Security Now 1003: A Light-Day Away

Leo Laporte

It's time for Security now. Steve Gibson is here. We're going to respond or at least get Microsoft's response to Steve's episode last week. They say, no, we don't use your data to train AI. What is a digital epileptic seizure? And why does your self driving vehicle have fits when it approaches an emergency vehicle, do you use Zello? Time to change the password. And then we're going to talk a little more about our favorite friend, the farthest object humanity has ever put in space. Voyager 1. Now nearly a light day away. It's gonna be another great security episode. Coming up next.

Steve Gibson

Podcasts you love from people you Trust.

Leo Laporte

This is TWiT. This is Security now with Steve Gibson. Episode 1003, recorded Tuesday, December 3rd, 2024. A light day away. It's time for Security now the show we cover your security, your privacy online, how things work. What's a great book to read when you're trying to get some sleep and you don't want to and I don't know all sorts of stuff. What's a good show to watch? What's a good vitamin to take? Steve Gibson is a polymath. He, he knows everything and tells all on the show. Hello, Steve.

Steve Gibson

Great to be with you again for episode 1003.

Leo Laporte

Yikes.

Steve Gibson

And it's still, I look at these four digits and I think, wow, okay.

Leo Laporte

We're getting used to it now though.

Steve Gibson

It really does feel like somehow a lot more than just three digits, which.

Leo Laporte

It is a lot.

Steve Gibson

Yeah, it was a cliffhanger there for a while, but we made it over the cliff and we're still flapping. We've got a bunch of fun stuff to talk about. Microsoft makes very clear what data they are not going to be using to train their AI models. So we're revisiting that topic that we touched on last week also. What's a digital epileptic seizure? What induces them and why you don't want your self driving car to have one.

Leo Laporte

No.

Steve Gibson

Yes. We've got a public plea for help in the form of volunteer volunteer bridge servers being asked for by the Tor network that we're going to talk on and explain. Also, if you're one of the 140 million Zello users, you should heed their notice to change your password.

Leo Laporte

Zello or Zelle later.

Steve Gibson

Zello. I had to double check that too. And in fact some of the reporting, I think the reporters are so used to typing Zelle Z E L L E that some of the text was mixed up. So it's Zello, which is a. It's a push to talk app for smartphones.

Leo Laporte

They have so many users. 140 million users.

Steve Gibson

140 million.

Leo Laporte

Holy cow.

Steve Gibson

Nobody wants to dial a number. So, yeah, apparently you just press it. Press the screen and you get to talk to your mom. I don't know. Anyway, the US Federal Trade Commission opens a broad antitrust investigation into whether Microsoft has been naughty or nice. A new form of Android smartphone scareware, which is really sort of interesting at first glance. It simulates a seriously malfunctioning, cracked and broken screen and scares people into like, oh, no. Yeah, getting tech support. That's hysterical. It really is. And when you see it, I got a picture of it in the show notes. It's like, whoa, okay, that would freak me out. Anyway, it's almost certainly positively and completely safe to leave wireguard open and listening for incoming connections. Almost is almost certainly positively and completely safe. Safe enough for you. That's. We're going to look at that. If the Internet fills with AI output, what happens when AI starts training on that? It seems that we know that some experiments have been done and it's not looking good. We're going to lose some very popular dog breeds, among other things. Last week, Australia passed the social media age restriction law. Now what? And finally, we're going to talk about once again, one of our sort of favorite side topics, Voyager 1. Not only is it now nearly an entire light day away, think about that. It takes a day.

Leo Laporte

That's amazing.

Steve Gibson

Like, that's how far out it is. It is beginning to have some harder to remotely repair problems. There was so much interesting science and engineering shared in the last week that I thought, okay, this is just, it's just cool stuff. I mean, it's like, you know, we're beaming up and we're doing warp drive and all this crap that we can't have phaser beams. No, we don't have any of that. What we actually have is a shockingly well designed piece of hardware from the 70s 70s that is still going. So. And of course we do have our. A great picture of the week. I've already had some feedback from people I haven't looked and. Yeah. And so I think a great show for everybody. Probably worth your time while you're mowing your lawn or commuting to work or walking your dog, whatever you're doing.

Leo Laporte

I always, every time you do a Voyager segment, I always call it V'Ger. And I should clarify that. After the first one, I looked it up and the V'Ger from Star Trek is actually supposedly movie ever made. Is that the one where Spock dies? I can't remember.

Steve Gibson

Oh, no, that was a good one. I think that might have been the reason.

Leo Laporte

It was the first one, maybe.

Steve Gibson

Yeah. Oh, it was the first. And they had bad uniforms and it's like, what happened?

Leo Laporte

You know, I remember watching though, and being so thrilled when that elevator opens and there are Kirk and Spock and McCoy and it was just like, oh, they're back, they're back.

Steve Gibson

Yeah.

Leo Laporte

Anyway, V'Ger from that movie is theoretically Voyager 16. There is no Voyager 16. So the Voyagers we're talking about 1 and 2 are not feature. Just.

Steve Gibson

Yeah, and I didn't say this and I may forget, so I'll say it now. One does need to wonder, like why they're expending all this effort. I mean, it's done its job. I mean, more things. It is outside the heliopause. We are getting information, we're getting science data we've never had before. But at this point, it's clearly just can't. Let's see how it's a flex. What we can do. Exactly. Can we keep this little sucker aimed at us?

Leo Laporte

They can. That's what's amazing.

Steve Gibson

Yeah. Wait till you hear what they are. Wait till you hear what's happening now.

Leo Laporte

Oh, I can't wait. Oh, it's going to be a good one. Security now, 1,003 in your hears and we will get to the first bit in just a bit. But first, our first sponsor of the show and the great folks at Melissa. We've been talking about Melissa for years, but they are even older than Security now is. They are and have been the trusted data quality expert since 1985. That means next year they're going to celebrate their 40th anniversary. That's. That's really cool. What's really actually even better is as the years have gone by, Melissa has become more sophisticated, more powerful, more useful. It's done so much more to keep your address book, your in business, your customer list, I should say, not really address book, although it's the same thing. Right. Or your supplier list, accurate up to date so that you save money, you save time. Personalization is as important as ever during the holiday season. But, you know, if you're offering personalization, it could kind of backfire because no one wants to be misidentified. That's what Melissa can help with. They have a fluid knowledge base of global names. Oh, and even as important, naming conventions. So if you put in a name associated with a specific country, you can parse it more accurately. For instance, as an example, signora is the first word in some countries and if it is, it would be flagged. They'll say, oh, yeah, that's not the first name. We're not. That's not our first name. That's an honorific. And Melissa knows that and much, much more. Melissa's database also has a large list of cultural names, also vulgarities, because you know, there's people out there who will try to get an embroidery done with some bad words. Some names might be flagged as valid but need extra checking because, for instance, it's a celebrity name. Melissa can do this with all of this, with your business names, your customers and your suppliers. Be sure to check out Melissa Marketplace too. This is really cool. That's where they offer premium third party data on demand to improve campaign performance. They have data visualization tools in there, they have business decision tools in there. And here's a very good bit of news. Melissa now offers transparent pricing for every one of its services. So no more guesswork when estimating your business budget. You'll know exactly what it's going to cost to use Melissa day in, day out. And of course, I shouldn't even have to say this, but I want to reassure you. Melissa uses secure encryption for all your data for file transfers. Their information ecosystem is built on the ISO 27001 framework. They adhere to GDPR policies, SOC2 compliant, so your data is safe. Whether you need the full white glove service or just the nuts and bolts, Melissa is the best choice for your enterprise. Get started today with 1000 records cleaned for free. Get your address records in order with Melissa melissa.com Twitter melissa melissa.com we thank him so much for supporting Security now and you support us when you use that address so that they know you saw it. Here, melissa.com twits all right, I'm ready for the picture of the week, Mr. Gibson.

Steve Gibson

So this one, I gave it the caption and not for the first time. We've had a few other ironic pictures. I but I call this one irony defined.

Leo Laporte

All right, I'm scrolling up. That's gotta be. That can't be. That's hysterical.

Steve Gibson

It is just too fun. It is too fun.

Leo Laporte

Go ahead and read it for us. For those not watching the video.

Steve Gibson

That's right. And so what I clipped out of the photo this one of our listeners sent me what looks like his. His camera screen.

Leo Laporte

So this is real.

Steve Gibson

I think it's real. Wow. So, yeah, so what we have, we can so we're looking through a glass door into a region behind which we learn is because of the headline on the sign that's been posted on this glass door. This is the mall maintenance shop. So it's some sort of a, like a large mall. And it looks authentic. You can see, you can see a very long ladder, an extension ladder against the far wall. There's some coiled up stuff in the foreground. Looks like an industrial, you know, like tile cleaner kind of thing. So, I mean, this looks like the real deal. This is clearly a mall, you know, like some large retail mall maintenance shop. And the sign brags about their capabilities, saying we can repair anything. But then it says in parentheses below that, please knock hard on the door. The bell doesn't work.

Leo Laporte

Okay, so they probably have a good sense of humor.

Steve Gibson

We haven't gotten around to fixing the bell yet, but otherwise, other than our own bell, you know, if you've got something broken, we'll fix it. I love it.

Leo Laporte

Yeah.

Steve Gibson

And it would be really fun. I agree with you, Leo. To learn the actual backstory here, you know, they may, it may just be a crusty old guy who's got a great sense of humor, as you say, but I have a feeling that the bell doesn't work.

Leo Laporte

No, I think it's true in that respect. Maybe there isn't even a bell, you know.

