeping up with what's, what's changing all the time.

(00:09:33):
So, and it's cool also that, that you're able to get CE credits for Yeah. People do that, right? Yeah, that's great. Yeah. Yeah, yeah. Many. And in fact, it's like official, I hear from professors who should give this to their classes, the show. Yeah, it's great. Go ahead. Sorry. Our, our picture, our picture of the week Oh, is, I haven't looked yet, is a great one. So the caption that came with it, it was perfect. So it reads, if you've ever messed up a dimension or a whole position on something you're building, don't be too hard on yourself. At least you're not the Cisco design engineer oh dear, who caused ah-huh. Who caused an entire product line recall by placing the mode button directly above an RJ 45 port. Oh man, that button resets the switch to its factory default settings, <laugh> when is held down and what happens?

(00:10:32):
So when you plug in an ethernet with a lock yes. Well, yeah. So for, for, for, for those who can't see the picture, what we see is an RJ 45 plug in the first port of the switch. Now, if it were just a, a minimal RJ 45, that would be fine. That was what the engineer was thinking. But if you put one of those rubber boots on it where you have that rubber flap that comes over and, and, and protects the, the, the, the lock, the the plastic lock. Yeah. Right. Then what happens is that thing is perfectly positioned <laugh> over the, over the factory reset button. Oh my God. So I, if you were then to lift the cord up, that would rotate the plug so that the, the protective boot pushes the re the factory reset button down. It holds it holds it down and, and holds it down.

(00:11:29):
Returning the switch to, its the con, you know, like the, where the, the, the the login and, and password I can stand why every time I sit up our Cisco, our Cisco router, it it re it goes back to factory settings. I don't understand it. Yeah. What, what could be wrong? Oh, goodness. Anyway, great picture of the week. Thank you listener who sent that to me. Okay. So continuing our recent Australia watch recall from last week that a recent cybersecurity country ranking, which was published by M I t, gave Australia the number one slot for cyber defense, followed by, in decreasing order, the Netherlands, South Korea, US, and Canada. So Australia, number one, we recently covered Australia's proactive declaration of cyber war, which they'll be waging against the world's perpetrators of cyber crime, not waiting for them to commit another crime.

(00:12:32):
But, you know, going after them, you know, it would seem that these high profile attacks on Optus, Telstra MetaBank that we'll be talking about a little bit later, Woolworth's and Energy Australia really woke up the sleeping bear and galvanized Australia into action. You know, they've decided to go active last week, saw another facet of this campaign with the creation of new legislation to replace Australia's creaky 34 year old privacy Act of 1988. The new legislation ups the ante when Australia's own internal attack targets, like those companies just mentioned, are turn out to be willfully negligent. The legislation bears the cumbersome name privacy legislation, amendment enforcement, and other measures. Bill 2022, it grants the office of the Australian Information Commissioner, the O A I C, the power to levy hefty fines on companies and not only Australian companies, which is interesting, we'll get to that in a second.

(00:13:46):
Which ignore security best practices to needlessly expose their customers data through cybersecurity breaches under this bill, which is expected to receive Royal Ascent shortly to place it into force companies that fail to safeguard their data. Face fi face fines of up to the greater of 50 million Australian, or 30% of the company's adjust adjusted revenue, whichever is greater <laugh> the existing fines. I yeah. So if, you know, if, if you have more than 30, if 30% is is greater than 50 million Australian, that's what you gotta pay. So now this is a huge change. The existing fines impose only 2.22 million Australian as a fine as a result of security breaches. So we're going from 2.22 million to 50 million or 30% of revenue if 30% is more than 50 million. Okay. So steep as this is the updating of Australia's antiquated legislation is not surprisingly been greeted with positive feedback from Australian cybersecurity experts who view it, and I think reasonably as the incentive needed to get local companies to pay the attention that yes, they must to the state of their IT systems, right?

(00:15:24):
I mean, it's like, oh, we're sorry. Like when a breach happens, it's like, well, if you, you know, if you worked to fix this in the first place proactively, then you wouldn't have to be sorry. And Australian citizens wouldn't have had all of this data lost. So, you know, you know, given the historical reticence that we keep seeing to getting ahead of this problem, nobody does. I don't, I can't see any other way to bring about the changes we need. You know, it does still feel a bit wrong for the suppliers of the too often buggy systems, which enterprises rely upon to continue to be held harmless. But that's a bridge we're not prepared to cross yet. So at this point, we're gonna say, well, were you patching? Were you, you know, you know, like, and, and that's the other problem too that is uncomfortable here is how is this decision about negligence reached because it's a, it's a thorny problem.

(00:16:24):
 I mentioned before that this law wasn't applicable only to Australian companies. According to the Bill's text, its provision and fines will also apply to any non-a Australian company who's doing business in Australia, even if they're headquartered outside of Australia. And that one promises to prove interesting, you know, Australia finding some other company who's doing business in Australia, who exposes the, the private information of Australian citizens, 50 million Australian. Wow. okay, while we're on the topic of fines, Aust Irelands Data Protection Agency find meta 285 million euros due to Facebook's data breach. A year and a half ago in April of 2021, the Irish Data Protection Commission said that meta failed to safeguard its Facebook platform from data scraping, which, you know, as we know, data scraping is just like bots, spiders get in and scrape all of the pages of Facebook. Anyway, the, the, this Irish Data Protection Commissions alleges that this allowed a threat actor to compile details on more than 530 million Facebook users.

(00:18:01):
This data was later sold on an underground cybercrime forum. Thus bad guys profited Facebook told Tech Crunch that following the incident, they rolled out protections to detect scraping operations. To which I would ask again, why not before this? I mean, it really does seem that we're with it, we're having to like severely punish these tech companies in order to get their attention and, and get them to change their behavior. Crazy as it seems after the fact, since Ireland had previously fined META'S Instagram 405 million euros in September of also this year, and WhatsApp got a fine of 228 million euros in the, the previous September, this now rounds out the fines. So that Ireland's Data Protection Agency has now fined all or each of Meta's three main platforms. So that answers the question we pose at the beginning. Is there any major property of meta that Ireland has not yet find the answer now?

(00:19:12):
No. They've got 'em all. And speaking of MetaBank and Australia, okay, remember, MetaBank, as I mentioned, was one of the several ransomware embarrassments that Australia based organizations recently suffered. Well, MetaBank stood up to the Ral gang as everyone thinks they should. If you <laugh>, if you can, refusing to pay or to buckle under to rival's, extortion threats. They threatened to release the entire contents of what had been illegally stolen from MetaBank. So MetaBank is Australia's largest private health insurer. And what's known is that this significant personal data for meta bank's, 9.7 million current and past clients was stolen during re's original intrusion and data. Exfiltration Celest s Thursday MetaBank released a lengthy statement, I won't bother with it all, but it began. We are aware that stolen MetaBank customer data has been released on the dark web overnight. We are in the process of analyzing the data, but the data released appears to be the data we believed the criminals stole.

(00:20:36):
Unfortunately, we expected the criminals to continue to release files onto the dark web while our investigation continues we're, there are currently no signs that financial or banking data has been taken, and the personal data stolen in itself is not sufficient to enable identity theft. Although when you hear what it is, you'll maybe question that. And financial fraud, the raw data we have analyzed today so far is incomplete and hard to understand. Okay, we'll get back to that because I thought that was an interesting thing that they said a bit later in their released statement, they start quoting MetaBank, C E o David Cox car. And, and so they wrote and he hi. His quotes saying, anyone who downloads this data from the dark web, which is more complicated than searching for information on a public internet forum and attempts to profit from it, is committing a crime.

(00:21:42):
The Australian Federal police have said Law enforcement will take swift action against anyone attempting to benefit, exploit, or commit criminal offenses using stolen MetaBank customer data. We continue to work closely with the Australian Federal Police who are focused as part of Operation Guardian on preventing the criminal misuse of this data. Again, he says, I unreservedly apologize to our customers. We remain committed to fully and transparently communicating with customers, and we will continue to continue, I'm sorry, continue to contact customers whose data has been released on the dark web. Okay. At the end of the statement, MetaBank then, and the statement goes on and on on, at like a great length, they enumerate the sobering details of what they believe the evil gang both obtained and a little bit of what they did not obtain. So on the daunting bit that they did get, they said the name, date of birth, address, phone number, and email address for around 9.7 million current and former customers and some of their authorized representatives.

(00:23:03):
This figure represents around 5.1 million MetaBank customers, 2.8 million a H M customers and around 1.8 million international customers. Also, Medicare numbers for a h m customers, though not the expiration dates, passport numbers, huh? And Visa. The travel visa details for international student customers, though again, not expiration dates, HILT claims data for around 160,000 MetaBank customers, around 300,000 a h m customers and around 20,000 international customers. This includes service provider name and location where customers received certain medical services and codes associated with diagnosis and procedures administered. Additionally, around 5,200, my home hospital, that's Mhh patients have had some personal and health claims data access, and around 2,900 next of kin of these patients have had some contact de details access, also health provider details, including names, provider names and addresses. So, you know, wow, <laugh> a, a huge breach. On the flip side, they said that RAL did not access primary identity documents, such as driver's licenses for MetaBank and a h m resident customers.

