Security Now Episode 920 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now Steve Gibson is here. We're gonna talk about a couple of zero click exploits discovered NSO Group was selling them. Some of them might even get around lockdown mode on the iPhone. We'll also talk about why you should wipe your routers before you sell them or give them away. And speaking of routers, a flaw in Cisco's I o s that hasn't been patched in some older routers, and why you should fix it now. It's all coming up next a lot more too, on Security Now.
Podcasts you love. From people you trust. This is TWiT.
Leo Laporte / Steve Gibson (00:00:43):
This is Security now with Steve Gibson. Episode 920, recorded Tuesday, April 25th, 2023. An end to end encryption proposal. Security now is brought to you by AG1 by Athletic Greens. If you're looking for a simpler and cost effective supplement routine, AG One will give you a free one year supply of vitamin D and five free travel packs with your first purchase of a subscription of the Delicious AG1. Go to athleticgreens.com/securitynow. And by lookout, whether on a device or in the cloud, your business data is always on the move. Minimize risk, increase visibility, and ensure compliance with lookouts Unified platform. Visit lookout.com today.
It's time for security now. Yay. The show. We wait all week four in my case, all month four. Yes. Who's back? I'm here kids. And I missed you. Yes, indeed. I missed you. Uncle Steve. Well, Leah aunt. And Jason did a great job of holding the fort down. I really appreciate that. The one, the one piece of news that really had me thinking of you was the, the news that we covered in February of that ridiculous psychotherapy clinic in, I don't remember where in Europe, somewhere. Finland, I think. Who, where they had the, the, A hacker got in and stole the records of 30,000 Yeah. Of their previous clients. I remember. And when, and when the clinic didn't succumb to the ransomware threats, the hacker emailed all the clients <laugh> saying, I've got all your data Uhoh. I need 300 bucks from each of you.
Oh God. Or I'm gonna expose you to the internet. Well, the good news is the c e o is convicted and in jail. Oh, good. So that Yeah. That I, I was thinking they take that stuff seriously there. They, yeah. I gotta tell you, like, a one thing though is extremely annoying. You think these cookie banners are bad in the states? Uhoh, every page you go to, it covers the page. Oh, you can't do anything until you see this bi. It's much bigger, much more elaborate. Lots clauses. And you, every single place you go to, you gotta click that. So they take that loss seriously too. And I'm so stupid because <laugh>, what are you gonna click? But accept, accept, accept, right. Yeah. It's just dumb. Anyway I'm glad to be back and I'm so glad to see you. I did. Now don't take this amiss, but I did, you know, we have an AI leo now.
Ah, and I saw that you asked chat G P t. Yeah. You know how many, when, when would be I be doing the last episode of, I'm just trying to do some planning. It was quite wonderful. Yeah. I said, cuz as you said, you've said this again and again. You 9 99 is last episode cuz you don't have four digits in you. And we're doing nine 20 today. So I asked, first I asked Chad, g p t, the, in fact G p D four, the official open a y one to tell me, well, when will Steve's last show be? It went on and on and on to calculate the date that 79 weeks from April 25th, 2023 will follow these steps and came up with the wrong freaking answer. Well, and I love it too, cuz it then it, it begins moving month to month. Trying to figure out how many days each month pass.
I mean, and then it gives up. It's amazing. Yeah. It's sort of amazing that it got, like, it thought it knew what it was doing. <Laugh>, but it's bizarre. And it, it is the point that it is the point that is worth making. 60 Minutes did a piece on, on all of this. I think it was Sunday before last. I mean the I think it was Scott Kelly who had, who had it was there the first half of the show. And he was astonished by some of the things that this thing came up with. Like, they, they, they gave it a like hemingway's shortest writing, which was three, two sentence words and, and asked it to expound on it or create a short story from it. And it did this amazing job. Well, that's what it done. And, and then someone said, and we'd like it as prose and it turned it into a poem.
Sure. Lori, Lori had tears running down her face <laugh> because it was just so eloquent and amazing. And then, then, but the point is then they said give us your forecasts for the economy. Oh. And it again, it produced this beautiful, very credible Yes. Fantastic looking result. And, and then said, for additional information, you might check these five reference texts, none of which were actual <laugh>. It made them up. Mixed stuff up. Yeah. <laugh>, because it's just fancy auto. Correct. I did go to Wolf from Alpha, which can do math. And just in case anybody wants to know, unless we miss an episode because of a best of or whatever October 29th, 2024 will be Well, and you, you actually keep the count. You keep the counter going through those. Yeah. I, because think we should. It should be accurate. Yeah. Well, yeah. And because I mean, I've had my count off when I forgot to add one.
Yeah, we across the ho Yeah. Across the holiday. So it's like we try to get it, you know, so you have 52 episodes a year. And if that happens, it'll be I'm sad to say sorry, chat g p t not August 30th, but thank goodness. October 29th. It'll be Halloween weekend by that point. By that point, we, you could probably just plug it in in place of me, Leo, and just let chat G p t. Well, it kind of knows now it's got a deadline. <Laugh>. Yeah. Yeah. Get going. <Laugh>. So what's coming up today? Oh, I've got something. I've got something. I think. So this is episode 920. Yeah. For, this is our last episode of April. Believe it or not. Leo, are you, you missed like most of the years. I missed April now. Yeah, here we are. It'll be, you know, may before we know it.
Not may day. We're gonna miss that by one. But that's good. Today's topic is an, an end-to-end encryption proposal. I think I may have solved this whole problem with government spying and, and all that and the tension between Oh, that would be good. These, that would be, yeah. Anyway. Well, we're gonna get to that. We're gonna look at the past week's most interesting security news answers. You know for the questions which have arisen, like whether apple's lockdown mode actually does anything useful. How big is the market for commercial Pegasus style smartphone spyware? Why exactly has the dark web suddenly become interested in purloin chat G P T accounts? And is purloin a word one uses in mixed company <laugh>? What trove of secrets did e set discover when they innocently purchased a few secondhand routers? Whoops. And speaking of routers, what was the mistake that users of old Cisco routers really wish Cisco had not made?
And whose fault is its exploitation today? Hmm. What's the story behind the newly established security research legal defense fund? And then after a few quick update and upgrade notes, we look at two opposing open letters written about the coming end-to-end encryption apocalypse and consider whether I may have just stumbled upon a solution to the whole mess. So I doubt anyone's gonna be getting bored this week. Yeah, course oft wait. We do have a great picture of Yes, we do. <Laugh>. Yes, we do. I have a little something you might be interested in as our first sponsor, brand new sponsor. I'm thirsty. Show. Are you thirsty? Are your body I'm thirsty, crave the nutrition that it needs while I've got athletic greens? This is not doing it nutritionally <laugh>, our sponsor today is AG1. Look, see it says it right there on the box by Athletic Greens.
And apparently, I didn't know this ain't been around for 10 years. Aunt Pruitt said, oh yeah, I've been taking that for years. It's well known among athletes and people who care about optimal nutrition. That's all new to me though. And I have to say, I'm pretty excited. Now, I bet you like me take a fistful <laugh> pills morning and night, right? Wouldn't it be nice to replace that fist full of pills with everything you need? You're, it's fact. It even says in here, you're gonna need a smaller cabinet. That's what ag one by Athletic Greens. It does, it gives your body what it craves for daily nutritional in one drink. In fact, this, you do this ideally you do this before you eat on an empty stomach first thing in the morning. There's actually two benefits to that. Not only are you getting your nutrition in, but the secondary benefit to that is water drinking a you know, 16 ounces of water first thing in the morning is a great way to start the day.
Reduces your appetite and so forth. So this, I've got the starter kit here. You can also get these in little packets, which are great for travel. And that's what we brought with us on the trip. So I'll, I'll do this with the pack. So what you do is you start and the the kit comes with a storage canister a month supply of AG1. And of course a special, special high quality measuring spoon. Actually, this is, is high quality. It's metal, which is, I love that. Anyway, but I'm gonna use the packets like we did on the, on the trip, the, you know, past trips I have put together. You know, you get those pill miners and you put 'em together and you have to carry this whole big thing around with you. And this makes it so easy. Everything you need is in here.
It's founded in 2010. AG1 has been part of a million routines since it's the best all in one solution for daily nutrition. You can replace your, your one a day. You can replace your probiotic By the way. It has probiotics in it and prebiotics. It saves you time, it saves you confusion and it even saves you money just $3 a day. Plus you get powerful long-term results. So I'm gonna make it right now. This is basically what you're doing is you're, it is just a powder that's got all those nutrients in it that you mix with water and, and, and you don't have to use hot water. It dissolves very easily. In fact I'm using nice cold water cuz that's what I want to drink in the morning. So I'm gonna put that in there. And then you close it up.
That's about six. You can do 12 to 16 ounces of water. Close it up. This is a really nice little canister. And then just mix it. And it's very easy to mix up. Mixes up very nicely. The best part for me though, cuz I don't know if you if you've tried these, but I've tried other, you know, beverages that are supposed to give you everything you need. And most of them taste well. Like they give you everything you need. This is actually quite refreshing, quite delicious and good for you. Here comes John, with napkins and towels. I'm not gonna spill it, John, I promise. Hmm. Ah, that is so good. And when you do AG1, it becomes a seamless, easy daily habit that gives you your entire day's nutritional basis supplements you support your long-term gut health. Ag One has 75 quality minerals, vitamins, pre and probiotics.