Steve Gibson

Okay, so Microsoft felt the need to clarify what had become the widespread misapprehension that they would be training their AI models against the private and personal data of their Office product users. And of course, we looked at that speculation behind that last week. So the day after we did so last Wednesday, Bleeping Computer did a great job of summing up the situation. So I'm just going to quote, I've edited what they said, but you'll get the gist. They wrote. Microsoft has denied claims that it uses Microsoft 365 apps, including Word, Excel and PowerPoint, to collect data to train the company's artificial intelligence AI models. This comes after a Tumblr blog post spread on social media claiming that Redmond used their Connected Experiences feature to scrape customers Word and Excel data for AI training. And by the way, Paul was correct on Windows Weekly the day after our last podcast, saying that nowhere did any of Microsoft's own documentation ever say that it didn't use the word AI training. So that was a presumption. A Microsoft spokesperson told Bleeping Computer, quote, Microsoft does not use Customer data from Microsoft 365 consumer and commercial applications. Now, I should just mention, I wish that the person hadn't put that caveat in. They should have just said Microsoft does not use customer data from Microsoft 365 applications. Why say consumer and commercial applications? You know, it's like a little. Are they hedging? I don't know anyway to train large language models Additionally, the Connected Services setting has no connection to how Microsoft trains large language models. Okay, so that's good. So the company also told Bleeping Computer that this optional setting has been on by default since it was first made available in April of 2019. So five years ago, always been on bleep Bleep. Computer was also told quote the Connected Experiences feature enables features like co authoring, real time grammar suggestions and web based resources. And Leo, this is precisely what the assumption you were making. Also last week they said these features are on by default because they're features people naturally expect in a cloud connected productivity tool. However, customers always have control, they wrote and can adjust their Connected Experiences settings at any time, unquote. So as Microsoft explains on its support website, the feature is used to first provide design recommendations, editing suggestions or data insights based on the Office content through features like PowerPoint designer or translator. And it also downloads online content templates, images, 3D models, videos and reference materials including but not limited to Office Templates or PowerPoint Quick Starter. To toggle this feature off, Microsoft 365 users have to open their Office apps like Word or Excel and choose whether to enable or disable experiences that download online content or analyze their content under Connected Experiences after going to the File Account Account Privacy Manage Settings menu. So as we said last week, so quoting them, the Connected Experiences setting enables cloud backed features designed to increase your productivity in the Microsoft 365 apps, like suggesting relevant information and images from the web, real time co authoring and cloud storage, and tools like Editor in Word that provide spelling and grammar suggestions. Microsoft has been using their AI in Microsoft 365 for years now. Maybe that's where some of this confusion comes in, because they're calling spellcheck AI. So this is them saying Microsoft has been using AI in Microsoft 365 for years to enhance productivity and creativity through features like designer and PowerPoint which helps create visually compelling slides, and Editor in Word which provides grammar and writing suggestions. You know that's not today's definition of AI. But they then said these features do not rely on generative AI or large language models, but rather use simpler machine learning algorithms. Unquote. So Bleeping Computer says at the end Microsoft added that the setting has been available since April 2019, with enterprise admins having the option to choose if connected experiences are available to users within their organizations, using multiple policy settings designed to manage privacy controls for Microsoft 365 apps and Office for Mac, iOS and Android devices. So okay, we're certainly all of us, I'm sure glad for the clarification. Whatever Microsoft is doing exactly. And unless anything has changed recently, it's been doing whatever it is for the past five years. It's always been on by default, you know, like grammar and spelling suggestions. And anyone who isn't comfortable with this is free to turn it off if they wish. If nothing else, it seems very clear that this has nothing whatsoever to do with Copilot plus and any of the recent concerns over Microsoft's AI being used to otherwise enhance their users experiences. And it's one thing to be mistrustful and another thing to accuse them wrongly. We could certainly have one without the other. Given what I've witnessed firsthand of what they've done to Windows Start Menu Tray and Edge, you know, none of which enhances my own use of Windows. I'm obviously not a big fan of the direction they're taking their consumer desktop. Nevertheless, make no mistake, I love Windows. So I got some feedback from people saying wow, you know, if you're so unhappy with Microsoft and Windows, why are you still using it? I love it, you know, I mean, for my purposes it's far better than any alternative. And I'm hopeful that when I set up my next Windows desktop, my Microsoft developer access to the Enterprise edition of Windows 10 will provide me with the cleaner experience that I look for in what I consider to be a tool rather than a toy. You know, I just don't have any interest in Windows being a toy with, you know, offering me Candy Crush, Soda, Saga and Xbox features on my Start menu in addition to everything else they've done. So anyway, Microsoft is obviously very sensitive to all of this after the pushback and concern that the industry showed with their stumbling rollout of what they plan to do with recall in Copilot Plus. So they're going to great pains to calm people and there's every reason to believe this is just grammar and spelling checking. It is worth noting that in bleeping computers coverage, they don't talk about the fact that Microsoft does say whatever it is they're doing with connected experiences. There are those which where they're collecting data over the lifetime of the user's account. So maybe that's just they're learning what spelling mistakes people always make or what the, you know, what they're like learning the grammar of the user and getting better at helping them to correct themselves. You know, that's what I presume. But so, but we did learn last week that from their own statements that there is something that continues to exist at their end in the cloud on a per user account basis, presumably helping it to do a better job with those things that it's been doing for the last five years. And unfortunately they call that AI, which you know, nobody else bothers to. Okay, so I was put onto some new research from our friends at the Ben Gurion University of the Negev and Fujitsu, researched by both groups. That's by one of the researchers who's also one of our listeners, Ben Nasse. The title of their 21 page paper is Securing the Perception of Advanced Driving Assistance Systems against Digital Epileptic Seizures Resulting from Emergency Vehicle Lighting. Okay, now I suppose it's unavoidable to anthropomorphize driving assistance systems, but somehow calling this problem Digital epileptic seizures rubs me the wrong way. You know, you know, the overlap in apparently this behavior is the flashing of lights, which as we know can trigger human actual epilepsy, you know, epileptic seizures. So they're saying that auto driving systems don't like lights flashing either. Anyway, I'm not sure what bothers me about it, but something does. In any event, it turns out that driving assistance systems do have a problem with the flashing lights used by emergency vehicles. Wired has a nice summary of the very good research this group has just conducted and published under Wired's headline Emergency Vehicle Lights Can Screw Up a Car's Automated Driving System with the sub head. Newly published research finds that the flashing lights on police cruisers and ambulances can cause. And here we go, you know, quotes Digital epileptic seizures in image based automated driving systems potentially risking wrecks. And actually apparently there have been 16 instances that have been seen so far. Anyway, Wired, we'll get to that. Wired wrote. Carmakers say they're increasingly sophisticated automated driving systems make driving safer and less stressful by leaving some of the hard work of knowing when a crash is about to happen and avoiding it to the machines. But new research suggests some of these systems might do the virtual opposite at the worst possible moment. A new paper from researchers at Ben Gurion University of the Negev and the Japanese technology firm Fujitsu demonstrates that when some camera based automated driving systems are exposed to the flashing lights of emergency Vehicles they can no longer confidently identify objects on the road. The researchers call the phenomenon a digital epileptic seizure. Epilepticar for short, where the systems trained by artificial intelligence to distinguish between images of different road objects fluctuate in effectiveness in time with the emergency light's flashes. The effect is essentially, I'm sorry, is especially apparent in darkness, the researchers say. And that kind of makes sense, you know, much greater contrast there. Emergency lights, in other words, writes Wired, could make automated driving systems less sure that the car shaped thing in front of them is actually a car. The researchers write that the flaw quote poses a significant risk, unquote, because it could potentially cause vehicles with automated driving systems enabled to crash near emergency vehicles and be exploited by adversaries to cause such accidents.

Leo Laporte

You know, it's interesting because a lot of Teslas have crashed into emergency vehicles.

Steve Gibson

Exactly.

Leo Laporte

And maybe we now know why.

Steve Gibson

Exactly, they said. While the while the findings are alarming, this new research comes with several caveats. For one thing, the researchers were unable to test their theories on any specific driving systems such as Tesla's famous Autopilot. Instead they ran their tests using five off the shelf automated driving systems embedded in dash cams purchased off of Amazon and Wired, said Prenz. These products are marketed as including some collision detection features, but for this research they function as cameras. They then ran the images captured on those systems through four open source object detectors which are trained using images to distinguish between different objects. The researchers are not sure whether any automakers use the object detectors tested in their paper. It could be that most systems are already hardened against flashing light vulnerabilities. Okay, now to me, while this might appear to render the value of this research more questionable, there was at least some good reason to wonder and the researchers findings bore this out. Wired says the research was inspired to your point, Leo. Right. By reports that Tesla's using the electric car maker's advanced driver assistant feature. Autopilot collided with some 16 stationary emergency vehicles between 2018 and 2021, says Ben Nasi, a cybersecurity and machine learning researcher at Ben Gurion University who worked on the paper. Quote. It was pretty clear to us from the beginning that the crashes might be related to the lighting of the emergency flashers. Ambulances, police cars and fire trucks are different shapes and sizes. So it's not the type of vehicle that causes this behavior. In other words, you know, these guys started by probably correctly inferring that, you know, okay, what is it that is unique about these emergency vehicles that Tesla's keep crashing into? Well it's they've got flashing lights. So a three year investigation rights Wired by the US National Highway Traffic Safety Administration into the Tesla emergency vehicle collisions eventually led to a sweeping recall of Tesla Autopilot software, which is designed to perform some driving tasks like steering, accelerating, braking and changing lanes on certain kinds of roads without a driver's help. The agency concluded that the system inadequately ensured drivers paid attention and were in control of their vehicles while the system was engaged. They said other automakers advanced driving assistance packages, including General Motors, Super Cruise and Ford's Blue Cruise, also perform some driving tasks, but mandate that drivers pay attention behind the wheel. Unlike Autopilot, these systems work only in areas that have been mapped. In a written statement sent in response to WIRED's questions, Lucia Sanchez, a spokesperson for the NHTSA, acknowledged that emergency flashing lights may play a role. She said, quote, we're aware of some advanced driving assistance systems that have not responded appropriately when emergency flashing lights were present in the scene of the driving path under certain circumstances. Tesla, which disbanded its public relations team in 2021, did not respond to WIRED's request for comment. The camera systems the researchers used in their tests were manufactured by HP, Pelc, AZDome, Imagebon and Rexing. None of those companies responded to WIRED's request for comment. Although the NHTSA acknowledges issues in some advanced driver assistance systems, the researchers are clear they're not sure what this observed emergency light effect has to do with Tesla's autopilot troubles. Ben Nasi said, I do not claim that I know why Teslas crash into emergency vehicles. I do not know even if this is still a vulnerability. The researchers experiments were also concerned solely with image based object detection. Many automakers use other sensors, including radar and lidar, to help detect obstacles in the road. A smaller crop of tech developers, Tesla among them, argue that image based systems augmented with sophisticated artificial intelligence training can enable not only driver assistance systems but also, here we go, completely autonomous vehicles. Oh boy. Last month, Tesla CEO Elon Musk said the automaker's vision based system would enable self driving cars next year.

Leo Laporte

He's been saying that for 10 years.

Steve Gibson

2025, baby.

Leo Laporte

It's been next year for at least six years. That's right.

Steve Gibson

Indeed, they wrote, how a system might react to flashing lights depends on how individual automakers design their automated driving systems. Some may choose to tune their technology to react to things it's not entirely certain are actually obstacles. In the extreme, that choice could lead to false positives where a car might hard brake, for example, in response to a Toddler shaped cardboard box. Others may tune their tech to react only when it's very confident that what it's seeing is an obstacle. On the other side of the extreme, that choice could lead to a car failing to brake to avoid a collision with another vehicle because it misses that this is another vehicle entirely. The Ben Gurion University and Fujitsu researchers did come up with a software fix to the emergency flasher issue. It's designed to avoid the seizure issue by being specifically trained to identify vehicles with emergency flashing lights. The researchers say it improves object detectors accuracy. Erlens Fernandez, an assistant professor of computer science and engineering at University of California San Diego who was not involved in the research, said it appeared sound. He said, just like a human can get temporarily blinded by emergency flashers, a camera operating inside an advanced driver assistance system can get blinded temporarily. For researcher Brian Reamer, who studies vehicle automation and safety at the MIT Age Lab, the paper points to larger questions about the limitations of AI based driving systems. Automakers need repeatable, robust validation to uncover blind spots, so to speak, like susceptibility to emergency lights. He says he worries some automakers are moving technology faster than they can test it. Okay, so my own take is that, you know, this sort of research conducted by independent researchers is vitally important. It, you know, it needs to be done. It's obvious that the various car manufacturers are holding their, you know, their cards and their cars very close to their vests. They understandably consider their future auto driving technology to be ultra proprietary and because they want the best and no one else's business yet flesh and blood human beings and pets are moving within the same space as these autonomous high speed rolling robots. It's a recipe for disaster. And this has the feeling of being driven by the same sort of gold rush mentality as the, as the push for general artificial intelligence. So the headlines that these researchers have generated will doubtless, if nothing else, induce all of the developers of similar self driving technology that actually is, you know, being fielded to consider and test the effects of bright flashing lights on their driving AI. You know, the lives of people and pets have probably been saved. So hats off to these guys. And they have a, I have links to their 21 page paper where they really dig into the technology. They show the operation of the, of the AI learning neural networks and just how badly they are upset by flashing lights. So this is absolutely been useful for the long term safety of vehicles. And again I just think because the proprietary interests of automakers is to keep their stuff proprietary, not open. This limits what Researchers are able to test, but this kind of research is I think vitally important. And Leo, I know that you've had a Tesla for quite a while and.