(00:24:34):
Metabank did not collect primary identity documents for resident customers, except in exceptional circumstances. RAL also did not access health claims data for extras services such as dental, physio, optical, and psychology. And they did not access credit card and banking details. Okay? But wow, they did still got a lot, right? Lots of stuff on nine point million individuals. What most caught my attention was their statement that quote, the raw data that we have analyzed today so far is incomplete and hard to understand. What occurs to me is that a raw, unorganized dump of data concerning 9.7 million current and past customers is far less actionable than an organized, searchable online database containing the same information. In other words, it's almost entirely the structure of the data. I mean, that much data that gives it meaning and makes it useful if, if RAL grabbed raw data files without formatting templates and indexes into the data.

(00:25:59):
If the database is highly relational in nature and deeply depends upon the, the interrelationships of pieces of it and the indexes into it in order to pull it together into something coherent, then the release of a massive blob of raw and disorganized data where there's nothing to make clear what pieces go with, which might be much less damaging than it at first appears, which is interesting. It sort of says that, you know, while the data is in place, it's actually useful to the organization that owns it and that that, you know, knows how, how to interpret it. But if you just grab a static blob, a static file, then there may not be. I mean, it's all there, but if you can't like, find all the little bits and pieces which get pulled together by having this data understood by the, by the database and databases that contain it, then, you know, it's probably not so useful to anyone.

(00:27:11):
Anyway, I, I'm just, you know, interesting to have this actually happen. Ha. Okay, Leo? Yes. I couldn't resist giving this story. The, the short bit of news, the heading is nothing Sacred <laugh>. Okay. Because the official website of the Vatican was push off, pushed offline last Wednesday. Oh. By a DDoS attack. It's nothing sacred. <Laugh>. Exactly. I'm sure Father Robert had a late night that night. I bet. Yep. It was pro-Russian activist. Hmm. as, and I had to look this up. C n A, right? Yeah. The Catholic News Agency. Oh, well, there you go. They're serious. C n a, the Catholic News Agency pointed out the attack came a day after Moscow criticized Pope Francis's latest condemnation of Russia's invasion of Ukraine. So, no, nothing is sacred. And if the Vatican says, Putin, you are bad, well get ready to be blasted off the internet for a while.

(00:28:31):
 Okay Mozilla yanks a no longer trusted route, as we know. Actually, not only Mozilla, but everybody else because we covered this through the years, web browsers are extremely reticent. Okay? It's not the web browsers, right? It's the people who manage them. But, you know, web browser teams, I should have said, are extremely reticent to remove root certificates. Actually, Leo, maybe one day web browsers themselves will be sentient and will then decide whether they, whether they should trust their root certificates. I'm sorry, Dave, I can't go there. <Laugh>, I don't trust that website any longer, and you shouldn't either. Okay. So they're reticent to remove root certificates from their trusted root stores because doing so immediately renders invalid and not trusted any and all outstanding certificates, which have been previously signed by that certificate's authority using their matching private key. This effectively pulling the, the trust from the root effectively puts the certificate authority out of business overnight.

(00:29:47):
And, you know, as we know, this has happened a few times since the start of the podcast, and it's always interesting. In this case, the certificate authority in question is an apparently shady Panamanian firm called Trustco. Nearly a month ago. Long simmering questions about trustco were brought to a boil by a piece in the Washington Post whose headline was mysterious company with government ties, plays key internet role trust core systems vouchers for the legitimacy of websites, but its physical address is a u p s store in Toronto, <laugh>. Oh, no, that's not good. <Laugh> Oh, oh boy. No, that'll, that'll get your attention. Here's just a sampling of the juicy bits from the Washington Posts reporting. Ed, for what it's worth, I got the league of the show notes. I really recommend, you know, any of our listeners who enjoy gossip based on in facts. This thing is just, this reads like, like you couldn't make this up.

(00:30:59):
Okay. The Washington wrote the company's Panamanian registration records show that it has the identical slate of officers, agents, and partners as a spyware maker identified this year as an affiliate of Arizona based packet Forensics, which public contracting records and company documents show has sold communications interception services to US government agencies for more than a decade. One of those trust core partners has the same name as a holding company managed by Raymond Sono, who was quoted in a 2010 wired article as a spokesman for packet forensics. Sono also surfaced in a 2021, I'm sorry, in 2021 as a contact for another company, global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than a 100 million previously dormant i e p addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the i the digital territory months later, and it remains unclear, wrote the post, what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.

(00:32:44):
And our listers may recall that we talked about this weird event at the time, noting how odd it was that this previously dormant and d o d reserved block of I P V four address space was suddenly being routed and tied to some random private company no one had ever heard of. Anyway, the post continues, trust corres products include an email service that claims to be end in end, end-to-end encrypted, though experts consult consulted by the Washington Post said they found evidence to undermine that claim. Researchers said that a test version of the email service also included spyware developed by a Panamanian company related to Packet forensics. Google later banned all software containing that spyware code from its App Store. A person familiar with Packet forensics work confirmed that it had used, that it had used Trust Core's certificate process and its email service message safe to intercept communications and help the US government catch suspected care terrorists speaking on the condition of anonymity to discuss confidential practices.

(00:34:09):
The person said, yes, packet Forensics does that, and come on, <laugh>, the name Packet Forensics should be an obvious enough should tell you everything you need to know, right? Yes, yes. AB about the company's intentions. Remember, any device that's holding a certificate, which is able to sign other end certificates is thereby able to intercept any and all t l TLS secured traffic bound for any remote web server. It accepts the connection that the TLS connection examines the domain being requested, create some signs, a TLS certificate on the fly and returns it to the browser. In this case, so long as all web browsers contained the trust core ca root certificate, they would happily accept that on the fly sign certificate. So the connection to the intercept middle box, as they're called, would be encrypted, where the middle box would decrypt the TLS data for completely in the clear analysis.

(00:35:20):
It's a man in the middle box attack it. That's exactly what it is. Yeah. The middle box would then initiate its own connection to the actual destination server so that its interception was invisible while it continued to surveil all of the intercepted browsers traffic <laugh>. Oh dear. So it's what is really, I mean, it's heartwarming to see how long the thread was in the Google groups back and forth while they explained very patiently to the trust core representative who crept trying to rebut all of their evidence that, you know we're gonna pull the plug on you. Yeah. Because it's pretty obvious this is not, this is not okay. Yeah. How'd they get it in the first place? That's my question. Well, I mean, there, it, it, apparently, if you have enough money, there was a quote somewhere later in this long Washington Post article.

(00:36:20):
If you had enough money, basically you could buy yourself certificate, authority, privileges, and, and, and, you know, essentially they don't wanna deny a company just out of hand who like passes all the requirements and certifications and looks like they're gonna be a reputable and reliable certificate. Authority is like, well, you know, why should we say no to them? So I would, I would've hoped there was a better way to vet certificate authorities given the power that Inc gives them. I, I know, and you know, Mozilla currently recognizes 166 root certificates, but no longer the three from Trust Corps. Oh, good. Our really longtime listeners may recall that episode, the Hong, which Kong Post Office episode, <laugh>, you don't have to say no more. I know exactly where you're going. That followed my chance discovery of what was then the explosion in certificate authorities in Firefox's Root Store.

(00:37:26):
The time before when I had looked, there were like seven or eight certificate authorities. Now there appeared to be hundreds and as I said at the time, this is inherently not good. All web browsers are trusting any certificate signed by the owners of any of these root certs. It makes it an inherently unstable system. But in fairness, you, you'd have to say that things have gone much better certainly than I expected. The industry has been amazingly effective at policing itself. And the events, you know of these trusted root store abuses have been very few and far between. You know, it's an obvious privilege to be granted certificate authority rights. It's a license essentially to print money, but only so long as the certificate authority signature means something. Okay. So the washer to post a story is not behind any paywall. And it reads, as I said, like someone's imaginative fiction being it's, you know, well researched and backed by facts.

(00:38:38):
I've got a link, as I said in the show notes for anyone who's curious to know more. And also I have a link to the Google Group's discussion which it sounds pretty good. I gotta read that. Oh, yeah. All of the industry's participants, including Trust tours, you know, trust Cores representative was there trying to rebut this, but ultimately they lost the argument because the evidence was just there. Yeah. You know, it just, it went on and on and on, and they said, look, sorry, but you know, we, you, we can no longer trust you to sign anything. This initial the the kickoff post has 34 references, footnoted references. That's a pretty good start. Yep. You know, that's that's not just some off the cuff. I think this is a problem. No, a again, the you have to, you have to take your hat off to these guys.

(00:39:28):
They do not yank this privilege casually. Yeah. You, I mean, you really, you know, they, they, they fret and worry and, you know make sure that they, that this guy, you know, that it wasn't a one off sort of in fact, there's almost a smoking gun connecting trust court to a spyware. Yes. couple. Yes. I mean, it's, it's pretty bad. I mean, yes. A ups, yeah, A UPS post post box. Oh my. Oh God. Holy cow. Holy cow. Oh, here's the trust core response. Yeah. Yeah. Oh, I'm gonna read this. That's good. That's some good late night reading. Yeah. Thank you. It really is good. Yeah. Yeah. Okay. So one, one more and then we'll take our next break. While we're on the subject of crucial certificates and certificate management. Last Wednesday, the 30th, an an internal Google report, which was originally created on the, on the 11th of November was made public.