I would strongly suggest going to the website cuz they've got 'em all listed there. There's no artificial sweeteners or anything. I don't, it just tastes good all by itself. Oh, and another thing you're gonna like high quality production, check out where they make it, make it in New Zealand in a certified facility that really is making sure you're getting exactly what they say you're getting. No more, no less. You'll also feel good about it that Athletic Greens is a climate neutral certified company. They believe that good nutrition should be available to also for every purchase they donate to organizations helping to get nutritious food to kids in need. So you're doing good when you're drinking this. If you're looking for a simpler cost effective supplement routine. This is gonna replace about 30 pills that I used to take every day. AG1 from Athletic Greens.
You'll get a free, now you'll like this Steve, a free one year supply of vitamin D and five free travel packs. That's like that little pouch that I was using with your first purchase of subscription. Go to athleticgreens.com/Security Now this is the vitamin D that comes with it's vitamin D three plus k2. You probably know what that is. That's what you need. That's what you want, right? K2. It just comes a little dropper. So you can just put this just, that's, that's a year's supply cuz vitamin D doesn't take up a lot of space. You can take a little dropper and you just drop that in there and you can have it AG1. If you're looking for a simpler cost effective supplement routine ag one by Athletic Greens free one year supply of vitamin D five free travel packs with your first purchase of a subscription, go to athleticgreens.com/security.
Now, I've already had my ag one, I had it on Mac break weekly, so I guess I'll save this for tomorrow. Athletic greens.com/Security Now we really welcome these guys. We vetted them very thoroughly to really make sure, and I talk to a lot of people to really make sure that this is the one and they completely agree. This is fantastic. AG1 from athletic greens athleticgreens.com/securitynow. Thank you AG1. And thank you for when you buy it, go into that address so that you know, they know you saw it here on security now. All right, picture time <laugh>. This is hysterical by the way. Oh, okay. So yes, we, we have we have a <laugh> a a picture thank you one of our, our of our listeners for, for tweeting. This to me very valuable. This is a 16 port de-link barely recognizable <laugh> router or rather ra rather a a a switch, right?
An unmanaged switch. Yeah, an unmanaged switch. It it, if the guy in charge of the set of the Adams family had been overplayed, <laugh>, I think this is the, the ceiling or the basement somewhere and just, oh God, look at this. Ugh. It, it, it, it, so as I said, it's barely recognizable. I had to like squint to, okay, so we got, you know, we have two on the upper side, we have four, we have two groups of four ports, and I'm sure it's the same thing below there. Looks like there's a little four by four grid of LEDs and it's, they're lit up. You, there's a lot of 'em are green there. So I, I gave this the caption by some miracle it's still working. Don't touch it because boy I mean, yeah, so, you know, I I don't know where you've prob probably like some office building, you know, like sort of a low end office facility where Dusty and cobwebby though.
I mean, yeah, that's disgusting. And, and why would one ever put this in the attic where it's, you know, obvi? I mean, you could just see it's like, like there, there's some sort of a, a, a heating duct passing by in the very far lower left corner. You sort of sort of sort of see the, the ribs, the duct and many a spider has, has hopefully set up its operations here and thought, okay, I'm gonna get lucky. It doesn't look like anything happened there except the, the, the web collected a lot of dust, you know, dust the Adams family. It's ridiculous. Anyway, yes, it oh my, another great piece of technology that somehow is keeping the whole world online. You know, if the internet goes through there, then yeah, you're, you're in danger. Wouldn't that be funny if you unplugged it in the whole internet went down <laugh>.
Exactly. So it turns out that's the hub. That's it. That's the main crux. Yeah. So last Tuesday, the forensic security research group, citizen Lab reported on three iOS 15 and 16 exploits attributed to Israelis NSO group's, Pegasus Smartphone spyware system. And now just as a reminder, citizen Lab is at the University of Toronto's Monk School of Global Affairs and Public Policy. They've been doing some serious forensic work. Last week's main topic was forced entry which for our li our, our, our listeners and Leo, I'm bringing you up to speed. It was a fascinating example of the details of a zero click exploit against iOS devices, which Google's Project Zero researchers reverse engineered and dissected thanks to Citizens Lab, who found a live sample of, of, of it and sent it to Project Zero to, to take a look at. They found it, citizen Labs found it on a phone of a Saudi political activist.
So my eye was caught by Citizen Labs mentioned just last week of the apparent successes of Apple's lockdown mode, which of course we've previously described when Apple announced it, I think what it, it was brand new in Iowa 16. I think that's where it first appeared. As we know it rather significantly restricts many features of an iPhone for the express purpose of thwarting exactly these sorts of targeted attacks against high profile users of, of their iOS, of Apples iOS devices. Last Tuesday they publish an extensive description of several zero click attacks. They discovered they being Citizen Lab discovered being deployed against users of iOS 15 and 16. So, you know, not old out of service, you know, I, you know, version 13 or you know, 12 and 13 or 14, these are today's phones. I'm not gonna get into all of the details of those, but their intersection with lockdown mode I thought was interesting.
So to give you some sense before we get to the intersection, they summarized their fines in the, the, the things they found in seven bullet points, which are short. And so I think we're sharing, they said in 2022. So just, you know, just last year the Citizen Lab gained extensive forensic visibility into new N S O Group exploit activity after finding infections among members of Mexico's civil society, including two human rights defenders from Centro P R O D H, which represents victims of military abuses in Mexico. Our ensuing investigation led us to conclude that in 2022 NSO Group customers widely deployed at least three iOS 15 and 16 zero click exploit chains against civil society targets around the world. And just, you know, so everyone is up on the same page here, zero click exploit. The user does nothing. We, we covered one of them in detail last week where just the receipt of an iMessage without any acknowledgement of any kind was enough to take over the Target's phone.
And I'm sure what you, you were covering was that Apple was patching these yes. Yeah. I mean, very aggressively. I think they had three patches in a few weeks. It was Right, right. Yeah. And they have, they've been like, you know, again, they're doing everything they can, but it just seems that, you know, more problems keep being found. Yeah. Yes. So so Citizen Lab said, speaking of these NSO group's, third and final known 2022 iOS zero click, which we callone your home, was deployed against iOS 50 and 60, starting in October of 2022. It appears to be a novel two step zero click exploit with each step targeting a different process on the iPhone. The first step targets home kit, thus pulling your home. And the second step targets iMessage. So somehow the, the exploit against against home kit primes the I iMessage to then be exploitable by the second step in the, in, in, in the two step zero click.
And that's not unusual. I mean, in po own PO to own, we see multiple steps change sometimes. Yes, change. Exactly. Yeah. Yeah. So then, then, then they said NSO group second twenty, twenty two zero click find. My phone was, was deployed against iOS 15, beginning in June, 2022. It also appears to be a two-step exploit. The first step targets the iPhones, find my feature, thus find my poem. And the second step, again, targets iMessage. They said we shared forensic artifacts with Apple in October of 2022. An additional forensic artifacts regarding your home in January of this year, 2023, leading Apple to release several security improvements to home kit in iOS 16.3 0.1. Once we had identified find my and poem your home, we discovered traces of NSO group's first 20 22 0 click latent image on a single targets iPhone. This exploit may also have involved the iPhones find my feature, but it utilizes a different exploit chain than find my poem.
Okay. And so here's the final comment that I wanted with all that, that background to share for a brief period, targets that had enabled iOS sixteens lockdown mode received realtime warnings when po your home exploitation was attempted against their devices. That's, although, yes, they said that's amazing. Although, yeah, they said, although N S O group may have later devised a workaround for this real time warning, we have not e even so we have not seen your home successfully used against any devices on which lockdown mode is enabled. So props to Apple. You know, the, the first thing Apple notes, when they're talking about the limitations that they impose when lockdown mode is enabled, they say most message attachment types will be blocked other than certain images, video and audio. They said some features such as links and link previews will be unavailable. And so, you know, of course we know from, as I said, our examination last week of forced entry that the way entry was forced was by sending the target A P D F with the.gi f you know, a G file extension, which caused iMessage to attempt to render a very cleverly manipulated J bigg two image that had been embedded in the P D F.
It seems pretty certain that with lockdown mode, apple has switched from a, you know, well switched to a default deny with then highly selective allows being permitted. So forced entry would likely have also been nipped in the bud. The trouble with something like lockdown mode, unfortunately, is that to be effective, it really does need to be a restrictive service. I mean, it needs to be restrictive. You know, as we've seen, exploits are everywhere and that might annoy the people who need it the most, you know, enough for them to turn it off due to its interference with the things they need to do. So, you know, just, this is really of, of, of everything we've seen. Lockdown mode hasn't been around for that long. But, you know, the, the, the ability to, to find the forensic evidence of attacks, which are this targeted as highly targeted as, as Pegasus is you know, it, it's a very rarefied environment there.
So this is neat feedback to have. And we have fresh evidence that countries are busily using these patently illegal tools. No governments I know NC S C stands for the National Cybersecurity Center in the uk, which is, you know, exactly what it sounds like. Last Wednesday, the center published a report titled, cyber Experts Warn of Rising Threat from irresponsible use of commercial Hacking Tools over the next five years. Which of course begs the question, what, what would responsible use be? You know, it's like, okay, I mean the, this is all illegal, right? And the, the most of the countries, probably not all of them, cuz they're certainly used in, in, you know, non-democratic re pressure regimes. But you have to imagine that a lot of the countries who says, oh, no, no, no, that's bad. You know, it's like, okay, how much does that cost?