Leo Laporte

Well, we got rid of it. Lisa used to call it Christine because it would drive her into things and then do exactly what they were talking about, which was just stop, randomly screech to a halt as if it had seen something. And I think that that's the same, you know, the flip side of that coin. Right?

Steve Gibson

Yeah. I have a, I Finally replaced my 21 year old BMW and I have a car that's got sensors too. And when I'm backing up, oh, it beeps like crazy. I bet I have garages in both locations where there's not a lot of space and it's going dinging and donging and buzzing and, and, and it actually creates anxiety in me.

Leo Laporte

Yes.

Steve Gibson

Because I'm thinking it's seeing something I don't know about.

Leo Laporte

Lisa says she literally, I have a BMW i5 which is a very highly technically advanced machine, an EV. And she won't, she says back out of the garage before I get in because it makes me crazy, all the beeps and the boops. And I have a heads up display, you know, from 2001 A Space Odyssey, showing me the different vectors and synthetic.

Steve Gibson

Imaging generation and it overlays all sorts.

Leo Laporte

Of stuff on top of it. But I've learned what to pay attention to and whatnot. And you know, you can see why, you know, at least for now, AI is not good enough to replace a human. It's a nice pal.

Steve Gibson

Yes. And the problem is everybody, you know, there is clearly a rush to the promise of this. Your car can drive itself.

Leo Laporte

Yeah.

Steve Gibson

And you know, it does. It feels like they're always going to be pushing ahead of the envelope that they should stay in. And it's research. Like this is the only place we get an independent reality check. And so even though they weren't able to actually train on infield self driving technology, they were able to look at similar systems and say, guys, there seems to be a problem with flashing lights over here.

Leo Laporte

Well, I hate to say it, but anytime I hear the words Elon Musk said, I discount most of what follows because he is, he's a marketer, he's a master.

Steve Gibson

We too have been trained by Elon Musk to discount, to discount everything he does at the same time. You know, he lands, he captures returning rocket boosters with chopsticks and you know, and folding fold out legs and you know, and he, you know, Starlink is providing Internet connectivity to people would otherwise never have it.

Leo Laporte

Yeah, I mean, this is our backup when Comcast goes down, which they do, sadly, a little more often than a podcast network would like. If ubiquity fails over to the satellite dish on the roof right up here. Yeah, and it's, it's, by the way, it's very reliable, even in rain. And it's really pretty amazing how well that works. So I'm not saying that Elon's companies don't produce good products. I'm just saying he is like most marketers, prone to overstating things.

Steve Gibson

Okay, we're 35 minutes in. Let's take a break and then we're going to talk about the Tor network and how they need you.

Leo Laporte

They need me to operate a tour node, I'm guessing, but we'll see. All right, first though, a word from our sponsor and this segment of security now brought to you by Big id. I really like this company. They are the leading DSPM solution. What is dspm? You ought to know actually. Data security, posture management. If you're in business, if you run an enterprise shop, you know you need dspm. Big ID is the first and only DSPM solution to uncover dark data, to identify and manage risk, to remediate the way you want doesn't tell you what to do, gives you the options to scale your data security strategy through unmatched data source coverage. And it becomes especially important in the AI era. When you have and your company Training your own AIs on data from the company. You want to make sure that you train it on the data that's appropriate to train it on and not train it on the data you don't want it to be trained on. Big ID helps with that. Big ID seamlessly integrates with your existing tech stack. It allows you to coordinate security and remediation workflows. Because with Big ID you could take action on data risks. And as I said, you decide, annotate, delete, quarantine, whatever you want based on the data, all while maintaining an audit trail which is so important for compliance. Big ID has some of the biggest companies in the business using its ServiceNow uses, BigID, Palo Alto Networks, Microsoft, Google AWS, and on and on and on. With Big IDs advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. Think about companies you know, usually legacy companies, companies have been business for a long time that have data in a variety of different places. No one probably in the world has data in A broader variety of places than the United States Army. Right. They use Big id. Yeah, the army does. To illuminate dark data, to accelerate cloud migration. That's by the way, a mandate right throughout our entire military infrastructure. Get up into the cloud. They help the army minimize redundancy. They help it with automated data retention. Here's a quote. This comes, this is, this is gold. From the US Army Training and Doctrine Command. The first wow moment with Big ID came with just being able to have that single interface that inventories a variety of data holdings, including structured and unstructured Data across emails, zip files, SharePoint databases and more. To see that mass and be able to correlate across all those completely novel. I've never seen a capability that brings us together like Big ID does. Boy, you gotta do something special to get US army training and doctor in command to say something that nice. That is high, high praise. CNBC recognized Bigid is one of the top 25 startups for the enterprise. Named to the Inc 5000 and Deloitte 500 for two years in a row. They're the leading modern data security vendor in the market today. In fact, when you think dspm, you should really be thinking Big id. The publisher of Cyber Defense magazine says Big ID embodies three major features we judges look for to become winners. Understanding tomorrow's threats today, that's one. Providing a cost effective solution, of course that's always important. And innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the breach. You got to know where your data is. You gotta know what's going on out there, right? Big ID will help you start protecting your sensitive data wherever your data lives. Very important in this AI age as well. Go to bigid.com securitynow bigid.com securitynow you can get a free demo. See how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. That's BigID. B I G I D bigid.com Security now they actually have a number of reports if you go to that website that are free that you can download white papers, including one that provides insights and key trends on and issues on AI adoption challenges the overall impact of generative AI across organizations. Very helpful and it ties right into Big ID's mission. BigID.com Security now we thank you so much for your support Bigid. And we invite all of our listeners and viewers to support us by going to that address so that they know you saw it here. BigID.com security now Steve okay, so last.

Steve Gibson

Thursday, the Tor network posted their plea for volunteer help. They wrote, recent reports from Tor users in Russia indicate an escalation in online censorship with the goal of blocking access to Tor and other circumvention tools. This new wave includes attempts to block Tor bridges and pluggable transports developed by the Tor project, which I'll explain in a second. Removal of circumvention apps from stores and targeting popular hosting providers, shrinking the space for bypassing censorship. Despite these ongoing actions, Tor remains effective. One alarming trend is the target targeted blocking of popular hosting providers by none other than Ross Kamadzor.

Leo Laporte

I'll put an echo on it for.

Steve Gibson

The next time, as many circumvention tools are using them. This action made some Tor bridges inaccessible to many users in Russia. As Ross Kamzor. The Internet service providers in Russia are increasing their blocking efforts, the need for more web tunnel bridges has become urgent. Okay, so they say, why Web tunnel bridges? And I'll explain a little bit about what they are in a second. They wrote. Web tunnel is a new type of bridge that is particularly effective at flying under a sensor's radar. Its design blends itself into other web traffic, allowing a user to hide in plain sight. And since its launch earlier this year, we've made sure they wrote to prioritize small download sizes for more convenient distribution and simplified the support of micro TLS integration, further mimicking the characteristics of more widespread browsers. This makes webtunnel safe for general users because it helps conceal the fact that a tool like Tor is being used. We're calling on the Tor community and the Internet Freedom community to help us scale up Web tunnel bridges. If you've ever thought about running a Tor bridge, now's the time. Our goal is to deploy 200 new web tunnel bridges by the end of this December 2024 to open secure access for users in Russia.

Leo Laporte

So a bridge is not the same as a Tor node.

Steve Gibson

Correct? Okay, correct. It is literally a bridge to a node. So it is not itself a node. It is an endpoint, which, and this is what's so cool, which uses technology, they call it plugin protocol technology, to hide the fact that what the user is doing that connects to the bridge is using Tor. So anyway, their posting goes on to explain how to set up and run a web tunnel, among other things. It can be as straightforward as just hosting a Docker image. So I've got a link to this posting in the show notes blog.torproject.org call four web tunnel bridges. Since we haven't looked closely at Tor's web tunnel technology. I wanted to share a bit about it from their description. Where it was introduced just last March, it was titled Hiding in Plain Introducing Web Tunnel. Then they wrote today, March 12, on the World Day Against Cyber Censorship, the Tor Project's anti censorship team is excited to officially announce the release of webtunnel, a new type of Tor Bridge designed to assist users in heavily censored regions to connect to the Tor network. Available now in the stable version of Tor browser, which as we know is based on Firefox, webtunnel joined our collection of censorship circumvention tech developed and maintained by the Tor Project. The development of different types of bridges are crucial for making Tor more resilient against censorship and stay ahead of adversaries in the highly dynamic and ever changing censorship landscape. This is especially true as we're going through the 2024 Global Election MegaCycle. The role of censorship circumvention tech becomes crucial in defending Internet freedom if you've ever considered becoming a Tor bridge operator to help others connect to Tor, now is an excellent time to get started. And this was their posting back in March. You can find the requirements and instructions for running a web tunnel bridge in the Tor community portal. So what's a web tunnel and how does it work? Webtunnel is a censorship resistant pluggable transport designed to mimic encrypted web traffic. It works by wrapping the payload connection into a websocket like HTTPs connection, appearing to network observers as an ordinary HTTPs connection. So for an onlooker without the knowledge of the hidden path, it just looks like a regular HTTP connection to any web server, giving the impression that the user is simply browsing the web. In fact, Web Tunnel is so similar to ordinary web traffic that it can coexist with a website on the same network endpoint, meaning the same domain, IP address and port. This coexistence allows a standard traffic reverse proxy to forward both ordinary web traffic and Web Tunnel to their respective application servers. As a result, when someone attempts to visit the website at the shared network address, they will simply perceive the content of that website address and won't notice the existence of a secret bridge, the web tunnel. And I'll explain a little bit about that in a second. They said Web Tunnel's approach of mimicking known and typical web traffic makes it effective in scenarios where there's a protocol allow list and a deny by default network environment. In other words, Russia can put up a firewall that only allows Web traffic, not Tor, not anything unknown, that is it's a deny by default. But after all, we need to let people visit websites, right? This is indistinguishable from someone visiting a website. And in fact the sensors can go to the site that they observe Russians going to and they see a website. Whereas the people using this really cool Tor technology ctor they said, consider a network traffic censorship mechanism as a coin sorting machine with coins representing the flowing traffic. Traditionally, such a machine checks if the coin fits a known shape and allows it to pass if it does, or discards it if it does not. In the case of fully encrypted unknown traffic, as demonstrated in the published research, how the Great Firewall of China detects and blocks fully encrypted traffic which doesn't conform to any specific shape, it would be subject to censorship, meaning being discarded. In our coin analogy, not only must the coin not fit the shape of any known blocked protocol, it also needs to fit a recognized allowed shape, otherwise it would be dropped. Web tunnel traffic resembling HTTPs web traffic, a permitted protocol will be allowed to pass. So this is. This is so cool. Again, what this means is that any regular website, and you don't have to be hosting a website, but you can be can also be hosting a Tor web tunnel at the same IP and same port, side by side. And no one would ever be the wiser, since in this case Russia or any other censoring regime would be unable to detect that someone is not just visiting a website, the traffic would not be blocked. But this also makes it clear that the more pseudo websites are available, the better. So if any of our listeners is moved to help the Tor project, and specifically Russian citizens who are unable to see out past their country's censorship, and presumably Chinese citizens as well, which is being enforced, of course, for propaganda purposes. The Tor project needs you. To make following up on this easier, I created a GRC shortcut link. So it's just GRC sc Tor T O R GRC SC tor. And that will take you to the recent posting that has updated resources, including just a Docker container that you can download if you're interested in exploring this and getting going. But if you've got, you know, a Linux system, you can install stuff and.