(00:40:31):
And two days later on Friday, the security firm, rapid seven, pulled the pieces together. Google's report is titled Platform Certificates used to sign malware. And under technical details of Google's report, they said a platform certificate is the application signing certificate used to sign the Android application on the system image. The Android application runs with a highly privileged user id, Android dot u i d dot system. Basically, you know, it's complete, it's like the route and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user Id giving it the same level of access to the Android operating system. In other words, it's a full penetration of Android security. Digging a bit deeper, we find that the Android security team discovered several malware samples in the wild that were signed by platform certificates issued by major vendors, including Samsung, lg, media Tech, and Rev View.

(00:41:57):
After discovering the incident, the Android security team worked with the affected companies to revoke and rotate the leaked platform certs. What I liked, I, I liked what Rapid seven had to say about this, because what they said made a lot of sense about what didn't make a lot of sense about the whole escapade. Here's what they wrote, they said on November 30th, 2022, a Google report initially filed on November 11th was made public. The report contained 10 different platform certificates and malware samples sample s hha 2 56 hashes, where the malware sample had been signed by a platform certificate. The application signing certificate used to sign the Android application of, of the system image applications they wrote, signed with platform certificates can therefore run with the same level of privileges as the Android application yielding system privileges on the operating system without user input. Google is recommended that affected parties should wrote, I bet they've recommended they affected par parties should rotate their platform certificate.

(00:43:17):
However, platform certificates are considered very sensitive. Rapid seven wrote, and the source of these certificates is unknown at this time. They said the use of platform certificates to sign malware indicates that a sophisticated adversary has gained privileged access to very sensitive code signing certificates. Any application signed by these certificates could gain complete control over the victim device. Rapid seven does not have any information that would indicate a particular threat actor group as being responsible. But historically, these types of techniques have been preferred by state sponsored actors, meaning, right, like those with like at the top of the food chain. That said, they wrote a triage level analysis of the malicious applications reported shows that the signed applications are adware. A malware type generally considered less sophisticated. This finding suggests that these platform certificates may have been widely available as state sponsored actors tend to be more subtle in their approach to highly privileged malware.

(00:44:38):
Okay. So, s some low end malware adware was somehow signed by the, by like the most closely guarded private keys belonging to some of Android's largest and most reputable vendors, either those closely signed private keys escaped, or somehow those still resident keys were used to sign the malware. Either way, the fact that malware was signed means that something went wrong. You know, what's weird is that any agency that somehow obtains the ability to get any malware signed by major platform keys is not gonna waste that awesome privilege on easily discovered adware. They would treasure that capability and hold it close, choosing to reserve its use for only highly targeted infiltration, specifically so that it never was discovered. Because as soon as it is, it's gonna be rendered, you know, it's gonna be neutered by having the keys rotated. Now, thanks to the casual misuse of a collection of certificates that, you know, somehow escaped from something, whoever or whatever gained the ability to sign those certs has almost certainly lost those rights.

(00:46:07):
None of the signatures of those certificates will be trusted going forward, given what we know. None of this makes any sense. So we have a mystery, but, you know, it's been dealt with, thank goodness. Wow. Interesting. And after we tell our listeners why we're here, Leo, we're gonna find out what state has banned the use of TikTok. <Laugh> and I, I think I know the answer, but I'll I'll wait and hear. Oh my goodness. I think it's only for government employees, not for That's the, that is not for you. That is true. Well, you, yeah, you can't ban it statewide. Of course you couldn't still, you couldn't. No. Yeah. Thank God. <Laugh>. Yeah. What would my son do without all his millions of fans on TikTok? I ask you, this episode of Security Now is brought to you by Thinkt Canary. Hey, I'm a fan of this.

(00:46:59):
Let me show you this. This is the Thinkt Canary honeypot in the the palm of my hand. I love this device. We have said many times that a security is a layered approach, right? And a lot of people focus on perimeter security, keeping bad guys out of your network. But what do you do when they're in your network? How do you know if they're in your network? You might even have a zero trust thing going, but that doesn't mean somebody's not not in there browsing around, trying to break through that zero trust barrier. You need this, you need the things to canary inside, sits inside your network. Little black box. For those of you who are just listening, it's about, it looks like a external U s b drive, one of those, you know, bus powered small little things. It's got two connections, one for plugging in the, the power, the grid the mains.

(00:47:52):
And the other is of course an ethernet jack. By the way, there is no reset button anywhere near the boot on this, on this ethernet plug. But what does it do? Well, just depends. You go to your canary console and you could say that's a Windows XP server with port 1 39 and 1 38 wide open. Or you could say, oh, no, no, no, this is, in fact, that's what this is my sonology nas ready to log you in with DSM seven. And the exact right MAC address to all of that is available to you in your Canary console. So you could be a skated device, you could be a Windows or Linux server. You could have a Christmas tree of services turned on, or just a few handpicked. You could put 'em on active directory. And the whole idea is if somebody has penetrated your network, they're gonna be looking for things like this.

(00:48:53):
They don't look vulnerable, they look valuable. And when they find it, and this is the key, you are gonna be alerted. That's the key, right? It's like fishing, like with the f kind of fishing. You're putting a little bait out there with this invisible hook. They won't even know they've triggered it until you go searching for 'em. And that's beautiful. The services on the canary designed to elicit further investigation, shall we say. At which point they betrayed themselves. Your canary notifies you, and by the way, you don't get a cascade of irrelevant alerts. You get just the alert that matters. Somebody trying to log into your faux sonology server. Here's the login and password they used. You can order, configure and deploy your canaries throughout your network. By the way, there's more you can do with these. They have cloud-based birds. Now, you can also set up canary tokens, little trip wires all over your network that are just files.

(00:49:50):
PDF, six LA spreadsheets doc files with, with provocative names, but they aren't really files. When, when the bad guy attempts to open them the canary says hello, it calls home, phones home. It's really neat. Every canary hosts realistic services, looks and acts exactly like it's namesake down to the Mac address, windows file server, a router, a Lennox web server. So brilliant. This is honeypots made easy for anyone, and it's easy to set yourself up. Every customer gets their own hosted management console. So you can configure settings, manage your things to canaries, handle events. They're constantly reporting in providing an up to the minute report on their status. But you don't need to monitor that because you're gonna get pinged if something happens. But if you wanna see, you know, like, oh, what's my canary doing? You can check. I'm just sitting here waiting, just looking provocative. <Laugh>,

(00:50:48):
Even customers with hundreds of canaries sometimes report, well, we only get a handful of events every year. Cuz most of the time there's no problem. Right? But when an incident does occur, when a bad guy is in your system, they will tell you, you'll get a, an alert and you'll get an alert the way you want it by an email. You can get text messages, slack notifications, the Canary support. They have an a p i, they have webhooks, they support syslog. If you're, if you're a CIS logger it's as easy as possible. The problem really comes down to most of the time, once a hacker has penetrated your defenses, you don't know they're in there and they can be wandering around for months on average, 91 days before they're discovered. Three minutes of setup, no ongoing overhead, nearly zero false positives. And you can detect attackers before they dig in.

(00:51:42):
That's why things Canary Hardware, vm and cloud-based canaries are deployed in loved on all seven continents. This created by guys who have taught governments, militaries, companies, how to break into systems, the best testers in the world. These red team guys have known and learned everything there is to do about attacking. And they've put all that knowledge into making something attackers can't resist. That's the point. It's like ice cream baby. They can't go buy it without trying it. Canary.Tools/Twit pricing will vary depending on how many you get. I'll give you an example. Five Canaries, that'd be good for, you know, a small business. A bank may have hundreds, but a small business, five canaries, 7,500 bucks a year. With that, you get you know, you sit on the canary, you break it in any way, of course immediately replaced. You get your own hosted console, you get support, you get maintenance.

(00:52:36):
And if you use the code twit, T W I T, and then how did you hear about a box? You're gonna get 10% off the price to your canary forever for life to further seal the deal. Cuz maybe you're going, well, I don't know. They've got a two months 60 day money back guaranteed for a full refund. So there's really no penalty just just testing these, get 'em and see you're gonna love them. If you go to canary.tools/love, you'll see all the, all the people who've over the years said, man, this is the best solution. Thank you Canary, et cetera, et cetera. If you're ready to buy, go to Canary, c a n a r y.tools/twit. Enter the offer code twit and how did you hear Bass Box? Get that 10% off for life. And that way they know you saw it here, here, which is pretty important to, to Steve and me.

(00:53:27):
Canary do tools slash twit. This thing is brilliant. Your business, your enterprise, your network needs them. They need them. Canary.Tools/Uh twit, thank you Canary. Thank you. Thanks. Now back to the Steve Gibson show already progress. Yes, <laugh>. Ah, so here's one for you. Last week, south Dakota's Governor Christie Nom. Oh, good old Christie. Ah, yes. Signed executive order 2022 dash 10, which bans all use of the Chinese social media platform, TikTok by state government agencies, employees, and contractors. The executive orders news release stated that the order is in response to the growing national security threat posed by TikTok due to its data gathering operations on behalf of the Chinese Communist Party. You know, Leo, you gotta keep your eye on those. Communis <laugh> the press release quoted Governor Nome saying, wow, South Dakota will have no part in the intelligence gathering operations of nations who hate us.