You know, they're <laugh> they, they just so seem to be able to say no. Okay, here are some selected pieces from the report, which I think provides some conclusions which serve as a useful reality check. So the en the, the, the UK's NCS C said, the commercial proliferation of cyber tools and services lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence that they would not otherwise be able to develop or acquire. I, I mean, and that really is the key, right? It's not like you need to have your own NSA level capability anymore. You just go to the NSO group and say how much, and you get what you need. They said the sophistication of some commercial intrusion cyber products and services can almost certainly rival the equivalent capabilities of some state linked advanced persistent threat groups. The bulk of the commercial cyber sector is highly likely focused on satisfying domestic state demand from law enforcement and government agencies, right?
I mean, the, they're not, they don't, the, the, the providers don't exist in a vacuum. They're fulfilling a need. They're selling this to people because people want it. However, they wrote over the last decade, a growing number of enterprises have emerged offering a range of products and services to global customers. They include off-the-shelf capability, known as hacking as a service, bespoke hacking services, hackers for hire, and the sale of enabling capabilities such as zero-day exploits and tool frameworks. Over the past 10 years, at least, 88 0 80 countries have purchased commercial cyber intrusion software or spyware for dozens for of states without a skills based, the commercial sector is almost certainly transformational. Allowing cost effective access to capability that would otherwise take decades to develop while products vary in capability and application. Commercially available spyware for mobile devices can offer the ability to read messages, listen to audio calls, obtain photos, locate the device, and remotely operate the camera and microphone.
Some states are likely to procure multiple commercial cyber tools to meet their requirements. <Laugh> wow devices can be compromised in a number of ways, including phishing, but also zero click attacks, which do not require user interaction, making it more difficult for victims to mitigate. While these tools have been used by states against law enforcement targets, spyware has almost certainly been used by some states in the targeting of journalists, human rights activists, political dissidents and opponents, and f and opponents and foreign government officials. This is almost certainly happening at scale with thousands of individuals targeted each year. While current products focus on multiple on mobile devices and intelligence gathering, as the sector grows and demand increases, products and services will likely diversify to meet demand. I mean, we're talking about a whole ecosystem, which is emerging, you know, on, on the dl, but, you know, being sold to governments, they write hacker for higher groups carry out cyber activity for paying clients, as well as providing information of traditional espionage value to states hackers for hire, or also reportedly used for legal disputes, intellectual property theft, insider trading, and the theft of other private data hackers for higher differ in skill and capability ranging from low level cyber crime activity to technically complex and effective network compromises that may go undetected.
Some groups operate in criminal circles, some portray themselves as commercial companies and others operate anonymously. Hacker for higher groups that focus on stealing information use phishing and other social engineering attacks exploits against publicly reported vulnerabilities in computer networks and sometimes zero day attacks to compromise victims. The greatest threat comes from higher end hacker for higher groups whose abilities and impact are similar to those of capable state actors. Hackers for hire pose a potential corporate espionage threat against organizations and individuals with privileged or valuable confidential information in multiple sectors while less skilled and cyber while less skilled and cyber criminal hackers for hire, almost carry out denial of service dedos attacks for a fee to temporarily disrupt a target website or server on a customer's behalf. Additional law enforcement attention probably de deters higher skilled hackers for hire from conducting destructive or disruptive operations.
In other words, you know, they're really high end guys. They're not mucking around w w wi wi down in the less skilled areas of DDoS attacks. And those tend to be much more easily attributable as we see. However, they said, a group, a growing market and the extra financial incentive raised the likelihood of hackers for hire accepting this type of tasking over the next five years. So that might be changing. Hackers for hire also raised the likelihood of unpredictable targeting or unintentional escalation through attempts to compromise a wider range of targets, particularly those seeking valuable information to sell on as opposed to working to order. So, you know, they might be like out doing their own reconnaissance work hacking companies, you know just you might say on spec as opposed to under contract. They said it's likely that potentially significant financial rewards incentivize state employees or contractors with cyber skills to become hackers for hire, risking the proliferation of cyber techniques from state to non-state actors.
So as you might expect these skills spread over time, they're not, you know, containment is not being maintained from where they they originated historically. Underground criminal markets have facilitated the exploit trade since the early two thousands. A lucrative market for zero day exploits has emerged in the commercial space. The large sums of money involved for critical zero day exploits for commonly used systems and processes, mean opportunities for profit are significant and have driven commercialization. And of course, we've often talked about, you know, the likes of xtium who are purchasing these exploits for resale. And there's no accountability, there's no sense for, you know, to whom they are selling them. But zeum, you know, makes no bones about it. It's like, yeah, we wanna buy your exploits, we'll pay you dollars. They said critical zero day exploits and vulnerabilities are almost certainly transformational to actors with the skills to make use of them states or commercial cyber intrusion companies providing products to states are the dominant customers for the commercial zero day market and are highly likely to remain.
So for the next five years, the growth of the commercial sector facilitating this trade has likely increased the number of states able to access critical zero-day capability directly or indirectly. Some well-funded cybercrime groups have likely have highly likely purchased lower priced zero day exploits for less well used systems from underground exploit marketplaces. However, purchasing high cost critical zero day capability from the commercial marketplace is unlikely to appeal to most groups. Financial motivation makes it more likely that they prioritize lower cost exploits developed from disclosed zero day vulnerabilities, albeit as early as possible after disclosure to maximize the number of unpatched systems they can target. Of course, as all follows from, from the things we're talking about on this podcast, constantly customizable tool frameworks are developed by cybersecurity software developers to emulate threat activity, to enable penetration testing of networks. And we're just talking about that w with, with you know red, red team ex attacks.
They said they're usually sold under license, but some are also publicly available or available inversions where the license has been removed. These frameworks are being used or repurposed by state and non-state actors, highly likely enabling a cost effective uplift in cyber capability. It's highly likely that their constant evolution and the ability of actors to customize and repurpose these frameworks means widespread misuse of these frameworks will almost certainly continue over the next five years. State and non-state actors also have access to capability developed and sold for cybercrime. In recent years, cybercrime marketplaces have grown and become increasingly professional in part driven by demand from ransomware actors. One example is malware as a service, M A A S, which is a service that provides use of malware, eliminating the need to create and develop the software, as well as reducing the knowledge threshold required to operate the malware.
Offering the services as a package is attractive to less skilled cyber criminals. And as such has almost certainly expanded the number of victims. So anyway, I thought that they did a great job of sort of encapsulating everything that's going on there and the trends that all of the evidence points to as you know, where we'll be headed in the future. And so they concluded with just four points saying over the next five years, increased demand coupled with a permissive operating environment will almost certainly result in an expansion of the global commercial cyber intrusion sector driving an increased threat to a wide range of sectors. Second, it is almost certain there will be further high profile exposures of victims against whom's commercial cyber tools or hacker for higher operations have been deployed. Third, oversight of the commercial intrusion cyber sector will almost certainly lack international consensus, be difficult to enforce and subject to political and commercial influence, right?
I mean the, the people who you would like to be providing the oversight are the customers and they fi they finished. However, it is likely that many commercial cyber companies will be incentivized to vet and limit their customer bases. Should effective oversight and international norms on development and sale of commercial cyber capability emerge. So, you know, last week we took a deep dive, as we know, into into forced entry, which led us to appreciate the insane level of f f of effort that the NSO groups, spyware developers, whomever they are, and you know, and what we just shared suggests, maybe they don't, they're not even NSO group developers, they might have developed a zero click independently and said, what's, how much is this worth to you? I thought the NSO group disbanded. That's why I'm surprised to see their name again.
Well they they did get pounded down PA well, because their stuff was, you know highly publicized, right? But they're still around. Can't kill cockroaches. <Laugh>. Exactly. They come back again. So, so anyway, what what Google's Project Zero researchers who reverse engineered that work reported was that the sophistication they discovered in that exploit terrified them. They used the word terrified. It was as if they had discovered alien technology lurking within a terrestrial device, which, which, you know, gives you some pause to note the, the deg the obvious commercial value of, of this sort of technology. And now we're seeing almost not surprisingly, a growing black market for chat G P T accounts, which I thought what the best way for me to introduce this next topic is to just read what Checkpoint research posted last week. Their headline was New chat.
G P T 4.0 concerns a market for stolen premium accounts. And they said since December of 2022, checkpoint research has raised concerns about chat GT's implications for cybersecurity. Remember, and we talked about some of this before, where they, they used it both to, to try to reverse engineer for them some code, which did not do a good job at or writing code, which unfortunately we know it does do a good job at. So they said. Now checkpoint also warns, warns that there's an increase in the trade of stolen chat G P T premium accounts, which enables si enables cyber criminals to get around open AI's geofencing restrictions to obtain unlimited access to chat. G p t. The market for account takeovers generically atos stolen accounts to different online services is one of the most flourishing markets in the hacking underground and in the dark web.
Traditionally this market's focus was on stolen financial services accounts, you know, banks, online payment systems and so forth, social media, online dating, websites, emails, and more. They said since March of 2023, which you know, was four weeks ago, checkpoint sees an increase in discussion and trade of stolen chat G P T accounts with a focus on premium accounts including leak and free publication of credentials to chat G P T accounts, trading of premium chat, G P T accounts that were stolen, brute forcing and checker tools for chat, G P T, meaning tools that allow for brute forcing, that allow cyber criminals to hack into chat G P T accounts and chat G P T accounts as a service, dedicated service that offers opening chat G P T premium accounts, most likely using stolen payment cards. So why is the market of stolen chat P G T account on the rise?