Leo Laporte

So forth, it's probably not a very heavy process either, right? I mean, it probably doesn't use a lot of CPUs or.

Steve Gibson

Right.

Leo Laporte

And they are bandwidth.

Steve Gibson

Oh yeah, exactly. Bandwidth only. Very little CPU because it's just forwarding traffic through. Very cool. So Zello Z E L L O is a mobile push to talk service used by 140 million first responders, hospitality services, transportation and family and friends to communicate via their mobile phones using a simple push to Talk app. The news is that over the past two weeks, starting on November 15, Zello's customers have been receiving legitimate notices from Zello because of course, everything is suspect these days asking them to change their passwords, the notice reads. Zello Security Notice As a precaution, we're asking that you reset your Zello app password for any account created before November 2, 2024. We also recommend that you change your passwords for any other online services where you may have used the same password. Well, doesn't take a rocket scientist nor anyone who's been following this podcast for more than a few months to know what must have happened over at Zillow headquarters. And it's not good news. But Zello is also not saying Bleeping Computer has reached out to Zello and been rebuffed. Customers who received that notice told Bleepy Computer that they had not received any further information from Zello, and Bleeping Computer's repeated attempts to contact the company have gone unanswered. So at this point, it's unclear whether Zello may have suffered a data breach or a credential stuffing attack. But the notice certainly does imply that threat actors may have access to the passwords of any users who had accounts before November 2. Bleeping computer noted in their reporting of this that Zello had previously suffered a data breach in 2020 which also required users to reset their passwords after.

Leo Laporte

Great.

Steve Gibson

Yeah, I know it's happened before. Yeah, after threat actors stole crit customers email addresses and hashed passwords. In any event, 140 million users is a substantial user base. As you noted, Leo, it's like a big chunk of the us. Yeah, I'm surprised. But of course it's global. If our listeners or anyone they know may be affected by it, it would be a good idea to heed this notice. And just a short note that the U.S. federal Trade Commission has opened an antitrust Microsoft probe, announcing a broad antitrust investigation into Microsoft's business practices. The investigation will cover the company's software licensing practices, cloud computing, cybersecurity and AI business units. The FTC allegedly received complaints that Microsoft was locking in customers. Gee, perhaps like the US Government preventing them from moving to competitors. In September, Google filed an official antitrust complaint against Microsoft's cloud business in the eu. So this will be something to keep an eye on and we don't know what the fate will be. You know, nothing much will happen right this month. And we get new administration in early January, so we don't know what approach that administration, you know, the second Trump administration will take. So we'll see.

Leo Laporte

There's been so much activity from the FTC and other, and FCC and the CFPB in the last few weeks, and I really feel like they're going, let's get everything done before the, before January 20th.

Steve Gibson

But you can't get anything done right.

Leo Laporte

In three weeks and then in January 20th, who knows what's going to happen? I mean, there are plenty of people in the Trump administration who don't like big tech, but there are people like Elon and others who do.

Steve Gibson

And so who is, who is big tech?

Leo Laporte

Who is big tech? So it's really kind of an interesting, it's really uncertain what's going to happen. Right. I don't know if this Microsoft case will go past January 20th. It might not.

Steve Gibson

It just could get dropped in favor or put on the back burner in favor of what the new administration perceives as more urgent priorities.

Leo Laporte

Yeah. And it's unpredictable. You know, Trump has said, I hate Google the way they're too big, they're big tech. But he's also said, but on the other hand, China's afraid of him. So I love Google. So you just don't, you just don't know. You don't know what the hell is going to happen. It's going to be an interesting few years.

Steve Gibson

That's will indeed the truth. Okay, so check out this screen, Leo. I've got a picture of it in.

Leo Laporte

The show notes is unbelievable.

Steve Gibson

Yeah, under the headline. You mean this actually convinces someone? That's actually my headline. Security researcher Lucas Stefano has identified a new form of Android scientific scareware that he refers to as convincing full screen images that resemble cracked or malfunctioning screens which trick users into calling tech support numbers or downloading malware on their devices. Now, I included a photo of this malware in this, you know, in action in the show notes. Now I could see how a neophyte might be led to believe that something has gone very wrong with their phone because the screen looks like it's no longer even remotely able to display an image. Except the only problem. Exactly. The only problem with this is that it is at the same time having no problem whatsoever. You know, apparently, despite the cracked and malfunctioning screen of displaying the malware's warning pop up notice claiming that a virus has been detected on the handset. So I suppose we'll give them points for coming up with something new.

Leo Laporte

It gets your attention. I mean, if initially you look at.

Steve Gibson

That and go, oh, I mean. And down there in the lower right. I mean, it looks like.

Leo Laporte

It looks real.

Steve Gibson

It really does look like. Oh shoot, something bad has happened to my phone. Thank goodness that that notice telling me to click here to remove the virus is still visible, right? Wow.

Leo Laporte

Now I'm curious because if you click Remove this, is that sufficient? I would think they put a phone number in there or something. I mean, maybe it's just a click to it'll run the virus because you clicked it, right?

Steve Gibson

That's often the case. If it said I'm a virus, click me, you'd be disinclined to do that.

Leo Laporte

That's a good point. Excellent point. Well taken, Steve. Maybe. Did I click that?

Steve Gibson

Yeah, I don't think so. Okay, so Matt Warner said. Hi Steve, regarding your comment about Wireguard's static ports in episode 1002. So last week he said, I run Wireguard Wire Guard on an Opn Sense firewall. With Securicata and Crowdsec watching my wan interface, neither shields up nor any other port scanner could find an open port. Even when I specify the port number, I don't have wireguard mapped to a specific allowable IP because that changes depending on my location. I'm happy to leave this as it is for now, but will certainly change my setup if a new vulnerability surfaces in any of the tools I use. Love the podcast. I look forward to it every week. Okay, so there is no reason to believe that it is not completely safe to leave a Wireguard VPN server running on a firewall such as OpenSense listening for incoming connections from a Wireguard client. There's no reason to believe that's a problem until there is. Everything we know tells us that this could flip from absolutely safe to oh my God. Within a single heartbeat of a skilled hacker who, while studying wireguard's open source code, notices something no one else has. That's one of the ways these things happen. Or perhaps the hacker is throwing nonsense packets at wireguard's listening service port and one of them suddenly crashes the wireguard server. That's another way this could happen. The specific packet that crashed the server is then examined and the source of the crash is reverse engineered to create a repeatable working exploit. But it's every bit as true that none of this may ever happen. It's also true that perhaps it can't. The conundrum of security as that could happen does not necessarily mean could happen. Perhaps it really can't. The trouble is, today's systems have become so complex that it's no longer possible for us to be absolutely and mathematically provably certain about the behavior of anything above a distressingly low level of complexity. Today, we just can't know. That's one of the things I'm hoping future AI might be able to help us with. My intuition suggests that this is the sort of thing that ought to be right in AI's backyard. But we don't have that today. What we have today is hope. Hope's better than nothing. But hope is not enough for me. I fully respect Matt's decision and position. It's one that's shared by tens of thousands of others. But my network is not the typical residential network. It's both the development and production arms of grc, so the stakes for me are higher. I'm not suggesting that my network is utterly impervious to attack, but it's as utterly impervious as I've been able to make it without exception. So deliberately exposing a wire guard process, no matter how safe I hope it is to the public Internet, would be an exception. I will not make Another listener identifying himself as an reminds us why we trust and should trust wireguard's design, he wrote Hi Steve, Regarding the discussion of wireguard and port knocking on this week's Security now episode, I just wanted to let you know that it's not really necessary with wireguard. The server will not respond to client connection requests at all. He has that in all caps and he's right unless the client provides a public key that the server knows and trusts. This, in addition to the fact that the protocol is UDP based, means that it's not possible to even know if there is a wireguard server listening on a specific IP and port unless you already have public key credentials to connect. While it technically would still be possible to have a bug where this can be bypassed, this is very unlikely because this is the first thing the server checks, so the code surface for bugs is minimal. This technicality would also apply to any port knocking techniques which can have their own bugs in implementation. Regards non OK, so non is 100% correct and this is why Wireguard represents the best of the best today. Is that good enough? Almost certainly. And his point about the possibility that adding port knocking to introduce an additional layer of pre wireguard security might itself introduce a new vulnerability is also a keen observation that could happen. My defense of the use of port knocking is that from an implementation standpoint, unlike anything like wireguard, that necessarily invokes a huge amount of complexity in order to validate a cryptographic certificate, port knocking adds an appealingly trivial layer of complexity while providing virtually absolute protection. In other words, what might be termed as its security gain is nearly infinite, and the port knocking service is inherently sitting behind the firewall which it's monitoring, so it's much more difficult to see how its failure could do anything other than fail to open a portion. And all of this is, of course, what makes the study of security so interesting. So great points from our listeners and as always, great incoming feedback to securitynowrc.com thank you everybody for that. One of our listeners, Richard Craver in Clemens, North Carolina pointed me at something that was so interesting it needed sharing. First of all, here's what Richard wrote. He said, hi Steve and Leo. I just finished the AGI episode. Interesting to ponder. I personally am not a particular fan of AI in general, as I see it as crowdsourcing knowledge that may or may not be correct. Science is based on challenging and testing prevailing assumptions and thought. AI in my humble opinion, discourages critical thinking. But for good or bad, it's here, he said. Below is a link to Tom Fishburne, the marketunist with a thought provoking cartoon and short viewpoint message. And I have the cartoon in the show notes. It's got two frames on the left. One guy is saying to someone else, once we train our AI, I can't wait to see the wide variety of new ideas it comes up with. And in the foreground we see a conveyor belt with all different shapes and sizes and brightly colored bottles and containers of different sorts. And this conveyor belt is sending them into a box in the middle that divides the two frames labeled AI. On the right hand side we see this guy with his hand up to his chin as if thinking, hmm. And what's coming out is a nearly identical set of almost the same shape and size and color bottles. So the AI has sort of generified everything. Okay, so the interesting information is that Tom Fishburn shares. He writes, it's still early days with AI generation tools. We're all still learning potentials and limitations. One watch out is the bias toward homogeneity, the tendency for AI results to look alike as AI predicts what to generate. The path of least resistance is an averaging of the content in its source material. Ian Whitworth once referred to this as the Great same writing ChatGPT, Jasper and all the rest are powered or powerful conformity machines, giving you the ability to churn out Bible length material about yourself and your business that's exactly the same as your competitors. Unquote. And Tom continues A couple months ago, Oxford and Cambridge researchers illustrated the risk of homogeneity in a study of AI generated content in Nature magazine. And as for anyone who doesn't know, Nature magazine is a serious magazine. Lori and I were subscribing to it for a while, but the articles were so dense that it was like, okay, well let's we're just wasting our time on this, so mean it's the real deal. He says. The risk increases as AIs get trained not only on human created content, but on other AI generated content. As an example, the researchers studied an AI model trained on images of different breeds of dogs. The source material included a naturally wide variety of dogs, French bulldogs, Dalmatians, corgis, golden retrievers, etc. The works. But when asked to generate an image of a dog, the AI model typically returned the more common dog breeds, golden retrievers, and less frequently, the rarer breeds, French bulldogs. Over time, the cycle reinforces and compounds when future generations of AI models are trained on these outputs, it starts to forget the more obscure dog breeds entirely, soon only creating images of golden retrievers. Eventually, the researchers found, there's model collapse. And I love that term model collapse, where the LLM is trained so much on AI generated golden retriever images that the results turn nonsensical and stop looking like dogs at all. Now, he writes, substitute dog breeds for whatever you're trying to create new products, new packaging, new advertising, communication. And the risk is that all outputs devolve to look the same. A related study from the University of Exeter found that AI generation tools have the potential to boost individual creativity, but with a loss of collective novelty. The good news is that this baseline situation creates opportunities for those who can push against this new status quo. Homogeneity is ultimately at odds with distinctiveness. As with all tools, it's all in how you use them. You can't break through the clutter by adding to it. So anyway, I love that, you know, these conclusions feel intuitively correct to me, and the research cited above supports that intuition. Also, it's certainly true that there is an unrealized danger as the Internet's content becomes more and more AI generated while our AI models are being continuously trained against the Internet's content. Future historians may wonder what happened to all the French bulldogs. And on that Leo, let's take another break and then we're Going to look at some more questions and feedback from our listeners.