(00:54:50):
The Chinese Communist Party, she says, uses information that it gathers on TikTok, apparently from watching Hank make things <laugh> to manipulate the American people. Yeah. Leav manipulated by Hank's salt. Yes. And they gather data off the devices across the platform because she says, because our serious duty to protect the private data of South Dakota citizens, we must take this action immediately. I hope that other states will follow South Dakota's lead and Congress should take broader action as well. The order took effect immediately and applies to all employees and agencies of the state of South Dakota. No more TikTok for you. No. In including persons and entities who contract with the state Leo co commissions and authorities or agents thereof. And thinking about that, you know, I thought I, I really do wish that I would still be alive in another a hundred years to see what the internet has become by then.

(00:55:59):
You know, will it have succeeded in pulling the world together? Or will the world's fearful leaders have established borders and regional controls just as they have everywhere or else? Wouldn't that be a terrible thing for the internet? I mean, that's just what we don't want, right? Yes. And it seems to be happening. It's spaghetti. It's getting chopped up and fragmented and and regulated. And now unfortunately, everybody is like suing everyone because they're not happy with the outcome of, you know, of using it. Speaking of which Albania has blamed, its IT staff. Remember the drama that we, we we covered back in July where Iran retaliated against Albania by melting down their government networks. Then Albania retaliated back by, which I guess is redundant by severing diplomatic ties with Iran and sweeping into the just closed I Iranian embassy looking for anything that Iran might have not sufficiently destroyed before leaving.

(00:57:04):
Also recall that it turned out that Iran had been rummaging around in Albania's networks since April of 2012. So for more than 15 months without ever being detected, they need a fixed canary. The hey, I thought that at as I was, they really could use that, pulling this together. Yeah. I thought, you know, someone needs to give those Albanians a clue. Well, who is to blame for all this? It must be someone's fault. Right? And, you know, we can't blame the vendors of the buggy systems. After all they provided patches for some of the problems. Usually, eventually, again, we've gotta blame someone. So Albanian has decided that it was all the fault of the IT staff. Oh. And so now they're in trouble. Oh boy. Albanian prosecutors have charged and asked for the house arrest of five government employees. The prosecutors say the five accused failed to apply security updates to government systems and also failed to detect the hackers that had been wandering around inside their network as far back as April, 2021.

(00:58:18):
Okay. So maybe the IT guys were seriously negligent, but we know that's not necessarily the case. If I may segue for a moment, a perfect example of Albanian scale negligence not being necessary is the news that the US Department of Homeland Securities Cyber Safety Review Board recently said that it intends to review attacks carried out by the lapses extortion group and will publish a report detailing how lapses managed to bypass a broad range of security measures without the use of advanced malware and managed to breach a large number of high profile targets including Cisco, Microsoft, nvidia, Samsung, Uber, rockstar Games and others. These companies are not firing their IT department staff because they recognize that it's possible to do nothing wrong and still be breached. Okay. In Albania's case, it could just as easily have been his excellency, the president of the Republic of Albania, who clicked a link in a phishing email to invite those crafty Iranian cyber warriors to come for a visit.

(00:59:44):
And who knows what managerial opposition or budgetary constraints the Intrepid five might have faced in their department. IT departments are notoriously understaffed, overworked, and unappreciated, and IT department and IT people are just like everyone else, right? There are good ones and there are bad ones. Which are they? We don't know. What I wonder though, is who they're gonna get to fill those vacated jobs with the risk of prosecution. No, good point. With the risk of prosecution for attempting to do a job that might be impossible, and knowing what happened to the last five guys I wouldn't be surprised to, I would not be surprised to learn that those IT staff positions are difficult to fill. So <laugh>, you know, I I I would be careful, you know how you deal with problems like this in the future. Wow. we do have some good news on the memory safe languages front.

(01:00:56):
 Since the August release of Android 13, which was the first Android were a majority of new code added to the project was written in memory safe languages including Rust, Java, and Kotlin. Google noted that since shifting its focus to memory safe languages, the number of memory safety vulnerabilities reported in the Android OS has dropped to less than half of comparable counts. So that's good news for memory safe languages. You know, I, I've all, I've always been saying that we're never gonna get our systems fixed if we keep messing with them. You know, this is, of course, the big problem with Windows is Microsoft refuses to stop and, and, and they just keep doing stuff. Well, when you do new stuff, you're gonna have new problems. And so the only thing you could do moot would be to start, you know, using, I mean, high quality memory, safe languages for all the new stuff you do.

(01:02:08):
And that's what Google's been doing with Android and they're seeing a, a precipitous drop. I have a chart in the show notes that that shows successive years of Android releases 20 18, 19, 20 21 and, and 2022. And I mean, it is really looking good. So, you know, something has to change in order for these problems to change. And empowering programmers with languages that help them makes all the, you know, all kinds of sense. I'm, we, I'm kind surprised Kotlin is so low because boy, everybody is so excited about Kotlin. Yeah. it's still a tiny fraction of overall. I I think it's good. It's cuz it's just the very start. Yeah, yeah, yeah. Yeah. And isn't Kotlin the one that runs on top of the Java vm? I think it, I think ultimately I, at some point Java's gotta be, I think has to be in there.

(01:03:04):
Although I see rust and C and c plus plus. Yeah. But, but the Google least the last time I looked at Android development, the underneath underlying stuff is Java. So I don't know. Yeah. Kotlin would make sense of virtual machine for a Java VM or a front end for a Java vm. I, I I think it is a, a different language on top of Oh, it's a wonderful language. I mean it's a very Yeah, it's for the jvm. That's right. Right. It's a great language and I would guess probably more memory safe has null safety and stuff like that, so, right. Yeah. It's pretty looking. I yeah, was for, for me, the, the, the prettiest looking language I ever did any serious working was Pascal. It was just, it was just, it was pretty And you could come back later and it made sense to you.

(01:03:53):
Yes. It was very concrete <laugh>. Yeah. And the least pretty was fourth. Oh, you fourth is a right. Only language. Fourth is fun. You could stare at that and have no idea what the hell is going on. Wintu Dao is one of the hosts on all about Android and Android developer loves Scotland. And I remember when they announced that they were gonna support Kotlin first class, and this was four years ago or five years ago. Google io the developers cheered. So I I have high hopes. Good. don't wanna see all that sea look how big the C slice is. I know. Talk about not memory safe. Wow. And c plus plus is like together. They're almost half. Yeah. Yeah. The other half is Java. Big slice for Russ though. That's also good, good news. Yeah. Yeah. Okay, we're gonna answer another question. Have those Black Hat USA S a 2022 talk videos, which were recorded back in August finally been published.

(01:04:49):
Why am I asking? You might wonder Probably cause because the answer is yes. Oh, they have, they have been. Yes. Woo. I have a link of the show notes for anyone who's interested right below that graphic you were just showing, it brings you up to a playlist of all the Black Hat 2022 videos. And those are, are always interesting for, for hackers. And they're all on YouTube, which is great. Yep. We do have another Chrome zero day Biting the Dust, which brings a total up to nine for Google. It was a type confusion bug in Chrome's JavaScript V8 engine. It was discovered internally by one of two Google's tag researchers. But being a zero day, it was found because somebody was using it. So, wow. There, you know, there's a lot of pressure to get into Chrome. It being the majority browser now.

(01:05:38):
 And this was another way that's now been foreclosed at some point over the weekend, I restarted Chrome and it came up with an announcement of, yay, you got a new version. It's like, oh, okay, good. Okay. the Verges coverage of Anchors UFI, spelled E U F Y I O t cameras did not pull any punches. Their headline read Anchors, UFI lied to us about the security of its security cameras. And then the subhead said, despite claims of only using local storage with its security cameras, UFI has been caught uploading identifiable footage to the cloud. And it's even possible to view the camera streams using V L C. Huh. Okay. Since, since I can't improve on the verges coverage and reporting, here's what they wrote at the, the beginning of it, it was long, but this will give you the idea. They wrote, anchor and a company we all like has built a, a remarkable reputation for quality over the past decade at the Verge building its phone charger business into an empire spanning all sorts of portable electronics, including the UFI home security cameras we've recommended over the years, said, the Verge yi's commitment to privacy is remarkable.

(01:07:12):
It promises your data will be stored locally that it, quote levered never leaves the safety of your home. That its footage only gets transmitted with end-to-end military grade encryption. Okay. At this point, you start to have to worry. Right. When someone says military grade or, I never wanna see that phrase again. No. Every advertiser puts it in there. I just take it out and say, AEs 2 56 or somethings frightening. Yeah. And they said that they will only send the footage straight to your phone. So the Verge wrote, you could imagine our surprise to learn you could stream video from a UFI camera from the other side of the country with no encryption. Okay. Now, the verges coverage of this might seem somewhat harsh, but they then show a snapshot of the marketing for the UFI camera, which makes all of these claims quite clear, which then makes the reality of what Anchor is doing.