What are the main concerns? They said as we wrote in previous blogs chat, G p t imposes geofencing restrictions on accessing its platform from certain countries, including Russia, China, and Iran. Recently we highlighted that using chat G P T AI allows cyber criminals to bypass different restrictions as well as use of chat GT's premium account. All this leads to an increased demand for stolen chat G P T accounts, especially paid premium accounts in the dark web underground where there is a demand, there are smart cyber criminals already taking advantage of this business opportunity. Meanwhile, during the last few weeks, there have been discussions of chat G P T's privacy issues with Italy banning chat, G P T and Germany. Now considering a ban as well, excuse me, we highlight another potential privacy risk of this platform. Chat. G P t accounts store the recent queries of the accounts owner.
So when cyber criminals steal existing accounts, they gain access to the queries from the accounts original owner. This could include personal information, details about corporate products and processes and more. And Leo, on the, the first of the, of the three podcasts where an co-hosted we covered the story of Samsung's employees on three separate instances uploading, you know, wanting to get the advantage of chat GT's thoughts, you know, in air quotes, <laugh> about something. What are your thoughts, <laugh>? What are your thoughts? They uploaded Samsung proprietary information in order to get chat G P T to tell them what it thought. Oh Lord. And after three instances of that, oh God, Samsung, Samsung I know has, has shut down. They imposed a one K limit on, on, on, on, on the transactions with chat G P T and said they are looking into measures for bringing a chat G p T facility into their internal corporate network so that you won't have to go on the public internet in order to use it. I I wonder though, if there's any evidence that chat g p t save that information?
Well, I think not evidence, but, but for example, here was a, he had j just here was the, the point being made that if an account is stolen, then the, the past queries are apparently available. Yeah, it saves a certain number of past queries on, but not all P it resets. Yeah, this is what I got in Italy. Natalia then they, this is actually from the chat G P T folks, they they posted an English one as well, which is nice. But yeah, I thought, well, I heard that, so I said, well, let me try to use it cause I have an account and said, no, we regret to inform you we've disabled chat G p T for users in Italy. Oh, that's right. I forgot that's where you just were, I was in Italy driving use it because, cause we, we, we covered the the, the, the, the news that Italy was saying it represented a, a privacy threat and so they were just not gonna make it available.
Right? Sorry about that. We're we're just saying. No, it's the same question though is you know, and chat. G P T denies it. They say, well we've, you know, we don't scrape everything. We scrape stuff that's publicly available, right? So if they don't save stuff and they don't only scrape public stuff, I don't know if there really is. It's, it's just a, yeah. In fact that, that was the point we made on the podcast was it's really just a different kind of spider than Google. Yeah. It's a spider, which is indexing and saving the entire web. Right. You know, it just is your, you, it has a conversational interface in, in instead of one that's just sort of, you know put in some keywords and see what hits you again. Exactly. This stuff will sh will shake out. I don't think it's, yeah, I think it's a short term issue.
I think we should take our second break and then we're gonna talk, we're gonna talk about what Isat found in some decommissioned routers that they purchased Whoopsy. Ooh, reminds me of when Simpson Garfinkel bought a bunch of hard drives on eBay and they were unraced hard drives from old at t m machines, <laugh>, and then all sorts of bank account information and stuff like that. This is why you need our sponsor lookout. I might add Perfect segue, right? Business has changed forever. Boundaries to where we work or even how we work have disappeared, which means your data is always moving, right? It's always on the move. If if it's on a device, if it's in the cloud, if it's across networks, it's gonna be even at the local coffee shop, right? Well, that's great for your workforce. They love that, you know, flexibility it's a challenge for it security.
That's why you want lookout. Lookout, lookout helps you control your data and free your workforce. With Lookout, you'll gain complete visibility into your data so you can minimize risk from external and internal threats. You can ensure compliance. That's become more and more important, isn't it? It's not just for you. You gotta be compliant, right? By seamlessly securing hybrid work, your organization does not have to sacrifice hybrid work productivity for security. And this is it. It always feels like that's the challenge, isn't it? You know, we want to be able to have this flexibility go anywhere, but how do we keep it secure? Lookout makes it security a lot simpler, working with multiple point solutions, legacy tools, you're probably doing it right now in today's environment. That's just too complex. That's just not, that's a recipe for disaster. Whereas Steve always says, what could possibly go wrong?
Lookout is a single, modern, unified platform. So it reduces it. Complexity gives you more time to focus on, you know, the stuff you need to do, and you don't have to worry so much, and you don't have to spend any time getting legacy stuff working together and all that thing. Good data protection. It's not a cage, it's a springboard letting you and your organization bound toward a future of your making. It's important that you can think of it that way, and that's why you need to visit lookout.com right now. To learn how to safeguard data, secure hybrid work, reduce it complexity, lookout, L O O K O U T, lookout, lookout.com, data point data protection from the endpoint to the cloud to your happy place. Lookout. I like that. Lookout.Com. Thank you lookout for supporting us here at Security now and for supporting all your customers.
Let them let their employees wander and still keep their data absolutely safe. Alright, Steve, let's continue on. Isat made a very interesting observation in their posting on Tuesday titled, discarded Not Destroyed. Old routers reveal Corporate secrets. Ah-Huh <affirmative> get a load of what they wrote. They said, taking a defunct router out of an equipment rack and sliding in a shiny new replacement is probably an everyday occurrence in many business networking environments. However, the fate of the router being discarded should be as important, if not more so than the smooth transition and implementation of the new kit in the rack. Unfortunately, this appears often not to be the case. When the EEP research team purchased a few used routers to set up a test environment, there was shock among team members shock. I tell you, when they found that in many cases previously used configurations had not been wiped and worse, the data on the devices could be used to identify the prior owners along with the details of their network configurations.
This led us to conduct a more extensive test, purchasing more used devices, and adopting a simple methodology to see if data still existed on the devices. A total of 18 routers were acquired, one was dead on arrival. Two were a mirrored pair, so we counted them as a single unit. After these adjustments, we discovered configuration details and data on over 56% of the devices in the wrong hands. The data gleaned from the devices, including customer data, router to router, authentication keys, application lists, and much more is enough to launch a cyber attack. A bad actor could have gained the initial access required to start researching where the company's digital assets are located and what might be available. We are all likely aware what comes next in this scenario. The change in recent years to the methods used by bad actors to conduct cyber attacks on businesses for the purposes of monetization, as is well documented.
Switching to a more advanced persistent threat style of attack has been cyber criminals establishing an entry point and then a foothold into networks. They then spend time and resources conducting sophisticated extraction of data, exploring methods to circumvent security measures, and then ultimately bring a business to its knees by inflicting a damaging ransomware attack or other cyber nastiness. The initial unauthorized incursion into a company network has a value. The current average price for access credentials to corporate networks, according to research by K E L A, cyber crime prevention is around $2,800. This means that a used router purchased for a few hundred dollars, which without too much effort provides network access, could provide a cyber criminal with a significant return on investment. And that's assuming they just stripped the access data and sell it on a dark web market as opposed to launching a cyber attack themselves.
A concerning element of this research was the lack of engagement from companies when we e attempted to alert them to the issues of their data being accessible in the public domain. Some were receptive to the contact, a few confirmed the devices had been passed to companies for secure destruction and wiping, whoops, a process that had clearly not taken place. They wrote, and others just ignored our repeated contacts, our, our repeated contact attempts. They said the lessons that should be taken from this research are that any device leaving your company needs to have been cleansed and that the process of cleansing needs to be certified and regularly audited to ensure your company's crown jewels are not being openly sold in public secondhand hardware markets. We have established the details, as you know they, they, they said we have, we have published the details, sorry, we've published the details except the company's names and data that would make them identifiable in a white paper.
The white paper also contains some guidance on the processes that should be followed, including references to N I S T special publication 888 revision one guidelines for media sanitization. We strongly recommend reading the details and using our findings as a nudge to check the process in your own organization to ensure no data is unintentionally disclosed. So I got in the show notes, I have a, a, a link to e setss white paper, which is titled How I In Per Could Have Stolen Your Corporate Secrets for a hundred dollars. And I also have a link to that to the NIST's special publication 800 dash 88 revision one guidelines for media sanitation. Anyway, in that white paper, they provided a summary breakdown, just some bullet points of what they found by percentage. They said 22% of the routers contained customer data, 33% exposed data, allowing third party connections to the network.
Think about that one in three of the routers they purchased for a hundred bucks off eBay or somewhere exposed data, allowing third party connections to the network. 44% had credentials for connecting to other networks as a trusted party. 89% itemized connection details for specific applications. 89% also contained router to router authentication keys. 100% of them contained one or more IP sec p n credentials or hashed root passwords and LA and finally, 100% had sufficient data to reliably identify the router's former owner and operator. So again, you know, wow. Just a heads up to make sure if you're in charge or or, or know somebody who is in a sufficiently sized organization, it is, you know, I would not trust a third party. I mean, how difficult is it to, to re initialize the, the configuration in a router that's, you know, return it to factory settings.
It's not difficult. So don't, you know, pull it out and toss it on a pile to some third party that, in this case apparently wasn't doing anything. And, and Leo, to the point you were making, I'll note that through 2023 which, what, what? Four months so far, I've been having some very similar experiences of my own, I've been purchasing specific old drives from eBay. Oh yeah, of course. For spring, right? Yeah, right when a spin Right. Tester has reported that they've had some weird behavior from a specific old drive. And as spin right is running, one of its more popular screens is one which flashes up snapshots of the data, which it's obtaining from the drive. It's scanning. You just see it flashing by, but it's kind of mesmerizing the way we used to watch all the blocks on a defragment or move around the screen sort of like that.