Leo Laporte

Good. Great. You're watching security now with Mr. G. This episode brought to you by Delete Me, a tool that we use actually at twit. And it became a very useful tool when our CEO started being targeted by hackers who were using her name and phone number to try to scam her direct reports. How do they know her name, her phone number, her direct reports? It's all out there on the Internet. Have you ever searched for your name online? I do not recommend it, but if you do, you'll see a surprisingly large amount of personal information is available. Maintaining your privacy is, by the way, not just your own concern. It's a family affair, too. That's why Deleteme offers family plans. Actually, they offer a variety of plans. Corporate plans, individual plans. Check it out@joindeleteme.com TWIT. Delete Me helps reduce risk from identity theft, from cybersecurity threats, from harassment, and more. I mean, there really is a cybersecurity side to this, because the more information that's out there about you, about your company, about your employees, the more likely bad guys will get that data. It's easily available to them for a very small cost. Actually, if you go to a data broker and use that data to impersonate you. I saw. I was watching the morning news, and it was alert. You know, local woman scammed by a bad guy out of $5,000. I thought, well, what's new, right? That's happening all the time. Why is it news? And actually, it's probably good that they showed this because the woman received a call from a person who said he was her grandson. The person knew her grandson's name, knew some basic information about her grandson, said, I've been arrested. I'm in jail. I need bail. She wired bail to the bad guy, not her grandson. Her grandson wasn't in jail. But this is a perfect example of how hackers can use the information online about you to take advantage of you or your family members. Your grandma. That's why you need delete me. That's why grandma needs delete me. I have to say, we. Of course, as soon as that hacker attacked Lisa, we got Delete me. And it's a funny thing because a couple of months ago, we were talking about the data broker breach that showed so much information, including Social Security numbers. Turns out, by the way, that's legal. The FTC has just announced. Maybe we shouldn't make that legal. Anyway, that's another thing that's not going to change. But we were talking about this and I did a little search. My data was in that breach, as was yours, Steve. My social was in that breach, Lisa's wasn't. And I realized that's because we've been using Delete me and the personal data brokers didn't have her data because delete me had made them delete it. That's what Deleteme does. They actually, the lead me experts go around, they know all the data brokers, and by the way, that's not an easy job because there's new ones. It's so profitable. There's new ones every day. They keep track of this, they find and they remove your information from hundreds of data brokers. So they did that for Lisa. That's why her data was not in the breach. It had been removed. And if you want to do it with family members like Grandma, you can assign a unique data sheet to every family member, tailored to them. So you can say, you know, grandma has an Insta account, she doesn't have a Twitter account, that kind of thing. You can manage privacy settings for the whole family. But by the way, it's more than just going to those data brokers and saying, get rid of that stuff. And they do. They're required to. So they delete it. But here's the thing, they're not required to never start over. So they just start reacquiring that data and building a dossier almost instantly. That's why DeleteMe will continue to scan and remove your information regularly. They go back again and again. I'm talking addresses, photos, emails, relatives, phone numbers, social media, property value. All of this stuff is online. You know, it is, it's a shock, right?

Steve Gibson

It's.

Leo Laporte

And it's completely legal. At least it is for now. So this is why you need Delete Deleteme. You need it as an individual, you need it as a family. And by the way, you need it as a business. Protect yourself, reclaim your privacy. Visit JoinDeleteMe.com Twitter if you use the offer code TWIT, you'll get 20% off. JoinDeleteMe.com TWIT it was, it was a real eye opener to see that Lisa's social was not in there. Her address was not in there. It had been removed before the breach. Join. Probably too late for you and me, right? But let's do it now before the next breach. Joinedeleteme.com Twitter and it's not even breaches. They sell that to anybody who wants it. A hacker doesn't have to wait for a breach. They just say, hey, here for a buck 15. Can you tell me who runs that company? What's her phone number? What are all our direct reports? It's all there. Join DeleteMe.com Twitter till we have some sort of national privacy protection, at least you've Got DeleteMe. Join theleetme.com Twitter and please use the offer code TWIT for 20% off. We thank Join Delete me for their support. You support us too, of course, if you use that special address and the offer code because then they know you saw it here. Jointleetme.com Twitter offer code twit on we go with the show, Mr. G. Okay.

Steve Gibson

Yes. So our listener, Greg Haslett has an interesting problem. He said, steve, I have an edge router. That was the router that we were loving for a while.

Leo Laporte

I still have one.

Steve Gibson

Yeah, yeah, it's a, it's a. I've.

Leo Laporte

I've upgraded now to the full Ubiquiti system that. That impressed me so much.

Steve Gibson

Oh, well. And it was so inexpensive and so powerful about what, you know, like, in terms of the way it could be configured. So he said, I have an edge router and created an IoT network. My problem is I cannot reach my ASUS RT66 to update the firmware that's on the IoT network. So he created isolation and now he's isolated. Yeah, he said, any quick ways to allow temporary access to the ASUS router? My last ditch answer would be to back up the edge router, meaning that it's config and reset to original settings. Hopefully find the IP address of the Asus and update the firmware. Then restore the edge router from backup with IoT. Longtime listener and met you at the Squirrel take in Irvine, so that's very cool. So, okay, I'm not 100% certain that I completely understood Greg's problem and question, but I think I do. But my first thought is that maybe he's making things too complicated. Leave the edge router alone and just temporarily rearrange some wires.

Leo Laporte

Take it out of the. Out of the wire.

Steve Gibson

Exactly. Rather than get fancy with reverting the edgerouter's configuration to its original simple switch, why not plug the ASUS RT66 into the LAN where a PC is located and update its firmware? I suppose if Greg doesn't have a spare old wired Ethernet switch lying around, and I have to think he would, who doesn't? They make great doorstops. Then that could be a problem. But it's also possible to plug the ASUS RT66 directly point to point into a PC's LAN socket. So if I understood Greg's question, it would appear that being less fancy and going old school might be the right solution.

Leo Laporte

That is the issue with V landing off your IoT and creating IoT network. If the IoT device is done, you know, controlled through the cloud.

Steve Gibson

Right.

Leo Laporte

Then it's not a problem because you're going to, on one VLAN contact the.

Steve Gibson

Cloud, you go to the cloud, it comes back down.

Leo Laporte

But more and more, and actually for security, this is probably a good thing. And for long term survivability, it's a good thing. These guys are talking directly, you're talking directly to the IoT device, which of course isn't going to work if it's on a separate vlan unless you create some rules. That's the other way around it. I ended up just giving up. I put it all on.

Steve Gibson

Yeah, our solution is to have. Because we also want to have guests over who are bringing untrusted equipment. We have two radios, so we have our network. And then on the IoT network is a different access point. And so if I need to talk to something there, I just quickly switch my wifi over to that.

Leo Laporte

We were doing that. But it's a pain in the butt if you want to print to switch to the secure insecure VLAN print and then switch back.

Steve Gibson

And printing is a good example because, boy, printing is so security riddled and problematic.

Leo Laporte

You don't want to put a printer on your network.

Steve Gibson

Not if you can help it.

Leo Laporte

Yeah, just. This is tough. It really is. That's the truth of it.

Steve Gibson

Oh, and while we're on the topic of old school solutions that are in this case obvious in retrospect, our listener Troy, was responding to something to what we're talking about last week about having a problem typing on this horrible keyboard screen of my iOS device and wondering about a solution for reversing that dongle, the Bluetooth keyboard dongle that you put into your computer. He said, Steve, congrats on security. Now, hey, regarding typing long messages on the iPhone, I hope you know that you can connect a Bluetooth keyboard to your iPhone. And this is where the use of the expression comes in. I confess I had completed, completely forgotten that. And I should have remembered it because one of my first reactions to the loss of the wonderful physical clicky button keyboard of my beloved BlackBerry, which I. Oh, I loved it so much, but I had to switch to an iPhone because you Know what has to. I added that little add on keyboard that you could stick onto the bottom of the phone which did indeed link the phone via Bluetooth and it worked perfectly. So needless to say, I have a cute little Bluetooth keyboard now thanks to Troy's note which allows me to quickly type on my iPhone. So thank you, Troy. Earl Rod in North Canton, Ohio shared some facts about social media age restrictions. He said the recent book by Jonathan Haidt titled Anxious Generation.

Leo Laporte

Okay, I know he loves it and you're going to read his praise. Okay, not widely accepted.

Steve Gibson

Hate is nonsense.

Leo Laporte

Said that it's. It's not true. So go ahead.

Steve Gibson

So, so, so, so who, who said so?

Leo Laporte

I will send you the article by I think what was her name Cougars who is an expert in the field. Jonathan Haidt is a polemicist and he's a social psychologist.

Steve Gibson

Psychologist, yeah.

Leo Laporte

And a lot of what he claims in the book is highly disputed by experts in the field. So it's convincing if you read the book. As with a lot of stuff, when people are polemicists, they write convincing books. Malcolm Gladwell does it too. That aren't true, but they sound right. And a lot of people come away with it with this conviction as a result. This is why there's that Australian law. There's this widespread thought that social networks are causing major mental illness issues with our kids. But experts disagree. I'll just say that now. Go ahead, you can read his note.

Steve Gibson

Well, I'm okay.

Leo Laporte

I just wanted to inoculate people against what you're about to say. He's about to say.

Steve Gibson

Okay, okay, so I will. Because it gives me the context for my reactions to it. So he said. The recent book by Jonathan Haidt, the Anxious Generation, has extensive discussion of the age limit issue. The main theme of the book is rather convincing evidence. To your point, Leo, that the dramatic 100, 200% increase in mental and teen mental health problems which corresponds to the introduction of smartphones is in fact caused he has in all caps, by the use of those phones and in particular social media. Haidt's argument rests on his work as a social psychologist, combining knowledge of the vulnerability of early teens due to brain development happening at the time of life with research on how social media is carefully designed to hook young adolescents. If hate is right and our listener says, and I think he is, the problem is very severe. We make a huge mistake equating our older adults who grew up before the smartphone era, use of various apps and how we handle it with adolescents during critical brain development years and he says Perenn's note, my adult children have been telling me this for years that I cannot transfer how I use social media for just the few things I want to the experience of youngsters. And he says the book has an extensive discussion of what to do. In that section, Jonathan discusses some technical ideas, not at the technical depth of security now, but also the social factors like parental role. The problem appears having more access and how some methods can be neutralized. The book has references to extensive discussions of both social scientists like hate and technical sources by people who have thought through a lot of the issues. While I share some skepticism of the effectiveness of age verification, I think the combination of laws requiring age verification, more parental awareness and cooperation between schools and parents can have a very positive impact. So my response was to say that in our recent discussion I happened to also touch on a number of the same potential pitfalls of age restriction, such as parents being pushed by their own children to make exceptions for them, which is then followed by other kids complaining to their more strict parents that their peers have been given access by their parents, so why can't they have the same, you know, and saying, after all, how bad can it be if 16 year olds are able to have access, you know. I note also that among other things, my wife Lori is an accomplished therapist. And while she rigorously honors the privacy of her clients, she's noted on a number of occasions that many of today's parents appear to be afraid of their own children, whom they appease by giving them anything they want. So how are such parents not going to capitulate to their children's demands, especially having previously established that pattern? So anyway, as I'll point you now.