(01:08:16):
Somewhat stunning. So in the show notes, I have this snapshot, which is right off of the UFI marketing page. They said, our technology keeps your privacy safe. Okay. Now, I'm not sure that privacy can be kept safe. I'm so, the wording of the headlines, yeah, you're not safe, but your privacy is <laugh>. Yeah. So, but they got two, they got the words in there that they wanted. That's the main thing. Yeah. Your privacy and safe. So, okay, so, so maybe actually who, whoever wrote this didn't even understand what they were saying. I don't know. But th that might be their way out of this corner. So they've got three big icons, local storage, and we've got kind of your house, and there's a server with a, I don't know, a power symbol on it. And that says, for your eyes only home is where your data belongs.

(01:09:12):
With secure local storage, your private data never leaves the safety of your home and is accessible by you alone. Okay? Now consider that in the context of the fact that it is, you can stream it from the other side of the world with V L C. Okay, second icon, end-to-end encryption peeking, prohibited. All recorded footage is encrypted on device and sent straight to your phone, and only you have the key to decrypt and watch the footage. Data during transmission is encrypted. None of that is true on device ai. Ooh, everything in-house, our super smart ai, apparently much better than their super dumb crypto is built into every Youthy device. It analyzes your recorded footage without the need to risk your privacy by sending it to the cloud. Okay? Like all of this is untrue stunningly wow. I mean, it's just, it's like incredible. None of it's true.

(01:10:30):
So get ready for the lawsuits and how the verge continued. Okay? The, the, the verge said worse. It's not yet clear how widespread this might be because instead of addressing it head on, the company falsely claimed to the verge that it wasn't even possible on Thanksgiving day. Infosec consultant Paul Moore and a hacker who goes by wasabi, both alleged that anchors UFI cameras can stream encryption free through the cloud just by connecting to a unique address at UFI i's cloud servers with the fee, with the free V l C media player. So, I mean, there shouldn't even be cloud servers, right? What, what if never leaves your house, it goes straight to your phone. What do you need the cloud for? But apparently there's a cloud and all your video is there, and you, you don't even need an app. You just use V L C and give it the r url.

(01:11:35):
When asked anchor pointblank to confirm or deny that the company categorically denied it, quote, I can confirm that it is not possible to start a stream and watch live footage using a third party player such as V L C said, Brett White, a senior PR manager at Anchor. Oh, well, he knows there. Yeah, and of course, that's exactly whose opinion you want regarding anything potentially damaged. I tried, but I couldn't do it. What is this vlc? Yeah, I I clicked the link and it just said, hello. Wow, the verge they wrote, but the Verge can now confirm that's not true. That is what Brett said this week. We repeatedly watched live footage from two of our own UV cameras, which of course they had been recommending in the past, so they probably had some using that very same V L C media player from across the United States proving that Anchor has a way to bypass encryption and access these supposedly cured cameras through the cloud.

(01:12:50):
They said there is some good news, there's no proof yet that this has been exploited in the wild. Oh, great. Now everyone's gonna jump on that. I don't know how, you know, I mean, you couldn't, there's no way to prove disprove. It's right, you know? Yeah. Suddenly the cameras are getting hot <laugh>. I wonder why. I do think you need to know the serial number of the camera. So that is true. That's restriction, right? They, they, they, they said the way we initially obtained the address required, required logging in with a username and password before Yi's website will cough up the encryption free stream. Again, none of this, none. I mean, like what they're doing completely belies what they said they were doing. I mean, the fact that you have a, a like you log into the cloud, well, then the video must be there.

(01:13:40):
It's not in your house. I mean, just this, like, just, just make your head explode. If you think about this, nothing they're claiming matches the services that they're offering. So they said but it also gets worse. They said Yi's best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera's feed, because that address largely consists of your camera's serial number encoded in Base 64, something you can easily reverse with, with a simple online calculator. The address also includes a Unix timestamp you can easily create plus a token that UFI servers don't actually seem to be validating. We changed our token to arbitrary potato and it still worked. Thank you. The Verge and a four digit random hex whose 6 5 5 3 6 combinations could easily be brute forced. And I'll note that other people have already done this and they did it.

(01:14:39):
So Mandy a, a Mandiant vulnerability engineer, Jacob Thompson tells the Verge, this is definitely not how it should be designed. Yeah, no kidding. For one thing, serial numbers don't change. So a bad actor could give or sell or donate a camera to Goodwill and quietly keep watching the feeds, but also he points out the cameras don't tend to keep, don't tend to keep their serial numbers secret. Some stick them on the box and sell them at Best Buy. Yes. Including ufi on the plus side, UFI serial numbers are long at 16 characters and aren't just an increasing number. We've seen that done before, not here. So quote, you're not gonna be able to just guess at IDs and begin hitting them, says Mandiant Red team consultant, Dylan Frank, calling it a possible saving grace of this disclosure. It doesn't sound quite as bad as user ID 1000.

(01:15:40):
Then you try 1 0 1, 1 0 2, 1 0 3 and so forth. Anyway, I'm reminded of the fact that I don't have a single connected video camera anywhere within my environment, and that your wife, Lisa Leo, early on intuited the inherent dangers of having unknowable video capture technology, which is what all of this is lurking around the house, you know, in A T N O trust, no one world, the the simple though impractical truth is, unless you designed it yourself, you don't know what it does. And I should add that due to the crazy complexity of the things we designed today, even if you did design it yourself, you may still not know what it, what it, that it does, what you think, you think you what it does, what whatever, what you said, man. Yeah, right. On <laugh>, the point is maybe it isn't an easy thing to exploit, but they completely misrepresented what was going on.

(01:16:46):
Oh my God, yes. Nothing that they said about it was when, and they must have known better. I mean, they, I mean, it's not an accidental mistake. Disclosure. The one, the one out I had was when you have a situation like an anchor was apparently in where everybody loved their power supplies, which they probably themselves actually did create, there's a tendency to go buy other companies, right? In order to expand yourself. Happened. Yeah. Yeah, yeah. And so it probably is like, well, we got all this money from power supplies, who looks good? Oh, let's, you know, let's get ufi. They have, you know, they make everything too. They make headphones, they make all all kinds of stuff. Anchor has a sound core division. Yeah, they, exactly as you say, they found success and they then expanded. Yep. And so they're the, they, the anchor people, unfortunately, are tying their good name to products that they can't actually vouch for, but which are making the money now. And they've got Brett out there on the frontline saying, what, what link? I don't have a link. Where, where, where'd you get that link? That's illegal for you to have that link. I tried, but I couldn't do it. <Laugh>.

(01:18:02):
Okay, so this is moderately random, but not too far afield for this podcast. Every, everyone knows of my passion for coding, but I predate electronic computers, and before computers was electronics. Although coding has taken over, electronics will always be my first love. So in addition to coding, I occasionally do a bit of tinkering, hacking, and designing with electronics. At some point in the past, some Googling must have taken me to a place called Seed Studio, that's s e e e d, spelled with three ees seed studio.com. I purchased something from them. I don't now remember what, and as a consequence was promptly added to their periodic mailing list. In this case, I don't mind the spam because the mail contains photos of the stuff they're promoting, and my jaw spends most of its time hanging down with my mouth open. <Laugh> over the insanely low cost of the technology that's currently available from China.

(01:19:14):
It is truly astonishing. For example, a recent mailing showed the seed studio X I A O E S P 32 cun three. It's a tiny module about the size of a quarter with 14 electrical connections, seven on either side, and what appears to be two tiny buttons and an L e d. It also has a tiny u s BBC connector, presumably for programming this little thing. And all of the software for doing so is open source. It's description says seed studio X i a o e s P 32 C three, adopts new risk five ooh architecture. Ooh, supporting both wifi and b l e wireless connections on this ring. The thing on that thing, wifi. Wifi and Bluetooth what for Internet of Things applications. You'll find it as flexible and suitable for all kinds of I o T scenarios. Okay? I was curious. So I looked into the chip.

(01:20:21):
This uses the E S P 32 C three. It's a 32 bit risk five microprocessor, which includes a whole host of IO peripherals in addition to wifi and Bluetooth five. It has cryptographic hardware accelerators that support a e s 1 28, 2 56 what? S h a hashes, R s rsa, H Mac, digital signatures Secure boot. What? And has a hard, and it has a hardware random number generator. And how much is it if you purchase just one $4 and 99 cents? Oh my God. Five. Oh my god. $5 for that. And that's like, that is just typical of what this Seed Studio has for sale. Anyway, that's just, don't try to bring it into South Dakota. That's all I'm saying. No, no, no, no. That's, that's outlawed <laugh>.

(01:21:20):
It might have TikTok embedded on it. <Laugh>. Oh, anyway. That is so cool. And risk, everybody's very interested in this risk. Five, this is the newest kind of open source digital architecture Yes. And license free. Right? The reason they're not, there's no arm on this, is you have to pay arm for that. And you're not gonna sell something for $5 that has this and everything else. It has, if, if, if you have to pay some arm license, it shows you what the arm tax is really, if you think about it. Yeah. And so risk, and I mean, risk five is it, it's a beautiful architecture. It's been, it's been like moving along for years and it's evolving and it has an absolutely mature, open source free tool chain for doing stuff. But none of that is why I'm, I've brought this up today. Although Steve, you could put your, you know, it could be a spin right?