NT Steve, I've spent many hours staring at that screen. I, we all have exactly. We talking about, we, we it's an embarrassing truth. No, but that <inaudible>, I love that stuff, man. That's cool, man. I love it. Yeah. Yeah. So Ntfs file system metadata has a particular look to it, and which I've learned to recognize interest. Interesting. These drives are full of it. I have no interest in the contents of those drives beyond watching spin, right. Recover whatever data they might contain, but they contain someone's data. Oh, there you go, Leo. And we're defragging here. <Laugh>. We're defragging. Wow. <laugh> love it. So that's interesting. I wouldn't erase those either. Yeah. I can understand how you would think, oh, well, I'll drive, I have to erase, but a router, what could that possibly contain? Turns out those, the crown jewels of accessing Yeah.
Inside of a corporate network. Yeah, makes sense when you think about it, but just make sure that you do think about it. Okay, while we're on the topic of routers, let's take a look at last week's report from the, the, again, from the UK's nnc S C regarding Jaguar tooth, a Cisco, that's a name Jaguar tooth a Cisco router, targeted malware. And this serves as a perfect case study. Jaguar tooth is a system of backdoor Trojan malware developed via exploitation of a long since patched S N M P vulnerability. It's C V E 20 17 67 42. So there are two things here. First of all, 2017 tells you that it's, it's now what, six years ago, 2017. And 67 42 reminds us of those quaint days six years ago when CVEs had four digit numbering for their individual CVEs. You know, we have to use scientific notation these days.
This vulnerability was first announced by Cisco on the 29th of June in 2017 when updated and repaired software was made available by them. Cisco's published advisory included details of workarounds including some of limiting access to S N M P from trusted hosts. You know, imagine that, or by disabling several vulnerable S N M P a p i branches, which are known as MIBs. Okay, so this amounts to another of those issues ISO often have about policies versus mistakes. Backing up a little bit, S N M P is the simple network management protocol. It's essentially a network api a very powerful network api, which allows for the complete configuration state querying and configuration management of S N M P capable network devices. The point is, it should never be publicly exposed to the wider internet. That's just nuts. It is meant to be used on the internal intranet for internal management.
And, and if by some weird network configuration need a router's S N M P traffic does need to transit the public internet, then it would certainly only ever need to be seen by a specific single targeted remote public ip. Never all public ips, there's, there's no conceivable reason for a router's sn MP service to be globally available. And yes, S N M P has an authentication layer, but it's old and it's lame, and it's barely adequate for the purpose of keeping insiders out. You know, it's, it's just ridiculous, you know, let alone outsiders keeping outsiders out. If external s and m P packets cannot reach the s n MP service, then vulnerabilities in that service will never become an issue in the first place, right? So even if there's a mistake, if your, if your policy is to firewall the S N M P service so that it isn't available, then no problem.
So once again, policies versus mistakes, mistakes happen by mistake, okay? But policies happen by policy, in other words, on purpose. And mistakes don't need forgiveness. But policies don't deserve any, and I don't mean to harp on this, but to me, this delineation seems important and it is too often confused. Anyone who's responsible for any Cisco corporate router in 2023, which is still running a version of Cisco's OS from 2017, should be immediately summarily and disgracefully discharged from their responsibilities and their employment. It's unconscionable. But we also know that unfortunately, many such routers will nevertheless exist. So what do we know about this specific problem? The vulnerability in s n MP from six years ago enables a stack based buffer to be overflowed, whoever heard of such a thing, enabling control of the instruction pointer, which can be used to gain remote code execution. This exploit uses return oriented programming to overwrite operating system memory and incrementally deploy the malware code over hundreds of iterations.
So remember that return oriented programming. The idea there is that until you're able to, to get your own code running, you need to use the code that's already there. And it turns out that, that, that an operating system like Cisco's iOS is full of subroutines. At the end of a subroutine is a return instruction, which returns to where it came from, from, from where the subroutine was, what was called. And first bad guys, and then good guys figured out that the last few instructions just before the return can be useful. They can load something in a register. They can add something to a register. They can do useful things. So, clever hackers who have access to the same operating system as the one that they're, they're attacking, look at all the return instructions and all of the instructions just in front of them that, that, that are, they're just before a return.
And they're able to knit together the, the execution of code they want by jumping deliberately, jumping to just before subroutines end, do a couple things, and then return to them, and then do it again and again, and again and again using just little snippets at the end of all the subroutines that exist in order to get done what they want done, which in this case is to incrementally their malware in ram. Again, <laugh>, it's a little frightening how sophisticated these attacks have been. Turns out the vulnerable function targeted by this exploit is reached using the S N M P object identifier, the so-called O I D, which corresponds to A L P S remote Pier connection local port by appending. Additional bites to the end of the O I D A stack based buffer can be overflowed, which tells us that this, the, the expected length of this O I D is how much space was, was, was created on the stack to hold it, but they didn't check to see if the o i d was actually that long.
They just went ahead and pared it. So you literally, an O i D is a weird looking thing in SM p SN m p It's, you know, 1.3 6.2 27 14. So the ID is, each of those dots is a branch in a tree. And so, SN m p represents all of the little settings that you might have in a router by the end points of this incredibly richly branching tree where you address it by following this crazy dotted syntax all the way out to the end. It turns out you could just keep adding things with dots in this broken version of iOS from 2017 and put a bunch of stuff on the stack, which then you can cleverly design what's there in order to go out and execute little code snippets for you. One of the side effects of this vulnerability is that any asky characters in the, that the, that additional o i d bites are converted to uppercase, which can be inconvenient.
So the attackers get around that Jaguar tooth is deployed by writing custom shell code to memory, which can be used to write an arbitrary four bite value to any specified address. This shell code is then called repeatedly to incrementally write jaguar tooth into ram four bites at a time. Once the jaguar tooth payloads have been copied into memory, they're individually executed by overflowing the return address of the vulnerable function with their location and memory. Once Jaguar tooth is running, it uses TF t p, that's the trivial file transfer protocol, like a really reduced subset of FTP to exfiltrate. Pretty much everything the router knows about all of the peers that touch it, its configuration and all of those things we were just talking about that you don't want to decommission, you'll wanna leave in your decommissioned router. You know, the router's, a table, for example, is dumped to obtain the Mac addresses and ips of all the internal machines that that have, that have recently touched the router.
And of course, the bad guys now have a foothold, a foothold in a border router, able to run whatever they choose from, you know from from there on. It's gonna be pretty much bad news. So, as I noted earlier, Cisco responsibly updated their iOS, that's what they call it, the inter network Operating System. Back in June of 2019, the bad guys probably assumed that there would be routers correctly assumed there would be routers that had not been updated in six years, and were still running this, this iOS software from back then. So, sure enough, a malicious actor group known as a P T 28 has been detected, ACT detected, actively conducting a reconnaissance and deploying their malware on the world's routers, which are still running that v vulnerable version of iOS. So another example of, you know, the problem that we have in our industry that we have not been able to figure out, we are unable to write software that doesn't have these kinds of problems, no matter how much we try and how much focus and attention we give to it, nor are we able to, to essentially recover all of the software that's already out there with known problems, which nobody is taking the, the, the measures to fix.
Okay. It's time for some happy news. Well, it's about time. I've been waiting for this for 18 years. We may have some really happy news at the end of this, but first, some, some interim happy news, something known as the Security Research Legal Defense Fund is in the process of being created, and it is what its name suggests. The organization's website domain is also its name security research legal defense fund.org, with no spaces or hyphens or anything. They explained themselves in one long line. They said, we aim to help fund legal representation for persons who face legal issues due to good faith security research and vulnerability disclosure in cases that would advance cybersecurity for the public interest, which is very cool. So they break this down in three statements. Their first is their mission statement. The Security Research Legal Defense Fund will be a nonprofit organization whose mission to promote social welfare by providing financial assistance for legal representation of good faith security researchers and vulnerability disclosure.
For background, they say society depends on secured digital communications and devices, but cyber attacks and system failures increasingly endanger physical safety, consumer privacy, and the operation of critical services. The public benefits when security vulnerabilities the pub, I'm sorry, the public benefits, when security vulnerabilities in software and systems are discovered and fixed before malicious actors can exploit them. In many instances, individuals have acted independently and in good faith to find and report vulnerabilities for mitigation, thereby strengthening this cybersecurity of products and services for the good of the community, while recognition from governments and businesses of the value of good faith, security research and vulnerability disclosure is growing. Individuals continue to meet with legal threats when their vulnerability research and disclosures are unwelcome or misunderstood. Such threats can ignore individual's rights or misconstrue facts, creating a chilling effect on beneficial security research and vulnerability disclosure, especially for individuals without the resources to finance legal counsel.
So, yay. You know, this is great news. Finally, under how it works, they explained the security research Legal Defense Fund may donate to good faith security researchers choice of counsel to represent them in defending against legal re legal claims related to good faith security research and vulnerability disclosure. The Defense Fund does not provide direct legal representation at this time. The organization's board of directors will cont will consider potential guarantees and vote on distribution of funds to help ensure funds are used in the public interest, the recipients of legal defense funds would be required to meet eligibility criteria. The eligibility criteria is subject to revision by the board and aims to reflect alignment with legally accepted definitions of good faith security research. The eligibility criteria to apply for grants from the Defense Fund is inti is anticipated to include the grantee demonstrates financial need. Funds donated from the Security Research Legal Defense Fund would go towards representation in legal matters related to good faith security research for, or vulnerability disclosure, and not such illegal behavior as extortion.