Leo Laporte

That we've talked about it, to, this is a great place to start Mike Masnick's article in which he quotes Candice Odgers, who is a actual expert on this stuff and has been doing this kind of research for years. And then his podcast about this essentially debunking hate. Hate is a polemicist. He is not an expert, period.

Steve Gibson

So do you not think, do you not conclude that there is something age related or that there is not damage or that kids are not addicted or so what?

Leo Laporte

Yeah, so the research shows that it's not the case, period. He's saying something that makes sense. And this is the problem with a lot of these just so stories. Oh yeah, that makes perfect sense. That makes a lot of sense. But if you actually look at the research, by the way, you can read her article in Nature, your favorite magazine, all about this. The issue is, is there an increase in mental health issues with kids? Because it's more reported. There are a lot of correlation does not equal causation, as you well know. And because there's a. Because the iPhone came out in 2007 and they're correlating that to a rise in mental health issues. There are many other issues involved in this, including Covid and isolation of kids. Stranger danger from the 80s, which made a lot of parents keep their kids at home instead of letting them out to play because they were so afraid of, by the way. This was also a specious argument. There were strangers in the neighborhood about to abduct them. We know perfectly well that the real danger to kids is people they know, people at home, their relatives. But the stranger danger actually prompted a lot of parents to say, oh, no more playing outside for you. That could be one of the causes. There are many things going on. Correlation does not equal causation.

Steve Gibson

And as we've said many times, and.

Leo Laporte

When you do the actual research with many have done, including Candace Odgers, it is in fact under. It's problematic because it's very easy to say, oh, it's social media. We put an age limitation on social media. We limit iPhones, we keep parents, you know, we give parents the power to stop doing all this stuff. It's all going to get better. And what you're not addressing, for instance, is the fact that schools no longer have mental health professionals, let alone nurses in the school. There are a lot of other issues you're not addressing because you, oh, all fixed.

Steve Gibson

You've already found the problem.

Leo Laporte

You found the problem. So I would recommend people look at Mike, Mike Masnick. I think our audience trusts and likes had did an excellent podcast with her about youth mental health, talking about Jonathan Haidt's book before. The problem is it's become a political issue.

Steve Gibson

And so do you think that the actual driver is mental health or that people don't want kids so stuck on their phones?

Leo Laporte

Steve, you remember when you were young and your parents said, stop listening to that rock and roll and cut your hair. Do you remember when Newton Minow, the chairman of the fcc, said that television was a vast wasteland and ruining the brains of our young people?

Steve Gibson

And then we have the whole video game phenomenon.

Leo Laporte

Do you remember when Tipper Gore said video games are ruining our children? It's happened again and again. The problem is with that kind of moral panic is you can be mis. You can focus on the wrong problem and not really address the issues. So there is a huge replication crisis. A problem with the data that Hate quotes, it's not been replicated. The actual experts who are working in this field and been working this field for decades say we actually don't see that. If you're interested and everybody should be, watch this podcast. It's a great starting point. It's@techdirt.com it's the tech dirt podcast with Candace Odgers O D G E R S titled Making sense of the research on Social Media and Youth Mental Health. Actually I think Hate's on it, so that would be kind of interesting.

Steve Gibson

Well, of course our interest for the podcast is just the idea that legislation is going to impose a new technical requirement.

Leo Laporte

Well, it's nonsense that Australia has said no, nobody under 16 can use social media. Besides the isolate. I mean you can make the case that social media is how kids socialize today. It may and well isolate a great many kids and cause worse problems. How do you do it? How do you. And so there's no good technical way without violating human privacy, our own privacy to identify who's an adult, who's not an adult.

Steve Gibson

Yes. And that, that is the interest of this podcast is what are they going to do? You know, like, you know, something is going to happen unless the law gets overturned and, or, or isn't implemented. The fines are 35, the equivalent of 50 million Australian dollars, equivalent of about 32 and a half million US dollars.

Leo Laporte

Which makes me think companies like Meta and others will just pay the fine.

Steve Gibson

Do you think It's a one time fine. And the other thing that I thought was odd was that YouTube is excluded. It's not considered.

Leo Laporte

Perfect example. Yes, perfect example. It's nonsense. And by the way, the campaign in Australia was started by Rupert Murdoch and Rupert Murdoch's newspapers who in the spring of this year launched a massive campaign and convinced the Australia legislature to do this.

Steve Gibson

Well, from a technology standpoint it's going to be fascinating to see what they come up with.

Leo Laporte

We talked about it on Sunday and I think the consensus of the panel was this is really mostly just kind of saying fix it because it's a year more than a year away. Right?

Steve Gibson

Yes. Takes effect on November 20th of 2025.

Leo Laporte

Yeah. So we think it's mostly just saber rattling and trying to convince them do something so that we can sit back on this law. But if not, we got a problem.

Steve Gibson

We got a. We have a need for some technology.

Leo Laporte

Yeah. That doesn't exist.

Steve Gibson

Finally, dawn appreciates our picture of the week for audio only listeners. She says Hello, Steve and Leo. I've listened to your show for a while now and I really enjoy it. I love all things computers, technologies, etc. And there's one thing I can definitely say with 1000% assurance there will always she has, in all caps, be in need for this podcast and experts such as yourselves to cover and explain it all. With the added challenge of putting the cookies on the bottom shelf where the kids can get them, which you're very good at doing. I wanted to write you an email thanking you for describing the Pictures of the Week. I have to admit, I got quite a bit of laughs from the one last week where the little troublesome twosome were finding a way to get upstairs. Even now as I write this, I'm chuckling. It means a lot to me that you guys describe the pictures of the week because I'm completely blind.

Leo Laporte

Oh, interesting.

Steve Gibson

Without your descriptions, I would not be able to get any enjoyment out of them.

Leo Laporte

Very good.

Steve Gibson

She said. Sometimes I think we do things like this without a second thought and without knowing the impact that we have and will have on someone when we do those things. This is one of them. Please keep the picture descriptions coming. Before you ask, I think one of my favorite picks of the week was the one that said, treat your passwords like your underwear. She said, I remember.

Leo Laporte

Daily.

Steve Gibson

She said, I remember. I just couldn't stop laughing for a long time after that one, then had to rewind the podcast a couple of times just for the laughs. I must admit I had never heard password safely put that way before. Thank you once again for the podcast and image descriptions, and please keep them coming.

Leo Laporte

Dawson, awesome, Don.

Steve Gibson

I hope you're listening. Thank you for your note and I can promise that we'll keep the Picture of the Week descriptions coming.

Leo Laporte

Yeah, you're very good about it. You realize that we have audio listeners and they aren't seeing it, and so you're always very good about that. It does remind us, though, Also, when you post images online, you should always use the alt tags in HTML, right? So the blind viewers who are using screen readers will actually know what that picture is. And I forget sometimes. I actually have a little thing on my Mastodon account that pings me when I post a picture without an alt tag and says, you didn't put your alt tags in. It's not too late. Go back and edit it. And I. And I always do. Thank you, Don. It's nice to have you listen.

Steve Gibson

Okay, our last break and then we're going to catch up on the current status of Voyager 1 as continues its, well, endless journey because it's way outside the sun's gravity field at this point.

Leo Laporte

And just along the Australia thing. You'll remember that it was the Australian Parliament, a parliamentarian in Australia, who said, we don't have to worry about math. Math. From our point of view, there's no need to pay attention to math.

Steve Gibson

And this is another one of those examples where of legislators ignoring technology even though they're legislating technology, saying that, saying social media companies, like some and a subset of social media companies have to do something. And, well, we don't know how, but you can do it. It's like the EU saying, well, we want you to block, you know, see Sam. And we don't know how you're going to do it, but you have to do it without breaching anyone else's privacy. It's like, yeah, I mean, you know, we.

Leo Laporte

The. It was the Australian Prime Minister who said, the laws of mathematics don't apply here. He's no longer Prime Minister.

Steve Gibson

Those pesky. Those pesky mathematicians.

Leo Laporte

How dare they. Yeah, governments do that. They say, well, you'll figure it out. You guys are the smart big brains. You've figured out Trumbull is no longer. I don't think Malcolm Trumbull is no longer the Prime Minister. But math. But math lives on, which is kind of interesting.

Steve Gibson

Love math. Yeah, math makes it all the way eternal.

Leo Laporte

Math lasts longer even than.

Steve Gibson

And if we didn't have math, we wouldn't have Voyager 1, that's for sure.

Leo Laporte

There you go. Yeah. I often say when people say, oh, science, you know, science isn't always perfect. Dude, you're listening to a technology podcast. All technology is. Is science applied, Right? Give me a break. That's all we got.

Steve Gibson

Yes, we have. We live in a noisy world and yet the digital bits get from point A to point B perfectly, somehow magically.

Leo Laporte

Well, math doesn't apply here. That's a science. No, I don't know what that is. Anyway, our show today, we're very glad to have you listening. We're going to get very excited about talking about V'Ger. I can't wait.

Steve Gibson

Lots of really cool information.