(01:22:16):
Hardware device. Does it have room for software? You could put spin right on it. You wouldn't have to use Doss or anything. You just plug it in and boot to it. Wonderful. $5. I'm just telling you. I'm just telling you. All right, all yours. Okay. That's not why I am telling anyone about this. I'm telling anyone about this because a month or two ago, maybe three something in one of those mailings brought me up short because it was similarly stunning. And I thought you guys, our listeners all needed to at least know about it. It got away from me when I went back to try to find it. I don't know. I didn't know where it went, but when their most recent mailing mentioned it again, I thought, okay, this time is not getting away from me. Okay, get a load of this. It's called the link star H 68 K dash 1432 multimedia router.

(01:23:19):
It has wifi six four gig of Ram 32, gig of E M M C, flash storage on board with an SD card slot for more. It's powered by a quad core 64 bit cortex, A 55 chip an arm G 52 2 E E G P U. There's a G P U because it can output H D M I 4K video at 60 frames per second. What it ha it, by the way, Leo, it's two and a half by three and a half inches. That's the size of that little thing you that, that you're looking at <laugh>. It has a u SB three port, two U SB two ports, a U, SB type C that can be attached to a SAT three drive on the router side, aside from its dual band, 1200 megabits wifi six, it also has four ethernet ports, <laugh>, how they fit 'em in individual interfaces.

(01:24:19):
Two, running at up to two and a half gig, another two at one gig. It comes with Android 11 pre-installed what? But also supports Ubuntu Debian arm, bn open w r t, and build route, which is used to build embedded Linux systems. I just thought of a new geek game. We could play geek prices, right? So what will this little pocket size fan list, wifi six four ethernet interface router set you back? How about $119? Unbelievable. Wow. That's what got my attention. Th th that little net gate sg 1100 router that I love and use and have recommended. It's 180 9 and it only has three ethernet interfaces and no wifi. This thing has four separate interfaces and wifi six and a ton more. The fact that you can drop open w r t onto it and have an operating state-of-the-art router with four ports all, you know, isolated individual subnets and wifi six for $119.

(01:25:24):
Could you put PF cents on it? Do you think that, I don't know. I, that, that's a question I have and maybe one of our listeners will be interested to try. Again. It's, it's hard to imagine this thing from the picture. It's two and a half inches by three and a half inches, and it's fan, it's got a little heat sing on the bottom, multiple U S B ports 4k, H D M I and, and, and a and a SD card slot. It's just incredible. For 119 bucks in the palm of your hands, I want to be clear. I don't own one. I don't have time to own one, and I'm not vouching for it. <Laugh>, do not buy it. We're gonna get mad at you, <laugh>. That's right. I do. I'm so, I'm not vouching it for any, for any way, unlike the ZMA board, which I was happy to vouch for since I had several and I loved them.

(01:26:21):
You're on your own with this thing. If you should decide to take the plunge for the right hardware tinkerer, this could be so much fun, and it's not very expensive. I had the link of the show notes, and it is episode 900 s. This episodes G R C G R C shortcut of the week. So grc.sc/nine, that will take you to this thing's webpage where you can see for yourself. Anyway, I just, it was so cool, so inexpensive. It could be the perfect home router, four ports of add wifi six for hundred hundred. Cool. $19. Boy, we live an amazing time. Steve, can you imagine if you were a young guy, you know, a teenager, you know, at the time building the portable dog killer, if you'd had something like Seed Studio available to you, you might have, unfortunately, I'd probably be bringing Elon's satellites down <laugh> if I had it. That's a good thing. It's a good thing you didn't have it, so, wow. Wow. I figured out how to fire the retro rockett. Cool.

(01:27:31):
Okay, speaking of Elon, one last piece of lunacy when asked during a scheduled Twitter space chat this past Sunday, why he bought Twitter, Elon explained his decision as follows. And I'm not making this up, quote, I can't exactly say why, because it's one of those things where it's like my biological neural nets said, it is important to buy Twitter. And just like with a digital neural net, you can't really exactly explain why the neural net is able to understand an image or text. The collective result of the neural net says, this is an important decision, or this is the right action. And my biological neural net concluded that it was important to buy Twitter. And that if Twitter was not bought and steered in a good direction, it could be a danger for the future of civilization. And so that's why I bought it.

(01:28:43):
Wow. <laugh>. Oh, wow. Clear as mud Elon. Yeah, Elon. So, okay, you're, you're, you're passing the responsibility off to your brain whose operation you don't understand. I don't know what I'm doing or why I'm thinking it, but I'm gonna do it anyway. Yeah, because, you know, I'm a biological neuro laurel net, just like those image recognizers, and we don't know how they work either. It's puzzle, whether he knows what he's saying is it is moronic and he's saying it to dis, you know, to confuse and, and, and, huh, distract you. It's, or if he actually believes it, which I don't, I don't know which is worse. <Laugh>, that's amazing. So I did not have time to make a comprehensive scan of my dms this week. Frankly, the, the, their, the dms channel is becoming quite popular and it's there's a lot to go through.

(01:29:45):
I'm only gonna share my own tweet from last Wednesday. For those of my, of our listeners here who don't follow me on Twitter. And there are many I tweeted on Wednesday to All Security Now listeners, I'm currently listening to Alex Stamos on Wednesdays this week in Google. Alex has not let anyone get a word in edgewise because he has so much amazing information to share without reservation. I recommend all caps listening to this. It's fantastic in all caps, exclamation point. That tweet received about three times as many likes as my, as any of my weekly security now notes, postings, tweets do, as well as 13 replies in 12 retweets. Alex was amazingly wonderful. Thank you. And I just, yeah, wanted to make sure. I wanted, like, this is a, a reading or a listening assignment for all of our listeners last week's. So what would that, that would be November 30th.

(01:30:59):
 If you just go to this can Google twit TVs amazing twit TV slash twig. We'll take you to the twig page. It's episode 6 92. So it'll be the first episode if you'd go right now. But even in a few weeks, it'll still be twit tv slash twig episode 6 92. And, and you don't even have to wade through a bunch of crap in the beginning. I mean, like, there's no crap. They, like Alex said, is, is this microphone on? And that's all it took. It was very meat it rich density of information. It was, he was great. He's astonished. Wonderful guy. And I, I really enjoyed him. And I'm hoping we can get him back cuz he had a lot to say. So on my end to say that things are going well with spin rights alpha release testing would be an understatement considering how poorly things could have easily gone.

(01:31:54):
I'm still somewhat in shock that we are very close to having a final release. I have to, I have things to fix, but nothing major so far. Most mostly people who are now really engaged and involved are like, keep asking for new features. And so I was like, oh, you know, I, I, that's really not what we should be doing now. So it's really looking good. There was one posting to the news group last week that I wanted to share because it makes a point that I need to drive home not only for everyone's safety, but, but it's part of the reason why I am so fired up about spin right's potential long-term future. This person posted this, he said, I have a think pad helix and the s s D is a Samsung e v o one terabyte msat. So high end, you know, Samsung, Evo o, that's all, that's the only brand I buy now.

(01:32:49):
He said, when the spin right pre-release starts, it estimates 31.7 minutes for processing. However, a level two pass with no errors detected takes two hours and 56 minutes. Okay, so just shy of three hours, he says. So that's more than five times longer. It's actually almost six times longer, right? It guessed it, it estimated 31 minutes. It actually took three hours. So six times he says, then the estimated time he asks, is that normal? Okay. So I replied to him in the news group, we have found that whereas the fronts of spinning drives tend to be the fastest regions because they contain more sectors around their longer outer tracks, the fronts of many SSDs are conspicuously slow. We posit that this is due to the presence of much more on the fly error correction and data recovery. We first saw this using the Reed Speed benchmark tool.

(01:33:56):
One of my future plans is to locate the slow to read spots and selectively rewrite them to restore their speed by eliminating this unseen error correction and data recovery, which results in a significant reduction in s s D performance. I said to him, if you do discover that the front of that drive is quite slow, you could identify the slow region and run level three, which does a rewrite over just that region. And it might very well speed it back up, I said, and that would likely also increase its reliability by solidifying those sectors, which might be on the verge of transitioning from very slow to unrecoverable. He replied, I just did a level three on the entire drive with alpha four and now spin, right estimates, the one terabyte drive will require 29.7 minutes and a full level two scan completed in 29 minutes and 50 seconds, which is an almost six times faster than it's scanned.

(01:35:15):
A couple of days ago he said, thank you for say thank you so much for creating 6.1. So what that means is to summarize this, he first did a, a simple read pass on that s s d in his think pad. It took him three hours just to read all the sectors. He ran Level three a spin right Level three across the entire drive. Now that same process of simply doing a read scan takes 30 minutes, just shy of 30 minutes. So running a level three spin right on an S S D that had nothing technically wrong with it increased its speed by a factor of six on average across the entire S s D. That's what we're seeing. So this is the reason I am, I am very excited there. What's happening is we are SSDs are having trouble reading their contents, but still able to, yet it's revealed by a significant slowdown, which is going unnoticed.

(01:36:34):
But how many times have we heard that an S s D based machine, which being solid state, you would think, right, it's solid state that an SSD based machine doesn't seem to be as fast as it was when it was new. That wouldn't seem logical, but this might be what's going on. So, as I said, one of the things I have in store once spin, right six one is launched and we start working immediately on seven, is to profile thefor the performance of mass storage media to locate and selectively repair sluggish spots. But for what it's worth, what anyone can do or will be able to do as soon as six one is out, is to give such drives a sing, a single level three pass, as this person who just posted did, which very well could significantly improve both the systems performance and its reliability by rewriting the drives of sectors to recharge those leaky storage capacity cells.