Okay, duh. Also, the good, the good faith security research or vulnerability disclosure was performed for the purpose of good faith testing, investigation, correction, or disclosure of a security flaw or vulnerability. It was carried out in a manner designed to avoid harm to individuals or the public. And the information derived from the activity was intended to be used primarily to promote the security or safety of computers or software or those who use such computers or software and finally board approval. So I think this is great. You know, through the year, through the years here, we've talked about this problem where, you know, well-meaning typically amateur hackers, you know, now who are not backed by an organization, you know, attempt to inform an organization of some significant problem that they've stumbled upon and identified only to have the organization's management freak out and aim their law enforcement and their attorneys at the hapless hacker.
That's what happened to Randy Schwartz at Intel, and he was arrested and prosecuted. Yes. I mean, it's so wrong. Yeah. So it seems like, you know, this would be a terrific backstop for such situations. I did a little bit of more research and, and legwork. SC Magazine knew a little bit more about this. It turns out that Google is the, the, the like the main anchor for this. They, they said Google and other companies will develop and stand up a pair of new initiatives that will provide policy guidance to governments and legal protection, to security researchers engaged in good faith vulnerability research and disclosure. While, and they said, while the Tech giant also said it would formalize an internal policy to be publicly transparent when bugs in Google products are exploited in the wild. Anyway they go on at some length.
It all it that the council that is this board of directors will include representatives from bug bounty firms, hacker one bug crowd integrity and Luta security, as well as Intel and Venable, a law firm that specializes in cybersecurity law and policy matters. So anyway, I just think this is great news that that there will be this sort of a formal legal defense fund that is, you know, that will be be backed by people who understand the nature of the business and will be there to support people who get themselves in trouble. You know, when they're absolutely not being black hat, not attacking, not doing anything, but, but, you know, trying to, trying to let someone know that they've got a problem and end up being attacked and sued in the process as a result. Okay, so a couple quick updates.
Never moved. Never moved. Theat tried, but I never moved. I know he kept giving me, he said, nobody, you should try this or that, or opera or braver. I, I've been love, I've been watching Paul. He's been like roaming all over the place. All everything. Yeah. Firefox fire. You know why, cuz I wanna support an ecosystem that has more than one browser engine. Yes. Everything else is Chrome or chromium. Yes. And, and Paul is a little reminiscent of, of Jerry who used to say, I do all these dumb things so you don't have to Yes. You're talking about of course, the great Jerry porn, right. Who is much missed, I have to say. Yeah. Yeah. He was great. He was a great guy. Also, you'll be glad to hear this Kubernetes received a security audit. The NCC group concluded and published a new security audit of the Kubernetes automation platform.
Hmm. Nothing significant found. That's huge cuz it's very widely used. Yes. Yeah, that's very cool. Yeah. And finally, Chrome fixed a zero day. They released one 12.0 0.561 5.137, and or 1 38, which fixes eight security flaws, including a new zero day. And I'm not sure I understand this unless it's a Oh, yeah, yeah. I I I I'm sorry. I was, I was, I was <laugh> I was looking at the number rather than the date. A a zero day CVE 20 23, 21 36. So it was discovered by Google's tag team, so internally although being a zero day, you know, they're not like Microsoft who calls it a zero day. If they learn of it by surprise, it's a zero day when it's found being exploited in the wild. So anyway, this, this was patched last week and that was, I wasn't aware of that.
That's, I did not know that. That's interesting. Yeah. Microsoft is a different definition. Yes. They've got their own private definition, which is, you know, weird. It allows them to, I mean, you wouldn't think they would be declaring No. It makes more things zero day than you would normally expect. Exactly. Yeah, exactly. Which, you know, they're not in the wild yet. That's still a zero day. Wait a minute. Yeah. Yeah. Google did note that it was under abuse by a surveillance vendor. Oh. So just exactly the type of slime that we were talking about before. Somebody selling these things to data parties. Data a data broker type. Yeah. Yeah. A surveillance. Well, no, like a, like a li like an NSO group. Oh, geez. A ave. A vendor selling surveillance. Terrible capability. Yeah. Okay. I'm very excited about what, what we've got coming next. An end-to-end encryption proposal.
Let's do our net. Yeah, we'll do a little break. Yeah. I'm gonna share two open letters and then an idea that I had that might just work. You've proposed things in the past, but boy, we, if now more than ever we need it earn it is back. The UK is about to do this. I mean, it's we need something. We need a solution that works for everyone. And if anybody could come up with it, be you, Steve. So I look forward to hearing this, but meanwhile, I just wanna tell, first of all, I want to thank all of our Club TWIT members because you are the salt of the earth. You're the people who, you know, we could, you could, and most of you do, like 95%. I think it's more like 98% of all of our listeners are very happy to listen for free.
We've been doing it that way for 18 years. That's fine. Did you know Steve? We had our 18th anniversary while we were gone on April 17th. 18 years. I know, because you and I are in we're right along in there. In there. Yeah. We were the second show, right? Yep. Yeah. So there, and you know, I'm happy to have you, and please listen for free as long as you want. But I really have to say a, a appreciation to the listeners who say, you know, I like what you do and we want to support it. We want to keep it on the air. We want you to grow. And they contribute. And it's not much. It's seven bucks a month. That's one. You know, half calf, half decaf, cappuccino, frappuccino with a twist. That's it. And what do you get? Oh, I think you get a pretty good deal.
We really, at Lisa, I give credit to Lisa, my wife, and our C because she did a lot of due diligence. She said, I don't wanna charge a lot for this, and I wanna make it expensive, but we want to give 'em real value. Add free versions of every show, this show, but every other show that means ad free and tracker free. There's, there's nothing. And you get a special URL dedicated to you. Each person gets their own special url. You can put in your podcast player, do, you know, use it as you would a normal R S S U url. You also get the Discord. And I have to say, the Discord to me is one of the surprise benefits of Club Twit. It's a, it's really become a community of like-minded geeks. Now they're all this is the Security Now channel and they're all you know, talking about the show, but it's not just shows.
Yes, every show has its channel in here, but Discord is really, I think, the future of social media. So we talk about everything from AI to anime, to coding, to comics, hacking gaming, ham Radio, Linux. So you can get in there and chat with people you know are high quality cuz they're twit listeners and contributors and chat about the subject that you're most interested in. And I think that really is fun. Also, our community manager, aunt Pruitt, and I gotta give props to him, puts together events on here. Alex Wilhelm's coming up with an Ask Me Anything in May. The Home Theater Geeks, that's one of the reasons we love the Club because it allows us to bring back shows that weren't financially viable on their own. Home. Theater Geeks is Back with Scott Wilkinson. It's a club special every week. Some fireside chats coming up with Sean Powers from Floss Weekly, Stacey Hagen, Bonham's Book Club.
Rod Piles gonna do a fireside chat. Another example of a show that started and the club was, was funded by the club and then became a regular show on our network this week in space. So you get that, you get the TWI plus feed with not just ad free versions of our shows and specials. But but the twi plus feed, actually Twi plus, he doesn't have the regular shows on there. It has specials. Those events that we just talked about plus before and after conversations, things that don't normally make it into the podcast, that's a lot for seven bucks a month. I'm very proud of this. A buck less than a blue check on Twitter. And I think you get a heck of a lot more. If you wanna join the fun and join the family, go to twi.tv/club twit.
That's an individual member ship. You can get it for a month or for a year, which we didn't do it first. I told Lisa, I don't wanna do a year because that means we have to do at least a year more shows, she said. So I said, okay, we'll do it for a year. So you're committing when you, when you pay for a year's worth of shows, you're making sure we'll be here for at least a year. There's also family memberships if you want others in your family. It doesn't have to be blood relatives, but others in your group. And then of course there's corporate memberships for big groups, all of that at TWIT TV slash club Twitter, we really love our club members. They're, they're the people who are most engaged, more involved, really support what we do. And thank you because of you, we're able to do more than ever before.
And and keep the lights on TWIT TV slash club twit. Now let's talk about Steve's proposal that's gonna solve, okay. All our problems. Maybe it's a good idea. Anyway we'll see. We have of course been covering the fascinating and escalating debate over the presence of ubiquitous end-to-end encryption, which took another step with the UK's online safety bill, which is currently winding its way through the United Kingdom's legal system, but it's on its way to becoming law in the uk. As we know, this is the legislation that's being promoted as a means of protecting children from online threats of all sorts, by requiring secure messaging providers to somehow arrange to monitor and filter the images, videos, audio, and textual communications of their entire user base, regardless of whether individuals are suspected of illegal behavior or not. Okay. So while assembling today's podcast, I encountered two opposing open letters, which I'll share here in a moment.
What's surprising is that after reading and placing these open letters into the podcast show notes, I was summarizing the current situation and working through the dilemma. And I may have actually come up with a workable solution to this whole encryption mess. I, well, we'll see. Let's submit it for their approval. I'll share, yes, I'll share with everybody and we'll see what you think. But, okay, first things first, last week's news is that the CEOs of the secure messaging firms have collectively authored and co-signed an open letter to the UK government. Represented were the heads of Element session Signal three, ma Viper WhatsApp and Wire. Since this open letter contains a few juicy bits and it's got some, they make some really great points. I wanna share what the heads of today's secure messaging companies just wrote to the UK <laugh>. They, they addressed it to anyone who cares about safety and privacy on the internet.
Okay, a little bit loaded there, but, okay. They said, as end-to-end encrypted communication services, we urge the UK government to address the risks that the online safety bill poses to everyone's privacy and safety. It is not too late to ensure that the bill aligns with the government's stated intention to protect end-to-end encryption and respect the human right to privacy around the world. Businesses, individuals, and governments face persistent threats from online fraud scams and data theft. Malicious actors in hostile states routinely challenge the security of our critical infrastructure. End-To-End encryption is one of the strongest possible defenses against these threats. And as vital institutions become evermore dependent on internet technologies to conduct core operations, the states have never, the stakes have never been higher. As currently drafted, the bill could break end-to-end encryption, opening the door to routine, general, and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human right activists, and even politicians themselves, which would fundamentally undermine everyone's ability to communicate securely.