Leo Laporte

Yeah. But before we do that, I want to talk a little bit about our sponsor, Bitwarden, the open source password manager that will drastically improve your chances of staying safe online. We love Bit Warden. It's open source, it's trusted by thousands of businesses, like all password managers. The basic functionality is to generate an auto fill strong long passwords. You don't have to remember them, it remembers them for you in an encrypted vault. That is part one of why I think it's really important that Bitwarden is open source. When, when you're talking encryption, I've always been of the opinion it's got to be open source because you have to be able to vet it. You have to be able to look at it and or some expert does and say there's no back doors, it's properly implemented. In fact, Bitwarden does that. Not only do they post, they are gpl. As Steve, you pointed out a couple episodes ago, they are fully open source. They post their Source code on GitHub, anybody can read it. But they also engage every year, in fact several times a year, third parties to look at the source code, vet it, validate it, say this is what it does, this is what it doesn't do. And they also go one step more. A lot of companies do that, but then they go one step more. Bitwarden promises to publish in full the reports from these third parties. So I'm saying this is the only way you can really be sure it's doing exactly what it says it does. So that's reason number one, I love Bit Warden Bitwarden for business. Reason number two, businesses. Bitwarden is a lifesaver in business. It's not just simply a password manager. It integrates with all of your existing software to support seamless operations and elevated security in every part of your enterprise. I'll give you some examples. You use Microsoft Intune. Bitwarden works with Microsoft Intune to enhance device security and user identity management. It enables secure Bitwarden app deployment on any intune managed endpoint. That's desktop's mobile devices everywhere. Do you use Rippling for your hr? You'll love it. Rippling integrates with Bit Warden to simplify employee off boarding and onboarding. Your IT team can assign and revoke access as your employees join or leave. Kind of push button. Simple. Maybe use Vanta, one of our sponsors. We love Vanta. Vanta combines compliance audit and reporting with secure password management. It says look, they're using secure password management. It's using being used effectively. It helps organizations meet their SOC2, ISO27001 and other standards. Here's a really interesting one. Rapid7 Rapid7, which is an EDR solution, ensures improved threat detection and response. And how does it work with Bit Warden? By correlating credential usage with security events. So Bit Warden says yes, this password was used on this device, on this app, at this time and rapid 7 then can correlate it with a security issue, strengthening proactive monitoring and intelligence for enterprise security teams. That's really cool. Bitwarden is really focused on these integrations. They increase flexibility to centralize security management across existing technology stacks and employee devices so that you can maintain control over sensitive information. There's a really great story to tell for Bitwarden, both for individuals and for businesses in business. Bitwarden users can seamlessly connect tools for IT management, compliance, security to improve and standardize the deployment of enterprise credential management throughout your organization. And your employees will love it. It's easy to use, it's effective. Your business deserves a cost effective solution that can dramatically improve its chances and your chances of staying safe online. It's very easy to switch to Bitwarden. It only takes a few minutes. They can import quickly from most password management solutions. It's open source. Bitwarden's fantastic. Bitwarden is also very affordable. You can get started right now with a free trial of bit warden's teams or enterprise plan. And the thing I always tell folks, I told everybody Thanksgiving, make sure you I hope you did this. Talk to your relatives, ask them about their password system, their security and if they don't have any security or they're reusing the same password heaven for fin tell them get Bitwarden very important. Free forever for individuals because it's open source. Free forever for individuals. That's unlimited passwords, unlimited Device, Mac, Windows, iOS, Android, Linux and that includes passkeys, unlimited passkeys and the use of hardware keys like yubikeys. All of that's in the free plan. Now I pay them 10 bucks a year because I want to support him. I have the premium plan, 10 bucks a year. So even then it's very affordable. I just. And by the way, with Bitwarden for the individual plans you can even host your own vault. I know there's some real tno people out there. Trust no one people. That's one way you can really do it is to host your own vault. Personally I trust Bitwarden. I feel fine about that. Bitwarden get started for free across all devices as an individual user or free trial of a teams or enterprise plan for your business@bitwarden.com Twitter this is the one really is. And if you're not using a password manager by all means I know if you listen to security now of course you're using one. Tell your friends bitwarden.com Twitter thank you bit warden for supporting security now and thank you for supporting it by using that address so they know you saw it here. V'Ger.

Steve Gibson

Okay, so our listener, Rob Woodruff brought this bit of news to my attention. NASA's posting was titled NASA's Voyager 1 resumes regular operations after Communications Pause. And I'm going to share it because as I said, it contains a bunch of interesting and amazing science and engineering information, and then we're going to even dig down a little deeper. So they wrote. NASA's Voyager 1 has resumed regular operations following a pause in communication last month. The probe. Yeah, the probe had unexpectedly turned off its primary radio transmitter, called an X band transmitter, and turned on the much weaker S band transmitter due to the spacecraft's distance from Earth about 15.4 billion miles, 24.9 billion kilometers. This switch prevented the mission team from downloading science data and information about the spacecraft's engineering status. Earlier this month, the team reactivated the X band transmitter and then resumed collecting data the week of November 18th from the four operating science instruments. Now engineers are completing a few remaining tasks to return Voyager 1 to the state it was in before the issue arose, such as resetting the system that synchronizes its three onboard computers. The X band transmitter had been shut off by the spacecraft's fault protection system when engineers activated a heater on the spacecraft. Whoops. Okay. Historically, if the fault protection system sensed that the probe had too little power available, it would automatically turn off systems not essential for keeping the spacecraft flying in order to keep power flowing to the critical systems. But the probes have already turned off all non essential systems except for the science instruments. So the fault protection system turned off the X band transmitter and turned on the S band transmitter because it uses lower power. Unfortunately, that also means it transmits at lower power, which means you can't get the data through, which is why they had stopped collecting data. They said. The mission is working with extremely small power margins on both Voyager probes. Powered by heat from decaying plutonium that is converted into electricity, the SpaceCraft lose about 4 watts of power each year. About five years ago, after some 41 years after the Voyager spacecraft launched, the team began turning off any remaining systems not critical to keeping the probes flying, including heaters for some of the science instruments. To the mission team's surprise, all of those instruments continued to operate despite reaching temperatures lower than what they've been tested for. The team has computer models designed to predict how much power various systems such as heaters and instruments are expected to use. But a variety of factors contribute to uncertainty in those models including the age of the components and the fact that the hardware doesn't always behave as expected, with power levels being measured to fractions of a watt. The team also adjusted how both probes monitor voltage. But earlier this year, the declining power supply required the team to turn off a science instrument on Voyager 2. The mission shut off multiple instruments on Voyager 1 in 1990 to conserve energy, but those instruments were no longer in use after the probe flew past Saturn and Jupiter. Of the 10 science instruments on each spacecraft, four are now being used to study the particles, plasma and magnetic fields in interstellar space, which is where both probes are. Voyagers 1 and 2 have been flying for more than 47 years and are the only two spacecraft to operate in interstellar space. Their advanced age has meant an increase in the frequency and complexity of technical issues and new challenges for the mission engineering team. Ok, so reading that the article said the X band transmitter had been shut off by the spacecraft's fault protection system when engineers activated a heater on the spacecraft. What it didn't tell us is why the JPL engineers turned on that heater. And there's even more fascinating information about that. Our listener Jeff Root in San Diego supplied the link to a story in the Register of all places titled Best Job at what it's like to be an Engineer on the Voyager Project. This was posted two days later on the US's Thanksgiving Thursday, and it too is chock full of interesting science and engineering insight. So the Register wrote, the Voyager probes have entered a new phase of operations. As recent events have shown, keeping the venerable spacecraft running is a challenge as the end of their mission nears. And of course, end of the mission just means we don't know what happened, right? I mean, it's like it's way past it's its design end of mission and it keeps getting extended. So they wrote. As with much of the Voyager team nowadays, Karim Badarudin, a 30 year veteran of NASA's Jet Propulsion Laboratory, divides his time between the twin Voyager spacecraft and other flight projects. He describes himself as a supervisor of chief engineers, but leaped at the chance to fill the role on the Voyager project. Suzanne Dodd, JPL director for the Interplanetary Network Directorate, is the project manager for the Voyager interstellar mission. Batarudin told the Register she knew that the project was sort of entering a new phase where there was likely to be a lot of technical problems. And so chief engineers, that's what they do, they solve problems for different flight projects. Dodd needed that support for Voyager. Batarudan would typically have found someone from his group. But he said, I was just so excited about Voyager. I said, you know, look no further, right? I'm the person for the job. In other words, this was one he did not want to delegate. He said, I'm your engineer, you know, please pick me. So Bata Rudin has spent the past two years on the Voyager project. After decades of relatively routine operation, following plans laid out earlier in the mission, when the team was much larger, the twin Voyager spacecraft had begun presenting more technical challenges to overcome as the vehicles age and power dwindles. The latest problem occurred when engineers warmed up part of the spacecraft, hoping that some degraded circuits might be healed by an annealing process. Batarudan explained that there's these junction field effect transistors, JFETs in a particular circuit that have become degraded through radiation. We don't have much protection from radiation in an interstellar medium. Remember where this thing was never designed to function right because it wasn't expected to live this long. We don't have much protection in an interstellar medium because we're outside the heliosphere where a lot of that stuff gets blocked. So we've got this degradation in these electronic parts. And it's been proven that they can heal themselves if you get them warm enough long enough. And so we knew we had some power margin, and we were hopeful that we had enough power margin to operate this heater. And as it turned out, we didn't. It was a risk we took to try to ameliorate a problem that we have with our electronics. So now the problem is still there and we realize that we can't solve it this way. And so we're going to have to come up with another creative solution, unquote. So the register says the problem was that more power was demanded than the system could supply. A voltage regulator might have smoothed things out, but the Voyagers no longer had that luxury. Instead, engineers took a calculated risk and ran afoul of the then innovative software on board the spacecraft. The undervoltage routine of the fault protection software shuts down loads on the power supply. But since the Voyager team had already shut down anything that's not essential, there isn't much left for it to shut down, Batarudan explained. He said, so quote, under the under voltage response doesn't do much except turn off the X band transmitter and turn on the S band transmitter. And that's because the S band transmitter uses less power, making it the last safety net to save you, he said, and save the mission. It did. While The S band is great for operations near Earth, such as the moon. It's almost useless at the distance of the Voyager spacecraft. However, by detecting the faint carrier signal of the S band transmission, the team was able to pinpoint that the problem had been the act of turning on the heater. Even without X band telemetry from the spacecraft. The challenge for engineers isn't just the time it takes to get a command to the Voyagers and receive a response, but also checking and rechecking every command that gets sent to the spacecraft, he said. The waiting is apparently not as frustrating as we might think, batarudan said. This is the rhythm we work in. We've grown accustomed to it. It used to be a very small time delay, and it's gradually grown longer and longer through the years. With duplicate physical hardware long gone, the team now works with an array of simulators, Batarudin said. We have a very clear understanding of the hardware. We know exactly what the circuitry is, what the computers are and where the software runs. And as for the software, it's complicated. There have been so many tweaks and changes over the years. Remember 46 years, 47 years, that working out the exact revision of every part of Voyager's code has become tricky, Bataruden said. It's usually easier to just get a memory readout for from the spacecraft to find out what's going on out there. The challenge for the Voyager team is that the spacecraft are nearing the half century mark, as is the documentation, he said. We have documents that were typewritten in the 70s that describe the software, but there are revisions and so building the simulators. We feel really good about the hardware, but we feel a little less good about understanding exactly what each instruction does. The latest bit of recoding occurred with the failure of one of Voyager's integrated circuits, which manifested itself as meaningless data last year. And of course we talked about that on the podcast at the time, Bata Rudin reminds us the basic problem was figuring out what was wrong with no information. We could see a carrier signal. We knew we were transmitting in the X band. We knew we could command the spacecraft because we could tweak that signal slightly with commands. So we knew the spacecraft was listening to us and we knew the spacecraft was pointing at Earth because otherwise we wouldn't get a signal at all. The engineers went further down the fault tree and eventually managed to get a minimum program to the spacecraft to get a memory readout. That readout could be compared to one retrieved when the spacecraft was healthy 256 words were corrupted, indicating a specific integrated circuit code was then written to relocate instructions around that failed area. And remember, this is almost a light day away at that point a year ago. The problem there is the code was very compact. There was no free space that we could take advantage of. So we had to sacrifice something so that they're patching on the fly on an operating machine. What is it, 15 billion miles away? That something that needed sacrificing was one of the Voyager's higher data rate modes used during planetary flybys. And that makes sense, right? It's like, hey, what don't we need? Well, we don't need the high data rate mode used during planetary flybys because we're not going to be flying by any planets. So now back to the present. The current challenge, if you'll pardon the punishment, involves dealing with the probe's. Oh, thrusters. And here's the problem, Leo. Silicon from bladders inside the fuel tanks has begun to leach into hydrazine propellant. Since silicon doesn't ignite like hydrazine, meaning it doesn't get burned off, a tiny amount gets deposited in the thrusters and slowly builds up in the thruster capillaries. Batarudin uses the analogy of clogging arteries. Eventually, the blockage will prevent the spacecraft from firing its thrusters to keep it pointed at Earth. However, the pitch and yaw thrusters, each of which have three branches, are clogging at different rates. The current software works on the basis that branch one, two or three will be used. But could it be operated in mixed Mode, where Branch 2 is used for the pitch thruster, but Branch 3 is used for yaw. Batarudan notes so that's a creative solution. It would be very complicated. This would be another modification in interstellar space to the software. And getting it right the first time is not just nice to have, it's almost essential. By the time the results of a command come back from the Voyager spacecraft, it might be impossible to deal with the fallout of a failure.