(01:37:39):
So anyway, a cool outcome from the six, the six one work and Leo? Yes, sir. Let's do our last insert and then we're going to revisit unfortunately, last pass you again <laugh>. You call it an insert. I call it a cherished sponsor bringing us. Oh yes. Snooze. You can use <laugh>. That's what I meant. Yes. Look, I know you did. We're talking PL track, of course. Well, we'd actually love PlexTrac, the purple teaming platform. They are the premier cybersecurity reporting and collaboration platform, completely transforming the way cybersecurity work gets done, whether you're on a red team or a blue team, or somewhere in the middle, a purple team, a Viva Magenta team. Are you ready to gain control of all your tools, all your data? Are you ready to build more actionable reports and focus on the right remediation? Are you working to mature your security posture?

(01:38:40):
But I bet, and I think we all, this is not unusual struggle to optimize efficiency and facilitate collaboration within your team. That's what PlexTrac is all about. It's a powerful but very easy to use cybersecurity platform that centralizes all your security assessments, all your pen test reports, all your audit findings and vulnerability tracking PlexTrac transforms the risk management life cycle, letting your security team generate better reports, faster, aggregate and visualize analytics and collaboration on remediation in real time. And by the way, a message for the team <laugh>, you're gonna love it. You're gonna love it. It, it saves you time. It makes it easier to get your job done. The PlexTrac platform addresses pain points across the entire spectrum of security team workflows and rolls. Second and none for managing offensive testing. Get that red team going here and then reporting the security findings.

(01:39:43):
You can put code samples easily inserted, screenshots, even videos can be added any finding. You can import findings from all the major scanning tools too. The anything that you use, neis, burp, whatever you use, you can export to custom templates with a click of a button. Which means once you've got your template set up, your reports are uniform, they're easy for you to generate a lot less typing they get the job done. You know, it's, it's really incredible. Analytics and service level agreement functions help you visualize your security posture so you can quickly assess and prioritize and ensure you're tracking remediation efforts to show progress over time. Great for compliance too, for that reason. Built in compatibility with the all the industry leading tools and frameworks, including vulnerability scanners, pen testing as a service platforms, bug bounty tools, adversary, emulation plans that mean you can approve the effectiveness and the efficiency of your current workflow.

(01:40:40):
Whatever it is, robust integrations with Jira and ServiceNow ensure you're always closing the loop on the highest priority findings. I mean, I can go on and on. There are so many features, this is so much what you want. Enterprise security teams use PlexTrac to streamline their pen tests, their security assessments, incident response reports, and a whole lot more. Plex extract. Clients say quote, up to a 60% reduction in time spent reporting. See, and man, that just feels good. 60%, 30% increase in efficiency. And for the boss, a five x R o ROI in year one, PlexTrac provides a single source of truth for all stakeholders transforming the cybersecurity management life cycle. Book a demo today to see how much time PlexTrac can save your team triplex track free for a month. See how it can approve the effectiveness and efficiency of your security team.

(01:41:36):
Just go to plex track.com/twi and claim your free month. P L E X T R A C PlexTrac, no. Okay, plex track.com/t w i t. You know, you want this thing, get it Plex track and your team wants it too. Plex track.com/twit. We thank you so much PlexTrac for supporting security now and you Security Now, listeners, you support us when you use that address, so please do plextrack.com/twit. And now the continuing last Pass Saga and I, you know, we still use Last Pass for our enterprise. I do access and identity management. So let me know if we should stop. We, I mean, I use Bit Warden at home, but, but TWIT uses Last Pass like many other last Pass users last week. I received another note from Last Pass. The note is short so I'll read it into the record.

(01:42:35):
 We got a note from team Last Pass as well. It was signed Dear Valued Customer. In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating. We recently detected unusual activity within a third party cloud storage surface service, which is currently shared by both LastPass and its affiliate go-to. We immediately launched an investigation engaged Mandiant, a leading security firm, and alerted law enforcement. We've determined that an unauthorized party using information obtained in the August, 2022 incident was able to gain access to certain elements of our customer's information. Our customer's passwords remain safely encrypted due to last passes zero knowledge architecture. We're working to diligently understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat acti actor activity.

(01:43:45):
In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and con configuration of LastPass, which can be found here. And then they provided a link, as is our practice. We will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident. We thank you for your patience while we work through our investigation. Okay, so there's no follow up yet. Last time we waited precisely three weeks for the first announcement. The first release occurred I mean, we, we, we, sorry, we were, we waited exactly three weeks from the first announcement. The, the first announcement came on August 25th, and three weeks later we got the update on September 15th. For me, the two most relevant pieces of information in this first of presumably two disclosures are where he, where the person, the team <laugh> wrote, we've determined that an unauthorized party using information obtained in the August, 2022 incident was able to gain access to certain elements of our customer's information.

(01:45:04):
So that and our customer's passwords remain safely encrypted due to last passes zero na zero knowledge architecture. Okay, so a as usual from, you know, all such partial disclosures, we are left wanting more. Of course, you know, we don't know at the moment which quote, certain elements of their customer information was inadvertently made available, but they apparently know they're not saying yet. We know from the follow up note from the first intrusion that the bad guys were rummaging around in some developer network that was not connected to their production SY systems. But now it appears that those who were doing the rummaging managed to get sufficient information. They found something <laugh>, right? They found some keys in there, right? Whether in the form of source code that they, you know, that that disclosed or perhaps that like some other way to get into something else, or maybe in the form of credentials that were bound into the whatever it was they got, which were used to, to perpetrate this latest breach and information exfiltration.

(01:46:22):
 If, if last pass lost control of their customer's billing data, you know, names, credit cards, street addresses and so on, that would not be good. But, you know, at this point we're just speculating. Presumably in another two weeks or three, whenever we'll be told more, we let you know. Let's hope. Last week after this happened, I popped on for the first, first 50 minutes of Tech News Weekly with Jason and Micah to talk about this latest breach. I made the same point that I always make, which is that none of the passwords and other secret data that's being stored by any of the many competing password managers in know last pass and all of them should ever be vulnerable to any breach of the data that's being stored on our behalf in the cloud. You know, that's thanks to what we once called.

(01:47:21):
We, we, we coined the abbreviation or an acronym pie, which stood for pre-internet encryption, you know, which the industry now calls end-to-end encryption, though that term is becoming less useful as non end-to-end systems abuse it. I mean, you know, even Apple says that iMessage is end-to-end encrypted, except that, well, it's not in the out, not in the cloud cuz they had the keys to that. So again, the, unfortunately, the definition of end to end is being abused, but you know, that's gonna happen when any, you know, popular phrase gets into the marketing department. The, but the point is, if it's done correctly, we're really just using a password manager's cloud service to keep our various devices synchronized. It's, it's simply a synchronization mechanism. And in fact, my, my annoyance with the pass keys system, which is becoming hopefully will become popular, is that it isn't, there isn't an all in one cloud sync for them.

(01:48:29):
This is an opportunity for Microsoft to keep their devices separate from Apple, to keep their devices separate from Google, to keep their devices separate, unfortunately. But anyway maybe that'll change when password managers start supporting pass keys. Maybe we'll get sync back. That's a possibility. The threats we face to our storage secrets, and this is the point, are only on our end. In order to do its work, at some point, any password manager must have at least the users, you know, username and password decrypted for the site that they're visiting and wanna fill in the form for, I don't know whether the password that, whether the entire password archive is decrypted as a whole or whether sites can be decrypted individually, which would seem safer to me. But either way, at some moment in time, the data must exist in the clear, in the user's browser.

(01:49:35):
Way back at the start of this podcast, we noted the inherent impossibility of protecting encrypted D V D video content because the player itself needed to be able, able to decrypt the DVD v D in order to play it for its owner. And the DVD's publisher ultimately had no control over the DVD d player and what it did. So all they could do is the best they could do if the password manager's browser add-on were to be adulterated in some way to break its security design. Or if something was able to somehow intercept its operation in the client, that would prove devastating. But it's difficult to see how any breach of Last pass or any other password manager's cloud syncing facility could ever endanger a user's always encrypted secrets. Now, of course, none of this prevents reputational harm to last pass. You gotta know they're not happy about this, but they're also like the biggest target in town.

(01:50:42):
So that's what comes with being a, the big target like Chrome is the big browser target, and most users will have no idea what it means for all of their data to always be encrypted before it leaves their browser. They don't see anything leaving their web browser. They have no concept of the cloud or a client side encryption or what any of that means. They just know that they're using this or that password manager and this or that password manager suffered a breach. And that the press is now able to say that this is in the case of LastPass, the second breach in a little over four months. If we assume that the decision took change, password managers is unwarranted. And I'm not suggesting whether it is or it is not. It's, you know, a personal decision. Then one huge advantage any password manager has is inertia.

(01:51:43):
It's much easier to change search engines than it is to change password managers. You know, certainly it can be done and the password managers have provided means to lower the bar to doing so offering various importers of other password managers content you know, and, and archives. But it seems most likely that until users learn that someone's passwords were actually stolen, inertia will reign. You know, the statement our customer's passwords remain safely encrypted, I think matters a lot, especially when changing password managers is a pain to do. The listeners of this podcast as knowledgeable and sophisticated as any anywhere you know, they're able to make an informed decision. I don't know what it means for them. I'm continuing to, to remain with last pass because I have no interest in punishing them for making a mistake. And there is, is no indication that the security I actually require from them has ever been endangered.