The bill provides no explicit protection for encryption. And if implemented as written, could empower off com O F C O M, that's the UK's communications regulator to try to force the proactive scanning of private messages on end-to-end. Encrypted communication services nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users. In short, the bill poses an unprecedented threat to the privacy, safety, and security of every UK citizen and the people with whom they communicate around the world. While emboldening hostile governments who may seek to draft copycat laws, proponents of the bill say that they appreciate the importance of encryption and privacy, while also claiming that it's possible to surveil everyone's messages without undermining end-to-end encryption. The truth is, that is not possible. We aren't the only ones who share concerns about the uk Bill. The United Nations has warned that the UK government's efforts to impose backdoor requirements constitute, quote, a paradigm shift that raises a host of serious problems with potentially dire consequences.
Even the UK government itself has acknowledged the privacy risks that the text of the bill poses, but has said its intention isn't for the bill to be interpreted this way. What <laugh> Yeah, it doesn't matter. That's me saying, how, how are, how are we supposed to interpret it? We're not interpreting it. We're just reading it. You shouldn't interpret that. You know it. Wow. It's yu and, and then they said global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments. There you go. There cannot be a British internet or a version of end-to-end encryption that is specific to the uk. The UK government must urgently rethink the bill Rev revising it to encourage companies to offer more privacy and security to its residents, not less weakening encryption, undermining privacy and introducing the mass surveillance of people's private communications is not the way forward.
Then it was signed by, they said, those who care about keeping our conversation secure. And it was the CEOs of the companies I first mentioned. Okay. So there's the open letter from the encryption providers who argue convincingly. I think that forcing surveillance capability into all communications is not workable. Now we have an, an open letter published last Wednesday by a group known as the Virtual Global Task Force. They describe themselves as an international alliance of 15 law enforcement agencies. Now, I was a bit suspicious because the chair of the organization is the UK's National Crime Agency. So I was wondering how global they were. But Wikipedia knows all about them and explains the global, the virtual Global Task force is a group of law enforcement agencies from around the world who operate together to stop online child sex abuse. The V G T is made up of the following organizations.
We have Australian High Tech Crime Center and the Australian Federal Police Child Exploitation and Online Protection Center in the uk. Colombian National Police, the Cybercrime Coordination Unit of Switzerland, the Dutch National Police, Europe Pole, Interpol, the Italian Postal and Communication Police Service, the Korean National Police Agency, the Royal Canadian Mounted Police, the New Zealand Police, the Ministry of Interior for the United Arab Emirates, the Philippine National Police, and US Immigration and Customs Enforcement, you know, ice which is a division of the D H s. Okay, so this group of actual police forces law enforcement have collectively authored and sent their own open letter this time to meta asking meta to reconsider adding end-to-end encryption features to Facebook and Instagram. The letter argues, of course, that this would hinder their own and meta's efforts to fight the proliferation of Csam on the platform, you know, child sexual abuse material.
So here's what they said, this is their open letter. The Virtual Global Task force is calling for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to child sexual abuse occurring on their platforms, or reduces their capacity to identify C S A and keep children safe. It is time to confront these concerns and make tangible steps towards possible solutions that we know exist. The Virtual Global Task Force is an international alliance of 15 dedicated law enforcement agencies, of which the National Crime Agency is the chair working alongside affiliate members from private industry and non-governmental organizations to tackle the threat of child sexual abuse. The V G T issued its first position statement on end-to-end encryption in 2021. This statement highlighted the devastating impact end-to-end encryption can have on law enforcement's ability to identify, pursue, and prosecute offenders when implemented in a way that affects the detection of CSA on industry platforms.
It is important to update the V G T position on end-to-end encryption in the context of impending design choices by industry as outlined in our previous statement, there is no doubt that encryption plays an important role in safeguarding privacy. However, this must be balanced with the importance of safeguarding children online. The V G T encourages industry to respond and consider the following, only to implement platform design choices, including end-to-end encryption at scale, alongside robust safety systems that maintain or increase child and where the child user base and risk is high. A proportionate investment and implementation of technically feasible safety solutions is paramount. They said the abuse will not stop just because companies decide to stop looking. We all have a role to play in protecting children in online spaces, and we strongly urge industry partners to take active steps toward this goal. The scale of online child sexual abuse is increasing worldwide.
The We Protect Global Alliance have identified it as one of the most urgent and defining issues of our generation. The number of reports of CSA from industry continue to be staggering, but demonstrates the key role that industry plays, both in protecting children online and in reporting cases to law enforcement for action. The National Center for Missing Unex Exploited Children M C M E C received 29.3 million reports of suspected CSA in 2021. A 35% increase from 2020. Of this 23.9 million, over 29.1 million reports came from electronic service providers. Although these reports result in a range of different outcomes globally, what is consistent is that they significantly contribute to positive outcomes for child safety. These figures demonstrate the current success of industry partners in detecting and reporting CSA occurring on their platforms, resulting in victims being identified and safeguarded design and investment choices implemented in a way that interfere with the effectiveness of such safety systems threatened to undermine these successes which have been consistently built upon over previous decades.
Finally, the announced implementation of end-to-end encryption on meta platforms. Instagram and Facebook is an example of a purposeful design choice that degrades safety systems and weakens the ability to keep child users safe. Meta is currently the leading reporter of detected child sexual abuse to M C M E C. The V G T has not yet seen any indication from meta that any new safety systems implemented post end-to-end encryption will effectively match or improve their current detection methods. Okay, so everybody's gearing up here and staking out their positions. You know, it feels like it's coming to a head. It's unclear what's gonna happen. Legislation is probably gonna be passed since it's easy for politicians to write laws, which tell others what they can and cannot do. But it's difficult to see any of the providers of end-to-end encryption backing down from their positions, especially not those like Telegram Signal and Thema whose entire purpose is providing secure end-to-end encryption.
As we know, apple proposed a solution that would be minimally invasive, but the public freaked out over the idea of anything like a library of known child pornography being resident on their phones. And, you know, the sentiment is understandable. An Apple's solution would not handle the whole text messaging grooming problem. So this all led me to revisit the question we touched upon once previously, which was whether some form of good old fashioned parental control might be the only answer. Perhaps we should, you know, we would need to decide that these social media devices are just too dangerous for children to have. And that led me to an interesting idea that I haven't seen suggested anywhere. Why don't we arrange to only monitor children?
The pending laws and legislation would be changed to only require exactly what those governments claim is their reason and motivation for needing to compromise full end-to-end encryption, which is sexual abuse material content and behavior screening for minors. The then we implement that legislation with technology so that the devices children use in countries that require it are aware of the date when they will no longer be subject to monitoring for their own protection. When any device is first set up and configured with an account, the setup process determines whether the user of this device resides within a country whose government has mandated the surveillance of minors. If not, that's the end of it. But if so, the setup process is then informed of whether the user is already an adult. If so, again, that's the end of it. But if the user is currently a minor in their local society, governed by laws which mandate the protection of minors online, the setup process asks the user's date of birth and the age at which they will no longer be considered a minor in their, this sequence of steps sets and stores an immutable date, which subsequently governs the behavior of all encrypted services available for the device.
Encrypted services query for a binary value, whether or not its user requires the protection provided by side channel content moderation while users are young. Any government mandated surveillance will be conducted in the background without interfering with the use of any applications. It will be entirely transparent to its young users, but on the day of their birthday, when they reach the age of majority, all such background side channel surveillance automatically terminates in full compliance with the laws governing their use of encrypted services within their society. And importantly, this solution means that no user who is already an adult, none of us, for example, will ever be subjected to this monitoring. So think about the problems this solves. Children don't lose any functionality. Everything works for them as it always has. Yes, sure in the margins, they're sacrificing some of their privacy in the interest of their protection from online predation, but only while it's in their best interests to be protected.
As soon as it's no longer needed, it disappears. And since there's no observable effect from its presence, there's no great pressure for them to cheat the system. Children are never inconvenienced. Everything works perfectly for them. And the side channel monitoring is completely invisible. Parents can take some relief in knowing that whatever it is their kids are doing online, it's being monitored for their safety while preserving as much of their privacy as possible. So parents who are in the position to oversee and set up this system in compliance with their local laws are able to enforce its presence. Adults who are not endangered by online exploitation enjoy the privilege of truly private unmonitored end-to-end encryption without any fears of Big Brother eavesdropping. The fact that adults are never monitored dispels the worries about eventual government overreach and the presence of hidden government surveillance agendas, only children are ever monitored.
The online slime balls who seek to take advantage of youthful trust and innocence know that all of their communications with an underage target is being monitored. So that hopefully pulls, pours some cold water where it may do some good. The concern of whether such surveillance might be a slippery slope and whether governments are actually using, but think of the children as a stalking horse to mask their real interest in perpetrating more widespread surveillance is resolved by this. No adult is monitored. Only young users whose electronic devices are aware of their monitoring cutoff date are protected. If governments have secret intentions to expand this monitoring beyond sexual exploitation of minors, then that's fine too. But whatever they do, it will only work on kids. The monitoring cutoff date system could be entirely local to the device, as I described above, set up under parental supervision when the device is first brought online and never subject to change.