Leo Laporte

What do they write it in? What is it? Assembly language. What is it?

Steve Gibson

Oh, yeah, it's all individual. Like they have. They invented their own processor. They're not using any commercial processor. They invented a. A computer that reads this code. And that's where he's saying some. Sometimes we're not sure what an instruction does because somebody typed it in 1970 and may have said, oh, it's lunchtime. I'll get back to you later.

Leo Laporte

Wow. Wow, this is amazing.

Steve Gibson

It is just incredible. He said, the voyage spacecraft are Unlikely to survive another decade, the power will eventually dwindle to the point where operations will become impossible.

Leo Laporte

Is it a nuclear power plane on?

Steve Gibson

Yeah, yeah, it is a nuclear power. It is. It is using decaying plutonium to the heat generated from the particle decay to heat a thermocouple, which generates the electric current to drive all of this.

Leo Laporte

So it's a tiny bit of.

Steve Gibson

And it's been exponentially decaying for 47 years. Pretty good since this thing was first launched.

Leo Laporte

That's a long time.

Steve Gibson

Yeah, so he says high data rates, which is to say 1.4kbps, will only be supported by the current Deep space network until 2027 or 28. After that, some more creativity will be needed to operate Voyager 1's digital tape recorder. Batarudan speculates that shutting off another heater, the Bay 1 heater used for the computers, would free up power for the recorder. But I should mention that we're only able. The Deep Space Network, as I recall, is only out of Australia. And so it's only during a brief time window, once a day as the Earth rotates, that the Deep Space Network antenna is able to point at Voyager 1. And so Voyager 1 records its data during the dark period and then dumps it to us when it knows we're able to receive it. So he says turning off the bayone heater used for the computers would free up power for the recorder according to the thermal model. But it'll be a delicate balancing act. And of course, the recent annealing attempt demonstrated the limitations of modeling and simulations on Earth. So does Bataruden have a favorite out of the two spacecraft? He replies, well, Voyager 2 is the one that's been flying the longest, and Voyager 1 is the one that's furthest from Earth. So they both have a claim to fame. He says, to use another analogy, they're essentially twins. They're basically the same person, but they live different lives and they have different medical histories and different experiences.

Leo Laporte

What a great line.

Steve Gibson

Batarudan hopes to stick with the mission until the final transmission from the spacecraft. He said, I love Voyager. I love this work. I love what I'm doing. It's so cool. It just feels like I've got the best job at JPL.

Leo Laporte

And he's, I'm sure in his 60s, if not 70s, right? Yeah, he's been with it for 30 years with JPL.

Steve Gibson

Yeah.

Leo Laporte

Wow.

Steve Gibson

So I just checked on the Voyager 1 mission status, which is what gave me the title for today's podcast, that intrepid little spacecraft is now so far away that light and radio signals take more than 23 hours to travel in each direction, not round trip, each direction. So two days round trip. So it's nearly an entire light day distant. Yet Voyager 1, and this is what boggles my mind, is managing to keep itself pointed at our Earth across all that distance. And we still have working bidirectional communication with it. This entire endeavor has been an astonishing example of incredible engineering. The original design, and this is this, this too, the original design was flexible enough that and software controlled enough that even though it was designed in the 1970s and launched on September 5, 1977, all well before the Internet and all the technology that we now take for granted, this machine has endured and has exceeded everyone's expectations many times over. The story does make one principle absolutely clear. No pure hardware solution could have ever done this. No pure hardware solution would still be alive, functioning and communicating after 47 years of spaceflight. Nor even could any fixed firmware hybrid hardware software solution. The reason is that none of what has transpired since Voyager 1's original mission was redefined and extended after it continued to perform so brilliantly could have been anticipated by NASA's brilliant engineers in the mid-70s. The sole key to Voyager 1's success today is that to an extremely large degree, the original designers of the spacecraft put the machine's hardware under software control. The reason they did that way back in the 70s was different from the reason they're now. Glad they did that they created a deeply software based control system back then because software doesn't weigh anything and the spacecraft didn't have an ounce of weight to spare. So the engineers of the 70s put their faith in software. And that faith and the inherent dynamic redesign flexibility it enabled has given the spacecraft a far longer life than it could have ever otherwise enjoyed. Because software doesn't weigh anything.

Leo Laporte

Isn't that amazing?

Steve Gibson

And all of that said, yesterday's and today's software is ultimately at the mercy of hardware. You know, if the attitude control system's capillaries ultimately become clogged with leached and deposited silicon, the spacecraft's ability to maneuver and keep itself pointed at the earth will eventually be lost. At some point in the not too distant future, it will still be alive out there, but will have lost contact with one another. You know, what an amazing accomplishment, Leo. I mean, it makes you proud.

Leo Laporte

It also there's another lesson, which is sometimes constraints force a kind of creativity that's better than if you have unlimited hardware and software, unlimited memory Unlimited storage.

Steve Gibson

It's why I'm pointing at that PDP 8 behind me. Yeah, it's, you know, it came with 4K words of memory and it was expandable to 16, I think, or 12. It's. It's what I miss about the old days where, where there you, you really. There was. There was creativity and engineering instead of just asking ChatGPT for a program.

Leo Laporte

Right.

Steve Gibson

You know which. You know which it spits out from having ingested the Internet.

Leo Laporte

Right.

Steve Gibson

It is a different world.

Leo Laporte

Yeah. Fascinating. Well, as you know, we've covered this story for a couple of years now.

Steve Gibson

And it's as it's been, that intrepid little probe has been out there and.

Leo Laporte

There are, I've mentioned already, there are some documentaries. There's one fairly recent one that covers.

Steve Gibson

The old folks and I watched it after your recommendation. It was fantastic.

Leo Laporte

So great. These guys, this is their life work. It's just really neat. Amazing. Thank you, Steve, once again for a great show. As always, Steve hits it out of the park each and every time. I hope you listen. We do the show live on Tuesdays right after Mac break weekly, which usually ends up being somewhere between 1:30 and 2pm Pacific, let's say 5pm Eastern Time, 2200 UTC. You can watch us live on eight different platforms thanks to our Club Twit members. Of course, we are on the Discord. That's where our Club Twit members live. But we're also on YouTube, Twitch, we're on X dot com, we're on Facebook, we're on LinkedIn, we're on Kick, we're even on TikTok. So you can watch us live there if you're around of a Tuesday evening. If not, of course, there's on demand versions of the show. We have a 64 kilobit audio version and a full video version you can watch at Twitter TV SN. Steve has the 64 kilobit audio, but he also has the 16 kilobit audio which he makes handcrafts himself every week so that you can listen if you're bandwidth impaired. And one of the bandwidth impaired folks is our own Elaine Ferris, who does the transcripts. So she downloads that and literally by hand transcribes everything we say. Does a beautiful job of that.

Steve Gibson

It's actually why we have the 16 pivot. It was for Elaine that I started doing that.

Leo Laporte

That's so nice. So if you want to read along as you listen or use it for searching, that's also on his site. And of course, the full show notes And Steve does a really nice better show notes than anybody I've ever seen. I mean, it's all written out there, lots of images, links. And you can also get that from Steve's site. You can get it emailed to you as well. Steve has a couple of newsletters, one of which is the Security now newsletter, the show notes. And all you have to do to get on his mailing list is go to GRC.com that's his website. GRC.com email what you're actually doing is validating your email. So that gives you the opportunity to email him. You have to validate it first because he doesn't want spam. Is very effective technique against that. But you'll see there are two boxes that you could check. They are unchecked by default, but you could check them if you want to get those newsletters. GRC.com Email While you're at GRC, pick up a copy of Spinrite. That's Steve's bread and butter. The world's best mass storage, maintenance, recovery and performance enhancing utility. 6.1 is the current version@grc.com lots of free stuff there too. It's really a fun site just to browse around. The site looks like it was. It came out right about the same time as Voyager 1.

Steve Gibson

Yeah.

Leo Laporte

It'S all. But you know what? It weighs nothing. So that's a good thing. GRC.com There's a YouTube channel dedicated to the video if you want to watch. Better yet, that's the place you can use to share clips. YouTube makes that fairly easy. And if so, if you heard something and you said, oh, you know, my friend ought to hear that, you can clip it, send it to them. That helps us two ways. One is of course, you know you're sharing it. But two, your friend might say, hey, I want to hear that show again, or I want to hear more of that and subscribe. And we like that. We appreciate that. We especially appreciate all of our club members who are watching and listening tonight. We couldn't do it without you. And increasingly, as the times get tougher and tougher for independent podcasts like ours, we are relying on club members to keep the lights on. It's seven bucks a month. You get ad free versions of this show and every other show. You also get access to the club Twit Discord. You get special shows. We do. We've been. I've been streaming every night for the first three nights. The advent of code solving that is so much fun. Steve, I. It was really scary. For me, the first time to say, I'm going to let somebody watch me write code because I'm not, you know, I'm no pro. And even, I'm sure even somebody like you, they're false starts. There's, there's dumb like you. Oh, I left out a comma or something like that.

Steve Gibson

Yep.

Leo Laporte

So I'm. We're doing it live and you can watch me do dumb things. But fortunately I have, from our own club, three really accomplished coders. They wait till they've solved the advent of code themselves, which takes about 10 minutes, and then they come in. Dial in. So Sci Fi's Darren Oakey, who's Australian, our Canadian friend Paul Holder, you know very well who helps on your forums, they helped me out and last night, actually they helped me quite a bit doing some regular expression stuff. They were very helpful there. So please join us. I think I'm going to do it again. I'm going to, I think what my plan is, I'm going to keep doing it till I hit that wall where I go I can't. Or it past 2 in the morning. And that's, you know, I don't want to stay up all night doing it. So. But let's try it again. So far it's so good. It's taken a couple of hours. It's been really fun. So I'll be streaming that on my YouTube channel, but that's another club event. So join the club because that's what, that's where the fun happens and it's what really supports the work Steve does and the entire team. Twit TV Club, Twitter. Seven bucks a month, that's all it costs right now. One and a half percent of our audience is a member. I would love to get that. It doesn't have to be 100%, 4 or 5%. That would make it. So we didn't have to worry about what we're going to do next year. Right now we're quite worried. Twit TV Club, Twitch Steve. Have a wonderful week.

Steve Gibson

Will do. And we'll be back next week for 1004.

Leo Laporte

Holy moly.

Steve Gibson

Who knows what's going to go on between now and then? Whatever it is, we'll cover it.

Leo Laporte

Miv Episode Miv coming up. Thank you, everybody. We'll see you next time on Security Now. Security Now. ATT customers switching to T mobile has never been easier. We'll pay off your existing phone and give you a new one free. All on America's largest 5G network work. Visit tmobile.com carrierfreedom to switch today, pay off up to $650 via virtual prepaid MasterCard in 15 days. Free phone up to $830 via 24 monthly bill credits plus tax. Qualifying port in trade and service on Go5G next and credit required. Contact us before canceling entire account to continue bill credits or credit stop and balance and required finance agreement is due.