(01:52:52):
You know, that said, I'll be interested in, you know, to learn more in the next couple weeks when they're able to tell us more. I think, you know, their their fiduciary obligation is to immediately engage law enforcement and an outside firm and tell us that this has happened. It so it's reasonable for them for us to give them a few weeks, you know, for them to tell us more. And I'm, I'm sure we'll get something in a week or two. Good. Nothing to nothing to fear yet anyway. Yeah, I, I mean I just, I do, I do think the fact that something that happened, some information that escaped from the first breach got, you know, yeah. Used in some way is like, well, okay, that, you know, what it wasn't is a leak of they don't know what your master password is. They can't unencrypt correct your, your vault.

(01:53:47):
So there was nothing that could be leaked in that regard. Right. The, you know, the other thing maybe to worry about, and this was something that Travis Orman, Tavis Armandy brought up is the, the way that that Java script Chrome extension or Firefox extension works the code in there because at some point he does have to see it in the clear Yes, that is the concern is what happens on the client side, right? Not but but not on the cloud side. Right. Right. Yeah. And in fact, you know, one, one of my favorite expressions back when I was spending time doing squirrel stuff was that I used to say Squirrel gives websites no secrets to keep. Yes. And that's the team, and that's the, that's the team that's trust no one exactly. It's, it's trust. No one, not even, you don't even have to trust your password manager.

(01:54:34):
Right? Right. And somebody's saying, well, didn't Steve review the code? Well, you reviewed the code, but like 10 years ago, <laugh>, I mean, I don't think, well, any of that code survives and it wasn't their code in their cloud. I what, what it was, was it was the algorithm right, that Joe was using, which is this concept of client side Right. Blob encryption. Right. That's what it was. Right. And in fact, he even provided, he provided me a webpage where you could, you, you could go and like see a simplified JavaScript and understand it and see what it was doing. Yeah. My my guess is that any, all the major password companies do basically the same thing. They'd be, they'd be insane not to Yeah. E two E encrypted law, you have to Yeah. You have to do this. Yeah. The, the moment a password company actually compromises their, their user passwords, they might as well just declare chapter 11.

(01:55:30):
Right. It's over. Right. Roll up the carpet. Right. Nobody will ever use them again. Right. The other good side of this last pass has been spun off Log Me, which it's a complicated long corporate chain. But the equity capital company that bought Log Me is spinning last pass off as a standalone company, which if it isn't already, it will be any day now. And in a way that's good because of course, equity capital Yeah. Helps 'em keep focus. Exactly. And equity capital's always looking to make their investment back. They're usually highly leveraged. So just getting that off in its own corner where nobody's gonna tell 'em what to do means that they, I mean, they're good people. They know what to do and they will keep doing the right thing as long as they're left to their own devices.

(01:56:14):
And I think that's probably Well, and you know, I mean, this hurt them. There's no doubt this hurt them. No. You know, no one wants to say it. Whoops. We were breached. But you know, nothing to see move along. Well, everyone there, there's a gonna be a, a bunch of people that go, okay, that's two in one year. Yeah. You know, I'm not waiting for three strikes. Yeah. I'm going's true with two strikes. But, but you've reassured us. I hope, you know, I think everybody's listening. I, I I'm not changing. I'm, I'm, and if you're in Australia, just, you know, don't you <laugh> I don't know what Australia would do. <Laugh>. No, they had, they did responsibly disclose it, didn't they? They, they were the letter of the law in Australia. And GDPR has a responsible disclosure clause. I don't know if we do in the us feels like we ought to, but since you're there's CISA is definitely, certainly among government agencies.

(01:57:00):
You know, thou shout, disclose. Yeah. I I I think it was within, was it 48 hours or 24 hours? I mean, there was a short time. Yeah, you, yeah. There's a short window. Yes. At least. But I don't know. But they don't have the 50 million Australian dollar penalty to back it up. That's the problem. <Laugh>. Oh boy. <Laugh>. That does, that does get the job done, I must say. Yeah. I must say Steve Gibson, you get the job done each and every Tuesday with security now. Thank you so much for episode 900. What a milestone, huh? Wow. We would never have thought way back in, what was it, 2007, 2006? We were still using Cranks cranks to start our cars. Leo <laugh>. It's a lifetime ago. But we are, we're doing it, and we're gonna do it again next Tuesday, and we're gonna keep doing it for at least two more years.

(01:57:52):
 Go to grc.com. That's Steve's website, the Gibson Research Corporation. Couple of things you can do there. Of course, first thing you should do is get spin, right? The world's best mass storage, maintenance and recovery utility. Looking better every day. You're getting 6.0, but we're, we're minutes away from the release of 6.1. And anybody who buys now will get 6.1 for free. As an automatic upgrade, you'll also get to participate in the development, which is kind of a fun thing to do. There's wonderful forums going on all the time. Steve's got his own. Don't ask for any new features. No, no. Too late. It's locked, please. Yeah. Solid locked in <laugh>. While you're there, you also should check out all the other freebies that Steve offers. Shields up his world, famous things to test your network router and so forth. And you can get a copy of the show while you're there too.

(01:58:40):
Save yourself a step. He has 16 Kilobit Audio for the Bandwidth Impaired. 64 Kilobit Audio, that's the standard version and transcripts written by Elaine Ferris. So they're very well done. So you can read along as you listen, or you can search to find a part of it all. That's at grc.com. Feedback forms are open at grc.com/feedback. Steve's also on Twitter, although it sounds like it's a little busy now. Your dms might be a little full <laugh>. Don't DM 'em there, but you can follow 'em. I have some catching up to do. Yeah. At SG grc we have copies of the show, too at our website TWIT TV slash sn. There's also a YouTube channel dedicated to security. Now, a good place to share clips if you wanna share clips, all of the big shows are on the YouTube. And of course you can subscribe.

(01:59:29):
Best way to do this to support rss, you know podcasts. The, the original, the best, the l the, you know, least privacy invasive form of podcasting is, is getting it in a podcast client like, you know, Google's or Androids Podcast client or PocketCasts Overcast, something like that. And in fact, if you subscribe, then you don't even think about it. You'll just get it automatically. If you wanna watch us do the show, we do it live Tuesdays roundabout right after Mac Break Weekly. So that time will vary sometime between one 30 and 2:00 PM Pacific Time. That's four 30 to 5:00 PM Eastern Time, 2130 utc. And the Streams audio and video are at live. Do twit tv chat with us live during the show@irc.twit.tv. Of course, club twit members get their own private chat room in our Discord. Discord is so great, I just love it.

(02:00:22):
And one of the, it's just one of the benefits of Club Twitch. Seven bucks a month, $1 less than a blue check on Twitter. Steve, I might point out if you could get one, which apparently they still <laugh>, they still haven't done. But for seven bucks a month, you get ad free versions of every show you get, shows we don't put out in public, like Hands on Macintosh with Micah, Sergeant Hands on Windows with Paul Throt, the Untitled Linnux Show with Jonathan Bennett Stacy's book Club. We're doing Project Hail Mary next month. We're doing actually this, I think it's this week. Lemme look real quickly. We're gonna do an interview with Glen Fleischman. I'm gonna ask me anything with Glen Fleischman. That's our next event. And that date is December 15th. January 12th is a book club. Lisa and I, January 19th, are gonna do an inside twit for club members.

(02:01:07):
And Wintu Dao our Android developer from all about Androids doing a fireside chat in February. That's just some of the special events we plan for Club TWIT members. Plus you also get the Twit plus feed with stuff that happens before and after shows. Join the party as Aliah G says, join the party. Go to twit.tv/club twit sign up for a day, a monthly subscription. You can also get a yearly subscription. That'd be a great gift for the geek in your life. There's corporate subscriptions too, and I gotta say, it really is important to us because I don't know if you've heard times are tough in the, you know, RSS based podcast world. Everybody's going to iHeart and Spotify and Amazon. We want to continue to do what we're doing. So please, if you, if you like what we do and you wanna keep it going, help us out.

(02:02:01):
Twitter tv slash club twit. There's my plug. And just put that in there, Steve. Have a wonderful week. I am gone to book two of The Expanse. I'm finally getting around and reading these Oh, the Expanse, you know, nice. I like the show. Okay. But I love the novels. I think they're very surprisingly good. I didn't expect Yeah. Quite so well written. Yeah. So I just finished Leviathan Wakes. Who is that? A strong ending. <Laugh> that gets you started, man, that's so exciting. <Laugh>. I, you know, forget the TV show. I'm reading the books. Thank you, Steve. Have a great week. Okay, buddy. Bye.

Mikah Sargent (02:02:37):
If you are looking for a midweek update on the weeks tech news, I gotta tell you, you've gotta check out Tech News Weekly. See, it's all kind of built in there with the title. You get to learn about the news in tech that matters. Every Thursday, Jason Howell and I talk to the people making and breaking the tech news, get their insights and their interesting stories. It's a great show to check out TWI tv slash tnw

... (02:03:05):
Security Nooooow.