Or it might be set up by the device's service provider such as a cell provider or by the device's account provider such as Apple, Google, Samsung, et cetera. In the future, if governments require some form of oversight, verification that mins are being protected, that too could be implemented. But the crux of the idea is clear. We've come to loggerheads and are approaching an impasse because both sides have been taking absolute all or nothing positions using technology. A compromise is possible that should satisfy everyone. Governments and law enforcement agencies say that they want to monitor children for their own protection. Fine, that can be arranged. Adults are adamant that they do not want to ever be monitored. Fine. They won't ever be. Everyone worries that governments have a hidden agenda for this monitoring. This makes that impossible. I've been thinking about this since it occurred to me yesterday and I can't find much fault to it.
The need to embed the date when surveillance will no longer be needed is new. But, so what new features are being added to our phones continually, if necessary during a transition period or when a device does not yet offer the monitor me flag. The age determination could be individually distributed among encrypted service providers when a accounts are created. But it would be cleaner to have this built into the device and queryable by encrypted apps. If a device is shared by multiple children, the age of the youngest user among them would be chosen so that the youngest user remains protected and all remain in compliance with local laws. In all the coverage we've given of this mounting encryption standoff, I've never seen any mention of something like this that appears to a workable compromise. Both sides sound and appear to be absolute in their positions, but this would appear to offer a compelling middle ground that would not be objectionable to either adults or pre adults.
And it feels like a compromise that even the encryption absolutists could live with. And they may have to if they with their services and they may have to, if they want their service to, to services to remain legal. Where monitoring of minors is required by law. Okay. I don't think they're actually proposing monitoring kids. They wanna monitor adults for trafficking csam. Well, oh, so, okay. I guess I missed that. You, I think you missed the point. So, so I I thought it was two and I thought it used to protect children from children. No, well that's, I mean, that was a minor part of what Apple was proposing, but that's not all these other things are about, they're about ca the, the, the, this, the fear whether this is true or not, but the, I guess I'm too far out of the loop, Leo.
I really think they're trying to prevent, I don't understand what the bad guys are doing. The thing, the thing they're trying to prevent is adults from trafficking, trafficking and child sexual abuse material that CS a M database Apple was gonna put on your phone comes from NC Mick. The National Center for Missing and Exploited Children is a database of child pornography that adults are trafficking in. That's really creepy. Oh, Steve, you are very innocent. I did not realize you didn't know about this. Yeah, though that's the whole, of course it's horrible. Yes. I mean it's horrific, but it's not about monitoring children. I mean, that's part of it. I guess, you know, Apple's the thing where I guess I was focused on the whole grooming aspect of it and well, wow. Yeah, that's not the issue. The issue is they really want us, the problem is all of these cloud services are storing tons of data. They don't want them to be storing child sexual abuse material. That's what csam is. It's images, graphic child porn images. It's hard. It's not kids sharing these, it's adults sharing these. That's the people they're going after.
What was it on, was it on Saturday Night Live? Where at at the end of something someone said nevermind <laugh>, Roseanne, Roseanne Andana. No, there is a part of this. You're absolutely right. Apple, by the way, is doing this. So if a child receives a naked picture, the, you the parents could turn this on. The or or wants to send this is actually what they're really trying to stop. As children sexting each other or wants to send a naked picture of themselves, apple will say, oh, you don't want to do that to the kid. And the parent can turn on the thing where it will warn the parent that this is going on. That's right. We have talked about this before. Yeah, I I didn't realize that that was actually in place. That that is, that's in place now. Yeah, they turned that on.
Okay. But that's not what all of this, that's not what the FBI or the uk wants. What they want is to break encryption for all of us. So that pedophiles, oh, Leo can't communicate hard to even, it's, it's hard to even picture that happening. <Laugh>. Oh, it's horrible. And that's why, by the way, it's a very useful tool for law enforcement because nobody's in favor of that. And you don't wanna say, well, don't break encryption cuz they'll say, well, are you in favor of child porn? No, but the problem is you can't break encryption for pedophiles and still leave it intact for us. Yeah, I certainly understand my, the mistake I made. Well, you protected the kids, which I agree is a good idea. <Laugh>, you've proposed in the past as quite a few years ago, an escrow system, which I think still might not be a bad idea.
Third party escrow system like Apple holds the keys. But most of the people on that letter, for instance, just don't want any back doors at all. Or any escrow system or any key you should be end-to-end means only you and the recipient have the key, no one else. And the problem is, well, law enforcement says, well then PE pedophiles can exchange all of this stuff and we won't know. Wow. Yeah, I know. I'm sorry. I didn't mean to bust <laugh> burst your innocence. Steve, you're, I don't want to pat you on the head. <Laugh>. Wow. Yeah, there's some bad people out there. There's some really bad people out there. More than we think, I think. But nevertheless well, okay. I, that's why it's a complicated thing, right? I don't have any answer. Yeah. That's why it's a really complicated thing. Mean it are hard to embrace the problem.
Yeah, I know. Ugh. Oh, Steve, I'm so sorry, <laugh>. I didn't know you didn't know. Go talk to Lori. Would you ask her? God, ask her about it. Steve, thank you for a wonderful show. You have a solution for that one area of it. Right? And in fact, that's basically what Apple's doing, by the way. And I was gonna share these two open letters because what we are seeing is both sides, right? Escalating these things. Oh, they're at Loggerhead. It's, it's, and that's why it's tough. It's really tough cuz nobody wants to say, oh yeah, we want to facilitate child porn. But that's more, but it's much more than that. And this is the, you know, Phil Zimmerman created a pgp. I did a, I think I'm in favor of, of monitoring Leo. This is just so horrible. Well that's one of the reasons why that's what they use.
That's the specter that they raise cuz who's gonna be in favor of that? But I personally don't think that's the only thing they want. I mean, look, law enforcement says if we could see everything going on, there would be no crime. We could stop crime in nip crime in the bud. The Constitution says, yeah, that's true. But people deserve they have a right to privacy in their own home. Yeah. So this is what, this is the tension. This is why it's very difficult. I interviewed Phil Zimmerman and I that we raised, this has always been the issue with people said with pgp, look, that lets criminals exchange information freely. And Phil said, look, don't fool yourself. Law enforcement will say to you, oh, we're going dark. In fact, the FBI put out that paper going dark. They're not going dark. Technology's giving them far more means of surveillance.
And, and and what you're referring to when, when you talked about the, the thing I proposed a long time ago was the idea a, a a means of coming up with the equivalent of a search warrant where Right under warrant as a specific individual's communications could be monitored. Right. You know, appropriately. And again and again though we do have the problem of it not getting out of control of it not being abused. And and that's the premise that WhatsApp and Signal and everybody else says, if you've got a backdoor, it will leak out. We know that historically it will leak out. And so you can't have any back doors. It's not safe. It's a look, Steve <laugh>, I mean I sympathize with your feelings cuz it's a horrible thing. It's nobody's supporting, you know, pedophiles. But again law enforcement, yeah, we could give them the right to see everything.
That's what they'd like. But that would also mean that no one would have any privacy at all. It would eliminate crime. But at what price? I'll let you think about this for a while, Steven. We'll come back next week. Steve Gibson is the man grc.com is the site, the Gibson Research Corporation. You go there, get spin. I'm gonna right back to work on spin, right? Yes. Stick with Spin <laugh>. I'm gonna say this is why you didn't wanna do an encrypt. You were working on an encryption tool and you knew I Yeah. Crypto link because yeah, I knew the government was gonna say they would come for you. He would be unhappy with absolute encryption. Yeah. grc.com has this show. In fact, he's got two unique versions of this show. We have it too. But he's got the only one with a 16 Kilobit audio.
What if you like, old time radio you'll love, he also, but it's for bandwidth. It's a bandwidth thing. And and he also has transcripts and in fact they go hand in hand because the low bandwidth versions were created for Lane Ferris who makes the transcripts cuz she lives in a bandwidth constrained environment out there in the countryside. But you can take advantage of both. Thanks to steve grc.com. He also has 64 Kilobit audio show notes are also there. And that's a great place to get the full PDF of the show notes. While you're there, pick up spin, right? The world's best mass storage, maintenance and recovery utility, six point ohs, current six point ones on its way. You'll get it for free if you buy today. There's also lots of other stuff. Steve's forums, which are fantastic. Lots of great conversations going on there and a whole lot more.
Grc.Com. We have the show at our website, twit.tv/sn Security Now get it sn when you get there, you'll also see a link to the YouTube channel, which has every video. We have audio and video at our website. You'll also see links to various podcast programs or just get the plain rss put it in your favorite podcast program. That's probably the best way. Then you subscribe, you get it automatically. You have the RSS link too, I'm sure Steve at your yeah. A website. Steve, thank you once again. Have a great week. Talk to Lori. She'll explain it all to you. Was Roseanne, Roseanne doing on s snl? Sn she not laughing. No. No. Snl And she would, she was slightly def, right? And she'd say, what's all this <laugh>? I can't remember, but about cottage cheese in the mirror, <laugh>. And then the anchor would say, no, no, no, <laugh> we're, that's not what we're talking about. And then she'd go, oh, nevermind. Thank you Steve. Have a great week. We'll see you next time. Thank you my friend. See you next week. Bye.
Rod Pyle (02:02:58):
Hey, I'm Rod Pyle, editor-in-chief of Ad Astra magazine. And each week I'm joined with my co-host to bring you This Week in Space, the latest and greatest news from the Final Frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists. And sometimes we just shoot the breeze over what's hot and what's not in space. Books and tv. And we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars Rocket, join us on This Week in Space and be part of the greatest adventure of all time.